How to bruteforce development, CI/CD, and other apps with Hydra and the Password Auditor

Compromising development and CI/CD tools can give attackers access to source code repositories, automation pipelines, and deployment systems, making them high-value targets. 

This guide provides real-world testing methodologies for Bitbucket, GitLab CE, Jenkins, JetBrains TeamCity, and more, helping you discover login endpoints, analyze authentication mechanisms, and test credential security. By applying these techniques, you can uncover authentication weaknesses before attackers do, ensuring a stronger security posture for the systems you audit.

Hydra vs password auditor hero image

How to check Bitbucket for weak credentials

Deployment method: Atlassian Dockerhub

1. Find the web app login endpoint for Bitbucket

The Bitbucket login form usually sits on the /login endpoint.

Bitbucket login form

2. Discover the Bitbucket login parameters

Use the Network tab in Web Developer Tools to identify the parameters.

Bitbucket Web Developer Tools

3. Identify error messages and protection mechanisms

After one invalid attempt, the following message is returned:

Bitbucket login error

After two failed attempts, the CAPTCHA is activated.

Bitbucket login captcha

Hydra commands and output

We used the following commands to bruteforce Bitbucket with Hydra with one pair of valid credentials and one pair of invalid ones:

hydra -l benchmark-user -p tq6nAhfAhqtwBn7WXWqoaMXWF -s 7990 bitbucket.pentest-ground.com http-post-form "/j_atl_security_check:j_username=^USER^&j_password=^PASS^&_atl_remember_me=on&next=%2Fdashboard&queryString=next%3D%252Fdashboard&submit=Log+in:Invalid username or password."
hydra -l benchmark-user -p bad-password -s 7990 bitbucket.pentest-ground.com http-post-form "/j_atl_security_check:j_username=^USER^&j_password=^PASS^&_atl_remember_me=on&next=%2Fdashboard&queryString=next%3D%252Fdashboard&submit=Log+in:Invalid username or password."
Bitbucket Hydra output

As shown in the output, Hydra correctly identified both invalid and valid credentials.


For the second scenario with multiple usernames and passwords, we used the following command:

hydra -L users.txt -P pass.txt -s 7990 bitbucket.pentest-ground.com http-post-form "/j_atl_security_check:j_username=^USER^&j_password=^PASS^&_atl_remember_me=on&next=%2Fdashboard&queryString=next%3D%252Fdashboard&submit=Log+in:Invalid username or password."  -V
Bitbucket Hydra output multiple credentials

Hydra identified the valid credentials when testing 2 users and 13 passwords.

Password Auditor commands and results

For the first scenario, these are the parameters we adjusted to perform a more focused scan:

  • Target: http://bitbucket.pentest-ground.com:7990/login

  • Ports: Use port from target URL

  • Services: HTTP

  • Wordlists: pa-benchmark


Because the pa-benchmark wordlist includes the valid credentials, the tool will make 4 attempts against the target - 3 with invalid credentials and one with valid credentials.


As the screenshot below shows, the Password Auditor successfully identified the valid credentials.

Bitbucket Password Auditor scan results

It also delivered a screenshot of the logged-in session to confirm the provided credentials are valid.

Password Auditor screenshot of the Bitbucket logged-in session

For the second scenario, we modified the wordlist to include 2 users (1 invalid and 1 valid) and 12 passwords (11 invalid and 1 valid).

Bitbucket Password Auditor CAPTCHA checkBitbucket Password Auditor screenshot

The Password Auditor reports that the Bitbucket server activated its CAPTCHA protection. In the Details section, we recommend using the Password Spray attack type or splitting the scan into multiple scans with smaller wordlists.

Bruteforce commands and settings for Hydra and the Password Auditor

Since authentication security varies across different platforms - some using CAPTCHAs, CSRF tokens, or IP-based rate limiting - choosing the right testing approach is essential. These detailed Hydra commands for manual bruteforcing are ready to use, along with steps that demonstrate how the Password Auditor automates credential testing for more efficient, reliable assessments. 


You’ll see how Hydra interacts with authentication defenses and how the Password Auditor captures screenshots and proof of valid credentials to streamline your security audits.