lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Atlassian Bamboo

AtlassianCI/CD6 credentials

Credentials6 documented
01

Database Password

atlassian-bamboo / database-password

Bamboo stores database connection settings for external databases in its home configuration. The database username and password are operator-supplied credentials used by Bamboo to connect to the Bamboo database.

user definedsecretusername/password

Looks like

pattern
pattern

Bamboo database credential pair in XML configuration; values are arbitrary operator-supplied strings

<property name="hibernate\.connection\.username">[^<]+</property>\s*<property name="hibernate\.connection\.password">[^<]*</property>
pattern

database password property in Bamboo configuration; the password value has no product-specific textual shape

<property name="hibernate\.connection\.password">[^<]*</property>

Location

config file
$BAMBOO_HOME/bamboo.cfg.xml

Bamboo home configuration file

build artifact

Bamboo home backups, migration bundles, snapshots, support exports

Notes

Database access can expose build configuration, deployment project metadata, stored credentials metadata, user-directory state, and plugin configuration. Bamboo home backups should be treated as credential-bearing artifacts.

02

Local User / Administrator Password

atlassian-bamboo / local-user-admin-password

Bamboo local users, including administrators created during setup or by operators, authenticate with passwords stored in the configured user directory. For internal directories, password material is database state rather than a plaintext file.

user definedsecretusername/password

Looks like

pattern
pattern

internal-directory password material in Atlassian user tables; the value has no Bamboo-specific textual prefix and is identified by table and column context

cwd_user.*credential
pattern

raw Basic-auth username:password form before Base64 encoding; request context identifies Bamboo

[^\s:@]+:[^\s:]+

Location

database

internal user directory tables, including cwd_user credential data

public interface
/userlogin.action

Bamboo web login for users and administrators

public interface
/rest/api/*

Bamboo REST API Basic authentication in legacy scripts

source code

scripts and integrations that embed Bamboo usernames and passwords

Notes

There is no universal shipped Bamboo administrator password. The setup flow or an operator creates administrator credentials, and later users may be local, LDAP-backed, Crowd-backed, SSO-backed, or externally managed.

03

Personal Access Token

atlassian-bamboo / personal-access-token

Bamboo personal access tokens replace username and password authentication for scripts and external applications. Atlassian documents them as bearer tokens for REST API calls and for downloading artifacts, logs, and agent installers.

user definedsecrettoken

Looks like

example
example

Bamboo documentation shows an opaque base64-like bearer token and does not document a product-specific prefix

NDc4NDkyNDg3ODE3OstHYSeYC1UgXqRacSqvUbookcZk
pattern

bearer-token HTTP header used by Bamboo REST clients

Authorization:\s*Bearer\s+[^\s]+

Location

environment
BAMBOO_TOKEN, BAMBOO_PAT
source code

automation scripts, curl commands, release tooling, CI/CD configs

logs

REST client debug logs when Authorization headers are printed

secret store

deployment-platform and CI/CD secret stores

Notes

A Bamboo PAT carries the creating user's permissions. Admins can revoke tokens, but cannot create tokens on behalf of users according to Atlassian's PAT documentation.

04

Repository / Shared Credential

atlassian-bamboo / repository-credential

Bamboo plans and linked repositories store credentials used to access source-code repositories and other external systems. These include username/password pairs, access tokens, and shared credentials reused by multiple plans.

user definedsecretsecret value

Looks like

pattern
pattern

Bamboo repository or shared-credential field name; the actual stored value is arbitrary and is identified by credential context

(password|passphrase|token|accessKey|secretKey)

Location

database

Bamboo plan, repository, and shared-credential records

source code

Bamboo Specs repositories and deployment scripts

secret store

Bamboo shared credentials and linked repository authentication

build artifact

Bamboo exports and database backups

Notes

Credentials stored for repository polling and checkout often reach outside Bamboo into Bitbucket, GitHub, GitLab, artifact repositories, container registries, and deployment targets. A leaked Bamboo database or export can therefore expose credentials for many downstream systems.

05

SSH Private Key

atlassian-bamboo / ssh-private-key

Bamboo can use SSH keys for linked repositories, deployments, and remote systems reached by build tasks. The private key is the secret half of the credential and may be stored in Bamboo or on build agents.

user definedsecretkey pair

Looks like

pattern
pattern

identified by the PEM/OpenSSH private-key header; full private keys are multi-line and not useful as compact specimens

-----BEGIN (OPENSSH|RSA|EC|DSA) PRIVATE KEY-----

Location

secret store

Bamboo shared credentials and linked repository credentials

config file
~/.ssh/id_*, ~/.ssh/*_bamboo*

Bamboo server and remote agent filesystems

source code

accidentally committed deployment keys in Bamboo Specs repositories

build artifact

job artifacts, logs, or exports that accidentally include key files

Notes

The key's blast radius is determined by the systems that trust the public key: source repositories, deployment hosts, artifact stores, or cloud infrastructure used by Bamboo jobs.

06

Build / Deployment Variable Secret

atlassian-bamboo / build-variable-secret

Bamboo variables can be referenced by plans, jobs, tasks, and deployments. Operators frequently place passwords, tokens, and API keys in Bamboo variables or password fields for build and deployment use.

user definedsecretsecret value

Looks like

pattern
pattern

Bamboo variable reference in task fields or scripts; the expanded value may be a secret even though the reference itself is not

\$\{bamboo\.[A-Za-z0-9_.-]+\}

Location

database

Bamboo global, project, plan, and deployment variable storage

source code

Bamboo Specs repositories and scripts using ${bamboo.*} variables

logs

build logs when tasks echo expanded variables

Notes

Atlassian documents that variables are used in task fields and that password fields are treated specially. Secret values still leak when copied into scripts, echoed by jobs, written to artifacts, or exported through backups.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.