Abusing URL Shorteners to Discover Sensitive Resources or Assets

This method describes how it is possible to recover a number of potentially sensitive or confidential URLs via the Bit.ly SaaS, which is used by a large number of corporations (including those that offer bounties).

X corporation uses the URL shortener domain http://xyz.com. We can check whether it is a Bitly URL shortener service by visiting http://xyz.com/debug. We can then run a directory/file brute force against this URL shortener service to find links that staff at the company have generated through the shortener. For example, using the dirs3arch tool we can brute-force this Bitly endpoint to find URLs that could potentially be sensitive.
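
A company that owns such a shortener domain can check its exposure to this kind of enumeration by auditing its own links. The following is an added example, not part of the original post: it assumes an export of (back-half, destination) pairs from the company's own account, and the sample links, hostname patterns, parameter names and slug rule are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample export of a company's own branded short links
# (back-half, destination); a real export format will differ.
SAMPLE_LINKS = [
    ("careers", "https://www.example.com/jobs"),
    ("q3-plan", "https://docs.example.com/d/1AbC/edit?usp=sharing"),
    ("3xYz9Qa", "https://files.example.com/report.pdf?token=9f8e7d6c5b4a"),
    ("vpn", "https://vpn.corp.example.com/setup"),
    ("2kLmN8p", "https://www.example.com/blog/launch"),
]

# Assumed policy values: adjust to the organisation's own naming and rules.
INTERNAL_HOST = re.compile(r"(^|\.)(corp|intranet|internal|staging|dev)\.", re.I)
SECRET_PARAMS = {"token", "key", "sig", "signature", "auth", "password"}
SENSITIVE_PATH = re.compile(r"/(admin|edit|invite|reset|export)(/|$)", re.I)
RANDOM_SLUG = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[A-Za-z0-9]{7,}$")

def destination_findings(url):
    """Return the reasons a long URL should not sit behind a public short link."""
    parts = urlsplit(url)
    reasons = []
    if INTERNAL_HOST.search(parts.hostname or ""):
        reasons.append("internal-host")
    if SECRET_PARAMS & {k.lower() for k, _ in parse_qsl(parts.query)}:
        reasons.append("secret-in-query")
    if SENSITIVE_PATH.search(parts.path):
        reasons.append("sensitive-path")
    return reasons

def is_guessable(back_half):
    """Custom back-halves (words, short strings) are what a wordlist will hit."""
    return not RANDOM_SLUG.match(back_half)

def audit(links):
    """Return (back_half, guessable, reasons) for every link needing review."""
    report = []
    for back_half, dest in links:
        reasons = destination_findings(dest)
        if reasons:
            report.append((back_half, is_guessable(back_half), reasons))
    # Guessable links first: they are the most exposed to enumeration.
    return sorted(report, key=lambda r: (not r[1], r[0]))

if __name__ == "__main__":
    for back_half, guessable, reasons in audit(SAMPLE_LINKS):
        print(f"{back_half:10} guessable={guessable} {','.join(reasons)}")
```

Links flagged as guessable with a sensitive destination are the first candidates for deletion or for moving the destination behind authentication.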