Localhost disclosure (spreaker.com)

Hi fellas,

I was pentesting spreaker.com and I came across its API, which is api.spreaker.com.

As you know, API subdomains don't have much until you know what to look for ;-)
So I came across it and started making changes to its headers in order to get some interesting results.
I thought to change the "Host:" value in the header, so I changed it to "localhost".

And then, in the message body of the reply, what I got is the localhost. An attacker can map out the network easily, but it seems Spreaker doesn't care.

Here is the video.


Sorry, it was submitted through email as it is an external program.
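A defensive counterpart to the Host header behaviour described in this post, added here as an example and not code from the post or from Spreaker: a WSGI middleware that answers 400 unless the Host header names an allowed host, so a value such as "localhost" never reaches a default or internal virtual host. The host name `api.example.test` and the names `normalize_host`, `HostAllowList`, `demo_app` and `status_for` are assumptions made for illustration.

```python
from wsgiref.util import setup_testing_defaults

# Assumption: the only host name this service should answer for (constructed).
ALLOWED_HOSTS = {"api.example.test"}

def normalize_host(raw):
    """Return the lower-cased host from a Host header value, or None if malformed."""
    if not raw or any(c in raw for c in " \t/@\\"):
        return None
    host = raw.lower()
    if host.startswith("["):  # IPv6 literal such as [::1]:8080
        end = host.find("]")
        if end == -1:
            return None
        name, rest = host[: end + 1], host[end + 1:]
    else:
        name, sep, port = host.partition(":")
        rest = sep + port
    # Anything after the host must be ":<digits>"; otherwise the value is malformed.
    if rest and not (rest.startswith(":") and rest[1:].isdigit()):
        return None
    return name.rstrip(".") or None

class HostAllowList:
    """WSGI middleware: answer 400 unless the Host header names an allowed host."""
    def __init__(self, app, allowed=frozenset(ALLOWED_HOSTS)):
        self.app, self.allowed = app, allowed

    def __call__(self, environ, start_response):
        if normalize_host(environ.get("HTTP_HOST")) not in self.allowed:
            body = b"Bad Request\n"
            start_response("400 Bad Request", [("Content-Type", "text/plain"),
                                               ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)

def demo_app(environ, start_response):  # hypothetical stand-in for the real app
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]

def status_for(host_header):
    """Send one constructed request through the middleware; return the status line."""
    environ, seen = {}, []
    setup_testing_defaults(environ)
    environ["HTTP_HOST"] = host_header
    HostAllowList(demo_app)(environ, lambda status, headers: seen.append(status))
    return seen[0]
```

The same rule can be enforced at the reverse proxy with a catch-all default virtual host that serves nothing; doing it in the application as well covers requests that bypass the proxy.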



  1. Well, that was a virtual host; I didn't know that at the time. If you find something
    like that, try bruteforcing for directories and files; you may find some juicy stuff.

