localhost disclosure(spreaker.com)

Hi fellas,

i was pentesting on spreaker.com and i came across its api which is api.spreaker.com

as you know api subdomain don't have much untill you know what to look for ;-)
so i came across it and started doing changes to its header in order to get some interesting results
so i thought to change the
"host:" values in the header so i changed it to "localhost"

and then in the message body over reply i got is the localhost.. a attacker can map out the network easily but seems spreaker don't care

here is the video


sorry it was submitted through email as it is an external program.



Popular Posts