Quality · the part nobody markets
Category 1 · HTTP response
Catch-all hosts: two random paths return identical 200 bodies, so the server answers everything. We canary every host before trusting a hit.
Single-page apps serve index.html for every route, including /.env and /.git/config. A 200 with a text/html content-type for a dotfile is the router answering, not the raw file.
A /credentials.json that comes back as a tiny error blob, {"error":true} (14 bytes) or {"success":"false"}, is an API error, not exposed credentials.
HTML 404 pages served with status 200, and Cloudflare "Just a moment..." interstitials. Both look like content; neither is.
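The triage above, written out as an added example (not the scanner's own code): canary two random paths, fingerprint the catch-all body, then reject SPA-routed dotfiles, interstitials, soft 404s and JSON error blobs. It runs on captured responses rather than live HTTP, and every response, path and header in it is constructed for the demo; the dotfile probe list is an assumption.

```python
"""Triage a 'sensitive file' hit against the host's own catch-all behaviour.

Added example, not the scanner's code. It works on captured responses
(status, headers, body) so it runs offline; every response below is
constructed for the demo, not recorded from a real host.
"""
import hashlib
import json
import re
from dataclasses import dataclass, field

CF_INTERSTITIAL = re.compile(rb"<title>\s*Just a moment", re.I)
SOFT_404_TITLE = re.compile(rb"<title>[^<]*(?:404|not found)[^<]*</title>", re.I)
TEXT_PROBES = (".env", ".git/config", ".htpasswd", "id_rsa")   # assumption: probes that are never legitimately HTML
JSON_ERROR_KEYS = {"error", "errors", "success", "message", "status", "code"}


@dataclass
class Response:
    path: str
    status: int
    body: bytes
    headers: dict = field(default_factory=dict)

    def content_type(self) -> str:
        return self.headers.get("content-type", "").split(";")[0].strip().lower()


def fingerprint(resp: Response) -> str:
    """Hash the body with digit runs removed, so a catch-all page that embeds a
    nonce or timestamp still collides with itself across requests."""
    return hashlib.sha256(re.sub(rb"\d+", b"", resp.body)).hexdigest()


def catch_all_fingerprints(canaries: list[Response]) -> set[str]:
    """Two or more random, non-existent paths answered 200 with one identical body
    means the host answers everything; return that body's fingerprint."""
    ok = [fingerprint(c) for c in canaries if c.status == 200]
    return set(ok) if len(ok) >= 2 and len(set(ok)) == 1 else set()


def is_json_error_blob(body: bytes) -> bool:
    """A tiny JSON object whose keys are all error/status-style, e.g. {"error":true}."""
    if len(body) > 64:
        return False
    try:
        obj = json.loads(body)
    except ValueError:
        return False
    return isinstance(obj, dict) and len(obj) > 0 and set(obj) <= JSON_ERROR_KEYS


def classify(hit: Response, canaries: list[Response]) -> str:
    """'real', or the reason the hit is discarded."""
    if hit.status != 200:
        return "not-200"
    if fingerprint(hit) in catch_all_fingerprints(canaries):
        return "catch-all-host"
    if hit.path.endswith(TEXT_PROBES) and hit.content_type() == "text/html":
        return "spa-router-html"          # index.html served for /.env: the router, not the file
    if CF_INTERSTITIAL.search(hit.body):
        return "cloudflare-interstitial"
    if SOFT_404_TITLE.search(hit.body):
        return "soft-404"                 # an HTML 404 page sent with status 200
    if hit.path.endswith(".json") and is_json_error_blob(hit.body):
        return "json-error-blob"
    return "real"


# Constructed samples: the SPA shell a catch-all host returns for every path.
SPA_SHELL = b'<!doctype html><html><head><title>App</title></head><body><div id="root"></div><script src="/assets/index-7f3a.js"></script></body></html>'
HTML = {"content-type": "text/html; charset=utf-8"}
CATCH_ALL_CANARIES = [Response("/q8zf2k1x", 200, SPA_SHELL, HTML), Response("/m3vt9p0d", 200, SPA_SHELL, HTML)]
NORMAL_CANARIES = [Response("/q8zf2k1x", 404, b"Not Found"), Response("/m3vt9p0d", 404, b"Not Found")]

if __name__ == "__main__":
    for hit, canaries in [
        (Response("/.env", 200, SPA_SHELL, HTML), CATCH_ALL_CANARIES),
        (Response("/credentials.json", 200, b'{"error":true}', {"content-type": "application/json"}), NORMAL_CANARIES),
        (Response("/.env", 200, b"DB_PASSWORD=hunter2\n", {"content-type": "text/plain"}), NORMAL_CANARIES),
    ]:
        print(f"{hit.path:20} {classify(hit, canaries)}")
```

The order of checks matters: the catch-all comparison runs first because a host that returns the same body for everything makes every later heuristic meaningless, and the content-type check is only applied to paths that can never legitimately be HTML.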
Category 2 · "secrets" that are public by design
The Sentry browser SDK requires the DSN in client JS. It's public by design; all it grants is the ability to send events to that project.
Vite only exposes env vars with the VITE_ prefix to client code, and it inlines them into the shipped bundle on purpose. A VITE_-prefixed value is public by framework design (NEXT_PUBLIC_ and REACT_APP_ follow the same convention).
The apiKey in a firebaseConfig is not a secret. Firebase's own docs say so: it identifies the project, and access is governed by the project's security rules. Filtered when seen in config context, next to authDomain and projectId.
Key-shaped strings inside the sentry-cdn, Google Analytics, Stripe.js and other third-party bundles are those vendors' own identifiers, not the app's secrets.
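The same four filters as working code, added here as an example (not the scanner's own code): the verdict turns on the variable name, the surrounding config and the URL the bundle was fetched from, not on the token's shape alone. The bundle excerpt, URLs and the vendor host list are constructed and assumed for the demo.

```python
"""Context-aware triage of key-shaped strings pulled out of client-side JS.

Added example, not the scanner's code. The verdict depends on *where* the
token sits (the variable it is assigned to, the surrounding config, and the
URL the bundle came from), because a Firebase web apiKey and a real server
credential can have the same shape. The sample bundle text and URLs are
constructed for the demo.
"""
import re
from urllib.parse import urlparse

# name: "value" / name = value pairs with a long token on the right-hand side
KEY_ASSIGNMENT = re.compile(r"""(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*[:=]\s*["']?(?P<value>[^"'\s,;{}]{24,})""")
SENTRY_DSN = re.compile(r"https://[0-9a-f]{32}@o\d+\.ingest(?:\.[a-z]{2})?\.sentry\.io/\d+")
GOOGLE_API_KEY = re.compile(r"AIza[0-9A-Za-z_-]{35}")
FIREBASE_CONTEXT = re.compile(r"firebaseConfig|initializeApp\s*\(|authDomain|projectId|messagingSenderId")
PUBLIC_ENV_PREFIXES = ("VITE_", "NEXT_PUBLIC_", "REACT_APP_")   # inlined into the bundle by the build tool
THIRD_PARTY_BUNDLE_HOSTS = (                                   # assumption: vendor CDNs whose keys are theirs, not the app's
    "browser.sentry-cdn.com", "js.sentry-cdn.com",
    "www.googletagmanager.com", "www.google-analytics.com", "js.stripe.com",
)


def in_firebase_config(text: str, pos: int, window: int = 300) -> bool:
    """True when other firebaseConfig fields sit within `window` chars of the token."""
    return FIREBASE_CONTEXT.search(text[max(0, pos - window): pos + window]) is not None


def classify_token(name: str, value: str, text: str, pos: int, source_url: str) -> tuple[str, str]:
    """Return ('public', why) for by-design public values, ('review', why) otherwise."""
    host = (urlparse(source_url).hostname or "").lower()
    if host.endswith(THIRD_PARTY_BUNDLE_HOSTS):
        return "public", "inside a third-party vendor bundle, not the app's secret"
    if SENTRY_DSN.fullmatch(value):
        return "public", "Sentry DSN; the browser SDK needs it in client JS"
    if name.startswith(PUBLIC_ENV_PREFIXES):
        return "public", f"{name} is inlined into the bundle by framework design"
    if name == "apiKey" and GOOGLE_API_KEY.fullmatch(value) and in_firebase_config(text, pos):
        return "public", "Firebase web apiKey in config context; not a secret per Firebase docs"
    return "review", "key-shaped string outside any known public-by-design context"


def scan_bundle(text: str, source_url: str) -> list[dict]:
    """Every long assignment-shaped token in `text`, each with its verdict and reason."""
    findings = []
    for m in KEY_ASSIGNMENT.finditer(text):
        verdict, reason = classify_token(m["name"], m["value"], text, m.start("value"), source_url)
        findings.append({"name": m["name"], "value": m["value"], "verdict": verdict, "reason": reason})
    return findings


# Constructed bundle excerpt: three by-design public values and one that deserves a look.
SAMPLE_BUNDLE = """
Sentry.init({dsn:"https://0123456789abcdef0123456789abcdef@o123456.ingest.sentry.io/4501234"});
const firebaseConfig={apiKey:"AIzaSyA1B2C3D4E5F6G7H8I9J0K1L2M3N4O5P6R",authDomain:"demo.firebaseapp.com",projectId:"demo"};
const env={VITE_MAPS_KEY:"pk_constructed_0123456789abcdefghij"};
const client=new Api({INTERNAL_TOKEN:"sk_live_constructed_example_value_0000000000"});
"""

if __name__ == "__main__":
    for f in scan_bundle(SAMPLE_BUNDLE, "https://app.example.com/assets/index-7f3a.js"):
        print(f"{f['verdict']:7} {f['name']:15} {f['reason']}")
```

Note that the Firebase rule is deliberately narrow: the same AIza-shaped value assigned to `apiKey` with no firebaseConfig fields nearby is not cleared, because outside that context the token could be a server-side Google API key.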
Categories 3 to 5 · takeover, database, infra, contracts
A finding on a *.digitaloceanspaces.com / *.herokuapp.com hostname belongs to whichever customer created it, not to the provider, so when the provider is the target it's out of scope.
A dangling CNAME to Fastly or Magento Cloud isn't claimable without an existing account with that vendor, so it's theoretical, not exploitable. Only vendors where anyone can self-signup and bind the hostname stay HIGH.
Port 3306 open but the server's first packet is ERROR 1130 "Host X is not allowed to connect" = the daemon is reachable, but its host ACL rejects us before authentication begins. Reachable, not exposed. We only flag when the server sends the real protocol handshake greeting.
WHM on :2087 is the standard cPanel/WHM port; every shared-hosting cPanel server has it. Not a finding on its own.
MakerDAO-style _rpow / _rmul use n % 2 to test the low bit during exponentiation by squaring, not to derive randomness. A perennial Slither false positive.
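The MySQL distinction above (reachable versus exposed), as an added example that is not the scanner's own code: the first packet a MySQL server sends is either a HandshakeV10 greeting, meaning it will let this client attempt authentication, or an ERR packet sent in place of the greeting, such as 1130 for a host the ACL rejects. Only the greeting is flagged. The packet bytes are built to the wire format for the demo, not captured from a live server, and 203.0.113.7 is a documentation address.

```python
"""Classify the first packet a MySQL server sends after TCP connect on 3306.

Added example, not the scanner's code. A server willing to authenticate this
client opens with a HandshakeV10 greeting (protocol byte 0x0a, then its version
string); a server whose host ACL rejects the client sends an ERR packet instead
(0xff, 2-byte error code, message), e.g. 1130 "Host ... is not allowed to connect".
Only the greeting is treated as a finding. The packets below are built to the
wire format for the demo, not captured from a live server.
"""
import struct

ERR_HOST_NOT_PRIVILEGED = 1130   # MySQL: "Host '%s' is not allowed to connect to this MySQL server"


def build_packet(seq: int, payload: bytes) -> bytes:
    """MySQL packet framing: 3-byte little-endian payload length, 1-byte sequence id."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


def read_packet(raw: bytes) -> tuple[int, bytes]:
    """Split one framed packet into (sequence id, payload), refusing short reads."""
    if len(raw) < 4:
        raise ValueError("short packet header")
    length = int.from_bytes(raw[:3], "little")
    payload = raw[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    return raw[3], payload


def classify_greeting(raw: bytes) -> dict:
    """Return what the server's first packet tells us and whether it is a finding."""
    _, payload = read_packet(raw)
    if not payload:
        return {"kind": "empty", "flag": False}
    if payload[0] == 0xFF:                               # ERR packet sent instead of a greeting
        code = struct.unpack_from("<H", payload, 1)[0]
        rest = payload[3:]
        if rest[:1] == b"#":                             # optional '#' + 5-char SQLSTATE
            rest = rest[6:]
        return {
            "kind": "error",
            "code": code,
            "message": rest.decode("utf-8", "replace"),
            "flag": False,                               # reachable, but the host ACL stopped us before auth
        }
    if payload[0] == 0x0A:                               # HandshakeV10 greeting
        end = payload.index(b"\x00", 1)                  # version string is NUL-terminated
        return {
            "kind": "handshake",
            "server_version": payload[1:end].decode("ascii", "replace"),
            "connection_id": struct.unpack_from("<I", payload, end + 1)[0],
            "flag": True,                                # the server let us into authentication: exposed
        }
    return {"kind": "unknown", "first_byte": payload[0], "flag": False}


# Constructed packets. 203.0.113.7 is a documentation address.
HOST_NOT_ALLOWED = build_packet(
    0, b"\xff" + struct.pack("<H", ERR_HOST_NOT_PRIVILEGED)
    + b"Host '203.0.113.7' is not allowed to connect to this MySQL server")
HANDSHAKE_V10 = build_packet(
    0, b"\x0a" + b"8.0.36\x00" + struct.pack("<I", 42)   # protocol 10, version, connection id
    + b"abcdefgh" + b"\x00"                               # auth-plugin-data part 1, filler
    + struct.pack("<H", 0xFFFF) + b"\xff" + struct.pack("<H", 0x0002))  # capabilities (low), charset, status

if __name__ == "__main__":
    for name, pkt in [("host-not-allowed", HOST_NOT_ALLOWED), ("greeting", HANDSHAKE_V10)]:
        r = classify_greeting(pkt)
        print(f"{name:17} flag={r['flag']} {r}")
```

In practice the scanner would feed `classify_greeting` the first `recv()` after connecting; the parser stops at the fields needed for the decision and does not continue into capability negotiation.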