Now we have this website.

Let’s click on the search.

As shown in the photo below, we found that this page can be accessed without any authentication.

Now let’s see it from source code.

Notice that $_user_location is set to public, which means that the endpoint can be accessed without being authenticated.
Why Publicly Available Endpoints Are Good Attack Vectors?
Now let’s dive deeper into the application.
Now let’s discover all the pages that are available without any authentication.

Now let’s extract the PHP file names and.
grep -rnw /opt/lampp/htdocs/ATutor -e "^.*user_location.*public.*" --color

As we can see, we got all the endpoints that are publicly available.
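
The same search can be turned into a repeatable inventory for whoever maintains the install. This is an added example, not part of the original write-up: it prints only the file names, skips commented-out lines, and reports pages that are public but missing from a reviewed list. The assignment syntax in the pattern, the function names and the baseline file are assumptions.

```shell
#!/bin/sh
# Added example (not from the original write-up).
# Assumption: a page opts out of authentication with a line such as
#     $_user_location = 'public';
# Quote style and spacing may vary; commented-out lines are ignored.

PUBLIC_RE="^[[:space:]]*\\\$_user_location[[:space:]]*=[[:space:]]*['\"]public['\"]"

# list_public_pages ROOT
# Prints the path (relative to ROOT, sorted) of every .php file that
# contains an uncommented assignment of 'public' to $_user_location.
list_public_pages() {
    ( cd "$1" && grep -rlE --include='*.php' "$PUBLIC_RE" . ) \
        | sed 's|^\./||' | sort
}

# new_public_pages ROOT BASELINE
# BASELINE is a reviewed list of intentionally public pages, one relative
# path per line. Prints pages that are public but missing from that list.
new_public_pages() {
    list_public_pages "$1" | grep -vxFf "$2" || true
}

# Usage against the install path used in this write-up, with a
# hypothetical baseline file:
#   list_public_pages /opt/lampp/htdocs/ATutor
#   new_public_pages  /opt/lampp/htdocs/ATutor reviewed_public.txt
```

Running new_public_pages after each upgrade or plugin install shows any page that has become reachable without a login since the list was last reviewed.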