A phishing/spam email promotes a 'free partnership tool' at start.avail.zone. The invite URL passes a domain through a query parameter — what does the server actually do with it? Investigate the request flow and find an abuse path that could turn this 'invite' into something nastier.
Objective: Construct a weaponised invite URL that redirects a victim from the trusted avail.zone domain to an attacker-controlled page.
Context: Legitimate-looking links that start with a known domain (start.avail.zone) are far more convincing in phishing campaigns. If the `website` parameter causes a redirect, an attacker can abuse this from behind the trusted domain name.
Think about what a victim sees in their email or chat: they hover over the link and see start.avail.zone — a domain that may appear trustworthy. What happens after they click?
Test whether supplying a full URL (including scheme) in the `website` parameter causes the application to redirect there, e.g. `website=https://evil.com`.
Try the following URL and observe where your browser ends up:
https://start.avail.zone/build-connections?website=https://evil.com
Also test with `//evil.com` (protocol-relative) if the full URL is sanitised.
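For the defender's side of this lab, here is the unsafe pattern the step above probes (the `website` value is used as the redirect target unchanged) beside a hardened version that only accepts same-site paths. This is an added example, not code from the lab or from avail.zone; the trusted origin comes from the page, while the allowed-host set and the default landing path are assumptions.

```python
from urllib.parse import urlsplit, urljoin

TRUSTED_ORIGIN = "https://start.avail.zone"   # origin named on the page
ALLOWED_HOSTS = {"start.avail.zone"}          # assumption: hosts the app may send users to
DEFAULT_PATH = "/build-connections"           # assumption: fallback when the value is rejected


def vulnerable_redirect_target(website: str) -> str:
    """Open-redirect pattern: whatever arrives in ?website= becomes the Location header."""
    return website


def safe_redirect_target(website: str) -> str:
    """Accept only a same-site relative path; anything else falls back to DEFAULT_PATH.

    Rejects absolute URLs (https://evil.com), protocol-relative URLs (//evil.com),
    backslash variants (/\\evil.com, which browsers treat as //evil.com) and
    scheme-bearing values such as javascript:.
    """
    if not website:
        return DEFAULT_PATH
    candidate = website.replace("\\", "/")        # browsers normalise \ to /
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:              # any scheme or host means off-site
        return DEFAULT_PATH
    if not candidate.startswith("/") or candidate.startswith("//"):
        return DEFAULT_PATH                       # must be a single-slash local path
    resolved = urljoin(TRUSTED_ORIGIN + "/", candidate)
    if urlsplit(resolved).netloc not in ALLOWED_HOSTS:
        return DEFAULT_PATH                       # belt-and-braces host check after resolution
    return resolved


if __name__ == "__main__":
    for value in ("https://evil.com", "//evil.com", "/\\evil.com",
                  "javascript:alert(1)", "/partners?ref=123"):
        print(f"{value!r:24} unsafe -> {vulnerable_redirect_target(value)!r:24} "
              f"safe -> {safe_redirect_target(value)!r}")
```

Returning a fixed local path on rejection (rather than echoing the value back) also keeps the rejected input out of the response, which is the behaviour to look for when verifying a fix for this lab.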