A phishing/spam email promotes a 'free partnership tool' at start.avail.zone. The invite URL passes a domain through a query parameter — what does the server actually do with it? Investigate the request flow and find an abuse path that could turn this 'invite' into something nastier.
Objective: Understand the structure of the invite URL and identify all controllable parameters.
Context: You received the following invite link in an unsolicited email:
https://start.avail.zone/build-connections?website=hintru.com
Your goal is to map out the attack surface before touching any payloads.
Break the URL into its components — scheme, host, path, and query string. Which parts are static and which are attacker-controlled?
The `website` query parameter accepts a domain value supplied entirely by whoever crafted the link. Think about what the server might DO with a domain name it receives.
Try replacing `hintru.com` with a domain you control (e.g. a Burp Collaborator or interactsh URL) and visit the link. Watch for inbound HTTP/DNS callbacks, redirects, or reflected values in the response.
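The decomposition asked for in the first hint, as an added example that is not part of the original challenge: it splits the invite link into scheme, host, path and query, then labels each query value by how a server could interpret it, so that parameters carrying a URL, IP or hostname are listed for review. The names `classify_value` and `map_invite_url` and the `review` field are hypothetical.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Dot-separated DNS labels ending in an alphabetic TLD (simplified check).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)


def classify_value(value):
    """Label a decoded query value by what a server could treat it as."""
    if "://" in value:
        return "url"
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if HOSTNAME_RE.match(value):
        return "hostname"
    return "opaque"


def map_invite_url(url):
    """Split a link into components and list the sender-controlled parameters."""
    parts = urlsplit(url)
    params = [
        {"name": name, "value": value, "kind": classify_value(value)}
        for name, value in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "path": parts.path,
        "params": params,
        # Parameters whose value names a network location deserve a closer look.
        "review": [p["name"] for p in params if p["kind"] != "opaque"],
    }


if __name__ == "__main__":
    # The invite link quoted in the challenge text.
    report = map_invite_url(
        "https://start.avail.zone/build-connections?website=hintru.com"
    )
    for key in ("scheme", "host", "path", "params", "review"):
        print(f"{key}: {report[key]}")
```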