================================================================================
BURKINA FASO BANKING/FINANCE PROBE - ROUND 2
Date: 2026-03-04
Probed from: External (US-based, no proxy)
================================================================================

EXECUTIVE SUMMARY
=================

15 domains probed. 5 domains are unreachable (DNS NXDOMAIN or timeout).
Of the 10 reachable targets, CRITICAL findings on 3 targets:

[CRITICAL] sbiftrade.bf - Full WCF WSDL exposed (161KB), unauthenticated BRVM
           stock market data dump, SQL error stack traces with table names
[CRITICAL] mail.rcpb.bf / autodiscover.rcpb.bf - Exchange Server 2019 CU14 fully
           fingerprinted, internal FQDN leaked, all health endpoints open
[HIGH]     webmail.corisbank.bf - Roundcube 1.6.10 on nginx/PHP 8.3.30, Apache
           backend leaking server name, health endpoint exposed
[MEDIUM]   societegenerale.bf - TYPO3 CMS behind Imperva WAF, extension paths
           disclosed in robots.txt, CSP nonce visible
[MEDIUM]   ecobank.com - CSP headers leak 13+ internal/dev infrastructure URLs
           including Azure, Oracle Cloud, S3 buckets, UAT environments
[LOW]      sbifbourse.bf - Wix-hosted, Wix API session tokens exposed
[LOW]      sbiftrade.bf homepage - IIS/10.0, ASP.NET 4.0.30319

================================================================================
DOMAIN-BY-DOMAIN RESULTS
========================

1. bacb.bf (Banque Agricole et Commerciale)
   Status: DNS NXDOMAIN - Domain does not exist
   Files: DUMP/BACB/

2. cbaofaso.bf (Commercial Bank of Africa)
   Status: DNS resolves but connection timeout on both HTTP/HTTPS
   IP: Resolved (Comcast DNS)
   Files: DUMP/CBAOFASO/

3. apbef-b.net.bf (Banking association)
   Status: DNS NXDOMAIN - Domain does not exist
   Files: DUMP/APBEF/

4. sbifbourse.bf (SBIF - Stock broker)
   Status: LIVE - Wix-hosted site
   Redirect: sbifbourse.bf -> https://www.sbifbourse.bf/
   Server: Pepyaka (Wix CDN), Varnish cache, Fastly CDN
   Site ID: 81c6b934-f0a6-48d2-842c-85b7ad871272
   Created: 2017-06-21
   Owner ID: acbfffd6-cc40-4a26-aa5d-64aaf5388bd1
   Findings:
   - robots.txt: Standard Wix robots.txt
   - sitemap.xml: 200 OK
   - /_api/v2/dynamicmodel: Returns full Wix session data including:
     * visitorId, svSession token, ctToken, mediaAuthToken (JWT)
     * App instance tokens with metaSiteId
     * Multiple app definitions with access tokens
   - Wix platform - no server-side vulns to probe
   Severity: LOW
   Files: DUMP/SBIFBOURSE/

5. sbiftrade.bf (SBIF Trading Platform) *** CRITICAL ***
   Status: LIVE - Full stock trading web application
   Server: Microsoft-IIS/10.0
   Framework: ASP.NET 4.0.30319, WCF Service
   SSL: Valid for www.sbiftrade.bf

   FINDINGS:

   a) WCF Service WSDL FULLY EXPOSED (161,227 bytes):
      - https://www.sbiftrade.bf/SBIFTradeServer/Service.svc?singleWsdl
      - https://www.sbiftrade.bf/SBIFTradeServer/Service.svc?wsdl
      - Complete API contract for the trading platform
      - tempuri.org namespace (default, not customized)

   b) 30+ REST endpoints responding to unauthenticated GET requests:
      Service.svc/Auth                           -> 200 (returns error msg)
      Service.svc/Ping                           -> 200 ("0###")
      Service.svc/GetMarketSnapshot              -> 200 *** LIVE DATA ***
      Service.svc/GetListOfIndicators            -> 200 *** LIVE DATA ***
      Service.svc/GetAppVersion                  -> 200 *** STACK TRACE ***
      Service.svc/Modif_ORDRES                   -> 200
      Service.svc/Nouvelle_COTATION              -> 200
      Service.svc/SICAV_LISTE                    -> 200
      Service.svc/cancelOrdreFIX                 -> 200
      Service.svc/f_AJORDRE                      -> 200
      Service.svc/getDetailsOBL                  -> 200
      Service.svc/getQteExecutee                 -> 200
      Service.svc/getTitresOBL                   -> 200
      Service.svc/get_ETAT_MARCHE                -> 200
      Service.svc/get_HIST_ORDRES                -> 200
      Service.svc/get_TITRES_RECH                -> 200
      Service.svc/get_Titres                     -> 200
      Service.svc/get_Titres_VENTE               -> 200
      Service.svc/get_qte_res_titre_vente        -> 200
      Service.svc/get_type_titre                 -> 200
      Service.svc/navigation_ordre               -> 200
      Service.svc/qte_PORTEFEUILLE               -> 200
      Service.svc/rech_ord_avancee               -> 200
      Service.svc/rechercherOrdre                -> 200
      Service.svc/rechercher_Ordre_specifiq      -> 200
      Service.svc/refreshSession                 -> 200
      Service.svc/supprimer_ordre                -> 200
      Service.svc/updateSessionCpt               -> 200
      Service.svc/update_my_list_for_all_Account -> 200
      Service.svc/validerLimitesOrd              -> 200
      Service.svc/verifMoyenneMontantOrd         -> 200

   c) LIVE MARKET DATA DUMP (unauthenticated):
      GetMarketSnapshot returns:
      - BRVM-10 index data (Jan-Mar 2026, daily)
      - BRVM Composite index data
      - All 11 BRVM indices with current prices
      - 48 listed equities with: closing price, opening price, previous close,
        variation, volume
      - Top 5 buyers, Top 5 highs, Top 5 volumes
      - Full stock ticker with all securities
      - Bond listings (government bonds from BF, Mali, Senegal, Togo)
      - Market status ("Marche Ferme")
      Notable: Includes Burkina Faso sovereign bonds (TPBF.O10-O15)

   d) SQL ERROR / STACK TRACE DISCLOSURE:
      GetAppVersion leaks:
      - SQL table name: 'appversions' (invalid/missing table)
      - Full .NET stack trace: Service.GetAppVersion -> SyncInvokeGetAppVersion
      - System.ServiceModel.Dispatcher internal paths

   e) CLIENT-SIDE SECURITY ISSUES:
      - jQuery 1.11.0 (2014, multiple known CVEs)
      - CryptoJS v3.1.2 (2013, outdated)
      - SHA1 password hashing (weak)
      - Localhost URL in comments: "http://localhost:52237/"
      - ASP.NET_SessionId cookie: HttpOnly but NOT Secure flag
      - SameSite=Lax only

   f) IIS default page exposed:
      /iisstart.htm   -> 200
      /aspnet_client/ -> 403 (exists)
      /trace.axd      -> 403 (exists, ASP.NET tracing)

   Severity: CRITICAL
   Files: DUMP/SBIFTRADE/
   Key files:
   - Service.singleWsdl.xml (161KB full API contract)
   - Service.wsdl.xml (66KB)
   - data_GetMarketSnapshot.json (live market data)
   - data_GetListOfIndicators.json
   - endpoint-data.txt (all endpoint responses)
   - js-source.txt (6498 lines of JS source)
   - api-endpoints.txt (extracted API URLs)
   - stack-trace.txt (error messages + traces)

6. sportcash.bf (Betting/finance)
   Status: DNS fails / Server failed
   Files: DUMP/SPORTCASH/

7. ecobank.com/bf (Ecobank Burkina)
   Status: LIVE - Large multinational bank website
   Server: (blank SERVER header)
   Framework: ASP.NET (WebResource.axd, ScriptResource.axd in robots.txt)
   Security: HSTS preload, HPKP, CSP, X-Frame-Options, X-XSS-Protection
   CORS: Access-Control-Allow-Origin: https://edctradingportal.ecobank.com

   FINDINGS:

   a) CSP HEADERS LEAK INTERNAL INFRASTRUCTURE:
      - cisback.aznresearch.com (CIS backend)
      - azncis.aznresearch.com
      - cisecobackend.azurewebsites.net (Azure)
      - cisecoapi.aznresearch.com
      - azncis.azurewebsites.net (Azure)
      - ecobankbi.aznresearch.com (BI tool)
      - fintech.aznresearch.com
      - ecobank.fa-emqf-dev1-saasfaprod1.fa.ocs.oraclecloud.com (Oracle Cloud HCM)
      - ecobankeco.s3.amazonaws.com (S3 bucket - 403)
      - appsuat.ecobank.com (UAT environment - LIVE, 200)
      - edctradingportal.ecobank.com (Trading portal - LIVE, 200)
      - ice.ecobank.com (timeout)
      - digitalonline.ecobank.com (404)

   b) edctradingportal.ecobank.com:
      Live trading portal with F5 ASM bot protection (Shape/ThreatMetrix JavaScript)
      47KB login page, multiple session cookies

   c) /.well-known/openid-configuration -> 500 (server error)

   d) robots.txt discloses: /js/, /upload/, WebResource.axd, ScriptResource.axd

   Severity: MEDIUM
   Files: DUMP/ECOBANK-BF/

8. societegenerale.bf (Societe Generale Burkina Faso)
   Status: LIVE
   Server: nginx (behind Imperva WAF)
   CMS: TYPO3 (version not explicitly disclosed)
   CDN: Imperva (X-CDN: Imperva)
   Backend: x-from: slumberland-prod-front01, slumberland-prod-front02
   Cookies: SERVERID=f0/f1, visid_incap_3119943, incap_ses_197_3119943

   FINDINGS:

   a) TYPO3 PATHS CONFIRMED:
      /typo3/                             -> 403
      /typo3/login                        -> 403
      /typo3/index.php                    -> 403
      /typo3conf/                         -> 403
      /typo3conf/LocalConfiguration.php   -> 200 (empty body, PHP executed)
      /typo3conf/ext/                     -> 403
      /typo3temp/                         -> 403
      /fileadmin/                         -> 403
      /uploads/                           -> 403
      /typo3/sysext/                      -> 302

   b) EXTENSIONS DISCLOSED:
      - bi_template (custom SG template)
      - powermail (form plugin)
      - ps_quantumsearch (search plugin)
      - bi_sg_implantations (from robots.txt)
      - tx_bisgslider (slider plugin, from HTML)

   c) robots.txt DISCLOSES:
      - /typo3conf/ext/bi_sg_implantations/res/ultimate_flash_map_killer.js
      - /typo3conf/ext/bi_sg_implantations/res/lib/polregi.lib
      - Blocks MJ12bot, BLP_bbot, Ezooms

   d) CSP nonce visible in HTML: nonce-XF/eqC9ApcZfTLtsbxik+A==
      (Not a vuln per se, but indicates server-side nonce generation)

   e) /.git/HEAD -> 403, /.env -> 403 (blocked but paths exist)
      /wp-login.php -> 403 (WAF blocking)

   f) Piwik Pro analytics: sgss.piwik.pro, client.containers.piwik.pro
      Mouseflow: cdn.mouseflow.com
      Botnation chatbot: chatbox.botnation.ai

   Severity: MEDIUM
   Files: DUMP/SOCIETEGENERALE/

9. fidelisfinance.bf
   Status: DNS timeout - Unreachable
   Files: DUMP/FIDELISFINANCE/

10. ebanking.bacb.bf (e-banking portal)
    Status: DNS NXDOMAIN - Domain does not exist (parent bacb.bf also NXDOMAIN)
    Files: DUMP/EBANKING-BACB/

11. webmail.corisbank.bf *** HIGH ***
    Status: LIVE - Roundcube Webmail
    Server: nginx (frontend) + Apache (backend, leaked in 403 pages)
    PHP: 8.3.30
    Roundcube: Version 1.6.10 (rcversion: 10610 in JavaScript env)
    Skin: elastic
    SSL: Valid, HSTS enabled

    FINDINGS:

    a) ROUNDCUBE VERSION CONFIRMED: 1.6.10
       rcversion:10610 in rcmail.set_env() JavaScript
       Session token visible: request_token in HTML source

    b) APACHE BACKEND LEAKED IN 403 PAGES:
       "Apache Server at webmail.corisbank.bf Port 443"
       (nginx is reverse proxy, Apache is backend)

    c) /?_task=utils&_action=health -> 200 (health check endpoint)

    d) DIRECTORY STRUCTURE CONFIRMED (all 403):
       /skins/, /plugins/, /config/, /logs/, /temp/, /program/
       /CHANGELOG, /CHANGELOG.md, /README.md, /INSTALL
       /SQL/, /composer.json, /composer.lock, /public_html/

    e) Session cookie: roundcube_sessid, secure + HttpOnly
       Session lifetime: 600 seconds

    f) /.git/HEAD -> 403, /.env -> 403 (blocked)

    g) Roundcube 1.6.10 is latest stable as of probe date
       However, PHP 8.3.30 + exposed health endpoint + Apache version leak
       provide fingerprinting surface

    Severity: HIGH (banking webmail, detailed fingerprinting possible)
    Files: DUMP/WEBMAIL-CORISBANK/

12. mail.cbaofaso.bf
    Status: DNS resolves (196.28.240.187) but connection timeout
    Files: DUMP/MAIL-CBAOFASO/

13. autodiscover.cbaofaso.bf
    Status: DNS resolves (196.28.240.187) but connection timeout
    Files: DUMP/AUTODISCOVER-CBAOFASO/

14. intranet.rcpb.bf
    Status: DNS NXDOMAIN - Domain does not exist
    Files: DUMP/INTRANET-RCPB/

15. autodiscover.rcpb.bf / mail.rcpb.bf *** CRITICAL ***
    Status: LIVE - Microsoft Exchange Server 2019
    Server: Microsoft-IIS/10.0, Microsoft-HTTPAPI/2.0
    Exchange Version: 15.2.1748.26 (Exchange 2019 CU14 - Feb 2024)
    Internal FQDN: VM-FCPB-MAIL.RCPB.LAN
    Internal hostname: VM-FCPB-MAIL
    ASP.NET: 4.0.30319

    FINDINGS:

    a) INTERNAL HOSTNAME/FQDN LEAKED IN EVERY RESPONSE:
       x-feserver: VM-FCPB-MAIL
       x-calculatedbetarget: vm-fcpb-mail.rcpb.lan
       x-beserver: VM-FCPB-MAIL
       x-diaginfo: VM-FCPB-MAIL
       Health endpoints: "200 OK
                          VM-FCPB-MAIL.RCPB.LAN"

    b) EXCHANGE VERSION PRECISELY IDENTIFIED:
       x-owa-version: 15.2.1748.26
       OWA auth path: /owa/auth/15.2.1748/
       This is Exchange Server 2019 CU14 (February 2024)
       IMPORTANT: CU14 is NOT the latest. CU15 (June 2024) and later security
       updates exist. Potential CVE exposure.

    c) ALL HEALTH ENDPOINTS EXPOSED (unauthenticated, 200 OK):
       /owa/healthcheck.htm                       -> 200 OK + VM-FCPB-MAIL.RCPB.LAN
       /ews/healthcheck.htm                       -> 200 OK + VM-FCPB-MAIL.RCPB.LAN
       /ecp/healthcheck.htm                       -> 200 OK + VM-FCPB-MAIL.RCPB.LAN
       /mapi/healthcheck.htm                      -> 200 OK + VM-FCPB-MAIL.RCPB.LAN
       /Microsoft-Server-ActiveSync/healthcheck.htm -> 200 OK + FQDN

    d) FULL OWA LOGIN PAGE ACCESSIBLE:
       https://mail.rcpb.bf/owa/auth/logon.aspx
       28KB login page, fully rendered

    e) EXCHANGE ADMIN CENTER (ECP) LOGIN PAGE ACCESSIBLE:
       https://mail.rcpb.bf/ecp/
       Redirects to logon.aspx (28KB)
       Title: "Exchange Admin Center"

    f) AUTHENTICATION MECHANISMS DISCLOSED:
       EWS:          NTLM + Negotiate (Kerberos)
       OAB:          NTLM + Negotiate
       MAPI:         NTLM + Negotiate
       ActiveSync:   Basic realm="mail.rcpb.bf"
       RPC:          NTLM + Basic realm="mail.rcpb.bf" + Negotiate
       Autodiscover: NTLM + Basic + Negotiate + OAuth enabled

    g) ADDITIONAL PROTOCOL FLAGS:
       x-oauth-enabled: True
       x-soap-enabled: True
       x-wssecurity-enabled: True
       x-wssecurity-for: None

    h) autodiscover.rcpb.bf JSON endpoint returns 500 with:
       jsonerror: true
       X-BackEndCookie set/cleared

    i) ALL EXCHANGE SERVICES CONFIRMED RUNNING:
       OWA:        302 -> logon (working)
       ECP:        302 -> logon (working)
       EWS:        401 (auth required, service running)
       OAB:        401 (auth required, service running)
       ActiveSync: 401 (auth required, service running)
       MAPI:       401 (auth required, service running)
       RPC:        401 (auth required, service running)

    Severity: CRITICAL
    Risk: Exchange 2019 CU14 is behind on patches. ProxyLogon/ProxyShell/OWASSRF
    family of CVEs affect Exchange 2019. CU14 without latest SU may be vulnerable
    to CVE-2024-21410 (NTLM relay), CVE-2024-26198 (RCE). Full infrastructure
    fingerprint enables targeted attacks.
    Files: DUMP/AUTODISCOVER-RCPB/
    Key files:
    - exchange-full.txt (all endpoint headers)
    - exchange-version.txt (version analysis)
    - health-endpoints.txt (health check responses)
    - owa-full.html (OWA login page)
    - ecp-full.html (ECP admin login page)

================================================================================
DNS RESOLUTION SUMMARY
======================

bacb.bf                  -> NXDOMAIN (does not exist)
cbaofaso.bf              -> Resolves but timeout
apbef-b.net.bf           -> NXDOMAIN (does not exist)
sportcash.bf             -> Server failed
fidelisfinance.bf        -> DNS timeout
ebanking.bacb.bf         -> NXDOMAIN (parent doesn't exist)
mail.cbaofaso.bf         -> 196.28.240.187 (timeout)
autodiscover.cbaofaso.bf -> 196.28.240.187 (timeout)
intranet.rcpb.bf         -> NXDOMAIN (does not exist)
autodiscover.rcpb.bf     -> Resolves (LIVE)
mail.rcpb.bf             -> Resolves (LIVE)
sbifbourse.bf            -> Resolves (Wix)
sbiftrade.bf             -> Resolves (IIS)
societegenerale.bf       -> Resolves (Imperva)
ecobank.com              -> Resolves (Enterprise)
webmail.corisbank.bf     -> Resolves (LIVE)

================================================================================
FILES SAVED
===========

DUMP/BACB/                  - probe.txt
DUMP/CBAOFASO/              - probe.txt, retry-probe.txt
DUMP/APBEF/                 - probe.txt
DUMP/SBIFBOURSE/            - probe.txt, deep-probe.txt, wix-api.txt, sitemap.xml,
                              www-homepage.html
DUMP/SBIFTRADE/             - probe.txt, deep-probe.txt, deep-probe2.txt,
                              Service.singleWsdl.xml (161KB), Service.wsdl.xml (66KB),
                              Service.svc.html, sbiftrade-app.html, js-source.txt,
                              api-endpoints.txt, rest-endpoints.txt, wsdl-operations.txt,
                              wcf-service.txt, endpoint-data.txt, stack-trace.txt,
                              data_GetMarketSnapshot.json, data_GetListOfIndicators.json,
                              auth-response.json, endpoint_*.json
DUMP/SPORTCASH/             - probe.txt
DUMP/ECOBANK-BF/            - probe.txt, deep-probe.txt, infrastructure.txt,
                              exposed-apps.txt, edctradingportal.html, s3-listing.xml
DUMP/SOCIETEGENERALE/       - probe.txt, deep-probe.txt, typo3-config.txt,
                              homepage-analysis.txt, fr-homepage.html,
                              LocalConfiguration.php, robots.txt content, sitemap.xml
DUMP/FIDELISFINANCE/        - probe.txt
DUMP/EBANKING-BACB/         - probe.txt
DUMP/WEBMAIL-CORISBANK/     - probe.txt, deep-probe.txt, health-check.txt, homepage.html
DUMP/MAIL-CBAOFASO/         - probe.txt, retry-probe.txt
DUMP/AUTODISCOVER-CBAOFASO/ - probe.txt
DUMP/INTRANET-RCPB/         - probe.txt
DUMP/AUTODISCOVER-RCPB/     - probe.txt, deep-probe.txt, exchange-full.txt,
                              exchange-version.txt, health-endpoints.txt, owa-full.html,
                              ecp-full.html, owa-headers.txt, ecp-headers.txt,
                              headers_*.txt
DUMP/dns-check.txt          - DNS resolution results

================================================================================
PRIORITY TARGETS FOR FURTHER INVESTIGATION
===========================================

1. sbiftrade.bf - Full WSDL available, WCF endpoints respond to unauthenticated
   requests. The GetMarketSnapshot endpoint dumps live BRVM data. Multiple
   endpoints for order management (f_AJORDRE, supprimer_ordre, cancelOrdreFIX)
   respond 200 - need authenticated testing. SHA1 password hashing is weak.
   IIS/ASP.NET stack is fully fingerprinted.

2. mail.rcpb.bf - Exchange 2019 CU14 (15.2.1748.26) is not current. All services
   running and accessible. NTLM auth on most endpoints enables username
   enumeration. Basic auth on ActiveSync/RPC enables brute force. Internal
   domain: rcpb.lan, server: VM-FCPB-MAIL.

3. webmail.corisbank.bf - Roundcube 1.6.10 on PHP 8.3.30. Banking webmail with
   full architecture fingerprint. Health endpoint accessible.

4. ecobank.com - 13+ internal infrastructure URLs in CSP headers. UAT environment
   (appsuat.ecobank.com) appears accessible. Trading portal has bot protection
   but may be bypassable.

5. societegenerale.bf - TYPO3 CMS with disclosed extensions. Behind Imperva WAF
   but backend server names leak (slumberland-prod-front01/02).

================================================================================
END OF REPORT