# ARCEP - Autorité de Régulation des Communications Électroniques et des Postes
**Sector:** Telecommunications Regulator / .bf Domain Authority
**Date:** 2026-03-03
**Source:** THOT Domain Intel + Manual Recon

## Domains
| Domain | Status |
|--------|--------|
| `arcep.bf` | UP |
| `www.arcep.bf` | UP (canonical) |

## Hosting & Infrastructure
- **IP:** 196.43.247.56 (Burkina Faso — hosted in-country)
- **Server:** Varnish HTTP accelerator (caching proxy)
- **Backend:** WordPress
- **No Server header disclosed** in responses

## Tech Stack
### CMS / Framework
- **WordPress** (version not disclosed in headers; presence confirmed by the detected plugins)
- **Elementor 3.23.2** (page builder)
- **Slider Revolution 6.6.7**
- **All in One SEO Pro (AIOSEO) 4.6.7.1**
- **WordPress Download Manager 3.2.97**
- **Theme: egovenz** (e-government WordPress theme)

### Frontend / JavaScript
- jQuery 3.7.1
- Bootstrap 5.0 + 6.6.1 (dual versions!)
- HTML5, Open Graph Protocol

### Analytics / Forms / Newsletter
- **Matomo** (self-hosted analytics — NOT Google Analytics)
- Contact Form 7 (CF7)
- Mailchimp (MC4WP newsletter)

### Caching / Performance
- **Varnish** HTTP accelerator as reverse proxy
- X-Cacheable: YES:Forced
- X-Varnish headers visible

### Security Headers
- X-Frame-Options: SAMEORIGIN
- X-Content-Type-Options: nosniff
- No HSTS
- No CSP

### Plugins Detected
- WooCommerce (setup but inactive)
- **bbPress** (forum software)
- Pojo A11y Toolbar (accessibility)
- WPML or translation plugin

## DNS Records (17 found — most of any target)

## Subdomains (999 brute-force hits, caused by wildcard DNS)
- **WILDCARD DNS detected** — brute-force found 999/1000 subdomains
  - This means `*.arcep.bf` resolves to the same IP
  - ANY subdomain will resolve (`test123.arcep.bf` works), so the brute-force hits are not evidence of real hosts
- Known real subdomains from crt.sh:
  - `mail.arcep.bf` — mail server
  - `mailb1-b4.arcep.bf` — mail backends (4 servers!)
  - `mailgateway.arcep.bf` — mail gateway
  - `mailp1.arcep.bf` — mail proxy
  - `webmail.arcep.bf` — webmail interface

## Emails Discovered
- `secretariat@arcep.bf` (from website — 0 breaches, 0 platforms)

## Interesting Findings
- **WILDCARD DNS** — `*.arcep.bf` resolves to 196.43.247.56
  - This is a significant misconfiguration for a telecom regulator
  - Enables subdomain takeover attacks and phishing
  - `any-text.arcep.bf` will show the ARCEP website
- **Hosted IN Burkina Faso** (196.43.247.56) — one of very few sites hosted in-country
- **Varnish caching proxy** — enterprise-grade reverse proxy
- **Matomo analytics** instead of Google — privacy-conscious choice (self-hosted tracking)
- **7 mail infrastructure subdomains** — extensive email setup (mailb1-b4, mailgateway, mailp1)
- **bbPress forum** on telecom regulator — unusual, potential user enumeration
- **17 DNS records** — most complex DNS of all targets
- **Dual Bootstrap versions** (5.0 + 6.6.1) — possible version conflict
- **ARCEP controls the .bf TLD** — compromise here could affect ALL .bf domain infrastructure

## Security Concerns
- Wildcard DNS is a major misconfiguration
- No HSTS enforcement
- bbPress forum: potential user-data exposure (user enumeration, not yet verified)
- Multiple WordPress plugins = large attack surface
- As .bf domain authority, ARCEP is the most critical target

## TODO
- [ ] Confirm wildcard DNS with dig/nslookup
- [ ] Enumerate bbPress forum users
- [ ] Check Matomo for exposed analytics data
- [ ] WordPress REST API enumeration (/wp-json/)
- [ ] Check mail infrastructure (mailb1-b4, mailgateway)
- [ ] robots.txt and sitemap.xml
- [ ] Google dorking: site:arcep.bf filetype:pdf|doc
