################################################################################
################################################################################
##                                                                            ##
##                   EXECUTIVE SUMMARY & PRIORITY TARGETS                     ##
##                                                                            ##
################################################################################
################################################################################

Generated: 2026-03-04
Total targets tested: 29 primary domains + 30 alternate domains
Responded: 10 domains live out of 59 tested
Full raw data: probe-results.txt (same directory)

================================================================================
PRIORITY - OPEN API FOUND: moov-africa.bf
================================================================================
CMS: WordPress + WooCommerce + Polylang + Yoast + Jetpack + Tribe Events
Server: Apache/2.4.62 (Red Hat Enterprise Linux) OpenSSL/3.5.1 mod_fcgid/2.3.9
PHP: 8.3.29
Protocol: HTTPS

OPEN APIs:
  - /wp-json/wp/v2/users -> 200 (LEAKS EMAIL: [address redacted], user ID 1)
  - /wp-json/wp/v2/posts -> 200 (full post content, dates, slugs)
  - /wp-json/wp/v2/pages -> 200 (page content including pricing/plans)
  - /wp-json/wp/v2/categories -> 200 (includes "Actions ONATEL BF" = stock info)
  - /wp-json/wp/v2/tags -> 200
  - /wp-json/wp/v2/media -> 200 (full media library with URLs)
  - /wp-json/wp/v2/types -> 200 (tribe-ea statuses exposed)
  - /wp-json/wp/v2/statuses -> 200
  - /wp-json/wp/v2/taxonomies -> 200
  - /wp-json/wp/v2/search -> 200
  - /wp-json/tribe/events/v1/events -> 200 (events API)
  - /wp-json/wc/store/v1/products -> 200 (WooCommerce Store: FTTH modems, pricing)
  - /wp-json/wc/store/v1/cart -> 200 (cart API - currency XOF)
  - /wp-json/pll/v1/languages -> 200 (FR/EN language config)
  - /wp-json/yoast/v1/get_head -> 200

DIRECTORY LISTING:
  - /wp-content/uploads/ -> 200 (OPEN DIRECTORY LISTING - full file tree)

OTHER:
  - /readme.html -> 200 (WordPress version disclosure)
  - /license.txt -> 200
  - /xmlrpc.php -> 405 (Method Not Allowed - exists)
  - /wp-cron.php -> 200
  - /.htaccess -> 403

NOTES: Moov Africa Burkina Faso (ONATEL subsidiary) telecom site. WooCommerce
store API is open. User enumeration succeeded. Full WP REST API open. ONATEL
stock data category present. Major telecom with wide open API surface.

================================================================================
PRIORITY - OPEN API FOUND: www.bceao.int (BCEAO Central Bank)
================================================================================
CMS: Drupal 8
Server: nginx/1.20.1
Protocol: HTTPS

OPEN APIs:
  - /node/7?_format=json -> 200 (JSON data: institution nodes, UIDs, revisions)
  - /node/8?_format=json -> 200 (institution data with user references)
  - /node/9?_format=json -> 200 (institution data, revision UIDs)
  - /core/CHANGELOG.txt -> 200 (Drupal version info)
  - /fr/rss.xml -> 200 (RSS feed with full content)
  - /user/login -> 200 (login form accessible)
  - /user/register -> 200 (registration page accessible)

EXPOSED METADATA:
  - X-Drupal-Cache-Tags header leaks complete site structure:
      * Node types: article, institutions, publication, event, document,
        communique_presse, offre
      * Block content IDs: 1-98+ (massive block structure)
      * Views: appels_offres, bceao_news, communique_presse, documents,
        evenements, institutions, interventions_du_gouverneur, publications,
        reglementations, reunions, tabs_home, banner_index, etats_membres,
        album_photo
      * Webforms: contactez_nous, newsletter
      * User IDs referenced: 1, 85, 120
  - X-Generator: Drupal 8 (https://www.drupal.org)

BLOCKED:
  - /node/1?_format=json -> 401 (protected)
  - /user/1?_format=json -> 403
  - /jsonapi/* endpoints -> all redirect to homepage (JSON:API disabled or requires auth)
  - /sites/default/files/ -> 403
  - /update.php -> 403

NOTES: Central bank of West Africa. Drupal 8 with REST module partially
enabled. Node JSON export works for some node IDs. Cache tags leak extensive
site architecture. Node enumeration possible (/node/N?_format=json for N=7,8,9
and likely more).

================================================================================
PRIORITY - OPEN API FOUND: benin.coris.bank (Coris Bank Benin)
================================================================================
Discovered via: www.corisbank.bf -> redirects to benin.coris.bank
CMS: WordPress (with Jetpack, Fluent SMTP, Akismet, ACF)
Server: Apache (Ubuntu)
Protocol: HTTPS

OPEN APIs:
  - /wp-json/ (full namespace listing including jetpack, fluent-smtp, akismet, ACF)
  - /wp-json/wp/v2/posts -> 200 (recruitment posts, bank news)
  - /wp-json/wp/v2/pages -> 200 (mentions legales, etc.)
  - /wp-json/wp/v2/media -> 200 (uploaded files: SVGs, images, with full URLs)
  - /wp-json/wp/v2/categories -> 200
  - /wp-json/wp/v2/comments -> 200
  - /wp-json/wp/v2/types -> 200
  - /wp-json/wp/v2/search -> 200

DIRECTORY LISTING:
  - /wp-content/uploads/ -> 200 (OPEN DIRECTORY LISTING)

BLOCKED (but confirms WordPress):
  - /wp-json/wp/v2/users -> 401 (user enum blocked)
  - /wp-json/wp/v2/settings -> 401
  - /wp-json/wp/v2/plugins -> 401

OTHER:
  - /readme.html -> 200
  - /xmlrpc.php -> 405
  - /admin, /login, /wp-admin/ -> redirect to wp-login.php

NOTES: Coris Bank International Benin branch. Other Coris Bank branches likely
at *.coris.bank (e.g., bf.coris.bank, tg.coris.bank). WordPress REST API open
with content and media enumeration. Open upload directory listing.

================================================================================
PRIORITY - OPEN API FOUND: onea.bf (ONEA Water Utility)
================================================================================
CMS: WordPress (with Elementor, The7, Jetpack, MEC Events, Bluehost/Newfold)
Server: Cloudflare (origin unknown)
Protocol: HTTPS

OPEN APIs:
  - /wp-json/ (full namespace listing: elementor, the7, jetpack, jetpack-boost,
    newfold-*, mec, videopress, etc.)
  - Initial probe confirmed WP-JSON with site description:
    "Office national de l eau et de l assainissement"
  - Rate limited (429) on deep probe - Cloudflare WAF active

ADMIN PANELS:
  - /wp-admin/ -> redirects to wp-login.php (login form)
  - /wp-login.php -> 200
  - /cpanel -> 200 (cPanel accessible)
  - /webmail -> 200 (Webmail accessible)
  - /admin -> /admin/ -> /dashboard/ all redirect to wp-admin

CONFIG:
  - /.env -> 403 (exists but protected)
  - /web.config -> 403
  - /.git/HEAD -> 403 (GIT REPO EXISTS)
  - /.git/config -> 403
  - /.htaccess -> 403
  - /phpinfo.php -> 403 (exists)
  - /server-status -> 403

NOTES: Government water utility. WordPress on Bluehost/Newfold hosting with
Cloudflare. Rate limited API access (429). cPanel and Webmail endpoints
exposed. Git repository exists but is protected. Multiple sensitive files
confirmed to exist. Hosting appears to be Bluehost (newfold-* namespaces in
API).

================================================================================
INTERESTING: www.brvm.org (BRVM Stock Exchange)
================================================================================
CMS: Drupal 7.82 (OUTDATED - last update 2021-07-21)
Server: nginx + PleskLin
PHP: 7.0.33 (SEVERELY OUTDATED - EOL)
Protocol: HTTPS

FINDINGS:
  - /CHANGELOG.txt -> 200 (Drupal 7.82 confirmed)
  - /install.php -> 200 ("Drupal already installed")
  - /fr/user/login -> 200 (login form)
  - /fr/indices -> 200 (stock market data)
  - /fr/actualites -> 200 (news)
  - /fr/rss.xml -> 200 (RSS feed with full content)
  - /.env -> 403 (exists)
  - /.git/HEAD -> 403 (GIT REPO EXISTS)

NOTES: Regional stock exchange. Running severely outdated Drupal 7.82 on PHP
7.0.33. Both are well past end-of-life. Multiple known CVEs for this version.
Stock market index data at /fr/indices.

================================================================================
INTERESTING: societegenerale.bf (Societe Generale BF)
================================================================================
CMS: TYPO3 CMS
Server: nginx (behind Imperva CDN)
Protocol: HTTPS
Redirect header: x-redirect-by: TYPO3 Redirect 17

FINDINGS:
  - /typo3/ -> 403 (admin panel exists but blocked by Imperva)
  - /typo3/login -> 403
  - /typo3conf/ -> 403
  - /typo3conf/LocalConfiguration.php -> 200 (EMPTY - may be accessible)
  - /.env -> 403 (exists)
  - /web.config -> 403 (exists)
  - /config.yml -> 403 (exists)
  - /.git/HEAD -> 403 (GIT REPO EXISTS)
  - /.git/config -> 403 (GIT REPO EXISTS)
  - /composer.json -> 403 (exists)
  - /.htaccess -> 403 (exists)
  - /wp-config.php.bak -> 403 (exists - WP migration remnant?)
  - /wp-admin/ -> 403
  - /wp-login.php -> 403

SECURITY DISCLOSURE:
  - /.well-known/security.txt -> 200
      Contact: cert.sg@socgen.com
      Contact: tel:+33(0)1-5898-7200
      VDP: https://vdp.societegenerale.com

NOTES: Well-protected by Imperva WAF. Many files exist (403) but are blocked.
Multiple config files confirmed to exist. Has a formal VDP program. TYPO3
version unclear but Redirect 17 suggests relatively modern.

================================================================================
INTERESTING: ecobank.com (Ecobank Pan-Africa)
================================================================================
CMS: ASP.NET (custom MVC app)
Server: [blank] (deliberately hidden)
Protocol: HTTPS
Session: ASP.NET_SessionId
CDN: Custom (not Cloudflare/Imperva)

FINDINGS:
  - All /api/* paths return 200 with homepage (catch-all routing)
  - /ContentHandler.ashx -> 405 (Method Not Allowed - API endpoint exists)
  - /login -> 200 (distinct login page)
  - robots.txt disallows: /js/, /WebResource.axd, /upload/, /ScriptResource.axd

SUBDOMAINS:
  - secure.ecobank.com -> 302 (internet banking portal)
  - developer.ecobank.com -> 302 (Server: BigIP - DEVELOPER PORTAL)
  - digitalonline.ecobank.com -> 404

CSP reveals internal services:
  - secure.ecobank.com/ContentHandler.ashx
  - ice.ecobank.com (corporate banking)
  - digitalonline.ecobank.com
  - edctradingportal.ecobank.com (trading portal)
  - ecobank-prod.custhelp.com (Oracle Service Cloud)

NOTES: Pan-African bank. ASP.NET application with catch-all routing. Developer
portal at developer.ecobank.com behind BigIP load balancer. Trading portal
referenced in CORS headers.

================================================================================
INTERESTING: air-burkina.com (Air Burkina)
================================================================================
CMS: TYPO3 CMS
Server: nginx
Hosting: Plesk (PleskLin)
Protocol: HTTPS

FINDINGS:
  - /config.yml -> 403 (exists)
  - /.git/HEAD -> 403 (GIT REPO EXISTS)
  - /.git/config -> 403 (GIT REPO EXISTS)
  - /composer.json -> 403 (exists)
  - /.htaccess -> 403 (exists)
  - /wp-config.php.bak -> 403 (exists - WP migration remnant)
  - robots.txt disallows: /typo3_src/, /t3lib/, /typo3/, /typo3conf/

NOTES: National airline. TYPO3 CMS on Plesk hosting. Git repo exists. Deep
probe timed out (000 responses) - server may be slow or rate limiting.

================================================================================
INTERESTING: boad.org (BOAD West African Development Bank)
================================================================================
CMS: Laravel (with Vue.js + Inertia.js)
Server: nginx
Protocol: HTTPS
Framework: Laravel (XSRF-TOKEN cookie, la_boad_session cookie)

FINDINGS:
  - Exposes XSRF-TOKEN in cookies (Laravel CSRF)
  - /sitemap_index.xml -> 200 (contacts, definitions, documents sitemaps)
  - /storage/ -> 403 (Laravel storage exists)
  - /build/assets/ -> 403 (Vite build assets exist)
  - /vendor/ -> 403 (Composer vendor dir exists)
  - /.env -> 403 (exists)
  - /.git/HEAD -> 403 (GIT REPO EXISTS)
  - /.git/config -> 403 (GIT REPO EXISTS)
  - /.htaccess -> 403 (exists)
  - /.DS_Store -> 403 (macOS dev artifact)

NOTES: Modern Laravel/Vue SPA. Well-protected but git repo and .env confirmed
to exist. Sitemap reveals content structure (contacts, definitions, documents).

================================================================================
INTERESTING: www.orange.bf (Orange Burkina Faso)
================================================================================
Server: Custom (no server header)
Protocol: HTTPS (static site served via nginx)
Framework: Static HTML (prebuilt)

FINDINGS:
  - Massive CSP header reveals internal infrastructure:
      * Bot platform: prod.botconnector.cloud.orange, *.smartly.ai
      * Live homescreen: live-homescreen.orange.com
      * Payment: secureacceptance.cybersource.com (CyberSource payments)
      * Customer service: orange-burkina.dimelochat.com, *.dimelo.com (RingCentral)
      * Engagement: orange-burkina.engagement.dimelo.com
      * Analytics: *.crazyegg.com, w.usabilla.com, quanta.io
      * Appointment system: orange-rdv.right-q.com
  - /.env -> 403 (exists)
  - /.git/HEAD -> 403 (GIT REPO EXISTS)
  - No WP/Drupal/Joomla detected - appears to be static pre-built site
  - robots.txt present (standard Drupal format from template)

NOTES: Major telecom. Static site but CSP reveals rich backend infrastructure.
CyberSource payment integration. Dimelo/RingCentral chat platform.

================================================================================
DOMAINS UNREACHABLE
================================================================================
The following domains were unreachable on both HTTP and HTTPS (both bare and www):

BANKING:
  - bicia.bf / www.bicia.bf (BICIA-B Bank)
  - coris-bank.com (redirects 301 from www but final destination unreachable)
  - sgbf.bf / www.sgbf.bf (Societe Generale alternate)
  - bsic.bf / www.bsic.bf (BSIC Bank)
  - bcb.bf / www.bcb.bf (Banque Commerciale)
  - wendkuni-bank.bf (Wendkuni Bank)
  - crepmf.org / www.crepmf.org (Stock Market Regulator)

TELECOM:
  - moov.bf / www.moov.bf (Moov alternate)
  - onatel.bf / www.onatel.bf (ONATEL)
  - faso-net.bf / fasonet.bf (FasoNet)

ENTERPRISE:
  - sonabel.bf / www.sonabel.bf (SONABEL Electricity - known WP site, possibly down)
  - sitarail.bf (SITARAIL Railway)
  - aeroport-ouaga.bf / aeroports.bf (Airport)
  - cameg.bf (CAMEG Pharma)
  - cmu.bf (CMU Health Coverage)
  - rss-bf.org (Social Security)

================================================================================
RECOMMENDED FOLLOW-UP ACTIONS
================================================================================
1. moov-africa.bf (HIGHEST PRIORITY):
   - Enumerate all WP users: /wp-json/wp/v2/users?per_page=100&page=N
   - Dump all WooCommerce products: /wp-json/wc/store/v1/products?per_page=100
   - Spider /wp-content/uploads/ directory listing
   - Check for WP plugin vulnerabilities (Yoast 27.0, WooCommerce, Jetpack, Tribe Events)
   - Test WooCommerce payment flow
   - Check for ONATEL stock data in categories

2. www.bceao.int (HIGH PRIORITY):
   - Enumerate all nodes: /node/N?_format=json for N=1..10000+
   - Focus on node types from cache tags: publication, document, offre, appels_offres
   - Test user registration at /user/register
   - Check if REST views are accessible

3. benin.coris.bank (HIGH PRIORITY):
   - Spider /wp-content/uploads/ directory listing
   - Check other Coris branches: bf.coris.bank, tg.coris.bank, ci.coris.bank, etc.
   - Dump all media: /wp-json/wp/v2/media?per_page=100&page=N

4. onea.bf (MEDIUM - rate limited):
   - Retry API endpoints with delays (rate limited at 429)
   - Investigate cPanel/Webmail exposure
   - Test if .git repo can be dumped despite 403

5. www.brvm.org (MEDIUM):
   - Drupal 7.82 + PHP 7.0.33 are severely outdated with known CVEs
   - Test Drupalgeddon variants
   - Enumerate nodes and views

6. developer.ecobank.com (MEDIUM):
   - Investigate developer portal (302 redirect behind BigIP)
   - May expose API documentation or developer keys

7. societegenerale.bf (LOW - well protected):
   - Has formal VDP at vdp.societegenerale.com
   - Imperva WAF blocks most probes

8. boad.org (LOW - well protected):
   - Laravel app, modern stack, properly configured