Obtain list of all subdomains. Discover endpoint with sensitive information. Let’s assume for other subdomains, vulnerable endpoint is restricted (403). Using 4-ZERO-3, we might be able to bypass. → Report References https://medium.com/@rajauzairabdullah/how-i-earned-4000-from-a-simple-information-disclosure-bug-d644c47803c1