Hey Hunters,
I have found a sensitive stripe live token leaking on a private program.[let’s say redacted.com]
I collected all the subdomains using tools like Subfinder and Amass. After that, I filtered the live subdomains using httprobe. Found a subdomain admin.redacted.com which redirects the user/admin to google OAuth.
Your browser can execute JavaScript, which can, in turn, change the document; in this case, it redirects to google OAuth. After this, I used curl for admin.redacted.com to get the plain original output and nothing else.
Leaking stripe live token
Now I have a leaking stripe live token, but the token’s validity needs to be checked.