⚠️ This article is only meant for educational and ethical pentesting purposes. The author is not responsible for any actions!
If you need a PoC exploitation guide, there are already many good articles on it by top bug hunters. Check below:
This article demonstrates how I do recon for these types of endpoints and how to narrow down to this endpoint directly via custom dorking.
Dorking is like building a custom signature / ruleset for the endpoint you want to hunt for. A given dork may or may not be accurate, because there can be many possible dorks for the same endpoint. How you see through it depends on you.



🪲 Google Dorking
site:*.com "We run on Intercom" -site:intercom.io -site:intercom.com
🐞 FOFA Dorking
domain=example.com && body="intercom"
domain=example.com && body="INTERCOM_APP_ID"
You need to tweak the filtering a bit to get more accurate results.
body="var intercomAppId"

🕷️ Shodan Dorking
"api-iam.intercom.io"
"intercom.io" hostname:domain.com
"intercom.io" ssl.cert.subject.cn:domain.com

👁️ ZoomEye Dorking
http.body="We run on Intercom"

You can collect these keywords / strings and build your own custom Nuclei template for mass hunting :)
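The same strings work in the other direction: the added example below (not the author's code) checks the HTML of your own asset inventory for the markers the dorks above match on, so you know which of your hosts these queries would surface. The host names, sample HTML and case-insensitive matching are assumptions made for the illustration.

```python
# Markers are the strings used in the dorks on this page; each maps to the
# engine(s) whose dork above uses that string.
MARKERS = {
    "We run on Intercom": ("Google", "ZoomEye"),
    "INTERCOM_APP_ID": ("FOFA",),
    "var intercomAppId": ("FOFA",),
    "api-iam.intercom.io": ("Shodan",),
    "intercom.io": ("Shodan",),
    "intercom": ("FOFA",),
}
# Mirrors the -site: exclusions in the Google dork.
VENDOR_DOMAINS = ("intercom.io", "intercom.com")


def is_vendor_host(host):
    """True for the vendor's own domains and their subdomains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)


def audit_page(host, body):
    """Return {marker: engines} for every dork string found in body."""
    if is_vendor_host(host):
        return {}
    lowered = body.lower()  # assumption: engines match case-insensitively
    return {m: e for m, e in MARKERS.items() if m.lower() in lowered}


def audit_inventory(pages):
    """pages: {host: html}. Returns only hosts with at least one hit."""
    report = {}
    for host, body in pages.items():
        hits = audit_page(host, body)
        if hits:
            report[host] = hits
    return report


# Constructed sample inventory (hypothetical hosts and HTML).
SAMPLE = {
    "app.example.com": '<script>var intercomAppId = "PLACEHOLDER";</script>',
    "help.example.com": "<footer>We run on Intercom</footer>",
    "static.example.com": "<h1>Nothing here</h1>",
    "widget.intercom.io": "We run on Intercom",
}

if __name__ == "__main__":
    for host, hits in audit_inventory(SAMPLE).items():
        for marker, engines in hits.items():
            print(f"{host}: {marker!r} -> {', '.join(engines)}")
```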
Happy Dorking! See you in the next article 🤘
