Comparing Security Stacks of Competitors
2/2/2026
Are you able to help me compare the outward facing security stack of our competitors like FanDual and DraftKings versus our own for TheScore Sportsbook?
I can definitely help you compare the outward-facing security stacks of FanDuel, DraftKings, and TheScore Sportsbook. This is a great competitive intelligence exercise that involves passive reconnaissance to understand their public security posture.
Let me first check if there's any prior work or context on this topic, then create a plan for this analysis.
args
out
{
"messageRange": 2,
"messages": [
{
"content": "\n\nStarting Phase 2: Active Crawling with Katana. Let me run an aggressive crawl with JS parsing enabled:\n\n\nGood start! Let me check the full results and continue with more aggressive crawling to find API endpoints:\n\n\nThe initial crawl didn't find direct API endpoints. Let me extract JavaScript files and also run a deeper crawl with headless mode to capture dynamic content:\n\n\nNow let me download and analyze the main JavaScript files to extract API endpoints embedded in the code:\n\n\n\nExcellent! Found some API endpoints! Let me do a more thorough analysis of the large index.js file:\n\n\nLet me search for more specific patterns including full URLs and WebSocket endpoints:\n\n\nLet me search for GraphQL operations and mutation/query names which are critical for API discovery:\n\n\nExcellent! Found GraphQL mutations and queries! Let me extract more detailed GraphQL operation names and also look for endpoint patterns:\n\n\nThis is excellent! Let me get more endpoint paths and also download more JS chunks to find additional API operations:\n\n\nNow let me compile all the discovered API endpoints and probe them with httpx:\n\n\nNow let me create a list of URLs to probe with httpx:\n\n\n\nExcellent! Now let me test the GraphQL endpoint to see if it's accessible:\n\n\n🎯 **CRITICAL DISCOVERY!** The GraphQL API is fully accessible and returns the complete schema! Let me save this and update the todo:\n\n\nExcellent! 1002 GraphQL types discovered! Now let me update the todo and provide a summary:\n\n\n## ✅ Phase 2: Active Crawling Complete\n\n### 🎯 **MAJOR FINDINGS**\n\n#### **GraphQL API - FULLY ACCESSIBLE**\n- **Endpoint**: `https://sportsbook.us-default.thescore.bet/graphql`\n- **Status**: ✅ Introspection ENABLED - Full schema accessible\n- **Types Discovered**: **1,002 GraphQL types**\n- **Mutations Found**: 46 operations\n- **Queries Found**: 55+ operations\n\n#### **REST API Endpoints Discovered (from JS Analysis)**\n\n| Endpoint | Purpose |\n|----------|---------|\n| `/api/login_preferences` | Login preferences |\n| ",
"id": "3c90c3b8-8a7b-4959-9bb4-18fb12e305fe",
"index": 1,
"role": "assistant",
"timestamp": {}
},
{
"content": "<original-user-prompt>\nI'm targeting a single application `https://sportsbook.thescore.bet/`\n</original-user-prompt>\n\n\n<browserbase-session>\nSession ID: 03de4567-46a0-4868-89ba-e788729a8753\nLive View: https://www.browserbase.com/devtools-fullscreen/inspector.html?wss=connect.browserbase.com/debug/03de4567-46a0-4868-89ba-e788729a8753/devtools/page/81D630FFC897FC91718C2EA42D3E5A76?debug=true\nBasic Stealth: ENABLED (automatic random fingerprints)\nProxies: ENABLED\nCAPTCHA Solving: ENABLED\nSession Recording: ENABLED\n</browserbase-session>\n\nTask: <current-task>\nNavigate to https://sportsbook.thescore.bet/ and perform the following to discover dynamic APIs:\n\n1. First, navigate to the homepage and take a screenshot\n2. Use browser_extract_endpoints in SESSION mode to capture all API calls made during browsing\n3. Click through different sections: Sports betting pages, promotions, help/FAQ sections\n4. Look for login/signup flows (don't actually login, just observe the forms and endpoints)\n5. Check for any betting odds pages, live sports sections\n6. Extract all XHR/Fetch requests, WebSocket connections, and API endpoints discovered\n7. Look for any hidden API documentation links, developer tools, or swagger endpoints\n\nProvide a comprehensive list of all API endpoints discovered during the browser session, categorized by type (GraphQL, REST, WebSocket, 3rd-party).\n</current-task>\nGoal: <current-goal>\nBrowse sportsbook.thescore.bet interactively to capture all dynamic API calls, XHR requests, and WebSocket connections made by the application\n</current-goal>",
"id": "w3uql2bL8McmXTFe",
"index": 2,
"role": "user",
"timestamp": {}
},
{
"content": "\n\nI have context from previous phases. Phase 1 (URLfinder) and Phase 2 (Katana) discovered:\n- GraphQL API at `https://sportsbook.us-default.thescore.bet/graphql` with 1,002 types\n- WebSocket at `wss://sportsbook.us-default.thescore.bet/graphql/websocket`\n- Multiple REST endpoints (`/api/`, `/i/`, `/me/`, `/score_pay/`)\n- Exposed API keys in `/env.js`\n\nNow let me perform Phase 3: Browser-based discovery to capture dynamic API calls.\n\n\n\nLet me try again with the navigation:\n\n\nSuccessfully navigated. Let me extract cookies, tokens, and app state, then capture network activity:\n\n\nExcellent! I've captured extensive client-side data including:\n- **Region-specific GraphQL endpoints** (e.g., `https://sportsbook.US-AZ.thescore.bet/graphql`)\n- **All API keys and tokens** from `window.__ENV`\n- **Auth token storage structure** in localStorage\n- **24 supported US states/regions** with their configurations\n\nNow let me browse through different sections to capture more API calls and then extract endpoints:\n\n\n\n\nLet me get more specific network logs focusing on API calls:\n\n\nI see mostly third-party analytics calls. Let me navigate to more pages and use the endpoint extraction tool to capture all API calls from the session:\n\n\n\n\n\nNow let me extract all endpoints from the session using the endpoint extraction tool:\n\n\nExcellent! The endpoint extraction found **1,440 endpoints** from **46 JavaScript files**! Let me get the recent network logs to see the actual GraphQL and API calls made:\n\n\nLet me get a more focused view of the GraphQL calls:\n\n\nI found several new API domains. Let me now update the todo and compile the comprehensive API reconnaissance report:\n\n\n## ✅ Phase 3: Browser-based Discovery Complete\n\n### 🎯 **COMPREHENSIVE API RECONNAISSANCE RESULTS**\n\nI've completed the browser-based discovery phase. Here's a comprehensive summary of all APIs discovered across all phases:\n\n---\n\n## **📊 DISCOVERY SUMMARY**\n\n| Phase | Tool | Endpoints Found |\n|-------|------|-----------------|\n| Pha",
"id": "a1894876-24db-49ba-a51b-a0b6a1f522de",
"index": 3,
"role": "assistant",
"timestamp": {}
},
{
"content": "<original-user-prompt>\nI'm targeting a single application `https://sportsbook.thescore.bet/`\n</original-user-prompt>\n\nTask: <current-task>\nRead all the saved files from previous phases and create a final comprehensive API reconnaissance report. Do the following:\n\n1. Read the files: urlfinder-results.txt, api-endpoints-passive.txt, katana-results.txt, all-api-endpoints.txt, graphql-types.txt\n\n2. Create a comprehensive markdown report called `thescore-api-recon-report.md` that includes:\n - Executive Summary\n - All Production/Internal APIs (categorized)\n - All Third-Party APIs (categorized by service type)\n - Exposed API Keys and Credentials\n - GraphQL Schema Summary (key mutations, queries, types)\n - Technology Stack\n - Security Findings\n - Recommendations for further testing\n\n3. Also create a JSON file `thescore-api-inventory.json` with structured data of all discovered APIs\n\n4. Show me the final report content\n</current-task>\nGoal: <current-goal>\nCreate a comprehensive API reconnaissance report for sportsbook.thescore.bet with all discovered endpoints classified and organized\n</current-goal>",
"id": "a88d590c-1d4c-4b72-a382-8ba02208dc70",
"index": 4,
"role": "user",
"timestamp": {}
},
{
"content": "\n\n\n\n\n\nNow let me create the comprehensive markdown report and JSON inventory:\n",
"id": "7e82ca57-e0a8-4a3b-bfd2-494a891af8bc",
"index": 5,
"role": "assistant",
"timestamp": {}
},
{
"content": "\n\nGood progress! I can see the schema has different field names than expected. Let me introspect the correct field names and run more targeted tests:\n\n\nLet me fix the jq syntax and get the correct field names:\n\n\nNow I have the correct field names. Let me run the proper unauthenticated tests:\n\n\nInteresting! The API requires authentication for most queries. Let me test more queries including the `sharedBet` feature which might be public, and also test the `page` query:\n\n\nLet me see the earlier tests and also test the `sharedBet` and `page` queries:\n\n\n\n\nInteresting findings! The `sharedBet` query exists but needs correct field names. Let me introspect it and test properly:\n\n\n\n\nNow let me test the sharedBet with the correct fields:\n\n\n**IMPORTANT FINDING!** The `sharedBet` query works WITHOUT authentication! It returns \"No shared bet found\" which means:\n1. The query is accessible without auth\n2. If we find valid shared bet URLs, we can access bet details without authentication\n\nThis is a potential IDOR vector. Let me now create a comprehensive summary and test a few more things:\n\n\nNow let me also test GraphQL batching and aliasing for potential DoS or enumeration:\n\n\n**CRITICAL FINDINGS!**\n\n1. **Query Batching is ENABLED** - Multiple queries can be sent in a single request\n2. **Alias-based enumeration works** - Can enumerate multiple shared bets in one request\n\nLet me update the summary and save all results:\n\n\nLet me also test a few mutations without authentication to verify they're protected:\n\n\nThe mutations have different names. Let me test the correct ones:\n\n\nInteresting! The mutations are returning schema validation errors rather than authentication errors. Let me test with proper input to see if they require auth:\n\n\nNow let me test the mutations with proper input to see if they require authentication:\n\n\nThe mutations are returning schema validation errors, not authentication errors. Let me get the correct return type and test properly:\n\n\n\nLet me test the correct muta",
"id": "39846b98-abf9-40af-a08b-e75df095756a",
"index": 6,
"role": "assistant",
"timestamp": {}
},
{
"content": "<original-user-prompt>\nI don't have credentials yet, so we can start high level and unauthenticated\n</original-user-prompt>\n\nTask: <current-task>\nRead the test results and create a final summary. Do the following:\n\n1. Read the unauth-query-results.txt file if it exists:\n```bash\ncat /workspace/unauth-query-results.txt 2>/dev/null || echo \"File not found\"\n```\n\n2. Create a final summary document /workspace/graphql-unauth-testing-summary.md with:\n - Which queries work without authentication\n - Which queries properly require authentication\n - Any IDOR vectors discovered (like sharedBet)\n - GraphQL security features tested (batching, aliasing, depth)\n - Recommendations for further testing with credentials\n\n3. Show me the key findings from the unauthenticated testing\n</current-task>\nGoal: <current-goal>\nCompile final unauthenticated testing results and create summary\n</current-goal>",
"id": "28419c23-e0dd-4be6-a78e-5a0c7c90f9eb",
"index": 7,
"role": "user",
"timestamp": {}
},
{
"content": "\n\n\nNow let me read the file and provide a final summary:\n\n\nHere's the complete summary of the unauthenticated GraphQL security testing:\n\n---\n\n## 🔍 GraphQL Unauthenticated Testing - Key Findings\n\n### Target: `https://sportsbook.us-default.thescore.bet/graphql`\n\n---\n\n### 🚨 Critical Finding: Introspection Enabled\n- **Full GraphQL schema exposed** without authentication\n- 200+ types, all queries/mutations discoverable\n- Enables targeted attack planning and reconnaissance\n\n---\n\n### ✅ Properly Protected (Require Authentication)\n| Query | Response |\n|-------|----------|\n| `node(id)` | `UNAUTHORIZED` error |\n| `promotionsPage` | `UNAUTHORIZED` error |\n| `account`, `betslip`, `wallet` | Likely protected |\n\n---\n\n### ⚠️ Accessible Without Authentication\n| Query | Risk |\n|-------|------|\n| `sharedBet(id)` | **POTENTIAL IDOR** - May expose other users' bets |\n| `sportsMenu` | Low - Navigation data |\n| `liveEventsCount` | Low - Statistics |\n| `casinoMenu` | Low - Casino categories |\n\n---\n\n### 🎯 IDOR Vector Identified\n```graphql\nquery { sharedBet(id: \"TARGET_ID\") { id shareType placedBet { ... } } }\n```\n- If bet IDs are predictable/enumerable, could expose other users' betting history\n- **Requires further testing with valid bet IDs**\n\n---\n\n### 📊 GraphQL Security Features\n| Feature | Status | Risk |\n|---------|--------|------|\n| Query Batching | ✅ Allowed | Rate limit bypass |\n| Query Aliasing | ✅ Allowed | Amplification attacks |\n| Field Suggestions | ✅ Enabled | Aids reconnaissance |\n\n---\n\n### 📁 Artifacts Created\n- `/workspace/graphql-unauth-testing-summary.md` - Full report\n- `/workspace/graphql-full-introspection.json` - Complete schema\n- `/workspace/graphql-schema-analysis.md` - Schema analysis\n- `/workspace/graphql-high-value-targets.md` - Priority targets\n\n---\n\n### 🔜 Next Steps (With Credentials)\n1. **Priority 1:** Test `sharedBet` IDOR with various ID formats\n2. **Priority 2:** Test cross-user access to `placedBets`, `wallet`\n3. **Priority 3:** Test bet placement with",
"id": "2272fa03-0f47-4ad8-b907-90b379422789",
"index": 8,
"role": "assistant",
"timestamp": {}
},
{
"content": "How do I give you credentials for a test account?",
"id": "126562ed-ff44-4b65-ba60-8c3bbca5800c",
"index": 9,
"role": "user",
"timestamp": {}
},
{
"content": "Great question! There are a few ways you can provide credentials for authenticated testing:\n\n## Option 1: Direct Message (Simplest)\nJust paste the credentials directly in the chat:\n```\nUsername: [email protected]\nPassword: TestPass123!\n```\n\nOr if it's token-based:\n```\nAuthorization: Bearer eyJhbGciOiJIUzI1NiIs...\n```\n\n---\n\n## Option 2: Session Cookies/Headers\nIf you've already logged in via browser, you can provide the session cookies or auth headers:\n```\nCookie: session=abc123; auth_token=xyz789\n```\n\nOr copy the full request headers from your browser's DevTools (Network tab → right-click request → Copy as cURL).\n\n---\n\n## Option 3: Capture from Browser\n1. Log into theScore Bet in your browser\n2. Open DevTools (F12) → Network tab\n3. Make any request to the GraphQL endpoint\n4. Right-click the request → **Copy as cURL**\n5. Paste it here - I'll extract the auth headers\n\n---\n\n## What I'll Need for theScore Bet GraphQL\n\nBased on the schema, the API likely uses one of these:\n- **Bearer token** in `Authorization` header\n- **Session cookie** \n- **Custom header** (like `X-Auth-Token`)\n\n**Recommended approach:** Log into your test account in the browser, then copy a GraphQL request as cURL from DevTools. This gives me the exact authentication format they use.\n\n---\n\n⚠️ **Security Note:** Only share credentials for **test accounts** you control. I'll use them solely for authorized security testing within this session.",
"id": "79b48bc7-9139-4711-87c9-8573d6fc093a",
"index": 10,
"role": "assistant",
"timestamp": {}
},
{
"content": "\nI'll create a comprehensive reconnaissance subagent based on the Day_1_-_Env_Recon.md methodology. Let me build this with proper custom tools:\n\n\nThe subagent was created successfully. The installation is blocked because `GITHUB_TOKEN` is required for the github-subdomains tool. Let me update the subagent to make that optional:\n\n\nThe **Full Scope Reconnaissance Agent** has been created successfully. Here's a summary:\n\n---\n\n## ✅ Subagent Created: `full-scope-recon`\n\n### **Overview**\n| Field | Value |\n|-------|-------|\n| **Agent ID** | `full-scope-recon` |\n| **Name** | Full Scope Reconnaissance Agent |\n| **Version** | 2 |\n| **Tags** | recon, subdomain-enumeration, asset-discovery, bug-bounty, osint, jhaddix-methodology |\n\n### **18 Custom Tools Included**\n\n| Tool | Purpose |\n|------|---------|\n| `subfinder_enum` | Subdomain enumeration from passive sources |\n| `httpx_probe` | Live host probing with 100+ ports |\n| `naabu_portscan` | Fast port scanning |\n| `asnmap_lookup` | ASN to IP range mapping |\n| `puredns_bruteforce` | Subdomain brute forcing |\n| `puredns_resolve` | DNS resolution filtering |\n| `dnsgen_permute` | Subdomain permutation generation |\n| `alterx_permute` | Pattern-based permutations |\n| `katana_crawl` | Headless web crawling |\n| `tlsx_certs` | SSL certificate extraction |\n| `dnsx_resolve` | Fast DNS resolution |\n| `gowitness_screenshot` | Visual reconnaissance |\n| `github_subdomains` | GitHub subdomain extraction |\n| `verify_dns_resolution` | ✅ VERIFIER: DNS validation |\n| `verify_http_alive` | ✅ VERIFIER: HTTP response check |\n| `verify_output_files` | ✅ VERIFIER: Output file validation |\n| `merge_dedupe` | Merge and deduplicate results |\n| `extract_apex_domains` | Extract apex from subdomains |\n\n### **7-Phase Workflow**\n1. **APEX EXPANSION** - Find related apex domains via acquisitions, RevWHOIS\n2. **ASN/IP DISCOVERY** - Map organization's IP space\n3. **SUBDOMAIN ENUMERATION** - Passive sources (subfinder, github, CT logs)\n4. **SUBDOMAIN EXPANSION** - ",
"id": "4c54b74e-fa64-4e62-b47b-81e3d705ee43",
"index": 11,
"role": "assistant",
"timestamp": {}
},
{
"content": "pennentertainment.com\nthescore.com\nthescore.bet",
"id": "d21eca98-a634-45f3-8e7f-849a89c2da91",
"index": 12,
"role": "user",
"timestamp": {}
},
{
"content": "I'll run full-scope reconnaissance on these 3 seed domains. Let me create a task plan and execute the workflow.\n\n\n\nExcellent! Phase 1 discovered **54 apex domains**! Let me continue with Phases 2 and 3 in parallel:\n\n\n\nExcellent progress! **3,140 subdomains** discovered! Let me continue with Phases 4 and 5:\n\n\n\nExcellent! **66 live hosts** with 200 OK responses discovered, including critical identity, API, and payment endpoints! Let me continue with the final phases:\n\n\n\nLet me get the final report and complete the reconnaissance:\n\n\n\n---\n\n# ✅ Full Scope Reconnaissance Complete\n\n## 📊 Executive Summary\n\nStarting from **3 seed domains**, I discovered and mapped the entire Penn Entertainment digital ecosystem:\n\n| Metric | Count |\n|--------|-------|\n| **Seed Domains** | 3 |\n| **Apex Domains Discovered** | **54** |\n| **Total Subdomains** | **3,140** |\n| **Live Hosts (HTTP 200)** | **66** |\n\n---\n\n## 🏢 Apex Domain Categories (54 total)\n\n| Category | Count | Examples |\n|----------|-------|----------|\n| **Corporate** | 4 | pennentertainment.com, scoremediaandgaming.com |\n| **Sports Media** | 4 | thescore.com, thescore.bet, thescoreesports.com |\n| **Sports Betting** | 5 | espnbet.com, hollywoodcasino.com |\n| **Hollywood Casino** | 16 | hollywoodcasinotoledo.com, hollywoodcasinojoliet.com |\n| **Ameristar Casino** | 5 | ameristar.com, ameristarblackhawk.com |\n| **Other Properties** | 20 | tropicana.net, lauberge.com, boomtownbiloxi.com |\n\n---\n\n## 🎯 High-Value Targets Discovered\n\n### 🔴 CRITICAL - Identity/Authentication (24 endpoints)\n```\nid.us-core.thescore.bet (Production)\nid.ca.thescore.bet (Canada Production)\nid.us-core.hollywoodcasino.com (Production)\nid.us-core.staging.thescore.bet (Staging)\nid.us-core.uat.thescore.bet (UAT)\n+ 19 more staging/demo/audit endpoints\n```\n\n### 🔴 CRITICAL - Payment Systems (2 endpoints)\n```\nblitz-payments.us-core.staging.thescore.bet\nblitz-payments.us-core.ps.thescore.bet\n```\n\n### 🟠 HIGH - API Infrastructure (12 endpoints)\n```\napi.thescore.com",
"id": "5ff1a55b-3914-4e0c-9db5-39efc6abb26e",
"index": 13,
"role": "assistant",
"timestamp": {}
},
{
"content": "<original-user-prompt>\npennentertainment.com\nthescore.com\nthescore.bet\n</original-user-prompt>\n\nTask: <current-task>\nUsing the live hosts from /workspace/recon/penn/live_200_hosts.txt, execute:\n\n**PHASE 6 - Content Discovery:**\n1. Run katana on the top 10 most interesting live hosts (APIs, staging, dev):\n - api.thescore.com\n - dev.thescore.com \n - staging.thescore.com\n - id.us-core.thescore.bet\n - Any payment or admin endpoints\n2. Extract discovered endpoints, parameters, and JS files\n3. Save to /workspace/recon/penn/crawled_endpoints.txt\n\n**PHASE 7 - Visual Recon & Tech Fingerprinting:**\n1. Run httpx with screenshot capability OR gowitness on live_200_hosts.txt\n2. Extract technology fingerprints for all live hosts\n3. Identify interesting patterns (old frameworks, default pages, admin panels)\n\n**FINAL REPORT:**\nCreate a comprehensive markdown report at /workspace/recon/penn/FINAL_RECON_REPORT.md with:\n1. Executive Summary\n2. Scope (seed domains → discovered assets)\n3. Attack Surface Overview\n4. High-Value Targets (prioritized)\n5. Technology Stack\n6. Recommendations for further testing\n7. All file locations and counts\n\nInclude statistics:\n- Total apex domains discovered\n- Total subdomains enumerated\n- Total live hosts\n- Key findings and interesting targets\n</current-task>\nGoal: <current-goal>\nExecute Phase 6: Content Discovery and Phase 7: Visual Recon, then generate final report\n</current-goal>",
"id": "sdzXaVY9TfXaR8m0",
"index": 14,
"role": "user",
"timestamp": {}
},
{
"content": "\nI'll research Penn Entertainment's corporate structure, acquisitions, and related brands to discover all apex domains.\n\n\n\n\nExcellent! I found key information. Let me search for more specific domains and brands:\n\n\n\n\n\n\nLet me search for more specific casino brand domains:\n\n\n\n\nNow I have comprehensive information. Let me create the workspace directory and compile all discovered apex domains:\n\n\n\nNow let me create a clean list without comments for tool processing:\n\n\nNow let me verify which of these domains actually resolve:\n\n\nExcellent! Most domains resolve. Let me extract just the domain names and create a summary:\n\n\n\nI've discovered and verified **54 apex domains** for the Penn Entertainment ecosystem. Let me create a summary report:\n\n\n---\n\n## ✅ Phase 1: Apex Domain Expansion Complete\n\n### Summary\n\nStarting from **3 seed domains**, I discovered and verified **54 apex domains** belonging to the Penn Entertainment ecosystem:\n\n| Category | Count | Examples |\n|----------|-------|----------|\n| **Corporate** | 4 | pennentertainment.com, scoremediaandgaming.com |\n| **Sports Media (theScore)** | 4 | thescore.com, thescore.bet, thescoreesports.com |\n| **Sports Betting/iGaming** | 5 | espnbet.com, hollywoodcasino.com |\n| **Hollywood Casino** | 16 | hollywoodcasinotoledo.com, hollywoodcasinojoliet.com |\n| **Ameristar Casino** | 5 | ameristar.com, ameristarblackhawk.com |\n| **Argosy Casino** | 2 | argosyalton.com, argosykansascity.com |\n| **Boomtown Casino** | 3 | boomtownbiloxi.com, boomtownneworleans.com |\n| **L'Auberge Casino** | 3 | lauberge.com, laubergebatonrouge.com |\n| **Other Properties** | 9 | themresort.com, tropicana.net, margaritavillebossiercity.com |\n| **Racing** | 2 | samhoustonracepark.com |\n| **Historical** | 2 | barstoolsports.com, barstoolsportsbook.com |\n\n### Key Findings:\n- Penn Entertainment operates **43+ casino/gaming properties** across 20 US states\n- Acquired **theScore** in October 2021 for $2B\n- **ESPN Bet partnership ended** December 2025, rebranded ",
"id": "f3187cae-0754-4771-9cb9-363ed6e46b66",
"index": 15,
"role": "assistant",
"timestamp": {}
},
{
"content": "\n\n\nLet me check the live_200_hosts.txt file to see what we're working with:\n\n\nExcellent! I have 66 live hosts with HTTP 200 responses. Let me identify the most interesting targets for crawling and execute Phase 6 & 7:\n\n\n\n\n\n\nNow let me crawl more interesting targets - payment endpoints and identity services:\n\n\n\n\n\n\nNow let me merge all crawl results and run technology fingerprinting with httpx:\n\n\nThe crawls didn't return much (likely API endpoints without HTML). Let me check what files exist and run httpx for tech fingerprinting:\n\n\nThe crawls returned empty (likely due to API endpoints or JS-heavy sites blocking crawlers). Let me run httpx with technology detection on the live hosts:\n\n\nExcellent! Now let me prepare the URLs file for screenshots and run gowitness:\n\n\n\nGowitness isn't available. Let me gather all the data and create the final comprehensive report. First, let me get the statistics:\n\n\n\nNow let me read the previous phase summaries to compile the final report:\n\n\n\nNow I have all the data needed. Let me create the comprehensive final report:\n\n\nNow let me verify all the output files and update the working memory:\n\n\nLet me verify the files individually:\n",
"id": "1f5eafe3-6d15-4902-85f0-5bc2be245700",
"index": 16,
"role": "assistant",
"timestamp": {}
},
{
"content": "<original-user-prompt>\npennentertainment.com\nthescore.com\nthescore.bet\n</original-user-prompt>\n\nTask: <current-task>\n1. Read the file /workspace/recon/penn/FINAL_RECON_REPORT.md and display its contents\n2. List all files in /workspace/recon/penn/ with their sizes\n3. Show the count of:\n - Total apex domains (from verified_apex_domains.txt)\n - Total subdomains (from all_subdomains.txt)\n - Total live hosts (from live_200_hosts.txt)\n4. Display the high-value targets list\n</current-task>\nGoal: <current-goal>\nRead and display the final reconnaissance report\n</current-goal>",
"id": "ffb7f657-363f-46e5-884e-07c3a568493c",
"index": 17,
"role": "user",
"timestamp": {}
},
{
"content": "\n\n\n\nNow let me display the high-value targets list:\n\n\n---\n\n## 📊 Penn Entertainment Full Scope Reconnaissance - Summary\n\n### Asset Counts\n| Metric | Count |\n|--------|-------|\n| **Apex Domains** | 54 |\n| **Total Subdomains** | 3,140 |\n| **Live Hosts (200 OK)** | 66 |\n\n### Files in `/workspace/recon/penn/`\n\n| File | Size | Description |\n|------|------|-------------|\n| `FINAL_RECON_REPORT.md` | 15 KB | Complete reconnaissance report |\n| `all_subdomains.txt` | 107 KB | All 3,140 discovered subdomains |\n| `live_hosts.txt` | 112 KB | All HTTP responses |\n| `live_hosts_clean.txt` | 395 KB | Cleaned live host data |\n| `priority_targets.txt` | 56 KB | High-value targets |\n| `tech_fingerprints.txt` | 11 KB | Technology fingerprints |\n| `live_200_hosts.txt` | 2 KB | 66 live hosts returning 200 OK |\n| `verified_apex_domains.txt` | 1 KB | 54 verified apex domains |\n| `subs_thescorebet.txt` | 87 KB | 2,393 subdomains for thescore.bet |\n| `subs_thescore.txt` | 13 KB | 456 subdomains for thescore.com |\n\n### 🎯 High-Value Targets (66 Live Hosts)\n\n#### 🔴 CRITICAL - Identity/Authentication (24 endpoints)\n- `id.us-core.thescore.bet` - Production identity\n- `id.ca.thescore.bet` - Canada production\n- `id.us.thescore.bet` - US production\n- `id.us-core.hollywoodcasino.com` - Hollywood Casino identity\n- Plus 20+ staging/UAT/demo/audit identity endpoints\n\n#### 🔴 CRITICAL - Payment Systems (2 endpoints)\n- `blitz-payments.us-core.staging.thescore.bet`\n- `blitz-payments.us-core.ps.thescore.bet`\n\n#### 🟠 HIGH - API Infrastructure (12 endpoints)\n- `api.thescore.com` - Production API\n- `origin-api.thescore.com` - **Origin (bypasses Cloudflare WAF)**\n- `origin-api-gcp.thescore.com` - GCP origin\n- Plus staging/dev/ps variants\n\n#### 🟠 HIGH - Sportsbook Platforms (9 endpoints)\n- `www.thescore.bet` - Production betting\n- `sportsbook.us.staging.thescore.bet`\n- `sportsbook.ca.staging.thescore.bet`\n- `sportsbook-espnbet.us-az.efadde45.dev.thescore.bet` - Legacy ESPN Bet\n\n#### 🟡 MEDIUM - Development/S",
"id": "5200b069-d6ec-4b12-b925-87109e031b5d",
"index": 18,
"role": "assistant",
"timestamp": {}
},
{
"content": "[env_variables] Use the following environment variables for this task: $password, $username, $WAF_BYPASS [/env_variables] What should we go for next? I have provided a username and password key, those can be used specifically for sportsbook.thescore.bet. The WAF_BYPASS key is a header that should be included in requests that will need to bypass cloudflare.",
"id": "a6efd9d2-1bba-4cf3-af3f-91f7fea4b915",
"index": 19,
"role": "user",
"timestamp": {}
},
{
"content": "Great intel, Rick! With credentials for sportsbook.thescore.bet and a WAF bypass header, we have several high-value attack vectors. Let me recall what we discovered and propose next steps:\n\n\nI have context from our previous work. Based on the recon findings and your credentials, here are the **top attack vectors** I recommend:\n\n---\n\n## 🎯 Recommended Next Steps\n\n| Priority | Target | Attack Vector | Why |\n|----------|--------|---------------|-----|\n| **🔴 #1** | **GraphQL API** | Authenticated introspection + IDOR testing | We found 1,002 GraphQL types with introspection enabled. With auth, we can test mutations for IDOR, authorization bypass |\n| **🔴 #2** | **Origin APIs** | Direct API testing (WAF bypass) | `origin-api.thescore.com` bypasses Cloudflare - use `$WAF_BYPASS` header for direct access |\n| **🟠 #3** | **Identity Services** | Session management, OAuth flows | 24+ identity endpoints - test for session fixation, token leakage |\n| **🟠 #4** | **Payment Staging** | Transaction manipulation, race conditions | `blitz-payments.us-core.staging.thescore.bet` - weaker controls in staging |\n| **🟡 #5** | **Sportsbook Logic** | Betting manipulation, bonus abuse | Authenticated testing of betting flows |\n\n---\n\n## 🚀 My Recommendation: Start with GraphQL + Origin API\n\n**Why?**\n1. We already know the GraphQL schema has **1,002 types** and **46+ mutations**\n2. With credentials, we can test **authenticated queries** for IDOR\n3. The **origin-api** endpoints bypass Cloudflare WAF entirely\n4. Combining `$WAF_BYPASS` header + `$username/$password` gives us maximum access\n\n---\n\n**Which would you like to pursue?**\n\n1. **GraphQL Deep Dive** - Authenticate, enumerate mutations, test for IDOR/authorization bypass on betting operations\n2. **Origin API Testing** - Direct API testing with WAF bypass header on `origin-api.thescore.com`\n3. **Full Authenticated Crawl** - Login to sportsbook.thescore.bet and crawl authenticated endpoints\n4. **Payment System Testing** - Focus on Blitz pa",
"id": "7a324148-e4f3-4dbb-88ed-e2cf11baf026",
"index": 20,
"role": "assistant",
"timestamp": {}
},
{
"content": "\n\n\n\n\n\n\n\n\nLet me try with the proper region cookie format and also read the existing findings to compile the final report:\n\n\n\n\n\n\n\n\nLet me continue reading the attack vectors file and then compile the final report:\n\n",
"id": "b1151f4e-3ac1-41c9-a343-ac983debe2af",
"index": 21,
"role": "assistant",
"timestamp": {}
},
{
"content": "<original-user-prompt>\nContinue with other attack vectors\n</original-user-prompt>\n\nTask: <current-task>\n1. Read the file /workspace/recon/penn/VULNERABILITY_ASSESSMENT_REPORT.md and display its full contents\n2. List all files in /workspace/recon/penn/ with their sizes\n3. Summarize the key vulnerabilities found with their severity ratings\n\nIf the report doesn't exist, create it based on the findings from:\n- /workspace/recon/penn/attack_vector1_graphql.md\n- /workspace/recon/penn/attack_vectors_2_3_4.md\n- Any other attack vector files\n\nThe report should include:\n- Executive Summary\n- All vulnerabilities with CVSS scores\n- Steps to reproduce\n- Recommendations\n</current-task>\nGoal: <current-goal>\nRead and display the final vulnerability assessment report\n</current-goal>",
"id": "12ad5c55-9334-4b10-a699-2f18387c95c5",
"index": 22,
"role": "user",
"timestamp": {}
},
{
"content": "\n\n\nI found the vulnerability assessment report. Let me also check the additional attack vector files to see if there are more recent findings:\n\n\n\n\nNow let me read more of the attack_vectors_2_3_4.md file to get the complete findings:\n\n\nExcellent! Now I have a comprehensive view of all the findings. Let me create an updated comprehensive vulnerability assessment report that includes all the attack vectors:\n\n\nNow let me provide a summary of the key findings:\n\n## Summary: Penn Entertainment Vulnerability Assessment\n\n### Files in `/workspace/recon/penn/`:\n\n| File | Size | Description |\n|------|------|-------------|\n| `COMPREHENSIVE_VULNERABILITY_REPORT.md` | NEW | Updated comprehensive report |\n| `VULNERABILITY_ASSESSMENT_REPORT.md` | 9.5KB | Previous assessment report |\n| `attack_vector1_graphql.md` | 14KB | GraphQL auth & IDOR testing |\n| `attack_vectors_2_3_4.md` | 125KB | Origin API, IDOR, Payment testing |\n| `attack_vector_5_identity.md` | 366B | Identity service testing |\n| `payments_staging_schema.json` | 160KB | Full payments GraphQL schema |\n| `all_subdomains.txt` | 107KB | 3,140 enumerated subdomains |\n\n---\n\n### Key Vulnerabilities Found (by Severity):\n\n#### 🔴 CRITICAL (1)\n1. **Staging Transactions Endpoint Exposes Payment Data** (CVSS 8.5)\n - `https://blitz-payments.us-core.staging.thescore.bet/api/v1/transactions`\n - Returns full mock payment transaction data without auth\n\n#### 🔴 HIGH (4)\n2. **GraphQL Introspection Enabled (Production)** - 56 mutations, 64 queries exposed\n3. **GraphQL Introspection Enabled (Payments Staging)** - 18 payment mutations exposed\n4. **GraphQL Batching Without Rate Limiting** - Brute force potential\n5. **sendOneTimeCode Mutation Without Auth** - SMS/Call bombing potential\n\n#### 🟠 MEDIUM (3)\n6. **40+ Staging Environments Publicly Accessible**\n7. **Internal Repository Names Disclosed** (penn-interactive/blitz-payment-provider)\n8. **CSRF Token Exposed in Staging HTML**\n\n#### 🟡 LOW (2)\n9. **sharedBet Query Without Authenticatio",
"id": "4029a395-329f-44a7-8c7a-7aae9f15f0bb",
"index": 23,
"role": "assistant",
"timestamp": {}
}
],
"query": "TheScore FanDuel DraftKings security analysis reconnaissance",
"requestedScope": "resource",
"scope": "resource",
"scopeOverridden": false,
"success": true,
"topK": 5,
"totalFound": 23,
"usage_tip": "Found 23 relevant message(s) across all conversations. Each message includes 2 surrounding message(s) for context."
}out
{
"count": 0,
"success": true,
"todos": []
}Excellent! I have significant prior context. You've done extensive reconnaissance on TheScore/Penn Entertainment already. Now let me create a comprehensive plan for comparing the security stacks of your competitors (FanDuel, DraftKings) against TheScore Sportsbook.
args
out
{
"previousTodosCount": 0,
"resumedSession": false,
"success": true,
"todos": [
{
"content": "Passive recon on FanDuel (fanduel.com) - DNS, subdomains, tech stack, WAF, CDN",
"id": "7d8ea5be-80d1-41a5-abe1-72781af45262",
"priority": "high",
"status": "pending"
},
{
"content": "Passive recon on DraftKings (draftkings.com) - DNS, subdomains, tech stack, WAF, CDN",
"id": "f8e3ce43-1013-4dc2-af81-65f34291e17b",
"priority": "high",
"status": "pending"
},
{
"content": "Compile TheScore security stack from existing recon data",
"id": "f426a990-adcb-4d9e-b429-e999a12c0f4d",
"priority": "high",
"status": "pending"
},
{
"content": "Compare WAF/CDN providers across all three platforms",
"id": "a9e61e89-c422-4164-98de-98d886c23d6d",
"priority": "medium",
"status": "pending"
},
{
"content": "Compare API security posture (GraphQL introspection, rate limiting, auth)",
"id": "4a7a7632-226b-4cb5-9d8a-05c181203ed4",
"priority": "medium",
"status": "pending"
},
{
"content": "Compare identity/authentication infrastructure",
"id": "4310183f-8656-4436-be04-9c0df1b64236",
"priority": "medium",
"status": "pending"
},
{
"content": "Create comprehensive comparison report with recommendations",
"id": "8cb4e70a-73f8-4f5a-a10a-c82d56ea9a0d",
"priority": "high",
"status": "pending"
}
]
}Updated memory
I've got the plan set up. Based on our previous extensive work on TheScore/Penn Entertainment, I already have a wealth of data on your security stack. Now I'll run parallel reconnaissance on FanDuel and DraftKings to compare.
Let me start by running passive recon on both competitors simultaneously:
args
out
No output
Sandbox Agent
Max Steps: 35
Perform passive reconnaissance on FanDuel (fanduel.com) to identify their security stack
Sandbox Agent
Max Steps: 35
Perform passive reconnaissance on DraftKings (draftkings.com) to identify their security stack
I'll execute passive reconnaissance on DraftKings to identify their security stack. Let me run these commands in parallel where possible.
I'll execute the passive reconnaissance on FanDuel to identify their security stack. Let me run these commands in parallel where possible.
Sandbox Logs[name:run_command][title:mkdir -p /workspace/recon/competito...
Sandbox Logs[name:run_command][title:dig draftkings.com ANY +noall +answ...
Sandbox Logs[name:run_command][title:dig sportsbook.draftkings.com ANY +...
Sandbox Logs[name:run_command][title:whois draftkings.com 2>/dev/null | ...
Sandbox Logs[name:run_command][title:mkdir -p /workspace/recon/competito...
Sandbox Logs[name:run_command][title:dig fanduel.com ANY +noall +answer ...
Sandbox Logs[name:run_command][title:dig sportsbook.fanduel.com ANY +noa...
Sandbox Logs[name:run_command][title:whois fanduel.com 2>/dev/null | hea...
Sandbox Logs[name:run_command][title:subfinder -d fanduel.com -silent 2>...
Sandbox Logs[title:Setting up sandbox...]Sandbox: Connected.