Hello guys, I’m back with a new post and a new discovery. As I’m a Mobilis GSM subscriber I thought about registering to their online invoice system, I took the steps and I have been provided with access to my account online . EXPLORING THE WONDERLAND : When you first login you get this page : You can do some things from here, like viewing/downloading your invoices and canceling the online account, we are mainly interested in the invoices as they contain all information about the target in order to help conduct further attacks on him/her I hooked up burp suite proxy to the browser and I logged in, I was amazed about what I was seeing …. this is happening upon login : Isn’t that a session initializer ? : /servlet/InitSessionExt?USER=”account_id”&ACCESS=1&INVOICE=”invoice_id” The “account_id” can be brute forced as it a sequence number, but how can we get the “invoice_id” f