Microsoft-IIS 10.0
tcp/443
Exposing Swagger/OpenAPI documentation is primarily a risk if your API has underlying security flaws, as it gives attackers a precise roadmap to find them.
These documents detail every endpoint, parameter, and data model, making it easier to discover and exploit vulnerabilities like broken access control or injection points.
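While a perfectly secure API mitigates the danger, protecting your documentation is a critical layer of defense that forces attackers to work without a map. Restricting the documentation is defense in depth only: every endpoint still has to enforce authentication and authorization itself, because the routes remain reachable whether or not they are documented.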
Severity: info
Fingerprint: 5733ddf49ff49cd1aad03549a17e92311bb3186b6dd291bc5068d86c2a9dfe79
Public Swagger UI/API detected at path: /swagger/index.html - sample paths:
DELETE /api/user/{oid}/circle/{id}
GET /api/system/countries
GET /api/system/regions
GET /api/user/activitysettings
GET /api/user/generalsettings
GET /api/user/getuseroid
GET /api/user/ivrsettings
GET /api/user/media
GET /api/user/mydetails
GET /api/user/resendverificationemail
GET /api/user/settings
GET /api/user/verifiyemail
GET /api/user/verifyphone
GET /api/user/wellnesscheckpausesettings
GET /api/user/wellnesschecksettings
GET /api/user/{oid}
GET /api/user/{oid}/activity/deleteactivity
GET /api/user/{oid}/activity/getactivities
GET /api/user/{oid}/circle/{id}/action
GET /api/user/{oid}/circle/{id}/resend
GET /api/user/{oid}/details
POST /api/user/ackhelprequest
POST /api/user/create
POST /api/user/endhelprequest
POST /api/user/helprequest
POST /api/user/updatewellnesscheck
POST /api/user/wellnesscheckreportok
POST /api/user/{oid}/activity/endtimer
POST /api/user/{oid}/activity/extendtimer
POST /api/user/{oid}/activity/starttimer
POST /api/user/{oid}/circle/createinvite
POST /api/user/{oid}/edit
POST /api/user/{oid}/logs
PUT /api/user/{oid}/circle/{id}/updatepermissions
Severity: info
Fingerprint: 5733ddf49ff49cd12ec8532c2ec8532c2ec8532c2ec8532c2ec8532c2ec8532c
Public Swagger UI/API detected at path: /swagger/index.html
Open service 52.233.38.143:443 · app.hellohibou.com
2026-01-23 09:32
HTTP/1.1 200 OK
Connection: close
Content-Type: text/html; charset=utf-8
Date: Fri, 23 Jan 2026 09:32:45 GMT
Server: Microsoft-IIS/10.0
Set-Cookie: ARRAffinity=a0fe454dc2b6bb16ebb059fc3911bfb190ecd766bc7d5d1b9782ca8b4c5f9561;Path=/;HttpOnly;Secure;Domain=app.hellohibou.com
Set-Cookie: ARRAffinitySameSite=a0fe454dc2b6bb16ebb059fc3911bfb190ecd766bc7d5d1b9782ca8b4c5f9561;Path=/;HttpOnly;SameSite=None;Secure;Domain=app.hellohibou.com
Transfer-Encoding: chunked
Request-Context: appId=cid-v1:3ca47230-7897-4648-9227-615e6c93f6f4
X-Powered-By: ASP.NET
Page title: Hibou
<!DOCTYPE html>
<html>
<head>
<!-- Google Tag Manager -->
<script>
/*
 * Google Tag Manager bootstrap. Pushes the 'gtm.start' event onto the page's
 * data layer, then inserts an async <script> element pointing at gtm.js ahead
 * of the first existing <script> element. The inserted script is fetched from
 * www.googletagmanager.com and executes in this page's context.
 */
(function (win, doc, tagName, layerName, containerId) {
  // Reuse a data layer that already exists on the page, otherwise start one.
  win[layerName] = win[layerName] || [];
  win[layerName].push({
    'gtm.start': new Date().getTime(),
    event: 'gtm.js'
  });

  var firstScript = doc.getElementsByTagName(tagName)[0];
  var loader = doc.createElement(tagName);

  // The layer name is only added to the loader URL when it is not the default.
  var layerParam = '';
  if (layerName != 'dataLayer') {
    layerParam = '&l=' + layerName;
  }

  loader.async = true;
  loader.src = 'https://www.googletagmanager.com/gtm.js?id=' + containerId + layerParam;
  firstScript.parentNode.insertBefore(loader, firstScript);
})(window, document, 'script', 'dataLayer', 'GTM-MDFBW4X');
</script>
<!-- End Google Tag Manager -->
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<meta name="apple-itunes-app" content="app-id=1455983135, app-argument=https://app.hellohibou.com/user/start">
<title>Hibou</title>
<link rel="stylesheet" href="/lib/bootstrap/dist/css/bootstrap.css" />
<link rel="stylesheet" href="/css/site.css" />
<link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.0.7/css/all.css" />
<script type="text/javascript">!function(T,l,y){var S=T.location,k="script",D="instrumentationKey",C="ingestionendpoint",I="disableExceptionTracking",E="ai.device.",b="toLowerCase",w="crossOrigin",N="POST",e="appInsightsSDK",t=y.name||"appInsights";(y.name||T[e])&&(T[e]=t);var n=T[t]||function(d){var g=!1,f=!1,m={initialize:!0,queue:[],sv:"5",version:2,config:d};function v(e,t){var n={},a="Browser";return n[E+"id"]=a[b](),n[E+"type"]=a,n["ai.operation.name"]=S&&S.pathname||"_unknown_",n["ai.internal.sdkVersion"]="javascript:snippet_"+(m.sv||m.version),{time:function(){var e=new Date;function t(e){var t=""+e;return 1===t.length&&(t="0"+t),t}return e.getUTCFullYear()+"-"+t(1+e.getUTCMonth())+"-"+t(e.getUTCDate())+"T"+t(e.getUTCHours())+":"+t(e.getUTCMinutes())+":"+t(e.getUTCSeconds())+"."+((e.getUTCMilliseconds()/1e3).toFixed(3)+"").slice(2,5)+"Z"}(),iKey:e,name:"Microsoft.ApplicationInsights."+e.replace(/-/g,"")+"."+t,sampleRate:100,tags:n,data:{baseData:{ver:2}}}}var h=d.url||y.src;if(h){function a(e){var t,n,a,i,r,o,s,c,u,p,l;g=!0,m.queue=[],f||(f=!0,t=h,s=function(){var e={},t=d.connectionString;if(t)for(var n=t.split(";"),a=0;a<n.length;a++){var i=n[a].split("=");2===i.length&&(e[i[0][b]()]=i[1])}if(!e[C]){var r=e.endpointsuffix,o=r?e.location:null;e[C]="https://"+(o?o+".":"")+"dc."+(r||"services.visualstudio.com")}return e}(),c=s[D]||d[D]||"",u=s[C],p=u?u+"/v2/track":d.endpointUrl,(l=[]).push((n="SDK LOAD Failure: Failed to load Application Insights SDK script (See stack for details)",a=t,i=p,(o=(r=v(c,"Exception")).data).baseType="ExceptionData",o.baseData.exceptions=[{typeName:"SDKLoadFailed",message:n.replace(/\./g,"-"),hasFullStack:!1,stack:n+"\nSnippet failed to load ["+a+"] -- Telemetry is disabled\nHelp Link: https://go.microsoft.com/fwlink/?linkid=2128109\nHost: "+(S&&S.pathname||"_unknown_")+"\nEndpoint: "+i,parsedStack:[]}],r)),l.push(function(e,t,n,a){var i=v(c,"Message"),r=i.data;r.baseType="MessageData";var o=r.baseData;return o.message='AI 
(Internal): 99 message:"'+("SDK LOAD Failure: Failed to load Application Insights SDK script (See stack for details) ("+n+")").replace(/\"/g,"")+'"',o.properties={endpoint:a},i}(0,0,t,p)),function(e,t){if(JSON){var n=T.fetch;if(n&&!y.useXhr)n(t,{method:N,body:JSON.stringify(e),mode:"cors"});else if(XMLHttpRequest){var a=new XMLHttpRequest;a.open(N,t),a.setRequestHeader("Content-type","application/json"),a.send(JSON.stringify(e))}}}(l,p))}function i(e,t){f||setTimeout(function(){!t&&m.core||a()},500)}var e=function(){var n=l.createElement(k);n.src=h;var e=y[w];return!e&&""!==e||"undefined"==n[w]||(n[w]=e),n.onload=i,n.onerror=a,n.onreadystatechange=function(e,t){"loaded"!==n.readyState&&"complete"!==n.readyState||i(0,t)},n}();y.ld<0?l.getElementsByTagName("head")[0].appendChild(e):setTimeout(function(){l.getElementsByTagName(k)[0].parentNode.appendChild(e)},y.ld||0)}try{m.cookie=l.cookie}catch(p){}function t(e){for(;e.length;)!function(t){m[t]=function(){var e=a