Art of Chaining Security Vulnerabilities in Penetration Testing
There are amazing security minds in the industry who have spent hours turning P5 issues into P1s by chaining multiple vulnerabilities. Dismissing findings because of their low severity, or treating them as non-impactful or low-hanging fruit, will cause trouble for applications and programs in the future. It is therefore important to understand how low-severity vulnerabilities can be chained into impactful and meaningful issues.
Let’s take a few scenarios hand in hand:
Scenario 1
Vulnerability: Reflected Cross-Site Scripting (XSS)
Description: In this scenario, let's say there's a web application where user inputs aren't properly sanitized before being reflected to the user. An attacker could craft a malicious link containing a script that executes when clicked by a victim.
Application Scenario: Imagine a basic web application where users can submit comments on a forum. When a user submits a comment, it's displayed back to them without proper sanitization, making it susceptible to XSS attacks.
HTTP Request Example:
```http
POST /submitComment HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 59

comment=<script>alert('XSS attack!')</script>&submit=Submit
```
Chaining with Another Vulnerability: CSRF
Vulnerability: Cross-Site Request Forgery (CSRF)
Description: CSRF allows an attacker to perform actions on behalf of an authenticated user without their consent by exploiting the trust that a site has in the user's browser.
Application Scenario: Let's say the same web application is also vulnerable to CSRF attacks, where actions can be triggered through forged requests.
HTTP Request Example (CSRF):
```http
POST /changePassword HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 76
Cookie: session=victim_session_cookie

newPassword=evilpassword&confirmPassword=evilpassword&submit=Change+Password
```
Chained Impact:
Now, an attacker can craft a malicious web page (hosted elsewhere) containing JavaScript that automatically sends a forged request to change the victim's password when visited. They can then combine this with the XSS vulnerability mentioned earlier to make the attack more convincing and automated.
Chained Attack Flow:
- The attacker lures the victim to visit their malicious webpage.
- The malicious webpage executes JavaScript code containing a CSRF attack targeting the vulnerable "change password" functionality on the target web application.
- Additionally, the page can contain an XSS payload, which steals the victim's session cookie or performs other actions on behalf of the victim without their consent.
- As a result, the victim's password gets changed without their knowledge, and their account becomes compromised.
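As an added example that is not part of the original article: a minimal server-side handler showing the two fixes that break this chain, HTML-encoding the reflected comment and requiring a per-session anti-CSRF token (backed by an Origin check) on /changePassword. The function names and the `csrf_token` form field are assumptions.

```python
import hmac
import html
import secrets
from typing import Optional, Tuple

# Added example, not the application's own code: the two server-side fixes
# that break the XSS + CSRF chain above. Form field `csrf_token` is assumed.

def issue_csrf_token(session: dict) -> str:
    """Mint a per-session anti-CSRF token; embed it in the change-password form."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token

def csrf_token_is_valid(session: dict, submitted: Optional[str]) -> bool:
    """A forged cross-site request cannot read the token, so it cannot supply it.
    compare_digest keeps the comparison constant-time."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)

def render_comment(comment: str) -> str:
    """Encode the comment before reflecting it: <script> is rendered as text."""
    return '<p class="comment">%s</p>' % html.escape(comment, quote=True)

def handle_change_password(session: dict, form: dict,
                           origin: Optional[str], site_origin: str) -> Tuple[int, str]:
    """Defence in depth: reject cross-origin requests by Origin header, then
    require the session's CSRF token. The forged request from the page has
    neither and is refused with 403 even though the victim's cookie is attached."""
    if origin is not None and origin != site_origin:
        return 403, "cross-origin request rejected"
    if not csrf_token_is_valid(session, form.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    if not form.get("newPassword") or form["newPassword"] != form.get("confirmPassword"):
        return 400, "passwords do not match"
    session["password_changed"] = True
    return 200, "password changed"
```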
Scenario 2
Low-Impact Security Issue: Clickjacking
Description: Clickjacking is a technique where an attacker tricks a user into clicking on something different from what the user perceives, potentially revealing confidential information, installing malware, or performing unintended actions.
Scenario: Imagine a scenario where a user visits a social media platform that allows users to upload images with captions. The platform doesn't employ adequate clickjacking protection.
HTTP Request Example:
```http
POST /uploadImage HTTP/1.1
Host: example.com
Content-Type: multipart/form-data; boundary=---------------------------974767299852498929531610575
Content-Length: 554

-----------------------------974767299852498929531610575
Content-Disposition: form-data; name="image"; filename="example.jpg"
Content-Type: image/jpeg

(binary data)
-----------------------------974767299852498929531610575
Content-Disposition: form-data; name="caption"

Check out my latest pic!
-----------------------------974767299852498929531610575--
```
Chaining with XSS Vulnerability
Description: Cross-Site Scripting (XSS) allows attackers to inject malicious scripts into web pages viewed by other users. This can lead to various consequences, including session hijacking, data theft, and unauthorized actions on behalf of the user.
Scenario: In our scenario, the social media platform is vulnerable to XSS attacks due to improper input validation, allowing attackers to inject malicious scripts into the caption field.
HTTP Request Example with XSS Payload:
```http
POST /uploadImage HTTP/1.1
Host: example.com
Content-Type: multipart/form-data; boundary=---------------------------974767299852498929531610575
Content-Length: 613

-----------------------------974767299852498929531610575
Content-Disposition: form-data; name="image"; filename="example.jpg"
Content-Type: image/jpeg

(binary data)
-----------------------------974767299852498929531610575
Content-Disposition: form-data; name="caption"

<script>alert('Your session has been hijacked!');</script>
-----------------------------974767299852498929531610575--
```
Chained Attack Flow:
By combining Clickjacking and XSS:
- Clickjacking: The attacker can overlay an invisible iframe on top of the social media platform's upload button, tricking the user into clicking on it instead of the legitimate button.
- XSS: The injected script can perform actions like session hijacking. In this case, it shows a simple alert, but it could steal cookies, capture keystrokes, or perform other malicious activities.
Consequence: When a user uploads an image with the caption containing the XSS payload, thinking they are simply uploading an image with a caption, they inadvertently execute the malicious script, allowing the attacker to hijack their session.
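An added example, not the platform's own code: the clickjacking step only works if the upload page can be framed, so this checker reads a response's headers and decides whether a page at a given origin may embed it, preferring CSP `frame-ancestors` and falling back to `X-Frame-Options`. The weak and hardened header sets are constructed for illustration; CSP parsing is simplified (directives split on `;`).

```python
from urllib.parse import urlsplit

# Added example, not the platform's code. Decides whether a page served from
# `origin` can frame the response whose headers are given. Browsers give
# CSP frame-ancestors precedence over X-Frame-Options, so this does too.

def _csp_directives(value):
    out = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return out

def _source_matches(source, origin, site_origin):
    if source == "'self'":
        return origin == site_origin
    if source == "*":
        return True
    if source.endswith(":"):                  # scheme-only source such as https:
        return urlsplit(origin).scheme + ":" == source
    host = urlsplit(origin).hostname or ""
    src_host = urlsplit(source if "://" in source else "//" + source).hostname or ""
    if src_host.startswith("*."):             # wildcard host, e.g. *.partner.example
        return host.endswith(src_host[1:])
    return host == src_host

def framing_allowed(headers, origin, site_origin):
    """True if a page at `origin` may put this response in an iframe."""
    h = {k.lower(): v for k, v in headers.items()}
    ancestors = _csp_directives(h.get("content-security-policy", "")).get("frame-ancestors")
    if ancestors is not None:
        if ancestors == ["'none'"]:
            return False
        return any(_source_matches(s, origin, site_origin) for s in ancestors)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return origin == site_origin
    return True                                # no protection: anyone can frame it

# Constructed header sets: the platform as described, and the corrected one.
WEAK_HEADERS = {"Content-Type": "text/html"}
HARDENED_HEADERS = {"Content-Type": "text/html",
                    "Content-Security-Policy": "frame-ancestors 'none'",
                    "X-Frame-Options": "DENY"}   # kept for browsers without CSP2
```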
Scenario 3
Low-Impact Security Issue: Open Redirect
Description: An open redirect vulnerability occurs when a web application allows users to navigate to external URLs. While this might seem harmless at first, it can be exploited by attackers to redirect users to malicious websites, phishing pages, or other harmful content.
Example HTTP Request:
```http
GET /redirect?url=https://malicious-site.com HTTP/1.1
Host: vulnerable-site.com
```
Application Scenario: Imagine a scenario where a legitimate website (vulnerable-site.com) offers a feature that allows users to redirect to external websites for various purposes such as partner sites, advertisements, or shortened URLs. The website might have a redirect endpoint like `/redirect?url=<external_url>`.
Chaining with Another Vulnerability: Server-Side Request Forgery (SSRF)
Description: SSRF occurs when an attacker can manipulate the HTTP requests sent by the server, allowing them to make requests to internal or external resources from the perspective of the vulnerable server. This can lead to sensitive data exposure, service manipulation, or in some cases, remote code execution.
Example HTTP Request for SSRF:
```http
POST /api/endpoint HTTP/1.1
Host: vulnerable-site.com
Content-Type: application/json

{"url": "http://internal-service/vulnerable-endpoint"}
```
Chained Attack Steps:
- The attacker crafts a URL that exploits the open redirect vulnerability: `https://vulnerable-site.com/redirect?url=http://internal-service/api/endpoint`
- The vulnerable website redirects the user to the attacker-controlled SSRF payload, which makes a request to an internal service endpoint (`http://internal-service/api/endpoint`).
- The SSRF payload, being executed from the perspective of the vulnerable server, can potentially interact with internal resources, allowing the attacker to bypass network restrictions, access sensitive data, or even compromise internal systems.
Impact: By chaining the open redirect with SSRF, the attacker can bypass network restrictions and access sensitive internal resources, potentially leading to data breaches, service manipulation, or further exploitation of the internal network. This demonstrates how seemingly low-impact vulnerabilities can be combined to create a significant security risk.
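An added example, not the site's own code: the two server-side checks that break this chain. The redirect endpoint only sends users to a relative path or an allowlisted host, and the URL fetcher re-validates every hop it follows, so a redirect cannot carry it to an internal address. `resolve` and `fetch` are injected so the logic runs offline; the hostnames and addresses are constructed, and `fetch` is assumed not to follow redirects on its own.

```python
import ipaddress
from urllib.parse import urlsplit, urljoin

# Added example, not the page's code. Mitigations for the open redirect and for
# the SSRF-prone fetcher; `resolve(host) -> ip string` and
# `fetch(url) -> (status, headers, body)` are injected (fetch must not follow
# redirects itself, e.g. requests.get(..., allow_redirects=False)).

def safe_redirect_target(url, allowed_hosts):
    """Return `url` if /redirect may send the browser there, else None."""
    parts = urlsplit(url)
    if not parts.scheme and not parts.netloc and url.startswith("/") and not url.startswith("//"):
        return url                               # same-site relative path
    if parts.scheme in ("http", "https") and (parts.hostname or "") in allowed_hosts:
        return url                               # explicitly allowlisted host
    return None

def is_public_target(url, resolve):
    """True only for http(s) URLs whose host resolves to a globally routable IP,
    which rejects internal-service, 10/8, 127.0.0.1, [::1], link-local, etc."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        addr = ipaddress.ip_address(resolve(parts.hostname))
    except (OSError, ValueError):
        return False
    return addr.is_global

def fetch_following_redirects(url, fetch, resolve, max_hops=3):
    """Fetch `url`, re-checking the target of every redirect; body or None.
    Checking only the first URL is exactly what the chain above exploits."""
    for _ in range(max_hops + 1):
        if not is_public_target(url, resolve):
            return None                          # blocked hop (initial or redirected)
        status, headers, body = fetch(url)
        if status not in (301, 302, 303, 307, 308):
            return body
        url = urljoin(url, headers.get("Location", ""))
    return None                                  # too many redirects
```

In production, connect to the address that was validated rather than resolving the name a second time, otherwise a DNS answer that changes between check and connect can still reach an internal host.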

Robin Joseph
Head of Security testing