Web Vulnerability Chains

Common Web Vulnerability Chains with Examples


1. Cross-Site Scripting (XSS)

XSS → Session Hijacking → Privilege Escalation Example:

  • A comment section on a website is vulnerable to stored XSS.
  • An attacker posts a comment containing a malicious script that steals session cookies when viewed by other users.
  • The script sends the session cookie to the attacker, who then uses it to impersonate the user and escalate privileges.

XSS → CSRF → Account Takeover Example:

  • A web application allows users to update their email without CSRF protection.
  • The attacker sends a link with an embedded XSS payload to the victim.
  • When the victim clicks the link, the XSS payload executes a CSRF attack, changing the victim’s email address.

XSS → LFI/RFI → RCE Example:

  • An attacker finds an XSS vulnerability in a search feature and exploits it to inject a script that exploits an RFI vulnerability.
  • The RFI payload points to an external malicious script, which gets executed on the server, leading to RCE.

2. SQL Injection (SQLi)

SQLi → Data Exfiltration → Credential Theft Example:

  • An attacker injects OR 1=1 into a login form.
  • This bypasses authentication and returns all user records, revealing usernames and hashed passwords.

SQLi → Authentication Bypass → Privilege Escalation Example:

  • Injecting ' OR '1'='1 into a login form bypasses authentication.
  • The attacker gains access to the application with administrative privileges.

SQLi → RCE Example:

  • The application has a vulnerable SQL query that allows executing commands (e.g., xp_cmdshell in SQL Server).
  • The attacker injects ; exec xp_cmdshell('dir'); -- to execute commands on the server.

SQLi → LFI Example:

  • An attacker exploits SQLi to read a file from the server, such as the application configuration file.
  • The query UNION SELECT LOAD_FILE('/etc/passwd') reveals sensitive information, enabling further attacks.
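The authentication-bypass link in the SQLi chains above exists only when the query text is built from user input. This added example (not from the original page) shows the concatenated query next to its parameterized form, using an in-memory SQLite table constructed for the demo; the table, column names and hash strings are assumptions.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    # Constructed in-memory user table so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'hash-of-admin-pw', 'admin')")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-pw', 'user')")
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str):
    # The query is assembled by string concatenation, so a quote in the input
    # ends the literal and the rest of the input is parsed as SQL. Returns the
    # role of the first matching row, or None.
    sql = ("SELECT role FROM users WHERE username = '" + username +
           "' AND password_hash = '" + password_hash + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(conn: sqlite3.Connection, username: str, password_hash: str):
    # Placeholders hand the values to the driver separately from the query
    # text, so the same input is compared as data and never parsed as SQL.
    sql = "SELECT role FROM users WHERE username = ? AND password_hash = ?"
    row = conn.execute(sql, (username, password_hash)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"  # the page's authentication-bypass input
    # Vulnerable: WHERE ... AND password_hash = '' OR '1'='1' matches every row,
    # and the first row returned is the admin account.
    print(login_vulnerable(db, "nobody", payload))
    # Safe: no user has the literal string "' OR '1'='1" as a password hash.
    print(login_safe(db, "nobody", payload))
```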

3. Local File Inclusion (LFI)

LFI → Information Disclosure → Credential Theft Example:

  • An attacker exploits LFI to read /etc/passwd and /var/www/html/config.php.
  • This reveals database credentials stored in the configuration file.

LFI → RCE Example:

  • LFI is used to include /proc/self/environ or logs containing PHP code injected by the attacker.
  • The attacker injects <?php system($_GET['cmd']); ?> into the logs and includes the log file to achieve RCE.
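Both LFI chains above depend on the include path being chosen by the request. The following added example (not part of the original page) confines an include to one template directory, refusing absolute paths such as /proc/self/environ, traversal into log directories, NUL-byte tricks and non-template file types; the base directory /srv/app/templates and the allowed extensions are assumptions.

```python
import os
from typing import Optional

def resolve_include(base_dir: str, requested: str,
                    allowed_ext=(".php", ".html")) -> Optional[str]:
    """Return the absolute path to include, or None if the request must be refused.

    base_dir is the only directory from which includes are served. A request
    that is absolute, contains a NUL byte, resolves outside base_dir, or names
    a file type that is not a template is refused before the file is opened."""
    if not requested or "\x00" in requested or os.path.isabs(requested):
        return None  # covers /etc/passwd, /proc/self/environ, "page.php\0.jpg"
    base = os.path.realpath(base_dir)
    # Resolve "..", "." and symlinks first, then require the result to sit
    # inside base_dir. commonpath is used instead of a string prefix check,
    # which would wrongly accept /srv/app/templates2 under /srv/app/templates.
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        return None  # e.g. ../../../var/log/apache2/access.log
    if not target.lower().endswith(allowed_ext):
        return None  # log files and environ are never templates
    return target

BASE = "/srv/app/templates"  # assumed template directory for the demo

if __name__ == "__main__":
    for req in ("home.php", "sub/../home.php", "../../../etc/passwd",
                "/proc/self/environ", "../../../var/log/apache2/access.log"):
        print(repr(req), "->", resolve_include(BASE, req))
```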

4. Remote File Inclusion (RFI)

RFI → Web Shell Upload → Persistent Backdoor Example:

  • An attacker includes a remote script that uploads a PHP web shell to the server.
  • The attacker accesses the web shell at http://example.com/shell.php, maintaining persistent control.

RFI → RCE Example:

  • An RFI vulnerability allows including http://attacker.com/shell.php.
  • The included script contains malicious code that executes commands on the server.

5. Cross-Site Request Forgery (CSRF)

CSRF → Account Takeover → Business Logic Abuse Example:

  • The attacker crafts a malicious form that changes the user’s password.
  • When the victim submits the form, their password is changed without their knowledge.

CSRF → XSS Injection Example:

  • The attacker crafts a malicious form that injects a script into the user's profile.
  • When the victim submits the form, the script is stored and executed whenever the profile is viewed.

6. Command Injection

Command Injection → RCE Example:

A web application passes user input to a system shell without sanitization. The attacker injects ; rm -rf /; into the input field, causing arbitrary commands to be executed.

Command Injection → Data Exfiltration Example:

An attacker injects ; cat /etc/passwd; into a vulnerable input field. The command reveals sensitive information that the attacker can exfiltrate.

7. Server-Side Request Forgery (SSRF)

SSRF → Internal Network Scanning → Pivoting Example:

  • An SSRF vulnerability allows the attacker to send requests to internal IP addresses.
  • The attacker discovers internal services and exploits them to pivot deeper into the network.

SSRF → Metadata Service Access → Cloud Account Takeover Example:

  • The attacker exploits SSRF to access the cloud provider's metadata service.
  • The attacker retrieves IAM credentials, gaining control over the cloud account.
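Both SSRF chains above are cut off by refusing to fetch destinations that resolve to internal, loopback or link-local addresses (the 169.254.0.0/16 block includes the cloud metadata endpoint). This added example is not from the original page; the resolver callback is an assumption injected so the code runs offline, and the sample hostnames and IPs are constructed.

```python
import ipaddress
from typing import Callable, List, Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def is_internal(addr) -> bool:
    # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) so the IPv4 checks apply.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    # Loopback, RFC 1918 / ULA, link-local (metadata service lives here),
    # multicast, reserved and unspecified ranges are all off-limits.
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)

def check_outbound_url(url: str,
                       resolver: Optional[Callable[[str], List[str]]] = None) -> bool:
    """Return True only if the server may fetch url on a user's behalf.

    resolver(hostname) returns the IP strings the name resolves to. It is
    injected so the example runs offline; production code resolves the name
    once, validates every returned address, and then connects to that same
    address so a second lookup (DNS rebinding) cannot swap in 10.0.0.5."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False  # file://, gopher://, dict:// and similar are never fetched
    if parts.username is not None or parts.password is not None:
        return False  # http://trusted.example@169.254.169.254/ style confusion
    host = parts.hostname
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IP, no DNS involved
    except ValueError:
        if resolver is None:
            return False  # cannot validate what we cannot resolve
        addrs = [ipaddress.ip_address(a) for a in resolver(host)]
    return bool(addrs) and not any(is_internal(a) for a in addrs)

if __name__ == "__main__":
    public = lambda h: ["93.184.216.34"]   # constructed resolver answers
    private = lambda h: ["10.0.0.5"]
    print(check_outbound_url("https://example.com/report", public))      # True
    print(check_outbound_url("http://169.254.169.254/latest/meta-data/"))  # False
    print(check_outbound_url("http://intranet.corp/", private))           # False
```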

8. Insecure Deserialization

Insecure Deserialization → RCE Example:

  • The application deserializes untrusted data.
  • The attacker crafts a serialized payload that executes arbitrary code upon deserialization.

Insecure Deserialization → Authentication Bypass Example:

  • The attacker manipulates a serialized object to escalate their privileges.
  • Upon deserialization, the attacker gains administrative access.

9. XML External Entity (XXE)

XXE → File Disclosure → Credential Theft Example:

  • An XXE payload in an XML file retrieves /etc/passwd.
  • The attacker uses this information to further compromise the system.

XXE → SSRF Example:

  • An XXE payload makes internal HTTP requests.
  • The attacker discovers internal services and potentially exploits them.

XXE → Denial of Service (DoS) Example:

  • An XXE payload triggers a billion laughs attack, consuming server resources and causing a DoS.

10. Clickjacking

Clickjacking → CSRF → Account Takeover Example:

  • The attacker overlays a transparent iframe over a legitimate website.
  • The victim unknowingly clicks on buttons that trigger CSRF attacks.

Clickjacking → XSS Injection Example:

  • The attacker uses clickjacking to trick the victim into clicking on elements that inject XSS payloads.
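The XSS → session hijacking, CSRF and clickjacking chains above each rely on a response-header weakness: a session cookie readable by script, a cookie sent on cross-site requests, and a page that may be framed. This added example (not from the original page) audits a response's headers for those three conditions; the two sample responses are constructed for the demo.

```python
from typing import Dict, List, Tuple

def parse_set_cookie(value: str) -> Tuple[str, Dict[str, str]]:
    # "sid=abc; Path=/; SameSite=Lax; HttpOnly" -> ("sid", {"path": "/", "samesite": "lax", "httponly": ""})
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs: Dict[str, str] = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip().lower()
    return name, attrs

def audit_response_headers(headers: List[Tuple[str, str]]) -> List[str]:
    """Return findings for the chain links an HTTP response leaves open.

    headers is a list of (name, value) pairs because Set-Cookie may repeat."""
    findings = []
    lower = {k.lower(): v for k, v in headers}
    csp = lower.get("content-security-policy", "")
    xfo = lower.get("x-frame-options", "").strip().upper()
    if "frame-ancestors" not in csp and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("page can be framed: clickjacking -> CSRF chain is open")
    if not csp:
        findings.append("no Content-Security-Policy: an injected script runs unrestricted")
    for k, v in headers:
        if k.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(v)
        if "httponly" not in attrs:
            findings.append(f"cookie {name} readable by script: XSS -> session hijacking chain is open")
        # No SameSite attribute is treated like SameSite=None, the most permissive reading.
        if attrs.get("samesite", "none") == "none":
            findings.append(f"cookie {name} has no effective SameSite: CSRF chain is open")
        if "secure" not in attrs:
            findings.append(f"cookie {name} is sent over plaintext HTTP")
    return findings

# Constructed sample responses: an unhardened app and the corrected headers.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sid=abc123; Path=/"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("Set-Cookie", "sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]
```

Run `audit_response_headers(WEAK_RESPONSE)` to see all five findings; the hardened response returns an empty list.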

11. Self-XSS

Self-XSS → Credential Theft Example:

  • The attacker convinces the victim to paste a malicious script into their browser console.
  • The script sends the victim's session cookies to the attacker.

Self-XSS → Account Takeover Example:

  • The victim runs a script that changes their account settings.
  • The attacker gains control over the victim's account by changing the email address and password.
