Summary:
This article discusses how a security consultant uncovered a critical vulnerability by chaining multiple findings across three applications running on the same hostname. Initially rated as informational, a misconfiguration led to administrative access and remote code execution. The case highlights the dangers of seemingly benign vulnerabilities when combined.
#WebSecurity #ExploitChain #VulnerabilityAssessment
Key points:
- Security consultant identified vulnerabilities across three applications running on the same hostname but different ports.
- Application A was vulnerable to Reflected XSS but couldn’t be exploited for session hijacking due to HttpOnly flags on cookies.
- Application B had a high-severity RCE vulnerability requiring admin access and exposed sensitive Spring Boot actuator endpoints.
- Application C supported both Authorization Header and session-based authentication, making it a target for session hijacking.
- Weak Configuration – Cross-Application Cookie Exposure was identified, allowing cookies to be leaked between applications.
- Session hijacking was possible due to the absence of the HttpOnly flag on Application C’s JSESSIONID cookie.
- Chaining vulnerabilities escalated the severity from informational to critical, allowing exploitation of RCE without admin privileges.
- The engagement demonstrated the risk of misconfigurations leading to significant security threats.
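The cross-application cookie exposure above rests on one browser rule: a cookie is scoped to its host and path, never to a port, so script injected into one application on a host can read any non-HttpOnly cookie set by another application on the same host. The following audit is an added example (not code from the NetSPI write-up); the Set-Cookie headers and the `example.com` ports are constructed sample data.

```python
# Added example: flag cookies that one application leaks to another on the same host.
# Per RFC 6265 section 8.5 browsers do not isolate cookies by port, so the only thing
# that keeps a session cookie away from script on a sibling port is the HttpOnly flag.
from urllib.parse import urlsplit


def parse_set_cookie(header: str):
    """Return (cookie_name, list_of_missing_protective_attributes) for one header value."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.lower()] = value or True
    missing = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")   # readable through document.cookie, so XSS can steal it
    if "secure" not in attrs:
        missing.append("Secure")     # sent over plaintext HTTP
    if "samesite" not in attrs:
        missing.append("SameSite")   # attached to cross-site requests by default
    return name, missing


def same_cookie_scope(origin_a: str, origin_b: str) -> bool:
    """Host-only cookies (no Domain attribute assumed) are shared whenever the host matches;
    the port is deliberately ignored because browsers ignore it for cookie scope."""
    return urlsplit(origin_a).hostname == urlsplit(origin_b).hostname


def exposed_cookies(set_cookie_by_origin: dict, script_origin: str) -> list:
    """Names of cookies that script running at script_origin could read via document.cookie."""
    exposed = []
    for origin, headers in set_cookie_by_origin.items():
        if not same_cookie_scope(origin, script_origin):
            continue
        for header in headers:
            name, missing = parse_set_cookie(header)
            if "HttpOnly" in missing:
                exposed.append(name)
    return exposed


# Constructed sample: two applications on the same host, different ports.
SAMPLE_HEADERS = {
    "https://example.com:2222": ["JSESSIONID=c0ffee; Path=/; Secure"],       # no HttpOnly
    "https://example.com:3333": ["SESSION=cafe; Path=/; Secure; HttpOnly"],  # protected
}

if __name__ == "__main__":
    # Script injected into the app on port 1111 can read JSESSIONID but not SESSION.
    print(exposed_cookies(SAMPLE_HEADERS, "https://example.com:1111"))
```

Run this against the real Set-Cookie headers of every application sharing a hostname; an empty result for each sibling origin means the HttpOnly gap that enabled the chain is closed.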
MITRE Techniques:
- Exploitation for Client Execution (T1203): Leveraged the XSS vulnerability in Application A to hijack the session cookie of Application C.
- Remote Code Execution (T1203): Exploited RCE vulnerability in Application C after gaining administrative access through session hijacking.
- Cross-Site Scripting (T1068): Used XSS in Application A to access sensitive cookies from Application C.
IoC:
- [domain] example[.]com
- [url] https://example[.]com:1111?id=
- [url] https://my-malicious-server.com
Full Research: https://www.netspi.com/blog/technical-blog/web-application-pentesting/uncovering-a-critical-vulnerability-through-chained-findings/