From Informational To Critical: Chaining & Elevating Web Vulnerabilities
Category

Summary:
This article discusses how a security consultant uncovered a critical vulnerability by chaining multiple findings across three applications running on the same hostname. Initially rated as informational, a misconfiguration led to administrative access and remote code execution. The case highlights the dangers of seemingly benign vulnerabilities when combined.
#WebSecurity #ExploitChain #VulnerabilityAssessment

Keypoints:
  • Security consultant identified vulnerabilities across three applications running on the same hostname but different ports.
  • Application A was vulnerable to Reflected XSS but couldn’t be exploited for session hijacking due to HttpOnly flags on cookies.
  • Application B had a high-severity RCE vulnerability requiring admin access and exposed sensitive Spring Boot actuator endpoints.
  • Application C supported both Authorization Header and session-based authentication, making it a target for session hijacking.
  • Weak Configuration – Cross-Application Cookie Exposure was identified, allowing cookies to be leaked between applications.
  • Session hijacking was possible due to the absence of the HttpOnly flag on Application C’s JSESSIONID cookie.
  • Chaining vulnerabilities escalated the severity from informational to critical, allowing exploitation of RCE without admin privileges.
  • The engagement demonstrated the risk of misconfigurations leading to significant security threats.

MITRE Techniques:
  • Exploitation for Client Execution (T1203): Leveraged XSS vulnerability in Application A to hijack session cookie from Application C.
  • Remote Code Execution (T1203): Exploited RCE vulnerability in Application C after gaining administrative access through session hijacking.
  • Cross-Site Scripting (T1068): Used XSS in Application A to access sensitive cookies from Application C.

IoC:
  • [domain] example[.]com
  • [url] https://example[.]com:1111?id=
  • [url] https://my-malicious-server.com


Full Research: https://www.netspi.com/blog/technical-blog/web-application-pentesting/uncovering-a-critical-vulnerability-through-chained-findings/