
Not all security vulnerabilities are high risk in themselves, but in the hands of sophisticated attackers even small weaknesses can escalate into major breaches. These five real vulnerabilities found by Intruder's bug hunting team show how attackers turn overlooked flaws into serious security incidents.
1. Stealing AWS credentials with a redirect
Server-Side Request Forgery (SSRF) is a common vulnerability that can have a significant impact, especially in cloud-hosted applications. If a web application retrieves resources from a user-supplied URL, it must not let an attacker manipulate that request to reach unintended resources.
While assessing a home moving app running on AWS, our team tested popular SSRF bypass techniques.
The attack chain was as follows: the app sent a webhook request to the attacker's web server, which responded with a 302 redirect to the AWS metadata service. The app followed the redirect, recorded the response and exposed sensitive metadata, including AWS credentials.
These credentials would allow an attacker to enumerate IAM permissions and try to move deeper into the cloud environment.
This attack would not have been possible if the metadata service had enforced IMDSv2. This is a best practice flagged by any good cloud security scanner. An automated tool may not detect the complete attack chain, but breaking just this one link in the chain is enough to prevent exploitation.
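The application-side control that breaks this chain is to validate the destination of every hop of an outbound request, not only the first URL. The following is an added example written for this article (not Intruder's code and not from the assessed app); it models the redirect chain with a constructed fake network, and the attacker hostname, resolver and address list are assumptions.

```python
import ipaddress
from urllib.parse import urlparse, urljoin

# Ranges an outbound webhook must never reach; AWS IMDS (169.254.169.254) is link-local.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]
REDIRECTS = (301, 302, 303, 307, 308)

def is_safe_target(url, resolve):
    """Allow only http(s) URLs whose every resolved address is public."""
    p = urlparse(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        return False
    try:
        addrs = [ipaddress.ip_address(p.hostname)]        # literal IP in the URL
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolve(p.hostname)]
    return bool(addrs) and not any(a in n for a in addrs for n in BLOCKED_NETS)

def fetch(url, http_get, hop_check=None, max_redirects=3):
    """Follow redirects by hand. With hop_check=None this is the vulnerable
    pattern from the write-up; pass a checker to validate every hop."""
    for _ in range(max_redirects + 1):
        if hop_check is not None and not hop_check(url):
            raise ValueError(f"blocked outbound request to {url}")
        status, headers, body = http_get(url)
        if status not in REDIRECTS:
            return body
        url = urljoin(url, headers["Location"])
    raise ValueError("too many redirects")

# Constructed stand-in for the network: the attacker's host answers with a 302
# to the metadata service, which would hand back the IAM role credentials.
IMDS = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
FAKE_WEB = {
    "https://attacker.example/hook": (302, {"Location": IMDS}, b""),
    IMDS: (200, {}, b"<role name, then credentials>"),
}
FAKE_DNS = {"attacker.example": ["203.0.113.10"]}

def fake_get(url):
    return FAKE_WEB[url]

def fake_resolve(host):
    return FAKE_DNS[host]
```

The check resolves the name separately from the real connection, so a production version must connect to the address it checked (or re-check at connect time) to stay safe against DNS rebinding. IMDSv2 remains the platform-side control and should be enforced regardless.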
2. From an exposed .git repository to full database access
A vulnerability scan flagged an unintentionally exposed .git repository. While investigating the repository, our team discovered that it belonged to a publicly accessible web application.
Reviewing the application's source code revealed an authentication bypass: the login page could be bypassed by supplying a hidden parameter.
Our team gained access to the management tools, where further analysis revealed a blind SQL injection vulnerability on an authenticated page.
Exploiting this vulnerability gave access to the university's database. If exploited by an attacker, this could have exposed sensitive personal information belonging to students and staff.
3. How a small detail led to remote code execution
While hunting for bugs in a document signing app, our team noticed that after a PDF was signed, its metadata listed "ExifTool" as the document creator. Given ExifTool's history of serious vulnerabilities, we dug deeper.
The application did not disclose the tool's version, but testing for recent known vulnerabilities confirmed it was vulnerable to CVE-2021-22204. By crafting and uploading a malicious PDF, the team achieved remote command execution as the www-data user.
This foothold would allow an attacker to exploit additional vulnerabilities on the affected server to gain root access and pivot to other machines on the network, potentially causing significant damage.
4. From self-XSS to site-wide account takeover
Cross-site scripting (XSS) is a powerful attack vector for session hijacking, especially when no user interaction is required. "Self-XSS" vulnerabilities are usually low risk, but can become dangerous when combined with another vulnerability.
Our team uncovered exactly this scenario while assessing an auction application. A self-XSS vulnerability was found where a user-supplied HTTP request header was reflected in the application's response.
Normally this is harmless, because an attacker cannot force a malicious header into the victim's browser requests, but further testing revealed a cache poisoning vulnerability.
By chaining these two weaknesses, our team tricked the app into caching the self-XSS payload and serving it to every site visitor, escalating it into a persistent, site-wide XSS attack.
This would allow an attacker to hijack user accounts, including the administrator account.
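The escalation works because the reflected header is an unkeyed input: it changes the response but is not part of the cache key. The model below is an added example for this article (not Intruder's code and not the auction app); the header name X-Forwarded-Host, the host names and the request shapes are constructed assumptions, and it shows both fixes, keying the header and no longer reflecting it.

```python
from html import escape

TRUSTED_HOSTS = {"auction.example"}

def vulnerable_app(req):
    """Reflects X-Forwarded-Host into the page unescaped: the self-XSS sink.
    On its own an attacker cannot make a victim's browser send that header."""
    host = req["headers"].get("X-Forwarded-Host", req["headers"]["Host"])
    return f'<script src="//{host}/static/app.js"></script>'

def hardened_app(req):
    """Only honours the header if it names an allow-listed host, and escapes it."""
    host = req["headers"].get("X-Forwarded-Host", req["headers"]["Host"])
    if host not in TRUSTED_HOSTS:
        host = "auction.example"
    return f'<script src="//{escape(host, quote=True)}/static/app.js"></script>'

class Cache:
    """Shared response cache in front of an app. key_headers are the request
    headers included in the cache key; a header that changes the response but
    is not in the key is an unkeyed input, which is what makes poisoning work."""
    def __init__(self, app, key_headers=()):
        self.app, self.key_headers, self.store = app, tuple(key_headers), {}

    def handle(self, req):
        key = (req["path"],) + tuple(req["headers"].get(h, "") for h in self.key_headers)
        if key not in self.store:
            self.store[key] = self.app(req)
        return self.store[key]

# Constructed requests: the attacker sends the header once, the victim never does.
ATTACKER = {"path": "/", "headers": {"Host": "auction.example",
                                     "X-Forwarded-Host": "evil.example"}}
VICTIM = {"path": "/", "headers": {"Host": "auction.example"}}

def poisoned(cache):
    """True if a victim request served after the attacker's carries attacker content."""
    cache.handle(ATTACKER)
    return "evil.example" in cache.handle(VICTIM)

if __name__ == "__main__":
    print("unkeyed header, reflecting app:", poisoned(Cache(vulnerable_app)))  # True
    print("header added to the cache key:", poisoned(Cache(vulnerable_app, ["X-Forwarded-Host"])))  # False
    print("app no longer reflects header:", poisoned(Cache(hardened_app)))  # False
```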
5. Changing a number to expose sensitive data
API weaknesses are more common than you might think. Among them, IDOR vulnerabilities take little effort to exploit: nothing more than modifying an identifier in a request.
The real challenge for attackers is not exploitation but discovery: finding vulnerable endpoints that can be reached without proper authentication or authorization and that expose sensitive data. Once found, abuse is as simple as changing the identifier to a resource the user does not own, or making a request to an endpoint that should be reserved for administrators.
Our team frequently identifies API IDOR, missing authentication and broken authorization weaknesses. Here are snippets (method and path) from real HTTP requests:
GET /organization/edit_user?user_id=1001: an attacker can change another user's profile and hijack the account.
POST /order/download with orderno=10202: an attacker can access other customers' order information.
These API weaknesses are as simple to exploit as they are far-reaching in their results. Change one number, enumerate it across thousands of values, and you can download an entire database of information belonging to other customers.
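The enumeration described above leaves a recognisable trace: one client touching many distinct identifiers on the same endpoint in a short time. The detection below is an added example for this article (not Intruder's code); it assumes web-server access logs in the common combined format, a constructed sample log modelled on the edit_user request above, and an assumed list of identifier parameter names.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Combined-log-format line: client, user, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>\S+) '
    r'(?P<path>[^?\s]+)(?:\?(?P<qs>\S*))? [^"]*" (?P<status>\d{3})')
# Query parameters that carry object identifiers (assumed, from the write-up's examples).
ID_PARAMS = ("user_id", "orderno")

def id_enumeration(lines, threshold=20):
    """Return (distinct ids requested, distinct ids answered 2xx) for every
    (client ip, user, method, path, parameter) that touched >= threshold
    different identifiers. One principal walking many ids on an endpoint is
    the IDOR pattern described above; a high 2xx count means it is working."""
    asked, served = defaultdict(set), defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        key_base = (m["ip"], m["user"], m["method"], m["path"])
        for param, values in parse_qs(m["qs"] or "").items():
            if param not in ID_PARAMS:
                continue
            for value in values:
                asked[key_base + (param,)].add(value)
                if m["status"].startswith("2"):
                    served[key_base + (param,)].add(value)
    return {k: (len(v), len(served[k])) for k, v in asked.items()
            if len(v) >= threshold}

# Constructed sample log: 203.0.113.7 walks user_id 1001..1030, the rest is
# ordinary traffic from other clients.
SAMPLE_LOG = [
    f'203.0.113.7 - alice [10/Oct/2024:10:00:{i:02d} +0000] '
    f'"GET /organization/edit_user?user_id={1000 + i} HTTP/1.1" 200 512'
    for i in range(1, 31)
] + [
    '198.51.100.4 - bob [10/Oct/2024:10:01:00 +0000] '
    '"GET /organization/edit_user?user_id=2048 HTTP/1.1" 200 511',
    '198.51.100.9 - carol [10/Oct/2024:10:01:03 +0000] '
    '"GET /organization/edit_user?user_id=77 HTTP/1.1" 200 514',
    '198.51.100.9 - carol [10/Oct/2024:10:01:09 +0000] "GET /static/app.js HTTP/1.1" 200 9001',
]

if __name__ == "__main__":
    for key, (distinct, ok) in id_enumeration(SAMPLE_LOG).items():
        print(f"{key}: {distinct} distinct ids, {ok} served with 2xx")
```

Identifiers sent in a POST body, like orderno in the download example, never reach the web server's access log, so the same counting needs application-level request logging to cover that endpoint.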
Stop breaches before they start
These real-world examples show how vulnerabilities escalate into serious breaches when left unchecked. Attackers aren't waiting; they are always looking for new entry points. The first step in staying ahead? Knowing what an attacker can reach from the Internet, including assets you may not even know exist. Intruder continually discovers these unknowns, such as subdomains, logins and APIs, and scans for exposures other solutions have missed.
Figure: Intruder's Discovery tab, listing assets you did (or probably didn't) know existed.
From applications to cloud infrastructure, find and protect everything with Intruder's platform. Find out more with a 14-day free trial or start a scan.