Not every security vulnerability is a risk on its own, but in the hands of a skilled attacker even small weaknesses can grow into major breaches. In these five real-world vulnerabilities, the Intruder bug-hunting team shows how attackers turn minor flaws into serious security incidents.
1. Stealing AWS credentials via a redirect
Server-Side Request Forgery (SSRF) is a common vulnerability that can have significant impact, especially in cloud applications. If a web application fetches resources from user-supplied URLs, you need to make sure attackers cannot manipulate those requests into reaching unintended resources.
While assessing an in-house application running in AWS, our team checked for the common SSRF techniques.
The attack chain was this: the app sent a webhook request to the attacker's web server, which responded with a 302 redirect to the AWS metadata service. The app followed the redirect and logged the response, which exposed sensitive metadata, including AWS credentials.
With these credentials, an attacker can enumerate IAM permissions and try to pivot deeper into the cloud environment.
This attack would have been impossible had the metadata service enforced IMDSv2, a best practice that a good cloud security scanner would flag. While automated tools may not find the complete attack chain, breaking this one link in the chain would have stopped it.
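The other link in that chain is the application blindly following the 302. The following is an added example, not code from the original post: a webhook fetcher that re-validates the destination on every hop, using an injectable `resolve` function and a `fetch` callback (both assumed names) so the logic can run offline.

```python
# Added example (not code from the original post): a webhook fetcher that checks
# every redirect hop itself instead of letting the HTTP client follow 302s blindly.
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

MAX_HOPS = 3
REDIRECTS = (301, 302, 303, 307, 308)

def is_forbidden_ip(ip: str) -> bool:
    """True for anything that is not a public address: loopback, RFC 1918,
    and link-local 169.254.0.0/16, which contains the AWS metadata endpoint
    169.254.169.254 that the redirect in the attack chain pointed at."""
    addr = ipaddress.ip_address(ip)
    return not addr.is_global or addr.is_link_local

def check_target(url: str, resolve=socket.gethostbyname) -> str:
    """Allow only http(s) URLs whose host resolves to a public address.
    `resolve` is injectable so the check can be exercised offline."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        raise ValueError(f"unsupported URL: {url}")
    ip = resolve(parsed.hostname)
    if is_forbidden_ip(ip):
        raise ValueError(f"refusing to fetch non-public address {ip} for {url}")
    return ip

def fetch_webhook(url, fetch, resolve=socket.gethostbyname):
    """Follow redirects by hand, re-validating the target before each hop.
    `fetch(url)` must return (status, headers, body) without following
    redirects itself, e.g. a wrapper around requests.get(url, allow_redirects=False)."""
    for _ in range(MAX_HOPS + 1):
        check_target(url, resolve)          # validate before every request
        status, headers, body = fetch(url)
        if status in REDIRECTS:
            url = urljoin(url, headers.get("Location", ""))
            continue
        return status, body
    raise ValueError("too many redirects")
```

Resolving the name here and letting the client resolve it again when connecting still leaves a DNS rebinding window; connecting to the validated IP directly and pinning the Host header closes it.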
2. From an exposed .git repo to full database access
While investigating an unintentionally exposed repository, flagged as a vulnerability, our team found that it belonged to a public-facing application.
Inspecting the application's source code, we found an authentication bypass: the login page could be bypassed by supplying a hidden parameter.
Our team gained access to an admin tool, where further analysis revealed a blind SQL injection vulnerability on the authenticated page.
Exploiting this vulnerability gave access to the university's database, which in an attacker's hands could expose sensitive personal information of students and staff, showing how a small mistake can quickly grow into a high security risk.
3. How a tiny detail led to remote code execution
While bug hunting on a document application, our team noticed that after signing, the PDF metadata listed "ExifTool" as the creator of the documents. Given ExifTool's history of critical vulnerabilities, we dug deeper.
Although the application did not reveal the tool version, testing for recent well-known vulnerabilities confirmed that it was vulnerable to CVE-2021-22204. By crafting and uploading a malicious PDF, our team achieved remote command execution as the www-data user.
This foothold could allow an attacker to exploit additional vulnerabilities on the affected server, escalate to root and pivot to other machines on the network, causing extensive damage.
4. From self-XSS to account takeover on a public site
Cross-Site Scripting (XSS) is a powerful vector for session hijacking, especially when no user interaction is required. While a "self-XSS" vulnerability is usually low risk, it can become dangerous in combination with another vulnerability.
Our team found exactly this scenario while assessing an auction site. A self-XSS was discovered where an HTTP request header was reflected in the response.
Normally this would be harmless, because an attacker cannot force a victim's browser to send a malicious header, but further testing revealed a cache poisoning vulnerability.
By chaining these two weaknesses, our team tricked the application into caching and serving the self-XSS payload to all site visitors, turning it into a persistent XSS attack.
This would allow an attacker to hijack any user's account, including administrator accounts.
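To make the chain concrete, here is an added example (constructed for this article, not the auction site's code): a toy origin that reflects a request header, in front of a shared cache that keys only on the path, together with the two fixes that each break the chain. The header name `X-Forwarded-Host` is an assumption; the real site reflected some HTTP request header.

```python
# Added example (not code from the original post): a toy origin plus a shared cache,
# showing how a reflected request header becomes stored XSS when the cache keys only
# on the path, and how output encoding and cache keying each break the chain.
import html

REFLECTED_HEADER = "X-Forwarded-Host"  # constructed: any header the origin echoes back

def origin(path: str, headers: dict, escape: bool) -> str:
    """Toy origin that reflects a request header into the page body."""
    host = headers.get(REFLECTED_HEADER, "auction.example")
    if escape:                      # fix 1: encode untrusted input for HTML context
        host = html.escape(host)
    return f"<html><body>Lot page {path}: images served from {host}</body></html>"

class EdgeCache:
    """Caches responses; `key_on_header` decides whether the reflected header is
    part of the cache key (fix 2, the equivalent of honouring a Vary header)."""
    def __init__(self, escape=False, key_on_header=False):
        self.store = {}
        self.escape = escape
        self.key_on_header = key_on_header

    def key(self, path, headers):
        extra = headers.get(REFLECTED_HEADER) if self.key_on_header else None
        return (path, extra)

    def get(self, path, headers):
        k = self.key(path, headers)
        if k not in self.store:                 # cache miss: ask the origin
            self.store[k] = origin(path, headers, self.escape)
        return self.store[k]

def victim_gets_script(escape: bool, key_on_header: bool) -> bool:
    """One request carrying a script in the header, then a plain visitor request
    with no such header; returns True if the visitor receives the script."""
    cache = EdgeCache(escape, key_on_header)
    cache.get("/lot/42", {REFLECTED_HEADER: "<script>alert(1)</script>"})
    return "<script>" in cache.get("/lot/42", {})
```

Apply both fixes in practice: encoding stops the script from executing, and keying (or not caching header-dependent responses) stops one user's request from being served to everyone else.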
5. Changing a number to expose sensitive data
Weak APIs are more common than you might think. Among API vulnerabilities, IDOR (Insecure Direct Object Reference) requires little more effort than changing an ID in the request.
The real task for an attacker is not exploitation but discovery: finding a vulnerable endpoint that can be used without proper authentication and authorization, and recognising that it exposes sensitive data. Once found, exploitation can be as simple as changing an ID to that of a resource the user does not own, or simply sending a request to an endpoint that should be reserved for administrators.
Our team regularly identifies IDOR, missing authentication and broken or weak authorization in APIs. Here are a few snippets of HTTP requests we found that exposed highly sensitive data:
- GET /organization/edit_user?user_id=1001: an attacker can modify users' profiles and account content
- GET /prod-applicantresumes/12031.pdf: an attacker can access job applicants' resumes.
- POST /order/download, orderNo=10202: an attacker can access customers' order information.
These examples are about as simple as API weaknesses get, but the consequences are far-reaching. By changing a single number and iterating through thousands of values, you can download entire databases belonging to other customers.
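As an added example (constructed for this article, not code from any of the APIs above), here is the order-download endpoint written once with the IDOR and once with the owner check it needs, plus an admin-only listing that enforces the role server-side; the table, customer IDs and file names are made up.

```python
# Added example (not code from the original post): the order-download endpoint from the
# list above, written once with an IDOR and once with the owner check the API needs.
import sqlite3

def build_db():
    """Constructed sample data: two customers, one order each."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (order_no INTEGER PRIMARY KEY, customer_id INTEGER, pdf TEXT)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                   [(10201, 1, "invoice-10201.pdf"), (10202, 2, "invoice-10202.pdf")])
    return db

def download_vulnerable(db, session_customer_id, order_no):
    """IDOR: looks up the order by number alone; the caller's identity is ignored,
    so iterating orderNo walks every customer's orders."""
    row = db.execute("SELECT pdf FROM orders WHERE order_no = ?", (order_no,)).fetchone()
    return row[0] if row else None

def download_fixed(db, session_customer_id, order_no):
    """Authorization inside the query: the order must belong to the caller.
    Returns None for both 'not found' and 'not yours' so valid IDs cannot be enumerated."""
    row = db.execute("SELECT pdf FROM orders WHERE order_no = ? AND customer_id = ?",
                     (order_no, session_customer_id)).fetchone()
    return row[0] if row else None

def list_all_orders(db, session_role):
    """Admin-only endpoint: enforce the role on the server, not by hiding the link."""
    if session_role != "admin":
        raise PermissionError("admin role required")
    return [r[0] for r in db.execute("SELECT order_no FROM orders ORDER BY order_no")]
```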
Stop breaches before they start
These real-world examples show how vulnerabilities can develop into serious breaches if left unchecked. Attackers don't wait; they are always looking for new entry points. The first step to staying ahead? Knowing what attackers can reach from the internet, including assets you don't even know about. Intruder continuously discovers these unknowns, such as subdomains, login pages and APIs, and scans them for exposures that other solutions miss.
Intruder Discovery tab: for those assets you did (and may not know) existed
From applications to cloud infrastructure, find and fix everything on one powerful platform with Intruder. Learn more or start scanning with a 14-day free trial.