Tuesday, June 17, 2025

Breaking Down 5 Real Vulns


Not every security vulnerability is high risk on its own – but in the hands of an advanced attacker, even small weaknesses can escalate into major breaches. These five real vulnerabilities, uncovered by Intruder's bug-hunting team, show how attackers turn overlooked flaws into serious security incidents.

1. Stealing AWS Credentials with a Redirect

Server-Side Request Forgery (SSRF) is a common vulnerability that can have a significant impact, particularly in cloud-hosted applications. If a web application fetches resources from user-supplied URLs, care must be taken to ensure attackers cannot manipulate those requests to reach unintended resources.

While assessing a home-moving app running in AWS, our team tested common SSRF bypass techniques.

The attack chain was as follows: the app sent a webhook request to the attacker's web server, which responded with a 302 redirect to AWS's metadata service. The app followed the redirect and logged the response, which exposed sensitive metadata – including AWS credentials.

With these credentials, an attacker could enumerate IAM permissions and attempt to pivot deeper into the cloud environment.

This attack would not have been possible if the metadata service had been enforcing IMDSv2 – a best practice that a good cloud security scanner would have flagged. While automated tools might not have detected the full attack chain, breaking just this one link in the chain could have prevented exploitation.
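The application-side fix for this chain is to validate the destination of every hop, not just the first URL. The following fetcher is an added example, not code from the article or from Intruder: it disables automatic redirects, resolves each target and refuses anything that is not a public address (169.254.169.254, its IPv6 and IPv4-mapped forms, loopback and RFC 1918 ranges). The redirect limit and timeout values are assumptions.

```python
"""Fetch a user-supplied URL while refusing every hop that points at a non-public address."""
import ipaddress
import socket
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

def is_public_address(ip: str) -> bool:
    """False for loopback, RFC 1918, link-local (169.254.169.254 is IMDS), multicast and reserved space."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped            # ::ffff:169.254.169.254 is still the metadata service
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)

def destination_allowed(url: str) -> bool:
    """Only http(s), and every address the host resolves to must be public."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        infos = socket.getaddrinfo(parts.hostname, parts.port or 80, proto=socket.IPPROTO_TCP)
    except (socket.gaierror, ValueError):
        return False
    # Note: the resolved address is not pinned for the actual connection (DNS rebinding caveat).
    return all(is_public_address(info[4][0]) for info in infos)

class _NoAutoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None                        # surface the 3xx so the Location can be validated first

def safe_fetch(url: str, max_redirects: int = 3, timeout: float = 5.0) -> bytes:
    """Like the webhook call in case 1, but each redirect target is re-checked before being followed."""
    opener = urllib.request.build_opener(_NoAutoRedirect)
    for _ in range(max_redirects + 1):
        if not destination_allowed(url):
            raise ValueError(f"blocked SSRF destination: {url}")
        try:
            with opener.open(url, timeout=timeout) as resp:
                return resp.read()
        except urllib.error.HTTPError as err:
            location = err.headers.get("Location")
            if err.code in (301, 302, 303, 307, 308) and location:
                url = urljoin(url, location)   # a 302 to 169.254.169.254 fails the next check
                continue
            raise
    raise ValueError("too many redirects")
```

The instance-side fix the article names is separate: requiring IMDSv2 tokens on the EC2 instance (`aws ec2 modify-instance-metadata-options --http-tokens required`) stops a plain GET from returning credentials even if an SSRF reaches the service.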

2. From Exposed .git Repo to Full Database Access

While investigating an accidentally exposed .git repository flagged by a vulnerability scan, our team discovered that it belonged to a publicly accessible web application.

Reviewing the application's source code, we uncovered an authentication bypass – the login page could be bypassed by supplying a hidden parameter.


Our team gained access to a management application, where further analysis revealed a blind SQL injection vulnerability in an authenticated page.

Exploiting this vulnerability granted access to a university's database, which, if leveraged by an attacker, could have exposed sensitive personal information of students and staff – showing how a small misconfiguration can quickly escalate into a major security risk.
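To make "blind SQL injection" concrete, here is an added illustration (not the article's code, and a constructed in-memory table rather than the university's schema) of the vulnerable query shape beside the parameterised fix. "Blind" means the page reveals nothing but a yes/no difference, which is exactly what the probe below measures.

```python
"""A blind SQL injection check: vulnerable string-built query beside the parameterised fix."""
import sqlite3

def build_demo_db():
    """Constructed in-memory table standing in for the management application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (username) VALUES (?)", [("alice",), ("bob",)])
    return conn

def user_exists_vulnerable(conn, username):
    """'Before': the value is spliced into the SQL text, so quotes in it change the query's logic."""
    sql = f"SELECT COUNT(*) FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchone()[0] > 0

def user_exists_safe(conn, username):
    """'After': a bound parameter is always treated as a string literal, never as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchone()[0] > 0

def blind_oracle_leaks(check):
    """Returns True when a true and a false appended condition give different answers,
    i.e. the input reached the SQL parser. This is the signal a blind injection exposes."""
    conn = build_demo_db()
    true_probe = "alice' AND '1'='1"
    false_probe = "alice' AND '1'='2"
    return check(conn, true_probe) != check(conn, false_probe)
```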

3. How a Tiny Detail Led to Remote Code Execution

While hunting for bugs in a document signing app, our team noticed that, after signing a PDF, the metadata listed "ExifTool" as the document creator. Given ExifTool's history of critical vulnerabilities, we dug deeper.

Although the application did not disclose the tool's version, testing for recent known vulnerabilities confirmed it was vulnerable to CVE-2021-22204. By crafting and uploading a malicious PDF, our team gained remote command execution as the www-data user.

This foothold could have allowed an attacker to leverage additional vulnerabilities on the affected server, gain root access and pivot to other machines on the network, causing extensive damage.
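Two defensive checks follow from this case: spot the tool fingerprint in your own output, and never hand untrusted uploads to an ExifTool in the affected range. This is an added example, not code from the article or from the signing app; the PDF bytes are constructed, and the assumption is that `exiftool -ver` prints only the version number.

```python
"""Find tooling fingerprints in PDF metadata and gate ExifTool use on the CVE-2021-22204 fix."""
import re
import subprocess

# CVE-2021-22204 affects ExifTool 7.44 up to and including 12.23; the fix shipped in 12.24.
AFFECTED_FROM, FIXED_IN = (7, 44), (12, 24)

INFO_RE = re.compile(rb"/(Creator|Producer)\s*\((?P<value>[^)]*)\)")

def tool_fingerprints(pdf_bytes):
    """Return Creator/Producer literal strings, the detail that gave the tool away in case 3."""
    return {m.group(1).decode(): m["value"].decode("latin-1") for m in INFO_RE.finditer(pdf_bytes)}

def parse_exiftool_version(ver_output):
    """'exiftool -ver' prints only the version, e.g. '12.23' -> (12, 23)."""
    return tuple(int(part) for part in ver_output.strip().split("."))

def exiftool_is_affected(version):
    return AFFECTED_FROM <= version < FIXED_IN

def installed_exiftool_version(binary="exiftool"):
    out = subprocess.run([binary, "-ver"], capture_output=True, text=True, check=True, timeout=10)
    return out.stdout.strip()

def strip_metadata(path, binary="exiftool"):
    """Refuse to process an untrusted file with a vulnerable ExifTool; otherwise remove all tags in place."""
    raw = installed_exiftool_version(binary)
    if exiftool_is_affected(parse_exiftool_version(raw)):
        raise RuntimeError(f"ExifTool {raw} is affected by CVE-2021-22204; upgrade to 12.24 or later")
    # -all= removes every writable tag; -overwrite_original avoids leaving a *_original copy behind.
    subprocess.run([binary, "-all=", "-overwrite_original", path], check=True, timeout=30)

# Constructed sample: a minimal Info dictionary, not a real signed document.
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj\n<< /Creator (ExifTool 12.23) /Producer (pdfTeX) >>\nendobj\n"
```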

4. From Self-XSS to Site-Wide Account Takeover

Cross-site scripting (XSS) is a powerful vector for session hijacking, especially when no user interaction is required. While a 'Self-XSS' vulnerability is typically low risk, it can become dangerous when combined with another vulnerability.

Our team uncovered exactly this scenario while assessing an auction application. A Self-XSS vulnerability was discovered where a user-supplied HTTP request header was reflected in the application's response.

Normally, this would be harmless, since an attacker cannot force a victim's browser to send a malicious header – but further testing uncovered a cache-poisoning vulnerability.


By chaining these two weaknesses, our team tricked the app into caching and serving the Self-XSS payload to all site visitors, escalating it to a site-wide persistent XSS attack.

This would have allowed an attacker to hijack any user account – including admin accounts.
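The mechanics of the chain are easiest to see with a small cache model. This is an added example, not code from the article or the auction app: a shared cache keyed on the path alone serves one client's reflected header to everyone; escaping the value removes the XSS and declaring `Vary` on that header keeps the cache from serving one client's variant to another. The header name `X-Original-Host` is an assumption (the article does not name the reflected header), and the injected value is a harmless marker.

```python
"""How an unkeyed, reflected request header plus a shared cache turns Self-XSS site-wide, and the fix."""
import html

class SharedCache:
    """Minimal shared cache: keyed on path plus the request headers the origin names in Vary."""
    def __init__(self):
        self.vary_for = {}   # path -> header names the origin told us to key on
        self.entries = {}    # (path, *varied header values) -> body

    def _key(self, req):
        names = self.vary_for.get(req["path"], ())
        return (req["path"],) + tuple(req["headers"].get(n, "") for n in names)

    def fetch(self, req, origin):
        """Return (body, served_from_cache)."""
        key = self._key(req)
        if key in self.entries:
            return self.entries[key], True
        body, headers = origin(req)
        if "no-store" not in headers.get("Cache-Control", ""):
            vary = headers.get("Vary", "")
            self.vary_for[req["path"]] = tuple(h.strip() for h in vary.split(",") if h.strip())
            self.entries[self._key(req)] = body
        return body, False

REFLECTED = "X-Original-Host"   # hypothetical header name for the demonstration

def origin_vulnerable(req):
    """Reflects the header verbatim and lets the cache key on path alone: one poisoned response hits everyone."""
    value = req["headers"].get(REFLECTED, "auction.example")
    return f"<p>Served via {value}</p>", {"Cache-Control": "public, max-age=60"}

def origin_fixed(req):
    """Escapes the reflected value (no XSS) and declares Vary so variants are cached per header value."""
    value = html.escape(req["headers"].get(REFLECTED, "auction.example"))
    return f"<p>Served via {value}</p>", {"Cache-Control": "public, max-age=60", "Vary": REFLECTED}

def poisoning_scenario(origin):
    """Attacker primes the cache with a marker in the header; a victim with no such header then loads the page."""
    cache = SharedCache()
    attacker = {"path": "/", "headers": {REFLECTED: "<b>marker</b>"}}   # constructed, harmless marker
    victim = {"path": "/", "headers": {}}
    cache.fetch(attacker, origin)
    return cache.fetch(victim, origin)
```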

5. Changing a Number to Expose Sensitive Data

API weaknesses are more common than you'd think. Among them, IDOR vulnerabilities require little effort to exploit beyond modifying an identifier in a request.

The real challenge for an attacker isn't execution but discovery – finding a vulnerable endpoint that can be used without proper authentication or authorization, and recognising that it exposes sensitive data. Once found, exploitation can be as simple as changing the identifier to a resource that the user doesn't own, or simply making a request to an endpoint that should be reserved for administrators.

Our team regularly identifies IDOR, missing authentication, and broken authorization weaknesses in APIs. Here are some snippets from real HTTP requests and paths we found that exposed highly sensitive data:

• GET /organisations/edit_user?user_id=1001: the attacker could modify user profiles and hijack accounts.
• GET /prod-applicantresumes/12031.pdf: the attacker could access job seekers' CVs.
• POST /Order/Download, OrderNo=10202: the attacker could access customer order information.

These examples are about as simple as API weaknesses get, but the consequences are far-reaching. By changing one number and enumerating through thousands of values, entire databases of information belonging to other customers can be downloaded.
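For the `edit_user?user_id=` endpoint above and the enumeration pattern in the last paragraph, here is an added example (not the article's code, and the log lines are constructed in combined log format): an object-level authorisation check that answers "not found" for objects the caller does not own, and a detector that flags any client requesting many distinct `user_id` values. The session shape and the threshold of five distinct ids are assumptions.

```python
"""Object-level authorisation for an IDOR-prone endpoint, plus log-based detection of id enumeration."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

def authorize_edit_user(session, target_user_id):
    """Mitigation: being logged in is not enough; the caller must own the object or hold the admin role.
    Returns an HTTP status: 401 no session, 200 allowed, 404 otherwise (same as a missing id, so the
    response does not confirm that the identifier exists)."""
    if session is None:
        return 401
    if session["user_id"] == target_user_id or session["role"] == "admin":
        return 200
    return 404

# Combined log format: client ip, identity, user, [timestamp], "METHOD url PROTO" ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<url>\S+)')

def detect_id_enumeration(log_lines, param="user_id", threshold=5):
    """Detection: return {client_ip: distinct id count} for clients that touched more than
    `threshold` distinct values of `param`; one client walking ids 1000, 1001, 1002 ... is the signature."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for value in parse_qs(urlparse(m["url"]).query).get(param, []):
            seen[m["ip"]].add(value)
    return {ip: len(ids) for ip, ids in seen.items() if len(ids) > threshold}

# Constructed sample: one client walking twelve consecutive ids, one client re-reading its own profile.
SAMPLE_LOG = [
    f'203.0.113.7 - - [17/Jun/2025:10:00:{i:02d} +0000] "GET /organisations/edit_user?user_id={1000 + i} HTTP/1.1" 200 512'
    for i in range(12)
] + [
    '198.51.100.9 - - [17/Jun/2025:10:01:00 +0000] "GET /organisations/edit_user?user_id=1001 HTTP/1.1" 200 512',
    '198.51.100.9 - - [17/Jun/2025:10:01:05 +0000] "GET /organisations/edit_user?user_id=1001 HTTP/1.1" 200 512',
]
```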

Stop breaches before they start

These real-world examples show how vulnerabilities can escalate into serious breaches when left unchecked. Attackers don't wait – they're always searching for new entry points. The first step to staying ahead? Knowing what attackers can reach from the internet – including assets you might not even know exist. Intruder continuously discovers these unknowns, like subdomains, logins, and APIs, and scans them for exposures that other solutions miss.

Intruder's Discovery tab – for those assets you did (or maybe didn't) know existed

From applications to cloud infrastructure, find and secure it all in one powerful platform with Intruder. Learn more or start scanning with a 14 day free trial.
