Never dismiss a small vulnerability because its impact on its own is negligible. Seemingly innocent vulnerabilities can be combined into something much more dangerous or, at the very least, be used to aid in an attack.
Sometimes a small vulnerability is overlooked as the impact is not seen as dangerous. What is often missed in this type of scenario is what happens when vulnerabilities are combined. This is often called chain vulnerabilities.
It is way too common to disregard vulnerabilities because they have no big security impact by themselves.
This is not a technical blog post with awesome well thought-out examples of combined vulnerabilities. This is food for thought, to introduce the mindset and make you think a few steps ahead. This is how the examples should be read.
How vulnerabilities can be combined
Example 1
Imagine there is a developer page publicly accessible from the internet. The only thing this page does it print the whole request onto the page. At the first glance this looks very innocent, how much does seeing their own request really help the attacker?
Now, imagine there is also an XSS on the same domain. All of a sudden the printed request becomes very bad, as the hacker is able to steal all cookies with the XSS. An XSS can read the content of the webpage but not the sent headers when HTTPOnly is used. Such a debug page will therefore result in an HTTPOnly bypass.
Example 2
Sometimes developers deprioritize upgrading software that is only accessible locally. Vulnerable software that only allows requests from localhost/the same server does not sound that scary.
There is another vulnerability type called SSRF, Server Side Request Forgery. In short, it means that an attacker is able to force the web server to make custom requests to the internal network.
Now combine these two and an attacker is able to exploit the vulnerable software that was only running locally. Neither of those things sound that dangerous, but combined, they can have a considerable impact!
Example 3
Login/logout CSRF is another vulnerability we have written about before. It enables the attacker to forcefully log the victim in to the attacker’s own account.
Once again, at first glance this looks innocent enough. What good does it do the attacker that they can give away their own account? However, combine it with an XSS that previously only affected your own account and you now have an XSS affecting anyone.
Example 4
A great write-up on the subject is this one written by Orange Tsai, combining four different vulnerabilities resulting in the ability to execute code on Github’s servers.
Automation
Many of these combinations are hard to automate. Some can of course be combined automatically, but others still require human creativity to fully understand the potential impact.
Because of this, minor issues reported by tools such as Detectify should not be ignored. Critical findings need to be prioritised, but it is a good idea to try and think about how an attacker might exploit minor issues. Maybe even the most harmless ones can escalate into something critical?
To check your site for both minor and critical security issues, sign up for a free Detectify trial and run a scan. You will receive a detailed report with all the identified vulnerabilities and tips on how to fix them.