====== Bug Chaining & Escalation ======

Individual low/medium bugs often chain together into critical impact. Always ask: can this go further?

===== Common Chains =====

^ Chain ^ Result ^
| Open Redirect + OAuth | Token theft = account takeover |
| Self-XSS + CSRF | Stored XSS affecting other users |
| XSS + no email change confirmation | Account takeover |
| CSRF + email change | Account takeover |
| SSRF + open redirect | Internal network access |
| IDOR + mass enumeration | Data breach |
| File upload (SVG) + same domain | XSS on main domain |
| Clickjacking + CSRF | State change without user's knowledge |
| Host header injection + password reset | Intercept reset token |

===== Raising Severity =====

  * Low bugs alone may be ''informational'' -- find the chain that makes them ''critical''
  * Self-XSS becomes high if you can deliver it via CSRF
  * Open redirect becomes critical if chained with OAuth
  * CORS misconfiguration + sensitive API endpoint = high/critical
  * IDOR on non-sensitive data + mass enumeration = data breach = high

===== Impact to Report =====

Always frame bugs in terms of **what an attacker can actually do**:

  * "Attacker can read all users' private messages" (data breach)
  * "Attacker can take over any account without interaction" (ATO)
  * "Attacker can access the admin panel and modify all user data" (full compromise)

Generic impact ("this could be used for phishing") is weak. Show the chain.

===== Post-Fix Testing =====

  * After a bug is fixed, test the exact fix
  * Devs usually only fix the specific reported endpoint
  * Check if the root cause is patched everywhere in the app
  * The same code pattern is often reused -- look for it elsewhere

===== See Also =====

  * [[zseano:xss|XSS Testing]]
  * [[zseano:csrf|CSRF Testing]]
  * [[zseano:open_redirects|Open Redirects]]
  * [[zseano:ssrf|SSRF Testing]]
  * [[zseano:reporting|Writing Good Reports]]
  * [[zseano:start|Methodology Index]]
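===== Worked Example: Closing the Open Redirect Link in the OAuth Chain =====

The "Open Redirect + OAuth" row and the post-fix testing notes both come down to one code pattern: a loose ''redirect_uri'' check. The added example below (not from this wiki or any real project; the registered callback, the ''app.example.com'' host and the sample URIs are constructed) puts the weak substring check beside an exact-match validator and runs both over the same inputs, so a retest after a fix can confirm the root cause is gone rather than one endpoint being patched.

```python
from urllib.parse import urlsplit, urlunsplit

# Redirect URIs registered for one OAuth client (constructed sample data).
REGISTERED_REDIRECTS = {"https://app.example.com/oauth/callback"}


def weak_redirect_check(uri: str) -> bool:
    """The pattern behind the 'open redirect + OAuth' chain: a substring
    check that accepts any URL merely mentioning the expected host."""
    return "app.example.com" in uri


def strict_redirect_check(uri: str) -> bool:
    """Hardened form: https only, no fragment, and an exact match of the
    full scheme://authority/path?query against the registered list.
    No prefix or wildcard matching, so lookalike hosts fail."""
    parts = urlsplit(uri)
    if parts.scheme != "https" or parts.fragment or not parts.hostname:
        return False
    # netloc keeps userinfo and port, so 'host@other' or 'host:8443' can
    # never collide with a registered entry.
    normalized = urlunsplit(
        ("https", parts.netloc.lower(), parts.path or "/", parts.query, "")
    )
    return normalized in REGISTERED_REDIRECTS


# Constructed inputs: one legitimate callback, then lookalikes that the
# weak check wrongly accepts.
SAMPLE_URIS = [
    "https://app.example.com/oauth/callback",
    "https://app.example.com.attacker.test/oauth/callback",
    "https://attacker.test/?next=https://app.example.com/oauth/callback",
    "https://app.example.com@attacker.test/oauth/callback",
    "http://app.example.com/oauth/callback",
]


def compare_checks(uris=SAMPLE_URIS):
    """Return {uri: (weak_result, strict_result)} for each candidate."""
    return {u: (weak_redirect_check(u), strict_redirect_check(u)) for u in uris}


if __name__ == "__main__":
    for uri, (weak, strict) in compare_checks().items():
        print(f"weak={weak!s:<5} strict={strict!s:<5} {uri}")
```

Only the first URI passes the strict check; every other sample passes the weak one, which is exactly the gap an OAuth code or token would be redirected through.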