Table of Contents

Bug Chaining & Escalation

Bug Chaining & Escalation

Individual low/medium bugs often chain together into critical impact. Always ask: can this go further?

Common Chains

Chain	Result
Open Redirect + OAuth	Token theft = account takeover
Self-XSS + CSRF	Stored XSS affecting other users
XSS + no email change confirmation	Account takeover
CSRF + email change	Account takeover
SSRF + open redirect	Internal network access
IDOR + mass enumeration	Data breach
File upload (SVG) + same domain	XSS on main domain
Clickjacking + CSRF	State change without user's knowledge
Host header injection + password reset	Intercept reset token

Raising Severity

Low bugs alone may be informational – find the chain that makes them critical
Self-XSS becomes high if you can deliver it via CSRF
Open redirect becomes critical if chained with OAuth
CORS misconfiguration + sensitive API endpoint = high/critical
IDOR on non-sensitive data + mass enumeration = data breach = high

Impact to Report

Always frame bugs in terms of what an attacker can actually do:

“Attacker can read all users' private messages” (data breach)
“Attacker can take over any account without interaction” (ATO)
“Attacker can access the admin panel and modify all user data” (full compromise)

Generic impact (“this could be used for phishing”) is weak. Show the chain.

Post-Fix Testing

After a bug is fixed, test the exact fix
Devs usually only fix the specific reported endpoint
Check if the root cause is patched everywhere in the app
The same code pattern is often reused – look for it elsewhere

See Also