zseano:escalation
Bug Chaining & Escalation
Individual low/medium bugs often chain together into critical impact. Always ask: can this go further?
Common Chains
| Chain | Result |
|---|---|
| Open Redirect + OAuth | Token theft = account takeover |
| Self-XSS + CSRF | Stored XSS affecting other users |
| XSS + no email change confirmation | Account takeover |
| CSRF + email change | Account takeover |
| SSRF + open redirect | Internal network access |
| IDOR + mass enumeration | Data breach |
| File upload (SVG) + same domain | XSS on main domain |
| Clickjacking + CSRF | State change without user's knowledge |
| Host header injection + password reset | Intercept reset token |
Raising Severity
- Low bugs alone may be informational – find the chain that makes them critical
- Self-XSS becomes high if you can deliver it via CSRF
- Open redirect becomes critical if chained with OAuth
- CORS misconfiguration + sensitive API endpoint = high/critical
- IDOR on non-sensitive data + mass enumeration = data breach = high
Impact to Report
Always frame bugs in terms of what an attacker can actually do:
- “Attacker can read all users' private messages” (data breach)
- “Attacker can take over any account without interaction” (ATO)
- “Attacker can access the admin panel and modify all user data” (full compromise)
Generic impact (“this could be used for phishing”) is weak. Show the chain.
Post-Fix Testing
- After a bug is fixed, test the exact fix
- Devs usually only fix the specific reported endpoint
- Check if the root cause is patched everywhere in the app
- The same code pattern is often reused – look for it elsewhere
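Added example, not from the original page: the "Host header injection + password reset" chain from the table above, with the vulnerable link builder beside the root-cause fix, plus a post-fix check that feeds a forged Host to every mailer link builder so the same reused pattern is caught everywhere. All names (CANONICAL_HOST, build_*_link_*) and sample values are hypothetical.

```python
from urllib.parse import urlencode, urlsplit, urlunsplit

CANONICAL_HOST = "app.example.com"  # constructed server-side setting


def _absolute(host: str, path: str, token: str) -> str:
    """Build https://<host><path>?token=<token>."""
    return urlunsplit(("https", host, path, urlencode({"token": token}), ""))


def build_reset_link_vulnerable(headers: dict, token: str) -> str:
    """Trusts client-controlled headers for the host of the mailed link.

    If Host (or X-Forwarded-Host) on the reset request is forged, the emailed
    link, live token included, points at a host the application does not own.
    """
    host = headers.get("X-Forwarded-Host") or headers["Host"]
    return _absolute(host, "/reset", token)


def build_reset_link_fixed(headers: dict, token: str) -> str:
    """Root-cause fix: the host comes from configuration, never the request."""
    return _absolute(CANONICAL_HOST, "/reset", token)


def build_verify_link_fixed(headers: dict, token: str) -> str:
    """Same fix applied to a second mailer; the pattern is usually reused."""
    return _absolute(CANONICAL_HOST, "/verify-email", token)


def builders_still_trusting_host(builders, token="constructed-token") -> list:
    """Post-fix check: call every link builder with a forged Host and return
    the names of those that still echo it. An empty list means the fix is
    applied everywhere, not just on the endpoint that was reported."""
    forged = {"Host": "forged.example", "X-Forwarded-Host": "forged.example"}
    return [b.__name__ for b in builders
            if urlsplit(b(forged, token)).hostname != CANONICAL_HOST]


if __name__ == "__main__":
    print(builders_still_trusting_host(
        [build_reset_link_vulnerable, build_reset_link_fixed, build_verify_link_fixed]))
```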
zseano/escalation.txt · Last modified: by drew
