Simple Vulnerabilities Aren’t Always Simple

In any given application, vulnerabilities can range from a minor case of Information Leakage to major Insufficient Authorization/Authentication, and anywhere in between. With such a wide range of vulnerabilities it is easy to see how, say, an issue with Insufficient Anti-Automation can be considered minor. However, a malicious attacker will more than likely chain multiple vulnerabilities together; that tactic turns seemingly minor issues into an exploit far more dangerous than the sum of its parts.

A Perfect Example

I recently tested an application and almost immediately discovered an Insufficient Anti-Automation vulnerability. A profile creation page had a CAPTCHA in place to prevent automated creation of accounts, but I found that the CAPTCHA could be bypassed by repeating the same parameters in the POST request. We'll say these were named "CAPTCHA_value" and "CAPTCHA_text." This vulnerability is normally rated at a Threat/Severity of Critical/Medium; most would consider this a "minor" vulnerability, especially compared to something like SQL Injection or Insufficient Authentication.
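The post does not say why repeating the CAPTCHA parameters defeated the check. One common root cause, and the one assumed here, is that the CAPTCHA is verified statelessly: the server only compares the submitted text against a token it issued earlier, so a single solved pair can be replayed in every POST. The example below is added for illustration and is not code from the original post or from the tested application; the parameter names CAPTCHA_value and CAPTCHA_text come from the post, everything else (the HMAC token scheme, the server key, the CaptchaStore class, the sample answer) is constructed. It runs the same replayed traffic against a stateless verifier and against a one-time challenge store that consumes each challenge on use.

```python
import hashlib
import hmac
import secrets

# --- Vulnerable design (hypothetical): stateless CAPTCHA check ----------
# CAPTCHA_value is an HMAC of the expected answer issued by the server;
# CAPTCHA_text is what the user typed. Verification only recomputes the
# HMAC, so a solved pair stays valid forever and can be replayed.
SERVER_KEY = b"example-server-key"  # constructed for the example


def issue_captcha_stateless(answer: str) -> str:
    """Return the CAPTCHA_value token the vulnerable server would embed in the form."""
    return hmac.new(SERVER_KEY, answer.encode(), hashlib.sha256).hexdigest()


def verify_stateless(captcha_value: str, captcha_text: str) -> bool:
    """Stateless check: nothing records that this challenge was already used."""
    expected = hmac.new(SERVER_KEY, captcha_text.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, captcha_value)


# --- Hardened design: one-time challenge bound to server-side state -----
class CaptchaStore:
    """Pending challenges keyed by a random id; each id is consumed on first use."""

    def __init__(self) -> None:
        self._pending: dict[str, str] = {}  # challenge id -> expected answer

    def issue(self, answer: str) -> str:
        cid = secrets.token_urlsafe(16)
        self._pending[cid] = answer
        return cid  # this becomes CAPTCHA_value in the form

    def verify(self, captcha_value: str, captcha_text: str) -> bool:
        # pop() removes the challenge whether or not the answer is right, so a
        # second POST carrying the same CAPTCHA_value/CAPTCHA_text pair fails.
        expected = self._pending.pop(captcha_value, None)
        if expected is None:
            return False
        return hmac.compare_digest(expected.encode(), captcha_text.encode())


def create_accounts(post_bodies, verify) -> int:
    """Simulate the profile-creation endpoint; count POSTs that pass the CAPTCHA."""
    created = 0
    for body in post_bodies:
        if verify(body["CAPTCHA_value"], body["CAPTCHA_text"]):
            created += 1
    return created


def replay_traffic(n: int, captcha_value: str, captcha_text: str) -> list:
    """Constructed attacker traffic: n POSTs, each reusing the same solved pair."""
    return [
        {"username": f"bot{i}", "CAPTCHA_value": captcha_value, "CAPTCHA_text": captcha_text}
        for i in range(n)
    ]


def demo_stateless(n: int = 50) -> int:
    """Attacker solves one CAPTCHA, then replays it n times against the stateless check."""
    answer = "7kq3p"  # constructed challenge answer
    token = issue_captcha_stateless(answer)
    return create_accounts(replay_traffic(n, token, answer), verify_stateless)


def demo_one_time(n: int = 50) -> int:
    """Same replayed traffic against the one-time store: only the first POST succeeds."""
    store = CaptchaStore()
    answer = "7kq3p"
    cid = store.issue(answer)
    return create_accounts(replay_traffic(n, cid, answer), store.verify)


if __name__ == "__main__":
    print("stateless verifier, accounts created:", demo_stateless())
    print("one-time challenge, accounts created:", demo_one_time())
```

The fix is not a stronger image or a harder puzzle; it is making the challenge single-use and tying acceptance to server-side state, which is also what defeats the "repeat the parameters" variant regardless of the exact parsing quirk behind it.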

Later, testing the same application, I discovered a place I could land reflected Cross-Site Scripting; it was in an obscure, hard-to-reach error page, but it was there. This is a more severe vulnerability than the Insufficient Anti-Automation vulnerability I previously mentioned, but being reflected, it was a less-than-stellar find: it required getting a victim to follow a crafted link, so it was somewhat difficult to exploit.

Finally, after several hours of testing, I discovered a way to view, and indeed modify, another user's profile information. This is a major find, very dangerous in the hands of a malicious attacker, and it was not difficult to exploit. This major find could be used to plant a link to the aforementioned Cross-Site Scripting vulnerability in a user's profile, where the victim would encounter it without any luring; suddenly the vulnerability seemed much more potent. After a little more testing, I determined that it would actually be possible to iterate through user accounts and, utilizing the previous Insufficient Anti-Automation vulnerability, alter their profile information to include a link to the Cross-Site Scripting vulnerability.

This chain of vulnerabilities quickly led to an exploit that could potentially destroy the entire business model of this application: imagine finding out that every single user had been attacked simultaneously, at minimum exposing users' sensitive data, and potentially deleting that data or even compromising their accounts through Cross-Site Scripting. Thus, it is clear that apparently "minor" vulnerabilities can be used in combination with more "dangerous" finds to create a truly devastating attack that could compromise an entire application. Many instances of Insufficient Anti-Automation are considered minor; nevertheless, this particular instance was the piece that let the attack scale to every account.

This is exactly the sort of vulnerability that can only be found through manual assessments; an application or source scanner might have found any of these individually, but could never apply the human reasoning required to link the three of them together into an exploit that is far greater than the sum of its parts. Human beings can assess and assign risk accurately: whether a finding such as Insufficient Anti-Automation is nominally "low risk" or not, the actual risk depends on context that a human reviewer can bring to the process much more reliably than any automated system.