At CYVOCATE, we often encounter complex vulnerabilities that are not impactful on their own but, when chained together, result in severe exploitation potential.
In this engagement, we discovered and exploited a session hijack vulnerability that required bypassing a robust Web Application Firewall (WAF), leveraging Cross-Site Scripting (XSS), and escalating impact through a Server-Side Template Injection (SSTI) flaw.
The result? A successful account takeover via cookie exfiltration, demonstrating the real-world danger of overlooked vulnerabilities.
While navigating the platform, we noticed a redirect URL with template expression patterns:
<https://example.com?redirect=${redirectURL}>
Suspicious of template injection, we began experimenting on the user profile page. Updating the username to:
John${2*2}
produced:
John4
This confirmed Server-Side Template Injection (SSTI). Further probing revealed support for JSP Expression Language, allowing payloads such as:
${header.cookie}
This expression revealed all cookies, including the HttpOnly session cookie: the HttpOnly flag only blocks client-side script from reading a cookie, while an EL expression is evaluated on the server, where the raw Cookie request header is readable. This confirmed that session hijacking was possible if we could find a way to trigger the expression remotely.
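The defender-side counterpart of the probe above, as an added example that is not part of the CYVOCATE engagement: a Python check that flags EL-style expressions in user-controlled fields before they reach a template renderer, and an allow-list policy for display names. The sample submissions are constructed, and the `\${` escape is an assumption that the renderer honours the JSP EL escape convention.

```python
import re
from typing import Dict, List, Tuple

# Matches JSP/JSTL EL-style expressions such as ${2*2}, ${header.cookie} or
# #{session.id}, allowing one level of nested braces (e.g. ${header['cookie']}).
EL_PATTERN = re.compile(r"[$#]\{[^{}]*(?:\{[^{}]*\}[^{}]*)*\}")

def find_template_expressions(value: str) -> List[str]:
    """Return every EL-style expression found in a user-supplied value."""
    return [m.group(0) for m in EL_PATTERN.finditer(value)]

def neutralise(value: str) -> str:
    """Escape '${' and '#{' so they render as literal text instead of being
    evaluated. Assumption: the renderer honours the JSP EL '\\${' escape; for
    another engine use its own escaping, or reject the input outright."""
    return re.sub(r"([$#])\{", r"\\\1{", value)

def is_safe_display_name(value: str) -> bool:
    """Allow-list policy for profile names: letters, digits, spaces and a few
    punctuation marks. Refusing '$', '#', '{' and '}' is the simplest defence."""
    return re.fullmatch(r"[A-Za-z0-9 .'\-]{1,64}", value) is not None

# Constructed sample of submitted form fields: (field name, submitted value)
SAMPLE_SUBMISSIONS: List[Tuple[str, str]] = [
    ("username", "John"),
    ("username", "John${2*2}"),
    ("username", "${header.cookie}"),
    ("redirect", "/home?next=#{session.id}"),
]

def audit(submissions: List[Tuple[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per submission that carries a template expression."""
    findings = []
    for field, value in submissions:
        exprs = find_template_expressions(value)
        if exprs:
            findings.append({"field": field, "value": value,
                             "expressions": ", ".join(exprs)})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_SUBMISSIONS):
        print(f"[SSTI-probe] field={f['field']} value={f['value']!r} "
              f"expr={f['expressions']}")
```

Run this over profile-update and redirect parameters at the WAF or application layer; a hit on a field that should never contain `${` is a high-signal alert for the probing described above.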
To weaponize SSTI for a real attack, we needed a delivery mechanism. After extensive testing, we identified an XSS vulnerability in the video streaming module via the videoId parameter:
<https://example.com/videos/?videoId=w6exeqbemte>