Chains
This is where the money is.
A standalone medium-severity bug earns you $500-$2,000 depending on the program. That same medium, chained with one or two other findings into a complete attack scenario, earns $5,000-$50,000. Those numbers aren't made up. The delta between "I found an open redirect" and "I found an open redirect that enables account takeover of any user via OAuth token theft" is often a 10-20x multiplier.
Every chain starts with understanding what position each vulnerability gives you and what's reachable from that position.
Chain Pattern Map
```mermaid
flowchart TD
    subgraph Position["Initial Finding"]
        P1["Open Redirect"]
        P2["SSRF"]
        P3["XSS"]
        P4["IDOR"]
        P5["Info Disclosure"]
        P6["Subdomain Takeover"]
    end
    subgraph Bridge["Bridge / Enabler"]
        B1["OAuth redirect_uri"]
        B2["Cloud metadata"]
        B3["Admin renders user content"]
        B4["PII in response"]
        B5["Referer leaks token"]
        B6["Cookies on *.domain.com"]
    end
    subgraph Impact["Final Impact"]
        I1["Account Takeover"]
        I2["RCE / Infra Compromise"]
        I3["Privilege Escalation"]
    end
    P1 --> B1 --> I1
    P1 --> B5 --> I1
    P2 --> B2 --> I2
    P3 --> B3 --> I3
    P3 --> B1
    P4 --> B4 --> I1
    P5 --> B4
    P6 --> B6 --> I1
```
Chain Patterns
Open Redirect → OAuth Account Takeover
Low → Critical. The classic chain. Requires an OAuth implementation with a redirect_uri that can be manipulated to include your open redirect.
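What makes this bridge exist, and what closes it, as an added Python example that is not part of this page: a redirect_uri check that only matches the hostname lets any open redirect on that host pass, while exact-string matching against the registered URIs (the behaviour the OAuth 2.0 Security Best Current Practice asks for) does not. The client hostname and registered URI are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the redirect URIs registered for one OAuth client.
REGISTERED_REDIRECT_URIS = {
    "https://app.example.com/oauth/callback",
}

TRUSTED_HOST = "app.example.com"  # constructed value


def weak_redirect_uri_check(redirect_uri: str) -> bool:
    """Hostname-only matching: the weak pattern that turns an open redirect
    on the trusted host into a bridge. Any path on app.example.com passes,
    including a redirect endpoint whose final destination is not registered."""
    host = urlsplit(redirect_uri).hostname or ""
    return host == TRUSTED_HOST


def strict_redirect_uri_check(redirect_uri: str) -> bool:
    """Exact string matching against the registered set. Scheme, host and
    path must all match a registered entry; query strings and fragments
    are rejected outright so a redirect parameter can never be smuggled in."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.query or parts.fragment:
        return False
    return redirect_uri in REGISTERED_REDIRECT_URIS


def evaluate(redirect_uri: str) -> dict:
    """Run both checks so the gap between them is visible side by side."""
    return {
        "weak": weak_redirect_uri_check(redirect_uri),
        "strict": strict_redirect_uri_check(redirect_uri),
    }


if __name__ == "__main__":
    # Constructed inputs: the registered callback, and a redirect endpoint
    # on the same host that forwards to an unregistered destination.
    for uri in (
        "https://app.example.com/oauth/callback",
        "https://app.example.com/redirect?next=https://unregistered.example/",
    ):
        print(uri, evaluate(uri))
```

When reviewing an authorization server, the second input is the test case to run: if it is accepted, every open redirect on that host is now an OAuth finding.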
SSRF → Cloud Metadata → RCE
Medium → Critical. Any SSRF on a cloud-hosted app. Hit the metadata endpoint, grab IAM creds, enumerate permissions, escalate.
XSS → Admin Action → Privilege Escalation
Medium → Critical. Stored XSS that fires in a privileged context. Use the admin's session to perform admin actions programmatically.
IDOR → PII Leak → Account Takeover
Medium → Critical. IDOR leaks enough user data to enable password reset, security question bypass, or API key theft.
Subdomain Takeover → Cookie Theft
Medium → High/Critical. Take over an abandoned subdomain, use it to read cookies scoped to the parent domain.
Race Condition → Financial Impact
Medium → High. Race condition on a payment, transfer, or reward redemption flow. Demonstrate actual monetary loss.
Info Disclosure → Full Exploitation
Low → Varies. The finding the triager wants to close as informational, until you show what an attacker does with the disclosed data.
Building Your Own Chains
The patterns above are documented because they're common. But the most valuable chains are the ones specific to the application you're testing. Methodology for discovering them is in Chain Thinking.
Short version: every time you find something, stop and map what new position it gives you. Look at what's accessible from that position. If you can't escalate right now, note it and come back when you find the missing link.