# A Sweet Recipe for Consolidated Vulnerabilities: Attacking a Live   Website by Harnessing a Killer Combination of Vulnerabilities

**Authors:** Mazharul Islam, MD. Nazmuddoha Ansary, Novia Nurain, Salauddin Parvez, Shams, and A. B. M. Alim Al Islam

arXiv: 1906.11782 · 2019-06-28

## TL;DR

This paper introduces a finite state machine model to analyze and exploit combinations of vulnerabilities in live websites, demonstrating how interconnected weaknesses can be exploited to cause significant damage.

## Contribution

It presents a novel FSM-based approach to identify and leverage connections among multiple website vulnerabilities, enhancing attack strategies.

## Key findings

- Effective in analyzing vulnerabilities on real websites
- Demonstrates the potential for combined vulnerabilities to cause greater harm
- Provides a new method for vulnerability connection analysis

## Abstract

The recent emergence of new vulnerabilities is an epoch-making problem in the complex world of website security. Most of the websites are failing to keep updating to tackle their websites from these new vulnerabilities leaving without realizing the weakness of the websites. As a result, when cyber-criminals scour such vulnerable old version websites, the scanner will represent a set of vulnerabilities. Once found, these vulnerabilities are then exploited to steal data, distribute malicious content, or inject defacement and spam content into the vulnerable websites. Furthermore, a combination of different vulnerabilities is able to cause more damages than anticipation. Therefore, in this paper, we endeavor to find connections among various vulnerabilities such as cross-site scripting, local file inclusion, remote file inclusion, buffer overflow CSRF, etc. To do so, we develop a Finite State Machine (FSM) attacking model, which analyzes a set of vulnerabilities towards the road to finding connections. We demonstrate the efficacy of our model by applying it to the set of vulnerabilities found on two live websites.

---
Source: https://tomesphere.com/paper/1906.11782