
Not every security vulnerability poses an immediate high risk, but attackers often chain seemingly minor flaws to escalate into full-scale breaches. A recent analysis by Intruder’s bug-hunting team reveals five real-world vulnerabilities that demonstrate this tactic in action [1]. These cases highlight how attackers exploit overlooked weaknesses in cloud services, APIs, and web applications.
Executive Summary for Security Leaders
The following vulnerabilities were identified across multiple industries, with exploitation methods ranging from SSRF to IDOR. Each case resulted in unauthorized access, data exposure, or system compromise. Key findings include:
- SSRF attacks bypassing AWS metadata protections
- Exposed .git repositories leading to SQL injection
- Unpatched ExifTool installations enabling RCE
- Self-XSS combined with cache poisoning
- IDOR flaws in API endpoints
Technical Breakdown of Vulnerabilities
1. SSRF Leading to AWS Credential Theft
A cloud-hosted home-moving application contained a Server-Side Request Forgery (SSRF) vulnerability in its webhook functionality. Attackers manipulated requests to redirect to AWS’s Instance Metadata Service (IMDS), exposing IAM credentials [2]. The compromised credentials allowed full access to the cloud environment. This case underscores the importance of enforcing IMDSv2 and implementing strict input validation for URLs.
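The URL validation this case calls for is shown below as an added example (not code from the article or from Intruder); it assumes the application fetches user-supplied webhook URLs server-side, and it rejects any destination that is an IP literal for, or resolves to, a non-public address such as the IMDS endpoint. The resolver is injectable so the check can be exercised without network access.

```python
from __future__ import annotations
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def _default_resolve(host: str) -> list[str]:
    # Real DNS lookup: every A/AAAA answer is checked, not just the first.
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def _host_literal(host: str):
    # Accept dotted IPv4, IPv6, or a bare integer (2852039166 == 169.254.169.254);
    # many HTTP clients accept the integer form, so it must be normalised here.
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    if host.isdigit():
        try:
            return ipaddress.ip_address(int(host))
        except ValueError:
            pass
    return None

def _is_public(ip) -> bool:
    # is_global is False for loopback, link-local (IMDS is 169.254.169.254),
    # RFC 1918, CGNAT, ULA and documentation ranges; multicast is excluded too.
    return ip.is_global and not ip.is_multicast

def validate_outbound_url(url: str, resolve=_default_resolve) -> tuple[bool, str]:
    """Return (ok, reason) for a user-supplied webhook URL.

    Because SSRF via redirect is a common route to IMDS, callers must re-run
    this check on every redirect hop and connect to the address that passed.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    literal = _host_literal(host)
    addrs = [literal] if literal is not None else [ipaddress.ip_address(a) for a in resolve(host)]
    for ip in addrs:
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped  # ::ffff:169.254.169.254 must be judged as IPv4
        if not _is_public(ip):
            return False, f"{host} resolves to non-public address {ip}"
    return True, "ok"
```

Pair this with IMDSv2 (token-required metadata access) so that even a validation gap cannot be turned into a credential read by a plain GET.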
2. Exposed .git Repository to Database Breach
A university application had its .git directory publicly accessible, revealing an authentication bypass through a hidden parameter. Attackers combined this with blind SQL injection to access sensitive student and staff records [1]. The incident demonstrates why repository access controls and regular authentication logic audits are necessary.
3. ExifTool RCE via Malicious PDFs
A document-signing application used an outdated version of ExifTool (CVE-2021-22204), which allowed remote code execution through specially crafted PDF files [4]. The vulnerability enabled attackers to execute commands as the www-data user, facilitating lateral movement. Patching known vulnerabilities and sandboxing document processing could have prevented this.
4. Self-XSS Chained with Cache Poisoning
An auction application contained a low-risk Self-XSS vulnerability that became critical when combined with cache poisoning. Attackers stored malicious payloads in cached responses, which then executed in admin sessions across the application [3]. Proper header sanitization and strict caching policies would have mitigated this risk.
5. IDOR in APIs Exposing Sensitive Data
Insecure Direct Object References (IDOR) were found in endpoints like /organisations/edit_user?user_id=1001. By enumerating identifiers, attackers accessed resumes, orders, and customer data [5]. Implementing role-based access controls (RBAC) and regular API endpoint audits could have prevented this data exposure.
Practical Implications and Mitigation
These cases demonstrate that attackers frequently combine multiple low-severity vulnerabilities to achieve significant impact. Cloud environments remain particularly vulnerable to SSRF and metadata service misconfigurations. While automated scanning tools are useful, manual testing uncovered several of these flaws that scanners missed.
Recommended mitigation strategies include:
- Enforcing IMDSv2 in AWS environments
- Regular audits of repository access controls
- Timely patching of known vulnerabilities
- Implementing strict caching policies
- Applying RBAC to API endpoints
Conclusion
The five vulnerabilities analyzed show how attackers exploit seemingly minor weaknesses to create major security incidents. Organizations should prioritize comprehensive security testing that combines automated scanning with manual review. As Sabine VanderLinden noted on LinkedIn, these cases highlight gaps that security teams and insurance providers need to address [5].
References
- “How Breaches Start: Breaking Down 5 Real Vulnerabilities,” The Hacker News, Apr. 2025. [Online]. Available: https://thehackernews.com/2025/04/how-breaches-start-breaking-down-5-real.html
- I. Tasdelen, “How Breaches Start: Breaking Down 5 Real Vulnerabilities,” Medium, Apr. 2025. [Online]. Available: https://ismailtasdelen.medium.com/how-breaches-start-breaking-down-5-real-vulnerabilities-8b1a032b0335
- H. Zaldivar, “How Breaches Start: Breaking Down 5 Real Vulnerabilities,” LinkedIn, Apr. 2025. [Online]. Available: https://www.linkedin.com/posts/henryzaldivar_how-breaches-start-breaking-down-5-real-activity-7322968547461156865-_-rQ
- “THN:0B169B39A464F3599A170008E1290A7E,” Vulners Database, Apr. 2025. [Online]. Available: https://vulners.com/thn/THN:0B169B39A464F3599A170008E1290A7E