Skill

vulnerability-chains

This skill should be used when the user asks about "vulnerability chains", "chained exploits", "multi-step attacks", "SSRF to RCE", "pivot attacks", or needs to identify how vulnerabilities in different components can be combined during whitebox pentesting.

From vuln-scout

Install

Run in your terminal

npx claudepluginhub allsmog/vuln-scout --plugin vuln-scout

Tool Access

This skill uses the workspace's default tool permissions.

Supporting Assets

View in Repository

common-chains.md

ssrf-chains.md

Skill Content

Similar Skills

agent-harness-construction

Designs and optimizes AI agent action spaces, tool definitions, observation formats, error recovery, and context for higher task completion rates.

everything-claude-code

139.9k

agent-payment-x402

Enables AI agents to execute x402 payments with per-task budgets, spending controls, and non-custodial wallets via MCP tools. Use when agents pay for APIs, services, or other agents.

everything-claude-code

139.9k

agent-eval

Compares coding agents like Claude Code and Aider on custom YAML-defined codebase tasks using git worktrees, measuring pass rate, cost, time, and consistency.

everything-claude-code

139.9k

Stats

Parent Repo Stars12

Parent Repo Forks1

Last CommitMar 24, 2026

Actions

View Source View Plugin View on GitHub View README

Vulnerability Chain Detection

Modern applications consist of multiple services and frameworks. Critical exploits often require chaining vulnerabilities across components.

Why Chains Matter

Single vulnerabilities may have limited impact:

SSRF with no response → Blind, hard to exploit
SSTI in internal-only service → Unreachable from internet
SQLi returning only boolean → Data extraction is slow

Chains amplify impact:

SSRF → reaches internal SSTI → RCE
Auth bypass → accesses admin SQLi → full database dump
Path traversal → reads source → finds hardcoded credentials

Chain Detection Methodology

Step 1: Map the Architecture

# Find orchestration configs
find . -name "docker-compose*.yml" -o -name "supervisord.conf" -o -name "*.k8s.yaml"

# Extract service topology
grep -E "ports:|expose:|links:|depends_on:" docker-compose.yml

# Identify internal-only services
grep -E "127\.0\.0\.1:|localhost:" docker-compose.yml supervisord.conf

Step 2: Identify Pivot Points

Pivot vulnerabilities enable reaching other services:

Pivot Type	What It Enables
SSRF	Reach internal services
Header Injection	Modify downstream requests
Open Redirect	Phishing, OAuth token theft
Path Traversal	Read configs, source code
SQL Injection	Read files, execute commands (in some DBs)

Step 3: Map Impact Sinks

High-impact sinks in each service:

Sink Type	Impact
Template Injection (SSTI)	RCE
Command Injection	RCE
Deserialization	RCE
SQL Injection	Data breach, sometimes RCE
File Write	Code execution via webshell

Step 4: Connect Pivots to Sinks

For each pivot found:

What internal services can it reach?
What sinks exist in those services?
Can attacker-controlled data reach the sink?

Common Chain Patterns

SSRF → SSTI → RCE (DoxPit Pattern)

┌─────────────┐     ┌─────────────┐     ┌─────────────┐
│   Next.js   │────►│   Flask     │────►│    Shell    │
│   (SSRF)    │     │   (SSTI)    │     │   (RCE)     │
└─────────────┘     └─────────────┘     └─────────────┘
     │                    │
     │ Host header        │ render_template_string()
     │ → internal fetch   │ with user input
     │                    │
     ▼                    ▼
  Attacker server      Jinja2 payload
  redirects to         executes code
  internal Flask

Detection:

Find SSRF in externally-accessible service (Next.js redirect, fetch with user URL)
Find SSTI in internal service (render_template_string)
Verify SSRF can reach SSTI endpoint with controllable input

SSRF → Cloud Metadata → Credential Theft

┌─────────────┐     ┌─────────────────┐     ┌─────────────┐
│   Web App   │────►│ 169.254.169.254 │────►│  AWS/GCP    │
│   (SSRF)    │     │ (Metadata)      │     │  (Creds)    │
└─────────────┘     └─────────────────┘     └─────────────┘

Detection:

Find SSRF capability
Check if app runs in cloud (AWS, GCP, Azure)
Verify no IMDSv2 or metadata endpoint blocking

SQLi → File Read → Source Code → Credentials

┌─────────────┐     ┌─────────────┐     ┌─────────────┐
│   SQLi      │────►│  LOAD_FILE  │────►│   Config    │
│             │     │  (MySQL)    │     │   Secrets   │
└─────────────┘     └─────────────┘     └─────────────┘

Detection:

Find SQL injection
Check database type and permissions
Identify sensitive file paths (config, .env, etc.)

Auth Bypass → Admin Function → High-Impact Vuln

┌─────────────┐     ┌─────────────┐     ┌─────────────┐
│  Middleware │────►│   Admin     │────►│   Command   │
│  Bypass     │     │   Panel     │     │   Injection │
└─────────────┘     └─────────────┘     └─────────────┘

Detection:

Find authentication/authorization bypass
Identify what protected functionality becomes accessible
Audit protected functionality for high-impact vulns

Chain Documentation Template

When documenting a chain:

## Chain: [Name]

**Impact:** [RCE/Data Breach/Account Takeover/etc.]

**Components:**
1. [Service A] - [Vulnerability Type] at [location]
2. [Service B] - [Vulnerability Type] at [location]

**Prerequisites:**
- [What attacker needs: account, network position, etc.]

**Flow:**
1. Attacker [action] → [result]
2. [Result] enables [next action]
3. [Final impact]

**Evidence:**
- [File:line] - [code snippet]
- [File:line] - [code snippet]

Integration with Full Audit

During /full-audit:

Architecture phase maps services and connectivity
Threat model identifies trust boundaries
Deep dive finds individual vulnerabilities
Chain analysis connects vulnerabilities across services

Verification Checklist

Before reporting a chain as exploitable:

Each component vulnerability confirmed
Network path between components verified
Data flow from attacker input to sink traced
Filters/sanitization accounted for
Prerequisites documented