# EXAM Guidelines Vulnerability Targeting Matrix (Final Exam Edition) <!-- Page Title --> <h1 style="color: darkblue; font-size: 32px;">🔥 Vulnerability Targeting Matrix (Final Exam Edition)</h1>
<!-- 1. Business Logic Vulnerabilities --> <h2 style="color: teal; font-size: 24px;">1. Business Logic Vulnerabilities</h2>
<table style="width:100%; border-collapse: collapse;"> <thead> <tr style="background-color: lightblue; color: white; font-weight: bold;"> <th>Vulnerability</th> <th>Example CVE(s)</th> <th>Target App Type</th> <th>Responsible Component</th> <th>Pre-Target Indicators</th> </tr> </thead>
<tbody style="color: black; background-color: #f9f9f9;">
<tr> <td>Logic Bypass in Checkout Flow (price, quantity or coupon manipulation)</td> <td>App-specific; usually reported as bug-bounty findings rather than CVEs</td> <td>E-commerce, SaaS with payment modules</td> <td>Payment workflow handler, cart API</td> <td>Price or discount accepted from the client instead of recomputed from the catalogue; promo code reusable, stackable, or not checked for expiry and minimum spend; zero or negative quantities accepted</td> </tr>
<tr> <td>Abuse of API Endpoints for Unintended Actions</td> <td>CVE-2023-22515 (Atlassian Confluence: a reachable setup endpoint let an unauthenticated request create an administrator account)</td> <td>Web apps with exposed API</td> <td>API Gateway, business logic controller</td> <td>API allows role change or account creation without admin approval; setup, debug or internal endpoints still reachable in production</td> </tr>
</tbody> </table>
<!-- 2. Authentication Vulnerabilities --> <h2 style="color: teal; font-size: 24px;">2. 
Authentication Vulnerabilities</h2>
<table style="width:100%; border-collapse: collapse;"> <thead> <tr style="background-color: lightblue; color: white; font-weight: bold;"> <th>Vulnerability</th> <th>Example CVE(s)</th> <th>Target App Type</th> <th>Responsible Component</th> <th>Pre-Target Indicators</th> </tr> </thead>
<tbody style="color: black; background-color: #f9f9f9;">
<tr> <td>Broken Login Mechanism</td> <td>App-specific (a missing lockout or rate limit is rarely assigned a CVE)</td> <td>CMS, ERP, Custom portals</td> <td>Auth controller, session handler</td> <td>Login form without rate limit or account lockout; password reset token predictable or not bound to the account; password reset or MFA step can be skipped by calling the next step directly</td> </tr>
<tr> <td>Token Forgery (JWT or signed session cookie) via Weak or Default Secret</td> <td>CVE-2023-27524 (Apache Superset: an unchanged default <code>SECRET_KEY</code> lets an attacker forge a valid session cookie)</td> <td>Single Page Apps, APIs</td> <td>Token generator, JWT verification</td> <td>Default, guessable or leaked signing secret; verifier accepts the client-chosen <code>alg</code> (RS256-to-HS256 confusion using the public key as HMAC key) or <code>alg: none</code>; no expiry check</td> </tr>
</tbody> </table>
<!-- 3. Authorization Vulnerabilities --> <h2 style="color: teal; font-size: 24px;">3. Authorization Vulnerabilities</h2>
<table style="width:100%; border-collapse: collapse;"> <thead> <tr style="background-color: lightblue; color: white; font-weight: bold;"> <th>Vulnerability</th> <th>Example CVE(s)</th> <th>Target App Type</th> <th>Responsible Component</th> <th>Pre-Target Indicators</th> </tr> </thead>
<tbody style="color: black; background-color: #f9f9f9;">
<tr> <td>IDOR (Insecure Direct Object Reference)</td> <td>App-specific; one of the most common bug-bounty findings</td> <td>Social media, file sharing</td> <td>Resource access controller</td> <td>Incremental or guessable IDs in URLs and request bodies; object fetched by ID with no check that it belongs to the requesting user</td> </tr>
<tr> <td>Privilege Escalation via Role Tampering</td> <td>App-specific (mass assignment of role fields)</td> <td>SaaS, Admin panels</td> <td>Role management service</td> <td>Client-side role checks only; <code>role</code> or <code>is_admin</code> field accepted in profile-update or registration requests; role read from a client-editable token claim instead of the server record</td> </tr>
</tbody> </table>
<!-- 4. Cross-Site Scripting (XSS) to SSRF --> <h2 style="color: teal; font-size: 24px;">4. 
Cross-Site Scripting (XSS) to SSRF</h2>
<table style="width:100%; border-collapse: collapse;"> <thead> <tr style="background-color: lightblue; color: white; font-weight: bold;"> <th>Vulnerability</th> <th>Example CVE(s)</th> <th>Target App Type</th> <th>Responsible Component</th> <th>Pre-Target Indicators</th> </tr> </thead>
<tbody style="color: black; background-color: #f9f9f9;">
<tr> <td>Reflected XSS to SSRF</td> <td>Chains are app-specific; SSRF examples: CVE-2021-26855 (Microsoft Exchange, ProxyLogon), CVE-2021-27905 (Apache Solr ReplicationHandler)</td> <td>Any app with a URL or file fetch API</td> <td>Input handler, SSRF-prone backend fetcher</td> <td>User input reflected into a URL the server fetches; fetcher accepts any scheme or host, has no allow-list, and never checks the resolved IP</td> </tr>
<tr> <td>Stored XSS to SSRF via Admin Panel</td> <td>App-specific</td> <td>CMS, Blog platforms</td> <td>Stored XSS injection point, internal fetcher (link preview, PDF renderer, crawler)</td> <td>Rich text field rendered or fetched by a backend component; an admin's browser or a headless browser opens user-supplied content from inside the internal network</td> </tr>
</tbody> </table>
<!-- 5. SQL Injection --> <h2 style="color: teal; font-size: 24px;">5. SQL Injection (SQLi)</h2>
<table style="width:100%; border-collapse: collapse;"> <thead> <tr style="background-color: lightblue; color: white; font-weight: bold;"> <th>Vulnerability</th> <th>Example CVE(s)</th> <th>Target App Type</th> <th>Responsible Component</th> <th>Pre-Target Indicators</th> </tr> </thead>
<tbody style="color: black; background-color: #f9f9f9;">
<tr> <td>Union-based SQLi</td> <td>CVE-2022-21661 (WordPress core, <code>WP_Query</code>)</td> <td>Web apps with search/filter</td> <td>Query builder</td> <td>Unescaped input in search or sort parameters; a single quote changes the response or produces a database error; result rows are displayed, so UNION output is visible</td> </tr>
<tr> <td>Blind SQLi (Boolean- or Time-based)</td> <td>CVE-2021-22911 (Rocket.Chat, blind NoSQL injection against MongoDB)</td> <td>Login forms, API filters</td> <td>ORM, query executor</td> <td>No data or error is returned, but the response differs between a true and a false condition, or a <code>SLEEP()</code> / <code>pg_sleep()</code> payload delays it</td> </tr>
</tbody> </table>
<!-- 6. Command Injection --> <h2 style="color: teal; font-size: 24px;">6. 
Command Injection</h2>
<table style="width:100%; border-collapse: collapse;"> <thead> <tr style="background-color: lightblue; color: white; font-weight: bold;"> <th>Vulnerability</th> <th>Example CVE(s)</th> <th>Target App Type</th> <th>Responsible Component</th> <th>Pre-Target Indicators</th> </tr> </thead>
<tbody style="color: black; background-color: #f9f9f9;">
<tr> <td>Direct OS Command Injection</td> <td>CVE-2021-21315 (Node.js <code>systeminformation</code> package)</td> <td>File conversion tools, image processors, network diagnostic pages (ping, traceroute)</td> <td>System call handler</td> <td>User input concatenated into a shell command string; <code>;</code>, <code>|</code>, <code>$( )</code> or a leading <code>-</code> change behaviour; time-based blind check with <code>sleep</code></td> </tr>
<tr> <td>Command Injection via File Upload</td> <td>CVE-2016-3714 (ImageMagick "ImageTragick": shell metacharacters in a crafted image file)</td> <td>CMS, CI/CD systems</td> <td>Upload parser, post-processing script</td> <td>Uploaded files processed with system commands (image conversion, archive extraction, virus scan); file name or embedded metadata reaches the command line</td> </tr>
</tbody> </table>
<!-- 7. Cross-Site Scripting → SSRF Chain --> <h2 style="color: teal; font-size: 24px;">7. Cross-Site Scripting → SSRF Chain</h2>
<table style="width:100%; border-collapse: collapse;"> <thead> <tr style="background-color: lightblue; color: white; font-weight: bold;"> <th>Vulnerability</th> <th>Example CVE(s) / Reports</th> <th>Target App Type</th> <th>Responsible Component</th> <th>Pre-Target Indicators</th> </tr> </thead>
<tbody style="color: black; background-color: #f9f9f9;">
<tr> <td>Subdomain XSS → Main Domain Hijack</td> <td>Slack 2023, Shopify 2022</td> <td>Multi-subdomain SaaS, corporate panels</td> <td>Admin browser, cookie scope</td> <td>Session cookies scoped to the parent domain (<code>Domain=</code> attribute), so any subdomain can read or overwrite them; <code>document.domain</code> relaxation (disabled by default in current Chromium)</td> </tr>
<tr> <td>XSS in Internal Tool → SSRF</td> <td>Atlassian Jira older versions</td> <td>Internal admin portals</td> <td>Admin browser, internal fetcher</td> <td>Admin-only URLs in JS, fetch requests to internal IPs or hostnames; injected script runs in the admin's browser, which already holds the admin session and sits inside the network</td> </tr>
</tbody> </table>
<!-- Pre-Target Checklist --> <h2 style="color: teal; font-size: 24px;">🔍 Pre-Target Checklist for Students</h2> <ul style="color: black; font-size: 16px;"> <li><strong>Login Flows:</strong> Custom login? Password reset? MFA? 
→ Auth testing.</li>
<li><strong>Identify Roles:</strong> Multiple account levels? → Authorization testing (IDOR, role tampering).</li>
<li><strong>Transaction Points:</strong> Money, credits, coupons → Business logic testing.</li>
<li><strong>APIs:</strong> JSON/REST/GraphQL → IDOR, privilege escalation, mass assignment.</li>
<li><strong>Workflow Analysis:</strong> Multi-step processes → Skip / Repeat testing (call step N without completing step N-1; replay a completed step).</li>
</ul>
<p style="color: black; font-size: 16px;"><strong>Usage Note:</strong> Pick targets with visible API endpoints, multiple roles, and exposed parameters. Record every finding, map it to a row of the matrix, and write up the attack steps, citing the matching CVE or public report where one exists.</p>
<p> bytecapsuleit.com </p>
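Worked example for section 1 (added here; not code from the exam page or from any product it names). It shows a checkout total computed the way the "price not validated on server" row describes, next to the server-side version. The catalogue, promo table and carts are constructed demo data, and the rules (one promo per order, single-use codes, a minimum spend) are assumptions chosen to exercise each indicator:

```python
# Added example (not from the exam page): client-trusted checkout vs. server-recomputed
# checkout. CATALOG, PROMOS and the carts are constructed data for the demo.
from dataclasses import dataclass, field
from datetime import date

CATALOG = {"sku-100": 49.99, "sku-200": 199.00}          # server-side prices
PROMOS = {                                                # code: (pct_off, min_subtotal, expiry, single_use)
    "WELCOME10": (10, 0.0, date(2099, 1, 1), True),
    "BIG50": (50, 500.0, date(2099, 1, 1), False),
    "EXPIRED50": (50, 0.0, date(2020, 1, 1), False),
}


@dataclass
class Cart:
    user: str
    lines: list                 # dicts exactly as the client sent them
    promos: list = field(default_factory=list)


class CheckoutError(ValueError):
    """Raised by the hardened path when the cart violates a server-side rule."""


def vulnerable_total(cart: Cart) -> float:
    """Trusts client-supplied price and quantity and applies promos as often as listed."""
    subtotal = sum(line["price"] * line["qty"] for line in cart.lines)
    for code in cart.promos:
        subtotal *= 1 - PROMOS[code][0] / 100   # no expiry, minimum, reuse or stacking check
    return round(subtotal, 2)


def hardened_total(cart: Cart, redeemed: set, today: date = date(2030, 1, 1)) -> float:
    """Recomputes every amount from server data. `redeemed` is the set of (user, code)
    pairs already used: server state the client cannot edit."""
    subtotal = 0.0
    for line in cart.lines:
        sku, qty = line.get("sku"), line.get("qty")
        if sku not in CATALOG:
            raise CheckoutError(f"unknown sku {sku!r}")
        if type(qty) is not int or not 1 <= qty <= 100:
            raise CheckoutError(f"invalid quantity {qty!r}")
        subtotal += CATALOG[sku] * qty           # the client's "price" field is never read

    if len(cart.promos) > 1:                     # rejects stacking and duplicate codes alike
        raise CheckoutError("one promo code per order")
    for code in cart.promos:
        if code not in PROMOS:
            raise CheckoutError("unknown promo code")
        pct, minimum, expiry, single_use = PROMOS[code]
        if today > expiry:
            raise CheckoutError("promo expired")
        if subtotal < minimum:
            raise CheckoutError("cart below promo minimum")
        if single_use and (cart.user, code) in redeemed:
            raise CheckoutError("promo already redeemed")
        subtotal *= 1 - pct / 100
        redeemed.add((cart.user, code))          # in production: same DB transaction as the order
    return round(subtotal, 2)


def checkout(cart: Cart, redeemed: set, today: date = date(2030, 1, 1)):
    """(True, total) or (False, reason) for callers that prefer no exceptions."""
    try:
        return True, hardened_total(cart, redeemed, today)
    except CheckoutError as exc:
        return False, str(exc)


if __name__ == "__main__":
    attacker = Cart("mallory", [{"sku": "sku-200", "price": 0.01, "qty": 1}],
                    ["WELCOME10", "WELCOME10", "WELCOME10"])
    print("vulnerable total:", vulnerable_total(attacker))
    print("hardened:", checkout(attacker, set()))
```

The attacker cart pays a cent for a 199.00 item under `vulnerable_total`; `hardened_total` ignores the client's price entirely and rejects the stacked code before any discount is applied. Note that the redeemed-set update has to happen in the same transaction as the order write, otherwise two concurrent checkouts can both pass the single-use check (a race-condition variant of the same logic flaw).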
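Worked example for sections 2 and 3 (added here; not code from the exam page, and not Apache Superset's or any JWT library's code). A minimal HS256 JWT built from the standard library shows the weak-secret forgery and the `alg: none` shortcut from the token-forgery row, a verifier that pins the algorithm, and the section 3 rule that the role must come from the server's own record rather than a claim in the token. `DEMO_WORDLIST`, `USER_ROLES` and the secrets are constructed for the demo:

```python
# Added example (not from the exam page): stdlib-only HS256 JWT, weak-secret cracking,
# alg:none handling, and a server-side role lookup. Demo data is constructed.
import base64
import hashlib
import hmac
import json
import secrets
import time

STRONG_SECRET = secrets.token_hex(32)            # what the server should have generated
DEMO_WORDLIST = ["password", "123456", "secret", "letmein", "changeme"]   # constructed


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj) -> str:
    return _b64(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, secret: str) -> str:
    signing_input = _json({"alg": "HS256", "typ": "JWT"}) + "." + _json(claims)
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)


def unsigned_token(claims: dict) -> str:
    """Token an attacker submits to a verifier that honours alg:none (empty signature part)."""
    return _json({"alg": "none", "typ": "JWT"}) + "." + _json(claims) + "."


def _signature_ok(header_b64: str, payload_b64: str, sig_b64: str, secret: str) -> bool:
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _unb64(sig_b64))


def vulnerable_verify(token: str, secret: str) -> dict:
    """Lets the token's own header decide how it is verified (the classic mistake)."""
    h, p, s = token.split(".")
    if json.loads(_unb64(h)).get("alg") == "none":
        return json.loads(_unb64(p))           # unsigned token accepted as-is
    if not _signature_ok(h, p, s, secret):
        raise ValueError("bad signature")
    return json.loads(_unb64(p))


def hardened_verify(token: str, secret: str, now: float = None) -> dict:
    """Pins HS256, always checks the MAC, and requires an unexpired exp claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(_unb64(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    if not _signature_ok(h, p, s, secret):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(p))
    current = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] < current:
        raise ValueError("missing or expired exp")
    return claims


def check_token(token: str, secret: str, now: float = None):
    """(True, claims) or (False, reason) from hardened_verify."""
    try:
        return True, hardened_verify(token, secret, now)
    except ValueError as exc:
        return False, str(exc)


def crack_secret(token: str, wordlist):
    """Offline dictionary attack: once the secret is known the attacker mints any claims."""
    h, p, s = token.split(".")
    return next((w for w in wordlist if _signature_ok(h, p, s, w)), None)


USER_ROLES = {"alice": "user", "root": "admin"}   # server-side record, constructed


def authorize_admin(claims: dict) -> bool:
    """Section 3 rule: the role is looked up server-side; a forged `role` claim is ignored."""
    return USER_ROLES.get(claims.get("sub")) == "admin"
```

Two things to read off the code: pinning the algorithm defeats `alg: none` and RS256-to-HS256 confusion, but does nothing against a guessable secret (a forged token under a cracked secret is a perfectly valid token), so the secret itself has to be long and random; and even a valid token should only identify the subject, with the authorization decision taken from server state.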
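Worked example for sections 4 and 7 (added here; not code from the exam page or from Exchange, Solr or Jira). It is the destination check a server-side fetcher (link preview, webhook, import-from-URL) should run before connecting, which is what the "fetch requests to internal IPs" indicator is about. The allowed ports, the `DEMO_DNS` table and the `.test` hostnames are constructed assumptions so the block runs offline; `validate_fetch_url` defaults to real DNS when no resolver is passed:

```python
# Added example (not from the exam page): SSRF destination validation for a server-side
# fetcher. DEMO_DNS and the .test names are constructed so the demo runs offline.
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}                  # demo policy; widen deliberately, not by default
# Ranges the ipaddress flags do not cover uniformly across Python versions.
EXTRA_BLOCKED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "100.64.0.0/10", "169.254.0.0/16", "240.0.0.0/4", "::ffff:0:0/96")]

DEMO_DNS = {                                     # constructed resolver table
    "example.com": ["93.184.216.34"],
    "evil.test": ["10.0.0.5"],
    "metadata.test": ["169.254.169.254"],
    "mapped.test": ["::ffff:192.168.1.1"],
    "split.test": ["93.184.216.35", "127.0.0.1"],   # one public, one loopback answer
}


class SSRFError(ValueError):
    pass


def is_blocked_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return is_blocked_ip(str(addr.ipv4_mapped))     # ::ffff:10.0.0.1 hides a private v4
    return (addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_multicast
            or addr.is_reserved or addr.is_unspecified
            or any(addr in net for net in EXTRA_BLOCKED))


def system_resolver(host: str):
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def demo_resolver(host: str):
    if host not in DEMO_DNS:
        raise socket.gaierror(f"{host}: not in demo table")
    return DEMO_DNS[host]


def validate_fetch_url(url: str, resolver=system_resolver):
    """Returns (host, resolved_ips); the caller must connect to one of those IPs directly."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        raise SSRFError(f"scheme not allowed: {parsed.scheme!r}")
    if parsed.username or parsed.password:
        raise SSRFError("credentials in URL")      # http://trusted@10.0.0.5 style confusion
    host = parsed.hostname
    if not host:
        raise SSRFError("missing host")
    try:
        port = parsed.port                         # raises ValueError on e.g. :99999
    except ValueError:
        raise SSRFError("invalid port")
    if port not in ALLOWED_PORTS:
        raise SSRFError(f"port not allowed: {port}")
    if host == "localhost" or host.endswith(".localhost"):
        raise SSRFError("loopback hostname")
    try:
        ips = [str(ipaddress.ip_address(host))]    # literal IP: nothing to resolve
    except ValueError:
        try:
            ips = resolver(host)
        except socket.gaierror as exc:
            raise SSRFError(f"cannot resolve {host!r}: {exc}") from exc
    if not ips:
        raise SSRFError("no addresses")
    blocked = [ip for ip in ips if is_blocked_ip(ip)]
    if blocked:                                    # every answer must be public, not just the first
        raise SSRFError(f"{host} resolves to blocked address {blocked[0]}")
    return host, ips


def check_url(url: str, resolver=system_resolver):
    """(True, (host, ips)) or (False, reason)."""
    try:
        return True, validate_fetch_url(url, resolver)
    except SSRFError as exc:
        return False, str(exc)
```

The check is only as good as what happens next: the fetcher has to connect to one of the returned IPs (sending the hostname in `Host`/SNI) instead of resolving again, otherwise a DNS-rebinding attacker answers with a public address first and an internal one on the second lookup; and every HTTP redirect must go through `validate_fetch_url` again before it is followed.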
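Worked example for section 5 (added here; not code from the exam page, WordPress or Rocket.Chat). A search endpoint and a user-lookup written the way the two indicator rows describe, exploited first with a UNION payload (rows are displayed) and then with a boolean-based blind extraction (only true/false comes back), next to the parameterised versions. The SQLite schema, rows and the bcrypt-looking hash are constructed:

```python
# Added example (not from the exam page): UNION-based and boolean-blind SQLi against
# string-built queries, with the parameterised fix. Schema and data are constructed.
import sqlite3
import string

CHARSET = string.ascii_letters + string.digits + "$./"   # bcrypt-style hash alphabet (demo)


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, price REAL);
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO products VALUES (1, 'Widget', 9.99), (2, 'Gadget', 19.99);
        INSERT INTO users VALUES (1, 'admin', '$2b$12$constructedHashValue');
    """)
    return conn


# --- row 1: result rows are displayed, so UNION output is visible ------------------------

def search_vulnerable(conn, term: str):
    sql = f"SELECT name, price FROM products WHERE name LIKE '%{term}%'"   # concatenation
    return conn.execute(sql).fetchall()


def search_safe(conn, term: str):
    return conn.execute("SELECT name, price FROM products WHERE name LIKE ?",
                        (f"%{term}%",)).fetchall()


UNION_PAYLOAD = "' UNION SELECT username, password_hash FROM users --"   # same column count


# --- row 2: the response only says true or false -----------------------------------------

def user_exists_vulnerable(conn, username: str) -> bool:
    sql = f"SELECT 1 FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchone() is not None


def user_exists_safe(conn, username: str) -> bool:
    return conn.execute("SELECT 1 FROM users WHERE username = ?", (username,)).fetchone() is not None


def blind_extract_hash(oracle, max_len: int = 64) -> str:
    """Recovers admin's password_hash one character at a time from a true/false oracle.

    `oracle` is any callable(username) -> bool. The payload closes the string literal,
    appends the condition, and relies on the query's own trailing quote.
    """
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in CHARSET:
            probe = f"admin' AND substr(password_hash, {pos}, 1) = '{ch}"
            if oracle(probe):
                recovered += ch
                break
        else:
            return recovered            # no character matched: end of the value
    return recovered
```

Against `user_exists_safe` the whole probe is compared as one username, so the oracle never answers true and nothing leaks; that is the behaviour to confirm when you test a suspected blind injection. SQLite has no `SLEEP()`, so the time-based variant from the matrix is not shown here; on MySQL the same probe with `AND IF(cond, SLEEP(3), 0)` turns the delay into the oracle.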
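Worked example for section 6 (added here; not code from the exam page, `systeminformation` or ImageMagick). It shows the shell-string call the "user input sent to shell commands" indicator describes, what `shlex.quote` does and does not fix, and the argv-list call with an allow-list that also blocks argument injection. `echo` stands in for the real converter so the block runs anywhere with `/bin/sh`; the file-name pattern is an assumption for the demo:

```python
# Added example (not from the exam page): command injection through a file name, the
# quoting half-fix, and the no-shell argv call with an allow-list. `echo` is the stand-in
# converter; the SAFE_NAME pattern is a demo assumption.
import re
import shlex
import subprocess

SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9._-]{0,127}")   # no leading '-', no '/', no spaces


def validate_filename(name: str) -> str:
    """Allow-list check; a leading '-' would be parsed as an option by most tools."""
    if not SAFE_NAME.fullmatch(name) or ".." in name:
        raise ValueError(f"rejected file name {name!r}")
    return name


def convert_vulnerable(filename: str) -> str:
    """shell=True with concatenation: ';', '|', '$(...)' in the name run as commands."""
    cmd = f"echo {filename}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def convert_quoted(filename: str) -> str:
    """shlex.quote stops command injection but not argument injection: '-n' is still an option."""
    cmd = f"echo {shlex.quote(filename)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def convert_safe(filename: str) -> str:
    """No shell at all: argv list, so the name is always exactly one argument, plus the allow-list."""
    name = validate_filename(filename)
    return subprocess.run(["echo", name], capture_output=True, text=True).stdout


def try_convert(filename: str):
    """(True, output) or (False, reason) for convert_safe."""
    try:
        return True, convert_safe(filename)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    payload = "photo.jpg; echo INJECTED"
    print(repr(convert_vulnerable(payload)))     # second command runs
    print(repr(convert_quoted(payload)))         # one literal argument
    print(repr(convert_quoted("-n")))            # option swallowed: argument injection
    print(try_convert(payload), try_convert("report_2024.pdf"))
```

For the file-upload row the same rules apply to the stored name and to metadata the processor reads out of the file; renaming uploads to a server-generated identifier removes the user-controlled string from the command line entirely, and a `--` separator before the name (where the tool supports it) closes the option-parsing gap that quoting leaves open.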