Attack chains

A single MEDIUM-severity finding usually isn't a fire drill. Two MEDIUMs that combine into an account takeover absolutely is. Attack chains are where Pentestas surfaces that combinatorial risk.

What a chain looks like

An ordered sequence of stages. Each stage:

  • Stands alone as a finding (or a known behaviour of the target).
  • Creates the precondition for the next stage.

The last stage ends at a concrete impact: account takeover, RCE, data exfiltration, admin escalation.

Example chain:

File upload accepts SVG       → SVG embeds <script>               → stored XSS
stored XSS fires on profile   → executes on admin's session       → cookie exfil via SSRF-safe channel
admin cookie sent to attacker → attacker posts /admin/users/X     → arbitrary user promotion

Three separate findings (unrestricted file upload, stored XSS, session cookie without the HttpOnly flag), each MEDIUM on its own, combine into a CRITICAL account-takeover chain.

How Pentestas builds them

Two mechanisms run side by side:

Rule-based synthesis

A hand-curated set of 23 rules encodes common escalation patterns. Each rule:

  • Checks preconditions (e.g. "there's a file upload finding AND a stored-XSS finding").
  • Emits a chain with a stage template explaining the escalation.
  • Computes the combined severity (usually one step above the highest severity among its stages).

Examples of the rules:

  • Default creds β†’ takeover
  • Path traversal β†’ SSH keys β†’ lateral movement
  • SSRF β†’ cloud metadata β†’ IAM credential theft
  • Open redirect β†’ credential phishing
  • Mass assignment β†’ admin promotion
  • IDOR β†’ bulk PII scrape
  • RCE β†’ persistence (cron, systemd timer, startup script)

LLM synthesis (Pro+)

Claude reads the full findings list and the application context, then proposes chains the rules missed. Output is validated before publishing: each stage must reference an actual finding from the scan, so the model cannot introduce a step the scanner never observed.

Where chains appear

  • Scan detail page — mindmap view at the top. Click any node to jump to the finding.
  • Executive reports (PDF) — each chain gets a dedicated page.
  • API — GET /api/scans/{id}/graph returns the chain list.

Mindmap controls

  • Click a node to expand + reveal the next stage.
  • Drag the background to pan.
  • Shift + scroll to pan horizontally.
  • Click a leaf to open the finding.

Severity of a chain

The chain's severity is derived from:

  • The max severity across its stages.
  • Whether the impact is a widely understood "pwn" (RCE, account takeover, arbitrary DB access) — that bumps it one level.
  • Whether the chain can be started without authentication (chains that need no valid session rank higher than those that do).

Most chains land at CRITICAL or HIGH — that's by design. If a chain would only land at LOW, the rule engine typically doesn't publish it: LOW chains add noise without changing what you would do next.
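A minimal model of the rule-based synthesis described under "How Pentestas builds them" and of the severity derivation above, written here as an added example rather than Pentestas' own engine. The rule set, the finding kinds, the INFO severity level below LOW, the validation gate for LLM-proposed chains and the exact weight of each severity factor are assumptions; the page only states that each factor raises the severity and that LOW chains are not published.

```python
"""Toy attack-chain synthesis: rule matching, combined-severity scoring and
stage validation. Added illustration, not Pentestas' engine; rule set,
finding kinds, the INFO level and bump weights are assumptions."""
from dataclasses import dataclass

SEVERITIES = ["INFO", "LOW", "MEDIUM", "HIGH", "CRITICAL"]  # INFO is assumed
PWN_IMPACTS = {"rce", "account_takeover", "arbitrary_db_access"}
MIN_PUBLISH = "MEDIUM"  # chains that would land below this are dropped


@dataclass(frozen=True)
class Finding:
    id: str
    kind: str                   # normalised class, e.g. "stored_xss"
    severity: str
    auth_required: bool = True  # does exploiting it need a valid session?


@dataclass(frozen=True)
class Rule:
    name: str
    preconditions: tuple  # finding kinds that must all be present, in stage order
    stage_text: tuple     # one escalation sentence per precondition
    impact: str


@dataclass
class Chain:
    rule: str
    stages: list          # [(finding_id, text), ...]
    impact: str
    severity: str


def bump(sev: str) -> str:
    """Raise a severity one step, capped at CRITICAL."""
    return SEVERITIES[min(SEVERITIES.index(sev) + 1, len(SEVERITIES) - 1)]


def chain_severity(stage_findings, impact: str) -> str:
    """Max of the parts, +1 for combining them, +1 for a pwn impact,
    +1 if the first stage needs no authentication (weights assumed)."""
    sev = max((f.severity for f in stage_findings), key=SEVERITIES.index)
    sev = bump(sev)
    if impact in PWN_IMPACTS:
        sev = bump(sev)
    if not stage_findings[0].auth_required:
        sev = bump(sev)
    return sev


def synthesize(findings, rules):
    """Apply every rule; emit a chain when all its preconditions are present."""
    by_kind = {}
    for f in findings:
        by_kind.setdefault(f.kind, f)  # first finding of each kind is used
    chains = []
    for rule in rules:
        if not all(k in by_kind for k in rule.preconditions):
            continue
        parts = [by_kind[k] for k in rule.preconditions]
        sev = chain_severity(parts, rule.impact)
        if SEVERITIES.index(sev) < SEVERITIES.index(MIN_PUBLISH):
            continue  # would only land at LOW: noise, not published
        stages = [(f.id, t) for f, t in zip(parts, rule.stage_text)]
        chains.append(Chain(rule.name, stages, rule.impact, sev))
    return chains


def validate_chain(chain: Chain, findings) -> bool:
    """Gate for LLM-proposed chains: every stage must cite a real finding."""
    known = {f.id for f in findings}
    return bool(chain.stages) and all(fid in known for fid, _ in chain.stages)


# Constructed sample rules, three of the kind the text lists.
RULES = [
    Rule("upload_xss_takeover",
         ("unrestricted_upload", "stored_xss", "cookie_missing_httponly"),
         ("SVG upload accepted", "embedded <script> fires in the admin's session",
          "script-readable session cookie exfiltrated and replayed against /admin"),
         "account_takeover"),
    Rule("ssrf_metadata_iam",
         ("ssrf", "cloud_metadata_reachable"),
         ("SSRF reaches internal addresses", "metadata endpoint returns IAM credentials"),
         "iam_credential_theft"),
    Rule("banner_recon",
         ("server_banner", "verbose_errors"),
         ("server version disclosed", "stack traces reveal framework paths"),
         "recon"),
]

# Constructed sample findings from one scan.
FINDINGS = [
    Finding("F1", "unrestricted_upload", "MEDIUM"),
    Finding("F2", "stored_xss", "MEDIUM"),
    Finding("F3", "cookie_missing_httponly", "MEDIUM"),
    Finding("F4", "ssrf", "MEDIUM"),
    Finding("F5", "cloud_metadata_reachable", "MEDIUM"),
    Finding("F6", "server_banner", "INFO"),
    Finding("F7", "verbose_errors", "INFO"),
]

if __name__ == "__main__":
    for c in synthesize(FINDINGS, RULES):
        print(c.severity, c.rule, "->", c.impact, [fid for fid, _ in c.stages])
```

Run stand-alone it publishes two chains: the upload/XSS/cookie combination at CRITICAL (three MEDIUMs, one step for combining them and one for the takeover impact) and the SSRF chain at HIGH. The recon rule matches the two INFO findings but lands at LOW and is dropped before publishing, and `validate_chain` rejects any proposed chain whose stage cites a finding id the scan does not contain.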

When there are no chains

Not every scan produces chains; when none appear, it means the findings don't combine into a known escalation pattern. Don't read "no chains" as "you're safe": individual HIGH findings still matter. The chain view is additive, not a replacement for the severity-ordered findings list.

See also