Exploitation chains

Pentestas no longer stops at "we found SQLi." After the primitive detectors run, an exploitation orchestrator walks the accumulated findings, builds a capability graph, and runs every pre-built chain whose required capabilities are present. Successful chains demonstrate concrete application-level impact: a logged-in admin session, a live AWS-credential extraction, a customer record dump, money movement on a real account.

Each successful chain becomes a single EXPLOIT_CHAIN finding at CRITICAL severity with a numbered playbook the operator can replay step-for-step.

How this differs from "Attack chains"

Two related but distinct concepts:

Attack chains — rule-based + AI-narrated multi-step paths inferred from the findings list. They describe compromise paths the operator should walk manually. No HTTP traffic generated.
Exploitation chains (this page) — the orchestrator actually executes the chain. Real HTTP requests against the customer's app, real captured artifacts (extracted DB rows, forged JWT, fetched IMDS keys), real proof of impact.

The ten chains

Ordered by impact class:

Account takeover (5 chains)

A — Default credentials → admin actions. When Pentestas discovers working default credentials (admin:admin123, root:root, etc.), the chain logs in to the application's actual login endpoint, captures the resulting session, and walks a curated list of admin-shaped paths (/admin, /sup3r_s3cr3t_admin, /api/admin, /actuator, etc.). Confirmation = the response body contains user-list / loan-approval / admin-action markers.
B — SQLi → users-table dump → app login. Reuses the SQLi extractor to pull the users table, harvests cleartext passwords (or cracks hashes via tools/hash_cracker.py), then logs in with the real credentials at /login. Output: a session that proves any account in the dumped set is compromised.
D — Mass-assignment → register synthetic admin → admin actions. When mass-assignment accepts is_admin: true, the chain registers a synthetic admin account, logs in, and verifies the JWT carries the admin claim. Destructive — only runs when the operator opted into demonstrate_destructive=True.
F — JWT alg=none → forge admin token → admin paths. Builds a token with {"alg":"none"} + is_admin: true, submits it to known admin paths, confirms the response carries admin-page markers.
G — Credential dump → reuse → app login. Endpoints like /debug/users that return plaintext passwords are picked up by the credential-dump classifier. The chain takes the leaked pairs and logs in with them at /login, demonstrating that every credential in the dump is a working account.

Data exfiltration (2 chains)

C — BOLA → mass enumerate id space → scale-of-leak. When an unauthenticated BOLA endpoint is found (e.g. /check_balance/<account>), the chain walks a sampled id range capped at 25 records (responsible disclosure) and emits the aggregate impact: number of distinct users, total observed balance, sample records.
H — Prompt injection → LLM-as-DB-query. When a confirmed prompt-injection primitive exists, re-issues the injection asking the model to dump the users table. Confirmation requires both a per-request nonce echo AND credential-shaped data in the reply.

Cloud takeover (1 chain)

E — SSRF → IMDS → AWS HMAC. Uses an SSRF primitive to fetch http://169.254.169.254/latest/meta-data/iam/security-credentials/<role>; extracts AccessKeyId + SecretAccessKey + session token. The customer's role on the host is now compromised.

Money movement (1 chain — destructive)

I — Negative-amount transfer. When the numeric body fuzzer found a state-diff on a transfer-shaped endpoint AND the orchestrator holds an authenticated session, it executes a $0.01 negative-amount transfer and reads back the balance to prove the move. Destructive.

RCE (1 chain — destructive)

J — Werkzeug PIN crack → RCE. When /console is reachable, tries common-default debugger PINs. On hit → executes a benign command and captures the response. On miss → emits a HIGH "1 PIN-guess away" finding so the operator knows to compute the deterministic PIN offline. Destructive.

Session state propagation

The orchestrator maintains a shared SessionRegistry across chains. When chain A obtains an admin JWT via default-creds, chain I (negative-amount transfer) automatically reuses that token — no re-auth, no operator-side wiring. The first chain to acquire a session populates the registry; later chains read it. The session is also folded back into the engine's HTTP client so subsequent scan phases benefit.

Destructive mode opt-in

Three chains modify application state:

D registers a synthetic admin account that persists in the customer's database (Pentestas does NOT delete it; the operator must revoke post-scan).
I moves $0.01 between attacker-controlled accounts.
J executes a benign Werkzeug-debugger command if a PIN works.

These chains are off by default. Tick "Demonstrate destructive impact" on the new-scan form to enable them. The seven non-destructive chains run on every scan automatically.

Safety guards

Sample caps. BOLA enumeration stops at 25 records — proof of scale, not full data dump.
Tiny demonstrative impact. Money-movement chain is hard-coded to $0.01 + self-account when possible.
No deep PIN brute force. Werkzeug PIN crack only tries a curated list of 5 common defaults; "compute the deterministic PIN" requires operator-side info we don't ship.
Redacted artifacts. Credentials, tokens, and AWS keys captured by chains are stored with middle bytes elided in the finding evidence — operator sees enough to verify, not enough to reuse without consent.

Where it shows in the UI

Each successful chain emits a CRITICAL finding with vuln_type=EXPLOIT_CHAIN:

Title starts with DEMONSTRATED ... so it's distinguishable from primitive findings.
Description contains the full numbered playbook (steps 1..N with request, response, outcome).
Validation steps mirror the playbook for the report.
Evidence carries the captured artifact: extracted token (redacted), AWS key prefix, balance delta, sample records, etc.

API

curl

curl -H "Authorization: Bearer $PT_TOKEN" \
  "https://app.pentestas.com/api/findings?scan_id=$SID&vuln_type=EXPLOIT_CHAIN"