Vuln Chain Composer

The strategic brain. Correlates individual vulnerabilities into devastating multi-step exploit chains.

Important

CRITICAL: This skill produces offensive security analysis. Only use with explicit authorization on the target systems.

Instructions

Step 1: Import Findings

Accept vulnerability data from:

1. JSON output from webapp-exploit-hunter, api-breaker, cloud-pivot-finder
2. Manual finding descriptions from the user
3. Attack tree data from attack-path-architect
4. Mixed sources - consolidate everything

python scripts/import_findings.py --input {findings_dir_or_files}

Normalize all findings to a common format:

• Vulnerability type (SQLi, XSS, SSRF, IDOR, etc.)
• Location (domain, URL, parameter)
• Severity (standalone)
• PoC (if available)
• Prerequisites (authentication level, specific conditions)

Step 2: Cross-Domain Correlation

python scripts/correlate.py --findings {normalized_findings}

Analyze relationships between findings:

Same-Origin Chains:

• XSS on subdomain A + sensitive cookies scoped to parent domain = session hijack on all subdomains
• SSRF on subdomain B + internal API access = data exfiltration via internal endpoints
• Open redirect on auth endpoint + OAuth callback = token theft

Trust-Based Chains:

• Subdomain takeover + same cookie scope = full session hijack
• CI/CD access + deployment pipeline = production RCE
• Cloud metadata via SSRF + IAM overprivilege = full cloud compromise

Credential-Based Chains:

• SQL injection + password hashes = credential cracking + account takeover
• .env file exposure + database credentials = direct data access
• IDOR on user profile + email exposure = targeted phishing + account takeover

Escalation Chains:

• Low-privilege IDOR + mass assignment = privilege escalation to admin
• Self-XSS + CSRF = weaponized stored XSS affecting other users
• Rate limit bypass + brute-force + OTP bypass = authentication bypass

Step 3: Chain Construction

python scripts/build_chains.py --correlations {correlation_data}

For each identified chain:

1. Define the chain narrative: Clear story from initial access to final impact
2. List each step with:
   • Vulnerability exploited
   • Specific URL/parameter
   • What is gained at this step
   • How it enables the next step
3. Map dependencies: What must succeed for the chain to work
4. Identify alternatives: If one step is fixed, is there a bypass?
5. Calculate chain feasibility: Product of individual step probabilities

Step 4: Impact Recalculation

python scripts/calculate_impact.py --chains {chains_file}

Recalculate severity based on chain context:

Impact Amplifiers:

• Self-XSS (Low) + CSRF chain = Stored XSS affecting others (High)
• Info disclosure (Low) + credential reuse = Account takeover (Critical)
• SSRF (Medium) + cloud metadata = Full infrastructure access (Critical)
• IDOR (Medium) + PII access + mass enumeration = Data breach (Critical)

CVSS Recalculation: For each chain, calculate:

• Attack Complexity: Based on number of steps and prerequisites
• Privileges Required: Based on initial access requirements
• User Interaction: Based on whether victim action is needed
• Scope: Changed if chain crosses trust boundaries
• Confidentiality/Integrity/Availability impact of the FINAL outcome

Step 5: PoC Generation

python scripts/generate_chain_poc.py --chain {chain_file}

For each confirmed chain, generate:

1. Step-by-step reproduction guide with screenshots descriptions
2. Automated PoC script (Python) that:
   • Executes each step in sequence
   • Passes data between steps (tokens, cookies, IDs)
   • Validates each step succeeded before continuing
   • Generates evidence at each step
3. curl command sequence for manual reproduction
4. Video script: Narrated steps for recording a PoC video

Step 6: Bug Bounty Report Generation

python scripts/generate_report.py --chains {chains_file} --format {platform}

Platform-optimized reports for:

• HackerOne format: Title, severity, description, steps to reproduce, impact, remediation
• Bugcrowd format: Similar with VRT classification
• Generic format: Professional pentest report style

Report structure per chain:

## Title
[Compelling, impact-focused title]

## Severity
[Recalculated severity with justification]

## Summary
[2-3 sentences: what it is, why it matters, what an attacker gains]

## Affected Assets
[List of all domains/endpoints involved]

## Steps to Reproduce
[Numbered steps with exact URLs, payloads, expected results]

## Proof of Concept
[curl commands or script]

## Impact
[Business impact: what data is at risk, what actions are possible]

## Attack Scenario
[Realistic attack narrative from attacker's perspective]

## Remediation
[Fix recommendations for EACH vulnerability in the chain]

## Chain Visualization
[ASCII diagram of the attack flow]

Step 7: Alternative Path Analysis

For each chain, document:

1. If Step N is fixed: Does an alternative path exist?
2. Minimal fix set: What is the minimum number of fixes to break ALL chains?
3. Defense in depth: Which controls would detect/prevent each step?
4. Monitoring recommendations: What logs/alerts would catch this chain in action?

Error Handling

Insufficient Findings for Chaining

If findings are isolated with no chainable relationships:

1. Report individual findings with standalone severity
2. Suggest additional testing that might reveal chain opportunities
3. Note: "No chain identified, but testing X, Y, Z might reveal connections"

Unverified Chain Steps

If some steps in a chain haven't been tested:

1. Mark the chain as "theoretical" or "partially verified"
2. Clearly indicate which steps are confirmed vs assumed
3. Provide testing instructions for unverified steps

Examples

Example 1: Full Chain Analysis

User says: "I found XSS on blog.example.com, SSRF on docs.example.com, and an open S3 bucket. Chain these."

Actions:

1. Import all three findings
2. Check cookie scope across subdomains
3. Check if SSRF can reach S3 internal endpoint
4. Build chains: XSS -> cookie theft -> access to docs -> SSRF -> S3
5. Calculate impact of full chain (Critical)
6. Generate PoC and report

Example 2: Bug Bounty Report

User says: "Generate a HackerOne report for this chain of findings"

Actions:

1. Load the chain data
2. Write compelling title and summary
3. Format steps to reproduce with exact payloads
4. Include curl commands as PoC
5. Calculate and justify severity
6. Add remediation recommendations
7. Output markdown ready to paste into HackerOne

Example 3: What-If Analysis

User says: "If they fix the XSS, can we still get to the S3 bucket?"

Actions:

1. Remove XSS from available findings
2. Re-run correlation with remaining findings
3. Check for alternative initial access paths
4. Report: alternative chains exist/don't exist
5. Recommend which fixes break the most chains