
arxiv: 1906.11782 · v1 · pith:DYEWELEEnew · submitted 2019-06-27 · 💻 cs.CR

A Sweet Recipe for Consolidated Vulnerabilities: Attacking a Live Website by Harnessing a Killer Combination of Vulnerabilities

Pith reviewed 2026-05-25 14:26 UTC · model grok-4.3

classification 💻 cs.CR
keywords web vulnerabilities · finite state machine · vulnerability chaining · cross-site scripting · file inclusion · CSRF · attack modeling · website security

The pith

A finite state machine model maps connections among web vulnerabilities to enable chained attacks on live sites.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper develops a finite state machine attacking model to analyze sets of website vulnerabilities and identify how they connect. The model is tested by applying it to vulnerabilities found on two actual live websites. A sympathetic reader would care because it provides a systematic way to understand combined exploits rather than isolated issues. This approach matters if websites commonly leave multiple outdated weaknesses that attackers can link for greater impact.

Core claim

We develop a Finite State Machine (FSM) attacking model, which analyzes a set of vulnerabilities towards the road to finding connections. We demonstrate the efficacy of our model by applying it to the set of vulnerabilities found on two live websites.

What carries the argument

The Finite State Machine (FSM) attacking model that treats vulnerabilities as states and transitions as exploitation steps to discover chained attack sequences.
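To make the model concrete, the following Python sketch was written for this review (it is not the authors' code): scanner findings are the precondition-free start states, the RULES table supplies assumed transitions, accepting_chains enumerates chains that reach a harmful outcome only by combining more than one finding, and patch_priority turns the same model into a defender's ranking of what to fix first. The rule table, capability names and sample findings are constructed assumptions, not values from the paper.

```python
"""Toy version of the paper's FSM attacking model (constructed for this review,
not the authors' code). State = capabilities held; transition = a rule firing once
its preconditions hold; accepting state = harm reached by combining findings."""

# (preconditions, capability gained, description of the step) -- assumed rules
RULES = [
    (("lfi",), "path_disclosure", "LFI exposes server-side file paths"),
    (("rfi", "path_disclosure"), "remote_code_exec", "RFI via a disclosed include path"),
    (("xss", "csrf"), "forged_request", "XSS bypasses the CSRF protection"),
    (("remote_code_exec",), "defacement", "code execution injects content"),
    (("forged_request",), "defacement", "forged editor actions inject content"),
    (("forged_request",), "data_theft", "forged user actions leak data"),
]
GOALS = ("data_theft", "defacement")  # harmful (accepting) outcomes

def derivations(capability, findings, stack=()):
    """All ways to obtain `capability` from the scanner findings, each as
    (findings used, ordered transition descriptions)."""
    if capability in findings:       # scanner finding: no precondition needed
        return [(frozenset([capability]), ())]
    if capability in stack:          # guard against cyclic rule sets
        return []
    out = []
    for pre, _, desc in (r for r in RULES if r[1] == capability):
        combos = [(frozenset(), ())]  # cross product of choices per precondition
        for p in pre:
            sub = derivations(p, findings, stack + (capability,))
            combos = [(u | u2, s + tuple(x for x in s2 if x not in s))
                      for u, s in combos for u2, s2 in sub]
        out += [(u, s + (desc,)) for u, s in combos]
    return out

def accepting_chains(findings):
    """(goal, findings used, steps) for every chain that combines more than one
    finding; a harm reachable from a single finding is not an accepting state."""
    findings = frozenset(findings)
    return sorted((g, tuple(sorted(u)), s) for g in GOALS
                  for u, s in derivations(g, findings) if len(u) > 1)

def patch_priority(findings):
    """Defender's view: findings ranked by the number of accepting chains that
    need them, so fixing the top one breaks the most chains."""
    counts = {f: 0 for f in findings}
    for _, used, _ in accepting_chains(findings):
        for f in used:
            counts[f] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

# Constructed scan result for a hypothetical outdated site.
SAMPLE_FINDINGS = {"csrf", "lfi", "rfi", "xss"}
```

Running accepting_chains(SAMPLE_FINDINGS) yields three chains, and patch_priority shows CSRF and XSS each sitting on two of them, so they are the findings whose removal breaks the most paths.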

If this is right

  • Combinations of vulnerabilities such as cross-site scripting, file inclusion, and CSRF produce greater damage than any single one.
  • The FSM model can identify connections within any given set of discovered vulnerabilities.
  • Live websites with multiple unpatched issues become susceptible to sequenced attacks.
  • Applying the model shows concrete paths from initial access to full compromise on real sites.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Automated security tools could adopt similar state models to prioritize combinations over isolated findings.
  • The same modeling technique might extend to other systems such as network services or application frameworks.
  • Vulnerability databases could be augmented with transition data to generate FSMs automatically.

Load-bearing premise

The finite state machine accurately represents real exploitation sequences that attackers can chain on live websites without being adjusted to the specific sites tested.

What would settle it

Running the attack sequences predicted by the FSM on the two websites and checking whether they produce successful compromises when performed independently.

Figures

Figures reproduced from arXiv: 1906.11782 by A. B. M. Alim Al Islam, Mazharul Islam, MD. Nazmuddoha Ansary, Novia Nurain, Salauddin Parvez Shams.

Figure 1: Two stages of our FSM based attacking model
Figure 2: Three sequential phases of preprocessing stage: building Finite State …
Figure 4: Simplified state diagram to those states which do not need any precondition to be true. (Accepting (goal) states represent a harmful state of the victim website after combining more than one state.)
Figure 5: Outcomes of executing phase 1 on http://testphp.vulnweb.com in terms of server information and http://teacher.xxx.xx.xx (public government website hence we are being anonymous about the website address)
Figure 6: Outcomes of phase-1 on http://testphp.vulnweb.com in terms of URI resources. The leaf nodes represent resources. The non-leaf nodes represent directories/folders.
Figure 8: Outcomes of phase-1 on http://teacher.xxx.xx.xx in terms of server information
Figure 9: Outcomes of phase-1 on http://teacher.xxx.xx.xx in terms of URI resources. The leaf nodes represent resources. The non-leaf nodes represent directories/folders.
Figure 11: Proof of concept: possible brute force attack (in less aggressive …
Original abstract

The recent emergence of new vulnerabilities is an epoch-making problem in the complex world of website security. Most of the websites are failing to keep updating to tackle their websites from these new vulnerabilities, leaving them without realizing the weakness of the websites. As a result, when cyber-criminals scour such vulnerable old-version websites, the scanner will represent a set of vulnerabilities. Once found, these vulnerabilities are then exploited to steal data, distribute malicious content, or inject defacement and spam content into the vulnerable websites. Furthermore, a combination of different vulnerabilities is able to cause more damage than anticipated. Therefore, in this paper, we endeavor to find connections among various vulnerabilities such as cross-site scripting, local file inclusion, remote file inclusion, buffer overflow CSRF, etc. To do so, we develop a Finite State Machine (FSM) attacking model, which analyzes a set of vulnerabilities towards the road to finding connections. We demonstrate the efficacy of our model by applying it to the set of vulnerabilities found on two live websites.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 1 minor

Summary. The manuscript claims to develop a Finite State Machine (FSM) attacking model that identifies connections among web vulnerabilities including cross-site scripting, local file inclusion, remote file inclusion, buffer overflow, and CSRF. Efficacy is demonstrated by applying the model to the set of vulnerabilities found on two live websites.

Significance. A general, pre-specified FSM model for chaining web vulnerabilities could provide a structured framework for analyzing multi-stage attacks if the states and transitions are defined independently of any particular site and shown to generalize. The use of live websites for demonstration is a strength, but the absence of model specification or quantitative validation in the provided description prevents assessment of whether the result would advance the field.

major comments (2)
  1. [Abstract] Abstract: The FSM attacking model is described only at the level of 'analyzes a set of vulnerabilities towards the road to finding connections' with no enumeration of states (one per vulnerability class?), transition rules (e.g., conditions under which LFI enables XSS), or input alphabet. Without this definition it is impossible to determine whether the model was constructed from general principles before site analysis or reverse-engineered from the vulnerabilities discovered on the two sites.
  2. [Abstract] Abstract: The demonstration of efficacy consists solely of the statement that the model was 'applied' to vulnerabilities on two live websites; no success metric, attack path length, false-positive rate, or comparison against manual chaining or existing attack-graph tools is supplied. This leaves the central claim without measurable support.
minor comments (1)
  1. [Abstract] Abstract: The phrase 'buffer overflow CSRF' is ambiguous; it is unclear whether this intends two separate vulnerabilities or a combined class.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive comments on our manuscript. We address each major comment below and will revise the paper to incorporate additional details on the FSM model specification and evaluation metrics.

Point-by-point responses
  1. Referee: [Abstract] Abstract: The FSM attacking model is described only at the level of 'analyzes a set of vulnerabilities towards the road to finding connections' with no enumeration of states (one per vulnerability class?), transition rules (e.g., conditions under which LFI enables XSS), or input alphabet. Without this definition it is impossible to determine whether the model was constructed from general principles before site analysis or reverse-engineered from the vulnerabilities discovered on the two sites.

    Authors: The FSM was constructed from general principles of vulnerability chaining prior to site analysis. States represent the vulnerability classes (XSS, LFI, RFI, buffer overflow, CSRF), transitions encode enabling conditions (e.g., LFI exposing file paths usable for RFI or XSS injection), and the input alphabet consists of the corresponding payloads and actions. We will add a dedicated section with the formal FSM definition, state-transition diagram, and explicit statement that the model was pre-specified, to address this concern. revision: yes

  2. Referee: [Abstract] Abstract: The demonstration of efficacy consists solely of the statement that the model was 'applied' to vulnerabilities on two live websites; no success metric, attack path length, false-positive rate, or comparison against manual chaining or existing attack-graph tools is supplied. This leaves the central claim without measurable support.

    Authors: The manuscript demonstrates efficacy through concrete attack paths identified on the two live sites. We agree that explicit metrics strengthen the claim and will revise to report the number and lengths of discovered paths, along with a comparison to manual chaining performed by the authors. Quantitative false-positive rates are difficult to define without an external oracle on live sites, but we will provide the raw path counts and qualitative validation. A full benchmark against attack-graph tools is outside the paper's scope but a brief discussion will be added. revision: partial

Circularity Check

0 steps flagged

No circularity: FSM model presented as developed independently before site application

full rationale

The paper claims to develop an FSM attacking model to find connections among vulnerabilities and then demonstrates it on two live websites. No equations, fitted parameters, or self-citations are present in the provided abstract or description. The derivation chain does not reduce any prediction to its inputs by construction, as the model is described as an analytical tool applied to discovered vulnerabilities rather than reverse-engineered from them. This is a standard non-finding for a descriptive security paper without mathematical derivations.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Abstract-only review supplies no equations, parameters, or explicit assumptions; ledger entries cannot be populated from available text.


Reference graph

Works this paper leans on

2 extracted references · 2 canonical work pages

  1. [1] Nagpal, Bharti, Nanhay Singh, Naresh Chauhan, and Angel Panesar. "Tool based implementation of SQL injection for penetration testing." In Computing, Communication and Automation (ICCCA), 2015 International Conference on, pp. 746-749. IEEE, 2015.
     [11] Jajodia, Sushil, Steven Noel, and Brian O'Berry. "Topological analysis of network attack vulnerability." In ...

  2. [2] Beautiful Soup Documentation, https://www.crummy.com/software/BeautifulSoup/bs4/doc/, last accessed 8 9 2018.
     [13] DirBuster (URL fuzzer, OWASP), https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project, last accessed 8 9 2018.
     [14] Nikto web scanner, https://cirt.net/Nikto2, last accessed 8 9 2018.
     [15] Nmap: the Network Mapper - Free Secu...