
Chaining File Upload Bypass and Stored XSS to Create Admin Accounts
SaaS, penetration test, file upload bypass, stored XSS, admin account, CSP, CORS, CSRF, Docker, vulnerability, attack chain
The post describes a vulnerability chain discovered during a SaaS penetration test, combining a file upload bypass and stored XSS to create an admin account. The target had security controls like CSP, CORS, and CSRF tokens, but the attack bypassed them by remaining same-origin. A malicious JavaScript payload was uploaded as a file, then executed via an <img onerror> handler in the admin inbox, using the admin’s session to create a backdoor account. A Docker lab replicating the vulnerabilities and attack chain is also provided.