Chain Attacks: From XSS to RCE in 3 Steps
How chaining seemingly low-severity vulnerabilities can lead to critical impact — with a real-world case study.
The Starting Point: Reflected XSS
It started with what seemed like a low-severity reflected XSS in a search parameter. The security team had classified it as P4 (low risk) because the page had no sensitive functionality and CSP was partially implemented. But in penetration testing, context is everything — and this XSS was on an authenticated admin dashboard.
Step 1: XSS to Admin Session
Using the XSS, I crafted a payload that exfiltrated the admin's session cookie via a fetch request to my server. The CSP had a gap — it allowed connections to a whitelisted analytics domain that I could use as an exfiltration channel via an open redirect on that domain. Within seconds of the admin clicking a crafted link, I had full admin session access.
Step 2: Admin Access to File Upload
The admin dashboard had a file upload feature for importing CSV data. While the application validated file extensions client-side, the server-side check only verified the Content-Type header — not the actual file content. Using the admin session, I uploaded a CSV file that was actually a web shell disguised with a .csv extension and a legitimate Content-Type.
Step 3: File Upload to RCE
The server stored uploaded files in a publicly accessible directory. The web shell, despite its .csv extension, was executed by the server because the application's Apache configuration had a misconfigured AddHandler directive that processed all files in the upload directory as PHP. This gave me remote code execution on the server.
Lessons Learned
Never dismiss low-severity findings in high-value contexts. Always consider the attack chain, not individual vulnerabilities in isolation. Defense in depth means implementing controls at every layer — CSP alone is not enough if other controls are missing. Proper file upload validation requires checking file content (magic bytes), not just extensions and headers.
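As an added illustration of the last lesson (this is example code, not the author's or the affected application's), the following Python validator shows what a server-side check for the CSV import in Step 2 would need to do: the extension and Content-Type are checked but never trusted, the bytes themselves are inspected for code markers and binary content, the file must parse as a consistent table, and the stored copy gets a server-chosen name. The policy values, function names and sample inputs are assumptions constructed for the example.

```python
import csv
import io
import os
import secrets
from typing import Tuple

# Constructed policy for a CSV import endpoint (example values, not the
# original application's configuration).
ALLOWED_EXTENSIONS = {".csv"}
ALLOWED_CONTENT_TYPES = {"text/csv", "application/vnd.ms-excel"}
MAX_BYTES = 5 * 1024 * 1024
# Byte sequences that have no business in a CSV import. "<?" covers both the
# full PHP open tag and short tags; the others cover other server-side handlers.
FORBIDDEN_MARKERS = (b"<?", b"<script", b"<%")


def validate_csv_upload(filename: str, content_type: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). A disguised web shell fails here even when it
    carries a .csv name and a text/csv header, because the content is checked."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext!r} not allowed"
    # The header is client-controlled: checked for sanity, never relied on.
    if content_type.split(";")[0].strip().lower() not in ALLOWED_CONTENT_TYPES:
        return False, f"content type {content_type!r} not allowed"
    if len(data) > MAX_BYTES:
        return False, "file too large"
    # CSV has no magic bytes, so the content check is structural: it must be
    # text (no NUL bytes, valid UTF-8) and must not carry code markers.
    if b"\x00" in data:
        return False, "binary content in text upload"
    lowered = data.lower()
    for marker in FORBIDDEN_MARKERS:
        if marker in lowered:
            return False, f"forbidden marker {marker!r} in content"
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False, "not valid UTF-8"
    # Finally the file must actually parse as a table with a fixed width.
    rows = [r for r in csv.reader(io.StringIO(text)) if r]
    if not rows:
        return False, "empty file"
    width = len(rows[0])
    if any(len(r) != width for r in rows):
        return False, "inconsistent column count"
    return True, f"ok: {len(rows)} rows x {width} columns"


def storage_path(upload_dir: str) -> str:
    """Never reuse the client's filename: store under a random server-chosen
    name (assumed to be outside the web root) so the server never serves or
    executes the upload, whatever handler is mapped to the directory."""
    return os.path.join(upload_dir, secrets.token_hex(16) + ".csv")
```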
K4L1 Security
Bug Bounty Hunter & Security Researcher