Not the usual CSP bypass case
CSP default-src 'self' — bypass using the error page.
During one of the penetration tests, I managed to chain three application issues that finally enabled the execution of the Stored XSS vulnerability.
The vulnerability combines three flaws in the application:
- Unrestricted file upload.