Local file read via XSS using PDF generate functionality

Hello InfoSec elites,

I’m going to share a story about how I escalated a low severity bug into a critical one.

I was taking a look at the different functionalities of one of the programs, and it had a collaboration feature where users can make notes and share them with others. There was an option to export the notes as a PDF. Without wasting any time, I simply added "><h1>LoL</h1> to a note and exported that same content as a PDF, and the exported PDF rendered the injected HTML.

Okay, so now we have a P4. Let’s see if I can escalate this to a P2, or maybe even a P1.

At this point I was not sure whether I could execute JavaScript. After some googling I found that document.write() can be used to overwrite the existing HTML content.

<img src="x" onerror="document.write('aaaa')" />

Awesome! Now we need to find out where the HTML is actually being rendered, by writing window.location into the document.

<img src="x" onerror="document.write(window.location)" />

It returned the following content in the PDF:

Since I was able to get the location, I tried to access file:///etc/passwd by writing an iframe into the document with the document.write() function:

<img src="echopwn" onerror="document.write('<iframe src=file:///etc/passwd></iframe>')"/>
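As an added example (not the program's code and not from the original post), here are the two independent fixes a defender would want for a notes-to-PDF feature like the one above: escape note text before it is interpolated into the HTML handed to the renderer, and give the renderer a URL allowlist so that even markup that slips through cannot make it load file:// or internal addresses. The host name in the allowlist and the shape of the note object are assumptions.

```javascript
// Added example: two layers of defence for a "notes -> PDF" export.
// Layer 1 makes the renderer see user input only as text; layer 2 stops the
// renderer from fetching anything outside the template's own asset host.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that let text break out of an HTML text node or attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable pattern: note content concatenated straight into the HTML template.
function renderNoteVulnerable(note) {
  return `<html><body><h2>${note.title}</h2><p>${note.body}</p></body></html>`;
}

// Hardened pattern: every user-controlled value is escaped before interpolation.
function renderNoteSafe(note) {
  return `<html><body><h2>${escapeHtml(note.title)}</h2><p>${escapeHtml(note.body)}</p></body></html>`;
}

// Layer 2: network policy for the renderer. Only https to the hosts that serve the
// PDF template's own assets is allowed; file:, data:, http: and any other host are
// refused. Wire this into whatever per-request veto hook your renderer exposes
// (assumed: the renderer lets you accept or reject each sub-resource request by URL).
const ASSET_HOSTS = new Set(['static.example.com']); // assumed allowlist

function isAllowedRendererUrl(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return false; // unparseable URLs are refused, not guessed at
  }
  return url.protocol === 'https:' && ASSET_HOSTS.has(url.hostname);
}

// Constructed sample: a note body of the kind that turned the export into a file read.
const SAMPLE_NOTE = { title: 'Meeting', body: '"><h1>LoL</h1><img src="x" onerror="document.write(1)">' };
```

With the sample note, renderNoteVulnerable() emits the h1 and img tags as live markup, while renderNoteSafe() emits them as inert text, and isAllowedRendererUrl() refuses file:///etc/passwd regardless of how the markup got there.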

The program manager personally appreciated this report and chose to reward me twice the usual amount for this bug.

If you have any questions related to this post, feel free to comment.

9 Replies to “Local file read via XSS using PDF generate functionality”

  1. Shubham saxena says:

    Great work! Keep it up

  2. Great finding jerry

  3. Very informative 👍

  4. Can you please give us the PDF files you used?

  5. Nice article

  6. If there is HTML injection, then what’s the need for JavaScript for injecting the iframe?

  7. It is really good! very informative.

  8. Damn! P4 to P1 like a pro (haha xD)
    Private program on H1 or Bugcrowd?