Local file read via XSS using PDF generate functionality

Posted on by admin

Hello InfoSec elites,

I’m going to share a story about how I escalated a low severity bug into a critical one.

I was taking a look at different functionalities of one of the program and it had a Collab feature where we can make notes and share with others. There was an option to export the Notes as PDF. Here without wasting my time I simply added "><h1>LoL</h1> and exported the same content as PDF and it was executing HTML.

Okay, so now we have one P4. Let’s see if I can escalate this to P2 or P1 maybe?

Here, I was not sure if I can execute javascript. After googling I found document.write() can be used to override existing html content .

<img src="x" onerror="document.write('aaaa')" />

Awesome! Now we need to find out where it is executing with the help of “window.location()”

<img src="x" onerror="document.write(window.location)" />
And it returned with following content in PDF:

Since I was able to get the location, I tried to access file:///etc/passwd with the help of document.write() function.
<img src="echopwn" onerror="document.write('<iframe src=file:///etc/passwd></iframe>')"/>

Program manager personally appreciated this report and chose to reward me twice the amount for this bug.

If you have any question related to this post, feel free to comment.

Comments (14)

14 Replies to “Local file read via XSS using PDF generate functionality”

  1. Shubham saxena says: Reply
    June 5, 2020 at 2:23 pm

    Great work! Keep it up

  2. Haerd says: Reply
    June 5, 2020 at 4:10 pm

    Great finding jerry

  3. Shaily says: Reply
    June 5, 2020 at 4:12 pm

    Very informative 👍

  4. 0x0x says: Reply
    June 5, 2020 at 8:39 pm

    can you please give us the pdf files u used

  5. Priyanshu says: Reply
    June 5, 2020 at 8:52 pm

    Nice article

  6. Cyber dude says: Reply
    June 6, 2020 at 3:23 am

    If there is html injection then what’s the need for javascript for injections iframe??..

  7. Jyoti says: Reply
    June 6, 2020 at 3:35 am

    It is really good! very informative.

  8. TESS says: Reply
    June 7, 2020 at 10:17 pm

    Damn ! P4 to P1 like a pro (haha xD)
    Private Program on h1 or Bugcrowd ?

  9. Rahul bhichher says: Reply
    June 24, 2020 at 5:40 pm

    Great work!!!!

  10. Tamiflu says: Reply
    July 19, 2020 at 5:21 pm

    Next idea that came to my mind was reading local files using iframe, object and so on, but tag iframe was completely blocked and html didn’t processed in any ways, and tag

  11. erotik says: Reply
    November 15, 2020 at 11:48 am

    Remarkable! Its genuinely remarkable post, I have got much clear idea on the topic of from this article. Orelle Garrot Jenette

  12. erotik izle says: Reply
    November 15, 2020 at 4:28 pm

    Thanks for the auspicious writeup. It actually used to be a enjoyment account it. Gertruda Esra Purington

  13. sikis izle says: Reply
    November 15, 2020 at 8:45 pm

    Thanks a lot for the blog. Much thanks again. Want more. Camila Isidore Froehlich

  14. erotik izle says: Reply
    November 16, 2020 at 2:25 am

    I visit daily a few web sites and sites to read articles, except this weblog presents feature based posts. Tonie Chrissy Fae

Leave a Reply