Hello InfoSec elites,
I'm going to share a story about how I escalated a low-severity bug into a critical one.
I was looking at the different functionalities of one of the programs, and it had a Collab feature where you can make notes and share them with others. There was an option to export the notes as a PDF. Without wasting any time I simply added "><h1>LoL</h1> to a note
and exported the same content as a PDF: the PDF rendered the injected HTML.
Okay, so now we have a P4. Let's see if it can be escalated to a P2, or maybe even a P1.
At this point I was not sure whether JavaScript would execute at all. After some googling I found that document.write() can be used to overwrite the existing HTML content:
<img src="x" onerror="document.write('aaaa')" />

Awesome, it executes! Now we need to find out where it is executing, with the help of window.location:
<img src="x" onerror="document.write(window.location)" />
And the PDF came back with the following content:

Getting the location back showed where the HTML was actually being rendered: not in my browser, but by the server-side PDF generator, whose JavaScript runs with that process's access to the filesystem. So I tried to read file:///etc/passwd through an iframe, again via document.write():
<img src="echopwn" onerror="document.write('<iframe src=file:///etc/passwd></iframe>')"/>
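To show what the application got wrong, here is the note-export step written the unsafe way beside a hardened version, as an added example that is not code from the original post or from the program in question. It keeps the four payloads above as the escalation chain, so the same check can be run against both renderings. The function names, the HTML template, the regex check and the use of wkhtmltopdf as the renderer are assumptions; the two wkhtmltopdf switches themselves are real options.

```javascript
// Added example (not from the original post): the note-to-HTML step that made
// this bug possible, first the vulnerable way and then hardened.
// Function names, the template and the renderer choice are assumptions.

// Payloads quoted from the post, in the order the finding escalated.
const PAYLOADS = {
  htmlProbe: '"><h1>LoL</h1>',                                              // P4: HTML injection
  jsProbe:   '<img src="x" onerror="document.write(\'aaaa\')" />',          // JS runs in the renderer
  location:  '<img src="x" onerror="document.write(window.location)" />',  // where it runs
  fileRead:  '<img src="echopwn" onerror="document.write(\'<iframe src=file:///etc/passwd></iframe>\')"/>',
};

// Vulnerable: user-controlled note text is concatenated straight into the HTML
// that the server-side PDF renderer loads. Anything that looks like a tag
// becomes a tag, and an onerror handler runs with the renderer's file access.
function renderNoteUnsafe(title, body) {
  return `<html><body><h2>${title}</h2><div class="note">${body}</div></body></html>`;
}

// Hardened step 1: HTML-encode every user-supplied string before it reaches
// the template, so the note is displayed as text instead of parsed as markup.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')   // must run first, or later entities get re-escaped
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Inverse of escapeHtml, used only to confirm the note round-trips unchanged.
function unescapeHtml(text) {
  return String(text)
    .replace(/&#39;/g, "'")
    .replace(/&quot;/g, '"')
    .replace(/&gt;/g, '>')
    .replace(/&lt;/g, '<')
    .replace(/&amp;/g, '&');  // must run last, mirror of escapeHtml
}

function renderNoteSafe(title, body) {
  return `<html><body><h2>${escapeHtml(title)}</h2><div class="note">${escapeHtml(body)}</div></body></html>`;
}

// Hardened step 2 (defence in depth): even if markup slipped through, the
// renderer should not run scripts or read local files. Both switches exist in
// wkhtmltopdf; that your export uses wkhtmltopdf is an assumption, so map them
// to the equivalent setting for whatever renderer you actually run.
function wkhtmltopdfArgs(inputHtmlPath, outputPdfPath) {
  return [
    'wkhtmltopdf',
    '--disable-javascript',
    '--disable-local-file-access',
    inputHtmlPath,
    outputPdfPath,
  ];
}

// Regression check for the rendered HTML: flags tags that load sub-resources
// or carry an inline event handler inside a real tag (escaped "&lt;img" does
// not match). A coarse heuristic, not a parser; its job is to fail a test the
// day someone removes the escaping step.
const ACTIVE_CONTENT =
  /<\s*(script|iframe|object|embed|img|svg|link|meta|base)\b|<\s*[a-z][^>]*\bon[a-z]+\s*=/i;

function hasActiveContent(html) {
  return ACTIVE_CONTENT.test(html);
}

// Demo: the three script-bearing payloads are live in the unsafe rendering and
// inert in the safe one (the plain <h1> probe is inert markup, so the check
// ignores it by design).
for (const [name, payload] of Object.entries(PAYLOADS)) {
  console.log(
    name.padEnd(10),
    'unsafe:', hasActiveContent(renderNoteUnsafe('t', payload)),
    ' safe:', hasActiveContent(renderNoteSafe('t', payload)),
  );
}
```

Escaping is the actual fix; the renderer switches limit what an injection could do if the escaping is ever bypassed, because the same onerror handler can fetch from the renderer's network position as well as from file://. Treat the regex as a test-time tripwire only, never as a sanitizer.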
The program manager personally appreciated this report and chose to reward me twice the amount for this bug.
If you have any questions related to this post, feel free to comment.
Great work! Keep it up
Great finding jerry
Very informative 👍
Can you please give us the PDF files you used?
Nice article
If there is HTML injection, then what's the need for JavaScript for injecting an iframe?
It is really good! very informative.
Damn ! P4 to P1 like a pro (haha xD)
Private Program on h1 or Bugcrowd ?
Great work!!!!
The next idea that came to my mind was reading local files using iframe, object and so on, but the iframe tag was completely blocked and the HTML wasn't processed in any way, and the tag