Local file read via XSS using PDF generate functionality

Hello InfoSec elites,

I’m going to share a story about how I escalated a low severity bug into a critical one.

I was taking a look at different functionalities of one of the programs, and it had a Collab feature where we can make notes and share them with others. There was an option to export the notes as PDF. Here, without wasting my time, I simply added "><h1>LoL</h1> and exported the same content as PDF, and it was executing HTML.

Okay, so now we have one P4. Let’s see if I can escalate this to P2 or P1 maybe?

Here, I was not sure if I could execute JavaScript. After googling, I found that document.write() can be used to override existing HTML content.

<img src="x" onerror="document.write('aaaa')" />

Awesome! Now we need to find out where it is executing, with the help of “window.location”:

<img src="x" onerror="document.write(window.location)" />
And it returned the following content in the PDF:

Since I was able to get the location, I tried to access file:///etc/passwd with the help of document.write() function.
<img src="echopwn" onerror="document.write('<iframe src=file:///etc/passwd></iframe>')"/>

The program manager personally appreciated this report and chose to reward me twice the amount for this bug.

If you have any questions related to this post, feel free to comment.
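
A defensive counterpart to the steps above, as an added example that is not part of the original post or the affected program's code. It assumes notes are plain text and that the export builds an HTML page for the renderer; the function names, the allow-listed host and the renderer's request hook are hypothetical.

```javascript
// Added example: hardening sketch for an HTML-to-PDF export. All names are hypothetical.

// Escape the five HTML metacharacters so note text renders as text, not markup.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": note content concatenated straight into the page handed to the renderer.
function buildExportHtmlUnsafe(note) {
  return `<html><body><div class="note">${note}</div></body></html>`;
}

// "After": same template, note content escaped first.
function buildExportHtml(note) {
  return `<html><body><div class="note">${escapeHtml(note)}</div></body></html>`;
}

// Second layer: policy for the renderer's resource-request hook (assumed to exist
// in whatever engine is used). Only http(s) to allow-listed hosts may load.
const ALLOWED_HOSTS = new Set(['assets.example.test']); // constructed value
function isResourceAllowed(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return false; // unparsable or relative URLs are denied
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return false; // denies file:, data:, ...
  return ALLOWED_HOSTS.has(url.hostname);
}

// Inputs taken from the post above.
const samples = [
  '"><h1>LoL</h1>',
  '<img src="x" onerror="document.write(window.location)" />',
  `<img src="echopwn" onerror="document.write('<iframe src=file:///etc/passwd></iframe>')"/>`,
];
for (const s of samples) {
  console.log(buildExportHtml(s)); // markup arrives as inert text
}
console.log(isResourceAllowed('file:///etc/passwd'));
```

The escaping closes the injection itself; the request policy is a second layer so that a local file URL is never fetched even if markup reaches the renderer some other way.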

10 Replies to “Local file read via XSS using PDF generate functionality”

  1. Shubham saxena says:

    Great work! Keep it up

  2. Great finding jerry

  3. Very informative 👍

  4. Can you please give us the PDF files you used?

  5. Nice article

  6. If there is html injection then what’s the need for javascript for injections iframe??..

  7. It is really good! very informative.

  8. Damn ! P4 to P1 like a pro (haha xD)
    Private Program on h1 or Bugcrowd ?

  9. Next idea that came to my mind was reading local files using iframe, object and so on, but tag iframe was completely blocked and HTML wasn’t processed in any way, and tag
