


PDF documents and PDF generators are ubiquitous on the web, and so are injection vulnerabilities. Did you know that controlling a measly HTTP hyperlink can provide a foothold into the inner workings of a PDF? In this paper, you will learn how to use a single link to compromise the contents of a PDF and exfiltrate it to a remote server, just like a blind XSS attack. I'll show how you can inject PDF code to escape objects, hijack links, and even execute arbitrary JavaScript - basically XSS within the bounds of a PDF document. I evaluate several popular PDF libraries for injection attacks, as well as the most common readers: Acrobat and Chrome's PDFium. You'll learn how to create the "alert(1)" of PDF injection and how to improve it to inject JavaScript that can steal the contents of a PDF on both readers.

I'll share how I was able to use a custom JavaScript enumerator on the various PDF objects to discover functions that make external requests, enabling me to exfiltrate data from the PDF. Even PDFs loaded from the filesystem in Acrobat, which have more rigorous protection, can still be made to make external requests. I've successfully crafted an injection that can perform an SSRF attack on a PDF rendered server-side. I've also managed to read the contents of files from the same domain, even when the Acrobat user agent is blocked by a WAF. Finally, I'll show you how to steal the contents of a PDF without user interaction, and wrap up with a hybrid PDF that works on both PDFium and Acrobat.
