Sometimes PDF generators even allow the execution of JavaScript code. If it is possible to fetch server-side files and execute JavaScript code, we can steal files using JavaScript.

Do the exercise below and try to read the file 

 from the server through the PDF generator. The file contains a flag. The task is solved in the material below the lab, but try it on your own first.

PDF injection - JavaScript

We start by searching for a vulnerability. The website is relatively simple in its functionality, so we can input data into four different fields, after which we can generate a PDF file from this "profile" that includes the value of each field. After a few attempts, it becomes clear that only the 

 field is not cleaned before generation. The rest of the fields are filtered so that they form HTML-encoded data. The name field, on the other hand, does not allow any HTML code at all.

Next, we will exploit a vulnerability and steal the 

 file. This file can be found on every Linux system, so it is an excellent Proof-of-Concept (PoC) file to demonstrate the ability to read internal server files.

 element used in the previous task, the PDF file will only contain an empty window.

This depends somewhat on the PDF generator and the situation. Sometimes iframe works, sometimes it doesn't. In cases where it doesn't work, it is advisable to be prepared to use other methods such as JavaScript code. Let's try the following code.

The above JavaScript code uses an older way to execute HTTP requests with JavaScript code. The newer 

Success! - We have now successfully leaked the /

 file from the server. Next, try to come up with other ways yourself how the file could be leaked from the server, now that the 

Sometimes PDF generators even allow the execution of JavaScript code. If it is possible to fetch server-side files and execute JavaScript code, we can steal files using JavaScript.

Do the exercise below and try to read the file */etc/passwd* from the server through the PDF generator. The file contains a flag. The task is solved in the material below the lab, but try it on your own first.

@exercise b2ce7b9e77ed

## Vulnerability Assessment

We start by searching for a vulnerability. The website is relatively simple in its functionality, so we can input data into four different fields, after which we can generate a PDF file from this "profile" that includes the value of each field. After a few attempts, it becomes clear that only the **comment** field is not cleaned before generation. The rest of the fields are filtered so that they form HTML-encoded data. The name field, on the other hand, does not allow any HTML code at all.

![](sanity:image-0305ed064ed8bee6796a491252084b46cb434031-440x187-png)

---

## Exploiting Vulnerability

Next, we will exploit a vulnerability and steal the */etc/passwd* file. This file can be found on every Linux system, so it is an excellent Proof-of-Concept (PoC) file to demonstrate the ability to read internal server files.

If we try to use the **iframe** element used in the previous task, the PDF file will only contain an empty window.

![](sanity:image-8c4f794a2c86724cccec4e5a71d283224e396017-534x357-png)

![](sanity:image-523ae8a0fce3715416851c318020b1edda3dcfa8-613x231-png)

This depends somewhat on the PDF generator and the situation. Sometimes iframe works, sometimes it doesn't. In cases where it doesn't work, it is advisable to be prepared to use other methods such as JavaScript code. Let's try the following code.

```javascript
<script>
x=new XMLHttpRequest;
x.onload=function(){ document.write(this.responseText) };
x.open("GET","file:///etc/passwd");
x.send();
</script>
```

The above JavaScript code uses an older way to execute HTTP requests with JavaScript code. The newer *fetch* function does not support the *file:///* scheme. The code retrieves the file */etc/passwd* and writes it to the document.

![](sanity:image-c38cceb482606dbb0b502981c630b7a4cc8bc96e-1190x291-png)

Success! - We have now successfully leaked the /*etc/passwd* file from the server. Next, try to come up with other ways yourself how the file could be leaked from the server, now that the **iframe** element is not working.


PDF export injection - using JavaScript

PDF file generators are common and for good reason. However, dangerous vulnerabilities have been found in these in recent years.

In this course, we will explore various PDF file generators and the dangerous vulnerabilities hidden within them, as well as how to avoid them.

PDF export injection - using JavaScript

Vulnerability Assessment

Learn to hack — start here