From Duplicate to Valuable: How a Stored XSS via PDF Upload Taught Me Critical Bug Bounty Lessons + Video


Introduction

Stored Cross-Site Scripting (XSS) remains one of the most prevalent and dangerous web application vulnerabilities, especially when it sneaks through file upload mechanisms. The recent disclosure of a stored XSS discovered in a chatbot’s PDF upload feature highlights how easily user‑controlled input can lead to script execution if not properly sanitized. This article dissects that real‑world scenario, providing a hands‑on guide to identifying, validating, and reporting such flaws—while turning a duplicate submission into a powerful learning experience.

Learning Objectives

  • Understand how stored XSS can be introduced via malicious PDF file uploads.
  • Learn step‑by‑step testing techniques, including crafting payloads and using essential tools.
  • Master the art of writing structured vulnerability reports and validating business impact.

You Should Know

  1. The Anatomy of Stored XSS via PDF Upload
    Modern web applications often allow users to upload files—PDFs, images, documents—which are then stored and displayed to other users. If the application does not properly validate or sanitize the content, an attacker can embed malicious scripts that execute when the file is viewed. In the case of a chatbot, an uploaded PDF might be rendered inline or made available for download, and any embedded JavaScript could run in the context of the victim’s browser.

How to test for PDF‑based XSS

  • Craft a malicious PDF using metadata fields. Many applications read and display file metadata (author, title, etc.) without proper escaping.
  • On Linux, use `exiftool` to inject a payload into metadata:
    exiftool -Author='<script>alert("XSS")</script>' test.pdf

  • On Windows, you can use a tool like ExifTool GUI or PowerShell with `Set-Content` to modify metadata if you have a PDF library, but the simplest is to generate a PDF carrying the payload using online generators or a Python PDF library such as `pdfkit` or `reportlab` (the snippet below uses `reportlab`):
    from reportlab.pdfgen import canvas

    # Draw the payload as ordinary page text and write the file to disk.
    c = canvas.Canvas("xss.pdf")
    c.drawString(100, 750, "<script>alert('XSS')</script>")  # payload embedded as page text
    c.save()

    Note: Many PDF viewers will not execute JavaScript in plain text, so more advanced embedding may be needed.

  • Test upload functionality by intercepting the request with Burp Suite. Modify the filename or content‑type headers, and observe whether the file is stored and later rendered in the browser.

  • Check how the PDF is embedded in the page (rendered inline or offered as a download), since that determines the context in which any script would run.
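As an added example from the defender's side (not code from the article or its author), the following Python parses the uncompressed Info dictionary of an uploaded PDF, HTML-escapes the display fields before a page interpolates them, and flags uploads whose metadata carries markup or whose body contains keys tied to active content. The sample PDF bytes, the list of displayed fields and the list of active-content keys are constructed for illustration.

```python
import html
import re

# Info-dictionary keys that applications commonly show to other users (assumed list).
DISPLAYED_FIELDS = re.compile(rb"/(Author|Title|Subject|Keywords|Creator|Producer)\s*\(")
# Name objects tied to active content; a plain substring check is a triage heuristic, not a parser.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")

def read_literal_string(data: bytes, start: int) -> bytes:
    """Parse the PDF literal string whose '(' is at data[start]: balanced nested parentheses,
    backslash escapes reduced to the escaped byte (octal escapes are not decoded)."""
    depth, i = 0, start
    while i < len(data):
        c = data[i]
        if c == 0x5C:          # backslash: skip the escaped byte
            i += 2
            continue
        if c == 0x28:          # '('
            depth += 1
        elif c == 0x29:        # ')'
            depth -= 1
            if depth == 0:
                return re.sub(rb"\\(.)", rb"\1", data[start + 1:i], flags=re.DOTALL)
        i += 1
    raise ValueError("unterminated literal string")

def extract_metadata(pdf_bytes: bytes) -> dict:
    """Raw, unescaped display fields from an uncompressed Info dictionary."""
    return {m.group(1).decode(): read_literal_string(pdf_bytes, m.end() - 1).decode("latin-1")
            for m in DISPLAYED_FIELDS.finditer(pdf_bytes)}

def metadata_for_display(pdf_bytes: bytes) -> dict:
    """The same fields HTML-escaped: the only form a page should interpolate into markup."""
    return {k: html.escape(v, quote=True) for k, v in extract_metadata(pdf_bytes).items()}

def scan_upload(pdf_bytes: bytes) -> list:
    """Upload-time checks: markup in display fields and keys tied to active content."""
    findings = [f"markup in /{k}" for k, v in extract_metadata(pdf_bytes).items()
                if re.search(r"[<>]|javascript:", v, re.IGNORECASE)]
    findings += [f"active-content key {k.decode()}" for k in ACTIVE_KEYS if k in pdf_bytes]
    return findings

# Constructed sample: a minimal PDF whose Author field carries the article's payload and whose
# catalog declares an /OpenAction (object 4 is intentionally absent; only the bytes matter here).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /OpenAction 4 0 R >> endobj
3 0 obj << /Author (<script>alert("XSS")</script>) /Title (Q3 report \\(draft\\)) >> endobj
trailer << /Root 1 0 R /Info 3 0 R >>
%%EOF
"""
```

Real-world PDFs often store the Info dictionary in a compressed object stream, so a production check should use a full PDF parser; the escaping step is the part that removes the injection regardless of how the field was written.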

Reported By: T Jaswanth – Hackers Feeds