Stored XSS via Malicious PDF Upload

Discovered a Stored XSS vulnerability by uploading a malicious PDF containing JavaScript:

%PDF-1.7
1 0 obj
<>
2 0 obj
<>
trailer
<>

Report was marked as Duplicate, but still a great learning experience!

You Should Know:

How to Test for Stored XSS via PDF Upload

1. Craft a Malicious PDF

  • Use a PDF editor or manually create a PDF with embedded JavaScript.
  • Example code snippet:
    %PDF-1.7
    1 0 obj
    <>
    2 0 obj
    <>
    trailer
    <>
    
2. Upload the PDF to the Target Web Application

  • Look for file upload functionalities in web apps (e.g., profile picture upload, document submission).

3. Verify Stored XSS

  • After uploading, access the file via direct URL or preview.
  • If the JavaScript executes (e.g., an alert pops up), it confirms Stored XSS.

4. Automate Testing with Tools

  • Use Burp Suite to intercept and modify PDF uploads.
  • Metasploit can generate malicious PDFs:
    msfvenom -p generic/custom PAYLOAD_FILE=malicious.pdf -f raw > xss_pdf.pdf
    

5. Mitigation Techniques

  • Server-Side PDF Sanitization: Use tools like `peepdf` to analyze PDFs.
    python peepdf.py -f malicious.pdf

  • Content Security Policy (CSP): Restrict script execution in browsers.
  • Disable JavaScript in PDF Readers:
    sudo apt-get install qpdf    # Linux PDF analysis
    qpdf --check malicious.pdf

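The keyword tools listed above (`peepdf`, `pdfid`, `pdf-parser`) all work by spotting the name tokens that mark active content in a PDF. As an added, defender-side example that is not from the original post and not the code of any of those tools, the following Python upload filter does the same scan on the server and also handles the case a naive grep misses: the PDF syntax allows any byte in a name to be written as a `#xx` hex escape, so `/J#61vaScript` is the same name as `/JavaScript`. The two sample PDFs are constructed inline (the suspect one carries only the key names, not a working payload), and `upload_response_headers` is a hypothetical helper showing how to serve user uploads so a file that slipped through still cannot script against the application's origin.

```python
import re
from typing import Dict, List, Tuple

# Name tokens that indicate active content. This is the same family of keys
# pdfid reports on; the policy below rejects an upload if any of them appear.
ACTIVE_CONTENT_KEYS = (
    "/JavaScript", "/JS", "/OpenAction", "/AA",
    "/Launch", "/RichMedia", "/EmbeddedFile",
)

# A #xx escape inside a name token, e.g. /J#61vaScript == /JavaScript.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

# In PDF syntax a name ends at whitespace or a delimiter character.
_NAME_END = rb"(?=[\s()<>\[\]{}/%]|\Z)"


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx escapes so obfuscated names match the plain keyword.

    The substitution is applied to the whole byte string, not only inside
    name tokens. For a reject/allow scanner that over-approximation is
    acceptable: it can only add matches, never hide one.
    """
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_active_content(data: bytes) -> Dict[str, int]:
    """Count each active-content key, whole-token only (/JS must not match /JSX)."""
    text = normalize_names(data)
    counts: Dict[str, int] = {}
    for key in ACTIVE_CONTENT_KEYS:
        pattern = re.escape(key.encode()) + _NAME_END
        counts[key] = len(re.findall(pattern, text))
    return counts


def is_upload_allowed(data: bytes) -> Tuple[bool, List[str]]:
    """Upload policy: must look like a PDF and carry no active content.

    Returns (allowed, reasons). Reasons are empty when the file is allowed.
    """
    if not data.startswith(b"%PDF-"):
        return False, ["missing %PDF header"]
    counts = count_active_content(data)
    reasons = [f"{key} x{n}" for key, n in counts.items() if n]
    return (not reasons), reasons


def upload_response_headers(filename: str) -> Dict[str, str]:
    """Hypothetical helper: headers for serving a stored user upload.

    'attachment' stops inline rendering in the browser's PDF viewer, nosniff
    stops MIME guessing, and the CSP sandbox directive denies scripts and
    same-origin access even if the document is rendered anyway.
    """
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "download.pdf"
    return {
        "Content-Type": "application/pdf",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


# Constructed sample files (not real uploads).
BENIGN_PDF = (
    b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)
SUSPECT_PDF = (
    b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /S /J#61vaScript /JS (sample) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_PDF), ("suspect", SUSPECT_PDF)):
        allowed, why = is_upload_allowed(blob)
        print(f"{label}: allowed={allowed} reasons={why}")
```

Two limits worth knowing before relying on this alone: names inside compressed object streams (`/ObjStm`) or in an encrypted PDF are not visible to a byte scan, which is why the page's `pdf-parser.py` step (it inflates streams) still belongs in the pipeline; and `qpdf --check` validates file structure rather than removing scripts, so it complements this filter instead of replacing it.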

What Undercode Say

Stored XSS via PDF upload is a critical vulnerability that can lead to session hijacking, phishing, and malware distribution. Always sanitize file uploads, disable unnecessary JavaScript execution in PDFs, and implement strict CSP headers. For penetration testers, automating malicious PDF generation and testing upload functionalities is essential.

Linux Commands for PDF Analysis:

exiftool malicious.pdf         # Extract PDF metadata
pdfid.py malicious.pdf         # Analyze PDF structure with PDFID
pdf-parser.py malicious.pdf    # Deep inspection with Didier Stevens' tool

Windows Command for PDF Security Check:

Get-ChildItem -Path *.pdf | Select-String -Pattern "JavaScript"    # Find JS in PDFs

Expected Output:

A working PoC PDF that triggers an XSS payload when opened in a vulnerable PDF reader.

Reported By: Valid Nasirli – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅