Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Portable Data ExFiltration: XSS for PDFs - 339

Gareth Heyes - Posted 5 Years Ago
  • PDFs have their own hidden language in them. What if we could escape the content being added to the PDF and exfiltrate data? This is what the paper is about.
  • PDFs are commonly used for generating reports. The idea is to inject our own code into the page that will allow us to exfiltrate sensitive data.
  • The main issue was that PDF-generating libraries were not escaping parentheses when generating links. This allowed input to break out of the link's string and create a PDF payload.
  • Overall, the technique is pretty awesome and should be something to look for in the future. The bulk of the understanding is above. Gareth goes into the actual nitty-gritty of creating valid PDF code, but that can be googled when the time comes :)
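
The parenthesis problem from the third bullet, as an added example (not code from the paper or from any PDF library): a link's `/URI` value is a PDF literal string delimited by `( ... )`, so a generator has to escape backslashes and parentheses in user input. The function names and sample URLs are constructed for illustration, and the small parser stands in for a PDF reader so the check can confirm the input stays inside the string.

```python
# Added example: escaping user input placed in a PDF link annotation's /URI string.
# All names here are hypothetical; the parser ignores octal escapes (never emitted below).
_ESCAPES = {"\\": "\\\\", "(": "\\(", ")": "\\)", "\r": "\\r", "\n": "\\n"}

def escape_pdf_literal(text: str) -> str:
    """Escape the characters that are special inside a PDF literal string ( ... )."""
    return "".join(_ESCAPES.get(ch, ch) for ch in text)

def link_action(url: str, escape: bool) -> str:
    """Build the action dictionary of a link annotation, with or without escaping."""
    value = escape_pdf_literal(url) if escape else url
    return f"<< /S /URI /URI ({value}) >>"

def read_literal(obj: str, start: int):
    """Parse the literal string opening at obj[start]; return (decoded, index after it)."""
    depth, i, out = 1, start + 1, []
    simple = {"n": "\n", "r": "\r", "t": "\t", "b": "\b", "f": "\f"}
    while i < len(obj):
        ch = obj[i]
        if ch == "\\" and i + 1 < len(obj):
            nxt = obj[i + 1]
            out.append(simple.get(nxt, nxt))   # escaped char is data, never a delimiter
            i += 2
            continue
        if ch == "(":
            depth += 1                         # balanced parentheses may nest unescaped
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return "".join(out), i + 1
        out.append(ch)
        i += 1
    raise ValueError("unterminated literal string")

def uri_is_contained(url: str, escape: bool) -> bool:
    """True when a reader sees the whole input as the /URI string and nothing after it."""
    obj = link_action(url, escape)
    try:
        decoded, end = read_literal(obj, obj.index("("))
    except ValueError:
        return False
    return decoded == url and obj[end:] == " >>"

if __name__ == "__main__":
    # Constructed inputs: balanced, unbalanced, and trailing-backslash cases.
    for sample in ("https://example.com/wiki/PDF_(format)",
                   "https://example.com/a) /X (b", "https://example.com/x\\"):
        print(repr(sample), uri_is_contained(sample, False), uri_is_contained(sample, True))
```

A URL with balanced parentheses passes even without escaping, which is why this class of bug survives ordinary testing; only unbalanced parentheses or a trailing backslash expose it.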