Local File Read via XSS in Dynamically Generated PDF

Hello Hunters,
This time I am writing about a vulnerability found in another private program (xyz.com) on Bugcrowd, which at first I thought wasn't very harmful (P4) but later escalated to a P1.

While browsing the application, I came across an endpoint which allowed us to download some kind of payment statements as PDF.

The URL looked like this:

https://xyz.com/payments/downloadStatements?Id=b9bc3d&utrnumber=xyz&date=2017-08-11&settlement_type=all&advice_id=undefined

I saw that the value of utrnumber is reflected inside the PDF file that got downloaded, so I wrote some HTML in the utrnumber parameter as "><S>aaa

https://xyz.com/payments/downloadStatements?Id=b9bc3d&utrnumber="><S>aaa &date=2017-08-11&settlement_type=all&advice_id=undefined

Upon opening this PDF, I found that the HTML was rendered and could be seen in the PDF.


I tried if I could use an iframe and load internal domains in the frame or if I cou…

Latest posts

Story of a Parameter Specific XSS!