Stored XSS in PDF Viewer

Hi Everyone, I hope you all are doing well.

During a Recent Web App Penetest, I came across a File Upload functionality that only accepts PDF and Image files and allows the preview of the PDF file in a PDF viewer.

They were using the PDF.js express viewer which wraps around the open-source PDF.js rendering engine. The PDF.js component is susceptible to CVE-2024–4367, a security vulnerability that allows arbitrary JavaScript execution in the PDF.js context. Given that PDF.js is embedded within the application, this vulnerability can be exploited to perform stored Cross-Site Scripting (XSS) attacks on the domain hosting the PDF viewer.

Usually, an XSS attack in a PDF file only occurs inside the PDF viewer, which restricts it from accessing the DOM. As a result, you can’t do much other than alerting or, at best, prompting the user to enter their credentials, which could be sent to your server. However, this depends on the PDF viewer the application is using.

But in this case, the XSS is executed in the context of the domain, so we can interact with DOM, access local storage, cookies, etc.

Interestingly, with this approach, I also successfully bypassed the CSP on the website, which doesn’t allow any type of script execution without a valid nonce.

Exploit

Download and run the exploit from this GitHub repo: https://raw.githubusercontent.com/LOURC0D3/CVE-2024-4367-PoC/main/CVE-2024-4367.py

python CVE-2024-4367.py "alert(top.document.domain)"

Upload the Generated PDF file on the web application, View the PDF file if the application is using the vulnerable PDF.JS library you will see an alert with the domain name.

We have used top.document.domain in the payload because the PDF viewer is embedded in an iframe in the webpage. By using top, we are accessing the main/top-level window.

Accessing the JWT in the DOM.

Thank you for Reading.