New Injection Technique Exposes Data in PDFs

2020-12-10 17:13

Security researchers on Thursday documented and described a new injection technique capable of extracting sensitive data from PDF files.

The new code-injection technique essentially allows hackers to inject code to launch dangerous XSS attacks within the bounds of a PDF document.

Heyes, a researcher at web application security testing firm PortSwigger, warned that malicious hackers are capable of injecting PDF code to "Escape objects, hijack links, and even execute arbitrary JavaScript" inside PDF files.

Heyes tested the technique on several popular PDF libraries and confirmed two popular libraries were vulnerable to the exploitation technique - PDF-Lib and jsPDF. "You'll learn how to create the"alert(1)" of PDF injection and how to improve it to inject JavaScrip.

Heyes found that he could exfiltrate the contents from PDFs to a remote server using a rigged URL. "Even PDFs loaded from the filesystem in Acrobat, which have more rigorous protection, can still be made to make external requests," he warned, demonstrating how he successfully crafted an injection that can perform an SSRF attack on a PDF rendered server-side.

News URL

http://feedproxy.google.com/~r/Securityweek/~3/jdaw3cRqkL8/new-injection-technique-exposes-data-pdfs

#PDF