Because it’s very interesting, I’d like to show you how you can do an XSS attack on most web applications out there. The example I’ll present to you now is about the PDF plugin, and it should make you think about other browser plugins such as Flash Player and so on.
The PDF plugin has many different features that you can use via the URL, which they call “Open Parameters”.
Here you can see a few examples:
- The “page” parameter directly accesses a specific page in the PDF -> Example
- The “zoom” parameter defines the zoom factor of the PDF -> Example
- The “search” parameter searches for a specific word or word list -> Example
So now let’s get to the interesting stuff. Because of these nice features, it’s possible to execute your own script if you use your own parameter. It’s enough to access a PDF with the following URL:
Now have fun with it, I already had mine.
Credit goes to Stefano Di Paola and Giorgio Fedon.
Sorry that I forgot to copy and paste this part of the blog entry in here earlier.
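A defensive counterpart to the Open Parameters behaviour described above, as an added example that is not part of the original post: a filter for links a web application renders, which keeps only the three open parameters named above (page, zoom, search) and drops every other fragment parameter on a PDF link. The function names, the value patterns and the example.org base are assumptions made for this example.

```javascript
// Added example: allow-list filter for PDF Open Parameters in link fragments.
// Only the three parameters named in the post are accepted. The value
// patterns below are assumptions chosen for this example.
const ALLOWED = new Map([
  ["page", /^\d{1,5}$/],                       // page number
  ["zoom", /^\d{1,4}(\.\d+)?(,\d+,\d+)?$/],    // scale, optional left,top
  ["search", /^"?[\p{L}\p{N} ]{1,100}"?$/u],   // word or word list
]);

// Assumption: PDF links are recognised by a ".pdf" path suffix only.
function isPdfUrl(url) {
  return url.pathname.toLowerCase().endsWith(".pdf");
}

// Returns the link with every fragment parameter removed that is not a
// known, well-formed open parameter. Links that are not http(s) or do not
// parse yield null; non-PDF links are returned unchanged.
function sanitizePdfLink(href, base = "https://example.org/") {
  let url;
  try { url = new URL(href, base); } catch { return null; }
  if (!["http:", "https:"].includes(url.protocol)) return null;
  if (!isPdfUrl(url) || url.hash.length <= 1) return url.href;

  const kept = [];
  for (const part of url.hash.slice(1).split("&")) {
    const eq = part.indexOf("=");
    if (eq < 1) continue;                      // no name or no "="
    const name = part.slice(0, eq).toLowerCase();
    let value;
    try { value = decodeURIComponent(part.slice(eq + 1)); } catch { continue; }
    const pattern = ALLOWED.get(name);
    // Validate the decoded value, then re-encode it ourselves.
    if (pattern && pattern.test(value)) kept.push(`${name}=${encodeURI(value)}`);
  }
  url.hash = kept.join("&");                   // empty string removes the "#"
  return url.href;
}

// Constructed sample link: "foo" is not an open parameter and is dropped.
console.log(sanitizePdfLink("https://example.org/docs/report.pdf#page=3&zoom=150&foo=bar"));
```

The fragment is never sent to the server, so this filtering has to happen where the link is generated or rendered, not in request logs or a server-side request filter.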