Everybody is familiar with what an XSS is so fast-forwarding it a bit, this is a write-up on how I managed to get an XSS in a PDF generator on an Android application that allowed me to read local files on the system.
Background
A little background on the target -
This was a Healthcare related app/pentest which had an android application that they pre-installed in their Android tablets and locked them so filesystem access or any app access was impossible.
It installed a custom launcher that prevented users to change screens or access anything inside, just like the ones you see on a displayed Mobile phone in a mall.
So finding a Local File Read was definitely a critical one because it bypassed the business logic of the application and allowed the attacker to access internal data.
The XSS => LFI
Finding Cross-Site scripting in a mobile or any application is not uncommon. These kinds of issues are widespread but the one I got was inside a PDF-generated output.
The application allowed me to edit any patient's records and get a printout of their details. This also allowed me to save the output as a PDF file.
So I tried to enter a normal HTML payload to see if it gets rendered in the generated PDF output.
<h1>test</h1>test2
And I wasn't surprised to see it getting executed.
The next approach which I had seen in some blogs is to check if reading Local files was possible because all of this was happening locally.
This is the payload that I tried
<script>
x=new XMLHttpRequest;
x.onload=function(){
document.write(this.responseText)
};
x.open("GET","file:///etc/passwd");
x.send();
</script>
But for some reason, it didn't work and kept on loading the same page.
Then I tried another payload using <img>
tags.
<img src="xasdasdasd" onerror="document.write('<iframe src=file:///etc/passwd></iframe>')"/>
which did not work as well and the app crashed. Maybe it was because of onerror
or img
.
So instead of using all the complex payloads, I tried a simple one, i.e.,
<script>document.write('<iframe src=file:///etc/passwd></iframe>');</scrip>
and got an awesome file read in the generated PDF file shown below.
This bypassed the launcher which was prohibiting users to access the system and allowed them to read internal files.
References: