# Leveraging XSS to Read Internal Files

Everyone knows what an XSS is, so skipping the introduction: this is a write-up of how an XSS in the PDF generator of an Android application let me read local files on the device.

## Background

A little background on the target: this was a pentest of a healthcare application. The client shipped an Android app pre-installed on Android tablets that were locked down so that neither the filesystem nor any other app could be reached.

It installed a custom launcher that prevented users from changing screens or accessing anything else on the device, much like the demo phones on display in a store.

So a local file read was definitely a critical finding: it bypassed the kiosk lockdown the business relied on and gave an attacker access to internal data on the device.

* * *

## The XSS => LFI

Finding cross-site scripting in a mobile or web application is not uncommon; these issues are widespread. The one I found, though, was in the PDF output generated by the app.

The application let me edit any patient's record and print out their details, and the printout could also be saved as a PDF file.

So I entered a plain HTML payload to see whether it would be rendered in the generated PDF:

> `<h1>test</h1>test2`

And I wasn't surprised to see it rendered as HTML rather than as literal text.

The next step, which I had seen in a few blog posts (see the references at the end), was to check whether local files could be read, since the whole rendering pipeline was running locally on the device.  
This is the payload I tried:

    <script>
        // Fetch a local file with XMLHttpRequest and write its contents
        // into the page, so the text ends up in the rendered PDF.
        x = new XMLHttpRequest;
        x.onload = function () {
            document.write(this.responseText);
        };
        x.open("GET", "file:///etc/passwd");
        x.send();
    </script>

But for some reason it didn't work: the app just sat on its loading screen. A likely explanation is that the renderer refused the `XMLHttpRequest` to a `file://` URL, as Android's WebView does by default, so `onload` never fired and nothing was written.

Then I tried another payload, this time using an `<img>` tag with an `onerror` handler:

    <img src="xasdasdasd" onerror="document.write('<iframe src=file:///etc/passwd></iframe>')"/>

That did not work either, and the app crashed, perhaps because of the `onerror` handler or the `<img>` element itself.

So instead of the more complex payloads, I tried the simplest one:

![xss](https://imgur.com/TwkRoyL.png)

    <script>document.write('<iframe src=file:///etc/passwd></iframe>');</script>

and got a clean file read in the generated PDF, shown below. Loading a `file://` URL in a frame is a navigation rather than a cross-origin script request, which is presumably why the renderer fetched it here after refusing the `XMLHttpRequest`.

![lfi](https://imgur.com/D2UvZWN.png)

This bypassed the launcher that stopped users from accessing the system and let them read internal files. In principle, anything readable by the app's own UID, including its private data directory, can be pulled the same way.
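As an added example (not code from the original write-up or from the tested application), here is the template pattern behind this class of bug next to its fix, in JavaScript: a record-to-HTML template that drops patient fields in verbatim, the same template with HTML escaping at every interpolation point, and a crude renderer-side tripwire for active content. The `renderRecord*` and `containsActiveContent` names and the sample record values are assumptions made up for the illustration; the payloads are the three from the post.

```javascript
// Added example, not from the original write-up: the template pattern behind a
// PDF-generator XSS next to its fix. Function names and record values are
// assumptions made up for this illustration.

// Vulnerable: untrusted record fields are interpolated into the HTML verbatim,
// so a <script> in a field runs when the renderer loads the page.
function renderRecordUnsafe(record) {
  return `<html><body>
<h1>Patient record</h1>
<p>Name: ${record.name}</p>
<p>Notes: ${record.notes}</p>
</body></html>`;
}

// Escape the five characters that let a value break out of an HTML text node
// or a quoted attribute. The result is safe only in those two contexts, not
// inside <script>, a URL, or a style block.
function escapeHtml(value) {
  const table = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => table[c]);
}

// Hardened: every untrusted field is escaped at the point of interpolation.
function renderRecordSafe(record) {
  return `<html><body>
<h1>Patient record</h1>
<p>Name: ${escapeHtml(record.name)}</p>
<p>Notes: ${escapeHtml(record.notes)}</p>
</body></html>`;
}

// Defence in depth on the renderer side: refuse to print a document that still
// contains a scripting/embedding tag, an on* event handler inside a tag, or a
// file: URL in a tag attribute. A regex over serialised HTML is deliberately
// crude (encoding tricks can evade it); it is a tripwire, not the fix.
function containsActiveContent(html) {
  return (
    /<\s*(script|iframe|object|embed)\b/i.test(html) ||
    /<[^>]*\bon\w+\s*=/i.test(html) ||
    /<[^>]*\b(src|href|data)\s*=\s*["']?\s*file:/i.test(html)
  );
}

// The three payloads from the write-up, used as the attacker-controlled
// "notes" field of a constructed sample record.
const PAYLOADS = [
  "<h1>test</h1>test2",
  "<script>document.write('<iframe src=file:///etc/passwd></iframe>');</script>",
  "<img src=\"xasdasdasd\" onerror=\"document.write('<iframe src=file:///etc/passwd></iframe>')\"/>",
];

// For each payload: does the vulnerable template emit it verbatim, does the
// hardened one, and does the tripwire fire on each rendering?
function compareTemplates() {
  return PAYLOADS.map((payload) => {
    const record = { name: "Jane Doe", notes: payload };
    const unsafe = renderRecordUnsafe(record);
    const safe = renderRecordSafe(record);
    return {
      payload,
      rawInUnsafe: unsafe.includes(payload),
      rawInSafe: safe.includes(payload),
      unsafeFlagged: containsActiveContent(unsafe),
      safeFlagged: containsActiveContent(safe),
    };
  });
}

console.table(compareTemplates().map(({ payload, ...rest }) => rest));
```

Escaping at the interpolation point is the actual fix; the tripwire only catches the obvious cases and will not see a payload that sneaks a `<` past it through an encoding the renderer later decodes. If the generator is WebView-based, the renderer itself should also be locked down for a print job, since patient records never need scripting or file access: `WebSettings.setJavaScriptEnabled(false)`, `setAllowFileAccess(false)`, `setAllowFileAccessFromFileURLs(false)` and `setAllowUniversalAccessFromFileURLs(false)` would have stopped both the `<iframe src=file://...>` and the `XMLHttpRequest` variant even with the template bug still present.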

* * *

> _References:_
>
> - [https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf](https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf)
> - [https://www.noob.ninja/2017/11/local-file-read-via-xss-in-dynamically.html](https://www.noob.ninja/2017/11/local-file-read-via-xss-in-dynamically.html)


