Stored XSS using PDF a bug?
This article describes how the author found stored XSS vulnerabilities on various company platforms by uploading malicious PDFs, which led to Hall of Fame (HOF) recognitions for the author. The vulnerabilities allow JavaScript embedded in the uploaded PDF documents to execute. The author highlights the risk of improperly handling uploaded files and emphasizes the importance of using sandbox environments.

Affected: Whatfix, Lenovo

Key points:

  • The author discovered stored XSS by uploading a malicious PDF.
  • Two instances of HOF were awarded for the vulnerabilities reported.
  • The uploaded PDFs triggered XSS payloads but could not execute certain JavaScript commands like document.cookie.
  • Whatfix and Lenovo are the companies involved in the reported bugs.
  • It is important to use sandbox domains for uploaded files to mitigate risk to the main site.
  • The author faced challenges in explaining the impact of the vulnerabilities to the Bugcrowd team.
  • It was confirmed that the XSS could execute on the company’s side after testing.
  • The article suggests that beginners can gain their first HOF by discovering similar vulnerabilities.
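As an added example (not code from the article or from the affected companies), the sketch below shows one way a defender could act on the sandbox-domain point: flag script and auto-run names in an uploaded PDF, including `#xx`-escaped spellings, and refuse to serve uploads from the main site's host. The function names, the host names and the sample bytes are assumptions constructed for illustration.

```python
import re

# PDF name tokens that introduce script or automatic actions.
ACTIVE_NAMES = {"JS", "JavaScript", "OpenAction", "AA", "Launch"}

# A PDF name is "/" followed by characters that are not whitespace or delimiters.
_NAME = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")


def pdf_active_names(data: bytes) -> set[str]:
    """Return active-content names present in the raw PDF bytes.

    #xx escapes are decoded first, so /J#61vaScript is reported as JavaScript.
    Names inside compressed object streams are not visible to this scan.
    """
    found = set()
    for match in _NAME.finditer(data):
        name = _HEX.sub(lambda h: bytes([int(h.group(1), 16)]), match.group(1))
        text = name.decode("latin-1")
        if text in ACTIVE_NAMES:
            found.add(text)
    return found


def upload_headers(data: bytes, serving_host: str, app_host: str) -> dict[str, str]:
    """Build response headers for an uploaded PDF served from a sandbox host."""
    s, a = serving_host.lower(), app_host.lower()
    # Assumption of this example: the sandbox must not be the app host or a subdomain of it.
    if s == a or s.endswith("." + a):
        raise ValueError("uploads must not be served from the main site's host")
    active = pdf_active_names(data)
    return {
        "Content-Type": "application/pdf",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",
        # Force a download instead of in-browser rendering when active content is present.
        "Content-Disposition": "attachment" if active else "inline",
    }


# Constructed sample inputs: document fragments only, with a placeholder script body.
PLAIN_PDF = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
ACTIVE_PDF = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /OpenAction "
              b"<< /S /J#61vaScript /JS (placeholder) >> >>\nendobj\n")
```
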

Full Story: https://infosecwriteups.com/stored-xss-using-pdf-a-bug-0690125015bb?source=rss----7b722bfd1b8d---4