Update XSS.md

Mehdi 2023-08-18 18:56:14 +03:30 committed by GitHub
parent 76b816434c
commit 5c2745df83
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

XSS.md

@ -762,6 +762,7 @@ More information about this technique here: https://book.hacktricks.xyz/pentesti
**XSS in dynamic created PDF** **XSS in dynamic created PDF**
If a web page is creating a PDF using user controlled input, you can try to trick the bot that is creating the PDF into executing arbitrary JS code. If a web page is creating a PDF using user controlled input, you can try to trick the bot that is creating the PDF into executing arbitrary JS code.
So, if the PDF creator bot finds some kind of HTML tags, it is going to interpret them, and you can abuse this behaviour to cause a Server XSS. So, if the PDF creator bot finds some kind of HTML tags, it is going to interpret them, and you can abuse this behaviour to cause a Server XSS.
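Review bot: The heading `**XSS in dynamic created PDF**` at the top of this hunk should read "dynamically created PDF". The hunk header (762,6 to 762,7) also records one added line while none of the visible text changes, so the commit message "Update XSS.md" should say what that line is for (presumably spacing around the bold heading). The section describes the renderer interpreting HTML tags in user-controlled input but says nothing about prevention; a closing sentence on escaping that input before it reaches the PDF generator, and on disabling script execution in the renderer, would make the entry useful to whoever has to fix the finding.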
@ -771,6 +772,7 @@ If you cannot inject HTML tags it could be worth it to try to inject PDF data:
https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting/pdf-injection https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting/pdf-injection
**XSS uploading files (svg)** **XSS uploading files (svg)**
Upload as an image a file like the following one (from : https://ghostlulz.com/xss-svg/) Upload as an image a file like the following one (from : https://ghostlulz.com/xss-svg/)
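Review bot: In the last line of this hunk, `(from : https://ghostlulz.com/xss-svg/)` has a stray space before the colon and a bare URL; write the attribution as a markdown link, and do the same for the hacktricks URL that sits directly above the `**XSS uploading files (svg)**` heading. That URL and the bold heading are on adjacent lines, so if the single line this hunk adds (771,6 to 772,7) is not the blank line separating them, one is still needed for the heading to render as its own paragraph. "Upload as an image a file like the following one" would read better as "Upload a file like the following one as an image".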