Skip to content

Commit cb8bccd

Browse files
jonaslejonclaude
andcommitted
Add 11 new PDF XSS test cases from PortSwigger research
Add test18-test28 covering annotation URI injection, PV/PC/E auto-execution triggers, SubmitForm with SubmitPDF flag, JS submitForm() API, Chrome widget button/text field injection, getPageNthWord() content extraction, hybrid Acrobat/Chrome payloads, and URL hijacking. Also consolidate scheme validation into shared KNOWN_SCHEMES, default output to output/ directory, and update header and help text. Source: https://portswigger.net/research/portable-data-exfiltration Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1 parent f0bc4a0 commit cb8bccd

3 files changed

Lines changed: 829 additions & 15 deletions

File tree

.gitignore

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -9,6 +9,9 @@ __pycache__/
99
# PDF Files
1010
*.pdf
1111

12+
# Generated output directory
13+
output/
14+
1215
# Distribution / packaging
1316
.Python
1417
build/

README.md

Lines changed: 14 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@
44

55
# Malicious PDF Generator ☠️
66

7-
Generate eighteen different malicious PDF files with phone-home functionality. Can be used with [Burp Collaborator](https://portswigger.net/burp/documentation/collaborator) or [Interact.sh](https://github.com/projectdiscovery/interactsh)
7+
Generate twenty-nine different malicious PDF files with phone-home functionality. Can be used with [Burp Collaborator](https://portswigger.net/burp/documentation/collaborator) or [Interact.sh](https://github.com/projectdiscovery/interactsh)
88

99
Used for penetration testing and/or red-teaming etc. I created this tool because I needed a tool to generate a bunch of PDF files with various links. Educational and professional purposes only.
1010

@@ -15,7 +15,7 @@ pip install -r requirements.txt
1515
python3 malicious-pdf.py burp-collaborator-url
1616
```
1717

18-
Output will be written as: test1.pdf, test2.pdf, test3.pdf etc in the current directory.
18+
Output will be written to the `output/` directory as: test1.pdf, test2.pdf, test3.pdf etc.
1919

2020
## Complete Test Matrix
2121

@@ -39,6 +39,17 @@ Output will be written as: test1.pdf, test2.pdf, test3.pdf etc in the current di
3939
| test15.pdf | `create_malpdf15()` | PDF specification | FormCalc header injection | XFA FormCalc `Post()` with custom headers | Arbitrary HTTP header injection |
4040
| test16.pdf | `create_malpdf16()` | PDF specification | JavaScript via GotoE | `/GoToE` with `javascript:` URI | Browser XSS when PDF embedded via `<embed>`/`<object>` |
4141
| test17.pdf | `create_malpdf17()` | CVE-2014-8452 | XXE injection | `XMLData.parse()` external entity | XML external entity resolution |
42+
| test18.pdf | `create_malpdf18()` | PortSwigger research | Annotation URI injection | Unescaped parens inject JS action via duplicate `/A` key | XSS via PDF-Lib/jsPDF output |
43+
| test19.pdf | `create_malpdf19()` | PortSwigger research | PV auto-execution | `/AA /PV` Screen annotation fires JS on page visible | Automatic code execution (Acrobat) |
44+
| test20.pdf | `create_malpdf20()` | PortSwigger research | PC close trigger | `/AA /PC` annotation fires JS on page close | Code execution on close (Acrobat) |
45+
| test21.pdf | `create_malpdf21()` | PortSwigger research | SubmitForm SubmitPDF | `/SubmitForm` with Flags 256 sends entire PDF | Full PDF content exfiltration |
46+
| test22.pdf | `create_malpdf22()` | PortSwigger research | JS submitForm() | `this.submitForm()` with `cSubmitAs: "PDF"` | PDF content submission (Acrobat) |
47+
| test23.pdf | `create_malpdf23()` | PortSwigger research | Widget button injection | Invisible `/Btn` widget covering page, JS on click | Code execution (Chrome/PDFium) |
48+
| test24.pdf | `create_malpdf24()` | PortSwigger research | Text field SSRF | Widget `/Tx` field with `submitForm()` POST | Blind SSRF via form data |
49+
| test25.pdf | `create_malpdf25()` | PortSwigger research | Content extraction | `getPageNthWord()` reads all text and exfiltrates | Rendered text exfiltration |
50+
| test26.pdf | `create_malpdf26()` | PortSwigger research | Mouseover trigger | `/AA /E` annotation fires JS on mouse enter | Code execution on hover (PDFium) |
51+
| test27.pdf | `create_malpdf27()` | PortSwigger research | Hybrid payload | JS OpenAction + Widget button in single PDF | Targets both Acrobat and Chrome |
52+
| test28.pdf | `create_malpdf28()` | PortSwigger research | URL hijacking | Unescaped parens inject new `/URI` action | Click redirection via PDF-Lib/jsPDF |
4253

4354
## Purpose
4455
- Test web pages/services accepting PDF files
@@ -59,6 +70,7 @@ Output will be written as: test1.pdf, test2.pdf, test3.pdf etc in the current di
5970
- [PDF - Mess with the web - FormCalc header injection](https://insert-script.blogspot.com/2015/05/pdf-mess-with-web.html)
6071
- [Adobe Reader PDF - Client Side Request Injection](https://insert-script.blogspot.com/2018/05/adobe-reader-pdf-client-side-request.html)
6172
- [ImageMagick - Shell injection via PDF password](https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html)
73+
- [Portable Data Exfiltration - PortSwigger Research](https://portswigger.net/research/portable-data-exfiltration)
6274

6375
## In Media
6476

0 commit comments

Comments
 (0)