app.alert(1) is the new alert(1): PDFs as a vector to inject JavaScript code in web applications - Luigi Gubello
This talk was recorded at NDC Security in Oslo, Norway. #ndcsecurity #ndcconferences #security #developer #softwaredeveloper
PDFs - rise, decline, and revival: a journey across how we have changed our way of viewing and editing PDF files by moving from offline clients to online services, and how this is changing the role of PDF files as attack vectors.
A talk on how we have moved from local clients (Adobe, etc.) to browsers and online services to render, view, edit, and sign PDF files, and how this has changed the role of PDFs in attacks and exploitation. From the false-positive vulnerabilities (CVE-2020-26505, CVE-2023-0108, CVE-2023-5873, and other CVEs that were not vulnerabilities) to real vulnerabilities in client-side PDF SDKs.
During the talk, we will investigate some cross-site scripting vulnerabilities exploited in the real world (e.g. in bug bounty programs), focusing in particular on PDF.js (CVE-2018-5158 and CVE-2024-4367) and Apryse Webviewer (CVE-2024-4327 and CVE-2024-29359).
The talk will show how a PDF file can exploit web applications that do not properly mitigate the risk (by using CSP and keeping their dependencies updated).
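As an added example, not code from the talk: a defender-side check in Python that flags uploaded PDFs carrying JavaScript or Launch actions before a web application hands them to a browser-side viewer. It also looks inside FlateDecode streams and resolves #xx name escapes, since a plain byte search misses both; the two sample PDFs are constructed here, and the key list is an assumption about what your viewer treats as active content.

```python
import re
import zlib

# Constructed sample (not from the talk): a minimal PDF whose OpenAction runs app.alert(1).
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Second constructed sample: the same action dictionary inside a FlateDecode stream,
# where a plain byte search for b"/JavaScript" finds nothing.
_INNER = b"<< /S /JavaScript /JS (app.alert(1)) >>"
_DEFLATED = zlib.compress(_INNER)
COMPRESSED_PDF = (
    b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /Filter /FlateDecode /Length " + str(len(_DEFLATED)).encode()
    + b" >>\nstream\n" + _DEFLATED + b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
)

# Dictionary keys that make a viewer run code or act on the user's behalf when the file opens (assumed list).
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")
_STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
_NAME_ESC_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

def _expand_streams(data: bytes) -> bytes:
    """Append the inflated content of every Flate stream so keys inside it become searchable."""
    inflated = []
    for m in _STREAM_RE.finditer(data):
        try:
            inflated.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # not Flate-encoded or damaged: the raw bytes are still searched as-is
    return data + b"\n" + b"\n".join(inflated)

def _decode_name_escapes(data: bytes) -> bytes:
    """Resolve #xx hex escapes in PDF names (PDF 32000-1, 7.3.5) so /J#53 is seen as /JS."""
    return _NAME_ESC_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def find_active_content(pdf: bytes) -> list[str]:
    """Return the sorted action-related keys present in the file, after inflating and unescaping."""
    text = _decode_name_escapes(_expand_streams(pdf))
    return sorted(k.decode() for k in ACTIVE_KEYS if re.search(re.escape(k) + rb"(?![A-Za-z])", text))

def has_javascript(pdf: bytes) -> bool:
    """True when the file carries JavaScript or a Launch action: reject it before any browser-side render."""
    return bool({"/JavaScript", "/JS", "/Launch"} & set(find_active_content(pdf)))
```

This is a triage filter, not a parser: a PDF the filter passes still needs CSP on the viewer page and an up-to-date rendering library, which is the talk's point.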