‘PDF Silent HTTP Form Repurposing Attacks’

Summary

This paper sheds light on a modified approach to triggering web attacks through JavaScript protocol handler in the context of opening a PDF in a browser.’

Credit:

‘The information has been provided by Aditya K Sood.
The original article can be found at: http://secniche.org/papers/SNS_09_03_PDF_Silent_Form_Re_Purp_Attack.pdf


Details

‘Due to ingrained security mechanism in PDF Reader, it is hard to launch certain attacks. But with this technique an attacker can steal generic information from website by executing the code directly in the context of the domain where it is uploaded. The attack surface can be diversified by randomizing the attack vector. On further analysis it has been observed that it is possible to trigger phishing attacks too. Successful attacks have been conducted on number of web applications mainly to extract information based on DOM objects. The paper exposes a differential behavior of Acro JS and Brower JavaScript.

Vendor Response:
The security is implemented mainly for cross domain calls. A check is produced when ever a third party URL is contacted. These restrictions work fine. But our analysis proves that Adobe JavaScript model can be used to test web applications (enterprise) through this attack vector.

Adobe stated ‘Our position is that, like an HTML page, a PDF file is active content.’

It is right because for JavaScript working the object should be treated as dynamic. But our aim is to demonstrate that the interdependency factor among different software s can raise security concern.’

Categories: Reviews