{"uuid": "f1f358e7-f69d-4194-8ac9-bc7691ed63dd", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-4367", "type": "published-proof-of-concept", "source": "https://t.me/brutsecurity/2470", "content": "\u267eBug Bounty Tip: Bypassing WAFs for Stored XSS via ASCII-Hex Encoded PDF Payloads\n\n\u27a1\ufe0fMany platforms allow users to upload PDFs that get previewed/rendered directly in the browser (often using libraries like PDF.js in Firefox, Chrome extensions, embedded viewers, or custom implementations).\n\nA clever trick for Stored XSS (or Blind XSS variants):\n\n1. Craft a classic XSS payload (e.g., one that executes alert(document.domain) or exfiltrates cookies/tokens).\n\n2. Encode the entire malicious JavaScript as ASCII hex (each character \u2192 \\xHH format).\n\n3. Embed it inside a tiny/valid PDF structure that triggers execution during font/glyph rendering or object parsing in vulnerable PDF renderers.\n\n4. Upload the PDF to a target feature that stores and previews user-uploaded documents (profile, reports, tickets, resumes, invoices, shared files, etc.).\n\n5. When a victim (admin, user, or support) previews/opens the PDF in a vulnerable renderer \u2192 XSS fires in the context of the PDF viewer.\n\n\u26a1\ufe0fKey advantages:\n- Many WAFs / upload filters / content scanners completely miss it because it's not a classic  or HTML \u2014 it's binary-ish PDF content with hex-encoded JS.\n\n- Can be tuned for Stored \u2192 persistent until deleted.\n\n- Can be adapted for Blind XSS \u2192 exfiltrate to your server instead of alert().\n\n\ud83d\udcacReal-world notes from hunters:\n- Works especially well against PDF.js-based previews (Firefox default, many web apps embed it).\n\n- Reference: Similar to behavior seen in CVE-2024-4367 (arbitrary JS exec in PDF.js via font handling path).\n\n- Impact varies:\n\n  - Self-XSS / low-priv user alert \u2192 usually P4\u2013P5 or Informational.\n\n  - Admin views it \u2192 potential session theft / higher severity (P2\u2013P3 possible if you can prove escalation).\n\n  - Some programs reject pure alert() PoCs in sandboxed viewers (no cookie access in most cases) \u2192 demonstrate real impact (e.g., redirect, keylogger, token exfil) or target-specific quirks.\n\n- Pro tip: Test on your primary programs that have PDF preview/generation features \u2014 many still do!\n\n\u26a1\ufe0fResources to start:\n- Repo with example payloads: https://github.com/orwagodfather/XSS-Payloads\n- Edit payloads easily in Notepad++ (hex view or find/replace).\n\nHappy hunting \u2014 stay ethical &amp; report responsibly! \ud83c\udfc6\n\nPhoto Credit- Orwa\n\n#bugbountytip #bugbounty #xss #websecurity #pdfxss", "creation_timestamp": "2026-07-11T11:00:04.930255Z"}