模拟pdf运行js脚本触发xss攻击及防攻击

一、引入pdfbox依赖

<dependency>
    <groupId>org.apache.pdfbox</groupId>
    <artifactId>pdfbox</artifactId>
    <version>3.0.0</version>
</dependency>

二、生成一个带js脚本的pdf文件

//Creating PDF document object
PDDocument document = new PDDocument();

//Creating a blank page
PDPage blankPage = new PDPage();

//Adding the blank page to the document
document.addPage(blankPage);

String javaScript = "app.alert('欢迎关注cms.centyun.com');";

//Creating PDActionJavaScript object
PDActionJavaScript PDAjavascript = new PDActionJavaScript(javaScript);

//Embedding java script
document.getDocumentCatalog().setOpenAction(PDAjavascript);

//Saving the document
document.save("d:\\centyun.pdf");
System.out.println("PDF created");

//Closing the document
document.close();

三、在浏览器中打开pdf文件触发xss攻击

四、防止pdf的xss攻击

判断pdf文件中是否包含打开文档就运行的js脚本

/**
 * 校验pdf文件是否包含打开文档就执行的js脚本
 **/
public static boolean containJavaScript(File file) {
    try {
        PDDocument document = Loader.loadPDF(file);
        PDDestinationOrAction openAction = document.getDocumentCatalog().getOpenAction();
        if (openAction != null) {
            String str = openAction.getCOSObject().toString().toLowerCase();
            return str.contains("javascript") || str.contains("cosname{js}");
        }
    } catch (Exception e) {
        log.error(e.getMessage(), e);
    }
    return false;
}

本文到此结束。