PDF fonts, encodings, and risk potentials interacting with web browser

I once encountered a very interesting type of XSS on a website purely by accident. This website allows users to upload PDFs, and will open the PDF in the browser with some built-in JavaScript. What happened was I uploaded a paper of mine that contains the text <script>alert()</script>, and when I tried to open the PDF, the script magically got executed in the browser. I reported this issue to the webmaster; they fixed it but did not tell me what had happened. What I have also found is that the text above must be in a certain font for it to be executed (unfortunately I forgot what font it was).

Today, I was copying a piece of text from a PDF that was saved off a web page, and pasted the text into a Word document, and I found that what was displayed in the PDF as “certified” became “certiÕed”. Again, it only happens with a certain font; the font in that PDF is “Open Sans”, a weird font that my PDF editor does not have, but can still display.

I have very limited knowledge about PDF, fonts and encodings, so I wonder if someone knowledgeable can explain the underlying reasons for my first and second observations. The first one is definitely an XSS breach, but might the second also bear any security risk?

PDF Documents – Browser View 2020

I posted a question yesterday about PDF files in a browser that can be found here. There you can find more information about dealing with PDF documents in browser.

My question here is how each browser handles PDF files by default.

PDF files can cause security concerns because they have the capability to contain executable code.

What I have found is that some browsers today have their own PDF viewers. Some of those viewers open in a sandbox environment which at least seems to protect the end user. I have confirmed that both Chrome and Firefox open PDFs in a sandbox environment.

Question 1:

Do the following browsers also open PDFs in a sandbox (2020)?

  • Edge?
  • IE?
  • Safari?

Now these sandboxes sound pretty great if they can mitigate any security concerns with PDF files. My next series of questions regard the sandbox environments.

Question 2:

Is there any way a user might disable the protections a sandbox provides?

Question 3:

Are there still concerns when opening a PDF in a sandbox?

Question 4:

Are there easy ways to verify a user is opening a PDF in the correct browser or with the correct settings before opening?

PDF Documents in Browser 2020

I have a project where I would like to allow a user to view a document (PDF) in their browser by clicking on a link or thumbnail of the file. They would be able to download said file. I've just begun to research the vulnerabilities associated with PDF files, but here is what I can gather so far:

PDFs can contain executable code that could create exploits or identify other exploits. PDFs are not unique in this regard.

To protect against any malicious PDF action occurring, browsers now open all PDF files in a sandbox. These sandboxes can be more secure than local viewers. Browsers that open PDF files in a sandbox:

  • Chrome : yes
  • Firefox : yes
  • Edge : ?
  • IE : ?
  • Safari : ?

I plan to store the PDF files on the file system outside of the web root. The files' metadata will be indexed inside a database.

Communication will be over SSL.

Questions:

  1. Does opening a PDF file in a browser sandbox eliminate risks with displaying PDF in browser?
  2. Are there more ideal file formats (from a security standpoint) to use over PDF for the use case described?
  3. What types of server side validation could/should I perform when displaying a PDF document?

Minimum (safest) firewall holes to create to connect to public WiFi networks and use a web browser?

What are the minimum (safest) Windows Firewall holes to make to permit Windows 7-10 computers to connect to public (secured or open) WiFi networks and browse the web with any modern web browser?

Assume all incoming and outgoing packets are blocked on every port unless explicitly allowed.

Note that Windows Firewall does allow incoming packets when only outgoing packets are allowed. This oddness is because it automatically trusts Established Connections. Thus allowing outgoing TCP packets on ports 80 and 443 will also allow incoming packets (even if they were not requested).

So far, this is what I’m thinking is required:

  • UDP - Local Port 53  - Remote Port 53  - Outgoing - Why: DNS
  • TCP - Local Port 80  - Remote Port 80  - Outgoing - Why: HTTP
  • TCP - Local Port 443 - Remote Port 443 - Outgoing - Why: HTTPS

Also, to actually connect to the network and get assigned an internal IP address:

  • UDP - Local Port 68  - Remote Port 67  - Outgoing - Why: DHCP

Is anything missing or too restrictive?
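As an added example, not part of the post, here is that allow-list expressed with the Windows NetSecurity cmdlets, which assumes Windows 8 or later (Windows 7 would need netsh advfirewall instead) and an elevated prompt; the rule names are made up here. It sets the Public profile to block by default in both directions and allows only outbound DNS, HTTP, HTTPS and DHCP, leaving the local port unspecified because the client side of each connection uses an ephemeral source port, and relying on the stateful handling of established connections the post describes for the replies.

```powershell
# Added example: minimal outbound allow-list for the Public profile.
# Assumes the NetSecurity module (Windows 8+) and an elevated PowerShell prompt.

# Default-deny in both directions on the Public profile. Replies to connections
# allowed outbound are still accepted by the stateful engine, and the built-in
# "Core Networking" rules (DHCP, etc.) remain in effect alongside these.
Set-NetFirewallProfile -Profile Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# One entry per service: protocol and remote port only. The local port is left
# as Any because the client picks an ephemeral source port; pinning LocalPort
# to 53/80/443 would match none of the real connections. DHCP is the exception,
# since the client genuinely binds to UDP 68.
$rules = @(
    @{ Name = 'PublicWiFi-Out-DNS';   Protocol = 'UDP'; RemotePort = 53;  Why = 'DNS'   },
    @{ Name = 'PublicWiFi-Out-HTTP';  Protocol = 'TCP'; RemotePort = 80;  Why = 'HTTP'  },
    @{ Name = 'PublicWiFi-Out-HTTPS'; Protocol = 'TCP'; RemotePort = 443; Why = 'HTTPS' },
    @{ Name = 'PublicWiFi-Out-DHCP';  Protocol = 'UDP'; RemotePort = 67;  LocalPort = 68; Why = 'DHCP' }
)

foreach ($r in $rules) {
    $params = @{
        DisplayName = $r.Name
        Description = "Allow outbound $($r.Why) on public networks"
        Direction   = 'Outbound'
        Action      = 'Allow'
        Profile     = 'Public'
        Protocol    = $r.Protocol
        RemotePort  = $r.RemotePort
    }
    if ($r.ContainsKey('LocalPort')) { $params.LocalPort = $r.LocalPort }
    # Remove any earlier copy first so the script can be re-run safely.
    Remove-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue
    New-NetFirewallRule @params | Out-Null
}

# Verify: list every enabled outbound allow rule that applies on public networks,
# with the port filter attached to each, to confirm nothing broader slipped in.
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Where-Object { $_.Profile -match 'Public|Any' } |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort, RemotePort
```

The final query is the check worth keeping: any rule it lists with RemotePort Any is a hole wider than the four the post intends.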

Can I get a double layer protection if I use both desktop & browser based VPN?

Let’s say I use both NordVPN’s own software (random VPN location) and its Google Chrome VPN extension (random VPN location). Does this add an extra layer of protection/encryption, meaning hiding internet activity from the ISP and/or from your network, plus an extra layer of encryption?

Or connecting to the VPN server via NordVPN software plus Epic browser’s VPN, what kind of protection is that?

Is it double layer or just connecting to different ports?

Create fake browser fingerprints

Some websites give you certain props if you are using a browser they have never “seen”. For example, you buy a new tablet, open Chrome and try to create a hotmail account; most likely they won’t ask for phone number verification. Try again a few times, and they catch you. Erasing the cookies doesn’t work and if you use a non-tracking browser they can detect that and automatically flag you. Using a VPN has the same result.

So letting the system think your browser is “new” by manipulating the tracking seems like the best way. Joke is on them; stop tracking people in the first place.

I am pretty sure this is very difficult and would require me to compile my own version of Chrome. I need a comprehensive list of the things I need to modify. That is the question.

Thx

What use would a privacy browser, such as Firefox Focus for iPhone, have for an internal web server?

The Mozilla Foundation has a “privacy browser” called Firefox Focus that is available, for example, for iPhone (here). This browser has an always-on ad blocking function.

I was checking the third-party licenses used by this iPhone version (image shown below) and noticed that it includes the use of GCDWebServer.

[3rd-party licenses used by Firefox Focus]

The GitHub page for GCDWebServer says that:

GCDWebServer is a modern and lightweight GCD based HTTP 1.1 server designed to be embedded in iOS, macOS & tvOS apps.

There is support information for this browser here, but the documentation does not mention the use of an internal web server.

This issue has relevance in evaluating the risks from possible open ports, in connection with determining whether to allow this browser in a corporate bring-your-own-device configuration.

Question: What use would a mobile device web browser have for running an embedded web server?