
Mirror Mirror — Reflected PDF Attacks Using SQL Injection

BSides Las Vegas · 2012 · 50:44 · 51 views · Published 2017-03
Speakers: Shawn Asmus, Kristov Widak
Tags: Category: Technical · Team: Red · Style: Talk
About this talk
Shawn Asmus and Kristov Widak demonstrate how SQL injection vulnerabilities can be weaponized to inject malicious payloads into PDF responses, enabling JavaScript execution, credential harvesting, and malware delivery. The talk covers real-world attack techniques, practical demos using a custom tool (SQL Squirrel), and discusses implications for applications that appear locked-down but remain exploitable through PDF manipulation.
Original YouTube description: PG - Mirror Mirror - Reflected PDF Attacks Using SQL Injection - Shawn Asmus & Kristov Widak Proving Ground BSidesLV 2012 - The Artisan Hotel - July 25, 2012
Transcript [en]

Well, good afternoon, or good evening, I never know what to say around five o'clock, but hi, thanks for showing up. Welcome to Mirror Mirror: Reflected PDF Attacks Against, or Using, SQL Injection. My name is Shawn Asmus, and with me is Kristov Widak, who's my tag team partner today. We both worked on this presentation together; we're both application security consultants with FishNet Security. Today's agenda: we'll be doing a little bit of gearing up on what this talk's all about, we'll cover a brief history (too much history is a bad thing), so what we'd like to focus on today is a case study based on a real-world pentest that I was involved in. We'll do an awesome demo for you guys, setting that up for success, and then summarize at the end, obviously. So at any point during this talk feel free to throw up your hand, raise a question or comment; if we like your question we'll try to answer it.

So what we're not going to talk about, or what the talk isn't about today: we are not disclosing anything like a new way to escape PDF syntax. A lot of research has already been done, a lot of great research, and we actually include a lot of references at the end on that research. If you're not familiar with what we mean by PDF escaping, we'll give you some examples through this presentation, but we include references at the end. Same thing with SQL injection: if you're not all that up to speed on what it means to execute SQL injection against a website, we've got some great references at the end. But back to what it isn't: we are not releasing a 0-day or a new flaw in a particular version of Acrobat Reader or other PDF reader. We are also not rehashing some of the additional, pretty interesting research on how to use cross-site scripting attacks to launch SQL injection attacks. However, with some of the techniques that we will be covering, not specifically in our presentation but towards the end, we actually have a tool that will eventually (it's not quite there) go the opposite way: how to use SQL injection to launch cross-site scripting attacks.

So of course, why SQL injection? Why are you here? Obviously it is of some interest to you, but why is it relevant? Wasn't this fixed last decade? Apparently not, right? There's still a lot of it out there. And I'm going to hand the mic over to Kristov.

Sure. So just something that was in the news recently: did anyone care about the Yahoo Voices compromise that happened? See, no. So there was some group that dropped, that doxed Yahoo Voices. Through some type of SQL injection attack they extracted a bunch of credentials from one of the Yahoo sites, and they disclosed 400, or 453,000, different credentials and showed that Yahoo has some pretty weak password policies. Now Yahoo came back and said it's not a problem, only 5% of these accounts are still active, we're going to close this up, but it's not interesting: you got into our database but there's nothing there, so big deal. Now what we want to talk about in this presentation is, okay, maybe you have a SQL injection in your application with a database that doesn't have something interesting in it, but can we do other things with that SQL injection attack that might be of interest to an attacker? And I would argue, for any kind of trusted website, you can do some of that. So we'll be talking about that later in the talk. That was kind of an awkward segue. You're getting out of the way? Type, move. Anyway.

So a little more history here. I never know what to call this; I read it as "ASP rocks" because I was an ASP developer for a number of years,

but I've heard it called Asprox. This was a botnet, right, back in '08 more or less, that used some interesting techniques to inject malicious JavaScript into many, many websites that ran Microsoft SQL. So one of the payloads that we pulled, here is an example of what it was injecting. Just real quickly here, you'll notice a series of semicolons; those are delimiters for what we call stacked queries. So it's actually a set of multiple T-SQL commands that were executed in the SQL context, so the query engine actually processed that when this bot had activated. What this query does is set up a temporary variable of nvarchar and inject a hex-encoded piece of JavaScript that would be rendered back to a browser that visited this website, because the website was rendering back data values from the database. So if, for example, the payload got injected into any and all varchar data type fields, and you visited a website that was infected, your browser would render this JavaScript and execute it and install a piece of malware, which I believe was like a spam bot of some type.

So the interesting things about Asprox (I'm going to stick with that title) are these points. This obviously relied upon the database's capability of executing stacked queries in the context of the vulnerable web application page. It also relied upon the fact that the database tables were updatable. It used hex-encoded JavaScript; sometimes you use that to compact your payload, other times you use the obfuscation to get around filtering or any type of security monitoring. It spread through visits to quote-unquote trusted sites, so back around this time the attackers were no longer as much trying to get users to visit malicious sites as they were injecting trusted sites and letting it propagate through that attack vector. And then also it obviously relied upon the fact that the web application was some sort of database-driven app, or pulled information from database queries. So this talk is actually presenting a set of methods to use SQL injection in such a way as to exploit the vulnerable website. Let me back up: we are only going to be requiring the last two bullet points, okay, and we'll talk about why that's important later on in the talk. So on with the show, right? The case study again was based on a real-world penetration test. The web application in question was live, it was

accessible from the internet. It had a username and password, like a login page, for authentication, and actually a web page that unfortunately did not require authentication to perform certain functionality. And when we exploited it the client was like, oh my God, I can't believe we had this on our network, please give us more information, we want to remediate immediately. Expected more reaction from this slide, but too soon, right? Too soon. Okay.

So rather than talk a whole lot about what this application did or whatever, this is in essence what the web code looked like. This was an application pentest slash application code review, so we actually had access to the source code, and this is what it looked like. The top part is actually a page load event, and it calls the supporting getImageData function at the bottom. So can anybody spot the vulnerability? Line 36, thank you, exactly. So you're taking input which was supplied by the page load handler; you see at line 16 we're passing Request.QueryString, the image ID, eventually down to the function as a string. Now image ID, you would think that should be a numerical value, but in their world they treat it as a string. Who knows, but they did. And as you can tell, the code happily appends it to the query string, and the SQL data source, the command object, happily executes it. Now a couple of things about this code. Yes, it is C#. So a couple of things, maybe not interesting but important to point out: number one, the content type of this web page is fixed, it's application/pdf, and the reason for that is because this is like a get-file web page that returns only PDF documents. So essentially the purpose of the web page was to retrieve a stored PDF from within the database (it was like an image or binary data column), and given a unique ID it would pull that stored PDF from the database and return it as a web page, which, since the content type is application/pdf, the browser would automatically render as a PDF.

And then the other thing to point out here is that it issues the ExecuteScalar method, and what that does is, if your query for example returned more than one row, ExecuteScalar would actually only return that first row. Was that done on purpose? I'm not sure, but what it also does, from our research, is it indicates that you cannot do stacked queries, okay. You cannot inject stacked queries here. So remember that for later; it'll come back up for discussion, hopefully. So this is the application performing as designed. Obviously the developers meant that the parameter be an integer value, and actually what it was is you logged into the web app, you would be presented a list of links, these are the documents that are available, you click the link, it would go directly to this URL and render the doc. Okay.

So the problem with tools is, well, first of all, this was an application code

review, so we did use some automated testing tools to identify, hey, security analyst, this application accesses a database and is probably vulnerable to SQL injection. Thank you, but I actually identified it manually, right, so it's pretty obvious that it had a problem. However, using other automated tools to try to validate that finding, that's where it was a little more interesting. For example, there's a well-known tool that tries a number of different attack vectors related to SQL injection, tries to pull user names, database names, table names, column names, actually extract the schema from the database. That tool actually failed, and the reason that tool failed, and actually I ran a few scanners on this model web application and the scanners actually failed too, the reason they failed to clearly identify the SQL injection vulnerability is because they had no way of parsing the response from the application, since it was in essence a binary response. It was not HTML markup, it was application/pdf, right? So that was one reason. Another reason: I think I ran sqlmap on it and it seemed to work fine for a few iterations of blind SQL attempts, but it seemed to choke after a little bit, and I think that parsing had something to do with it. So I'd like the takeaway from this slide to be: as penetration testers or attackers we need to not rely so much on these great scripts that are already out there, but sort of use our heads and our brains and our skills to move past these tools when necessary. Because if you can imagine, okay, so we had a blind SQL injection vulnerability; if we used some sort of tool to iterate through queries that compared true/false values or responses one character at a time, it would take forever to get the data that we were after, right?

So we felt that there was a much better way. We wanted to tweak that query, but unfortunately the tools didn't allow sufficient tweaking to what we wanted. So this is basically our custom payload for this particular website. What we did here is, of course, null out the expected parameter value; that was necessary, and I guess that's a typo here, but mhid equals, okay, let's ignore what it's supposed to be, make that a false condition, and then UNION ALL will append another result set to that initial query, and we can extract pretty much anything that we want from that database. We had to use UNION ALL instead of UNION because the original data type of the column was image, and when you use image or binary data types SQL will actually prevent you from doing unions, even with another column of binary or image data type. So UNION ALL kind of gets around that restraint. And then also we used a CONVERT, or we could have used a CAST here, to actually return the row set that we wanted from the database as varchar, and what that forced the command processor to do was to return it as readable text; otherwise it would have been a hodgepodge of text and binary data. So hopefully this will

become maybe a little clearer as we move on. So here's just an example of using Burp to send a custom payload. Basically it's our template that we just saw, and the payload here that we used in this case was @@version, so we asked the database to return information about what version you're on, and as you can see it renders fine in the proxy, right? This would not render in a browser. Why? Because the application content type is PDF. Makes sense. So that's kind of really boring, right? So why not pull data from the users table? Since this was an application code review I knew what columns there were, but we could have enumerated those through blind injection attacks too. As you can see in the payload at the top, we are using a little bit of Microsoft SQL Server's support for FOR XML, and so we're stuffing all of the rows, or we are stuffing concatenated values from the user table, and we're doing a little trim to make it a little more condensed. Here at the bottom we're again pulling username and password, and we used a delimiter as well to make it more readable, and that's what we get, right? So you can imagine how much time that might have taken using the blind SQL injection approach; here it returned within a few seconds. So is this new to anybody? Does this make sense? Hopefully nothing's surprising here. In the real-world app, actually, they did not store their passwords in the clear; they used hashes, but they were unsalted. So that was actually the least of their worries.

Yeah, you know, in most of the pentests that I'm involved in they are usually integrating with LDAP or some type of directory service, so a lot of times we actually had no visibility into how they're storing it because they're using another store. But when it is brought sort of in-house into the application, we see about 50%.

So the real-world application had major problems, right, because not only could we pull from the database, we could write to the database; the tables were wide open. The SQL Server service account was Network Service, I believe, or might have been Local System. Think about that, because we were actually able to use some tricks, well, not tricks, commands, and SQL OPENROWSET to read from the file system. So I think in the final report I was able to show a screenshot of a boot.ini file, which was kind of surprising to them. What else? So major, major ownage, right? We could actually execute xp_cmdshell, upload a web shell to the web server, get read access and all those. So why wasn't that good enough, right? Well, we wanted more, and the reason why we wanted more was, at least in my mind (I can't speak for your mind, Kristov), well, what if the web server was hardened? What if those tables were read-only? What could an attacker really get away with, or do, to make the application respond in the way that he or she wanted to? You ever get that spidey sense, that you know there's something else out there? That's kind of what I had with all of

this. So what could an attacker do in those situations? Okay, so we're kind of transitioning from the live app into our demo app. What could an attacker do? In fact, any of this will apply to that live app, but I'm going to hand the mic to Kristov for a few.

So since we were dealing with an application that was returning a PDF as a return type, we started to look at what you can do with PDF. There's a lot of great research out there about malicious PDFs. The syntax for PDF is very forgiving; you can mangle all kinds of stuff and still get it to render in your reader. A lot of that is client or version dependent, but there's all kinds of stuff that you can leave out or modify. There are lots of great obfuscation techniques, again lots of great work on there by Didier Stevens and others. You can encode stuff in hex and octal, add whitespace, you can encrypt it, all kinds of stuff. You can nest a PDF inside of another PDF. So there's all kinds of stuff that you can do with PDF that's interesting for an attacker. So we basically started to look at, all right, we're able to inject stuff into this data stream that's being returned back to the user, it's a PDF, what can we do with that? And I think there are sort of three categories of things that we came up with. One is that you can put JavaScript in the PDF: if you can return a PDF that's going to be rendered in your browser or reader or whatever, it can run JavaScript, so you can do all kinds of cool stuff with JavaScript, including malicious payloads and stuff like that. Aside from JavaScript, you can inject stuff into the PDF content stream in other places, as static text or hidden text or whatever, and that can include the result of database queries, which you could also do with JavaScript as well. And of course you can just replace the whole thing that's being returned with just a raw PDF, again including malicious PDFs.

So let's do some demos of some attacks that illustrate this. Yeah, I'll just sit here and you do that. So we have a little test server set up; again it's running that code that you saw, running on a Microsoft server with MS SQL in the background, and the first attack that we're going to show you is one in which we're injecting something into the content stream of the PDF. It's going to be injected into the text of the PDF, so when the PDF pops up you'll see some text, and we're returning some database values. So earlier Shawn showed you an example of when he was performing this SQL injection attack, he grabbed some data from the database, some passwords and usernames and stuff like that. What we were able to do is actually create a valid rendering PDF in which that stuff is presented to the person looking at the PDF, just to demonstrate, hey, we can return a valid PDF and it can have these database queries in it. So we wrote a quick tool called SQL Squirrel; we'll give you a link to the tool at the end. What it does is you give it some different options and it generates one of these attack URLs, demonstrating these different kinds of attacks. So this is generating one of the URLs; Shawn's going to grab all the payload after the image ID stuff and he's going to paste it into the browser for the test

environment. The tool itself can perform a variety of different kinds of attacks. Currently all of the attacks that the tool is performing are based on returning a PDF; in the future we'll be looking to extend that to other kinds of content types as well. So he's opening up just a standard use of the application, which returns just a normal document, and now he's going to perform the SQL injection on it, at the end there, after he gets rid of the other equals sign. As you can see, it pops up in the reader and we get a JavaScript popup that got the admin credentials, and if Shawn were to change the ID to two you'd get the next user in the database. Joe is not very creative with his password. So that's a demonstration of the tool; the rest of them we're just going to grab from our notepad.

The next attack that we're going to demonstrate is, is it the JavaScript popup? No, it's putting it into the content stream, right? The redirect, sorry. Yeah, so the last one that you saw was the JavaScript popup; the next one is another JavaScript-based attack. This is actually using the JavaScript in the PDF being rendered to redirect the reader window to another URL. So it's not a browser redirect, it's coming from the PDF. IH hacks dot com, IH has hacks dot com. All right, cool. Got two more for you.

So you notice this one is a bit longer; we'll talk about what's going on there, but basically it's creating some text in the actual PDF instead of a little JS popup. Again it's returning these database credentials, these credentials being pulled from the database, and you need that extra syntax to get it working, but same thing, except now it's text validly rendered in this PDF. And then this last demo that we have for you, we're going to pop some calculator. So that looks pretty long, but actually we put a bunch of work into reducing the size of it. I'll talk about this a bit later on, but there are some restrictions in terms of how large your payload can be depending on what kind of requests you are submitting. This particular exploit is a modified version of an exploit from the Metasploit module; it's the util.printf exploit for Adobe Reader. In the demonstration we're using Adobe Reader version 8.1.2, I think, for the specific purpose of demonstrating this calc-popping exploit. There are of course other, more recent versions of Adobe Reader that have exploits for them, but the payloads are much larger; that's why we decided to go with this one. We popped... what's that? Yes, live demos, living on the edge. So we just popped two calcs because we're just that awesome. Yeah, one wasn't good enough. So now you know that we're doing

something interesting and useful with that. So let's just talk a little bit about what's going on in those payloads. Here's a JavaScript payload, and what this is doing is it's going to just pop up an alert box; you can see app.alert and it's just going to say "stuff goes here". That's where your payload would go; in fact if you're using the script you get to say what goes there. And just to talk briefly about what we're doing for encoding: this is a GET request, so all the spaces have to be encoded as pluses for it to be a valid GET request. That also means, as a result, that all of the concatenation operators in SQL, which are a plus sign, have to be URI-encoded so that they're not confused by the web server. And one other encoding that we had to do for this is that since we're attacking a .NET-based system, and .NET has a cross-site scripting filter that's included, anything that looks like a script tag, or any kind of HTML tag, will get parsed out. So you have to insert a space after the less-than symbol; you'll see that in various places here, and we have to replace it with a plus because it's a GET request. Did that make sense? Yeah. All right.

One other payload to look at. So this one, like I said, is a bit longer, but the basic idea is that again we're just putting some static text in the PDF, in the payload part, and all this stuff setting it up is just saying, okay, reader, this is going to be some text, here's a little box inside the PDF. This is actually a POST-based request; you can tell because there are spaces in there, and again the plus signs and the SQL stuff are not URI-encoded. Here is a way of passing in a base64-encoded string as a PDF: we're using an XML-based element to say this is base64 binary. You can also do a hex-encoded string there as well, and you're passing it a base64 string. Now what's interesting about that to me is that before we were talking about, okay, you can do all this PDF obfuscation, right, you can insert whitespace, encrypt it, all this other stuff to mess with your AV. Now you're combining that with SQL-based obfuscation, and this is one example: base64-encoding the string. So how many IDSes out there are not only looking for something that's going to have all this PDF obfuscation, but then is also a base64-encoded string that's going to be rendered back as a regular PDF when the user clicks on the URL? Not very many. So I think that's pretty cool. Shawn, you want to talk about the...

One or a few notes on this last slide. This is actually XQuery, and that was something introduced with SQL 2005, so just to note that that won't work on SQL 2000. So thank you. Okay, so implications. What does this mean, what's the relevance? We thought of maybe two to three cases, right? Data exfiltration being the first one. Okay, what can an attacker do? Let's present the scenario where an attacker is interested in some data that's within the network, and the target is a user of that application. So we assume it's an internet application that is accessing internal data of some type of sensitivity, right; could be credit cards,

could be PII, credentials, whatever. So the attacker might use social engineering techniques to get the user to click the malicious link that they sent to that user, and obviously the link would have our payload, or a payload of the type that we just demoed. A special note that the payload is actually not stored anywhere, right; it's fairly virtual, to the effect that its context is inert when it's passed, until it's processed as part of that application. So the user would click that particular payload, where it would execute, and for example, say the attacker would want the data rendered into the text box, content stream, whatever you want to call it there, but might prepend a bunch of spaces, or he or she may format the PDF framework around the query results in such a way that the results are not shown within that nice little white space that's rendered in the browser. Okay, and the user says, maybe, you know, there's something wrong with your link, I'm only seeing an empty document; I'm sorry, I can't grant the request you asked of me. The attacker may say, just go ahead and send me that PDF anyway, I'll take a look at it, we'll kind of figure it out. And that may be one attack vector, right? So data exfiltration: there are ways to maybe munge the data results; you saw how SQL can decode base64, it can also encode, and there are a number of ways that you can do some sort of exfiltration to obtain that information.

Perhaps the more interesting use case is the malware delivery. The attacker may not give a care about what's in the database, okay, or the database just may not be available for data exfiltration, or the data is of no interest, maybe the server is hardened in every other way other than that it processes T-SQL commands when injected like this. So the attacker may target this particular web application to deliver malicious payloads, right? So anybody have any other use cases? Kind of curious to see if we missed one. Should we have...

Yeah, yeah, so the joke was that we could have delivered this nice report page to the client by rendering it from the web application itself. Yeah, exactly, here's your report. Exactly. But that also brings up an interesting point: the actual PDF payload could be of sufficient content as to present a PDF form, right? So you can have form-fillable PDFs that prompt for credentials, or maybe mimic an existing PDF that's out there, and you can also inject JavaScript that might send that information that's typed into the form via email, via other channels, right back to the attacker. So PDF is really nice; there's a lot of functionality that we could potentially exploit.

So one other point related to implications. You know, how many web reports have you written, or have you seen, where it says you have a SQL injection vulnerability, you need to fix it, and by the way your website can proxy malware with class? You just don't see that, right? And I've personally been involved in pentests where I've come across SQL injection, but when it was reported up the chain, the management or application owner said something to the effect of, yeah, we understand, but it's locked down, there's nothing of importance, or it's

locked down, the user is not a privileged user, you can't really execute a command shell or anything like that. So, you know, you did...

Interesting persuasive personality, you were trying to say. So yeah, and unfortunately a lot of developers get very protective of their code. We want to be respectful of their jobs and everything; in essence, as penetration testers we want to benefit the client by bringing up vulnerabilities so they can be remediated. So speaking of remediation, there is an important part to mention too. Although we can do all these neat PDF and Acrobat maneuvers here, the root cause is still the same, right? You've got SQL injection in your website; fix it. And we feel that's important to call out in more or less what the finding is, right, but the impact is what may be different. So it really depends on the app, right, if it's locked down in every other way. But as a pentester, maybe you have a relationship with the client where you know they're going to push back, right; we can call that out a little further: not only do you have SQL injection, but do you really want to go to court or whatever to be a third party to a hack or something? And some would say, yeah. So right now, obviously, we just presented the attacks that target Microsoft SQL and ASP.NET, but we can adapt to other database syntaxes, so Oracle, Postgres, whatever, PHP. And obviously we did a pop calc, but as long as your payload is a sufficient size you can do it through GET; you can do it through POST if the application accepts that collection, the POST collection. And then also PDF: well, we picked a lot on PDFs today, right, but we can actually format it in really any type of open format. We've got a working exploit against PostScript, and actually there are several out there that were results of research, so PostScript will actually execute JavaScript as well.

Right, right, right. So yeah, exactly. Nice. So I think there was a talk like "how not to let your applications review themselves" or something like that, "how not to let your applications write their own security". Okay, yeah. So I mentioned earlier that there are some limitations that you have to deal with for this type of technique. The most important limitation is if you're trying to do this over a GET request, trying to paste something into the URL, you're going to have some size limitations that come up. It turns out that the one that's sort of the most restrictive is for the Internet Explorer client. So Internet

Explorer only allows 2,83 characters after the path, in the entire URI, so that leaves you with not a whole lot of room to generate a PDF. Now you obviously have some alternative options available to you if that's not viable: you can target other browsers. You know, there are some web server restrictions that come into play after IE, but, you know, they're bigger. If you are able to do this over a POST request instead of a GET request, the limitations are, you know, a much larger maximum size than for GET. That may require some additional vulnerabilities in the site that

you're targeting, like a cross-site scripting vulnerability. But if you just want to make sure that this is a universal attack, there are some basic things that you can do to try and reduce the size of the payload. You may have to get rid of some of your PDF obfuscation stuff, because it tends to blow up the file real fast. When I took the, you know, the default thing that was coming out of Metasploit, it had all kinds of encoding going on, and it's good for obfuscating the PDF and avoiding AV detection, but it really makes the file much larger. So you're looking at things like JavaScript

optimization if you're using a JavaScript-based attack. A little bit strange thing about that is, instead of trying to optimize it for speed, which is what you would typically be doing for JavaScript, you're now trying to optimize it for size. And yeah, so there are different ways to encode or not encode the file to reduce the size to get around that restriction. By the way, I think we failed to point out that on that XP box we did have AV enabled and the definitions current, so it slid right by it. Right, surprising, not. So, the obligatory defense slide, right? So nothing too

surprising hopefully for anyone here. So, you know, on the application side we want developers to really mitigate or prevent these types of attacks by filtering untrusted input, encoding output, blah blah blah. Encoding output is a little different in this context because, you know, what they're dealing with in the application, the content type of PDF, they have to support certain characters in the output. But the input they certainly could have filtered much more effectively. You can do that a number of ways: you can assert that the data type coming in is an int instead of a string, you can do bounds checking, you can do parameterized queries; they should do parameterized queries, right? So on and

on; it really depends on the nature of the app as to how many protective measures the code needs. User training: why don't we just do user training, that's effective, right? I had to put it up there. So obviously if they didn't click the untrusted link this really would slim down the attack surface. I mentioned WAF and network IDS as a potentially effective mitigation control. So you potentially have a web application that's, you know, pulling from databases, and they have parameters that are dynamic, right? So the WAF, for example, could be configured to look at all requests

with this particular parameter name and ensure that it's a numerical value, for instance, and that would be effective in blocking this type of attack. And there are other ideas; if you have any, shout.

Okay, so yeah, for further reading, this is a number of references that we used in our research, and if you'd like to know more or if you haven't visited some of these sites we encourage you to do so. Again, not SQL 101 necessarily, SQL injection 101; this is more the, what I find more interesting, having been a database developer for a long time, so more of the advanced stuff. The one down there, the SQL injection cheat sheet, is an awesome resource; it covers MySQL, MS SQL, Oracle, probably a few more, is organized very well, and it's a go-to source for me

when I do pen tests. The last few have to do with content sniffing. So, for example, if you're a vulnerable web page, instead of returning a content type of PDF, maybe it's open to tampering, or maybe it's like octet-stream; you can actually exploit the feature of IE which sniffs content and potentially render otherwise inert strings as, for example, JavaScript. Okay, and that's how we could potentially use our payloads to, for example, execute cross-site scripting attacks, or some of the other document formats. Okay, and there's more, right? So this is more a set of good resources on PDF

formatting, which you can get away with, how to trim PDFs, what's really necessary. Again, Stevens, Julia Wolf's got a great couple of resources out on FireEye about PDF formats; awesome resource there. And that's about all I have to say about that slide. And we found a graphic for a tool, so we hope you like it. So check out the script, make comments, I think that's a capability out on GitHub. We've got some contact information out there, so if you can think of other use cases or features you'd like to see, we'd be more than happy to build those into the script. So, any questions?

Sure, right, right, right. So yeah, and if I could paraphrase, the question was what if parameterized queries aren't an option, or if it's a preference to handle some of the assertions of data type or bounds in code rather than using parameterized queries. I don't think it's stupid at all; in fact I see that all the time, where even if it's a SQL Server backend, I see all the time where developers do that very thing. And as long as you are consistent with that, so if the code is maintainable and you can audit periodically that, you know, somebody else hasn't gotten in there and changed things, for one. There's

probably a ton of other scenarios to consider, and whether your controls are effective. So I would encourage, if that is in place, to make sure you're doing those code reviews and pen tests, just to make sure that, number one, you haven't missed anything, number two, maybe there's a new attack vector out there that, you know, than last year: do your controls still work? So yeah, that was a good question. All right, well, thank you for your participation and attention very much.

By the way, that also escapes