How I found XSS and open redirect in Kamiapp.com accidentally


Alimuhammadsecured

Why it’s important to always read JS files and look at the console

As the title says, I found an XSS by mistake on Kamiapp.com when I was trying to convert one of my PNG files into a PDF. Kami has a neat feature that converts numerous file types into PDFs, lets you edit them and add annotations, and then exports them.

The same thing could have been found in the Sources tab, but this is a reminder that developers often leave console logs behind and forget to remove them in production, and sometimes those logs contain sensitive information.

The story began when a file I uploaded failed to convert without a meaningful error message. So I opened the console to see what was happening, and that’s when I saw many messages left by the developers for debugging purposes. I got curious and noticed one of the messages mentioning “PDF.js”. A quick Google search showed it is a PDF rendering library made by Mozilla. I then searched “PDFJS CVE Snyk” and clicked the first link. After some more googling, it turned out that the affected versions of the library do not sanitize functions embedded in the PDF and trust them blindly, without escaping special characters either.

I searched GitHub for the CVE by literally typing “PDFJS CVE CVE-2018-5158 POC”, and downloaded the first PDF I could find. I uploaded it to Kamiapp and I was pretty stoked.

Unfortunately, I was not able to pop an alert box no matter how hard I tried. I couldn’t entirely figure out why; if you know, go ahead and comment so I can learn with you.

I was sure their other tools (OCR, merge & split) were also vulnerable to this CVE. After clicking around, I uploaded the CVE PDF to their OCR feature and boom!

Still, I was not able to cause a redirect or view cookies. I would get a simple error saying the object does not exist. This may be a protection, or perhaps the DOM had not fully loaded; it worked on this tool but not on the main page, so who knows. If you know, again, let me know; I would love to learn with you.

Kami allows you to import a PDF template from their library. When you import it I noticed something interesting in the URL: ?file=… googlestorage…

I thought it might be an SSRF, but that was not the case. However, the browser was making a request to the URL, and if that request failed, Kami showed a generic error message. But here’s where things get interesting: if the resource returns an error status code (500, or anything other than 200), Kami gives you the option to download the resource instead.

Upon clicking Download, it simply redirects to the resource without checking whether it is actually the resource Kami intended.
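The missing check described above is a strict allowlist on the `file` parameter before any redirect. The following is an added example, not Kami’s code; the app origin and the allowed template host are placeholder assumptions, and the sample inputs are constructed.

```javascript
// Added example (not Kami's code): validate a `?file=` parameter before redirecting to it.
// Assumptions: the WHATWG URL API is available (Node >= 10 or any modern browser),
// APP_ORIGIN is the app's own origin, and the allowlist host is a placeholder.
const APP_ORIGIN = 'https://app.example.test/';                    // assumed placeholder
const ALLOWED_TEMPLATE_HOSTS = new Set(['templates.example-storage.test']); // assumed placeholder

// Returns the normalized URL to redirect to, or null when the parameter must be refused.
function resolveDownloadTarget(fileParam) {
  if (typeof fileParam !== 'string' || fileParam.length === 0) return null;
  let url;
  try {
    // Resolving against the app origin makes protocol-relative ("//evil") and
    // relative inputs explicit instead of leaving the interpretation to the browser.
    url = new URL(fileParam, APP_ORIGIN);
  } catch (err) {
    return null; // unparseable input is refused, never passed through
  }
  if (url.protocol !== 'https:') return null;                 // drops javascript:, data:, http:
  if (url.username !== '' || url.password !== '') return null; // drops https://good-host@evil
  if (!ALLOWED_TEMPLATE_HOSTS.has(url.hostname)) return null;  // exact host match, not suffix
  return url.href;                                             // scheme and host normalized
}

// Constructed sample inputs covering the usual open-redirect bypass shapes.
const SAMPLE_FILE_PARAMS = [
  'https://templates.example-storage.test/kami/template.pdf',   // intended resource
  'HTTPS://TEMPLATES.EXAMPLE-STORAGE.TEST/A.pdf',               // case differences are normalized
  'javascript:alert(1)',                                        // scheme smuggling
  '//evil.test/template.pdf',                                   // protocol-relative
  'https://templates.example-storage.test@evil.test/x.pdf',     // userinfo trick
  'https://templates.example-storage.test.evil.test/x.pdf',     // allowlisted host as a prefix
  'https:\\\\evil.test/x.pdf',                                  // backslash variant
];

// Maps each sample to its decision so the behaviour can be inspected or asserted on.
function classifySamples(samples = SAMPLE_FILE_PARAMS) {
  return samples.map((p) => ({ input: p, target: resolveDownloadTarget(p) }));
}

for (const r of classifySamples()) {
  console.log(r.target === null ? 'REFUSE ' : 'ALLOW  ', r.input);
}
```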

Kami has a Responsible Vulnerability Disclosure Policy. I emailed support and got a reply saying they would get back to me if it was a big issue, and then I was ghosted. Therefore, it must not have been a critical issue, or they simply don’t care. Either way, this article raises awareness and shows that recon is not always everything; sometimes it takes time to just use the main application. Take your time, read the logs and the JS, and just think.

Connect with me on LinkedIn: https://www.linkedin.com/in/muhammadalisecured/?source=about_page

Twitter: https://x.com/ali_muhammadsec
