OWASP AppSec Europe 2015

In this presentation Alex Inführ talks about possible attack vectors against web pages by using PDFs.
First the structure of a simple PDF will be presented to give
a quick overview about the concept of PDF. Additionally interesting features in the PDF specification will be discussed.
This includes information about privileged JavaScript,FormCalc, XFA, Actions and more.
Adobe Reader also has some interesting security concepts, which mostly focus on protecting the end user on a system level.

In the second part Alex Inführ will cover possible attacks against the user. This includes web related issues as well as attacks against the end user system.
The attacks show how privileged JavaScript can be used to steal local files from the user. Additionally possible XXE issues will be covered.
Another big topic is FormCalc and the possibility to read any file same origin. This gives attackers the possibility to break CSRF protection completely.

Last but not least Alex Inführ will talk about what protection could be applied.
This will cover methods for end users as well as for website owners.