0x39 - SSRF in PDF Generators
Did you know SSRF vulnerabilities are extremely common in applications that generate PDF files from user-provided input (invoices, contracts, reports, etc.)?
This happens because the PDF engine is insecurely configured and follows/renders the payloads injected by the attacker.
In just 10 minutes I found 7 vulnerable online PDF converters on the first page of Google, including wkhtmltopdf, Select.Pdf and PhantomJS.
Among other things, SSRF vulnerabilities can be used to:
- access data behind firewalls
- interact with hosts/services on the internal network
- read cloud tokens/keys
- remote code execution
How to do it
1. Find a feature in the app that generates a PDF file
2. Identify the piece of data that you can control within the generated file (i.e. firstname, email, address, etc.)
3. Inject a test payload to check whether HTML rendering is enabled (for example, <h1>test</h1> will display the word test in a larger font)
4. Use one of the following payloads to load files hosted on the internal network
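From the defender's side, the two controls that close this class of bug are (a) escaping user-controlled fields before they are interpolated into the HTML handed to the PDF engine, so the step-3 test payload renders as literal text, and (b) a deny-by-default check on every resource reference in the final HTML, so the engine is never asked to fetch file:// paths or internal hosts. The following Python is an added example written for this page, not code from any of the converters or engines named above; the invoice template, the `static.example.internal` asset host and the sample HTML are constructed for illustration.

```python
import html
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed template: the kind of invoice HTML a "generate PDF" feature
# feeds to an HTML-to-PDF engine. The braces are the user-controlled fields.
INVOICE_TEMPLATE = """<html><body>
<h2>Invoice</h2>
<p>Customer: {firstname}</p>
<p>Email: {email}</p>
<p>Address: {address}</p>
</body></html>"""

# Assumption: the only host the renderer is allowed to fetch assets from.
ALLOWED_HOSTS = {"static.example.internal"}

# url(...) inside CSS is another way an engine is told to fetch something.
_CSS_URL = re.compile(r"""url\(\s*["']?([^"')\s]+)""", re.IGNORECASE)


def build_invoice_html(fields):
    """Interpolate user-controlled fields with HTML escaping applied.

    html.escape turns <h1>test</h1> into &lt;h1&gt;test&lt;/h1&gt;, so the
    engine shows the literal text instead of interpreting it as markup.
    """
    safe = {k: html.escape(str(v), quote=True) for k, v in fields.items()}
    return INVOICE_TEMPLATE.format(**safe)


class _RefCollector(HTMLParser):
    """Collect (tag, reference) pairs the engine would try to load."""

    def __init__(self):
        super().__init__()
        self.refs = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        self._in_style = tag == "style"
        for name, value in attrs:
            if value is None:
                continue
            # src (img, iframe, script), data (object) and link href are fetched
            # at render time; an anchor's href is not, so it is skipped.
            if name in ("src", "data") or (name == "href" and tag == "link"):
                self.refs.append((tag, value))
            elif name == "style":
                self.refs.extend((tag, u) for u in _CSS_URL.findall(value))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.refs.extend(("style", u) for u in _CSS_URL.findall(data))


def _is_internal_host(host):
    """True for loopback, private, link-local (cloud metadata) and localhost names."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host == "localhost" or host.endswith(".localhost")
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_unspecified)


def audit_pdf_source(html_src, allowed_hosts=ALLOWED_HOSTS):
    """Return (tag, reference, reason) for every reference that is not an
    http(s) URL to an allowlisted host. Deny by default: odd encodings of an
    address that ipaddress cannot parse still fail the allowlist check."""
    collector = _RefCollector()
    collector.feed(html_src)
    findings = []
    for tag, ref in collector.refs:
        parts = urlsplit(ref.strip())
        scheme = parts.scheme.lower()
        host = parts.hostname or ""
        if scheme not in ("http", "https"):
            findings.append((tag, ref, "non-http scheme %r" % (scheme or "relative")))
        elif _is_internal_host(host):
            findings.append((tag, ref, "internal/loopback/link-local host"))
        elif host not in allowed_hosts:
            findings.append((tag, ref, "host not in allowlist"))
    return findings


# Constructed sample of HTML that should never reach the renderer unchecked.
SUSPECT_SOURCE = """<html><body>
<p>Customer: Jane</p>
<img src="https://static.example.internal/logo.png">
<img src="http://10.0.0.5/">
<iframe src="file:///"></iframe>
<div style="background: url(http://127.0.0.1/)"></div>
</body></html>"""

if __name__ == "__main__":
    print(build_invoice_html({"firstname": "<h1>test</h1>",
                              "email": "jane@example.test", "address": "n/a"}))
    for finding in audit_pdf_source(SUSPECT_SOURCE):
        print("BLOCK", finding)
```

The escaping in `build_invoice_html` is what makes step 3 above fail for a tester: the `<h1>` arrives as text, not markup. `audit_pdf_source` is a defence-in-depth gate to run on the complete HTML just before it is handed to the engine; it cannot see redirects or DNS rebinding, so the primary fix remains the engine's own configuration (for wkhtmltopdf, running with local file access disabled via `--disable-local-file-access`) plus egress filtering from the host that does the rendering.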