0x39 - SSRF in PDF Generators

Did you know SSRF vulnerabilities are extremely common in applications that generate PDF files from user-provided input (invoices, contracts, reports, etc.)?

This happens because of insecure configuration of the PDF engines, which follow and render the payloads injected by the attacker.

In just 10 minutes I found 7 vulnerable online PDF converters on the first page of Google, including wkhtmltopdf, Select.Pdf and PhantomJS.

Among other things, SSRF vulnerabilities can be used to:

  • access data behind firewalls

  • interact with hosts/services on the internal network

  • read cloud tokens/keys

  • achieve remote code execution


How to do it

  1. Find a feature in the app that generates a PDF file

  2. Identify the piece of data that you can control within the generated file (e.g. firstname, email, address, etc.)

  3. Inject a test payload to check if HTML rendering is enabled (for example, <h1>test</h1> will display the word test in a larger font)

  4. Use one of the following payloads to load files hosted on the internal network
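
Defensive counterpart to step 3, as an added example that is not part of the original post: the test in step 3 only succeeds when a user-controlled field reaches the HTML template unescaped, so this sketch escapes the fields and audits the final HTML before it is handed to the PDF engine. The template, the function names and the asset host static.example.com are assumptions made for illustration.

```python
import html
from html.parser import HTMLParser
from string import Template
from urllib.parse import urlsplit

# Hypothetical invoice template; the placeholders are the user-controlled fields.
INVOICE_TEMPLATE = Template(
    '<html><body><img src="https://static.example.com/logo.png">'
    "<p>Name: $firstname</p><p>Address: $address</p></body></html>"
)
ALLOWED_TAGS = {"html", "body", "img", "p"}       # tags the template itself uses
ALLOWED_RESOURCE_HOSTS = {"static.example.com"}   # assumed asset host


def render_invoice(fields, escape=True):
    """Fill the template; escape=False reproduces the unsafe behaviour."""
    values = {k: html.escape(v, quote=True) if escape else v
              for k, v in fields.items()}
    return INVOICE_TEMPLATE.substitute(values)


class _Audit(HTMLParser):
    """Collects tags outside the template's set and non-allow-listed resources."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.findings.append(f"unexpected tag <{tag}>")
        for name, value in attrs:
            if name in ("src", "href", "data") and value:
                parts = urlsplit(value)
                if (parts.scheme != "https"
                        or parts.hostname not in ALLOWED_RESOURCE_HOSTS):
                    self.findings.append(f"resource not allow-listed: {value}")


def audit_html(document):
    """Return findings for markup the PDF engine would render or fetch."""
    parser = _Audit()
    parser.feed(document)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    sample = {"firstname": "<h1>test</h1>", "address": "1 Main St"}  # constructed
    print(audit_html(render_invoice(sample, escape=False)))  # markup reaches engine
    print(audit_html(render_invoice(sample)))                # rendered as plain text
```

Refusing to render when audit_html returns any finding gives a second layer in case a template path ever skips the escaping.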



References: