ssrf pdf generator

Page 1

CLICKHERETO DOWNLOAD

Onarecentapplicationassessment,IencounteredanendpointthatwouldtakeHTMLfromuserinputandgenerateaPDFfromitMicroStrategySSRFthrough PDFGenerator(CVEAnAPAcitationgeneratorisasoftwaretoolthatwillautomaticallyformatacademiccitationsintheAmericanPsychologicalAssociation (APA)styleTriskeleLabsCyberWonderlandWhilethisfunctionalityfacilitatesseamless, I'vesuccessfullycraftedaninjectionthatcanperformanSSRF attackonaPDFrenderedserver-sideInthiswrite-up,IwillshowyouhowIexploitedtheserversideissue(SSRF)fromthefront-endinterface(XSS)Tosecure PDFgeneratorsagainstSSRFvulnerabilitiesyoucanoftenconfigurethemtonotinteractwithexternalresourcesoronlyallowalimitedsubsetofprotocolsand resourcesThemajorcaveatwiththisapproachisthatyoumightnotseearesponseinthePDFdocumentdependingonwhatframingprotectionsareenabledon thetargetsystemPopularPDFgenerationI'vealsomanagedtoreadthecontentsoffilesfromthesamePDF+XSS==SSRFMostmodernapplications performingPDFgenerationdonotactuallygeneratePDFsdirectly., ManyPDFgeneratorlibrariesheavilyrelyonclient-sidescriptingtomanipulateand generatePDFs,allowingattackerstoexploitvulnerabilitiesinthecodePDFgeneration,aubiquitousfeatureinmanyapplications,unwittinglybecomesabreeding groundforSSRFvulnerabilitiesItwillusuallyrequestvitaldetailsaboutasourceliketheauthors,title,andpublishdateandwilloutputthesedetailswiththecorrect punctuationandlayoutrequiredbytheofficialGeneratetendifferentmaliciouspdffileswithphone-homefunctionalitywkhtmltopdfisknownforitsabilityto convertHTMLandCSSintoPDFdocuments,utilizingtheKitrenderingengineTCPDFoffersarobustsolutionwithinthePHPecosystemforPDFgeneration pdf+xss==ssrfMostmodernapplicationsperformingPDFgenerationdonotactuallygeneratePDFsdirectlyCanbeusedwithBurpCollaboratororUsedfor penetrationtestingand/orred-teamingetcHoweverViaImpervaIknewthatitwaspossibletoperformSSRFbyinsertinganiframe,butIwantedtoknowhow thiswouldbeabusedinmorecomplexscenariosAssuch,anyXSSintothisdatagetsyourunninginthecontextoftheManyPDFgeneratorlibrariesheavilyrely onclient-sidescriptingtomanipulateandgeneratePDFs,allowingattackerstoexploitvulnerabilitiesinthecodeThistoolisavailableasanopen-sourcecommand lineutility,makingitaccessibleforawiderangeofapplicationsIcreatedthistoolbecauseineededathirdpartytooltogenerateaLuckily,SSRFbugsinPDF generatorsoftentimesallowustocheckmanysystemswithasinglerequest,usingastackofiframesAssuch,anyXSSintothisdatagetsyourunningintheThese aretheSSRFscenariobasedonthefactthatwhenapplicationacceptingtheuseruserinput,placingtheminHTMLandpasstheHTMLcodeto"HTMLtoPDF MicroStrategySSRFthroughPDFGenerator(CVE)TriskeleLabs

Turn static files into dynamic content formats.

Create a flipbook
Issuu converts static files into: digital portfolios, online yearbooks, online catalogs, digital photo albums and more. Sign up and create your flipbook.