Hello, how are you guys doing? This is my first write-up, so please excuse my noobness. :D
I want to share an issue I found on a private bug bounty program. Their PDF generator had an SSRF vulnerability, but the web app would not let me insert special characters into the input. I noticed, however, that they also have a mobile app, and the payload can be inserted there. The "save as PDF" function only exists on the web app, so the flow is: insert the payload via the mobile app, then log in to the web app and use "save as PDF". Luckily, payloads that use a forward slash (/) instead of a space were not filtered, so an iframe tag with a forward slash as the separator works.
This is the payload I used: <iframe/src="">
I tried inserting <iframe/src="http://localhost/"> and also <iframe/src="http://127.0.0.1">, but the generated PDF came back blank. My next step was to create a subdomain and point its DNS record at 127.0.0.1, so the payload became <iframe/src="http://sub-domain.mydomain.com">. I inserted it via the mobile app and used "save as PDF" on the web app. The payload worked, but what I saw in the PDF was just the app's login form. Then I had an idea: what if I could reach a file that is only accessible internally? So I used dirsearch to brute-force their directories. In the results I found "elmah.axd" with a 403 status code, meaning I was forbidden from accessing that file from the outside. I added "elmah.axd" to my payload, so it looked like this: <iframe/src="http://sub-domain.mydomain.com/elmah.axd">
So, I inserted the payload again via the mobile app, used the "save as PDF" function on the web app, and it worked: what I saw in the PDF was their error logs. I reported the issue to the company and they rewarded me with a bounty. It took them only an hour to fix the issue and a day to send the bounty.
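The fix on the server side is the part the write-up leaves out, so here is an added example (my own code, not the program's or any PDF library's) of the check a renderer should run before it fetches an iframe or image source. It resolves the hostname and refuses anything that lands on loopback, private or other non-public addresses, which is exactly what the DNS-to-127.0.0.1 trick relies on slipping past. The FAKE_DNS table and the addresses in it are constructed so the example runs offline; swap in system_resolver for real use.

```python
"""Validate the target of a server-side fetch (e.g. an HTML-to-PDF renderer
loading <iframe src=...>) before the fetch happens. Added example, not code
from the program described in the write-up."""
import ipaddress
import socket
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}

# Constructed lookup table standing in for DNS so the example runs offline.
# The sub-domain entry mirrors the write-up: a public name pointing at loopback.
FAKE_DNS = {
    "localhost": ["127.0.0.1", "::1"],
    "sub-domain.mydomain.com": ["127.0.0.1"],
    "cdn.example.test": ["93.184.216.34"],  # constructed "public" address
}


def fake_resolver(host):
    return [ipaddress.ip_address(a) for a in FAKE_DNS.get(host.lower(), [])]


def system_resolver(host):
    """Real resolver for production use: every address the name maps to."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    # Strip a possible IPv6 scope id such as fe80::1%eth0 before parsing.
    return [ipaddress.ip_address(info[4][0].split("%")[0]) for info in infos]


def is_public_address(addr):
    """True only for globally routable unicast addresses."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return not (addr.is_loopback or addr.is_private or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_fetch_target(url, resolver=system_resolver):
    """Return (allowed, reason). Run this before the renderer fetches anything."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IP, no lookup needed
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:
        if not is_public_address(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"


class _SrcCollector(HTMLParser):
    """Collects src attributes; the stdlib parser also accepts the
    <iframe/src=...> form where '/' replaces the space."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name == "src" and value:
                self.urls.append(value)


def extract_src_urls(html):
    collector = _SrcCollector()
    collector.feed(html)
    return collector.urls


if __name__ == "__main__":
    # Constructed document containing the write-up's payload shape.
    sample = '<p>report</p><iframe/src="http://sub-domain.mydomain.com/elmah.axd">'
    for url in extract_src_urls(sample):
        print(url, "->", check_fetch_target(url, fake_resolver))
```

Two caveats on using this in a real renderer: the fetch must connect to the address that was validated rather than resolving the name a second time (otherwise a record that changes between the check and the fetch defeats it), and the check has to sit in the PDF service itself, since, as the write-up shows, input filtering in one client (the web app) says nothing about what another client (the mobile app) stored.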
This one is short, but I hope you enjoyed reading it. :)