PDF-based SSRFs are fun to exploit.

Prasheek Kamble
Dec 31, 2023

Hello everyone, I’m back with a new article. In this article I’ll be demonstrating how I got a PDF-based SSRF in an application, which helps in exploiting AWS IAM, disclosing the Access Key and Secret Key.

While looking for APIs, I came upon an endpoint that was used to produce a PDF shipping label.

The intercepted request had a “description” input box, implying that the intercepted request included shipping label layouts. I quickly thought of creating an iframe to see if it was vulnerable to HTML Injection; when I tried to inject HTML code into that “description” input field, I was successful.

Image 1

As observed in the preceding screenshot, I attempted to inject an “iframe” in the “description” field by establishing a new collaborator link and seeing if I could get a hit back from the server.

Image 2

I can validate from the following screenshot that I received an HTTP hit back from the app’s server, validating the feasibility of SSRF.

Image 3

I received confirmation from the above image that the “description” input field was vulnerable to HTML Injection and Clickjacking attacks, and I escalated further to check for the possibility of SSRF. Because this was housed on Amazon AWS S3, I considered looking for an attack that exploits the AWS metadata and goes further to access its IAM security credentials.

Image 4

I received a hit back from the server and was successful when I attempted the following payload: “http://169.254.169.254/latest/meta-data/iam/security-credentials/aws-elasticbeanorastalk-ec2-role”

Image 5

I was able to successfully perform SSRF using the picture above, which allows me to access AWS metadata in the PDF receipt issued by the application. This revealed the following information: secret access key, token, area, and so on. So now, with its assistance, I can utilise the AWS Client to export all of the above-mentioned data and gain access.

My Reaction after successfully getting access to AWS Metadata!

This bug allowed me to escalate and to achieve RCE using a PDF based SSRF Vulnerability.
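On the defending side, the chain above breaks at two points: the “description” value reaching the renderer as markup, and the renderer being free to load any URL. The sketch below is an added example, not code from the tested application; the allowlisted host `static.example.com` and the function names are assumptions, and how the check is wired into a given HTML-to-PDF renderer depends on that renderer.

```python
import html
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical allowlist: hosts the label template may load assets from.
ALLOWED_ASSET_HOSTS = {"static.example.com"}


def escape_description(value: str) -> str:
    """Treat user input as text, so <iframe> is printed in the PDF, not loaded."""
    return html.escape(value, quote=True)


def _is_internal(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparsable address: fail closed
    # is_link_local covers 169.254.0.0/16, which holds the metadata endpoint.
    return (addr.is_link_local or addr.is_private or addr.is_loopback
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def renderer_may_fetch(url: str, resolve=socket.getaddrinfo) -> bool:
    """Deny-by-default decision for every URL the PDF renderer wants to load."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    host = parts.hostname.lower()
    if host not in ALLOWED_ASSET_HOSTS:
        return False
    try:
        infos = resolve(host, parts.port or 443, proto=socket.IPPROTO_TCP)
    except (OSError, ValueError):
        return False
    # An allowlisted name whose DNS points inside the VPC is still refused.
    return bool(infos) and not any(_is_internal(i[4][0]) for i in infos)


if __name__ == "__main__":
    # Constructed inputs modelled on the request described in the article.
    print(escape_description('<iframe src="http://169.254.169.254/latest/meta-data/">'))
    print(renderer_may_fetch("http://169.254.169.254/latest/meta-data/iam/"))
```

Requiring IMDSv2 on the instance adds a second layer, because a plain iframe load is a GET that carries no session token.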

Thanks for reading the article, Hope you liked it. :)

HAPPY HACKING!

CHEERS! 🥂

HAPPY NEW YEAR ✨
