Week 51 - HTML to PDF
Last updated
Did you know #Lyft was (legally) hacked in 2018 through an export to PDF feature?
Buckle up, because this is an interesting one. The researcher Nahamsec was testing Lyft through a bug bounty program and discovered an HTML injection within Lyft’s ‘generate expense report’ feature. This feature allowed the user to export their ride history as a PDF, and Nahamsec found a way to specify custom HTML that would be rendered by the server and converted into this PDF.
Now if you’ve been following my web hacking series, you’ll know where to go from here: check for Server-Side Request Forgery, since we can render HTML on the server. I’ve posted before on using <iframe>, <embed> and even SVG files to exploit SSRF. Nahamsec tried several techniques but failed to create a working SSRF exploit.
This is where things get interesting, and where I learned a new SSRF payload. Nahamsec found that you can use the following HTML payload:
<link rel=attachment href="URL">
This payload makes the renderer fetch the specified URL and attach the response (the content of whatever web page is there) to the PDF as an embedded file. The response is not visible in the rendered PDF, because it is embedded in the file contents rather than displayed. To view it, we have to run a separate command to extract the embedded data. That command is:
pdfdetach -saveall filename.pdf
Now all you need to do is print out the embedded resource:
cat attachment.bin
And you will have the SSRF response! Using this technique, Nahamsec could reach out to the default AWS metadata server located at 169[.]254[.]169[.]254 and steal Lyft's AWS Access Keys!
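From the defender's side, the fix is to treat ride data as text rather than markup before it reaches the HTML-to-PDF renderer, and to check submitted HTML for tags that make the renderer fetch URLs. The following is an added example (not Lyft's or Nahamsec's code); the tag list and the sample input are assumptions, and the URL in the sample is a placeholder.

```python
import html
from html.parser import HTMLParser

# Tags that make a server-side HTML-to-PDF renderer fetch a URL:
# <link rel=attachment> from the write-up, plus the iframe/embed/svg
# vectors mentioned above. Assumed list; tune it to the renderer in use.
FETCHING_TAGS = {"link", "iframe", "embed", "object", "img", "svg", "use",
                 "script", "style", "base", "meta"}
URL_ATTRS = {"href", "src", "data", "xlink:href"}


class FetchTagFinder(HTMLParser):
    """Collects every tag (with its URL attributes) that could trigger a fetch."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() in FETCHING_TAGS:
            urls = {k.lower(): v for k, v in attrs if k.lower() in URL_ATTRS}
            self.findings.append((tag.lower(), urls))


def find_fetching_tags(user_html):
    """Pre-render check: returns [(tag, {attr: url})] for anything that would
    make the PDF renderer reach out to a URL. Empty list means nothing found."""
    finder = FetchTagFinder()
    finder.feed(user_html)
    finder.close()
    return finder.findings


def build_report_row(description):
    """The actual fix: escape user-supplied text, so '<link ...>' reaches the
    renderer as literal characters and never becomes a tag."""
    return "<tr><td>" + html.escape(description, quote=True) + "</td></tr>"


# Constructed sample of the kind of input the write-up describes
# (placeholder URL, not a real host).
SAMPLE = 'Ride to airport <link rel=attachment href="http://internal.invalid/secret">'

if __name__ == "__main__":
    print(find_fetching_tags(SAMPLE))                     # the injected link is flagged
    print(find_fetching_tags(build_report_row(SAMPLE)))   # [] once the text is escaped
```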