# Week 51 - HTML to PDF

Did you know Lyft was (legally) hacked in 2018 through an export to PDF feature?\
\
Buckle up, cause this is an interesting one. The researcher Nahamsec was testing Lyft through a bug bounty program and discovered an HTML injection within Lyft’s ‘generate expense report’ feature. This feature allowed the user to export their ride history within a PDF, and Nahamsec found a way to specify custom HTML that would be rendered by the server and converted into this PDF.\
\
Now if you’ve been following my web hacking series, you would know where to go from here: check for Server-Side Request Forgery, since we can render HTML as the server. I’ve posted before on using \<iframe>, \<embed> and even SVG files to exploit SSRF. Nahamsec tried several techniques but failed to create a working SSRF exploit.\
\
This is where things get interesting, and where I learned a new SSRF payload. Nahamsec found that you can use the following HTML payload:\
\
`<link rel=attachment href="URL">`\
\
This payload will attach the content of any web page (the server response) from the specified URL. This response will be invisible within the PDF, as it will be embedded within the file contents. To view it, we will have to run a separate command to extract the embedded data. That command is:\
\
`pdfdetach -saveall filename.pdf`\
\
Now all you need to do is print out the embedded resource:\
\
`cat attachment.bin`\
\
And you will have the SSRF response! Using this technique, Nahamsec could reach out to the default AWS metadata server located at 169\[.]254\[.]169\[.]254 and steal Lyft's AWS Access Keys!

![](/files/LuX5zOAKNdym5UdLLrdz)
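A defensive counterpart to the payload above, as an added example (not code from the original write-up or from Lyft): a pre-render audit that flags `<link rel=attachment>` and any URL pointing at an internal address such as 169.254.169.254 in user-supplied HTML before it reaches the PDF renderer. The names `audit_html`, `is_internal_host` and `RenderInputAuditor`, and the sample input, are assumptions made for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make a server-side renderer fetch a URL.
URL_ATTRS = ("href", "src", "data")

def is_internal_host(host):
    """True for literal IPs in loopback, link-local or private ranges."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname: re-check the resolved IP at fetch time
    return ip.is_loopback or ip.is_link_local or ip.is_private

class RenderInputAuditor(HTMLParser):
    """Collects (reason, url) findings for markup the renderer should not see."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        # The payload from the post: the response gets embedded in the PDF.
        if tag == "link" and "attachment" in attrs.get("rel", "").lower().split():
            self.findings.append(("attachment-link", attrs.get("href", "")))
        for name in URL_ATTRS:
            url = attrs.get(name)
            if not url:
                continue
            try:
                parts = urlsplit(url)
                host = parts.hostname
            except ValueError:
                self.findings.append(("malformed-url", url))
                continue
            if parts.scheme not in ("", "http", "https"):
                self.findings.append(("blocked-scheme", url))
            elif host and is_internal_host(host):
                self.findings.append(("internal-address", url))

def audit_html(user_html):
    auditor = RenderInputAuditor()
    auditor.feed(user_html)
    auditor.close()
    return auditor.findings

# Constructed sample input, not taken from the original report.
SAMPLE = ('<p>Ride notes</p><link rel=attachment href="http://169.254.169.254/">'
          '<img src="https://example.com/logo.png"><embed src="ftp://example.com/x">')
```

Reject or strip the input when `audit_html` returns any finding. Because hostnames are not resolved here, the renderer's own fetches should also be restricted at the network layer.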


