Web Hacking Tips
  • Web App Hacking Tips & Tricks
  • Weekly Tips
    • Week 1 - XSS Filter Evasion
    • Week 2 - CSRF Token Bypass
    • Week 3 - CORS Exploitation
    • Week 4 - Finding XSS
    • Week 5 - CSRF Explanation
    • Week 6 - XSS Types
    • Week 7 - Advanced SQLMap
    • Week 8 - Stealing HttpOnly Cookies from PHPINFO
    • Week 9 - SQLMap Tamper Scripts
    • Week 10 - XSS Obfuscated Payloads
    • Week 11 - XS-Search: Cross-Origin Enumeration
    • Week 12 - Subdomain Takeovers
    • Week 13 - XSS Keylogger
    • Week 14 - Algolia API Keys
    • Week 15 - GraphQL Introspection
    • Week 16 - Naming BurpSuite Repeater Tabs
    • Week 17 - GoBuster Tips
    • Week 18 - Burp Request to Python Script
    • Week 19 - Customizing Nikto Scans
    • Week 20 - Google Phishing Page
    • Week 21 - Google BITB
    • Week 22 - XSS Through SVG File
    • Week 23 - FoxyProxy Extension
    • Week 24 - CSP Bypasses
    • Week 25 - Pilfering LocalStorage with XSS
    • Week 26 - Cloud SSRF
    • Week 27 - Blind XSS
    • Week 28 - Firebase Misconfigurations
    • Week 29 - XSS to CSRF
  • Week 30 - SQLMap Debugging
  • Week 31 - WayBack Machine
  • Week 32 - O365 BITB
  • Week 33 - Burp Intruder Attacks
  • Week 34 - GraphQL Bruteforcing
  • Week 35 - User Accounts
  • Week 36 - CVE Submission
  • Week 37 - Second Order SQLi
  • Week 38 - Out of Band SQLi
  • Week 39 - Broken Link Hijacking
  • Week 40 - JWT Testing
  • Week 41 - BURP ATOR
  • Week 42 - ProxyChains
  • Week 43 - CSS Keylogging
  • Week 44 - SVG SSRF
  • Week 45 - Request Smuggling
  • Week 46 - XSS Payloads
  • Week 47 - DNS Re-binding
  • Week 48 - SSRF Bypass
  • Week 49 - File Upload Bypass
  • Week 50 - CRLF Injection
  • Week 51 - HTML to PDF
  • Week 52 - Parameter Pollution
  • Week 53 - Pre-Account Takeover
  • Week 54 - Race Conditions
  • Week 55 - SQLi to RCE
  • Week 56 - Cloud SSRF PrivEsc
  • Week 57 - Response Queue Poisoning
  • Week 58 - Directory Traversal
  • Week 59 - File Upload -> CSRF
  • Week 60 - Modern CSRF Attacks
Powered by GitBook
  1. Weekly Tips

Week 26 - Cloud SSRF

PreviousWeek 25 - Pilfering LocalStorage with XSSNextWeek 27 - Blind XSS

Last updated 2 years ago

Exploiting HTML -> PDF Features for Cloud SSRF

For this week’s web hacking tip, I’m discussing one of my favorite areas to focus on when testing a web application. Any time I see an ‘Export to File’ feature I immediately direct my attention to it.

Usually this means some kind of server-side logic is occurring on the back-end to create or convert a file. I especially like to see an ‘Export as PDF’ since it often means the server is rendering HTML, capturing a photo of it, and then embedding that photo within a PDF file. Commonly I see PhantomJS in use here.

You might be wondering how we can attack this? Since the server renders HTML passed to it, we need to try and pass our own HTML within a GET/POST parameter. I frequently find POST parameters being used to send HTML directly to the endpoint responsible for creating the screenshot. Many times, the request parameter will literally contain HTML tags like:

{paramName: “<p>some text here</p>”}

This makes our job easy. We can inject our own HTML right before the <p> tags above. We can use an iframe to link directly to localhost resources. Remember, this works because we are running within the context of localhost thanks to the server rendering the HTML, rather than the client:

<iframe src=’http[:]//localhost:80/’ >

The server will render the above iframe which will load a photo of whatever localhost service is running on port 80. A cool thing to try here too is requesting resources that are externally forbidden, such as ‘/server-status’ or even ‘/admin’ since often they will be accessible locally. Additionally, I’ve found that adding an inline-style attribute makes reading the result much easier:

<iframe src=’http[:]//localhost[:]80/’ style=’height:800px;width:800px’ >

From here, we can continue to port scan localhost or proceed to an even-more-fun method of attack: cloud-based SSRF. If the web server is existing within an AWS environment, you can reach out to the metadata server which contains access keys and other sensitive information. This metadata server is only accessible internally, but thanks to the SSRF you found you can now reach it!!

<iframe src=http[:]//169[.]254[.]169[.]254/latest/meta-data/iam/security-credentials’ style=’height:800px;width:800px’ ></iframe>

The above iframe will show you the name(s) of any available security credentials within the metadata server. These security credentials contain access keys which can be used to access AWS features like S3 buckets, Lambda functions, EC2 instances and more. The IP address is the same for all AWS environments. More cloud pentesting tips may be coming soon, so like and follow for more :p

Extra Tip: Have you ever wondered why virtually all cloud-ssrf tips focus on AWS? Azure and GCP both have metadata servers as well, but they require an additional HTTP request header to be sent.

Page cover image
SRC:
https://systemweakness.com/story-behind-sweet-ssrf-40c705f13053