Real security vulnerabilities always speak louder.
Today we're going to talk about SSRF attack that allows hackers to send any network requests from the back-end server by using <img> tags.
I came across this vulnerability during penetration testing conducted for two separate projects. Screenshots are taken right out of testing reports. Any confidential data is hidden.
Definition: a server sends random network requests during PDF document generation
Description: users generated a PDF document from a fully rendered HTML page with all external resources. The document contained data users had filled in. We can put our external resources in a server rendering without being particularly careful in request filtering. Let's say it will be it-band.by/10gb.blob (supposedly it weights 10 Gb).
Risk evaluation (Likelihood*Impact): Medium(5)*High(7)=High(35) for both systems the risk was high anyway, though with different rates.
1. Create such file and attempt to inject it
2. Find vulnerable fields
3. Generate PDF
4. Go to a server and check if it had sent any requests for a huge 10Gb.blob
Summary. Both systems are now fixed. Instead of HTML purifying, system #1 now performs escaping during user data processing and PDF generation. System #2 during user data processing cuts out any absolute links to external resources.
Updated: before the article publication, I found new cases to review.
So-called System #3 failed this vulnerability protection in two places: through HTML and CSS injections.
D<b onmouseover=alert(1)>e</b>""&|;$'\!--#@\ć'e123456"><script src=https://[link to js]></script>d
The article is provided for training and educational purposes only. Presented examples illustrate mistakes that should be avoided in your work.
Denis Koloshko, Penetration Tester, CISSP
Penetration testing for your web application