From HTML Injection to Full AWS Account Takeover: Discovering Critical Risks in PDF Generation

By Raunak Parmar on 27 Jun 2025 @ Lehack
#ssrf #aws #web-security #cloud-pentesting #web-pentesting
Focus Areas: 🔐 Application Security , ☁️ Cloud Security , 🎯 Penetration Testing , 🌐 Web Application Security

Abstract

Modern web applications often provide features like PDF generation to enhance user experience, but these functionalities can inadvertently introduce critical vulnerabilities when improperly secured. During a recent penetration test, we identified a severe HTML injection vulnerability in the PDF file generation feature of two separate applications. Exploiting this weakness, we demonstrated the potential to perform Server-Side Request Forgery (SSRF) attacks, enabling access to internal files and sensitive application source code.

This session provides a detailed, real-world example of how a seemingly minor vulnerability can have catastrophic consequences. It emphasizes the importance of secure development practices, robust cloud configurations, and proactive vulnerability mitigation. Attendees will walk away with practical strategies to strengthen their security posture, making this talk both educational and actionable.

AI Generated Summary

The talk details a penetration test where a basic HTML injection in a PDF generation feature was escalated to a full AWS account takeover. The attacker identified an application that created PDFs from user-supplied HTML, using vulnerable libraries like VCPrint or wkhtmltopdf. By injecting specific HTML tags (e.g., <link>, <iframe>), an SSRF (Server-Side Request Forgery) vulnerability was triggered, allowing the server to make requests to internal resources.
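The injection point described above is user-controlled HTML reaching a renderer that honours resource-loading tags. One defensive control is to never hand raw user HTML to the renderer at all, only an allowlisted subset, and to log what was stripped. The following is an added example (not code from the talk or from either PDF library) of such a sanitizer built on Python's standard-library `html.parser`; the tag and attribute allowlists are assumptions chosen for an invoice-style document.

```python
"""Allowlist sanitizer for user-supplied HTML that will be rendered to PDF.

Added example (not from the talk or from either PDF library). The allowlists
are assumptions chosen for an invoice-style document: inline formatting, lists
and tables survive; nothing that can make the renderer fetch a URL or file does.
"""
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {
    "p", "br", "b", "i", "strong", "em", "span", "h1", "h2", "h3",
    "ul", "ol", "li", "table", "thead", "tbody", "tr", "th", "td",
}
# Per-tag attribute allowlist. Deliberately no src, href, style or on* handlers:
# those are the attributes a renderer turns into outbound requests or script.
ALLOWED_ATTRS = {"span": {"class"}, "td": {"colspan"}, "th": {"colspan"}}
VOID_TAGS = {"br"}
# Elements whose text content is dropped along with the tag itself.
DROP_CONTENT_TAGS = {"script", "style"}


class PdfHtmlSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []       # tags removed; useful for logging and alerting
        self._skip_depth = 0    # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if self._skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self._skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            # <link>, <iframe>, <img>, <object>, <embed>, ... all end up here.
            self.dropped.append(tag)
            if tag in DROP_CONTENT_TAGS:
                self._skip_depth += 1
            return
        kept = []
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, ()) and value is not None:
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self._skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self._skip_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # convert_charrefs=True hands us decoded text, so re-escape it on output.
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize_for_pdf(user_html):
    """Return (clean_html, dropped_tags) for HTML destined for the renderer."""
    parser = PdfHtmlSanitizer()
    parser.feed(user_html)
    parser.close()
    return "".join(parser.out), parser.dropped


if __name__ == "__main__":
    # Constructed sample input: benign invoice markup plus two resource-loading tags.
    sample = ('<p>Invoice <b>#42</b></p>'
              '<link rel="stylesheet" href="file:///internal/path">'
              '<iframe src="http://internal.example/"></iframe>')
    clean, dropped = sanitize_for_pdf(sample)
    print("clean  :", clean)      # <p>Invoice <b>#42</b></p>
    print("dropped:", dropped)    # ['link', 'iframe']
```

The `dropped` list is the detection hook: a user who legitimately edits an invoice description never produces `link`, `iframe` or `script`, so a non-empty list from that code path is worth an alert on its own.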

In the first scenario using VCPrint, a payload directed the server to fetch the /proc/self/environment file, which contained AWS credentials. These credentials were stored within the PDF’s metadata. After extracting the metadata, the attacker used the credentials to authenticate to AWS. The associated IAM user had excessive permissions—effectively full administrative access—allowing the creation of a new admin user and complete control over an account with a monthly AWS spend of $90,000.

A second PDF generator (wkhtmltopdf) was also vulnerable but required a different payload, sourced from a public GitHub issue, to exfiltrate the default AWS Lambda function code, again revealing credentials.

The research highlights that PDF generation libraries are a common SSRF vector for accessing cloud metadata endpoints. The critical failure was the assignment of over-privileged IAM roles to the application. The primary takeaway for cloud engineers is to enforce the principle of least privilege, granting applications only the specific permissions required (e.g., file upload only), and to rigorously audit IAM role assignments. For penetration testers, the methodology involves identifying PDF generation points, testing for SSRF via HTML tags, extracting library versions, and searching for known exploits to access cloud instance metadata.
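The failure the summary singles out is an application identity that could do far more than upload a file. The check below is an added example (not from the talk) of how a cloud engineer can audit an IAM policy document for that pattern before attaching it: it flags `Action "*"`, service-wide wildcards, `Resource "*"`, `Allow` with `NotAction`, and any action that lets the principal grant itself more access. The two sample policies are constructed to show the administrator-equivalent "before" and the upload-only "after"; the bucket name is a placeholder.

```python
"""Audit an IAM policy document for the over-privilege pattern described above.

Added example, not from the talk. The sample policies are constructed; the
bucket name is a placeholder.
"""
import json
from fnmatch import fnmatchcase

# Constructed: what an administrator-equivalent policy on the rendering role
# looks like in policy JSON. This is the "before".
OVERPRIVILEGED = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed: the only thing a PDF-rendering service needs is to write its
# output to one prefix of one bucket. This is the "after".
SCOPED = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "WriteGeneratedPdfsOnly",
        "Effect": "Allow",
        "Action": ["s3:PutObject"],
        "Resource": "arn:aws:s3:::example-pdf-output-bucket/generated/*",
    }],
}

# IAM actions that let a principal grant itself (or a new user) more access.
# Any of these on a document-rendering role is a finding regardless of scope.
PRIVILEGE_ESCALATION_ACTIONS = {
    "iam:CreateUser", "iam:CreateAccessKey", "iam:CreateLoginProfile",
    "iam:AttachUserPolicy", "iam:PutUserPolicy",
    "iam:AttachRolePolicy", "iam:PutRolePolicy", "iam:PassRole",
}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action matching is case-insensitive; '*' and '?' are wildcards.
    return fnmatchcase(action.lower(), pattern.lower())


def audit_policy(policy):
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{index}]")
        if "NotAction" in stmt:
            findings.append(f"{sid}: Allow with NotAction grants every action not listed")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        for action in actions:
            if action == "*":
                findings.append(f"{sid}: Action '*' grants every API call in every service")
            elif action.endswith("*"):
                findings.append(f"{sid}: wildcard action {action!r} grants a whole service or action family")
        if "*" in resources and actions:
            findings.append(f"{sid}: Resource '*' applies the grant to every resource in the account")
        escalation = sorted(
            a for a in PRIVILEGE_ESCALATION_ACTIONS
            if any(_action_matches(p, a) for p in actions)
        )
        if escalation:
            findings.append(f"{sid}: grants privilege-escalation actions {', '.join(escalation)}")
    return findings


if __name__ == "__main__":
    for name, policy in (("over-privileged", OVERPRIVILEGED), ("upload-only", SCOPED)):
        print(f"{name}: {json.dumps(audit_policy(policy), indent=2)}")
```

Run against a role's inline and attached policies (for example the JSON returned by `aws iam get-role-policy` and `aws iam get-policy-version`) as a pre-deployment gate; with the scoped policy attached, the credentials the summary describes leaking would have bought an attacker write access to one prefix and nothing else.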

Disclaimer: This summary was auto-generated from the video transcript using AI and may contain inaccuracies. It is intended as a quick overview — always refer to the original talk for authoritative content.