Dashboard Application SSRF via Nested iframe in PDF Export Feature (€2000 Euro)
We have an unnamed dashboard application here that allows users to specify objects that will be rendered into the dashboard through JSON blobs. Users can provide dashboard templates in the form of a JSON blob, including an item array listing which items to render. There is also a feature to export the dashboard as a PDF document, which is handled by a headless browser.

The problem stems from the supported iframe object type, which produces an iframe. These frames could not be pointed at internal URLs because the URL was required to be https, but frames within the framed page did not have this restriction. An attacker could render a remote https URL and, on that page, include an iframe pointing to an internal address; when the dashboard was rendered as a PDF, they would visually see the response page.

This was used to access an internal application running on localhost, which would print, among other things, session tokens of active users.
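The core lesson is that a check applied to the template value never sees requests issued by nested frames, so the policy has to run on every request the headless browser makes. The following is an added example (not code from the writeup or the affected product) contrasting the template-level https check with a per-request policy of the kind a Puppeteer-style request interceptor would call; all hostnames, ports and addresses in it are constructed.

```javascript
// Added example, not from the original writeup. templateUrlAllowed() is the
// kind of check that only inspects the URL in the JSON template; the nested
// frame's request never passes through it. shouldBlockRequest() is meant to
// be called for every request the headless browser issues (e.g. from a
// request interception hook), so nested frames are covered too.

// Template-level check: the configured URL must be https. Insufficient alone.
function templateUrlAllowed(url) {
  try { return new URL(url).protocol === 'https:'; } catch { return false; }
}

// Address ranges the renderer must never reach (loopback, RFC1918, link-local).
const PRIVATE_V4 = [
  ['10.0.0.0', 8], ['172.16.0.0', 12], ['192.168.0.0', 16],
  ['127.0.0.0', 8], ['169.254.0.0', 16], ['0.0.0.0', 8],
];

function ipv4ToInt(ip) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) return null;
  const p = ip.split('.').map(Number);
  if (p.some(o => o > 255)) return null;
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}

function isPrivateV4(ip) {
  const n = ipv4ToInt(ip);
  if (n === null) return false;
  return PRIVATE_V4.some(([net, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
  });
}

// Per-request policy. Hostname matching alone does not defeat DNS rebinding;
// in production also resolve the name and test the resolved address, or route
// the renderer through an egress proxy that enforces the same rules.
function shouldBlockRequest(url) {
  let u;
  try { u = new URL(url); } catch { return true; }
  if (u.protocol !== 'https:') return true;
  const host = u.hostname.replace(/^\[|\]$/g, '').toLowerCase();
  if (host === 'localhost' || host.endsWith('.localhost')) return true;
  if (host === '::1' || host === '::') return true;
  return isPrivateV4(host);
}

// Constructed render trace: the template's frame and the frame nested in it.
const RENDER_REQUESTS = [
  { frame: 'top', url: 'https://example.com/dashboard-frame' },
  { frame: 'nested', url: 'http://localhost:8080/admin' },
];

function renderDecisions(requests = RENDER_REQUESTS) {
  return requests.map(r => ({ ...r, blocked: shouldBlockRequest(r.url) }));
}
```

Running renderDecisions() shows the top-level https frame passing both checks while the nested localhost request, which the template check never sees, is blocked by the per-request policy.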