SSRF through iframe injection?

I recently found an SSRF by injecting HTML content (via iframe) into a PDF file. This was the first bug of this kind for me. I am wondering if this also works for HTML injections on websites. More precisely, I found an XSS and HTML injection vulnerability on a website. I am able to inject an iframe via a parameter, and I was able to create an external SSRF by calling a webhook.site link through the iframe source, where the referrer is the vulnerable site. But I have failed so far to display internal server sources like /etc/passwd or to do a port search. Is it even possible that this kind of vulnerability is vulnerable to internal SSRF?

1 Like

If I’m understanding correctly, you’re wondering whether you can use an HTML/JS injection vulnerability to get the content of local server files. Simple answer: No.

When you inject something into a PDF, the code is rendered server-side. This is not the case for HTML injections - they are rendered by your browser (client-side). Your webhook was activated by your own browser, because it sent a request to the webhook URL when you injected the iframe. That explains the referer header.

When you’re attempting to access /etc/passwd and do port scanning, you’re actually targeting your own system. You likely don’t have any local HTTP servers running, so you’re not finding anything, and browsers don’t allow cross-site access to local files.

Remember: The server simply sends the HTML code to your browser - all images and iframes etc. are requested and rendered by your browser.

1 Like
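To check which side actually fetched an injected URL, compare each captured callback's source address with your own IP and the application's known egress range. This is an added example, not part of the original posts; the record fields, addresses and ranges are constructed placeholders, and `classify_callback` is a hypothetical helper.

```python
import ipaddress

# User-Agent tokens that server-side HTML/PDF renderers commonly send.
# Supporting evidence only: a User-Agent can be changed or left at a default.
RENDERER_TOKENS = ("HeadlessChrome", "wkhtmltopdf")

# Constructed callback records (RFC 5737 documentation addresses).
CALLBACKS = [
    {"src_ip": "198.51.100.23",   # tester's browser loading the injected iframe
     "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0 Safari/537.36",
     "referer": "https://vulnerable.example/search?q=test"},
    {"src_ip": "203.0.113.10",    # application server rendering HTML into a PDF
     "user_agent": "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/120.0 Safari/537.36",
     "referer": ""},
    {"src_ip": "192.0.2.77",      # unlisted address, renderer-style User-Agent
     "user_agent": "Mozilla/5.0 AppleWebKit/534.34 wkhtmltopdf Safari/534.34",
     "referer": ""},
    {"src_ip": "192.0.2.99",      # unlisted address, ordinary browser
     "user_agent": "Mozilla/5.0 (Windows NT 10.0) Firefox/121.0",
     "referer": "https://vulnerable.example/search?q=test"},
]

def classify_callback(cb, tester_ips, server_egress_nets):
    """Return (origin, reason) for one captured callback request."""
    ip = ipaddress.ip_address(cb["src_ip"])
    # The source address is the decisive signal: a server-side fetch leaves
    # from the application's network, a client-side one from the viewer's.
    if any(ip in ipaddress.ip_network(net) for net in server_egress_nets):
        return "server-side", "source IP is inside the application's egress range"
    if ip in {ipaddress.ip_address(t) for t in tester_ips}:
        return "client-side", "source IP is the tester's own browser"
    if any(tok in cb.get("user_agent", "") for tok in RENDERER_TOKENS):
        return "possibly server-side", "renderer User-Agent from an unlisted IP"
    return "unknown", "unlisted IP and ordinary User-Agent (e.g. another visitor)"

def classify_all(callbacks, tester_ips, server_egress_nets):
    """Classify every record, keeping the source IP alongside the verdict."""
    return [(cb["src_ip"],) + classify_callback(cb, tester_ips, server_egress_nets)
            for cb in callbacks]

if __name__ == "__main__":
    for row in classify_all(CALLBACKS, ["198.51.100.23"], ["203.0.113.0/28"]):
        print(*row, sep=" | ")
```

Only the "server-side" verdict indicates SSRF; a callback that arrives from the viewer's own address with the vulnerable page as referer is the browser rendering the injected iframe.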

@waike Thanks a lot, this completely answers my question :slight_smile:

1 Like