SSRF through iframe injection?

I recently found an SSRF by injecting HTML content (via iframe) into a PDF file. This was the first bug of this kind for me. I am wondering if this also works for HTML injections on websites. More precisely, I found an XSS and HTML injection vulnerability on a website. I am able to inject an iframe via a parameter, and I was able to create an external SSRF by calling a webhook.site link through the iframe source, where the referrer is the vulnerable site. But I have failed so far to display internal server resources like /etc/passwd or to do a port search. Is it even possible that this kind of vulnerability is vulnerable to internal SSRF?


If I’m understanding correctly, you’re wondering whether you can use an HTML/JS injection vulnerability to get the content of local server files. Simple answer: No.

When you inject something into a PDF, the code is rendered server-side. This is not the case for HTML injection: it is rendered by your browser (client-side). Your webhook was activated by your own browser, because it sent a request to the webhook URL when you injected the iframe. That explains the Referer header.

When you're attempting to access /etc/passwd and do port scanning, you're actually targeting your own system. You likely don't have any local HTTP servers running, so you're not finding anything, and browsers don't allow cross-site access to local files.

Remember: the server simply sends the HTML code to your browser; all images, iframes, etc. are requested and rendered by your browser.


@waike Thanks a lot, this completely answers my question :)


HTMLi/XSS to SSRF is only possible when your payload gets processed by the backend. So for example, the site has a function that turns your info into a PDF, so you injected
<iframe src="yourserver.com">
into your info, then you used the function to make a PDF from your info; the backend will execute the payload, send a request to yourserver.com and print its content in the PDF.

BUT, in the second case you described, it's not possible to get SSRF from an XSS that is not processed by the backend, for example site.com/hello?=xss_here
The hello parameter has XSS; when you inject your payload
like
<iframe src="yourserver.com">
you will get a request to yourserver.com.
But look at the IP the request came from: you will find your IP, it's client side. In the first case I think it's server side, so you were able to get SSRF. In the end maybe I'm wrong, let's see what other hackers say.
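The two answers above draw the same line: an injected iframe is only an SSRF when a server-side component (here, an HTML-to-PDF converter) fetches the resource itself. The defensive counterpart is to sanitize user-supplied HTML before it reaches that converter. The following is an added example, not code from this thread or from any PDF library: it strips tags that make a renderer fetch or execute content (iframe, object, embed, script, ...), drops event-handler attributes, and refuses URL attributes that point at the renderer's own host, private or link-local ranges, or non-HTTP schemes such as file://. The sample HTML is constructed for the example; `is_internal_target` only inspects literal IPs and well-known local names so it runs offline (a production check would also resolve DNS names and re-check the resolved address, which is a stated assumption here, not something the example does).

```python
"""Sanitize user-supplied HTML before a server-side HTML-to-PDF step.

Added defensive example; assumes the PDF generator fetches whatever URLs
appear in src/href/data/poster attributes, as described in the thread.
"""
import ipaddress
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags that make a server-side renderer fetch or execute remote/local content.
BLOCKED_TAGS = {"iframe", "frame", "object", "embed", "script", "link", "base", "meta"}
# Attributes whose value the renderer would fetch.
URL_ATTRS = {"src", "href", "data", "poster"}
# Names that resolve to the renderer's own machine.
LOCAL_HOSTNAMES = {"localhost", "localhost.localdomain"}


def is_internal_target(url: str) -> bool:
    """True if the URL must not be fetched by the renderer: non-HTTP scheme
    (file://, javascript:, relative paths resolved against the renderer's own
    base), a local hostname, or a literal IP in loopback/private/link-local/
    reserved space. DNS names are not resolved here (assumption: a production
    check resolves them and re-checks the address)."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return True
    host = (parts.hostname or "").lower()
    if host == "" or host in LOCAL_HOSTNAMES:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # DNS name: allowed here, see docstring
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def _attr_str(attrs):
    """Re-serialize kept attributes with values quoted and escaped."""
    out = []
    for name, value in attrs:
        out.append(f" {name}" if value is None
                   else f' {name}="{escape(value, quote=True)}"')
    return "".join(out)


class _Sanitizer(HTMLParser):
    """Rebuilds the markup, skipping blocked tags (with their content)."""

    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep entities as written
        self.out = []
        self.dropped = []  # (tag, reason) for audit logging
        self._skip_tag = None
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if self._skip_tag:
            if tag == self._skip_tag:
                self._skip_depth += 1
            return
        if tag in BLOCKED_TAGS:
            self.dropped.append((tag, "blocked tag"))
            self._skip_tag, self._skip_depth = tag, 1
            return
        kept = []
        for name, value in attrs:  # HTMLParser lowercases attribute names
            if name.startswith("on"):
                self.dropped.append((tag, f"event handler {name}"))
            elif name in URL_ATTRS and value is not None and is_internal_target(value):
                self.dropped.append((tag, f"{name}={value!r}"))
            else:
                kept.append((name, value))
        self.out.append(f"<{tag}{_attr_str(kept)}>")

    def handle_endtag(self, tag):
        if self._skip_tag:
            if tag == self._skip_tag:
                self._skip_depth -= 1
                if self._skip_depth == 0:
                    self._skip_tag = None
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_tag:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self._skip_tag:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self._skip_tag:
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        pass  # comments carry nothing the PDF needs


def sanitize_for_pdf(user_html: str):
    """Return (clean_html, dropped) where dropped lists what was removed."""
    parser = _Sanitizer()
    parser.feed(user_html)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample profile HTML mixing benign markup with the iframe/img
# tricks from the thread plus an internal metadata address and a file:// link.
SAMPLE = ('<p>Name: Alice &amp; Bob</p>'
          '<iframe src="http://127.0.0.1:8080/admin"></iframe>'
          '<img src="http://169.254.169.254/latest/meta-data/">'
          '<img src="https://cdn.example.com/logo.png" onerror="alert(1)">'
          '<a href="file:///etc/passwd">x</a>')

if __name__ == "__main__":
    clean, dropped = sanitize_for_pdf(SAMPLE)
    print(clean)
    for tag, reason in dropped:
        print(f"dropped <{tag}>: {reason}")
```

The `dropped` list is the part worth wiring into logging: a burst of blocked iframe/img sources pointing at loopback or link-local addresses in a PDF-export feature is exactly the signal that someone is probing for the server-side variant the thread describes.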