
Raunak Parmar
Senior Cloud Security Engineer, @trouble1_raunak
Raunak Parmar works as a senior cloud security engineer at White Knight Labs. His areas of interest include web penetration testing, Azure/AWS security, source code review, scripting, and development. He has 4+ years of experience in information security. He enjoys researching new attack methodologies and creating open-source tools that can be used during cloud red team activities. He has worked extensively on Azure and AWS and is the author of Vajra, an offensive cloud security tool. He has spoken at multiple respected security conferences, such as Black Hat, Defcon RTV, MCTTP, HackSpaceCon, and RootCon, as well as at local meetups.
talks & Q&A
conference | sep 18

From HTML Injection to Full AWS Account Takeover: Discovering Critical Risks in PDF Generation Feature
Description
Modern web applications often provide features like PDF generation to enhance user experience, but these functionalities can inadvertently introduce critical vulnerabilities when improperly secured. During a recent penetration test, we identified a severe HTML injection vulnerability in the PDF file generation feature of two separate applications. Exploiting this weakness, we demonstrated the potential to perform Server-Side Request Forgery (SSRF) attacks, enabling access to internal files and sensitive application source code.
In one application, the SSRF further exposed environment variables containing IAM keys. These keys, contrary to best practices, had over-provisioned permissions, allowing us to escalate privileges by creating new users and attaching role policies. This resulted in administrative control over the AWS account, highlighting a critical lapse in IAM configuration and environment security.
Although the second application also had the same HTML injection vulnerability, it did not expose sensitive environment variables, underlining the importance of secure configurations and proper isolation of sensitive data.
This talk aims to showcase the technical exploitation process, demonstrate the cascading impact of insecure PDF generation features, and provide actionable recommendations to mitigate such risks. By highlighting the intersection of HTML injection, SSRF, and cloud misconfigurations, this session will emphasize the importance of a defense-in-depth approach for securing web applications and cloud infrastructure.