PDF generators are widely used in modern web applications to automatically create documents such as invoices, receipts, tickets, reports, and certificates. They are commonly found in e-commerce platforms, banking systems, SaaS dashboards, healthcare portals, and internal business tools where downloadable documents are required. Most PDF generators work by rendering HTML content with a headless browser or rendering engine, using tools such as Puppeteer or wkhtmltopdf. Because these tools fetch external resources while rendering pages, they have a history of SSRF vulnerabilities. As a result, PDF generation features are a frequent target for attackers looking to exploit server-side request behavior.

Exploiting SSRF in PDF Generators

This code takes user data → builds an HTML receipt → converts it into a PDF. Step by step:

1. Launches a browser: Puppeteer starts a headless Chrome browser on the server.
2. Opens a new page: A new tab is created inside that browser.
3. Loads HTML content: The receipt layout is written using HTML. User data (name, address, etc.) is inserted dynamically.
4. Converts page to PDF: The rendered HTML is exported as an A4 PDF file.
5. Closes browser: The browser session is closed to free resources.

What makes this code vulnerable to SSRF

SSRF happens when the server makes a request to a URL controlled by the user.

This code becomes vulnerable because:

1. Puppeteer runs on the SERVER
   - Any request it makes comes from the backend, not the user's browser.
   - So firewall rules don't protect you.
2. User input is directly injected into HTML

<p>${clientName}</p> 
<p>${clientAddress}</p>

If these values are not sanitized, an attacker can inject HTML:

<img src="http://internal-service/secret">

Or inject JavaScript:

<script>
 var x = new XMLHttpRequest();
 x.onload=function(){ document.write(this.responseText) };
 x.open('GET','http://127.0.0.1'); // You can also read local system files such as "/etc/passwd"
 x.send();
</script>
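
The mitigation side of the two injections above, as an added example that is not code from the original post: user fields are HTML-encoded before interpolation, and the renderer is only allowed to fetch from an allow-list. ALLOWED_ORIGINS, its sample host and all function names are assumptions; `page` is a Puppeteer Page supplied by the caller.

```javascript
// Added example (not the original post's code). ALLOWED_ORIGINS and the
// function names are assumptions made for illustration.
const ALLOWED_ORIGINS = new Set(['https://static.example.com']); // hypothetical asset host

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Layer 1: encode user data so it is rendered as text, never parsed as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function buildReceiptHtml({ clientName, clientAddress }) {
  return `<p>${escapeHtml(clientName)}</p>\n<p>${escapeHtml(clientAddress)}</p>`;
}

// Layer 2: decide whether the renderer may fetch a URL at all.
// Everything not explicitly allowed (http:, file:, internal hosts) is denied.
function isAllowedRequest(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return false; // unparseable URL: deny
  }
  if (url.protocol === 'data:') return true; // inline images embedded in the template
  return url.protocol === 'https:' && ALLOWED_ORIGINS.has(url.origin);
}

// Handler for Puppeteer's request interception hook.
function filterRequest(request) {
  return isAllowedRequest(request.url()) ? request.continue() : request.abort();
}

// Renders the receipt with script execution off and outbound requests filtered.
async function renderReceipt(page, client) {
  await page.setJavaScriptEnabled(false); // receipt markup needs no script
  await page.setRequestInterception(true);
  page.on('request', filterRequest);
  await page.setContent(buildReceiptHtml(client));
  return page.pdf({ format: 'A4' });
}
```

Encoding alone stops the injection shown above; the request filter and disabled JavaScript limit what the renderer can reach if markup still gets through, for example via a template field that was missed.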