[web][Pro][medium]
BillForge — SSRF Chain via Chromium PDF Invoice Generation
hackadvisor
Task: Invoicing platform (BillForge) with headless Chromium PDF export, where the notes field exhibits differential rendering: HTML is escaped in the web view but rendered raw in the PDF. Solution: a 3-step SSRF chain. Injected HTML/JS in the notes field to discover an internal config service (port 3001), extracted vault credentials from the config, then used JavaScript fetch() with an X-Service-Key header to access vault secrets (port 3002) and retrieve the flag.
$ ls tags/ techniques/
tags: ssrf, nodejs, nginx, express, internal_service, html_injection, decoy_flag, vault, pdf_generation, invoicing, chromium_headless, javascript_fetch, service_key, differential_rendering
techniques: internal_service_enumeration, anti_honeypot_awareness, ssrf_via_chromium_pdf, differential_rendering_exploitation, service_key_extraction, javascript_fetch_with_custom_headers
Similar writeups
- [web][Pro] BillForge — hackadvisor
- [web][Pro] BillForge — LFI to RCE via Nginx Log Poisoning — hackadvisor
- [web][Pro] Lab 25 — DocuForge — RCE via Dompdf Font Cache Exploitation — hackadvisor
- [web][Pro] Lab 197 — BillForge — Authorization Bypass via HTTP Parameter Pollution — hackadvisor
- [web][Pro] Lab 58 — ReportForge — SSRF via PDF Export Logo URL — hackadvisor