PDF Converter Server-Side Request Forgery Prevention Configuration

  • 16 February 2021

KB003666

Product: K2 Five
Based on: K2 Five

Introduction

A server-side request forgery (SSRF) risk was identified in the Save as PDF control and the underlying PDF Converter SmartObject: the converter could be made to request internal endpoints, allowing them to be discovered and interacted with.

For added security, you can now configure the PDF Converter to restrict which hosts and IP addresses it is allowed to load any type of resource from.

Resources include, but are not limited to:

  • Iframes
  • Images
  • Style sheets
  • Scripts

The configuration options apply to the main URL requested for conversion to PDF and to every resource referenced within the site’s HTML. All HTTP requests made as part of the PDF conversion are validated against this configuration, including requests for iframes and for the resources within the iframed site.

Use the guidance below to configure your environment to prevent SSRF. Each environment and solution is different and requires unique settings. If you don’t configure these settings, your environment is still at risk of SSRF.

Configuration

Use the appsettings.xml file found in [Program Files]\K2\K2 PDF Converter Service to configure your environment’s settings in the NetworkSecurityFilterSettings section, as shown below.

[Screenshot: the NetworkSecurityFilterSettings section of appsettings.xml]

  • Wildcard values are not supported
  • By default, the configuration allows all requests

Use the table below to determine the settings you need to configure for your environment. Not all of these settings are required; an administrator should choose the setting, or combination of settings, that is best for the environment.

BlackListDomains

Example:
<BlackListDomains name="name1">internal.denallix.com</BlackListDomains>
<BlackListDomains name="name2">evil.com</BlackListDomains>
*See note

Description:
  • Blocks all requests to the domains in the list.
  • Each entry’s name attribute must be unique, but can be set to any value that describes the rule.
  • We do not recommend using this setting on its own, because it is easy to miss certain internal endpoints, which could lead to compromise. Combining this setting with BlackListIPAddresses, BlackListSubnets or any of the WhiteList settings is more effective.

WhiteListDomains

Example:
<WhiteListDomains name="name1">k2.denallix.com</WhiteListDomains>
<WhiteListDomains name="name2">external.denallix.com</WhiteListDomains>
*See note

Description:
  • Allows requests to the domains in the list and blocks all other requests.
  • If a request uses the IP address of the site instead of the configured host name, the request is still blocked. In other words, any request that is not to the exact value configured in the list is blocked.
  • Each entry’s name attribute must be unique, but can be set to any value that describes the rule.
  • For security purposes this is the most restrictive and recommended option, because it allows only what is absolutely necessary.

BlackListIPAddresses

Example:
<BlackListIPAddresses name="name1">10.1.3.15</BlackListIPAddresses>
<BlackListIPAddresses name="name2">198.4.200.3</BlackListIPAddresses>
*See note

Description:
  • Blocks all requests where the IP address that the request resolves to is in the configured list.
  • Each entry’s name attribute must be unique, but can be set to any value that describes the rule.
  • We do not recommend using this setting on its own, because it is easy to miss certain internal endpoints, which could lead to compromise. Combining this setting with BlackListDomains, BlackListSubnets or any of the WhiteList settings is more effective.

WhiteListIPAddresses

Example:
<WhiteListIPAddresses name="name1">10.1.10.23</WhiteListIPAddresses>
<WhiteListIPAddresses name="name2">192.168.30.200</WhiteListIPAddresses>
*See note

Description:
  • Allows all requests that resolve to an IP address in the list and blocks all other requests.
  • Each entry’s name attribute must be unique, but can be set to any value that describes the rule.
  • Although this option is very restrictive, it requires the system administrator to understand exactly what is available on a given IP address. For example, two sites on the same machine can resolve to the same IP address and be differentiated only by a host header. If one of these sites must be inaccessible to PDF conversion, this setting alone is not sufficient. Combining this setting with the BlackListDomains setting is more effective.

BlackListSubnets

Example:
<BlackListSubnets name="name1">
      <IpAddress>1.1.1.1</IpAddress>
      <Mask>255.255.0.0</Mask>
</BlackListSubnets>
<BlackListSubnets name="name2">
      <IpAddress>2.2.2.2</IpAddress>
      <Mask>255.255.0.0</Mask>
</BlackListSubnets>
*See note

Description:
  • The IpAddress is the base address of the restriction and the Mask indicates which range of the subnet it applies to.
  • Each entry’s name attribute must be unique, but can be set to any value that describes the rule.
  • Blocks all requests where the IP address that the request resolves to is within the subnet range.

WhiteListSubnets

Example:
<WhiteListSubnets name="name1">
      <IpAddress>1.1.1.1</IpAddress>
      <Mask>255.255.0.0</Mask>
</WhiteListSubnets>
<WhiteListSubnets name="name2">
      <IpAddress>2.2.2.2</IpAddress>
      <Mask>255.255.0.0</Mask>
</WhiteListSubnets>
*See note

Description:
  • The IpAddress is the base address of the restriction and the Mask indicates which range of the subnet it applies to.
  • Each entry’s name attribute must be unique, but can be set to any value that describes the rule.
  • Allows all requests that resolve to an IP address within the subnet range and blocks all other requests.

BlockLocalIpAddresses

Example:
<BlockLocalIpAddresses>true</BlockLocalIpAddresses>

Description:
  • If this setting is true, all requests that resolve to 127.0.0.1, or to any IP address within the same subnet as the machine where the PDF Converter service is running, are blocked.
  • This option is useful to make sure no internal endpoints are discovered or interacted with.

BlockLocalExclusions

Example:
<BlockLocalExclusions name="name1">k2.denallix.com:80</BlockLocalExclusions>
<BlockLocalExclusions name="name2">k2.denallix.com:443</BlockLocalExclusions>
*See note

Description:
  • This setting only applies when BlockLocalIpAddresses is set to true.
  • If a port number is supplied, only that specific address on that port is unblocked.
  • This setting is required when BlockLocalIpAddresses is set to true and the SmartForms site is installed on the same machine as, or in the same subnet as, the K2 Server.
  • When configured, the host in the config file is resolved to an IP address, and all requests are checked against that IP address and port (if specified); a matching request is allowed through. For example, if k2.denallix.com:443 is configured, the address may resolve to 127.0.0.1. If a request comes in for external.denallix.com:443 and it also resolves to 127.0.0.1, it is allowed. In other words, everything on the same IP address and port is allowed regardless of the host header. In this scenario, if external.denallix.com must be blocked, you must add it to the BlackListDomains setting.

*Note: the default entries in the configuration file are commented out. Remove the XML comment markers from the default entries, or add new entries as shown in the examples above.
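As an added example (not K2’s code), the following Python models how a request is evaluated against a NetworkSecurityFilterSettings fragment built from the nodes above, including the BlockLocalExclusions behaviour where anything on the excluded IP and port passes regardless of host header. The rule evaluation order, the DNS table and the SERVICE_SUBNET value are assumptions made for the example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed NetworkSecurityFilterSettings fragment (made-up values, not the product's shipped appsettings.xml).
CONFIG = """<NetworkSecurityFilterSettings>
  <BlackListDomains name="name1">evil.com</BlackListDomains>
  <BlackListSubnets name="name2"><IpAddress>10.1.0.0</IpAddress><Mask>255.255.0.0</Mask></BlackListSubnets>
  <BlockLocalIpAddresses>true</BlockLocalIpAddresses>
  <BlockLocalExclusions name="name3">k2.denallix.com:443</BlockLocalExclusions>
</NetworkSecurityFilterSettings>"""
# Constructed DNS table standing in for real name resolution.
DNS = {"k2.denallix.com": "127.0.0.1", "external.denallix.com": "127.0.0.1",
       "internal.denallix.com": "10.1.3.15", "cdn.example.net": "198.51.100.7"}
# Assumed subnet of the machine running the PDF Converter service (constructed value).
SERVICE_SUBNET = ipaddress.ip_network("192.168.30.0/24")


def _texts(root, tag):
    return [n.text.strip() for n in root.findall(tag)]


def _nets(root, ip_tag, subnet_tag):
    # Single addresses become /32 networks; IpAddress is the base of a range and Mask its size.
    nets = [ipaddress.ip_network(t) for t in _texts(root, ip_tag)]
    return nets + [ipaddress.ip_network((n.findtext("IpAddress"), n.findtext("Mask")), strict=False)
                   for n in root.findall(subnet_tag)]


def check_request(host, port, config_xml=CONFIG):
    """Return (allowed, rule) for a host:port fetch; rule order is an assumption, not vendor code."""
    root = ET.fromstring(config_xml)
    if host in _texts(root, "BlackListDomains"):
        return False, "BlackList Domains"
    white_domains = _texts(root, "WhiteListDomains")
    if white_domains and host not in white_domains:  # exact value match only, no wildcards
        return False, "WhiteList Domains"
    ip = ipaddress.ip_address(DNS[host])  # every remaining rule acts on the resolved address
    if any(ip in net for net in _nets(root, "BlackListIPAddresses", "BlackListSubnets")):
        return False, "BlackList IpAddresses/Subnets"
    white_nets = _nets(root, "WhiteListIPAddresses", "WhiteListSubnets")
    if white_nets and not any(ip in net for net in white_nets):
        return False, "WhiteList IpAddresses/Subnets"
    if root.findtext("BlockLocalIpAddresses", "false").strip().lower() == "true" and (
            ip.is_loopback or ip in SERVICE_SUBNET):
        # Exclusions match on resolved IP and port only, so any host header on that IP:port
        # passes; a host that must stay blocked has to be listed in BlackListDomains as well.
        for entry in _texts(root, "BlockLocalExclusions"):
            ex_host, _, ex_port = entry.partition(":")
            if DNS[ex_host] == str(ip) and (not ex_port or int(ex_port) == port):
                return True, "BlockLocal Exclusion"
        return False, "BlockLocal IpAddresses"
    return True, "allowed"
```

With this configuration external.denallix.com:443 is allowed because it shares 127.0.0.1:443 with the excluded host, while external.denallix.com:80 is blocked.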

Troubleshooting

When you configure the settings in the appsettings.xml file, the configuration may be too restrictive and block all requests to resources, or a specific solution may now need to convert a site to PDF that was not part of the original configuration.

Depending on the resource that is blocked, you may see different behavior. If the main URL that is requested for conversion is blocked, one of the following errors may occur:

“The PDF could not be saved”
“The url is blocked or there is an issue with the SSL certificate for the site requested.”

If a resource like an image or an iframe is blocked, the conversion generates a PDF with everything it could load, but the blocked resources will not show, similar to what displays when a webpage cannot load a resource.

When a request is blocked, an error message is logged in the latest log file in the [Program Files]\K2\K2 PDF Converter Service\Logs folder. Use the error message in the log file to determine the reason for the block. Below is an example of an error message:

[2021-02-09 09:01:12][ERR][Host:][App:SourceCode.PdfConverter.Api][CID:][SID:][Path:][Src:]: Blocking loading of request due to rule:"WhiteList IpAddresses" and value:"13.107.42.14". Request to:"www.linkedin.com" with frame domain:"" IsMainFrame:False ResourceType:SubFrame TransitionType:AutoSubFrame Referrer:"simple.external.com"

The colors refer to the highlighted parts of the log message:

Color   Log field        Description
Yellow  rule:"..."       The configuration node blocking the request
Pink    value:"..."      The value causing the block
Blue    IsMainFrame      False: the request is coming from an iframe; True: the request came from the main site or page that was requested for conversion
Green   ResourceType     The type of resource the request came from
Gray    Referrer:"..."   The site from which the request originated
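As an added example, not part of the original article, this Python parses block events in the log format shown above and maps each field onto the legend; the sample line is a constructed copy of the one above, and the aggregation helper is hypothetical.

```python
import re
from collections import Counter

# Constructed copy of the blocked-request log line shown above.
SAMPLE = ('[2021-02-09 09:01:12][ERR][Host:][App:SourceCode.PdfConverter.Api][CID:][SID:][Path:][Src:]: '
          'Blocking loading of request due to rule:"WhiteList IpAddresses" and value:"13.107.42.14". '
          'Request to:"www.linkedin.com" with frame domain:"" IsMainFrame:False ResourceType:SubFrame '
          'TransitionType:AutoSubFrame Referrer:"simple.external.com"')

# Pattern for the fixed text the converter writes when a rule blocks a request.
BLOCK_RE = re.compile(
    r'rule:"(?P<rule>[^"]*)" and value:"(?P<value>[^"]*)"\. '
    r'Request to:"(?P<target>[^"]*)" with frame domain:"(?P<frame>[^"]*)" '
    r'IsMainFrame:(?P<main>\w+) ResourceType:(?P<resource>\w+) '
    r'TransitionType:(?P<transition>\w+) Referrer:"(?P<referrer>[^"]*)"')


def parse_block_event(line):
    """Map one log line onto the legend above; returns None for lines that are not block events."""
    m = BLOCK_RE.search(line)
    if not m:
        return None
    f = m.groupdict()
    return {
        "blocking_node": f["rule"],            # yellow: the configuration node that blocked
        "blocking_value": f["value"],          # pink: the value causing the block
        "from_iframe": f["main"] == "False",   # blue: IsMainFrame=False means an iframe request
        "resource_type": f["resource"],        # green: the type of resource requested
        "origin_site": f["referrer"],          # gray: the site the request originated from
        "target": f["target"],
    }


def summarize_blocks(lines):
    """Count blocked targets per (node, value, target) so an administrator sees what to allow-list."""
    counts = Counter()
    for line in lines:
        event = parse_block_event(line)
        if event:
            counts[(event["blocking_node"], event["blocking_value"], event["target"])] += 1
    return dict(counts)
```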
