SSRF — if the application renders .CSV

Bhargav Gajera
May 24, 2021

I came across an application which renders certain types of documents in the backend and creates its PDF for the user.

The application supports HTML and CSV.

Apparently all the vectors for HTML files were being checked for security concerns.

On the official Microsoft documentation page I found an interesting formula “=WEBSERVICES()”. The formula is for Excel, but as the same application also renders CSV, it works just fine in both cases.

The rest is s1mple: use the formula with any URL as its argument and the server will call the URL in the backend (SSRF).

POC

[Figure: Payload.csv, created and saved in a text editor]

[Figure: Rendered_Document.pdf, the PDF generated after rendering the CSV]

Here I have also used the INFO formula, which reveals some information related to the document and the backend environment.

I also found an internal Tomcat server running on localhost, the HTTP response of which was in the cell as text.
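
A pre-render check for the issue described above, as an added example that is not from the original post or the application it describes: it scans an uploaded CSV for cells a spreadsheet engine would evaluate, flags calls to the functions the post names (matching both the post's WEBSERVICES spelling and Excel's documented WEBSERVICE), and rewrites those cells as text. The function names, the sample rows, and the assumption that the renderer treats a leading apostrophe as a text marker are this example's own.

```python
import csv
import io
import re

# Leading characters that spreadsheet engines treat as the start of a formula.
FORMULA_PREFIXES = ("=", "+", "-", "@")
# Functions named in the post; WEBSERVICE is Excel's documented spelling.
RISKY_CALL = re.compile(r"\b(WEBSERVICES?|INFO)\s*\(", re.IGNORECASE)

# Constructed sample upload (not the post's payload); example.invalid never resolves.
SAMPLE = (
    "name,qty,note\n"
    'widget,3,"=WEBSERVICE(""http://example.invalid/"")"\n'
    'gadget,-2,"  =info(""osversion"")"\n'
    "gizmo,5,=1+1\n"
    "doohickey,7,plain text\n"
)


def is_number(cell):
    try:
        float(cell)
        return True
    except ValueError:
        return False


def scan_and_neutralize(text):
    """Return (safe_csv, findings); findings are (row, col, kind) tuples, 1-based."""
    findings, out = [], io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for r, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        safe_row = []
        for c, cell in enumerate(row, start=1):
            stripped = cell.lstrip()
            if stripped.startswith(FORMULA_PREFIXES) and not is_number(stripped):
                kind = "network/info call" if RISKY_CALL.search(stripped) else "formula"
                findings.append((r, c, kind))
                cell = "'" + stripped  # assumption: renderer treats a leading ' as text
            safe_row.append(cell)
        writer.writerow(safe_row)
    return out.getvalue(), findings


if __name__ == "__main__":
    safe, hits = scan_and_neutralize(SAMPLE)
    print(hits)
    print(safe)
```

Rejecting the upload whenever `findings` is non-empty is the stricter option. Blocking the renderer's outbound and loopback requests at the network layer covers formulas this filter does not recognise.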
