CVE-2026-13150
Status: Received - Intake
SSRF in Pentestify PDF Generation Endpoint

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: 4daa8cea-433a-44bd-9456-53b127fc289a

Description
Server-Side Request Forgery (SSRF) (CWE-918) in the PDF generation endpoint GET /api/reports/{id}/pdf (backend/main.py) in ccyl13 Pentestify 1.0.0 and lower allows remote attackers to make the server issue requests to arbitrary internal or external URLs, including cloud metadata services, and return the rendered content in the resulting PDF via a crafted Host header, because the target URL is built from request.base_url without validation.
Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-24
AI Q&A: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products (3 associated CPEs)
Vendor      Product     Version / Range
pentestify  pentestify  to 1.0.0 (exc)
ccyl13      pentestify  to 1.1.0 (exc)
ccyl13      pentestify  1.1.0
CWE
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Executive Summary

This vulnerability is a Server-Side Request Forgery (SSRF) found in the PDF generation endpoint of the Pentestify application version 1.0.0 and lower. It allows remote attackers to manipulate the server into making requests to arbitrary internal or external URLs by crafting the Host header. The server builds the target URL from the request's base URL without proper validation, which can be exploited to access sensitive internal resources such as cloud metadata services.

Impact Analysis

This SSRF vulnerability can allow attackers to make the server send requests to internal or external systems that are normally inaccessible to them. This can lead to unauthorized access to sensitive internal services, including cloud metadata endpoints, potentially exposing confidential information or enabling further attacks within the internal network.

Detection Guidance

This vulnerability involves Server-Side Request Forgery (SSRF) via the PDF generation endpoint GET /api/reports/{id}/pdf, where the server issues requests to arbitrary URLs based on a crafted Host header.

To detect this vulnerability on your system, monitor or test the behavior of the PDF generation endpoint by sending crafted requests with manipulated Host headers and observing whether the server fetches external or internal URLs.

Example commands to test for SSRF might include using curl to send requests with a modified Host header to the vulnerable endpoint:

  • curl -v -H "Host: http://169.254.169.254/latest/meta-data/" https://your-target/api/reports/123/pdf
  • curl -v -H "Host: http://internal-service.local/" https://your-target/api/reports/123/pdf

Monitoring network traffic for unexpected outbound requests from the server to internal or cloud metadata IPs (e.g., 169.254.169.254) can also help detect exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include applying the security fixes introduced in Pentestify version 1.1.0, which address the SSRF vulnerability.

  • Upgrade Pentestify to version 1.1.0 or later, which includes schema validation restricting client_logo and images fields to only accept data URLs, preventing arbitrary URL fetching.
  • Ensure that any imported .db files are sanitized to prevent bypassing validation.
  • Verify that frontend image src attributes are properly escaped to mitigate related XSS risks.

If upgrading immediately is not possible, consider implementing network-level restrictions to block the server from making outbound requests to internal or cloud metadata IP addresses.
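The following Python is an added illustration, not code from the Pentestify project, of the two defensive ideas above: validating the Host header before it becomes a base URL (and accepting only data URLs for image fields, as the 1.1.0 fix is described), plus a check over access-log lines for requests to the PDF endpoint whose Host header would fail that validation. The allowlist, the log format and the sample log lines are constructed assumptions.

```python
import re
from typing import List, Optional, Tuple

# Assumed allowlist for this deployment; the project itself does not define one here.
ALLOWED_HOSTS = {"reports.example.com", "localhost:8000"}
_HOST_RE = re.compile(r"^(?P<host>[a-z0-9.-]+|\[[0-9a-f:]+\])(?::\d{1,5})?$", re.I)

def safe_base_url(host_header: str, scheme: str = "https") -> Optional[str]:
    """Build a base URL from the Host header only if it is a bare, allowlisted host.
    A value carrying a scheme, path, userinfo or an unknown host is rejected rather
    than being interpolated into a URL the PDF renderer will fetch."""
    value = host_header.strip().lower()
    if not _HOST_RE.match(value) or value not in ALLOWED_HOSTS:
        return None
    return f"{scheme}://{value}/"

_DATA_IMAGE_RE = re.compile(r"^data:image/(png|jpeg|gif|webp);base64,[A-Za-z0-9+/=]+$")

def is_allowed_image_src(src: str) -> bool:
    """Accept only inline base64 image data URLs for logo/image fields, so the renderer
    never dereferences a network URL (the shape of the 1.1.0 fix the advisory describes)."""
    return bool(_DATA_IMAGE_RE.match(src))

# Constructed sample access-log lines (combined format with the Host header appended).
SAMPLE_LOG = """\
10.0.0.5 - - [24/Jun/2026:10:01:02 +0000] "GET /api/reports/123/pdf HTTP/1.1" 200 5120 host="reports.example.com"
10.0.0.9 - - [24/Jun/2026:10:01:07 +0000] "GET /api/reports/123/pdf HTTP/1.1" 200 8804 host="http://169.254.169.254/latest/meta-data/"
10.0.0.9 - - [24/Jun/2026:10:01:09 +0000] "GET /api/reports/124/pdf HTTP/1.1" 200 7712 host="internal-service.local"
"""
_LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"GET /api/reports/\d+/pdf [^"]*" \d+ \d+ host="(?P<host>[^"]*)"')

def suspicious_pdf_requests(log_text: str) -> List[Tuple[str, str]]:
    """Return (client_ip, host_value) for PDF-endpoint requests whose Host header would
    fail safe_base_url; on an unpatched server these are the requests to investigate."""
    hits = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if m and safe_base_url(m["host"]) is None:
            hits.append((m["ip"], m["host"]))
    return hits

if __name__ == "__main__":
    for ip, host in suspicious_pdf_requests(SAMPLE_LOG):
        print(f"suspicious PDF request from {ip}: Host={host!r}")
```

Appending the Host header to the access-log format is a deployment change assumed here; if your logs lack it, the same check can be applied at a reverse proxy or WAF that sees the raw header.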

Compliance Impact

The Server-Side Request Forgery (SSRF) vulnerability in Pentestify 1.0.0 and lower allows remote attackers to make the server issue requests to arbitrary internal or external URLs, including cloud metadata services, and return the rendered content in the resulting PDF. This could lead to unauthorized access to sensitive internal resources or data.

Such unauthorized access and potential data exposure could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive personal and health information from unauthorized access or disclosure.

The vulnerability could therefore increase the risk of data breaches or leaks, undermining the confidentiality and integrity requirements mandated by these regulations.
