Server-Side Request Forgery (SSRF)
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-918: Server-Side Request Forgery (SSRF) |
| OWASP | A10:2021 - Server-Side Request Forgery (SSRF) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Medium |
Description
Passing untrusted user input directly to the wkhtmltopdf library in an Express application lets an attacker choose which URLs the server requests. Because the request is made by the server itself, it can reach internal services that are not exposed to the outside and disclose sensitive information.
Impact
If exploited, an attacker could force the server to access internal resources or external sites, potentially leaking sensitive data or enabling further attacks on your network. This could compromise backend systems and lead to data breaches.