Private IP¶
Description¶
A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname... has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems.
Remediation¶
- Remove the private IP address from the HTTP response body.
- For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers.
REST Specific¶
Asp_net
Ensure that any sensitive information, including private IP addresses, is not included in the HTTP response body. Review your code to remove any hardcoded IP addresses or hostnames. If internal IPs need to be shared between backend services, use secure methods such as environment variables or configuration files with proper access controls. Additionally, implement proper error handling to prevent leakage of such information in error messages.Ruby_on_rails
In Ruby on Rails, ensure that any sensitive information, including private IP addresses, is not included in the HTTP response body. Use environment variables or Rails secrets to manage internal data and apply filters in your controllers or views to prevent accidental exposure. Additionally, configure your logging to avoid recording private IPs.Next_js
Ensure that server-side code does not include private IP addresses or sensitive hostnames in the HTTP response body. Review and sanitize any data sent to the client in Next.js pages or API routes. Use environment variables for sensitive data and avoid exposing them to the frontend.Laravel
To prevent the exposure of private IP addresses in HTTP responses within a Laravel application, ensure that any debug or error messages are properly sanitized before being sent to the client. Configure your logging settings to exclude sensitive information and use environment variables to manage configuration without hardcoding IP addresses. Additionally, consider implementing middleware that checks responses for private IP addresses and removes or obfuscates them before they reach the client.Express_js
To prevent private IP addresses from being exposed in the HTTP response body within an Express.js application, ensure that any sensitive information is not included in the response object. Use middleware to filter out private IPs from the response or avoid including any dynamic data that could potentially contain private IPs. Additionally, consider implementing a content security policy (CSP) to reduce the risk of information leakage.Django
To prevent the exposure of private IP addresses in the HTTP response body within a Django application, ensure that any templates or views do not include direct references to private IP addresses. Use environment variables or Django settings to manage internal URLs and IP addresses, and avoid hardcoding them in your codebase. Additionally, implement proper access controls and network security measures to restrict unauthorized access to internal resources.Symfony
In the Symfony framework, ensure that any sensitive information, including private IP addresses, is not included in the HTTP response body. Use Symfony's environment variables to manage configuration and avoid hardcoding sensitive data. Implement access controls and filters to prevent exposure of private network details to unauthorized users. Regularly review your code and use Symfony's security features to mitigate the risk of information leakage.Spring_boot
To prevent the exposure of private IP addresses in the HTTP response body within a Spring Boot application, ensure that any sensitive information is not included in the response objects. Use environment-specific configuration files or externalized configuration management to avoid hardcoding IP addresses. Implement proper logging to avoid inadvertently logging private IPs. Additionally, review your application's error handling to ensure that stack traces or error messages containing private IPs are not sent to the client.Flask
To prevent private IP addresses from being exposed in the HTTP response body within a Flask application, ensure that any templates or views do not include sensitive information. Use environment variables or configuration files to manage internal data, and avoid hardcoding IP addresses. Implement proper access controls and output encoding to safeguard against inadvertent data leaks. Additionally, consider using a proxy or firewall to filter outgoing data and monitor for unintentional disclosures.Nuxt
Ensure that server-side code does not include private IP addresses or sensitive hostnames in the HTTP response body. Review and sanitize any data sent to the client in Nuxt.js applications to prevent inadvertent exposure of internal network details.Fastapi
To prevent private IP addresses from being exposed in HTTP response bodies within the FastAPI framework, ensure that any sensitive information is not included in the response models or is explicitly excluded using Pydantic's `exclude` parameter. Additionally, implement middleware to filter out private IPs from responses before they are sent to the client.Frappe
Ensure that sensitive information, such as private IP addresses, is not exposed in HTTP response bodies by implementing proper access controls and data sanitization in the Frappe framework.Genzio
Ensure that the Genzio framework engine does not expose private IP addresses in HTTP response bodies by implementing proper data sanitization and validation techniques.Gin
Ensure that sensitive information such as private IPs is not included in HTTP response bodies by using middleware to sanitize responses in the Gin framework.Gorilla
Ensure that sensitive information, such as private IP addresses, is not exposed in HTTP response bodies by implementing proper data sanitization and access controls.Hapi
Ensure sensitive information like private IPs is not included in HTTP response bodies by using Hapi's response toolkit to filter or sanitize data before sending it to the client.Hono
Ensure that sensitive information, such as private IP addresses, is not included in HTTP response bodies by implementing proper data sanitization and validation within the Hono framework.Jersey
Ensure sensitive information such as private IPs is not exposed in HTTP responses by using appropriate data masking or filtering techniques in the Jersey framework.Koa
Ensure that sensitive information, such as private IP addresses, is not included in HTTP response bodies by implementing proper data sanitization and validation in your Koa framework application.Ktor
Ensure that sensitive information, such as private IP addresses, is not included in HTTP response bodies by using appropriate data filtering and validation techniques in the Ktor framework.Leptos
Ensure that private IP addresses are not exposed in HTTP response bodies by implementing proper access controls and data sanitization in the Leptos framework.Macaron
Ensure sensitive information like private IPs is not exposed in HTTP responses by using middleware to sanitize response data in the Macaron framework.Phoenix
Ensure that private IPs are not exposed in HTTP responses by reviewing and sanitizing response data in the Phoenix framework.Redwoodjs
Ensure sensitive information like private IPs is not exposed in HTTP responses by using environment variables and RedwoodJS's built-in security features to manage and sanitize data outputs.Rocket
Ensure that private IP addresses are not exposed in HTTP response bodies by implementing proper data sanitization and validation within the Rocket framework.Sveltekit
Ensure sensitive information like private IPs is not exposed in HTTP responses by using environment variables and server-side logic to handle such data securely in SvelteKit applications.Configuration¶
Identifier:
information_disclosure/private_ip
Examples¶
Ignore this check¶
Score¶
- Escape Severity:
Compliance¶
- OWASP: API1:2023
- OWASP LLM: LLM06:2023
- pci: 1.3.7
- gdpr: Article-32
- soc2: CC1
- psd2: Article-95
- iso27001: A.18.1
- nist: SP800-53
- fedramp: AC-4
Classification¶
- CWE: 200
Score¶
- CVSS_VECTOR: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- CVSS_SCORE: 5.3