Private IP
Description
A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname... has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems.
Remediation
- Remove the private IP address from the HTTP response body.
- For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers.
REST Specific
Asp_net
Ensure that any sensitive information, including private IP addresses, is not included in the HTTP response body. Review your code to remove any hardcoded IP addresses or hostnames. If internal IPs need to be shared between backend services, use secure methods such as environment variables or configuration files with proper access controls. Additionally, implement proper error handling to prevent leakage of such information in error messages.
Ruby_on_rails
In Ruby on Rails, ensure that any sensitive information, including private IP addresses, is not included in the HTTP response body. Use environment variables or Rails secrets to manage internal data and apply filters in your controllers or views to prevent accidental exposure. Additionally, configure your logging to avoid recording private IPs.
Next_js
Ensure that server-side code does not include private IP addresses or sensitive hostnames in the HTTP response body. Review and sanitize any data sent to the client in Next.js pages or API routes. Use environment variables for sensitive data and avoid exposing them to the frontend.
Laravel
To prevent the exposure of private IP addresses in HTTP responses within a Laravel application, ensure that any debug or error messages are properly sanitized before being sent to the client. Configure your logging settings to exclude sensitive information and use environment variables to manage configuration without hardcoding IP addresses. Additionally, consider implementing middleware that checks responses for private IP addresses and removes or obfuscates them before they reach the client.
Express_js
To prevent private IP addresses from being exposed in the HTTP response body within an Express.js application, ensure that any sensitive information is not included in the response object. Use middleware to filter out private IPs from the response or avoid including any dynamic data that could potentially contain private IPs. Additionally, consider implementing a content security policy (CSP) to reduce the risk of information leakage.
Django
To prevent the exposure of private IP addresses in the HTTP response body within a Django application, ensure that any templates or views do not include direct references to private IP addresses. Use environment variables or Django settings to manage internal URLs and IP addresses, and avoid hardcoding them in your codebase. Additionally, implement proper access controls and network security measures to restrict unauthorized access to internal resources.
Symfony
In the Symfony framework, ensure that any sensitive information, including private IP addresses, is not included in the HTTP response body. Use Symfony's environment variables to manage configuration and avoid hardcoding sensitive data. Implement access controls and filters to prevent exposure of private network details to unauthorized users. Regularly review your code and use Symfony's security features to mitigate the risk of information leakage.
Spring_boot
To prevent the exposure of private IP addresses in the HTTP response body within a Spring Boot application, ensure that any sensitive information is not included in the response objects. Use environment-specific configuration files or externalized configuration management to avoid hardcoding IP addresses. Implement proper logging to avoid inadvertently logging private IPs. Additionally, review your application's error handling to ensure that stack traces or error messages containing private IPs are not sent to the client.
Flask
To prevent private IP addresses from being exposed in the HTTP response body within a Flask application, ensure that any templates or views do not include sensitive information. Use environment variables or configuration files to manage internal data, and avoid hardcoding IP addresses. Implement proper access controls and output encoding to safeguard against inadvertent data leaks. Additionally, consider using a proxy or firewall to filter outgoing data and monitor for unintentional disclosures.
Nuxt
Ensure that server-side code does not include private IP addresses or sensitive hostnames in the HTTP response body. Review and sanitize any data sent to the client in Nuxt.js applications to prevent inadvertent exposure of internal network details.
Fastapi
To prevent private IP addresses from being exposed in HTTP response bodies within the FastAPI framework, ensure that any sensitive information is not included in the response models or is explicitly excluded using Pydantic's exclude parameter. Additionally, implement middleware to filter out private IPs from responses before they are sent to the client.
Configuration
Identifier:
information_disclosure/private_ip
Examples
Ignore this check
checks:
information_disclosure/private_ip:
skip: true
Score
- Escape Severity: LOW
Compliance
- OWASP: API1:2023
- pci: 1.3.7
- gdpr: Article-32
- soc2: CC1
- psd2: Article-95
- iso27001: A.18.1
- nist: SP800-53
- fedramp: AC-4