Private IP Address Disclosure

OWASP 2013-A6 OWASP 2017-A3 OWASP PC-C8 CWE-200 WSTG-CRYP-03 WASC-13 ISO27001-A.18.1.4

An IP address is a numerical label assigned to each device on a network. It uniquely identifies the device within that network and allows it to communicate with the internet. There are two main types of IP address:-

  • IPv4 - It is a 32-bit number
  • IPv6 - It is a 64-bit number

Many servers disclose the IP addresses of their users. Such a disclosure may leak information about the IP addressing scheme of a company’s or organisation’s internal network, and an attacker can use the disclosed addresses to conduct further attacks on specific users. There are many ways in which an attacker can determine the private IP address of a user. By exploiting this vulnerability, an attacker can perform penetration attacks on the network’s internal infrastructure.

Impact

This vulnerability can have the following impacts:-

  • Network layer attacks
  • Possible loss of sensitive information

Mitigation / Precaution

Beagle recommends the following fixes:-

  • Do not disclose the internal IP addresses.
  • Hide the private IPs in error messages.
  • Use innocuous identifiers for passing information.
  • Prevent the application from displaying the IP addresses of its users.
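A response check of the kind these fixes call for, added here as an example (it is not Beagle’s own scanner code): it scans HTTP response headers and body for addresses in the RFC 1918, link-local and loopback ranges, so a tester can confirm a fix actually removed the disclosure. The sample response, its header names and its addresses are constructed assumptions.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Address ranges whose appearance in a response reveals internal addressing:
# RFC 1918 private space plus link-local and loopback. Public addresses are
# deliberately not flagged, so a legitimate public IP in a page is not noise.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8",
)]

# Dotted-quad candidate. The look-around assertions stop longer dotted strings
# such as version numbers (1.2.3.4.5) from yielding a partial match; octets
# above 255 are rejected later by the ipaddress parser.
_IPV4_CANDIDATE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def is_internal(addr: str) -> bool:
    """True if addr parses as IPv4 and falls inside an internal range."""
    try:
        ip = ipaddress.IPv4Address(addr)
    except ValueError:          # e.g. "10.0.0.256" is not an address
        return False
    return any(ip in net for net in INTERNAL_NETWORKS)


def find_internal_ips(headers: Dict[str, str], body: str) -> List[Tuple[str, str]]:
    """Return (location, address) for every internal IPv4 address in a response."""
    findings: List[Tuple[str, str]] = []
    for name, value in headers.items():
        for match in _IPV4_CANDIDATE.finditer(value):
            if is_internal(match.group(1)):
                findings.append((f"header:{name}", match.group(1)))
    for match in _IPV4_CANDIDATE.finditer(body):
        if is_internal(match.group(1)):
            findings.append(("body", match.group(1)))
    return findings


# Constructed sample response (hypothetical header names and values).
SAMPLE_HEADERS = {
    "Server": "nginx/1.18.0",                     # 3 parts, not an address
    "X-Backend-Server": "10.20.30.40",            # leaks an internal host
    "Location": "http://192.168.1.25/admin/",     # redirect to an internal IP
}
SAMPLE_BODY = """<html><body>
<!-- rendered by app02 (172.20.5.9), build 1.2.3.4.5 -->
<p>Reach support from 203.0.113.7; build 10.0.0.256 is invalid.</p>
</body></html>"""
```

Running `find_internal_ips(SAMPLE_HEADERS, SAMPLE_BODY)` reports the two header leaks and the HTML-comment leak, while the public address, the version string and the malformed octet are ignored.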
