ZAP – Private IP Disclosure via WebSocket

Details
Alert ID	110006
Alert Type	WebSocket Passive
Status	release
Risk	Low
CWE
WASC
Technologies Targeted	All
Tags

Summary

A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the incoming WebSocket message. This information might be helpful for further attacks targeting internal systems.

Solution

Remove the private IP address from the WebSocket messages.

Other Info

References

https://tools.ietf.org/html/rfc1918

Code

scripts/templates/websocketpassive/Private IP Disclosure.js