Details
Alert Id 2
Alert Type Passive
Status release
Risk Low
CWE 200
WASC 13
Tags OWASP_2017_A03
OWASP_2021_A01

Summary

A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems.

Solution

Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers.

References

Code

org/zaproxy/zap/extension/pscanrules/InfoPrivateAddressDisclosureScanRule.java