Details

Alert ID: 2
Alert Type: Passive
Status: release
Risk: Low
CWE: 200
WASC: 13
Technologies Targeted: All
Tags: CWE-200, OWASP_2017_A03, OWASP_2021_A01
More Info: Scan Rule Help

Summary

A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems.
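As an added illustration of what this passive rule looks for (example code, not ZAP's own implementation), the check below scans a constructed response body for RFC 1918 addresses (10/8, 172.16/12, 192.168/16) and EC2-style private hostnames. It goes slightly beyond the summary's loose "172.x.x.x" by applying the exact 172.16.0.0/12 range, so public 172.32.x.x addresses are not reported; the sample body and the helper names are assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed for this example: the RFC 1918 ranges the rule is concerned with.
PRIVATE_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Candidate dotted-quad IPv4 literals and EC2-style hostnames (ip-10-0-56-78).
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EC2_HOST_RE = re.compile(r"\bip-(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\b")


def _is_rfc1918(dotted: str) -> bool:
    """True if the dotted quad is a valid address inside a private range."""
    try:
        addr = ip_address(dotted)
    except ValueError:  # e.g. 999.1.1.1 looks like an IP but is not one
        return False
    return any(addr in net for net in PRIVATE_NETS)


def find_private_addresses(body: str) -> list[str]:
    """Return the private IPs / EC2 hostnames disclosed in a response body,
    in order of appearance and without duplicates (the rule's 'Other Info')."""
    found = []
    for m in IPV4_RE.finditer(body):
        if _is_rfc1918(m.group()):
            found.append(m.group())
    for m in EC2_HOST_RE.finditer(body):
        if _is_rfc1918(".".join(m.groups())):
            found.append(m.group())
    return list(dict.fromkeys(found))


# Constructed sample response: HTML and JavaScript comments reach the browser.
SAMPLE_BODY = """<html><!-- backend: 192.168.36.127 -->
<script>var api = "http://10.0.56.78:8080/v1"; var dns = "8.8.8.8";</script>
<p>node ip-10-0-56-78, peer 172.32.1.1, db 172.16.5.4, junk 999.1.1.1</p>
</html>"""

if __name__ == "__main__":
    for evidence in find_private_addresses(SAMPLE_BODY):
        print("Private IP Disclosure:", evidence)
```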

Solution

Remove the private IP address from the HTTP response body. For comments, use server-side comments (JSP/ASP/PHP) instead of HTML/JavaScript comments, which are delivered to and can be read by client browsers.

Other Info

192.168.36.127

References

Code

org/zaproxy/zap/extension/pscanrules/InfoPrivateAddressDisclosureScanRule.java