Technical information leak - IPs - C-Sharp

Technical information leak - IPs - C-Sharp

Need

Protection of internal IP addresses from being exposed

Context

  • Usage of C# for building robust and scalable applications
  • Usage of Microsoft.AspNetCore.Mvc for building web applications with ASP.NET Core MVC

Description

Non compliant code

        public class HomeController : Controller
{
    public IActionResult Index()
    {
        ViewData["Message"] = "Your application description page.";
        ViewData["ServerIP"] = HttpContext.Connection.LocalIpAddress.ToString(); // Vulnerable code
        return View();
    }
}
        
        

The above code represents a technical information leak vulnerability, specifically exposing the server's internal IP address. This is a significant security issue because by knowing the internal IP address, an attacker can directly target the server for attacks.

The vulnerability lies in the Index action of the HomeController. Here, the server's internal IP address is being retrieved using HttpContext.Connection.LocalIpAddress.ToString(). This information is then being stored in the ViewData dictionary with the key "ServerIP".

The ViewData dictionary is used to pass data from controllers to views in ASP.NET Core. In this case, it is being used to pass the server's internal IP address to the view. This means that the internal IP address is being exposed to anyone who can access this view.

This vulnerability could be exploited by an attacker to gain information about the internal structure of your network, which they could then use to plan and execute further attacks. Therefore, it is crucial to fix this vulnerability to protect your server and network.

Steps

  • Avoid exposing internal IP addresses in the web page response.
  • Remove the line of code that sets the 'ServerIP' ViewData value to the 'LocalIpAddress' of the HttpContext.
  • Consider using a separate configuration file or environment variable to store the server IP address.
  • If necessary, retrieve the server IP address from a trusted source or use a secure method to obtain it.
  • Ensure that the web server is properly configured to not expose internal IP addresses.

Compliant code

        public class HomeController : Controller
{
    public IActionResult Index()
    {
        ViewData["Message"] = "Your application description page.";
        // Removed the line that exposes the server IP
        return View();
    }
}
        
        

The original code was exposing the internal IP address of the server through the web page response. This is a security vulnerability as it provides potential attackers with valuable information about the internal network structure.

The fixed code removes the line that was setting the 'ServerIP' ViewData value to the 'LocalIpAddress' of the HttpContext. This prevents the internal IP address from being exposed in the web page response.

If the server IP address is needed for some functionality, consider storing it in a separate configuration file or environment variable. This way, it can be accessed securely without exposing it to the outside world.

Also, ensure that the web server is properly configured to not expose internal IP addresses. This includes settings in the web server software itself, as well as any network devices (like routers or firewalls) that the server is behind.

Remember, the less information a potential attacker has about your system, the harder it is for them to exploit it. Therefore, it's always a good idea to limit the amount of technical information (like IP addresses) that your application exposes.

References