Technical information leak - IPs - Java

Need

Prevention of internal IP address exposure

Context

  • Usage of Java 8 for developing applications with enhanced features and performance
  • Usage of javax.servlet-api for Java Servlet development
  • Usage of java.net for network communication in Java

Description

Non-compliant code

    import javax.servlet.http.HttpServletResponse;
    import java.io.IOException;

    public class ServerInfoServlet extends javax.servlet.http.HttpServlet {
        protected void doGet(javax.servlet.http.HttpServletRequest request, HttpServletResponse response) throws IOException {
            // Resolves the server's own host address (may throw UnknownHostException, an IOException subclass)
            java.net.InetAddress inetAddress = java.net.InetAddress.getLocalHost();
            // Vulnerable: the internal address is written verbatim into the client-facing response
            response.getWriter().write("Internal IP: " + inetAddress.getHostAddress());
        }
    }

The above code is a simple Java servlet that responds to HTTP GET requests by writing the internal IP address of the server to the response.

The doGet method is called whenever a GET request is made to the server. Inside this method, we're getting the local host's IP address using java.net.InetAddress.getLocalHost().getHostAddress(). This IP address is then written to the HTTP response using response.getWriter().write().

This is a serious vulnerability as it exposes the internal IP address of the server to anyone who can make a GET request to the server. An attacker can use this information to carry out more targeted attacks on the server.

This kind of vulnerability is known as an Information Leak, and in this specific case, it's a Technical Information Leak involving IP addresses. It's important to ensure that sensitive information like IP addresses, server configurations, etc., are not exposed through the web page response or any other client-facing channels.

Steps

  • Avoid exposing internal IP addresses in the web page response.
  • Remove the code that retrieves the internal IP address.
  • Consider using a reverse proxy or load balancer to handle client requests and hide the internal IP address of the web server.
  • Implement proper input validation and sanitization to prevent any potential injection attacks that could expose internal IP addresses.
  • Regularly update and patch the web server software to ensure any known vulnerabilities are addressed.

Compliant code

    import javax.servlet.http.HttpServletResponse;
    import java.io.IOException;

    public class ServerInfoServlet extends javax.servlet.http.HttpServlet {
        protected void doGet(javax.servlet.http.HttpServletRequest request, HttpServletResponse response) throws IOException {
            // No host lookup: the response carries only a generic acknowledgement
            response.getWriter().write("Request received");
        }
    }

The original code was exposing the internal IP address of the server by writing it directly to the HTTP response. This is a security vulnerability as it provides potential attackers with information about the internal network structure.

The fixed code removes the line that retrieves and writes the internal IP address to the HTTP response. Instead, it simply writes a generic message "Request received" to the HTTP response. This way, no internal IP information is exposed to the client.

In addition to this code fix, it's recommended to use a reverse proxy or load balancer to handle client requests. This can further hide the internal IP address of the web server.

Also, it's important to implement proper input validation and sanitization to prevent any potential injection attacks that could expose internal IP addresses.

Lastly, regularly updating and patching the web server software can ensure any known vulnerabilities are addressed.
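As a defence-in-depth layer on top of removing the lookup, a servlet filter can buffer each response body and redact any RFC 1918 private IPv4 address before it reaches the client. This is an added example, not code from the original page; the filter name, the `[redacted]` marker and the assumption that handlers write through `getWriter()` (not `getOutputStream()`) are this example's own choices.

```java
import java.io.CharArrayWriter;
import java.io.IOException;
import java.io.PrintWriter;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

// Hypothetical filter (not part of the original page): scrubs private IPv4
// addresses from character responses produced by downstream servlets.
public class InternalIpRedactionFilter implements Filter {
    // RFC 1918 ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
    static final Pattern PRIVATE_IPV4 = Pattern.compile(
        "\\b(?:10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}"
        + "|172\\.(?:1[6-9]|2\\d|3[01])\\.\\d{1,3}\\.\\d{1,3}"
        + "|192\\.168\\.\\d{1,3}\\.\\d{1,3})\\b");

    // Replaces every private address with a fixed marker; "Internal IP: 10.1.2.3"
    // becomes "Internal IP: [redacted]".
    static String redact(String body) {
        return PRIVATE_IPV4.matcher(body).replaceAll("[redacted]");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse httpRes = (HttpServletResponse) res;
        CharArrayWriter buffer = new CharArrayWriter();
        PrintWriter bufferedWriter = new PrintWriter(buffer);
        // Hand the servlet a wrapper whose writer targets our buffer instead of the socket.
        // Assumption: handlers use getWriter(); getOutputStream() bypasses this filter.
        HttpServletResponseWrapper wrapper = new HttpServletResponseWrapper(httpRes) {
            @Override public PrintWriter getWriter() { return bufferedWriter; }
        };
        chain.doFilter(req, wrapper);
        bufferedWriter.flush();
        String cleaned = redact(buffer.toString());
        httpRes.getWriter().write(cleaned);   // only the scrubbed body reaches the client
    }

    @Override public void init(FilterConfig cfg) throws ServletException { }
    @Override public void destroy() { }
}
```

Register the filter on the affected URL pattern in web.xml or via @WebFilter; it does not cover IPv6 or public addresses, so removing the lookup remains the actual fix.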

References