Technical information leak - IPs - Scala

Technical information leak - IPs - Scala

Need

Prevention of internal IP address leakage

Context

  • Usage of Scala for building scalable and functional applications
  • Usage of play.api.mvc for handling HTTP requests and building web applications in Play Framework
  • Usage of java.net.InetAddress for retrieving and manipulating IP addresses

Description

Non compliant code

        import play.api.mvc._

object Application extends Controller {

  def index = Action {
    val ip = java.net.InetAddress.getLocalHost.getHostAddress
    Ok("Server IP: " + ip).as("text/plain")
  }
}
        
        

The above code represents a web server built with Play framework in Scala. When a GET request is made to the root ("/") of the server, it responds with the server's internal IP address.

Here's how it works:

- java.net.InetAddress.getLocalHost.getHostAddress is used to get the local IP address of the server. This is where the server's internal IP address is being leaked.

- Ok("Server IP: " + ip).as("text/plain") sends a response with the server's IP address as plain text.

This code is vulnerable because it exposes the internal IP address of the server. An attacker could use this information to target the server directly, bypassing any security measures that might be in place at a higher level (like a firewall or load balancer). This could lead to unauthorized access, data breaches, or denial of service attacks.

Steps

  • Avoid exposing internal IP addresses in the web page response.
  • Remove the code that retrieves the local host IP address.
  • Consider using a reverse proxy or load balancer to handle client requests and hide the internal IP address of the server.
  • Configure the reverse proxy or load balancer to forward the client's IP address to the backend server.
  • Use a trusted third-party service or library to retrieve the client's IP address from the request headers.
  • Validate and sanitize the client's IP address to prevent any potential injection attacks.
  • Ensure that the response sent to the client does not contain any sensitive information, such as internal IP addresses.

Compliant code

        import play.api.mvc._

object Application extends Controller {

  def index = Action {
    Ok("Welcome to our server").as("text/plain")
  }
}
        
        

The previous version of the code was vulnerable because it was exposing the internal IP address of the server in the response sent to the client. This could potentially be used by an attacker to gain more information about the server and its network, which could be used in further attacks.

The new version of the code removes the line that retrieves the local host IP address and includes it in the response. Instead, it simply sends a generic welcome message to the client. This way, no technical information about the server is leaked.

In addition to modifying the code, it's recommended to use a reverse proxy or load balancer to handle client requests. This can help to hide the internal IP address of the server. The reverse proxy or load balancer can be configured to forward the client's IP address to the backend server, if necessary.

If the client's IP address is needed by the backend server, it's recommended to use a trusted third-party service or library to retrieve it from the request headers. This should be done in a way that validates and sanitizes the IP address to prevent any potential injection attacks.

Finally, it's important to ensure that the response sent to the client does not contain any sensitive information, such as internal IP addresses. This can be done by carefully reviewing the response before it's sent and removing any sensitive information.

References