In Play / JavaScript / SSRF.js:
When the security tests run on the platform, I see “Test router IP and return 400.” What “router IP” is supposed to be tested? Are you referring to the standard router IPs of private addressing?
Hey @jmwalk, yes exactly. Private subnet (e.g. 192.168.X.1, …)
TIP: Have a read through SecDim's 2nd defensive programming principle, in particular the Fourth Data Security Property, where it recommends using official libraries for IP parsing where possible and avoiding regex.
@Pedram, thank you for the guidance.
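To illustrate the tip above about parsing IPs with an official library instead of regex, here is an added example (not part of the original posts and not the lab's or SecDim's code) that uses Node's built-in `URL` parser and `net.BlockList` to answer 400 for private addresses. The helper name `statusForTarget`, the range list and the sample URLs are assumptions made for this example.

```javascript
"use strict";
const net = require("node:net"); // Node's built-in IP parser and range matcher

// Internal ranges refused by this example (constructed list, extend as needed).
const internal = new net.BlockList();
internal.addSubnet("0.0.0.0", 8, "ipv4");      // "this network"
internal.addSubnet("10.0.0.0", 8, "ipv4");     // RFC 1918
internal.addSubnet("172.16.0.0", 12, "ipv4");  // RFC 1918
internal.addSubnet("192.168.0.0", 16, "ipv4"); // RFC 1918, e.g. 192.168.X.1 routers
internal.addSubnet("127.0.0.0", 8, "ipv4");    // loopback
internal.addSubnet("169.254.0.0", 16, "ipv4"); // link-local
internal.addAddress("::1", "ipv6");            // IPv6 loopback
internal.addSubnet("fc00::", 7, "ipv6");       // IPv6 unique local
internal.addSubnet("fe80::", 10, "ipv6");      // IPv6 link-local

// Hypothetical helper: HTTP status the handler should answer with for a
// user-supplied URL (400 = refuse, 200 = allowed to fetch).
function statusForTarget(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl); // WHATWG parser canonicalises the host for us
  } catch {
    return 400; // not a parseable URL
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return 400;

  // IPv6 literals come back as "[::1]"; drop the brackets before parsing.
  let host = url.hostname;
  if (host.startsWith("[") && host.endsWith("]")) host = host.slice(1, -1);

  const family = net.isIP(host); // 4, 6, or 0 when host is not an IP literal
  if (family === 0) {
    // Simplification: names are refused. A real handler would resolve the name
    // and run every returned address through the same check before connecting.
    return 400;
  }
  return internal.check(host, family === 6 ? "ipv6" : "ipv4") ? 400 : 200;
}

// Constructed sample inputs.
for (const u of ["http://192.168.0.1/", "http://[::1]:8080/", "http://203.0.113.10/"]) {
  console.log(u, "->", statusForTarget(u));
}
```

Because the host is canonicalised by the URL parser before the range check, hex or decimal spellings of the same IPv4 address are matched as well, which a regex over the raw string would not do.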