Play / JavaScript / SSRF.js

In Play / JavaScript / SSRF.js:

When the security tests run on the platform, I see “Test router IP and return 400.” What “router IP” is supposed to be tested? Are you referring to the standard router IPs of private addressing?

1 Like

Hey @jmwalk, yes exactly. Private subnet (e.g. 192.168.X.1, …)

TIP: Have a read through SecDim's 2nd defensive programming principle, in particular the Fourth Data Security Property, where it recommends using official libraries for IP parsing where possible and avoiding regex.

1 Like

@Pedram, thank you for the guidance.

1 Like