path: root/doc/user/application_security/dast/checks/200.1.md
Diffstat (limited to 'doc/user/application_security/dast/checks/200.1.md')
-rw-r--r--doc/user/application_security/dast/checks/200.1.md29
1 files changed, 29 insertions, 0 deletions
diff --git a/doc/user/application_security/dast/checks/200.1.md b/doc/user/application_security/dast/checks/200.1.md
new file mode 100644
index 00000000000..98a482b4a0f
--- /dev/null
+++ b/doc/user/application_security/dast/checks/200.1.md
@@ -0,0 +1,29 @@
+---
+stage: Secure
+group: Dynamic Analysis
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
+---
+
+# Exposure of sensitive information to an unauthorized actor (private IP address)
+
+## Description
+
+A private RFC 1918 was identified in the target application. Public facing websites should not be issuing
+requests to private IP Addresses. Attackers attempting to execute subsequent attacks, such as Server-Side
+Request Forgery (SSRF), may be able to use this information to identify additional internal targets.
+
+## Remediation
+
+Identify the resource that is incorrectly specifying an internal IP address and replace it with it's public
+facing version, or remove the reference from the target application.
+
+## Details
+
+| ID | Aggregated | CWE | Type | Risk |
+|:---|:--------|:--------|:--------|:--------|
+| 200.1 | true | 200 | Passive | Low |
+
+## Links
+
+- [CWE](https://cwe.mitre.org/data/definitions/200.html)
+- [RFC](https://datatracker.ietf.org/doc/html/rfc1918)
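Review bot: the first sentence of the Description in this hunk is missing its noun: `+A private RFC 1918 was identified in the target application.` should read `A private RFC 1918 IP address was identified in the target application.` Two smaller wording fixes in the same file: in the Remediation, `it's` should be `its` (`replace it with its public facing version`), and `IP Addresses` in the Description should be lower-case `IP addresses`. The Description also says public facing websites "should not be issuing requests to private IP Addresses", but the Details table marks this as a Passive check, which observes an address disclosed in the application's content rather than a request the server makes; consider "Public facing websites should not disclose private IP addresses", which also matches the Remediation's wording about a resource that references an internal address.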