Server-Side Request Forgery (SSRF) in frenchbread/private-ip
Reported on Mar 30th 2021
✍️ Description
Private-ip is an NPM module used to check whether an input IP address is private, so that applications can reject such addresses and prevent SSRF attacks. It has ~12k downloads every week on NPM.
However, I found that by crafting a malicious IP, an attacker can easily bypass this check.
🕵️‍♂️ Proof of Concept
First test case - 127.0.0.1: the module returns true and correctly identifies it as a private IP:
var privateIp = require("private-ip");
console.log('Testing 127.0.0.1');
console.log(privateIp('127.0.0.1')); // returns true
Bypass - 127.0.0.01: prepending a '0' to the 4th octet, for example, is enough to bypass the check. The module returns false, so the filter/regex is bypassed, yet if you ping 127.0.0.01 it resolves to 127.0.0.1, i.e. localhost:
var privateIp = require("private-ip");
console.log('Testing 127.0.0.01');
console.log(privateIp('127.0.0.01')); // returns false
💥 Impact
This can be used to bypass SSRF filters in any application that relies on this NPM module to block requests to private addresses.
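The root cause of the bypass above is that the filter compares the string form of the address, while the host resolver accepts non-canonical forms such as a leading zero in an octet. The following is an added example, written for this write-up and not code from the report or the private-ip project, of a fail-closed check: it only accepts canonical dotted-decimal IPv4 literals (four octets, 0-255, no leading zeros), converts them to a 32-bit integer, and tests them against private and special-use CIDR ranges. Anything that does not parse canonically is treated as blocked rather than "normalised", so the filter never has to guess how the resolver will interpret an odd spelling. The range list and the sample inputs are constructed for the example.

```javascript
// Added example (not from the report or the private-ip project): a
// fail-closed private-address check for IPv4 that rejects non-canonical
// literals such as "127.0.0.01" instead of trying to interpret them.

// Canonical dotted-decimal IPv4: exactly four decimal octets, each 0-255,
// with no leading zeros (so "01", "0x7f", "2130706433" are all rejected).
const CANONICAL_IPV4 =
  /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/;

// Ranges an SSRF filter normally wants to block (constructed list for the
// example; extend it to match your own deployment).
const BLOCKED_RANGES = [
  '0.0.0.0/8',       // "this" network
  '10.0.0.0/8',      // RFC 1918
  '127.0.0.0/8',     // loopback
  '169.254.0.0/16',  // link-local (cloud metadata endpoints live here)
  '172.16.0.0/12',   // RFC 1918
  '192.168.0.0/16',  // RFC 1918
];

// Parse a canonical IPv4 string into an unsigned 32-bit integer.
// Returns null for anything that is not canonical; callers must treat
// null as "unsafe", never as "not private".
function parseCanonicalIPv4(ip) {
  if (typeof ip !== 'string' || !CANONICAL_IPV4.test(ip)) return null;
  return ip
    .split('.')
    .reduce((acc, octet) => ((acc << 8) | Number(octet)) >>> 0, 0);
}

// True when the 32-bit address `addr` falls inside the CIDR block `cidr`.
function inCidr(addr, cidr) {
  const [base, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  const baseAddr = parseCanonicalIPv4(base);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((addr & mask) >>> 0) === ((baseAddr & mask) >>> 0);
}

// Fail-closed decision: blocked if the literal is in a blocked range OR if
// it is not a canonical IPv4 literal at all. The report's bypass string
// "127.0.0.01" therefore ends up blocked even though it never matches a
// range, because it never parses.
function isBlockedAddress(ip) {
  const addr = parseCanonicalIPv4(ip);
  if (addr === null) return true;
  return BLOCKED_RANGES.some((cidr) => inCidr(addr, cidr));
}

// Constructed sample inputs: the report's two test cases plus range edges.
const SAMPLES = [
  '127.0.0.1',      // loopback            -> blocked
  '127.0.0.01',     // non-canonical       -> blocked (fails to parse)
  '10.1.2.3',       // RFC 1918            -> blocked
  '172.31.255.255', // last address of /12 -> blocked
  '172.32.0.1',     // just outside /12    -> allowed
  '8.8.8.8',        // public              -> allowed
];
for (const ip of SAMPLES) {
  console.log(`${ip} -> ${isBlockedAddress(ip) ? 'blocked' : 'allowed'}`);
}
```

Note that a string check like this only covers the literal handed to the filter; a hostname that later resolves to a private address, or a redirect to one, still needs the resolved address checked at connection time with the same fail-closed rule.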