Server-Side Request Forgery (SSRF) in frenchbread/private-ip
Jun 12th 2021
private-ip is an npm module that checks whether an IP address is private, as a way to prevent SSRF attacks. It has nearly 11k+ weekly downloads on npmjs. However, I discovered that an attacker may simply get around this check by constructing a malicious IP.
🕵️‍♂️ Proof of Concept
Payloads: 127.000.000.1, 2130706433, 127.1, 127.0.1
These payloads resolve to a private IP, and the application returns true for each case that I have tested. Here are the test cases on runkit.
An attacker can bypass SSRF protection in any web app where the private-ip npm module is used.
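A defensive check has to read an address the same way the resolver does before comparing it with the private ranges. The following is an added example, not code from private-ip or from its fix: it parses IPv4 text with inet_aton-style rules (1 to 4 parts, decimal, octal or hex, last part filling the remaining bytes) and fails closed on anything it cannot parse. The names `parseIPv4Loose`, `toDotted`, `isBlockedIPv4` and the `BLOCKED` range list are assumptions made for this illustration.

```javascript
// Added example (hypothetical helper names). IPv4 literals only: hostnames
// must be resolved first and the resolved address checked.
function parseIPv4Loose(input) {
  const parts = String(input).trim().split('.');
  if (parts.length > 4) return null;
  const nums = [];
  for (const p of parts) {
    let n;
    if (/^0x[0-9a-f]+$/i.test(p)) n = parseInt(p, 16);        // hex part
    else if (/^0[0-7]*$/.test(p)) n = parseInt(p, 8);         // octal part, "000" is 0
    else if (/^[1-9][0-9]*$/.test(p)) n = parseInt(p, 10);    // decimal part
    else return null; // empty part, sign, "08", letters, ...
    nums.push(n);
  }
  const last = nums.pop();
  // Leading parts are one byte each; the last part covers the bytes left over.
  if (nums.some((n) => n > 0xff)) return null;
  if (last >= 2 ** (8 * (4 - nums.length))) return null;
  let value = last;
  nums.forEach((n, i) => { value += n * 2 ** (8 * (3 - i)); });
  return value; // unsigned 32-bit integer
}

// Canonical dotted-quad form of a 32-bit value.
function toDotted(v) {
  return [24, 16, 8, 0].map((s) => Math.floor(v / 2 ** s) % 256).join('.');
}

// [network, prefix length]: "this network", RFC 1918, CGNAT, loopback, link-local.
const BLOCKED = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
];

function isBlockedIPv4(input) {
  const v = parseIPv4Loose(input);
  if (v === null) return true; // fail closed: unparseable input is never allowed
  return BLOCKED.some(([net, bits]) => {
    const size = 2 ** (32 - bits);
    return Math.floor(v / size) === Math.floor(parseIPv4Loose(net) / size);
  });
}

// The payloads listed on this page all canonicalize to the loopback address.
for (const p of ['127.000.000.1', '2130706433', '127.1', '127.0.1']) {
  console.log(p, '->', toDotted(parseIPv4Loose(p)), 'blocked:', isBlockedIPv4(p));
}
```

Checking the canonical value, and then connecting only to that canonical address, keeps the check and the actual request from disagreeing about which host is meant.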