
Hardcoded IP Address Vulnerability

What does this mean?

Hardcoding an IP address in source code is a security and maintainability risk. Because of scalability and redundancy requirements, the architecture of today's services changes constantly, so it is a misconception that a service will always keep the same IP address. When the address does change, every hardcoded copy of it must be updated as well, which affects product development, delivery, and deployment.

What can happen?

Instead of an operations team editing a configuration file, developers will have to ship a quick fix every time this happens. It also forces the same address to be used in all environments (dev, sys, QA, prod). Finally, it affects application security: attackers may decompile the code and uncover a potentially sensitive address, which they can then use to launch a Denial of Service attack or to spoof the IP address. Such an attack is always conceivable, but with a hardcoded IP address the fix will be significantly slower to deploy, increasing the impact of the risk.

Recommendation

Make the IP address configurable (read from a configuration file or an environment variable) rather than hard-coded in the source code.

Sample Code

Vulnerable (C#):

var ip = "192.168.12.42"; // Sensitive: address embedded in the code
var address = IPAddress.Parse(ip);

Non Vulnerable (C#):

// Compliant: address comes from the appSettings section of the configuration file
var ip = ConfigurationManager.AppSettings["myapplication.ip"];
var address = IPAddress.Parse(ip);

Vulnerable (Java):

String ip = "192.168.12.42"; // Sensitive
Socket socket = new Socket(ip, 6667);

Non Vulnerable (Java):

String ip = System.getenv("IP_ADDRESS"); // Compliant: address comes from the environment
Socket socket = new Socket(ip, 6667);

Vulnerable (PHP):

$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
socket_connect($socket, '8.8.8.8', 23);  // Sensitive

Non Vulnerable (PHP):

$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
// Compliant: IP_ADDRESS is a constant whose value is loaded from configuration, not written in the code
socket_connect($socket, IP_ADDRESS, 23);

Vulnerable (JavaScript / Node.js):

const net = require('net');

const ip = "192.168.22.32"; // Vulnerable: address embedded in the code

const client = new net.Socket();
client.connect(80, ip, () => {
    // ...
});

Non Vulnerable (JavaScript / Node.js):

const net = require('net');

const ip = process.env.IP_ADDRESS; // Non Vulnerable: address comes from the environment

const client = new net.Socket();
client.connect(80, ip, () => {
    // ...
});
