Skip to content

Hardcoded IP Address Vulnerability

What does this mean ?

Hardcoding IP addresses is security-sensitive. Today's services have an ever-changing architecture due to their scaling and redundancy needs. It is a mistake to think that a service will always have the same IP address. When it does change, the hardcoded IP will have to be modified too. This will have an impact on the product development, delivery and deployment:

What can happen ?

The developers will have to do a rapid fix every time this happens, instead of having an operation team change a configuration file. It forces the same address to be used in every environment (dev, sys, qa, prod). Last but not least it has an effect on application security. Attackers might be able to decompile the code and thereby discover a potentially sensitive address. They can perform a Denial of Service attack on the service at this address or spoof the IP address. Such an attack is always possible, but in the case of a hardcoded IP address the fix will be much slower, which will increase an attack's impact.

Recommendation

Don't hard-code the IP address in the source code, instead make it configurable.

Sample Code

Vulnerable :

var ip = "192.168.12.42";
var address = IPAddress.Parse(ip);

Non Vulnerable :

var ip = ConfigurationManager.AppSettings["myapplication.ip"];
var address = IPAddress.Parse(ip);

Vulnerable :

String ip = "192.168.12.42"; // Sensitive
Socket socket = new Socket(ip, 6667);

Non Vulnerable :

String ip = System.getenv("IP_ADDRESS"); // Compliant
Socket socket = new Socket(ip, 6667);

Vulnerable :

$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
socket_connect($socket, '8.8.8.8', 23);  // Sensitive

Non Vulnerable :

$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
socket_connect($socket, IP_ADDRESS, 23);  // Compliant

References