In crowd under Administration > Trusted proxy servers, we have added some of the IP address of the applications which are integrated with Crowd.
When our team work on security testing of Crowd application then testing reports an issue where Private IP addresses are getting diclosed on this URL. As it is a threat for comapny infrastructure because discovering the private addresses used within an organization can help an attacker in carrying out network-layer attacks aiming to penetrate the organization's internal infrastructure.
Can anyone please let me know if we have any other way to provide these machine names under "Trusted Proxy Servers" link? For an example : can we provide domain name there or any other solution?
I'm sorry to say that at the moment I believe the only option is to list te IP addresses of the proxies under the Trusted Proxies section as these are required for Crowd to correctly parse the header and understand that the packets have been forwarded by a known and trusted proxy. Unfortunately I don't believe it would be possible to change this without physically modifying the source code of the application to change how it handles the entire trusted proxies functionlaity and I'm not aware of any other workaround you could implement to mitigate against the IP addresses being exposed to people who have access to the Trusted Proxies section.
All the best,
Badges are a great way to show off community activity, whether you’re a newbie or a Champion.Learn more
Meet @Dinesh Dhinakaran, @Vishnu Vasudeva, @Rajeev Verma, and Jamshid Nalakath: Our extraordinary AUG leaders from Bengaluru, India. These four work together to strengthen the bonds of their local co...
Connect with like-minded Atlassian users at free events near you!Find a group
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no AUG chapters near you at the moment.Start an AUG
You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs