Remote Address Header IP disclosure
Why is the public/private IP present as the value of the Remote Address header?
Why is the IP present when observing the Remote Address header in Developer Tools on Chrome and Edge, or the Host header in Firefox, and can it be masked?
Steps to Reproduce:
Open Developer Tools on your web browser.
Browse to a virtual service.
This IP is obtained when browsing to the target IP itself or when resolving an FQDN within DNS.
Resolution: This is as designed by web browsers and not something that can be changed.
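As an added illustration (not part of the original article or any vendor code), the Python sketch below shows why the value cannot be masked from the server side: the client learns the IP from name resolution and its own TCP connection, and no response header carries it. The loopback server standing in for the virtual service and the names `Handler`, `fetch` and `demo` are assumptions made for the example.

```python
import http.server
import socket
import threading


class Handler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a virtual service; returns a fixed body."""
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Length", "2")
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):  # keep the demo output quiet
        pass


def fetch(host, port):
    """Return (peer_ip, response_header_names) for one GET request."""
    # Resolve first, as a browser does for an FQDN; an IP literal is unchanged.
    family, kind, proto, _, addr = socket.getaddrinfo(
        host, port, socket.AF_INET, socket.SOCK_STREAM)[0]
    with socket.socket(family, kind, proto) as s:
        s.connect(addr)
        peer_ip = s.getpeername()[0]  # known before any HTTP byte is sent
        s.sendall(f"GET / HTTP/1.1\r\nHost: {host}\r\n"
                  "Connection: close\r\n\r\n".encode())
        raw = b""
        while chunk := s.recv(4096):
            raw += chunk
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    names = [line.split(":", 1)[0].lower() for line in head.split("\r\n")[1:]]
    return peer_ip, names


def demo(host="localhost"):
    """Serve on loopback, fetch once, and return fetch()'s result."""
    server = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return fetch(host, server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for target in ("localhost", "127.0.0.1"):
        print(target, demo(target))
```

The peer IP is available as soon as the connection is established, so removing or rewriting response headers on the virtual service has no effect on what Developer Tools displays.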