All the ways you can point to localhost

10/01/2024

#localhost#web security

We all use localhost / 127.0.0.1 for local development; that address belongs to the loopback interface. Another way to point to your own machine is the IPv6 loopback address: http://[::1]:port. A special case is 0.0.0.0, which is not a real host address: it represents all IP addresses on the local machine.

The least known way, however, is to use a single number: 2130706433. It is a simple conversion of the four octets into one decimal value (here in Python):

>>> 127 * (2**24) + 0 * (2**16) + 0 * (2**8) + 1 * (2**0)
2130706433

How can the above be used to exploit a web application? Many applications allow users to paste a URL and then fetch that page server-side (like pingkat.com). If the application doesn't filter out all of these special cases, an attacker could reach some of the internal APIs through it.
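A filter that checks for the literal string "127.0.0.1" misses every other spelling above. The check below, an added example that is not part of the original post, normalizes the host of a submitted URL and recognizes the dotted, decimal, IPv6 and 0.0.0.0 forms; the function names are my own, and DNS resolution of real hostnames is deliberately out of scope.

```python
import ipaddress
from urllib.parse import urlsplit


def dotted_to_decimal(dotted):
    """The conversion shown above: "127.0.0.1" -> 2130706433."""
    octets = [int(o) for o in dotted.split(".")]
    return sum(o << (8 * (3 - i)) for i, o in enumerate(octets))


def is_loopback_target(url):
    """True if the URL's host is loopback (or 0.0.0.0) in any spelling.

    Only literal addresses are examined; a hostname other than "localhost"
    would need a resolver check after DNS resolution, which is not done here.
    """
    host = urlsplit(url).hostname  # strips the [] around IPv6 literals
    if host is None:
        return False
    if host == "localhost":
        return True
    candidate = host
    # Single-number form such as 2130706433: turn it back into a dotted quad.
    if candidate.isdigit():
        n = int(candidate)
        if n > 0xFFFFFFFF:
            return False
        candidate = str(ipaddress.IPv4Address(n))
    try:
        addr = ipaddress.ip_address(candidate)
    except ValueError:
        return False  # not an IP literal; DNS is out of scope for this check
    # IPv4-mapped IPv6 such as ::ffff:127.0.0.1 hides an IPv4 loopback.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return addr.is_loopback or addr.is_unspecified
```

A server-side fetcher should run this kind of check on the final address it actually connects to, after redirects, not just on the URL the user pasted.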
