Use of an insecure channel - Go

Use of an insecure channel - Go

Need

Secure transmission of sensitive information

Context

  • Usage of Go 1.16 for building high-performance and scalable applications
  • Usage of gin-gonic/gin for building web applications and APIs in Go

Description

Non compliant code

        package main

import (
	"github.com/gin-gonic/gin"
)

func main() {
	r := gin.Default()

	r.GET("/unsecuredData", func(c *gin.Context) {
		c.String(200, "This is unsecured data")
	})

	r.Run(":8080") // listen and serve on 0.0.0.0:8080
}
        
        

The above code is a simple HTTP server using the Gin framework in Go. It has a single route /unsecuredData that responds with a string "This is unsecured data".

The vulnerability in this code is that it sends data over an unsecured channel. The server is not using HTTPS, which means data transmitted between the client and server is not encrypted. This can lead to potential data leaks and eavesdropping by attackers.

In the r.Run(":8080") line, the server is started on port 8080 using HTTP, not HTTPS. This means that all data sent to and from this server is sent in plain text over the network.

The route /unsecuredData is an example of data that is sent over this unsecured channel. When a client makes a GET request to this route, the server responds with a string that is sent over the network in plain text.

This is a serious vulnerability and can lead to sensitive data being exposed to attackers. To fix this vulnerability, the server should be configured to use HTTPS, which encrypts all data sent between the client and server.

Steps

  • Implement secure communication by using HTTPS instead of HTTP.
  • Obtain an SSL/TLS certificate for the server to enable HTTPS.
  • Configure the server to use the SSL/TLS certificate for secure communication.
  • Redirect all HTTP requests to HTTPS to ensure all communication is encrypted.
  • Ensure that the server enforces the use of secure communication for all routes and endpoints.
  • Test the application thoroughly to ensure that all communication is secure.

Compliant code

        package main

import (
	"github.com/gin-gonic/gin"
	"log"
	"net/http"
	"golang.org/x/crypto/acme/autocert"
)

func main() {
	r := gin.Default()

	r.GET("/securedData", func(c *gin.Context) {
		c.String(http.StatusOK, "This is secured data")
	})

	log.Fatal(autocert.ListenAndServe(":443", "yourdomain.com", nil))
}
        
        

The above code is a fixed version of the original code that was vulnerable due to the use of an insecure channel for data transmission. The fixed code now uses HTTPS for secure communication.

Here's a breakdown of the changes:

1. Import the necessary packages: log, net/http, and golang.org/x/crypto/acme/autocert. The autocert package provides automatic access to certificates from Let's Encrypt and any other ACME-based CA.

2. Change the route from /unsecuredData to /securedData to reflect the secure nature of the data transmission.

3. Replace c.String(200, "This is unsecured data") with c.String(http.StatusOK, "This is secured data") to reflect the secure nature of the data transmission.

4. Replace r.Run(":8080") with log.Fatal(autocert.ListenAndServe(":443", "yourdomain.com", nil)). This starts the server on port 443 (the default port for HTTPS) and uses the autocert package to automatically obtain a certificate from Let's Encrypt. Replace "yourdomain.com" with your actual domain.

Please note that you need to have control over the domain you specify in the ListenAndServe function, as the ACME protocol (which Let's Encrypt uses) validates domain ownership before issuing certificates.

After these changes, all data transmitted through the /securedData route will be encrypted using HTTPS, thus fixing the original vulnerability.

References