Technical information leak - Go

Technical information leak - Go

Need

Prevention of unauthorized disclosure of technical information

Context

  • Usage of Go 1.17.1 for building high-performance applications
  • Usage of gin-gonic/gin for building web applications in Go

Description

Non compliant code

        package main

import (
	"github.com/gin-gonic/gin"
)

func main() {
	r := gin.Default()

	r.GET("/version", func(c *gin.Context) {
		c.String(200, "HTTP Server: Gin/1.7.4, Go version: 1.17.1")
	})

	r.GET("/config", func(c *gin.Context) {
		c.String(200, "Configuration: MaxMemory: 128MB, Timeout: 30s")
	})

	r.Run() // listen and serve on 0.0.0.0:8080
}
        
        

The above code is a simple Go application using the Gin framework that exposes two endpoints: /version and /config.

The /version endpoint reveals the version of the Gin framework and Go language used in the server. This kind of information can be exploited by attackers to find potential vulnerabilities that exist in these specific versions.

The /config endpoint exposes specific configuration details of the server such as maximum memory and timeout settings. This kind of information can be used by an attacker to understand the server's limitations and possibly exploit them.

Both endpoints are leaking technical information that should not be publicly accessible.

Steps

  • Remove the endpoints that expose technical information such as system component versions and specific server configuration.
  • Review the codebase to identify any other potential endpoints or areas where technical information may be leaked.
  • Ensure that sensitive information is not included in HTTP headers or service banners.
  • Consider implementing proper access controls to restrict access to sensitive information.
  • Regularly update and patch server components to minimize the risk of information leakage.
  • Implement security best practices and guidelines to prevent information leakage in the future.

Compliant code

        package main

import (
	"github.com/gin-gonic/gin"
)

func main() {
	r := gin.Default()

	r.Run() // listen and serve on 0.0.0.0:8080
}
        
        

The original code had two endpoints, /version and /config, which were exposing sensitive technical information about the server. The /version endpoint was revealing the version of the Gin framework and Go language being used, while the /config endpoint was disclosing specific server configuration details.

In the revised code, these two endpoints have been removed to prevent the leakage of such information. This is a crucial step in mitigating the risk of potential attacks that could exploit known vulnerabilities in the disclosed software versions or take advantage of the revealed configuration details.

It's also important to note that this is just one part of the solution. The entire codebase should be reviewed to identify any other potential areas where technical information may be leaked. Additionally, sensitive information should not be included in HTTP headers or service banners.

Implementing proper access controls can further restrict access to sensitive information. Regular updates and patches to server components can also minimize the risk of information leakage.

Lastly, adhering to security best practices and guidelines can help prevent information leakage in the future. This includes practices such as least privilege, defense in depth, and regular security audits.

References