Insecure HTTP methods enabled - Go

Insecure HTTP methods enabled - Go

Need

Restriction of insecure HTTP methods

Context

  • Usage of Go 1.16 for building high-performance and scalable applications
  • Usage of gin-gonic/gin for building web applications and APIs in Go

Description

Non compliant code

        package main

import "github.com/gin-gonic/gin"

func main() {
    r := gin.Default()

    r.PUT("/put", func(c *gin.Context) {
        c.String(200, "PUT endpoint")
    })

    r.DELETE("/delete", func(c *gin.Context) {
        c.String(200, "DELETE endpoint")
    })

    r.TRACE("/trace", func(c *gin.Context) {
        c.String(200, "TRACE endpoint")
    })

    r.Run() // listen and serve on 0.0.0.0:8080
}
        
        

In the provided code snippet, we have a simple server setup using the Gin framework in Go. The server has three endpoints
- "/put", "/delete", and "/trace"
- which correspond to the HTTP methods PUT, DELETE, and TRACE respectively.

The PUT method is used to update a resource completely through a specific resource URL. If a new resource is created, it can be problematic as it allows an attacker to create a new resource that shouldn't exist.

The DELETE method is used to delete a resource specified by a particular URL. If this HTTP method is enabled, it can be dangerous as it allows an attacker to delete resources.

The TRACE method is used for diagnostic purposes. If this HTTP method is enabled, it can be used to perform Cross-Site Tracing (XST) attacks, which can compromise the user's session cookies.

In conclusion, enabling these HTTP methods without proper security controls can expose the server to a variety of attacks. It is recommended to disable these methods or implement adequate security measures to protect the server and its resources.

Steps

  • Disable or restrict the use of insecure HTTP methods such as TRACE, PUT, and DELETE.
  • Review the application's requirements and determine if these methods are necessary.
  • If these methods are not required, remove the corresponding route handlers.
  • If these methods are required, ensure that proper authorization and validation checks are implemented to prevent unauthorized access or misuse.
  • Consider implementing additional security measures such as rate limiting or request validation to protect against potential attacks.
  • Regularly update and patch the application and its dependencies to address any known vulnerabilities.

Compliant code

        package main

import "github.com/gin-gonic/gin"

func main() {
    r := gin.Default()

    // Removed PUT, DELETE, TRACE methods

    r.Run() // listen and serve on 0.0.0.0:8080
}
        
        

The original code had HTTP methods such as TRACE, PUT, and DELETE enabled on the server. These methods can potentially allow an attacker to include and/or delete files, or perform cross-site tracing attacks.

The updated code removes these methods, thus mitigating the risk of such attacks. If these methods are necessary for your application, you should implement proper authorization and validation checks to prevent unauthorized access or misuse.

In addition, consider implementing additional security measures such as rate limiting or request validation to protect against potential attacks. Regularly update and patch the application and its dependencies to address any known vulnerabilities.

References