Prevention of unauthorized access to directory listings
package main

import (
	"github.com/gin-gonic/gin"
	"net/http"
)

func main() {
	r := gin.Default()
	// http.Dir serves every file under "public" and lets the underlying
	// http.FileServer list any directory that has no index.html.
	r.StaticFS("/public", http.Dir("public"))
	// Listen and serve on 0.0.0.0:8080
	r.Run(":8080")
}
This is a simple Go application using the Gin framework. It serves static files from the "public" directory on the server.

The line r.StaticFS("/public", http.Dir("public")) is where the vulnerability lies. http.Dir exposes the whole "public" tree over HTTP: anyone who knows or guesses the name of a file in it can fetch it at "http://[your-server's-ip]:8080/public/[filename]". For genuinely public assets that is the intended behaviour. The problem is what happens when a directory rather than a file is requested. The http.FileServer that StaticFS wraps looks for an index.html in that directory; if there is none, it generates an HTML page listing every file and subdirectory, so navigating to "http://[your-server's-ip]:8080/public/" (or to any subdirectory without an index.html) enumerates the contents. This is known as a directory listing vulnerability: the attacker no longer has to guess file names, and stray backups, configuration files or uploads that ended up in the directory are revealed, potentially disclosing sensitive information or opening up further avenues for attack.
package main

import (
	"github.com/gin-gonic/gin"
	"net/http"
)

func main() {
	r := gin.Default()
	// gin.Dir(root, false) still serves individual files but stops
	// http.FileServer from listing the contents of a directory.
	r.StaticFS("/public", gin.Dir("public", false))
	// Generic 404 for every path that no registered route matches.
	r.NoRoute(func(c *gin.Context) {
		c.JSON(http.StatusNotFound, gin.H{"message": "Not Found"})
	})
	// Listen and serve on 0.0.0.0:8080
	r.Run(":8080")
}
The original code was vulnerable to directory listing: an attacker could request a directory under /public, receive a list of every file in it and then download each one. This is a serious security risk because stray files in a served directory (backups, database dumps, configuration) frequently contain sensitive information.

The updated code replaces http.Dir("public") with gin.Dir("public", false). gin.Dir returns an http.FileSystem; with listDirectory set to false it prevents the underlying http.FileServer from enumerating directory contents, so a request for "/public/" or any subdirectory no longer reveals what is stored there, while requests for individual files continue to work as before. This is the same file system that r.Static("/public", "./public") uses internally, so that one-liner is an equivalent fix. Note that the NoRoute handler only runs for paths that match no registered route. It is a sensible default for unknown URLs, but on its own it does not change what StaticFS serves, so it cannot be relied on to suppress listings. Dropping an index.html into every served directory also hides the listing, but it is fragile: one missing file silently re-enables it.

In addition to the code fix, keep only genuinely public assets in the served directory and never write backups, logs or uploads into it; restrict access to sensitive paths with proper access controls; scan the application regularly for directory listing and keep dependencies patched; consider a web application firewall (WAF) to detect and block listing attempts; and educate developers about the risk so that file-serving code gets reviewed with it in mind.
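To make the mechanism visible outside Gin, here is an added example using only the Go standard library; it is not code from this page or from the Gin project. It builds a constructed in-memory file tree (the names and contents are made up), serves it once through a plain http.FileSystem and once through a hypothetical wrapper named noDirFS that refuses to open directories, and records the status each variant returns for the directory URLs and for a file. gin.Dir(root, false) pursues the same goal with a different internal technique (it hides the directory entries rather than rejecting the directory), so its exact response for a directory URL differs, but the observable effect, no listing, is the same.

```go
package main

import (
	"fmt"
	"io/fs"
	"net/http"
	"net/http/httptest"
	"testing/fstest"
)

// noDirFS (hypothetical name) wraps an http.FileSystem and refuses to open
// directories. http.FileServer therefore never reaches its listing code and
// answers 404 for directory URLs, while plain files are served unchanged.
type noDirFS struct {
	inner http.FileSystem
}

func (n noDirFS) Open(name string) (http.File, error) {
	f, err := n.inner.Open(name)
	if err != nil {
		return nil, err
	}
	info, err := f.Stat()
	if err != nil {
		f.Close()
		return nil, err
	}
	if info.IsDir() {
		f.Close()
		// fs.ErrNotExist is what http.FileServer maps to "404 page not found".
		return nil, fs.ErrNotExist
	}
	return f, nil
}

// sampleFS is a constructed in-memory stand-in for the "public" directory;
// the file names and contents are invented for this example.
var sampleFS = fstest.MapFS{
	"logo.txt":           {Data: []byte("public asset\n")},
	"backup/db-dump.sql": {Data: []byte("-- constructed sample, not real data\n")},
}

// newHandler mounts sampleFS under /public, with or without directory listings.
func newHandler(allowListing bool) http.Handler {
	var root http.FileSystem = http.FS(sampleFS)
	if !allowListing {
		root = noDirFS{inner: root}
	}
	return http.StripPrefix("/public/", http.FileServer(root))
}

// get performs an in-process GET and returns the status code and body.
func get(h http.Handler, path string) (int, string) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code, rec.Body.String()
}

func main() {
	paths := []string{"/public/", "/public/backup/", "/public/backup/db-dump.sql"}
	for _, allow := range []bool{true, false} {
		h := newHandler(allow)
		for _, p := range paths {
			code, body := get(h, p)
			fmt.Printf("listing=%-5v GET %-27s -> %d, %d bytes\n", allow, p, code, len(body))
		}
	}
}
```

With listings allowed, both "/public/" and "/public/backup/" come back as 200 with an HTML page that names "backup/" and "db-dump.sql"; with the wrapper in place both directory URLs return 404 while "/public/backup/db-dump.sql" is still served with status 200. Returning fs.ErrNotExist rather than a custom error matters: http.FileServer turns unrecognised errors into a 500, and a 500 on every directory URL is a tell an attacker can use to map the tree.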