
Enabled default configuration

Need

Disable default configurations to prevent unauthorized access and information disclosure

Context

  • Usage of Go 1.16 for building efficient and scalable applications
  • Usage of gin-gonic/gin for building web applications and APIs in Go

Description

Non compliant code

package main

import "github.com/gin-gonic/gin"

func main() {
	// gin.Default() attaches Gin's Logger and Recovery middleware
	r := gin.Default()
	// Placeholder page left on the root route
	r.GET("/", func(c *gin.Context) {
		c.String(200, "This is the default page!")
	})
	r.Run() // listen and serve on 0.0.0.0:8080 (for windows "localhost:8080")
}

The above code is a simple Go server built with the Gin framework. It listens on 0.0.0.0:8080, that is, on every network interface of the host, and the problem is the handler registered for the root route ("/").

Any GET request to "/" is answered with status 200 and the placeholder text "This is the default page!". Nothing in the application needs this page; it is the kind of fill-in-later default content that ends up being shipped as is.

This is a weakness because the placeholder tells anyone who reaches the root URL that a freshly set up, unconfigured service is listening there, which is exactly what attackers scanning address ranges look for. Default pages are also a convenient fingerprint: they reveal the framework and the stage of deployment, and each such detail narrows the search for a working attack.

The server should not expose technical information or serve a default page to anonymous users. The root route should either return a generic 404 error or redirect to the application's login page.

Steps

  • Disable the default page in the server configuration.
  • Remove or modify the handler for the root route ('/') to return a custom error page or redirect to a different route.
  • Ensure that sensitive server information is not exposed in error messages or headers.

Compliant code

package main

import "github.com/gin-gonic/gin"

func main() {
	r := gin.Default()
	// The root route no longer serves a placeholder page; it answers with a generic 404
	r.GET("/", func(c *gin.Context) {
		c.String(404, "Page not found!")
	})
	r.Run() // listen and serve on 0.0.0.0:8080 (for windows "localhost:8080")
}

The above code fixes the issue by removing the placeholder page. A request to the root route ('/') now receives a 404 status code and the generic message "Page not found!", which tells an attacker nothing about the framework, the deployment stage or what else the application serves.

gin.Default() creates a router with Gin's Logger and Recovery middleware. r.GET() registers the handler for GET requests on the root route ('/'), and that handler now writes a 404 status code together with "Page not found!". Requests to any other unregistered path still fall through to Gin's built-in 404 response; a single r.NoRoute() handler can be used to give all unmatched routes the same generic answer.

r.Run() starts the HTTP server on 0.0.0.0:8080, i.e. on every network interface, not only on localhost. The "localhost:8080" in the comment is the address to type into a browser on Windows, not a different bind address. If the service should only be reachable locally, pass an explicit address such as r.Run("127.0.0.1:8080").

Remember to always ensure that sensitive server information is not exposed in error messages or headers. This includes the server version, the technology stack used, and any internal IP addresses or file paths. With Gin this also means running in release mode in production (GIN_MODE=release or gin.SetMode(gin.ReleaseMode)): gin.Default() otherwise starts in debug mode, which is meant for development only.
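The following is an added example, not code from the page above or from the Gin project, that applies the three steps listed earlier (no default page, a generic answer for everything unmatched, no technical detail in error responses) in one runnable server. It is written against Go's standard net/http so that it runs without the Gin dependency; the Gin equivalents are r.NoRoute() for the catch-all handler, the Recovery middleware that gin.Default() already installs for the panic handling, and r.Run("127.0.0.1:8080") for the bind address. The /healthz endpoint and the LISTEN_ADDR environment variable are assumptions made for the illustration, not part of the original page.

```go
package main

import (
	"log"
	"net/http"
	"os"
	"time"
)

// notFound is the single handler used for every path the application does not
// explicitly serve. It returns a fixed, generic body: no framework name, no
// echoed request path, no hint about what else exists on the server.
func notFound(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.WriteHeader(http.StatusNotFound)
	_, _ = w.Write([]byte("not found\n"))
}

// recoverPanics turns an unexpected panic into a bare 500. The panic value goes
// to the server log only; the client never sees file paths or Go internals.
func recoverPanics(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		defer func() {
			if rec := recover(); rec != nil {
				log.Printf("panic serving %s %s: %v", r.Method, r.URL.Path, rec)
				http.Error(w, "internal server error", http.StatusInternalServerError)
			}
		}()
		next.ServeHTTP(w, r)
	})
}

// newRouter builds the application's routes. Note what is missing: there is no
// placeholder handler on "/". The mux's catch-all pattern "/" is given to
// notFound, so unknown paths (the root included) never reach a default page.
func newRouter() http.Handler {
	mux := http.NewServeMux()

	// The only real endpoint this hypothetical service exposes (assumed name).
	mux.HandleFunc("/healthz", func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodGet {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		w.Header().Set("Content-Type", "text/plain; charset=utf-8")
		_, _ = w.Write([]byte("ok\n"))
	})

	// Catch-all: everything else, "/" included, gets the same generic 404.
	mux.HandleFunc("/", notFound)

	return recoverPanics(mux)
}

func main() {
	// Bind to loopback unless an address is given explicitly. LISTEN_ADDR is an
	// assumed, hypothetical variable for this example. The Gin sample on the page
	// binds 0.0.0.0:8080, i.e. every interface, which a first deployment rarely needs.
	addr := os.Getenv("LISTEN_ADDR")
	if addr == "" {
		addr = "127.0.0.1:8080"
	}
	srv := &http.Server{
		Addr:              addr,
		Handler:           newRouter(),
		ReadHeaderTimeout: 5 * time.Second,
	}
	log.Printf("listening on %s", addr)
	log.Fatal(srv.ListenAndServe())
}
```

Run it and request "/" or any unregistered path: the answer is a plain 404 with the body "not found", and a handler panic produces "internal server error" while the detail stays in the server log. Go's net/http sets no Server header on its own, so nothing in these responses identifies the stack.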
