Technical information leak - Content response
Need
Prevention of unauthorized disclosure of technical information
Context
- Usage of Go 1.16 for developing high-performance and efficient applications
- Usage of gin-gonic/gin for building web applications in Go
Description
Non compliant code
package main
import (
"github.com/gin-gonic/gin"
)
func main() {
r := gin.Default()
r.GET("/", func(c *gin.Context) {
c.String(200, "version: 1.0.0, config: debug mode on")
})
r.Run()
}
This code is vulnerable because it exposes sensitive technical information to the client. When the root route ("/") is accessed, the server responds with a string that includes the version of the software and some configuration details (in this case, that debug mode is on).
This kind of information leakage can be exploited by malicious users to gain insights about the system and potentially find ways to exploit known vulnerabilities in the disclosed software version or configuration.
In the context of HTTP headers, this could also include revealing the server type and version, which can be used by an attacker to exploit known vulnerabilities specific to that server type and version.
In the context of service banners, this could include revealing the exact version of the service, which again can be used to exploit known vulnerabilities.
In the case of server component configuration files like php.ini or web.config, an attacker could gain valuable information about the server setup, like directory paths, database details, etc.
In a nutshell, the code is doing something that is considered a bad practice: revealing too much technical information to the client. This could potentially lead to more serious security vulnerabilities if an attacker is able to use this information to their advantage.
Steps
- Remove the technical information from the response body.
- Avoid exposing sensitive information such as system component versions and configuration details.
- Consider using a custom error message or a generic response instead of providing specific technical information.
- Review and update the code to ensure that only necessary and safe information is exposed in the response.
- Consider implementing proper error handling and logging mechanisms to handle and track technical errors without exposing sensitive information.
Compliant code
package main
import (
"github.com/gin-gonic/gin"
)
func main() {
r := gin.Default()
r.GET("/", func(c *gin.Context) {
c.String(200, "Welcome to our application")
})
r.Run()
}
The updated code removes the technical information from the response body. Instead of exposing the version and configuration details of the application, it now simply returns a generic welcome message. This prevents potential attackers from gaining insights into the system's internals, which could be used to exploit known vulnerabilities or to tailor attacks more effectively.
In the original code, the response to a GET request on the root path ("/") included the version of the application and the fact that debug mode was on. This information is useful for debugging and development, but it should not be exposed in a production environment as it can provide valuable information to an attacker.
The updated code replaces this response with a generic welcome message. This message does not provide any technical information about the system, reducing the risk of information leakage.
In addition to this change, it's recommended to implement proper error handling and logging mechanisms. This allows technical errors to be handled and tracked without exposing sensitive information to the users of the application. This wasn't implemented in the provided code as it's a more complex change and depends on the specifics of the application.