A new open source library designed to thwart server-side request forgery (SSRF) attacks plugs a significant gap in Go developers’ armory, according to its architects.
Safeurl, a one-line drop-in replacement for Go’s native net/http.Client, validates incoming HTTP requests against allow and block lists, as well as defending against DNS rebinding attacks.
“All the heavy work of parsing, validating, and issuing requests is done by the library,” said Doyensec security engineers and Safeurl creators Viktor Chuchurski and Alessandro Cotto in a blog post.
“The library works out-of-the-box with minimal configuration, while providing developers the customizations and filtering options they might need. Instead of fighting to solve application security problems, developers should be free to focus on delivering quality features to their customers.”
SafeCURL inspiration
Chuchurski and Cotto said they wanted to give Go applications the same protection afforded to counterparts written in other languages through SafeCURL and (the identically named but differently capitalized) SafeURL.
“Our clients were asking for recommendations on a Go-specific solution to mitigate [SSRF] attacks,” the pair told The Daily Swig. “There was nothing built specifically for Go so we took on the challenge.”
SSRF exploits involve inducing server-side applications into making requests to unintended locations.
“It is common for modern web applications to make HTTP requests, but a secure implementation can be quite difficult,” continued Chuchurski and Cotto.
“We hope our library will satisfy that need. It was designed with ease of use in mind and protects apps simply with its drop-in default settings.”
Erring on the side of caution
Safeurl blocks all traffic to private or reserved IP addresses by default, as prescribed by RFC1918.
“It’s easier (and safer) to explicitly set allowed destinations, as opposed to having to deal with updating a blocklist in today’s ever-expanding threat landscape,” explained the blog post.
The safeurl.Config can be used to customize the safeurl.Client to set AllowedPorts, AllowedSchemes, AllowedHosts, BlockedIPs, AllowedIPs, AllowedCIDR, BlockedCIDR, IsIPv6Enabled, AllowSendingCredentials, and IsDebugLoggingEnabled.
The open source library allows configuration of HTTP redirects, cookie jar settings, and request timeouts.
DNS rebinding attacks, which exploit mismatches in DNS responses between two or more consecutive HTTP requests, are repelled by performing allow/block list validations on the IP address used to make the HTTP request via Go’s net/dialer package and the Control hook.
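The Control-hook approach described above, as an added Go example rather than Safeurl's own code: because net.Dialer's Control hook receives the already-resolved IP:port immediately before connect, the allow/block check runs on the address that is actually used, so a rebound DNS answer pointing at a private range is rejected. The function names and the set of blocked ranges are assumptions for illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"syscall"
	"time"
)

// isBlockedAddr: private (RFC 1918 / RFC 4193), loopback, link-local
// (covers 169.254.0.0/16) or unspecified. Unmap folds IPv4-mapped IPv6
// (::ffff:10.0.0.1) back to IPv4 first; netip's predicates do not see
// through that encoding on their own. Assumed blocklist for this example.
func isBlockedAddr(addr netip.Addr) bool {
	addr = addr.Unmap()
	return addr.IsPrivate() || addr.IsLoopback() ||
		addr.IsLinkLocalUnicast() || addr.IsUnspecified()
}

// checkDialAddress validates the "ip:port" the dialer is about to connect to.
// Control runs after DNS resolution, so this is the address really used.
func checkDialAddress(address string) error {
	ap, err := netip.ParseAddrPort(address)
	if err != nil {
		return fmt.Errorf("refusing non-IP dial address %q: %w", address, err)
	}
	if isBlockedAddr(ap.Addr()) {
		return fmt.Errorf("dial to reserved address %s blocked", ap.Addr())
	}
	return nil
}

// newSafeClient wires the check into net.Dialer's Control hook, which fires
// for every connection (redirects included), so a rebound DNS answer that
// now points at a private IP is rejected before connect(2).
func newSafeClient() *http.Client {
	d := &net.Dialer{
		Timeout: 5 * time.Second,
		Control: func(_, address string, _ syscall.RawConn) error {
			return checkDialAddress(address)
		},
	}
	return &http.Client{
		Timeout:   10 * time.Second,
		Transport: &http.Transport{DialContext: d.DialContext},
	}
}
```

Use the returned client exactly like a stock http.Client; a request whose hostname resolves into a blocked range fails at dial time with the error from checkDialAddress.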
Swag, gadgets up for grabs
The researchers have created a Capture the Flag (CTF) challenge for Safeurl with “swag and some cool gadgets” on offer to anyone who succeeds.
“We’re confident in our code and the CTF is putting that confidence to the test,” said Chuchurski and Cotto. “It’s a simple web server with an SSRF vulnerability.
“The twist is that the point where the vulnerability is triggered is protected by the ‘safeurl’ library. If anyone is able to find a bypass, they’ll find further instructions.”
Copyright 2021 Associated Press. All rights reserved.
Source: https://portswigger.net/daily-swig/safeurl-http-library-brings-ssrf-protection-to-go-applications