Safely use Go language in web programming
The article was written for developers who are beginning to master the Go programming language in order to meet their safe code requirements for writing web applications. The article describes possible vulnerabilities that can be left by web programmers, as well as ways to fix it either using standard libraries or using third-party solutions that have already shown themselves.
The Go programming language is a fairly young programming language — developed by Google in 2007 and officially introduced in 2009. Programmers really liked this language: compiled, multi-threaded, structured and imperative. It is used by companies such as Microsoft, GitHub, Cloudflare, Heroku, Vkontakte, Mail.Ru. Immediately after the release of the language, libraries and tools that help in developing on Go appeared and continue to be created. Libraries for protecting web applications also appeared among these tools. Many libraries, written by individual developers, are also built into the standard set of libraries.
We give the most typical methods of attacks on sites and the main ways to avoid them or at least minimize these threats:
I would like to make an overview of the tools to protect against these types of attacks.
')
Sessions are a clear target for a hacker, since they can be used to access a web server without the need for authentication. And it turns out that not competent implementation of the sessions may expose your entire service. If you decide to use sessions on your web service, then the gorilla library is useful to you. Session Gorilla's helps to cope with the storage of your cookies on the server, as well as simply transfer unique tokens. In addition, the SecureCookie library may be useful. Such secure cookies cannot be tampered with, because their values ​​are checked using the HMAC.
Recently, JSON WebTokens technology is also very often used. This will help you library jwt-go . Read more about JWT in Go here .
Now consider the fight against intersite request forgery or CSRF attacks on the site. A CSRF attack is performed on an authorized user of a web application using a vulnerability in this application. For example, an attacker could force (with the help of a letter a link) to transfer a user to a specially prepared site that performs some kind of malicious operation (for example, transferring money to an attacker’s account or changing a password). To carry out this attack, the victim must be authenticated on the server where the request is sent. To prevent a CSRF attack, generate a special secret key and save it to the user session and, based on this secret key, create a token according to a specific rule. The token is made so that, on the one hand, it is different from the key (in particular, there can be many tokens for one key), on the other, to make it easy to check by token whether it is generated based on this key or not. In 2015, researcher Mikhail Firstov stumbled upon a similar vulnerability on the Yota website. Recently, finding csrf vulnerabilities on many Microsoft services brought in $ 13,000 to a British researcher . This suggests that developers are still poorly solve this problem and not always competently.
This task in Go does the NoSurf library very well. For an example of the library, we give the program code.
As you can see, based on the request context, a token is formed, which is subsequently inserted into the required fields and headers.
Source code html document:
When you try to change the token in the request form, the server returns the error number 400 BadRequest.
I also found a similar GojiCSRF library. It works out of the box immediately with SecureCookie and generates tokens 32 bytes long. It works only with requests that can modify data and does not work with secure http methods (GET, HEAD, OPTIONS, TRACE).
Almost the same, but only in the simplified mode, allows the standard Go XSRFtoken library to be generated. It has only two functions - funcGenerate and funcValid, as well as the ability to set the token lifetime.
An XSS attack or cross-site scripting is a type of attack on a web system, consisting of embedding a malicious code page into a web-page. The most famous example is the hijacking of user cookies by an attacker.
In this case, quite good, in my opinion, libraries with consonant titles have been written. This is blackfriday and bluemonday . Libraries are quickly configured and conveniently run. They can work both together and separately. He gave a sample code of a simple program that receives a string from the console, escapes certain characters, and some simply overwrites. I took a few examples of JS scripts that can be used to implement an attack. An example of the program is shown in the screenshot below, the filtered sequence is displayed between the tags
Program Code:
The output of the work of the two libraries together:
And if you don’t want to use third-party libraries, then Go out of the box contains a couple of useful functions contained in the html / template package:
• funcHTMLEscape (w io.Writer, b [] byte) sends to w version b replacing potentially dangerous characters with their escape sequences.
• funcHTMLEscapeString (s string) string returns version s, replacing potentially dangerous characters with their escape sequences.
• funcHTMLEscaper (args ... interface {}) string forms a string from a set of arguments, replacing potentially dangerous characters with escape sequences.
Also, your input parameters can easily “clean” Sanitizing . On the githaba of this library there is a fairly complete test with input from the same OWASP .
There is also an attack known as Clickjacking . The clickjacking attack (Clickjacking) allows a hacker to click on the victim site “on behalf of the visitor”, also known as a substitution of the user interface. Thus, a hacker can come up with various scenarios and, for example, transfer money from your mobile bank to his account in just a couple of clicks. Strangely enough, such vulnerabilities are still found even in DBO remote banking systems , although it would seem that banking systems should be protected much better than regular web applications.
Also for protection, it is recommended to attach the X-Frame-Options header to each response of your server. Now all modern browsers support the X-Frame-Options header. It allows or denies displaying the page if it is open in a frame. The header can have three values:
• SAMEORIGIN - Rendering a document, when opened in a frame, is performed only if the top (top) document is from the same domain.
• DENY - Rendering a document within a frame is prohibited.
• ALLOW-FROM domain - Allows rendering if an external document from this domain (not supported in Safari, Firefox).
An example of the implementation of adding the response header in Go.
Secure - a small layer for easy configuration of the secure parameters of your service. Secure can work with a large number of frameworks, as well as with the standard net / http package.
SQl-injection is one of the most common ways to hack websites and programs that work with databases, based on the introduction of arbitrary SQL- code into a query.
In Go, you can use parameterized queries or as they also call prepared expressions. which help to avoid some problems with SQL-injection.
You can also use regular expression filtering. In this case, we use a working link containing only numbers in id and uid. An example of how Go can do this beautifully.
We use shielding of certain characters. For example, a single quote.
The output of the program. It is seen that the symbol "'" is replaced by a sequence of characters "'".
But you also should not forget that when implementing sql-injection we don’t have to have a quotation mark. The variable vuln1 just contains the given string and, passing through the EscapeString function, does not change at all.
SafeSQL
SafeSQL is a static code analyzer for Go that allows you to find SQL injections.
Despite the fact that Go is a fairly new programming language, the community is growing rapidly and implements basic solutions that are found in almost every project. Including solutions based on web application security. The article discussed ways to avoid SQL-injection, CSRF, XSS, Clickjacking. The considered methods are not a panacea for complete web application security. But help to solve most of the fundamental problems associated with information security.
https://learn.javascript.ru/csrf
https://nvisium.com/blog/2014/11/26/developing-secure-applications-with/
https://astaxie.gitbooks.io/build-web-application-with-golang/content/en/09.1.html
https://learn.javascript.ru/clickjacking
http://0xdabbad00.com/2015/04/18/go_code_auditing/
http://dghubble.com/blog/posts/json-web-tokens-and-go/
The Go programming language is a fairly young programming language — developed by Google in 2007 and officially introduced in 2009. Programmers really liked this language: compiled, multi-threaded, structured and imperative. It is used by companies such as Microsoft, GitHub, Cloudflare, Heroku, Vkontakte, Mail.Ru. Immediately after the release of the language, libraries and tools that help in developing on Go appeared and continue to be created. Libraries for protecting web applications also appeared among these tools. Many libraries, written by individual developers, are also built into the standard set of libraries.
We give the most typical methods of attacks on sites and the main ways to avoid them or at least minimize these threats:
- Predictable session identifier value (Credential / Session Prediction).
- Cross-site request forgery (CSRF).
- Cross-site Scripting (XSS).
- Clickjacking
- Implementation of SQL statements (SQL Injection).
I would like to make an overview of the tools to protect against these types of attacks.
')
Protect session and cookie correctly
Sessions are a clear target for a hacker, since they can be used to access a web server without the need for authentication. And it turns out that not competent implementation of the sessions may expose your entire service. If you decide to use sessions on your web service, then the gorilla library is useful to you. Session Gorilla's helps to cope with the storage of your cookies on the server, as well as simply transfer unique tokens. In addition, the SecureCookie library may be useful. Such secure cookies cannot be tampered with, because their values ​​are checked using the HMAC.
Recently, JSON WebTokens technology is also very often used. This will help you library jwt-go . Read more about JWT in Go here .
CSRF
Now consider the fight against intersite request forgery or CSRF attacks on the site. A CSRF attack is performed on an authorized user of a web application using a vulnerability in this application. For example, an attacker could force (with the help of a letter a link) to transfer a user to a specially prepared site that performs some kind of malicious operation (for example, transferring money to an attacker’s account or changing a password). To carry out this attack, the victim must be authenticated on the server where the request is sent. To prevent a CSRF attack, generate a special secret key and save it to the user session and, based on this secret key, create a token according to a specific rule. The token is made so that, on the one hand, it is different from the key (in particular, there can be many tokens for one key), on the other, to make it easy to check by token whether it is generated based on this key or not. In 2015, researcher Mikhail Firstov stumbled upon a similar vulnerability on the Yota website. Recently, finding csrf vulnerabilities on many Microsoft services brought in $ 13,000 to a British researcher . This suggests that developers are still poorly solve this problem and not always competently.
This task in Go does the NoSurf library very well. For an example of the library, we give the program code.
As you can see, based on the request context, a token is formed, which is subsequently inserted into the required fields and headers.
Source code html document:
When you try to change the token in the request form, the server returns the error number 400 BadRequest.
I also found a similar GojiCSRF library. It works out of the box immediately with SecureCookie and generates tokens 32 bytes long. It works only with requests that can modify data and does not work with secure http methods (GET, HEAD, OPTIONS, TRACE).
Almost the same, but only in the simplified mode, allows the standard Go XSRFtoken library to be generated. It has only two functions - funcGenerate and funcValid, as well as the ability to set the token lifetime.
Xss
An XSS attack or cross-site scripting is a type of attack on a web system, consisting of embedding a malicious code page into a web-page. The most famous example is the hijacking of user cookies by an attacker.
In this case, quite good, in my opinion, libraries with consonant titles have been written. This is blackfriday and bluemonday . Libraries are quickly configured and conveniently run. They can work both together and separately. He gave a sample code of a simple program that receives a string from the console, escapes certain characters, and some simply overwrites. I took a few examples of JS scripts that can be used to implement an attack. An example of the program is shown in the screenshot below, the filtered sequence is displayed between the tags
<p></p> Program Code:
The output of the work of the two libraries together:
And if you don’t want to use third-party libraries, then Go out of the box contains a couple of useful functions contained in the html / template package:
• funcHTMLEscape (w io.Writer, b [] byte) sends to w version b replacing potentially dangerous characters with their escape sequences.
• funcHTMLEscapeString (s string) string returns version s, replacing potentially dangerous characters with their escape sequences.
• funcHTMLEscaper (args ... interface {}) string forms a string from a set of arguments, replacing potentially dangerous characters with escape sequences.
Also, your input parameters can easily “clean” Sanitizing . On the githaba of this library there is a fairly complete test with input from the same OWASP .
Clickjacking
There is also an attack known as Clickjacking . The clickjacking attack (Clickjacking) allows a hacker to click on the victim site “on behalf of the visitor”, also known as a substitution of the user interface. Thus, a hacker can come up with various scenarios and, for example, transfer money from your mobile bank to his account in just a couple of clicks. Strangely enough, such vulnerabilities are still found even in DBO remote banking systems , although it would seem that banking systems should be protected much better than regular web applications.
Also for protection, it is recommended to attach the X-Frame-Options header to each response of your server. Now all modern browsers support the X-Frame-Options header. It allows or denies displaying the page if it is open in a frame. The header can have three values:
• SAMEORIGIN - Rendering a document, when opened in a frame, is performed only if the top (top) document is from the same domain.
• DENY - Rendering a document within a frame is prohibited.
• ALLOW-FROM domain - Allows rendering if an external document from this domain (not supported in Safari, Firefox).
An example of the implementation of adding the response header in Go.
Secure - a small layer for easy configuration of the secure parameters of your service. Secure can work with a large number of frameworks, as well as with the standard net / http package.
SQL injection
SQl-injection is one of the most common ways to hack websites and programs that work with databases, based on the introduction of arbitrary SQL- code into a query.
In Go, you can use parameterized queries or as they also call prepared expressions. which help to avoid some problems with SQL-injection.
You can also use regular expression filtering. In this case, we use a working link containing only numbers in id and uid. An example of how Go can do this beautifully.
We use shielding of certain characters. For example, a single quote.
The output of the program. It is seen that the symbol "'" is replaced by a sequence of characters "'".
But you also should not forget that when implementing sql-injection we don’t have to have a quotation mark. The variable vuln1 just contains the given string and, passing through the EscapeString function, does not change at all.
SafeSQL
SafeSQL is a static code analyzer for Go that allows you to find SQL injections.
Conclusion
Despite the fact that Go is a fairly new programming language, the community is growing rapidly and implements basic solutions that are found in almost every project. Including solutions based on web application security. The article discussed ways to avoid SQL-injection, CSRF, XSS, Clickjacking. The considered methods are not a panacea for complete web application security. But help to solve most of the fundamental problems associated with information security.
References
https://learn.javascript.ru/csrf
https://nvisium.com/blog/2014/11/26/developing-secure-applications-with/
https://astaxie.gitbooks.io/build-web-application-with-golang/content/en/09.1.html
https://learn.javascript.ru/clickjacking
http://0xdabbad00.com/2015/04/18/go_code_auditing/
http://dghubble.com/blog/posts/json-web-tokens-and-go/
Source: https://habr.com/ru/post/308088/
All Articles