Cache Poisoning in Gorilla Mux with Hmac Signatures

Cache poisoning occurs when an attacker manipulates a cache key so that malicious content is stored and subsequently served to other users. In Gorilla Mux, a common pattern is to use request metadata such as headers, query parameters, or cookies to build cache keys. When Hmac Signatures are introduced to validate request integrity, a misconfigured key that includes attacker-influenced values can cause the signature to remain valid for different cache entries, leading to cache poisoning.

Consider a scenario where the HMAC is computed over a subset of headers that an attacker can control, such as X-User-Role or a selected query parameter. If the caching layer uses the same input used for the HMAC as part of the cache key, the attacker can craft a request with a valid HMAC but a poisoned path or query that results in a malicious response being cached under a key that appears legitimate. Because Gorilla Mux routes are matched based on path patterns and methods, an attacker might leverage a parameterized route to inject a crafted segment that influences both routing and cache key derivation.

For example, suppose a handler is registered with a path template /api/v1/resource/{id} and the cache key is built from the raw URL and a subset of headers protected by an HMAC. An attacker could supply a valid HMAC for /api/v1/resource/123 but then manipulate the cache key by altering a non-authenticated query parameter such as locale. If the cache treats the combination of authenticated path plus unauthenticated query as a distinct cache entry, the poisoned response for locale=malicious might be stored and later served to users who did not intend that content, without invalidating the HMAC verification.

This combination is particularly risky when upstream caching or CDN logic mirrors the application’s cache key construction without fully understanding the security assumptions behind the Hmac Signatures. The signature may validate integrity of certain headers, but if the cache key includes additional mutable inputs not covered by the signature, an attacker can effectively decouple the integrity check from the cache key, leading to the storage and retrieval of manipulated responses.

In practice, the vulnerability maps to the OWASP API Top 10 category 2023 – Injection and can facilitate information disclosure or cache-based request smuggling when different users receive distinct content under what should be a uniform cached representation.

To mitigate cache poisoning when using Hmac Signatures in Gorilla Mux, ensure the cache key incorporates only those elements that are both authenticated by the HMAC and immutable for the request. Avoid including query parameters or headers in the cache key that are not part of the signature input.

Below is a concrete example of computing an HMAC over selected headers and the request path, then using a normalized key for routing and cache isolation. This ensures the signature and the cache key remain aligned.

import (
    "crypto/hmac"
    "crypto/sha256"
    "encoding/hex"
    "net/http"
    "github.com/gorilla/mux"
)

func computeHmac(requestPath string, headers map[string]string, secret []byte) string {
    h := hmac.New(sha256.New, secret)
    h.Write([]byte(requestPath))
    for _, k := range []string{"X-Request-ID", "X-User-ID"} {
        if v, ok := headers[k]; ok {
            h.Write([]byte(v))
        }
    }
    return hex.EncodeToString(h.Sum(nil))
}

func secureHandler(secret []byte) http.HandlerFunc {
    return func(w http.ResponseWriter, r *http.Request) {
        vars := mux.Vars(r)
        id := vars["id"]
        path := "/api/v1/resource/" + id
        headersToSign := map[string]string{
            "X-Request-ID": r.Header.Get("X-Request-ID"),
            "X-User-ID":    r.Header.Get("X-User-ID"),
        }
        expectedMac := computeHmac(path, headersToSign, secret)
        suppliedMac := r.Header.Get("X-Request-Mac")
        if !hmac.Equal([]byte(expectedMac), []byte(suppliedMac)) {
            http.Error(w, "invalid signature", http.StatusUnauthorized)
            return
        }
        // Use a cache key that excludes non-authenticated query parameters
        cacheKey := path + "|X-Request-ID:" + headersToSign["X-Request-ID"] + "|X-User-ID:" + headersToSign["X-User-ID"]
        // Proceed with request handling, using cacheKey for caching logic
        w.Write([]byte("secure response for " + id))
    }
}

func main() {
    r := mux.NewRouter()
    secret := []byte("super-secret-key-32-bytes-long-for-hmac-sha256")
    r.HandleFunc("/api/v1/resource/{id}", secureHandler(secret)).Methods("GET")
    http.ListenAndServe(":8080", r)
}

Key remediation practices:

• Include in the cache key only the components used to generate the HMAC, such as the canonical path and authenticated headers.
• Do not append unauthenticated query parameters or cookies to the cache key when they are not part of the signature input.
• Normalize header names to lowercase to avoid case-sensitive mismatches that could lead to different cache entries for semantically identical requests.
• Use hmac.Equal for signature comparison to prevent timing attacks.

By tightly coupling the HMAC validation scope with the cache key construction, you reduce the risk of an attacker leveraging header or query manipulation to poison cached responses in Gorilla Mux-based services.