Cors Wildcard in Gorilla Mux
How CORS Wildcard Manifests in Gorilla Mux
CORS wildcard configurations in Gorilla Mux applications create critical security vulnerabilities when developers use overly permissive * origins. In Gorilla Mux, this typically appears when developers call HandleFunc or Handle without proper CORS middleware, or when they apply a wildcard CORS policy globally to all routes.
router := mux.NewRouter()
router.HandleFunc("/api/users/{id}", getUser).Methods("GET")
router.Use(middleware.CORS(cors.AllowAll())) // ❌ Wildcard CORS
The most dangerous manifestation occurs when API endpoints handling sensitive data—like user profiles, account details, or administrative functions—are exposed to any origin. An attacker can host malicious JavaScript on any domain that makes authenticated requests to your Gorilla Mux API, exploiting the browser's CORS mechanism to exfiltrate data.
Gorilla Mux's routing flexibility makes this particularly insidious. Developers often create route groups for different API versions or services:
apiV1 := router.PathPrefix("/api/v1").Subrouter()
apiV1.HandleFunc("/users/{id}", getUser).Methods("GET")
apiV1.Use(middleware.CORS(cors.AllowAll())) // ❌ Affects all v1 endpoints
Cross-origin attacks in this context can include: credential forwarding where browsers automatically include cookies or auth headers, timing attacks that probe for valid user IDs, and combined with other vulnerabilities like BOLA (Broken Object Level Authorization), complete account takeover becomes possible.
The wildcard policy becomes especially problematic in development environments that accidentally get promoted to production, or when microservices architectures use Gorilla Mux for internal APIs that should never be exposed externally but inherit permissive CORS policies.
Gorilla Mux-Specific Detection
Detecting CORS wildcard issues in Gorilla Mux requires examining both the middleware chain and the actual runtime behavior. Start by inspecting your middleware stack:
router := mux.NewRouter()
// Check what middleware is applied
for _, m := range router.Middlewares() {
fmt.Printf("Middleware: %T\n", m)
}
Look for CORS middleware implementations that use wildcard origins. Common patterns include:
// Problematic patterns
cors.AllowAll()
cors.New(cors.Options{
AllowedOrigins: []string{"*"},
AllowCredentials: true, // Especially dangerous
})
middleBrick's scanner specifically identifies these Gorilla Mux CORS configurations by analyzing the HTTP response headers during scanning. It looks for:
Access-Control-Allow-Origin: *combined withAccess-Control-Allow-Credentials: true- Wildcard policies on routes handling sensitive data (user profiles, admin endpoints)
- Inconsistent CORS policies across related endpoints
- Missing CORS headers on endpoints that should have them
The scanner tests actual CORS behavior by making cross-origin requests from different domains and analyzing the browser's preflight response. For Gorilla Mux applications, it specifically checks if the wildcard policy applies to authenticated endpoints that should be origin-restricted.
middleBrick also correlates CORS findings with other API security issues. A wildcard CORS policy combined with BOLA vulnerabilities creates a much higher risk score than either issue alone, as it enables remote exploitation scenarios.
Gorilla Mux-Specific Remediation
Remediating CORS wildcard issues in Gorilla Mux requires implementing origin-specific policies and proper middleware configuration. The most secure approach uses a whitelist of allowed origins:
allowedOrigins := []string{
"https://yourdomain.com",
"https://app.yourservice.com",
}
corsMiddleware := middleware.CORS(cors.New(cors.Options{
AllowedOrigins: allowedOrigins,
AllowedMethods: []string{"GET", "POST", "PUT", "DELETE"},
AllowedHeaders: []string{"Content-Type", "Authorization"},
AllowCredentials: true,
Debug: false,
}))
router := mux.NewRouter()
router.Use(corsMiddleware)
For applications with multiple API groups or versions, apply CORS policies at the appropriate router level:
apiV1 := router.PathPrefix("/api/v1").Subrouter()
apiV1.Use(corsMiddleware) // Apply to specific group
admin := router.PathPrefix("/admin").Subrouter()
admin.Use(corsMiddleware) // Different policy for admin
Gorilla Mux's AllowedOriginValidator function provides dynamic origin validation for complex scenarios:
corsMiddleware := middleware.CORS(cors.New(cors.Options{
AllowedOriginValidator: func(origin string) bool {
// Custom validation logic
allowed := regexp.MustCompile(`^(https://)([a-zA-Z0-9-]+\.)?yourdomain\.com$`).MatchString(origin)
return allowed
},
AllowedMethods: []string{"GET", "POST"},
AllowCredentials: true,
}))
For development environments, use environment-specific configurations:
func getCorsMiddleware() middleware.CORS {
if os.Getenv("ENV") == "production" {
return middleware.CORS(cors.New(cors.Options{
AllowedOrigins: []string{"https://yourdomain.com"},
AllowCredentials: true,
}))
}
return middleware.CORS(cors.New(cors.Options{
AllowedOrigins: []string{"http://localhost:3000", "http://dev.yourservice.com"},
AllowCredentials: true,
}))
}
middleBrick's GitHub Action can automatically scan your Gorilla Mux application in CI/CD pipelines, failing builds if wildcard CORS policies are detected on sensitive endpoints. This ensures CORS misconfigurations never reach production.
Related CWEs: dataExposure
| CWE ID | Name | Severity |
|---|---|---|
| CWE-200 | Exposure of Sensitive Information | HIGH |
| CWE-209 | Error Information Disclosure | MEDIUM |
| CWE-213 | Exposure of Sensitive Information Due to Incompatible Policies | HIGH |
| CWE-215 | Insertion of Sensitive Information Into Debugging Code | MEDIUM |
| CWE-312 | Cleartext Storage of Sensitive Information | HIGH |
| CWE-359 | Exposure of Private Personal Information (PII) | HIGH |
| CWE-522 | Insufficiently Protected Credentials | CRITICAL |
| CWE-532 | Insertion of Sensitive Information into Log File | MEDIUM |
| CWE-538 | Insertion of Sensitive Information into Externally-Accessible File | HIGH |
| CWE-540 | Inclusion of Sensitive Information in Source Code | HIGH |