Dns Rebinding in Echo Go with Basic Auth
Dns Rebinding in Echo Go with Basic Auth — how this specific combination creates or exposes the vulnerability
DNS rebinding is a network-based attack that manipulates DNS responses to make a victim’s browser believe a remote host is reachable at an internal IP address (e.g., 127.0.0.1 or 192.168.x.x). When combined with an Echo Go service protected only by Basic Auth, the attack can bypass protections that rely on IP-based assumptions, because Basic Auth does not prevent rebinding at the network layer.
In Echo Go, a typical setup might use basic authentication middleware to protect an endpoint. Consider the following Basic Auth example in Echo Go:
func basicAuthMiddleware(next echo.HandlerFunc) echo.HandlerFunc {
return func(c echo.Context) error {
user, pass, ok := c.Request().BasicAuth()
if !ok || user != "admin" || pass != "secret" {
return c.String(http.StatusUnauthorized, "unauthorized")
}
return next(c)
}
}
app := echo.New()
auth := app.Group("", basicAuthMiddleware)
auth.GET("/admin", func(c echo.Context) error {
return c.String(http.StatusOK, "admin panel")
})
app.Start(":8080")
An attacker can register a domain (e.g., rebind.example) that initially resolves to a public attacker-controlled server, then quickly switches to 127.0.0.1. If the victim is authenticated (or the Basic Auth credentials are sent automatically by the browser) and visits the attacker’s page, the browser may send the Basic Auth header to the rebound internal endpoint. Although the Basic Auth check runs on the server, the attack shifts the trust boundary: the server assumes that requests reaching it originate from a trusted network, but DNS rebinding circumvents network-level boundaries by exploiting DNS and browser behavior.
In a black-box scan context, middleBrick tests such combinations by probing endpoints with and without authentication while monitoring for internal network exposure via rebinding indicators. The scan checks whether authentication headers are accepted on unexpected origins and whether the service relies solely on Basic Auth without additional origin or IP validation.
Remediation guidance centers on defense-in-depth: do not rely on Basic Auth alone to protect sensitive endpoints; augment with CSRF protections, strict CORS policies, and server-side validation that does not assume a trusted network perimeter.
Basic Auth-Specific Remediation in Echo Go — concrete code fixes
To harden Echo Go services using Basic Auth against DNS rebinding and related threats, apply server-side checks that do not rely on network perimeter assumptions. Below are concrete, working code examples.
1. Validate the Host Header and Origin
Restrict requests to expected hostnames and validate the Origin header to mitigate simple rebinding scenarios where the browser sends credentials to an internal IP after DNS switching.
func secureBasicAuth(next echo.HandlerFunc) echo.HandlerFunc {
return func(c echo.Context) error {
// Validate Host header
host := c.Request().Host
if host != "api.yourdomain.com:8080" {
return c.String(http.StatusForbidden, "invalid host")
}
// Validate Origin for cross-origin requests
origin := c.Request().Header.Get("Origin")
if origin != "https://app.yourdomain.com" {
return c.String(http.StatusForbidden, "invalid origin")
}
user, pass, ok := c.Request().BasicAuth()
if !ok || user != "admin" || pass != "secret" {
return c.String(http.StatusUnauthorized, "unauthorized")
}
return next(c)
}
}
app := echo.New()
auth := app.Group("", secureBasicAuth)
auth.GET("/admin", func(c echo.Context) error {
return c.String(http.StatusOK, "admin panel")
})
app.Start(":8080")
2. Use Anti-CSRF Tokens Alongside Basic Auth
Basic Auth is static per browser session; pairing it with anti-CSRF tokens ensures that requests originate from your intended UI context.
import "github.com/labstack/echo-contrib/session"
func csrfProtected(next echo.HandlerFunc) echo.HandlerFunc {
return func(c echo.Context) error {
s, _ := session.Get("session", c)
token := s.Values["csrf_token"]
if c.Request().Header.Get("X-CSRF-Token") != token {
return c.String(http.StatusForbidden, "invalid csrf token")
}
return next(c)
}
}
// Combine with Basic Auth
authGroup := app.Group("", secureBasicAuth, csrfProtected)
authGroup.POST("/transfer", func(c echo.Context) error {
return c.JSON(http.StatusOK, map[string]string{"status": "ok"})
})
app.Start(":8080")
3. Avoid Sending Basic Auth Over Non-TLS Connections
Always use HTTPS in production; Basic Auth sends credentials in an easily decoded header. Enforce TLS in Echo Go to prevent credential exposure during rebinding or network interception.
func secureTLS(next echo.HandlerFunc) echo.HandlerFunc {
return func(c echo.Context) error {
if !c.Request().TLS.IsHandshakeComplete() {
return c.Redirect(http.StatusMovedPermanently, "https://"+c.Request().Host+c.Request().RequestURI)
}
return next(c)
}
}
app := echo.New()
app.Use(secureTLS)
auth := app.Group("", secureBasicAuth)
auth.GET("/admin", func(c echo.Context) error {
return c.String(http.StatusOK, "admin panel")
})
app.Start(":8080")
These measures reduce the risk that DNS rebinding will successfully exploit Basic Auth–protected endpoints by adding server-side origin validation, anti-CSRF protections, and mandatory encryption.