Dns Rebinding in Echo Go with Bearer Tokens

DNS rebinding is a network-level attack that manipulates DNS responses to make a victim’s browser believe a malicious host shares an origin with a trusted service. When combined with an Echo Go service that uses Bearer tokens for authorization, the attack can bypass same-origin protections and expose authenticated endpoints to a malicious resolver or rogue access point.

In Echo Go, routing and middleware are typically configured to validate authorization headers on each request. If an endpoint accepts a Bearer token but does not sufficiently validate the request’s network origin, a DNS rebinding sequence can cause the client to send credentials to a domain that later resolves to an internal address (e.g., 127.0.0.1 or a corporate service). Because the token is included automatically by the browser, the request appears legitimate to the Echo Go service, even though the network path has been manipulated.

This risk is especially relevant when an Echo Go service accepts Authorization headers like Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 and does not enforce referrer or origin checks. An attacker can register a domain (example.evil.com), serve a page that loads resources from a victim’s authenticated Echo Go domain (app.example.com), and then switch the DNS target to an internal IP. The victim’s browser will send the Bearer token to the rebinding endpoint, and the Echo Go service may treat the request as valid due to token presence, not network context.

To illustrate, consider an Echo Go handler that relies solely on Bearer token validation without additional network or context checks:

package main

import (
	"net/http"

	"github.com/labstack/echo/v4"
)

func main() {
	e := echo.New()
	e.Use(middleware.JWTWithConfig(middleware.JWTConfig{
		SigningKey:    []byte("secret"),
		TokenLookup:   "header:Authorization",
		AuthScheme:    "Bearer",
	}))
	e.GET("/profile", func(c echo.Context) error {
		return c.JSON(http.StatusOK, map[string]string{"message": "profile"})
	})
	e.Logger.Fatal(e.Start(":8080"))
}

In this setup, if the token is extracted from the Authorization header but the handler does not validate the request’s source IP, referrer, or host header, an attacker can leverage DNS rebinding to make cross-origin requests appear authenticated. The vulnerability is not in token handling itself, but in the lack of origin validation in conjunction with token acceptance.

Because middleBrick tests unauthenticated attack surfaces, it can surface such misconfigurations by analyzing how the API behaves across network boundaries and header combinations, even without access to valid tokens. The scanner checks for missing host and referrer validation when authentication headers are present, which is critical for mitigating DNS rebinding in Echo Go services that rely on Bearer tokens.

Remediation centers on ensuring that Bearer token validation is paired with strict origin and referrer checks, and that the server does not implicitly trust rebindable network paths. Below are concrete, safe patterns for Echo Go that reduce DNS rebinding risk while preserving proper authentication.

First, explicitly validate the Origin and Referer headers in your middleware or handler to ensure requests originate from expected sources:

package main

import (
	"net/http"
	"strings"

	"github.com/labstack/echo/v4"
)

func secureMiddleware(next echo.HandlerFunc) echo.HandlerFunc {
	return func(c echo.Context) error {
		origin := c.Request().Header.Get("Origin")
		referer := c.Request().Header.Get("Referer")
		allowedOrigin := "https://app.example.com"
		allowedReferer := "https://app.example.com/profile"

		if origin != allowedOrigin || !strings.HasPrefix(referer, allowedReferer) {
			return echo.NewHTTPError(http.StatusForbidden, "invalid origin or referer")
		}
		return next(c)
	}
}

func main() {
	e := echo.New()
	e.Use(secureMiddleware)
	e.Use(middleware.JWTWithConfig(middleware.JWTConfig{
		SigningKey:  []byte("secret"),
		TokenLookup: "header:Authorization",
		AuthScheme:  "Bearer",
	}))
	e.GET("/profile", func(c echo.Context) error {
		return c.JSON(http.StatusOK, map[string]string{"message": "profile"})
	})
	e.Logger.Fatal(e.Start(":8080"))
}

This approach ensures that even if a Bearer token is presented, the request must also pass origin and referer validation, which DNS rebinding cannot satisfy when the attacker’s controlled domain differs from the allowed origin.

Second, avoid using the Host header for routing decisions when tokens are involved. Instead, bind authentication strictly to the expected service domain and use explicit routing:

package main

import (
	"net/http"

	"github.com/labstack/echo/v4"
)

func main() {
	e := echo.New()
	e.Use(middleware.JWTWithConfig(middleware.JWTConfig{
		SigningKey:    []byte("secret"),
		TokenLookup:   "header:Authorization",
		AuthScheme:    "Bearer",
		ContextKey:    "user",
		ValidateFunc: func(token string) error {
			// Perform token validation without relying on Host
			return nil
		},
	}))

	// Explicit route registration; avoid wildcard hosts
	e.GET("/*", func(c echo.Context) error {
		c.Response().Header().Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
		return c.Next()
	})

	e.Logger.Fatal(e.StartTLS(":8443", &tls.Config{
		MinVersion: tls.VersionTLS12,
	}))
}

Additionally, configure your DNS and hosting environment so that internal services are not exposed via public DNS records that can be targeted for rebinding. Use private networking and firewall rules to ensure that internal IPs are not reachable from external clients, which complements the application-level mitigations.

By combining these practices—Bearer token validation with strict origin checks, explicit routing, and network segregation—you can significantly reduce the attack surface for DNS rebinding in Echo Go services. middleBrick’s scans can help verify that these controls are in place by detecting missing referrer/origin validation and improperly exposed endpoints during its unauthenticated assessment.