Dns Rebinding in Echo Go with Cockroachdb
Dns Rebinding in Echo Go with Cockroachdb — how this specific combination creates or exposes the vulnerability
DNS Rebinding is a network-based attack that can bypass same-origin policies and access internal services. In an Echo Go application that exposes a Cockroachdb HTTP endpoint (for example, a status or admin interface), an attacker can use DNS Rebinding to make the server believe an internal address is reachable through a public domain. When the Echo Go server performs HTTP requests to the hostname provided by the client—such as when proxying database status calls or fetching configuration—it may follow the rebind to an internal Cockroachdb HTTP service that is not intended to be exposed.
The vulnerability emerges when the Echo Go application does not validate or restrict the hostname used for outgoing HTTP calls to Cockroachdb. If the application resolves a user-supplied hostname once and then uses the resulting IP for communication, DNS Rebinding can cause the second resolution to point to a private IP (e.g., 127.0.0.1 or a Cockroachdb listener on 26257 with an HTTP gateway). Because the Echo Go runtime does not re-validate the IP after the DNS refresh, the request may reach the internal Cockroachdb instance. This can expose administrative endpoints or allow unauthenticated actions if the Cockroachdb HTTP interface is accessible from the application’s network namespace.
In a typical deployment, Cockroachdb’s HTTP endpoints (such as the /_status/vars or admin UI when enabled) are bound to localhost or a private network interface. An Echo Go service that acts as a proxy or health aggregator might inadvertently allow a remote attacker to reach these endpoints via crafted DNS responses. The attack chain relies on the Echo Go service making outbound HTTP calls using a hostname controlled by the client, without ensuring that the resolved target is not a private or loopback address. Because the scan testing in middleBrick evaluates unauthenticated attack surfaces, it can detect whether endpoint definitions allow outbound paths to internal services when user-influenced hostnames are used.
To identify this class of issue, security scans check whether the application’s HTTP client follows redirects or retries using different IPs after an initial DNS lookup, and whether network boundaries are enforced. Without strict hostname pinning or IP validation, the Echo Go service can be used as a pivot to reach Cockroachdb interfaces that should remain isolated. middleBrick’s checks for SSRF and unsafe consumption patterns highlight cases where user-influenced URLs or hostnames can lead to internal network exposure, including interactions with database management endpoints.
Remediation focuses on ensuring that any hostname used to reach Cockroachdb is validated before use. Do not allow arbitrary user input to dictate the target host for HTTP calls to database services. When the Echo Go application must communicate with Cockroachdb, use explicit configuration for host and port, and avoid runtime resolution of attacker-controlled values. Network-level controls and service mesh policies can further reduce the risk, but code-level validation remains the primary defense.
Cockroachdb-Specific Remediation in Echo Go — concrete code fixes
Secure the interaction between Echo Go and Cockroachdb by enforcing strict hostname allowlists and avoiding dynamic resolution of user-provided values. The following examples show how to implement safe HTTP calls to Cockroachdb’s admin or status endpoints in an Echo Go service.
1. Use a fixed configuration for Cockroachdb endpoints
Define the Cockroachdb target host and port in configuration or environment variables at startup, and use that value for all outbound requests. This prevents runtime changes to the target host.
// config.go
package config
type CockroachConfig struct {
Host string
Port int
}
// main.go
func loadConfig() config.CockroachConfig {
// Use environment variables set by deployment, not user input.
host := os.Getenv("COCKROACH_HOST")
if host == "" {
host = "127.0.0.1"
}
port := 8080
if p := os.Getenv("COCKROACH_PORT"); p != "" {
if v, err := strconv.Atoi(p); err == nil {
port = v
}
}
return config.CockroachConfig{Host: host, Port: port}
}
2. Validate hostnames and IPs before making requests
Implement a dialer or HTTP transport that rejects private and loopback addresses unless explicitly allowed in a trusted environment. This prevents an attacker from causing the Echo Go service to connect to 127.0.0.1 or internal IPs after a DNS rebind.
// secure_transport.go
package main
import (
"context"
"fmt"
"net"
"net/http"
"net/url"
"strings"
)
func isPrivateIP(ipStr string) bool {
ip := net.ParseIP(ipStr)
if ip == nil {
return false
}
return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast()
}
func safeRoundTripper(req *http.Request) error {
// Ensure the host is not an IP and is explicitly allowed.
host := req.URL.Hostname()
if ip := net.ParseIP(host); ip != nil {
if isPrivateIP(host) {
return fmt.Errorf("blocked private IP: %s", host)
}
}
// Optionally enforce an allowlist of DNS names.
allowedHosts := map[string]bool{
"localhost": true,
"cockroachdb.example.com": true,
}
if !allowedHosts[host] {
return fmt.Errorf("hostname not allowed: %s", host)
}
return nil
}
func makeCockroachRequest(cfg config.CockroachConfig, dbName string) (*http.Response, error) {
endpoint := fmt.Sprintf("http://%s:%d/_status/vars", cfg.Host, cfg.Port)
req, err := http.NewRequestWithContext(context.Background(), "GET", endpoint, nil)
if err != nil {
return nil, err
}
if err := safeRoundTripper(req); err != nil {
return nil, err
}
client := &http.Client{}
return client.Do(req)
}
3. Use the official Cockroachdb Go client for database operations
For database interactions, prefer the Cockroachdb Go client (which uses the PostgreSQL wire protocol) instead of making HTTP calls to admin endpoints. This removes the risk of SSRF via HTTP-based management interfaces.
// dbclient.go
package main
import (
"context"
"fmt"
"github.com/cockroachdb/cockroach-go/v2/crdb"
"github.com/jackc/pgx/v4"
)
func queryCockroach(ctx context.Context) error {
connStr := "postgresql://[email protected]:26257/defaultdb?sslmode=disable"
conn, err := pgx.Connect(ctx, connStr)
if err != nil {
return fmt.Errorf("failed to connect: %w", err)
}
defer conn.Close(ctx)
var version string
err = crdb.ExecuteTx(ctx, conn, nil, func(tx pgx.Tx) error {
return tx.QueryRow(ctx, "SELECT version()").Scan(&version)
})
if err != nil {
return fmt.Errorf("query failed: %w", err)
}
fmt.Println("Cockroachdb version:", version)
return nil
}
4. Enforce network policies and service mesh controls
Even with code-level checks, deploy network policies that prevent the Echo Go pods from initiating connections to Cockroachdb except on the required ports. Combine this with mTLS where applicable to ensure that only authorized services can reach the database endpoints.
5. Use middleBrick to validate remediation
After applying fixes, run a middleBrick scan against your public endpoints to confirm that no SSRF path remains to Cockroachdb HTTP interfaces. The dashboard and CLI output will highlight unresolved exposures and map findings to frameworks such as OWASP API Top 10 and SOC2.