HIGH dns rebindingginbasic auth

Dns Rebinding in Gin with Basic Auth

Scan for dns rebinding in gin

Dns Rebinding in Gin with Basic Auth — how this specific combination creates or exposes the vulnerability

DNS Rebinding is an application-layer attack that manipulates DNS responses to make a victim’s browser believe a remote host is reachable at an internal IP address. In Gin, a common Go web framework, using HTTP Basic Authentication without additional host validation can allow an attacker to bypass intended network boundaries when DNS Rebinding is combined with Basic Auth.

Consider a Gin endpoint that performs an outbound HTTP request to a user-supplied URL after verifying Basic Auth credentials. If the server does not validate the hostname against a strict allowlist, an attacker can register a domain that initially resolves to a public IP, then switches to an internal IP (such as 127.0.0.1 or 192.168.x.x) after authentication succeeds. Because Gin may treat the request as originating from an authenticated session, the server could forward privileged internal resources to the attacker-controlled IP, effectively exposing internal services to the external client.

In a real scenario, an authenticated admin user triggers a Gin handler that calls http.Get on a URL provided in a query parameter. The handler uses Basic Auth to confirm identity but does not sanitize or resolve the target hostname. An attacker crafts a URL like http://admin:[email protected]/api/fetch. The first DNS query for evil.com returns a public IP, allowing the request to pass authentication and reach the Gin server. Immediately afterward, the attacker’s DNS switches the A record to 127.0.0.1. The Gin server, still operating under the authenticated context, proceeds to make the request to the rebind IP, potentially accessing localhost services that should never be exposed externally.

The interaction between Basic Auth and DNS Rebinding is dangerous because Basic Auth establishes a trusted identity for the session, which Gin may implicitly trust when making secondary outbound calls. Without explicit hostname verification, Gin does not differentiate between an authenticated request and a proxied request to internal infrastructure. This can lead to SSRF-like outcomes where internal endpoints are scanned or exfiltrated through the authenticated channel.

To detect such patterns in practice, scanning tools like middleBrick analyze the unauthenticated attack surface and cross-reference OpenAPI specifications with active checks. For example, if your API spec defines a parameter that accepts a URL, middleBrick examines whether host validation and network isolation are explicitly enforced. In LLM/AI Security testing, probes check for prompt injection and output leakage, but for API endpoints like those in Gin, the focus remains on input validation and whether authentication is used to gate network calls without restricting target hosts.

Basic Auth-Specific Remediation in Gin — concrete code fixes

Defense against DNS Rebinding in Gin when using Basic Auth centers on strict hostname validation and avoiding the use of user-controlled URLs for outbound requests. When Basic Auth credentials are accepted, you must ensure that the authenticated context is not leveraged to reach unintended internal endpoints.

First, avoid passing user-controlled URLs directly to http.Get or http.NewRequest. Instead, use a strict allowlist of domains or IPs. Below is a secure Gin handler example that validates the target host before making an outbound call:

package main

import (
    "fmt"
    "net/http"
    "net/url"
    "strings"

    "github.com/gin-gonic/gin"
)

var allowedHosts = map[string]bool{
    "api.example.com": true,
    "10.0.0.1":        true,
}

func safeFetch(c *gin.Context) {
    rawURL := c.Query("url")
    parsed, err := url.ParseRequestURI(rawURL)
    if err != nil {
        c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{"error": "invalid url"})
        return
    }

    if !allowedHosts[parsed.Host] {
        c.AbortWithStatusJSON(http.StatusForbidden, gin.H{"error": "host not allowed"})
        return
    }

    req, err := http.NewRequest("GET" parsed.String(), nil)
    if err != nil {
        c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"error": "request creation failed"})
        return
    }

    req.SetBasicAuth("user", "password")
    resp, err := http.DefaultClient.Do(req)
    if err != nil {
        c.AbortWithStatusJSON(http.StatusBadGateway, gin.H{"error": "upstream error"})
        return
    }
    defer resp.Body.Close()

    c.String(http.StatusOK, fmt.Sprintf("status: %d", resp.StatusCode))
}

func main() {
    r := gin.Default()
    r.GET("/fetch", safeFetch)
    r.Run()
}

Second, enforce transport-layer controls by binding Basic Auth to specific host headers and rejecting requests where the Host header does not match expected values. You can also disable external outbound calls entirely in environments where such functionality is not required.

When integrating with CI/CD, the GitHub Action can enforce these rules by scanning your Gin API definitions and failing builds if risky patterns are detected. The CLI tool can be used locally to verify that host validation is present in your handlers. For teams using the Pro plan, continuous monitoring alerts you when a new endpoint lacks strict hostname checks, reducing the risk of DNS Rebinding via authenticated contexts.

Scan for dns rebinding in gin Free API security scan

Frequently Asked Questions

Why does Basic Auth make DNS Rebinding more dangerous in Gin handlers?
Basic Auth establishes a trusted identity for the session. If Gin uses that authenticated context to make outbound network calls without hostname validation, an attacker can rebind DNS to internal IPs and the server will forward requests as if they were legitimately authenticated, exposing internal services.
What is the most effective mitigation for DNS Rebinding in Gin with Basic Auth?
The most effective mitigation is strict hostname allowlisting before making any outbound HTTP requests, combined with avoiding user-controlled URLs entirely. Validate the target host against a predefined set of domains or IPs and reject requests that do not match.

Related Pages

Dns Rebinding in GinProtect your Gin applications from Dns Rebinding attacks with specific detection and remediation techniques. Learn how tDns Rebinding with Basic AuthDns Rebinding attacks exploit Basic Auth credential caching across origins. Learn specific detection methods and remediaDns Rebinding in Gin on GcpLearn how DNS rebinding affects Gin on GCP, with concrete Gin middleware and GCP network controls to prevent internal seDns Rebinding in Gin on KubernetesExplore DNS rebinding in Gin on Kubernetes, understand the risk, and apply Kubernetes-specific remediation with concreteDns Rebinding in Gin on AwsExplore DNS Rebinding in Gin on AWS, understand the risks, and apply concrete AWS-aware code fixes in Gin.Dns Rebinding in Gin on FirebaseExplore DNS rebinding in Gin with Firebase, understand risks, and apply concrete code fixes with safe project validationOwasp Api Top 10: Dns Rebinding in GinExplore DNS rebinding risks in Gin APIs under OWASP API Top 10, with Gin-specific remediation patterns and middleware exHipaa: Dns Rebinding in GinExplore DNS rebinding risks in Gin APIs under HIPAA. Learn Gin-specific fixes and see code examples for hostname validatGdpr: Dns Rebinding in GinExplore DNS rebinding risks in Gin services under GDPR, with Gin-specific fixes and code examples for host validation anNist: Dns Rebinding in GinExplore DNS rebinding in Gin applications per NIST guidance, with Gin-specific remediation code examples and practical sDns Rebinding in Gin with DynamodbExplore DNS Rebinding in Gin with DynamoDB, understand the risks, and apply secure coding patterns with concrete Go examDns Rebinding in Gin with CockroachdbExplore DNS rebinding in Gin with Cockroachdb, understand the risks, and apply concrete remediation through strict host