Open Redirect in Gorilla Mux with Basic Auth

An Open Redirect in a Gorilla Mux router can be exposed or amplified when Basic Authentication is used in a way that leaks the validated target URL or mishandles the redirect flow. In a typical configuration, a route may capture a destination parameter (e.g., destination) and use http.Redirect to forward the user. If the parameter is used without strict validation, an attacker can supply a malicious external URL.

When Basic Auth wraps the handler, the presence of credentials can create a false sense of security, leading developers to assume the endpoint is safe because authentication is required. However, authentication does not prevent an authenticated user from being redirected to a malicious site. If the handler does not verify that the target URL is relative or belongs to a strict allowlist, the authenticated session can be abused to phish users or facilitate social engineering by leveraging the browser’s built-in credentials popup or session cookies.

Moreover, if the Basic Auth credentials are passed via URL query parameters or headers that are inadvertently reflected, the combination of redirect and exposed credentials can lead to credential leakage. For example, a misconfigured middleware may log or echo the Authorization header, and when combined with an open redirect, an attacker could craft a URL that both leaks credentials and directs the user to a malicious site. This pattern is especially risky when the redirect URL is taken from request headers such as Referer or from query parameters without canonicalization, allowing an attacker to bypass simple prefix checks.

To mitigate Open Redirect in a Gorilla Mux router with Basic Auth, validate the target URL strictly and avoid using user-supplied values directly. Prefer relative paths for redirects, or enforce an allowlist of permitted hosts. Below is a secure example that uses a relative path and a host allowlist to prevent open redirects while preserving Basic Auth for access control.

package main

import (
	"net/http"
	"strings"

	"github.com/gorilla/mux"
)

var allowedHosts = map[string]bool{
	"app.example.com": true,
	"dashboard.example.com": true,
}

func safeRedirectHandler(w http.ResponseWriter, r *http.Request) {
	// Basic Auth is expected; reject if missing or invalid
	user, pass, ok := r.BasicAuth()
	if !ok || !validateCredentials(user, pass) {
		http.Error(w, "Unauthorized", http.StatusUnauthorized)
		return
	}

	// Extract destination safely; prefer a controlled internal flow
	destination := r.URL.Query().Get("to")
	if destination == "" {
		http.Error(w, "Missing target", http.StatusBadRequest)
		return
	}

	// Ensure destination is relative or host is explicitly allowed
	if !strings.HasPrefix(destination, "/") {
		// Parse and validate host if a full URL is provided
		host := extractHost(destination)
		if !allowedHosts[host] {
			http.Error(w, "Forbidden redirect target", http.StatusForbidden)
			return
		}
	}

	// Safe redirect using http.Redirect
	http.Redirect(w, r, destination, http.StatusFound)
}

func validateCredentials(user, pass string) bool {
	// Replace with secure credential validation (e.g., constant-time compare)
	return user == "admin" && pass == "securepass"
}

func extractHost(urlStr string) string {
	// Simplified extraction; in production, use net/url with proper error handling
	u, err := http.Parse(urlStr)
	if err != nil {
		return ""
	}
	return u.Host
}

func main() {
	r := mux.NewRouter()
	r.HandleFunc("/secure/redirect", safeRedirectHandler).Methods("GET")
	http.ListenAndServe(":8080", r)
}

This approach ensures that even with Basic Auth protecting the endpoint, the redirect target is constrained. For broader API security coverage across frameworks and runtimes, teams using the middleBrick web dashboard or the middlebrick CLI can automatically scan endpoints to detect open redirect patterns and other misconfigurations. The GitHub Action can enforce a security gate in CI/CD, while the MCP Server enables scanning directly from your IDE when working with routing logic.