Phishing Api Keys in Fiber with Cockroachdb

When a Fiber application connects to a CockroachDB backend, mishandling API keys can expose the system to phishing-style attacks even though no user credentials are involved. The risk arises when API keys or database credentials are embedded in JavaScript bundles, client‑side configuration, or logs that an attacker can read or manipulate.

Consider a scenario where a Fiber route renders a page and injects a CockroachDB connection string or an API key into HTML or a JSON response. If the route does not validate or sanitize the data, an attacker can hook into error messages, reflection endpoints, or open‑redirect flows to harvest the key. For example, an unauthenticated endpoint that echoes configuration for debugging might return the database URL, giving an attacker the exact string needed to phish downstream services.

Because middleBrick scans the unauthenticated attack surface, it can detect whether API‑key‑like strings appear in responses, whether authentication is missing on routes that expose configuration, and whether input validation is weak around identifiers that could lead to IDOR‑type leakage. In a Fiber + CockroachDB stack, the database driver typically receives the connection URI at startup; if that URI is dynamically constructed from user input or reflected without validation, the effective attack surface grows. A compromised or leaked key enables an attacker to run SQL statements directly against CockroachDB, bypassing application‑level controls.

During a scan, middleBrick’s checks for Data Exposure and Unsafe Consumption are especially relevant. Data Exposure can identify responses that contain database connection strings or key‑like patterns. Unsafe Consumption checks whether external input is safely handled before being used in database queries, which helps catch concatenation patterns that could lead to injection or phishing. The LLM/AI Security checks also look for system prompt leakage and prompt injection attempts, which can be relevant if the API exposes model endpoints that interact with CockroachDB and inadvertently reveal key material in error messages or logs.

In practice, you can reduce risk by ensuring that all configuration, including CockroachDB connection URIs, remain on the server side and are never echoed to the client. Use environment variables, restrict debug endpoints, and validate all inputs that influence query construction. middleBrick can highlight routes that expose sensitive strings and provide prioritized findings with remediation guidance so you can adjust code and rotate keys safely.

To secure a Fiber app that uses CockroachDB, keep credentials out of client‑facing code and enforce strict input validation. Below are concrete, realistic examples you can apply immediately.

1. Keep connection configuration server‑side

Do not construct or echo the CockroachDB URI from request parameters. Instead, read it from environment variables at startup and pass the driver a static URI.

// server.js
const { app } = require('express')(); // Fiber uses similar patterns
const { Pool } = require('pg'); // CockroachDB speaks PostgreSQL wire protocol

const pool = new Pool({
  connectionString: process.env.COCKROACHDB_URL,
  ssl: {
    rejectUnauthorized: true
  }
});

// Unsafe: never do this
// app.get('/debug', (req, res) => res.json({ dbUrl: process.env.COCKROACHDB_URL }));

app.get('/users/:id', async (req, res) {
  const client = await pool.connect();
  try {
    const result = await client.query('SELECT id, name FROM users WHERE id = $1', [req.params.id]);
    res.json(result.rows);
  } finally {
    client.release();
  }
});

2. Validate and sanitize all inputs that influence queries

Even when using parameterized queries, validate IDs and paths to reduce the risk of injection or information leakage. With CockroachDB, always use placeholders ($1, $2) and never concatenate user input into SQL strings.

const validateId = (value) => /^[0-9]+$/.test(value);

app.get('/account/:accountId', async (req, res) => {
  if (!validateId(req.params.accountId)) {
    return res.status(400).send('Invalid account ID');
  }
  const client = await pool.connect();
  try {
    const result = await client.query('SELECT account_id, owner FROM accounts WHERE account_id = $1', [req.params.accountId]);
    if (result.rows.length === 0) {
      return res.status(404).send('Not found');
    }
    res.json(result.rows[0]);
  } finally {
    client.release();
  }
});

3. Restrict debug and configuration endpoints

Remove or protect endpoints that could disclose connection details. If you need a health route, ensure it returns minimal information and does not expose environment variables or stack traces.

app.get('/healthz', (req, res) => {
  res.status(200).send('ok');
});

// Avoid exposing routes like:
// app.get('/config', (req, res) => res.json({ env: process.env }));

4. Rotate keys and monitor findings

If middleBrick detects exposure of key‑like strings, rotate your CockroachDB credentials and update environment variables. Use the CLI to re‑scan and confirm that sensitive strings no longer appear in responses.

# Example CLI usage
middlebrick scan https://your-api.example.com

By following these patterns, you reduce the phishing surface and ensure that CockroachDB credentials are handled securely within a Fiber application. middleBrick findings can guide you to remaining risks specific to your endpoints.