Ssrf in Chi with Basic Auth

Server-Side Request Forgery (SSRF) in Chi when endpoints are protected with HTTP Basic Auth can create a misleading sense of security while still exposing internal resources. Chi is a lightweight HTTP router for Go, and it is commonly used to define routes and middleware. When an endpoint uses Basic Auth, developers may assume that internal network calls made by the server are also protected, but SSRF arises from the server’s ability to initiate requests to arbitrary URLs based on attacker-controlled input.

In a Chi-based service, an SSRF vulnerability can occur if a handler accepts a URL parameter and uses an HTTP client to fetch that URL without validation. Even when the target endpoint requires Basic Auth, the server-side code typically includes the credentials in the request. An attacker who cannot directly reach the Basic Auth-protected endpoint might trick the server into making the request on their behalf, effectively bypassing the need to know or supply the credentials. The server becomes an SSRF proxy, and internal services that rely on network segmentation may be exposed because the server is trusted from within the network.

Chi itself does not enforce any network egress policies; it simply provides routing and middleware hooks. If a developer builds an endpoint like /fetch that takes a url query parameter and uses http.Get or a custom client with embedded credentials, an attacker can supply an internal address such as http://169.254.169.254/latest/meta-data/ (cloud metadata) or http://redis:6379 (internal database). The Basic Auth credentials supplied by the server are sent automatically to the target, and the attacker can enumerate internal services via error messages, response timing, or response content. OpenAPI/Swagger analysis performed by a scanner like middleBrick can help detect such risky endpoint definitions by correlating spec definitions with runtime behavior, highlighting parameters that are passed to outbound HTTP calls without strict allowlists.

An example of a vulnerable Chi route is one that forwards requests to a user-supplied host and includes Basic Auth headers unconditionally. If the route is defined without validating the destination, the Basic Auth credentials are used for any outbound request, which can lead to credential exposure in logs or to unintended internal endpoints. middleBrick’s checks for SSRF and Inventory Management can identify whether outbound calls are made based on unchecked input and whether credentials are managed securely. Even when authentication is enforced on the inbound route, the server-side call may lack the same restrictions, creating a path for attackers to pivot within the infrastructure.

Additionally, certain frameworks and HTTP clients may follow redirects automatically, which can cause the Basic Auth credentials to be sent to a different domain if the attacker controls the redirect chain. In Chi, developers must ensure that the HTTP client’s redirect policy is restricted and that the target host is validated against an allowlist. The presence of Basic Auth does not mitigate SSRF; it simply means that if SSRF exists, the attacker may be able to authenticate to internal services on the server’s behalf. Proper input validation, network segmentation, and avoiding the use of server-side credentials for arbitrary user-supplied URLs are essential to reduce the attack surface.

To remediate SSRF in Chi when using Basic Auth, you should avoid using server-side credentials for requests to user-supplied URLs and strictly validate all outbound targets. Below are concrete code examples that demonstrate secure patterns.

First, use a whitelist of allowed hosts for any outbound request. Do not forward requests to arbitrary URLs. Here is an example of a Chi route that validates the host before making an HTTP call:

allowedHosts := map[string]bool{
    "api.example.com": true,
    "internal.service": true,
}

r.Get("/fetch", func(c chi.Context) {
    target := c.URLParam("url")
    parsed, err := url.Parse(target)
    if err != nil {
        http.Error(c.Writer, "invalid url", http.StatusBadRequest)
        return
    }
    if !allowedHosts[parsed.Host] {
        http.Error(c.Writer, "host not allowed", http.StatusForbidden)
        return
    }

    req, _ := http.NewRequest("GET", target, nil)
    req.SetBasicAuth("user", "password")
    resp, err := http.DefaultClient.Do(req)
    if err != nil {
        http.Error(c.Writer, "request failed", http.StatusInternalServerError)
        return
    }
    defer resp.Body.Close()
    // handle response
})

Second, avoid embedding credentials in code and instead use environment variables with strict access controls. If credentials must be used for outbound calls, ensure they are scoped to the minimal required permissions and are not reused across services.

Third, disable automatic redirects and enforce strict transport settings:

client := &http.Client{
    CheckRedirect: func(req *http.Request, via []*http.Request) error {
        return http.ErrUseLastResponse
    },
    Transport: &http.Transport{
        TLSClientConfig: &tls.Config{
            MinVersion: tls.VersionTLS12,
        },
    },
}

req, _ := http.NewRequest("GET", target, nil)
req.SetBasicAuth(os.Getenv("BASIC_USER"), os.Getenv("BASIC_PASS"))
resp, err := client.Do(req)

Fourth, if you must accept a target URL, use an allowlist of URL prefixes instead of hostnames alone, and sanitize any path or query components that could lead to SSRF. Do not rely on Basic Auth to protect the server-side call; treat it as an additional layer for the target service, not as a mitigation for SSRF.

Finally, integrate middleBrick into your workflow to continuously scan your Chi endpoints for SSRF and related misconfigurations. The CLI tool can be used in scripts to validate configurations, and the GitHub Action can fail builds if insecure patterns are detected. Using the MCP Server, you can also scan APIs directly from your IDE while developing, helping you catch risky outbound calls early.