Xss Cross Site Scripting in Fiber with Hmac Signatures

Cross-site scripting (XSS) in a Fiber application becomes more nuanced when HMAC signatures are used to bind requests to a trusted origin. XSS typically arises when untrusted data is reflected into HTML, JavaScript, or URL contexts without proper escaping. In Fiber, developers sometimes place data into query parameters, headers, or cookie values and then verify an HMAC to confirm the data originated from a trusted source. If the HMAC is computed only over trusted metadata (e.g., a user identifier or a timestamp) and does not include the user-controlled portion, an attacker can inject malicious payloads that pass verification and are later rendered unsafely by the server or a client-side component.

Consider a scenario where an endpoint builds a redirect or a signed token using HMAC, and the application embeds user input directly into the signed payload or into the response without context-aware escaping. Even though the signature validates integrity, it does not prevent the signed data itself from containing reflected scripts if the server later outputs that data into a script context, an event handler, or an attribute without escaping. For example, if a query parameter like redirectUrl is included in the HMAC computation but not validated for safe URL semantics, an attacker might supply redirectUrl=javascript:alert(1) or a URL with an injected <script> in a fragment that the server places into an HTML page. The HMAC will verify because the attacker’s input was part of the signed material, yet the output context is unsafe, leading to stored or reflected XSS.

Another specific pattern involves server-side rendering in Fiber templates where a developer signs a portion of the model to prevent tampering but forgets to HTML-escape values when interpolating them. HMAC signatures ensure that the signed fields have not been altered, but they do not enforce encoding rules. An attacker might exploit a profile page where the username is signed and then rendered via a template like {{.Username}}. Without proper escaping, a username such as <img src=x onerror=steal()> would execute in the browser of any viewer, despite the signature being valid. This shows how XSS emerges not from a broken HMAC, but from a mismatch between integrity checks and output encoding based on the final rendering context.

To reduce XSS risk while using HMAC signatures in Fiber, ensure that you (1) include all user-controlled data in the signature so that tampering is detected, and (2) apply context-specific escaping before any rendering or redirection. Do not rely on the signature alone to neutralize malicious input; treat HMAC as an integrity layer, not an encoding layer.

Below are concrete, realistic examples for a Fiber route that signs a redirect target and for a template that renders user data. These snippets use the standard crypto/hmac and crypto/sha256 packages and assume you are working with Go templates for rendering.

First, a safe signed redirect where the target URL is validated and encoded before use:

import (
    "crypto/hmac"
    "crypto/sha256"
    "encoding/base64"
    "net/url"
    "strings"
)

func isValidRedirect(target string, secret []byte, signature string) bool {
    // Normalize and restrict scheme/host as appropriate
    parsed, err := url.Parse(target)
    if err != nil || (parsed.Scheme != "https" && parsed.Scheme != "http") {
        return false
    }
    // Optionally restrict hosts to a known allowlist
    allowedHosts := map[string]bool{"example.com": true, "app.example.com": true}
    if !allowedHosts[parsed.Host] {
        return false
    }
    return true
}

func signData(data string, secret []byte) string {
    mac := hmac.New(sha256.New, secret)
    mac.Write([]byte(data))
    return base64.URLEncoding.EncodeToString(mac.Sum(nil))
}

// Usage in a handler
func redirectHandler(c *fiber.Ctx) error {
    secret := []byte("your-256-bit-secret")
    rawTarget := c.Query("url")
    providedSig := c.Query("sig")

    if !isValidRedirect(rawTarget, secret, providedSig) {
        return c.Status(fiber.StatusBadRequest).SendString("invalid target")
    }

    expectedSig := signData(rawTarget, secret)
    if !hmac.Equal([]byte(expectedSig), []byte(providedSig)) {
        return c.Status(fiber.StatusForbidden).SendString("invalid signature")
    }

    // Safe: validated and canonical URL; still use net/url for escaping when building HTML
    safeURL := url.QueryEscape(rawTarget)
    c.Set("Content-Security-Policy", "default-src 'none'")
    return c.Redirect(rawTarget, fiber.StatusFound)
}

Second, a template example that signs a user profile payload and renders data with proper escaping:

import (
    "crypto/hmac"
    "crypto/sha256"
    "encoding/hex"
    "html/template"
    "net/http"
)

type ProfileData struct {
    Username       template.HTML // escaped by context-aware template.HTML when set correctly
    PublicBio      template.HTML
    Signature      string
    SigningPayload string
}

func makeProfile(username, bio, secret string) ProfileData {
    payload := username + "|" + bio
    mac := hmac.New(sha256.New, []byte(secret))
    mac.Write([]byte(payload))
    sig := hex.EncodeToString(mac.Sum(nil))

    // Use template.HTML only after escaping for the intended context; here we rely on explicit escaping
    // to avoid XSS when the template author uses {{.Username}} inside text content.
    return ProfileData{
        Username:       template.HTMLEscapeString(username),
        PublicBio:      template.HTMLEscapeString(bio),
        Signature:      sig,
        SigningPayload: payload,
    }
}

func profileHandler(w http.ResponseWriter, r *http.Request) {
    // Example static secret; in practice use secure configuration/key management
    secret := "server-secret-key"
    username := r.URL.Query().Get("user")
    bio := r.URL.Query().Get("bio")

    data := makeProfile(username, bio, secret)
    tmpl := template.Must(template.New("profile").Parse(`
        <div>User: {{.Username}}</div>
        <div>Bio: {{.PublicBio}}</div>
        <div>Payload: {{.SigningPayload}}</div>
        <div>Sig: {{.Signature}}</div>
    `))
    tmpl.Execute(w, data)
}

Key takeaways: include user input in the HMAC so tampering is detected, validate and normalize values (e.g., URLs, hostnames), and apply context-aware escaping (HTML, attribute, URL) before rendering. HMAC ensures integrity; escaping ensures that even when input is included in the signed material, it cannot break out of its rendering context and execute as script.