Xss Cross Site Scripting in Gorilla Mux with Basic Auth

Cross-site scripting (XSS) in a Gorilla Mux router combined with HTTP Basic Auth can arise when user-controlled data is reflected into HTML, JavaScript, or attribute contexts without proper encoding, and authentication state is communicated in ways that amplify impact. Gorilla Mux is a URL router and dispatcher; it does not automatically sanitize inputs or outputs, so developers must ensure context-aware escaping wherever dynamic values are rendered. When Basic Auth credentials are handled via request headers (e.g., Authorization: Basic base64(username:password)), the application may still leak account names or use them to personalize responses. If those values are later embedded into HTML (for example, a welcome message that includes the username extracted from the credentials), an attacker could supply a crafted username containing a script payload. Because Basic Auth is often used in internal or legacy services, pages may be served with a relaxed Content-Security-Policy or without the HttpOnly flag on cookies, making injected scripts more likely to execute in the victim’s browser.

Another vector specific to this combination occurs when error messages or debug output from Gorilla Mux handlers include path variables or query parameters that are not encoded. An attacker can provide a payload as a route parameter (e.g., /user/{name} with name=) and, if Basic Auth is required to reach that endpoint, the presence of authentication may encourage the developer to assume the context is safe, leading to insufficient output encoding. Moreover, if the application uses Basic Auth to gate an API that returns JSON and the frontend renders the data without escaping, reflected XSS can occur via JSONP or unsafe JavaScript evaluation. The scanner checks outlined in the product — including input validation and DOM-related rules — help detect places where untrusted data reaches HTML, script, or URL contexts, while LLM/AI Security probes can identify prompt or data leakage that might otherwise encourage unsafe handling of authenticated responses.

In practice, a realistic scenario is a dashboard served behind Basic Auth where the server embeds the decoded username into a JavaScript initialization object. If the username is not escaped for a JavaScript string context, an attacker who can influence the username (e.g., via directory traversal or an account they control) can execute script in the dashboard session. Because Gorilla Mux does not enforce encoding, the burden falls on the developer to apply context-specific escaping (HTML, CSS, URL, JS) and to enforce strict Content-Security-Policy directives. The scanner’s cross-referencing of OpenAPI specs with runtime findings can highlight mismatches where an endpoint declares safe behavior but runtime probes reflect unescaped user input, even when Basic Auth gates access.

Remediation centers on never trusting data derived from authentication headers or route parameters and ensuring context-aware escaping before rendering. Below are concrete, working examples for Gorilla Mux that demonstrate safe handling when Basic Auth is used.

package main

import (
    "encoding/base64"
    "fmt"
    "net/http"
    "strings"

    "github.com/gorilla/mux"
)

// decodeBasicAuth extracts username and password from the Authorization header.
// It returns empty strings if the header is missing or malformed.
func decodeBasicAuth(r *http.Request) (username, password string) {
    auth := r.Header.Get("Authorization")
    if auth == "" {
        return "", ""
    }
    const prefix = "Basic "
    if !strings.HasPrefix(auth, prefix) {
        return "", ""
    }
    payload, err := base64.StdEncoding.DecodeString(auth[len(prefix):])
    if err != nil {
        return "", ""
    }
    // credentials are in the form "username:password"
    parts := strings.SplitN(string(payload), ":", 2)
    if len(parts) != 2 {
        return "", ""
    }
    return parts[0], parts[1]
}

// safeHTML returns a simple HTML response with properly escaped data.
func safeHTML(w http.ResponseWriter, r *http.Request) {
    vars := mux.Vars(r)
    name := vars["name"]
    username, _ := decodeBasicAuth(r)

    // Context-aware escaping: escape for HTML body.
    safeName := html.EscapeString(name)
    safeUser := html.EscapeString(username)

    w.Header().Set("Content-Type", "text/html; charset=utf-8")
    fmt.Fprintf(w, "<html><body>Hello, %s! (user: %s)</body></html>", safeName, safeUser)
}

// jsonHandler returns JSON with values escaped for JavaScript when rendered in a browser.
// Do not embed untrusted strings directly into script tags; use JSON encoding and CSP.
func jsonHandler(w http.ResponseWriter, r *http.Request) {
    vars := mux.Vars(r)
    name := vars["name"]
    username, _ := decodeBasicAuth(r)

    w.Header().Set("Content-Type", "application/json; charset=utf-8")
    // Proper approach: serve JSON and let the frontend encode when inserting into DOM.
    resp := map[string]string{
        "name":   name,   // frontend must escape when using innerHTML
        "user":   username,
        "status": "ok",
    }
    // Using a standard encoder avoids manual concatenation errors.
    if err := json.NewEncoder(w).Encode(resp); err != nil {
        http.Error(w, "internal error", http.StatusInternalServerError)
    }
}

func main() {
    r := mux.NewRouter()
    // Example route with path variable; ensure escaping in all render paths.
    r.HandleFunc("/user/{name}", safeHTML).Methods("GET")
    r.HandleFunc("/api/user/{name}", jsonHandler).Methods("GET")

    http.ListenAndServe(":8080", r)
}

Key practices illustrated:

• Always decode and validate Basic Auth credentials and treat the username as untrusted input.
• Use html.EscapeString when inserting data into HTML text or attributes; use JSON serialization for JavaScript contexts and avoid inline event handlers or JavaScript evaluation of user data.
• Serve a strict Content-Security-Policy header to reduce the impact of any potential injection (e.g., Content-Security-Policy: default-src 'self'; script-src 'self').
• Do not rely on the presence of Basic Auth to imply safety; apply defense-in-depth by validating, sanitizing, and encoding based on output context.

These steps align with the scanner’s checks for input validation and data exposure, and they help ensure that even when authentication is required, reflected XSS risks are minimized through correct handling of user-controlled data.