Go-based apps are vulnerable to attack due to URL parsing issue

Israeli cloud-native application security testing company Oxeye has discovered that the way URL scanning is implemented in some Go-based applications creates vulnerabilities that could allow threat actors to carry out unauthorized actions.

Go, or Golang, is an open-source programming language designed to build reliable and efficient software at scale. Supported by Google, Go is operated by some of the world’s largest companies and is often used to develop cloud-native applications, including for Kubernetes.

Oxeye researchers conducted an analysis of Go-based cloud-native applications and discovered an edge case that could have serious implications.

The problem, which they dubbed ParseThru, is related to insecure URL scanning. Until version 1.17, Go considered semicolons in the query part of a URL to be a valid delimiter. Starting with this release, an error is thrown if the URL query contains a semicolon.

Oxeye researchers found that if a user-facing application is running on Go 1.17 or later and the associated backend service is running on an earlier version of Go, an attacker can contraband requests with query parameters that would normally be rejected.

The cybersecurity firm described the following theoretical attack scenario:

Researchers have identified several open source projects affected by this behavior. The list includes Skipper HTTP Router and Reverse Proxy for Service Composition, Traefik HTTP Reverse Proxy and Load Balancer, and porta CNCF project designed to secure artifacts and ensure container images are free of vulnerabilities and reliable.

Daniel Abeles, one of the Oxeye researchers who discovered the vulnerability, said safety week that in the case of Harbor, a malicious actor could read private and restricted Docker images that could not otherwise be accessed.

Oxeye reported its findings to the affected apps and their developers released fixes.

Application developers are advised to consider using other methods to parse query strings or ensure that queries containing a semicolon are rejected to prevent abuse.

Related: ‘Sysrv’ Botnet Targeting Recent Spring Cloud Gateway Vulnerability

Related: New Database Catalog Cloud Vulnerabilities, Security Concerns

Related: Vulnerability in Amazon Photos Android app exposed to user information

views counter

Edouard Kovacs (@EduardKovacs) is a SecurityWeek Contributing Editor. He worked as a high school computer teacher for two years before starting a career in journalism as a security reporter for Softpedia. Eduard holds a bachelor’s degree in industrial computing and a master’s degree in computer techniques applied to electrical engineering.

Previous columns by Eduard Kovacs:
Key words:

Comments are closed.