Cross Site Request Forgery in Echo Go with Hmac Signatures

Cross-Site Request Forgery (CSRF) occurs when an authenticated user is tricked into executing unwanted actions on a web application. In Echo Go, using Hmac Signatures for request authentication can inadvertently create or expose a CSRF vulnerability if the Hmac is computed or verified in a way that still allows a malicious site to forge valid requests.

When Hmac Signatures are used but the server-side verification does not enforce strict origin and referer checks, or if the Hmac is derived from data that an attacker can partially predict or influence, a CSRF attack becomes feasible. For example, if the Hmac is calculated from a combination of HTTP method, path, and a shared secret but does not include a per-request nonce or a strict anti-CSRF token tied to the user’s session, an attacker can craft a request with a valid Hmac using the user’s credentials. This can happen when the client-side code embeds the shared secret or allows the Hmac to be computed in an environment the attacker can influence, such as JavaScript running in the browser.

Consider an Echo Go handler that expects an X-API-Signature header computed as Hmac-SHA256 of the request method, path, and body using a shared secret. If the endpoint accepts state-changing methods like POST from any origin and only validates the Hmac without verifying the request origin, an attacker can trick a logged-in user into submitting a forged POST request from a malicious site. The browser will include cookies (including session identifiers) with the request, and if the Hmac validation does not require a synchronized anti-CSRF token, the server may treat the forged request as legitimate.

A concrete scenario: a banking API endpoint in Echo Go uses Hmac Signatures to authenticate requests from a mobile app. The Hmac is computed from the HTTP method, URL path, timestamp, and a shared secret stored in the app’s client-side code. An attacker builds a page that sends a POST to the transfer endpoint with a valid timestamp and a forged amount. The attacker uses the stolen shared secret (or a leaked client-side key) to generate a valid Hmac. Because the server only checks the Hmac and does not validate the Origin header or require a cryptographically random CSRF token per session, the request is processed, leading to unauthorized fund transfers.

To map this to the OWASP API Top 10, this pattern aligns with API1:2023 Broken Object Level Authorization when CSRF leads to unauthorized actions, and it intersects with authentication weaknesses when Hmac is mishandled. Inadequate enforcement of same-site cookies and missing anti-CSRF tokens in combination with Hmac-based authentication significantly increases the risk of successful CSRF attacks.

Remediation focuses on ensuring Hmac validation is tightly coupled with anti-CSRF protections and strict request metadata checks. The server must require a per-request anti-CSRF token in a header, validate the Origin and Referer headers, and ensure the Hmac covers a nonce or timestamp bound to the user session.

Below is a concrete, secure example of Hmac verification in Echo Go that mitigates CSRF. It includes a per-request CSRF token, Origin/Referer checks, and Hmac that incorporates a server-side nonce stored in the session.

import (
    "crypto/hmac"
    "crypto/sha256"
    "encoding/hex"
    "net/http"
    "strings"
)

func verifyHmac(next echo.HandlerFunc) echo.HandlerFunc {
    return func(c echo.Context) error {
        // Expected headers
        signature := c.Request().Header.Get("X-API-Signature")
        csrfToken := c.Request().Header.Get("X-CSRF-Token")
        origin := c.Request().Header.Get("Origin")
        referer := c.Request().Header.Get("Referer")

        // Basic origin/referer validation
        if origin == "" || !strings.HasPrefix(origin, "https://trusted.example.com") {
            return c.NoContent(http.StatusForbidden)
        }
        if referer == "" || !strings.HasPrefix(referer, "https://trusted.example.com") {
            return c.NoContent(http.StatusForbidden)
        }

        // Retrieve session-bound nonce (stored server-side in session)
        session := c.Get("session")
        // Assume session is a map with nonce
        sessMap, ok := session.(map[string]interface{})
        if !ok {
            return c.NoContent(http.StatusInternalServerError)
        }
        nonce, hasNonce := sessMap["nonce"].(string)
        if !hasNonce {
            return c.NoContent(http.StatusUnauthorized)
        }

        // Recompute Hmac over method, path, nonce, and raw body
        bodyBytes, _ := io.ReadAll(c.Request().Body)
        c.Request().Body = io.NopCloser(bytes.NewBuffer(bodyBytes)) // reset for downstream handlers
        mac := hmac.New(sha256.New, []byte("server-shared-secret"))
        mac.Write([]byte(c.Request().Method))
        mac.Write([]byte(c.Request().URL.Path))
        mac.Write([]byte(nonce))
        mac.Write(bodyBytes)
        expected := hex.EncodeToString(mac.Sum(nil))

        // Constant-time compare
        if !hmac.Equal([]byte(expected), []byte(signature)) {
            return c.NoContent(http.StatusUnauthorized)
        }

        // Validate CSRF token (must match session-bound token)
        expectedCSRF := sessMap["csrfToken"].(string)
        if !hmac.Equal([]byte(expectedCSRF), []byte(csrfToken)) {
            return c.NoContent(http.StatusForbidden)
        }

        return next(c)
    }
}

On the client side (e.g., mobile app or SPA), the CSRF token must be obtained from a separate, same-site cookie or an initial handshake endpoint that sets it in a secure, HttpOnly cookie. The client then includes this token in X-CSRF-Token for state-changing requests. The Hmac is computed with the same shared secret and the server-side nonce, ensuring that even if an attacker can trick the user’s browser into making a request, they cannot forge a valid Hmac without the nonce and cannot pass the CSRF token check.

For continuous monitoring and compliance, using the middleBrick CLI to scan your Echo Go endpoints can help detect missing CSRF protections and Hmac misconfigurations. You can run: middlebrick scan <your-api-url> to get a security risk score and findings. If you integrate into your development workflow, the middlebrick GitHub Action can fail builds when the score drops below your threshold, and the middlebrick MCP Server allows scanning APIs directly from your AI coding assistant within the IDE.