Llm Data Leakage in Echo Go with Bearer Tokens

When an Echo Go service exposes an unauthenticated or weakly protected LLM endpoint and also relies on Bearer Tokens for authorization, the combination can lead to LLM data leakage. In this scenario, an attacker may coax the backend into including sensitive authorization data—such as bearer tokens or other credentials—in prompts sent to an LLM, or they may directly probe the LLM to reveal training or runtime data that should remain private.

Echo Go APIs often use Bearer Tokens in HTTP Authorization headers to gate access to resources. If route handlers forward user-controlled inputs into LLM prompts without sanitization, tokens can be reflected or inadvertently included in the context. For example, a handler that builds a prompt like "User says: " + userInput while also attaching the Authorization header to an external service call may expose token values to the LLM if the input is not strictly validated. Similarly, if the service exposes an admin or introspection endpoint that returns token metadata (e.g., scopes, expiry) and that endpoint feeds data into an LLM response, leakage occurs.

The LLM/AI Security checks in middleBrick specifically look for system prompt leakage patterns that match ChatML, Llama 2, Mistral, and Alpaca formats, and for active prompt injection probes including system prompt extraction and data exfiltration. These checks can surface cases where an Echo Go endpoint allows an LLM to return or reflect Bearer Token values. Because Bearer Tokens are high-sensitivity credentials, their presence in LLM outputs or logs greatly increases the impact of a leak, potentially enabling token replay or lateral movement across services.

Additionally, if an Echo Go service provides an unauthenticated LLM endpoint, middleBrick’s unauthenticated LLM endpoint detection will flag it. Attackers can send crafted inputs designed to trick the service into echoing tokens or internal instructions back through the LLM, effectively turning the model into a data exfiltration channel. The risk is compounded when the service embeds authorization metadata in prompts, because the LLM may regurgitate that metadata in responses visible to untrusted clients.

In practice, this vulnerability manifests when developers do not separate authorization context from LLM context. For instance, an Echo Go route that reads authHeader.Get("Authorization") and concatenates it into a prompt like fmt.Sprintf("Authorization context: %s\nUser query: %s", authHeader, userQuery) creates a direct path for token leakage if the LLM response is returned to an attacker. middleBrick’s findings for such patterns include severity-ranked remediation guidance to ensure tokens are never part of prompt content and that LLM endpoints enforce strict input validation and scope separation.

To prevent LLM data leakage involving Bearer Tokens in Echo Go, you must ensure tokens never enter LLM prompts and that endpoints are appropriately guarded. Below are concrete, realistic code examples showing insecure patterns and their secure alternatives.

Insecure pattern: concatenating Authorization header into LLM prompts

// Insecure: token may leak into LLM prompt
func handler(c echo.Context) error {
    authHeader := c.Request().Header.Get("Authorization") // Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
    userInput := c.FormValue("query")
    prompt := fmt.Sprintf("Authorization context: %s\nUser query: %s", authHeader, userInput)
    llmResponse, err := callLLM(prompt)
    if err != nil {
        return err
    }
    return c.JSON(http.StatusOK, llmResponse)
}

Secure pattern: strip tokens from prompts and enforce scope checks

// Secure: keep tokens out of prompts, validate scope
func handler(c echo.Context) error {
    authHeader := c.Request().Header.Get("Authorization")
    if authHeader == "" {
        return echo.NewHTTPError(http.StatusUnauthorized, "missing authorization header")
    }
    // Parse and validate token without embedding it in prompts
    parts := strings.Split(authHeader, " ")
    if len(parts) != 2 || parts[0] != "Bearer" {
        return echo.NewHTTPError(http.StatusBadRequest, "invalid authorization header format")
    }
    token := parts[1]
    claims, err := validateToken(token) // your JWT validation logic
    if err != nil || !hasScope(claims, "assistant") {
        return echo.NewHTTPError(http.StatusForbidden, "insufficient scope")
    }
    // Use only user-controlled, sanitized input for the LLM prompt
    userInput := sanitizeInput(c.FormValue("query"))
    prompt := fmt.Sprintf("User query: %s", userInput)
    llmResponse, err := callLLM(prompt)
    if err != nil {
        return err
    }
    return c.JSON(http.StatusOK, llmResponse)
}

func sanitizeInput(input string) string {
    // Implement strict allowlist filtering relevant to your use case
    return strings.TrimSpace(input)
}

func validateToken(token string) (*Claims, error) {
    // Example using a JWT library; implement with your actual signing method
    return jwtParser.ParseToken(token)
}

func hasScope(claims *Claims, scope string) bool {
    for _, s := range claims.Scopes {
        if s == scope {
            return true
        }
    }
    return false
}

Additional protections include disabling or carefully scoping any introspection or admin endpoints that return token metadata, ensuring LLM endpoints require authentication where appropriate, and applying input validation that removes or rejects patterns resembling tokens. middleBrick’s CLI can be used to scan your Echo Go endpoints from the terminal with middlebrick scan <url>, while the Pro plan enables continuous monitoring and CI/CD integration to catch regressions early.