Man In The Middle in Gin with Cockroachdb

A Man In The Middle (MitM) attack against a Gin service using CockroachDB occurs when an attacker intercepts or alters traffic between the application and the database. Because CockroachDB supports secure connections with TLS, failure to enforce strict TLS settings in the Gin HTTP stack and database driver allows an on-path attacker to observe or modify credentials, query results, or session tokens.

In this stack, the Gin router typically opens an HTTPS port and opens a SQL connection pool to CockroachDB. If the server does not require verified certificates (e.g., using sslmode=disable or sslmode=allow), an attacker can terminate or inject traffic. Similarly, if the Gin app does not validate the server name in the TLS handshake, a certificate presented by an attacker’s proxy may be accepted. Sensitive data such as authentication tokens, user identifiers, or PII flowing in SQL queries or HTTP responses can then be captured or altered. Common attack patterns include intercepting traffic on shared networks, compromising a proxy, or exploiting weak routing to inject malicious certificates.

Operational practices also affect risk. For example, storing database credentials in environment variables that are exposed in logs or failing to rotate TLS certificates increases the likelihood of interception. Because CockroachDB uses a distributed SQL layer, an attacker who compromises one node or connection may attempt to pivot across the cluster if client connections lack encryption and identity verification. The Gin layer may inadvertently trust unverified database responses, leading to insecure data handling or SSRF-like exposures when redirecting or logging database metadata.

To detect this class of issue, scans check whether TLS is required for CockroachDB connections, whether server names are validated, and whether sensitive endpoints in Gin leak database metadata in error messages or logs. These checks map to the Encryption and Data Exposure security categories, highlighting gaps in transport security and information handling.

Remediation focuses on enforcing TLS for CockroachDB and ensuring Gin does not expose database details. Use strong sslmode=verify-full with certificate validation, avoid insecure defaults, and ensure the Gin application validates the database server identity.

The following example shows a secure Gin setup with a CockroachDB connection string and TLS configuration. It uses standard PostgreSQL driver parameters compatible with CockroachDB and demonstrates how to load a CA certificate to verify the server.

// File: main.go
package main

import (
    "database/sql"
    "fmt"
    "log"
    "net/http"
    "os"

    "github.com/gin-gonic/gin"
    _ "github.com/lib/pq"
)

func main() {
    // Enforce TLS verification with the CockroachDB CA.
    connStr := "host=cockroachdb.example.com port=26257 " +
        "user=appuser password=SecurePass123 " +
        "dbname=appdb sslmode=verify-full " +
        "sslrootcert=/certs/ca.crt " +
        "sslcert=/certs/client.crt " +
        "sslkey=/certs/client.key"

    db, err := sql.Open("postgres", connStr)
    if err != nil {
        log.Fatalf("failed to open database: %v", err)
    }
    defer db.Close()

    if err := db.Ping(); err != nil {
        log.Fatalf("failed to connect to CockroachDB: %v", err)
    }

    r := gin.Default()

    r.GET("/user/:id", func(c *gin.Context) {
        id := c.Param("id")
        var username string
        // Use parameterized queries to avoid injection and ensure query integrity.
        row := db.QueryRow("SELECT username FROM users WHERE id = $1", id)
        if err := row.Scan(&username); err != nil {
            // Avoid exposing DB internals; return generic error.
            c.JSON(http.StatusInternalServerError, gin.H{"error": "service unavailable"})
            return
        }
        c.JSON(http.StatusOK, gin.H{"username": username})
    })

    // Serve securely with TLS using certificates separate from CockroachDB.
    if err := r.RunTLS(":8443", "/certs/server.crt", "/certs/server.key"); err != nil {
        log.Fatalf("server failed: %v", err)
    }
}

Key points in this configuration:

• sslmode=verify-full ensures the client verifies the CockroachDB server certificate and hostname, preventing MitM where an attacker presents a mismatched certificate.
• Separate TLS termination for Gin (application layer) and CockroachDB (database layer) avoids confusion and ensures each hop is encrypted.
• Loading CA and client certificates from secure file paths prevents accidental use of insecure settings.
• Parameterized queries protect against injection, which complements transport security by ensuring data integrity within SQL commands.

In production, rotate certificates regularly and restrict file permissions on certificate stores. Use environment variables for secrets when necessary, but avoid logging them. If you use the middleBrick CLI (middlebrick scan <url>) or GitHub Action, these configurations will be evaluated under Encryption and Data Exposure checks, and findings will include specific remediation guidance.