Request Smuggling in Echo Go
How Request Smuggling Manifests in Echo Go
Request smuggling in Echo Go typically occurs when the framework's HTTP request parsing collides with intermediary proxies or load balancers that interpret content-length and transfer-encoding headers differently. Echo Go's echo.Context structure processes incoming requests through its built-in HTTP server, but when multiple content-length headers are present or when transfer-encoding headers are malformed, the framework can become confused about where one request ends and another begins.
The most common manifestation involves sending requests with conflicting Content-Length headers. For example, a request might include both Content-Length: 5 and Content-Length: 10 headers. Echo Go's default HTTP server, which wraps Go's standard net/http library, will typically use the first Content-Length header it encounters, while upstream proxies might use the last one. This discrepancy creates an opportunity for smuggling attacks.
Another Echo Go-specific pattern involves the framework's handling of chunked transfer encoding. When a request contains both Content-Length and Transfer-Encoding: chunked headers, Echo Go may process the chunked data but fail to properly validate the content length, allowing attackers to append additional requests that the framework interprets as part of the original payload.
Echo Go's middleware chain can also be exploited. Since middleware processes requests sequentially, a smuggled request that appears as part of the body to Echo Go's router might be processed by an earlier middleware as a separate HTTP request. This is particularly problematic with authentication middleware, where a smuggled request could bypass security checks entirely.
Consider this vulnerable Echo Go endpoint:
func main() {
e := echo.New()
e.POST("/api/upload", func(c echo.Context) error {
file, err := c.FormFile("file")
if err != nil {
return err
}
// Process file upload
return c.JSON(http.StatusOK, map[string]string{
"status": "uploaded",
})
})
e.Start(":8080")
}
This endpoint is vulnerable because Echo Go's form file parsing doesn't validate that the Content-Length header matches the actual payload size when multiple headers are present. An attacker could send:
POST /api/upload HTTP/1.1
Host: localhost:8080
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary
Content-Length: 5
Content-Length: 15
-----WebKitFormBoundary
Content-Disposition: form-data; name="file"; filename="test.txt"
12345
------WebKitFormBoundary--
POST /api/secret HTTP/1.1
Host: localhost:8080
Content-Type: application/json
Content-Length: 27
{"action":"delete_all"}
The first request's Content-Length: 5 tells Echo Go to read only 5 bytes, but the actual body contains more data. The remaining bytes, including the second POST request, are left in the connection buffer and processed as part of the next request, potentially bypassing authentication.
Echo Go-Specific Detection
Detecting request smuggling in Echo Go applications requires both manual testing and automated scanning. The Echo framework's default configuration doesn't provide built-in protections against smuggling, so detection must focus on identifying vulnerable patterns in the code and testing the runtime behavior.
Manual detection starts with examining Echo Go handlers that process multipart form data, file uploads, or any content where the framework parses the request body. Look for handlers that use c.FormFile(), c.MultipartForm(), or c.Bind() without validating Content-Length headers. The vulnerability often appears in endpoints that accept file uploads, JSON payloads with large objects, or any endpoint where the request body size isn't strictly validated against the Content-Length header.
Automated detection with middleBrick can identify Echo Go-specific smuggling vulnerabilities by sending malformed requests that test the framework's header parsing logic. The scanner sends requests with multiple Content-Length headers, mixed Content-Length and Transfer-Encoding headers, and requests with Content-Length headers that don't match the actual payload size. For Echo Go applications, middleBrick specifically tests the framework's form file parsing and JSON binding functions, which are common attack vectors.
Here's how middleBrick detects Echo Go smuggling vulnerabilities:
# Scan an Echo Go API endpoint
middlebrick scan https://yourechoapi.com/api/upload
# The scanner tests:
# 1. Multiple Content-Length headers
# 2. Content-Length + Transfer-Encoding: chunked
# 3. Mismatched Content-Length values
# 4. Large payloads with small Content-Length headers
# 5. Malformed transfer encoding
middleBrick's LLM/AI security module also tests for smuggling vulnerabilities in Echo Go applications that use AI features. If your Echo Go API includes endpoints for AI model interactions, the scanner tests for system prompt leakage and prompt injection that could be combined with smuggling attacks to extract sensitive data.
During runtime testing, use tools like netcat or curl to send crafted requests:
curl -X POST http://localhost:8080/api/upload \
-H "Content-Type: application/x-www-form-urlencoded" \
-H "Content-Length: 5" \
-H "Content-Length: 15" \
-d "data=12345&extra=678"
Monitor the server logs and responses to identify inconsistent behavior. If the server processes the request differently based on which Content-Length header it uses, or if subsequent requests are affected, you've identified a smuggling vulnerability.
Echo Go's debug logging can help detect smuggling attempts. Enable debug mode during testing:
e := echo.New()
log := logrus.New()
log.SetLevel(logrus.DebugLevel)
e.Logger = &echo.Logger{log}
This logging will show you how Echo Go parses incoming requests and can reveal when the framework receives malformed headers or unexpected payload sizes.
Echo Go-Specific Remediation
Remediating request smuggling in Echo Go requires a multi-layered approach that addresses both the framework's configuration and the application's request handling logic. The most effective solution combines Echo Go's built-in validation features with custom middleware that enforces strict HTTP header parsing.
First, configure Echo Go to use strict HTTP parsing. Echo Go's HTTP server inherits Go's default behavior, which can be modified to reject malformed requests:
func main() {
e := echo.New()
// Create a custom HTTP server with strict settings
server := &http.Server{
ReadTimeout: 10 * time.Second,
WriteTimeout: 10 * time.Second,
MaxHeaderBytes: 1 << 20, // 1MB max header size
}
// Use Echo's middleware to validate Content-Length
e.Use(validateContentLength)
e.POST("/api/upload", func(c echo.Context) error {
// Strict form file parsing with size limits
if err := c.Request().ParseMultipartForm(10 << 20); err != nil {
return echo.NewHTTPError(http.StatusBadRequest, "Invalid form data")
}
file, err := c.FormFile("file")
if err != nil {
return echo.NewHTTPError(http.StatusBadRequest, "File upload error")
}
// Additional validation
if file.Size > 5<<20 { // 5MB max file size
return echo.NewHTTPError(http.StatusRequestEntityTooLarge, "File too large")
}
return c.JSON(http.StatusOK, map[string]string{
"status": "uploaded",
})
})
e.StartServer(server)
}
// Custom middleware to validate Content-Length headers
func validateContentLength(next echo.HandlerFunc) echo.HandlerFunc {
return func(c echo.Context) error {
req := c.Request()
// Check for multiple Content-Length headers
contentLength := req.Header["Content-Length"]
if len(contentLength) > 1 {
return echo.NewHTTPError(http.StatusBadRequest, "Multiple Content-Length headers not allowed")
}
// Validate Content-Length matches actual body size for non-chunked requests
if req.Header.Get("Transfer-Encoding") == "" {
declaredLength, err := strconv.Atoi(contentLength[0])
if err != nil {
return echo.NewHTTPError(http.StatusBadRequest, "Invalid Content-Length")
}
// This is a simplified check - in production you'd need to read and verify
// the actual body size matches the declared length
}
return next(c)
}
}
The key remediation steps are:
- Reject multiple Content-Length headers - The custom middleware checks for and rejects requests with multiple Content-Length headers, which is the most common smuggling vector.
- Validate Content-Length values - Ensure the Content-Length header is a valid integer and matches the actual payload size for non-chunked requests.
- Set strict timeouts - Configure ReadTimeout and WriteTimeout to prevent slowloris-style attacks that can be combined with smuggling.
- Limit header sizes - Use MaxHeaderBytes to prevent oversized headers that might contain smuggling payloads.
- Validate file uploads - Always validate file sizes and types when using FormFile or MultipartForm parsing.
For Echo Go applications that use JSON APIs extensively, add content-type validation:
e.Use(func(next echo.HandlerFunc) echo.HandlerFunc {
return func(c echo.Context) error {
if c.Request().Header.Get("Content-Type") == "application/json" {
// For JSON requests, validate that Content-Length matches JSON payload
// This prevents smuggling attacks that embed additional requests in JSON bodies
}
return next(c)
}
})
Additionally, consider using Echo Go's context binding with strict validation:
type UploadRequest struct {
File *multipart.FileHeader `form:"file" validate:"required"`
Description string `form:"description" validate:"max=500"`
}
// In your handler:
var req UploadRequest
if err := c.Bind(&req); err != nil {
return echo.NewHTTPError(http.StatusBadRequest, "Invalid request format")
}
// Use a validation library to validate the struct
if err := validate.Struct(req); err != nil {
return echo.NewHTTPError(http.StatusBadRequest, "Validation failed")
}
This approach ensures that Echo Go properly validates all incoming request parameters and rejects malformed requests before they can be processed, effectively preventing request smuggling attacks.