HIGH ssrf server sideecho goapi keys

Ssrf Server Side in Echo Go with Api Keys

Scan for ssrf server side in echo go

Ssrf Server Side in Echo Go with Api Keys — how this specific combination creates or exposes the vulnerability

Server-side request forgery (SSRF) in an Echo Go service that uses API keys can arise when user-supplied input is used to build HTTP requests, and those requests include static or dynamically injected API keys for downstream authentication. If an attacker can control the target URL and the code does not validate or restrict the destination host, the server can be forced to make internal calls that expose metadata services or internal endpoints, while the API key may be inadvertently included in outbound headers or query parameters. This combination expands the impact because the API key may grant additional permissions that the attacker can leverage through the SSRF vector.

For example, suppose an Echo Go handler accepts a URL query parameter target and forwards a request to that URL, adding an Authorization header containing an API key intended only for a specific external service. If no strict allowlist is applied to target, an attacker can point the handler to http://169.254.169.254/latest/meta-data/iam/security-credentials/ on a cloud provider instance, causing the server to make a request that includes the API key in headers. The SSRF path now reaches an internal metadata service, and the leaked API key can be exfiltrated via the SSRF response or captured in logs. This pattern is often seen when integrations rely on outbound HTTP clients without network-level controls, and the API key is treated as a static credential rather than being scoped to specific, verified endpoints.

Another scenario involves webhook or callback URLs where an attacker provides a malicious endpoint under their control. The Echo Go service makes an outbound request to the supplied URL, including the API key in headers or a bearer token. The SSRF here is less about reaching internal infrastructure and more about tricking the service into relaying authenticated requests to a hostile endpoint, effectively proxying the API key through the server. This can bypass IP-based restrictions on the downstream service and may enable replay or credential harvesting if responses are not carefully inspected.

In practice, SSRF in this context is not just about reaching internal IPs; it is about how API keys are attached to outbound requests and whether those keys are exposed to user-influenced destinations. Because Echo Go does not inherently restrict outbound connections, developers must enforce strict destination validation and avoid including sensitive credentials in requests that traverse user-controlled paths. The API key should be used only for verified, fixed endpoints or injected at a layer that does not depend on untrusted input, and network controls should prevent the server from reaching sensitive internal addresses.

Api Keys-Specific Remediation in Echo Go — concrete code fixes

To mitigate SSRF when using API keys in Echo Go, ensure that any user-supplied URL is strictly validated against an allowlist of permitted hosts and schemes before being used in an outbound HTTP request. Do not concatenate or directly forward user input into the request target. Instead, resolve and verify the URL using standard library functions, and configure the HTTP client to prevent redirects to internal or unexpected destinations.

// Example: safe request forwarding in Echo Go with API key usage
package main

import (
	"context"
	"errors"
	"net"
	"net/http"
	"net/url"
	"strings"

	"github.com/labstack/echo/v4"
)

var allowedHosts = map[string]bool{
	"api.external.com": true,
	"data.service.net":  true,
}

var apiKey = "your-static-api-key" // Prefer environment or secret manager

func safeForward(c echo.Context) error {
	target := c.QueryParam("target")
	if target == "" {
		return echo.NewHTTPError(http.StatusBadRequest, "target parameter is required")
	}

	parsed, err := url.Parse(target)
	if err != nil {
		return echo.NewHTTPError(http.StatusBadRequest, "invalid target URL")
	}

	// Validate host against an allowlist
	if !allowedHosts[parsed.Host] {
		return echo.NewHTTPError(http.StatusBadRequest, "host not allowed")
	}

	// Ensure scheme is HTTPS to protect the API key in transit
	if parsed.Scheme != "https" {
		return echo.NewHTTPError(http.StatusBadRequest, "only HTTPS targets are allowed")
	}

	// Prevent unexpected behaviors with hosts containing ports
	host, _, err := net.SplitHostPort(parsed.Host)
	if err != nil {
		host = parsed.Host
	}
	if net.ParseIP(host) != nil {
		// Optionally block private IPs explicitly
		if ip := net.ParseIP(host); ip != nil && (ip.IsPrivate() || ip.IsLoopback() || ip.IsLinkMulticast()) {
			return echo.NewHTTPError(http.StatusBadRequest, "private IP addresses are not allowed")
		}
	}

	req, err := http.NewRequestWithContext(c.Request().Context(), http.MethodGet, parsed.String(), nil)
	if err != nil {
		return echo.NewHTTPError(http.StatusInternalServerError, "failed to create request")
	}

	// Attach API key only to verified external endpoints
	req.Header.Set("Authorization", "Bearer "+apiKey)
	req.Header.Set("X-Request-ID", c.Request().Header.Get("X-Request-ID"))

	client := &http.Client{
		// Disable redirects to avoid SSRF via open redirects
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}

	resp, err := client.Do(req)
	if err != nil {
		return echo.NewHTTPError(http.StatusBadGateway, "failed to reach target")
	}
	defer resp.Body.Close()

	if resp.StatusCode != http.StatusOK {
		return echo.NewHTTPError(resp.StatusCode, "target returned non-200 status")
	}

	// Forward or process response safely, avoiding reflection of raw input
	return c.Blob(http.StatusOK, "application/octet-stream", nil) // placeholder
}

Key remediation points:

  • Use an explicit allowlist for hosts rather than a blocklist; this prevents bypass via subdomains or encoded IPs.
  • Enforce HTTPS to protect API keys in transit and avoid downgrade attacks.
  • Disable HTTP redirects in the client to prevent SSRF via open redirects or chained requests to internal addresses.
  • Avoid including API keys in requests to user-controlled endpoints; if the API key must be used, ensure the destination is verified before adding the header.
  • Sanitize and validate the URL using url.Parse and additional checks for IP literals and private ranges before making the request.

When using the CLI (middlebrick scan <url>) or the GitHub Action to monitor API security, ensure that any API key–protected endpoints are whitelisted in your pipeline checks so that findings related to insecure forwarding are surfaced early.

Scan for ssrf server side in echo go Free API security scan

Frequently Asked Questions

Can SSRF be exploited when API keys are stored as environment variables in Echo Go?
Yes. If user-controlled input influences the target URL and the server makes authenticated outbound requests, an SSRF vulnerability can expose the server's ability to use the API key, regardless of whether the key is stored in environment variables. The key is leaked via the request made by the server, not via the environment itself.
Does middleBrick detect SSRF involving API keys in outbound requests?
middleBrick runs 12 security checks in parallel, including SSRF and authentication checks, and it tests unauthenticated attack surfaces. While it identifies SSRF-related findings and provides remediation guidance, it does not fix or block requests; it reports what it detects so you can apply fixes such as host allowlisting and secure handling of API keys.

Related Pages

Ssrf Server Side in Echo GoLearn how SSRF vulnerabilities manifest in Echo Go applications, how to detect them with middleBrick scanning, and impleSsrf Server Side with Api KeysSSRF with API keys: attack patterns, detection, and remediation. Learn how leaked credentials amplify SSRF risks and howSsrf Server Side in Echo Go on GcpExplore SSRF server-side in Echo Go on GCP, understand the risks, and apply GCP-specific remediation with concrete code Ssrf Server Side in Echo Go on KubernetesSSRF server-side in Echo Go on Kubernetes: causes, Kubernetes-specific risks, and concrete Go code fixes with allowlistsSsrf Server Side in Echo Go on AwsUnderstand SSRF server-side in Echo Go on AWS and apply concrete Go fixes for URL validation and AWS SDK configuration.Ssrf Server Side in Echo Go on FirebaseSSRF server-side in Echo Go with Firebase: causes, risks, and hardening patterns including input validation and safe FirOwasp Api Top 10: Ssrf Server Side in Echo GoExplore SSRF in OWASP API Top 10 specific to Echo Go, with secure code examples and remediation guidance.Hipaa: Ssrf Server Side in Echo GoExplore HIPAA risks from SSRF in Echo Go APIs, with concrete remediation code examples and how middleBrick detects and rGdpr: Ssrf Server Side in Echo GoUnderstand how SSRF in Echo Go can expose GDPR-sensitive data and apply concrete Echo Go code fixes to restrict destinatNist: Ssrf Server Side in Echo GoNIST-aligned SSRF guidance for Echo Go services, with concrete remediation code and how middleBrick detects SSRF withoutSsrf Server Side in Echo Go with DynamodbExplore SSRF server-side in Echo Go with DynamoDB: how the combo exposes credentials, and concrete remediation with valiSsrf Server Side in Echo Go with CockroachdbExplore SSRF in Echo Go with CockroachDB, understand how this combination exposes risks, and apply concrete remediation