
Broken Authorization in Go Lang


Even though Go does not provide native solutions to this problem, third-party frameworks may offer dedicated approaches to implement robust access control mechanisms.

Vulnerable Example

As an example, consider a handler from the echo Go framework that performs some kind of action for authenticated users:

e := echo.New()
e.POST("/action/:id", ActionHandler, authenticationMiddleware)

The above ensures that ActionHandler can only be executed by authenticated users, but authentication alone is not enough. Proper authorization must also be enforced, otherwise any authenticated user can act on any resource simply by supplying its id, as in the following implementation:

func ActionHandler(c echo.Context) error {
    // The id comes straight from the URL and is fully attacker-controlled.
    id := c.Param("id")
    // The resource is loaded by id, but nobody checks that the caller may act on it.
    resource := getResourceBy(id)
    resource.Action()
    return c.String(http.StatusOK, "OK")
}

When implementing ActionHandler, developers should ensure that access control checks are performed on the specific resource being acted upon, for example by restricting access only to the owner of the resource:

func ActionHandler(c echo.Context) error {
    id := c.Param("id")
    resource := getResourceBy(id)

    // Object-level check: the identity established by the authentication
    // middleware must match the owner of this particular resource.
    // 403 is used rather than 401 because the caller is authenticated but not permitted.
    if resource.Owner() != getOwnerFromContext(c) {
        return c.String(http.StatusForbidden, "Action not authorized")
    }

    resource.Action()
    return c.String(http.StatusOK, "OK")
}
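The same owner check, carried through to a complete program so the behaviour can be exercised end to end. This is an added example, not code from SecureFlag or from the echo project: it uses only the Go standard library (net/http) instead of echo, and the Store, Resource, ActionAsOwner, requireAuth and the bearer-token table are all constructed for illustration. The point it adds to the snippets above is that the ownership test and the action live in one method, so no handler can reach the action without passing the check, and that the middleware resolves the caller identity server-side rather than trusting anything the client sends.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"log"
	"net/http"
	"strings"
	"sync"
)

// Resource is a constructed stand-in for the page's resource type.
type Resource struct {
	ID      string
	OwnerID string
	actions int // how many times the action has run on it
}

var (
	ErrNotFound  = errors.New("resource not found")
	ErrForbidden = errors.New("caller does not own this resource")
)

// Store is a constructed in-memory resource store seeded with two resources.
type Store struct {
	mu        sync.Mutex
	resources map[string]*Resource
}

func NewStore() *Store {
	return &Store{resources: map[string]*Resource{
		"r1": {ID: "r1", OwnerID: "alice"},
		"r2": {ID: "r2", OwnerID: "bob"},
	}}
}

// ActionAsOwner is the object-level authorization check the page describes:
// the resource is loaded by id and acted upon only if callerID owns it.
// Keeping the check and the action together means no caller path can
// reach the action without passing the ownership test.
func (s *Store) ActionAsOwner(callerID, resourceID string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	r, ok := s.resources[resourceID]
	if !ok {
		return ErrNotFound
	}
	if r.OwnerID != callerID {
		return ErrForbidden
	}
	r.actions++ // this stands in for resource.Action()
	return nil
}

// ActionCount reports how often a resource has been acted upon.
func (s *Store) ActionCount(resourceID string) int {
	s.mu.Lock()
	defer s.mu.Unlock()
	if r, ok := s.resources[resourceID]; ok {
		return r.actions
	}
	return 0
}

type ctxKey int

const userKey ctxKey = 0

// sessions is a constructed bearer-token table standing in for whatever the
// real authenticationMiddleware validates (signed tokens, a session store).
var sessions = map[string]string{
	"tok-alice": "alice",
	"tok-bob":   "bob",
}

// requireAuth plays the role of authenticationMiddleware: it resolves the
// caller identity from a server-side table and stores it in the context,
// which is what getOwnerFromContext relies on in the page's handler.
func requireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		user, ok := sessions[tok]
		if !ok {
			http.Error(w, "authentication required", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), userKey, user)))
	})
}

// NewServer wires POST /action/{id} to the owner-checked action.
func NewServer(store *Store) http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/action/", requireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		id := strings.TrimPrefix(r.URL.Path, "/action/") // attacker-controlled, like c.Param("id")
		caller, _ := r.Context().Value(userKey).(string)
		switch err := store.ActionAsOwner(caller, id); {
		case errors.Is(err, ErrNotFound):
			http.Error(w, "not found", http.StatusNotFound)
		case errors.Is(err, ErrForbidden):
			// 403, not 401: the caller is authenticated but not permitted on this object.
			http.Error(w, "action not authorized", http.StatusForbidden)
		case err != nil:
			http.Error(w, "internal error", http.StatusInternalServerError)
		default:
			fmt.Fprint(w, "OK")
		}
	})))
	return mux
}

func main() {
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", NewServer(NewStore())))
}
```

Run it and issue `curl -X POST -H 'Authorization: Bearer tok-alice' http://127.0.0.1:8080/action/r2`: the request is authenticated, yet it is refused with 403 because r2 belongs to bob, which is exactly the case the unchecked handler above would have let through.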

References

MITRE - CWE 285 - Improper Authorization

OWASP Top 10:2021 - Broken Access Control

OWASP - Authorization Cheat Sheet