Go Insecure Http Server
Description
Identifies when Go applications are configured to use plain HTTP servers without TLS/HTTPS encryption. This creates a security risk since data transmitted between clients and the server is not encrypted and can be intercepted by attackers.
Detection Strategy
• Check if the application imports any HTTP server related packages
• Look for specific function calls that create or start HTTP servers without TLS configuration
• Analyze server initialization code to confirm the use of insecure HTTP methods like ListenAndServe() instead of secure alternatives like ListenAndServeTLS()
• Verify that the identified server configuration does not have TLS enabled through other means
Vulnerable code example
package main

import (
	"net/http"

	"github.com/gin-gonic/gin"
)

// VULNERABLE: Server starts in plaintext HTTP without TLS...

✅ Secure code example
package main

import (
	"log"
	"net/http"

	"github.com/gin-gonic/gin"
)

func main() {...
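As an added example that is not from the original page or from Fluid Attacks, the pattern the secure variant points at, written against the standard library only (no gin) so it runs stand-alone: the content server is built with an explicit TLS configuration and started with ListenAndServeTLS, while the only thing left on the plaintext port is a redirect to HTTPS. Function names, the 8080/8443 ports and the cert.pem/key.pem file names are assumptions for illustration.

```go
package main

import (
	"crypto/tls"
	"log"
	"net"
	"net/http"
	"time"
)

// newHardenedServer builds an http.Server that only negotiates TLS 1.2 or
// newer and has request timeouts set, so it is never started as a bare
// plaintext listener by accident.
func newHardenedServer(addr string, h http.Handler) *http.Server {
	return &http.Server{
		Addr:              addr,
		Handler:           h,
		TLSConfig:         &tls.Config{MinVersion: tls.VersionTLS12},
		ReadHeaderTimeout: 5 * time.Second,
		ReadTimeout:       10 * time.Second,
		WriteTimeout:      10 * time.Second,
		IdleTimeout:       60 * time.Second,
	}
}

// redirectToHTTPS is the only handler the plaintext port should serve: it
// sends every request to the HTTPS origin (default port) and never returns
// application content over HTTP.
func redirectToHTTPS(w http.ResponseWriter, r *http.Request) {
	host := r.Host
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h // drop the :8080 so the redirect lands on the TLS listener
	}
	http.Redirect(w, r, "https://"+host+r.URL.RequestURI(), http.StatusMovedPermanently)
}

// tlsEnforced mirrors the rule's last detection step: a server counts as
// TLS-enabled only when it carries a TLS config with a modern minimum version.
func tlsEnforced(s *http.Server) bool {
	return s.TLSConfig != nil && s.TLSConfig.MinVersion >= tls.VersionTLS12
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("hello over TLS\n"))
	})
	srv := newHardenedServer(":8443", mux)
	// Plaintext port only redirects; real content is served by ListenAndServeTLS.
	go func() { log.Fatal(http.ListenAndServe(":8080", http.HandlerFunc(redirectToHTTPS))) }()
	// cert.pem / key.pem are placeholder paths (assumption), not from the page.
	log.Fatal(srv.ListenAndServeTLS("cert.pem", "key.pem"))
}
```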