Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Go

How to mitigate SSRF vulnerabilities in Go

Securing HTTP requests is crucial when developing Go applications to prevent vulnerabilities like Server-Side Request Forgery (SSRF). SSRF occurs when an attacker manipulates a server to make unintended requests, potentially accessing internal services or sensitive data. We will explore how to secure HTTP requests by employing URL parsing and validation techniques, and provide example code to fortify the http.Get HTTP GET request handler.

Understanding command injection vulnerabilities in Go

Go developers might need to use system commands for various scenarios, such as image manipulation, where they need to process or resize images or execute system commands to manage resources or gather metrics or logs. At other times, perhaps you are building a new system in Go that needs to interface with existing legacy systems. This interface leans on executing system commands and processing their output.

CherryLoader: A New Go-based Loader Discovered in Recent Intrusions

Arctic Wolf Labs has been tracking two recent intrusions where threat actors leveraged a new Go-based malware downloader we are calling “CherryLoader” that allowed them to swap exploits without recompiling code. The loader’s icon and name masqueraded as the legitimate CherryTree note taking application to trick the victims.

Secure password hashing in Go

User credentials are the information required to authenticate a user's identity and grant them access to a system or application. Typically, this includes a username or email address and a password. While a username can be stored as plaintext in a database, sensitive information like email addresses or passwords should not. If a malicious actor gains access to your database where you store this information, you don't want to hand over this information to them easily.

Improvements in Go Fuzzing (Golang 1.19)

Golang was the first programming language to support fuzzing as a first-class experience in version 1.18. This made it really easy for developers to write fuzz tests. Golang 1.14 introduced native compiler instrumentation for libFuzzer, which enables the use of libFuzzer to fuzz Go code. libFuzzer is one of the most advanced and widely used fuzzing engines and provides the most effective method for Golang Fuzzing.

CVE-2022-24675 - Stack overflow (exhaustion) in Go's PEM decoder

A few days ago it was reported that the new Go versions 1.18.1 and 1.17.9 contain fixes for a stack overflow vulnerability in the encoding/pem builtin package, in the Decode function. Given the high popularity of Go among our customers and in the industry at large, this update led us to investigate the vulnerability in previous versions.

Best practices for containerizing Go applications with Docker

Containerization describes the creation of a self-contained computing environment that runs on a host machine and any operating system (OS) with an available container runtime engine. Built from an image, a container holds an app and the filesystem alongside configurations, dependencies, binaries, and other specifications needed to run it successfully. Containers are typically much smaller than virtual machines and run in the host’s OS rather than containing OSs themselves.

How to set up a Private, Remote and Virtual Go Registry

The simplest way to manage and organize your Go dependencies is with a Go Repository. You need reliable, secure, consistent and efficient access to your dependencies that are shared across your team, in a central location. Including a place to set up multiple registries, that work transparently with the Go client. With the JFrog free cloud subscription, including JFrog Artifactory, Xray and Pipelines, you can set up a free local, remote and virtual Go Registry in minutes.