Protect Go Application

Instructions to protect Go application with K2 Platform

Overview

In this section, we outline the steps for protecting your first Go application with the K2 Platform.

Prerequisites

Core Features: SQLI, FILE_ACCESS, CMDI, SSRF,NOSQLI(mongo),JS,XPATH,XSS,LDAP

Package-specific features(list of packages listed):

RCEval* (need to find evaluate package),XXE(golang clients don't support execution)

GRPC support.

Packages	K2 imports needed	Supported & Tested versions	K2 releases
golang core net os system database/sql	k2secure	1.14 1.15 1.16
SQL database drivers used with database/sql golang core : GitHub - go-sql-driver/mysql: Go MySQL Driver is a MySQL driver for Go's (golang) database/sql package GitHub - mattn/go-sqlite3: sqlite3 driver for go using database/sql
ldap github.com/go-ldap/ldap/v3 github.com/go-ldap/ldap/v2 TBD	k2secure_ldap	v3
mongo-driver go.mongodb.org/mongo-driver/mongo	k2secure_mongo
xpath https://github.com/antchfx/xpath	k2secure_xpath
xquery GitHub - antchfx/xmlquery: xmlquery is Golang XPath package for XML query.	k2secure_xquery
gokogiri - xpath GitHub - moovweb/gokogiri: A light libxml wrapper for Go	?
xmlpath https://gopkg.in/xmlpath.v2	?
gorilla/mux GitHub - gorilla/mux: A powerful HTTP router and URL matcher for building Go web servers with 🦍
gin web framework GitHub - gin-gonic/gin: Gin is a HTTP web framework written in Go (Golang). It features a Martini-like API with much better performance -- up to 40 times faster. If you need smashing performance, get yourself some Gin.
beego REST APIs GitHub - astaxie/beego: beego is an open-source, high-performance web framework for the Go programming language.
echo REST APIs GitHub - labstack/echo: High performance, minimalist Go web framework
go-kit web framework GitHub - go-kit/kit: A standard library for microservices.
fasthttp GitHub - valyala/fasthttp: Fast HTTP package for Go. Tuned for high performance. Zero memory allocations in hot paths. Up to 10x faster than net/http
httprouter GitHub - julienschmidt/httprouter: A high performance HTTP request router that scales well
revel web framework GitHub - revel/revel: A high productivity, full-stack web framework for the Go language.
web.go GitHub - hoisie/web: The easiest way to create web applications with Go
Goji framework GitHub - zenazn/goji: Goji is a minimalistic web framework for Golang that's high in antioxidants.
Negroni GitHub - urfave/negroni: Idiomatic HTTP Middleware for Golang
syscall/JS = Javascript WASM (experimental in GoLang) https://golang.org/pkg/syscall/js/
Otto - Javascript interpreter GitHub - robertkrimen/otto: A JavaScript interpreter in Go (golang)	k2secure_otto
v8 in Go GitHub - augustoroman/v8: A Go API for the V8 javascript engine.	k2secure_v8
GRPC GitHub - grpc/grpc-go: The Go language implementation of gRPC. HTTP/2 based RPC	k2secure_grpc

Supported Frameworks

Framework	Supported	Remark
gin	Supported	Used net/http hooks
beego	Supported	Used net/http hooks
kit	Supported	Used net/http hooks
echo	Supported	Used net/http hooks
fasthttp	Not Supposed
mux	Supported	A powerful HTTP router and URL matcher for building Go web servers Not a web server
fiber	Not Supposed	Build over fasthttp
kratos
httprouter	Supported	A high performance HTTP request router that scales well Not a web server
revel	Supported	Used net/http hooks
martini	Supported	No longer maintained Classy web framework for Go
go-zero
micro
chi	Supported	lightweight, idiomatic and composable router for building Go HTTP services Not a web server
go-swagger
buffalo	Supported	Rapid Web Development w/ Go Not a web server
gf
ponzu
goa
go-restful
go-json-rest
gizmo
macaron
armor
web
dotweb
rest-layer
goyave
goji
tango
aah
gearbox
traffic
yoyogo
neo
gramework
aegis
webgo
gorouter
copper
gorest

Steps

Step 1 : K2 Portal and Account Creation

We need to make sure In order to use K2 Platform You need to create an account on K2 Portal.

K2 Portal can be used as SaaS model or you can deploy entire portal on your On-Premises.

K2 SaaS(Recommended)

K2 Platform is offered as SaaS software and can be used directly visiting SaaS portal i.e. https://k2io.net or if you are an AWS customer then you can buy subscription to K2 SaaS portal on AWS Marketplace.

K2 Portal As SaaS

K2 OnPremise

At this point you have successfully created an account with K2 Portal

Step 2 : K2 Agents Installation

Install K2 Agent in your environment to perform CVE Scan and Vulnerability Detection in your applications.

Choose the environment from tabs below and follow the instructions for agent installation.

Node/VM/EC2

Checkout our K2 Agents Installation Page for Node/VM/EC2

Node/VM/EC2

Kubernetes

AWS ECS/Fargate

AWS EKS

Windows

Step 3 : Protect Go Web Application

‌To protect your Go web applications and APIs, your application must be started with K2's Go Language Agent.

Please choose your environment and go through K2's Go language agent installation from below tabs and follow instructions

Node/VM/EC2

Check out our Go Language Agent Installation Page for Node/VM/EC2

Node/VM/EC2

Step 4 : Attacking and Preventing first Attack

For demonstration purposes we are creating a docker container with vulnerable application and running it with our already downloaded K2 Go language agent.

docker run -itd -p 8084:8084 --name k2-go-vulernable-app k2cyber/test_application:syscall-go

‌SQL Injection Attack

curl 'http://localhost:8084/sqltest1?input=%27+or+%271%27%3D%271'

Now you can go to Attacks section in K2 Manager and see there will be one attack captured by K2 Manager or Alternatively go to Attacks | K2 Portal.

Congratulations you've successfully prevented SQL injection attack.

What Next ?

if you are interested in looking at various genres of attacks prevented by K2 platform, Checkout below page

Run Demo Exploits