Go web application binary disclosure - Vulnerability Database

Go web application binary disclosure

Description

A Go web application binary file is directly accessible and downloadable from the web server. This exposure typically occurs due to web server misconfiguration where the server serves the compiled Go executable instead of executing it, or when the binary is placed within the web root directory without proper access controls.

Remediation

Take the following steps to remediate this vulnerability:

1. Immediate Action: Remove the Go binary file from the web-accessible directory or restrict access using web server configuration rules.

2. Web Server Configuration: Configure your web server to deny access to binary files. For Nginx, add the following to your server block:

location ~ \.(exe|bin|elf)$ {
    deny all;
    return 404;
}

For Apache, add to your .htaccess or virtual host configuration:
<FilesMatch "\.(exe|bin|elf)$">
    Require all denied
</FilesMatch>

3. Proper Deployment: Store the Go binary outside the web root directory and use a reverse proxy or process manager (such as systemd, supervisord, or PM2) to run the application as a service.

4. Verification: After implementing fixes, verify that the binary is no longer accessible by attempting to download it directly. Review all web-accessible directories to ensure no other sensitive files are exposed.
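The procedure above relies on an extension-based deny rule, but Go binaries built for Linux usually have no file extension at all, so a review of the web root has to look at file contents rather than names. The following script is an added example (it is not part of the Invicti page or its products): it walks a directory tree, classifies files by their executable magic bytes, flags likely Go builds, and includes the post-fix status check from step 4. The `curl` probe and the example URL path are assumptions.

```shell
#!/bin/sh
# Added example, not from the Invicti page: find executables under a web root by
# their magic bytes. Linux Go binaries usually have no extension, so they slip
# past an extension-based rule such as \.(exe|bin|elf)$ and need a content check.

# First four bytes of a file as lowercase hex, e.g. 7f454c46 for ELF.
magic_hex() {
    head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Classify by magic: elf, pe, macho, or an empty string for non-executables.
exec_kind() {
    case "$(magic_hex "$1")" in
        7f454c46) echo elf ;;                                  # ELF (Linux, BSD)
        4d5a*)    echo pe ;;                                   # "MZ" PE header (Windows)
        cffaedfe|cefaedfe|feedface|feedfacf|cafebabe) echo macho ;;  # Mach-O, fat
        *)        echo "" ;;
    esac
}

# Heuristic: binaries built by the Go toolchain carry "Go build" markers
# (the build ID note and the buildinfo section).
is_go_binary() {
    grep -q -a "Go build" "$1" 2>/dev/null
}

# Print "<kind>[,go] <path>" for every executable found below the web root.
# An empty result means no compiled binary is sitting in a served directory.
scan_webroot() {
    find "$1" -type f | while IFS= read -r f; do
        kind=$(exec_kind "$f")
        [ -n "$kind" ] || continue
        is_go_binary "$f" && kind="$kind,go"
        printf '%s %s\n' "$kind" "$f"
    done
}

# Verification after the fix (step 4): any 2xx status means the binary is still
# served; 403/404 from the deny rule or a removed file is the expected outcome.
status_ok() {
    case "$1" in
        2??) return 1 ;;
        *)   return 0 ;;
    esac
}

# Probe a URL such as https://<host>/app (hypothetical path) with curl.
probe_url() {
    status_ok "$(curl -s -o /dev/null -w '%{http_code}' "$1")"
}
```

Run `scan_webroot /var/www/html` (path assumed) before and after remediation; `probe_url` needs network access and is meant for the live check, not the offline scan.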
