# Credential Exfiltration via User-Controlled Endpoint

- ID: go-webhook-credential-exfiltration
- Severity: CRITICAL
- CWE: CWE-201
- Languages: Go
- Frameworks: stdlib, gin, echo, fiber, chi, gorilla

## Description

Detects when internal credentials (API keys, secrets, tokens) are sent in HTTP requests to user-controlled endpoints. This allows an attacker to exfiltrate server credentials by supplying a malicious webhook URL whose server records the sensitive headers or body data.

Example vulnerable pattern:

```go
// User controls 'endpoint' from the request
endpoint := r.FormValue("webhook_url")
// Server sends its internal API key to the attacker-controlled URL
req, _ := http.NewRequest("POST", endpoint, nil)
req.Header.Set("X-API-Key", os.Getenv("INTERNAL_API_KEY"))
client.Do(req)
```

This is different from standard SSRF (where the attacker uses the server to reach internal resources): here the attacker exfiltrates the server's own credentials to an endpoint they control.

## Detection Message

User input from {source} controls the destination of an HTTP request at {sink}. If credentials are included in the request headers or body, attackers can exfiltrate them by providing a malicious endpoint URL.

## Remediation

1. Never send internal credentials to user-controlled endpoints
2. Validate webhook URLs against a strict allowlist of trusted domains
3. Use webhook secrets for authentication instead of sending API keys

```go
allowedDomains := map[string]bool{
	"api.slack.com":    true,
	"hooks.stripe.com": true,
}
// Hostname() drops any port that Host would include, and requiring https
// keeps the webhook secret off the wire in plaintext
parsed, err := url.Parse(webhookURL)
if err != nil || parsed.Scheme != "https" || !allowedDomains[parsed.Hostname()] {
	return errors.New("untrusted webhook domain")
}
// Use a webhook-specific secret, not the internal API key
req, err := http.NewRequest("POST", webhookURL, body)
if err != nil {
	return err
}
req.Header.Set("X-Webhook-Secret", userWebhookSecret)
if _, err := client.Do(req); err != nil {
	return err
}
```

Learn more: https://shoulder.dev/learn/go/cwe-201/credential-exfiltration

## Related Rules

- **Credential Exfiltration via User-Controlled Endpoint** [CRITICAL]
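The three remediation steps above, carried through as an added example that is not part of the rule's own code: the URL is validated by scheme and normalised hostname, and the outbound request carries only an HMAC over the payload under a per-webhook secret, so no server credential is ever attached. The allowlist, header name and `signPayload` helper are assumptions for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"net/http"
	"net/url"
	"strings"
)

var allowedWebhookHosts = map[string]bool{"api.slack.com": true, "hooks.stripe.com": true} // constructed for this example

// validateWebhookURL accepts a user-supplied URL only if it is https and its hostname is
// allowlisted. Hostname() drops any port that Host would carry, and lowercasing plus
// trailing-dot removal normalises DNS-equivalent spellings before the lookup.
func validateWebhookURL(raw string) (*url.URL, error) {
	parsed, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	host := strings.TrimSuffix(strings.ToLower(parsed.Hostname()), ".")
	if parsed.Scheme != "https" || !allowedWebhookHosts[host] {
		return nil, errors.New("untrusted webhook URL")
	}
	return parsed, nil
}

// signPayload returns the hex HMAC-SHA256 of body under the per-webhook secret.
func signPayload(secret, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return hex.EncodeToString(mac.Sum(nil))
}

// buildWebhookRequest validates the destination before building the request and
// attaches only the signature header, never a server credential such as an API key.
func buildWebhookRequest(rawURL string, secret, body []byte) (*http.Request, error) {
	dest, err := validateWebhookURL(rawURL)
	if err != nil {
		return nil, err
	}
	req, err := http.NewRequest(http.MethodPost, dest.String(), strings.NewReader(string(body)))
	if err != nil {
		return nil, err
	}
	req.Header.Set("X-Webhook-Signature", signPayload(secret, body))
	return req, nil
}
```

Because `http.Client` follows redirects by default, pairing this with a `CheckRedirect` that refuses cross-host redirects keeps an allowlisted host from forwarding the request elsewhere.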