This is a creation in Article, where the information may have evolved or changed. IPV4 scan exposed ' net/http/pprof ' endpoint (endpoint) Original date: 2017/9/27go language [net/http/pprof] (https://golang.org/pkg/net/http/ pprof/) package is incredibly powerful, debugging a running production server with this functionality negligible, while in this debugging process it is easy to inadvertently expose debug information to the world. In this article, we use [Zmap Project] (HTTPS://GITHUB.COM/ZMAP) as an example to show a real problem in real life and explain the precautions you can take. > Earlier versions suggested that exposed endpoints could leak source code. [Aram Hăvărneanu pointed out the error] (https://github.com/golang/go/issues/22085#issuecomment-333166626), this article has been amended. # # Introduction through an ' import _ ' net/http/pprof ', you can add the analysis endpoint to the HTTP server. "' Gopackage mainimport (" FMT "" Log "" Net/http "_" net/http/pprof "//Here is Dragons) Func main () {http. Handlefunc ("/", Func (w http.) Responsewriter, R *http. Request) {fmt. fprintf (W, "Hello world!")}) Log. Fatal (http. Listenandserve (": 8080", nil)} "this service will not only say ' Hello world! ' to you, it will also return the diagnostic report through the URI path '/debug/pprof '. -'/debug/pprof/profile ': CPU status information for 30 seconds-'/debug/pprof/heap ': Heap information for memory-'/debug/pprof/goroutine?debug=1 ': stack trace of all the threads-'/ Debug/pprof/trace ': Execution of tracking information for example, if we use [Hey] (https://github.com/rakyll/hey) (Load test tool) to add some load to this service, while we look at the stack information, as follows ' shell$ wget-o trace.out http://localhost:8080/debug/pprof/trace$ go tool trace trace.out ' in seconds, We check the server with finer granularity! [] (Https://raw.githubusercontent.com/studygolang/gctt-images/master/pprof-showing/trace.png) This feature is important for tracking errors and performance issues that occur only in the production environment. However, the greater the privilege, the greater the responsibility. # # Open Pprof Service This mechanism is very simple, he only need an import! It can be import anywhere, even in the library you use. When you are excited to use it to track your co-leakage problem, you may forget to remove the debug portal afterwards. This leads to the problem: how many pprof services are exposed to the network? To answer this question, we can try to scan the server in IPv4 to open pprof. To limit the scope of the search, we can select some reasonable ports. -6060 Official documentation recommended-8080 often appear in the Getting Started tutorial-80 standard HTTP Port-443 HTTPS Port next let you down, because you received a warning email from the cloud server, so the author did not complete this search job. Although I can do the work in a more cunning way, I have enough evidence to convince myself that this problem is real. [Zmap Project] (HTTPS://GITHUB.COM/ZMAP) These types of scans can be performed with a single line of command "sh$ zmap-p 6060 | Zgrab--port 6060--http= "/debug/pprof/" "[Zmap] (HTTPS://GITHUB.COM/ZMAP/ZMAP) scan the IPv4 range to open a 6060 port service and invoke it, then ' banner Grabber ' 's [Zgrab] (Https://github.com/zmap/zgrab) collects the response results of the HTTP request ' Get/debug pprof ' and the problem. We can assume that a server with an arbitrary response of ' OK ' and a response body containing ' goroutine ' is hit. Here's what we found:-At least 69 IPs use ' pprof ' to open 6060 ports-ditto, at least 70IP turned on port 8080-before scanning port 80, [Google Cloud] (https://cloud.google.com/) suspected that my server had been hacked into a mining machine (mining cryptocurrency) and stopped my account. Okay, this "digging" section is a little weird, but stop. Now we know that there are a lot of machines on the public Internet to open the ' pprof ' service, which is what I stressed the problem. I sent a message to the server owner based on WHOIS information to report a problem. I have to say that the response from [Linode] (https://www.linode.com/) is very quick and positive. I would love to see more talented people complete this full-screen scan, and I suspect there are more servers on port 80 with 443 ports exposed to the PPROF service. # # Risk Security issues:-Show function name and file path-analyze data may reveal commercially sensitive information (for example, traffic to Web services)-analytics can degrade performance, add assists for DoS attacks # # Prevent farsight Security [warning this issue, and provide recommendations] (https ://www.farsightsecurity.com/2016/10/28/cmikk-go-remote-profiling/) > A simple and effective way is to place the Pprof HTTP server on a separate port on the local host , separate from the application HTTP server. In short, you need to schedule two HTTP servers. The common setting is-application services exposes 80 ports to the public network-the ' pprof ' service listens on local 6060 ports and is limited to local access native notation to build the main application without using the global HTTP method (using the Hide config ' http. Defaultservemux '), instead, start your pprof service in a standard way. "' go//Pprof server.go func () {log. Fatal (http. Listenandserve ("localhost:8081", Nil)} ()//Application Server.mux: = http. Newservemux () Mux. Handlefunc ("/", Func (w http.) Responsewriter, R *http. Request) {fmt. fprintf (W, "Hello world!")}) Log. Fatal (http. Listenandserve (": 8080",MUX) "If for any reason you need to be global ' http. Defaultservemux ' is used for your application server, you can switch it and then execute as usual. "' go//Save pprof handlers First.pprofmux: = http. Defaultservemuxhttp.defaultservemux = http. Newservemux ()//Pprof server.go func () {log. Fatal (http. Listenandserve ("localhost:8081", Pprofmux)} ()//Application Server.http.HandleFunc ("/", Func (w http.) Responsewriter, R *http. Request) {fmt. fprintf (W, "Hello world!")}) Log. Fatal (http. Listenandserve (": 8080", nil) "I encapsulated a [Professor package] (Https://github.com/mmcloughlin/professor), using it to use ' net/ Http/pprof ' package, and provides some convenient methods. "' go//Pprof server.professor.Launch (" localhost:8081 ")//Application Server.http.HandleFunc ("/", func (w http). Responsewriter, R *http. Request) {fmt. fprintf (W, "Hello world!")}) Log. Fatal (http. Listenandserve (": 8080", nil)) ' # # # conclusion ' Net/http/pprof ' is very powerful, but please do not let your debugging information be exposed to the world, follow the above precautions, you will be OK.
Via:http://mmcloughlin.com/posts/your-pprof-is-showing
Author: mmcloughlin Translator: Lightfish-zhang proofreading: polaris1119
This article by GCTT original compilation, go language Chinese network honor launches
This article was originally translated by GCTT and the Go Language Chinese network. Also want to join the ranks of translators, for open source to do some of their own contribution? Welcome to join Gctt!
Translation work and translations are published only for the purpose of learning and communication, translation work in accordance with the provisions of the CC-BY-NC-SA agreement, if our work has violated your interests, please contact us promptly.
Welcome to the CC-BY-NC-SA agreement, please mark and keep the original/translation link and author/translator information in the text.
The article only represents the author's knowledge and views, if there are different points of view, please line up downstairs to spit groove
432 reads ∙1 likes
