Sensitive Information Sent Insecurely - Elixir

Sensitive Information Sent Insecurely - Elixir

Need

Secure transfer of sensitive data

Context

  • Usage of Elixir (1.10 and above) for building scalable and fault-tolerant applications
  • Usage of Phoenix web framework for building scalable and fault-tolerant web applications

Description

Non compliant code

        def login(conn, %{"username" => username, "password" => password}) do
  redirect(conn, to: "/home?username=#{username}&password=#{password}")
end
        
        

In the insecure code example, the server sends sensitive information (user credentials) as GET parameters. These parameters are included in the URL and can be easily intercepted by malicious parties. This puts the user's credentials at risk of being compromised.

Steps

  • Instead of sending sensitive information as GET parameters, send them as POST parameters.
  • Update the routes and the form to use the POST method instead of GET.
  • Modify the function to accept POST parameters instead of GET parameters.
  • Test the changes to make sure everything works as expected.

Compliant code

        def login(conn, %{"username" => username, "password" => password}) do
  # store the username and password in the session
  conn
  |> put_session(:username, username)
  |> put_session(:password, password)
  |> redirect(to: "/home")
end
        
        

In the secure code example, sensitive information (user credentials) is stored in the session instead of being sent as GET parameters. This prevents the sensitive information from being included in the URL and therefore reduces the risk of it being intercepted by malicious parties.

References