Uncontrolled External Site Redirect - Host Header Injection - Elixir

Uncontrolled External Site Redirect - Host Header Injection - Elixir

Need

Prevent malicious redirection and potential SSRF attacks

Context

  • Usage of Elixir for functional and concurrent programming
  • Usage of Plug.Conn for handling HTTP connections in Elixir
  • Usage of Plug.Conn for request handling

Description

Non compliant code

        defmodule VulnerableController do
  use MyApp.Web, :controller

  def redirect(conn, _params) do
    redirect_to = conn.host
    conn
    |> put_resp_header("location", redirect_to)
    |> send_resp(302, "")
  end
end
        
        

The following Elixir code is vulnerable because it uses the host from the conn object directly to construct a redirection URL. An attacker could provide a malicious host in the HTTP request's Host header to cause redirection to an external site or possibly exploit SSRF vulnerabilities.

Steps

  • Add a function to validate the host before using it for redirection.
  • Do not use the host from the incoming HTTP request directly for generating redirection responses. Instead, use a predefined and validated list of acceptable hosts or a fixed host configured in the application settings.
  • Use pattern matching or similar to ensure the host matches the expected format.

Compliant code

        defmodule SecureController do
  use MyApp.Web, :controller

  def redirect(conn, _params) do
    redirect_to = "https://secure.example.com"
    conn
    |> put_resp_header("location", redirect_to)
    |> send_resp(302, "")
  end
end
        
        

The following Elixir code is secure because it does not use the host from the conn object directly. Instead, it uses a predefined host for the redirection, preventing potential misuse of the Host header.

References