User Enumeration Vulnerability - Elixir

User Enumeration Vulnerability - Elixir

Need

Prevent attackers from enumerating valid usernames in the system

Context

  • Usage of Elixir (1.11 and above) for building scalable and fault-tolerant applications
  • Usage of Phoenix Framework (1.5 and above) for building web applications

Description

Non compliant code

        defmodule UserController do
  use MyAppWeb, :controller
  def login(conn, %{'username' => username, 'password' => password}) do
    case Accounts.get_user_by_username(username) do
      nil -> send_resp(conn, 400, "User does not exist")
      user ->
        if user.password == password,
          do: send_resp(conn, 200, "Logged in successfully")
          else: send_resp(conn, 400, "Wrong password")
        end
    end
  end
end
        
        

The above code is vulnerable to user enumeration. When a user tries to log in, the application responds differently depending on whether the provided username exists or not. If the username doesn't exist, it sends back a 'User does not exist' message. If the username exists but the password is wrong, it sends back a 'Wrong password' message. An attacker could use these differing responses to enumerate the existing users.

Steps

  • Change the server response to be the same for both existent and non-existent users.
  • Ensure that the response does not leak any information about the existence or non-existence of a user.

Compliant code

        defmodule UserController do
  use MyAppWeb, :controller
  def login(conn, %{'username' => username, 'password' => password}) do
    case Accounts.get_user_by_username(username) do
      nil -> send_resp(conn, 400, "Incorrect credentials")
      user ->
        if user.password == password,
          do: send_resp(conn, 200, "Logged in successfully")
          else: send_resp(conn, 400, "Incorrect credentials")
        end
    end
  end
end
        
        

In the secure code example, the server's response is the same ('Incorrect credentials') for both existent and non-existent users. This prevents an attacker from being able to enumerate the existing users based on the server's responses.

References