Hidden Fields Manipulation - Elixir

Hidden Fields Manipulation - Elixir

Need

To prevent users from manipulating hidden fields in the application that could lead to undesired behaviors

Context

  • Usage of Elixir (v1.11+) for building scalable and fault-tolerant applications
  • Usage of Phoenix Framework for building web applications

Description

Non compliant code

        def update(conn, %{"user" => user_params}) do
  user = Repo.get!(User, user_params["id"])
  case Accounts.update_user(user, user_params) do
    {:ok, user} -> redirect(conn, to: user_path(conn, :show, user))
    {:error, _changeset} -> :error
  end
end
        
        

This code snippet is vulnerable because it accepts all the parameters from the client-side, including the id field. An attacker could manipulate this id field in a hidden form input, thus potentially altering data they do not have access to.

Steps

  • Do not expose sensitive information such as the user id to the client side.
  • Always validate the user input at the server side, never trust user input blindly.
  • Enforce authorization checks to ensure that the user is allowed to perform the action.

Compliant code

        def update(conn, %{"user" => user_params}) do
  user = Accounts.get_user!(conn.assigns.current_user.id)
  case Accounts.update_user(user, user_params) do
    {:ok, user} -> redirect(conn, to: user_path(conn, :show, user))
    {:error, _changeset} -> :error
  end
end
        
        

In this secure version, instead of getting the user's id from the client-side, it's obtained from the server-side using the authenticated user's session. This prevents attackers from manipulating the id field.

References