Security Controls Bypass or Absence - Elixir

Need

Prevent denial of service or system overloading by limiting request rate

Context

  • Usage of Elixir for building scalable and fault-tolerant applications
  • Usage of Plug Cowboy for building web applications with Elixir
  • Handling high incoming requests
  • Usage of API abuse detection and prevention techniques

Description

Non-compliant code

    defmodule MyApp.Router do
      use Plug.Router

      plug :match
      plug :dispatch

      get "/" do
        send_resp(conn, 200, "Hello, world!")
      end

      match _ do
        send_resp(conn, 404, "Oops, not found!")
      end
    end

This Elixir code is vulnerable because it exposes an API endpoint without any rate limiting: nothing in the plug pipeline counts or throttles requests, so a single host can send an unlimited number of requests and exhaust the server's capacity.

Steps

  • Add a rate-limiting package, such as 'plug_attack', to the project's dependencies.
  • Configure the rate limit rules (requests allowed per period, keyed by client) for 'plug_attack', and plug the rule module into the router before routing.

Compliant code

    defmodule MyApp.PlugAttack do
      use PlugAttack

      # Throttle each client IP to 100 requests per 60-second window.
      # Counters are kept in an ETS table owned by PlugAttack.Storage.Ets,
      # which must be started in the application's supervision tree:
      #   {PlugAttack.Storage.Ets, name: MyApp.PlugAttack.Storage, clean_period: 60_000}
      rule "throttle by ip", conn do
        throttle conn.remote_ip,
          period: 60_000,
          limit: 100,
          storage: {PlugAttack.Storage.Ets, MyApp.PlugAttack.Storage}
      end
    end

    defmodule MyApp.Router do
      use Plug.Router

      # Run the throttling rules before routing so over-limit requests are
      # halted before they reach any handler.
      plug MyApp.PlugAttack

      plug :match
      plug :dispatch

      get "/" do
        send_resp(conn, 200, "Hello, world!")
      end

      match _ do
        send_resp(conn, 404, "Oops, not found!")
      end
    end

This Elixir code is safe because it includes 'plug_attack' for rate limiting. The router plugs a rule module whose throttle rule limits requests to 100 per minute from a single IP address; once that limit is reached, further requests from that address are halted before any route handler runs.
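The following is an added example, not code from the original page or from the plug_attack project, that carries the steps above through to a complete, testable setup: the rule module with an allow rule for loopback traffic, throttling headers on every response, a 429 (instead of plug_attack's default 403) when the limit is exceeded, the ETS storage started under a supervisor, and an ExUnit test that drives 101 requests through the router. It assumes plug_attack's documented `rule`/`throttle`/`allow` API and `PlugAttack.Storage.Ets` child spec, Plug.Test for building connections, and a `{:plug_attack, "~> 0.4"}` dependency in mix.exs; the `MyApp.*` module names, the storage name and the sample client addresses (203.0.113.x, a documentation range) are assumptions.

```elixir
defmodule MyApp.PlugAttack do
  import Plug.Conn
  use PlugAttack

  # Assumed storage name; the ETS table is started under the supervision tree below.
  @storage {PlugAttack.Storage.Ets, MyApp.PlugAttack.Storage}

  # Loopback traffic (health checks, local tooling) is never throttled.
  rule "allow local", conn do
    allow conn.remote_ip == {127, 0, 0, 1}
  end

  # Fixed window: at most 100 requests per client IP per 60 seconds.
  rule "throttle by ip", conn do
    throttle conn.remote_ip, period: 60_000, limit: 100, storage: @storage
  end

  # Under the limit: let the request through, but tell the client its remaining quota.
  def allow_action(conn, {:throttle, data}, opts) do
    conn |> add_throttling_headers(data) |> allow_action(true, opts)
  end

  def allow_action(conn, _data, _opts), do: conn

  # Over the limit: reply 429 with the same headers so clients can back off correctly.
  def block_action(conn, {:throttle, data}, _opts) do
    conn
    |> add_throttling_headers(data)
    |> send_resp(:too_many_requests, "Too Many Requests\n")
    |> halt()
  end

  # Any other blocking rule (e.g. a `block` rule) keeps plug_attack's 403 behaviour.
  def block_action(conn, _data, _opts) do
    conn |> send_resp(:forbidden, "Forbidden\n") |> halt()
  end

  defp add_throttling_headers(conn, data) do
    # expires_at is a Unix time in milliseconds; expose it in seconds.
    reset = div(data[:expires_at], 1_000)

    conn
    |> put_resp_header("x-ratelimit-limit", to_string(data[:limit]))
    |> put_resp_header("x-ratelimit-remaining", to_string(data[:remaining]))
    |> put_resp_header("x-ratelimit-reset", to_string(reset))
  end
end

defmodule MyApp.Router do
  use Plug.Router

  plug MyApp.PlugAttack
  plug :match
  plug :dispatch

  get "/", do: send_resp(conn, 200, "Hello, world!")
  match _, do: send_resp(conn, 404, "Oops, not found!")
end

defmodule MyApp.RateLimitTest do
  use ExUnit.Case, async: false
  import Plug.Test
  import Plug.Conn

  @opts MyApp.Router.init([])

  setup do
    # Same child spec the application would place in its supervision tree.
    start_supervised!({PlugAttack.Storage.Ets, name: MyApp.PlugAttack.Storage, clean_period: 60_000})
    :ok
  end

  # Build a GET / as if it came from the given client address and run it through the router.
  defp request(ip), do: MyApp.Router.call(%{conn(:get, "/") | remote_ip: ip}, @opts)

  test "the 101st request from one client within a minute is rejected" do
    ip = {203, 0, 113, 7}
    responses = for _ <- 1..100, do: request(ip)

    assert Enum.all?(responses, &(&1.status == 200))
    assert get_resp_header(List.last(responses), "x-ratelimit-remaining") == ["0"]

    blocked = request(ip)
    assert blocked.status == 429
    assert blocked.halted

    # Quotas are per client: another address still gets through, and loopback is exempt.
    assert request({203, 0, 113, 8}).status == 200
    assert request({127, 0, 0, 1}).status == 200
  end
end
```

Two design points worth noting: the throttle key is `conn.remote_ip`, so behind a reverse proxy the router must first restore the real client address (for example with a plug that honours a trusted `X-Forwarded-For` header), otherwise every client shares the proxy's single quota; and the ETS storage is per node, so in a multi-node deployment the effective limit is 100 per node rather than 100 overall unless a shared store is used.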
