Business Information Leak - Credit Cards - Elixir

Business Information Leak - Credit Cards - Elixir

Need

Prevent credit card information from being exposed in responses

Context

  • Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
  • Usage of Phoenix Framework for building web applications (version 1.5.0 and above)

Description

Non compliant code

        defmodule MyApp.UserController do
  use MyApp, :controller

  def show(conn, %{"id" => id}) do
    user = Repo.get!(User, id)
    render(conn, "show.json", user: user)
  end
end

defmodule MyApp.UserView do
  use MyApp, :view

  def render("show.json", %{user: user}) do
    %{id: user.id, name: user.name, credit_card: user.credit_card}
  end
end
        
        

This code is returning the user's credit card information in the response to the 'show' request. If an attacker can access the responses to these requests, they can obtain sensitive credit card information.

Steps

  • Do not include sensitive information like credit card data in the response.
  • Always sanitize data before sending it in a response.

Compliant code

        defmodule MyApp.UserController do
  use MyApp, :controller

  def show(conn, %{"id" => id}) do
    user = Repo.get!(User, id)
    render(conn, "show.json", user: user)
  end
end

defmodule MyApp.UserView do
  use MyApp, :view

  def render("show.json", %{user: user}) do
    %{id: user.id, name: user.name}
  end
end
        
        

The secure code does not include the user's credit card information in the response, thus protecting sensitive data.

References