Business Information Leak - Token - Elixir

Business Information Leak - Token - Elixir

Need

Prevent user information from being exposed in session tokens

Context

  • Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
  • Usage of Plug (1.12.1 and above) for building composable web applications in Elixir
  • Usage of Guardian for authentication and authorization

Description

Non compliant code

        defmodule MyApp.GuardianSerializer do
  @behaviour Guardian.Serializer

  def for_token(user = %User{}), do: { :ok, "User:#{user.id}:#{user.email}:#{user.name}" }
  def from_token("User:" <> id <> ":" <> email <> ":" <> name), do: { :ok, %User{id: id, email: email, name: name} }
end
        
        

This code is including the user's email and name in the session token. If an attacker can decode this token, they can obtain the user's email and name.

Steps

  • Do not include sensitive information like email and name in the session token.
  • Always sanitize data before including it in a token.

Compliant code

        defmodule MyApp.GuardianSerializer do
  @behaviour Guardian.Serializer

  def for_token(user = %User{}), do: { :ok, "User:#{user.id}" }
  def from_token("User:" <> id), do: { :ok, %User{id: id} }
end
        
        

The secure code does not include the user's email and name in the session token, thus protecting sensitive data.

References