Authentication Mechanism Absence or Evasion - Redirect - Elixir

Need

Prevent unauthorized access by implementing proper authentication

Context

  • Usage of Elixir 1.12 for building scalable and concurrent applications
  • Usage of Phoenix Framework 1.6 for web development

Description

Non compliant code

    defmodule MyAppWeb.SessionController do
      use MyAppWeb, :controller

      # The post-login destination is read verbatim from the "redirect" request parameter.
      def create(conn, %{"user" => user_params, "redirect" => redirect_url}) do
        case MyApp.Auth.authenticate(user_params) do
          {:ok, user} ->
            conn
            |> put_session(:user_id, user.id)
            # Attacker-controlled: the client decides where the authenticated user lands.
            |> redirect(to: redirect_url)

          _ ->
            # A failed login still has to send a response; returning the bare conn
            # raises Plug.Conn.NotSentError (login page path assumed).
            conn
            |> put_flash(:error, "Invalid credentials")
            |> redirect(to: "/login")
        end
      end
    end


The `create/2` action takes the post-login destination straight from the `redirect` request parameter. Phoenix 1.6's `redirect/2` with the `:to` option rejects absolute URLs and protocol-relative paths such as `//evil.example`, so this exact call cannot send the user off-site, but the client still chooses which route an authenticated user lands on, and any later change to `redirect(external: redirect_url)` or to a hand-built URL turns the action into an open redirect. An attacker who gets a victim to follow a crafted login link can then steer the freshly authenticated session to a page of their choosing, for example a look-alike page that re-prompts for credentials.

Steps

  • Implement a strong authentication process for every business-critical resource
  • Do not take the post-login destination from a request parameter; redirect to a fixed page defined in the application code, or, if a dynamic return path is genuinely required, accept only values that match a server-side allow-list of local routes

Compliant code

    defmodule MyAppWeb.SessionController do
      use MyAppWeb, :controller

      # No "redirect" parameter is used; a client that sends one is ignored.
      def create(conn, %{"user" => user_params}) do
        case MyApp.Auth.authenticate(user_params) do
          {:ok, user} ->
            conn
            |> put_session(:user_id, user.id)
            # The destination is a literal fixed in the application code.
            |> redirect(to: "/dashboard")

          _ ->
            # A failed login still has to send a response (login page path assumed).
            conn
            |> put_flash(:error, "Invalid credentials")
            |> redirect(to: "/login")
        end
      end
    end


The action now ignores any client-supplied destination and always redirects to a route fixed in the application code, so the request cannot influence where the user is sent after login. If the application later needs to return users to the page they came from, the return path should be resolved server-side against an allow-list of local routes rather than read back from the request.
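When a dynamic return path is unavoidable, the fixed-destination approach can be kept while still honouring an allow-listed local route. The module and ExUnit tests below are an added example written for this page, not code from the original article or from Phoenix; the module name MyAppWeb.ReturnTo, the allow-listed routes, the default "/dashboard" and the "/login" fallback used by the controller are assumptions. The script runs on its own with plain Elixir (`elixir return_to.exs`) and needs no Phoenix dependency.

```elixir
# Added example (not from the original page). MyAppWeb.ReturnTo, the
# allow-list contents and the default path are assumptions.
# Run with:  elixir return_to.exs
defmodule MyAppWeb.ReturnTo do
  @moduledoc """
  Resolves a client-supplied "return to" value to a route this application
  is willing to redirect to after login. Anything that is not an exact,
  allow-listed local path falls back to the default page.
  """

  @default "/dashboard"
  # Exact paths a user may be sent to after authenticating (assumed routes).
  @allowed ["/dashboard", "/account", "/orders"]

  @doc """
  Returns `candidate` unchanged when its path is on the allow-list (query
  string and fragment are preserved); otherwise returns the default page.
  """
  @spec resolve(term()) :: String.t()
  def resolve(candidate) when is_binary(candidate) do
    case URI.parse(candidate) do
      # A genuine local path has neither scheme nor host. "https://evil.example"
      # has a scheme, "//evil.example" parses with a host, "/\\evil.example" and
      # "/admin" are local but not allow-listed, and "dashboard" has no leading
      # slash, so all of them fall through to the default.
      %URI{scheme: nil, host: nil, path: path} when path in @allowed ->
        candidate

      _ ->
        @default
    end
  end

  # nil (parameter absent) or any non-string value.
  def resolve(_), do: @default

  def default, do: @default
end

# In the SessionController from the compliant code, the literal destination
# becomes:  redirect(to: MyAppWeb.ReturnTo.resolve(params["redirect"]))
# Phoenix's redirect/2 still applies its own local-path check on top.

ExUnit.start()

defmodule MyAppWeb.ReturnToTest do
  use ExUnit.Case, async: true
  alias MyAppWeb.ReturnTo

  test "allow-listed local paths are kept, including a query string" do
    assert ReturnTo.resolve("/account") == "/account"
    assert ReturnTo.resolve("/orders?page=2") == "/orders?page=2"
  end

  test "everything else falls back to the default page" do
    for bad <- [
          "https://evil.example/login", # absolute URL
          "//evil.example",             # protocol-relative URL
          "/\\evil.example",            # backslash some browsers normalise to //
          "/admin",                     # local, but not allow-listed
          "dashboard",                  # relative, no leading slash
          "",                           # empty value
          nil,                          # parameter absent
          %{"to" => "/dashboard"}       # wrong type
        ] do
      assert ReturnTo.resolve(bad) == ReturnTo.default()
    end
  end
end
```

To wire this into the compliant controller, match `%{"user" => user_params} = params` in `create/2` and pass `params["redirect"]` to `MyAppWeb.ReturnTo.resolve/1`; a missing or hostile value yields the default page, so the login flow never raises and never leaves the application.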
