Lack of protection against brute force attacks - Credentials - Elixir

Need

To protect the application against automated attacks aimed at guessing promotional codes.

Context

  • Usage of Elixir (1.12.0 and above) for building scalable and concurrent applications
  • Usage of Phoenix Framework for building web applications

Description

Non-compliant code

        defmodule MyAppWeb.PromoController do
          use MyAppWeb, :controller

          # Every request reaches the code check: nothing limits how many
          # guesses a single client can submit.
          def check_promo(conn, %{"promo_code" => promo_code}) do
            if PromoCode.valid?(promo_code) do
              render(conn, "success.html")
            else
              render(conn, "failure.html")
            end
          end
        end

The code above is vulnerable because it directly accepts and verifies promo codes without any rate limiting or captcha protection. This can be exploited by an attacker to conduct brute force attacks, i.e., trying different codes until a valid one is found.

Steps

  • Install a rate limiting package or use built-in features in your web framework.
  • Implement rate limiting on the 'check_promo' endpoint to limit the number of requests from an IP address within a certain period.
  • Consider adding a captcha to further prevent automated submissions.

Compliant code

        defmodule MyAppWeb.PromoController do
          use MyAppWeb, :controller

          # Run the rate limiter plug only for the check_promo action.
          plug MyAppWeb.Plugs.RateLimiter when action in [:check_promo]

          def check_promo(conn, %{"promo_code" => promo_code}) do
            if PromoCode.valid?(promo_code) do
              render(conn, "success.html")
            else
              render(conn, "failure.html")
            end
          end
        end

The updated code now includes a rate limiter which limits the number of requests that can be made to the 'check_promo' endpoint within a certain timeframe. This mitigates the risk of brute force attacks by making it infeasible to guess a valid promo code within a reasonable time.
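The page does not show MyAppWeb.Plugs.RateLimiter itself; the following is an added example of one way to implement it (not code from the original page): a fixed-window limiter keyed on the client IP and backed by a named ETS table. The table name, the limit of 5 attempts per 60-second window, the 429 response body and the purge_expired/1 helper are assumptions.

```elixir
defmodule MyAppWeb.Plugs.RateLimiter do
  # Fixed-window rate limiter keyed by client IP, backed by a named ETS table.
  # Assumed limits (not from the original page): 5 attempts per 60-second window.
  @behaviour Plug
  import Plug.Conn

  @table :promo_rate_limiter
  @max_attempts 5
  @window_seconds 60

  # Call once from a long-lived process (e.g. a GenServer init or
  # Application.start/2); an ETS table dies with the process that created it.
  def create_table do
    :ets.new(@table, [:named_table, :public, :set, write_concurrency: true])
  end

  @impl Plug
  def init(opts), do: opts

  @impl Plug
  def call(conn, _opts) do
    case check_rate(client_key(conn), System.system_time(:second)) do
      :ok ->
        conn
      {:deny, retry_after} ->
        conn
        |> put_resp_header("retry-after", Integer.to_string(retry_after))
        |> send_resp(429, "Too many attempts, try again later")
        |> halt()
    end
  end

  # Count the attempt in the caller's current window and deny once the count
  # exceeds the limit. Returns :ok or {:deny, seconds_until_window_resets}.
  def check_rate(key, now) do
    window_start = now - rem(now, @window_seconds)
    counter_key = {key, window_start}
    count = :ets.update_counter(@table, counter_key, {2, 1}, {counter_key, 0})
    if count > @max_attempts, do: {:deny, window_start + @window_seconds - now}, else: :ok
  end

  # Drop counters from closed windows; run periodically so the table stays bounded.
  def purge_expired(now) do
    :ets.select_delete(@table, [{{{:_, :"$1"}, :_}, [{:"=<", :"$1", now - @window_seconds}], [true]}])
  end

  # conn.remote_ip is the direct TCP peer; behind a reverse proxy, derive the key
  # from the trusted forwarded address instead (e.g. with the remote_ip library).
  defp client_key(conn), do: conn.remote_ip |> :inet.ntoa() |> to_string()
end
```

Because the counter is incremented before the promo code is checked, the limit applies to failed and successful submissions alike, so a client cannot learn anything from the rate limiter's response about whether a guess was close.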

References