
Need

Prevent attackers from tricking authenticated users into executing actions without their consent.

Context

• Usage of Elixir 1.13.0 for functional programming and building scalable applications

• Usage of Plug for request management

• Usage of Plug.CSRFProtection for protecting against CSRF attacks

• Usage of cookie-based sessions for application authentication and state management

Description

1. Non-compliant code

defmodule VulnerableController do
  use Plug.Router

  # Parses the form body so that conn.params is populated
  plug Plug.Parsers, parsers: [:urlencoded, :multipart]
  plug :match
  plug :dispatch

  # No CSRF token is checked: any site can submit this POST on behalf of a logged-in user
  post "/change_password" do
    User.change_password(conn.params["new_password"])
    send_resp(conn, 200, "Password changed")
  end
end

The endpoint '/change_password' changes the password of a user based on the provided parameters. However, it does not validate the authenticity of the request, making it vulnerable to CSRF attacks. An attacker can create a malicious site that sends a POST request to this endpoint, changing the password without the user's knowledge or consent.

2. Steps

• Import the Plug.CSRFProtection package in your controller.

• Add a plug to the controller to use CSRF protection.

• Ensure every form or action that modifies state on the server includes the CSRF token in the request.

3. Secure code example

defmodule SecureController do
  use Plug.Router

  plug Plug.Parsers, parsers: [:urlencoded, :multipart]
  # Tokens live in the session, so it must be configured and fetched before the CSRF plug runs
  # (the cookie store also requires conn.secret_key_base to be set; the salt here is a placeholder)
  plug Plug.Session, store: :cookie, key: "_app_session", signing_salt: "PLACEHOLDER_SALT"
  plug :fetch_session
  # Rejects state-changing requests (POST/PUT/PATCH/DELETE) that carry no valid token
  plug Plug.CSRFProtection
  plug :match
  plug :dispatch
  post "/change_password" do
    User.change_password(conn.params["new_password"])
    send_resp(conn, 200, "Password changed")
  end
end

This solution introduces CSRF protection by adding Plug.CSRFProtection to the controller's plug pipeline, after the session has been fetched. The plug generates a CSRF token, stores it in the session and validates it on every state-modifying request (POST, PUT, PATCH, DELETE). A request without a valid token never reaches the route handler; instead an 'Invalid CSRF token' error is returned to the client, thus preventing CSRF attacks.
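The three steps listed above and the secure example, carried through as one complete Plug.Router that also renders the form carrying the token. This is an added example and not code from the original page: the module name CsrfProtectedRouter, the PasswordStore stand-in, the session cookie name and every placeholder salt and secret are assumptions constructed for the illustration.

```elixir
# Added example, not code from the original page. CsrfProtectedRouter, PasswordStore
# and every placeholder secret below are constructed for this illustration.
defmodule PasswordStore do
  # Stand-in for a real user store: accepts the change only for a reasonably long password.
  def change_password(new_password) when is_binary(new_password) and byte_size(new_password) >= 12,
    do: :ok

  def change_password(_), do: {:error, :weak_password}
end

defmodule CsrfProtectedRouter do
  use Plug.Router

  # 1. Parse the body first, so "_csrf_token" and "new_password" land in conn.params.
  plug Plug.Parsers, parsers: [:urlencoded, :multipart]

  # 2. The cookie session store derives its keys from conn.secret_key_base (>= 64 bytes).
  #    Placeholder here; a real deployment loads it from configuration.
  plug :put_secret_key_base

  plug Plug.Session,
    store: :cookie,
    key: "_csrf_demo_session",
    signing_salt: "PLACEHOLDER_SIGNING_SALT"

  plug :fetch_session

  # 3. Plug.CSRFProtection reads the token from the session fetched above and rejects
  #    POST/PUT/PATCH/DELETE requests whose "_csrf_token" param or "x-csrf-token"
  #    header does not match it. GET and HEAD pass through untouched.
  plug Plug.CSRFProtection

  plug :match
  plug :dispatch

  # Renders the form. get_csrf_token/0 returns a masked token bound to this session,
  # which is what the hidden field must carry back on submit.
  get "/change_password" do
    token = Plug.CSRFProtection.get_csrf_token()

    html = """
    <form method="post" action="/change_password">
      <input type="hidden" name="_csrf_token" value="#{token}">
      <input type="password" name="new_password" autocomplete="new-password">
      <button type="submit">Change password</button>
    </form>
    """

    conn
    |> put_resp_content_type("text/html")
    |> send_resp(200, html)
  end

  # Only reached once Plug.CSRFProtection has accepted the token.
  post "/change_password" do
    case PasswordStore.change_password(conn.params["new_password"]) do
      :ok -> send_resp(conn, 200, "Password changed")
      {:error, reason} -> send_resp(conn, 422, "Rejected: #{reason}")
    end
  end

  match _ do
    send_resp(conn, 404, "Not found")
  end

  defp put_secret_key_base(conn, _opts) do
    # 76 bytes, comfortably above the 64-byte minimum; placeholder only.
    %{conn | secret_key_base: String.duplicate("PLACEHOLDER_SECRET_", 4)}
  end
end
```

Serve it with `Plug.Cowboy.http(CsrfProtectedRouter, [])` and load `/change_password` in a browser: the rendered form carries the hidden `_csrf_token` field, and submitting it succeeds. A POST that omits or alters that field (which is all a cross-site page can produce, since it cannot read the victim's session token) never reaches the route; Plug.CSRFProtection raises `Plug.CSRFProtection.InvalidCSRFTokenError`, which Plug serves as a 403. The ordering matters: Plug.Parsers, Plug.Session and :fetch_session must all run before Plug.CSRFProtection, and all of them before :match and :dispatch.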