Sensitive Information Sent Via URL Parameters - Elixir

Need

Secure transmission of sensitive information

Context

Usage of Elixir (1.11 and above) for building scalable and fault-tolerant applications
Usage of Phoenix Framework for building web applications (version 1.5 and above)

Description

Insecure Code Example

defmodule UserController do
  use MyAppWeb, :controller
  def show(conn, %{'id' => id}) do
    user = Repo.get!(User, id)
    render(conn, 'show.html', user: user)
  end
end

The above code is vulnerable because it allows the user id to be passed as a URL parameter. This exposes the user's sensitive information as the user id is visible in the URL and can be stored in browser history, sent to external sites via the referrer HTTP header, or intercepted by malicious scripts.

Steps

Avoid sending sensitive information in URL parameters.
Use the POST method to transmit sensitive data.
Use secure sessions or cookies to store user identifiers.

Secure Code Example

defmodule UserController do
  use MyAppWeb, :controller
  def show(conn, _params) do
    id = get_session(conn, :user_id)
    user = Repo.get!(User, id)
    render(conn, 'show.html', user: user)
  end
end

In the secure code example, the user id is obtained from a secure session or a cookie, rather than being passed in the URL. This mitigates the risk of sensitive information being exposed via the URL.

References

030 - Sensitive Information Sent Via URL Parameters

Last updated

2023/09/18