
Technical Information Leak - Elixir


Need

To prevent unauthorized access to sensitive system and configuration data


Context

  1. Usage of Elixir (1.10 and above) for building scalable and fault-tolerant applications
  2. Usage of Phoenix Framework for the application

Description

Insecure Code Example

defmodule MyAppWeb.Router do
  use MyAppWeb, :router

  pipeline :api do
    plug :accepts, ["json"]
  end

  scope "/api", MyAppWeb do
    pipe_through :api

    resources "/users", UserController, only: [:index, :show, :create]
  end
end

The router above leaves the response headers untouched, so every response carries the server header that the web server adapter sets by default (Cowboy, in a standard Phoenix deployment). That header tells a client which server stack answers the request and, depending on the deployment, can expose version details as well. An attacker uses this kind of fingerprint to map the application to known vulnerabilities for that stack and to pick targeted attacks.

Steps

  1. Add a function plug inside the router module that overwrites the server response header with a generic value. Overwrite rather than delete: with the default Cowboy adapter, deleting the header in a plug is not enough, because the adapter adds its own server header when the response is sent, whereas a value set explicitly on the connection takes precedence.
  2. Call this function in the pipeline used by the routes that must be protected (or, to cover every route, in the endpoint before the router is plugged in).

Secure Code Example

defmodule MyAppWeb.Router do
  use MyAppWeb, :router

  pipeline :api do
    plug :accepts, ["json"]
    plug :remove_version_header
  end

  # Function plug: overwrites the server header with a generic value so the
  # response no longer identifies the underlying web server or its version.
  defp remove_version_header(conn, _opts) do
    Plug.Conn.put_resp_header(conn, "server", "My App")
  end

  scope "/api", MyAppWeb do
    pipe_through :api

    resources "/users", UserController, only: [:index, :show, :create]
  end
end

In the secure code, the server header is overwritten with a generic value using put_resp_header, so the client no longer receives the server or version information the default header would carry. Because the plug runs only in the :api pipeline, routes outside that pipeline keep the default header; placing the same plug in the endpoint protects every response. Verify the fix from the outside with a request such as curl -sI https://<host>/api/users and confirm that the Server line shows only the generic value. This is a simple yet effective way to reduce the information an attacker could use to fingerprint the deployment.
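The same hardening as a reusable module plug, with an ExUnit test that checks the header on a sent response. This is an added example and not code from the original page or from the Phoenix project; the module name MyAppWeb.Plugs.ServerHeader, the :value option and the default value "My App" are assumptions. It uses Plug.Conn.register_before_send so the generic header is applied after any controller code has run, which lets the plug be placed in the endpoint once for all routes instead of in each pipeline.

```elixir
# Added example (not from the original page): reusable plug that overwrites the
# "server" response header with a generic value. Module name, option key and
# default value are illustrative assumptions.
defmodule MyAppWeb.Plugs.ServerHeader do
  @behaviour Plug
  import Plug.Conn

  @impl true
  def init(opts), do: Keyword.get(opts, :value, "My App")

  @impl true
  def call(conn, value) do
    # The callback runs right before the response is sent, after controllers
    # and other plugs have set their own headers, so this value is applied last.
    # An explicit value is used instead of delete_resp_header/2 because the
    # default Cowboy adapter adds "server: Cowboy" at send time unless a value
    # is already present on the connection.
    register_before_send(conn, fn conn ->
      put_resp_header(conn, "server", value)
    end)
  end
end

# Unit test for the plug (runs with `mix test`); it drives the plug directly
# through Plug.Test, without starting the endpoint.
defmodule MyAppWeb.Plugs.ServerHeaderTest do
  use ExUnit.Case, async: true
  import Plug.Test
  import Plug.Conn

  alias MyAppWeb.Plugs.ServerHeader

  test "default value replaces the server header" do
    conn =
      conn(:get, "/api/users")
      |> ServerHeader.call(ServerHeader.init([]))
      |> send_resp(200, "[]")

    assert get_resp_header(conn, "server") == ["My App"]
  end

  test "custom value and header set by a later plug are both overridden" do
    conn =
      conn(:get, "/api/users")
      |> ServerHeader.call(ServerHeader.init(value: "frontend"))
      # Simulates a downstream plug or controller setting its own header;
      # the before_send callback still wins because it runs last.
      |> put_resp_header("server", "Cowboy/2.10")
      |> send_resp(200, "[]")

    assert get_resp_header(conn, "server") == ["frontend"]
  end
end
```

To cover every route, add plug MyAppWeb.Plugs.ServerHeader, value: "My App" to MyAppWeb.Endpoint before plug MyAppWeb.Router; to protect only some routes, add the same line to the relevant pipeline in the router. The usual request-level check (curl -sI against an API route and reading the Server line) then confirms the generic value in the deployed application.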


References

  • 037 - Technical Information Leak

Last updated: 2023/09/18