
Insecure HTTP methods enabled - Elixir


Need

To ensure that HTTP methods the application does not need, such as TRACE, PUT and DELETE, are disabled, so that they cannot be used to read, modify or remove resources in unintended ways.


Context

  1. Usage of Elixir for building scalable and fault-tolerant applications
  2. Usage of the Plug and Phoenix frameworks for building web applications
  3. Usage of the application as a web server for handling HTTP requests

Description

Insecure Code Example

defmodule VulnerableController do
  use MyApp.Web, :controller

  # Handles PUT requests routed to this controller: the resource can be
  # modified over HTTP.
  def update(conn, _params) do
    # update action
    send_resp(conn, 200, "updated")
  end

  # Handles DELETE requests routed to this controller: the resource can be
  # removed over HTTP.
  def delete(conn, _params) do
    # delete action
    send_resp(conn, 204, "")
  end
end

The preceding Elixir code is vulnerable because the controller exposes update and delete actions, so the application accepts PUT and DELETE requests for that resource. Accepting methods the application does not need widens its attack surface and can expose resources to unintended modification or deletion.

Steps

  1. Use a Plug to restrict the HTTP methods your application accepts to an explicit allow list.
  2. Remove or comment out any controller actions and routes that handle unwanted HTTP methods.

Secure Code Example

defmodule SecureController do
  use MyApp.Web, :controller

  # Handles GET requests routed to this controller: read-only access.
  def show(conn, _params) do
    # show action
    send_resp(conn, 200, "shown")
  end

  # Handles POST requests routed to this controller: resource creation.
  def create(conn, _params) do
    # create action
    send_resp(conn, 201, "created")
  end

  # The PUT and DELETE methods are not handled
end

The preceding Elixir code is secure because it does not include handlers for the PUT and DELETE HTTP methods; only the actions the application actually needs (show and create) are exposed, which removes the risks associated with the unneeded methods.
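The Steps above say to use a Plug to limit the allowed methods; the following is an added example (not code from the original page) of such a Plug, together with an ExUnit test that shows TRACE, PUT and DELETE being refused with 405 while GET passes through. The module names (MyAppWeb.Plugs.AllowedMethods, MyAppWeb.Endpoint, MyAppWeb.Router) and the path /items are assumptions; Plug.Conn, Plug.Test and ExUnit are the standard libraries.

```elixir
# Added example: a Plug enforcing an explicit allow list of HTTP methods.
# Module and application names (MyAppWeb, MyAppWeb.Endpoint) are assumptions.
defmodule MyAppWeb.Plugs.AllowedMethods do
  @behaviour Plug
  import Plug.Conn

  # Methods a typical read/create API needs; everything else is refused,
  # so TRACE, PUT, DELETE (and any other verb) never reach the router.
  @default_allow ~w(GET HEAD POST OPTIONS)

  @impl Plug
  def init(opts), do: Keyword.get(opts, :allow, @default_allow)

  @impl Plug
  def call(%Plug.Conn{method: method} = conn, allow) do
    if method in allow do
      conn
    else
      # A 405 response should carry an Allow header listing the permitted
      # methods; halt/1 stops the rest of the pipeline from running.
      conn
      |> put_resp_header("allow", Enum.join(allow, ", "))
      |> send_resp(405, "Method Not Allowed")
      |> halt()
    end
  end
end

# Wiring (assumed file lib/my_app_web/endpoint.ex). Placing the plug in the
# endpoint, before the router, applies the check to every request, including
# requests for paths that match no route:
#
#   plug MyAppWeb.Plugs.AllowedMethods, allow: ~w(GET HEAD POST OPTIONS)
#   plug MyAppWeb.Router

defmodule MyAppWeb.Plugs.AllowedMethodsTest do
  use ExUnit.Case, async: true
  import Plug.Test

  alias MyAppWeb.Plugs.AllowedMethods

  @allow ~w(GET HEAD POST)

  test "permitted methods pass through untouched" do
    opts = AllowedMethods.init(allow: @allow)
    conn = conn(:get, "/items") |> AllowedMethods.call(opts)

    refute conn.halted
    # No response was sent; downstream plugs and the router still run.
    assert conn.state == :unset
  end

  test "TRACE, PUT and DELETE are refused with 405 and an Allow header" do
    opts = AllowedMethods.init(allow: @allow)

    for method <- [:trace, :put, :delete] do
      conn = conn(method, "/items/1") |> AllowedMethods.call(opts)

      assert conn.halted
      assert conn.status == 405
      assert Plug.Conn.get_resp_header(conn, "allow") == ["GET, HEAD, POST"]
    end
  end
end
```

Two points worth keeping in mind when applying this. First, in Phoenix it is the router, not the controller, that decides which methods map to which actions, so removing update/delete from a controller should go together with narrowing the routes (for example `resources "/items", ItemController, only: [:index, :show, :create]`); the allow-list plug is the defence-in-depth layer that catches anything the router still accepts. Second, the allow list is per deployment: an API that legitimately updates resources should keep PUT or PATCH on the list and rely on authentication and authorization for those actions rather than on blocking the verb.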


References

  • 044 - Insecure HTTP methods enabled

  • Last updated: 2023/09/18