
Insecurely Generated Token - Elixir


Need

Create secure, unpredictable session tokens to prevent reuse


Context

  1. Usage of Elixir (v1.11+) for building scalable and fault-tolerant applications
  2. Usage of Phoenix.Token for token generation and verification

Description

Insecure Code Example

defmodule InsecureToken do
  # Insecure on purpose: the "token" is just the user_id written backwards,
  # so anyone who knows (or guesses) the user_id can compute it.
  def generate_token(user_id) do
    user_id
    |> Integer.to_string()
    |> String.reverse()
  end
end

The `generate_token` function is insecure because it simply reverses the user_id and uses the result as the token. The token is fully predictable and trivially reversible: whoever knows a user_id can compute that user's token, and nothing in it prevents reuse after 14 days.

Steps

  1. Install the Phoenix.Token package if it's not already installed.
  2. Use `Phoenix.Token.sign/3` to generate a secure token, providing the user_id as the salt.
  3. Use `Phoenix.Token.verify/4` to verify tokens before use.

Secure Code Example

defmodule SecureToken do
  # Phoenix.Token requires a key base of at least 20 bytes and raises on a
  # shorter one, so a literal such as "s3cr3t" would fail. Load the key base
  # from configuration instead of hard-coding it; :my_app is a placeholder
  # for the application's own name.
  @secret_key_base Application.compile_env!(:my_app, :secret_key_base)
  @salt "user salt"
  @max_age 14 * 24 * 60 * 60

  def generate_token(user_id) do
    Phoenix.Token.sign(@secret_key_base, @salt, user_id)
  end

  # Rejects forged, tampered or expired tokens, and tokens issued to another user.
  def verify_token(token, user_id) do
    case Phoenix.Token.verify(@secret_key_base, @salt, token, max_age: @max_age) do
      {:ok, ^user_id} -> :ok
      {:ok, _other_user} -> {:error, :user_mismatch}
      {:error, reason} -> {:error, reason}
    end
  end
end

The `generate_token` function now uses `Phoenix.Token.sign/3` to generate a signed token, and `verify_token` uses `Phoenix.Token.verify/4` to check the token's signature and age. Because the token is signed with a key derived from the secret key base, it cannot be forged or altered without that secret, and verification rejects any token older than 14 days.
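The following is an added example, not code from the original page, that exercises `Phoenix.Token` end to end: a freshly signed token verifies, a token altered by one character fails with `:invalid`, a token signed 15 days ago (via the `:signed_at` option) fails with `:expired`, and a token signed under a different key base is refused. It assumes the `:phoenix` dependency is available (for instance, run with `mix run` inside a Phoenix project). The module name `SessionTokenDemo` and the attributes `@salt`, `@max_age` and `@day` are this example's own; the key base is generated at runtime only for the demonstration.

```elixir
# Added example (not from the original page). Assumes :phoenix is available.
defmodule SessionTokenDemo do
  @salt "user salt"
  @max_age 14 * 24 * 60 * 60
  @day 24 * 60 * 60

  # Demo only: a real application reads the key base from config. Phoenix.Token
  # requires at least 20 bytes, so a short literal such as "s3cr3t" would raise.
  def key_base, do: :crypto.strong_rand_bytes(64) |> Base.encode64()

  def sign(key_base, user_id, opts \\ []) do
    Phoenix.Token.sign(key_base, @salt, user_id, opts)
  end

  # Verify signature and age, then bind the token to the expected user so a
  # valid token for user A is not accepted for user B.
  def verify(key_base, token, expected_user_id) do
    case Phoenix.Token.verify(key_base, @salt, token, max_age: @max_age) do
      {:ok, ^expected_user_id} -> :ok
      {:ok, _other_user} -> {:error, :user_mismatch}
      # reason is :expired, :invalid or :missing (nil token)
      {:error, reason} -> {:error, reason}
    end
  end

  def run do
    key = key_base()

    fresh = sign(key, 42)
    :ok = verify(key, fresh, 42)
    {:error, :user_mismatch} = verify(key, fresh, 43)
    {:error, :missing} = verify(key, nil, 42)

    # Any change to the token breaks the HMAC, so the payload is never trusted.
    {:error, :invalid} = verify(key, fresh <> "x", 42)

    # A token signed 15 days ago is outside max_age and is refused.
    stale = sign(key, 42, signed_at: System.system_time(:second) - 15 * @day)
    {:error, :expired} = verify(key, stale, 42)

    # A token signed under a different key base does not verify either.
    {:error, :invalid} = verify(key, sign(key_base(), 42), 42)

    :all_checks_passed
  end
end

SessionTokenDemo.run() |> IO.inspect()
```

Each `=` in `run/0` is a pattern match, so the script raises a `MatchError` at the first outcome that differs from the expected one and prints `:all_checks_passed` otherwise. The user-binding check in `verify/3` is the part most often left out: `Phoenix.Token.verify/4` only proves the token was issued by this application within `max_age`, not that it belongs to the user who presented it.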


References

  • 078 - Insecurely Generated Token

  • Last updated

    2023/09/18