
Business Information Leak - Customers or Providers

Need

Ensure the privacy and security of sensitive business information

Context

• Usage of Elixir (v1.11+) for building scalable and fault-tolerant applications

• Usage of Plug for creating middleware

• Usage of Phoenix Framework for web interface development

Description

1. Non-compliant code

defmodule UnsecuredController do
  use Phoenix.Controller

  # Repo and Customer are assumed to be the application's Ecto repo and
  # customer schema. No plug runs before this action, so any request,
  # authenticated or not, receives the full customer list.
  def list_customers(conn, _params) do
    customers = Repo.all(Customer)
    render(conn, "index.html", customers: customers)
  end
end

This code retrieves every customer record from the database and renders it without any authentication or authorization check. Any client that can reach the route obtains the full customer list, which exposes sensitive customer data and gives an attacker material for further attacks.

2. Steps

• Use a middleware like Plug to handle authentication and authorization.

• Create a function to check if the user is authenticated and authorized before allowing access to the customer data.

• Wrap your sensitive routes with this middleware.
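The three steps above, carried through as one added example (not code from the original page): a module plug that enforces both authentication and authorization, wired into a router pipeline so that every route under it is protected before the controller runs. The module names (MyAppWeb.Plugs.RequireCustomerAccess, MyAppWeb.Router, CustomerController), the :current_user session key and the role atoms are assumptions chosen for illustration.

```elixir
defmodule MyAppWeb.Plugs.RequireCustomerAccess do
  @moduledoc """
  Module plug (hypothetical name) that rejects the request unless a
  user is present in conn.assigns and holds one of the allowed roles.
  Halting here means the controller action, and its Repo query, never run.
  """
  import Plug.Conn
  import Phoenix.Controller, only: [json: 2]

  # Default roles; overridable per pipeline via `plug ..., roles: [...]`.
  @default_roles [:admin]

  def init(opts), do: Keyword.get(opts, :roles, @default_roles)

  def call(conn, roles) do
    # Assumes an earlier plug put the authenticated user in conn.assigns.
    case conn.assigns[:current_user] do
      nil ->
        # Not authenticated at all: 401, and stop the pipeline.
        deny(conn, :unauthorized, "authentication required")

      %{role: role} when is_atom(role) ->
        # Authenticated: now check authorization against the allowed roles.
        if role in roles, do: conn, else: deny(conn, :forbidden, "forbidden")

      _user ->
        # Authenticated but with no usable role: treat as not authorized.
        deny(conn, :forbidden, "forbidden")
    end
  end

  defp deny(conn, status, message) do
    conn
    |> put_status(status)
    |> json(%{error: message})
    |> halt()
  end
end

defmodule MyAppWeb.Router do
  use Phoenix.Router
  import Plug.Conn

  # Loads the user from the session into conn.assigns. A real application
  # would look the session's user id up in the database; here the session
  # is assumed to already hold a map such as %{id: 1, role: :sales}.
  def load_current_user(conn, _opts) do
    assign(conn, :current_user, get_session(conn, :current_user))
  end

  pipeline :customer_data do
    plug :fetch_session
    plug :load_current_user
    plug MyAppWeb.Plugs.RequireCustomerAccess, roles: [:admin, :sales]
  end

  # Every route in this scope passes through the pipeline first, so the
  # protection does not depend on each controller remembering to add a plug.
  scope "/admin", MyAppWeb do
    pipe_through :customer_data
    get "/customers", CustomerController, :list_customers
  end
end
```

Putting the check in a router pipeline rather than in each controller is the safer default: a new controller added under the same scope is covered automatically, and an audit of which routes expose customer data reduces to reading the router. The plug returns 401 for an unauthenticated request and 403 for an authenticated user with the wrong role, which keeps the two failure modes distinguishable in access logs.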

3. Secure code example

defmodule SecuredController do
  use Phoenix.Controller

  plug :authenticate_user

  def list_customers(conn, _params) do
    customers = Repo.all(Customer)
    render(conn, "index.html", customers: customers)
  end

  # Halts the request unless an earlier plug stored a user in conn.assigns.
  defp authenticate_user(conn, _opts) do
    if conn.assigns[:current_user],
      do: conn,
      else: conn |> put_status(:unauthorized) |> text("Unauthorized") |> halt()
  end
end

This code checks if the user is authenticated and authorized before retrieving and rendering customer data. This prevents unauthorized users from accessing sensitive customer data.