Database

Need

To prevent users from manipulating hidden fields in the application that could lead to undesired behaviors

Context

• Usage of Elixir (v1.11+) for building scalable and fault-tolerant applications

• Usage of Phoenix Framework for building web applications

Description

1. Non compliant code

def update(conn, %{"user" => user_params}) do
  # Vulnerable: the record to update is selected by the client-supplied "id",
  # which typically arrives from a hidden form input the user can edit.
  user = Repo.get!(User, user_params["id"])

  case Accounts.update_user(user, user_params) do
    {:ok, user} ->
      redirect(conn, to: user_path(conn, :show, user))

    # A Phoenix action must return a conn, so re-render the form on failure
    {:error, %Ecto.Changeset{} = changeset} ->
      render(conn, "edit.html", user: user, changeset: changeset)
  end
end

This code snippet is vulnerable because it accepts every parameter sent by the client, including the `id` field. An attacker who edits that hidden form input chooses which record is loaded and updated, and can therefore alter data they are not authorized to modify.

2. Steps

• Do not expose sensitive information such as the user id to the client side.

• Always validate the user input at the server side, never trust user input blindly.

• Enforce authorization checks to ensure that the user is allowed to perform the action.

3. Secure code example

def update(conn, %{"user" => user_params}) do
  # The record to update is chosen from the authenticated session stored
  # server-side in conn.assigns, never from a client-submitted id.
  user = Accounts.get_user!(conn.assigns.current_user.id)

  # Accounts.update_user/2 must cast only an explicit allowlist of fields,
  # so any "id" left in user_params is discarded.
  case Accounts.update_user(user, user_params) do
    {:ok, user} ->
      redirect(conn, to: user_path(conn, :show, user))

    {:error, %Ecto.Changeset{} = changeset} ->
      render(conn, "edit.html", user: user, changeset: changeset)
  end
end

In this secure version, the user's id is not taken from the client at all; it is read server-side from the authenticated user's session (`conn.assigns.current_user`), so a manipulated hidden `id` field has no influence on which record is updated. The changeset built by `Accounts.update_user/2` should likewise cast only an explicit allowlist of fields, so that any `id` still present in the submitted parameters is ignored rather than applied.
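The following is an added example, not code from the original page: it shows the context module behind the secure controller, assuming a `MyApp.Accounts` context and a `User` schema with `name`, `email` and `role` fields. It combines the two remaining steps, an explicit field allowlist in `cast/3` so a forged `user[id]` input is discarded, and an authorization decision taken from the server-side acting user rather than from anything the client submitted.

```elixir
defmodule MyApp.Accounts do
  import Ecto.Changeset
  alias MyApp.Repo
  alias MyApp.Accounts.User

  # Only these fields may be set from a submitted form. :id is deliberately
  # absent, so a hidden input named user[id] is dropped by cast/3 even if
  # an attacker adds one to the request.
  @updatable_fields [:name, :email]

  def get_user!(id), do: Repo.get!(User, id)

  # `actor` is the authenticated user from the session (conn.assigns.current_user);
  # `target` is the record being edited. The client never chooses either by id.
  # Assumed rule: users may edit themselves, admins may edit anyone.
  def update_user(%User{} = actor, %User{} = target, attrs) do
    if authorized?(actor, target) do
      target
      |> cast(attrs, @updatable_fields)
      |> validate_required(@updatable_fields)
      |> validate_format(:email, ~r/@/)
      |> Repo.update()
    else
      {:error, :unauthorized}
    end
  end

  defp authorized?(%User{id: id}, %User{id: id}), do: true
  defp authorized?(%User{role: :admin}, _target), do: true
  defp authorized?(_actor, _target), do: false
end
```

A controller calling this three-argument variant should map `{:error, :unauthorized}` to a 403 response rather than re-rendering the form.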