Security Controls Bypass or Absence

Need

Prevent denial of service or system overloading by limiting request rate

Context

• Usage of Elixir for building scalable and fault-tolerant applications

• Usage of Plug Cowboy for building web applications with Elixir

• Handling high volumes of incoming requests

• Usage of API abuse detection and prevention techniques

Description

1. Non-compliant code

defmodule MyApp.Router do
  use Plug.Router

  plug :match
  plug :dispatch

  # No rate-limiting plug anywhere in the pipeline, so every request reaches
  # the handler no matter how many the same client has already sent.
  get "/" do
    send_resp(conn, 200, "ok")
  end
  ...

This Elixir code is vulnerable because it exposes an API endpoint without any rate limiting, so a single host can send an unlimited number of requests.

2. Steps

• Add a rate-limiting package, such as 'plug_attack'.

• Configure the rate-limit rules for 'plug_attack'.

3. Secure code example

defmodule MyApp.RateLimiter do
  use PlugAttack
  # 100 requests per 60 s per client IP, counted in an ETS table owned by
  # PlugAttack.Storage.Ets (start it in the application's supervision tree).
  rule "throttle by ip", conn do
    throttle conn.remote_ip, period: 60_000, limit: 100,
      storage: {PlugAttack.Storage.Ets, MyApp.RateLimiter.Storage}
  end
end

defmodule MyApp.Router do
  use Plug.Router
  plug MyApp.RateLimiter  # before :match, so over-limit requests never route
  plug :match
  plug :dispatch
  ...

This Elixir code is safe because it adds 'plug_attack' to the pipeline for rate limiting. The plug is configured to allow at most 100 requests per minute from a single IP address, and requests over that limit are rejected.
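The following is an added example, not code from the original card: a plug_attack throttle that answers over-limit requests with 429 and a Retry-After header instead of the library's default 403, together with the ExUnit test a defender would use to confirm the 101st request within the window is actually rejected. It assumes the plug_attack and plug packages are available; the module names MyApp.Throttle and MyApp.ThrottleStorage are chosen here, and the storage child spec follows plug_attack's README.

```elixir
# Added example, not code from the original card. Assumes the plug_attack and
# plug packages; MyApp.Throttle / MyApp.ThrottleStorage are names chosen here.
defmodule MyApp.Throttle do
  import Plug.Conn
  use PlugAttack

  # 100 requests per 60 s per client IP, counted in a named ETS table.
  rule "throttle by ip", conn do
    throttle conn.remote_ip, period: 60_000, limit: 100,
      storage: {PlugAttack.Storage.Ets, MyApp.ThrottleStorage}
  end

  # Replace plug_attack's default 403 with 429 plus Retry-After, and halt so
  # no later plug or route runs for the rejected request.
  def block_action(conn, {:throttle, data}, _opts) do
    wait_ms = data[:expires_at] - System.system_time(:millisecond)
    conn
    |> put_resp_header("retry-after", Integer.to_string(max(div(wait_ms, 1_000), 1)))
    |> put_resp_header("x-ratelimit-limit", Integer.to_string(data[:limit]))
    |> send_resp(429, "Too Many Requests")
    |> halt()
  end
end

defmodule MyApp.ThrottleTest do
  use ExUnit.Case, async: false
  import Plug.Test

  setup do
    # In production this child belongs in the application's supervision tree.
    start_supervised!(
      {PlugAttack.Storage.Ets, name: MyApp.ThrottleStorage, clean_period: 60_000}
    )
    :ok
  end

  test "the 101st request from one IP within the window is rejected" do
    opts = MyApp.Throttle.init([])
    request = fn -> MyApp.Throttle.call(conn(:get, "/"), opts) end

    # The first 100 requests pass through untouched.
    for _ <- 1..100, do: assert %Plug.Conn{halted: false} = request.()

    blocked = request.()
    assert blocked.halted
    assert blocked.status == 429
    assert Plug.Conn.get_resp_header(blocked, "retry-after") != []
  end
end
```

Plug.Test gives every request the same remote_ip (127.0.0.1), which is what makes the loop exercise a single client's counter.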