Business Information Leak - JWT - Elixir


Need

Prevent leakage of sensitive business information through JWTs


Context

  1. Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
  2. Usage of Guardian for authentication and authorization

Description

Insecure Code Example

defmodule MyApp.Guardian do
  use Guardian, otp_app: :my_app

  # The subject claim ("sub") identifies the user.
  def subject_for_token(user, _claims) do
    {:ok, "User:#{user.id}"}
  end

  # Reads the username and the password back out of the token's claims,
  # which means the password was placed in the JWT payload in the first place.
  def resource_from_claims(claims) do
    {:ok, %{username: claims["sub"], password: claims["password"]}}
  end
end

The code generates JWTs whose claims carry sensitive user information such as the username and password. A JWT payload is only base64url-encoded, not encrypted, so an attacker who obtains the token can decode it without any key and read this information.

Steps

  1. Remove sensitive information from the JWT claims.
  2. Keep sensitive information on the server side and do not include it in JWTs.

Secure Code Example

defmodule MyApp.Guardian do
  use Guardian, otp_app: :my_app

  # The subject claim ("sub") identifies the user.
  def subject_for_token(user, _claims) do
    {:ok, "User:#{user.id}"}
  end

  # Only the user ID travels in the token; everything else is looked up server side.
  def resource_from_claims(claims) do
    {:ok, %{user_id: claims["sub"]}}
  end
end

The code generates JWTs that contain only the user ID and no other sensitive information such as the username or password. Thus, even if an attacker obtains the JWT and decodes it, they cannot access sensitive business information from it.
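The following is an added example, not part of the original guideline or of Guardian. It is written in Python rather than Elixir so that the JWT mechanics can be shown with only the standard library: it mints an HS256 token from a claims map, shows that the payload can be read back without the signing key (the signature protects integrity, not confidentiality), and runs a simple check that flags claim names which should never be placed in a token. The signing key, the claim values and the list of sensitive claim names are constructed for the demonstration; the two claim maps mirror the insecure and secure Guardian examples above.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real deployment reads its key from configuration.
SECRET = b"constructed-demo-key-not-for-production"

# Constructed list of claim names that must stay server side (assumption for this example).
SENSITIVE_CLAIM_KEYS = {"username", "password", "password_hash", "secret", "ssn"}


def _b64url(data: bytes) -> str:
    """base64url without padding, as JWT segments are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """Restore the padding that JWT's base64url encoding strips, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(claims: dict, key: bytes = SECRET) -> str:
    """Mint a compact HS256 JWT (header.payload.signature) from a claims dict."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode("utf-8")
    signing_input = f"{_b64url(compact(header))}.{_b64url(compact(claims))}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_hs256(token: str, key: bytes = SECRET) -> bool:
    """Signature check: proves the token was not modified, nothing more."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(_b64url(expected), sig)


def read_payload_without_key(token: str) -> dict:
    """What anyone holding the token sees: the payload is encoded, not encrypted."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))


def sensitive_claims(token: str) -> list:
    """Names of claims in the token that should not have been put there."""
    payload = read_payload_without_key(token)
    return sorted(k for k in payload if k.lower() in SENSITIVE_CLAIM_KEYS)


# Constructed claims mirroring the insecure and secure Guardian examples.
INSECURE_CLAIMS = {"sub": "User:42", "username": "alice", "password": "hunter2"}
SECURE_CLAIMS = {"sub": "User:42"}

if __name__ == "__main__":
    for label, claims in (("insecure", INSECURE_CLAIMS), ("secure", SECURE_CLAIMS)):
        token = sign_hs256(claims)
        print(label, "valid signature:", verify_hs256(token))
        print(label, "payload readable without key:", read_payload_without_key(token))
        print(label, "sensitive claims exposed:", sensitive_claims(token))
```

The check in `sensitive_claims` is the kind of assertion worth adding to a test suite around the token-issuing code: mint a token for a fixture user, decode the payload, and fail the build if any claim name outside an allow-list (here `sub`) appears.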


References

  • 213 - Business Information Leak - JWT

  • Last updated

    2023/09/18