
Business Information Leak - Credit Cards - Elixir


Need

Prevent credit card information from being exposed in responses


Context

  1. Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
  2. Usage of Phoenix Framework for building web applications (version 1.5.0 and above)

Description

Insecure Code Example

defmodule MyApp.UserController do
  use MyApp, :controller
  alias MyApp.{Repo, User}

  def show(conn, %{"id" => id}) do
    user = Repo.get!(User, id)
    render(conn, "show.json", user: user)
  end
end

defmodule MyApp.UserView do
  use MyApp, :view

  # The stored credit card value is copied verbatim into the JSON body
  def render("show.json", %{user: user}) do
    %{id: user.id, name: user.name, credit_card: user.credit_card}
  end
end

This code returns the user's credit card information in the body of the response to the 'show' request. An attacker who can read these responses obtains sensitive credit card data.

Steps

  1. Do not include sensitive information like credit card data in the response.
  2. Always sanitize data before sending it in a response.

Secure Code Example

defmodule MyApp.UserController do
  use MyApp, :controller
  alias MyApp.{Repo, User}

  def show(conn, %{"id" => id}) do
    user = Repo.get!(User, id)
    render(conn, "show.json", user: user)
  end
end

defmodule MyApp.UserView do
  use MyApp, :view

  # Only the fields the client needs are projected; credit_card is never serialised
  def render("show.json", %{user: user}) do
    %{id: user.id, name: user.name}
  end
end

The secure code does not include the user's credit card information in the response, thus protecting sensitive data.
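Relying on every view to remember the omission is fragile. The following added example (not part of the original page) moves the allowlist to the schema, so any JSON encoding of a %User{} drops the card field, and adds an ExUnit test that fails if the field ever reappears in the 'show' response. Module names, the route helper and the sample card value are assumptions.

```elixir
# Schema-level projection: Jason only ever sees :id and :name, whichever view
# or controller encodes the struct.
defmodule MyApp.User do
  use Ecto.Schema

  @derive {Jason.Encoder, only: [:id, :name]}
  schema "users" do
    field :name, :string
    # redact: true also keeps the value out of inspect/1 output and crash logs
    field :credit_card, :string, redact: true
    timestamps()
  end
end

# Regression test for the controller: the response body must never carry
# the credit_card key or the card value itself.
defmodule MyApp.UserControllerTest do
  use MyApp.ConnCase, async: true
  alias MyApp.{Repo, User}

  test "GET /users/:id does not expose credit card data", %{conn: conn} do
    # Constructed sample record; 4111... is a standard test card number, not real data
    user = Repo.insert!(%User{name: "Ada", credit_card: "4111111111111111"})

    body =
      conn
      |> get(Routes.user_path(conn, :show, user.id))
      |> json_response(200)

    assert body["id"] == user.id
    assert body["name"] == "Ada"
    refute Map.has_key?(body, "credit_card")
    refute String.contains?(Jason.encode!(body), "4111")
  end
end
```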


References

  • 217 - Business Information Leak - Credit Cards

  • Last updated: 2023/09/18