
Business Information Leak - Token - Elixir


Need

Prevent user information from being exposed in session tokens


Context

  1. Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
  2. Usage of Plug (1.12.1 and above) for building composable web applications in Elixir
  3. Usage of Guardian for authentication and authorization

Description

Insecure Code Example

defmodule MyApp.GuardianSerializer do
  @behaviour Guardian.Serializer

  # The returned string becomes the JWT `sub` claim, readable by anyone holding the token.
  def for_token(user = %User{}), do: {:ok, "User:#{user.id}:#{user.email}:#{user.name}"}

  # Only the last segment of a binary pattern may be unsized, so the fields are split at runtime.
  def from_token("User:" <> rest) do
    [id, email, name] = String.split(rest, ":", parts: 3)
    {:ok, %User{id: id, email: email, name: name}}
  end
end

This code packs the user's email and name into the subject that Guardian stores in the token's `sub` claim. A JWT payload is base64url-encoded, not encrypted, so anyone who obtains the token (from browser storage, a proxy log, a crash report or a network capture) can read the email and name without knowing the signing key.

Steps

  1. Put only an opaque identifier, such as the primary key, in the token subject; never email, name or other personal or business data.
  2. Resolve the identifier back to the full record server-side when the resource is loaded from the token, instead of shipping the attributes to the client.

Secure Code Example

defmodule MyApp.GuardianSerializer do
  @behaviour Guardian.Serializer

  alias MyApp.{Repo, User}

  # Only the opaque identifier goes into the token; attributes stay in the database.
  def for_token(user = %User{}), do: {:ok, "User:#{user.id}"}
  def for_token(_), do: {:error, "Unknown resource type"}

  # Resolve the identifier back to a full record server-side on each request.
  def from_token("User:" <> id), do: {:ok, Repo.get(User, id)}
  def from_token(_), do: {:error, "Unknown resource type"}
end

The secure code places only the user's identifier in the token subject and loads the record from the database when the token is resolved, so decoding the token reveals nothing beyond an opaque id.
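The following is an added example, not code from this page or from Guardian. It is written in Python rather than Elixir because it only needs the standard library and because inspecting a token is done from the client or attacker side, independent of the application's language. It mints an HS256 JWT whose `sub` claim is the subject string returned by each serializer above (a constructed user and a dummy key, both hypothetical), and shows that the claim can be read back without the key: verifying the signature needs the secret, reading the payload does not.

```python
import base64
import hashlib
import hmac
import json

# Constructed inputs for the demonstration: not a real user and not a real key.
SECRET = b"example-signing-key-do-not-use"
INSECURE_SUBJECT = "User:42:alice@example.com:Alice Example"  # what the insecure for_token/1 returns
SECURE_SUBJECT = "User:42"                                     # what the secure for_token/1 returns


def _b64url(data: bytes) -> str:
    """Base64url without padding, the encoding JWT uses for each segment."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """Inverse of _b64url: restore the padding, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256_jwt(subject: str, secret: bytes) -> str:
    """Mint a minimal HS256 JWT whose `sub` claim is the serializer's subject string.

    Stand-in for what the library does with the value from for_token/1; it is
    not Guardian's own code and omits claims such as exp, iat and jti.
    """
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({"sub": subject, "typ": "access"}, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = _b64url(hmac.new(secret, signing_input, hashlib.sha256).digest())
    return f"{header}.{payload}.{signature}"


def verify_hs256_jwt(token: str, secret: bytes) -> bool:
    """Signature check: this is the only step that needs the key."""
    header, payload, signature = token.split(".")
    expected = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(_b64url_decode(signature), expected)


def read_claims_without_key(token: str) -> dict:
    """What anyone holding the token can do: the payload is encoded, not encrypted."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def leaked_attributes(token: str) -> list:
    """Fields packed into `sub` beyond the resource type and id; empty for an opaque subject."""
    fields = read_claims_without_key(token)["sub"].split(":")
    return fields[2:]


if __name__ == "__main__":
    for label, subject in (("insecure", INSECURE_SUBJECT), ("secure", SECURE_SUBJECT)):
        token = sign_hs256_jwt(subject, SECRET)
        print(label, "claims readable without the key:", read_claims_without_key(token))
        print(label, "leaked attributes:", leaked_attributes(token))
```

`leaked_attributes` is the kind of assertion worth keeping in the application's test suite: mint a token for a fixture user and fail the build if anything beyond the resource type and id appears in the subject.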


References

  • 220 - Business Information Leak - Token

  • Last updated

    2023/09/18