
Technical information leak - IPs - Elixir


Need

To prevent exposure of internal technical information.


Context

  1. Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
  2. Usage of Plug for building modular web applications
  3. Usage of Cowboy as the HTTP server

Description

Insecure Code Example

defmodule MyApp.Router do
  use Plug.Router

  plug :match
  plug :dispatch

  get "/" do
    conn
    # Discloses the server's internal address to every client
    |> put_resp_header("X-Server-IP", "192.168.0.1")
    |> send_resp(200, "Welcome to MyApp!")
  end
end

This code is vulnerable because it sets a response header (`X-Server-IP`) containing the internal IP address of the server (`192.168.0.1`). Every client receives this internal addressing information, which an attacker can use to learn about the network behind the server.

Steps

  1. Remove any code that sets response headers with sensitive technical information.
  2. Review your codebase and remove any other instances of sensitive information leaks.
  3. Ensure your team is aware of the risk of exposing technical information.

Secure Code Example

defmodule MyApp.Router do
  use Plug.Router

  plug :match
  plug :dispatch

  get "/" do
    # Only the response body is sent; no server-identifying header is set
    send_resp(conn, 200, "Welcome to MyApp!")
  end
end

In this secure code example, the response header setting the `X-Server-IP` has been removed. The application no longer exposes the server's internal IP address in its responses.
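As an added example that is not part of the original page, the following plug acts as a safety net for Steps 1 and 2: registered in the router before `plug :match`, it inspects every outgoing response header and drops any whose value contains a private, loopback or link-local IPv4 address, logging the header name so the leak can be traced back to its source. The module name `MyApp.Plugs.StripInternalIPs` is an assumption; the real fix remains removing the code that sets such headers.

```elixir
# Added example (not from the original page). Module name is assumed.
# Drops response headers that contain internal IPv4 addresses before the
# response is sent, as a last line of defence behind the code review.
defmodule MyApp.Plugs.StripInternalIPs do
  @behaviour Plug
  import Plug.Conn
  require Logger

  # Matches dotted-quad IPv4 literals anywhere in a header value.
  @ipv4 ~r/\b(?:\d{1,3}\.){3}\d{1,3}\b/

  @impl true
  def init(opts), do: opts

  @impl true
  def call(conn, _opts) do
    # Runs once the response is set but before it leaves the server.
    register_before_send(conn, &strip_internal_ip_headers/1)
  end

  @doc "Removes every response header whose value contains an internal IPv4 address."
  def strip_internal_ip_headers(%Plug.Conn{} = conn) do
    Enum.reduce(conn.resp_headers, conn, fn {name, value}, acc ->
      if leaks_internal_ip?(value) do
        Logger.warning("dropping response header #{name}: contains internal IP")
        delete_resp_header(acc, name)
      else
        acc
      end
    end)
  end

  @doc "True when the value contains an RFC 1918, loopback or link-local IPv4 address."
  def leaks_internal_ip?(value) when is_binary(value) do
    @ipv4
    |> Regex.scan(value)
    |> Enum.any?(fn [ip] -> internal?(ip) end)
  end

  # Parses strictly so "999.1.1.1" and similar non-addresses are ignored.
  defp internal?(ip) do
    case :inet.parse_ipv4strict_address(String.to_charlist(ip)) do
      {:ok, {10, _, _, _}} -> true
      {:ok, {172, b, _, _}} when b in 16..31 -> true
      {:ok, {192, 168, _, _}} -> true
      {:ok, {127, _, _, _}} -> true
      {:ok, {169, 254, _, _}} -> true
      _ -> false
    end
  end
end
```

With this plug in place, the insecure router above still compiles, but the `X-Server-IP` header never reaches the client and a warning in the logs points the team at the offending code.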


References

  • 290 - Technical information leak - IPs

  • Last updated: 2023/09/18