
Database

Need

To prevent exposure of internal technical information.

Context

• Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications

• Usage of Plug for building modular web applications

• Usage of Cowboy as the HTTP server

Description

1. Non-compliant code

defmodule MyApp.Router do
  use Plug.Router

  plug :match
  plug :dispatch

  get "/" do
    # Leaks the server's internal address to every client. Plug requires
    # lower-cased header names, so the header is written as "x-server-ip".
    conn
    |> put_resp_header("x-server-ip", "192.168.0.1")
    |> send_resp(200, "Hello")
  end
end

This code is vulnerable because it sets a response header (`X-Server-IP`) carrying the internal IP address of the server (`192.168.0.1`). Every client that receives the response learns part of the internal network layout, which is technical information an attacker can use to plan further attacks.

2. Steps

• Remove any code that sets response headers with sensitive technical information.

• Review your codebase and remove any other instances of sensitive information leaks.

• Ensure your team is aware of the risk of exposing technical information.

3. Secure code example

defmodule MyApp.Router do
  use Plug.Router

  plug :match
  plug :dispatch

  get "/" do
    # Only the response body is sent; no internal host details are added.
    send_resp(conn, 200, "Hello")
  end
end

In this secure code example, the response header setting the `X-Server-IP` has been removed. The application no longer exposes the server's internal IP address in its responses.
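The steps above rely on a manual code review. The following added example (not part of the original guide, and not code from the Plug or Cowboy projects) shows how to enforce the rule in the application itself: a small plug, `MyApp.HeaderGuard`, strips a deny-list of response headers just before each response is sent, and an ExUnit test using `Plug.Test` fails the build if any such header reappears. The module names and the header deny-list are assumptions chosen for illustration.

```elixir
# Added example (not from the original guide). MyApp.HeaderGuard, MyApp.Router
# and the header deny-list are constructed names for illustration.
defmodule MyApp.HeaderGuard do
  @moduledoc """
  Plug that removes response headers which leak internal technical details.
  It registers a before-send callback, so it runs after the router has built
  the response, whichever handler set the header.
  """
  import Plug.Conn

  @behaviour Plug

  # Plug stores header names lower-cased; this deny-list is a constructed sample.
  @denied ~w(x-server-ip x-powered-by x-backend-host)

  @impl true
  def init(opts), do: Keyword.get(opts, :deny, @denied)

  @impl true
  def call(conn, denied) do
    register_before_send(conn, fn conn ->
      Enum.reduce(denied, conn, &delete_resp_header(&2, &1))
    end)
  end
end

defmodule MyApp.Router do
  use Plug.Router

  # Placed before :match so the guard applies to every route.
  plug MyApp.HeaderGuard
  plug :match
  plug :dispatch

  get "/" do
    send_resp(conn, 200, "Hello")
  end

  match _ do
    send_resp(conn, 404, "not found")
  end
end

defmodule MyApp.RouterTest do
  use ExUnit.Case, async: true
  import Plug.Test
  import Plug.Conn

  @opts MyApp.Router.init([])

  test "responses carry no internal technical headers" do
    conn = conn(:get, "/") |> MyApp.Router.call(@opts)

    assert conn.status == 200

    # get_resp_header/2 returns [] when the header is absent.
    for name <- ~w(x-server-ip x-powered-by x-backend-host) do
      assert get_resp_header(conn, name) == []
    end
  end
end
```

Run the test with `mix test` in a project that depends on `plug` (and `plug_cowboy` for serving). The guard is a safety net for headers set deep inside handlers or third-party plugs; the primary fix remains removing the code that sets them, as the steps describe.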