Weak credential policy - Password Change Limit
Need
To prevent denial of service by repeatedly changing user's password.
Context
• Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
• Usage of Phoenix Framework for building web applications
• Usage of Ecto for data persistence
Description
1. Non compliant code
defmodule MyAppWeb.AccountController do
use MyAppWeb, :controller
def change_password(conn, %{"password" => password, "user_id" => id}) do
user = Repo.get!(User, id)
changeset = User.changeset(user, %{password: password})
Repo.update!(changeset)
end...This code is vulnerable because it allows a user's password to be changed without any limit on the number of requests. If an attacker is able to authenticate as a user, they can lock the user out of their account by repeatedly changing the password.
2. Steps
• Implement a rate limit on password change requests.
• Consider using a library or built-in framework feature to enforce rate limiting.
• Monitor account activity for suspicious behavior such as repeated password change requests.
3. Secure code example
defmodule MyAppWeb.AccountController do
use MyAppWeb, :controller
def change_password(conn, %{"password" => password, "user_id" => id}) do
user = Repo.get!(User, id)
if can_change_password?(user) do
changeset = User.changeset(user, %{password: password})
update_last_password_change(user)...In this secure code example, the `can_change_password?` function checks if the user has already changed their password within the rate limit period. If they have, the password change request is rejected and a different view is rendered.