Authentication Mechanism Absence or Evasion - Redirect
Need
Prevent unauthorized access by implementing proper authentication
Context
• Usage of Elixir 1.12 for building scalable and concurrent applications
• Usage of Phoenix Framework 1.6 for web development
Description
1. Non compliant code
defmodule MyAppWeb.SessionController do
  use MyAppWeb, :controller

  def create(conn, %{"user" => user_params, "redirect" => redirect_url}) do
    case MyApp.Auth.authenticate(user_params) do
      {:ok, user} ->
        conn
        |> put_session(:user_id, user.id)
        # Destination is whatever the request supplied; nothing checks it
        |> redirect(external: redirect_url)

      _ ->
        conn
        |> put_flash(:error, "Invalid credentials")
        |> redirect(to: "/login")
    end
  end
end

The create action reads the post-login destination from the redirect request parameter and redirects to it verbatim. Whoever builds the login link therefore decides where the freshly authenticated session is sent: a crafted link can steer the user around the pages and checks the application expects every login to pass through, evading the authentication flow instead of completing it. Note that Phoenix's redirect/2 validates nothing for the :external option; only the :to option rejects absolute and protocol-relative URLs, and even :to accepts any path inside the application.
2. Steps
• Implement a strong authentication process for every business-critical resource, enforced on the server for each request rather than only at the login page
• Instead of letting a URL parameter choose the post-login destination, redirect to a fixed page defined in the application code
3. Secure code example
defmodule MyAppWeb.SessionController do
  use MyAppWeb, :controller

  def create(conn, %{"user" => user_params}) do
    case MyApp.Auth.authenticate(user_params) do
      {:ok, user} ->
        conn
        |> put_session(:user_id, user.id)
        # Fixed, application-defined destination; the request cannot change it
        |> redirect(to: "/dashboard")

      _ ->
        conn
        |> put_flash(:error, "Invalid credentials")
        |> redirect(to: "/login")
    end
  end
end

The redirect parameter no longer exists in the pattern match, and the destination is a literal path chosen by the application, so no value from the request can influence where the session is sent after login. The trade-off is that the user is no longer returned to the page they originally asked for; if that behaviour is needed, the destination has to be derived server-side (for example, recorded in the session when an unauthenticated request is rejected), never taken from a request parameter.
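The secure example fixes only the login action. The following is an added example, not code from the original page, that covers the first step as well: a plug that enforces authentication on every business-critical route, and a login action that returns the user to the page they originally requested using a path recorded by the server rather than a request parameter. The module and route names (MyAppWeb.Plugs.RequireAuth, the :return_to session key, the /login, /dashboard and /admin paths, PageController and AdminController) are assumptions for illustration.

```elixir
# Added example (not from the original page). Assumed names: MyAppWeb.Plugs.RequireAuth,
# the :return_to session key, and the /login, /dashboard and /admin routes.
defmodule MyAppWeb.Plugs.RequireAuth do
  @moduledoc "Halts any request to a protected route that carries no logged-in user."
  import Plug.Conn
  import Phoenix.Controller, only: [redirect: 2]

  def init(opts), do: opts

  def call(conn, _opts) do
    case get_session(conn, :user_id) do
      nil ->
        conn
        # Remember where the user was going. Only the server-side request path is
        # stored, never a caller-supplied URL, so the value is always local to this app.
        |> maybe_store_return_to(conn.request_path)
        |> redirect(to: "/login")
        |> halt()

      _user_id ->
        conn
    end
  end

  # Accept a single-slash path only; "//host" would be a protocol-relative URL and
  # Phoenix's redirect(to: ...) would raise on it later anyway.
  defp maybe_store_return_to(conn, "/" <> rest = path) when binary_part(rest, 0, 1) != "/" do
    put_session(conn, :return_to, path)
  end

  defp maybe_store_return_to(conn, _path), do: conn
end

defmodule MyAppWeb.Router do
  use MyAppWeb, :router

  pipeline :browser do
    plug :accepts, ["html"]
    plug :fetch_session
    plug :fetch_flash
    plug :protect_from_forgery
    plug :put_secure_browser_headers
  end

  pipeline :require_auth do
    plug MyAppWeb.Plugs.RequireAuth
  end

  scope "/", MyAppWeb do
    pipe_through :browser
    get "/login", SessionController, :new
    post "/login", SessionController, :create
  end

  # Every business-critical route passes through :require_auth on each request;
  # hiding a link in the UI is not a control.
  scope "/", MyAppWeb do
    pipe_through [:browser, :require_auth]
    get "/dashboard", PageController, :dashboard
    get "/admin", AdminController, :index
  end
end

defmodule MyAppWeb.SessionController do
  use MyAppWeb, :controller

  def create(conn, %{"user" => user_params}) do
    case MyApp.Auth.authenticate(user_params) do
      {:ok, user} ->
        # Destination comes from the session written by RequireAuth, or the static default.
        return_to = get_session(conn, :return_to) || "/dashboard"

        conn
        |> delete_session(:return_to)
        |> put_session(:user_id, user.id)
        # Issue a fresh session id on privilege change so a pre-login id cannot be reused.
        |> configure_session(renew: true)
        |> redirect(to: return_to)

      _ ->
        conn
        |> put_flash(:error, "Invalid credentials")
        |> redirect(to: "/login")
    end
  end
end
```

The guard in maybe_store_return_to/2 and the use of redirect(to: ...) rather than redirect(external: ...) are both deliberate: the stored path can only ever be a location inside the application, and Phoenix's :to option raises if anything else reaches it, so the two checks back each other up. An empty request path (an edge case some servers produce) falls through the second clause and the static default is used.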