
Authentication Mechanism Absence or Evasion - Redirect - Elixir


Need

Prevent unauthorized access by implementing proper authentication


Context

  1. Usage of Elixir 1.12 for building scalable and concurrent applications
  2. Usage of Phoenix Framework 1.6 for web development

Description

Insecure Code Example

defmodule MyAppWeb.SessionController do
  use MyAppWeb, :controller

  # The post-login destination is taken straight from the "redirect"
  # request parameter, so the request, not the application, chooses it.
  def create(conn, %{"user" => user_params, "redirect" => redirect_url}) do
    case MyApp.Auth.authenticate(user_params) do
      {:ok, user} ->
        conn
        |> put_session(:user_id, user.id)
        |> redirect(to: redirect_url)

      _ ->
        # A failed login must still send a response; returning the bare
        # conn would leave the request unanswered.
        conn
        |> put_flash(:error, "Invalid email or password")
        |> redirect(to: "/login")
    end
  end
end

The controller reads the post-login destination from the "redirect" request parameter, so the application never decides where an authenticated session lands: whoever builds the login link does. An attacker can craft a link that, once the victim has authenticated, drops the session on a page of the attacker's choosing instead of the page the application's access rules intend, and the redirect step sits outside every authentication control the application applies elsewhere. One caveat for Phoenix specifically: redirect/2 with the :to option raises on any target that does not start with a single "/", so this exact snippet cannot send the browser to another host, but it still lets the request pick any path inside the application, and the same pattern written with the :external option (or a hand-built Location header) is a full open redirect.

Steps

  1. Require authentication for every business-critical resource and enforce it server side (for example a plug in the router pipeline), so that no redirect target can reach such a resource without a valid session
  2. Do not take the post-login destination from a URL parameter; redirect to a fixed page defined in the application code. If users must be returned to the page they originally requested, record that path server side (in the session) before sending them to log in, and accept it only after validating that it is a same-origin path

Secure Code Example

defmodule MyAppWeb.SessionController do
  use MyAppWeb, :controller

  # No "redirect" parameter is accepted; the destination is fixed in code.
  def create(conn, %{"user" => user_params}) do
    case MyApp.Auth.authenticate(user_params) do
      {:ok, user} ->
        conn
        |> put_session(:user_id, user.id)
        |> redirect(to: "/dashboard")

      _ ->
        # A failed login still sends a response instead of returning the
        # bare conn.
        conn
        |> put_flash(:error, "Invalid email or password")
        |> redirect(to: "/login")
    end
  end
end

The controller now always redirects to a fixed path defined in the application code, so nothing in the request influences where an authenticated session lands. A missing or tampered "redirect" parameter no longer matters because the parameter is not read at all.
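A fixed destination is the simplest fix, but many applications want to return the user to the page they were trying to reach. That can be done without trusting the request. The following is an added example, not code from the original page: an authentication plug records the requested path in the session, and the login action reads it back and uses it only if it is a same-origin path, falling back to a fixed page otherwise. It assumes the illustrative names used above (MyAppWeb, MyApp.Auth.authenticate/1) plus a "/login" route and a "/dashboard" fallback; the SafeReturnTo module and its function names are invented for this example.

```elixir
defmodule MyAppWeb.SafeReturnTo do
  @moduledoc """
  Added example (not from the original page). Keeps the post-login destination
  out of the request: the path is recorded server side by `require_user/2`
  and re-validated by `pop_return_to/1` before the login action uses it.
  MyAppWeb, "/login" and "/dashboard" are illustrative names assumed here.
  """
  import Plug.Conn
  import Phoenix.Controller, only: [current_path: 1, redirect: 2]

  @fallback "/dashboard"

  @doc """
  True only for a same-origin path: exactly one leading "/", no
  protocol-relative "//host", no scheme or host once parsed, and no
  backslash (browsers rewrite "/\\host" to "//host").
  """
  def safe_local_path?("/" <> rest = path) do
    not String.starts_with?(rest, "/") and
      not String.contains?(path, "\\") and
      match?(%URI{scheme: nil, host: nil}, URI.parse(path))
  end

  def safe_local_path?(_), do: false

  @doc """
  Function plug for protected routes. An anonymous request has its own path
  (with query string) stored in the session and is sent to the login page.
  """
  def require_user(conn, _opts) do
    if get_session(conn, :user_id) do
      conn
    else
      conn
      |> put_session(:return_to, current_path(conn))
      |> redirect(to: "/login")
      |> halt()
    end
  end

  @doc """
  Removes the stored destination from the session and returns it together
  with the updated conn; anything missing or unsafe becomes the fallback.
  """
  def pop_return_to(conn) do
    path = get_session(conn, :return_to)
    conn = delete_session(conn, :return_to)
    {if(safe_local_path?(path), do: path, else: @fallback), conn}
  end
end

defmodule MyAppWeb.SessionController do
  use MyAppWeb, :controller
  alias MyAppWeb.SafeReturnTo

  # No "redirect" parameter is accepted: the destination comes from the
  # session, written by the plug above and validated again on the way out.
  def create(conn, %{"user" => user_params}) do
    case MyApp.Auth.authenticate(user_params) do
      {:ok, user} ->
        {return_to, conn} = SafeReturnTo.pop_return_to(conn)

        conn
        # Rotate the session id when the privilege level changes.
        |> configure_session(renew: true)
        |> put_session(:user_id, user.id)
        |> redirect(to: return_to)

      _ ->
        conn
        |> put_flash(:error, "Invalid email or password")
        |> redirect(to: "/login")
    end
  end
end
```

Wire the plug into the router with import MyAppWeb.SafeReturnTo and plug :require_user in the pipeline that guards protected routes. safe_local_path?/1 accepts a path such as "/orders/42?tab=open" and rejects "//evil.example", "https://evil.example" and "/\evil.example" (browsers following the WHATWG URL parser treat a backslash after the first slash as a second slash). Phoenix's redirect/2 with :to performs a similar local-path check, so the validation here is deliberately redundant with it: the session value is data the application wrote itself, but checking it again costs nothing and keeps the controller correct if the plug is ever changed to record something else. Renewing the session id at login is unrelated to the redirect but is the right moment to do it, since it prevents a session fixed before authentication from surviving into the authenticated state.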


References

  • 298 - Authentication Mechanism Absence or Evasion - Redirect

  • Last updated

    2023/09/18