
Security Controls Bypass or Absence - Session Invalidation

Need

To ensure proper session management and invalidate sessions appropriately

Context

• Usage of Elixir 1.12 for building scalable and concurrent applications

• Usage of Plug.Session for HTTP session management

Description

1. Non compliant code

defmodule MyApp.Accounts do
  def get_user_email(conn) do
    session = Plug.Conn.get_session(conn, :user)
    # Debug shortcut left in production: any session whose :user value is the
    # bare string "auto" is treated as the test account instead of a real login.
    if session == "auto", do: "test@test.com", else: session.email
  end
end

In the insecure code example, the `get_user_email` function reads the user's email from the session. However, debugging code has been left in place: any client whose session `:user` value is the string 'auto' is handed the testing account's email without ever authenticating. This is insecure because it lets a crafted or unexpired session stand in for a real login, granting unauthorized access.

2. Steps

• Remove the debugging code from the production environment

• Ensure all test code is isolated from production code

3. Secure code example

defmodule MyApp.Accounts do
  def get_user_email(conn) do
    # Only a user stored in the session yields an email; there is no special
    # value that bypasses authentication, and a missing user returns nil
    # instead of raising on `nil.email`.
    case Plug.Conn.get_session(conn, :user) do
      %{email: email} -> email
      _ -> nil
    end
  end
end

In the secure code example, the `get_user_email` function only reads the user's email from the session; there is no special-case value left over from debugging, so a crafted session cannot be used for unauthorized access, and test accounts must be set up through the test environment rather than through production code.
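The following is an added example, not code from the original page: it shows how the two steps above look in practice in a Plug-based project. The production module keeps a single code path (the secure version restated so this file runs on its own) and gains a `log_out/1` that invalidates the session; the test-only session seeding lives in a separate support module that is only compiled under `Mix.env() == :test`. The file paths, the `MyApp.SessionTestHelpers` module and the `log_out/1` function are assumptions; `Plug.Conn.get_session/2`, `Plug.Conn.configure_session/2`, `Plug.Test.conn/3` and `Plug.Test.init_test_session/2` are real Plug APIs.

```elixir
# lib/my_app/accounts.ex  (hypothetical path; ships to production)
defmodule MyApp.Accounts do
  @moduledoc "Session-backed account lookups with no test-only shortcuts."

  # Reads the email of the user stored in the session. A bare string such as
  # "auto", or no user at all, is simply "not logged in" (nil).
  def get_user_email(conn) do
    case Plug.Conn.get_session(conn, :user) do
      %{email: email} when is_binary(email) -> email
      _ -> nil
    end
  end

  # Invalidates the whole session rather than just clearing :user, so the old
  # session cookie cannot be replayed after logout. Plug applies the drop when
  # the response is sent.
  def log_out(conn) do
    Plug.Conn.configure_session(conn, drop: true)
  end
end

# test/support/session_test_helpers.ex  (hypothetical path; add "test/support"
# to elixirc_paths(:test) in mix.exs so this module never exists in prod)
defmodule MyApp.SessionTestHelpers do
  import Plug.Test, only: [init_test_session: 2]

  # Seeds a session for a test instead of a magic value in production code.
  def log_in_user(conn, user) do
    init_test_session(conn, %{user: user})
  end
end

# test/my_app/accounts_test.exs  (hypothetical path)
defmodule MyApp.AccountsTest do
  use ExUnit.Case, async: true
  import Plug.Test
  import MyApp.SessionTestHelpers

  # Constructed test account; it exists only in this test file.
  @test_user %{email: "test@test.com"}

  test "a seeded session yields the user's email" do
    conn = conn(:get, "/") |> log_in_user(@test_user)
    assert MyApp.Accounts.get_user_email(conn) == "test@test.com"
  end

  test "the old 'auto' debug value no longer grants access" do
    conn = conn(:get, "/") |> init_test_session(%{user: "auto"})
    assert MyApp.Accounts.get_user_email(conn) == nil
  end

  test "an empty session is not logged in" do
    conn = conn(:get, "/") |> init_test_session(%{})
    assert MyApp.Accounts.get_user_email(conn) == nil
  end
end
```

Run the tests with `mix test`; because the helper module is compiled only in the `:test` environment, a production build has no code path that maps a special session value to a real account, and `log_out/1` gives the application an explicit way to invalidate a session instead of leaving stale user data in it.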