
Insecure Direct Object Reference (IDOR)


Prevent unauthorized access to user data


  • Usage of Elixir (1.10 and above) for building scalable and fault-tolerant applications
  • Usage of Phoenix Framework for building web applications
  • Usage of Ecto ORM for data access


Non-compliant code

def show(conn, %{"id" => id}) do
  # The id comes straight from the request and is never checked against the caller.
  user = Repo.get(User, id)
  render(conn, "show.json", user: user)
end

The insecure code example takes the "id" route parameter from the incoming request and uses it directly to fetch a user record from the database. Nothing ties that "id" to the caller, so an attacker who is logged in as one user can change the "id" in the request and read any other user's data.


  • Avoid exposing direct references to internal objects (database primary keys) without an ownership check.
  • Use session-based user authentication and associate the authenticated user with every action they perform.
  • Instead of trusting the user-provided "id", use the "id" associated with the authenticated session, or at least verify that the requested object belongs to that session's user.

Compliant code

def show(conn, %{"id" => id}) do
  # Assumed: an auth plug stored the logged-in user in conn.assigns.current_user.
  current_user = conn.assigns.current_user
  # Route params are strings, so compare the integer id as a string.
  if Integer.to_string(current_user.id) == id do
    render(conn, "show.json", user: Repo.get(User, id))
  else
    send_resp(conn, :forbidden, "Access denied")
  end
end

In the secure code example, the server first checks whether the authenticated user's "id" matches the "id" in the request. Route parameters arrive as strings while the stored id is an integer, so the comparison must convert one side or it will never match. If the ids differ, the server returns a "403 Forbidden" response. This ensures that users can only access their own data.
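The same principle applies to any resource a user owns, not only the user record itself. The following controller is an added example, not code from the page above; it assumes a hypothetical MyApp.Orders.Order schema with a user_id column, a MyAppWeb module generated by Phoenix, and an authentication plug that has already put the logged-in user into conn.assigns.current_user. Rather than fetching by id and then comparing owners, it scopes the Ecto lookup to the caller, so an id belonging to someone else is simply not found.

```elixir
defmodule MyAppWeb.OrderController do
  use MyAppWeb, :controller

  alias MyApp.Repo
  # Assumed schema: id (integer primary key), user_id (owner), plus order fields.
  alias MyApp.Orders.Order

  # Reject unauthenticated requests before any action runs.
  plug :require_authenticated_user

  def show(conn, %{"id" => id}) do
    current_user = conn.assigns.current_user

    # Ownership is part of the query itself, so there is no window in which
    # another user's row is loaded and then (maybe) checked. Ecto casts the
    # string "id" to the column type; a non-numeric value raises
    # Ecto.Query.CastError, which phoenix_ecto maps to a 400 response.
    case Repo.get_by(Order, id: id, user_id: current_user.id) do
      nil ->
        # 404 rather than 403: do not confirm that the id exists for someone else.
        send_resp(conn, :not_found, "Not found")

      %Order{} = order ->
        render(conn, "show.json", order: order)
    end
  end

  def index(conn, _params) do
    current_user = conn.assigns.current_user

    # Listing is scoped the same way; never list by a client-supplied user_id.
    orders = Repo.all(Order |> Ecto.Query.where(user_id: ^current_user.id))
    render(conn, "index.json", orders: orders)
  end

  # Assumed helper: the real app's auth plug would normally live in a shared
  # module; it is inlined here so the example is self-contained.
  defp require_authenticated_user(conn, _opts) do
    if conn.assigns[:current_user] do
      conn
    else
      conn
      |> send_resp(:unauthorized, "Authentication required")
      |> halt()
    end
  end
end
```

Scoping the query by the session's user id, rather than comparing ids after the fetch, is the pattern to prefer for resources other than the user record: it works for every action (show, update, delete) with the same one-line condition, and returning 404 for rows that exist but belong to someone else removes the id-enumeration oracle that a 403 would provide.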