Administrative Credentials Stored in Cache Memory
Need
Prevent unauthorized access to administrative credentials
Context
- Usage of Elixir (v1.11+) for building scalable and fault-tolerant applications
- Usage of ETS for caching
Description
Non compliant code
defmodule MyApp.Cache do
def store_credentials(username, password) do
:ets.new(:creds, [:public, :named_table])
:ets.insert(:creds, {username, password})
end
end
In the below code, admin credentials are stored directly into the Elixir's ETS (Erlang Term Storage) which acts as in-memory store. If an attacker manages to dump the ETS table, they can gain access to sensitive data.
Steps
- Install the Comeonin library for password hashing: mix deps.get comeonin.
- Hash sensitive data before storing them in cache or memory.
- Avoid storing sensitive information in plain text.
- Ensure secure configuration of cache or memory storage.
Compliant code
defmodule MyApp.Cache do
def store_credentials(username, password) do
hashed_password = Bcrypt.hashpwsalt(password)
:ets.new(:creds, [:public, :named_table])
:ets.insert(:creds, {username, hashed_password})
end
end
In the below secure code, the admin credentials are hashed before being stored into the ETS. This means even if an attacker dumps the ETS table, they cannot gain access to the actual admin credentials.