Uncontrolled External Site Redirect - Host Header Injection
Need
Prevent malicious redirection and potential SSRF attacks
Context
- Usage of Elixir for functional and concurrent programming
- Usage of Plug.Conn for handling HTTP connections in Elixir
- Usage of Plug.Conn for request handling
Description
Non compliant code
defmodule VulnerableController do
use MyApp.Web, :controller
def redirect(conn, _params) do
redirect_to = conn.host
conn
|> put_resp_header("location", redirect_to)
|> send_resp(302, "")
end
end
The following Elixir code is vulnerable because it uses the host
from the conn
object directly to construct a redirection URL. An attacker could provide a malicious host in the HTTP request's Host header to cause redirection to an external site or possibly exploit SSRF vulnerabilities.
Steps
- Add a function to validate the host before using it for redirection.
- Do not use the host from the incoming HTTP request directly for generating redirection responses. Instead, use a predefined and validated list of acceptable hosts or a fixed host configured in the application settings.
- Use pattern matching or similar to ensure the host matches the expected format.
Compliant code
defmodule SecureController do
use MyApp.Web, :controller
def redirect(conn, _params) do
redirect_to = "https://secure.example.com"
conn
|> put_resp_header("location", redirect_to)
|> send_resp(302, "")
end
end
The following Elixir code is secure because it does not use the host
from the conn
object directly. Instead, it uses a predefined host for the redirection, preventing potential misuse of the Host header.