Technical Information Leak
Need
To prevent unauthorized access to sensitive system and configuration data
Context
- Usage of Elixir (1.10 and above) for building scalable and fault-tolerant applications
- Usage of Phoenix Framework for the application
Description
Non compliant code
defmodule MyAppWeb.Router do
use MyAppWeb, :router
pipeline :api do
plug :accepts, ["json"]
end
scope "/api", MyAppWeb do
pipe_through :api
resources "/users", UserController, only: [:index, :show, :create]
end
end
The vulnerable code below doesn't handle the HTTP headers and response properly. Thus, it leaks the Phoenix version information which can expose the application to potential risks. The version information can help an attacker find known vulnerabilities and launch specific attacks.
Steps
- Add a new function inside the router module that removes or alters the server response header.
- Call this function inside the pipeline that will be used by the desired routes.
Compliant code
defmodule MyAppWeb.Router do
use MyAppWeb, :router
pipeline :api do
plug :accepts, ["json"]
plug :remove_version_header
end
defp remove_version_header(conn, _opts) do
Plug.Conn.put_resp_header(conn, "server", "My App")
end
scope "/api", MyAppWeb do
pipe_through :api
resources "/users", UserController, only: [:index, :show, :create]
end
end
In the secure code, the version header is removed using the put_resp_header function. This prevents leaking the Phoenix version information to the client. This is a simple yet effective way to reduce the information an attacker could potentially use.