
Hidden Fields Manipulation

Need

To prevent users from manipulating hidden fields in the application that could lead to undesired behaviors

Context

  • Usage of Elixir (v1.11+) for building scalable and fault-tolerant applications
  • Usage of Phoenix Framework for building web applications

Description

Non-compliant code

def update(conn, %{"user" => user_params}) do
  # Vulnerable: the record to update is chosen by the client-supplied "id",
  # which typically arrives in a hidden form field the user fully controls.
  user = Repo.get!(User, user_params["id"])

  case Accounts.update_user(user, user_params) do
    {:ok, user} -> redirect(conn, to: user_path(conn, :show, user))
    # A controller action must return a conn, so the failure branch re-renders
    # the form with the changeset errors instead of returning a bare atom.
    {:error, changeset} -> render(conn, "edit.html", user: user, changeset: changeset)
  end
end

This code is vulnerable because the action decides which record to update from a value the client sends: the `id` inside `user_params`. That value normally comes from a hidden form input, but nothing stops a user from changing it with the browser's developer tools or an intercepting proxy. `Repo.get!/2` only checks that a record with that id exists; it performs no ownership check, so an attacker who submits another user's id loads and updates that user's record. The changeset inside `Accounts.update_user/2` limits which fields can be written, but it does not limit whose record is written.

Steps

  • Do not let client-supplied identifiers (hidden fields, ids in forms or URLs) decide which record an action operates on; take the acting user's identity from the server-side session.
  • Validate all input on the server side; a value is not trustworthy because it came from a hidden field or because the form did not visibly expose it.
  • Enforce authorization on every mutating action: the current user must be allowed to modify the specific record being changed, and the changeset must cast only the fields the user is meant to edit.

Compliant code

def update(conn, %{"user" => user_params}) do
  # The record to update is the authenticated user's own, taken from the
  # server-side session; a tampered "id" in user_params is never consulted.
  user = Accounts.get_user!(conn.assigns.current_user.id)

  case Accounts.update_user(user, user_params) do
    {:ok, user} -> redirect(conn, to: user_path(conn, :show, user))
    # Return a conn on failure as well, re-rendering the form with errors.
    {:error, changeset} -> render(conn, "edit.html", user: user, changeset: changeset)
  end
end

In this secure version the user id is not read from the request at all. It comes from `conn.assigns.current_user`, which an authentication plug populates from the server-side session before the action runs, so a manipulated hidden `id` field has no effect. Two caveats apply. First, the action is only as safe as that plug: the route must actually pass through it, otherwise `conn.assigns.current_user` is absent and the action crashes or, worse, falls back to untrusted data. Second, `Accounts.update_user/2` must cast only the profile fields the user may edit (never `id`, `role` or similar), otherwise the same submission could still change privileged data through mass assignment. Where a route legitimately takes a record id from the URL, the lookup should be scoped to the current user (for example, by owner id) rather than fetching by id alone.
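The compliant controller extended to a full controller, context and schema, as an added example that is not part of the original page. It assumes the module names `MyApp`/`MyAppWeb`, a `MyAppWeb.Plugs.RequireAuth` plug that sets `conn.assigns.current_user` from the session, Phoenix 1.4+ `Routes` helpers, and an `Address` schema with a `user_id` column; all of these names are illustrative. It also goes one step beyond the page's case by showing how a record that legitimately takes its id from the URL is looked up scoped to the owner.

```elixir
# Added example, not the page's own code. MyApp, MyAppWeb, the RequireAuth plug
# and the Address schema are assumed names for illustration.
defmodule MyAppWeb.UserController do
  use MyAppWeb, :controller

  alias MyApp.Accounts

  # Assumed plug: halts the request unless conn.assigns.current_user is set
  # from the server-side session. Without it, nothing below is safe.
  plug MyAppWeb.Plugs.RequireAuth

  # The record to update is the session-backed current user. user_params["id"]
  # is never consulted, so a tampered <input type="hidden" name="user[id]">
  # is simply ignored.
  def update(conn, %{"user" => user_params}) do
    user = Accounts.get_user!(conn.assigns.current_user.id)

    case Accounts.update_user(user, user_params) do
      {:ok, user} ->
        conn
        |> put_flash(:info, "Profile updated.")
        |> redirect(to: Routes.user_path(conn, :show, user))

      {:error, %Ecto.Changeset{} = changeset} ->
        render(conn, "edit.html", user: user, changeset: changeset)
    end
  end
end

defmodule MyApp.Accounts do
  alias MyApp.Repo
  alias MyApp.Accounts.{User, Address}

  def get_user!(id), do: Repo.get!(User, id)

  def update_user(%User{} = user, attrs) do
    user
    |> User.profile_changeset(attrs)
    |> Repo.update()
  end

  # For resources whose id legitimately comes from the URL: the query is scoped
  # to the owner, so a foreign id raises Ecto.NoResultsError (rendered as 404)
  # instead of returning another user's record. Address is an assumed schema.
  def get_user_address!(%User{id: user_id}, id) do
    Repo.get_by!(Address, id: id, user_id: user_id)
  end
end

defmodule MyApp.Accounts.User do
  use Ecto.Schema
  import Ecto.Changeset

  schema "users" do
    field :name, :string
    field :email, :string
    field :role, :string, default: "member"
    timestamps()
  end

  # Second layer of defence: only the whitelisted fields are cast. "id" and
  # "role" are absent from the list, so Ecto drops them even when the client
  # submits them in the same form.
  def profile_changeset(user, attrs) do
    user
    |> cast(attrs, [:name, :email])
    |> validate_required([:name, :email])
    |> validate_format(:email, ~r/@/)
    |> unique_constraint(:email)
  end
end
```

The two layers are deliberately independent: the controller fixes whose record is written, and the changeset fixes which fields are written. Removing either one reopens a hole, so a review of a Phoenix update action should check both the lookup and the `cast/3` field list.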

References