Technical information leak - IPs
Need
To prevent exposure of internal technical information.
Context
- Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
- Usage of Plug for building modular web applications
- Usage of Cowboy as the HTTP server
Description
Non compliant code
defmodule MyApp.Router do
use Plug.Router
plug :match
plug :dispatch
get "/" do
conn
|> put_resp_header("X-Server-IP", "192.168.0.1")
|> send_resp(200, "Welcome to MyApp!")
end
end
This code is vulnerable because it sets a response header (X-Server-IP
) with the internal IP address of the server (192.168.0.1
). This exposes internal technical information that could be exploited by an attacker.
Steps
- Remove any code that sets response headers with sensitive technical information.
- Review your codebase and remove any other instances of sensitive information leaks.
- Ensure your team is aware of the risk of exposing technical information.
Compliant code
defmodule MyApp.Router do
use Plug.Router
plug :match
plug :dispatch
get "/" do
send_resp(conn, 200, "Welcome to MyApp!")
end
end
In this secure code example, the response header setting the X-Server-IP
has been removed. The application no longer exposes the server's internal IP address in its responses.