
Authentication Mechanism Absence or Evasion - Redirect

Need

Prevent unauthorized access by implementing proper authentication

Context

  • Usage of Elixir 1.12 for building scalable and concurrent applications
  • Usage of Phoenix Framework 1.6 for web development

Description

Non compliant code

defmodule MyAppWeb.SessionController do
  use MyAppWeb, :controller

  # The "redirect" value comes straight from the request, so the client
  # controls where the browser is sent after a successful login.
  def create(conn, %{"user" => user_params, "redirect" => redirect_url}) do
    case MyApp.Auth.authenticate(user_params) do
      {:ok, user} ->
        conn
        |> put_session(:user_id, user.id)
        |> redirect(to: redirect_url)

      _ ->
        # A Phoenix action must send a response; returning the bare conn
        # would raise Plug.Conn.NotSentError.
        conn
        |> put_status(:unauthorized)
        |> text("invalid credentials")
    end
  end
end

The code above takes the post-login redirect target from a URL parameter. An attacker could change this parameter to bypass authentication, gaining unauthorized access to the application.

Steps

  • Implement a strong authentication process for every business-critical resource
  • Instead of using a URL parameter for redirection, set a static redirect page in the application code

Compliant code

defmodule MyAppWeb.SessionController do
  use MyAppWeb, :controller

  # The redirect target is fixed in code; no request parameter is consulted.
  def create(conn, %{"user" => user_params}) do
    case MyApp.Auth.authenticate(user_params) do
      {:ok, user} ->
        conn
        |> put_session(:user_id, user.id)
        |> redirect(to: "/dashboard")

      _ ->
        # Always send a response on the failure path as well.
        conn
        |> put_status(:unauthorized)
        |> text("invalid credentials")
    end
  end
end

The code now redirects to a fixed path instead of a value taken from the request, so the redirect target cannot be manipulated by attackers.
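Where the application genuinely needs a post-login "return to" destination, the fixed redirect above can be kept as the default and a request-supplied path accepted only after a strict local-path check. The following is an added example, not code from the original page: a hypothetical `MyAppWeb.SafeRedirect` module that accepts only a same-origin absolute path and falls back to `/dashboard` for anything else, plus a controller that uses it.

```elixir
# Added example, not part of the original page. Module, function and
# parameter names ("return_to") are illustrative assumptions.
defmodule MyAppWeb.SafeRedirect do
  @default "/dashboard"

  @doc """
  Returns a path that is safe to pass to `redirect(to: ...)`.
  Anything that could send the browser to another origin falls back
  to the default instead of being passed through.
  """
  @spec sanitize(term()) :: String.t()
  def sanitize(path) when is_binary(path) do
    uri = URI.parse(path)

    cond do
      # A scheme or host means the target is another origin
      # ("https://evil.example", "//evil.example").
      uri.scheme != nil or uri.host != nil -> @default
      # Must be an absolute local path, and "//" is scheme-relative.
      not String.starts_with?(path, "/") or String.starts_with?(path, "//") -> @default
      # Browsers normalise "/\evil.example" to "//evil.example".
      String.contains?(path, "\\") -> @default
      # CR/LF or other control characters must never reach a Location header.
      String.match?(path, ~r/[\x00-\x1F\x7F]/) -> @default
      true -> path
    end
  end

  # nil (parameter absent) or any non-string value: use the default.
  def sanitize(_), do: @default
end

defmodule MyAppWeb.SessionController do
  use MyAppWeb, :controller
  alias MyAppWeb.SafeRedirect

  def create(conn, %{"user" => user_params} = params) do
    case MyApp.Auth.authenticate(user_params) do
      {:ok, user} ->
        conn
        |> put_session(:user_id, user.id)
        |> redirect(to: SafeRedirect.sanitize(params["return_to"]))

      _ ->
        conn
        |> put_status(:unauthorized)
        |> text("invalid credentials")
    end
  end
end
```

With this validator, `sanitize("/account/settings")` returns the path unchanged, while `sanitize("https://evil.example")`, `sanitize("//evil.example")`, `sanitize("/\\evil.example")` and `sanitize(nil)` all return `"/dashboard"`.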

References