Is there a well known Phoenix/Elixir project similar to the OWASP Webgoat or railsgoat projects?
The “goat” projects usually showcase common security problems from the OWASP Top Ten in order to learn about them and to help building security tooling for them.
Many of these are at least hard in Elixir:
Ecto.Query then SQL injections are hard.xmerl is safe against such attacks, but I haven’t checked. Other than that - Phoenix do not support XML by default.httpc, but as this is very primitive client, then it is not that commonly used. Another source of problems can be ssl module, by default it uses TLSv1.1 and TLSv1.2, but you should probably change it to 1.2 and 1.3 if you can. Others are highly dependant on the application, but Phoenix could generate endpoints with more secure headers though.:erlang.binary_to_term/{1,2} on unsafe inputs then there are no built-in unsafe serialisation formats. And default JSON decoder (Jason) is safe enough unless you explicitly ask for making map keys atoms.telemetry, OpenTelemetry, etc.) and logging (integration of Erlang’s logging facilities in Erlang’s logger, Elixir’s Logger is mostly completed, lager is still in the works).Additionally a lot of Erlang/Elixir specific issues can be detected by already mentioned Sobelow project.
I once tried to build just such a project for an Elixir/Phoenix security training, but for reasons mentioned by @hauleth it turned out to be quite difficult to translate the existing projects to Elixir: in many cases I had to explicitly bypass the default protections of Plug/Phoenix/Ecto to introduce a vulnerability, so the whole thing turned out to be quite contrived.
That’s not to say Phoenix/Elixir projects don’t have security vulnerabilities, and I guess it would be interesting to see what a Phoenix/Elixir TOP 10 would like like. My guess is there would not be much overlap with OWASP TOP 10.
xmerl is vulnerable to XXE attacks by default, and in some modes also to DoS by atom exhaustion; see here for mitigations.
See here and here for mitigations.
Phoenix’ default protections against XSS work well in specific contexts, but if you inject variables outside of the primary page HTML context you may find that the default protections are not sufficient. Keep in mind that the escaping rules vary depending on the exact context where the data is injected, and Phoenix only covers the most common ones. For other languages there are sophisticated XSS prevention frameworks that actually detect the injection context and adapt the escaping rules accordingly.
Just beware that there are subtle ways in which (de)serialization (with :erlang.binary_to_term & co) can lead to severe vulnerabilities in Erlang/Elixir apps; see here.
If I had some time I’d love to try and create a deliberately vulnerable application, perhaps not following OWASP TOP 10 but rather showcasing some of the issues mentioned above. It would make for a great training resource.
One more thing…
Elixir’s System.cmd/2,3 provides protections against OS command injection, but I sometimes see people use Erlang’s :os.cmd/1,2, which does not; see here…
Recently launched: Potion Shop is an intentionally vulnerable Elixir/Phoenix application, for teaching developers about web application security. This project is vulnerable to common vulnerabilities such as XSS, CSRF, and RCE.
© Copyright Elixir Forum | Terms | Privacy & Cookies
