defsprite

defsprite

Phoenix/Elixir project similar to OWASP Webgoat

Is there a well known Phoenix/Elixir project similar to the OWASP Webgoat or railsgoat projects?

The “goat” projects usually showcase common security problems from the OWASP Top Ten in order to learn about them and to help building security tooling for them.

Most Liked

voltone

voltone

I once tried to build just such a project for an Elixir/Phoenix security training, but for reasons mentioned by @hauleth it turned out to be quite difficult to translate the existing projects to Elixir: in many cases I had to explicitly bypass the default protections of Plug/Phoenix/Ecto to introduce a vulnerability, so the whole thing turned out to be quite contrived.

That’s not to say Phoenix/Elixir projects don’t have security vulnerabilities, and I guess it would be interesting to see what a Phoenix/Elixir TOP 10 would like like. My guess is there would not be much overlap with OWASP TOP 10.

xmerl is vulnerable to XXE attacks by default, and in some modes also to DoS by atom exhaustion; see here for mitigations.

See here and here for mitigations.

Phoenix’ default protections against XSS work well in specific contexts, but if you inject variables outside of the primary page HTML context you may find that the default protections are not sufficient. Keep in mind that the escaping rules vary depending on the exact context where the data is injected, and Phoenix only covers the most common ones. For other languages there are sophisticated XSS prevention frameworks that actually detect the injection context and adapt the escaping rules accordingly.

Just beware that there are subtle ways in which (de)serialization (with :erlang.binary_to_term & co) can lead to severe vulnerabilities in Erlang/Elixir apps; see here.

If I had some time I’d love to try and create a deliberately vulnerable application, perhaps not following OWASP TOP 10 but rather showcasing some of the issues mentioned above. It would make for a great training resource.

hauleth

hauleth

Many of these are at least hard in Elixir:

  1. If you use Ecto.Query then SQL injections are hard.
  2. This is going to be resolved by the auth generation library that was announced. However if you use proper auth with cookies and Comeonin, then you should be probably good already.
  3. This is hard to be checked for automatically.
  4. I believe that xmerl is safe against such attacks, but I haven’t checked. Other than that - Phoenix do not support XML by default.
  5. Similar to 3.
  6. The most important offender there is httpc, but as this is very primitive client, then it is not that commonly used. Another source of problems can be ssl module, by default it uses TLSv1.1 and TLSv1.2, but you should probably change it to 1.2 and 1.3 if you can. Others are highly dependant on the application, but Phoenix could generate endpoints with more secure headers though.
  7. Phoenix templates secure against XSS by default. So unless you explicitly make yourself vulnerable, then it should be safe enough.
  8. Unless you use :erlang.binary_to_term/{1,2} on unsafe inputs then there are no built-in unsafe serialisation formats. And default JSON decoder (Jason) is safe enough unless you explicitly ask for making map keys atoms.
  9. There is work for that by @voltone and EEF Security WG with generators for Cyclone DX SBoM and Sobelow
  10. It is in the works by EEF Observability WG with adding more tools for proper observability (telemetry, OpenTelemetry, etc.) and logging (integration of Erlang’s logging facilities in Erlang’s logger, Elixir’s Logger is mostly completed, lager is still in the works).

Additionally a lot of Erlang/Elixir specific issues can be detected by already mentioned Sobelow project.

realcorvus

realcorvus

Recently launched: Potion Shop is an intentionally vulnerable Elixir/Phoenix application, for teaching developers about web application security. This project is vulnerable to common vulnerabilities such as XSS, CSRF, and RCE.

https://github.com/securityelixir/potion_shop

Where Next?

Popular in Questions Top

Harrisonl
We have an ECS cluster with 4 services, where each task joins a single cluster, via discovery ECS discovery service. Currently when I de...
New
Kurisu
For example for a current url like http://localhost:4000/cosmetic/products?_utf8=✓&query=perfume&page=2, I would like to get: ...
New
myronmarston
The Elixir Typespec docs show the following syntax for keyword lists in typespecs: # ... | [key: type] # keyword lists...
New
shahryarjb
Hello, I have map which I want to convert it to string like this: the map: %{last_name: "tavakkoli", name: "shahryar"} the string I ne...
New
jononomo
I am trying to figure out how Mix knows whether the environment is test, dev, or prod – where is this set? Thanks.
New
JorisKok
I have a server on AWS, and was running a load test using artillery. When looking at the Phoenix dashboard I see the Ports going to 100% ...
New
baxterw3b
Hi guys, i’m new in the Elixir world, and i have to say, that i love it! i’m having some problem to understand anonymous functions with ...
New
jason.o
In the code below, if the create action is not set to accept “extra_key” as an input, it errors out with a message shown above. Is there ...
New
dblack
I’ve got an issue with an app and I’ve no idea of how to troubleshoot it. I’m hoping someone here might have seen something similar. I p...
New
PeterCarter
There are pre-rolled solutions for other frameworks that do work. However, Phoenix does not seem to have these. Have people had good expe...
New

Other popular topics Top

TunkShif
This post is an instruction guide to help you setup your Neovim for Elixir development from scratch. It includes general information on h...
274 41539 114
New
electic
Hi, I am new to Elixir. I am trying to use the DateTime component to insert a date into MySQL however the there seems to be no way to fo...
New
jononomo
I am trying to figure out how Mix knows whether the environment is test, dev, or prod – where is this set? Thanks.
New
josevalim
Hi everyone, One of the features added to Elixir early on to help integration with Erlang code was the idea of overridable function defi...
New
Lily
In templates/appointment/index.html.eex: <%= for appointment <- @appointments do %> <tr> <td><%= appoi...
New
dokuzbir
I want to highlight html closing tags when i click a html tag. That works in .html files but doesnt work for html.eex templates. How can...
New
RisingFromAshes
I’ve read in another post that it may be possible with a router helper - but I couldn’t find an appropriate one, and tbh, I’m still just ...
New
Qqwy
Original source of discussion: This topic on the Pragmatic Programmers’ Functional Web Development with Elixir, OTP, and Phoenix forum. ...
New
WestKeys
Currently suffering from paralysis by [HTTP client] analysis. This is rather unusual in Elixirland as there tends to be consensus on the ...
New
Qqwy
Update: How to use the Blogs & Podcasts section You can post links to your blog posts or podcasts either in one of the Official Blog...
3271 126479 1222
New

We're in Beta

About us Mission Statement