Client-Side Enforcement of LiveView Security

Posted 2023-02-24 17:37:28.138248

One of the classical security vulnerabilities in web applications is “Client-Side Enforcement of Server-Side Security” (CWE-602). In the OWASP Top 10 of 2021 it appeared in 1st place as part of “A01:2021 – Broken Access Control”.

This issue is pretty well understood by most web developers, but I have seen it resurface recently in Phoenix LiveView applications. In this post we will look at what it takes to prevent such issues in a LiveView application. But we will start by reviewing server-side access controls in non-LiveView apps.

Traditional Phoenix web app

In a traditional Phoenix web application, where the server renders HTML and each link or button click triggers a new HTTP request, access controls typically need to be considered in two places: in page rendering, and in request dispatching.

During rendering the application needs to decide what parts of the page to make available to the current user depending on their permissions. This may mean omitting certain information, such as restricted parts of the application’s data model, or hiding certain menu items, links or buttons that represent actions not available to the current user.

When dispatching an incoming request, in the application’s router, within a controller or in a context module, the application should verify the current user’s permissions, and deny unauthorized requests with an HTTP 401/403 error response. Hiding the menu items, links or buttons pointing to these routes during rendering is done for the user’s benefit, but the actual enforcement must be done on the server when requests are handled.

DST Root CA X3 expiration update

Posted 2021-08-29 11:47:43.370644

A few things have happened since my previous post:

• Patches were released for Erlang/OTP 23.3 and 24
• Production certificates issued by Let’s Encrypt now have a validity that allows for realistic testing
• I have had some more time to verify the impact on different clients

This post corrects a few statements I made in the original post, in particular regarding the impact on Hackney: if you are a Hackney (or HTTPoison, or Tesla-with-Hackney) user you’ll find some good news further below.

I won’t cover the background again in this post, so please refer to the original post to learn more about how the DST Root CA X3 expiration on September 30th may impact BEAM TLS clients that connect to servers with Let’s Encrypt certificates.

Patch packages

The Erlang/OTP team have improved the handling of alternate certificate chains and released the following patch packages:

• OTP 23.3.4.5, with ssl-10.3.1.2 and public_key-1.10.0.1
• OTP 24.0.4, with ssl-10.4.2 and public_key-1.11.1

If you are on OTP 23.3 or 24.0 I would strongly recommend you upgrade to a patched version before the end of September. Older versions are not impacted in the same way, so no patch is available. However, those versions may still experience issues after September: keep reading for details.

Note that the new logic makes the partial_chain hook used by many TLS clients superfluous in most cases: shorter chains are now recognized and selected by the built-in certificate chain verification logic.

Erlang/OTP impact of DST Root CA X3 expiration

Posted 2021-05-18 15:10:47.161830

Update: please check out this post for updates, especially regarding the impact on Hackney!

On September 30 2021, the root CA certificate DST Root CA X3 will expire. This should not have a noticeable impact on the Internet at large, as any recently issued server certificate will have been issued with a different trust chain that’s rooted in a newer root CA.

Let’s Encrypt has relied on the DST Root CA X3 to bootstrap its services, while in parallel working to get its own root CA (ISRG Root X1) included in all OS and browser trust stores. Now that the old root is reaching its end-of-life, it is time for Let’s Encrypt to stand on its own. However, there are still devices and applications out there that do not include Let’s Encrypt’s new root CA, in particular older Android devices. So Let’s Encrypt have arranged for a fall-back solution that will work with those older devices, and it involves an ‘alternate chain’ with a ‘cross-signed’ intermediate CA.

Unfortunately Erlang/OTP applications are likely to experience TLS handshake errors when trying to connect to servers that present the longer chain. Let’s have a closer look at what is likely to happen over the next few months, and why.

Older posts

• Erlang/OTP ssl-10.2 vulnerability explained (Posted 2021-02-14 11:55:43.909512)
• Certificate verification vulnerability in Erlang/OTP 23.2 (Posted 2021-01-15 12:06:59.472819)
• Off BEAM: Secure Coding for the BEAM (Posted 2020-05-04 07:26:41.557621)
• Why Mix no longer installs from HTTP(S) URLs (Posted 2020-01-01 20:02:12.309037)
• Creating an SBoM for Mix projects (Posted 2019-10-24 19:44:48.169213)
• Learn you some `:ssl` for much security (Posted 2019-04-09 12:43:35.136065)
• Hex package registry vulnerability (Posted 2019-01-29 14:13:52.780049)
• OCSP stapling for Erlang/OTP (Posted 2018-07-11 18:42:50.698413)
• PSA: retiring TLS test domains (Posted 2018-07-11 07:30:04.473948)
• Dual cert RSA/ECDSA server with Erlang/OTP 21 (Posted 2018-07-03 18:55:58.000000)
• Erlang/OTP 21 (Posted 2018-06-23 08:36:19.000000)
• Erlang/OTP 20.3 (Posted 2018-03-14 19:00:53.000000)
• CipherSuites package updated (Posted 2018-03-12 20:16:18.000000)
• Practical security for Elixir/Phoenix (Posted 2018-01-05 08:35:18.000000)
• Security training at ElixirConf EU 2018 (Posted 2017-11-02 20:48:35.000000)
• Unauthorized Erlang? (Posted 2017-04-15 08:26:16.000000)
• Hostname verification with Erlang/OTP 19.3 (Posted 2017-03-17 06:35:40.000000)
• Plug vulnerabilities: impact assessment (Posted 2017-03-01 13:16:28.000000)
• Catching up (Posted 2017-02-27 09:28:27.000000)
• The great HTTPS client shoot-out (Posted 2016-11-05 08:03:50.000000)
• "aRSA+ECDH+AES:@STRENGTH" FTW (Posted 2016-07-05 17:30:20.000000)
• Thou shalt not trust thy neighbour's password (Posted 2016-06-24 19:20:05.000000)
• Who wants cookies? (Posted 2016-06-13 19:35:52.000000)
• Erlang/OTP 19.0 (Posted 2016-06-06 19:02:02.000000)
• ElixirConf.EU talk: video (Posted 2016-06-01 18:52:50.000000)