Client-Side Enforcement of LiveView Security

Posted 2023-02-24 17:37:28.138248

One of the classical security vulnerabilities in web applications is “Client-Side Enforcement of Server-Side Security” (CWE-602). In the OWASP Top 10 of 2021 it appeared in 1st place as part of “A01:2021 – Broken Access Control”.

This issue is pretty well understood by most web developers, but I have seen it resurface recently in Phoenix LiveView applications. In this post we will look at what it takes to prevent such issues in a LiveView application. But we will start by reviewing server-side access controls in non-LiveView apps.

Traditional Phoenix web app

In a traditional Phoenix web application, where the server renders HTML and each link or button click triggers a new HTTP request, access controls typically need to be considered in two places: in page rendering, and in request dispatching.

During rendering the application needs to decide what parts of the page to make available to the current user depending on their permissions. This may mean omitting certain information, such as restricted parts of the application’s data model, or hiding certain menu items, links or buttons that represent actions not available to the current user.

When dispatching an incoming request, in the application’s router, within a controller or in a context module, the application should verify the current user’s permissions, and deny unauthorized requests with an HTTP 401/403 error response. Hiding the menu items, links or buttons pointing to these routes during rendering is done for the user’s benefit, but the actual enforcement must be done on the server when requests are handled.
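The two enforcement points described above, as an added Elixir example that is not code from the original post: a context module holding the permission rules, a router plug that denies the request with 401/403 before any controller runs, a context function that re-checks the actor's permission, and a function component that merely hides the button. All module names, the `:role` field on the user struct and the permission atoms are assumptions.

```elixir
# Added example, not code from the original post. Module names, the
# :role field on the user struct and the permission atoms are assumptions.

defmodule MyApp.Accounts do
  @moduledoc "Context module: the single place where permission rules live."

  # Permission rules; the rendering layer and the request layer both call this.
  def can?(%{role: :admin}, _permission), do: true
  def can?(%{role: :editor}, :edit_posts), do: true
  def can?(_user, _permission), do: false

  # Context functions take the acting user and re-check authorization, so a
  # caller that bypassed the router plug is still refused.
  def delete_user(actor, user_id) do
    if can?(actor, :manage_users) do
      {:ok, do_delete_user(user_id)}
    else
      {:error, :forbidden}
    end
  end

  # Stand-in for the real persistence call (assumption).
  defp do_delete_user(user_id), do: %{id: user_id, deleted: true}
end

defmodule MyAppWeb.Plugs.RequirePermission do
  @moduledoc "Router-level enforcement: deny the request before any controller runs."
  import Plug.Conn

  def init(permission) when is_atom(permission), do: permission

  def call(conn, permission) do
    # Assumes an earlier authentication plug put the user in conn.assigns.
    case conn.assigns[:current_user] do
      nil ->
        conn |> send_resp(401, "Unauthorized") |> halt()

      user ->
        if MyApp.Accounts.can?(user, permission) do
          conn
        else
          conn |> send_resp(403, "Forbidden") |> halt()
        end
    end
  end
end

defmodule MyAppWeb.Router do
  use Phoenix.Router
  import Plug.Conn
  import Phoenix.Controller

  pipeline :browser do
    plug :accepts, ["html"]
    plug :fetch_session
    plug :protect_from_forgery
  end

  pipeline :require_user_management do
    plug MyAppWeb.Plugs.RequirePermission, :manage_users
  end

  scope "/admin", MyAppWeb do
    pipe_through [:browser, :require_user_management]
    delete "/users/:id", UserController, :delete
  end
end

defmodule MyAppWeb.UserController do
  use Phoenix.Controller

  def delete(conn, %{"id" => id}) do
    # The plug already enforced the permission; the context re-checks it anyway.
    case MyApp.Accounts.delete_user(conn.assigns.current_user, id) do
      {:ok, _deleted} -> send_resp(conn, 204, "")
      {:error, :forbidden} -> send_resp(conn, 403, "Forbidden")
    end
  end
end

defmodule MyAppWeb.UserComponents do
  use Phoenix.Component

  # Hiding the button is for the user's benefit only; it is not enforcement.
  attr :current_user, :map, required: true
  attr :user_id, :integer, required: true

  def delete_button(assigns) do
    ~H"""
    <%= if MyApp.Accounts.can?(@current_user, :manage_users) do %>
      <.link href={"/admin/users/#{@user_id}"} method="delete">Delete</.link>
    <% end %>
    """
  end
end
```

The point of routing every decision through `MyApp.Accounts.can?/2` is that a user who hand-crafts a `DELETE /admin/users/42` request without ever seeing the button hits the same rule in the plug and again in the context, and gets a 403 rather than a deleted record.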

Continue reading...

DST Root CA X3 expiration update

Posted 2021-08-29 11:47:43.370644

A few things have happened since my previous post:

This post corrects a few statements I made in the original post, in particular regarding the impact on Hackney: if you are a Hackney (or HTTPoison, or Tesla-with-Hackney) user you’ll find some good news further below.

I won’t cover the background again in this post, so please refer to the original post to learn more about how the DST Root CA X3 expiration on September 30th may impact BEAM TLS clients that connect to servers with Let’s Encrypt certificates.

Patch packages

The Erlang/OTP team have improved the handling of alternate certificate chains and released the following patch packages:

If you are on OTP 23.3 or 24.0 I would strongly recommend you upgrade to a patched version before the end of September. Older versions are not impacted in the same way, so no patch is available. However, those versions may still experience issues after September: keep reading for details.

Note that the new logic makes the partial_chain hook used by many TLS clients superfluous in most cases: shorter chains are now recognized and selected by the built-in certificate chain verification logic.

Continue reading...

Erlang/OTP impact of DST Root CA X3 expiration

Posted 2021-05-18 15:10:47.161830

Update: please check out this post for updates, especially regarding the impact on Hackney!

On September 30, 2021, the root CA certificate DST Root CA X3 will expire. This should not have a noticeable impact on the Internet at large, as any recently issued server certificate will have been issued with a different trust chain that’s rooted in a newer root CA.

Let’s Encrypt has relied on the DST Root CA X3 to bootstrap its services, while in parallel working to get its own root CA (ISRG Root X1) included in all OS and browser trust stores. Now that the old root is reaching its end-of-life, it is time for Let’s Encrypt to stand on its own. However, there are still devices and applications out there that do not include Let’s Encrypt’s new root CA, in particular older Android devices. So Let’s Encrypt have arranged for a fall-back solution that will work with those older devices, and it involves an ‘alternate chain’ with a ‘cross-signed’ intermediate CA.

Unfortunately Erlang/OTP applications are likely to experience TLS handshake errors when trying to connect to servers that present the longer chain. Let’s have a closer look at what is likely to happen over the next few months, and why.

Continue reading...
