The Paraxial.io Blog

Paraxial.io is an alternative to reCaptcha and Cloudflare for defending Elixir apps. Subscribe for new posts about Elixir and Phoenix security.

Announcing Elixir and Phoenix Security Consulting Services

by Michael Lubas

As Elixir and Phoenix adoption continues to increase in industry, the need for security expertise has grown as well. Finding engineers with a deep understanding of the Elixir ecosystem, and software security, is a difficult task.

Continue Reading ->

Securing Elixir/Phoenix Applications: 5 Tips to Get Started

by Michael Lubas

There are a number of resources online related to Elixir and Phoenix security, however when it comes to securing your own project, determining where to begin is a difficult task. Here are five recommendations to get started improving the security of your application.

Continue Reading ->

Cross Site Scripting (XSS) Patterns in Phoenix

by Michael Lubas

Cross Site Scripting (XSS) refers to a class of vulnerability in web applications, where an attacker is able to inject a script into the browsing context of a victim. The root cause of this vulnerability is untrusted user input being rendered in a web browser, where JavaScript written by an attacker is executed. If a website has user authentication, and an attacker is able to exploit XSS in the site, the end result is user accounts will be compromised.

Continue Reading ->

Detecting SQL Injection in Phoenix with Sobelow

by Michael Lubas

SQL injection is a type of attack against a web application, where some malicious input is parsed by the underlying database, resulting in an unauthorized operation being performed. This can be the disclosure of sensitive data, modification of the database, or deletion of entire tables.

Continue Reading ->

Elixir code style, a brief example

by Michael Lubas

Write a function in Elixir named build_string that takes 4 arguments:

Continue Reading ->

ElixirConf 2022 Teller Challenge Writeup

by Michael Lubas

At this year’s ElixirConf Teller hosted a challenge in Elixir, write an Elixir client for a banking application to get the secret account number and balance. This is a writeup for the remote attendee instance, if you played this in-person at ElixirConf the setup was different.

Continue Reading ->

Setting User-Agent in Elixir with Finch, HTTPoison, Req, or Tesla

by Michael Lubas

Paraxial.io Printing User Agents

In 1996 Google co-founder Larry Page posted in comp.lang.java, Q: Setting User-Agent Field?. 26 years later, you may still need to set the User-Agent in your project. Here are four examples from the Elixir HTTP clients Finch, HTTPoison, Req, and Tesla.

Continue Reading ->

eBook Release: Inside a Web Bot Attack 🤖

by Paraxial.io

It was an ordinary day at work for Peter, until he saw a spike in login attempts 1,000 times higher than average! Go inside the response to a bot attack and learn how Paraxial.io can keep your business secure.

Click here to get the eBook!

Continue Reading ->

Paraxial.io Featured in ElixirCasts Episode 149

by Paraxial.io

Paraxial.io was featured in the excellent ElixirCasts, a series of video tutorials on Elixir and Phoenix. The episode walks through the installation of Paraxial.io in less than seven minutes, and the configuration of a rule to stop automated credential stuffing attacks.

Click here to watch the episode on elixircasts.io.

Continue Reading ->

Testing a Phoenix application for credential stuffing with Elixir, Floki, and HTTPoison

by Michael Lubas

Credential stuffing is a type of attack performed against web applications, where the attacker uses username/password pairs from a data breach as input to a program, which performs automated login attempts against a victim application. This is a highly effective technique for stealing user accounts, because password reuse is so common.

This post will demonstrate how to test a Phoenix web application to see if credential stuffing from one IP address is possible. If you work on a public-facing web application, and want to improve its security, this is an excellent test. Credential stuffing attacks are easy for attackers to perform, and lead to user accounts getting compromised. If you currently have defenses in place, such as a bot prevention tool, captcha, or custom plugs, this project will reveal discrepancies between how you expect the system to behave, and how it actually does.

Continue Reading ->

🎉 Announcing the Paraxial.io Beta Launch! 🎉

by Paraxial.io

The Paraxial.io Web Interface

Paraxial.io protects your Elixir/Phoenix application from bots attempting automated logins, scraping, and disruption of service. Today we are happy to announce the beta program is open to new users!

Continue Reading ->

Classifying Data Center IP Addresses in Phoenix Web Applications with Radix Trees

by Michael Lubas

A route that blocks data center IPs

Several cloud hosting companies publish the IP address ranges of their services. Examples include AWS, Azure, GCP, Oracle, and DigitalOcean. This information is useful to website owners, because the expected behavior of a client coming from a cloud server is different from a residential IP address. Consider a website that sells concert tickets, and wants to prevent bots from quickly purchasing all available tickets. The website owner notices that when tickets go on sale, hundreds of clients with data center IP addresses are making automated requests, purchasing tickets for resale before real visitors can.

Continue Reading ->

Throttling and Blocking Bad Requests in Phoenix Web Applications with PlugAttack

by Paraxial.io

A credential stuffing attack

Web applications that accept username and password pairs for authentication may experience credential stuffing by malicious clients. We use the term “credential stuffing” to refer to the act of using credentials, taken from a website’s public data breach, to preform many authentication attempts against victim accounts on a different website. This tutorial will demonstrate how to mitigate credential stuffing against a Phoenix Framework application, using PlugAttack.

Continue Reading ->