When deploying your Phoenix application, it seems like there is a never ending list of security problems to worry about. XSS, CSRF, RCE, timing attacks, the list of acronyms and jargon goes on. How should you get started securing your Phoenix app? What is worth focusing on? This training will be an introduction to the web application security concepts most relevant to Phoenix applications, common vulnerabilities, and recommended best practices. This training is fully remote, September 1, 2023.

The authentication mechanism had been subject to numerous design reviews and penetration tests. The owners were confident that no feasible means existed of attacking the mechanism to gain unauthorized access.

Sobelow is the static analysis tool for finding security issues in Elixir and Phoenix code. If you’re using Elixir in production, running Sobelow is highly recommended, because it automatically checks for common security issues. Today, detailed guidance on how to triage, verify, and fix each finding is included in Paraxial.io Application Secure. Enterprise customers can also request professional assistance when fixing reported vulnerabilities. This guide is open source, for the benefit of the Elixir community, on the Paraxial.io Github - https://github.com/paraxialio/sobelow_guide

In Elixir and Erlang, the atom is a basic type, a constant whose value is its own name. There is a hard limit on the number of atoms that can be created, the default is 1_048_576. If external user input results in atoms being created at runtime, this can cause the entire system to crash. There is an obvious question raised from all this, “If my application is vulnerable, what is the impact?”

Sobelow version 0.12.1 was released recently, adding support for HEEx templates, which are used in Phoenix LiveView. Sobelow is a static analysis tool for finding security issues in Elixir and Phoenix code. If you’re using Elixir in production, running Sobelow is highly recommended, because it automatically checks for common security issues.

Watch Fast IP Address Matching in Elixir with Radix Trees & Persistent Term by Michael Lubas - Founder of Paraxial.io, Code BEAM America 2022.

The typical description of cross site request forgery (CSRF) involves a POST request being triggered without a secure token. If there’s a state changing HTML form making a POST, with a CSRF token, that’s validated by the server, that should be secure. Consider a web application where both a GET and POST request can perform the same state changing action. This is likely not the developer’s intention, but that is the root of most security problems in software.

Potion Shop is a Phoenix application vulnerable to common web security issues, such as RCE, XSS, and CSRF. Software developers interested in learning more about Elixir security can examine the source code and functionality of Potion Shop, to better understand how these vulnerabilities occur in a Phoenix project.

Michael: Hi Holden, what are you currently working on? How is it related to Elixir?

Holden: Hey there! Currently I operate as the Security Architect at Podium where I help our various security teams build out the future of security for a rapidly growing SaaS business which caters to local businesses around the globe.

In a Phoenix application, is the code :erlang.binary_to_term(user_input, [:safe]) secure? The answer is no, as the Erlang documentation states, “The safe option ensures the data is safely processed by the Erlang runtime but it does not guarantee the data is safe to your application. You must always validate data from untrusted sources.” Unsafe usage of binary_to_term/2 can lead to a remote code execution (RCE) vulnerability in your application. This means an attacker sends a string of input, which executes malicious code on your production server.

Our founder Michael was on the Elixir Mix podcast this week, discussing bot defense, Elixir application security, and how developers can learn more about these topics. Listen now.

Phoenix applications with user accounts share a common set of features: a login page, account creation, and password reset via an email. These systems are exposed to bot attacks, and developers should be aware of the risks that the public internet imposes on their software. This article will show a risk assessment of a Phoenix application’s login system, and how to use the Hammer library to rate limit the number of requests to each endpoint based on IP address.

Learn how to prevent SQL injection in Elixir/Phoenix applications during this live coding webinar. The founder of Paraxial.io, Michael Lubas, will walk through an example Phoenix application, showing secure and insecure Ecto code examples, and how an SQL injection attack works.

Paraxial.io is an application security platform created for Elixir. The two primary use cases are defense against malicious web bots and vulnerability management. Similar tools on the market today include reCaptcha, Snyk, and Cloudflare bot defense. Paraxial.io’s backend is written in Elixir, all our customers are using Elixir, and even this blog is a Phoenix application running Dashbit’s NimblePublisher.

Paraxial.io is an application security platform designed for Elixir and Phoenix. We provide an alternative to tools such as Snyk, reCaptcha, and Cloudflare bot defense. You may have questions about these statements, such as, “Why do businesses buy this software?”.

Dependencies in a software project are a frequent source of security concern. The ability to detect outdated packages, and update to the latest version without breaking the project, is necessary for modern teams. In Elixir, dependencies are hosted by the Hex package manager, and managed by the Mix build tool. To better understand the ecosystem, let’s examine the different components in detail.

Paraxial.io now supports vulnerability scanning and management for Elixir applications. This is done via a mix task, which can be integrated into your CI/CD pipeline, that uploads the result of each scan to the Paraxial.io backend for tracking and reporting. This fulfills the compliance requirements for a number of security standards, and gives your team actionable metrics on the security of your project.

Rocket Validator helps website owners detect accessibility and HTML issues in their pages. The founder, Jaime Iniesta, was dealing with an annoying problem: spam user registrations. Bots would register for the service, but these signups were spam, not real humans. Jaime decided to create a Paraxial.io account, and create honeypot forms for the bots to submit. What happened next?

In Elixir, the atom is a basic type, a constant whose value is its own name. Atoms are often hard-coded, meaning the atom :red appears in source code, and is not dynamically created at runtime or compile time. However, it is possible for your application to accept user input, then create a new atom based on that input, for example:

Our founder Michael Lubas was on the Thinking Elixir Podcast this week, discussing Phoenix security and useful resources to get started defending your own applications. https://podcast.thinkingelixir.com/131

“Limit the number of login attempts for one IP address to 5 in a 30 second period” is a standard rule for many web applications, and makes sense from the perspective of a site owner dealing with malicious credential stuffing. With the rise of cloud computing, it has become much easier for an attacker to access thousands of different IP addresses, for free, to bypass IP based blocking. This article will use a Phoenix application to demonstrate what the attack looks like, and how Paraxial.io stops it.

Betafi is a user research platform that makes it easy to capture and make sense of customer feedback sessions. User interviews, usability testing, and sharing business insights are all supported. Built on Elixir and Phoenix, the team at Betafi was preparing to launch on Product Hunt, and wanted to ensure the big launch day was not disrupted by bot attacks.

Cross site request forgery (CSRF) is a type of vulnerability in web applications, where an attacker is able to forge commands from a victim user. For example, consider a social media website that is vulnerable to CSRF. An attacker creates a malicious website aimed at legitimate users. When a victim visits the malicious site, it triggers a POST request in the victim’s browser, sending a message that was written by the attacker. This results in the victim’s account making a post written by the attacker.

As Elixir and Phoenix adoption continues to increase in industry, the need for security expertise has grown as well. Finding engineers with a deep understanding of the Elixir ecosystem, and software security, is a difficult task.

There are a number of resources online related to Elixir and Phoenix security, however when it comes to securing your own project, determining where to begin is a difficult task. Here are five recommendations to get started improving the security of your application.

Cross Site Scripting (XSS) refers to a class of vulnerability in web applications, where an attacker is able to inject a script into the browsing context of a victim. The root cause of this vulnerability is untrusted user input being rendered in a web browser, where JavaScript written by an attacker is executed. If a website has user authentication, and an attacker is able to exploit XSS in the site, the end result is user accounts will be compromised.

SQL injection is a type of attack against a web application, where some malicious input is parsed by the underlying database, resulting in an unauthorized operation being performed. This can be the disclosure of sensitive data, modification of the database, or deletion of entire tables.

Write a function in Elixir named build_string that takes 4 arguments:

At this year’s ElixirConf Teller hosted a challenge in Elixir, write an Elixir client for a banking application to get the secret account number and balance. This is a writeup for the remote attendee instance, if you played this in-person at ElixirConf the setup was different.

In 1996 Google co-founder Larry Page posted in comp.lang.java, Q: Setting User-Agent Field?. 26 years later, you may still need to set the User-Agent in your project. Here are four examples from the Elixir HTTP clients Finch, HTTPoison, Req, and Tesla.

It was an ordinary day at work for Peter, until he saw a spike in login attempts 1,000 times higher than average! Go inside the response to a bot attack and learn how Paraxial.io can keep your business secure.

Click here to get the eBook!

Paraxial.io was featured in the excellent ElixirCasts, a series of video tutorials on Elixir and Phoenix. The episode walks through the installation of Paraxial.io in less than seven minutes, and the configuration of a rule to stop automated credential stuffing attacks.

Click here to watch the episode on elixircasts.io.

Credential stuffing is a type of attack performed against web applications, where the attacker uses username/password pairs from a data breach as input to a program, which performs automated login attempts against a victim application. This is a highly effective technique for stealing user accounts, because password reuse is so common.

This post will demonstrate how to test a Phoenix web application to see if credential stuffing from one IP address is possible. If you work on a public-facing web application, and want to improve its security, this is an excellent test. Credential stuffing attacks are easy for attackers to perform, and lead to user accounts getting compromised. If you currently have defenses in place, such as a bot prevention tool, captcha, or custom plugs, this project will reveal discrepancies between how you expect the system to behave, and how it actually does.

Paraxial.io protects your Elixir/Phoenix application from bots attempting automated logins, scraping, and disruption of service. Today we are happy to announce the beta program is open to new users!

Several cloud hosting companies publish the IP address ranges of their services. Examples include AWS, Azure, GCP, Oracle, and DigitalOcean. This information is useful to website owners, because the expected behavior of a client coming from a cloud server is different from a residential IP address. Consider a website that sells concert tickets, and wants to prevent bots from quickly purchasing all available tickets. The website owner notices that when tickets go on sale, hundreds of clients with data center IP addresses are making automated requests, purchasing tickets for resale before real visitors can.

Web applications that accept username and password pairs for authentication may experience credential stuffing by malicious clients. We use the term “credential stuffing” to refer to the act of using credentials, taken from a website’s public data breach, to preform many authentication attempts against victim accounts on a different website. This tutorial will demonstrate how to mitigate credential stuffing against a Phoenix Framework application, using PlugAttack.