API Reference Sobelow v0.11.1

Modules

Sobelow is a static analysis tool for discovering vulnerabilities in Phoenix applications.

Command Injection

Command Injection vulnerabilities are a result of passing untrusted input to an operating system shell, and may result in complete system compromise.

Missing Content-Security-Policy

Content-Security-Policy is an HTTP header that helps mitigate a number of attacks, including Cross-Site Scripting.

Cross-Site Request Forgery

In a Cross-Site Request Forgery (CSRF) attack, an untrusted application can cause a user's browser to submit requests or perform actions on the user's behalf.


Cross-Site Websocket Hijacking

Websocket connections are not bound by the same-origin policy. Connections that do not validate the origin may leak information to an attacker.

HSTS

The HTTP Strict Transport Security (HSTS) header helps defend against man-in-the-middle attacks by preventing unencrypted connections.

HTTPS

Without HTTPS, attackers in a privileged network position can intercept and modify traffic.

Missing Secure HTTP Headers

By default, Phoenix HTTP responses contain a number of secure HTTP headers that attempt to mitigate XSS, click-jacking, and content-sniffing attacks.

Hard-coded Secrets

In the event of a source-code disclosure (via a file-read vulnerability, an accidental commit, etc.), hard-coded secrets may be exposed to an attacker. This may result in database access, cookie forgery, and other issues.

Denial of Service via Unsafe Atom Interpolation

In Elixir, atoms are not garbage collected. As such, if user input is used to create atoms (as in :"foo#{bar}", or in :erlang.binary_to_atom), it may result in memory exhaustion. Prefer the String.to_existing_atom function for untrusted user input.

Denial of Service via List.to_atom

In Elixir, atoms are not garbage collected. As such, if user input is passed to the List.to_atom function, it may result in memory exhaustion. Prefer the List.to_existing_atom function for untrusted user input.

Denial of Service via String.to_atom

In Elixir, atoms are not garbage collected. As such, if user input is passed to the String.to_atom function, it may result in memory exhaustion. Prefer the String.to_existing_atom function for untrusted user input.

IO helpers. These mostly mirror Mix.Shell.IO, but Mix will not always be available to Sobelow.

Insecure use of binary_to_term

If user input is passed to Erlang's binary_to_term function it may result in memory exhaustion or code execution. Even with the :safe option, binary_to_term will deserialize functions, and shouldn't be considered safe to use with untrusted input.

Insecure use of File and Path

Note: This check has been deprecated. File/Path issues were addressed with the release of OTP 21.

Remote Code Execution

Remote Code Execution vulnerabilities are a result of untrusted user input being executed or interpreted by the system and may result in complete system compromise.

Insecure EEx evaluation

If user input is passed to EEx eval functions, it may result in arbitrary code execution. The root cause of these issues is often directory traversal.

SQL Injection

SQL injection occurs when untrusted input is interpolated directly into a SQL query. In a typical Phoenix application, this would mean using the Ecto.Adapters.SQL.query function without using its parameterization feature.

Path Traversal

Path traversal vulnerabilities are a result of interacting with the filesystem using untrusted input. This class of vulnerability may result in file disclosure, code execution, denial of service, and other issues.

Known Vulnerable Dependencies

An application with known vulnerabilities is more easily subjected to automated or targeted attacks.

Cross-Site Scripting

Cross-Site Scripting (XSS) vulnerabilities are a result of rendering untrusted input on a page without proper encoding. XSS may allow an attacker to perform actions on behalf of other users, steal session tokens, or access private data.

XSS in put_resp_content_type

If an attacker is able to set arbitrary content types for an HTTP response containing user input, the attacker is likely to be able to leverage this for cross-site scripting (XSS).

Mix Tasks

Sobelow is a static analysis tool for discovering vulnerabilities in Phoenix applications.