API Reference Sobelow v0.11.1
Modules
Sobelow is a static analysis tool for discovering vulnerabilities in Phoenix applications.
Command Injection
Command Injection vulnerabilities are a result of passing untrusted input to an operating system shell, and may result in complete system compromise.
Missing Content-Security-Policy
Content-Security-Policy is an HTTP header that helps mitigate a number of attacks, including Cross-Site Scripting.
Cross-Site Request Forgery
In a Cross-Site Request Forgery (CSRF) attack, an untrusted application can cause a user's browser to submit requests or perform actions on the user's behalf.
Cross-Site Request Forgery
In a Cross-Site Request Forgery (CSRF) attack, an untrusted application can cause a user's browser to submit requests or perform actions on the user's behalf.
Cross-Site Websocket Hijacking
Websocket connections are not bound by the same-origin policy. Connections that do not validate the origin may leak information to an attacker.
HSTS
The HTTP Strict Transport Security (HSTS) header helps defend against man-in-the-middle attacks by preventing unencrypted connections.
HTTPS
Without HTTPS, attackers in a priveleged network position can intercept and modify traffic.
Missing Secure HTTP Headers
By default, Phoenix HTTP responses contain a number of secure HTTP headers that attempt to mitigate XSS, click-jacking, and content-sniffing attacks.
Hard-coded Secrets
In the event of a source-code disclosure via file read vulnerability, accidental commit, etc, hard-coded secrets may be exposed to an attacker. This may result in database access, cookie forgery, and other issues.
Denial of Service via Unsafe Atom Interpolation
In Elixir, atoms are not garbage collected. As such, if user input
is used to create atoms (as in :"foo#{bar}"
, or in :erlang.binary_to_atom
),
it may result in memory exhaustion. Prefer the String.to_existing_atom
function for untrusted user input.
Denial of Service via List.to_atom
In Elixir, atoms are not garbage collected. As such, if user input
is passed to the List.to_atom
function, it may result in memory
exhaustion. Prefer the List.to_existing_atom
function for untrusted
user input.
Denial of Service via String.to_atom
In Elixir, atoms are not garbage collected. As such, if user input
is passed to the String.to_atom
function, it may result in memory
exhaustion. Prefer the String.to_existing_atom
function for untrusted
user input.
IO helpers. Mostly mirror Mix.Shell.IO, but Mix will not always be available to Sobelow.
Insecure use of binary_to_term
If user input is passed to Erlang's binary_to_term
function
it may result in memory exhaustion or code execution. Even with
the :safe
option, binary_to_term
will deserialize functions,
and shouldn't be considered safe to use with untrusted input.
Remote Code Execution
Remote Code Execution vulnerabilities are a result of untrusted user input being executed or interpreted by the system and may result in complete system compromise.
Insecure EEx evaluation
If user input is passed to EEx eval functions, it may result in arbitrary code execution. The root cause of these issues is often directory traversal.
SQL Injection
SQL injection occurs when untrusted input is interpolated
directly into a SQL query. In a typical Phoenix application,
this would mean using the Ecto.Adapters.SQL.query
method
and not using the parameterization feature.
Path Traversal
Path traversal vulnerabilities are a result of interacting with the filesystem using untrusted input. This class of vulnerability may result in file disclosure, code execution, denial of service, and other issues.
Known Vulnerable Dependencies
An application with known vulnerabilities is more easily subjected to automated or targeted attacks.
Cross-Site Scripting
Cross-Site Scripting (XSS) vulnerabilities are a result of rendering untrusted input on a page without proper encoding. XSS may allow an attacker to perform actions on behalf of other users, steal session tokens, or access private data.
XSS in put_resp_content_type
If an attacker is able to set arbitrary content types for an HTTP response containing user input, the attacker is likely to be able to leverage this for cross-site scripting (XSS).
Mix Tasks
Sobelow is a static analysis tool for discovering vulnerabilities in Phoenix applications.