Document Open Access Logo

Identifying Security Issues in Elixir Web Applications

Authors Smiljana Knežev , István Bozó , Melinda Tóth

PDF HTML 5

Files

Thumbnail PDF
PDF
OASIcs.Programming.2025.22.pdf
  • Filesize: 0.64 MB
  • 15 pages
HTML5 Logo HTML (experimental)
OASIcs.Programming.2025.22.html

Document Identifiers

Subject Classification

ACM Subject Classification
  • Security and privacy → Web application security
Keywords
  • Static analysis
  • Elixir
  • security vulnerabilities
  • XSS

Metrics

Abstract

The security of software products is extremely important in the era of internet-based applications. Building secure web applications is not straightforward. Several guidelines and tools were developed to support this process. The biggest challenge for those tools is to not overwhelm the developers with false-positive hits. This paper aims to investigate the use of static analysis for accurate vulnerability identification in the case of Elixir web applications.

Cite As Get BibTex

Smiljana Knežev, István Bozó, and Melinda Tóth. Identifying Security Issues in Elixir Web Applications. In Companion Proceedings of the 9th International Conference on the Art, Science, and Engineering of Programming (Programming 2025). Open Access Series in Informatics (OASIcs), Volume 134, pp. 22:1-22:15, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2025) https://doi.org/10.4230/OASIcs.Programming.2025.22

Author Details

Smiljana Knežev
  • Faculty of Informatics, ELTE, Eötvös Lóránd University, Budapest, Hungary
István Bozó
  • Faculty of Informatics, ELTE, Eötvös Lóránd University, Budapest, Hungary
Melinda Tóth
  • Faculty of Informatics, ELTE, Eötvös Lóránd University, Budapest, Hungary

Funding

Project no. TKP2021-NVA-29 has been implemented with the support provided by the Ministry of Culture and Innovation of Hungary from the National Research, Development and Innovation Fund, financed under the TKP2021-NVA funding scheme.

References

  1. Brigitta Baranyai, István Bozó, and Melinda Tóth. Supporting secure coding with RefactorErl. In 13th Joint Conference on Mathematics and Informatics - MaCS 2020, pages 24-25, 2020. Google Scholar
  2. Dibyendu Brinto Bose, Kaitlyn Cottrell, and Akond Rahman. Vision for a secure elixir ecosystem: An empirical study of vulnerabilities in elixir programs. In Proceedings of the 2022 ACM Southeast Conference, ACM SE '22, pages 215-218, New York, NY, USA, 2022. Association for Computing Machinery. URL: https://doi.org/10.1145/3476883.3520204.
  3. I. Bozó, D. Horpácsi, Z. Horváth, R. Kitlei, J. Köszegi, Tejfel. M., and M Tóth. Refactorerl - source code analysis and refactoring in erlang. In Proceedings of the 12th Symposium on Programming Languages and Software Tools, ISBN 978-9949-23-178-2, pages 138-148, Tallin, Estonia, October 2011. Google Scholar
  4. Brakeman. Brakeman. https://brakemanscanner.org/. Accessed: 29-04-2025.
  5. G. Ann Campbell and Patroklos P. Papapetrou. SonarQube in Action. Manning Publications, June 2013. Google Scholar
  6. Carnegie Mellon University, Software Engineering Institute. Cert coding standards. https://wiki.sei.cmu.edu/confluence/display/seccode/SEI+CERT+Coding+Standards. Accessed: 29-04-2025.
  7. Francesco Cesarini and Simon Thompson. Erlang programming. O'Reilly, June 2009. Google Scholar
  8. Erlang Ecosystem Foundation Security Working Group. Security working group. https://erlef.github.io/security-wg/web_app_security_best_practices_beam/index. Accessed: 29-04-2025.
  9. Erlang Ecosystem Foundation Security Working Group. Web application security best practices for beam languages. https://erlef.org/wg/security. Accessed: 29-04-2025.
  10. ESLint. Eslint. https://eslint.org/. Accessed: 29-04-2025.
  11. Zoltán Horváth, László Lövei, Tamás Kozsik, Róbert Kitlei, Anikó Nagyné Víg, Tamás Nagy, Melinda Tóth, and Roland Király. Modeling semantic knowledge in Erlang for refactoring. In Knowledge Engineering: Principles and Techniques, Proceedings of the International Conference on Knowledge Engineering, Principles and Techniques, KEPT 2009, volume 54(2009) Sp. Issue of Studia Universitatis Babeş-Bolyai, Series Informatica, pages 7-16, Cluj-Napoca, Romania, July 2009. Google Scholar
  12. Horváth, Kovács, Szalay, Porkoláb, Orbán, and Krupp. Codechecker. https://codechecker.readthedocs.io/en/latest/. Accessed: 29-04-2025.
  13. Saša Jurić. Elixir in Action. Manning, 2024. URL: https://www.manning.com/books/phoenix-in-action.
  14. Geoffrey Lessel. Pheonix in Action. Manning, 2019. URL: https://www.manning.com/books/elixir-in-action-third-edition.
  15. NCC Group. Sobelow. https://github.com/nccgroup/sobelow#installation. Accessed: 29-04-2025.
  16. PyCQA (Python Code Quality Authority). Bandit. https://bandit.readthedocs.io/en/latest/. Accessed: 29-04-2025.
  17. Semgrep, Inc. Semgrep. https://github.com/semgrep/semgrep. Accessed: 29-04-2025.
  18. SpotBugs Team. Spotbugs. https://spotbugs.readthedocs.io/en/latest/introduction.html. Accessed: 29-04-2025.
  19. Erik Stenman. The BEAM book. https://blog.stenmans.org/theBeamBook/. Accessed: 29-04-2025.
  20. Richárd Szalay and Ádám Balogh. On the applicability of static analysis for system software using codechecker. In 2024 7th International Conference on Software and System Engineering (ICoSSE), April 2024. URL: https://doi.org/10.1109/ICoSSE62619.2024.00011.
  21. The OWASP Foundation. Application security verification standard. https://owasp.org/www-pdf-archive/OWASP_Application_Security_Verification_Standard_4.0-en.pdf. Accessed: 29-04-2025.
  22. Melinda Tóth and István Bozó. Supporting secure coding for erlang. In Proceedings of the 39th ACM/SIGAPP Symposium on Applied Computing, SAC '24, pages 1307-1311, New York, NY, USA, 2024. Association for Computing Machinery. URL: https://doi.org/10.1145/3605098.3636185.
  23. M. Tóth. Don’t let it crash - How we applied our security checks on elixir code. Talk at ELixirConf, Lisbon, 2024, URL: https://www.elixirconf.eu/talks/dont-let-it-crash-how-we-applied-our-security-checks-on-elixir-code/.
  24. M. Tóth and I. Bozó. Static analysis of complex software systems implemented in erlang. Central European Functional Programming Summer School – Fourth Summer School, CEFP 2011, Revisited Selected Lectures, Lecture Notes in Computer Science (LNCS), Vol. 7241, pp. 451-514, Springer-Verlag, ISSN: 0302-9743, 2012. Google Scholar
  25. W3. W3. https://www.w3.org/TR/CSP2/#directives. Accessed: 29-04-2025.
Any Issues?
X

Feedback on the Current Page

CAPTCHA

Thanks for your feedback!

Feedback submitted to Dagstuhl Publishing

Could not send message

Please try again later or send an E-mail
© 2023-2025 Schloss Dagstuhl – LZI GmbH About DROPS Imprint Privacy Contact