Clickjacking in Phoenix with Dynamodb

Clickjacking is a client-side UI redress attack where an invisible or disguised element tricks a user into performing unwanted actions. In a Phoenix application that uses Amazon DynamoDB as a backend, the risk arises when rendered pages include predictable or sensitive UI flows that are not protected by anti-clickjacking controls. For example, an admin settings page in Phoenix that performs a sensitive DynamoDB operation such as delete_item or update_item might be embedded inside an iframe on a malicious site. If the page relies only on simple GET requests for state-changing operations (violating idempotency and safety expectations) and does not enforce SameSite cookies or frame-deny headers, an authenticated user could be induced to click a crafted link that issues unintended DynamoDB writes.

DynamoDB itself does not enforce UI-level protections, so the responsibility falls to the Phoenix layer. If the application generates URLs or links that directly map to DynamoDB item keys (e.g., using an item ID in query parameters without additional authorization checks), an attacker may construct a URL that triggers a DynamoDB mutation when loaded in a hidden iframe. This is especially risky when combined with insufficient authorization checks at the controller level (e.g., missing ownership validation) and predictable primary key patterns. The exposure is not in DynamoDB’s wire protocol but in how the Phoenix app exposes state-changing operations via HTTP, which can be embedded and activated without user consent.

Consider a scenario where a Phoenix controller calls dynamodb.update_item based on an item ID provided in the URL. If the response includes CSRF-like vectors—such as a page that performs a write on visit without a same-site cookie policy or anti-CSRF token—an attacker can trick a victim into loading an iframe or image tag pointing to that URL. Because DynamoDB operations are performed with the permissions of the victim’s authenticated session, unauthorized updates or deletions can occur. The scanner can surface such patterns by flagging missing frame-deny headers and unsafe method usage, tying findings to the OWASP API Top 10 and common web UI risks.

Remediation focuses on ensuring that every operation that results in a DynamoDB call is protected by proper authorization, same-site cookie policies, and anti-clickjacking headers. In Phoenix, use Plug pipeline protections and ensure that actions that invoke DynamoDB are not idempotent-safe for unsafe methods (e.g., POST for writes, not GET). Below are concrete examples that combine Phoenix controller practices with AWS SDK for DynamoDB calls.

First, set security headers in your endpoint module to prevent framing:

defmodule MyAppWeb.Plugs.SecurityHeaders do
  import Plug.Conn

  def init(opts), do: opts

  def call(conn, _opts) do
    conn
    |> put_resp_header("x-frame-options", "DENY")
    |> put_resp_header("content-security-policy", "frame-ancestors 'self'")
    |> put_resp_header("strict-transport-security", "max-age=31536000; includeSubDomains")
  end
end

Then, ensure your controller that performs DynamoDB operations requires explicit POST and includes anti-CSRF protections (such as verifying authenticity tokens or custom headers). Never allow GET requests to trigger update_item or delete_item. Example controller:

defmodule MyAppWeb.ItemController do
  use MyAppWeb, :controller
  alias Aws.DynamoDb, as: DDB

  plug MyAppWeb.Plugs.SecurityHeaders
  plug :require_authenticated_user when action in [:delete, :update]

  def delete(conn, %{"id" => id}) do
    # Ensure the item belongs to the user (ownership check)
    with {:ok, item} <- fetch_item(id), do: authorize_user!(conn, item)

    # Perform DynamoDB delete
    DDB.delete_item(
      table: "Items",
      key: %{id: id}
    )

    send_resp(conn, :no_content, "")
  end

  defp fetch_item(id) do
    # Replace with actual DynamoDB get_item call
    DDB.get_item(table: "Items", key: %{id: id})
  end

  defp authorize_user!(conn, item) do
    if item["user_id"] == conn.assigns.current_user.id do
      :ok
    else
      halt(conn)
      |> put_status(:forbidden)
      |> json(%{error: "forbidden"})
    end
  end
end

On the DynamoDB side, ensure your SDK calls use IAM roles with least privilege and avoid exposing raw item IDs in URLs. Use path parameters only after validating ownership. In your router, prefer scoped pipelines for destructive actions:

scope "/api", MyAppWeb do
  pipe_through [:api_auth]

  delete "/items/:id", ItemController, :delete
  put "/items/:id", ItemController, :update
end

Finally, for applications that embed third-party content or use iframes, ensure strict CSP frame-ancestors rules and avoid including sensitive pages in contexts where they can be embedded. Combine this with regular scans using the middleBrick CLI to detect missing headers and unsafe method exposure: middlebrick scan https://your-app.example.com. Teams on the Pro plan can enable continuous monitoring to catch regressions, and the GitHub Action can fail builds if risk scores drop below your chosen threshold.