Elixir Cross Site Scripting
Description
This detector identifies Cross-Site Scripting (XSS) vulnerabilities in Elixir applications where user-controlled data is sent in HTTP responses without proper content type headers or output encoding. XSS allows attackers to inject malicious scripts that execute in victims' browsers, potentially leading to session hijacking, data theft, or account takeover.
Detection Strategy
• Reports vulnerabilities when code uses the 'send_resp' function to send HTTP responses
• The response must not have safe content type headers (like 'application/json' or 'text/plain') that prevent script execution
• The response body must contain data that originates from user input without proper sanitization
• Applies to both direct function calls and piped expressions using the '|>' operator in Elixir
Vulnerable code example

defmodule XssController do
  import Plug.Conn

  def vulnerable_concat(conn, _params) do
    user = conn.params["user"]
    # User input directly concatenated into HTML response
    html = "<h1>Hello " <> user <> "</h1>"
    conn = put_resp_content_type(conn, "text/html")
    # Unescaped HTML is sent with a text/html content type: this is the case the detector reports
    send_resp(conn, 200, html)
  end
end

Secure code example
defmodule XssController do
  import Plug.Conn

  def secure_concat(conn, _params) do
    user = conn.params["user"]
    # User input escaped before concatenation into HTML.
    # Phoenix.HTML.html_escape/1 returns {:safe, iodata}, so it is converted to a string first.
    escaped = Phoenix.HTML.safe_to_string(Phoenix.HTML.html_escape(user))
    html = "<h1>Hello " <> escaped <> "</h1>"
    conn = put_resp_content_type(conn, "text/html")
    send_resp(conn, 200, html)
  end
end