Elixir Tesla Request Forgery
Description
This detector identifies Server-Side Request Forgery (SSRF) vulnerabilities in Elixir applications using the Tesla HTTP client library. It flags instances where Tesla client requests are configured in an unsafe manner that could allow attackers to control request destinations.
Detection Strategy
• Analyze Elixir source code for Tesla HTTP client usage patterns
• Examine Tesla.client(), Tesla.get(), Tesla.post(), and similar function calls
• Flag Tesla requests where the URL or destination is dynamically constructed from user input
• Report vulnerabilities when Tesla clients accept external input for request URLs without proper validation
• Identify unsafe Tesla middleware configurations that could enable request manipulation
Vulnerable code example
defmodule ExampleController do
use Phoenix.Controller
alias Tesla
def vulnerable_request(conn, _params) do
url = conn.params["target"]
...✅ Secure code example
defmodule ExampleController do
use Phoenix.Controller
alias Tesla
def secure_request(conn, _params) do
url = conn.params["target"]
...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.