How to fix SSRF (Server Side Request Forgery)
in Phoenix
Executive Summary
SSRF in Phoenix/Elixir environments occurs when an application accepts a user-controlled URL and fetches it without verifying the destination. This allows attackers to pivot from the public web into your internal VPC, hitting internal-only APIs, databases, or cloud provider metadata services (like AWS IMDS). In Elixir, standard libraries like HTTPoison or Req don't block internal requests by default.
The Vulnerable Pattern
defmodule MyAppWeb.ImageController do use MyAppWeb, :controller
def proxy_avatar(conn, %{“url” => url}) do # CRITICAL VULNERABILITY: Blindly fetching user input # Attacker can pass “http://localhost:4000/admin” or “http://169.254.169.254/” case HTTPoison.get(url) do {:ok, %{body: body, status_code: 200}} -> conn |> put_resp_content_type(“image/png”) |> send_resp(200, body) _ -> send_resp(conn, 400, “Failed to fetch image”) end end end
The Secure Implementation
The secure implementation introduces a 'Verify-Before-Connect' pattern. First, it parses the URL and ensures the scheme is restricted to HTTP/HTTPS. Second, it performs a DNS resolution using :inet.getaddr and checks the resulting IP against a blacklist of private/reserved ranges (RFC1918, Loopback, and Link-Local). This prevents the server from hitting its own internal services. To harden this further against DNS Rebinding, you should use an HTTP client that allows you to specify the destination IP explicitly while keeping the original Host header.
defmodule MyAppWeb.ImageController do use MyAppWeb, :controllerdef proxy_avatar(conn, %{“url” => url}) do with {:ok, uri} <- URI.new(url), :ok <- validate_protocol(uri), {:ok, ip} <- resolve_and_verify_ip(uri.host) do # Use a library like Fincher or a custom adapter that pins the IP # to prevent DNS Rebinding attacks. case HTTPoison.get(url) do {:ok, %{body: body}} -> send_resp(conn, 200, body) _ -> send_resp(conn, 400, “Error”) end else {:error, reason} -> send_resp(conn, 403, “Access Denied: #{reason}”) end end
defp validate_protocol(%URI{scheme: s}) when s in [“http”, “https”], do: :ok defp validate_protocol(_), do: {:error, “Invalid protocol”}
defp resolve_and_verify_ip(host) do case :inet.getaddr(to_charlist(host), :inet) do {:ok, ip} -> if private_ip?(ip), do: {:error, “Internal IP restricted”}, else: {:ok, ip} {:error, _} -> {:error, “Resolution failed”} end end
defp private_ip?({10, _, _, _}), do: true defp private_ip?({172, s, _, _}) when s >= 16 and s <= 31, do: true defp private_ip?({192, 168, _, _}), do: true defp private_ip?({127, _, _, _}), do: true defp private_ip?({169, 254, _, }), do: true defp private_ip?(), do: false end
Your Phoenix API
might be exposed to SSRF (Server Side Request Forgery)
74% of Phoenix apps fail this check. Hackers use automated scanners to find this specific flaw. Check your codebase before they do.
Free Tier • No Credit Card • Instant Report
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.