GuardAPI

Fix SSRF (Server Side Request Forgery) in Dropwizard

SSRF in Dropwizard environments usually stems from JAX-RS resources using a shared Jersey Client to fetch user-supplied URLs. Without strict validation, an attacker can pivot to internal services, hit the 169.254.169.254 cloud metadata endpoint, or scan internal management ports. In a Dropwizard stack, you must intercept the request flow at the socket or DNS level to prevent bypasses like DNS rebinding.

The Vulnerable Pattern

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.client.Client;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

@Path("/fetch")
@Produces(MediaType.APPLICATION_JSON)
public class ProxyResource {
    private final Client client;

    public ProxyResource(Client client) {
        this.client = client;
    }

    @GET
    public Response proxy(@QueryParam("url") String url) {
        // CRITICAL: No validation on the 'url' parameter.
        // Attacker can pass 'http://localhost:8080/admin' or 'http://169.254.169.254/latest/meta-data/'
        return client.target(url).request().get();
    }
}

The Secure Implementation

The fix implements a multi-layered defense:

1. Protocol allowlisting: enforce HTTPS so that gopher:, file: and ftp: scheme smuggling is rejected outright.
2. IP destination filtering: resolve the hostname and check the result against private and link-local ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.1 and 169.254.169.254).
3. Host allowlisting: restrict outbound traffic to a known set of trusted domains.

For high-security environments, configure the Apache HttpClient that backs Dropwizard's Jersey client with a custom DnsResolver, so that the IP address that was validated is the same one used for the connection; this mitigates DNS rebinding attacks.

import java.net.InetAddress;
import java.net.URL;
import java.util.Set;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.client.Client;
import javax.ws.rs.core.Response;

public class SafeClient {
    private static final Set<String> ALLOWED_HOSTS = Set.of("trusted-api.com");
    private final Client client;

    public SafeClient(Client client) {
        this.client = client;
    }

    public Response safeFetch(String urlString) throws Exception {
        URL url = new URL(urlString);

        // 1. Protocol allowlist: only https, so file:, ftp:, gopher: etc. never reach the client.
        if (!"https".equalsIgnoreCase(url.getProtocol())) {
            throw new WebApplicationException("Only HTTPS allowed", 400);
        }

        // 2. Destination filtering: check every address the name resolves to, not only the first,
        //    since an attacker-controlled zone can return a public and a private record together.
        for (InetAddress address : InetAddress.getAllByName(url.getHost())) {
            if (address.isLoopbackAddress() || address.isSiteLocalAddress()
                    || address.isLinkLocalAddress() || address.isAnyLocalAddress()) {
                throw new WebApplicationException("Internal access forbidden", 403);
            }
        }

        // 3. Host allowlist: exact match on the host component of the parsed URL.
        if (!ALLOWED_HOSTS.contains(url.getHost())) {
            throw new WebApplicationException("Domain not in allowlist", 403);
        }

        // The check above resolved the name once; the connection resolves it again. Use a
        // dedicated client whose Apache HttpClient has a custom DnsResolver so the validated
        // address is the one actually connected to (DNS rebinding).
        return client.target(url.toURI()).request().get();
    }
}
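An added example, not GuardAPI's code, of the DnsResolver approach recommended above: a resolver that rejects internal addresses at lookup time, wired into Dropwizard's JerseyClientBuilder. It assumes Dropwizard 2.x on Apache HttpClient 4.5 (where JerseyClientBuilder.using(DnsResolver) and SystemDefaultDnsResolver.INSTANCE exist); the class name and the "outbound-proxy" client name are my own choices.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import javax.ws.rs.client.Client;
import org.apache.http.conn.DnsResolver;
import org.apache.http.impl.conn.SystemDefaultDnsResolver;
import io.dropwizard.client.JerseyClientBuilder;
import io.dropwizard.client.JerseyClientConfiguration;
import io.dropwizard.setup.Environment;

/**
 * DnsResolver that refuses loopback, RFC 1918, link-local (169.254.0.0/16, which covers
 * the metadata endpoint), wildcard and multicast addresses. HttpClient calls it right
 * before opening the socket, so the address that passed the check is the address that
 * gets connected to; a record that flips after the resource's pre-check is caught here.
 */
public final class SsrfSafeDnsResolver implements DnsResolver {
    private final DnsResolver delegate;

    public SsrfSafeDnsResolver(DnsResolver delegate) {
        this.delegate = delegate;
    }

    public SsrfSafeDnsResolver() {
        this(SystemDefaultDnsResolver.INSTANCE);
    }

    /** True for any address an outbound proxy must never reach. */
    static boolean isForbidden(InetAddress a) {
        return a.isLoopbackAddress() || a.isSiteLocalAddress() || a.isLinkLocalAddress()
                || a.isAnyLocalAddress() || a.isMulticastAddress();
    }

    @Override
    public InetAddress[] resolve(String host) throws UnknownHostException {
        InetAddress[] addresses = delegate.resolve(host);
        // Reject the whole lookup if any record is internal: a hostile zone can mix a
        // public A record with a private one and hope the client picks the latter.
        for (InetAddress a : addresses) {
            if (isForbidden(a)) {
                throw new UnknownHostException("Refused internal address " + a.getHostAddress() + " for " + host);
            }
        }
        return addresses;
    }

    /** Wiring in Application#run(); "outbound-proxy" is only the metrics name of this client. */
    public static Client build(Environment env, JerseyClientConfiguration cfg) {
        return new JerseyClientBuilder(env).using(cfg).using(new SsrfSafeDnsResolver()).build("outbound-proxy");
    }
}
```

Because the resolver runs for every connection the client opens, it also covers 3xx redirect targets, which the pre-request check in SafeClient never sees. It does not apply when the client is configured to go through a forward proxy, since name resolution then happens at the proxy.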
