Fix SSRF (Server Side Request Forgery) in Vert.x
SSRF in Vert.x occurs when an attacker can make the server issue requests it was never meant to send, to internal resources or to third-party systems. This typically happens when unvalidated user input is passed straight into the Vert.x WebClient or HttpClient. Exploitation can lead to internal port scanning, access to cloud metadata services (such as AWS IMDS), or bypassing firewalls.
The Vulnerable Pattern
```java
WebClient client = WebClient.create(vertx);

router.get("/proxy").handler(ctx -> {
    // DANGER: the user provides the full URL directly and it is used unchanged
    String targetUrl = ctx.request().getParam("url");

    client.getAbs(targetUrl)
          .send()
          .onSuccess(res -> ctx.response().end(res.bodyAsString()))
          .onFailure(err -> ctx.fail(500));
});
```
The Secure Implementation
To kill SSRF in Vert.x, you must implement a multi-layered defense. First, parse the input with java.net.URI to extract the host; never use regex on raw strings. Second, apply a strict allowlist of domains. Do not use denylists: they are easily bypassed with decimal IPs or local aliases. Third, restrict the protocol to HTTPS to prevent file:// or gopher:// smuggling. For high-security environments, configure the Vert.x WebClient with a custom AddressResolverOptions to block resolution of private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and cloud metadata IPs (169.254.169.254), which also prevents DNS rebinding attacks.
```java
// Requires: import java.util.Set; and the WebClient `client` created above.
private static final Set<String> ALLOWED_DOMAINS = Set.of("api.trusted.com", "static.trusted.com");

router.get("/proxy").handler(ctx -> {
    String userUrl = ctx.request().getParam("url");

    try {
        java.net.URI uri = new java.net.URI(userUrl);
        String host = uri.getHost();

        // 1. Enforce HTTPS only
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            ctx.response().setStatusCode(400).end("Invalid protocol");
            return;
        }

        // 2. Strict host allowlisting
        if (host == null || !ALLOWED_DOMAINS.contains(host)) {
            ctx.response().setStatusCode(403).end("Forbidden Domain");
            return;
        }

        // 3. Prevent internal IP access via DNS resolution (simplified check)
        // In production, use a custom NameResolver to block RFC1918 addresses
        client.getAbs(uri.toString())
              .timeout(2000)
              .send()
              .onSuccess(res -> ctx.response().end(res.bodyAsString()))
              .onFailure(err -> ctx.fail(502));

    } catch (Exception e) {
        // new URI(...) throws on malformed input (and on a missing parameter)
        ctx.response().setStatusCode(400).end("Malformed URL");
    }
});
```
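The third step above is left as a comment; as an added example (not the page's own code), here it is worked out against the Vert.x 4 WebClient API: the host is resolved once, every returned record is checked against loopback, link-local and RFC1918 ranges, and the request is then pinned to the vetted IP while the hostname is kept for SNI and the Host header, so a changed DNS answer cannot redirect the connection. The class and method names, the allowlist contents and the route shape are assumptions.

```java
import io.vertx.core.buffer.Buffer;
import io.vertx.ext.web.RoutingContext;
import io.vertx.ext.web.client.WebClient;
import java.net.InetAddress;
import java.net.URI;
import java.util.Set;

public class SsrfGuard {
    // Assumed allowlist: only these hostnames may ever be fetched.
    private static final Set<String> ALLOWED_DOMAINS = Set.of("api.trusted.com", "static.trusted.com");

    // Rejects unspecified, loopback, link-local (169.254/16, where cloud metadata lives),
    // RFC1918/site-local and multicast addresses. Caveat: IPv6 ULA fc00::/7 and 100.64.0.0/10
    // are not covered by these JDK predicates; add explicit range checks if you need them.
    static boolean isPublicAddress(InetAddress a) {
        return !(a.isAnyLocalAddress() || a.isLoopbackAddress() || a.isLinkLocalAddress()
                || a.isSiteLocalAddress() || a.isMulticastAddress());
    }

    // Checks scheme, allowlist and every resolved record; returns the address to pin to, or throws.
    static InetAddress validate(URI uri) throws Exception {
        if (!"https".equalsIgnoreCase(uri.getScheme())) throw new IllegalArgumentException("scheme");
        String host = uri.getHost();
        if (host == null || !ALLOWED_DOMAINS.contains(host.toLowerCase())) throw new IllegalArgumentException("host");
        InetAddress[] records = InetAddress.getAllByName(host); // blocking: run via executeBlocking in production
        for (InetAddress a : records) {
            if (!isPublicAddress(a)) throw new IllegalArgumentException("non-public address " + a);
        }
        return records[0];
    }

    // Hypothetical handler for GET /proxy?url=...
    static void handleProxy(RoutingContext ctx, WebClient client) {
        URI uri; InetAddress ip;
        try {
            uri = new URI(ctx.request().getParam("url")); ip = validate(uri);
        } catch (Exception e) {
            ctx.response().setStatusCode(400).end("Rejected");
            return;
        }
        String path = (uri.getRawPath() == null || uri.getRawPath().isEmpty()) ? "/" : uri.getRawPath();
        if (uri.getRawQuery() != null) path += "?" + uri.getRawQuery();
        int port = uri.getPort() == -1 ? 443 : uri.getPort();
        // Connect to the vetted IP (no second lookup, so a rebinding DNS answer cannot redirect us),
        // keep the hostname for SNI and the Host header, and never follow redirects off the allowlist.
        client.get(port, ip.getHostAddress(), path)
              .ssl(true).virtualHost(uri.getHost()).followRedirects(false).timeout(2000)
              .send()
              .onSuccess(res -> ctx.response().setStatusCode(res.statusCode()).end(res.body() == null ? Buffer.buffer() : res.body()))
              .onFailure(err -> ctx.fail(502));
    }
}
```

Because the TLS handshake still presents the allowlisted hostname via virtualHost, certificate validation continues to apply even though the socket is opened to the IP literal.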
Verified by Ghost Labs Security Team