SafeURL for PHP

SafeURL is a library, created by Jack Whitton (aka @fin1te), that protects against SSRF by validating each part of the URL against a whitelist or blacklist before making the request. SafeURL can also be used to validate URLs.

Installation and usage instructions can be found on the GitHub repository.

Bug Bounty Contest

This server contains a file called "key.txt" in /var/www/html/ that contains a string of random characters. There is a .htaccess file with the following policy:

<Files key.txt>
    Order deny,allow
    Deny from all
    Allow from
    Allow from
    ErrorDocument 403 /oops.html
</Files>

If you are able to read the contents of the file by bypassing SafeURL, contact us explaining how you did so. Please include the contents of "key.txt" in the email, as well as which language(s) the issue exists in.

The rules for the contest are as follows. For each security** issue in the safeURL library (write-up required), we will award Bitcoin proportionate to the threat level posed. All prizes will be awarded at the end of the contest after verification by our team.

** Mistakes in the configuration of the server or site do not count. The bounty only counts for issues in the code of the SafeURL library. Additionally, please do not perform Denial of Service attacks. It will not contribute to the bounty contest, it will only make you look like a jerk.


SafeURL works by checking each part of a URL (i.e. scheme, domain, port) against a whitelist and/or blacklist, as well as resolving the domain to an IP address and checking that too. Here are some examples of payloads that would throw an exception under the default configuration:

Local URL
Private IP
Invalid Scheme
Invalid Port
Blacklisted Domain
Valid Domain

The following settings are used. Non-default options are italic.

    //Don't send credentials, temporarily
    $sendCredentials = false;

    //Force DNS pinning
    $pinDns = true;

    $whitelist = array('ip'     => array(),
               'port'   => array('80','443', '8080'),
               'domain' => array(),
               'scheme' => array('http', 'https'));

    $blacklist = array('ip'     => array('',      '',     '',
                                 '',    '', '',
                                 '',   '',   '',
                                 '', '',  '',
                                 '', '',    ''),
               'port'   => array(),
               'domain' => array('\.?'),
               'scheme' => array());
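The following is an added, self-contained example (not SafeURL's own code, and not the configuration above) that implements the checking order the page describes: scheme and port against the lists, the domain against regex lists, then every resolved IP against CIDR ranges, returning a pinned IP so the caller connects to exactly the address that was validated. Function names, the CIDR ranges, the domain regex and the offline resolver table are this example's own constructed values; the list arrays are shaped like the settings shown above.

```php
<?php
// Added example of SafeURL-style SSRF validation; names and data are constructed.

function ipInCidr(string $ip, string $cidr): bool {
    // Matches an IPv4 address against "a.b.c.d" or "a.b.c.d/n".
    if (strpos($cidr, '/') === false) {
        return $ip === $cidr;
    }
    [$subnet, $bits] = explode('/', $cidr, 2);
    $ipLong = ip2long($ip);
    $subnetLong = ip2long($subnet);
    if ($ipLong === false || $subnetLong === false) {
        return false;
    }
    $mask = $bits === '0' ? 0 : (~0 << (32 - (int)$bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

function listMatches(string $value, array $patterns, bool $isIp = false): bool {
    // IP lists are CIDR ranges; domain lists are anchored, case-insensitive regexes.
    foreach ($patterns as $pattern) {
        if ($isIp ? ipInCidr($value, $pattern) : (bool)preg_match('#^' . $pattern . '$#i', $value)) {
            return true;
        }
    }
    return false;
}

// Validates $url and returns the IP to pin the connection to; throws on any failed check.
function validateUrl(string $url, array $whitelist, array $blacklist, ?callable $resolver = null): string {
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        throw new InvalidArgumentException('Malformed URL');
    }
    $scheme = strtolower($parts['scheme']);
    $host   = strtolower($parts['host']);
    $port   = (string)($parts['port'] ?? ($scheme === 'https' ? 443 : 80));

    // Scheme and port: a non-empty whitelist is authoritative; the blacklist always applies.
    foreach (['scheme' => $scheme, 'port' => $port] as $key => $value) {
        if (!empty($whitelist[$key]) && !in_array($value, $whitelist[$key], true)) {
            throw new InvalidArgumentException("Non-whitelisted $key: $value");
        }
        if (in_array($value, $blacklist[$key] ?? [], true)) {
            throw new InvalidArgumentException("Blacklisted $key: $value");
        }
    }

    // Domain lists are checked by name before any DNS lookup happens.
    if (!empty($whitelist['domain']) && !listMatches($host, $whitelist['domain'])) {
        throw new InvalidArgumentException("Non-whitelisted domain: $host");
    }
    if (listMatches($host, $blacklist['domain'] ?? [])) {
        throw new InvalidArgumentException("Blacklisted domain: $host");
    }

    // Resolve once and check every A record. An IPv4 literal is its own record;
    // anything that does not resolve (including IPv6 literals here) fails closed.
    $resolver = $resolver ?? fn(string $h) => gethostbynamel($h) ?: [];
    $ips = filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) ? [$host] : $resolver($host);
    if ($ips === []) {
        throw new InvalidArgumentException("Cannot resolve $host");
    }
    foreach ($ips as $ip) {
        if (!empty($whitelist['ip']) && !listMatches($ip, $whitelist['ip'], true)) {
            throw new InvalidArgumentException("Non-whitelisted IP: $ip");
        }
        if (listMatches($ip, $blacklist['ip'] ?? [], true)) {
            throw new InvalidArgumentException("Blacklisted IP: $ip");
        }
    }
    // DNS pinning: the caller must connect to this address, not resolve the name again.
    return $ips[0];
}

// Constructed configuration, shaped like the settings above.
$whitelist = ['ip' => [], 'port' => ['80', '443', '8080'], 'domain' => [], 'scheme' => ['http', 'https']];
$blacklist = [
    'ip'     => ['10.0.0.0/8', '127.0.0.0/8', '169.254.0.0/16', '172.16.0.0/12', '192.168.0.0/16'],
    'port'   => [],
    'domain' => ['.*\.internal\.example'],
    'scheme' => [],
];

// Constructed resolver table so the example runs offline (TEST-NET addresses).
$fakeDns = fn(string $h) => [
    'www.example.com' => ['203.0.113.10'],
    'multi.example'   => ['203.0.113.20', '10.0.0.5'],   // one public and one private record
][$h] ?? [];

foreach (['http://www.example.com/', 'http://127.0.0.1/admin', 'http://www.example.com:22/',
          'ftp://www.example.com/', 'http://db.internal.example/', 'http://multi.example/'] as $url) {
    try {
        printf("%-32s -> pinned to %s\n", $url, validateUrl($url, $whitelist, $blacklist, $fakeDns));
    } catch (InvalidArgumentException $e) {
        printf("%-32s -> rejected: %s\n", $url, $e->getMessage());
    }
}
```

The returned IP only provides pinning if the HTTP client actually uses it: with cURL that means connecting to the pinned address (for example through CURLOPT_RESOLVE) while keeping the original Host header, and re-running the whole validation on every redirect target rather than letting the client follow redirects on its own.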

Copyright © 2016, Include Security LLC. Design by Star Graphic Design