SafeURL is a library, created by Jack Whitton (aka @fin1te), that protects against SSRF by validating each part of the URL against a white or black list before making the request. SafeURL can also be used to validate URLs.
Installation and usage instructions can be found on the GitHub repository.
This server contains a file called "key.txt" in /var/www/html/ that contains a string of random characters. There is a .htaccess file with the following policy:
<Files key.txt> Order deny,allow Deny from all Allow from 127.0.0.1 Allow from 126.96.36.199 ErrorDocument 403 /oops.html </Files>
If you are able to read the contents of the file by bypassing safeURL, contact us explaining how you did so. Please include the contents of the "key.txt", as well as which language(s) the issue exists in the email.
The rules for the contest are as follows. For each security** issue in the safeURL library (write-up required), we will award Bitcoin proportionate to the threat level posed. All prizes will be awarded at the end of the contest after verification by our team.
** Mistakes in the configuration of the server or site do not count. The bounty only counts for issues in the code of the safeURL library. Additonally, please do not perform Denial of Service attacks. It will not contribute to the bounty contest, it will only make you look like a jerk.
SafeURL works by checking each part of a URL (i.e. scheme, domain, port) against a white and or black list, as well as resolving the domain to an IP address. Here are some examples of payloads that would throw an exception by the default configuration:
The following settings are used. Non-default options are italic.
//Don't send credentials, temporarily $sendCredentials = false; //Force DNS pinning $pinDns = true; $whitelist = array('ip' => array(), 'port' => array('80','443', '8080'), 'domain' => array(), 'scheme' => array('http', 'https')); $blacklist = array('ip' => array('0.0.0.0/8', '10.0.0.0/8', '100.64.0.0/10', '127.0.0.0/8', '169.254.0.0/16', '172.16.0.0/12', '192.0.0.0/29', '192.0.2.0/24', '188.8.131.52/24', '192.168.0.0/16', '198.18.0.0/15', '198.51.100.0/24', '203.0.113.0/24', '184.108.40.206/4', '240.0.0.0/4', '220.127.116.11'), 'port' => array(), 'domain' => array('safeurl-php.excludesecurity.com\.?'), 'scheme' => array());
Copyright © 2016, Include Security LLC. Design by Star Graphic Design