SafeURL for PHP

SafeURL is a library, created by Jack Whitton (aka @fin1te), that protects against SSRF by validating each part of the URL against a whitelist or blacklist before making the request. SafeURL can also be used purely to validate URLs, without making a request.

Installation and usage instructions can be found on the GitHub repository.

Bug Bounty Contest

This server contains a file called "key.txt" in /var/www/html/ that contains a string of random characters. There is a .htaccess file with the following policy:

<Files key.txt>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    Allow from 52.38.175.232
    ErrorDocument 403 /oops.html
</Files>

If you are able to read the contents of the file by bypassing SafeURL, contact us explaining how you did so. Please include the contents of key.txt in the email, as well as which language(s) the issue exists in.

The rules for the contest are as follows. For each security** issue in the safeURL library (write-up required), we will award Bitcoin proportionate to the threat level posed. All prizes will be awarded at the end of the contest after verification by our team.

** Mistakes in the configuration of the server or site do not count. The bounty only counts for issues in the code of the SafeURL library. Additionally, please do not perform Denial of Service attacks. It will not contribute to the bounty contest, it will only make you look like a jerk.

Demo

SafeURL works by checking each part of a URL (i.e. scheme, domain, port) against a whitelist and/or blacklist, as well as resolving the domain to an IP address and checking that address too. Here are some example payloads and how the default configuration treats them; the first five throw an exception, the last one is accepted:

Local URL (rejected): http://localhost
Private IP (rejected): http://10.0.0.1
Invalid Scheme (rejected): ftp://safeurl-php.excludesecurity.com
Invalid Port (rejected): http://safeurl-php.excludesecurity.com:22
Blacklisted Domain (rejected): http://safeurl-php.excludesecurity.com
Valid Domain (accepted): https://google.com

The following settings are used. Non-default options are italic.

    //Don't send credentials, temporarily
    $sendCredentials = false;

    //Force DNS pinning
    $pinDns = true;

    $whitelist = array('ip'     => array(),
               'port'   => array('80','443', '8080'),
               'domain' => array(),
               'scheme' => array('http', 'https'));

    $blacklist = array('ip'     => array('0.0.0.0/8',      '10.0.0.0/8',     '100.64.0.0/10',
                                 '127.0.0.0/8',    '169.254.0.0/16', '172.16.0.0/12',
                                 '192.0.0.0/29',   '192.0.2.0/24',   '192.88.99.0/24',
                                 '192.168.0.0/16', '198.18.0.0/15',  '198.51.100.0/24',
                                 '203.0.113.0/24', '224.0.0.0/4',    '240.0.0.0/4',
                                 '52.38.175.232'),
               'port'   => array(),
               'domain' => array('safeurl-php.excludesecurity.com\.?'),
               'scheme' => array());
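To make the checks above concrete, here is an added example (written for this page, not SafeURL's own code) that implements the same per-component validation in Python with exactly the whitelist and blacklist shown in the configuration: scheme, port and domain are checked against the lists, a literal IP host is checked directly, and a hostname is resolved and every returned address is checked against the IP blacklist. DNS answers come from a constructed table (FAKE_DNS) so the example runs offline; the name evil.example and the Google address in that table are made up. The validator returns the resolved addresses so a caller can connect to the address that was checked rather than re-resolving, which is the pinning idea behind the $pinDns option.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Lists copied from the demo page's configuration (same values, Python syntax).
WHITELIST = {"ip": [], "port": ["80", "443", "8080"], "domain": [], "scheme": ["http", "https"]}
BLACKLIST = {
    "ip": ["0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
           "172.16.0.0/12", "192.0.0.0/29", "192.0.2.0/24", "192.88.99.0/24",
           "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
           "224.0.0.0/4", "240.0.0.0/4", "52.38.175.232"],
    "port": [],
    "domain": [r"safeurl-php.excludesecurity.com\.?"],
    "scheme": [],
}

# Constructed DNS answers so the example runs offline (assumption, not real resolution).
# evil.example is a made-up name that resolves into a reserved range: it shows why the
# resolved address, not just the hostname, has to be checked.
FAKE_DNS = {
    "localhost": ["127.0.0.1"],
    "google.com": ["142.250.80.46"],
    "safeurl-php.excludesecurity.com": ["52.38.175.232"],
    "evil.example": ["203.0.113.10"],
}


class InvalidURLError(ValueError):
    """Raised when any component of the URL fails the list checks."""


def _check(kind, value, whitelist, blacklist):
    """Apply whitelist (if non-empty, value must be in it) then blacklist for one component."""
    wl = whitelist.get(kind) or []
    bl = blacklist.get(kind) or []
    if kind == "ip":
        ip = ipaddress.ip_address(value)
        def in_list(lst):
            return any(ip in ipaddress.ip_network(n, strict=False) for n in lst)
    elif kind == "domain":
        def in_list(lst):
            return any(re.fullmatch(p, value, re.IGNORECASE) for p in lst)
    else:
        def in_list(lst):
            return value in lst
    if wl and not in_list(wl):
        raise InvalidURLError(f"{kind} {value!r} is not whitelisted")
    if in_list(bl):
        raise InvalidURLError(f"{kind} {value!r} is blacklisted")


def validate_url(url, whitelist=WHITELIST, blacklist=BLACKLIST,
                 resolve=lambda host: FAKE_DNS.get(host, [])):
    """Validate scheme, port, domain and every resolved IP; return the pinned addresses."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    _check("scheme", scheme, whitelist, blacklist)
    host = parts.hostname
    if not host:
        raise InvalidURLError("missing host")
    port = parts.port if parts.port is not None else {"http": 80, "https": 443}.get(scheme)
    _check("port", str(port), whitelist, blacklist)
    try:
        # Literal IP host: check the address itself.
        ips = [str(ipaddress.ip_address(host))]
    except ValueError:
        # Hostname: check the name, then resolve it and check every address returned.
        _check("domain", host, whitelist, blacklist)
        ips = resolve(host)
        if not ips:
            raise InvalidURLError(f"could not resolve {host!r}")
    for ip in ips:
        _check("ip", ip, whitelist, blacklist)
    # The caller should connect to one of these addresses (DNS pinning) instead of
    # resolving the name again, so the address used is the one that was checked.
    return {"url": url, "host": host, "port": port, "ips": ips}


def classify(url, **kwargs):
    """Convenience wrapper: 'valid' or 'rejected: <reason>' for one URL."""
    try:
        validate_url(url, **kwargs)
        return "valid"
    except InvalidURLError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    for payload in ["http://localhost", "http://10.0.0.1",
                    "ftp://safeurl-php.excludesecurity.com",
                    "http://safeurl-php.excludesecurity.com:22",
                    "http://safeurl-php.excludesecurity.com",
                    "http://evil.example", "https://google.com"]:
        print(f"{payload:45} {classify(payload)}")
```

Running the block prints the outcome for each of the page's demo payloads plus the constructed evil.example case. Note that the order of checks matters for the message a user sees but not for safety: the whitelist test runs first for each component, so the ftp and :22 payloads are rejected as "not whitelisted", while the domain and resolved-IP payloads are rejected as "blacklisted".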

Copyright © 2016, Include Security LLC. Design by Star Graphic Design