SafeURL for Python

SafeURL is a library, created by Jack Whitton, that protects against SSRF by validating each part of a URL against a whitelist or blacklist before the request is made. SafeURL can also be used on its own to validate URLs.

Installation and usage instructions can be found on the project page.

Bug Bounty Contest

This server contains a file called "key.txt" in /var/www/html/ holding a string of random characters. A .htaccess file enforces the following policy:

<Files key.txt>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    Allow from 52.70.43.4
    ErrorDocument 403 /oops.html
</Files>
	

If you are able to read the contents of the file by bypassing SafeURL, email us explaining how you did so. Please include the contents of "key.txt", as well as which language(s) the issue exists in, in the email.

The rules for the contest are as follows. For each security** issue in the safeURL library (write-up required), we will award Bitcoin proportionate to the threat level posed. All prizes will be awarded at the end of the contest after verification by our team.

** Mistakes in the configuration of the server or site do not count. The bounty only counts for issues in the code of the SafeURL library. Additionally, please do not perform Denial of Service attacks. It will not contribute to the bounty contest; it will only make you look like a jerk.

Demo

SafeURL works by checking each part of a URL (scheme, domain and port) against a whitelist and/or blacklist, and by resolving the domain to an IP address so that the address is checked as well: a public-looking hostname that resolves into a private range is rejected by the IP check even though it passes the domain check. Here are some examples of payloads that the default configuration rejects with an exception:

Local URL: /localhost (the name resolves to 127.0.0.1, which falls inside the blacklisted 127.0.0.0/8)
Private IP: any address inside one of the blacklisted ranges listed below, e.g. 10.0.0.0/8 or 192.168.0.0/16
Invalid Scheme: ftp:/safeurl-python.excludesecurity.com (only http and https are whitelisted)
Invalid Port: /safeurl-python.excludesecurity.com:22 (only ports 80, 443 and 8080 are whitelisted)
Blacklisted Domain: /safeurl-python.excludesecurity.com (matched by the domain blacklist regex)
Valid Domain: any other public hostname over http or https on a whitelisted port that is not on the domain blacklist and resolves only to non-blacklisted addresses
The following settings are used. Note that 52.70.43.4, the address the .htaccess rule above allows, is also on the IP blacklist, so a validated request cannot be pointed back at this server's public address.

    send_credentials = False
    pin_dns = False
    lists = {
        "whitelist": {
            "ip": [],
            "port": ["80", "443", "8080"],
            "domain": [],
            "scheme": ["http", "https"]},
        "blacklist": {
            "ip": ["0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
                   "172.16.0.0/12", "192.0.0.0/29", "192.0.2.0/24", "192.88.99.0/24", "192.168.0.0/16",
                   "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4", "52.70.43.4"],
            "port": [],
            "domain": ["safeurl-python.excludesecurity.com\.?"],
            "scheme": []}
    }
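To make the checking described in the Demo section concrete, here is an added example that applies the lists above to a URL part by part, resolves the hostname and checks every returned address, and shows what the pin_dns option buys. It is written for this page and is not the safeurl-python library's own code; its function names (validate, client_connects_to, rebinding_resolver, is_rejected), the FAKE_DNS table standing in for socket.getaddrinfo(), and the hostnames and addresses in it (example.org, rebind.example, 93.184.216.34) are assumptions made so the example runs offline.

```python
# Added illustration of SafeURL-style checking; not the safeurl-python library's own code.
# LISTS copies the demo configuration above. FAKE_DNS is a constructed stand-in for
# socket.getaddrinfo() so this runs offline; its names and addresses are assumptions.
import ipaddress
import re
from urllib.parse import urlsplit, urlunsplit

LISTS = {
    "whitelist": {"ip": [], "port": ["80", "443", "8080"], "domain": [], "scheme": ["http", "https"]},
    "blacklist": {
        "ip": ["0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
               "172.16.0.0/12", "192.0.0.0/29", "192.0.2.0/24", "192.88.99.0/24", "192.168.0.0/16",
               "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
               "52.70.43.4"],
        "port": [], "domain": [r"safeurl-python.excludesecurity.com\.?"], "scheme": []},
}
FAKE_DNS = {"example.org": ["93.184.216.34"], "localhost": ["127.0.0.1"],
            "safeurl-python.excludesecurity.com": ["52.70.43.4"]}
DEFAULT_PORTS = {"http": 80, "https": 443}


class InvalidURLException(Exception):
    """Any URL part failing a whitelist or blacklist check."""

def fake_resolver(host):
    ips = FAKE_DNS.get(host.lower().rstrip("."))
    if not ips:
        raise InvalidURLException("unable to resolve %r" % host)
    return list(ips)

def rebinding_resolver(*answers):
    """Resolver that hands out each answer in turn, then repeats the last: a DNS rebinding server."""
    queue = list(answers)
    return lambda host: [queue.pop(0) if len(queue) > 1 else queue[0]]

def _check_listed(kind, value):
    # scheme and port: must appear in the whitelist when one is set, never in the blacklist
    wl, bl = LISTS["whitelist"][kind], LISTS["blacklist"][kind]
    if (wl and value not in wl) or value in bl:
        raise InvalidURLException("%s %r rejected" % (kind, value))

def _check_domain(host):
    # domain lists are regexes; fullmatch so a pattern cannot hit a substring of another name
    wl, bl = LISTS["whitelist"]["domain"], LISTS["blacklist"]["domain"]
    hit = lambda pats: any(re.fullmatch(p, host, re.IGNORECASE) for p in pats)
    if (wl and not hit(wl)) or hit(bl):
        raise InvalidURLException("domain %r rejected" % host)

def _check_ip(ip):
    # every resolved address is checked against the CIDR lists, not only the first
    addr = ipaddress.ip_address(ip)
    wl = [ipaddress.ip_network(n) for n in LISTS["whitelist"]["ip"]]
    bl = [ipaddress.ip_network(n) for n in LISTS["blacklist"]["ip"]]
    if (wl and not any(addr in n for n in wl)) or any(addr in n for n in bl):
        raise InvalidURLException("ip %s rejected" % addr)

def validate(url, resolver=fake_resolver, send_credentials=False, pin_dns=True):
    """Check each URL part; return the URL to fetch, the Host header to send and the vetted IP.
    With pin_dns the returned URL carries the vetted address instead of the name, so a second
    DNS lookup made by the HTTP client after the check (rebinding) cannot move the connection."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    _check_listed("scheme", scheme)
    if parts.username is not None and not send_credentials:
        raise InvalidURLException("credentials in the URL are not allowed")
    host = parts.hostname
    if not host:
        raise InvalidURLException("missing host")
    try:
        port = parts.port or DEFAULT_PORTS[scheme]
    except ValueError:
        raise InvalidURLException("invalid port")
    _check_listed("port", str(port))
    try:
        ipaddress.ip_address(host)
        ips = [host]                  # literal IP: nothing to resolve, the ranges still apply
    except ValueError:
        _check_domain(host)
        ips = resolver(host)
    for ip in ips:
        _check_ip(ip)
    target = ips[0] if pin_dns else host
    if ":" in target:
        target = "[%s]" % target      # IPv6 literal needs brackets inside a URL
    safe_url = urlunsplit((scheme, "%s:%d" % (target, port), parts.path or "/", parts.query, ""))
    return {"url": safe_url, "host_header": host, "ip": ips[0]}

def client_connects_to(result, resolver=fake_resolver):
    # model the HTTP client: it connects to whatever the URL's host resolves to *now*
    host = urlsplit(result["url"]).hostname
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return resolver(host)[0]

def rebinding_demo(pin_dns):
    # hypothetical attacker name answering with a public address first, then 127.0.0.1
    rr = rebinding_resolver("93.184.216.34", "127.0.0.1")
    return client_connects_to(validate("http://rebind.example/", resolver=rr, pin_dns=pin_dns), rr)

def is_rejected(url, **kwargs):
    try:
        validate(url, **kwargs)
        return False
    except InvalidURLException:
        return True
```

Two things worth checking in a real deployment that this example makes visible. First, rebinding_demo(False) ends up connecting to 127.0.0.1 even though every check passed, because the client resolved the name a second time; with pinning the vetted address is what gets connected to, and the original name travels only in the Host header (for https the client must also send it as the TLS server name and verify the certificate against it, which the example does not cover). Second, the IP lists shown above contain only IPv4 ranges, so with these exact lists a literal such as http://[::1]/ matches none of them; a deployment with IPv6 connectivity needs the corresponding IPv6 entries. Redirect responses are a separate concern: each hop's Location must go through the same validation.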

Copyright © 2016, Include Security LLC. Design by Star Graphic Design