A Go library created to help developers protect their applications from Server Side Request Forgery (SSRF) attacks. It implements a `safeurl.Client` wrapper around Go's native `net/http.Client` and performs validation on the incoming request against the configured allow and block lists. It also implements mitigation for DNS rebinding attacks.
The `safeurl.Client` can be configured through the `safeurl.Config` struct. It enables configuration of the following options:

- `AllowedPorts` - list of ports the application is allowed to connect to
- `AllowedSchemes` - list of schemes the application can use
- `AllowedHosts` - list of hosts the application is allowed to communicate with
- `BlockedIPs` - list of IP addresses the application is not allowed to connect to
- `AllowedIPs` - list of IP addresses the application is allowed to connect to
- `AllowedCIDR` - list of CIDR ranges the application is allowed to connect to
- `BlockedCIDR` - list of CIDR ranges the application is not allowed to connect to
- `IsIPv6Enabled` - specifies whether communication through IPv6 is enabled
- `AllowSendingCredentials` - specifies whether HTTP credentials should be sent
- `IsDebugLoggingEnabled` - enables debug logs
First, you need to include the `safeurl` module. To do that, add `github.com/doyensec/safeurl` to your project's `go.mod` file.
Sample:

```go
package main

import (
	"fmt"
	"io"

	"github.com/doyensec/safeurl"
)

func main() {
	// Only example.com is on the allow list; requests to any other host are rejected.
	config := safeurl.GetConfigBuilder().
		SetAllowedHosts("example.com").
		Build()

	client := safeurl.Client(config)

	resp, err := client.Get("https://example.com")
	if err != nil {
		// fmt.Errorf only builds an error value; report the error and stop instead.
		fmt.Printf("request returned error: %v\n", err)
		return
	}
	defer resp.Body.Close()

	// read response body
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		fmt.Printf("reading body failed: %v\n", err)
		return
	}
	fmt.Printf("received %d bytes\n", len(body))
}
```
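The description at the top of this README mentions two mechanisms: validating the request against allow/block lists, and mitigating DNS rebinding. The following is an added, self-contained example (written for this page, not code from the safeurl project) that shows the shape of both mechanisms using only the standard library: the hostname is resolved once, every resolved address is checked against a blocked-CIDR list, and the connection is then made to the validated IP literal rather than to the hostname, so a DNS answer that changes between the check and the connect cannot redirect the request. The `blockedCIDRs` and `allowedPorts` values, and the function names `CheckIP`, `CheckPort`, `SafeDialContext` and `NewSafeClient`, are assumptions constructed for this example and are not safeurl's API or defaults.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"time"
)

// Constructed block list for this example: loopback, RFC 1918, link-local
// (including the cloud metadata range) and their IPv6 equivalents.
var blockedCIDRs = mustParseCIDRs([]string{
	"127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
	"169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
})

// Constructed port allow list for this example.
var allowedPorts = map[string]bool{"80": true, "443": true}

func mustParseCIDRs(cidrs []string) []*net.IPNet {
	out := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		out = append(out, n)
	}
	return out
}

// CheckIP returns an error if the address falls inside any blocked range.
func CheckIP(ip net.IP) error {
	if ip == nil {
		return errors.New("invalid ip address")
	}
	for _, n := range blockedCIDRs {
		if n.Contains(ip) {
			return fmt.Errorf("ip %s is in blocked range %s", ip, n)
		}
	}
	return nil
}

// CheckPort returns an error unless the port is on the allow list.
func CheckPort(port string) error {
	if !allowedPorts[port] {
		return fmt.Errorf("port %s is not allowed", port)
	}
	return nil
}

// SafeDialContext resolves the host itself, validates every returned address,
// and dials the validated IP literal. Because the TCP connection goes to the
// address that was checked, a second DNS lookup never happens and a rebinding
// answer cannot steer the request to an internal address. TLS verification
// still uses the original hostname because http.Transport layers TLS on top
// of the connection returned here.
func SafeDialContext(ctx context.Context, network, addr string) (net.Conn, error) {
	host, port, err := net.SplitHostPort(addr)
	if err != nil {
		return nil, err
	}
	if err := CheckPort(port); err != nil {
		return nil, err
	}
	ips, err := net.DefaultResolver.LookupIPAddr(ctx, host)
	if err != nil {
		return nil, err
	}
	if len(ips) == 0 {
		return nil, errors.New("no addresses resolved for " + host)
	}
	for _, ip := range ips {
		if err := CheckIP(ip.IP); err != nil {
			return nil, err
		}
	}
	d := &net.Dialer{Timeout: 10 * time.Second}
	return d.DialContext(ctx, network, net.JoinHostPort(ips[0].IP.String(), port))
}

// NewSafeClient routes every connection, including redirect hops, through
// SafeDialContext, so each hop is validated with the same policy.
func NewSafeClient() *http.Client {
	return &http.Client{
		Transport: &http.Transport{DialContext: SafeDialContext},
		Timeout:   15 * time.Second,
	}
}

func main() {
	// Constructed sample addresses: one public, two that an SSRF payload would typically aim at.
	for _, s := range []string{"93.184.216.34", "127.0.0.1", "169.254.169.254"} {
		fmt.Printf("%-16s -> %v\n", s, CheckIP(net.ParseIP(s)))
	}
}
```

The important design point is that the resolution and the check happen inside the dialer, not in a separate pre-flight lookup: a pre-flight check that is followed by a normal `http.Client` call would resolve the name a second time, which is exactly the window a DNS rebinding attack exploits.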
To successfully run all the unit tests, you will need to run a local DNS and HTTP server. That can be done by executing the following command:

```shell
go run testing/servers.go
```

Once the servers are up and running, the unit tests can be run with:

```shell
go test -v
```
This tool has been created by Viktor Chuchurski and Alessandro Cotto of Doyensec LLC during our 25% research time.