2020-10-22, a Thursday

bypassing securly

school programming

If your school uses Securly for Chromebooks, there’s a pretty easy way to bypass some blocked websites like Discord.

TL;DR: Add ?suicidepreventionlifeline.org to the end of the URL.

Inspecting the code

Chrome extensions are “open source” (as are websites and apps) because Chrome needs to know what to execute. So, looking at Securly’s code, in securly.min.js, most of the code responsibly checks for domain names in url.hostname.

However, on line 913,

910 if (e.requestHeaders.forEach(function(e) {
911         "Purpose" == e.name && "prefetch" == e.value && (t = !0)
912     }), !t) {
913     if (-1 != e.url.indexOf("suicidepreventionlifeline.org")) return onBeforeRequestListener(e);
914     var o = e.url;
915     if (1 == interceptOrNot(e)) {

Here, if it finds suicidepreventionlifeline.org in the user’s URL, it’ll short circuit and allow the web page request through. Interestingly, although it’s checking for a domain name here, it’s checking it in e.url. Indeed, adding ?suicidepreventionlifeline.org to the end of the URL includes it in e.url, so -1 != e.url.indexOf("suicidepreventionlifeline.org") evaluates to true, allowing any site to be let through.

Why might this be the case? Perhaps it is to allow redirect links like https://l.facebook.com/l.php to suicide prevention material from being blocked even if the parent site is blocked, which could happen if someone copies a URL from the site without visiting it first.

For some reason, however, some sites like JSFuck can’t be bypassed using this technique.

See source and revision history on GitHub.