dimva 2019 on the perils of leaking referrers in online
play

DIMVA 2019 On the Perils of Leaking Referrers in Online - PowerPoint PPT Presentation

Jan 01, 2023 •175 likes •636 views

DIMVA 2019 On the Perils of Leaking Referrers in Online Collaboration Services Authors: Beliz Kaleli Manuel Egele Gianluca Stringhini bkaleli@bu.edu megele@bu.edu gian@bu.edu Online Collaboration Services (OCSs)

  1. DIMVA 2019 On the Perils of Leaking Referrers in Online Collaboration Services Authors: Beliz Kaleli Manuel Egele Gianluca Stringhini bkaleli@bu.edu megele@bu.edu gian@bu.edu

  2. Online Collaboration Services (OCSs) File operations; ▪ Upload/Create ▪ View/Edit online Online ▪ Share Collaboration Services Beliz Kaleli 2

  3. Sharing a File on an OCS Upload secret location: or Create Share https://www.ocs-name.com/ < UniqueIdentifier > } OCS Ideally unguessable Beliz Kaleli 3

  4. This year McAfee reported that; “8% of shared files contain sensitive data” [1] ▪ OCS Files, used by individuals and companies, can contain sensitive information . [1] Where cloud files are shared. [1] https://www.skyhighnetworks.com/cloud-computing-trends-2019/ Beliz Kaleli 4

  5. Introduction We show that: The secret location of OCS files can be leaked by the improper handling of links embedded in these files. ▪ 21 OCS are analyzed on 6 different web browsers Beliz Kaleli 5

  6. Background - HTTP Referer ▪ HTTP Request Header that identifies the URI from which the request originated. Request Headers Value http://ocs.com/file1 HTTP Accept text/html, application/xhtml+xml Request Accept-Encoding gzip, deflate Accept-Language en-US, en; q=0.5 -------------- Connection keep-alive -------------- -------------- DNT 1 -------------- Host ocs.com Referer http://ocs.com/file1 User-Agent Mozilla/5.0 (X11; Linux x86_64) Beliz Kaleli 6

  7. Background - HTTP Referer Purpose: ▪ Personalize the website: provide specific help, suggest relevant pages to targeted users ▪ Generate special offers ▪ Webpage analytics (e.g., analyzing where most of the traffic is coming from) ▪ Block visitors from specific domains The HTTP Referer field is configurable with the Referrer Policy [1] [1] W3C Candidate Recommendation referrer policy. https://www.w3.org/TR/referrer-policy/. Beliz Kaleli 7

  8. Background - Existing Mitigations ● "no-referrer" ● "no-referrer-when-downgrade" ● "same-origin" ▪ Referrer Policy ● "origin" ● "strict-origin" ● "origin-when-cross-origin" ▪ HTML Link Type ● "strict-origin-when-cross-origin" (i.e. rel=”noreferrer”) ● "unsafe-url" HTTP Referer Referrer Structure No Referrer - ASCII Serialized http(s)://www.service-name.com/ Full Referrer http(s)://www.service-name.com/<UniqueIdentifier> Beliz Kaleli 8

  9. Attack Model maggi.cc Eve Beliz Kaleli 9

  10. Attack Model secret maggi.cc URL Eve Beliz Kaleli 10

  11. Attack Model secret URL secret maggi.cc URL Eve Beliz Kaleli 11

  12. Attack Model secret URL secret maggi.cc Referrer: secret URL URL Eve Beliz Kaleli 12

  13. Attack Model secret URL secret maggi.cc Referrer: secret URL URL maggi.cc Eve Beliz Kaleli 13

  14. Alice: Upload/Create file Beliz Kaleli 14

  15. Alice: Share file https://docs.google.com/document/d /17AA7PNbyu94pHe8QxKHKq8SsK PuLZV-9-ZrWvV-k45o/edit?usp=sha ring Beliz Kaleli 15

  16. Bob: Visit link Beliz Kaleli 16

  17. Implementation - Methodology To test our attack model on real-world OCSs: 1. Identifying relevant services 2. Creating files 3. Sharing files 4. Examining the referrer Beliz Kaleli 17

  18. Implementation - Identifying Relevant Services ▪ We obtained the most popular services by Google queries and crawling Alexa lists ▪ Top/Computers/Internet/File_Sharing ▪ Top/Computers/Internet/On_the_Web/Web_Applications/Storage ▪ Test manually: --------------------- -------------------o ▪ Setup an account ur-server.com ▪ Upload/Create file with link to our server ------------------- --------------------- ▪ Check if clickable ------------------- ▪ Check if shareable via a URL Uploaded file Beliz Kaleli 18

  19. Implementation - Creating Files ▪ Created different types of files: “.doc”, “.docx”, “.pdf”, “.xls”, “.xlsx”, “.ppt”, “.pptx”, “.note”, etc. Embedded Our web HTTP headers are logged URL server Beliz Kaleli 19

  20. Implementation - Sharing Files Relevant OCSs = File Hosting Services + Instant Messaging Services For file hosting services and instant messaging services; ▪ Shared through links which are editable or view-only For some instant messaging services; (e.g., Flock) ▪ File sent directly to chat between two accounts Beliz Kaleli 20

  21. Implementation - Examining Referrers Alice OCS --------------------- -------------------o ur-server.com Share Upload ------------------- secret URL --------------------- ------------------- Beliz Kaleli 21

  22. Implementation - Examining Referrers Alice OCS --------------------- -------------------o ur-server.com Share Upload ------------------- secret URL --------------------- ------------------- Beliz Kaleli 22

  23. Implementation - Examining Referrers Bob our-server Click on --------------------- embedded Collect Referrer -------------------o link Visit link URL from output ur-server.com secret URL of script ------------------- --------------------- ------------------- Beliz Kaleli 23

  24. Implementation - Examining Referrers Bob our-server Click on --------------------- embedded Collect Referrer -------------------o link Visit link URL from output ur-server.com secret URL of script ------------------- --------------------- ------------------- Beliz Kaleli 24

  25. Implementation - Examining Referrers Bob our-server Click on --------------------- embedded Collect Referrer -------------------o link Visit link URL from output ur-server.com secret URL of script ------------------- --------------------- ------------------- Beliz Kaleli 25

  26. Implementation - Examining Referrers Visit recorded Referrer URL Beliz Kaleli 26

  27. Implementation - Examining Referrers Visit recorded Referrer URL File is NOT accessed Beliz Kaleli 27

  28. Implementation - Examining Referrers Visit recorded Referrer URL File is NOT accessed Secret URL is NOT leaked Beliz Kaleli 28

  29. Implementation - Examining Referrers Visit recorded Referrer URL File is NOT File is accessed accessed Secret URL is NOT leaked Beliz Kaleli 29

  30. Implementation - Examining Referrers Visit recorded Referrer URL File is NOT File is accessed accessed Secret URL Secret URL is NOT leaked is leaked Beliz Kaleli 30

  31. Referrer Policy First Public Draft (2014): Working Draft (2016): ▪ "none" ▪ "no-referrer" ▪ "none-when-downgrade" ▪ "no-referrer-when-downgrade" ▪ "origin-only" ▪ "same-origin" ▪ "origin-when-cross-origin" ▪ "origin" ▪ "unsafe-url" ▪ "origin-when-cross-origin" ▪ "unsafe-url" Beliz Kaleli 31

  32. Referrer Policy First Public Draft (2014): Working Draft (2016): ▪ "none" ▪ "no-referrer" ▪ "none-when-downgrade" ▪ "no-referrer-when-downgrade" ▪ "origin-only" ▪ "same-origin" ▪ "origin-when-cross-origin" ▪ "origin" ▪ "unsafe-url" ▪ "strict-origin" ▪ "origin-when-cross-origin" ▪ "strict-origin-when-cross-origin" ▪ "unsafe-url" Currently a Candidate Recommendation Beliz Kaleli 32

  33. Evaluation - Common Insights Reasons behind vulnerabilities; ▪ Referrer Policy is not set by the OCS ▪ Referrer Policy option is not Services secure enough ▪ Different behavior on mobile and desktop browsers ▪ Edge and iOS Safari support Browsers older draft of Referrer Policy Beliz Kaleli 33

  34. Evaluation 7/21 Vulnerable : Vulnerable : Not vulnerable : N/A Beliz Kaleli 34

  35. Evaluation ▪ Edge and iOS Safari supports older draft of Referrer Policy e.g., Overleaf ▪ "origin-when-cross-origin" → Overleaf changed to "no-referrer" and added "rel=noreferrer" → No longer vulnerable Beliz Kaleli 35

  36. Evaluation ▪ Different behaviors on desktop and mobile browsers ▪ PDF.js removes referrers, built-in mechanisms may not e.g., Box ▪ Desktop browsers - PDF.js (removes referrers in requests) ▪ Mobile browsers - native PDF viewer (no referrer removal) ▪ "no-referrer-when-downgrade" Vulnerable: HTTPS → HTTPS ▪ Beliz Kaleli 36

  37. Evaluation ▪ Referrer Policy is not set by the OCS e.g., Onehub, Linkedin Slideshare, Evernote Fallback to "no-referrer-when-downgrade" ▪ Vulnerable: HTTPS → HTTPS ▪ Beliz Kaleli 37

  38. Adoption of Referrer Policy ▪ First 100K of lists : less safe option Beliz Kaleli 38

  39. Countermeasures User Provider ▪ Configure browser settings ▪ Trim HTTP Referer to only ▪ Use browser extensions display the hostname ▪ Use private browsing mode ▪ Use rel=”noreferrer” (on Firefox) ▪ Redirect links inside documents Beliz Kaleli 39

  40. Future Steps ▪ Analyze different browsers and OCSs ▪ Investigate whether this vulnerability is known ▪ Embed links to several real-world websites ▪ Analyze the use of information ▪ Fill files with fake sensitive data Beliz Kaleli 40

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

DIMVA 2019 June 19-20, 2019 Welcome from the General Chair 16th Conference on Detection of

DIMVA 2019 June 19-20, 2019 Welcome from the General Chair 16th Conference on Detection of

Gothenburg, Sweden DIMVA 2019 June 19-20, 2019 Welcome from the General Chair 16th Conference on Detection of Intrusions and Malware &amp; Vulnerability Assessment Magnus Almgren Chalmers University of Technology Sweden DIMVA 2019 Thanks to

345 views • 23 slides
The Libel Perils of Publishing a Print and/or Online Newspaper Tom Cronin October 4, 2019

The Libel Perils of Publishing a Print and/or Online Newspaper Tom Cronin October 4, 2019

The Libel Perils of Publishing a Print and/or Online Newspaper Tom Cronin October 4, 2019 Presenter Tom Cronin Partner - Gordon Rees Scully Mansukhani LLP Chicago 2 3 TOPICAL OVERVIEW Defamation and Libel Generally Liability for Newspaper

855 views • 50 slides
Businesses and Tax The Perils of Perception October 2015 Business and Tax Perils of

Businesses and Tax The Perils of Perception October 2015 Business and Tax Perils of

Businesses and Tax The Perils of Perception October 2015 Business and Tax Perils of Perception | October 2015 | FINAL | Public 1 Business contributes the largest proportion of tax of any group of tax payers (29%), yet people massively

270 views • 14 slides
Bintrimmer: Towards Static Binary Debloating Through Abstract Interpretation DIMVA, June 19 th

Bintrimmer: Towards Static Binary Debloating Through Abstract Interpretation DIMVA, June 19 th

Bintrimmer: Towards Static Binary Debloating Through Abstract Interpretation DIMVA, June 19 th 2019 Nilo Redini Computer Science @ UC Santa Barbara nredini@cs.ucsb.edu Motivation - Software complexity pushes developers toward component

958 views • 50 slides
The Promise and Perils of AI and Big Data in the City October 29, 2019 Martino Tran PhD

The Promise and Perils of AI and Big Data in the City October 29, 2019 Martino Tran PhD

The Promise and Perils of AI and Big Data in the City October 29, 2019 Martino Tran PhD Principle Investigator, Urban Predictive Analytics Lab Assistant Professor, School of Community &amp; Regional Planning, UBC 1 The rise of cities Urban

290 views • 12 slides
Disclosures I have no disclosures. CNS INFECTIONS: PEARLS AND PERILS Felicia Chow, MD, MAS

Disclosures I have no disclosures. CNS INFECTIONS: PEARLS AND PERILS Felicia Chow, MD, MAS

3/12/2019 Disclosures I have no disclosures. CNS INFECTIONS: PEARLS AND PERILS Felicia Chow, MD, MAS Assistant Professor University of California, San Francisco March 28, 2019

392 views • 17 slides
Preservation by Prevention Avoiding Losses from Catastrophes &amp; Common Perils October 5 th 2019

Preservation by Prevention Avoiding Losses from Catastrophes &amp; Common Perils October 5 th 2019

Preservation by Prevention Avoiding Losses from Catastrophes &amp; Common Perils October 5 th 2019 Sheila E. Courtney scourtney@pureinsurance.com WATER DAMAGE CLAIMS COST U.S. INSURANCE COMPANIES $10 BILLION A YEAR PURE Insurance | 3 TOILET

352 views • 18 slides
The Perils of Poor Communication Paul Kenny Pensions Ombudsman Perils of Poor communication

The Perils of Poor Communication Paul Kenny Pensions Ombudsman Perils of Poor communication

The Perils of Poor Communication Paul Kenny Pensions Ombudsman Perils of Poor communication (Its the way you tell it..) www.iapf.ie More confusion and more complaints result from poor communication than from almost any other single

408 views • 18 slides
Outline Background on Ketamine The Promise and Perils of Ketamine The Promise

Outline Background on Ketamine The Promise and Perils of Ketamine The Promise

Outline Background on Ketamine The Promise and Perils of Ketamine The Promise Single Infusion Therapy for TRD, Suicidal in Psychiatric Practice Ideation, PTSD Continuation Therapy Sanjay J. Mathew, MD The Perils

577 views • 9 slides
SoK: The Challenges, Pitfalls, and Perils of Using Hardware Performance Counters for Security

SoK: The Challenges, Pitfalls, and Perils of Using Hardware Performance Counters for Security

SoK: The Challenges, Pitfalls, and Perils of Using Hardware Performance Counters for Security Sanjeev Das , Jan Werner, Manos Antonakakis, Michalis Polychronakis, and Fabian Monrose SoK: The Challenges, Pitfalls, and Perils of Using Hardware

529 views • 28 slides
How to be a paranoid or just think like one 1 2 Leaking information Stealing 26.5 million

How to be a paranoid or just think like one 1 2 Leaking information Stealing 26.5 million

Pro rotection a and S d Securi rity How to be a paranoid or just think like one 1 2 Leaking information Stealing 26.5 million veteran s data Data on laptop stolen from employee s home (5/06) Veterans names Social Security

580 views • 30 slides
Understanding the Security of Traffic Signal Infrastructure Zhenyu Ning , Fengwei Zhang, and

Understanding the Security of Traffic Signal Infrastructure Zhenyu Ning , Fengwei Zhang, and

Understanding the Security of Traffic Signal Infrastructure Zhenyu Ning , Fengwei Zhang, and Stephen Remias COMPASS Lab Wayne State University DIMVA, June 19, 2019 Understanding the Security of Traffic Signal Infrastructure, DIMVA 19 1

906 views • 51 slides
Understanding the Security of Traffic Signal Infrastructure Zhenyu Ning , Fengwei Zhang, and

Understanding the Security of Traffic Signal Infrastructure Zhenyu Ning , Fengwei Zhang, and

Understanding the Security of Traffic Signal Infrastructure Zhenyu Ning , Fengwei Zhang, and Stephen Remias COMPASS Lab Wayne State University DIMVA, June 19, 2019 Understanding the Security of Traffic Signal Infrastructure, DIMVA 19 1

952 views • 53 slides
How to be a paranoid or just think like one 1 2 Leaking information Stealing 26.5 million

How to be a paranoid or just think like one 1 2 Leaking information Stealing 26.5 million

Protection tion and Se Secur urity ity How to be a paranoid or just think like one 1 2 Leaking information Stealing 26.5 million veterans data Data on laptop stolen from employees home (5/06) Veterans names Social Security

619 views • 27 slides
Capitol View V O L U M E 2 , N U M B E R 6 M A R C H 2 0 0 4 PERILS OF PAULINE: THE

Capitol View V O L U M E 2 , N U M B E R 6 M A R C H 2 0 0 4 PERILS OF PAULINE: THE

Capitol View V O L U M E 2 , N U M B E R 6 M A R C H 2 0 0 4 PERILS OF PAULINE: THE ADVENTURES OF THE ENERGY BILL On March 4, 2004 the Chairman of the Senate Energy Committee, Pete Domenici (R-NM), stated that he hopes Congress can

181 views • 7 slides
Past Perils Promise Happy Birthday Zoning: 1916-2016 Recent Challenges to Zoning Case Law

Past Perils Promise Happy Birthday Zoning: 1916-2016 Recent Challenges to Zoning Case Law

Welcome to Pace Law School A conference celebrating its past, acknowledging its perils, and anticipating its promise. Past Perils Promise Happy Birthday Zoning: 1916-2016 Recent Challenges to Zoning Case Law Update Patricia E. Salkin,

1.39k views • 78 slides
How to Write a Project Proposal What is the problem you are addressing? What is the context?

How to Write a Project Proposal What is the problem you are addressing? What is the context?

How to Write a Project Proposal What is the problem you are addressing? What is the context? What is your approach? How will you evaluate your approach? Based on your results what future directions will be possible? What is the timeline of

273 views • 3 slides
EE E6820: Speech &amp; Audio Processing &amp; Recognition Lecture 10: ASR: Sequence Recognition

EE E6820: Speech &amp; Audio Processing &amp; Recognition Lecture 10: ASR: Sequence Recognition

EE E6820: Speech &amp; Audio Processing &amp; Recognition Lecture 10: ASR: Sequence Recognition 1 Signal template matching 2 Statistical sequence recognition 3 Acoustic modeling 4 The Hidden Markov Model (HMM) Dan Ellis

615 views • 34 slides
CS 294-73 Software Engineering for Scientific Computing Lecture 3

CS 294-73 Software Engineering for Scientific Computing Lecture 3

CS 294-73 Software Engineering for Scientific Computing Lecture 3 C++: References, User-defined Types, and Templates Moving On to C++ Rounding out the C type system: ref, const Classes: making

714 views • 40 slides
A Knowledge-based Approach to Citation Extraction Min-Yuh Day 1,2 , Tzong-Han Tsai 1,3 ,

A Knowledge-based Approach to Citation Extraction Min-Yuh Day 1,2 , Tzong-Han Tsai 1,3 ,

A Knowledge-based Approach to Citation Extraction Min-Yuh Day 1,2 , Tzong-Han Tsai 1,3 , Cheng-Lung Sung 1 , Cheng-Wei Lee 1 , Shih-Hung Wu 4 , Chorng-Shyong Ong 2 , Wen-Lian Hsu 1 1 Institute of Information Science, Academia Sinica, Nankang,

261 views • 22 slides
Apache Traffic Server &amp; Lua Kit Chan (kichan@yahoo-inc.com) Agenda Intro Rationale

Apache Traffic Server &amp; Lua Kit Chan (kichan@yahoo-inc.com) Agenda Intro Rationale

Apache Traffic Server &amp; Lua Kit Chan (kichan@yahoo-inc.com) Agenda Intro Rationale Details Security Future 11/16/2014 2 Apache Traffic Server Fast, scalable and extensible HTTP/1.1 compliant caching proxy server

1.52k views • 45 slides
Web Cache Consistency Web Cache Consistency Web Cache Consistency Web Cache Consistency

Web Cache Consistency Web Cache Consistency Web Cache Consistency Web Cache Consistency

Web Cache Consistency Web Cache Consistency Web Cache Consistency Web Cache Consistency Requirements of performance, availability, and disconnected operation require us to relax the goal of semantic transparency. - HTTP 1.1 specification

598 views • 13 slides
Robust Defenses for Cross-Site Request Forgery Tsampanaki Nikoleta Lilitsis Prodromos Gigis

Robust Defenses for Cross-Site Request Forgery Tsampanaki Nikoleta Lilitsis Prodromos Gigis

Robust Defenses for Cross-Site Request Forgery Tsampanaki Nikoleta Lilitsis Prodromos Gigis Petros Paper Authors: Adam Barth, Collin Jackson, John C. Mitchell Outline What is CSRF attack? What is a login CSRF attack? Whats the

846 views • 30 slides
PRIVACYSCORE.ORG Investiatni security and privacy propertes of reaated Web sites Tobias Mueaaer

PRIVACYSCORE.ORG Investiatni security and privacy propertes of reaated Web sites Tobias Mueaaer

PRIVACYSCORE.ORG Investiatni security and privacy propertes of reaated Web sites Tobias Mueaaer Universitt Hamburg with Pascal Wichmann (Uni Hamburg) Max Maa (TU Darmstadt) Henning Pridhl (Uni Bamberg) und Dominik Herrmann (Uni Bamberg)

352 views • 24 slides

More recommend