uses and abuses of server side requests
play

Uses and Abuses of Server-Side Requests Giancarlo Pellegrino 1 , Onur - PowerPoint PPT Presentation

May 27, 2023 •176 likes •564 views

Uses and Abuses of Server-Side Requests Giancarlo Pellegrino 1 , Onur Catakoglu 2 , Davide Balzarotti 2 , and Christian Rossow 1 giancarlo.pellegrino@cispa.saarland 19th International Symposium on Research in Attacks, Intrusions and Defenses

  1. Uses and Abuses of Server-Side Requests Giancarlo Pellegrino 1 , Onur Catakoglu 2 , Davide Balzarotti 2 , and Christian Rossow 1 giancarlo.pellegrino@cispa.saarland 19th International Symposium on Research in Attacks, Intrusions and Defenses Paris, September 21 st , 2016 1 2

  2. Uses and Abuses of Server-Side Requests An increasing number of web applications use Server-Side Requests (SSRs) ● to fetch resources E.g., social networks, business applications, and many more – SSRs adopted before security consequences were fully understood ● Simple to implement; severe consequences if not done properly – ➔ Our work: first extensive assessment of SSRs security implication 1. Classification 2. Two new SSR-based attacks 3. Eight mitigations September 21, 2016 G. Pellegrino - Uses and Abuses of Server-Side Requests 2

  3. Server-Side Requests

  4. SSR Communication Pattern S C ES Three entities: browser C , SSR service S , External Server ES ● September 21, 2016 G. Pellegrino - Uses and Abuses of Server-Side Requests 4

  5. SSR Communication Pattern S C ES req( url ES ) Three entities: browser C , SSR service S , External Server ES ● C provides url ES to S ● September 21, 2016 G. Pellegrino - Uses and Abuses of Server-Side Requests 5

  6. SSR Communication Pattern S C ES url ES req( url ES ) SSR! Three entities: browser C , SSR service S , External Server ES ● C provides url ES to S ● S instantiates an HTTP client to retrieve url ES ● September 21, 2016 G. Pellegrino - Uses and Abuses of Server-Side Requests 6

  7. SSR Communication Pattern S C ES url ES req( url ES ) res S res ES Three entities: browser C , SSR service S , External Server ES ● C provides url ES to S ● S instantiates an HTTP client to retrieve url ES ● S can return either res ES to C , e.g., res S = res ES , or a transformation, e.g., res S = f ( res ES ) ● September 21, 2016 G. Pellegrino - Uses and Abuses of Server-Side Requests 7

  8. What are they used for? ● Share content in social networks url ES ● Import data in online documents ● Security protocols (e.g., OpenID) – avoid exposing sensitive data, e.g., security tokens, to untrusted users ● Feed aggregators ● Others ... res S September 21, 2016 G. Pellegrino - Uses and Abuses of Server-Side Requests 8

  9. Simple to implement S C ES url ES req(url ES ) res S res ES $ssr = curl_init(); $ssr = curl_init(); curl_setopt($ssr, CURLOPT_URL, url ES ); curl_setopt($ssr, CURLOPT_URL, url ES ); ssr = urllib.urlopen( url ES ) ssr = urllib.urlopen( url ES ) curl_setopt($ssr, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ssr, CURLOPT_RETURNTRANSFER, 1); data = ssr.read() data = ssr.read() $data = curl_exec($ssr); $data = curl_exec($ssr); curl_close($ssr); curl_close($ssr); ● HTTP client libs available in most popular programming languages – PHP: e.g., cURL, and file_get_contents – Python: e.g., urllib, httplib, and requests September 21, 2016 G. Pellegrino - Uses and Abuses of Server-Side Requests 9

  10. The Problems of SSRs S C ES url ES req(url ES ) res S res ES ● If not properly implemented, SSRs can be abused: 1. as stepping stones to attack ES 2. to access local resources of S , e.g., file:// , http://127.0.0.1/ 3. to expose malicious content to C 4. res ES can be used to attack S ● Popular abuse is Server-Side Request Forgery (SSRF) [1] September 21, 2016 G. Pellegrino - Uses and Abuses of Server-Side Requests 10

  11. The Problems of SSRs S C ES url ES req(url ES ) 1 res S res ES ● If not properly implemented, SSRs can be abused: 1. as stepping stones to attack ES 2. to access local resources of S , e.g., file:// , http://127.0.0.1/ 3. to expose malicious content to C 4. res ES can be used to attack S ● Popular abuse is Server-Side Request Forgery (SSRF) [1] September 21, 2016 G. Pellegrino - Uses and Abuses of Server-Side Requests 11

  12. The Problems of SSRs S C ES url ES req(url ES ) 1 2 res S res ES ● If not properly implemented, SSRs can be abused: 1. as stepping stones to attack ES 2. to access local resources of S , e.g., file:// , http://127.0.0.1/ 3. to expose malicious content to C 4. res ES can be used to attack S ● Popular abuse is Server-Side Request Forgery (SSRF) [1] September 21, 2016 G. Pellegrino - Uses and Abuses of Server-Side Requests 12

  13. The Problems of SSRs S C ES url ES req(url ES ) 1 2 res S res ES 3 ● If not properly implemented, SSRs can be abused: 1. as stepping stones to attack ES 2. to access local resources of S , e.g., file:// , http://127.0.0.1/ 3. to expose malicious content to C 4. res ES can be used to attack S ● Popular abuse is Server-Side Request Forgery (SSRF) [1] September 21, 2016 G. Pellegrino - Uses and Abuses of Server-Side Requests 13

  14. The Problems of SSRs S C ES url ES req(url ES ) 1 2 res S res ES 3 4 ● If not properly implemented, SSRs can be abused: 1. as stepping stones to attack ES 2. to access local resources of S , e.g., file:// , http://127.0.0.1/ 3. to expose malicious content to C 4. res ES can be used to attack S ● Popular abuse is Server-Side Request Forgery (SSRF) [1] September 21, 2016 G. Pellegrino - Uses and Abuses of Server-Side Requests 14

  15. The Problems of SSRs S C ES url ES req(url ES ) 1 2 res S res ES 3 4 ● If not properly implemented, SSRs can be abused: 1. as stepping stones to attack ES 2. to access local resources of S , e.g., file:// , http://127.0.0.1/ 3. to expose malicious content to C 4. res ES can be used to attack S ● Popular abuse is Server-Side Request Forgery (SSRF) September 21, 2016 G. Pellegrino - Uses and Abuses of Server-Side Requests 15

  16. Server-Side Request Forgery S C ES Attack payload ● C aims to exploit vulnerability in ES or access local resources of S ● ES behind a firewall that blocks direct access from the Internet ● S is exposed both to the Internet and to the local network September 21, 2016 G. Pellegrino - Uses and Abuses of Server-Side Requests 16

  17. Server-Side Request Forgery S C ES attack payload req( attack payload ) res S res ES ● SSR used to bypass firewalls and deliver attack payload to ES URL encoded buffer overflow shell code – e.g., gopher:// ES /X %EB%2A%5E%89v%08%C6 […] %FF%FF /bin/sh %00%89%EC%5D%C3 ● SSR used to access local resources as well: Filename – e.g., file:///etc/passwd September 21, 2016 G. Pellegrino - Uses and Abuses of Server-Side Requests 17

  18. Server-Side Request Forgery S C ES attack payload req( attack payload ) res S res ES Do we, now, know better? Do we, now, know better? ● SSR used to bypass firewalls and deliver attack payload to ES URL encoded buffer overflow shell code – e.g., gopher:// ES /X %EB%2A%5E%89v%08%C6 […] %FF%FF /bin/sh %00%89%EC%5D%C3 ● SSR used to access local resources as well: Filename – e.g., file:///etc/passwd September 21, 2016 G. Pellegrino - Uses and Abuses of Server-Side Requests 18

  19. Awareness of Security Risks: The Present S C ES url ES req(url ES ) 1 2 res S res ES 4 3 ● Reviewed of academic/non-academic literature and development best practices: Unawareness of risks, and guidelines on implementing SSRs are missing September 21, 2016 G. Pellegrino - Uses and Abuses of Server-Side Requests 19

  20. Awareness of Security Risks: The Present S C ES url ES req(url ES ) 1 2 res S res ES 4 3 Academic/non-academic literature: ● No attention from academic literature – Non-academic works focused only on SSRF – ➔ Attacks against C and S not considered Devel. best practices (design patterns, coding rules, and API doc.) ● Default programming language APIs offer no defense mechanism – No patterns nor coding rules specific for SSRs – ➔ Lack of both proper ways to implement S and attack countermeasures September 21, 2016 G. Pellegrino - Uses and Abuses of Server-Side Requests 20

  21. Awareness of Security Risks: The Present S C ES url ES req(url ES ) 1 2 res S res ES 4 3 How does this lack of knowledge How does this lack of knowledge Academic/non-academic literature: ● affect SSR implementations? affect SSR implementations? No attention from academic literature – Non-academic works focused only on SSRF – ➔ Attacks against C and S not considered Devel. best practices (design patterns, coding rules, and API doc.) ● Default programming language APIs offer no defense mechanism – No patterns nor coding rules specific for SSRs – ➔ Lack of both proper ways to implement S and attack countermeasures September 21, 2016 G. Pellegrino - Uses and Abuses of Server-Side Requests 21

  22. Our Contribution ● Systematic study of security implication of SSRs 1. Propose a classification that establishes common terminology and supersedes pre-existing works 2. Present two new attack scenarios against C and S Web Origin Laundering and Denial of Service ● 3. Analyse of 68 popular online services 4. Present list of mitigations September 21, 2016 G. Pellegrino - Uses and Abuses of Server-Side Requests 22

  23. SSR Classification

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Server side basics 1 CS380 URLs and web servers 2 http://server/path/file Usually when you

Server side basics 1 CS380 URLs and web servers 2 http://server/path/file Usually when you

Server side basics 1 CS380 URLs and web servers 2 http://server/path/file Usually when you type a URL in your browser: Your computer looks up the server's IP address using DNS Your browser connects to that IP address and requests

732 views • 39 slides
Session 19 Introduction to Server-Side Scripting 1 Lecture Objectives Recognize that a

Session 19 Introduction to Server-Side Scripting 1 Lecture Objectives Recognize that a

Session 19 Server Side Scripting Session 19 Introduction to Server-Side Scripting 1 Lecture Objectives Recognize that a server script provides a way to extend an html page to include logic and insertion of data Understand the

612 views • 12 slides
An Introduction to Php for Web API Principle of server side script WEB Client WEB SERVER html

An Introduction to Php for Web API Principle of server side script WEB Client WEB SERVER html

An Introduction to Php for Web API Principle of server side script WEB Client WEB SERVER html document SCRIPT HTTP SCRIPT Script engine Pages are generated by a program A html document at the server side includes the code to be

741 views • 72 slides
Introduction to Web built on a two-tier client/server system Requests and responses through

Introduction to Web built on a two-tier client/server system Requests and responses through

Introduction to Web built on a two-tier client/server system Requests and responses through which a Web browser and Web server communicate happen with HTTP Behavior W3C W3C The World Wide Web Consortium "The dream behind

1.33k views • 63 slides
COMP7306: Web technologies Server-side Web programming 6 February 2013 1 / 73 Pierre Senellart

COMP7306: Web technologies Server-side Web programming 6 February 2013 1 / 73 Pierre Senellart

COMP7306: Web technologies Server-side Web programming 6 February 2013 1 / 73 Pierre Senellart Licence de droits dusage Outline HTML forms Principles Input fields Server-side languages An example: PHP Introduction to database

1.08k views • 74 slides
JDBC 1 Three-Tier Architecture Web-browser e.g., Chrome, Safari, IE, HTTP Requests

JDBC 1 Three-Tier Architecture Web-browser e.g., Chrome, Safari, IE, HTTP Requests

JDBC 1 Three-Tier Architecture Web-browser e.g., Chrome, Safari, IE, HTTP Requests HTML Java App Server Application e.g., Apache Tomcat JDBC Tuples Requests DB Server 2 Example Data Entry Forms 123456789 1 John Doe Muir

771 views • 12 slides
Adaptive Mobile Web Design with a server side flavour James Rosewell & Thomas Holmes 1st

Adaptive Mobile Web Design with a server side flavour James Rosewell & Thomas Holmes 1st

Adaptive Mobile Web Design with a server side flavour James Rosewell & Thomas Holmes 1st June 2012 Explain Server Side options Objective = Efficient use of 1. your time 2. resources (server, client and data network) 1st June 2012 Agenda

626 views • 51 slides
Web Server Design Lecture 9 Server-Side Execution Old Dominion University Department of

Web Server Design Lecture 9 Server-Side Execution Old Dominion University Department of

Web Server Design Lecture 9 Server-Side Execution Old Dominion University Department of Computer Science CS 431/531 Fall 2019 Sawood Alam <salam@cs.odu.edu> 2019-10-24 Original slides by Michael L. Nelson Common Gateway Interface

653 views • 16 slides
SERVER-SIDE RENDERING ISN'T ENOUGH SERVER-SIDE RENDERING ISN'T ENOUGH MATTHEW PHILLIPS MATTHEW

SERVER-SIDE RENDERING ISN'T ENOUGH SERVER-SIDE RENDERING ISN'T ENOUGH MATTHEW PHILLIPS MATTHEW

SERVER-SIDE RENDERING ISN'T ENOUGH SERVER-SIDE RENDERING ISN'T ENOUGH MATTHEW PHILLIPS MATTHEW PHILLIPS GITHUB.COM/CANJS/CAN-SSR GITHUB.COM/CANJS/CAN-SSR TERMS TERMS Shared codebase Isomorphic Universal WHY BOTHER WHY BOTHER This sucks

453 views • 29 slides
Cookies and Sessions Thierry Security assumptions You have absolutely no control on the client

Cookies and Sessions Thierry Security assumptions You have absolutely no control on the client

Cookies and Sessions Thierry Security assumptions You have absolutely no control on the client Client Side Server Side Web Server Database Web Browser Cookies The big picture key/value pairs data Client Side Server Side HTTP request

783 views • 13 slides
CSCC09 Programming on the Web Thierry Sans Architecture of a Web Application Client Side

CSCC09 Programming on the Web Thierry Sans Architecture of a Web Application Client Side

CSCC09 Programming on the Web Thierry Sans Architecture of a Web Application Client Side Server Side Web Server Web Browser Web Technologies Content Resources Presentation management Client Side Processing Multimedia The evolution of

1.24k views • 23 slides
Server and Threads vanilladb.org Where are we? VanillaCore JDBC Interface (at Client Side)

Server and Threads vanilladb.org Where are we? VanillaCore JDBC Interface (at Client Side)

Server and Threads vanilladb.org Where are we? VanillaCore JDBC Interface (at Client Side) Remote.JDBC (Client/Server) Server Query Interface Tx Planner Parse Algebra Storage Interface Sql/Util Concurrency Recovery Metadata Index

787 views • 66 slides
Server Side Internet Programming Objectives The basics of servlets mapping and

Server Side Internet Programming Objectives The basics of servlets mapping and

Server Side Internet Programming Server Side Internet Programming Objectives The basics of servlets mapping and configuration compilation and execution Cookies and sessions Request and session attributes JSP execution,

946 views • 53 slides
Server-side Scripting Slides courtesy of Xenia Mountrouidou URLs and web servers 2

Server-side Scripting Slides courtesy of Xenia Mountrouidou URLs and web servers 2

Server-side Scripting Slides courtesy of Xenia Mountrouidou URLs and web servers 2 http://server/path/file Usually when you type a URL in your browser: Your computer looks up the server's IP address using DNS Your browser connects

645 views • 36 slides
Perl/CGI Perl/CGI is a server-side scripting language, used to run arbitrary programs within the

Perl/CGI Perl/CGI is a server-side scripting language, used to run arbitrary programs within the

Perl/CGI Perl/CGI is a server-side scripting language, used to run arbitrary programs within the web server. The web server is configured to understand the Perl scripts and to execute them. The web server on CCC is configured to connect to both

352 views • 7 slides
Control What You Include! Server-Side Protec7on against Third

Control What You Include! Server-Side Protec7on against Third

Control What You Include! Server-Side Protec7on against Third Party Web Tracking Dolire Francis Som, Nataliia Bielova, Tamara Rezk Privaski 2017

567 views • 18 slides
CS/COE 1520 pitt.edu/~ach54/cs1520 Introduction Meta-notes These notes are intended for

CS/COE 1520 pitt.edu/~ach54/cs1520 Introduction Meta-notes These notes are intended for

CS/COE 1520 pitt.edu/~ach54/cs1520 Introduction Meta-notes These notes are intended for use by students in CS1520 at the University of Pittsburgh. They are provided free of charge and may not be sold in any shape or form. These

539 views • 19 slides
Web Browser Privacy & Security Fan Du CMSC 818D Class Presentation 4/16/2015 1 Outline

Web Browser Privacy & Security Fan Du CMSC 818D Class Presentation 4/16/2015 1 Outline

Web Browser Privacy & Security Fan Du CMSC 818D Class Presentation 4/16/2015 1 Outline Q1: How to Prevent Web Tracking ? Q2: How to Opt Out Online Behavioral Advertising ? Q3: How to Design Phishing Websites ? 2 Outline

555 views • 51 slides
Modeling Video Traffic Sources for RMCAT Evalua9ons Our experience with the Mozilla web browser

Modeling Video Traffic Sources for RMCAT Evalua9ons Our experience with the Mozilla web browser

Modeling Video Traffic Sources for RMCAT Evalua9ons Our experience with the Mozilla web browser dra:-ie<-rmcat-video-traffic-model Xiaoqing Zhu, Sergio Mena, and Zaheduzzaman Sarker 1 Mozilla for transient behavior Outline Why we did it

470 views • 22 slides
Samsung Internet for GearVR Laszlo Gombos, Web Platform, Samsung @laszlogombos Samsung GearVR

Samsung Internet for GearVR Laszlo Gombos, Web Platform, Samsung @laszlogombos Samsung GearVR

Samsung Internet for GearVR Laszlo Gombos, Web Platform, Samsung @laszlogombos Samsung GearVR Controls GearVR Large field of view Improved tracking due to additional IMU (inertial measurement unit) - When docked, system does not use

215 views • 19 slides
IT350: Web & Internet Programming JavaScript Dynamic HTML CGI / PHP Set 12: CGI

IT350: Web & Internet Programming JavaScript Dynamic HTML CGI / PHP Set 12: CGI

Things well learn and do HTML5 basics, tables, forms Cascading Style Sheets IT350: Web & Internet Programming JavaScript Dynamic HTML CGI / PHP Set 12: CGI and PHP 1 Outline The Three-Tier Architecture

362 views • 18 slides
Announcements Class cancelled on Wednesday Web Security CS642:

Announcements Class cancelled on Wednesday Web Security CS642:

Announcements Class cancelled on Wednesday Web Security CS642: Computer Security Professor Ristenpart h=p://www.cs.wisc.edu/~rist/ rist at cs dot wisc dot

516 views • 36 slides
Web Security 1 last time: command injection placing user input in more complicated language SQL

Web Security 1 last time: command injection placing user input in more complicated language SQL

Web Security 1 last time: command injection placing user input in more complicated language SQL shell commands input accidentally treated as commands in language instead of single value (e.g. argument/string constant) defenses: better APIs:

630 views • 50 slides
End End-to-end File Encr Encryp yption i in n the the Web Br eb Browser er A Ca Case

End End-to-end File Encr Encryp yption i in n the the Web Br eb Browser er A Ca Case

End End-to-end File Encr Encryp yption i in n the the Web Br eb Browser er A Ca Case e Study dy Thomas Konrad, SBA Research Vue.js Meetup Vienna, Feb 11, 2020 SBA Research gGmbH, 2020 Classification: Public 1 ~ $ whoami Thomas

770 views • 50 slides

More recommend