Uses and Abuses of Server-Side Requests

Giancarlo Pellegrino (1), Onur Catakoglu (2), Davide Balzarotti (2), and Christian Rossow (1)

giancarlo.pellegrino@cispa.saarland

19th International Symposium on Research in Attacks, Intrusions and Defenses, Paris, September 21st, 2016

Slide 1: title slide (affiliations 1 and 2 shown as logos)

Slide 2

September 21, 2016 - G. Pellegrino - Uses and Abuses of Server-Side Requests - 2

Uses and Abuses of Server-Side Requests

  • An increasing number of web applications use Server-Side Requests (SSRs) to fetch resources, e.g., social networks, business applications, and many more
  • SSRs were adopted before their security consequences were fully understood: simple to implement, severe consequences if not done properly

➔ Our work: the first extensive assessment of the security implications of SSRs
  1. Classification
  2. Two new SSR-based attacks
  3. Eight mitigations
Slide 3

Server-Side Requests

Slide 7

SSR Communication Pattern

[Diagram: C sends req(urlES) to S; S requests urlES from ES, receives resES, and returns resS to C]

  • Three entities: browser C, SSR service S, External Server ES
  • C provides urlES to S
  • S instantiates an HTTP client to retrieve urlES
  • S can return either resES to C, e.g., resS = resES, or a transformation, e.g., resS = f(resES)
Slide 8

What are they used for?

  • Share content in social networks
  • Import data in online documents
  • Security protocols (e.g., OpenID)
    – avoid exposing sensitive data, e.g., security tokens, to untrusted users
  • Feed aggregators
  • Others ...

[Diagram: urlES goes in, resS comes back]

Slide 9

Simple to implement

[Diagram: C sends req(urlES) to S; S fetches urlES from ES, receives resES, and returns resS to C]

  • HTTP client libs available in most popular programming languages
    – PHP: e.g., cURL, and file_get_contents
    – Python: e.g., urllib, httplib, and requests

PHP (cURL):

    // $urlES is the URL supplied by the client C; S fetches it as-is
    $ssr = curl_init();
    curl_setopt($ssr, CURLOPT_URL, $urlES);
    curl_setopt($ssr, CURLOPT_RETURNTRANSFER, 1);  // return the body instead of printing it
    $data = curl_exec($ssr);
    curl_close($ssr);

Python (urllib, Python 2 API):

    import urllib
    # urlES is the URL supplied by the client C; S fetches it as-is
    ssr = urllib.urlopen(urlES)
    data = ssr.read()

Slide 10

The Problems of SSRs

  • If not properly implemented, SSRs can be abused:
    1. as stepping stones to attack ES
    2. to access local resources of S, e.g., file://, http://127.0.0.1/
    3. to expose malicious content to C
    4. resES can be used to attack S
  • Popular abuse is Server-Side Request Forgery (SSRF) [1]

[Diagram: C sends req(urlES) to S; S requests urlES from ES, receives resES, and returns resS to C; abuse points 1 to 4 are marked on the corresponding messages]


Slide 16

Server-Side Request Forgery

[Diagram: C delivers an attack payload to ES through S]

  • C aims to exploit a vulnerability in ES or access local resources of S
  • ES is behind a firewall that blocks direct access from the Internet
  • S is exposed both to the Internet and to the local network

Slide 18

Server-Side Request Forgery

[Diagram: C sends req(attack payload) to S; S forwards the attack payload to ES; resES returns to S and resS to C]

  • SSR used to bypass firewalls and deliver attack payload to ES
    – e.g., gopher://ES/X %EB%2A%5E%89v%08%C6 […] %FF%FF/bin/sh%00%89%EC%5D%C3 (URL-encoded buffer overflow shellcode)
  • SSR used to access local resources as well:
    – e.g., file:///etc/passwd (filename)

Do we, now, know better?

Slide 19

Awareness of Security Risks: The Present

  • Reviewed academic/non-academic literature and development best practices:

[Diagram: the SSR pattern with abuse points 1 to 4 marked]

Unawareness of risks, and guidelines on implementing SSRs are missing


Slide 21

Awareness of Security Risks: The Present

  • Academic/non-academic literature:
    – No attention from academic literature
    – Non-academic works focused only on SSRF
    ➔ Attacks against C and S not considered
  • Development best practices (design patterns, coding rules, and API documentation):
    – Default programming language APIs offer no defense mechanism
    – No patterns nor coding rules specific to SSRs
    ➔ Lack of both proper ways to implement S and attack countermeasures

[Diagram: the SSR pattern with abuse points 1 to 4 marked]

How does this lack of knowledge affect SSR implementations?

Slide 22

Our Contribution

  • Systematic study of the security implications of SSRs
    1. Propose a classification that establishes common terminology and supersedes pre-existing works
    2. Present two new attack scenarios against C and S: Web Origin Laundering and Denial of Service
    3. Analyse 68 popular online services
    4. Present a list of mitigations
Slide 23

SSR Classification


Slide 25

Classification

  Flaw: Forgery; Information Gathering; Insufficient Enforcement of Security Policies (Client-Side Policies, Server-Side Policies)
  Behavior: Proxy; Open Origin Policy; Storage; Amplifier; Bridge; Interpreter; Probe
  Control: Request (Destination, Content); Response (Content)
  Target: Client; SSR Service; External Service

  • Supersedes and includes pre-existing classifications (Polyakov's, CWE, and SSRF bible)
  • Four different dimensions:
    – Flaws: includes known classes plus a new one, i.e., insufficient enforcement of security policies
    – Behavior (new): identified seven distinct behaviors. Most are legitimate, but the combination can lead to attacks
    – Control (new): the control the attacker has on the content of SSRs and responses
    – Target: the possible target of an attack

Elements not considered by previous works

Slide 26

Attacks

Slide 27

Attacks

  • Seven attacks in four categories
    – Two previously unknown: Origin Laundering and Denial of Service
    – Others are already known: Reconnaissance and Bridging


Slide 29

Origin-based Web Browser Countermeasures

  • Web browsers implement various URL-based defense mechanisms to protect users and data from attacks/unwanted content
    – E.g., Google Safe Browsing, NoScript, and AdBlock
  • Security decisions are based on the origin (domain and TCP port) of a resource
    – E.g., accept/reject a resource, execute a JavaScript program
  • Web Origin Laundering is an attack that allows bypassing web browser URL-based defense mechanisms

[Diagram: C requests url from S (trusted) and receives res with Origin: S; C accepts res if the origin is trusted]

Slide 30

Web Origin Laundering: Overview

  • C asks S to retrieve a resource at ES
  • S behaves as a proxy: retrieves from ES and forwards to C
  • From the point of view of C, the origin of the resource is S, not ES
  ➔ C will take a security decision accordingly

[Diagram: C sends req(urlES) to S; S fetches urlES from ES; res comes back with Origin: ES and leaves S with Origin: S (laundering by S)]

Slide 31

Web Origin Laundering: Attack 1.1

  • S is trusted and ES is not (e.g., ES is blacklisted)
  • req(urlES) distributed via phishing email, web links, and/or social network
  • The origin of the resource is S (not ES), which is trusted!
  ➔ C accepts and displays it to the user: Google Safe Browsing bypass
  • This attack can be mitigated with the Content-Disposition header (suggests to a web browser to store a resource in a file)

[Diagram: C sends req(urlES) to trusted S; S fetches urlES from untrusted ES]

Slide 32

Web Origin Laundering: Attack 1.2

  • Attacker distributes a link to a malicious JavaScript page that:
    – requests urlES through S via an XMLHttpRequest
    – XMLHttpRequest allows ignoring the Content-Disposition header
    – finally, transforms the response into a data URL, which is then shown within the browser

[Diagram: the page's XMLHttpRequest sends req(urlES) to S; S fetches urlES from ES and answers with the resource plus Content-Disposition]

    var mal = "urlES";                                  // URL of the resource at ES
    var cor = new XMLHttpRequest();
    cor.onreadystatechange = function() {
      var ct = this.getResponseHeader("content-type");
      // re-emit the proxied body as a data: URL; the Content-Disposition header is not honored on this path
      window.location = "data:" + ct + "," + encodeURIComponent(cor.responseText);
    };
    cor.open("GET", "S?url=" + encodeURIComponent(mal), false);   // S's SSR endpoint, synchronous request
    cor.send();

Slide 33

Case Studies and Analysis

Slide 34

Analysis and Results

  • Analyzed 68 online services and mapped them to our classification: social networks, business web applications, software development tools, online image processing, and security protocols
  • Built a tool
    – Günther: https://github.com/tgianko/guenther
  • ~73% suffer from one flaw of our classification
  • ~15% implement insufficient forms of URL validation to counter SSRF
  • ~15% of services can be used for Web Origin Laundering

Slide 35

Mitigations

Slide 36

Mitigations

  • In the 68 services, we observed the following mitigating behaviors (yet not sufficient):
    (M1) Monitoring
    (M2) Avoid Acting as a Proxy or Wrap Response
    (M3) Perform Proper URL Validation
    (M4) Content Disposition
    (M5) Limit Resource Usage
    (M6) Remove Open Access Control Policies for CORS
    (M7) Limit Information Leakage
  • None of them solves Web Origin Laundering; we propose:
    (M8) Enforce (server-side) URL-Based Browser Countermeasures
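Added example, not from the slides and not the authors' Günther tool: a Python sketch of how S can apply M3, M4 and M8 to the SSR pattern of slides 7 and 10, namely an allowlist of URL schemes, resolving the host before connecting and rejecting non-public addresses (abuse 2 on slide 10, file:// and http://127.0.0.1/), re-validating every redirect hop, a server-side blocked-host check standing in for the browser's URL-based defenses of slide 29, and the Content-Disposition response of slide 31. The host names, addresses and DNS table are constructed, and `resolve` is injectable so the checks run offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # M3: file://, gopher:// and other schemes never reach the HTTP client
BLOCKED_HOSTS = {"evil.example"}     # M8 stand-in (constructed): hosts the browser's URL-based defenses would reject
# Constructed DNS table so the checks run offline; a deployment passes socket.gethostbyname instead.
CONSTRUCTED_DNS = {"ext.example": "8.8.8.8",            # a public address
                   "intranet.example": "10.1.2.3",      # RFC 1918, reachable only from S's network
                   "meta.example": "169.254.169.254",   # link-local
                   "localhost": "127.0.0.1"}

def constructed_resolve(host):
    return CONSTRUCTED_DNS.get(host, host)  # literal IP addresses pass through unchanged

def is_public_address(ip_text):
    """True only for globally routable unicast addresses: loopback, private and link-local fail."""
    ip = ipaddress.ip_address(ip_text)
    return ip.is_global and not ip.is_multicast

def validate_ssr_url(url, resolve=socket.gethostbyname):
    """M3 + M8: return (host, ip) if the URL is safe to fetch server-side, else raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed: %r" % parts.scheme)
    host = parts.hostname
    if not host or parts.username or parts.password:
        raise ValueError("missing host or embedded credentials")
    if host.lower() in BLOCKED_HOSTS:
        raise ValueError("host rejected by the server-side URL policy (M8)")
    # Resolve first, then judge the address: "localhost" or a name pointing at 127.0.0.1 fails here too
    ip = resolve(host)
    if not is_public_address(ip):
        raise ValueError("host resolves to a non-public address: %s" % ip)
    return host, ip

def is_safe_ssr_url(url, resolve=socket.gethostbyname):
    try:
        return bool(validate_ssr_url(url, resolve))
    except (ValueError, OSError):  # OSError: resolver failure
        return False

def validate_redirect_chain(urls, resolve=socket.gethostbyname):
    """Apply the same check to every hop: ES may answer with a redirect into S's own network."""
    return [validate_ssr_url(u, resolve)[1] for u in urls]

def relay_headers(upstream_content_type):
    """M4 (+M2): headers S sets when relaying resES so C stores it instead of rendering it under S's origin."""
    return {"Content-Type": upstream_content_type or "application/octet-stream",
            "Content-Disposition": "attachment", "X-Content-Type-Options": "nosniff"}
```

The actual fetch must connect to the address that passed the check (or re-resolve and compare), otherwise a DNS answer that changes between check and connect undoes the validation; gethostbyname also returns a single IPv4 answer, so a production version should examine every A and AAAA record.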

Slide 37

Conclusion

Slide 38

Conclusion/Takeaway

  • First comprehensive study of the security implications of SSRs
  • Presented a classification based on flaws, level of message control, behavior of the vulnerable SSR service, and potential attack target
  • Presented two new, previously unknown exploitation techniques
    – Web Origin Laundering and DoS attacks
  • Presented an analysis of 68 popular online services
  • Proposed a list of eight mitigations