uses and abuses of server side requests
play

Uses and Abuses of Server-Side Requests Giancarlo Pellegrino 1 , Onur - PowerPoint PPT Presentation

May 27, 2023 •176 likes •564 views

Uses and Abuses of Server-Side Requests Giancarlo Pellegrino 1 , Onur Catakoglu 2 , Davide Balzarotti 2 , and Christian Rossow 1 giancarlo.pellegrino@cispa.saarland 19th International Symposium on Research in Attacks, Intrusions and Defenses

  1. Uses and Abuses of Server-Side Requests Giancarlo Pellegrino 1 , Onur Catakoglu 2 , Davide Balzarotti 2 , and Christian Rossow 1 giancarlo.pellegrino@cispa.saarland 19th International Symposium on Research in Attacks, Intrusions and Defenses Paris, September 21 st , 2016 1 2

  2. Uses and Abuses of Server-Side Requests An increasing number of web applications use Server-Side Requests (SSRs) ● to fetch resources E.g., social networks, business applications, and many more – SSRs adopted before security consequences were fully understood ● Simple to implement; severe consequences if not done properly – ➔ Our work: first extensive assessment of SSRs security implication 1. Classification 2. Two new SSR-based attacks 3. Eight mitigations September 21, 2016 G. Pellegrino - Uses and Abuses of Server-Side Requests 2

  3. Server-Side Requests

  4. SSR Communication Pattern S C ES Three entities: browser C , SSR service S , External Server ES ● September 21, 2016 G. Pellegrino - Uses and Abuses of Server-Side Requests 4

  5. SSR Communication Pattern S C ES req( url ES ) Three entities: browser C , SSR service S , External Server ES ● C provides url ES to S ● September 21, 2016 G. Pellegrino - Uses and Abuses of Server-Side Requests 5

  6. SSR Communication Pattern S C ES url ES req( url ES ) SSR! Three entities: browser C , SSR service S , External Server ES ● C provides url ES to S ● S instantiates an HTTP client to retrieve url ES ● September 21, 2016 G. Pellegrino - Uses and Abuses of Server-Side Requests 6

  7. SSR Communication Pattern S C ES url ES req( url ES ) res S res ES Three entities: browser C , SSR service S , External Server ES ● C provides url ES to S ● S instantiates an HTTP client to retrieve url ES ● S can return either res ES to C , e.g., res S = res ES , or a transformation, e.g., res S = f ( res ES ) ● September 21, 2016 G. Pellegrino - Uses and Abuses of Server-Side Requests 7

  8. What are they used for? ● Share content in social networks url ES ● Import data in online documents ● Security protocols (e.g., OpenID) – avoid exposing sensitive data, e.g., security tokens, to untrusted users ● Feed aggregators ● Others ... res S September 21, 2016 G. Pellegrino - Uses and Abuses of Server-Side Requests 8

  9. Simple to implement S C ES url ES req(url ES ) res S res ES $ssr = curl_init(); $ssr = curl_init(); curl_setopt($ssr, CURLOPT_URL, url ES ); curl_setopt($ssr, CURLOPT_URL, url ES ); ssr = urllib.urlopen( url ES ) ssr = urllib.urlopen( url ES ) curl_setopt($ssr, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ssr, CURLOPT_RETURNTRANSFER, 1); data = ssr.read() data = ssr.read() $data = curl_exec($ssr); $data = curl_exec($ssr); curl_close($ssr); curl_close($ssr); ● HTTP client libs available in most popular programming languages – PHP: e.g., cURL, and file_get_contents – Python: e.g., urllib, httplib, and requests September 21, 2016 G. Pellegrino - Uses and Abuses of Server-Side Requests 9

  10. The Problems of SSRs S C ES url ES req(url ES ) res S res ES ● If not properly implemented, SSRs can be abused: 1. as stepping stones to attack ES 2. to access local resources of S , e.g., file:// , http://127.0.0.1/ 3. to expose malicious content to C 4. res ES can be used to attack S ● Popular abuse is Server-Side Request Forgery (SSRF) [1] September 21, 2016 G. Pellegrino - Uses and Abuses of Server-Side Requests 10

  11. The Problems of SSRs S C ES url ES req(url ES ) 1 res S res ES ● If not properly implemented, SSRs can be abused: 1. as stepping stones to attack ES 2. to access local resources of S , e.g., file:// , http://127.0.0.1/ 3. to expose malicious content to C 4. res ES can be used to attack S ● Popular abuse is Server-Side Request Forgery (SSRF) [1] September 21, 2016 G. Pellegrino - Uses and Abuses of Server-Side Requests 11

  12. The Problems of SSRs S C ES url ES req(url ES ) 1 2 res S res ES ● If not properly implemented, SSRs can be abused: 1. as stepping stones to attack ES 2. to access local resources of S , e.g., file:// , http://127.0.0.1/ 3. to expose malicious content to C 4. res ES can be used to attack S ● Popular abuse is Server-Side Request Forgery (SSRF) [1] September 21, 2016 G. Pellegrino - Uses and Abuses of Server-Side Requests 12

  13. The Problems of SSRs S C ES url ES req(url ES ) 1 2 res S res ES 3 ● If not properly implemented, SSRs can be abused: 1. as stepping stones to attack ES 2. to access local resources of S , e.g., file:// , http://127.0.0.1/ 3. to expose malicious content to C 4. res ES can be used to attack S ● Popular abuse is Server-Side Request Forgery (SSRF) [1] September 21, 2016 G. Pellegrino - Uses and Abuses of Server-Side Requests 13

  14. The Problems of SSRs S C ES url ES req(url ES ) 1 2 res S res ES 3 4 ● If not properly implemented, SSRs can be abused: 1. as stepping stones to attack ES 2. to access local resources of S , e.g., file:// , http://127.0.0.1/ 3. to expose malicious content to C 4. res ES can be used to attack S ● Popular abuse is Server-Side Request Forgery (SSRF) [1] September 21, 2016 G. Pellegrino - Uses and Abuses of Server-Side Requests 14

  15. The Problems of SSRs S C ES url ES req(url ES ) 1 2 res S res ES 3 4 ● If not properly implemented, SSRs can be abused: 1. as stepping stones to attack ES 2. to access local resources of S , e.g., file:// , http://127.0.0.1/ 3. to expose malicious content to C 4. res ES can be used to attack S ● Popular abuse is Server-Side Request Forgery (SSRF) September 21, 2016 G. Pellegrino - Uses and Abuses of Server-Side Requests 15

  16. Server-Side Request Forgery S C ES Attack payload ● C aims to exploit vulnerability in ES or access local resources of S ● ES behind a firewall that blocks direct access from the Internet ● S is exposed both to the Internet and to the local network September 21, 2016 G. Pellegrino - Uses and Abuses of Server-Side Requests 16

  17. Server-Side Request Forgery S C ES attack payload req( attack payload ) res S res ES ● SSR used to bypass firewalls and deliver attack payload to ES URL encoded buffer overflow shell code – e.g., gopher:// ES /X %EB%2A%5E%89v%08%C6 […] %FF%FF /bin/sh %00%89%EC%5D%C3 ● SSR used to access local resources as well: Filename – e.g., file:///etc/passwd September 21, 2016 G. Pellegrino - Uses and Abuses of Server-Side Requests 17

  18. Server-Side Request Forgery S C ES attack payload req( attack payload ) res S res ES Do we, now, know better? Do we, now, know better? ● SSR used to bypass firewalls and deliver attack payload to ES URL encoded buffer overflow shell code – e.g., gopher:// ES /X %EB%2A%5E%89v%08%C6 […] %FF%FF /bin/sh %00%89%EC%5D%C3 ● SSR used to access local resources as well: Filename – e.g., file:///etc/passwd September 21, 2016 G. Pellegrino - Uses and Abuses of Server-Side Requests 18

  19. Awareness of Security Risks: The Present S C ES url ES req(url ES ) 1 2 res S res ES 4 3 ● Reviewed of academic/non-academic literature and development best practices: Unawareness of risks, and guidelines on implementing SSRs are missing September 21, 2016 G. Pellegrino - Uses and Abuses of Server-Side Requests 19

  20. Awareness of Security Risks: The Present S C ES url ES req(url ES ) 1 2 res S res ES 4 3 Academic/non-academic literature: ● No attention from academic literature – Non-academic works focused only on SSRF – ➔ Attacks against C and S not considered Devel. best practices (design patterns, coding rules, and API doc.) ● Default programming language APIs offer no defense mechanism – No patterns nor coding rules specific for SSRs – ➔ Lack of both proper ways to implement S and attack countermeasures September 21, 2016 G. Pellegrino - Uses and Abuses of Server-Side Requests 20

  21. Awareness of Security Risks: The Present S C ES url ES req(url ES ) 1 2 res S res ES 4 3 How does this lack of knowledge How does this lack of knowledge Academic/non-academic literature: ● affect SSR implementations? affect SSR implementations? No attention from academic literature – Non-academic works focused only on SSRF – ➔ Attacks against C and S not considered Devel. best practices (design patterns, coding rules, and API doc.) ● Default programming language APIs offer no defense mechanism – No patterns nor coding rules specific for SSRs – ➔ Lack of both proper ways to implement S and attack countermeasures September 21, 2016 G. Pellegrino - Uses and Abuses of Server-Side Requests 21

  22. Our Contribution ● Systematic study of security implication of SSRs 1. Propose a classification that establishes common terminology and supersedes pre-existing works 2. Present two new attack scenarios against C and S Web Origin Laundering and Denial of Service ● 3. Analyse of 68 popular online services 4. Present list of mitigations September 21, 2016 G. Pellegrino - Uses and Abuses of Server-Side Requests 22

  23. SSR Classification

Recommend

Server side basics 1 CS380 URLs and web servers 2 http://server/path/file Usually when you

Server side basics 1 CS380 URLs and web servers 2 http://server/path/file Usually when you

Server side basics 1 CS380 URLs and web servers 2 http://server/path/file Usually when you type a URL in your browser: Your computer looks up the server's IP address using DNS Your browser connects to that IP address and requests

732 views • 39 slides
Session 19 Introduction to Server-Side Scripting 1 Lecture Objectives Recognize that a

Session 19 Introduction to Server-Side Scripting 1 Lecture Objectives Recognize that a

Session 19 Server Side Scripting Session 19 Introduction to Server-Side Scripting 1 Lecture Objectives Recognize that a server script provides a way to extend an html page to include logic and insertion of data Understand the

612 views • 12 slides
An Introduction to Php for Web API Principle of server side script WEB Client WEB SERVER html

An Introduction to Php for Web API Principle of server side script WEB Client WEB SERVER html

An Introduction to Php for Web API Principle of server side script WEB Client WEB SERVER html document SCRIPT HTTP SCRIPT Script engine Pages are generated by a program A html document at the server side includes the code to be

741 views • 72 slides
Introduction to Web built on a two-tier client/server system Requests and responses through

Introduction to Web built on a two-tier client/server system Requests and responses through

Introduction to Web built on a two-tier client/server system Requests and responses through which a Web browser and Web server communicate happen with HTTP Behavior W3C W3C The World Wide Web Consortium "The dream behind

1.33k views • 63 slides
COMP7306: Web technologies Server-side Web programming 6 February 2013 1 / 73 Pierre Senellart

COMP7306: Web technologies Server-side Web programming 6 February 2013 1 / 73 Pierre Senellart

COMP7306: Web technologies Server-side Web programming 6 February 2013 1 / 73 Pierre Senellart Licence de droits dusage Outline HTML forms Principles Input fields Server-side languages An example: PHP Introduction to database

1.08k views • 74 slides
JDBC 1 Three-Tier Architecture Web-browser e.g., Chrome, Safari, IE, HTTP Requests

JDBC 1 Three-Tier Architecture Web-browser e.g., Chrome, Safari, IE, HTTP Requests

JDBC 1 Three-Tier Architecture Web-browser e.g., Chrome, Safari, IE, HTTP Requests HTML Java App Server Application e.g., Apache Tomcat JDBC Tuples Requests DB Server 2 Example Data Entry Forms 123456789 1 John Doe Muir

771 views • 12 slides
Adaptive Mobile Web Design with a server side flavour James Rosewell & Thomas Holmes 1st

Adaptive Mobile Web Design with a server side flavour James Rosewell & Thomas Holmes 1st

Adaptive Mobile Web Design with a server side flavour James Rosewell & Thomas Holmes 1st June 2012 Explain Server Side options Objective = Efficient use of 1. your time 2. resources (server, client and data network) 1st June 2012 Agenda

626 views • 51 slides
Web Server Design Lecture 9 Server-Side Execution Old Dominion University Department of

Web Server Design Lecture 9 Server-Side Execution Old Dominion University Department of

Web Server Design Lecture 9 Server-Side Execution Old Dominion University Department of Computer Science CS 431/531 Fall 2019 Sawood Alam <salam@cs.odu.edu> 2019-10-24 Original slides by Michael L. Nelson Common Gateway Interface

653 views • 16 slides
SERVER-SIDE RENDERING ISN'T ENOUGH SERVER-SIDE RENDERING ISN'T ENOUGH MATTHEW PHILLIPS MATTHEW

SERVER-SIDE RENDERING ISN'T ENOUGH SERVER-SIDE RENDERING ISN'T ENOUGH MATTHEW PHILLIPS MATTHEW

SERVER-SIDE RENDERING ISN'T ENOUGH SERVER-SIDE RENDERING ISN'T ENOUGH MATTHEW PHILLIPS MATTHEW PHILLIPS GITHUB.COM/CANJS/CAN-SSR GITHUB.COM/CANJS/CAN-SSR TERMS TERMS Shared codebase Isomorphic Universal WHY BOTHER WHY BOTHER This sucks

453 views • 29 slides
Cookies and Sessions Thierry Security assumptions You have absolutely no control on the client

Cookies and Sessions Thierry Security assumptions You have absolutely no control on the client

Cookies and Sessions Thierry Security assumptions You have absolutely no control on the client Client Side Server Side Web Server Database Web Browser Cookies The big picture key/value pairs data Client Side Server Side HTTP request

783 views • 13 slides
CSCC09 Programming on the Web Thierry Sans Architecture of a Web Application Client Side

CSCC09 Programming on the Web Thierry Sans Architecture of a Web Application Client Side

CSCC09 Programming on the Web Thierry Sans Architecture of a Web Application Client Side Server Side Web Server Web Browser Web Technologies Content Resources Presentation management Client Side Processing Multimedia The evolution of

1.24k views • 23 slides
Server and Threads vanilladb.org Where are we? VanillaCore JDBC Interface (at Client Side)

Server and Threads vanilladb.org Where are we? VanillaCore JDBC Interface (at Client Side)

Server and Threads vanilladb.org Where are we? VanillaCore JDBC Interface (at Client Side) Remote.JDBC (Client/Server) Server Query Interface Tx Planner Parse Algebra Storage Interface Sql/Util Concurrency Recovery Metadata Index

787 views • 66 slides
Server Side Internet Programming Objectives The basics of servlets mapping and

Server Side Internet Programming Objectives The basics of servlets mapping and

Server Side Internet Programming Server Side Internet Programming Objectives The basics of servlets mapping and configuration compilation and execution Cookies and sessions Request and session attributes JSP execution,

946 views • 53 slides
Server-side Scripting Slides courtesy of Xenia Mountrouidou URLs and web servers 2

Server-side Scripting Slides courtesy of Xenia Mountrouidou URLs and web servers 2

Server-side Scripting Slides courtesy of Xenia Mountrouidou URLs and web servers 2 http://server/path/file Usually when you type a URL in your browser: Your computer looks up the server's IP address using DNS Your browser connects

645 views • 36 slides
Perl/CGI Perl/CGI is a server-side scripting language, used to run arbitrary programs within the

Perl/CGI Perl/CGI is a server-side scripting language, used to run arbitrary programs within the

Perl/CGI Perl/CGI is a server-side scripting language, used to run arbitrary programs within the web server. The web server is configured to understand the Perl scripts and to execute them. The web server on CCC is configured to connect to both

352 views • 7 slides
Control What You Include! Server-Side Protec7on against Third

Control What You Include! Server-Side Protec7on against Third

Control What You Include! Server-Side Protec7on against Third Party Web Tracking Dolire Francis Som, Nataliia Bielova, Tamara Rezk Privaski 2017

567 views • 18 slides
Server -side security risks (esp sp. . injection jection atta ttacks) s) websec 1 Attacks

Server -side security risks (esp sp. . injection jection atta ttacks) s) websec 1 Attacks

Web Securi rity ty Server -side security risks (esp sp. . injection jection atta ttacks) s) websec 1 Attacks on the web server malicious input web server er output This can be attacks on Availability: i.e. DoS attack, where attacker

1.86k views • 79 slides
Internet Engineering: Server Side Development Ali Kamandi Sharif University of Technology

Internet Engineering: Server Side Development Ali Kamandi Sharif University of Technology

Internet Engineering: Server Side Development Ali Kamandi Sharif University of Technology kamandi@ce.sharif.edu Fall 2007 HyperText Transfer Protocol Web Server Client Request Response Open a connection Make a request Server

818 views • 54 slides
Storing Data Thierry Sans Modern Web Platform Client Side Server Side Web API Database Why

Storing Data Thierry Sans Modern Web Platform Client Side Server Side Web API Database Why

Storing Data Thierry Sans Modern Web Platform Client Side Server Side Web API Database Why using a database Persistency Concurrency (avoid race conditions) Query Scalability SQL vs NoSQL databases Relational database (SQL

475 views • 10 slides
React Native HTTP/Fetch Sending data 1 Sending data to web server Two methods GET

React Native HTTP/Fetch Sending data 1 Sending data to web server Two methods GET

React Native HTTP/Fetch Sending data 1 Sending data to web server Two methods GET requests include all required data in the URL. POST requests supply additional data from the client (browser) to the server in the message body.

749 views • 20 slides
Detecting Zero-Day Attacks in Web Server Requests Dr. Melissa Danforth Dept. of Computer &

Detecting Zero-Day Attacks in Web Server Requests Dr. Melissa Danforth Dept. of Computer &

WCIS: A Prototype for Detecting Zero-Day Attacks in Web Server Requests Dr. Melissa Danforth Dept. of Computer & Electrical Engineering & Computer Science California State University, Bakersfield Presentation Outline Web

217 views • 20 slides
Client and Server model Client , like your computer or mobile phone, makes requests to

Client and Server model Client , like your computer or mobile phone, makes requests to

Client and Server model Client , like your computer or mobile phone, makes requests to specific server. Client and Server model Client , like your computer or mobile phone, makes requests to specific server. Server gets the request and

441 views • 25 slides
Client-side scripting Web pages can only update by reloading HTTP requests take too long

Client-side scripting Web pages can only update by reloading HTTP requests take too long

Client-side scripting Web pages can only update by reloading HTTP requests take too long Interactive systems must respond in <= 10ms What updates can be made without retrieving new data? Scrolling a select box, for example,

357 views • 8 slides
Introduction to Php Web-based applications: main elements HTTP PROTOCOL CLIENT SIDE SERVER SIDE

Introduction to Php Web-based applications: main elements HTTP PROTOCOL CLIENT SIDE SERVER SIDE

Introduction to Php Web-based applications: main elements HTTP PROTOCOL CLIENT SIDE SERVER SIDE HTTP request An HTTP request consists of: a request method (verb) , resource URL , header fields ( metadata ), body ( data ) HTTP 1.1

1.84k views • 146 slides

More recommend