(2016) Uses and Abuses of Server-Side Requests.
|
Text
SSR_raid2016.pdf Download (1MB) | Preview |
Abstract
More and more web applications rely on server-side requests (SSRs) to fetch resources (such as images or even entire webpages) from user-provided URLs. As for many other web-related technologies, developers were very quick to adopt SSRs, even before their consequences for security were fully understood. In fact, while SSRs are simple to add from an engineering point of view, in this paper we show that—if not properly implemented—this technology can have several subtle consequences for security, posing severe threats to service providers, their users, and the Internet community as a whole. To shed some light on the risks of this communication pattern, we present the first extensive study of the security implication of SSRs. We propose a classification and four new attack scenarios that describe different ways in which SSRs can be abused to perform malicious activities. We then present an automated scanner we developed to probe web applications to identify possible SSR misuses. Using our tool, we tested 68 popular web applications and find that the majority can be abused to perform malicious activities, ranging from server-side code execution to amplification DoS attacks. Finally, we distill our findings into eight pitfalls and mitigations to help developers to implement SSRs in a more secure way.
Item Type: | Conference or Workshop Item (A Paper) (Paper) |
---|---|
Additional Information: | pub_id: 1023 Bibtex: DBLP:conf/raid/PellegrinoRAID16 URL date: None |
Uncontrolled Keywords: | security testing,web security |
Divisions: | Christian Rossow (System Security Group, SysSec) |
Conference: | RAID The International Symposium on Research in Attacks, Intrusions and Defenses (was International Symposium on Recent Advances in Intrusion Detection) |
Depositing User: | Sebastian Weisgerber |
Date Deposited: | 26 Jul 2017 10:33 |
Last Modified: | 18 Jul 2019 12:10 |
Primary Research Area: | NRA3: Threat Detection and Defenses |
URI: | https://publications.cispa.saarland/id/eprint/1053 |
Actions
Actions (login required)
View Item |