Ecole d'ingénieur et centre de recherche en Sciences du numérique

Uses and abuses of server-side requests

Pellegrino, Giancarlo; Catakoglu, Onur; Balzarotti, Davide; Rossow, Christian

RAID 2016, 19th International Symposium on Research in Attacks, Intrusions and Defenses, September 19-21, 2016, Evry, France / Also published in LNCS, Vol. 9854/2016

More and more web applications rely on server-side requests (SSRs) to fetch resources (such as images or even entire webpages) from user-provided URLs. As for many other web-related technologies, developers were very quick to adopt SSRs, even before their consequences for security were fully understood. In fact, while SSRs are simple to add from an engineering point of view, in this paper we show that|if not properly implemented|this technology can have several subtle consequences for security, posing severe threats to service providers, their users, and the Internet community as a whole. To shed some light on the risks of this communication pattern, we present the rst extensive study of the security implication of SSRs. We propose a classi cation and four new attack scenarios that describe di erent ways in which SSRs can be abused to perform malicious activities. We then present an automated scanner we developed to probe web applications to identify possible SSR misuses. Using our tool, we tested 68 popular web applications and nd that the majority can be abused to perform malicious activities, ranging from server-side code execution to ampli cation DoS attacks. Finally, we distill our ndings into eight pitfalls and mitigations to help developers to implement SSRs in a more secure way.

Document Doi Bibtex

Titre:Uses and abuses of server-side requests
Type:Conférence
Langue:English
Ville:Evry
Pays:FRANCE
Date:
Département:Sécurité numérique
Eurecom ref:4941
Copyright: © Springer. Personal use of this material is permitted. The definitive version of this paper was published in RAID 2016, 19th International Symposium on Research in Attacks, Intrusions and Defenses, September 19-21, 2016, Evry, France / Also published in LNCS, Vol. 9854/2016 and is available at : http://dx.doi.org/10.1007/978-3-319-45719-2_18
Bibtex: @inproceedings{EURECOM+4941, doi = {http://dx.doi.org/10.1007/978-3-319-45719-2_18}, year = {2016}, title = {{U}ses and abuses of server-side requests}, author = {{P}ellegrino, {G}iancarlo and {C}atakoglu, {O}nur and {B}alzarotti, {D}avide and {R}ossow, {C}hristian}, booktitle = {{RAID} 2016, 19th {I}nternational {S}ymposium on {R}esearch in {A}ttacks, {I}ntrusions and {D}efenses, {S}eptember 19-21, 2016, {E}vry, {F}rance / {A}lso published in {LNCS}, {V}ol. 9854/2016}, address = {{E}vry, {FRANCE}}, month = {09}, url = {http://www.eurecom.fr/publication/4941} }
Voir aussi: