Uses and abuses of server-side requests

Pellegrino, Giancarlo; Catakoglu, Onur; Balzarotti, Davide; Rossow, Christian
RAID 2016, 19th International Symposium on Research in Attacks, Intrusions and Defenses, September 19-21, 2016, Evry, France / Also published in LNCS, Vol. 9854/2016

More and more web applications rely on server-side requests (SSRs) to fetch resources (such as images or even entire webpages) from user-provided URLs. As with many other web-related technologies, developers were quick to adopt SSRs, even before their consequences for security were fully understood. While SSRs are simple to add from an engineering point of view, in this paper we show that, if not properly implemented, this technology can have several subtle security consequences, posing severe threats to service providers, their users, and the Internet community as a whole. To shed some light on the risks of this communication pattern, we present the first extensive study of the security implications of SSRs. We propose a classification and four new attack scenarios that describe different ways in which SSRs can be abused to perform malicious activities. We then present an automated scanner we developed to probe web applications for possible SSR misuses. Using our tool, we tested 68 popular web applications and find that the majority can be abused to perform malicious activities, ranging from server-side code execution to amplification DoS attacks. Finally, we distill our findings into eight pitfalls and mitigations to help developers implement SSRs in a more secure way.
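The abstract names the two ends of the risk spectrum (a fetcher that can be pointed at internal services, and one that can be used as a DoS amplifier) without showing what a guarded fetcher looks like. The following is an added illustration, not the paper's scanner nor code from any of the 68 applications it tested: it validates the target of a server-side request before every hop, re-checks after each redirect, and caps the response body. The DNS table (`FAKE_DNS`), the `fake_transport` responder and all host names ending in `.example` are constructed so the example runs offline; a real implementation would call `socket.getaddrinfo` and apply the same address check to every returned address.

```python
"""Guarded server-side request fetcher (added example, not the paper's tool)."""
import ipaddress
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # no file://, gopher://, ftp://, dict://, ...
MAX_REDIRECTS = 3
MAX_BODY_BYTES = 5 * 1024 * 1024      # cap the amplification factor of one request

# Constructed name table so the example runs offline (assumption, not real DNS).
# "rebind.example" models a host that also resolves to an internal address.
FAKE_DNS = {
    "public.example": ["93.184.216.34"],
    "metadata.example": ["169.254.169.254"],
    "loopback.example": ["127.0.0.1"],
    "rebind.example": ["93.184.216.34", "10.0.0.5"],
}


class SsrBlocked(Exception):
    """Raised when a server-side request must not be made."""


def resolve(host, dns=FAKE_DNS):
    """Return all addresses for host: literal IPs pass through, names use dns."""
    try:
        return [str(ipaddress.ip_address(host.strip("[]")))]
    except ValueError:
        pass
    addrs = dns.get(host.lower())
    if not addrs:
        raise ValueError(f"unresolvable host: {host}")
    return addrs


def is_public_ip(addr):
    """False for loopback, RFC 1918, link-local (cloud metadata), multicast, etc."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped          # ::ffff:127.0.0.1 must be judged as 127.0.0.1
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_ssr_target(url, dns=FAKE_DNS):
    """Return (ok, reason); ok only if scheme is allowed and EVERY address is public."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    try:
        addrs = resolve(parts.hostname, dns)
    except ValueError as e:
        return False, str(e)
    for a in addrs:
        if not is_public_ip(a):
            return False, f"{parts.hostname} resolves to non-public address {a}"
    return True, "ok"


def guarded_fetch(url, transport, dns=FAKE_DNS):
    """Follow at most MAX_REDIRECTS hops, validating the target before each one.

    transport(url) -> (status, location_header_or_None, body_bytes); constructed here.
    """
    for _ in range(MAX_REDIRECTS + 1):
        ok, reason = check_ssr_target(url, dns)
        if not ok:
            raise SsrBlocked(reason)
        status, location, body = transport(url)
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)   # re-validated at the top of the loop
            continue
        if len(body) > MAX_BODY_BYTES:
            raise SsrBlocked(f"body exceeds {MAX_BODY_BYTES} bytes")
        return status, body
    raise SsrBlocked("too many redirects")


BIG_BODY = b"A" * (MAX_BODY_BYTES + 1)   # constructed oversized response

def fake_transport(url):
    """Constructed stand-in for an HTTP client; never touches the network."""
    table = {
        "http://public.example/img.png": (200, None, b"\x89PNG\r\n\x1a\n"),
        "http://public.example/go": (302, "http://metadata.example/latest/meta-data/", b""),
        "http://public.example/big": (200, None, BIG_BODY),
        "http://public.example/loop": (302, "/loop", b""),
    }
    return table.get(url, (404, None, b"not found"))


def fetch_outcome(url, transport=fake_transport, dns=FAKE_DNS):
    """Convenience wrapper: ('ok', body) or ('blocked', reason)."""
    try:
        return "ok", guarded_fetch(url, transport, dns)[1]
    except SsrBlocked as e:
        return "blocked", str(e)


if __name__ == "__main__":
    for u in ("http://public.example/img.png", "http://public.example/go",
              "http://public.example/big", "http://public.example/loop",
              "file:///etc/passwd", "http://[::ffff:127.0.0.1]/", "http://rebind.example/"):
        print(u, "->", fetch_outcome(u))
```

Two of the checks matter more than they look. Validating only the first URL and then letting the HTTP client follow redirects is the classic way a "safe" fetcher reaches 169.254.169.254 or localhost, so the loop re-runs `check_ssr_target` on every hop; and a name that resolves to both a public and a private address (`rebind.example`) is rejected outright, because the client cannot control which answer the resolver will use at connect time.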

DOI: http://dx.doi.org/10.1007/978-3-319-45719-2_18
Type: Conference
City: Evry
Date: 2016-09-19
Department: Digital Security
Eurecom Ref: 4941
Copyright:
© Springer. Personal use of this material is permitted. The definitive version of this paper was published in RAID 2016, 19th International Symposium on Research in Attacks, Intrusions and Defenses, September 19-21, 2016, Evry, France / Also published in LNCS, Vol. 9854/2016 and is available at : http://dx.doi.org/10.1007/978-3-319-45719-2_18

PERMALINK : https://www.eurecom.fr/publication/4941