Abstract
More and more web applications rely on server-side requests (SSRs) to fetch resources (such as images or even entire webpages) from user-provided URLs. As with many other web-related technologies, developers were very quick to adopt SSRs, even before their consequences for security were fully understood. In fact, while SSRs are simple to add from an engineering point of view, in this paper we show that—if not properly implemented—this technology can have several subtle consequences for security, posing severe threats to service providers, their users, and the Internet community as a whole.
To shed some light on the risks of this communication pattern, we present the first extensive study of the security implications of SSRs. We propose a classification and four new attack scenarios that describe different ways in which SSRs can be abused to perform malicious activities. We then present an automated scanner we developed to probe web applications and identify possible SSR misuses. Using our tool, we tested 68 popular web applications and found that the majority can be abused to perform malicious activities, ranging from server-side code execution to amplification DoS attacks. Finally, we distill our findings into eight pitfalls and mitigations to help developers implement SSRs in a more secure way.
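As an added illustration of the "if not properly implemented" point (example code written for this page, not the paper's scanner or its list of pitfalls): a pre-flight check a server-side fetcher could apply to a user-supplied URL, rejecting non-HTTP schemes, embedded credentials and destinations that resolve to internal or otherwise non-public addresses, plus a capped body read. The resolver is injectable so the check runs offline; all function and constant names are assumed.

```python
"""Added example, not from the paper or its scanner: a conservative pre-flight
check for a URL that a web application is about to fetch server-side. It covers
two of the implementation concerns the abstract raises (reaching internal hosts
and pulling unbounded data on a user's behalf). All names here are our own."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
MAX_RESPONSE_BYTES = 5 * 1024 * 1024  # hypothetical cap on fetched bodies

def is_public_address(addr: str) -> bool:
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(addr)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def check_ssr_target(url: str, resolver=socket.getaddrinfo):
    """Return (ok, reason, addresses). `resolver` is injectable so the check
    can run offline; by default the real DNS resolver is used."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}", []
    if not parts.hostname:
        return False, "missing host", []
    if parts.username or parts.password:
        return False, "credentials in URL not allowed", []
    try:
        addrs = [str(ipaddress.ip_address(parts.hostname))]  # literal IP, no DNS
    except ValueError:
        try:
            infos = resolver(parts.hostname, parts.port or 80, proto=socket.IPPROTO_TCP)
        except socket.gaierror as exc:
            return False, f"resolution failed: {exc}", []
        addrs = [info[4][0] for info in infos]
    # Every address must be public; a name mapping to a mix of public and
    # internal addresses is rejected rather than partially trusted.
    bad = [a for a in addrs if not is_public_address(a)]
    if bad:
        return False, f"resolves to non-public address(es): {bad}", []
    # Callers should connect to one of the returned addresses rather than
    # re-resolving the name, so the host fetched is the host that was checked.
    return True, "ok", addrs

def read_capped(body, limit=MAX_RESPONSE_BYTES) -> bytes:
    """Read at most `limit` bytes from a file-like body, refusing larger ones."""
    data = body.read(limit + 1)
    if len(data) > limit:
        raise ValueError("response exceeds size cap")
    return data
```

The address-pinning comment matters in practice: a check that resolves the name and then lets the HTTP client resolve it again is only as strong as the DNS answer staying the same between the two lookups.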
Notes
1. See bug #1005, http://sourceforge.net/projects/tcpdf/files/CHANGELOG.TXT.
4. The tool is freely available here: https://github.com/tgianko/guenther.
Acknowledgments
This work was supported by the German Federal Ministry of Education and Research (BMBF) through funding for the Center for IT-Security, Privacy and Accountability (CISPA) and for the BMBF project 13N13250.
Copyright information
© 2016 Springer International Publishing Switzerland
About this paper
Cite this paper
Pellegrino, G., Catakoglu, O., Balzarotti, D., Rossow, C. (2016). Uses and Abuses of Server-Side Requests. In: Monrose, F., Dacier, M., Blanc, G., Garcia-Alfaro, J. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2016. Lecture Notes in Computer Science(), vol 9854. Springer, Cham. https://doi.org/10.1007/978-3-319-45719-2_18
DOI: https://doi.org/10.1007/978-3-319-45719-2_18
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-45718-5
Online ISBN: 978-3-319-45719-2
eBook Packages: Computer Science, Computer Science (R0)