
Uses and Abuses of Server-Side Requests

  • Conference paper
Research in Attacks, Intrusions, and Defenses (RAID 2016)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 9854))

Abstract

More and more web applications rely on server-side requests (SSRs) to fetch resources (such as images or even entire webpages) from user-provided URLs. As for many other web-related technologies, developers were very quick to adopt SSRs, even before their consequences for security were fully understood. In fact, while SSRs are simple to add from an engineering point of view, in this paper we show that—if not properly implemented—this technology can have several subtle consequences for security, posing severe threats to service providers, their users, and the Internet community as a whole.

To shed some light on the risks of this communication pattern, we present the first extensive study of the security implications of SSRs. We propose a classification and four new attack scenarios that describe different ways in which SSRs can be abused to perform malicious activities. We then present an automated scanner we developed to probe web applications and identify possible SSR misuses. Using our tool, we tested 68 popular web applications and found that the majority can be abused to perform malicious activities, ranging from server-side code execution to amplification DoS attacks. Finally, we distill our findings into eight pitfalls and mitigations to help developers implement SSRs in a more secure way.
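As an added illustration of the kind of mitigation the abstract alludes to (example code written for this page, not the paper's scanner or any project's code), the following Python checks a user-provided URL before the server fetches it: an HTTP(S)-only scheme allow-list, no embedded credentials, every resolved address must be public, and redirects are followed manually so each hop is re-checked. The resolver and HTTP client are injectable (assumed interfaces) so the block runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Added example (not the paper's scanner or any project code): a URL check
# a server can run before issuing an SSR for a user-provided URL.
ALLOWED_SCHEMES = {"http", "https"}

def default_resolver(host):
    """Resolve host to the set of all its IP addresses (system resolver)."""
    return {ai[4][0] for ai in socket.getaddrinfo(host, None)}

def check_target(url, resolver=default_resolver):
    """Return (ok, reason). Rejects non-HTTP schemes, URLs with embedded
    credentials, and hosts resolving to any non-public address. All resolved
    addresses are checked, so a name mixing public and internal IPs fails."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    try:
        addrs = resolver(parts.hostname)
    except OSError:
        return False, "unresolvable host"
    for addr in addrs:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop IPv6 scope id
        if not ip.is_global:  # loopback, private, link-local, reserved, ...
            return False, f"non-public address {ip}"
    return True, "ok"

def fetch_checked(url, fetch, resolver=default_resolver, max_hops=3):
    """Fetch with redirects followed manually so every hop is re-checked.
    fetch(url) is an injectable HTTP client returning (status, location, body);
    automatic redirect following is what lets a public URL bounce the server
    to an internal one after the initial check passed."""
    for _ in range(max_hops + 1):
        ok, reason = check_target(url, resolver)
        if not ok:
            return None, f"blocked {url}: {reason}"
        status, location, body = fetch(url)
        if status in (301, 302, 303, 307, 308) and location:
            url = location
            continue
        return body, "ok"
    return None, "too many redirects"
```

A real deployment should also pin the checked address when connecting (to avoid DNS rebinding between check and fetch) and apply timeouts and size limits to the response.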


Notes

  1. See bug #1005, http://sourceforge.net/projects/tcpdf/files/CHANGELOG.TXT.

  2. See https://isc.sans.edu/diary/How+Malware+Campaigns+Employ+Google+Redirects+and+Analytics/19843.

  3. See https://www.blackhat.com/us-15/briefings.html.

  4. The tool is freely available here: https://github.com/tgianko/guenther.

  5. See http://www.acunetix.com/vulnerability-scanner/.


Acknowledgments

This work was supported by the German Federal Ministry of Education and Research (BMBF) through funding for the Center for IT-Security, Privacy and Accountability (CISPA) and for the BMBF project 13N13250.

Corresponding author

Correspondence to Giancarlo Pellegrino.

Copyright information

© 2016 Springer International Publishing Switzerland

Cite this paper

Pellegrino, G., Catakoglu, O., Balzarotti, D., Rossow, C. (2016). Uses and Abuses of Server-Side Requests. In: Monrose, F., Dacier, M., Blanc, G., Garcia-Alfaro, J. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2016. Lecture Notes in Computer Science, vol 9854. Springer, Cham. https://doi.org/10.1007/978-3-319-45719-2_18

  • DOI: https://doi.org/10.1007/978-3-319-45719-2_18

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-45718-5

  • Online ISBN: 978-3-319-45719-2
