When Good Services Go Wild: Reassembling Web Services for Unintended Purposes Feng Lu, Jiaqi Zhang, Stefan Savage UC San Diego.

Slide 2: The Web Mashup Ecosystem

Slide 3: Characteristics of the “Mashup” Model
 Combines data or functionality from more than one source
 Produces results beyond the original service model
 Re-usability and agility at the expense of encapsulation or clean semantic guarantees
 Security risks: XSS, CSRF, etc.
Existing efforts focus on violations of the client’s browser security policy

Slide 4: New Class of Security Concerns
 Users abuse web services
 Reassemble web services for unintended purposes, at the expense of the service providers’ reputation
 Exploit combinations of web services to create new capabilities
 Examples:
  DoS attack
  IP address laundering
CloudProxy, built from unrelated web pieces, as a proof of concept

Slide 5: Design Overview
 CloudProxy: a functional web proxy leveraging existing web service APIs
 Implements the most used HTTP methods: GET/POST
 Design approach:
  Focus on public APIs that allow web content retrieval
  Re-write the request to fit the API requirement if necessary
  Assemble the response to provide transparent web access
(Figure labels: Cloud Proxy, Web mashup)

Slide 6: The Process of Downloading a Webpage (diagram; recovered steps)
1. URL (to DNS server)
2. IP for sysnet.ucsd.edu
4. GET http/1.0 (to web server)
5. HTTP 302 redirect:
6. GET http/1.0
7. HTTP/1.0 OK index.html
8. Get images, JavaScripts, CSS, etc.
9. Return images, JavaScripts, CSS, etc.
Image URL: + sysnet.ucsd.edu/sysnet/photos/banner.jpg
Index.html … …

Slide 7: HTTP GET
 Google spreadsheet API
  ImportData(“
  Only works for ASCII content
 Google content server API (non-ASCII content)
  opensocial.googleusercontent.com/gadgets/proxy?url=xxxx&container=###

Slide 8: HTTP Redirection
 Facebook developer debug info API

Slide 9: HTTP POST
 Google gadget caching API

Slide 10: Summary of Attack Vectors
 Facebook developer debug info API
 Google spreadsheet API
  =ImportData(“url”)
 Google content server API
  focus.opensocial.googleusercontent.com/gadgets/proxy/url?=xxx&container=###
 Google gadget caching API
 URL shortener API

Slide 11: Overall Architecture Design

Slide 12: Evaluation
Web tasks performed:
 HTTP POST
 IP hiding
 Video viewing
 HTTP redirect
 Spreadsheet demo
 Bing search
All host machines are owned by either Facebook or Google!

Slide 13: Security Implications
 Web content provider:
  Bypassing IP-based content restrictions
 End users:
  Anonymous web access
 Black hats:
  Aiding DoS attacks
 Web service provider:
  Wasted storage and network resources

Slide 14: Summary
 Unrelated web services can easily be combined to create new, undesired services
  Abuse of web services
 Demonstrated a functional web proxy based on public web services
  Object size <= 10MB
  Does not support cookies
 Potential security risks
  Lack, or difficulty, of security policy enforcement in web services
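The service-provider side of slides 13 and 14: what enforcing a policy on a public URL-fetch API can look like. This is an added example written for this page, not code from the talk or from any of the providers named in it; the service name, limits, header choices and sample addresses are constructed.

```python
"""Abuse controls for a public 'fetch this URL for me' API (added example;
not the talk's code). The checks map to the talk's three implications: the
origin still sees the real client, so IP-based restrictions keep working;
one caller cannot amplify requests; relayed objects are bounded. Service
name, limits and addresses are constructed placeholders."""
from collections import defaultdict, deque
from urllib.parse import urlparse

SERVICE_NAME = "example-fetcher"            # constructed, not a real service
MAX_OBJECT_BYTES = 10 * 1024 * 1024         # the 10 MB cap the talk observed
RELAYABLE_TYPES = {"text/html", "text/plain", "text/csv", "application/json"}


class FetchGate:
    """Per-caller sliding-window rate limit plus request/response checks."""

    def __init__(self, limit=5, window=60.0):
        self.limit, self.window = limit, window
        self.history = defaultdict(deque)   # caller_ip -> request timestamps

    def allow(self, caller_ip, url, now):
        """Return (ok, reason) for one fetch request made at time `now`."""
        parts = urlparse(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return False, "scheme"          # only plain web fetches
        if parts.username or parts.password:
            return False, "userinfo"        # never relay embedded credentials
        q = self.history[caller_ip]
        while q and now - q[0] >= self.window:
            q.popleft()                     # forget requests outside the window
        if len(q) >= self.limit:
            return False, "rate"            # caller exhausted its budget
        q.append(now)
        return True, "ok"

    @staticmethod
    def outbound_headers(caller_ip):
        """Headers for the upstream fetch: the origin can tell a relayed
        request from a direct one and apply its IP rules to the real client."""
        return {"Via": f"1.1 {SERVICE_NAME}",
                "X-Forwarded-For": caller_ip,
                "User-Agent": f"{SERVICE_NAME}/1.0"}

    @staticmethod
    def accept_response(content_length, content_type):
        """Relay only bounded objects of the types the API exists to serve."""
        media_type = content_type.split(";")[0].strip().lower()
        return content_length <= MAX_OBJECT_BYTES and media_type in RELAYABLE_TYPES
```

An origin that wants to keep its IP-based restrictions can then apply them to the `X-Forwarded-For` value, or refuse requests carrying a `Via` header from fetchers it does not trust.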

Slide 15: Thank you!

Slide 16: API Friendly URL
 URL shortener API

Slide 17: Example of IP-based Content Restriction