Uses and Abuses of Server-Side Requests

Pellegrino, Giancarlo; Catakoglu, Onur; Balzarotti, Davide; Rossow, Christian

doi:10.1007/978-3-319-45719-2_18

Cited by 12 publications

(7 citation statements)

References 6 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For many years, a large body of studies has delved into discovering vulnerabilities of different network-level entities namely websites(e.g., [12]), web applications such as CM-Ses [13], and web infrastructure such as servers [14]. Only in the past ten years have the security research community also put focus on studying the efficacy of notifying affected parties on remediation.…”

Section: Related Workmentioning

confidence: 99%

Tell Me You Fixed It: Evaluating Vulnerability Notifications via Quarantine Networks

Çetin

Gañán

Altena

et al. 2019

2019 IEEE European Symposium on Security and Privacy (EuroS&P)

View full text Add to dashboard Cite

Mechanisms for large-scale vulnerability notifications have been confronted with disappointing remediation rates. It has proven difficult to reach the relevant party and, once reached, to incentivize them to act. We present the first empirical study of a potentially more effective mechanism: quarantining the vulnerable resource until it is remediated. We have measured the remediation rates achieved by a medium-sized ISP for 1, 688 retail customers running open DNS resolvers or Multicast DNS services. These servers can be abused in UDP-based amplification attacks. We assess the effectiveness of quarantining by comparing remediation with two other groups: one group which was notified but not quarantined and another group where no action was taken. We find very high remediation rates for the quarantined users, 87%, even though they can self-release from the quarantine environment. Of those who received the email-only notification, 76% remediated. Surprisingly, over half of the customers who were not notified at all also remediated, though this is tied to the fact that many observations of vulnerable servers are transient. All in all, quarantining appears more effective than other notification and remediation mechanisms, but it is also clear that it can not be deployed as a general solution for Internet-wide notifications.

show abstract

Section: Related Workmentioning

confidence: 99%

Tell Me You Fixed It: Evaluating Vulnerability Notifications via Quarantine Networks

Çetin

Gañán

Altena

et al. 2019

2019 IEEE European Symposium on Security and Privacy (EuroS&P)

View full text Add to dashboard Cite

show abstract

“…Since the uploaded script can be invoked via a URL with any crafted parameters, an adversary is capable of executing any system commands. This poses a critical threat such that the adversary is able to access local file resources and databases [4], inject shell commands and scripts [37], and conduct Server-Side Request Forgery (SSRF) attacks [56].…”

Section: B Ufu and Uefu Vulnerabilitiesmentioning

confidence: 99%

FUSE: Finding File Upload Bugs via Penetration Testing

Lee¹,

Lee³

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

An Unrestricted File Upload (UFU) vulnerability is a critical security threat that enables an adversary to upload her choice of a forged file to a target web server. This bug evolves into an Unrestricted Executable File Upload (UEFU) vulnerability when the adversary is able to conduct remote code execution of the uploaded file via triggering its URL. We design and implement FUSE, a penetration testing tool designed to discover UFU and UEFU vulnerabilities in server-side PHP web applications. The goal of FUSE is to generate upload requests; each request becomes an exploit payload that triggers a UFU or UEFU vulnerability. However, this approach entails two technical challenges: (1) it should generate an upload request that bypasses all content-filtering checks present in a target web application; and (2) it should preserve the execution semantic of the resulting uploaded file. We address these technical challenges by mutating standard upload requests with carefully designed mutations that enable the bypassing of content-filtering checks and do not tamper with the execution of uploaded files. FUSE discovered 30 previously unreported UEFU vulnerabilities, including 15 CVEs from 33 real-world web applications, thereby demonstrating its efficacy in finding code execution bugs via file uploads.

show abstract

“…However, as URLs often originate from third-party domains, most platforms cannot rely on the client-side programs because the same-origin policy for cross-origin requests (SOP for CORs) prevents the client-side programs from fetching resources from other origins by default. Accordingly, platforms tend to use server-side requests [25] (SSRs). Figure 1 shows the sequence of steps when sharing URLs on social platforms.…”

Section: A Sharing External Content On Social Media Platformsmentioning

confidence: 99%

Deceptive Previews: A Study of the Link Preview Trustworthiness in Social Platforms

Stivala¹,

Pellegrino²

2020

Proceedings 2020 Network and Distributed System Security Symposium

Self Cite

View full text Add to dashboard Cite

Social media has become a primary mean of content and information sharing, thanks to its speed and simplicity. In this scenario, link previews play the important role of giving a meaningful first glance to users, summarizing the content of the shared webpage within their title, description and image. In our work, we analyzed the preview-rendering process, observing how it is possible to misuse it to obtain benign-looking previews for malicious links. Concrete use-case of this research field is phishing and spam spread, considering targeted attacks in addition to large-scale campaigns. We designed a set of experiments for 20 social media platforms including social networks and instant messenger applications and found out how most of the platforms follow their own preview design and format, sometimes providing partial information. Four of these platforms allow preview crafting so as to hide the malicious target even to a tech-savvy user, and we found that it is possible to create misleading previews for the remaining 16 platforms when an attacker can register their own domain. We also observe how 18 social media platforms do not employ active nor passive countermeasures against the spread of known malicious links or software, and that existing cross-checks on malicious URLs can be bypassed through client-and serverside redirections. To conclude, we suggest seven recommendations covering the spectrum of our findings, to improve the overall preview-rendering mechanism and increase users' overall trust in social media platforms.

show abstract

Uses and Abuses of Server-Side Requests

Cited by 12 publications

References 6 publications

Tell Me You Fixed It: Evaluating Vulnerability Notifications via Quarantine Networks

Tell Me You Fixed It: Evaluating Vulnerability Notifications via Quarantine Networks

FUSE: Finding File Upload Bugs via Penetration Testing

Deceptive Previews: A Study of the Link Preview Trustworthiness in Social Platforms

Contact Info

Product

Resources

About