Web Services for Unintended Purposes

greenpepperwhinny, Security

3 Nov 2013

When Good Services Go Wild: Reassembling Web Services for Unintended Purposes

Feng Lu, Jiaqi Zhang, Stefan Savage

UC San Diego

The Web Mashup Ecosystem (slide 2)

Characteristics of the "Mashup" Model (slide 3)

- Combines data or functionality from more than one source
- Produces results beyond the original service model
- Re-usability and agility, at the expense of encapsulation or clean semantics guarantees
- Security risks: XSS, CSRF, etc.
  - Existing efforts focus on violations of the client's browser security policy

New Class of Security Concerns (slide 4)

- Users abuse web services
- Reassemble web services for unintended purposes, at the expense of the service providers' reputation
- Exploit combinations of web services to create new capabilities
- Examples:
  - DoS attack
  - IP address laundering
- CloudProxy: built from unrelated web pieces as a proof of concept

Design Overview (slide 5)

- CloudProxy: a functional web proxy leveraging existing web service APIs
- Implemented the most used HTTP methods: GET/POST
- Design approaches:
  - Focus on public APIs that allow web content retrieval
  - Re-write the request to fit API requirements if necessary
  - Assemble the response to provide transparent web access

[Figure: CloudProxy sitting between the client and the web mashup]

The Process of Downloading a Webpage (slide 6)

1. URL http://sysnet.ucsd.edu
2. IP for sysnet.ucsd.edu? (to the DNS server)
3. 137.110.222.10
4. GET http://sysnet.ucsd.edu HTTP/1.0 (to the web server)
5. HTTP 302 redirect: http://sysnet.ucsd.edu/sysnet
6. GET http://sysnet.ucsd.edu/sysnet HTTP/1.0
7. HTTP/1.0 OK index.html
8. GET images, JavaScript, CSS, etc.
9. Return images, JavaScript, CSS, etc.

Image URL: http://<absolute path> + <relative path>
  sysnet.ucsd.edu/sysnet/ + photos/banner.jpg
  index.html contains: <img src="photos/banner.jpg">



HTTP GET (slide 7)

- Google spreadsheet API: ImportData("www.ucsd.edu")
  - Only works for ASCII content
- Google content server API (non-ASCII content):
  http://images-docs-opensocial.googleusercontent.com/gadgets/proxy?url=xxxx&container=###

HTTP Redirection (slide 8)

- Facebook developer debug info API:
  http://developers.facebook.com/tools/debug/og/objects?q=url

HTTP POST (slide 9)

- Google gadget caching API:
  http://www.gmodules.com/ig/proxy?url=xxx

Summary of Attacking Vectors (slide 10)

- Facebook developer debug info API: http://developers.facebook.com/tools/debug/og/objects?q=url
- Google spreadsheet API: =ImportData("url")
- Google content server API: http://image2-focus.opensocial.googleusercontent.com/gadgets/proxy/url?=xxx&container=###
- Google gadget caching API: http://www.gmodules.com/ig/proxy?url=xxx
- URL shortener API: http://www.googleapis.com/urlshortener/v1/url?key="api_key"

Overall Architecture Design (slide 11)

[Figure: architecture diagram; not recoverable from the extracted text]

Evaluation (slide 12)

Web Tasks Performed:
- HTTP Post
- IP Hiding
- Video Viewing
- HTTP Redirect
- Spreadsheet Demo
- Bing Search

All host machines are owned by either Facebook or Google!

Security Implications (slide 13)

- Web content provider: bypassing IP-based content restriction
- End users: anonymous web access
- Black hats: aiding DoS attack
- Web service provider: wasting storage and network resources

Summary (slide 14)

- Unrelated web services can be easily combined to create new undesired services
  - Abuse of web services
- Demonstrated a functional Web proxy based on public web services
  - Object size <= 10MB
  - Does not support cookies
- Potential security risks
  - Lack or difficulty of security policy enforcement of web services
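Added example, not code from the paper or from CloudProxy: a policy layer that an operator could put in front of a "retrieve this URL for me" API to address the last point above, the missing security policy enforcement. It rate-limits per requesting client and per target host (so the API is a poor DoS amplifier), caps object size and redirect chasing, and forwards attribution headers so the origin server can still see the real requester instead of a laundered Google or Facebook address. The names FetchPolicy, check_request and check_response and the default limits are assumptions for illustration.

```python
import time
from collections import defaultdict, deque
from urllib.parse import urlparse


class FetchPolicy:
    """Policy layer for a 'retrieve this URL for me' API (hypothetical example,
    not the CloudProxy code): enforces the controls the deck says are lacking."""

    def __init__(self, max_bytes=10 * 1024 * 1024, max_redirects=3,
                 client_limit=60, target_limit=600, window_s=60):
        self.max_bytes = max_bytes          # the deck's proxy caps objects at 10 MB
        self.max_redirects = max_redirects  # bound redirect chasing (slide 6, step 5)
        self.client_limit = client_limit    # fetches per requesting client per window
        self.target_limit = target_limit    # fetches per target host per window
        self.window_s = window_s
        self._hits = defaultdict(deque)     # key -> timestamps of recent fetches

    def _within_limit(self, key, limit, now):
        """Sliding-window counter; records the hit only when it is allowed."""
        q = self._hits[key]
        while q and now - q[0] >= self.window_s:
            q.popleft()
        if len(q) >= limit:
            return False
        q.append(now)
        return True

    def check_request(self, client_ip, url, now=None):
        """Return (decision, headers); the headers name the real requester so the
        origin server can still attribute the fetch (no IP laundering)."""
        now = time.time() if now is None else now
        parts = urlparse(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return "deny: unsupported url", {}
        if not self._within_limit(("client", client_ip), self.client_limit, now):
            return "deny: client rate limit", {}
        if not self._within_limit(("target", parts.hostname), self.target_limit, now):
            return "deny: target rate limit", {}
        return "allow", {"X-Forwarded-For": client_ip, "Via": "1.1 fetch-api (example)"}

    def check_response(self, content_length, redirects_followed):
        # Size and redirect caps are applied before the body is relayed to the client.
        if redirects_followed > self.max_redirects:
            return "deny: too many redirects"
        if content_length > self.max_bytes:
            return "deny: object too large"
        return "allow"
```

The per-target limit is what keeps many distinct clients from turning one fetch API into a flood against a single host; the per-client limit alone does not.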






Thank you! (slide 15)





API Friendly URL (slide 16)

- URL shortener API: http://www.googleapis.com/urlshortener/v1/url?key="api_key"

Example of IP based Content Restriction (slide 17)