TRANSCRIPT
When Good Services Go Wild: Reassembling Web Services for Unintended Purposes
Feng Lu, Jiaqi Zhang, Stefan Savage (UC San Diego)

Slide 2: The Web Mashup Ecosystem

Slide 3: Characteristics of the "Mashup" Model
- Combines data or functionality from more than one source
- Produces results beyond the original service model
- Re-usability and agility at the expense of encapsulation or clean semantic guarantees
- Security risks: XSS, CSRF, etc.
- Existing efforts focus on violations of the client's browser security policy

Slide 4: New Class of Security Concerns
- Users abuse web services: reassembling web services for unintended purposes at the expense of the service providers' reputation
- Exploiting a combination of web services to create new capabilities
- Examples: DoS attack, IP address laundering
- CloudProxy, built from unrelated web pieces, as a proof of concept

Slide 5: Design Overview
- CloudProxy: a functional web proxy leveraging existing web service APIs
- Implements the most used HTTP methods: GET and POST
- Design approach:
  - Focus on public APIs that allow web content retrieval
  - Re-write the request to fit the API's requirements if necessary
  - Assemble the response to provide transparent web access
[Figure: CloudProxy as a web mashup]

Slide 6: The Process of Downloading a Webpage
1. User enters the URL http://sysnet.ucsd.edu
2. Browser asks the DNS server for the IP of sysnet.ucsd.edu
3. DNS server answers 137.110.222.10
4. Browser to web server: GET http://sysnet.ucsd.edu HTTP/1.0
5. Web server: HTTP 302 redirect to http://sysnet.ucsd.edu/sysnet
6. Browser: GET http://sysnet.ucsd.edu/sysnet HTTP/1.0
7. Web server: HTTP/1.0 OK, body index.html
8. Browser fetches images, JavaScript, CSS, etc.
9. Web server returns images, JavaScript, CSS, etc.
Image URL = http://<absolute path> + <relative path>, e.g. sysnet.ucsd.edu/sysnet/photos/banner.jpg
index.html contains: …<img src="photos/banner.jpg">…
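As an added illustration of the nine steps above (example code, not from the talk or from the CloudProxy implementation), this Python script walks a constructed redirect chain and then resolves the page's relative references the way a browser does at step 8. The server responses, the index.html body and the redirect target are all constructed for the example; the redirect here lands on a trailing-slash URL, and that slash is what decides whether photos/banner.jpg resolves under /sysnet/ or at the site root, which is exactly the detail anything reassembling responses on a user's behalf has to get right.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed index.html standing in for the body returned at step 7.
INDEX_HTML = """<html><head>
<link rel="stylesheet" href="style.css">
<script src="/js/app.js"></script>
</head><body>
<img src="photos/banner.jpg">
</body></html>"""

# Constructed stand-in for the web server: url -> (status, Location or body).
RESPONSES = {
    "http://sysnet.ucsd.edu/": (302, "http://sysnet.ucsd.edu/sysnet/"),
    "http://sysnet.ucsd.edu/sysnet/": (200, INDEX_HTML),
}


class ResourceCollector(HTMLParser):
    """Collect the sub-resource references a browser would fetch at step 8."""

    def __init__(self):
        super().__init__()
        self.refs = []
        self.base = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href"):
            self.base = a["href"]          # <base href> overrides the document URL
        elif tag in ("img", "script") and a.get("src"):
            self.refs.append(a["src"])
        elif tag == "link" and a.get("href"):
            self.refs.append(a["href"])


def follow_redirects(url, responses=RESPONSES, max_hops=5):
    """Steps 4-7: follow 3xx answers until a body arrives; return (final_url, body)."""
    for _ in range(max_hops):
        status, payload = responses[url]
        if status in (301, 302, 303, 307, 308):
            url = urljoin(url, payload)    # Location may itself be relative
        else:
            return url, payload
    raise RuntimeError("too many redirects")


def resolve_resources(final_url, html):
    """Step 8: turn each reference into the absolute URL that is actually fetched."""
    parser = ResourceCollector()
    parser.feed(html)
    parser.close()
    base = urljoin(final_url, parser.base) if parser.base else final_url
    return [urljoin(base, ref) for ref in parser.refs]


def fetch_page_resources(start_url, responses=RESPONSES):
    """Whole flow: redirects first, then resolution against the URL that served the body."""
    final_url, body = follow_redirects(start_url, responses)
    return final_url, resolve_resources(final_url, body)


if __name__ == "__main__":
    final_url, resources = fetch_page_resources("http://sysnet.ucsd.edu/")
    print(final_url)
    for r in resources:
        print(" ", r)
```

Resolving against the pre-redirect URL, or against /sysnet without the slash, yields different absolute URLs for the same markup; the browser always uses the URL of the response that carried the body.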

Slide 7: HTTP GET
- Google Spreadsheet API: ImportData("www.ucsd.edu"); only works for ASCII content
- Google content server API (non-ASCII content): http://images-docs-opensocial.googleusercontent.com/gadgets/proxy?url=xxxx&container=###

Slide 8: HTTP Redirection
- Facebook developer debug info API: http://developers.facebook.com/tools/debug/og/objects?q=url

Slide 9: HTTP POST
- Google gadget caching API: http://www.gmodules.com/ig/proxy?url=xxx

Slide 10: Summary of Attack Vectors
- Facebook developer debug info API: http://developers.facebook.com/tools/debug/og/objects?q=url
- Google Spreadsheet API: =ImportData("url")
- Google content server API: http://image2-focus.opensocial.googleusercontent.com/gadgets/proxy/url?=xxx&container=###
- Google gadget caching API: http://www.gmodules.com/ig/proxy?url=xxx
- URL shortener API: http://www.googleapis.com/urlshortener/v1/url?key="api_key"

Slide 11: Overall Architecture Design

Slide 12: Evaluation
Web tasks performed:
- HTTP POST
- IP hiding
- Video viewing
- HTTP redirect
- Spreadsheet demo
- Bing search
All host machines are owned by either Facebook or Google!

Slide 13: Security Implications
- Web content provider: bypassing IP-based content restriction
- End users: anonymous web access
- Black hats: aiding DoS attacks
- Web service provider: wasted storage and network resources

Slide 14: Summary
- Unrelated web services can easily be combined to create new, undesired services that abuse those web services
- Demonstrated a functional web proxy built from public web services (object size <= 10MB; does not support cookies)
- Potential security risks: lack, or difficulty, of security policy enforcement for web services
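The security implications listed above and the summary's last point (policy enforcement being absent or difficult) raise the question of what enforcement could look like on the provider side. The following Python module is an added example, not code from the talk or from any Google or Facebook service: it models the admission checks a "fetch this URL for me" endpoint, such as a gadget content proxy, could apply before relaying anything, plus a simple review over its own audit log. The container registry, the content-type allowlist, the 10 MB cap (taken from the object-size limit the summary mentions), the rate limit, the DNS stand-in and the audit record layout are all assumptions constructed for the example.

```python
import ipaddress
import time
from collections import defaultdict, deque
from urllib.parse import urlsplit

# Constructed policy values for this example; a real service would tune these.
MAX_OBJECT_BYTES = 10 * 1024 * 1024               # 10 MB, the object cap noted in the summary
ALLOWED_CONTENT_PREFIXES = ("image/", "text/css", "application/javascript")
REGISTERED_CONTAINERS = {"gadget-container-42"}   # hypothetical registry of legitimate callers

# Constructed stand-in for DNS so the example runs offline: hostname -> IPs.
FAKE_DNS = {
    "public.example": ["93.184.216.34"],
    "intranet.example": ["10.0.0.5"],
    "localhost": ["127.0.0.1"],
}


def fake_resolver(hostname):
    return FAKE_DNS.get(hostname, [])


class FetchPolicy:
    """Admission control for an endpoint that fetches third-party URLs on request."""

    def __init__(self, resolver=fake_resolver, max_per_minute=60, now=time.time):
        self.resolver = resolver
        self.max_per_minute = max_per_minute
        self.now = now                      # injectable clock, so tests are deterministic
        self.history = defaultdict(deque)   # caller -> timestamps of admitted requests
        self.audit = []                     # (timestamp, caller, url, allowed, reason)

    def check_request(self, caller, container, url):
        """Decide before any bytes are fetched and record the decision. Returns (allowed, reason)."""
        allowed, reason = self._evaluate(caller, container, url)
        self.audit.append((self.now(), caller, url, allowed, reason))
        return allowed, reason

    def _evaluate(self, caller, container, url):
        if container not in REGISTERED_CONTAINERS:
            return False, "unregistered container"
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return False, "unsupported scheme or missing host"
        addrs = self.resolver(parts.hostname)
        if not addrs:
            return False, "unresolvable host"
        for ip in addrs:
            # Refuse anything that does not resolve to a public address: the endpoint
            # must not become a path into the provider's own network.
            if not ipaddress.ip_address(ip).is_global:
                return False, f"target resolves to non-public address {ip}"
        if not self._within_rate(caller):
            return False, "rate limit exceeded"
        return True, "ok"

    def check_response(self, content_type, content_length):
        """Checks on the upstream response headers, applied before relaying the body."""
        if content_length is None or content_length > MAX_OBJECT_BYTES:
            return False, "object too large or size unknown"
        if not content_type.startswith(ALLOWED_CONTENT_PREFIXES):
            return False, f"content type {content_type!r} not needed by gadgets"
        return True, "ok"

    def _within_rate(self, caller):
        t = self.now()
        q = self.history[caller]
        while q and t - q[0] >= 60:
            q.popleft()                     # drop entries older than the one-minute window
        if len(q) >= self.max_per_minute:
            return False
        q.append(t)
        return True


def suspicious_callers(audit, min_distinct_hosts=50):
    """Callers that fetched from unusually many distinct hosts: a proxy-like pattern worth review."""
    hosts = defaultdict(set)
    for _, caller, url, allowed, _ in audit:
        if allowed:
            hosts[caller].add(urlsplit(url).hostname)
    return sorted(c for c, h in hosts.items() if len(h) >= min_distinct_hosts)
```

Two design choices matter here: the rate limit is keyed on the authenticated caller rather than on the target, since a reassembled proxy spreads one user's traffic across many targets; and every decision is logged with the caller identity, which is what lets suspicious_callers distinguish a gadget loading a handful of images from an account relaying general web browsing.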

Slide 15: Thank you!

Slide 16: API-Friendly URL
- URL shortener API: http://www.googleapis.com/urlshortener/v1/url?key="api_key"

Slide 17: Example of IP-based Content Restriction