![Page 1: When Good Services Go Wild: Reassembling Web Services for Unintended Purposes Feng Lu, Jiaqi Zhang, Stefan Savage UC San Diego](https://reader034.vdocuments.site/reader034/viewer/2022051415/56649db45503460f94aa50ad/html5/thumbnails/1.jpg)
When Good Services Go Wild: Reassembling Web Services for Unintended Purposes
Feng Lu, Jiaqi Zhang, Stefan Savage, UC San Diego
The Web Mashup Ecosystem
Characteristics of “Mashup” Model
Combines data or functionality from more than one source
Produces results beyond the original service model
Re-usability and agility at the expense of encapsulation or a clean semantics guarantee
Security risks: XSS, CSRF, etc.
Existing efforts focus on violations of the client’s browser security policy
New Class of Security Concerns
Users abuse web services
Reassemble web services for unintended purposes, at the expense of the service providers’ reputation
Exploit combinations of web services to create new capabilities
Examples: DoS attack, IP address laundering
CloudProxy, built from unrelated web pieces, as a proof of concept
Design Overview
CloudProxy: a functional web proxy leveraging existing web service APIs
Implemented the most-used HTTP methods: GET/POST
Design approaches:
Focus on public APIs that allow web content retrieval
Re-write the request to fit the API requirements if necessary
Assemble the response to provide transparent web access
(Figure: CloudProxy as a web mashup)
The Process of Downloading a Webpage
1. URL: http://sysnet.ucsd.edu
2. IP for sysnet.ucsd.edu? (query to the DNS Server)
3. 137.110.222.10 (DNS Server reply)
4. GET http://sysnet.ucsd.edu HTTP/1.0 (to the Web Server)
5. HTTP 302 redirect: http://sysnet.ucsd.edu/sysnet
6. GET http://sysnet.ucsd.edu/sysnet HTTP/1.0
7. HTTP/1.0 OK, index.html
8. GET images, JavaScript, CSS, etc.
9. Return images, JavaScript, CSS, etc.
Image URL: http://<absolute path> + <relative path>, e.g. sysnet.ucsd.edu/sysnet/photos/banner.jpg
index.html: …<img src="photos/banner.jpg">…
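The slide above shows why a proxy that "assembles the response" (Design Overview) has to track the 302 redirect: the relative `photos/banner.jpg` only resolves correctly against the URL the server finally served. The following is an added example, not code from the slides or from CloudProxy, that collects resource references from a fetched page and resolves them against the post-redirect URL with the standard library. The sample HTML and the trailing-slash form of the redirect target are constructed assumptions; the attribute table is a minimal choice for the demo.

```python
# Added example (not from the slides): resolving relative resource URLs in a
# proxied page against the URL reached after the origin's 302 redirect.
# Sample HTML and hostnames below are constructed for illustration.
from html.parser import HTMLParser
from urllib.parse import urljoin

# Attributes that carry fetchable references (assumption: enough for a demo).
RESOURCE_ATTRS = {
    "img": "src",
    "script": "src",
    "link": "href",
    "a": "href",
}


class _RefCollector(HTMLParser):
    """Collects the raw values of resource-carrying attributes in document order."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.refs.append(value)


def resolve_references(final_url, html):
    """Map each reference found in html to its absolute URL.

    final_url must be the URL after following redirects (steps 5 and 6 on
    the slide).  Passing the pre-redirect URL resolves "photos/banner.jpg"
    against the site root instead of /sysnet/.  Note that urljoin treats a
    base without a trailing slash as a file name, so the redirect target is
    written as http://sysnet.ucsd.edu/sysnet/ (assumption: that is the form
    the server sends).
    """
    collector = _RefCollector()
    collector.feed(html)
    return {ref: urljoin(final_url, ref) for ref in collector.refs}


def rewrite_html(final_url, html):
    """Rewrite every collected reference in the page to its absolute form."""
    out = html
    for ref, absolute in resolve_references(final_url, html).items():
        out = out.replace(f'"{ref}"', f'"{absolute}"')
    return out


# Constructed sample page, mirroring the slide's <img src="photos/banner.jpg">.
SAMPLE_HTML = (
    '<html><head><link rel="stylesheet" href="/css/site.css">'
    '<script src="js/app.js"></script></head>'
    '<body><img src="photos/banner.jpg">'
    '<a href="https://www.ucsd.edu/">UCSD</a></body></html>'
)

if __name__ == "__main__":
    for ref, absolute in resolve_references("http://sysnet.ucsd.edu/sysnet/", SAMPLE_HTML).items():
        print(f"{ref} -> {absolute}")
```

`resolve_references` keeps absolute references (the `https://www.ucsd.edu/` link) untouched and root-relative ones (`/css/site.css`) anchored at the host, so a proxy only has to substitute the resolved URLs before handing the page back to the client.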
HTTP GET
Google spreadsheet API: ImportData(“www.ucsd.edu”); only works for ASCII content
Google content server API (non-ASCII content): http://images-docs-opensocial.googleusercontent.com/gadgets/proxy?url=xxxx&container=###
HTTP Redirection
Facebook developer debug info API: http://developers.facebook.com/tools/debug/og/objects?q=url
HTTP POST
Google gadget caching API: http://www.gmodules.com/ig/proxy?url=xxx
Summary of Attacking Vectors
Facebook developer debug info API: http://developers.facebook.com/tools/debug/og/objects?q=url
Google spreadsheet API: =ImportData(“url”)
Google content server API: http://image2-focus.opensocial.googleusercontent.com/gadgets/proxy/url?=xxx&container=###
Google gadget caching API: http://www.gmodules.com/ig/proxy?url=xxx
URL shortener API: http://www.googleapis.com/urlshortener/v1/url?key=“api_key”
Overall Architecture Design
Evaluation
Web Tasks Performed
HTTP Post
IP Hiding
Video Viewing
HTTP Redirect
Spreadsheet Demo
Bing Search
All host machines are owned by either Facebook or Google!
Security Implications
Web content provider: Bypassing IP based content restriction
End users: Anonymous web access
Black hats: Aiding DoS attack
Web service provider: Wasting storage and network resources
Summary
Unrelated web services can be easily combined to create new, undesired services
Abuse of Web services
Demonstrated a functional Web proxy based on public web services (object size <= 10MB; does not support cookies)
Potential security risks
Lack or difficulty of security policy enforcement in web services
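The closing point is that fetch-by-URL services (spreadsheet import, gadget proxy, link debugger) enforce little policy on what they retrieve for whom, which is what lets them be chained into a proxy. As an added example that is not from the slides or CloudProxy, here is the kind of egress check such a service could run before fetching a caller-supplied URL: scheme allow-list, rejection of URLs that resolve to private, loopback or link-local addresses, the 10 MB object cap the talk cites, and a per-caller rate limit. The rate-limit numbers, the fake-resolver hook and the sample hostnames are constructed; the `137.110.222.10` address is the one shown on the slides.

```python
# Added example (not from the slides): an egress policy for a service that
# fetches caller-supplied URLs.  Limits and the resolver/clock hooks are
# constructed so the check can be exercised offline.
import ipaddress
import socket
import time
from collections import defaultdict, deque
from urllib.parse import urlsplit

MAX_OBJECT_BYTES = 10 * 1024 * 1024   # the 10 MB object limit cited on the slides
ALLOWED_SCHEMES = {"http", "https"}
RATE_LIMIT = 5                        # assumption: fetches per caller per window
RATE_WINDOW_SECONDS = 60


def _default_resolver(host):
    """Resolve host to a sorted list of IP strings via the system resolver."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def _is_public(ip_text):
    """True only for globally routable unicast addresses (v4 or v6)."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


class FetchPolicy:
    """Decides whether a proxy-style service may fetch a caller-supplied URL."""

    def __init__(self, resolver=_default_resolver, clock=time.monotonic):
        self._resolve = resolver
        self._clock = clock
        self._history = defaultdict(deque)   # caller id -> recent fetch timestamps

    def _within_rate(self, caller):
        now = self._clock()
        window = self._history[caller]
        while window and now - window[0] > RATE_WINDOW_SECONDS:
            window.popleft()
        if len(window) >= RATE_LIMIT:
            return False
        window.append(now)
        return True

    def check(self, caller, url, declared_length=None):
        """Return (allowed, reason); reason is 'ok' or the first failing rule."""
        parts = urlsplit(url)
        if parts.scheme not in ALLOWED_SCHEMES:
            return False, "scheme"
        if not parts.hostname:
            return False, "host"
        if parts.username or parts.password:
            return False, "userinfo"
        try:
            addrs = self._resolve(parts.hostname)
        except (socket.gaierror, OSError):
            return False, "resolve"
        # Every address must be public: a name that also maps to an internal
        # address would otherwise let the fetcher reach the provider's own network.
        if not addrs or not all(_is_public(a) for a in addrs):
            return False, "private-address"
        if declared_length is not None and declared_length > MAX_OBJECT_BYTES:
            return False, "size"
        if not self._within_rate(caller):
            return False, "rate"
        return True, "ok"


if __name__ == "__main__":
    policy = FetchPolicy(resolver=lambda host: ["137.110.222.10"], clock=lambda: 0.0)
    for url in ("http://sysnet.ucsd.edu/", "ftp://sysnet.ucsd.edu/", "http://u:p@sysnet.ucsd.edu/"):
        print(url, policy.check("demo-caller", url))
```

Two caveats for anyone adapting this: resolving the name here and connecting later is a time-of-check/time-of-use gap, so the fetcher should connect to the address that passed the check rather than resolving again, and `declared_length` only covers a Content-Length the origin chose to send, so the download itself still needs a byte counter that aborts past `MAX_OBJECT_BYTES`.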
Thank you!
API Friendly URL
URL shortener API: http://www.googleapis.com/urlshortener/v1/url?key=“api_key”
Example of IP-based Content Restriction