Presentation is loading. Please wait.

Presentation is loading. Please wait.

When Good Services Go Wild: Reassembling Web Services for Unintended Purposes Feng Lu, Jiaqi Zhang, Stefan Savage UC San Diego.

Published byMyron Moore Modified over 9 years ago

Similar presentations

Presentation on theme: "When Good Services Go Wild: Reassembling Web Services for Unintended Purposes Feng Lu, Jiaqi Zhang, Stefan Savage UC San Diego."— Presentation transcript:

1 When Good Services Go Wild: Reassembling Web Services for Unintended Purposes Feng Lu, Jiaqi Zhang, Stefan Savage UC San Diego

2 The Web Mashup Ecosystem 2

3 Characteristics of “Mashup” Model 3  Combines data or functionality from more than one source  Produces results beyond original service model  Re-usability and agility at the expense of encapsulation or clean semantics guarantee  Security risks: XSS, CSRF, etc. Existing efforts focus on violations of client’s browser security policy

4 New Class of Security Concerns 4  Users abuse web services  Reassemble web services for unintended purposes at the expense of reputation of service providers  Exploit combination of web services to create new capabilities  Examples:  DoS attack  IP address laundering CloudProxy built from unrelated web pieces as a proof of concept

5 Design Overview 5  CloudProxy: a functional web proxy leveraging existing web service APIs  Implemented most used HTTP methods: GET/POST  Design approaches:  Focus on public APIs that allow web content retrieval  Re-write request to fit API requirement if necessary  Assemble response to provide transparent web access Cloud Proxy Web mashup

6 The Process of Downloading a Webpage 6 1. URL http://sysnet.ucsd.edu DNS Server 2. ip for sysnet.ucsd.e du 3. 137.110.222.10 Web Server 4.get http://sysnet.ucsd.edu http/1.0 5.http 302 redirect: http://sysnet.ucsd.edu/sysnet 6.get http://sysnet.ucsd.edu/sysnet http/1.0 7.HTTP/1.0 OK index.html 8. get images, javascripts, css, and etc 9. return images, javascripts, css, and etc Image URL: http:// + sysnet.ucsd.edu/sysnet/ photos/banner.jpg Index.html … …

7 HTTP GET 7  Google spreadsheet API  ImportData(“www.ucsd.edu”)  Only works for ASCII content  Google content server API (non-ASCII content)  http://images-docs- opensocial.googleusercontent.com/gadgets/proxy?url=xxxx&co ntainter=###

8 HTTP Redirection 8  Facebook developer debug info API  http://developers.facebook.com/tools/debug/og/objects?q=url

9 HTTP POST 9  Google gadget caching API  http://www.gmodules.com/ig/proxy?url=xxx

10 Summary of Attacking Vectors 10  Facebook developer debug info API  http://developers.facebook.com/tools/debug/og/objects?q=url  Google spreadsheet API  =ImportData(“url”)  Google content server API  http://image2- focus.opensocial.googleusercontent.com/gadgets/proxy/url?=x xx&container=###  Google gadget caching API  http://www.gmodules.com/ig/proxy?url=xxx  URL shortener API  http://www.googleapis.com/urlshortener/v1/url?key=“api_key ”

11 Overall Architecture Design 11

12 Evaluation 12 Web Tasks Performed HTTP Post IP Hiding Video Viewing HTTP Redirect Spreadsheet Demo Bing Search All host machines are owned by either Facebook or Google!

13 Security Implications 13  Web content provider:  Bypassing IP based content restriction  End users:  Anonymous web access  Black hats:  Aiding DoS attack  Web service provider:  Wasting storage and network resources

14 Summary 14  Unrelated web services can be easily combined to create new undesired services  abuse Web services  Demonstrated a functional Web proxy based on public web services  Object size <= 10MB  Does not support cookie  Potential security risks  Lack or difficulty of security policy enforcement of web services

15 15 Thank you!

16 API Friendly URL 16  URL shortener API  http://www.googleapis.com/urlshortener/v1/url?key=“api_key” http://www.googleapis.com/urlshortener/v1/url?key=“api_key

17 Example of IP based Content Restriction 17

Download ppt "When Good Services Go Wild: Reassembling Web Services for Unintended Purposes Feng Lu, Jiaqi Zhang, Stefan Savage UC San Diego."

Similar presentations

JavaScript Breaks Free Zulfikar Ramzan Symantec Security Response Joint w/ Markus Jakobsson, Sid Stamm (Indiana Univ)

JavaScript Breaks Free Zulfikar Ramzan Symantec Security Response Joint w/ Markus Jakobsson, Sid Stamm (Indiana Univ)
Let's say we want to access domain - reliablescribe.com First we need to buy a computer We need to subscribe to an Internet Service Provider (ISP) The.

Let's say we want to access domain - reliablescribe.com First we need to buy a computer We need to subscribe to an Internet Service Provider (ISP) The.
CHAPTER 15 WEBPAGE OPTIMIZATION. LEARNING OBJECTIVES How to test your web-page performance How browser and server interactions impact performance What.

CHAPTER 15 WEBPAGE OPTIMIZATION. LEARNING OBJECTIVES How to test your web-page performance How browser and server interactions impact performance What.
Design and Implementation of HTTP-Gnutella Gateway Baoning Wu (baw4) Wei Zhang (wez5) CSE Department Lehigh University.

Design and Implementation of HTTP-Gnutella Gateway Baoning Wu (baw4) Wei Zhang (wez5) CSE Department Lehigh University.
1 Content Delivery Networks iBAND2 May 24, 1999 Dave Farber CTO Sandpiper Networks, Inc.

1 Content Delivery Networks iBAND2 May 24, 1999 Dave Farber CTO Sandpiper Networks, Inc.
Skills: none Concepts: log, IP address, URL, packet header and body, geo-location, anonymity, proxy server, advertising signals, hacking, social graph.

Skills: none Concepts: log, IP address, URL, packet header and body, geo-location, anonymity, proxy server, advertising signals, hacking, social graph.
Skills: none Concepts: data and program files, IP packet, packet header, packet body, IP address, host name This work is licensed under a Creative Commons.

Skills: none Concepts: data and program files, IP packet, packet header, packet body, IP address, host name This work is licensed under a Creative Commons.
IT skills: IT concepts: Web client (browser), Web server, network connection, URL, mobile client, peer-to- peer application This work is licensed under.

IT skills: IT concepts: Web client (browser), Web server, network connection, URL, mobile client, peer-to- peer application This work is licensed under.
Web Servers How do our requests for resources on the Internet get handled? Can they be located anywhere? Global?

Web Servers How do our requests for resources on the Internet get handled? Can they be located anywhere? Global?
TCP Splicing for URL-aware Redirection

TCP Splicing for URL-aware Redirection
Progress Report 11/1/01 Matt Bridges. Overview Data collection and analysis tool for web site traffic Lets website administrators know who is on their.

Progress Report 11/1/01 Matt Bridges. Overview Data collection and analysis tool for web site traffic Lets website administrators know who is on their.
1 Web Content Delivery Reading: Section 9.2.2 and 9.4.3 COS 461: Computer Networks Spring 2007 (MW 1:30-2:50 in Friend 004) Ioannis Avramopoulos Instructor:

1 Web Content Delivery Reading: Section and COS 461: Computer Networks Spring 2007 (MW 1:30-2:50 in Friend 004) Ioannis Avramopoulos Instructor:
The Medusa Proxy A Tool For Exploring User- Perceived Web Performance Mimika Koletsou and Geoffrey M. Voelker University of California, San Diego Proceeding.

The Medusa Proxy A Tool For Exploring User- Perceived Web Performance Mimika Koletsou and Geoffrey M. Voelker University of California, San Diego Proceeding.
Putting the Network to Work

Putting the Network to Work
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Application Layer. Domain Name System Domain Name System (DNS) Problem – Want to go to www.google.com, but don’t know the IP addresswww.google.com Solution.

Application Layer. Domain Name System Domain Name System (DNS) Problem – Want to go to but don’t know the IP addresswww.google.com Solution.
MNO Cloud Use Case 2 Source: Rogers Wireless Contact: Ed O’Leary George Babut 3GPP/SA3-LI#43Tdoc SA3LI11_115.

MNO Cloud Use Case 2 Source: Rogers Wireless Contact: Ed O’Leary George Babut 3GPP/SA3-LI#43Tdoc SA3LI11_115.
Software Engineering for Cloud Computing Rao, Feng 04/27/2011.

Software Engineering for Cloud Computing Rao, Feng 04/27/2011.
Norman SecureSurf Protect your users when surfing the Internet.

Norman SecureSurf Protect your users when surfing the Internet.
 A cookie is a piece of text that a Web server can store on a user's hard disk.  Cookie data is simply name-value pairs stored on your hard disk by.

 A cookie is a piece of text that a Web server can store on a user's hard disk.  Cookie data is simply name-value pairs stored on your hard disk by.

Similar presentations

Ads by Google