When Good Services Go Wild: Reassembling
Web Services for Unintended Purposes
Feng Lu, Jiaqi Zhang, Stefan Savage
UC San Diego
The Web Mashup Ecosystem
2
Characteristics of “Mashup” Model
 Combines data or
functionality from more than
one source
 Produces results beyond
original service model
 Re-usability and agility at the
expense of encapsulation or
clean semantics guarantee
 Security risks: XSS, CSRF, etc.
Existing efforts focus on violations of client’s browser security policy
3
New Class of Security Concerns
 Users abuse web services
 Reassemble web services for
unintended purposes at the
expense of reputation of
service providers
 Exploit combination of web
services to create new
capabilities
 Examples:
 DoS attack
 IP address laundering
CloudProxy built from unrelated web pieces as a proof of concept
4
Design Overview
 CloudProxy: a functional web proxy leveraging existing
web service APIs
 Implemented most used HTTP methods: GET/POST
 Design approaches:
 Focus on public APIs that allow web content retrieval
 Re-write request to fit API requirement if necessary
 Assemble response to provide transparent web access
mashup
Cloud
Proxy
Web
5
The Process of Downloading a Webpage
1. URL http://sysnet.ucsd.edu
4.get http://sysnet.ucsd.edu http/1.0
5.http 302 redirect: http://sysnet.ucsd.edu/sysnet
6.get http://sysnet.ucsd.edu/sysnet http/1.0
2. ip for
sysnet.ucsd.e
du
3. 137.110.222.10
Web Server
7.HTTP/1.0 OK index.html
8. get images, javascripts, css, and etc
DNS Server
9. return images, javascripts, css, and etc
Index.html
…
<img
src=“photos/ba
nner.jpg”>
…
Image URL: http://<absolute path> +<relative path>
sysnet.ucsd.edu/sysnet/ photos/banner.jpg
6
HTTP GET
 Google spreadsheet API
 ImportData(“www.ucsd.edu”)
 Only works for ASCII content
 Google content server API (non-ASCII content)
 http://images-docsopensocial.googleusercontent.com/gadgets/proxy?url=xxxx&co
ntainter=###
7
HTTP Redirection
 Facebook developer debug info API
 http://developers.facebook.com/tools/debug/og/objects?q=url
8
HTTP POST
 Google gadget caching API
 http://www.gmodules.com/ig/proxy?url=xxx
9
Summary of Attacking Vectors
 Facebook developer debug info API
 http://developers.facebook.com/tools/debug/og/objects?q=url
 Google spreadsheet API
 =ImportData(“url”)
 Google content server API
 http://image2focus.opensocial.googleusercontent.com/gadgets/proxy/url?=x
xx&container=###
 Google gadget caching API
 http://www.gmodules.com/ig/proxy?url=xxx
 URL shortener API
 http://www.googleapis.com/urlshortener/v1/url?key=“api_key
”
10
Overall Architecture Design
11
Evaluation
Web Tasks Performed
HTTP Post
IP Hiding
Video Viewing
HTTP Redirect
Spreadsheet Demo
Bing Search
All host machines are owned by either Facebook or Google!
12
Security Implications
 Web content provider:
 Bypassing IP based content restriction
 End users:
 Anonymous web access
 Black hats:
 Aiding DoS attack
 Web service provider:
 Wasting storage and network resources
13
Summary
 Unrelated web services can be easily combined to create
new undesired services  abuse Web services
 Demonstrated a functional Web proxy based on public
web services
 Object size <= 10MB
 Does not support cookie
 Potential security risks
 Lack or difficulty of security policy enforcement of web
services
14
Thank you!
15
API Friendly URL
 URL shortener API
 http://www.googleapis.com/urlshortener/v1/url?key=“api_key”
16
Example of IP based Content Restriction
17