Uses and Abuses of Server-Side Requests

More and more web applications rely on server-side requests (SSRs) to fetch resources (such as images or even entire webpages) from user-provided URLs. As for many other web-related technologies, developers were very quick to adopt SSRs, even before their consequences for security were fully understood. In fact, while SSRs are simple to add from an engineering point of view, in this paper we show that—if not properly implemented—this technology can have several subtle consequences for security, posing severe threats to service providers, their users, and the Internet community as a whole. To shed some light on the risks of this communication pattern, we present the first extensive study of the security implication of SSRs. We propose a classification and four new attack scenarios that describe different ways in which SSRs can be abused to perform malicious activities. We then present an automated scanner we developed to probe web applications to identify possible SSR misuses. Using our tool, we tested 68 popular web applications and find that the majority can be abused to perform malicious activities, ranging from server-side code execution to amplification DoS attacks. Finally, we distill our findings into eight pitfalls and mitigations to help developers to implement SSRs in a more secure way

Future wireless applications for a networked city: services for visitors and residents

Future wireless networks will offer near-ubiquitous high-bandwidth communications to mobile users. In addition, the accurate position of users will be known, either through network services or via additional sensing devices such as GPS. These characteristics of future mobile environments will enable the development of location-aware and, more generally, context-sensitive applications. In an attempt to explore the system, application, and user issues associated with the development and deployment of such applications, we began to develop the Lancaster GUIDE system in early 1997, finishing the first phase of the project in 1999. In its entirety, GUIDE comprises a citywide wireless network based on 802.11, a context-sensitive tour guide application with, crucially, significant content, and a set of supporting distributed systems services. Uniquely in the field, GUIDE has been evaluated using members of the general public, and we have gained significant experience in the design of usable context-sensitive applications. We focus on the applications and supporting infrastructure that will form part of GUIDE II, the successor to the GUIDE system. These developments are designed to expand GUIDE outside the tour guide domain, and to provide applications and services for residents of the city of Lancaster, offering a vision of the future mobile environments that will emerge once ubiquitous high-bandwidth coverage is available in most cities