On the Perils of Leaking Referrers in Online Collaboration Services
DIMVA 2019
Authors: Beliz Kaleli, Manuel Egele, Gianluca Stringhini
Beliz Kaleli
Online Collaboration Services (OCSs)
File operations:
▪ Upload/Create
▪ View/Edit online
▪ Share
Sharing a File on an OCS
Upload or Create → Share → https://www.ocs-name.com/<UniqueIdentifier>
Ideally an unguessable secret location
This year McAfee reported that:
“8% of shared files contain sensitive data” [1]
▪ OCS files, used by individuals and companies, can contain sensitive information.
[1] Where cloud files are shared. https://www.skyhighnetworks.com/cloud-computing-trends-2019/
Introduction
We show that the secret location of OCS files can be leaked by the improper handling of links embedded in these files.
▪ 21 OCSs are analyzed on 6 different web browsers
Background - HTTP Referer
▪ HTTP request header that identifies the URI from which the request originated.
Example request issued from the page http://ocs.com/file1:
Request Headers      Value
Accept               text/html, application/xhtml+xml
Accept-Encoding      gzip, deflate
Accept-Language      en-US, en; q=0.5
Connection           keep-alive
DNT                  1
Host                 ocs.com
Referer              http://ocs.com/file1
User-Agent           Mozilla/5.0 (X11; Linux x86_64)
Background - HTTP Referer
Purpose:
▪ Personalize the website: provide specific help, suggest relevant pages to targeted users
▪ Generate special offers
▪ Webpage analytics (e.g., analyzing where most of the traffic is coming from)
▪ Block visitors from specific domains
The HTTP Referer field is configurable with the Referrer Policy [1]
[1] W3C Candidate Recommendation referrer policy. https://www.w3.org/TR/referrer-policy/.
Background - Existing Mitigations
▪ Referrer Policy
  ● "no-referrer"
  ● "no-referrer-when-downgrade"
  ● "same-origin"
  ● "origin"
  ● "strict-origin"
  ● "origin-when-cross-origin"
  ● "strict-origin-when-cross-origin"
  ● "unsafe-url"
▪ HTML link type (i.e. rel="noreferrer")
HTTP Referer        Referrer Structure
No Referrer         -
ASCII Serialized    http(s)://www.service-name.com/
Full Referrer       http(s)://www.service-name.com/<UniqueIdentifier>
Attack Model
(figure) The secret URL is shared; a visitor opens it and follows the embedded link to maggi.cc, so the request to maggi.cc carries "Referrer: secret URL", which Eve, who runs maggi.cc, observes.
1. Alice: Upload/Create file
2. Alice: Share file, e.g. https://docs.google.com/document/d/17AA7PNbyu94pHe8QxKHKq8SsKPuLZV-9-ZrWvV-k45o/edit?usp=sharing
3. Bob: Visit link
Implementation - Methodology
To test our attack model on real-world OCSs:
1. Identifying relevant services
2. Creating files
3. Sharing files
4. Examining the referrer
Implementation - Identifying Relevant Services
▪ We obtained the most popular services by Google queries and crawling Alexa lists
  ▪ Top/Computers/Internet/File_Sharing
  ▪ Top/Computers/Internet/On_the_Web/Web_Applications/Storage
▪ Test manually:
  ▪ Set up an account
  ▪ Upload/Create file with link to our server
  ▪ Check if clickable
  ▪ Check if shareable via a URL
(figure) Uploaded file containing a link to our-server.com
Implementation - Creating Files
▪ Created different types of files: “.doc”, “.docx”, “.pdf”, “.xls”, “.xlsx”, “.ppt”, “.pptx”, “.note”, etc.
▪ Each file carries an embedded URL pointing to our web server, where the HTTP headers of every request are logged
Implementation - Sharing Files
Relevant OCSs = File Hosting Services + Instant Messaging Services
For file hosting services and instant messaging services:
▪ Shared through links which are editable or view-only
For some instant messaging services (e.g., Flock):
▪ File sent directly to chat between two accounts
Implementation - Examining Referrers
(figure) Alice uploads the file with the embedded link to the OCS and shares it, which yields the secret URL.
(figure) Bob visits the link and clicks the embedded link; our-server.com records the request, and we collect the Referrer URL from the output of the script.
Visit recorded → Referrer URL checked:
▪ File is NOT accessed through it → Secret URL is NOT leaked
▪ File is accessed through it → Secret URL is leaked
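The logging endpoint and the leak check that the methodology above relies on, written out as an added example (it is not the authors' script): a loopback HTTP server standing in for our-server.com that records the Referer header of each request, and a classifier that maps what was recorded to the outcomes above (full secret URL leaked, only the origin sent, or no referrer at all). The host name www.ocs-name.example and the secret path are constructed placeholders, and capture_click simulates the visitor's click by sending a request with a chosen Referer value, since no browser is involved.

```python
"""Referrer-logging endpoint and leak classifier (added example, not the
authors' script). Stands in for our-server.com in the methodology: the OCS
file embeds a link here, a visitor clicks it, and the Referer header of the
resulting request is recorded and classified."""
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Constructed placeholders: the OCS host and the secret share path under test.
OCS_HOST = "www.ocs-name.example"
SECRET_PATH = "/document/d/UNIQUE-IDENTIFIER-PLACEHOLDER/edit"


def classify_referer(referer, ocs_host=OCS_HOST, secret_path=SECRET_PATH):
    """Map a captured Referer value to one of the outcomes in the slides.

    'leaked' - full secret URL sent: the file is reachable from the referrer
    'origin' - only the ASCII-serialized origin sent: the file is not reachable
    'none'   - header absent (no-referrer policy, rel=noreferrer, or stripped by the viewer)
    'other'  - some other URL (e.g. a redirector path on the OCS or a foreign host)
    """
    if not referer:
        return "none"
    parts = urlsplit(referer)
    if parts.hostname != ocs_host:
        return "other"
    if parts.path.rstrip("/") == secret_path.rstrip("/"):
        return "leaked"
    if parts.path in ("", "/"):
        return "origin"
    return "other"


class ReferrerLogger(BaseHTTPRequestHandler):
    """Answers any GET with 200 and logs the request path and Referer header."""

    def do_GET(self):
        self.server.seen.append(
            {"path": self.path, "referer": self.headers.get("Referer")}
        )
        body = b"visit recorded\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the run quiet; the record lives in self.server.seen


def capture_click(referer):
    """Serve exactly one request on a loopback port, issue it with the given
    Referer value (None = header omitted), and classify what was logged."""
    server = HTTPServer(("127.0.0.1", 0), ReferrerLogger)
    server.seen = []
    worker = threading.Thread(target=server.handle_request)
    worker.start()
    req = urllib.request.Request(f"http://127.0.0.1:{server.server_port}/landing")
    if referer is not None:
        req.add_header("Referer", referer)
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxies
    with opener.open(req, timeout=5) as resp:
        resp.read()
    worker.join()
    server.server_close()
    return classify_referer(server.seen[0]["referer"])


if __name__ == "__main__":
    full = f"https://{OCS_HOST}{SECRET_PATH}"
    for sent in (full, f"https://{OCS_HOST}/", None):
        print(f"Referer {sent!r}: {capture_click(sent)}")
```

Against a real service the same classifier runs over the server's access log instead of a simulated request; the three classes correspond to the three Referrer structures in the mitigations slide (Full Referrer, ASCII Serialized, No Referrer).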
Referrer Policy
First Public Draft (2014):
▪ "none"
▪ "none-when-downgrade"
▪ "origin-only"
▪ "origin-when-cross-origin"
▪ "unsafe-url"
Working Draft (2016):
▪ "no-referrer"
▪ "no-referrer-when-downgrade"
▪ "same-origin"
▪ "origin"
▪ "strict-origin"
▪ "origin-when-cross-origin"
▪ "strict-origin-when-cross-origin"
▪ "unsafe-url"
Currently a Candidate Recommendation
Evaluation - Common Insights
Reasons behind vulnerabilities:
Services
▪ Referrer Policy is not set by the OCS
▪ Referrer Policy option is not secure enough
▪ Different behavior on mobile and desktop browsers
Browsers
▪ Edge and iOS Safari support an older draft of Referrer Policy
Evaluation
7/21 Vulnerable
(figure) Per-service, per-browser results; legend: Vulnerable / Not vulnerable / N/A
Evaluation
▪ Edge and iOS Safari support an older draft of Referrer Policy
  e.g., Overleaf: "origin-when-cross-origin"
  → Overleaf changed to "no-referrer" and added rel="noreferrer" → No longer vulnerable
Evaluation
▪ Different behaviors on desktop and mobile browsers
  ▪ PDF.js removes referrers; built-in mechanisms may not
  e.g., Box: "no-referrer-when-downgrade"
  ▪ Desktop browsers - PDF.js (removes referrers in requests)
  ▪ Mobile browsers - native PDF viewer (no referrer removal)
  ▪ Vulnerable: HTTPS → HTTPS
Evaluation
▪ Referrer Policy is not set by the OCS
  e.g., Onehub, LinkedIn SlideShare, Evernote
  ▪ Fallback to "no-referrer-when-downgrade"
  ▪ Vulnerable: HTTPS → HTTPS
Adoption of Referrer Policy
▪ First 100K of lists
(figure) Adoption chart; the legend marks the less safe option
Countermeasures
User
▪ Configure browser settings
▪ Use browser extensions
▪ Use private browsing mode (on Firefox)
Provider
▪ Trim HTTP Referer to only display the hostname
▪ Use rel="noreferrer"
▪ Redirect links inside documents
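The provider-side countermeasures above (rel="noreferrer" and redirecting links inside documents, together with a Referrer-Policy header on the responses) as an added example that is not any OCS's code. It rewrites the anchors of a rendered document with Python's standard-library HTML parser and serves an interstitial on a non-secret path; www.ocs-name.example and the /go endpoint are assumed names, the interstitial is rendered as an HTML page carrying its own Referrer-Policy header (a design choice of this example), and destinations are restricted to http(s) URLs.

```python
"""Provider-side hardening of a rendered shared document (added example, not
any OCS's code): rel="noreferrer" on every anchor, off-site links routed
through an interstitial on a non-secret path, and Referrer-Policy on both
responses. OCS_HOST and the /go endpoint are assumed names."""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, quote, urlsplit

OCS_HOST = "www.ocs-name.example"  # constructed placeholder
INTERSTITIAL_PATH = "/go"          # hypothetical non-secret endpoint


class LinkHardener(HTMLParser):
    """Re-emits the markup, rewriting <a href> so that a click cannot carry
    the document's secret URL to the destination."""

    def __init__(self):
        super().__init__(convert_charrefs=False)  # re-emit entities untouched
        self.out = []

    @staticmethod
    def _serialize(attrs):
        return "".join(f' {k}="{html.escape(v or "", quote=True)}"' for k, v in attrs)

    @staticmethod
    def _harden(attrs):
        href = attrs.get("href")
        if href:
            host = urlsplit(href).hostname
            if host is not None and host != OCS_HOST:
                # Off-site link: the click lands on the interstitial first, so the
                # secret document URL is never the page the destination is left from.
                attrs["href"] = f"{INTERSTITIAL_PATH}?to={quote(href, safe='')}"
            rel = set((attrs.get("rel") or "").split())
            rel.add("noreferrer")
            attrs["rel"] = " ".join(sorted(rel))
        return attrs

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            attrs = list(self._harden(dict(attrs)).items())
        self.out.append(f"<{tag}{self._serialize(attrs)}>")

    def handle_startendtag(self, tag, attrs):
        self.out.append(f"<{tag}{self._serialize(attrs)} />")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def harden_document(markup):
    parser = LinkHardener()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)


def document_headers():
    """Response headers for the shared document itself: never emit a referrer."""
    return {"Referrer-Policy": "no-referrer"}


def interstitial_response(query_string):
    """Response for /go?to=<url>: an HTML page (not a bare 3xx) that carries its
    own Referrer-Policy and refreshes to the destination. Returns
    (status, headers, body); only http(s) destinations are accepted."""
    to = parse_qs(query_string).get("to", [""])[0]
    if urlsplit(to).scheme not in ("http", "https"):
        return 400, {"Content-Type": "text/plain"}, "invalid destination"
    safe_to = html.escape(to, quote=True)
    body = (f'<meta http-equiv="refresh" content="0;url={safe_to}">'
            f'<a href="{safe_to}" rel="noreferrer">Continue</a>')
    return 200, {"Referrer-Policy": "no-referrer", "Content-Type": "text/html"}, body


# Constructed sample document with one off-site and one same-site link.
SAMPLE = ('<p>See <a href="https://maggi.cc/report.pdf">the report</a> and '
          '<a href="/document/d/OTHER-ID/edit">another doc</a>.</p>')

if __name__ == "__main__":
    print(harden_document(SAMPLE))
    print(interstitial_response("to=https%3A%2F%2Fmaggi.cc%2Freport.pdf"))
```

The three layers overlap on purpose: the Referrer-Policy header covers browsers that honour it, rel="noreferrer" covers the link itself, and the interstitial covers viewers (such as a native PDF viewer) that apply neither, since whatever referrer they send names /go rather than the secret document path.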
Future Steps
▪ Analyze different browsers and OCSs
▪ Investigate whether this vulnerability is known
▪ Embed links to several real-world websites
▪ Analyze the use of information
▪ Fill files with fake sensitive data
Conclusion
▪ We analyzed 21 OCSs by uploading different types of documents containing a link referring to our servers
▪ 7 out of 21 services are vulnerable
▪ Improper use of the Referrer Policy by online services
▪ Limited support offered by web browsers
THANK YOU
"no-referrer": The Referer header is omitted entirely for requests to any origin.
"no-referrer-when-downgrade": The full referrer is sent in requests from a TLS-protected environment to a potentially trustworthy URL and also from a non-TLS-protected environment to any origin. Conversely, the Referer header is omitted in requests from a TLS-protected environment to a non-potentially trustworthy URL.
"same-origin": A full URL, stripped for use as a referrer (the algorithm to strip URLs is defined in [8]), is sent within same-origin requests. The Referer header is omitted in cross-origin requests.
"origin": An ASCII serialization of the referrer's origin is sent along with both same-origin and cross-origin requests. An example of this serialization result is given in Table 1.
"strict-origin": An ASCII serialization of the referrer's origin is sent along with requests from a TLS-protected environment to a potentially trustworthy URL and from a non-TLS-protected environment to any origin. No referrer is sent from a TLS-protected environment to a non-potentially trustworthy URL.
"origin-when-cross-origin": A full URL, stripped for use as a referrer, is sent within same-origin requests. An ASCII serialization of the origin of the request is sent within cross-origin requests.
"strict-origin-when-cross-origin": A full URL, stripped for use as a referrer, is sent within same-origin requests. For cross-origin requests, the same rule as for "strict-origin" applies.
"unsafe-url": A full URL, stripped for use as a referrer, is sent within both same-origin and cross-origin requests.
Countermeasures - “Safer” Policies
▪ "no-referrer"
  ▪ all requests: no referrer
▪ "same-origin"
  ▪ same origin requests: full referrer
  ▪ cross origin requests: no referrer
Countermeasures - “Safer” Policies
▪ "strict-origin"
  ▪ TLS-protected environment → potentially trustworthy URL: ASCII Serial.
  ▪ non-TLS-protected environment → any origin: ASCII Serial.
  ▪ TLS-protected environment → non-potentially trustworthy URL: No Referrer
▪ "strict-origin-when-cross-origin"
  ▪ same origin requests: full referrer
  ▪ cross origin requests: same as “strict-origin”
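The Referrer Policy semantics listed in the Existing Mitigations slide, the per-policy definitions above, and the two “Safer” Policies slides, carried through as one worked decision procedure. This is an added example, not the W3C reference algorithm and not the deck's code: given a policy, the page URL (here a shared file's secret URL) and the URL of the embedded link, it returns the Referer value a browser would send, and leaks_secret reports whether that value still exposes the unique identifier. Two assumptions are made: "potentially trustworthy" is approximated as scheme https, and an unrecognized policy token (for example an older-draft name) falls back to the default "no-referrer-when-downgrade", which is the behaviour the deck reports for services that set no policy. The host name and identifier are constructed placeholders; maggi.cc is the destination used in the attack model.

```python
"""Referrer Policy decision procedure, added as a worked example (not the W3C
reference algorithm, not the deck's code). Implements the eight policies as
the definitions above describe them, to show what a browser sends when a
visitor follows a link embedded in a shared file at a secret URL.
Assumptions: 'potentially trustworthy' is approximated as scheme https, and
an unknown policy token falls back to the default no-referrer-when-downgrade
(the behaviour the deck observes for services that set no policy)."""
from urllib.parse import urlsplit

POLICIES = (
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
)
DEFAULT_POLICY = "no-referrer-when-downgrade"


def _host_port(parts):
    host = parts.hostname or ""
    return f"{host}:{parts.port}" if parts.port else host


def origin_of(url):
    """ASCII serialization of the origin, with the trailing '/' browsers send."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{_host_port(parts)}/"


def strip_for_referrer(url):
    """'Strip URL for use as a referrer': drop credentials and fragment,
    keep scheme, host, port, path and query."""
    parts = urlsplit(url)
    stripped = f"{parts.scheme}://{_host_port(parts)}{parts.path or '/'}"
    return f"{stripped}?{parts.query}" if parts.query else stripped


def is_trustworthy(url):
    return urlsplit(url).scheme == "https"  # simplification, see lead-in


def resolve_policy(token):
    """Unknown tokens (including older-draft names such as "origin-only") are
    ignored by current browsers, which then apply the default (assumption)."""
    return token if token in POLICIES else DEFAULT_POLICY


def referrer_for(policy, referrer_url, request_url):
    """Return the Referer value a browser would send, or None if omitted."""
    policy = resolve_policy(policy)
    same_origin = origin_of(referrer_url) == origin_of(request_url)
    downgrade = is_trustworthy(referrer_url) and not is_trustworthy(request_url)
    full, origin = strip_for_referrer(referrer_url), origin_of(referrer_url)
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin":
        return origin
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    # strict-origin-when-cross-origin: full within the origin, strict-origin rule otherwise
    if same_origin:
        return full
    return None if downgrade else origin


def leaks_secret(policy, secret_url, request_url):
    """True when the sent referrer reveals more than the OCS origin."""
    sent = referrer_for(policy, secret_url, request_url)
    return sent is not None and sent != origin_of(secret_url)


# Constructed sample: a secret share URL and the two cases the evaluation
# distinguishes (HTTPS -> HTTPS, and HTTPS -> HTTP, i.e. a downgrade).
SECRET_URL = "https://www.ocs-name.example/document/d/UNIQUE-IDENTIFIER-PLACEHOLDER/edit?usp=sharing"
TARGETS = ("https://maggi.cc/", "http://maggi.cc/")

if __name__ == "__main__":
    for policy in POLICIES + ("origin-only",):
        row = [str(referrer_for(policy, SECRET_URL, t)) for t in TARGETS]
        print(f"{policy:33} https->https: {row[0]:85} https->http: {row[1]}")
```

Running the table makes the evaluation's "Vulnerable: HTTPS → HTTPS" finding concrete: under the default "no-referrer-when-downgrade" the full secret URL reaches an HTTPS destination, and only the four origin-based policies and "no-referrer" keep the unique identifier out of the request.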