URL parsing and normalization are common and important operations in different web frameworks and technologies. In recent years, security researchers have targeted these processes and discovered high-impact vulnerabilities and exploitation techniques. Taking a different approach, we will focus on the semantic disconnect among different framework-independent web technologies (e.g., browsers, proxies, cache servers, web servers), which results in different URL interpretations. We coined the term "Path Confusion" to represent this disagreement, and this thesis will focus on analyzing the enabling factors and security impact of this problem.

In this thesis, we will show the impact and importance of path confusion in two attack classes: Style Injection by Relative Path Overwrite (RPO) and Web Cache Deception (WCD). We will focus on these attacks as case studies to demonstrate how path confusion techniques make targeted sites exploitable. Moreover, we propose novel variations of each attack which expand the number of vulnerable sites and introduce new attack scenarios. We will present instances which have been secured against these attacks while still being exploitable with the introduced Path Confusion techniques. To further elucidate the seriousness of path confusion, we will also present the results of a large-scale analysis of RPO and WCD attacks on high-profile sites. We present repeatable methodologies and automated path confusion crawlers which detect thousands of sites that are still vulnerable to RPO or WCD only with specific types of path confusion techniques. Our results attest to the severity of the path confusion based class of attacks and how extensively they could hit clients or systems. We analyze some browser-based mitigation techniques for RPO and argue that WCD cannot be dealt with as a common vulnerability of each component; instead, it arises when an ecosystem of individually impeccable components ends up in a faulty situation.
Confused by Path: Analysis of Path Confusion Based Attacks / Mirheidari, Seyed Ali. - (2020 Nov 12), pp. 1-110.
|Title:||Confused by Path: Analysis of Path Confusion Based Attacks|
|Year of publication:||2020-11-12|
|Department:||Dipartimento di Ingegneria e Scienza dell'Informazione|
|Doctoral programme:||Information and Communication Technology|
|Jointly supervised thesis (cotutelle):||no|
|Digital Object Identifier (DOI):||10.15168/11572_280512|
|Appears in types:||08.1 Doctoral Thesis|