Implementation of a Hypertext Transfer Protocol Server on a High Assurance Multilevel Secure Platform

Calhoun: The NPS Institutional Archive, Theses and Dissertations, Thesis Collection, 2000
Bersack, Evelyn Louise. Implementation of a hypertext transfer protocol server on a high assurance multilevel secure platform. Monterey, California: Naval Postgraduate School. http://hdl.handle.net/10945/9236

NAVAL POSTGRADUATE SCHOOL
Monterey, California

THESIS

IMPLEMENTATION OF A HYPERTEXT TRANSFER PROTOCOL SERVER ON A HIGH ASSURANCE MULTILEVEL SECURE PLATFORM

by Evelyn Louise Bersack
December 2000

Thesis Advisor: Cynthia Irvine
Second Reader: Geoffrey Xie

Approved for public release; distribution is unlimited
20010215 017

REPORT DOCUMENTATION PAGE (Standard Form 298, Rev. 2-89; Form Approved OMB No. 0704-0188; NSN 7540-01-280-5500)

Report date: December 2000
Report type and dates covered: Master's Thesis
Title and subtitle: Implementation of a HyperText Transfer Protocol Server on a High Assurance Multilevel Secure Platform
Author: Evelyn Louise Bersack
Performing organization name and address: Naval Postgraduate School, Monterey, CA 93943-5000
Sponsoring / monitoring agency name and address: N/A
Supplementary notes: The views expressed in this thesis are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.
Distribution / availability statement: Approved for public release; distribution is unlimited
Subject terms: Hypertext Transfer Protocol, Web Server, Multilevel Secure, Local Area Network, High Assurance
Number of pages: 144
Security classification of report: Unclassified
Security classification of this page: Unclassified
Security classification of abstract: Unclassified
Limitation of abstract: UL

Evelyn Louise Bersack
Civilian, United States Army
B.S., University of Arizona, 1986

Submitted in partial fulfillment of the requirements for the degree of MASTER OF SCIENCE IN COMPUTER SCIENCE from the NAVAL POSTGRADUATE SCHOOL, December 2000

Approved by: Computer Science Department

ABSTRACT

In a client/server environment on a local area network (LAN), a server should provide various network applications, including a hypertext transfer protocol (HTTP) server. HTTP is a client/server, request/response application protocol that is used on the World Wide Web (WWW). It provides the definition and means for transferring objects across internets. A server used in the context of a multilevel secure (MLS) LAN should be no exception. An MLS LAN should be capable of providing an HTTP web server that can be used by commercially available web browsers executing on client workstations. This server needs to be aware of the MLS environment and provide clients access to all web pages and objects for which they are authorized.

This thesis implements an HTTP web server running on a high assurance host in an MLS LAN. The web server is based on a commercially available web server application, which has been modified and configured to run on the high assurance host. This thesis discusses the details of implementing the web server on the high assurance host.

The result of this thesis is an HTTP web server application that runs on a high assurance host, servicing clients on an MLS LAN that are using commercially available web browsers. These clients now have the capability of web browsing at varying levels of classification on one workstation.

TABLE OF CONTENTS

I. INTRODUCTION 1
    A. PURPOSE 1
    B. RESEARCH QUESTIONS 1
    C. OVERVIEW 2
    D. BENEFITS OF RESEARCH 3
    E. ORGANIZATION OF THESIS 5
II. BACKGROUND 7
    A. HYPERTEXT TRANSFER PROTOCOL 7
    B. APACHE SOFTWARE FOUNDATION PRODUCT 14
    C. XTS-300 PLATFORM 16
    D. NPS MULTILEVEL SECURE LOCAL AREA NETWORK PROJECT 17
III. ANALYSIS OF THE APACHE SOFTWARE PACKAGE 23
    A. IMPLEMENTATION REQUIREMENTS 23
    B. IMPLEMENTATION DECISIONS 24
    C. PROBLEMS AND DIFFICULTIES 29
IV. IMPLEMENTATION OF AN APACHE-BASED HTTP WEB SERVER ON THE XTS-300 COMPUTER 33
    A. APACHE SOURCE DIRECTORY STRUCTURE 34
    B. MAKEFILE MODIFICATIONS 36
    C. PHASE ONE 37
    D. PHASE TWO 46
    E. PHASE THREE 47
    F. PHASE FOUR 50
    G. DOCUMENTATION MODIFICATIONS 51
V. SECURITY CONSIDERATIONS 53
    A. DIRECTORY STRUCTURES AND FILE ACCESS 53
    B. APACHE ADD-ON MODULES 53
    C. SECURE SOCKET LAYER 59
VI. CONCLUSIONS AND FUTURE WORK 63
    A. DISCUSSION 63
    B. FUTURE WORK 64
    C. CONCLUSIONS 65
APPENDIX A: GLOSSARY 67
APPENDIX B: APACHE SOFTWARE LICENSE FILE 71
APPENDIX C: DIRECTORY LISTING 73
APPENDIX D: MODIFICATIONS TO CONFIGURATION FILES 79
APPENDIX E: MODIFICATIONS TO SOURCE CODE 81
APPENDIX F: MODIFICATIONS TO HEADER