Analysis of Modern Computing Threats: Injection and Server Side Request Forgery

Abstract

In the modern world, digital computing and the Internet define the way we live our lives. Banking, commerce, transit, and even most jobs rely on various computing systems. Due to the importance of these systems, it is imperative that they stay secure from malicious attacks. To protect against such attacks, it is necessary to understand exactly what vulnerabilities exist, and how exactly to exploit them. It is a cybersecurity axiom that there is no security through obscurity. It is not enough to simply hide the implementation details; the security implementer must know how to break into a system to better protect it.¶ The core question that this thesis will address is how many of today’s major services are vulnerable to easily automated and commonplace cybersecurity attacks. This thesis will present a broad overview of two types of vulnerabilities (Injection (A03), and Server Side Request Forgery (A10)), how to exploit them, and give some historical examples. Finally, the conclusion will attempt to show approximately how many web pages are potentially vulnerable.¶ Due to legal constraints, I can only test websites that have a “safe harbor” clause, but malicious users have no such constraints. Consequently, this paper cannot fully determine the scope of vulnerability. Generally, it is not possible to probe for vulnerabilities without exploiting them, and since the researcher is knowingly and intentionally attempting to access unauthorized content, there is legal liability.