14 Being an unwitting accomplice


In this chapter

  • How hackers launch HTTP requests from your server
  • How hackers spoof emails
  • How hackers use open redirects

“No man is an island,” wrote the 17th-century metaphysical poet John Donne. The same can be said for web applications. Our applications exist on networks that are connected to most of the world’s computers, so they are very much whatever the opposite of an island is. (Donne was less clear on what that is. A hillock? An isthmus? A precinct?)

Because web apps are hyperconnected, it makes sense that attackers sometimes use one web application as a jumping-off point for attacking another. They may use this technique to hide their trail, or they may use it simply because the servers running the web application offer more computational firepower than whatever grease-stained and crumb-riddled laptop they’re angrily tapping away on.

In this chapter, we will look at three ways in which your application may be acting as an unwitting accomplice in these types of attacks. Running a website generally requires you to be a good internet citizen, not least because your hosting provider will eventually shut you down if you fail to close such vulnerabilities.

Server-side request forgery

Restricting the domains that you access

Making HTTP requests only for real users

Validating the URLs that you access

Using a domain blocklist
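The four headings above describe one procedure: restrict the scheme, optionally allowlist the hosts, and refuse any URL whose host resolves to a non-public address (the blocklist). As an added illustration, not code from the book, here it is in Python. The real DNS lookup is kept alongside a constructed name table (`FAKE_DNS`, with the assumed hosts `api.example.com`, `metadata.internal` and `dual.example`) so the check runs offline.

```python
"""Outbound URL validation against server-side request forgery.

Added example, not the book's code. Combines scheme restriction, an
optional host allowlist, and a check that every address the host resolves
to is publicly routable (a blocklist of loopback, link-local, private and
other non-global ranges).
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def unwrap_mapped(addr):
    """Treat ::ffff:127.0.0.1 as 127.0.0.1 so it cannot slip past IPv4 checks."""
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_public_address(addr):
    """Reject anything not globally routable: loopback, RFC 1918, link-local
    (which includes the 169.254.169.254 cloud metadata endpoint), multicast."""
    addr = unwrap_mapped(addr)
    return addr.is_global and not addr.is_multicast


def system_resolver(host):
    """Real DNS lookup via the OS; returns every address the host maps to."""
    return {ipaddress.ip_address(info[4][0])
            for info in socket.getaddrinfo(host, None)}


# Constructed name table so the example runs offline. 93.184.216.34 is the
# address of example.com, standing in for an ordinary public server.
FAKE_DNS = {
    "api.example.com": {"93.184.216.34"},
    "metadata.internal": {"169.254.169.254"},
    "localhost": {"127.0.0.1"},
    "dual.example": {"93.184.216.34", "10.0.0.7"},  # one public, one private
}


def fake_resolver(host):
    """Offline stand-in for system_resolver: IP literals and FAKE_DNS only."""
    try:
        return {ipaddress.ip_address(host)}
    except ValueError:
        pass
    if host not in FAKE_DNS:
        raise OSError(f"no such host: {host}")
    return {ipaddress.ip_address(ip) for ip in FAKE_DNS[host]}


def check_outbound_url(url, resolve=system_resolver, allowed_hosts=None):
    """Return (ok, reason). ok is True only if the URL is safe to fetch."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, f"host {host!r} not in allowlist"
    try:
        addresses = resolve(host)
    except OSError as exc:
        return False, f"resolution failed: {exc}"
    if not addresses:
        return False, "host resolved to nothing"
    # Every address must be public: a name with a single private record is
    # enough to reach an internal service if the HTTP client happens to pick it.
    for addr in addresses:
        if not is_public_address(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("https://api.example.com/v1/items",
                      "http://metadata.internal/latest/meta-data/",
                      "http://[::ffff:127.0.0.1]/", "file:///etc/passwd"):
        print(candidate, check_outbound_url(candidate, fake_resolver))
```

One caveat the headings do not cover: the name is resolved here and again by the HTTP client a moment later, and an attacker-controlled DNS server can answer differently the second time (DNS rebinding). To close that gap, connect to the address you validated and send the original name in the Host header, and treat every redirect hop as a fresh URL to validate.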

Email spoofing

Sender Policy Framework

DomainKeys Identified Mail

Domain-Based Message Authentication, Reporting and Conformance

Practical steps
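To make the SPF and DMARC sections concrete, here is an added example (not the book's code) of the decision a receiving mail server makes: fetch the sender domain's SPF record, test the connecting IP against its mechanisms, and read the domain's DMARC policy. DNS is replaced by a constructed table of TXT records for the assumed domains `example.com` and `mail.example.net`; the `a`, `mx`, `ptr` and `exists` mechanisms, which need further DNS lookups, are not modelled.

```python
"""Toy SPF evaluator and DMARC record parser.

Added example, not the book's code. Implements the ip4, ip6, include and
all mechanisms with their qualifiers, against a constructed DNS table.
"""
import ipaddress

# Constructed TXT records standing in for DNS.
FAKE_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def fake_txt_lookup(name):
    """Offline stand-in for a DNS TXT query."""
    return FAKE_TXT.get(name)


def evaluate_spf(domain, sender_ip, lookup=fake_txt_lookup, depth=0):
    """Return pass / fail / softfail / neutral / none / permerror for sender_ip."""
    if depth > 10:                       # RFC 7208 caps DNS-causing terms at 10
        return "permerror"
    record = lookup(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"                  # an unqualified mechanism means pass
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        if mechanism == "all":
            matched = True
        elif mechanism in ("ip4", "ip6"):
            # An IPv4 sender is never inside an IPv6 network, and vice versa.
            matched = ip in ipaddress.ip_network(argument, strict=False)
        elif mechanism == "include":
            # include: matches only if the referenced record yields "pass"
            matched = evaluate_spf(argument, sender_ip, lookup, depth + 1) == "pass"
        else:
            continue                     # a, mx, ptr, exists: not modelled here
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                     # nothing matched and no "all" term


def dmarc_policy(domain, lookup=fake_txt_lookup):
    """Parse _dmarc.<domain> into a dict of tags; None when no record exists."""
    record = lookup(f"_dmarc.{domain}")
    if record is None or not record.startswith("v=DMARC1"):
        return None
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key] = value
    return tags


if __name__ == "__main__":
    for ip in ("203.0.113.5", "198.51.100.7", "2001:db8::1", "192.0.2.1"):
        print("example.com", ip, evaluate_spf("example.com", ip))
    print(dmarc_policy("example.com"))
```

The `-all` on example.com is what makes a spoofed message fail outright; with `~all` it would only be soft-failed, and most receivers then lean on the DMARC `p=` tag to decide whether to reject, quarantine or deliver. DKIM is omitted here because verifying it means canonicalising headers and checking an RSA or Ed25519 signature, which is a separate exercise.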

Open redirects

Disallow offsite redirects

Check the referrer when doing redirects
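The two headings above are complementary controls for a `?next=`-style redirect parameter. As an added example that is not the book's code, here they are in Python: the target is accepted only if it is a same-site path (or, optionally, an allowlisted https host), with a fixed local fallback otherwise, and the redirect is honoured only when the Referer names our own origin. `SITE_ORIGIN`, `help.example.com` and the handler shape are assumptions.

```python
"""Safe redirect target selection plus a Referer origin check.

Added example, not the book's code. Refuses off-site targets (falling
back to a local page) and rejects redirect requests whose Referer is not
our own origin.
"""
from urllib.parse import urljoin, urlsplit

SITE_ORIGIN = "https://app.example.com"      # assumed origin of our own site
FALLBACK = "/"


def safe_redirect_target(target, allowed_hosts=frozenset()):
    """Return target if it stays on site (or is an allowlisted https URL), else FALLBACK."""
    if not target:
        return FALLBACK
    target = target.strip()
    if any(ord(ch) < 0x20 for ch in target):       # CR/LF header injection, tab tricks
        return FALLBACK
    target = target.replace("\\", "/")              # browsers treat \ as /
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative (//host) URL: only an allowlisted https host passes.
        # parts.hostname ignores any user@ prefix, so https://ours@evil/ is caught.
        if parts.scheme == "https" and parts.hostname in allowed_hosts:
            return target
        return FALLBACK
    if not target.startswith("/") or target.startswith("//"):
        return FALLBACK
    # Belt and braces: resolving against our origin must not change the host.
    if urlsplit(urljoin(SITE_ORIGIN, target)).netloc != urlsplit(SITE_ORIGIN).netloc:
        return FALLBACK
    return target


def referrer_is_local(referer_header):
    """True when the Referer header names our own origin (scheme and host)."""
    if not referer_header:
        return False          # absent or stripped: treat as untrusted
    ref = urlsplit(referer_header)
    origin = urlsplit(SITE_ORIGIN)
    return (ref.scheme, ref.netloc) == (origin.scheme, origin.netloc)


def choose_redirect(next_param, referer_header, allowed_hosts=frozenset()):
    """The Location value a /redirect handler should send (assumed handler shape)."""
    if not referrer_is_local(referer_header):
        return FALLBACK
    return safe_redirect_target(next_param, allowed_hosts)


if __name__ == "__main__":
    for candidate in ("/account/settings", "//evil.example/", "/\\evil.example/",
                      "https://evil.example/", "javascript:alert(1)"):
        print(repr(candidate), "->", safe_redirect_target(candidate))
    print(choose_redirect("/dashboard", "https://evil.example/"))
```

The Referer check is a second line of defence rather than the primary control: browsers and privacy tooling frequently omit or trim the header (a strict Referrer-Policy on your own pages will too), so relying on it alone would turn away legitimate users, and it does nothing against an attacker who simply links to the redirect URL with no referrer at all. The target check is what actually closes the open redirect.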

Summary