XSS Vulnerabilities in cloud-application add-ons

Thanh Bui; Siddharth Rao; Markku Antikainen; Tuomas Aura

doi:10.1145/3320269.3384744

XSS Vulnerabilities in cloud-application add-ons

Thanh Bui, Siddharth Rao, Markku Antikainen, Tuomas Aura

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Scientific › peer-review

5 Citations (Scopus)

129 Downloads (Pure)

Abstract

Many cloud-application vendors open their APIs for third-party developers to easily extend the functionality of their applications. The features implemented with these APIs are called add-ons (also called add-ins or apps). This is a relatively new phenomenon, and its effects on the application security have not been widely studied. It seems likely that some of the add-ons have lower code quality than the core applications themselves and, thus, may bring in security vulnerabilities. In this work, we found that many of such add-ons are vulnerable to cross-site scripting (XSS). The attacker can take advantage of the document-sharing and messaging features of the cloud applications to send malicious input to them. The vulnerable add-ons then execute client-side JavaScript from the carefully crafted malicious input. In a major analysis effort, we systematically studied 300 add-ons for three popular application suites, namely Microsoft Office Online, G Suite and Shopify, and discovered a significant percentage of vulnerable add-ons among them. We present the results of this study, as well as analyze the add-on architectures to understand how the XSS vulnerabilities can be exploited and how the threat can be mitigated.

Original language	English
Title of host publication	Proceedings of the 15th ACM Asia Conference on Computer and Communications Security
Publisher	ACM
Pages	610-621
Number of pages	12
ISBN (Electronic)	9781450367509
DOIs	https://doi.org/10.1145/3320269.3384744
Publication status	Published - 5 Oct 2020
MoE publication type	A4 Conference publication
Event	ACM Asia Conference on Computer and Communications Security - Taipei, Taiwan, Republic of China Duration: 5 Oct 2020 → 9 Oct 2020 Conference number: 15

Conference

Conference	ACM Asia Conference on Computer and Communications Security
Abbreviated title	ASIA CCS
Country/Territory	Taiwan, Republic of China
City	Taipei
Period	05/10/2020 → 09/10/2020

Access to Document

10.1145/3320269.3384744

SCI_Bui_etal_XSS_Vulnerabilities_ASIA_CCS_2020Accepted author manuscript, 598 KB

OpenUrl availability

Full text

Cite this

@inproceedings{fd256ceb013145d28c7351236a2bc61f,

title = "XSS Vulnerabilities in cloud-application add-ons",

abstract = "Many cloud-application vendors open their APIs for third-party developers to easily extend the functionality of their applications. The features implemented with these APIs are called add-ons (also called add-ins or apps). This is a relatively new phenomenon, and its effects on the application security have not been widely studied. It seems likely that some of the add-ons have lower code quality than the core applications themselves and, thus, may bring in security vulnerabilities. In this work, we found that many of such add-ons are vulnerable to cross-site scripting (XSS). The attacker can take advantage of the document-sharing and messaging features of the cloud applications to send malicious input to them. The vulnerable add-ons then execute client-side JavaScript from the carefully crafted malicious input. In a major analysis effort, we systematically studied 300 add-ons for three popular application suites, namely Microsoft Office Online, G Suite and Shopify, and discovered a significant percentage of vulnerable add-ons among them. We present the results of this study, as well as analyze the add-on architectures to understand how the XSS vulnerabilities can be exploited and how the threat can be mitigated.",

author = "Thanh Bui and Siddharth Rao and Markku Antikainen and Tuomas Aura",

year = "2020",

month = oct,

day = "5",

doi = "10.1145/3320269.3384744",

language = "English",

pages = "610--621",

booktitle = "Proceedings of the 15th ACM Asia Conference on Computer and Communications Security",

publisher = "ACM",

address = "United States",

note = "ACM Asia Conference on Computer and Communications Security, ASIA CCS ; Conference date: 05-10-2020 Through 09-10-2020",

}

TY - GEN

T1 - XSS Vulnerabilities in cloud-application add-ons

AU - Bui, Thanh

AU - Rao, Siddharth

AU - Antikainen, Markku

AU - Aura, Tuomas

N1 - Conference code: 15

PY - 2020/10/5

Y1 - 2020/10/5

N2 - Many cloud-application vendors open their APIs for third-party developers to easily extend the functionality of their applications. The features implemented with these APIs are called add-ons (also called add-ins or apps). This is a relatively new phenomenon, and its effects on the application security have not been widely studied. It seems likely that some of the add-ons have lower code quality than the core applications themselves and, thus, may bring in security vulnerabilities. In this work, we found that many of such add-ons are vulnerable to cross-site scripting (XSS). The attacker can take advantage of the document-sharing and messaging features of the cloud applications to send malicious input to them. The vulnerable add-ons then execute client-side JavaScript from the carefully crafted malicious input. In a major analysis effort, we systematically studied 300 add-ons for three popular application suites, namely Microsoft Office Online, G Suite and Shopify, and discovered a significant percentage of vulnerable add-ons among them. We present the results of this study, as well as analyze the add-on architectures to understand how the XSS vulnerabilities can be exploited and how the threat can be mitigated.

AB - Many cloud-application vendors open their APIs for third-party developers to easily extend the functionality of their applications. The features implemented with these APIs are called add-ons (also called add-ins or apps). This is a relatively new phenomenon, and its effects on the application security have not been widely studied. It seems likely that some of the add-ons have lower code quality than the core applications themselves and, thus, may bring in security vulnerabilities. In this work, we found that many of such add-ons are vulnerable to cross-site scripting (XSS). The attacker can take advantage of the document-sharing and messaging features of the cloud applications to send malicious input to them. The vulnerable add-ons then execute client-side JavaScript from the carefully crafted malicious input. In a major analysis effort, we systematically studied 300 add-ons for three popular application suites, namely Microsoft Office Online, G Suite and Shopify, and discovered a significant percentage of vulnerable add-ons among them. We present the results of this study, as well as analyze the add-on architectures to understand how the XSS vulnerabilities can be exploited and how the threat can be mitigated.

UR - http://www.scopus.com/inward/record.url?scp=85096378374&partnerID=8YFLogxK

U2 - 10.1145/3320269.3384744

DO - 10.1145/3320269.3384744

M3 - Conference contribution

SP - 610

EP - 621

BT - Proceedings of the 15th ACM Asia Conference on Computer and Communications Security

PB - ACM

T2 - ACM Asia Conference on Computer and Communications Security

Y2 - 5 October 2020 through 9 October 2020

ER -

XSS Vulnerabilities in cloud-application add-ons

Abstract

Conference

Access to Document

OpenUrl availability

Other files and links

Fingerprint

Security Failures in Modern Software

Cite this

XSS Vulnerabilities in cloud-application add-ons

Abstract

Conference

Access to Document

OpenUrl availability

Other files and links

Fingerprint

Press/Media

Security Failures in Modern Software

Cite this