Abstract
Many cloud-application vendors open their APIs for third-party developers to easily extend the functionality of their applications. The features implemented with these APIs are called add-ons (also called add-ins or apps). This is a relatively new phenomenon, and its effects on the application security have not been widely studied. It seems likely that some of the add-ons have lower code quality than the core applications themselves and, thus, may bring in security vulnerabilities. In this work, we found that many of such add-ons are vulnerable to cross-site scripting (XSS). The attacker can take advantage of the document-sharing and messaging features of the cloud applications to send malicious input to them. The vulnerable add-ons then execute client-side JavaScript from the carefully crafted malicious input. In a major analysis effort, we systematically studied 300 add-ons for three popular application suites, namely Microsoft Office Online, G Suite and Shopify, and discovered a significant percentage of vulnerable add-ons among them. We present the results of this study, as well as analyze the add-on architectures to understand how the XSS vulnerabilities can be exploited and how the threat can be mitigated.
Original language | English |
---|---|
Title of host publication | Proceedings of the 15th ACM Asia Conference on Computer and Communications Security |
Publisher | ACM |
Pages | 610-621 |
Number of pages | 12 |
ISBN (Electronic) | 9781450367509 |
DOIs | |
Publication status | Published - 5 Oct 2020 |
MoE publication type | A4 Conference publication |
Event | ACM Asia Conference on Computer and Communications Security - Taipei, Taiwan, Republic of China Duration: 5 Oct 2020 → 9 Oct 2020 Conference number: 15 |
Conference
Conference | ACM Asia Conference on Computer and Communications Security |
---|---|
Abbreviated title | ASIA CCS |
Country/Territory | Taiwan, Republic of China |
City | Taipei |
Period | 05/10/2020 → 09/10/2020 |
Fingerprint
Dive into the research topics of 'XSS Vulnerabilities in cloud-application add-ons'. Together they form a unique fingerprint.Press/Media
-
Security Failures in Modern Software
Tuomas Aura & Markku Antikainen
14/04/2021
1 item of Media coverage
Press/Media: Media appearance