XSS Vulnerabilities in cloud-application add-ons

Thanh Bui, Siddharth Rao, Markku Antikainen, Tuomas Aura

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Scientific › peer-review

5 Citations (Scopus)
129 Downloads (Pure)

Abstract

Many cloud-application vendors open their APIs for third-party developers to easily extend the functionality of their applications. The features implemented with these APIs are called add-ons (also called add-ins or apps). This is a relatively new phenomenon, and its effects on application security have not been widely studied. It seems likely that some of the add-ons have lower code quality than the core applications themselves and, thus, may bring in security vulnerabilities. In this work, we found that many such add-ons are vulnerable to cross-site scripting (XSS). The attacker can take advantage of the document-sharing and messaging features of the cloud applications to send malicious input to them. The vulnerable add-ons then execute client-side JavaScript from the carefully crafted malicious input. In a major analysis effort, we systematically studied 300 add-ons for three popular application suites, namely Microsoft Office Online, G Suite and Shopify, and discovered a significant percentage of vulnerable add-ons among them. We present the results of this study, as well as analyze the add-on architectures to understand how the XSS vulnerabilities can be exploited and how the threat can be mitigated.
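The attack pattern the abstract describes, as an added example that is not code from the paper or from any of the studied add-ons: an add-on reads content from a host document that a collaborator shared, and inserts it into its own HTML. The host application escapes that content in its own UI, so the payload is inert there; an add-on that concatenates it into markup is what turns it into script execution. The `sharedDocument` object, the payload string and the function names below are constructed for this illustration; the hardened renderer shows the fix (output encoding, the string-building equivalent of `textContent` instead of `innerHTML`).

```javascript
// Added illustration, not code from the paper. The host object, payload and
// helper names are constructed for this example.

// Constructed stand-in for the data a host application (a spreadsheet,
// a document, a storefront) hands an add-on. Anyone who can share a
// document or send a message controls these strings, so the add-on must
// treat them as untrusted input.
const sharedDocument = {
  title: "Q3 budget (shared by a collaborator)",
  cells: [
    ["Item", "Amount"],
    ["Travel", "1200"],
    // Attacker-controlled cell. Harmless in the host's own escaped UI;
    // executes if an add-on copies it into HTML unescaped.
    ['<img src=x onerror="alert(document.domain)">', "0"],
  ],
};

// Vulnerable pattern: untrusted document content concatenated into markup
// (a real add-on would then assign this to innerHTML). Kept for comparison.
function renderTableVulnerable(doc) {
  let html = `<h2>${doc.title}</h2><table>`;
  for (const row of doc.cells) {
    html += "<tr>" + row.map((cell) => `<td>${cell}</td>`).join("") + "</tr>";
  }
  return html + "</table>";
}

// Hardened pattern: encode the five characters that can change HTML
// context before a value enters markup.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderTableSafe(doc) {
  let html = `<h2>${escapeHtml(doc.title)}</h2><table>`;
  for (const row of doc.cells) {
    html += "<tr>" + row.map((cell) => `<td>${escapeHtml(cell)}</td>`).join("") + "</tr>";
  }
  return html + "</table>";
}

// Crude regression check for an add-on's test suite: does any document
// string containing a tag character survive verbatim in the rendered
// output? Returns the offending strings (empty array means none leaked).
function findInjectedMarkup(renderedHtml, doc) {
  const hits = [];
  for (const text of [doc.title, ...doc.cells.flat()]) {
    if (/[<>]/.test(text) && renderedHtml.includes(text)) hits.push(text);
  }
  return hits;
}
```

Running `findInjectedMarkup` against both renderers shows the difference: the vulnerable one emits the `<img ... onerror=...>` cell unchanged, the hardened one emits `&lt;img src=x onerror=&quot;...`, which the browser displays as text. The check is deliberately simple and catches only reflected tag characters; it is a guard against regressions in the rendering code, not a substitute for a content security policy or for reviewing every sink that takes host-supplied data.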

Original language: English
Title of host publication: Proceedings of the 15th ACM Asia Conference on Computer and Communications Security
Publisher: ACM
Pages: 610-621
Number of pages: 12
ISBN (Electronic): 9781450367509
DOIs
Publication status: Published - 5 Oct 2020
MoE publication type: A4 Conference publication
Event: ACM Asia Conference on Computer and Communications Security - Taipei, Taiwan, Republic of China
Duration: 5 Oct 2020 - 9 Oct 2020
Conference number: 15

Conference

Conference: ACM Asia Conference on Computer and Communications Security
Abbreviated title: ASIA CCS
Country/Territory: Taiwan, Republic of China
City: Taipei
Period: 05/10/2020 - 09/10/2020
