XSS Vulnerabilities in cloud-application add-ons

Thanh Bui, Siddharth Rao, Markku Antikainen, Tuomas Aura

Research output: Article in book/conference proceedings; Conference contribution; Scientific; peer-reviewed

5 Citations (Scopus)
129 Downloads (Pure)

Abstract

Many cloud-application vendors open their APIs for third-party developers to easily extend the functionality of their applications. The features implemented with these APIs are called add-ons (also called add-ins or apps). This is a relatively new phenomenon, and its effects on application security have not been widely studied. It seems likely that some of the add-ons have lower code quality than the core applications themselves and, thus, may bring in security vulnerabilities. In this work, we found that many such add-ons are vulnerable to cross-site scripting (XSS). The attacker can take advantage of the document-sharing and messaging features of the cloud applications to send malicious input to them. The vulnerable add-ons then execute client-side JavaScript from the carefully crafted malicious input. In a major analysis effort, we systematically studied 300 add-ons for three popular application suites, namely Microsoft Office Online, G Suite and Shopify, and discovered a significant percentage of vulnerable add-ons among them. We present the results of this study, as well as analyze the add-on architectures to understand how the XSS vulnerabilities can be exploited and how the threat can be mitigated.

Original language: English
Title: Proceedings of the 15th ACM Asia Conference on Computer and Communications Security
Publisher: ACM
Pages: 610-621
Number of pages: 12
ISBN (electronic): 9781450367509
DOI - permanent links
Status: Published - 5 Oct 2020
OKM publication type: A4 Article in conference proceedings
Event: ACM Asia Conference on Computer and Communications Security - Taipei, Taiwan
Duration: 5 Oct 2020 - 9 Oct 2020
Conference number: 15

Conference

Conference: ACM Asia Conference on Computer and Communications Security
Abbreviated title: ASIA CCS
Country/Territory: Taiwan
City: Taipei
Period: 05/10/2020 - 09/10/2020
