XSS Vulnerabilities in cloud-application add-ons

Loading...
Thumbnail Image

Access rights

openAccess

URL

Journal Title

Journal ISSN

Volume Title

A4 Artikkeli konferenssijulkaisussa

Date

2020-10-05

Major/Subject

Mcode

Degree programme

Language

en

Pages

12
610-621

Series

Proceedings of the 15th ACM Asia Conference on Computer and Communications Security

Abstract

Many cloud-application vendors open their APIs for third-party developers to easily extend the functionality of their applications. The features implemented with these APIs are called add-ons (also called add-ins or apps). This is a relatively new phenomenon, and its effects on the application security have not been widely studied. It seems likely that some of the add-ons have lower code quality than the core applications themselves and, thus, may bring in security vulnerabilities. In this work, we found that many of such add-ons are vulnerable to cross-site scripting (XSS). The attacker can take advantage of the document-sharing and messaging features of the cloud applications to send malicious input to them. The vulnerable add-ons then execute client-side JavaScript from the carefully crafted malicious input. In a major analysis effort, we systematically studied 300 add-ons for three popular application suites, namely Microsoft Office Online, G Suite and Shopify, and discovered a significant percentage of vulnerable add-ons among them. We present the results of this study, as well as analyze the add-on architectures to understand how the XSS vulnerabilities can be exploited and how the threat can be mitigated.

Description

Keywords

Other note

Citation

Bui, T, Rao, S, Antikainen, M & Aura, T 2020, XSS Vulnerabilities in cloud-application add-ons . in Proceedings of the 15th ACM Asia Conference on Computer and Communications Security . ACM, pp. 610-621, ACM Asia Conference on Computer and Communications Security, Taipei, Taiwan, Republic of China, 05/10/2020 . https://doi.org/10.1145/3320269.3384744