XSS Vulnerabilities in cloud-application add-ons
Access rights
openAccess
A4 Article in conference proceedings
This publication is imported from Aalto University research portal.
View publication in the Research portal (opens in new window)
View/Open full text file from the Research portal (opens in new window)
Other link related to publication (opens in new window)
Date
2020-10-05
Language
en
Pages
12
610-621
Series
Proceedings of the 15th ACM Asia Conference on Computer and Communications Security
Abstract
Many cloud-application vendors open their APIs to third-party developers so that they can easily extend the functionality of the applications. The features implemented with these APIs are called add-ons (also add-ins or apps). This is a relatively new phenomenon, and its effects on application security have not been widely studied. It seems likely that some add-ons have lower code quality than the core applications themselves and thus may introduce security vulnerabilities. In this work, we found that many such add-ons are vulnerable to cross-site scripting (XSS). The attacker can take advantage of the document-sharing and messaging features of the cloud applications to deliver malicious input to the add-ons. The vulnerable add-ons then execute client-side JavaScript embedded in the carefully crafted malicious input. In a major analysis effort, we systematically studied 300 add-ons for three popular application suites, namely Microsoft Office Online, G Suite and Shopify, and discovered a significant percentage of vulnerable add-ons among them. We present the results of this study and analyze the add-on architectures to understand how the XSS vulnerabilities can be exploited and how the threat can be mitigated.
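The abstract describes the attack path in general terms: an add-on reads content that another user placed in a shared document or message and renders it into its own HTML, so whoever authored the shared content controls script in the add-on's origin. The following is an added example illustrating that pattern and the usual fix (output encoding); it is not code from the paper and does not reproduce any of the studied add-ons. The row objects, the `renderRows*` and `hasUnescapedMarkup` function names, and the list-item template are all assumptions made for the illustration, not any vendor's add-on API.

```javascript
// Added example, not from the paper. Simulates an add-on that renders rows
// of a shared spreadsheet into its own task-pane HTML.

// Constructed sample input: rows as an add-on might receive them from the host
// application's API (the object shape is assumed for this example). The second
// and third rows were written by another collaborator on the shared document.
const sharedRows = [
  { name: "Alice", note: "Ship on Friday" },
  { name: "Mallory", note: '<img src=x onerror="alert(document.cookie)">' },
  { name: 'Bob" onmouseover="alert(1)', note: "safe-looking" },
];

// VULNERABLE: collaborator-controlled strings are concatenated straight into
// markup, in both an attribute context (title) and a text context. Assigning
// this string to innerHTML, or passing it to jQuery's .html(), runs the
// payload in the add-on's origin. Kept deliberately vulnerable for contrast.
function renderRowsVulnerable(rows) {
  return rows
    .map((r) => `<li title="${r.name}">${r.name}: ${r.note}</li>`)
    .join("");
}

// HARDENED: encode every untrusted value for the HTML context it lands in
// before interpolation. The five characters below cover double-quoted
// attribute values and text nodes; unquoted attributes, URLs, and inline
// script or style contexts need different encoders and are not covered here.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function renderRowsHardened(rows) {
  return rows
    .map((r) => {
      const name = escapeHtml(r.name);
      const note = escapeHtml(r.note);
      return `<li title="${name}">${name}: ${note}</li>`;
    })
    .join("");
}

// Cheap regression check tied to this template: strip the <li title="..."> and
// </li> tags the template itself emits, then see whether any raw markup
// metacharacters remain. Raw <, >, or " outside the template's own tags means
// untrusted data reached the markup unencoded. This is a test helper for the
// example, not a general sanitizer.
function hasUnescapedMarkup(html) {
  const withoutTemplateTags = html.replace(/<\/?li(\s+title="[^"]*")?>/g, "");
  return /[<>"]/.test(withoutTemplateTags);
}

// Stand-alone demonstration.
console.log("vulnerable:", renderRowsVulnerable(sharedRows));
console.log("hardened:  ", renderRowsHardened(sharedRows));
console.log("vulnerable leaks markup:", hasUnescapedMarkup(renderRowsVulnerable(sharedRows)));
console.log("hardened leaks markup:  ", hasUnescapedMarkup(renderRowsHardened(sharedRows)));
```

Encoding at the point of output is the fix for this class of bug regardless of which host application delivered the data; frameworks that render through `textContent` or a templating engine with contextual auto-escaping achieve the same effect, and a Content Security Policy on the add-on's page reduces the impact if a miss slips through.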
Citation
Bui, T, Rao, S, Antikainen, M & Aura, T 2020, XSS Vulnerabilities in cloud-application add-ons. In Proceedings of the 15th ACM Asia Conference on Computer and Communications Security. ACM, pp. 610-621, ACM Asia Conference on Computer and Communications Security, Taipei, Taiwan, Republic of China, 05/10/2020. https://doi.org/10.1145/3320269.3384744