XSS Vulnerabilities in Cloud-Application Add-Ons
Cloud-application add-ons are microservices that extend the functionality of the core applications. Many application vendors have opened their APIs for third-party developers and created marketplaces for add-ons (also add-ins or apps). This is a relatively new phenomenon, and its effects on the appl...
Saved in:
Main Authors | , , , |
---|---|
Format | Journal Article |
Language | English |
Published |
27.11.2019
|
Subjects | |
Online Access | Get full text |
Cover
Loading…
Summary: | Cloud-application add-ons are microservices that extend the functionality of
the core applications. Many application vendors have opened their APIs for
third-party developers and created marketplaces for add-ons (also add-ins or
apps). This is a relatively new phenomenon, and its effects on the application
security have not been widely studied. It seems likely that some of the add-ons
have lower code quality than the core applications themselves and, thus, may
bring in security vulnerabilities. We found that many such add-ons are
vulnerable to cross-site scripting (XSS). The attacker can take advantage of
the document-sharing and messaging features of the cloud applications to send
malicious input to them. The vulnerable add-ons then execute client-side
JavaScript from the carefully crafted malicious input. In a major analysis
effort, we systematically studied 300 add-ons for three popular application
suites, namely Microsoft Office Online, G Suite and Shopify, and discovered a
significant percentage of vulnerable add-ons in each marketplace. We present
the results of this study, as well as analyze the add-on architectures to
understand how the XSS vulnerabilities can be exploited and how the threat can
be mitigated. |
---|---|
DOI: | 10.48550/arxiv.1911.12332 |