XAS: Cross-API scripting attacks in social ecosystems

Research Paper. Science China Information Sciences.

Abstract

With the rapid development of online social networks, social platforms release a variety of Web application programming interfaces (APIs) to share profitable social data with all kinds of third-party online services. However, this also brings new risks to social networks once Web APIs are insecurely designed, implemented, or invoked. This paper focuses on the security analysis of a new type of cross-site scripting (XSS) that is based on Web APIs in the new, complex social ecosystems consisting of social networks, third-party apps, and other online services. We refer to this Web API-based XSS as cross-API scripting (XAS). For the first time, we use typical XAS attacks in diverse contexts as case studies to demonstrate the new exploitation opportunities and threats in social ecosystems. We also design a tool to identify design and implementation flaws in the Web APIs of 11 popular social networks, and our experiments uncover several API security flaws. Based on these results, we analyze the causes of XAS flaws in depth. We further examined 143 Web-based apps and verified the prevalence of XAS flaws. Finally, we propose preliminary measures for both social networks and third-party applications to mitigate XAS.
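To make the core XAS mistake concrete, here is an added example (not from the paper or any of the platforms it studied) of a third-party app rendering profile data obtained from a social network's Web API; the API response, its field names and all function names are constructed assumptions. It shows the vulnerable rendering beside the hardened one and a simple test-time check an app developer can run.

```javascript
// Added example (not from the paper): a third-party social app renders
// profile data fetched from a social network's Web API. The response below
// is CONSTRUCTED for this demo; the field names are assumptions.
const apiResponse = JSON.stringify({
  id: "10042",
  display_name: 'Alice <script>alert("xas")</script>',
  bio: "Likes <b>bold</b> claims & long walks",
});

// Vulnerable pattern: the app trusts the data because it came from a
// reputable API and concatenates it straight into markup. Script in a
// profile field stored on the social network now runs in the app's origin.
function renderProfileUnsafe(json) {
  const p = JSON.parse(json);
  return `<h2>${p.display_name}</h2><p>${p.bio}</p>`;
}

// Hardened pattern: treat every API field as untrusted user content and
// HTML-encode it at the point of output, regardless of which API served it.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}
function renderProfileSafe(json) {
  const p = JSON.parse(json);
  return `<h2>${escapeHtml(p.display_name)}</h2><p>${escapeHtml(p.bio)}</p>`;
}

// Defender-side check for an app's test suite: does any raw API field that
// contains a tag survive into the rendered output without encoding?
function leaksRawTags(json, html) {
  const p = JSON.parse(json);
  return Object.values(p).some(
    (v) => /<[a-z!\/]/i.test(String(v)) && html.includes(String(v))
  );
}

console.log("unsafe leaks tags:", leaksRawTags(apiResponse, renderProfileUnsafe(apiResponse))); // true
console.log("safe leaks tags:  ", leaksRawTags(apiResponse, renderProfileSafe(apiResponse)));   // false
```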




Corresponding author

Correspondence to YuQing Zhang.


Cite this article

Zhang, Y., Liu, Q., Luo, Q. et al. XAS: Cross-API scripting attacks in social ecosystems. Sci. China Inf. Sci. 58, 1–14 (2015). https://doi.org/10.1007/s11432-014-5145-1
