DOI: 10.1145/1972551.1972558

An empirical study on the security of cross-domain policies in rich internet applications

Published: 10 April 2011

Abstract

Adobe Flash and Microsoft Silverlight are two widely adopted platforms for providing Rich Internet Applications (RIAs) over the World Wide Web. The need for RIAs to retrieve content hosted on different domains, in order to enrich the user experience, led content providers to adopt cross-domain policies. A cross-domain policy defines the list of RIA-hosting domains that are allowed to retrieve content from the content provider's domain. Misinterpretation or misconfiguration of these policies may give malicious RIAs the opportunity to access and handle users' private data.
In this paper we present an extensive study of the deployment and security issues of cross-domain policies on the web. Through the examination of a large set of popular and diverse (both geographically and content-wise) websites, we reveal that about 50% (more than 6,500 websites) of the websites that have adopted such policies are vulnerable to attacks. Furthermore, we find such policies in more than 50% of the top 500 websites, examined both globally and per country. Additionally, we examine local sets of e-shopping websites and find that up to 83% implement weak policies. Interestingly, we observe that the less popular a website is, the higher the probability that it has a weak policy. Compared to previous studies there is a clear increasing trend in the adoption of RIAs but, at the same time, a decreasing trend in secure implementations. Through a proof-of-concept attack implementation and a number of real-world examples, we highlight the security impact of these policy misconfigurations.
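As an added illustration, not code from the paper, the following Python checker flags the directives that make a Flash crossdomain.xml "weak" in the sense the abstract describes (a wildcard domain grants every origin access; secure="false" lets plain-http origins read https content). The two sample policies are constructed; the element and attribute names follow Adobe's published policy-file format.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies for demonstration (not taken from any real site).
WEAK_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" secure="false"/>
</cross-domain-policy>"""

STRICT_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="app.example.org" secure="true"/>
</cross-domain-policy>"""


def audit_crossdomain(xml_text):
    """Return a list of human-readable findings for a crossdomain.xml document.

    An empty list means no weak directive was found.
    """
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return ["unparseable policy: %s" % exc]
    if root.tag != "cross-domain-policy":
        return ["unexpected root element %r" % root.tag]

    for rule in root.iter("allow-access-from"):
        domain = rule.get("domain", "")
        # Adobe treats a missing 'secure' attribute as true for https-served policies.
        secure = rule.get("secure", "true").lower()
        if domain == "*":
            findings.append("wildcard domain grants every origin access")
        elif domain.startswith("*."):
            findings.append("subdomain wildcard %s widens the trusted set" % domain)
        if secure == "false":
            findings.append('secure="false" lets http origins read https content (%s)' % domain)

    site_control = root.find("site-control")
    if site_control is not None and site_control.get("permitted-cross-domain-policies") == "all":
        findings.append("site-control permits policy files from arbitrary paths")
    return findings


def is_weak(xml_text):
    """Convenience wrapper: True when the policy has at least one finding."""
    return bool(audit_crossdomain(xml_text))
```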


Published In

EUROSEC '11: Proceedings of the Fourth European Workshop on System Security
April 2011
53 pages
ISBN:9781450306133
DOI:10.1145/1972551
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 10 April 2011

Conference

EuroSys '11
Sponsor:
EuroSys '11: Sixth EuroSys Conference 2011
April 10, 2011
Salzburg, Austria

Acceptance Rates

Overall Acceptance Rate 47 of 113 submissions, 42%

Cited By

  • (2023) The Privacy Flag Observatory: A Crowdsourcing Tool for Real Time Privacy Threats Evaluation. Journal of Cybersecurity and Privacy 3:1 (26-43). DOI: 10.3390/jcp3010003. Online publication date: 29-Jan-2023.
  • (2023) Understanding the Country-Level Security of Free Content Websites and their Hosting Infrastructure. 2023 IEEE 10th International Conference on Data Science and Advanced Analytics (DSAA) (1-10). DOI: 10.1109/DSAA60987.2023.10302611. Online publication date: 9-Oct-2023.
  • (2022) A Detailed Evaluation of SQL Injection Attacks, Detection and Prevention Techniques. 2022 5th International Conference on Advances in Science and Technology (ICAST) (352-357). DOI: 10.1109/ICAST55766.2022.10039662. Online publication date: 2-Dec-2022.
  • (2018) Social Media and Social Networking. Social Media for Knowledge Management Applications in Modern Organizations (144-167). DOI: 10.4018/978-1-5225-2897-5.ch007. Online publication date: 2018.
  • (2017) Measuring login webpage security. Proceedings of the Symposium on Applied Computing (1753-1760). DOI: 10.1145/3019612.3019798. Online publication date: 3-Apr-2017.
  • (2014) Ten Years of Rich Internet Applications. ACM Transactions on the Web 8:3 (1-46). DOI: 10.1145/2626369. Online publication date: 8-Jul-2014.
  • (2012) Cross-domain vulnerabilities over social networks. 2012 Fourth International Conference on Computational Aspects of Social Networks (CASoN) (8-13). DOI: 10.1109/CASoN.2012.6412370. Online publication date: Nov-2012.
  • (2012) DEMACRO. Proceedings of the 15th international conference on Research in Attacks, Intrusions, and Defenses (254-273). DOI: 10.1007/978-3-642-33338-5_13. Online publication date: 12-Sep-2012.
