ABSTRACT
The last decade has seen the evolution of web APIs (Application Programming Interfaces) and open data initiatives promoted by governments. This has encouraged develop- ers to build Mashups, web applications that integrate data from multiple servers. ProgrammableWeb.com reports an as- tounding 11,152 APIs and 7384 Mashups, as of March 2014. The browser security model designed for static web pages, however, was insufficient to mitigate the security concerns in mashups. Recent efforts by researchers have enhanced the security model of browsers and provided newer APIs to meet the security requirements of mashups. However, these low- level APIs require significant skill by developers to use them effectively, to avoid creating possibly unsafe applications. In this paper, we start with a survey of security concerns in the insecure usage of HTML5 APIs, particularly relevant to the security of mashups. We then present a high-level library called SafeMash, which helps developers build safe mashups over the current low-level security APIs in HTML5. SafeMash allows the mashup developer to configure the de- gree of interaction and communication of a widget. It warns developers in case of any misconfiguration. Our initial em- pirical analysis shows that an interactive mashup that does not leverage state-of-the-art browser security features can be rebuilt with SafeMash, without any loss in functionality.
- Browserscope, 2014. http://www.browserscope.org/.Google Scholar
- D. Akhawe, P. Saxena, and D. Song. Privilege separation in HTML5 applications. In Proceedings of the USENIX Security Symposium, 2012. Google ScholarDigital Library
- A. Barth. RFC 6454 - The Web Origin Concept. Technical report, 2011. tools.ietf.org/search/rfc6454.Google Scholar
- A. Barth, C. Jackson, and J. C. Mitchell. Securing frame communication in browsers. Communications of the ACM, 52(6):83–91, 2009. Google ScholarDigital Library
- CERN. The birth of the Web. Technical report, 1989. http://home.web.cern.ch/topics/birth-web.Google Scholar
- D. Crockford. Rfc4627: The application/json media type for javascript object notation (json), July 2006. http://tools.ietf.org/html/rfc4627.Google Scholar
- P. De Ryck, M. Decat, L. Desmet, F. Piessens, and W. Joosen. Security of web mashups: a survey. In Information Security Technology for Applications, pages 223–238. Springer, 2012. Google ScholarDigital Library
- R. T. Fielding and R. N. Taylor. Principled design of the modern Web architecture. ACM Transactions on Internet Technology (TOIT), 2(2):115–150, 2002. Google ScholarDigital Library
- M. Finifter, J. Weinberger, and A. Barth. Preventing Capability Leaks in Secure JavaScript Subsets. In NDSS, 2010.Google Scholar
- J. J. Garrett. AJAX: A New Approach to Web Applications, Feb 2005. https://web.archive.org/ web/20080702075113/http://www.adaptivepath.com/ ideas/essays/archives/000385.php.Google Scholar
- S. Hanna, R. Shin, D. Akhawe, A. Boehm, P. Saxena, and D. Song. The Emperor’s New APIs: On the (In)Secure Usage of New Client-side Primitives. In Proceedings of the Web, volume 2, 2010.Google Scholar
- C. Jackson and H. J. Wang. Subspace: Secure Cross-Domain Communication for Web Mashups. In Proceedings of the 16th international conference on World Wide Web, pages 611–620. ACM, 2007. Google ScholarDigital Library
- E. Lawrence. Combating clickjacking with x-frame-options. Blog, March 2010. http: //blogs.msdn.com/b/ieinternals/archive/2010/03/ 30/combating-clickjacking-with-x-frame-options. aspx.Google Scholar
- J. Magazinius, A. Askarov, and A. Sabelfeld. A lattice-based approach to mashup security. In Proceedings of the 5th ACM symposium on information, computer and communications security, pages 15–23. ACM, 2010. Google ScholarDigital Library
- L. A. Meyerovich and B. Livshits. Conscript: Specifying and enforcing fine-grained security policies for javascript in the browser. In Security and Privacy (SP), 2010 IEEE Symposium on, pages 481–496. IEEE, 2010. Google ScholarDigital Library
- J. G. Robert Hansen. Clickjacking, Dec 2008. http://www.sectheory.com/clickjacking.htm.Google Scholar
- G. Rydstedt, E. Bursztein, D. Boneh, and C. Jackson. Busting frame busting: a study of clickjacking vulnerabilities at popular sites. In in IEEE Oakland Web 2.0 Security and Privacy (W2SP 2010), 2010.Google Scholar
- S. Stamm, B. Sterne, and G. Markham. Reining in the web with content security policy. In Proceedings of the 19th international conference on World wide web, pages 921–930. ACM, 2010. Google ScholarDigital Library
- K. C. Telikicherla and V. Choppella. Source code and live demonstration of SafeMash, Feb 2014. https://github.com/iiithyd-websec/safemash.Google Scholar
- W3C. HTML5 CORS-W3C Candidate Recommendation 16 Jan 2014. Technical report. http://www.w3.org/TR/cors/.Google Scholar
- W3C. HTML5 Web Messaging-W3C Candidate Recommendation 1 May 2012. Technical report. http://www.w3.org/TR/webmessaging/.Google Scholar
- W3C. Iframe sandbox-W3C Candidate Recommendation 6 August 2013. Technical report. http://www.w3.org/TR/html5/embedded-content-0. html#the-iframe-element.Google Scholar
- W3C. Simple Object Access Protocol (SOAP) 1.1. http://www.w3.org/TR/soap/.Google Scholar
- W3C. Content Security Policy 1.1-W3C Working Draft 11 February 2014. Technical report, 2014. http://www.w3.org/TR/CSP11/#directives.Google Scholar
- Wikipedia. Principle of least privilege. http://en.wikipedia.org/wiki/Principle_of_ least_privilege.Google Scholar
- O. A. Zabir. Dropthings, 2014. https://code.google.com/p/dropthings/.Google Scholar
Index Terms
- Enabling the development of safer mashups for open data
Recommendations
Third international workshop on web APIs and services Mashups (Mashups'09)
OOPSLA '09: Proceedings of the 24th ACM SIGPLAN conference companion on Object oriented programming systems languages and applicationsThe Web is now programmable. Part of this programmability comes from the many Web APIs available from Web sites, services, and data feeds. An interesting consequence of these APIs is the ability to combine the resulting data and process into new data ...
A Lightweight Platform for Web Mashups in Immersive Mirror Worlds
Cloud City Scene is a lightweight platform that enables visualizations of Web mashups in an immersive mirror-world environment in which annotations blend in with buildings, terrain, and objects, letting users interact with the underlying real-world ...
Developing client-side mashups: experiences, guidelines and the road ahead
MindTrek '10: Proceedings of the 14th International Academic MindTrek Conference: Envisioning Future Media EnvironmentsSoftware mashups that combine content from multiple web sites to an integrated experience are a popular trend. However, methods and tools for creating mashups are still rather undeveloped, and there is little engineering support behind them. In this ...
Comments