DOI: 10.1145/1435497.1435502
research-article

Talking to strangers without taking their candy: isolating proxied content

Published: 01 April 2008

ABSTRACT

Social networks have begun supporting external content integration with platforms like OpenSocial and the Facebook API. These platforms let users install third-party applications and are a popular example of a mashup. Content integration is often accomplished by proxying the third-party content or importing third-party scripts. However, these methods introduce serious risks of user impersonation and data exposure. Modern browsers provide no mechanism to differentiate between trusted and untrusted embedded content. As a result, content providers are forced either to trust third-party scripts or to ensure user safety by means of server-side code sanitization. We demonstrate the difficulties of server-side code filtering, and the ramifications of its failure, with an example from the Facebook Platform. We then propose browser modifications that would distinguish between trusted and untrusted content and enforce their separation.
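The abstract's point that server-side filtering of proxied third-party markup is fragile, illustrated with an added example that is not from the paper and not the Facebook Platform's own filter: a blacklist sanitizer of the kind a content proxy might apply, next to an allowlist re-serializer, both run over constructed inputs. The function names, the allowed tag and attribute sets, and the sample inputs are assumptions made for illustration.

```javascript
// Added example (not from the paper or the Facebook Platform): a naive
// blacklist sanitizer for proxied third-party markup next to an allowlist
// sanitizer, run over constructed inputs that show where the blacklist fails.

// --- 1. Blacklist: remove <script> tags and the literal "javascript:" scheme.
function blacklistSanitize(html) {
  return html
    .replace(/<\/?script\b[^>]*>/gi, "")
    .replace(/javascript:/gi, "");
}

// --- 2. Allowlist: re-serialize only known elements/attributes, escape the rest.
const ALLOWED_TAGS = new Set(["p", "b", "i", "a", "img"]);      // assumed policy
const ALLOWED_ATTRS = { a: ["href"], img: ["src", "alt"] };      // assumed policy

function escapeText(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
          .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Browsers drop embedded tabs/newlines before parsing a URL, so normalize the
// same way before deciding whether the scheme is acceptable.
function safeUrl(value) {
  const v = value.replace(/[\x00-\x20]/g, "");
  return /^(?:https?:\/\/|\/(?!\/))/i.test(v) ? v : null;
}

function allowlistSanitize(html) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  const attrRe = /([a-zA-Z][\w-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let out = "", last = 0, m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index)); // text between tags is always escaped
    last = tagRe.lastIndex;
    const name = m[1].toLowerCase();
    if (!ALLOWED_TAGS.has(name)) continue;        // unknown element: dropped, not copied
    if (m[0][1] === "/") { out += "</" + name + ">"; continue; }
    let attrs = "";
    for (const a of m[2].matchAll(attrRe)) {
      const key = a[1].toLowerCase();
      if (!(ALLOWED_ATTRS[name] || []).includes(key)) continue; // on*, style, etc. dropped
      let val = a[2] !== undefined ? a[2] : a[3] !== undefined ? a[3] : (a[4] || "");
      if (key === "href" || key === "src") {
        val = safeUrl(val);
        if (val === null) continue;               // unacceptable scheme: attribute dropped
      }
      attrs += " " + key + '="' + escapeText(val) + '"';
    }
    out += "<" + name + attrs + ">";
  }
  return out + escapeText(html.slice(last));
}

// Constructed inputs: the first three defeat the blacklist, the last is benign.
const SAMPLES = [
  "<img src=/x onerror=alert(1)>",                 // no <script>, no "javascript:"
  '<a href="java\tscript:alert(1)">x</a>',         // tab splits the blacklisted token
  "<scr<script>ipt>alert(1)</scr</script>ipt>",    // single-pass removal reassembles the tag
  '<p>Hello <b>world</b> <a href="https://example.com/">link</a></p>',
];

function compare() {
  return SAMPLES.map((s) => ({
    input: s,
    blacklist: blacklistSanitize(s),
    allowlist: allowlistSanitize(s),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of compare()) console.log(r);
}
```

The allowlist version survives these three inputs, but it is still server-side filtering: it has to anticipate every parsing quirk of every browser (the tab-in-URL case is one), and any single miss executes with the host site's origin and the user's session. That residual risk is what the paper's proposed browser-enforced separation of trusted and untrusted content is meant to remove.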


Published in

SocialNets '08: Proceedings of the 1st Workshop on Social Network Systems
April 2008
55 pages
ISBN: 9781605581248
DOI: 10.1145/1435497

Copyright © 2008 ACM

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery, New York, NY, United States
