ABSTRACT
Social networks have begun supporting external content integration with platforms like OpenSocial and the Facebook API. These platforms let users install third-party applications and are a popular example of a mashup. Content integration is often accomplished by proxying the third-party content or importing third-party scripts. However, these methods introduce serious risks of user impersonation and data exposure. Modern browsers provide no mechanism to differentiate between trusted and untrusted embedded content. As a result, content providers are forced to trust third-party scripts or ensure user safety by means of server-side code sanitization. We demonstrate the difficulties of server-side code filtering, and the ramifications of its failure, with an example from the Facebook Platform. We then propose browser modifications that would distinguish between trusted and untrusted content and enforce their separation.
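The abstract contrasts server-side code sanitization of proxied third-party content with browser-enforced separation. The following Python example is added here to illustrate the first half of that argument; it is not code from the paper or from the Facebook Platform. It places a naive blocklist filter (strip `<script>` elements and pass everything else through) beside an allowlist sanitizer that rebuilds the markup from a parse, keeping only known tags, attributes and URL schemes. The sample widget markup, the `untrusted()` handler name and the `example.com` URLs are constructed for the demonstration. Even the allowlist version only governs markup the proxy actually sees, which is the limitation that motivates the browser-side isolation the abstract goes on to propose.

```python
import html
import re
from html.parser import HTMLParser

# --- Naive blocklist filter: the fragile approach the abstract warns about ---
# Strips <script> elements and nothing else, so event-handler attributes and
# javascript: URLs pass straight through to the hosting site's origin.
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.IGNORECASE | re.DOTALL)


def naive_filter(markup: str) -> str:
    """Remove <script> elements with a regular expression; everything else is kept."""
    return SCRIPT_RE.sub("", markup)


# --- Allowlist sanitizer: rebuild output from a parse, keeping only known-safe parts ---
ALLOWED_TAGS = {"p", "b", "i", "a", "img", "ul", "li", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
DROP_CONTENT_TAGS = {"script", "style"}  # their text is code, not content
VOID_TAGS = {"img", "br"}


def _safe_url(value: str) -> bool:
    """Accept http(s) and same-origin relative URLs only (rejects javascript:, data:, //host)."""
    v = value.strip().lower()
    return v.startswith(("http://", "https://")) or (v.startswith("/") and not v.startswith("//"))


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # text arrives decoded; we re-escape on output
        self.out = []
        self.dropping = 0  # nesting depth inside <script>/<style>, whose text is discarded

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.dropping += 1
            return
        if self.dropping or tag not in ALLOWED_TAGS:
            return  # unknown element: drop the tag, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops every on* handler, style, etc.
            value = value or ""
            if name in URL_ATTRS and not _safe_url(value):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.dropping = max(0, self.dropping - 1)
            return
        if not self.dropping and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(html.escape(data, quote=False))


def sanitize(markup: str) -> str:
    """Return the allowlisted reconstruction of untrusted third-party markup."""
    parser = AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)


# Constructed sample of third-party widget markup (not taken from the paper).
SAMPLE = (
    '<p onmouseover="untrusted()">Hello <b>world</b></p>'
    "<script>document.cookie</script>"
    '<a href="javascript:untrusted()">click</a>'
    '<img src="https://example.com/x.png" alt="pic" onerror="untrusted()">'
)

if __name__ == "__main__":
    print("naive :", naive_filter(SAMPLE))
    print("allow :", sanitize(SAMPLE))
```

Running the module prints both outputs: the naive filter removes only the `<script>` element and leaves `onmouseover`, `onerror` and the `javascript:` link in place, while the allowlist sanitizer emits `<p>Hello <b>world</b></p><a>click</a><img src="https://example.com/x.png" alt="pic">`. The design choice is to never copy input bytes to output: every emitted tag, attribute and text node is regenerated from the parse tree, so anything the allowlist does not name cannot survive.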
Talking to strangers without taking their candy: isolating proxied content