Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cross-Site Scripting Attacks in Social Network APIs Yuqing Zhang, Xiali Wang, Qihan Luo, Qixu Liu.

Published byBruce Wilkerson Modified over 10 years ago

Similar presentations

Presentation on theme: "Cross-Site Scripting Attacks in Social Network APIs Yuqing Zhang, Xiali Wang, Qihan Luo, Qixu Liu."— Presentation transcript:

1 Cross-Site Scripting Attacks in Social Network APIs Yuqing Zhang, Xiali Wang, Qihan Luo, Qixu Liu

2 RESTful API 2 All kinds of Websites(e.g. Social Network) Third-Party Application Server REST XML-RPC Third-Party Application Server JavaScript SOAP Third-Party Application Server 18% 6% 3% 71% Data From: http://www.bogotobogo.com/WebTechnologies/OpenAPI_RESTful.php 2012

3 /request RESTful API 3 Get everything you need from the server via a URL. http://website.com/resources?q=requestGET POST POSTDATA: q=request The server responses mainly in two formats: JSON and XML. The whole procedure follows the OAuth protocol. Website(e.g. Social Network) Third-Party Application Server Request for authorization Access Token Request for resources Response with resources

4 Cross Site Scripting in RESTful API 4 Website(e.g. Social Network) Evil Code Third-Party Application Server Attacker Victim Can’t Execute Visit Upload Malicious Code Response with escaped code Response with un- encoded code Request for data Visit Can Execute Evil Code Response with un- escaped code Evil Code RESTful API

5 XAS in Social Networks 5 Social Network Mash-up Applications Desktop Applications Third-party Mobile Clients Interconnected Services

6 XAS in Mash-up Applications 6

7 XAS in Interconnected Services 7 Facebook

8 XAS in Desktop Applications 8

9 XAS in Third-party Mobile Clients 9 VulnerableNot Vulnerable m.slandr.net dabr.co.uk m.tweete.net twetmob.com itweet.net www.tweetree.com mobile.twitter.com twittme.mobi www.twittermobile.net Nine Twitter mobile Web applications

10 XAS in Social Networks 10

11 Affect multiple parties. Differences from Traditional XSS 11 Malicious code transmitted through RESTful APIs. Inherited social relationship. Not limited by same-origin policy (SOP).

12 Commonly, there are two ways to escape user inputs: Scheme I : to escape user inputs when they are sent to the server and then stored in sanitized form in the database. Scheme II: to store user inputs as they are and to escape them when they are displayed. Scheme II must be done by third-party websites. Fuzzing and Results 12

13 Fuzzing and Results 13 RESTful API Calling Method http://api.twitter.com/1/statuses/retweet/:id.json? text=testMsg POST https://graph.facebook.com/130***041/comments?message=Test GET Auth_Method = OAuth2.0 CallMethod = POST API_Provider = dev.facebook.com ParamsCount = 1 API_Key = 191742207560268 Param0 = msg API_Secret = af6ddd003cc0e2de697ace0406d4dfc8 Type0 = String Response_Format = JSON Initial_value0 = Test Scope = publish_stream, create_event, … DoTest0 = true Authorization_URI = https://www.facebook.com/dialog/oauth Access_Token_URI= https://graph.facebook.com/oauth/access/token API_ URI=https://graph.facebook.com/***/comments?message=Test Architecture overview of our tool identifying Web API flaws

14 Fuzzing and Results 14 Our tool identified ill-formed API responses: (1) Content-Type Header is incorrectly configured, e.g. “Content-Type: text/html”; (2) The response is in HTML format rather than expected JSON or XML. Our tool also identifies tainted API responses.

15 Tainted API Response 15 The API response contains the JavaScript code we inject as API parameters. The API response contains simple-escaped test vectors. e.g. the character “/” is converted into “\/” and “"” into “\"”. The API response contains the Unicoded or the Hex-encoded form of the test vectors. e.g. “\u003Cscript\u003E alert(131425); \u003C\/script\u003E” and “\x3c iframe onload=alert (/xas/)>\x3e”.

16 Challenges 16 URI path parameters. Rate limiting. Multiple OAuth versions. “(/:\w+(-\w+)*)[/|\?|\.]

17 Fuzzing and Results 17 11 popular social networks were selected: Twitter, Facebook, Foursquare, LinkedIn, Flickr, Tumblr, Renren, Weibo, t.qq.com, t.163.com, t.sohu.com 143 web-based applications were probed. 107 were found vulnerable to XAS.

18 Fuzzing and Results 18 TwitterFacebookFoursquareLinkedInt.qq.com The API Flaws ISSRF√×××√ ISDRF×√-×× ICT√√××√ ICF√×××× VHT, -- TumblrRenrenWeiboFlickrt.163.comt.sohu.com The API Flaws ISSRF×√×√√× ISDRF-√√××× ICT×√×√√√ ICF××××√√ VHT - - - ISSRF: Inconsistent HTML-escape Schemes for the Same Response Format ISDRF: Inconsistent HTML- escape Schemes for Different Response Format (JSON and XML). ICT: Incorrect Content-Type in API responses. ICF: Incorrect Content Format in API responses. VHT: Valid HTML Tags in normal API responses (VHT is not a flaw but a feature of tested APIs). “√” denotes the corresponding flaw exists. “×” denotes the corresponding flaw doesn’t exist. “-” for the API flaws denote XML response format is not supported. “-” for VHT denotes no valid HTML tags exist in the normal API responses. API flaws and valid HTML tags discovered

19 Fuzzing and Results 19 The ratios for adopted HTML-escape schemes in tested APIs

20 Fuzzing and Results 20 TwitterFacebookFoursquareLinkedInt.qq.com Scheme I----1/15 Scheme II13/2117/197/88/99/15 API Response----1/15 TumblrRenrenWeiboFlickrt.163.comt.sohu.com Scheme I----1/114/11 Scheme II3/511/1217/219/115/11- API Response-----1/11 “-” denotes the website does not contain corresponding flaws of a certain cause. “A/B” denotes the ratio of XAS flaws due to a certain cause where “B” represents the total number of third-party applications we checked in the website and “A” represents the number of third-party applications containing XAS flaws of a certain cause. The ratios of XAS flaws due to different causes

21 Mitigation 21 All the API responses should be set with proper Content-Type headers. User-input data from APIs should be sanitized. Data should be loaded dynamically on the client side via JSONP rather than statically on the server side. Scheme I should be applied.

22 Mitigation 22 The characters “ ” and their valid encoding expressions including the Hex-encoded and Unicoded ones in API responses are all HTML-escaped. The tags in the white list are once again unescaped to meet the intention of normal API responses.

23 Conclusions 23 XSS in RESTful API (XAS) spreads widely and is different from traditional XSS. 143 web-based applications in 11 popular social networks were detected and 107 were found vulnerable to XAS. Steps must be taken to mitigate problems.

24 Thank You

Download ppt "Cross-Site Scripting Attacks in Social Network APIs Yuqing Zhang, Xiali Wang, Qihan Luo, Qixu Liu."

Similar presentations

PHP Form and File Handling

PHP Form and File Handling
Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Hossain Shahriar Mohammad Zulkernine. One of the worst vulnerabilities in web applications It involves the generation of dynamic HTML contents with invalidated.

Hossain Shahriar Mohammad Zulkernine. One of the worst vulnerabilities in web applications It involves the generation of dynamic HTML contents with invalidated.
By Loukik Purohit & Rohit Ghatol

By Loukik Purohit & Rohit Ghatol
Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
Protecting Browsers from Cross-Origin CSS Attacks Lin-Shung Huang, Zack Weinberg Carnegie Mellon University Chris Evans Google Collin Jackson Carnegie.

Protecting Browsers from Cross-Origin CSS Attacks Lin-Shung Huang, Zack Weinberg Carnegie Mellon University Chris Evans Google Collin Jackson Carnegie.
17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation.

17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation.
Common Exploits Aaron Cure Cypress Data Defense. SQL Injection.

Common Exploits Aaron Cure Cypress Data Defense. SQL Injection.
1 MTvScan (Malware, Trojan, Viruses Scanner) Enterprise Class Security Scanner.

1 MTvScan (Malware, Trojan, Viruses Scanner) Enterprise Class Security Scanner.
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
Team Members: Brad Stancel,

Team Members: Brad Stancel,
Web 2.0 security Kushal Karanjkar Under guidance of Prof. Richard Sinn.

Web 2.0 security Kushal Karanjkar Under guidance of Prof. Richard Sinn.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?

CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?
Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.

Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
More APIs: Web Services CMPT 281. Announcements Project milestone Lab: – Web services examples.

More APIs: Web Services CMPT 281. Announcements Project milestone Lab: – Web services examples.
WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.

WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.

Similar presentations

Ads by Google