English

XSS Vulnerabilities in Cloud-Application Add-Ons

Cryptography and Security 2019-11-28 v1

Abstract

Cloud-application add-ons are microservices that extend the functionality of the core applications. Many application vendors have opened their APIs for third-party developers and created marketplaces for add-ons (also add-ins or apps). This is a relatively new phenomenon, and its effects on the application security have not been widely studied. It seems likely that some of the add-ons have lower code quality than the core applications themselves and, thus, may bring in security vulnerabilities. We found that many such add-ons are vulnerable to cross-site scripting (XSS). The attacker can take advantage of the document-sharing and messaging features of the cloud applications to send malicious input to them. The vulnerable add-ons then execute client-side JavaScript from the carefully crafted malicious input. In a major analysis effort, we systematically studied 300 add-ons for three popular application suites, namely Microsoft Office Online, G Suite and Shopify, and discovered a significant percentage of vulnerable add-ons in each marketplace. We present the results of this study, as well as analyze the add-on architectures to understand how the XSS vulnerabilities can be exploited and how the threat can be mitigated.

Keywords

Cite

@article{arxiv.1911.12332,
  title  = {XSS Vulnerabilities in Cloud-Application Add-Ons},
  author = {Thanh Bui and Siddharth Rao and Markku Antikainen and Tuomas Aura},
  journal= {arXiv preprint arXiv:1911.12332},
  year   = {2019}
}
R2 v1 2026-06-23T12:29:21.053Z