(In)Secure Usage of New Client Side Primitives
In Proceedings of the 4th Web 2.0 Security and Privacy Workshop (W2SP), Oakland, May 2010.
@InProceedings{saxena10kudzu,
author = {Steve Hanna and Richard Shin and Devdatta Akhawe and Arman Boehm and Prateek Saxena and Dawn Song},
title = {The Emperor's New APIs: On the (In)Secure Usage of New Client Side Primitives},
booktitle = {Proceedings of the 4th Web 2.0 Security and Privacy Workshop (W2SP)},
year = {2010},
month = may,
address = {Oakland},
}
Abstract
Several new browser primitives have been proposed to meet the demands
of application interactivity while enabling security. To investigate
whether applications consistently use these primitives safely in
practice, we study the real-world usage of two client-side primitives,
namely postMessage and HTML5's client-side database storage. We
examine new purely client-side communication protocols layered on
postMessage (Facebook Connect and Google Friend Connect) and several
real-world web applications (including Gmail, Buzz, Maps and others)
which use client-side storage abstractions. We find that, in practice,
these abstractions are used insecurely, which leads to severe
vulnerabilities and can increase the attack surface for web
applications in unexpected ways. We conclude the paper by offering
insights into why these abstractions can potentially be hard to use
safely, and propose the economy of liabilities principle for designing
future abstractions. The principle recommends that a good design for a
primitive should minimize the liability that the user undertakes to
ensure application security.
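The abstract's central point about postMessage is that the receiving side, not the primitive, carries the liability of checking who sent a message and what it contains. The following is an added illustration, not code from the paper or from any of the products it studies: a receiver that acts on any message it gets, beside one that checks the sender origin against an allowlist and validates the message shape before using it. The origin, message format and token field are constructed assumptions for the example.

```javascript
// Added example (not from the paper): origin and shape checks on a
// postMessage receiver. Origins and message format below are assumptions.
const TRUSTED_ORIGINS = new Set([
  "https://identity-provider.test", // constructed placeholder origin
]);

// Insecure pattern: trusts any frame or window that can reach this listener.
// Any page that can obtain a reference to this window can drive the handler.
function insecureHandler(event) {
  return JSON.parse(event.data);
}

// Hardened pattern: (1) check event.origin against an explicit allowlist,
// (2) parse defensively, (3) validate the message structure, (4) return only
// the fields the application actually needs.
function secureHandler(event, trusted = TRUSTED_ORIGINS) {
  if (!trusted.has(event.origin)) return null; // unknown sender: ignore
  let msg;
  try {
    msg = JSON.parse(event.data);
  } catch {
    return null; // malformed payload
  }
  if (typeof msg !== "object" || msg === null) return null;
  if (msg.type !== "session" || typeof msg.token !== "string") return null;
  return { type: msg.type, token: msg.token };
}

// Sender side: name the intended recipient origin instead of "*", so the
// message is dropped by the browser if the target window was navigated
// elsewhere before delivery.
function sendSession(targetWindow, token, targetOrigin) {
  const payload = JSON.stringify({ type: "session", token });
  targetWindow.postMessage(payload, targetOrigin);
  return payload;
}

// Wire up the hardened listener when running inside a browser.
if (typeof window !== "undefined") {
  window.addEventListener("message", (e) => {
    const m = secureHandler(e);
    if (m) console.log("accepted session message from", e.origin);
  });
}
```

In a real deployment the allowlist would be derived from configuration rather than hard-coded, and the same discipline applies in reverse: the page that embeds a third-party widget must also validate what the widget posts back, because the browser only tells the receiver the origin, it does not decide whether that origin should be trusted.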