Attacks on JavaScript Mashup Communication

Executive Summary

In a mashup, two principals wish to communicate without ceding complete control to each other. In this paper, the authors analyze whether existing and proposed JavaScript mashup communication mechanisms have this security property. They show that a failure to account for details of JavaScript often lets one communicant completely compromise the other. They illustrate these vulnerabilities with proof-of-concept privilege escalation attacks. Based on their analysis, they recommend that mashup communication mechanisms prevent privilege escalation by using lexical authorization across a specified interface that enforces type checks and allows the communicants to exchange only primitive values.
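The recommended interface in working form, as an added example (not the paper's own code): an endpoint that hands out only a `send` capability from a closure (lexical authorization) and delivers only values whose `typeof` is string, number or boolean, shown beside an unchecked endpoint that coerces its input so the difference is visible. The function names `createEndpoint`, `createUncheckedEndpoint` and `runDemo`, and the sample traffic, are assumptions made for this example.

```javascript
// Added example, not code from the paper. Implements the paper's recommendation:
// a mashup channel that enforces type checks and exchanges only primitive values.
const PRIMITIVE_TYPES = new Set(["string", "number", "boolean"]);

// typeof separates primitives from anything that can carry behaviour: a boxed
// primitive such as new String("x"), a plain object, null or a function all fail.
function isPrimitiveMessage(value) {
  return PRIMITIVE_TYPES.has(typeof value);
}

// The receiver's handler stays inside the closure; the sender only ever holds
// `send`, and a rejected message never reaches the handler at all.
function createEndpoint(handler) {
  const audit = [];
  function send(message) {
    const accepted = isPrimitiveMessage(message);
    audit.push({ accepted, type: typeof message });
    if (accepted) handler(message);
    return accepted;
  }
  return { send, audit };
}

// Contrast: an endpoint that trusts the sender and coerces to string. The
// coercion invokes whatever toString the sender attached, inside the receiver.
function createUncheckedEndpoint(handler) {
  return { send(message) { handler(String(message)); return true; } };
}

// Constructed sample traffic: two primitives, a boxed string carrying a
// sender-supplied toString, a function and a plain object.
function runDemo() {
  let toStringCalls = 0;
  const boxed = new String("hello");
  boxed.toString = function () { toStringCalls += 1; return "hello"; };
  const traffic = ["hello", 42, boxed, () => "callback", { v: 1 }];

  const received = [];
  const checked = createEndpoint((m) => received.push(m));
  const results = traffic.map((m) => checked.send(m));
  const callsAfterChecked = toStringCalls;          // stays 0

  const unchecked = createUncheckedEndpoint(() => {});
  unchecked.send(boxed);
  const callsAfterUnchecked = toStringCalls;        // becomes 1

  return { results, received, callsAfterChecked, callsAfterUnchecked };
}
```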

  • Format: PDF
  • Size: 1704.8 KB