Security of Web Mashups: A Survey

Conference paper. Information Security Technology for Applications (NordSec 2010)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 7127)

Abstract

Web mashups, a new web application development paradigm, combine content and services from multiple origins into a new service. Web mashups heavily depend on interaction between content from multiple origins and on communication with different origins. In contrast, mashup security relies on separation for protecting code and data. Traditional HTML techniques fail to address both the interaction/communication needs and the separation needs. This paper proposes concrete requirements for building secure mashups, divided into four categories: separation, interaction, communication and advanced behavior control. For the first three categories, all currently available techniques are discussed in light of the proposed requirements. For the last category, we present three relevant academic research results with high potential. We conclude the paper by highlighting the techniques most applicable to building secure mashups, on the basis of their functionality and standardization. We also discuss opportunities for future improvements and developments.

© 2012 Springer-Verlag Berlin Heidelberg

Cite this paper

De Ryck, P., Decat, M., Desmet, L., Piessens, F., Joosen, W. (2012). Security of Web Mashups: A Survey. In: Aura, T., Järvinen, K., Nyberg, K. (eds) Information Security Technology for Applications. NordSec 2010. Lecture Notes in Computer Science, vol 7127. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-27937-9_16

  • DOI: https://doi.org/10.1007/978-3-642-27937-9_16

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-27936-2

  • Online ISBN: 978-3-642-27937-9

  • eBook Packages: Computer Science (R0)