Hackers of India

Enabling Un-trusted Mashups

By Bishan Singh on 06 Sep 2011 @ Securitybyte

Abstract

Web mashups are the ultimate manifestation of user-generated content, arguably primed for unprecedented growth. This notion is already being realized with the proliferation of open social platforms where the user is the developer, the consumer and the distribution network.

Mashups are everywhere, but in an avatar that is intrinsically insecure. They run on a technology stack that was never written with mashups in mind. Either the un-trusted mashup code runs with the same privileges as the trusted parent code served from the host site, or it is iframed. While iframes do have some security benefits, they mostly provide a false sense of security, because of provisions that a malicious user can easily exploit. Then there is a third kind, invented specifically to solve this conundrum: virtual web sandboxing, which enables the required secure behaviour but comes with its own trade-offs and limitations.

In this talk you will witness live demos of various attacks on mashups, potential solutions, their drawbacks and relevant risk management approaches.
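The second embedding model the abstract describes (the iframe) only isolates the host when the host also refuses to act on messages it cannot attribute to that frame. The following is an added illustration, not code from the talk: the same third-party widget embedded the insecure way and the sandboxed way, plus a host-side bridge that checks source, origin and payload shape before applying anything. The widget URL and the `widget:resize` message format are assumptions.

```javascript
// Added example, not from the talk: one third-party widget embedded two ways,
// plus the host-side message bridge that makes iframe isolation actually hold.
// WIDGET_URL and the "widget:resize" message shape are assumptions.

const WIDGET_URL = 'https://widgets.example.net/weather.html';

// Way 1 (insecure): the untrusted code becomes first-party code of the host
// page, with full access to its DOM, cookies and storage.
function buildInsecureEmbed(url) {
  return `<script src="${url}"></script>`;
}

// Way 2 (hardened): sandbox without allow-same-origin gives the frame an
// opaque origin, so even a widget served from the host's own domain cannot
// touch the host DOM or cookies; allow-scripts is the only capability granted.
function buildSandboxedEmbed(url) {
  return `<iframe src="${url}" sandbox="allow-scripts" referrerpolicy="no-referrer"></iframe>`;
}

// Host-side handler for window.addEventListener('message', ...). An iframe
// alone isolates nothing if the host acts on any message it receives, so the
// bridge checks (a) the message came from the frame's own window object,
// (b) the origin is the expected one (the string "null" for a frame sandboxed
// without allow-same-origin), and (c) the payload has the agreed shape.
function makeBridge(expectedSource, expectedOrigin, apply) {
  return function onMessage(event) {
    if (event.source !== expectedSource) return false;
    if (event.origin !== expectedOrigin) return false;
    const msg = event.data;
    if (!msg || typeof msg !== 'object' || msg.type !== 'widget:resize') return false;
    const height = Number(msg.height);
    if (!Number.isInteger(height) || height < 0 || height > 2000) return false;
    apply(height);
    return true;
  };
}

// Browser usage (constructed): after inserting buildSandboxedEmbed(WIDGET_URL)
// into the page,
//   const frame = document.querySelector('iframe');
//   window.addEventListener('message',
//     makeBridge(frame.contentWindow, 'null', h => { frame.style.height = h + 'px'; }));
```

Sending a hostile message from another window, or a malformed one from the real frame, is rejected by the bridge before anything reaches the host DOM.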