InteGuard: Toward Automatic Protection of Third-Party Web Service Integrations

A web application today often utilizes web APIs to incorporate third-party services into its functionality. Such API integration, however, is full of security perils: recent studies show that popular web sites using high-profile web services, such as PayPal/Amazon checkouts and Facebook/Google singlesign-on (SSO) services, are riddled with logic flaws, enabling a malicious party to shop for free or log into a victim’s account. To address this new threat, techniques need to be developed to facilitate secure integration of third-party web services. To answer this urgent call, we present in this paper InteGuard, the first system that offers security protection to vulnerable web API integrations. InteGuard operates a proxy in front of the service integrator’s web site, performing security checks on a set of invariant relations among the HTTP messages the integrator receives during a transaction (e.g., a checkout from a web store or a web SSO). These invariants link multiple HTTP sessions to a transaction and capture their security-critical relations. They also characterize transactionrelated communication the proxy cannot directly observe, which happens between the client and the service provider. InteGuard includes a suite of novel techniques that automatically extract such invariants from a variety of communication channels adopted by diverse integrations and achieve effective false positive control in this process. Our evaluation shows that InteGuard can defeat complicated exploits on high-profile web services, with little impact on their normal operations.