Welcome to Scribd, the world's digital library. Read, publish, and share books and documents. See more
Download
Standard view
Full view
of .
Save to My Library
Look up keyword
Like this
2Activity
0 of .
Results for:
No results containing your search query
P. 1
Feed Injection in Web 2.0 - HackingFeeds

Feed Injection in Web 2.0 - HackingFeeds

Ratings: (0)|Views: 27 |Likes:
Published by Dhruv Jain
Uploaded by Hack Archives - http://undergroundlegacy.co.cc -
Uploaded by Hack Archives - http://undergroundlegacy.co.cc -

More info:

Published by: Dhruv Jain on Mar 19, 2011
Copyright:Attribution Non-commercial

Availability:

Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less

06/10/2013

pdf

text

original

 
 
Start Secure. Stay Secure.™
 
Feed Injection in Web 2.0
Hacking RSS and Atom Feed Implementations
 
By Robert Auger, SPI Labs
 
 
 
Start Secure. Stay Secure.™
 
© 2006 SPI Dynamics, Inc. All Rights Reserved.No reproduction or redistribution without written permission.
ii
Feed Injection in Web 2.0
Table of Contents
INTRODUCTION................................................................................. 3
 
WEB FEEDS AS ATTACK VECTORS ...................................................... 4
 
Readers treating <> as literals.................................................................. 4
 
Readers converting the HTML entities to their true values.............................. 5
 
Readers stripping out &lt; &gt; < and > during display................................. 6
 
RISKS BY ZONE ................................................................................. 7
 
Remote Zone Risks.................................................................................. 7
 
Local Zone Risks ..................................................................................... 8
 
READER TYPE-SPECIFIC RISKS........................................................ 11
 
Web Reader Risks...................................................................................11
 
Web Site Risks.......................................................................................11
 
USING A FEED AS A DEPLOYMENT VECTOR...................................... 12
 
How Does One Utilize a Web Feed Vulnerability?.........................................12
 
RISKS BY STANDARD....................................................................... 13
 
RSS......................................................................................................13
 
Atom....................................................................................................13
 
CONCLUSION................................................................................... 14
 
REFERENCES AND ADDITIONAL READING....................................... 16
 
ABOUT SPI LABS.............................................................................. 18
 
ABOUT S.P.I. DYNAMICS INCORPORATED ....................................... 19
 
 
 
Start Secure. Stay Secure.™
 
© 2006 SPI Dynamics, Inc. All Rights Reserved.No reproduction or redistribution without written permission.
3
Feed Injection in Web 2.0
Introduction
One new feature of "Web 2.0", the movement to build a more responsiveWeb, is the utilization of XML content feeds which use the RSS and Atomstandards. These feeds allow both users and Web sites to obtain contentheadlines and body text without needing to visit the site in question,basically providing users with a summary of that sites content. Unfortunately,many of the applications that receive this data do not consider the securityimplications of using content from third parties and unknowingly makethemselves and their attached systems susceptible to various forms of attack.This white paper discusses various forms of attacks based on Web feeds thatfollow the RSS, Atom and XML standards. This paper does not extensivelycover each XML element and its usage within Web-based feeds, nor does itaddress other vulnerability scenarios such as buffer overflows and other XML-specific risks. The goal of this paper is to outline the risks of lesser-knownthreats which are currently emerging on the Web utilizing Cross-SiteScripting.

You're Reading a Free Preview

Download
/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->