Hacking Feeds
Published by: api-3714345 on Oct 18, 2008
Start Secure. Stay Secure.™
Feed Injection in Web 2.0
Hacking RSS and Atom Feed Implementations
By Robert Auger, SPI Labs
© 2006 SPI Dynamics, Inc. All Rights Reserved.
No reproduction or redistribution without written permission.
Table of Contents
INTRODUCTION ........................................................ 3
WEB FEEDS AS ATTACK VECTORS ......................................... 4
    Readers treating < > as literals ................................ 4
    Readers converting the HTML entities to their true values ....... 5
    Readers stripping out &lt; &gt; < and > during display ......... 6
RISKS BY ZONE ....................................................... 7
    Remote Zone Risks ............................................... 7
    Local Zone Risks ................................................ 8
READER TYPE-SPECIFIC RISKS ......................................... 11
    Web Reader Risks ............................................... 11
    Web Site Risks ................................................. 11
USING A FEED AS A DEPLOYMENT VECTOR ................................ 12
    How Does One Utilize a Web Feed Vulnerability? ................. 12
RISKS BY STANDARD .................................................. 13
    RSS ............................................................ 13
    Atom ........................................................... 13
CONCLUSION ......................................................... 14
REFERENCES AND ADDITIONAL READING .................................. 16
ABOUT SPI LABS ..................................................... 18
ABOUT S.P.I. DYNAMICS INCORPORATED ................................. 19

Introduction

One new feature of "Web 2.0", the movement to build a more responsive Web, is the use of XML content feeds that follow the RSS and Atom standards. These feeds allow both users and Web sites to obtain content headlines and body text without visiting the site in question, essentially providing users with a summary of that site's content. Unfortunately, many of the applications that receive this data do not consider the security implications of using content from third parties and unknowingly make themselves and their attached systems susceptible to various forms of attack.

This white paper discusses various forms of attacks based on Web feeds that follow the RSS, Atom and XML standards. It does not extensively cover each XML element and its usage within Web-based feeds, nor does it address other vulnerability scenarios such as buffer overflows and other XML-specific risks. The goal of this paper is to outline the risks of lesser-known threats that are currently emerging on the Web and that utilize Cross-Site Scripting.
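The point the paper builds on is that a feed's `<description>` carries third-party HTML, usually entity-encoded, and the XML parser hands it back to the reader as live markup. The following added example (not code from the paper or from SPI Labs) uses a constructed RSS item to show that a naive check on the raw feed text sees no `<script` at all, that the parsed description does contain it, and that a reader must re-escape at the display boundary rather than trust the decoded text; the feed content, the `untrusted.example` host and the render functions are all assumptions made for this illustration.

```python
import html
import xml.etree.ElementTree as ET

# Constructed sample feed (not taken from the paper). The description carries
# HTML markup entity-encoded, which is the usual way RSS 2.0 transports it.
SAMPLE_RSS = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Example feed</title>
<item>
  <title>Entry one</title>
  <description>Plain &lt;b&gt;bold&lt;/b&gt; text &lt;script src="https://untrusted.example/x.js"&gt;&lt;/script&gt;</description>
</item>
</channel></rss>"""


def feed_items(rss_xml):
    """Return (title, description) pairs for each <item>.

    ElementTree decodes &lt; &gt; &amp; while parsing, so the description
    comes back as real markup: this is what a feed reader actually holds
    once the XML layer is done, regardless of how the feed looked on the wire.
    """
    root = ET.fromstring(rss_xml)
    return [(item.findtext("title", ""), item.findtext("description", ""))
            for item in root.iter("item")]


def render_unsafe(title, description):
    # Vulnerable pattern: the decoded description is concatenated straight
    # into the reader's own page, so third-party markup, script included,
    # executes in the reader's origin.
    return f"<h2>{title}</h2><div>{description}</div>"


def render_safe(title, description):
    # Hardened pattern: escape again at the display boundary so the decoded
    # markup is shown as literal text. A reader that wants to keep some
    # formatting would instead pass the text through an HTML allow-list
    # sanitiser here; plain escaping is the simplest correct baseline.
    return f"<h2>{html.escape(title)}</h2><div>{html.escape(description)}</div>"


def raw_feed_mentions_script(rss_xml):
    # A pre-filter that inspects the feed before XML decoding is looking at
    # the wrong representation: the entity-encoded payload does not match.
    return "<script" in rss_xml.lower()
```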
