Hacking RSS and Atom

0
179

RSS and Atom feeds makes easy for the user to surf the Web for any updated information instead of going through each for any updated information instead of going through each Website RSS and Atom feeds are collectively called as Syndication feeds.

These syndication feeds let the user to collect the new information in their inbox, like email.

It slices up the Web into timely capsules of micro content which allows the user to make modifications.

One new feature of “Web 2.0”, the movement to build a more responsive Web, is the utilization of XML content feeds which use the RSS and Atom standards. These feeds allow both users and Web sites to obtain content headlines and body text without needing to visit the site in question, basically providing users with a summary of that sites content. Unfortunately, many of the applications that receive this data do not consider the security implications of using content from third parties and unknowingly make themselves and their attached systems susceptible to various forms of attack.

This white paper discusses various forms of attacks based on Web feeds that follow the RSS, Atom and XML standards. This paper does not extensively cover each XML element and its usage within Web-based feeds, nor does it address other vulnerability scenarios such as buffer overflows and other XML-specific risks. The goal of this paper is to outline the risks of lesser-known threats which are currently emerging on the Web utilizing Cross-Site Scripting.

Web Feeds as Attack Vectors Browsers, local readers, Web sites and online portals such as Blog lines all subscribe to feeds. These applications automatically fetch new content at intervals defined either on the receiving client or by the feed itself. Once a user is subscribed, they are alerted to new entries where they can read the story title and usually a brief description of the story body. The RSS Specification states that story bodies (the tag) allow HTML entities in order to allow HTML formatting, but it isn’t 100% clear about the use of literal HTML tag inclusions. Our research of several Web feed readers revealed different approaches to treating feed input and passing content to users.

Readers treating <> as literals
A vast majority of the readers tested utilized IE components to display the data. In certain instances when a feed contained HTML tags, the viewer application served up the content literally. Below is an RSS 2.0 example of such a feed which has been simplified to only the relevant tags.

Multiple instances of script injection appear in this example. During the presentation phase the readers treat the data as a literal and thus execute any script contained in the feed, in this case JavaScript. This could be used to install malicious software on the client system, steal cookies, or for a wide range of nefarious purposes.

Readers converting the HTML entities to their true values. Most of the time, developers implemented the standard XML specification for their Web-based readers and converted HTML entities to their real values. Unfortunately, when they displayed this converted data they did not take into account the potential for script injection. This example uses an RSS 2.0 feed:

Web 2.0 resulted from the movement to build a more responsive web. A new feature is the utilization of extensible markup language (XML) content feeds that use the Hacking RSS and Atom standards. These feeds allow both users and websites to obtain content headlines and body text without needing to visit a site, providing you with a summary of the site’s content. Unfortunately, many of the applications that receive this data do not consider the security implications of using third-party content, and they unknowingly make themselves and their attached systems susceptible to various forms of attack.

This white paper discusses various forms of attacks based on web feeds that follow the RSS, Atom and XML standards. The paper does not describe each XML element in detail and its usage within web-based feeds, nor does it address other vulnerability scenarios, such as buffer overflows and other XML-specific risks. This paper outlines the risks of lesser-known threats that are currently emerging on the web from cross-site scripting.