SecurView  
Web Feed Injection: Potential Risks
INTRODUCTION
This paper discusses the possible attacks based on web feeds, which are built on a family of XML-based technologies (RSS, Atom and RDF), with emphasis on the risks that web feeds introduce and on the mitigations available.

What is a "Web Feed"?
Web 2.0 has emerged and is evolving with technologies such as weblogs, social bookmarking, wikis, podcasts, and RSS feeds, along with upcoming features that aim to facilitate collaboration and sharing between users by means of a more responsive web.

One such feature is XML content feeds, which use the RSS and Atom standards. This is sometimes referred to as "syndication of site content": a set of standardized formats that let end-users consume a site's data in another context (another website, a browser plugin, or a separate desktop application). Formats that permit syndication include RSS (Really Simple Syndication, also known as "web syndication"), RDF (as used by RSS 1.0/1.1), and Atom, all of them XML-based. Collectively these technologies have come to be called "web feeds."

In simpler terms, a feed lets users and other websites obtain a site's headlines and body text without visiting the site in a browser; the feed is a summary of the site's content that the consumer fetches and renders itself.

Why is there a security risk associated with feeds?
Feeds are consumed by any application capable of reading them: "aggregators" (desktop applications written to read feeds in a variety of formats), websites that re-publish feeds from other sites, recent versions of web browsers, and browser plugins (such as Sage) that behave much like desktop aggregators. The key point is that the text and markup in a feed come from a third party, and the consuming application renders it. Many applications that process web feeds appear to have been developed without considering the security implications of rendering content from third parties, which unknowingly exposes them, and the systems they are attached to, to several forms of attack.
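The following is an added example, not code from this paper or from SecurView, showing the problem described above in a minimal RSS consumer. The feed text is constructed for the example: its second item carries HTML with an inline script, an event-handler attribute and a javascript: link inside &lt;description&gt;, exactly the kind of third-party markup an aggregator would otherwise render as-is. The function and constant names (parse_rss, sanitize_html, ALLOWED_TAGS and so on) are the example's own, and the allow-lists are a deliberately small illustration rather than a complete policy.

```python
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed sample feed (not a real site). The second item is the injection case.
SAMPLE_RSS = """<?xml version="1.0"?>
<rss version="2.0">
 <channel>
  <title>Example feed</title>
  <item>
   <title>Benign post</title>
   <link>http://example.com/1</link>
   <description>&lt;p&gt;Plain &lt;b&gt;bold&lt;/b&gt; text&lt;/p&gt;</description>
  </item>
  <item>
   <title>Injected post</title>
   <link>javascript:alert(1)</link>
   <description><![CDATA[<p onmouseover="alert(1)">Hi</p><script>alert(document.cookie)</script><a href="javascript:alert(2)">click</a><img src="http://example.com/x.png" onerror="alert(3)">]]></description>
  </item>
 </channel>
</rss>"""

# Allow-list policy for HTML carried inside feed entries (example policy, assumed here).
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br",
                "img", "blockquote", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"}}
VOID_TAGS = {"br", "img"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
SAFE_SCHEMES = ("http://", "https://")


def safe_url(url):
    """Accept only absolute http(s) URLs; rejects javascript:, data:, vbscript: etc."""
    return url.strip().lower().startswith(SAFE_SCHEMES)


class FeedHTMLSanitizer(HTMLParser):
    """Rebuilds a fragment from an allow-list: unknown tags are stripped (text kept),
    dangerous tags are dropped with their content, every attribute not explicitly
    allowed (so all on* handlers) is removed, and URLs must pass safe_url()."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []       # sanitized output pieces
        self.open = []      # stack of allowed tags currently open
        self.drop_depth = 0  # > 0 while inside a dropped element such as <script>

    def handle_starttag(self, tag, attrs):
        if self.drop_depth:
            if tag not in VOID_TAGS:     # void tags never get an end tag
                self.drop_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.drop_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return                       # strip the tag itself, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                 # removes onerror, onmouseover, style, ...
            if name in ("href", "src") and not safe_url(value or ""):
                continue                 # removes javascript: and other schemes
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if self.drop_depth:
            self.drop_depth -= 1
            return
        if tag in self.open:             # close up to and including the matching tag
            while True:
                closed = self.open.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.drop_depth:          # re-escape text so decoded entities cannot re-inject markup
            self.out.append(html.escape(data, quote=False))


def sanitize_html(fragment):
    p = FeedHTMLSanitizer()
    p.feed(fragment)
    p.close()
    while p.open:                        # close anything the feed left unclosed
        p.out.append(f"</{p.open.pop()}>")
    return "".join(p.out)


def parse_rss(xml_text):
    """Parse an RSS 2.0 document into a list of entries safe to render as HTML."""
    root = ET.fromstring(xml_text)
    entries = []
    for item in root.iter("item"):
        link = item.findtext("link", default="")
        entries.append({
            "title": html.escape(item.findtext("title", default="")),  # plain text, never HTML
            "link": link if safe_url(link) else "",
            "description": sanitize_html(item.findtext("description", default="")),
        })
    return entries


if __name__ == "__main__":
    for entry in parse_rss(SAMPLE_RSS):
        print(entry)
```

The sanitizer runs after XML parsing because the XML layer only decodes the feed; the HTML inside a description or CDATA block still has to be treated as untrusted markup by whichever component renders it.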
© 2007 SecurView, Inc. All rights reserved. SecurView and the SecurView logo are trademarks of SecurView, Inc.
All other trademarks mentioned in this document or Website are the property of their respective owners.