SecurView  
Web Feed Injection: Potential Risks
REMEDIATION
"RSS, by design, is difficult to consume safely," wrote Pilgrim in a blog entry. The following measures reduce the risk of consuming untrusted feed content:
1. In feed readers, ensure that scripts, applets, and plug-ins are disabled in the component that renders feed content. This safeguard is lost whenever the reader republishes the remote HTML locally (for example, by writing it to a local page and loading that page in a browser), because the content is then rendered in a more trusted context than the remote origin it came from.

2. Strip dangerous tags. Script tags can be used by malicious publishers to run code in the reader or to insert pop-up ads onto your news page, and several other elements give a publisher the same reach. It is therefore recommended to strip the following:
  • Script (and noscript)
  • Embed
  • Object
  • Frameset
  • Frame
  • Iframe
  • Meta tags, which can be used (via http-equiv refresh) to hijack a page and redirect it to a remote URL
  • Link tags, which can be used to import additional style definitions
  • Style tags
  • Style attributes, which can position a publisher's content over the reader's own interface
  • Event handlers (any attribute whose name begins with "on", such as onload or onmouseover)
3. A developer may use regular expressions to filter these constructs from publisher-supplied content. The three patterns below remove, respectively, paired container elements together with their contents, stand-alone tags, and class/style/id attributes (the original patterns used typographic quotes, which have been corrected, and the first pattern now matches lazily so that it stops at the nearest closing tag instead of the last one in the document):

 /<(script|noscript|object|embed|style|frameset|frame|iframe)[^>]*>[\s\S]*?<\/\1\s*>/i
 /<\/?!?(param|link|meta|doctype|div|font)[^>]*>/i
 /(class|style|id)="[^"]*"/i

Note that these patterns are a blocklist: they remove only what they name. As written they do not touch event-handler attributes (onload, onerror, ...), single-quoted or unquoted attribute values, or javascript: URLs in href and src attributes, and a container element that is never closed is not matched by the first pattern at all. Treat regular-expression stripping as defense in depth, not as the primary control.

4. Alternatively, and preferably, developers can strip all but a known subset of tags and attributes, parsing the markup rather than pattern-matching it, and allowing only http and https URLs in the attributes that are kept. Many secure comment systems work this way, and unlike a blocklist the approach fails closed: anything the developer did not think of is removed by default.
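The following Python program is an added example, not code from the page or from SecurView, that contrasts approaches 3 and 4 on a single constructed feed entry. It ports the page's three blocklist patterns to Python's re module and, beside them, implements an allowlist sanitizer on the standard library's html.parser. The tag and attribute allowlists, the helper names (blocklist_strip, sanitize, safe_url) and the sample entry are all assumptions made for the illustration.

```python
import html
import re
from html.parser import HTMLParser

# --- Approach 3: the page's blocklist patterns, in Python's re syntax ---
BLOCKLIST_PATTERNS = [
    re.compile(r'<(script|noscript|object|embed|style|frameset|frame|iframe)'
               r'[^>]*>[\s\S]*?</\1\s*>', re.I),
    re.compile(r'</?!?(param|link|meta|doctype|div|font)[^>]*>', re.I),
    re.compile(r'(class|style|id)="[^"]*"', re.I),
]

def blocklist_strip(markup):
    """Apply the blocklist patterns in order; removes what they name and nothing else."""
    for pattern in BLOCKLIST_PATTERNS:
        markup = pattern.sub('', markup)
    return markup

# --- Approach 4: allowlist of tags/attributes (assumed for this example) ---
ALLOWED_TAGS = {'p', 'br', 'b', 'i', 'em', 'strong', 'a', 'img',
                'ul', 'ol', 'li', 'blockquote', 'pre', 'code'}
VOID_TAGS = {'br', 'img'}
ALLOWED_ATTRS = {'a': {'href', 'title'}, 'img': {'src', 'alt', 'title'}}
URL_ATTRS = {'href', 'src'}
DROP_WITH_CONTENT = {'script', 'style', 'noscript', 'object', 'iframe', 'applet'}

def safe_url(value):
    """Accept only absolute http(s) URLs. The parser has already decoded entities;
    whitespace and control characters are removed before the scheme check so that
    'java<TAB>script:' cannot slip past it."""
    probe = re.sub(r'[\s\x00-\x1f]', '', value or '').lower()
    return probe.startswith(('http://', 'https://'))

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # text arrives decoded; we re-escape it
        self.out = []
        self.open = []   # allowed non-void tags currently open, so output stays balanced
        self.skip = 0    # > 0 while inside an element that is dropped with its content

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue   # event handlers, style, class, id, ... all end here
            if name in URL_ATTRS and not safe_url(value):
                continue   # javascript:, data:, vbscript: ... are not allowed through
            kept.append(' %s="%s"' % (name, html.escape(value or '', quote=True)))
        self.out.append('<%s%s>' % (tag, ''.join(kept)))
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
            return
        if self.skip or tag not in self.open:
            return
        while self.open:                       # close anything left open inside this tag
            closed = self.open.pop()
            self.out.append('</%s>' % closed)
            if closed == tag:
                break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))

    def result(self):
        self.close()
        while self.open:                       # publisher forgot to close tags
            self.out.append('</%s>' % self.open.pop())
        return ''.join(self.out)

def sanitize(markup):
    parser = AllowlistSanitizer()
    parser.feed(markup)
    return parser.result()

# Constructed feed entry for the demonstration (not a real feed).
SAMPLE_ENTRY = (
    '<p>Release notes are <b>up</b>.</p>'
    '<script>alert("pwned")</script>'
    '<img src="http://example.org/logo.png" alt="logo" onerror="alert(1)">'
    '<a href="javascript:alert(2)">click</a>'
    '<iframe src="http://example.org/ad"></iframe>'
    '<p style="position:absolute">overlay</p>'
)

if __name__ == '__main__':
    print('blocklist:', blocklist_strip(SAMPLE_ENTRY))
    print('allowlist:', sanitize(SAMPLE_ENTRY))
```

Running it shows the difference concretely: the blocklist removes the script and iframe elements and the style attribute, but leaves the onerror handler on the image and the javascript: link intact, while the allowlist output contains only the tags and attributes that were explicitly permitted.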
© 2007 SecurView, Inc. All rights reserved. SecurView and the SecurView logo are trademarks of SecurView, Inc.
All other trademarks mentioned in this document or Website are the property of their respective owners.