SecurView  
 
Web Feed Injection: Potential Risks
Risk Types
Broadly, the risks of script injection through web feeds fall into two categories: application-specific and standard-specific. Each can be further divided by the zone in which the injected content ends up running (local or remote). The attack vectors closely resemble cross-site scripting (XSS) and related attacks: the feed is untrusted input, and a vulnerable reader renders it as HTML.

Application Specific Risks
Application-specific risks can be further divided between client-side feed reader software and web-based feed reader applications.

(a) Client-side feed reader software:
Users generally read feeds with standalone utilities or browser plugins. Depending on how the application is implemented, these are exposed to both local-zone issues (injected script rendered with the privileges of the local machine, for example in a browser's local or trusted zone) and remote-zone issues.

(b) Web-based feed reader risks:
Online services such as Bloglines or Google Reader provide web-based feed readers and fall into the remote-zone category. A vulnerability in a web-based viewer gives the attacker script execution in the service's own origin, which allows cookie theft, cross-site request forgery (XSRF) against the service, and every other consequence of XSS.

The potential impact of a feed-based attack is significantly amplified when the feed carrying the malicious script is syndicated on other websites. Take FeedBurner, for example. In a hypothetical scenario, an attacker-controlled feed is created on Site A and embedded on Site B; its content then becomes part of Site B's content.

If Site B is also vulnerable to a web feed attack, the attacker gains access to Site B's remote zone and its users. An attacker-controlled feed can in turn be aggregated into feeds on further sites, and passed on by users to yet other places, rapidly expanding the base of possible victims.

Standard Specific Risks
(a) RSS
RSS (Really Simple Syndication) is a family of XML-based formats for delivering new content, typically from websites, to subscribers. The most typical vulnerabilities in RSS readers involve the feed title, feed description, item title, item link and item description elements. To exploit them, an attacker only needs to place a payload in these elements. Depending on the reader, the payload may be a literal script tag, an HTML-entity-encoded one (which the XML parser decodes back into markup before the reader renders it), or a combination of the two. The following is a constructed example showing script injection in both forms.

<item>
<title><script>alert('Title')</script></title>
<link>&lt;script&gt;alert('Link')&lt;/script&gt;</link>
<description>&lt;script>alert('Description')&lt;/script></description>
</item>

A vulnerable reader displays the contents of these fields without escaping them, so the browser executes the script. The result is a pop-up alert for each injected field as the reader renders the item: the literal tag in the title is copied straight through, while the entity-encoded tags in the link and description are decoded by the XML parser into live markup.

The RSS specification allows the description element to contain arbitrary entity-encoded HTML. This is convenient for publishers, but it makes writing a safe and useful RSS consumer exceedingly difficult: the reader is expected to render HTML that the feed author, not the reader, controls, so it must reduce that HTML to an allowlist of tags and attributes rather than merely escape it or pass it through.

A further problem lies in the extension capabilities of the RSS specification, specifically the enclosure element. An enclosure links to a file of an arbitrary type: images, Word documents, audio files, PowerPoint presentations, or executables. This feature is what made podcasting possible. In simpler terms, an enclosure is the feed equivalent of an email attachment, with the inherent risk that an infected or malicious file is distributed to every subscriber whose reader fetches enclosures automatically.
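As an added example (not code from the original page), the following Python function applies the kind of policy a reader should enforce on an enclosure before fetching it: an absolute http(s) URL, a media type on an allowlist, a file extension that agrees with the declared type, and a sane integer length. The allowlist, the size limit and the sample feed are assumptions constructed for the example.

```python
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Policy assumed for the example: the media types a reader is willing to download
# and the file extensions each may legitimately carry. Not part of the RSS spec.
ALLOWED_TYPES = {
    "audio/mpeg": {".mp3"},
    "audio/mp4": {".m4a"},
    "image/jpeg": {".jpg", ".jpeg"},
    "image/png": {".png"},
    "application/pdf": {".pdf"},
}
MAX_LENGTH = 200 * 1024 * 1024  # 200 MiB, also an assumption


def check_enclosure(url, mime_type, length):
    """Return (accepted, reason) for one <enclosure url= type= length=/>."""
    parts = urlsplit((url or "").strip())
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return False, "url must be an absolute http(s) URL"
    # Declared media type with any parameters (e.g. ;charset=) dropped.
    mtype = (mime_type or "").split(";")[0].strip().lower()
    if mtype not in ALLOWED_TYPES:
        return False, f"type {mtype!r} is not on the allowlist"
    # The extension of the last path segment must agree with the declared type;
    # this catches 'ep2.mp3.exe' labelled as audio/mpeg.
    ext = posixpath.splitext(parts.path)[1].lower()
    if ext not in ALLOWED_TYPES[mtype]:
        return False, f"extension {ext!r} does not match type {mtype!r}"
    try:
        size = int(length)
    except (TypeError, ValueError):
        return False, "length is not an integer"
    if not 0 < size <= MAX_LENGTH:
        return False, "length out of bounds"
    return True, "ok"


def vet_enclosures(rss_xml):
    """Parse an RSS document and return [(url, accepted, reason)] per enclosure."""
    results = []
    for enc in ET.fromstring(rss_xml).iter("enclosure"):
        url = enc.get("url", "")
        accepted, reason = check_enclosure(url, enc.get("type"), enc.get("length"))
        results.append((url, accepted, reason))
    return results


# Constructed feed, not captured from any real site.
SAMPLE_FEED = """<rss version="2.0"><channel><title>Podcast</title>
<item><title>Episode 1</title>
 <enclosure url="https://cdn.example/show/ep1.mp3" type="audio/mpeg" length="12345678"/></item>
<item><title>Update</title>
 <enclosure url="http://evil.example/update.exe" type="application/octet-stream" length="1024"/></item>
<item><title>Disguised</title>
 <enclosure url="http://evil.example/ep2.mp3.exe" type="audio/mpeg" length="1024"/></item>
<item><title>Local file</title>
 <enclosure url="file:///C:/Windows/notepad.exe" type="image/png" length="1"/></item>
<item><title>Bad length</title>
 <enclosure url="https://cdn.example/art.png" type="image/png" length="lots"/></item>
</channel></rss>"""
```

Because the URL is attacker-controlled, the same policy has to be re-applied to what the server actually returns (the Content-Type and the bytes, after any redirects); the type and length declared in the feed are hints, not guarantees, and only the first item in the sample feed passes.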

(b) Atom Standard
Atom is affected in the same way as RSS, through the same kinds of fields, in the large majority of affected applications. Commonly affected elements include the author name, entry updated element, feed title, feed subtitle, feed updated element and div (XHTML content) elements, among many others. The following is a constructed Atom feed that triggers pop-ups at several points as a vulnerable reader renders it.

<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?>
<feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/'>

<id><script>alert('ID')</script> </id>
<updated>2007-10-21T18:44:38.752-07:00;<script>alert('Entry Updated')</script> </updated>
<title type='text'>Information and its Security ...</title>
<link rel='alternate' type='text/html' href='http://my-blog.com/2007/10/page.html'/>

<link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml'
href='http://my-blog.com/feeds/506968336028831743/comments/default'/>
<link rel='self' type='application/atom+xml'
href='http://my-blog.com/feeds/506968336618831743/comments/default'/>

<author>  <name> <script>alert('Hercules')</script> </name></author>

<generator version='7.00' uri='http://www.blogger.com'>Blogger</generator>
<openSearch:itemsPerPage>25</openSearch:itemsPerPage>

</feed>
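The RSS item above and this Atom feed are handled the same way by a careful reader, so one added example (Python, not code from the original page) serves both sections. It reproduces the page's payloads in constructed RSS and Atom inputs, shows what a careless reader emits when it copies each field's raw markup into its page, and beside it a hardened reader that treats every field by type: plain-text fields are HTML-escaped, the link must be an absolute http(s) URL, the updated element must be exactly one RFC 3339 timestamp, and the HTML that a description may legitimately carry is reduced to an allowlist of tags and attributes. The tag allowlist and the dropped-element list are assumptions for the example.

```python
import html
import re
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed inputs, not captured from any real feed: the RSS item carries the page's
# literal and entity-encoded payloads, the Atom feed its <id>, <updated> and <name>
# payloads. Real, untrusted feeds should go through defusedxml, not plain ElementTree.
RSS_ITEM = """<rss version="2.0"><channel><item>
<title><script>alert('Title')</script></title>
<link>&lt;script&gt;alert('Link')&lt;/script&gt;</link>
<description>&lt;p&gt;Hi &lt;a href="javascript:alert(1)" onclick="x()"&gt;x&lt;/a&gt;&lt;script&gt;alert('Description')&lt;/script&gt;&lt;/p&gt;</description>
</item></channel></rss>"""
ATOM_FEED = """<feed xmlns='http://www.w3.org/2005/Atom'>
<id><script>alert('ID')</script></id>
<updated>2007-10-21T18:44:38.752-07:00;<script>alert('Entry Updated')</script></updated>
<author><name><script>alert('Hercules')</script></name></author>
</feed>"""
ATOM = "{http://www.w3.org/2005/Atom}"
ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "ul", "ol", "li", "br", "blockquote", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href"}}          # no style=, no on*= handlers, no src=
DROP_SUBTREE = {"script", "style", "iframe", "object", "embed"}
RFC3339 = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})")

def safe_url(value):
    """Absolute http(s) URL or None: rejects javascript:, data:, file: and relative URLs."""
    value = (value or "").strip()
    parts = urlsplit(value)
    return value if parts.scheme.lower() in ("http", "https") and parts.netloc else None

def clean_timestamp(value):
    """An <updated> value is kept only if it is exactly one RFC 3339 timestamp."""
    value = (value or "").strip()
    return value if RFC3339.fullmatch(value) else None

class Sanitizer(HTMLParser):
    """Allowlist sanitizer for the HTML a <description> is permitted to carry."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.stack, self.skip = [], [], 0
    def handle_starttag(self, tag, attrs):
        if tag in DROP_SUBTREE:
            self.skip += 1                 # drop the element and everything inside it
        elif not self.skip and tag in ALLOWED_TAGS:
            kept = "".join(f' {n}="{html.escape(v, quote=True)}"' for n, v in attrs
                           if n in ALLOWED_ATTRS.get(tag, ()) and safe_url(v))
            self.out.append(f"<{tag}{kept}>")
            if tag != "br":
                self.stack.append(tag)
    def handle_endtag(self, tag):
        if tag in DROP_SUBTREE:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in self.stack:
            while self.stack:              # also closes anything left open inside it
                open_tag = self.stack.pop()
                self.out.append(f"</{open_tag}>")
                if open_tag == tag:
                    break
    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))
    def result(self):
        self.close()
        return "".join(self.out + [f"</{t}>" for t in reversed(self.stack)])

def sanitize_html(fragment):
    parser = Sanitizer()
    parser.feed(fragment)
    return parser.result()

def element_text(el):
    # Text only: an injected <script> child contributes its text, never its tags.
    return "".join(el.itertext()) if el is not None else ""

def inner_markup(el):
    # What a careless reader emits: the inner XML re-serialized as HTML, nothing
    # escaped (namespace prefixes and attributes dropped for brevity).
    parts = [el.text or ""]
    for child in el:
        tag = child.tag.split("}")[-1]
        parts.append(f"<{tag}>{inner_markup(child)}</{tag}>{child.tail or ''}")
    return "".join(parts)

# Field -> how a careful reader must treat it. Nothing is ever copied through as markup.
HANDLERS = {"text": lambda t: html.escape(t, quote=False), "url": safe_url,
            "html": sanitize_html, "timestamp": clean_timestamp}
RSS_FIELDS = {"title": "text", "link": "url", "description": "html"}
ATOM_FIELDS = {ATOM + "id": "text", ATOM + "updated": "timestamp", f"{ATOM}author/{ATOM}name": "text"}

def render_naive(root, fields):
    return {p.split("}")[-1]: inner_markup(root.find(p)) for p in fields}
def render_safe(root, fields):
    return {p.split("}")[-1]: HANDLERS[kind](element_text(root.find(p))) for p, kind in fields.items()}

def naive_rss(xml_text): return render_naive(ET.fromstring(xml_text).find("channel/item"), RSS_FIELDS)
def safe_rss(xml_text): return render_safe(ET.fromstring(xml_text).find("channel/item"), RSS_FIELDS)
def naive_atom(xml_text): return render_naive(ET.fromstring(xml_text), ATOM_FIELDS)
def safe_atom(xml_text): return render_safe(ET.fromstring(xml_text), ATOM_FIELDS)
```

Running `naive_rss(RSS_ITEM)` and `naive_atom(ATOM_FEED)` returns strings that still contain `<script>` for every injected field, which is exactly what the vulnerable readers described above put into their pages. The safe variants return `alert('Title')` as inert text for the title, `None` for the link, `<p>Hi <a>x</a></p>` for the description (the javascript: href, the onclick handler and the script element are all gone), and `None` for the Atom updated element because a timestamp with script appended is not a timestamp. The essential design choice is that no field is ever rendered from its raw markup: each one has a type, and the handler for that type decides what survives.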
© 2007 SecurView, Inc. All rights reserved. SecurView and the SecurView logo are trademarks of SecurView, Inc.
All other trademarks mentioned in this document or website are the property of their respective owners.