Slashdot Mirror


RSS and Web Feeds a Risk?

A follow-up whitepaper [PDF] to a recent talk at the Black Hat security conference has been released outlining the risks associated with web based feeds such as RSS and Atom. From the article: "Attackers could exploit the problem by setting up a malicious blog and enticing a user to subscribe to the RSS feed. More likely, however, they would add malicious JavaScript to the comments on a trusted blog, Auger said. "A lot of blogs will take user comments and stick them into their own RSS feeds," he said."

5 of 94 comments

  1. Bloglines by TheOtherChimeraTwin, Score: 3, Informative

    It turns out that Bloglines was notified in advance by SPI Dynamics about the problem, and took steps to fix the problem the same day. Nicely done by both parties!

  2. The slides can be found here by Anonymous Coward, Score: 3, Informative
  3. Re:Old technique, new medium by Bogtha, Score: 4, Informative

    Not to be the jerk here, but it really shouldn't be that big of a news story that some people discussed the idea that it might not be the best security practice to allow unvalidated user input.

    Exactly. This is a minor variation on the same old mistakes web developers usually make. It's just that a lot of developers seem to have forgotten that Atom and RSS feeds need to be sanitised just as much as any other untrusted input.

    This is by no means a new concept; off the top of my head, I remember Mark Pilgrim talking about this three years ago, and I remember thinking how damn obvious it was back then and being surprised that it was news to people.

    I think one of the contributing factors is that a lot of borderline incompetent developers have learned to sanitise form input not because they understand the problem, but because they've simply had it hammered into their heads that they need to sanitise stuff that comes in through forms. Given a different form of input with exactly the same problem, they don't recognise that they need to sanitise it because it's not coming in through a form. They haven't learned why the problem exists, they've just memorised "form data == sanitise".

    --
    Bogtha Bogtha Bogtha
  4. Re:Huh? by AVryhof, Score: 3, Informative

    strip_tags SHOULD work ... then you have readers and web browsers that use the IE rendering engine that executes JavaScript whether it's in a script tag or not.

    Quite annoying if you ask me. It shouldn't be executed if the script tag or javascript: doesn't exist.

    That's why I always use a form of bbcode instead of html for comment forms.
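
    The point made in comments 3 and 4 (feed content is untrusted input, and removing script tags alone does not make it safe) is easiest to see in code. The following is an added example, not code from the whitepaper, from Bloglines, or from any commenter: an allow-list sanitiser for the HTML carried in Atom entries, placed beside the naive strip-the-script-tags approach. The feed, the entry contents and the function names are constructed for the example.

```python
"""Allow-list sanitiser for HTML inside RSS/Atom feed entries (hypothetical example).

Shows why stripping <script> elements is not enough: markup can carry JavaScript
in event-handler attributes (onmouseover=...) and in javascript: URLs, which a
feed reader that hands the content to a browser engine may execute.
"""
import re
import xml.etree.ElementTree as ET  # for untrusted feeds use defusedxml in production
from html import escape
from html.parser import HTMLParser

# Tags and attributes a comment feed legitimately needs; everything else is dropped.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br",
                "code", "pre", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br"}


def strip_script_tags_only(fragment):
    """The naive approach from the thread: remove <script> elements and nothing else."""
    return re.sub(r"(?is)<script\b.*?</script>", "", fragment)


def _safe_url(value):
    """Accept only allow-listed schemes, same-origin paths and fragments."""
    # Drop whitespace and control characters first so "java\tscript:" is caught too.
    v = "".join(ch for ch in value if ch.isprintable() and not ch.isspace()).lower()
    if v.startswith("//"):
        return False  # protocol-relative URL to another host
    return v.startswith(SAFE_URL_SCHEMES) or v.startswith(("/", "#"))


class FeedHTMLSanitizer(HTMLParser):
    """Rebuilds the fragment from an allow-list; unknown tags and attributes vanish."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip_depth = 0  # > 0 while inside <script>/<style>: drop their text too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1
            return
        if self._skip_depth or tag not in ALLOWED_TAGS:
            return  # drop the tag itself; its text children are still emitted
        kept = []
        for name, value in attrs:
            # Event handlers (onclick, onerror, ...) are never in the allow-list.
            if name in ALLOWED_ATTRS.get(tag, set()) and value is not None:
                if name == "href" and not _safe_url(value):
                    continue
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))  # re-escape text content

    def handle_comment(self, data):
        pass  # HTML comments (including IE conditional comments) are dropped


def sanitize_html(fragment):
    parser = FeedHTMLSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


ATOM_NS = "{http://www.w3.org/2005/Atom}"


def sanitize_atom_feed(xml_text):
    """Return {entry title: sanitised HTML content} for every entry in an Atom feed."""
    root = ET.fromstring(xml_text)
    result = {}
    for entry in root.iter(ATOM_NS + "entry"):
        title = entry.findtext(ATOM_NS + "title", default="")
        content = entry.findtext(ATOM_NS + "content", default="")
        result[title] = sanitize_html(content)
    return result


# Constructed sample: one benign comment and one carrying script in three places.
BENIGN_HTML = '<p>Nice post, see <a href="https://example.org/">this</a></p>'
HOSTILE_HTML = ('<p onmouseover="alert(1)">hi <a href="javascript:alert(1)">click</a>'
                '<script>alert(1)</script></p>')
SAMPLE_FEED = f"""<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Comments on: an example post (constructed sample)</title>
  <entry><title>benign</title><content type="html">{escape(BENIGN_HTML)}</content></entry>
  <entry><title>hostile</title><content type="html">{escape(HOSTILE_HTML)}</content></entry>
</feed>
"""

if __name__ == "__main__":
    for title, html in sanitize_atom_feed(SAMPLE_FEED).items():
        print(f"{title}: {html}")
    print("naive:", strip_script_tags_only(HOSTILE_HTML))
```

    Run stand-alone, the naive function leaves both the onmouseover handler and the javascript: link in place, while the allow-list sanitiser reduces the hostile entry to `<p>hi <a>click</a></p>`. The design choice is to rebuild from a list of what is permitted rather than to remove what is known to be bad, which is what makes it hold up against input that arrives by a path (a feed) the developer did not think of as a form.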

  5. In Case You Wanted RSS Comments ... by thetan, Score: 2, Informative
    "A lot of blogs will take user comments and stick them into their own RSS feeds," he said.

    Blogger doesn't (directly) support comment feeds. If you're interested in setting this up on your Blogspot blog (so you can, for example, get truly recent comments), check out this bloghacking wiki.

    I can't vouch for the security of these methods, though.

    -Thetan.