RSS and Web Feeds a Risk?

A followup whitepaper [PDF] to a recent talk at the blackhat security conference has been released outlining the risks associated with web based feeds such as RSS and Atom. From the article: "Attackers could exploit the problem by setting up a malicious blog and enticing a user to subscribe to the RSS feed. More likely, however, they would add malicious JavaScript to the comments on a trusted blog, Auger said. "A lot of blogs will take user comments and stick them into their own RSS feeds," he said."

Huh?

[Umbral+Blot]

Seems more like a problem with allowing javascript in comments (a really dumb idea) than a problem with RSS.

Old technique, new medium

[fosterNutrition]

Not to be the jerk here, but it really shouldn't be that big of a news story that some people discussed the idea that it might not be the best security practice to allow unvalidated user input.

Nobody would think of performing no kind of checking on things submitted into a plain old text box, so why would it be safe just because it's now in the "synergetic web 2.0 blogosphere of community-driven empowerment through technology"

Oh well, still a moderately interesting article...

Re:Old technique, new medium

[Bogtha]

Not to be the jerk here, but it really shouldn't be that big of a news story that some people discussed the idea that it might not be the best security practice to allow unvalidated user input.

Exactly. This is a minor variation on the same old mistakes web developers usually make. It's just that a lot of developers seem to have forgotten that Atom and RSS feeds need to be sanitised just as much as any other untrusted input.

This is by no means a new concept; off the top of my head, I remember Mark Pilgrim talking about this three years ago, and I remember thinking how damn obvious it was back then and being surprised that it was news to people.

I think one of the contributing factors is that a lot of borderline incompetent developers have learned to sanitise form input not because they understand the problem, but because they've simply had it hammered into their heads that they need to sanitise stuff that comes in through forms. Given a different form of input with exactly the same problem, they don't recognise that they need to sanitise it because it's not coming in through a form. They haven't learned why the problem exists, they've just memorised "form data == sanitise".

Re:Old technique, new medium

[darkewolf]

Funnily enough, part of an extension to a project the company I am at is working on, is for users to be able to import their external blog feeds into the blog on the site. Basically so they don't need to type the same blog information in two different places. Easy to do. And even before looking at the output of some places like BlogSpot, it was mandated to sanitize the output to using just basic HTML (P, BR, stripped down IMG, stripped down A) and nothing else. Yes, they will lose some formatting that places like blogspot allows, but so much saner.

So in the real world, a lot of sensible developers understand the problem with risky external input, although lots of baby-developers haven't had enough experience to get jaded and never trust users. Security thoughts come from age and being cynical.

But either way, the Web2.0 look irks me :P

So..

[Tracer_Bullet82]

If I trust someone and let them have free access to my house, there's a chance one day they'll swipe every thing from it and load into a truck..

just because something is some kind of "new" technology does not mean any different..

use common sense and intelligence.

Re:So..

[truthsearch]

That's a bad analogy. The internet's more like a series of tubes than a truck... oh, um, forget it.

Heh

[Andrew+Kismet]

Isn't it amusing I found this article by using /.'s own RSS fee!"$%&() ****NO CARRIER****

Simple rule for input

[fractalVisionz]

Never let input go unchecked. If you do, you are already screwed.

Oh God

[The+MAZZTer]

I can write virii in C++! It's a C++ vulnerability!

Seriously, this is dumb. It is not a problem with RSS/Atom, it is a problem with RSS/Atom viewers that allow JavaScript code to be executed!

Within the context of a web-based viewer this could be a problem, but then again it's no more of a problem than if you go to a questionable site with bad JavaScript. For a browser-based viewer it's simply a matter of the devs remembering to turn off JavaScript support for RSS/Atom feeds.

And in desktop-based viewers... I mean really, who would be stupid enough to even consider implementing JavaScript in one. And if it only does because the programmer took the lazy route and is using a WebControl in the background, well they might want to consider a different method that will actually give them some measure of CONTROL.

Speaking of poorly coded, I wonder if we'll see IE exploits arising from embedded ActiveX controls in RSS feeds, those would cause far more damage than while (1) { window.print(); window.alert("LOL INTERNET"); }.

Re:RSS Feed: Jews are the enemy!

You were awesome in Braveheart.

Bogus

[Nijika]

NEWSFLASH: Hackers MAY set up websites and services to lure victims! Film at 11.

Color me stupid...

[Zaphod2016]

...but why would anyone *want* to include JavaScript in an RSS feed? Other than showing ads or annoying viewers, what possible purpose would it serve?

And, as someone above suggested, what the hell is a "Web 2.0" RSS feed? Even if I used AJAX to make a nice-n-pretty UI for my blog, that still wouldn't explain why I would use JavaScript for my RSS feed.