Web Feed Hacking

Risk Rating:

Web feeds, such as the Really Simple Syndication (RSS) and Atom standards, are XML documents that let web developers build dynamic websites that automatically pull together customized links and blurbs from anywhere on the Internet relating to news, blogs, torrents, mailing lists, videos, software, email, and pretty much anything else that you can put on the Web. Web feeds may seem innocent; however, they bring new concepts into hacking web applications.

The first interesting point is that you don't have to be using a web browser to view web feeds. An increasing number of web feed readers, Google Desktop among them, can be installed on your computer and let you subscribe to web feeds and have them displayed in a sidebar or as notification pop-up windows. Web browsers can also be used as web feed readers, and there are numerous RSS add-ons for Firefox. The RSS standard allows HTML to be inserted into titles, descriptions, and various other sections of the feed to enable formatting; however, which HTML is allowed is limited only by whatever restrictions the developer of the web feed client chose to implement. This means that if the web feed client does not perform proper input validation on the content being downloaded, an attacker could inject malicious JavaScript code into the RSS content, as shown in this example where JavaScript has been injected into the title tag:

<title><script>alert('Hacked via RSS')</script></title>

This brings us to the second interesting point. Web feeds are automatically downloaded by web feed readers periodically without any human interaction. This means that any malicious JavaScript contained within RSS content would be downloaded and executed as soon as the web feed reader displays it. This opens up a whole range of vulnerabilities from cross-site scripting and cross-site request forgery to client-side exploitation of vulnerabilities within local software. Most web feed readers utilize Internet Explorer components to display their content, which opens up the possibility of exploiting Internet Exploiter, oops, I mean Internet Explorer vulnerabilities to compromise a workstation on your internal network. This would be a great way to propagate worms!

So, are you scared of web feeds yet? No? Well here is another interesting point. You can be subscribed to a web feed automatically by your reader without even knowing it. Google Desktop, by default, has an option enabled that says "Automatically add clips from frequently viewed sites." This means that as you are surfing the Internet checking out crazy websites that have turned up in your Google searches a couple of times, you may automatically be subscribed to RSS feeds from untrusted websites that contain malicious content.

Just to make sure this has sunk in, let's walk through an example. You are interested in IT security so you like checking out some of the security mailing list websites now and then to ensure that you are, ironically, on top of the latest attacks. Little do you know, your web feed reader has picked up on this pattern and has decided to automatically subscribe you to the RSS feed for one of the mailing lists.

An attacker, who is also on this mailing list, decides to post a message whose subject, and therefore the title of one of the RSS items, contains the following code inside a JavaScript loop designed to exploit a cross-site request forgery (CSRF) vulnerability within an Internet banking web application:

document.write('<img src=http://internetbanking.com?newpassword=hacked>');

Your web feed reader, therefore, automatically starts downloading the emails posted to this mailing list, causing the malicious JavaScript loop to be executed in the background without you knowing that an RSS feed even existed for the mailing list website.

Later in the day, you log in to your Internet banking web application to check that your pay has been deposited. The JavaScript loop comes around and kicks off the CSRF exploit for the Internet banking application, and since you are now authenticated to the application, your web browser automatically sends your cookie values with this request, changing the password for your Internet banking account. Due to the popularity of the mailing list site, a large number of people are affected by this attack, allowing the attacker to brute-force Internet banking account numbers using the newly set password of "hacked".
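The banking application in this scenario is vulnerable because a single authenticated GET request carrying a `newpassword` parameter is enough to change the password. As an added example (not from the article, and not any real bank's code), the following Python shows that handler in the article's vulnerable shape beside a hardened version that rejects the forged request from the feed reader on four independent grounds. The origin, account, request layout and function names are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://internetbanking.example"   # constructed origin
_SERVER_KEY = secrets.token_bytes(32)             # per-process key for CSRF tokens


def login(sessions, account, password):
    """Creates a session and returns (session_id, Set-Cookie value)."""
    sid = secrets.token_urlsafe(24)
    sessions[sid] = {"account": account, "password": password}
    # SameSite=Lax keeps the cookie off cross-site subresource loads such as an
    # <img> rendered from a feed item, so the forged request arrives unauthenticated.
    return sid, f"session={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"


def csrf_token(sid):
    """Synchronizer token bound to the session; unguessable from outside."""
    return hmac.new(_SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()


def _session_for(request, sessions):
    return sessions.get(request.get("cookies", {}).get("session"))


def vulnerable_change_password(request, sessions):
    """The shape the article describes: any request that carries the session
    cookie and a newpassword parameter is honoured, so an <img src=...> suffices."""
    session = _session_for(request, sessions)
    if session is None:
        return 401, "not logged in"
    session["password"] = request["params"]["newpassword"]
    return 200, "password changed"


def hardened_change_password(request, sessions):
    session = _session_for(request, sessions)
    if session is None:
        return 401, "not logged in"
    # 1. State changes only over POST: the GET an <img> produces is refused outright.
    if request["method"] != "POST":
        return 405, "use POST"
    # 2. The request must come from our own origin (Origin, else Referer).
    source = request["headers"].get("Origin") or request["headers"].get("Referer", "")
    parts = urlsplit(source)
    if f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN:
        return 403, "cross-site request refused"
    # 3. Token bound to the session, compared in constant time.
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(supplied, csrf_token(request["cookies"]["session"])):
        return 403, "bad csrf token"
    # 4. Re-authentication for a sensitive change.
    if request["form"].get("current_password") != session["password"]:
        return 403, "current password incorrect"
    session["password"] = request["form"]["new_password"]
    return 200, "password changed"


def forged_request(sid):
    """Constructed: what a browser-based reader sends when it renders
    <img src=http://internetbanking.example?newpassword=hacked> while the
    victim holds a session cookie."""
    return {"method": "GET", "cookies": {"session": sid}, "headers": {},
            "params": {"newpassword": "hacked"}, "form": {}}


def demo():
    """Runs the forged request against both handlers and a legitimate
    change against the hardened one; returns the outcomes."""
    results = {}
    vuln_sessions = {}
    sid1, _ = login(vuln_sessions, "12345678", "correct horse")
    results["vulnerable"] = vulnerable_change_password(forged_request(sid1), vuln_sessions)[0]
    results["vulnerable_password"] = vuln_sessions[sid1]["password"]

    hard_sessions = {}
    sid2, _ = login(hard_sessions, "12345678", "correct horse")
    results["hardened_forged"] = hardened_change_password(forged_request(sid2), hard_sessions)[0]
    legitimate = {"method": "POST", "cookies": {"session": sid2}, "params": {},
                  "headers": {"Origin": SITE_ORIGIN},
                  "form": {"csrf_token": csrf_token(sid2),
                           "current_password": "correct horse",
                           "new_password": "new one"}}
    results["hardened_legit"] = hardened_change_password(legitimate, hard_sessions)[0]
    results["hardened_password"] = hard_sessions[sid2]["password"]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The checks are deliberately redundant: the method restriction alone defeats the `<img>` vector, but the origin check, the session-bound token and the re-authentication each still hold if an attacker finds a way to issue a cross-site POST, and the `SameSite` cookie attribute removes the ambient credential at the browser before the request is even built.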

This is one example of how attackers could take advantage of web feeds. As mentioned previously, client-side vulnerabilities could also be targeted to gain control of a host on your internal network. It is becoming more and more apparent that the best way to break into an organization is no longer by exploiting vulnerabilities within the devices sitting at the border of an organization's network, but by targeting client-side applications, including web browsers, web browser plug-ins, and web-aware client-side applications. This is because almost every organization spends the majority of its security budget on implementing a secure infrastructure at its network border, including firewalls, intrusion detection and prevention devices, physically separated network segments, load balancers, and antivirus systems. This generally leaves a large, gooey, black hole in the network where all security goes to die. Ironically, this black hole is where the organization's most security-unaware employees are located, and instead of playing Solitaire like in the good old days, these people are surfing the Internet looking for all of the latest and greatest websites, which leaves them open to client-side attacks such as those just described. This allows an attacker to gain a foothold on your internal network, generally allowing him or her to compromise the entire environment.
