Web 2.0 is big on Feeds

July 30, 2008

This blog is an example of Web 2.0, along with social networking sites, wikis and mashups.  While the underlying concepts surrounding the Internet remain the same, Web 1.0 was about sites with virtually static content and Web 2.0 is all about collaborating and sharing information.

AJAX has arisen as a technology of choice for building Web 2.0 applications, and XML in the form of RSS/Atom feeds is used to facilitate the sharing of information. Let's take a look at some very simple exploits for RSS feeds and how to mitigate them as developers, system/network admins and users.

Vulnerabilities

Malicious code – Malicious code (e.g. JavaScript) may be distributed in RSS feeds, whether accessed through mailing lists (news and blog subscriptions) or websites, by the feed owner or by a malicious contributor.

Example 1 – JavaScript alert:

Example 2 – Local file read:

Malicious code download – The “automatic feed download” built into most RSS readers may be used to download malicious code after existing malicious code creates or alters feed records.

Mitigation

Sanitisation – RSS feeds and utilities should parse and only work with elements that are acceptable (e.g. plain text), filtering out scripting and other potentially malicious elements.

  • Filter out:
    • JavaScript (‘<script>’ and ‘javascript:’)
    • ActiveX
    • Remote scripts or images (e.g. ‘<img src="remote_site">’)
    • ‘<meta>’, ‘<embed>’ and ‘<object>’ tags
    • Or possibly ‘<’, ‘>’, ‘&lt;’ and ‘&gt;’ etc.
  • Or even white list alphanumeric characters and required symbols
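As an added example that is not part of the original post, the following Python allow-list sanitiser applies the filtering advice above to the items of an RSS 2.0 feed: scripting, plug-in containers, `javascript:` URLs, event-handler attributes and images are stripped, and all text is re-escaped. The tag lists, the `FeedSanitiser` class and the sample feed are constructed for this illustration.

```python
from html import escape
from html.parser import HTMLParser
import xml.etree.ElementTree as ET
# Harmless formatting tags are allow-listed; any other tag is stripped but its text kept, so void
# tags such as <meta>, <embed> and <img> vanish. Script/plug-in containers lose their content too.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "br", "ul", "ol", "li", "a"}
DROP_WITH_CONTENT = {"script", "style", "object", "applet", "iframe"}

class FeedSanitiser(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0  # rebuilt fragment; depth inside a dropped container
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1  # an unclosed <object> swallows the rest: fail closed
        elif tag in ALLOWED_TAGS and not self.skip:
            kept = []
            for name, value in attrs:
                value = (value or "").strip()
                if name.startswith("on") or value.lower().startswith("javascript:"):
                    continue  # event handlers and javascript: URLs never pass
                if tag == "a" and name == "href" and value.lower().startswith(("http://", "https://")):
                    kept.append(f' href="{escape(value)}"')
            self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS and not self.skip and tag != "br":
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))  # re-escaped, so '<' in text cannot become a tag

def sanitise_html(fragment):
    parser = FeedSanitiser()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)

def sanitise_feed(rss_xml):
    """Cleaned (title, description) for every <item> of an RSS 2.0 document."""
    root = ET.fromstring(rss_xml)
    return [(sanitise_html(i.findtext("title", "")), sanitise_html(i.findtext("description", "")))
            for i in root.iter("item")]
# Constructed sample feed: one benign item and one carrying the payload types the post describes.
SAMPLE_RSS = """<rss version="2.0"><channel><title>demo</title>
<item><title>Hello</title><description>&lt;p&gt;Plain &lt;b&gt;text&lt;/b&gt;&lt;/p&gt;</description></item>
<item><title>Bad</title><description><![CDATA[<p onclick="alert(1)">x<script>alert(1)</script>
<img src="http://remote.example/t.gif"><a href="javascript:alert(1)">y</a></p>]]></description></item>
</channel></rss>"""
```

Tags outside the allow-list are dropped but their text is kept, so a reader still sees the article body while every scripting vector named in the list above is removed.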

Zoning – Run any seemingly untrusted (e.g. not internally produced) RSS feed from the server so that it runs in the Remote Zone rather than the Local Zone, which allows additional functionality and therefore carries additional risk.

Network controls – Controls such as firewalls and Intrusion Detection/Prevention Systems may be used to detect, filter out and/or block requests to access websites distributing malicious code.

Authentication – Utilise existing HTTP authentication options provided by web servers such as IIS (i.e. Basic and Digest Authentication) to validate users.

Authorisation – Utilise existing mechanisms available in web servers (i.e. file permissions) to ensure that users are permitted to access the feed.

Encryption – Utilise existing HTTP encryption options provided by web servers (i.e. SSL/TLS) to encrypt sensitive RSS feeds that transit the Internet or other public networks.
