  • Number of slides: 11

An analysis of RSS security
Research Topic: Network Security
CmpE 209, Dr. Richard Sinn
Sarbjeet Singh (005886296)
Uma Nandanam (006259825)

Introduction
• RSS (Really Simple Syndication or Rich Site Summary) is a new and efficient content-distribution feature that uses an XML format.
• RSS is used to distribute information (stories, news, articles, blog posts, video clips, audio clips, etc.) on a topic you choose from your favorite website. You need to subscribe to receive this information (called RSS feeds).
• The RSS feed comes to you, and a reader on your computer reads this information. The reader can be stand-alone software or web-based.
• Using RSS, you don't waste time looking for the information you need on websites or waiting for pages to load.
• To subscribe to a feed, look for the RSS button on your favorite website.
• To subscribe to SJSU RSS feeds: www.sjsu.edu/rss

RSS Security Vulnerabilities
• The major RSS security vulnerabilities involve the elements of the feeds:
  - RSS: the feed title, item title, item link and item description XML elements.
  - Atom: author name, entry update element, feed title, feed sub-title, feed update.
• Attackers can inject scripts into these elements.
• A few threats:
  - Phishing (redirecting a user to a malicious website)
  - Stealing cookies
  - Deploying malware
  - Browser activity monitoring

RSS Security Vulnerabilities (contd.)
HTML literal injections
• The RSS specification defines the <description> element to allow entity-encoded HTML so that feed content can carry HTML formatting. However, the specification does not say how literal (unencoded) HTML tags inside elements are to be handled.
• Some readers pass literal "<" and ">" through unchanged. When a feed contains HTML tags, in certain cases the reader's browser component renders them as markup rather than displaying them as text.
• When RSS readers or aggregators pass these tags through as markup, they execute the scripts (engineered by the attacker) in the feed.
• Example feed with a script injected into the item title:

    <rss version="2.0">
      <channel>
        <title>The title of my RSS 2.0 Feed</title>
        <link>http://www.vaishnavinandanam.com/</link>
        <pubDate>Tu, 21 April 2009 18:30:00 GMT</pubDate>
        <language>en-us</language>
        <item>
          <title><script>alert('Title of an item')</script></title>
          <link>http://vaishnavinandanam.com/item/RSS</link>
          <guid>http://vaishnavinandanam.com/item/RSS</guid>
          <pubDate>Tu, 21 April 2009 18:30:00 GMT</pubDate>
          <description><![CDATA[ This is the description about RSS security examples ]]></description>
        </item>
      </channel>
    </rss>

RSS Security Vulnerabilities (contd.)
HTML entity injections
• Some readers convert the HTML entities in a feed to their true values, so script injections can be inserted in the feed in entity-encoded form. The RSS reader converts &lt; to '<' and &gt; to '>', and the resulting content is added and viewed by the browser component. Most readers also store this content in a file in a local directory.
• Example item fields carrying entity-encoded scripts:

    <title>&lt;script&gt;alert('Item Title')&lt;/script&gt;</title>
    <link>http://host/?&lt;script&gt;alert('Item Link')&lt;/script&gt;</link>
    <description>&lt;script&gt;alert('Item Description')&lt;/script&gt;</description>

Cross-site scripting
• Today most Web 2.0 sites deliver dynamic content. Using web-based readers can lead to cross-site scripting (also called CSS or XSS).
  - Examples: hijacking of accounts, changing user settings, stealing cookies, theft and false advertising.
  - Stealing cookies from the online web reader.

RSS Security Vulnerabilities (contd.)
Cross-site request forgery (CSRF)
• Unauthorized commands are transmitted from a user that the website trusts.
• Example 1: An attacker can make your computer send requests to a website using a CSRF attack.
  - The attacker can inject a tag into the feed that makes your computer connect to a website and perform web actions.
• Example 2:
  - You are visiting a blog site and reading a malicious feed.
  - This feed has malicious JavaScript that captures keystrokes from your computer and relays them to the attacker's host (this is script injection rather than a forged request, but the delivery path through the feed is the same).
• Example 3:
  - You log in to bank.com and authenticate. At the same time you also download a malicious feed.
  - A request is issued from your browser (you have become the victim) to the bank's website for a transfer of money.
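The three delivery paths on the preceding slides (a literal tag inside an element, an entity-encoded tag that the reader decodes, and a tag that fires a request to another site) can be traced in code. The Python script below is an added example, not code from the slides: it builds a constructed RSS 2.0 feed with one item per path, models a lenient reader that serialises each element's content and decodes HTML entities once more before handing it to its browser component, and reports which item fields would deliver active content. The feed, the hosts feed.example and bank.example, and the transfer URL are all made up for this example.

```python
# Added example: trace feed content along a lenient reader's rendering path.
# The feed, hosts and URLs below are constructed for this example.
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed RSS 2.0 feed; one item per injection path (not a real feed).
FEED_XML = """<?xml version="1.0"?>
<rss version="2.0"><channel>
<title>Constructed feed</title>
<link>http://feed.example/</link>
<item>
  <title>Clean item</title>
  <description>Plain &lt;b&gt;bold&lt;/b&gt; text</description>
</item>
<item>
  <title><script>alert('literal')</script></title>
  <description>Literal tag inside the XML element</description>
</item>
<item>
  <title>Entity-encoded</title>
  <description>&lt;script&gt;alert('entity')&lt;/script&gt;</description>
</item>
<item>
  <title>Double-encoded</title>
  <description>&amp;lt;img src=x onerror=alert('double')&amp;gt;</description>
</item>
<item>
  <title>CDATA</title>
  <description><![CDATA[<script>alert('cdata')</script>]]></description>
</item>
<item>
  <title>Forged request</title>
  <description>&lt;img src="http://bank.example/transfer?to=attacker&amp;amount=1000"&gt;</description>
</item>
</channel></rss>
"""

# Tags a reader should never hand to its browser component.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "applet",
               "frameset", "meta", "link", "style"}


def inner_markup(elem):
    """Serialise an element's content the way a lenient reader does:
    its text followed by any child elements re-serialised as markup,
    so a literal <script> child comes back out as a <script> tag."""
    parts = [elem.text or ""]
    for child in elem:
        parts.append(ET.tostring(child, encoding="unicode"))
    return "".join(parts)


class ActiveContentFinder(HTMLParser):
    """Record tags, event handlers and URLs that would run code or
    trigger a request when the markup is rendered."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> tag")
        for name, value in attrs:
            v = (value or "").strip().lower()
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")
            elif name in ("src", "href") and v.startswith("javascript:"):
                self.findings.append(f"javascript: URL on <{tag}>")
            elif name in ("src", "href") and v.startswith(("http://", "https://", "//")):
                self.findings.append(f"remote {name} on <{tag}> ({value})")


def audit_feed(xml_text):
    """Return [(item_index, field, findings)] for every item field that
    would deliver active content after the reader's own processing."""
    root = ET.fromstring(xml_text)
    report = []
    for index, item in enumerate(root.iter("item")):
        for field in ("title", "link", "description"):
            elem = item.find(field)
            if elem is None:
                continue
            # The XML parser already decoded one layer of entities; a reader
            # that "converts &lt; to <" decodes a second layer here.
            as_rendered = html.unescape(inner_markup(elem))
            finder = ActiveContentFinder()
            finder.feed(as_rendered)
            finder.close()
            if finder.findings:
                report.append((index, field, finder.findings))
    return report


if __name__ == "__main__":
    for index, field, findings in audit_feed(FEED_XML):
        print(f"item {index} <{field}>: {', '.join(findings)}")
```

Only the first item comes through clean. The literal, entity-encoded and CDATA items all reach the browser component as a real `<script>` element, the double-encoded item only becomes dangerous because of the reader's extra decoding step, and the last item carries no script at all yet still makes the subscriber's browser request a transfer URL with whatever cookies it holds for that host.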

RSS Security Vulnerabilities (contd.)
Re-syndication vulnerability
• Server-1 stores a malicious feed; this feed is downloaded by its subscribers, including other servers (Server-2 and Server-3).
• Servers 2 and 3 create web feeds that include Server-1's feed content without sanitizing it.
• This content on Servers 2 and 3 is downloaded by their respective subscribers.
• In this process of re-syndication, many clients are affected.
[Diagram: Server-1 stores the malicious feed; the Server-2 and Server-3 feeds each include Server-1's feed; all reachable over the Internet.]

RSS Security Vulnerabilities (contd.)
Local zone risks
• Affects the subscriber's system. Readers typically convert the feed into an HTML file and store it in a local directory.
• This file is loaded into a browser instance. Because it is opened from the local zone, the file can use ActiveX objects with permission to read and write files on the disk.
• The feed can be engineered to read a local file and send a copy to the attacker's intended host on the Internet.
RSS spam
• Keyword surfing
• Link farms
• Fake RSS feeds
• How to protect: a user can unsubscribe from the feed.

Conclusions
Vulnerabilities arise because:
• The feed is malicious.
• The site that provides the feed has been hacked.
• The web-based feed is generated from mailing lists, bulletin-board messages or P2P content.
• The feed is modified in transit.
Observations and recommendations:
• It is extremely difficult to consume an RSS feed safely.
• Feed elements such as the <description> element allow arbitrary encoded HTML.
• Arbitrary code can carry malicious payloads.
• RSS readers should remove HTML entities and meta-characters before displaying the feed to the user. Sanitize the feed by looking for and stripping off dangerous tags.
• Knowing the security implications of feeds and readers will help you avoid attacks such as XSS.
• Before displaying the feed, a safe RSS reader can strip tags such as script, embed, object, frameset, meta, link, style, etc.
• Attackers don't just exploit weaknesses on the server but also on the client. Client-side vulnerabilities: scripts engineered into the feed extract information.
• In the case of feed readers, ensure that scripts, applets and plug-ins are disabled.
• Regular expressions can be used to filter script tags from user-supplied input, but a denylist regex only catches the patterns it was written for (a payload such as an event-handler attribute on an ordinary tag contains no script tag at all), so an allowlist of permitted tags and attributes applied by an HTML parser is the safer approach.
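An allowlist-based sanitizer is what the last three recommendations amount to in practice. The Python code below is an added example, not the authors' code or any feed reader's: it keeps only a small set of formatting tags and safe link schemes, drops everything else (including the bodies of script and style), and sits beside a script-tag regex of the kind mentioned above to show two inputs that the regex leaves dangerous. The tag, attribute and scheme allowlists are assumptions chosen for the example; a real reader would tune them. The same function belongs at the ingest point of any aggregator that re-syndicates other servers' feeds.

```python
# Added example: allowlist-based sanitizer for feed content, beside the
# regex approach, to show why stripping <script> tags alone is not enough.
# The allowlists are assumptions chosen for this example.
import html
import re
from html.parser import HTMLParser

# What the reader is willing to render (assumed set for the example).
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "ul", "ol", "li",
                "blockquote", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br"}
# Elements whose text content is code, not prose, and must not survive.
RAW_TEXT_TAGS = {"script", "style"}

# A denylist regex of the kind the conclusions mention.
NAIVE_SCRIPT_RE = re.compile(r"<script[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)


def naive_strip(markup):
    """Remove <script>...</script> pairs and nothing else."""
    return NAIVE_SCRIPT_RE.sub("", markup)


class FeedSanitizer(HTMLParser):
    """Rebuild markup from an allowlist: unknown tags are dropped (their
    text is kept, escaped), script/style bodies are discarded, and only
    vetted attributes with safe URL schemes are re-emitted."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.raw_tag = None   # set while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if self.raw_tag:
            return
        if tag in RAW_TEXT_TAGS:
            self.raw_tag = tag
            return
        if tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            value = value or ""
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue   # drops javascript:, data:, vbscript: and relative URLs
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.raw_tag:
            if tag == self.raw_tag:
                self.raw_tag = None
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Entities were decoded by the parser; re-escape so text stays text
        # and an entity-encoded payload is never decoded a second time.
        if not self.raw_tag:
            self.out.append(html.escape(data, quote=False))


def sanitize(markup):
    """Return markup safe to hand to the reader's browser component."""
    parser = FeedSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    samples = [
        "<p>Hello <b>world</b></p>",
        "<script>alert(1)</script>after",
        "<img src=x onerror=alert(1)>text",
        '<a href="javascript:alert(1)" onclick="x">link</a>',
        "<scr<script></script>ipt>alert(1)</scr<script></script>ipt>",
    ]
    for s in samples:
        print(f"input: {s}\nregex: {naive_strip(s)}\nallow: {sanitize(s)}\n")
```

The two regex failures are instructive: the image tag with an event handler contains no script tag, so the regex returns it untouched, and the nested-tag input is turned into a working `<script>alert(1)</script>` by the very act of removing the inner pairs. The allowlist sanitizer never emits a tag it did not choose to, so neither input survives; the remaining question for a reader is the browser zone it renders into, which the sanitizer cannot fix.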


"Things that think... don't make sense unless they link." - Nicholas Negroponte, MIT Media Laboratory