- Number of slides: 11
An analysis of RSS security
Research Topic, Network Security, Cmp. E 209, Dr. Richard Sinn
Sarbjeet Singh (005886296), Uma Nandanam (006259825)
Introduction
- RSS (Really Simple Syndication or Rich Site Summary) is a new and efficient content distribution feature that uses the XML format.
- RSS is used to distribute information (stores/news/articles, blog posts, video clips, audio clips, etc.) on a topic you choose from your favorite website. You need to subscribe to receive this information (called RSS feeds).
- The RSS feed comes to you, and a reader on your computer reads this information. The reader can be stand-alone software or web-based.
- Using RSS, we don't waste time looking for the information we need on websites or waiting for pages to load.
- To subscribe to a feed, look for a button like this on your favorite website.
- To subscribe to SJSU RSS feeds: www.sjsu.edu/rss
RSS Security Vulnerabilities
- The major RSS security vulnerabilities involve the elements of the feeds:
  - RSS: feed title, item description, item title, item link XML elements.
  - Atom: author name, entry update element, feed title, feed sub-title, feed update.
- Attackers can inject scripts into these elements.
- A few threats:
  - Phishing (redirecting a user to a malicious website)
  - Stealing cookies
  - Deploying malware
  - Browser activity monitoring
RSS Security Vulnerabilities (Contd.)
HTML literal injections
- RSS specifications specify ‘
RSS Security Vulnerabilities (Contd.)
HTML entity injections
- Some readers convert the HTML entities in the feed to their true values, so potential script injections can be inserted into the feed in entity-encoded form. The reader converts &lt; to '<' and &gt; to '>', and the decoded content is added and viewed by the browser component. Most readers store this content in a file in a local directory.
RSS Security Vulnerabilities (Contd.)
Cross site request forgery (CSRF)
- Unauthorized commands are transmitted from a user that the website trusts.
- Example 1: An attacker can make your computer send requests to a web site using CSRF attacks.
  - The attacker can inject a tag '
RSS Security Vulnerabilities (Contd.)
Re-syndication vulnerability
- Server-1 stores a malicious feed; this feed is downloaded by its subscribers, including other servers (Server-2 and Server-3).
- Server-2 and Server-3 create a web feed that includes Server-1's feed content without sanitizing it.
- This content on Server-2 and Server-3 is downloaded by their respective subscribers.
- In this process of re-syndication, many clients are affected.
[Diagram: Server-1 stores the malicious feed; the feeds of Server-2 and Server-3 also include Server-1's feed, all distributed over the Internet.]
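One way a reader, or a server that re-syndicates another server's feed, can sanitize items before rendering or republishing them, added here as an example (not code from the slides or from any project they cite): an allowlist HTML filter over each item's description that handles both literal markup inside CDATA and entity-encoded markup, with titles escaped as plain text and links restricted to http/https. The tag allowlist, the sample feed and the example.org URLs are assumptions constructed for the example.

```python
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Allowlist: tags not listed (script, iframe, object, img...) are dropped; only a safe-scheme href on <a> survives.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "ul", "ol", "li", "a"}
SAFE_SCHEMES = ("http://", "https://")

class FeedSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped, self.in_raw = [], 0, None
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):  # raw-text body: skip it rather than render it as text
            self.in_raw = tag
        if tag not in ALLOWED_TAGS:
            self.dropped += 1
            return
        keep = "".join(f' href="{html.escape(v, quote=True)}"' for n, v in attrs
                       if tag == "a" and n == "href" and (v or "").strip().lower().startswith(SAFE_SCHEMES))
        self.out.append(f"<{tag}{keep}>")
    def handle_endtag(self, tag):
        if tag == self.in_raw:
            self.in_raw = None
        elif tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if self.in_raw is None:  # re-escape text, so decoded &lt;script&gt; comes out as inert text
            self.out.append(html.escape(data, quote=False))

def sanitize_html(fragment):
    p = FeedSanitizer()
    p.feed(fragment)
    p.close()  # flush any buffered trailing text
    return "".join(p.out), p.dropped

def sanitize_feed(xml_text):
    items = []  # dropped > 0 marks an item the reader should log or flag
    for item in ET.fromstring(xml_text).iter("item"):
        link = item.findtext("link", "").strip()
        desc, dropped = sanitize_html(item.findtext("description", "").strip())
        items.append({"title": html.escape(item.findtext("title", "")),  # titles are plain text
                      "link": link if link.lower().startswith(SAFE_SCHEMES) else "",
                      "description": desc, "dropped": dropped})
    return items
# Constructed feed (not from the slides): <script>, <img onerror>, entity-encoded &lt;script&gt;, javascript: link.
SAMPLE_FEED = """<?xml version="1.0"?><rss version="2.0"><channel><title>Constructed test feed</title>
<item><title>News &lt;b&gt;today&lt;/b&gt;</title><link>javascript:alert(1)</link><description><![CDATA[
<p>Hi <script>alert(document.cookie)</script><img src=x onerror=alert(1)><a href="http://example.org/a">ok</a> plain &lt;script&gt; text</p>]]></description></item></channel></rss>"""
```

Running `sanitize_feed(SAMPLE_FEED)` keeps the paragraph and the http link, drops the script and img tags (dropped = 2), turns the entity-encoded script into visible text and blanks the javascript: link; a re-syndicating server would apply the same filter before embedding another server's content.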
RSS Security Vulnerabilities (Contd.)
Local zone risks
- Affects the subscriber's system. Readers typically convert the feed into an HTML file and store it in a local directory.
- This file is loaded into a browser instance. It can contain ActiveX objects with permissions to read/write files on the disk.
- The feed can be engineered to read a local file and send a copy to the attacker's intended host on the Internet.
RSS Spam
- Keyword surfing
- Link farms
- Fake RSS feeds
- How to protect:
  - A user can unsubscribe from the feed
Conclusions
- Vulnerabilities are because of:
  - The feed is malicious
  - The site that provides the feed is hacked
  - The web-based feed is created from mailing lists, bulletin board messages, P2P
  - The feed is modified during transport
- It is extremely difficult to safely consume an RSS feed.
- The feed elements such as the
“Things that think… don’t make sense unless they link.” - Nicholas Negroponte, MIT Media Laboratory