Partager via


Script in Feeds

You might have read the c|net article "Blog feeds may carry security risk" which summarizes the presentation given by Robert Auger and Caleb Sima of SPI Dynamics. The presentation points to potential dangers of malicious script embedded in feeds. This has sparked some discussion in the community.

We think it's good for the RSS community and users that the potential dangers of malicious script in feeds are pointed out and thereby can be addressed by application developers before any attacks materialize.

In IE7 and the Windows RSS Platform we've implemented several mitigations that specifically address potentially malicious scripts in feeds:

Sanitization
When downloading feeds, the RSS Platform passes the feed through a sanitization process which among other things removes script from HTML fields like the description element. Also, text fields, like the title element, are treated as text and not as HTML, so HTML tags are entity encoded. These steps are performed before the feed content is accessible by application including IE7's Feed View. Further, the feed content is persisted in the Feed Store in the sanitized form, so that applications accessing the feed data benefit from the sanitization.

Feed View in Restricted zone
The IE7 Feed View displays feeds in the Restricted security zone, no matter where the feed originated, even if for example the feed came from a site in the Trusted Sites zone. By default script is disabled in the Restricted zone. In addition, the Feed View disallows URL Actions including script and active content. 

We designed and implemented the RSS features using the principles of the Secure Development Lifecycle as embraced by Microsoft.  One of the principles is defense in depth. The idea being, even if script somehow were to sneak by the first layer of defense, the impact that the script could have is restricted, if not entirely negated.

Hosting IE in Applications
The second mitigation above can be of interest to application developers who are hosting MSHTML inside their applications. When using MSHTML to render feeds, we recommend that the host application implements a custom security manager, which allows the application to control which URL Actions are permissible. In order to reduce the attack surface of the application it is advisable to limit the permissible URL Actions to the smallest number possible.

I hope this will spark even more discussion about security and RSS which will ultimately benefit users.

- Walter vonKoch

[Update 8/16] Peter Plamondon of SPI Dynamics provided the link to the paper itself in the comments.

[Update 8/17] As noted by Sean Kerner in the comments, the presentation was given by Bob Auger solo. I've correct the intro above. Thanks.

Comments

  • Anonymous
    August 07, 2006
    "Also, text fields, like the title element, are treated as text and not as HTML, so HTML tags are entity encoded."
    I guess this does not apply to Atom 1.0 when atom:title[type="xhtml"] or atom:title[type="html"]. :)

  • Anonymous
    August 07, 2006
    The comment has been removed

  • Anonymous
    August 09, 2006
    The presentation you mention was only given by Robert Auger.
    Here's my account of the event which i was at:
    www.internetnews.com/security/article.php/3624601

    Does the risk of users that still choose to use something like Bloglines directly still remain?

  • Anonymous
    August 11, 2006
    see http://blogs.msdn.com/rssteam/archive/2006/02/24/538493.aspx#comments

  • Anonymous
    August 15, 2006
    See <http://www.spidynamics.com/assets/documents/HackingFeeds.pdf> for the whitepaper "Feed Injection in Web 2.0 - Hacking RSS and Atom Feed Implementations" that was the basis for the Black Hat talk that Walter referenced.

  • Anonymous
    August 21, 2006
    Removing all script elements is in conflict with the structured blogging [1] initiative because they use a script element to embed structured content into web pages and XML feeds. I think there will be a good chance that this initiative becomes important in the next month. So I hope developers won't have to decide whether they use the Windows RSS platform or rely on the structured blogging approach but can use structured blogging within the Windows RSS platform.

    [1] www.structuredblogging.org

  • Anonymous
    May 09, 2007
    Hello! Very interesting. Thank you.

  • Anonymous
    August 19, 2007
    Very good . You are doing a great job.

  • Anonymous
    September 17, 2007
    <a href= http://lipstick.com/user/buy_actos/#5 >buy actos</a>[url=http://lipstick.com/user/buy_actos/#5]buy actos[/url]<a href= http://lipstick.com/user/buy_adalat/#3 >order adalat</a>[url=http://lipstick.com/user/buy_adalat/#3]order adalat[/url]<a href= http://lipstick.com/user/ActoPlus_Met/#1 >ActoPlus Met online</a>[url=http://lipstick.com/user/ActoPlus_Met/#1]ActoPlus Met online[/url]

  • Anonymous
    January 18, 2008
    The presentation you mention was only given by Robert Auger. Here's my account of the event which i was at: www.internetnews.com/security/article.php/3624601 Does the risk of users that still choose to use something like Bloglines directly still remain?

  • Anonymous
    January 18, 2008
    The comment has been removed

  • Anonymous
    January 18, 2008
    Removing all script elements is in conflict with the structured blogging [1] initiative because they use a script element to embed structured content into web pages and XML feeds. I think there will be a good chance that this initiative becomes important in the next month. So I hope developers won't have to decide whether they use the Windows RSS platform or rely on the structured blogging approach but can use structured blogging within the Windows RSS platform. [1] www.structuredblogging.org

  • Anonymous
    January 18, 2008
    Removing all script elements is in conflict with the structured blogging [1] initiative because they use a script element to embed structured content into web pages and XML feeds. I think there will be a good chance that this initiative becomes important in the next month. So I hope developers won't have to decide whether they use the Windows RSS platform or rely on the structured blogging approach but can use structured blogging within the Windows RSS platform. [1] www.structuredblogging.org

  • Anonymous
    January 18, 2008
    The presentation you mention was only given by Robert Auger. Here's my account of the event which i was at: www.internetnews.com/security/article.php/3624601 Does the risk of users that still choose to use something like Bloglines directly still remain?

  • Anonymous
    March 19, 2008
    Thanks for claryfying the problem. I'm learning a lot here. Cheers!

  • Anonymous
    April 17, 2008
    <a href= http://index1.magazi.us >pastor salaries according to membership</a> <a href= http://index2.magazi.us >lady lake fl millage rates</a> <a href= http://index4.magazi.us >mack truck branches</a> <a href= http://index3.magazi.us >dale earnhardt jr</a>

  • Anonymous
    May 21, 2008
    Hello, great article! Tom, admin http://www.bukmacherzy365.info/

  • Anonymous
    June 17, 2008
    Thank you for grat piece of info :)

  • Anonymous
    August 27, 2008
    I'm searching for this solution. Thank you!

  • Anonymous
    September 13, 2008
    I think there will be a good chance that this initiative becomes important in the next month. So I hope developers won't have to decide whether they use the Windows RSS platform or rely on the structured blogging approach but can use structured blogging within the Windows RSS platform.

  • Anonymous
    October 02, 2008
    major career quiz <a href= http://regionprovence.cn/career-quiz.html >quiz career find</a> [url=http://regionprovence.cn/career-quiz.html]quiz career find[/url]