[WEB SECURITY] Announcement: Feed Injection in Web 2.0: Hacking RSS and Atom Feed Implementations [Whitepaper]
- From: "SPI Labs" <Spi.Labs@xxxxxxxxxxxxxxx>
- Subject: [WEB SECURITY] Announcement: Feed Injection in Web 2.0: Hacking RSS and Atom Feed Implementations [Whitepaper]
- Date: Mon, 7 Aug 2006 16:12:52 -0400
"One new feature of "Web 2.0", the movement to build a more responsive
Web, is the utilization of XML content feeds which use the RSS and Atom
standards. These feeds allow both users and web sites to obtain content
headlines and body text without needing to visit the site in question,
basically providing users with a summary of that site's content.
Unfortunately, many of the applications that receive this data do not
consider the security implications of using content from third parties
and unknowingly make themselves and their attached systems susceptible
to various forms of attack."
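The abstract above describes applications that take headlines and body text from third-party feeds without treating that data as untrusted input. As an added illustration, not code from the announcement, from SPI Labs or from the whitepaper, the Python below parses a constructed RSS 2.0 document and applies the controls a feed consumer would want before rendering: a size cap before the XML parser runs, HTML-escaping of every text field, and an allow-list of URL schemes for item links. The sample feed, field names and limits are assumptions made for this example; the announcement does not say which attack forms the paper covers, so markup carried inside feed text is used here as one representative case of untrusted third-party content.

```python
import html
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample feed (not from the page): the first item is benign, the
# second carries markup in its text fields and a non-http link, standing in for
# content supplied by a third party the consumer does not control.
SAMPLE_RSS = """<?xml version="1.0"?>
<rss version="2.0">
  <channel>
    <title>Example feed</title>
    <item>
      <title>Plain headline</title>
      <link>https://example.com/post/1</link>
      <description>Ordinary summary text.</description>
    </item>
    <item>
      <title>Headline &lt;b&gt;with markup&lt;/b&gt;</title>
      <link>javascript:void(0)</link>
      <description>&lt;script&gt;void(0)&lt;/script&gt;summary</description>
    </item>
  </channel>
</rss>
"""

# Assumed limits for this example; a real reader would tune them.
MAX_FEED_BYTES = 1_000_000   # refuse oversized documents before parsing
MAX_FIELD_LEN = 2000         # truncate individual text fields
ALLOWED_LINK_SCHEMES = {"http", "https"}


def safe_link(raw):
    """Keep an item link only if it is an absolute http(s) URL; otherwise None.

    Feed links end up in href attributes, so any other scheme is dropped
    rather than passed through to the browser.
    """
    if raw is None:
        return None
    candidate = raw.strip()
    parts = urlsplit(candidate)
    if parts.scheme.lower() not in ALLOWED_LINK_SCHEMES or not parts.netloc:
        return None
    return candidate


def render_text(raw):
    """Escape a feed text field so it is displayed as text, never as markup."""
    if raw is None:
        return ""
    return html.escape(raw[:MAX_FIELD_LEN], quote=True)


def parse_feed(xml_text):
    """Parse RSS 2.0 text into a list of items with escaped fields.

    Every value returned has already been escaped or scheme-checked, so the
    renderer below never has to decide what is safe.
    """
    if len(xml_text) > MAX_FEED_BYTES:
        raise ValueError("feed exceeds size limit")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError("malformed feed: %s" % exc) from exc
    items = []
    for item in root.iter("item"):
        items.append({
            "title": render_text(item.findtext("title")),
            "link": safe_link(item.findtext("link")),
            "description": render_text(item.findtext("description")),
        })
    return items


def render_html(items):
    """Build an HTML list from items produced by parse_feed.

    Text fields are already escaped; the link is escaped again here because it
    is placed inside an attribute value.
    """
    parts = []
    for it in items:
        if it["link"]:
            parts.append('<li><a href="%s">%s</a><p>%s</p></li>' % (
                html.escape(it["link"], quote=True), it["title"], it["description"]))
        else:
            parts.append('<li>%s<p>%s</p></li>' % (it["title"], it["description"]))
    return "<ul>%s</ul>" % "".join(parts)


if __name__ == "__main__":
    for entry in parse_feed(SAMPLE_RSS):
        print(entry)
    print(render_html(parse_feed(SAMPLE_RSS)))
```

The design point is that trust decisions are made once, at parse time, and the renderer only ever sees pre-escaped strings; the same approach applies to Atom feeds, where the `type` attribute on content elements (`text`, `html`, `xhtml`) decides how a field must be treated before it is shown.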
[Link]
Feed Injection in Web 2.0: Hacking RSS and Atom Feed Implementations
http://www.spidynamics.com/assets/documents/HackingFeeds.pdf
[Contact Information]
spilabs@spidynamics.com
SPI Dynamics, Inc.
115 Perimeter Center Place N.E.
suite 1100
Atlanta, GA. 30346
Toll-Free Phone: (866) 774-2700
SPI Dynamics was founded in 2000 by a team of accomplished Web security
specialists. SPI Dynamics is the leader in Web application security
technology. With such signature products as WebInspect, SPI Dynamics is
dedicated to protecting companies' most valuable assets. SPI Dynamics
has created a new breed of Internet security products for the Web
application, the most vulnerable yet least secure component of online
business infrastructure.
Copyright (c) 2006 SPI Dynamics, Inc. All rights reserved worldwide.
Brought to you by http://www.webappsec.org