It’s just data

Attack Delivery TestSuite

It is just a matter of time.  One of these days, some hacker will deface a popular site like Engadget.  But instead of putting something visible on the site, they will put something invisible in the feed.

By the magic of syndication, that data will then be distributed like spores to untold thousands of locations.  In the process it will be transported from a relatively untrusted location (like BoingBoing) to a place of equal or greater trust.  Places like popular portal sites, or just perhaps, to your very own hard drive.

From there, it will lie in wait until you check for news.  Invisibly it will spring into action.  You won’t even notice it running.  It will be able to do things that vary from uploading your preferences and passwords to a remote location, to downloading malware onto your machine.  Shortly thereafter, this entry will be marked as read, or scroll off the bottom of your river of news, and you will never know how you just got p0wned.

Last week, SPI Dynamics presented a whitepaper on this topic.  Underreported at the time was the cooperation and dedication that a number of authors of popular feed reader software have demonstrated to date.  Also underreported is the difficulty of reliably detecting the presence of JavaScript in feeds.

As a first step, James Holderness devised 85 tests for Snarfer.  None of these tests attempt to do anything malicious; instead they simply attempt to produce a popup identifying the source of the exposure.  I’ve tried these tests against the latest Universal Feed Parser, and in each case the JavaScript was either outright removed or otherwise rendered harmless.

Sometime in November (i.e., in about 90 days), and with James’s consent, I will commit these tests as a part of the Feed Parser regression test suite.  At which point, they will be open source, and easy to find by friend and foe alike.

Meanwhile, if you are developing software that consumes feeds, please get ahold of either James or myself and we will share these tests with you.  Contributions of additional tests are also welcome.
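To make the "difficulty of reliably detecting JavaScript" point concrete, here is an added example (my own illustration, not code from the Feed Parser project or from James Holderness's tests): a minimal allowlist sanitizer run over a handful of constructed, popup-style payloads, alongside the naive `<script` substring scan a reader might be tempted to rely on. The tag allowlist, the scheme list and the payload strings are all assumptions made for the example.

```python
import html, re
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "img", "br", "ul", "li"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}

class Sanitizer(HTMLParser):
    """Rebuilds markup from the allowlist; a dropped <script>/<style> takes its text with it."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
        elif not self.skip and tag in ALLOWED_TAGS:
            kept = ""
            for name, value in attrs:
                value = value or ""
                if name not in ALLOWED_ATTRS.get(tag, ()):
                    continue  # drops every on* handler and style=
                if name in ("href", "src"):
                    # HTMLParser already decoded &#106; etc.; browsers also ignore control chars in a scheme
                    scheme = urlparse(re.sub(r"[\x00-\x20]", "", value)).scheme.lower()
                    if scheme not in ("http", "https", "mailto", ""):  # "" = relative URL
                        continue  # javascript:, data:, vbscript: ...
                kept += f' {name}="{html.escape(value, quote=True)}"'
            self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS - {"img", "br"}:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))

def sanitize(markup):
    s = Sanitizer(); s.feed(markup); s.close()
    return "".join(s.out)
# Constructed payloads in the spirit of the popup tests; "escaped" is how type="html"
# content sits in the feed XML before the XML parser decodes it.
PAYLOADS = {
    "plain": "<p>Hi<script>alert(1)</script></p>",
    "handler": '<img src="x" onerror="alert(1)">',
    "scheme": '<a href="JaVaScRiPt:alert(1)">click</a>',
    "tab": '<a href="java&#9;script:alert(1)">click</a>',
    "escaped": "&lt;script&gt;alert(1)&lt;/script&gt;",
}
def check(label):
    # Returns (would a '<script' scan of the raw feed text fire?, what the reader would render)
    raw = PAYLOADS[label]
    markup = html.unescape(raw) if label == "escaped" else raw
    return "<script" in raw.lower(), sanitize(markup)
```

Only the "plain" payload trips the substring scan; the other four pass it untouched, while the allowlist rebuild neutralises all five.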


everyone is still vulnerable to NSFW attacks. Just point them at content they aren’t meant to look at at work, have it appear in the proxy log/browser cache and suddenly they are incriminated. Can you really say “my machine downloads adult content automatically” and expect to avoid the short conversation with HR?

go on sam, take the flash from here and stick it in a post.
[link]

Posted by Steve Loughran at

‘p0wned’... weird, a typo in the middle of a typo.  Yeah, that should totally be ‘pwned’. :-)

I should probably run those tests against FeedTools.  I discovered that some of the sanitization code wasn’t working as intended the other day, though I haven’t committed the fix for it yet because of some other code that isn’t working right.

Posted by Bob Aman at

Sam Ruby: Attack Delivery TestSuite

Paul Hammond : Sam Ruby: Attack Delivery TestSuite - Sometime in November (i.e., in about 90 days), and with James’s consent, I will commit these tests as a part of the Feed Parser regression test suite...

Excerpt from HotLinks - Level 1 at

I haven’t yet had a chance to add sanitization to XML_Feed_Parser but I really should. A copy of those tests would be a great start...

Posted by James Stewart at

Malicious RSS Tests

Mark Woodman has a list of 7 RSS Javascript tests that you should be......

Excerpt from Real Geek at

Sam Ruby: “As a first step, James Holderness devised 85 tests for Snarfer. None of these tests attempt to do anything malicious, instead they simply attempt to produce a popup identifying the source of the exposure.” James’...

Excerpt from snellspace.com at

[from ade] Sam Ruby: Attack Delivery TestSuite

[link]...

Excerpt from del.icio.us/network/andreweland at

Mark Woodman: The Threat is Real

Posted by Sam Ruby at

Today's links [August 10, 2006]

Mac OS X Leopard dev goodies: New features, which include an RSS/Atom parser, generator and feed store. Ted Neward » The Vietnam of Computer Science: “analysis of Object/Relational Mapping--and its relationship to the Second South Indochina War”...

Excerpt from Blogging Roller at

Sam Ruby: Attack Delivery TestSuite

[link]...

Excerpt from del.icio.us/hypermedia at

Malicious RSS Tests

Mark Woodman has a list of 7 RSS Javascript tests that you should be checking against your RSS Reader. Or maybe not, Mark managed to break his RSS reader with them. James Holderness also has some tests (85), but they are not public yet. James...

Excerpt from The RSS Blog at

Full Disclosure

Charles Miller: [via Stefan Tilkov] If you are involved with the development of any tool that consumes feeds, I encourage you to read James Snell’s recent post.  It is clear now that giving people months to react only advantages the... [more]

Trackback from Sam Ruby at

Sam Ruby: Full Disclosure

Planet Webservices: Charles Miller: Often, full disclosure is explained as a way to make sure vendors are responsive, using “naming and shaming” to force a faster patch schedule. This is certainly one aspect of the practice, but far more important is...

Excerpt from java.blogs Recent Entries at

Feed Security and FeedDemon, Part II

In my previous post I wrote about FeedDemon’s security features, the most important of which is the fact that FeedDemon’s newspapers operate in Internet Explorer’s “Internet Zone” instead of the less secure local zone. This means that even if...

Excerpt from Nick Bradbury at

[from cdent] Sam Ruby: Attack Delivery TestSuite

[link]...

Excerpt from del.icio.us/network/esinclai at

Feed Security

Ok, so it’s been about a month I guess since I started talking about scripting exploits in feeds. I put together a whole bunch of Atom test cases based on an initial set of RSS tests produced by James Holderness. Several Feed Reader developers...

Excerpt from snellspace.com at

Feed Security and FeedDemon, Part III

Last month I promised to talk about the exploits that James Snell uncovered which left feed readers vulnerable to some very annoying script-based attacks. I didn’t want to provide details of the exploits until other feed readers had patched them,...

Excerpt from Nick Bradbury at

I would also love to get a copy of those tests for SimplePie development.  Please pass them along as soon as you are able.  Thanks!

Posted by Ryan Parman at

snellspace.com; Feed Security

If you are an enterprise considering deployment of RSS technology, this post might point you to some test suites to assess vendor security: Feed Security Ok, so it’s been about a month I guess since I started talking about scripting......

Excerpt from Collaborative Thinking at

Hi Sam, how do I get hold of the tests for RSS feeds? I’ve been working on an RSS reader for an enterprise’s product and would like to run the reader through the vulnerabilities.

Posted by Perry Loh at

Perry: look here and here.

Posted by Sam Ruby at

Inline vs. Referenced SVG

Jeff Schiller:  Thanks! FYI: my personal “publish” interface has a select dropdown that lets me choose from my ever growing palette of icons and incorporates them into the page in a way that allows resi... [more]

Trackback from Sam Ruby at

Exploiting Chrome and Opera’s inbuilt ATOM/RSS reader with Script Execution and more

============================================= SECURETHOUGHTS.COM ADVISORY - CVE-ID : CVE-2009-XXXX (Chrome) {Pending} - Release Date : September 15, 2009 - Severity : Medium to High - Discovered by : Inferno...

Excerpt from SecureThoughts.com at
