Script in Feeds


You might have read the c|net article “Blog feeds may carry security risk” which summarizes the presentation given by Robert Auger and Caleb Sima of SPI Dynamics. The presentation points to potential dangers of malicious script embedded in feeds. This has sparked some discussion in the community.


We think it’s good for the RSS community and users that the potential dangers of malicious script in feeds are pointed out and thereby can be addressed by application developers before any attacks materialize.


In IE7 and the Windows RSS Platform we’ve implemented several mitigations that specifically address potentially malicious scripts in feeds:



Sanitization
When downloading feeds, the RSS Platform passes the feed through a sanitization process which, among other things, removes script from HTML fields like the description element. Text fields, like the title element, are treated as text and not as HTML, so HTML tags are entity encoded. These steps are performed before the feed content is accessible to applications, including IE7’s Feed View. Further, the feed content is persisted in the Feed Store in its sanitized form, so that applications accessing the feed data benefit from the sanitization.
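As an added illustration (this is not code from the IEBlog post or from the Windows RSS Platform), the rules above, together with the Atom (X)HTML title handling clarified in comment 2 below, written out as a small Python sanitizer run over a constructed RSS item and Atom entry. It assumes that inline event-handler attributes are among the "other things" removed from HTML fields.

```python
import html
import re
import xml.etree.ElementTree as ET
ATOM = "{http://www.w3.org/2005/Atom}"
SCRIPT = r"(?is)<(?:\w+:)?script\b[^>]*>.*?</(?:\w+:)?script\s*>"   # closed script element
OPEN_SCRIPT = r"(?is)<(?:\w+:)?script\b.*"                          # unclosed: rest of field
ON_HANDLER = r"""(?i)\s+on\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)"""     # inline event handler

def strip_script(markup: str) -> str:
    """HTML field (RSS description, Atom content): drop script elements with bodies, and
    everything after an unclosed <script>. Assumption: inline event handlers go too."""
    out = re.sub(SCRIPT, "", markup)
    out = re.sub(OPEN_SCRIPT, "", out)
    return re.sub(ON_HANDLER, "", out)

def text_field(value: str) -> str:
    """Text field (RSS title, Atom title type=text): shown as text, tags entity-encoded."""
    return html.escape(value, quote=False)

def markup_to_text(value: str) -> str:
    """Atom title type=html/xhtml: all markup stripped, remaining text displayed."""
    plain = re.sub(r"(?s)<[^>]*>", "", strip_script(value))
    return html.escape(html.unescape(plain), quote=False).strip()

def sanitize_item(xml_text: str) -> dict:
    """Sanitize one RSS <item> or Atom <entry> into display-safe title and body."""
    el = ET.fromstring(xml_text)
    if el.tag == ATOM + "entry":
        title = el.find(ATOM + "title")
        kind = title.get("type", "text")
        if kind == "text":
            title_out = text_field(title.text or "")
        else:  # html: escaped markup in text; xhtml: a child div, serialized here
            raw = ET.tostring(title, encoding="unicode") if kind == "xhtml" else title.text or ""
            title_out = markup_to_text(raw)
        content = el.find(ATOM + "content")
        body_out = strip_script(content.text or "") if content is not None else ""
    else:  # RSS 2.0 <item>: title is text, description is HTML
        title_out = text_field(el.findtext("title", ""))
        body_out = strip_script(el.findtext("description", ""))
    return {"title": title_out, "body": body_out}

# Constructed samples (not from any real feed) exercising each rule above.
RSS_ITEM = ('<item><title>Weekly &lt;b&gt;news&lt;/b&gt;</title>'
            '<description>&lt;p&gt;Hi&lt;/p&gt;&lt;script&gt;alert(1)&lt;/script&gt;'
            '&lt;a href="/x" onclick="evil()"&gt;link&lt;/a&gt;&lt;script&gt;trailing'
            '</description></item>')
ATOM_ENTRY = ('<entry xmlns="http://www.w3.org/2005/Atom"><title type="html">'
              '&lt;b&gt;Bold&lt;/b&gt;&lt;script&gt;x()&lt;/script&gt; &amp;amp; more</title>'
              '<content type="html">&lt;img src=x onerror="evil()"&gt;</content></entry>')
```

Run `sanitize_item(RSS_ITEM)` and `sanitize_item(ATOM_ENTRY)` to see the entity-encoded title, the script-free description, and the markup-free Atom title side by side.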


Feed View in Restricted zone
The IE7 Feed View displays feeds in the Restricted security zone, no matter where the feed originated, even if for example the feed came from a site in the Trusted Sites zone. By default script is disabled in the Restricted zone. In addition, the Feed View disallows URL Actions including script and active content. 


We designed and implemented the RSS features using the principles of the Secure Development Lifecycle as embraced by Microsoft. One of those principles is defense in depth: even if script somehow were to sneak past the first layer of defense, the impact that the script could have is restricted, if not entirely negated.


Hosting IE in Applications
The second mitigation above can be of interest to application developers who are hosting MSHTML inside their applications. When using MSHTML to render feeds, we recommend that the host application implement a custom security manager, which lets the application control which URL Actions are permissible. To reduce the attack surface of the application, it is advisable to limit the permissible URL Actions to the smallest number possible.


I hope this will spark even more discussion about security and RSS which will ultimately benefit users.


– Walter vonKoch


[Update 8/16] Peter Plamondon of SPI Dynamics provided the link to the paper itself in the comments.


[Update 8/17] As noted by Sean Kerner in the comments, the presentation was given by Bob Auger solo. I’ve corrected the intro above. Thanks.

Comments (21)

  1. Federico says:

    "Also, text fields, like the title element, are treated as text and not as HTML, so HTML tags are entity encoded."

    I guess this does not apply to Atom 1.0 when atom:title[type="xhtml"] or atom:title[type="html"]. :)

  2. "I guess this does not apply to Atom 1.0 when atom:title[type="xhtml"] or atom:title[type="html"]."

    A good point that deserves some clarification:

    Atom 1.0 titles of type (X)HTML have all markup (script or otherwise) stripped out, and the remaining text is displayed.

  3. Sean Kerner says:

    The presentation you mention was only given by Robert Auger.

    Here’s my account of the event which I was at:

    http://www.internetnews.com/security/article.php/3624601

    Does the risk of users that still choose to use something like Bloglines directly still remain?

  4. peterpla says:

    See <http://www.spidynamics.com/assets/documents/HackingFeeds.pdf> for the whitepaper "Feed Injection in Web 2.0 – Hacking RSS and Atom Feed Implementations" that was the basis for the Black Hat talk that Walter referenced.

  5. Removing all script elements is in conflict with the structured blogging [1] initiative because they use a script element to embed structured content into web pages and XML feeds. I think there will be a good chance that this initiative becomes important in the next month. So I hope developers won’t have to decide whether they use the Windows RSS platform or rely on the structured blogging approach but can use structured blogging within the Windows RSS platform.

    [1] http://www.structuredblogging.org

  6. Max R. says:

    Hello! Very interesting. Thank you.

  7. program says:

    Very good . You are doing a great job.

  13. Thanks for clarifying the problem. I’m learning a lot here. Cheers!

  16. MSI says:

    Thank you for great piece of info :)

  17. Bread bins says:

    I’m searching for this solution. Thank you!
