journeyose.blogg.se

Atom feed reader

Both attacker and victim user have an account to a trusted website. The trusted web site lets the attacker inject JavaScript content into any section of the site’s RSS or an Atom feed. The trusted website uses blacklist to block known executable file types for scripted content. Attacker uploads a file with extension .rss/.atom/arbitrary extension preceded by .html, jsp, etc.

Scans user’s internal network with/without javascript


Searches user’s browser history for visited url list
Modifies into a phishing page and asks user credentials for subscribing to Google Reader / My.

Attacker social engineers a victim user to visit a rss/atom feed link pointing to his or her evil site. Google Chrome and Opera’s inbuilt RSS/ATOM Reader renders untrusted javascript in an RSS/ATOM feed. Victim uses Google Chrome / Opera browser to view the feed. Malicious javascript gets executed on victim’s browser.

BACKGROUND

Back in 2006, there was interesting research done by James Holderness and James M. Snell which uncovered a variety of XSS issues in various online feed aggregator services (e.g. Feed Demon). The vulnerability arises from the fact that it is not expected of RSS readers to render scripted content. I want to extend that research by doing threat analysis on inbuilt feed readers offered in most modern browsers. I have found Google Chrome (v2,3) and Opera (v9,v10) to be vulnerable, while Internet Explorer (v7,8), Firefox 3.5 and Safari 4 are resilient to the exploits mentioned below.

ADVISORY – CVE-ID

Chrome all versions – 2 and 3 (< 3.0.195.21)

Update: I missed pointing out the cutting edge research done by Robert Auger in this area back in 2006. Also, Michal Zalewski has written about the RSS and ATOM vulnerabilities in the comprehensive Browser Security Handbook.
