[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Exploiting Chrome and Opera's inbuilt ATOM/RSS reader with Script Execution and more
- To: "'Michal Zalewski'" <lcamtuf@xxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Exploiting Chrome and Opera's inbuilt ATOM/RSS reader with Script Execution and more
- From: "Inferno" <inferno@xxxxxxxxxxxxxxxxxx>
- Date: Wed, 16 Sep 2009 01:23:46 -0700
Hi Michal,
Thanks for clarifying the feed reader functionality in Chrome and link to
the browser security handbook. The browser security handbook is a great
resource, sorry, I missed reading that section on RSS.
A question I had was it mentions Opera browser does not render javascript
inside feeds, whereas I found that it does. Also, for Chrome, now since it
has removed script rendering part completely, I think the handbook might
need a slight update for both Opera and Chrome in next version revision.
Thanks for your efforts in developing such a useful resource for the
community.
Thanks and Regards,
Inferno
Security Researcher
SecureThoughts.com
-----Original Message-----
From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
[mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of Michal
Zalewski
Sent: Wednesday, September 16, 2009 12:07 AM
To: Inferno
Cc: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] Exploiting Chrome and Opera's inbuilt
ATOM/RSS reader with Script Execution and more
> Back in 2006, there was interesting research done by James Holderness[1]
and
> James M. Snell[2] which uncovered a variety of XSS issues in various
online
> feed aggregator services (e.g. Feed Demon). The vulnerability arises from
> the fact that it is not expected of RSS readers to render scripted
content.
> I want to extend that research by doing threat analysis on inbuilt feed
> readers offered in most modern browsers. I have found Google Chrome (v2,3)
> and Opera (v9,v10) to be vulnerable, while Internet Explorer(v7,8),
Firefox
> 3.5 and Safari 4 are resilient to the exploits mentioned below.
To be precise, Chrome does *not* have a built-in feed reader, and
instead, attempts to render the payload as a generic XML/HTML document
- which causes the behavior observed. The behavior of Chrome, MSIE6,
and Opera is actually covered for a longer while in Browser Security
Handbook:
http://code.google.com/p/browsersec/wiki/Part1#Other_built-in_document_forma
ts
More specifically, this is outlined in the "Is generic XML document
support present?", "Is RSS feed support present?", "Is ATOM feed
support present?", "Does JavaScript execute within feeds?", and "Are
javascript: or data: URLs permitted in feeds?" tests.
There are also some interesting details related to SVG and other XML
formats along these same lines.
Cheers,
/mz
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/