Cross Site Scripting via RSS?
Posted October 22, 2004 – 1:37 am by Yakov Shafranovich in Programming

Just recently I realized that many RSS readers do not completely filter out JavaScript. BlogLines, for example, takes out SCRIPT tags but not “onMouseOver”, “onClick”, etc. Since many RSS readers render RSS in a regular browser, because it is HTML, a strong possibility of Cross Site Scripting attacks exists. For an example, try clicking on the button below, which will display your cookies.
For many web-based readers such as Feedster and BlogLines this can be used to obtain the username of your account. With some, even the session ID can be obtained, thus granting access to your account. Additionally, the usual gamut of CSS attacks might be possible as well. More information to come as I research this…
UPDATE #1: If you are a BlogLines subscriber, you can test this via this link. Make sure you are logged in first to see the cookies.
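
An added example, not code from the original post: the filtering gap described above (SCRIPT tags removed, inline event handlers left in place), shown next to an allowlist sanitizer that a feed reader could apply before rendering item HTML. The sample item, the tag and attribute allowlist and all function names are assumptions made for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed sample feed item: a script element, inline handlers, a script URL.
SAMPLE_ITEM = (
    '<p>Hello <b onmouseover="alert(document.cookie)">reader</b></p>'
    '<script>alert(1)</script>'
    '<a href="javascript:alert(1)" onclick="alert(2)">more</a>'
    '<a href="http://example.com/post">post</a>'
)

def strip_script_tags_only(html):
    # Weak filter as described in the post: drops SCRIPT elements, nothing else.
    return re.sub(r"(?is)<script\b.*?</script\s*>", "", html)

# Assumed policy: a few formatting tags, and href only on <a>.
ALLOWED = {"p": set(), "b": set(), "i": set(), "em": set(), "br": set(), "a": {"href"}}
SAFE_URL = re.compile(r"^(https?:|mailto:)", re.I)

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0  # skip > 0 while inside script/style
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED:
            return  # unknown tags are dropped, their text is kept (escaped)
        # Every on* handler falls away because only allowlisted names survive,
        # and href must start with an allowed scheme.
        kept = [f' {n}="{escape(v.strip(), quote=True)}"' for n, v in attrs
                if n in ALLOWED[tag] and v and SAFE_URL.match(v.strip())]
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED and tag != "br":
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))  # re-escape decoded text

def sanitize(html):
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()  # flush any buffered trailing text
    return "".join(parser.out)
```

The allowlist fails closed: an attribute or URL scheme the policy does not name is dropped, so a handler name the filter author never thought of cannot slip through the way it does with a tag blocklist.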

One Response to “Cross Site Scripting via RSS?”
I am using Bloglines in an Opera browser and the link you provided in “UPDATE #1” didn’t show anything. The button, however, did show the cookies.
By Daniel Goldman on Oct 22, 2004