Google AJAX Feed API Dangers
Recently Google has released their AJAX Feed API, which helps developers create web mashups by consuming RSS and Atom feeds from third-party web sites. Just like Google’s AJAX Search API, the Feed API can be abused to create and spread web malware. For more information about the security aspects of the Google AJAX Search API, you can read here, here and here.
I am not going to go into details about why the Feed API is dangerous and how it can be abused. I think that the security aspects are obvious. One of the main areas where the Feed API greatly improves the lives of malware coders is when they try to circumvent the Same Origin Policy (SOP) enforced by modern browsers.
We all know what SOP is but here is a snippet from Wikipedia for those who don’t know:
In computing, the same origin policy is an important security measure for client-side scripting (mostly JavaScript). The policy dates from Netscape Navigator 2.0, with necessary coverage fixes in Navigator 2.01 and Navigator 2.02. It prevents a document or script loaded from one “origin” from getting or setting properties of a document from a different “origin”. Wikipedia
In simple words, SOP disallows JavaScript malware from accessing resources other than those of the current origin.
Although SOP works and greatly improves browser security, there are ways it can be circumvented to one degree or another. For example, I’ve demonstrated a simple technique where attackers use publicly available anonymous proxies to unify the origins of two or more web resources: once both resources are fetched through the same proxy, the browser sees them as coming from the proxy’s origin. The technique was used as a key component of Jikto, which was released by Billy Hoffman from SPI Dynamics as a Proof of Concept of how JavaScript can probe various websites for vulnerabilities and spread when XSS or SQL Injection holes are found.
My POC and Billy’s Jikto were interesting experiments that proved and demonstrated the dangers that modern browsers introduce. However, they were clumsy, slow and not practical. That was a good thing for a while, since we do realise that our research can harm a lot of users and potentially bring havoc to corporations and organizations whose business is entirely web based. Things change though.
The further we go, the easier it will get for malware writers. Google’s AJAX Search API and Feed API are examples of technologies that can be easily abused. RSS feeds are designed to provide highly concentrated site content in an easily accessible way. Now attackers can create much faster worms, and they can spider with much greater accuracy.
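To make the origin argument above concrete, here is an added illustration (not the post’s own POC, and not Google’s API code) of how a browser’s same-origin check reduces a URL to scheme, host and port, and why a relay such as an anonymous proxy or a feed-fetching service makes two unrelated sites look like a single origin to script. All host names are constructed for the example.

```javascript
// Added illustration: the same-origin check and the "origin unification"
// effect of a relay. Host names below are constructed, not real targets.

// Default ports per scheme, so "http://a.example" and "http://a.example:80"
// compare equal, as browsers treat them.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to its origin tuple: scheme, host and normalised port.
// WHATWG URL drops a default port, so fall back to the table for it.
function originOf(url) {
  const u = new URL(url);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;
}

// SOP: script in a document at docUrl may read a resource only when the
// two share an origin. Path, query and fragment play no part.
function sameOrigin(docUrl, resourceUrl) {
  return originOf(docUrl) === originOf(resourceUrl);
}

// Model a relay (anonymous proxy, feed-fetching service): the content of
// targetUrl is served from the relay's own URL, so the browser attributes
// it to the relay's origin rather than to the real source.
function viaRelay(relayBase, targetUrl) {
  return `${relayBase}?url=${encodeURIComponent(targetUrl)}`;
}

// What the SOP check decides for a document reading targetUrl, either
// directly or through relayBase. With a relay the check is made against
// the relay, which is why a relay must be treated as a trust boundary.
function canRead(docUrl, targetUrl, relayBase) {
  const fetched = relayBase ? viaRelay(relayBase, targetUrl) : targetUrl;
  return sameOrigin(docUrl, fetched);
}
```

The last function is the defender’s takeaway: any endpoint that fetches arbitrary URLs on behalf of script (a feed API, an open proxy, a CORS-style relay) collapses every site it can reach into its own origin, so it needs the same scrutiny as a cross-origin read.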
Sometimes I hesitate to write about everything I see and experience, mainly because I am afraid of leaking too much information that can be used for bad purposes. However, with great power comes great responsibility. This does not mean that every time someone finds a vulnerability they need to wait for a vendor patch. For example, I released the QuickTime XSS vulnerability mainly because I knew that the issue was related to a feature which I thought was too useful to be eliminated. I was right: Apple closed the bug after six months of considering how to eliminate the issue while keeping the feature. Depending on the situation, the security researcher needs to decide what the most appropriate way to inform society is. Sometimes, drastic actions need to be taken.
I guess we are going to talk about the legal side of disclosing bugs and hacking techniques at the 6th OWASP Conference in Milan, Italy. Speaking of OWASP, I will present some advanced JavaScript techniques that attackers can use to break into web applications and also show how penetration testers can build huge, distributed testing infrastructures to counter attack. I promise that the talk will be quite interesting and very intensive, since I have only 40 minutes. I will cover topics such as web based exploits, 2nd generation web worms and security mashups. None of these have been discussed before, so there will be quite a lot of food for thought.
The rest of this post is a simple POC that shows the power of Google’s AJAX Feed API functionalities. I guarantee that this is nothing compared to what is available out there. For more information, wait until OWASP.
Comments
The 6th OWASP Conference will be a nice event, and it is good that you will be there and take part in the conference.
Pdp, please, think about writing a summary of the OWASP Conference. You may write brief info about the whole conference (what was the most interesting and what you liked more) and write detailed info about your speech (Advance Web Hacking Revealed) and your last projects.
Also there are some other nice topics:
* Panel: “Public site vulnerability research - good or evil?” (for good ;-) )
* Protecting Web Applications from Universal PDF XSS: A discussion of how weird the web application security world has become (UXSS is a hot topic)
* Testing Flash Applications: A new attack vector for XSS and XSFlashing (it will be simultaneously with your speech)
About these topics you may write additional posts (with more details than just in a brief post). I think there will be a lot of interesting information at the conference.
Google AJAX Feed API is nice. And yes, it has dangers :-). The security aspects of this are obvious.
And you remind the web community about it once more (it is necessary to remind people periodically about the danger of some things). Circumventing SOP especially. In some cases SOP needs to be circumvented (for hackers).
P.S.
You can talk about the legal side of disclosing bugs at the conference, if you are going to. But you need to incline that it is legal and good ;-). Disclosure policy needs to be considered, but in any case it is for good purposes.
MustLive, actually I am actively taking part in the “Public site vulnerability research” panel, so I will try to present my point of view.
I think that OWASP does a good job at exposing what has been discussed at their conferences. However, if they miss something I will most definitely put it on GNUCITIZEN.
One thing is for sure. Now we can have thousands of web pages subscribing to
http://sla.ckers.org/forum/rss.php
http://www.securityfocus.com/r.....lities.xml
etc.
And along with the Google Search API, they can exploit sites as soon as the advisories are released.
you are telling me that… :) wait for the OWASP con. I have some really good stuff for it.
I can’t wait any longer to see what you present at OWASP con.
But I live faaar away from Italy, and therefore a video would help!
Otherwise I’m sure you’ll share it in some other form anyway.