Google AJAX Feed API Dangers
Google has released its AJAX Feed API, which helps developers create web mashups by consuming RSS and Atom feeds from third-party web sites. Just like Google's AJAX Search API, the Feed API can be abused to create and spread web malware. For more information about the security aspects of the Google AJAX Search API, you can read the articles over here, here and here.
I am not going to go into the details of why the Feed API is dangerous and how it can be abused; I think the security aspects are obvious. One of the main areas where the Feed API greatly improves the lives of malware coders is circumventing the Same Origin Policy (SOP) enforced by modern browsers: the feed is fetched by Google's servers and handed back to the calling page as script, so a page can read the content of a site it could never have requested directly.
We all know what SOP is but here is a snippet from Wikipedia for those who don’t know:
"In computing, the same origin policy is an important security measure for client-side scripting (mostly JavaScript). The policy dates from Netscape Navigator 2.0, with necessary coverage fixes in Navigator 2.01 and Navigator 2.02. It prevents a document or script loaded from one 'origin' from getting or setting properties of a document from a different 'origin'." (Wikipedia)
In simple words, SOP stops JavaScript malware from reading or writing resources that come from an origin other than the one the script itself was loaded from.
Although SOP works and it greatly improves browsers' security, there are ways it can be circumvented to one degree or another. For example, I've demonstrated a simple technique where attackers can use publicly available anonymous proxies to unify the origins of two or more web resources. The technique was used as a key component of Jikto, which was released by Billy Hoffman from SPI Dynamics as a proof of concept of how JavaScript can probe various web sites for vulnerabilities and spread when XSS or SQL injection holes are found.
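The proxy trick described above, as an added example that is not part of the original post: the browser's notion of an "origin" is the (scheme, host, port) triple, and SOP compares exactly that, so two sites loaded through one anonymous proxy both become documents on the proxy's origin. The hosts bank.example, forum.example and proxy.example are placeholders, not real services.

```javascript
// Added example (not from the original post): compute the origin triple the
// browser compares, and show that routing two unrelated sites through the same
// anonymous proxy makes them same-origin. All host names are placeholders.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Normalise a URL to its origin, filling in the default port so that
// "https://a.example/" and "https://a.example:443/" compare equal.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || '';
  return `${u.protocol}//${u.hostname}:${port}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// A CGI-style anonymous proxy typically takes the target URL as a query
// parameter and serves the fetched page from its own origin.
function throughProxy(proxyBase, target) {
  const u = new URL(proxyBase);
  u.searchParams.set('url', target);
  return u.toString();
}

// Direct: two sites, two origins, script on one cannot touch the other.
// Proxied: both pages now live on proxy.example, so a script loaded through
// the same proxy may read and write both of them.
function demo() {
  const bank = 'https://bank.example/account';
  const forum = 'http://forum.example:8080/thread?id=1';
  const proxy = 'http://proxy.example/nph-proxy.cgi';
  return {
    direct: sameOrigin(bank, forum),
    proxied: sameOrigin(throughProxy(proxy, bank), throughProxy(proxy, forum)),
  };
}

console.log(demo());
```

The collapse is real but it comes at a price, which is part of why such PoCs are slow and clumsy: every request has to take the detour through the proxy, and the victim's cookies for the real sites are never sent to the proxy's origin, so authenticated content is out of reach unless the proxy itself handles credentials.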
My POC and Billy's Jikto were interesting experiments that proved and demonstrated the dangers of modern browser technologies. However, they were clumsy, slow and not practical. That was a good thing for a while, since we do realize that our research can harm a lot of users and potentially wreak havoc on corporations and organizations whose business is entirely web-based. Things change, though.
The further we go, the easier it gets for malware writers. Google's AJAX Search API and Feed API are examples of technologies that can be abused with very little effort. RSS and Atom feeds are designed to deliver a site's content in a highly concentrated, easily parsed form, which is exactly what a spider wants: attackers can now write much faster worms and crawl their targets with far greater accuracy.
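The two points above (the SOP bypass and the spidering gain) as one added example, not code from the original post or from Google: the Feed API delivers the feed as JSON wrapped in a callback through a `<script>` tag, so the browser only ever talks to Google, and the feed arrives as a structured list of entries that is trivial to mine for URLs. `FEED_API_ENDPOINT` is the JSON endpoint the API documented at the time and is an assumption here; the service has since been shut down and nothing below contacts it. `SAMPLE_RESPONSE` is a constructed response in the documented shape.

```javascript
// Added example, not code from the original post or from Google. Shows the
// mechanism behind the Feed API's SOP bypass (callback-wrapped JSON delivered
// by a <script> tag, with Google doing the fetch server-side) and the
// spidering step: harvesting every URL a feed exposes. The endpoint URL is
// assumed from the documentation of the time; the sample response is made up.

const FEED_API_ENDPOINT = 'http://ajax.googleapis.com/ajax/services/feed/load';

// Build the script URL. The browser only talks to ajax.googleapis.com; Google
// fetches the feed and returns JavaScript that calls `callbackName` with the
// feed as a JSON object, so the feed's origin never enters the SOP check.
function buildFeedRequest(feedUrl, callbackName) {
  const u = new URL(FEED_API_ENDPOINT);
  u.searchParams.set('v', '1.0');
  u.searchParams.set('q', feedUrl);
  u.searchParams.set('callback', callbackName);
  return u.toString();
}

// Browser-only: the script-tag injection itself (returns null outside one).
function injectFeedScript(feedUrl, callbackName) {
  if (typeof document === 'undefined') return null;
  const s = document.createElement('script');
  s.src = buildFeedRequest(feedUrl, callbackName);
  document.head.appendChild(s);
  return s;
}

// Constructed sample of what the callback receives (documented shape).
const SAMPLE_RESPONSE = {
  responseStatus: 200,
  responseDetails: null,
  responseData: {
    feed: {
      title: 'Example blog',
      link: 'http://blog.example/',
      entries: [
        {
          title: 'Post 1',
          link: 'http://blog.example/post/1',
          content: '<p>See <a href="http://blog.example/search?q=test">search</a>, '
            + '<a href="/about">about</a> and <a href="http://other.example/login">login</a>.</p>',
        },
        {
          title: 'Post 2',
          link: 'http://blog.example/post/2?id=7',
          content: '<p>No links here, just <a href="mailto:me@blog.example">mail</a>.</p>',
        },
      ],
    },
  },
};

// Spidering step: collect every absolute http(s) URL from entry links and
// entry bodies, resolving relative hrefs against the entry's own link.
function harvestUrls(response) {
  if (!response || response.responseStatus !== 200) return [];
  const found = new Set();
  const hrefRe = /href\s*=\s*["']([^"']+)["']/gi;
  for (const entry of response.responseData.feed.entries) {
    if (entry.link) found.add(entry.link);
    let m;
    while ((m = hrefRe.exec(entry.content || '')) !== null) {
      try {
        const u = new URL(m[1], entry.link);
        if (u.protocol === 'http:' || u.protocol === 'https:') found.add(u.toString());
      } catch (_) {
        // malformed href: skip it
      }
    }
  }
  return [...found];
}

// A scanner looks first at URLs that carry parameters, since those are the
// inputs an XSS or SQL injection probe needs.
function parameterisedUrls(urls) {
  return urls.filter((u) => new URL(u).search.length > 1);
}

console.log(buildFeedRequest('http://blog.example/feed', 'onFeed'));
console.log(harvestUrls(SAMPLE_RESPONSE));
console.log(parameterisedUrls(harvestUrls(SAMPLE_RESPONSE)));
```

Two things follow for anyone defending a site: the feed owner's logs show Google's fetcher, not the victim's browser, so referer and IP checks on the target never see the attacking page, and the harvested list already has the parameterised URLs separated out, so a worm skips straight to the part of the site where an injection probe is worth trying.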
Sometimes I hesitate to write about things I see and experience, mainly because I am afraid of leaking too much information that can be used for bad purposes. However, with great power comes great responsibility. This does not mean that every time someone finds a vulnerability they need to wait for a vendor patch. For example, I released the QuickTime XSS vulnerability mainly because I knew that the issue was related to a feature rather than a bug. I thought that Apple wouldn't eliminate the feature to close the bug, and I was right. Apple closed the bug after six months of considering how to eliminate the issue while keeping the feature at the same time.
Depending on the situation, security researchers need to decide what is the most appropriate way to inform society. Sometimes, drastic actions need to be taken.
I guess we are going to talk about the legal side of disclosing bugs and hacking techniques at the 6th OWASP Conference in Milan, Italy. Speaking of OWASP, I will present some advanced JavaScript techniques that attackers can use to break into web applications and also show how penetration testers can build huge, distributed testing infrastructures to counter-attack. I promise that the talk will be quite interesting and very intensive, since I have a 40-minute slot. I will cover topics such as web-based exploits, 2nd-generation web worms and security mashups.
You can download my Google AJAX Feed API POC from here.
