Attack Delivery TestSuite
Sam Ruby: “As a first step, James Holderness devised 85 tests for Snarfer. None of these tests attempt to do anything malicious, instead they simply attempt to produce a popup identifying the source of the exposure.”
James’ original tests are targeted at RSS. I’ve gone through and ported all of his tests over to Atom 1.0 and expanded the suite to 1,397 individual tests checking a broad range of potential threat vectors (most of which are simple variations of each other). For many of the tests, if your feed reader properly handles the difference between text, HTML and XHTML, you won’t see any problems. However, some of the tests even manage to trip up the Universal Feed Parser.
If you’d like a copy of the tests, send me an email (google for it, I’m not that hard to find). Around November, I will commit the tests to the Apache Abdera source repository.
Update: Depending on your needs, the tests are available under two licenses: ASF 2.0 and the same license used by the Universal Feed Parser.
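As an added illustration of the text/HTML/XHTML distinction mentioned above (example code written for this page, not part of the original post or the test suite): a minimal Python renderer that dispatches on the Atom 1.0 content type, escaping `type="text"` rather than parsing it, parsing and allowlist-filtering the escaped markup of `type="html"`, and filtering the XHTML `div` of `type="xhtml"`. The allowlist, the function names and the sample entries are assumptions made for this example.

```python
import html
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
XHTML = "{http://www.w3.org/1999/xhtml}"
# Allowlist (an assumption for this example): what the reader view may render.
SAFE_ELEMENTS = {"div", "p", "a", "b", "i", "em", "strong", "ul", "ol", "li", "br", "code", "pre"}
SAFE_ATTRS = {"href", "title"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")

def _serialize_safe(elem):
    """Re-serialize a parsed subtree, keeping only allowlisted elements and attributes."""
    tag = elem.tag.split("}")[-1].lower()          # strip the XHTML namespace, if any
    inner = html.escape(elem.text or "")
    for child in elem:
        inner += _serialize_safe(child) + html.escape(child.tail or "")
    if tag in ("script", "style"):
        return ""                                  # drop the element and its text
    if tag not in SAFE_ELEMENTS:
        return inner                               # unknown element: keep only its escaped text
    attrs = ""
    for name, value in elem.attrib.items():
        name = name.split("}")[-1].lower()
        if name not in SAFE_ATTRS:
            continue                               # drops every on* event handler
        if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
            continue                               # drops javascript: and data: links
        attrs += f' {name}="{html.escape(value)}"'
    return f"<{tag}{attrs}>{inner}</{tag}>"

def render_content(entry_xml):
    """Return markup safe for the reader view, dispatching on the Atom 1.0 content type."""
    content = ET.fromstring(entry_xml).find(ATOM + "content")
    ctype = (content.get("type") or "text").lower()
    if ctype == "text":
        return html.escape(content.text or "")     # plain text is escaped, never parsed
    if ctype == "xhtml":                           # markup is a child div, already parsed as XML
        div = content.find(XHTML + "div")
        return _serialize_safe(div) if div is not None else ""
    if ctype == "html":                            # markup arrives escaped inside the text node
        try:
            return _serialize_safe(ET.fromstring(f"<div>{content.text or ''}</div>"))
        except ET.ParseError:
            return html.escape(content.text or "")  # not well-formed: fall back to text
    return ""                                      # other media types are not rendered inline

# Constructed sample entries, one per content type.
ENTRY_TEXT = '<entry xmlns="http://www.w3.org/2005/Atom"><content type="text">&lt;script&gt;alert(1)&lt;/script&gt; plain</content></entry>'
ENTRY_HTML = '<entry xmlns="http://www.w3.org/2005/Atom"><content type="html">&lt;p onclick="alert(2)"&gt;hi &lt;script&gt;alert(3)&lt;/script&gt;&lt;a href="javascript:alert(4)"&gt;x&lt;/a&gt;&lt;/p&gt;</content></entry>'
ENTRY_XHTML = '<entry xmlns="http://www.w3.org/2005/Atom"><content type="xhtml"><div xmlns="http://www.w3.org/1999/xhtml"><p>ok <b onmouseover="alert(5)">bold</b></p><script>alert(6)</script></div></content></entry>'
```

A reader that treats the `type="text"` entry as markup, or renders the `type="html"` entry without the filtering step, is exactly the kind of implementation the test suite trips up.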
August 11th, 2006 at 10:04 pm
[…] Mark Woodman has a list of 7 RSS Javascript tests that you should be checking against your RSS Reader. Or maybe not, Mark managed to break his RSS reader with them. James Holderness also has some tests (85), but they are not public yet. James Snell has 1397. The tests demonstrate the hacking feeds vulnerability that I mentioned earlier this week. http://rsstest.markwoodman.com/ […]
August 17th, 2006 at 9:33 pm
[…] Last week I created a whole bunch of security tests for Atom 1.0 enabled feed readers designed to check how vulnerable readers are to various scripting-based attacks. I set out to test the feed readers that show up most frequently in the snellspace.com logs. The very first reader I tested was Feed Demon. I was optimistic given that Feed Demon’s creators have gone on the record as saying that it is not vulnerable. Unfortunately, things didn’t turn out too well. Feed Demon failed a *significant* number of the 1,397 tests I had come up with. In fact, it was embarrassingly easy for me to sneak a script by in the content of an entry. Experimenting further, I was able to sneak script into Feed Demon that would place text on the status bar, open popup windows, show message dialogs, rewrite the entire contents of the newspaper view, send the entire contents of the newspaper view to a remote website, change every link in the newspaper view to point to a different web site, toggle the read/unread status of any entry, open a window to del.icio.us to bookmark any URI I wanted, prompt the user to subscribe to any feed I wanted, prompt the user to unsubscribe from any feed I wanted, open a compose new email dialog, and so on. I reported the problem to Newsgator last week and was waiting to see if they’d make any kind of public statement warning their users that vulnerabilities do in fact exist. Unfortunately, I haven’t seen anything yet, so I decided to go ahead and post about it. I’m not going to go into detail on how I was able to bypass the script filter, but I will say that it was drop dead simple. […]
September 7th, 2006 at 9:39 am
[…] Ok, so it’s been about a month I guess since I started talking about scripting exploits in feeds. I put together a whole bunch of Atom test cases based on an initial set of RSS tests produced by James Holderness. Several Feed Reader developers took those tests and plugged holes in their implementations. Now that implementors have had plenty of time to review the tests and check to see if they’re vulnerable, it’s time to start talking a bit about what those specific vulnerabilities are. […]