Snellspace ATOM XSS Tests
I happened accross a link at snellspace.com showing some interesting XSS tests he had done in RSS readers. Typically I’m not particularly interested in RSS reader security unless it applies to web applications, but he actually showed a vector that I hadn’t seen before.
<link xml:base="javascript:alert('XSS')//" href="" />
Because RSS is all XML you fall into interesting namespaces. This is a little more interesting than most things like it I’ve seen because of that simple fact. Anyway, he has some really nice test cases if you are doing RSS aggregator development or otherwise just want to test your own feed reader. It’s worth a look if you’re interested in that sort of thing.
September 29th, 2006 at 9:41 am
I’m being a bit pedantic, but this particular vector is not actually much of a problem with RSS as it is with Atom. The reason is that RSS does not support the use of xml:base to establish the base URL for links and many RSS readers are likely to ignore it. Atom, on the other hand, explicitly allows for using xml:base and many readers tend to resolve relative references without paying any attention to what they’re resolving against.
September 29th, 2006 at 1:03 pm
You’re exactly right… my appologies! I know it’s incorrect of me, but I’ve always seen them as basically the same thing - not correct, I realize. Thanks, James!