RSS as an injection vector

Blog feeds may carry security risk

Several months ago, I myself independently found that apps relying on RSS (or Atom or whatever) can be extremely vulnerable if subscribers/app developers do not pay much attention to XSS attacks. I believe many meta blogs and RSS readers are vulnerable to those types of attacks.
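To make the risk concrete, here is a small Python example added to this page (it is not code from the original post): a hypothetical aggregator renders feed item titles and links into HTML, first without escaping and then with output escaping and a link scheme allow-list. The feed content, the function names and the blog.example URL are constructed for illustration.

```python
import html
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample feed: title and link are fully controlled by the feed publisher.
SAMPLE_FEED = """<rss version="2.0"><channel><title>Example blog</title>
<item>
  <title>Hello &lt;script&gt;alert(1)&lt;/script&gt;</title>
  <link>javascript:alert(1)</link>
</item>
<item>
  <title>Plain post</title>
  <link>https://blog.example/post/2</link>
</item>
</channel></rss>"""

def parse_items(feed_xml):
    """Return (title, link) pairs. The XML parser decodes entities, so
    escaped markup in the feed comes back as live '<script>' text."""
    root = ET.fromstring(feed_xml)
    return [(i.findtext("title", ""), i.findtext("link", "")) for i in root.iter("item")]

def render_unsafe(items):
    """Careless aggregator: pastes feed-supplied strings straight into the page."""
    return "".join(f'<li><a href="{link}">{title}</a></li>' for title, link in items)

def safe_link(link):
    """Allow only http(s) links; anything else becomes an inert '#'."""
    try:
        scheme = urlsplit(link.strip()).scheme
    except ValueError:
        return "#"
    return link.strip() if scheme in ("http", "https") else "#"

def render_safe(items):
    """Escape every feed-supplied string for its HTML context and restrict link schemes."""
    return "".join(
        f'<li><a href="{html.escape(safe_link(link), quote=True)}">{html.escape(title)}</a></li>'
        for title, link in items
    )

if __name__ == "__main__":
    items = parse_items(SAMPLE_FEED)
    print(render_unsafe(items))  # markup from the feed reaches the page unchanged
    print(render_safe(items))    # markup is shown as text, bad link is neutralised
```

Escaping alone does not stop the `javascript:` link, which is why the scheme check is a separate step.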

But actual attacks won’t be easy. Attacks need tests, and a simple test will be easily found in the meta blogs. Bad RSS feeds fed to RSS reader apps won’t be a big problem, because RSS (which is XML and is displayed as HTML) cannot do many things to standalone apps.

P.S. "Injection vector" in the title means a channel through which malicious input is sent.