Secure Coding mailing list archives

RSS security issues and useful reading


From: "Kenneth R. van Wyk" <Ken () KRvW com>
Date: Wed, 11 Feb 2004 16:43:05 +0000

Hi all,

Over the last couple weeks, I've been reading up on RSS* in my spare time, 
having only recently been introduced to this neat mechanism--thanks, Dana!  
(FYI, we even put up an RSS feed of updates/announcements on securecoding.org 
in order to dive directly into it.)  One of my concerns, naturally, has been 
security, especially since stand-alone RSS aggregators are _relatively_ new, 
and I couldn't recall having seen many vulnerability advisories on them.

After just a bit of googling, I found several real good sources of 
information, which I'm including here for anyone that's interested.  Most of 
these have been available for a while, but I thought that they were pretty 
interesting reads anyway.  YMMV...

- http://silverstr.ufies.org/blog/archives/000480.html - Dana Epp's blog 
entry, complete with a PowerPoint presentation that provides a very useful 
overview of RSS and its benefits.  It certainly piqued my interest to explore 
further.

- http://www.2rss.com/ - Solid and worthwhile information on the technology 
and how it works, along with pointers to news feeds, aggregation tools, etc.

- http://diveintomark.org/archives/2003/06/12/how_to_consume_rss_safely - 
Excellent article by Mark Pilgrim on the security issues of RSS and how to 
safely code an RSS aggregator.  A must-read if you're writing an aggregator, 
as well as a highly recommended read if you're just interested in the 
technology.

- http://bitworking.org/news/47 - Information on the security of the Aggie RC5 
aggregator, but also contains links to more general RSS security issues as 
well as a link to a test XML file for testing aggregators for common flaws.

- http://www.fibiger.org/archives/2003_02.html#000509 - Interesting horror 
story about one person's experience with an RSS aggregator (Newsgator) within 
Outlook.

* RSS stands for "RDF Site Summary" or "Rich Site Summary" or "Really Simple 
Syndication," depending on whom you ask.  If you're not familiar with it, 
check it out.  If you spend time reading through various web sites for news, 
technical info, and other info, then you REALLY should check it out.  RSS can 
be a tremendous time saver.

Cheers,

Ken
-- 
KRvW Associates, LLC
http://www.KRvW.com





