Hacking RSS: The Threat is Real
Following up on my Hacking Feeds: Malware Javascript in RSS and Atom post and some discussion at the RSS Advisory Board’s public forums, I have decided to make some of my malicious RSS test scripts available to the community. They are variations on JavaScript inserted into different elements of RSS 2.0 feeds.
If a reader renders one of these scripts instead of neutralizing it (which is a bad thing), a JavaScript alert box pops up naming the vulnerability. A real attacker would do far worse than pop an alert.
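To make the mechanism concrete, here is an added example (mine, not one of the original test scripts): it builds a constructed RSS 2.0 feed that carries JavaScript in the title, description and link elements, then applies the kind of allowlist sanitizer a reader should run before rendering any of it. The payload strings, the choice of elements, the allowed-tag list and the example.invalid URL are all assumptions of this example.

```python
"""Constructed RSS 2.0 test feed with JavaScript inserted into several
elements, plus an allowlist sanitizer of the kind a feed reader should
apply before rendering. Added example; the payloads and element choices
are this example's own, not the original post's scripts."""
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed payloads: each one names the element it was injected into.
PAYLOADS = {
    "title": "Hello <script>alert('rss-title')</script>",
    "description": "<p>Legit text</p><script>alert('rss-description')</script>"
                   "<img src=\"x\" onerror=\"alert('rss-description-onerror')\">",
    "link": "javascript:alert('rss-link')",
}

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "br", "ul", "ol", "li",
                "blockquote", "code", "pre", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
SAFE_SCHEMES = {"http", "https", "mailto", ""}   # "" = relative URL
VOID_TAGS = {"br", "img"}


def build_test_feed() -> str:
    """Return an RSS 2.0 document whose single item carries every payload.
    ElementTree escapes the text, so the XML itself is well-formed; the
    danger appears only when a reader unescapes it and renders it as HTML."""
    rss = ET.Element("rss", version="2.0")
    channel = ET.SubElement(rss, "channel")
    ET.SubElement(channel, "title").text = "Feed XSS test (constructed)"
    ET.SubElement(channel, "link").text = "http://example.invalid/"
    ET.SubElement(channel, "description").text = "Malicious test feed"
    item = ET.SubElement(channel, "item")
    for element, payload in PAYLOADS.items():
        ET.SubElement(item, element).text = payload
    return ET.tostring(rss, encoding="unicode")


def safe_url(url: str) -> bool:
    """Allow only http(s), mailto and relative URLs. Browsers ignore tabs and
    newlines inside a scheme, so strip whitespace before parsing."""
    cleaned = "".join(c for c in (url or "") if not c.isspace() and c.isprintable())
    return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES


class Sanitizer(HTMLParser):
    """Allowlist filter: drops script/style and their content, drops every
    tag not in ALLOWED_TAGS, drops on* handlers and unsafe href/src values,
    and re-escapes all text. Tags are not rebalanced (a DOM-based serializer
    would do that), which is enough to show the check itself."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0          # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in ("href", "src") and not safe_url(value):
                continue
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))


def sanitize_html(fragment: str) -> str:
    parser = Sanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def sanitize_item(feed_xml: str) -> dict:
    """What a reader may safely hand to its renderer: title treated as plain
    text and escaped, description HTML sanitized, link scheme checked."""
    item = ET.fromstring(feed_xml).find("./channel/item")
    link = item.findtext("link", "")
    return {
        "title": html.escape(item.findtext("title", ""), quote=False),
        "description": sanitize_html(item.findtext("description", "")),
        "link": link if safe_url(link) else "#",
    }


if __name__ == "__main__":
    feed = build_test_feed()
    print(feed)
    print(sanitize_item(feed))
```

Feed the output of build_test_feed() to a reader and any alert that appears tells you which element it trusted; run the same feed through sanitize_item() and every payload comes back inert. The allowlist approach matters here because blocklisting `<script>` alone misses the `onerror` handler and the `javascript:` link.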
Warning: I immediately blew up my online web reader account (site name withheld for now) with these scripts, so I can confirm the threat is very real in at least one case. Don’t play with these unless you’re willing to really screw things up. I don’t make any warranty or guarantee or manatee about them… caveat emptor.
If you like, feel free to comment your findings of which readers (and versions) are affected by which test script. (The goal is to find the vulnerabilities, report them, and get them fixed quickly so that we can all get back to feedy goodness.)