If you visit this article on the New York Times website, you'll be immediately redirected to the website containing the original content of the article. [UPDATE: they fixed it, so it won't redirect you anymore.]

Why does this happen, you ask? Apparently the New York Times ingests various third-party news feeds, wraps each article in the New York Times template, and serves it up. Here's an example of an IDG article that was served up in similar fashion -- note the word /external in the URL. When importing the article, the New York Times allows the external feed to include HTML markup. Going back to the McAfee article from ReadWriteWeb, the text includes a little tutorial on how HTML injection works:

<p><span class="bold">How To: HTML Injection</span></p></p><p>
<li>Go to the McAfee <a href="http://www.mcafeerebates.com/promocenter/mcafee/">Rebate Center</a></li>
<li>Click on Get Rebate</li>
<li>Include this line of code into the 'Date Purchased' field: <br/>
  <span class="italic">
    "<meta  HTTP-EQUIV="refresh" content="0; URL=http://readwriteweb.com">
<li>Click on continue</li>
</p><p>This is a very basic redirect that will take you to ReadWriteWeb.</p><p>
</p><p>And voila - you've just effected your first HTML injection.</p>

The New York Times shoves this content right down the pipe to your browser, and the META tag triggers a redirect to http://readwriteweb.com. Harmless, but confusing if you're the reader. What this behavior indicates is that any third-party news feed used by the New York Times can probably inject arbitrary HTML content, such as XSS attacks, into nytimes.com. Oops!
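
One way to close this hole at ingestion time, shown as an added example that is not code from the original post or from the New York Times: rebuild each feed body from an allowlist of tags before it is wrapped in the site template. The tag policy, the names `FeedSanitizer` and `sanitize_feed_html`, and the sample string are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Assumed policy for this example: the only tags a syndicated body may keep.
ALLOWED_TAGS = {"p", "br", "ul", "ol", "li", "span", "em", "strong", "a"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object"}
# Constructed sample modelled on the feed markup quoted above.
SAMPLE = ('<p>How To</p><li>Include this line: <br/><meta HTTP-EQUIV="refresh" '
          'content="0; URL=http://readwriteweb.com"></li>')

class FeedSanitizer(HTMLParser):
    """Rebuilds feed HTML from an allowlist; everything else is dropped."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open, self.rejected = [], [], []
        self.skip_depth = 0  # > 0 while inside a DROP_WITH_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
        if self.skip_depth or tag not in ALLOWED_TAGS:
            self.rejected.append(tag)  # e.g. "meta"; log or alert on these
            return
        kept = ""
        if tag == "a":  # keep only http(s) links; every other attribute is dropped
            href = dict(attrs).get("href") or ""
            if href.lower().startswith(("http://", "https://")):
                kept = f' href="{escape(href, quote=True)}" rel="nofollow"'
        self.out.append(f"<{tag}{kept}>")
        if tag != "br":  # br is void, so there is nothing to close later
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in self.open:
            idx = len(self.open) - 1 - self.open[::-1].index(tag)
            self.out += [f"</{t}>" for t in reversed(self.open[idx:])]
            del self.open[idx:]  # inner tags left open are closed too

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))  # text is always re-escaped

def sanitize_feed_html(fragment):
    parser = FeedSanitizer()
    parser.feed(fragment)
    parser.close()
    tail = "".join(f"</{t}>" for t in reversed(parser.open))
    return "".join(parser.out) + tail, parser.rejected
```

The list of rejected tag names is returned alongside the cleaned markup so the ingestion job can log which feed tried to deliver disallowed elements.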

About Chris Eng

Chris Eng, vice president of research, is responsible for integrating security expertise into Veracode’s technology. In addition to helping define and prioritize the security feature set of the Veracode service, he consults frequently with customers to discuss and advance their application security initiatives. With over 15 years of experience in application security, Chris brings a wealth of practical expertise to Veracode.

Comments (3)

Andre Gironda | May 4, 2009 6:58 pm

External content coming through the integration or business tiers is a serious issue and one that web application security scanners and web application firewalls are very poor at solving (since they focus only on the content between the client tier and presentation tier, i.e. HTTP or SSL).

kingthorin | May 5, 2009 2:21 pm

It's a simple programming fact that input (whether from a user, file, or another site) should not be trusted.

nytimes.com is IMHO guilty of a 21st century cardinal sin, they blindly syndicated content without any validation of the input.

Erzengel | May 6, 2009 1:16 am

Looks like they fixed it, I'm getting the NYT article when I click the link. It is a rather ironic article for it to happen on.
