If you visit this article on the New York Times website, you'll get immediately redirected to the website containing the original content of the article. [UPDATE: they fixed it, so it won't redirect you anymore] Why does this happen, you ask? Apparently the New York Times ingests various third-party news feeds, wraps the article in the New York Times template, and serves it up. Here's an example of an IDG article that was served up in similar fashion -- note the word /external in the URL. When importing the article, the New York Times allows the external feed to include HTML markup. Going back to the McAfee article from ReadWriteWeb, the text includes a little tutorial on how HTML Injection works:

<p><span class="bold">How To: HTML Injection</span></p></p><p>
<ol>
<li>Go to the McAfee <a href="http://www.mcafeerebates.com/promocenter/mcafee/">Rebate Center</a></li>
<li>Click on Get Rebate</li>
<li>Include this line of code into the 'Date Purchased' field: <br/>
  <span class="italic">
    "<meta  HTTP-EQUIV="refresh" content="0; URL=http://readwriteweb.com">
  </span></li>
<li>Click on continue</li>
</ol>
</p><p>This is a very basic redirect that will take you to ReadWriteWeb.</p><p>
</p><p>And voila - you've just effected your first HTML injection.</p>

The New York Times shoves this content right down the pipe to your browser, and the META tag triggers a redirect to http://readwriteweb.com. Harmless, but confusing if you're the reader. What this behavior indicates is that any third-party news feed used by the New York Times can probably inject arbitrary HTML content, such as XSS attacks, into nytimes.com. Oops!

Veracode Security Solutions
Security Threat Guides

Chris Eng, vice president of research, is responsible for integrating security expertise into Veracode’s technology. In addition to helping define and prioritize the security feature set of the Veracode service, he consults frequently with customers to discuss and advance their application security initiatives. With over 15 years of experience in application security, Chris brings a wealth of practical expertise to Veracode.

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.

 

 

 

contact menu