Best Practice: Consider External Data Feeds Untrusted

If you visit this article on the New York Times website, you'll be immediately redirected to the website containing the original content of the article. [UPDATE: they fixed it, so it won't redirect you anymore]

Why does this happen, you ask? Apparently the New York Times ingests various third-party news feeds, wraps each article in the New York Times template, and serves it up. Here's an example of an IDG article that was served up in a similar fashion -- note the word /external in the URL. When importing an article, the New York Times allows the external feed to include HTML markup. Going back to the McAfee article from ReadWriteWeb, the text includes a little tutorial on how HTML injection works:

<p><span class="bold">How To: HTML Injection</span></p></p><p>
<ol>
<li>Go to the McAfee <a href="http://www.mcafeerebates.com/promocenter/mcafee/">Rebate Center</a></li>
<li>Click on Get Rebate</li>
<li>Include this line of code into the 'Date Purchased' field: <br/>
  <span class="italic">
    "<meta  HTTP-EQUIV="refresh" content="0; URL=http://readwriteweb.com">
  </span></li>
<li>Click on continue</li>
</ol>
</p><p>This is a very basic redirect that will take you to ReadWriteWeb.</p><p>
</p><p>And voila - you've just effected your first HTML injection.</p>

The New York Times shoves this content right down the pipe to your browser, and the META tag triggers a redirect to http://readwriteweb.com. Harmless, but confusing if you're the reader.

What this behavior indicates is that any third-party news feed ingested by the New York Times can probably inject arbitrary HTML content, including XSS payloads, into pages on nytimes.com. Oops!
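The fix the post implies is to filter syndicated markup before it is embedded in the site's own template. As an added example (not the Times' or Veracode's code), here is a small allowlist sanitizer built on Python's html.parser, run over the feed snippet quoted above; the tag, attribute and URL-scheme allowlists are assumptions chosen for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlists are assumptions for this example; a real policy will differ.
ALLOWED_TAGS = {"p", "ol", "ul", "li", "a", "span", "br", "b", "i", "em", "strong"}
ALLOWED_ATTRS = {"a": {"href"}, "span": {"class"}}  # any other attribute is dropped
VOID_TAGS = {"br"}
SAFE_SCHEMES = {"http", "https"}  # javascript:, data:, vbscript: never pass

class FeedSanitizer(HTMLParser):
    """Re-serialises only allowlisted tags/attributes; all text is re-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped = [], []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:  # <meta>, <script>, <iframe>, ... are removed
            self.dropped.append(tag)
            return
        kept = ""
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # also removes onclick=, style=, http-equiv=, ...
            if name == "href" and urlparse(value or "").scheme.lower() not in SAFE_SCHEMES:
                continue  # only absolute http(s) links survive
            kept += f' {name}="{escape(value or "", quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))  # text can never re-open a tag

def sanitize_feed_html(html):
    """Return (clean_html, dropped_tag_names) for one syndicated item."""
    p = FeedSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out), p.dropped

# Constructed input: the feed markup quoted in the post, <meta> refresh included.
FEED_SNIPPET = """<p><span class="bold">How To: HTML Injection</span></p></p><p>
<ol><li>Include this line of code into the 'Date Purchased' field: <br/>
<span class="italic">"<meta  HTTP-EQUIV="refresh" content="0; URL=http://readwriteweb.com">
</span></li></ol></p>"""
```

Logging the dropped tag names per feed item (the second return value) gives an easy signal that a partner feed has started shipping markup it should not.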


Comments (3)

Andre Gironda | May 4, 2009 6:58 pm

External content coming through the integration or business tiers is a serious issue and one that web application security scanners and web application firewalls are very poor at solving (since they focus only on the content between the client tier and presentation tier, i.e. HTTP or SSL).

kingthorin | May 5, 2009 2:21 pm

It's a simple programming fact that input (whether from a user, file, or another site) should not be trusted. nytimes.com is IMHO guilty of a 21st century cardinal sin: they blindly syndicated content without any validation of the input.

Erzengel | May 6, 2009 1:16 am

Looks like they fixed it, I'm getting the NYT article when I click the link. It is a rather ironic article for it to happen on.
