Web 2.0 technologies are penetrating deeper into the financial services sector as Enterprise 2.0 solutions, adding value to financial services. Analysts can leverage information sources to go beyond the obvious. Trading and Banking companies like Wells Fargo and E*Trade are developing their next generation technologies using Web 2.0 components; components that will be used in banking software, trading portals and other peripheral services. The true advantage of RSS components is to push information to the end user rather than pull it from the Internet. The financial industry estimates that 95% of information exists in non-RSS formats and could become a key strategic advantage if it can be converted into RSS format. Wells Fargo has already implemented systems on the ground and these have started to yield benefits. RSS comes with its own security issues that assume critical significance with regard to financial services. In this article we will see some of the security concerns around RSS security and attack vectors.

RSS feed manipulation with JavaScript and HTML tags

RSS stream gets builds from databases or input supplied by users. RSS streams can source information from third party sources such as news sites, blogs, etc. Financial services incorporate this information for end user’s benefits and it get served in the browser along with other sensitive information. If RSS feeds originate from untrusted sources then they are likely to be injected with JavaScript or other HTML tags. These malicious tags can have capabilities to exploit the browser. Financial systems must have sound filtering lists prior to forwarding any information coming from the end user to the system or filtering certain character sets that hit the end browser. Increasing RSS consumption is going to put at risk clients in financial sectors. To combat the threat, RSS input and output validation must be handled in the application.


Cross site scripting (XSS/CSS) with RSS feeds

The cause of successful RSS exploitation with XSS lies in RSS script injection. RSS that is injected with JavaScript and successfully passed to end clients in financial systems can lead to exploits such as RSS feeds with SCRIPT or HREF with “onClick” being successful on these systems. Several exploits written on top of XSS exist, by with attackers can hijack sessions or run keyloggers on the session. All these exploits can put the financial system at risk. Once again, countermeasures to this threat lie in “filtering” the characters before they hit the end client. Browsers don’t have any built in filtering capabilities and application layer needs to support it for better security. Extra precaution is needed against cross domain calls as well cross site RSS access.