Is there any RSS or email service which releases data about security issues defined by the list of products which I use?
I would like to register to some kind of an RSS service which sends out updates for any 0-day issues I might have in a product. For example, let's say I use Apache Tomcat, Node.js and RandomExample. My RSS feed will contain security concerns regarding these products only. Does such a thing exist?
Answer:
It's Web 2.0. It's the rarest possibility which might exist with a web application but 'that' exists. Now before reading this, I might warn you about not concluding your ground facts to straight limitations. That being said, an RSS feed could be vulnerable as a part of a 'service' provided to a web application linked to your web references. The RSS pulls data out of your web architecture using secure (or insecure) tokens via any 'web-service' which might be available. This transaction of data between you and your readers using a 3rd party deliverable service as an application could be vulnerable in pointless but in certain ways. There is very little or no research work done on RSS feeds. But anyhow, I am going to mention my preview copy of what I had researched and to what I had already been working on for a very 'specific' documentational work for my private research which later would be a product. That being stripped off, you should know any RSS feed which exists in the midway of an API which is co-related to Web 2.0 and has basic functions and access of your web application could fall vulnerable. This could be triggered in certain ways. I am not going to mention the very specific vectors here as that would take a ~200 pages long descriptive content; however I am going to provide you some basic hints on how that could be done or maybe is being done (Blackhats!). First, the real compromise could be for your 'readers' in various ways. Maybe the readers were treating the <> as literals, or the RSS might end up being treated as in conversion to the HTML which could again end up from HTML entities to true-value pairs of the whole set. A skilled reader (the alternative of what you call a 'hacker', not that I am implying myself as a 'hacker' here, I am not close enough maybe!) could strip off those < and > or those '>' '<' chars during the display using proxies. There is this good example I would like to state here. "Fiddler2". Yes, those and some more...
Next there are zone attacks. This is divided into two. Remote zone attacks which come from a 3rd party owned/used/service/SaaS (in)secure web architectural zone, or local zone attacks which encircle your own Web API. Not all MVCs, and those n-Hibernate and Spring deployed frameworks, have real tough security. To be honest, if I wished, I could de-infiltrate, infiltrate them again and look at the hidden binaries in the storage realm locations which were called 'native secured'. There are 'risks with standards' and not the world is enough. Apart from this, no; you don't get this above information via OWASP, or any other testing methodologies like CHECK or OSSTMM related work. This was my private information. Use Secunia anyway, that is the good go for an RSS provider. All in one, I am not the one who claims to be a 'hacker'. Ask the ones who do.
Shritam Bhowmick at Quora
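The kind of feed the question describes can also be built on the consumer side. The following is an added example, not part of the original question or answer: it filters an RSS 2.0 advisory feed down to the products from the question and escapes item text before display, which addresses the answer's point about readers turning feed entities back into markup. The feed content, URLs and function names are constructed for illustration.

```python
import html
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample feed; not taken from any real advisory service.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Constructed advisory feed</title>
<item><title>Apache Tomcat connector fix released</title>
<link>https://advisories.example/1</link>
<description>Affects &lt;b&gt;Tomcat&lt;/b&gt; connectors.</description></item>
<item><title>Node.js &lt;script&gt;alert(1)&lt;/script&gt; parser update</title>
<link>javascript:alert(1)</link>
<description>Update the runtime.</description></item>
<item><title>OtherProduct privilege escalation</title>
<link>https://advisories.example/3</link>
<description>Not on the watchlist.</description></item>
</channel></rss>"""

WATCHLIST = ["Apache Tomcat", "Node.js", "RandomExample"]  # from the question

def matching_products(text, watchlist):
    """Return watchlist names found in text as whole tokens, ignoring case."""
    return [p for p in watchlist
            if re.search(r"(?<![\w.])" + re.escape(p) + r"(?!\w)", text, re.I)]

def safe_link(url):
    """Keep only http(s) links; a feed can carry javascript: or data: URLs."""
    return url if urlsplit(url).scheme in ("http", "https") else ""

def filter_feed(feed_xml, watchlist):
    """Keep RSS 2.0 items naming a watched product, escaped for HTML display."""
    if "<!doctype" in feed_xml.lower():
        raise ValueError("DTDs are not expected in a feed; refusing to parse")
    kept = []
    for item in ET.fromstring(feed_xml).iter("item"):
        title = item.findtext("title", default="")
        summary = item.findtext("description", default="")
        products = matching_products(title + " " + summary, watchlist)
        if products:
            kept.append({
                "products": products,
                # The parser has decoded &lt;/&gt; into real markup characters,
                # so escape again before the text reaches an HTML page.
                "title_html": html.escape(title),
                "summary_html": html.escape(summary),
                "link": safe_link(item.findtext("link", default="").strip()),
            })
    return kept
```

Calling `filter_feed(SAMPLE_FEED, WATCHLIST)` returns the two watched items; the third item is dropped, and the second item's `javascript:` link is replaced with an empty string.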