Best Practice: Consider External Data Feeds Untrusted
If you visit this article on the New York Times website, you’ll get immediately redirected to the website containing the original content of the article. [UPDATE: they fixed it, so it won't redirect you anymore]
Why does this happen, you ask? Apparently the New York Times ingests various third-party news feeds, wraps the article in the New York Times template, and serves it up. Here’s an example of an IDG article that was served up in similar fashion — note the word /external in the URL. When importing the article, the New York Times allows the external feed to include HTML markup. Going back to the McAfee article from ReadWriteWeb, the text includes a little tutorial on how HTML Injection works:
<p><span class="bold">How To: HTML Injection</span></p></p><p> <ol> <li>Go to the McAfee <a href="http://www.mcafeerebates.com/promocenter/mcafee/">Rebate Center</a></li> <li>Click on Get Rebate</li> <li>Include this line of code into the 'Date Purchased' field: <br/> <span class="italic"> "<meta HTTP-EQUIV="refresh" content="0; URL=http://readwriteweb.com"> </span></li> <li>Click on continue</li> </ol> </p><p>This is a very basic redirect that will take you to ReadWriteWeb.</p><p> </p><p>And voila - you've just effected your first HTML injection.</p>
The New York Times shoves this content right down the pipe to your browser, and the META tag triggers a redirect to http://readwriteweb.com. Harmless, but confusing if you’re the reader.
What this behavior indicates is that any third-party news feed used by the New York Times can probably inject arbitrary HTML content into nytimes.com, including script for cross-site scripting (XSS) attacks, since the feed markup is passed through to readers unfiltered. Oops!
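The fix the title calls for is to treat feed markup as untrusted input and re-render it through an allowlist, rather than passing it through. The following is an added example, not code from the original post or from any feed publisher: a small allowlist sanitizer built on Python's standard-library html.parser. It drops every tag that is not on the allowlist (so the <meta> refresh from the article disappears, as would <img>, <form> and friends), discards the contents of <script> and <style> entirely, keeps only named attributes per tag, and only lets an <a href> through when its scheme is http or https. The sample feed item is constructed for the example and mirrors the injected article above, with a script tag and a javascript: link added to show that the allowlist handles more than the meta-refresh case.

```python
from html.parser import HTMLParser
from html import escape
from urllib.parse import urlparse

# Allowlist: anything not named here is removed from the feed markup.
ALLOWED_TAGS = {"p", "br", "ol", "ul", "li", "a", "span", "strong", "em", "b", "i"}
VOID_TAGS = {"br"}                          # tags with no closing counterpart
ALLOWED_ATTRS = {"a": {"href"}, "span": {"class"}}   # per-tag attribute allowlist
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object"}  # tag AND its contents go
SAFE_SCHEMES = {"http", "https"}            # href schemes allowed to survive


class FeedSanitizer(HTMLParser):
    """Re-emits only allowlisted tags/attributes; all text is HTML-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # output fragments
        self.skip_depth = 0    # >0 while inside a DROP_CONTENT_TAGS element
        self.open_tags = []    # stack used to keep the output well-formed

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth += 1
            return
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return  # e.g. <meta>, <img>, <form>: tag dropped, inner text kept
        safe_attrs = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and urlparse(value or "").scheme.lower() not in SAFE_SCHEMES:
                continue  # blocks javascript:, data:, vbscript: and scheme-less oddities
            safe_attrs.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(safe_attrs)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth -= 1
            return
        if tag in self.open_tags:
            # Close everything down to the matching tag so output stays balanced.
            while self.open_tags:
                t = self.open_tags.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def result(self):
        # Close any tags the feed left open.
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_feed_html(html: str) -> str:
    """Return a version of the feed item that only contains allowlisted markup."""
    s = FeedSanitizer()
    s.feed(html)
    s.close()
    return s.result()


# Constructed sample feed item (not taken from any real feed): modelled on the
# injected article above, plus a script tag and a javascript: link.
CONSTRUCTED_FEED_ITEM = (
    '<p><span class="bold">How To: HTML Injection</span></p>'
    '<p>Include this line: <span class="italic">'
    '<meta HTTP-EQUIV="refresh" content="0; URL=http://readwriteweb.com">'
    '</span></p>'
    '<script>alert(1)</script>'
    '<a href="javascript:alert(1)" onclick="x()">bad link</a> '
    '<a href="http://www.mcafeerebates.com/promocenter/mcafee/">Rebate Center</a>'
)

if __name__ == "__main__":
    print(sanitize_feed_html(CONSTRUCTED_FEED_ITEM))
```

The design choice worth noting is that the sanitizer is a re-serializer, not a blocklist: it never copies input markup through, it rebuilds output from a fixed vocabulary, so a tag or attribute it has never heard of cannot reach the reader. Run against the constructed item it keeps the paragraphs, spans and the http link, and emits the meta refresh, the script body, the onclick handler and the javascript: href as nothing at all.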