Researchers and security testers at SBA Research found a reflected XSS (RXSS) vulnerability in W3C's online tidy services via combinatorial testing
Dimitris Simos and Bernhard Garn of the research team, together with Severin Winkler, Peter Aufner and Andreas Bernauer of the security testing team at SBA Research, found a reflected cross-site scripting (RXSS) vulnerability in W3C's online tidy services using combinatorial testing methodologies, and in doing so demonstrated the applicability of these methods to web application security testing. The methods were developed within the MoBSeTiP (Model-based Security Testing in Practice) Bridge FFG project. Combinatorial testing, combined with prototype penetration testing tools, made it feasible to test a website of W3C's size in a fully automated way: rather than enumerating every possible attack string, the tools generate a small set of test inputs that still covers all interactions between the building blocks of an XSS vector. The penetration test was led by Dimitris Simos together with Severin Winkler.
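To make the combinatorial approach concrete, the following is an added illustration written for this page; it is not SBA Research's MoBSeTiP tooling, nor does it target the W3C tidy service. It assumes a small input parameter model (IPM) whose parameters are the parts of an XSS attack vector (context-breaking prefix, tag, event handler, payload, suffix) with constructed values, builds a pairwise (t=2) covering array with a simple greedy algorithm, and runs the resulting vectors against two constructed stand-in endpoints: one that reflects input unescaped and one that HTML-escapes it. All parameter values, the `vulnerable_reflect`/`hardened_reflect` functions and the reflection oracle are assumptions made for the example.

```python
import html
import itertools
from typing import Callable, Dict, List, Set, Tuple

# Constructed input parameter model (IPM) for an XSS vector. Each parameter is one
# building block of the attack string; the values are illustrative, not a real corpus.
XSS_IPM: Dict[str, List[str]] = {
    "prefix":  ["", '"', "'", "</textarea>"],        # break out of the enclosing context
    "tag":     ["<script>", "<img src=x ", "<svg "],  # element that carries the script
    "handler": ["", "onerror=", "onload="],           # event handler attribute, if any
    "payload": ["alert(1)", "confirm(1)", "javascript:alert(1)"],
    "suffix":  ["</script>", ">", "//"],              # close the element / swallow the rest
}

Pair = Tuple[int, str, int, str]  # (param_i, value_i, param_j, value_j) with i < j


def all_pairs(ipm: Dict[str, List[str]]) -> Set[Pair]:
    """Every value pair across every two distinct parameters (the t=2 coverage target)."""
    names = list(ipm)
    pairs: Set[Pair] = set()
    for (i, a), (j, b) in itertools.combinations(enumerate(names), 2):
        for va in ipm[a]:
            for vb in ipm[b]:
                pairs.add((i, va, j, vb))
    return pairs


def pairwise_cover(ipm: Dict[str, List[str]]) -> List[Dict[str, str]]:
    """Greedy construction of a pairwise covering array.

    Each new row is seeded with one still-uncovered pair (so progress is guaranteed),
    then the remaining parameters are filled with the value that covers the most
    uncovered pairs against the values already fixed in the row.
    """
    names = list(ipm)
    n = len(names)
    uncovered = all_pairs(ipm)
    rows: List[Dict[str, str]] = []
    while uncovered:
        i, vi, j, vj = min(uncovered)  # deterministic seed
        row: List[str] = [None] * n    # type: ignore[list-item]
        row[i], row[j] = vi, vj
        for k in range(n):
            if row[k] is not None:
                continue

            def gain(v: str, k: int = k) -> int:
                g = 0
                for m in range(n):
                    if row[m] is None or m == k:
                        continue
                    pair = (m, row[m], k, v) if m < k else (k, v, m, row[m])
                    g += pair in uncovered
                return g

            row[k] = max(ipm[names[k]], key=gain)
        for a, b in itertools.combinations(range(n), 2):
            uncovered.discard((a, row[a], b, row[b]))
        rows.append(dict(zip(names, row)))
    return rows


def covers_all_pairs(rows: List[Dict[str, str]], ipm: Dict[str, List[str]]) -> bool:
    """Independent check that the generated rows really cover every parameter-value pair."""
    names = list(ipm)
    seen: Set[Pair] = set()
    for r in rows:
        for (i, a), (j, b) in itertools.combinations(enumerate(names), 2):
            seen.add((i, r[a], j, r[b]))
    return all_pairs(ipm) <= seen


def assemble(row: Dict[str, str]) -> str:
    """Concatenate the parameter values into the attack string sent to the endpoint."""
    return "".join(row[name] for name in XSS_IPM)


def vulnerable_reflect(user_input: str) -> str:
    """Constructed stand-in for an endpoint that echoes input into HTML unescaped."""
    return f"<p>Input was: {user_input}</p>"


def hardened_reflect(user_input: str) -> str:
    """Same endpoint with output encoding applied (the usual RXSS fix)."""
    return f"<p>Input was: {html.escape(user_input, quote=True)}</p>"


def run_campaign(handler: Callable[[str], str], rows: List[Dict[str, str]]) -> List[str]:
    """Oracle: report every vector that comes back verbatim, i.e. without encoding.
    A verbatim reflection of markup is the signal a tester would then confirm manually."""
    hits = []
    for r in rows:
        vector = assemble(r)
        if vector in handler(vector):
            hits.append(vector)
    return hits


ROWS = pairwise_cover(XSS_IPM)
EXHAUSTIVE = 1
for _values in XSS_IPM.values():
    EXHAUSTIVE *= len(_values)

if __name__ == "__main__":
    print(f"{len(ROWS)} pairwise test vectors instead of {EXHAUSTIVE} exhaustive ones")
    print("unescaped reflections (vulnerable):", len(run_campaign(vulnerable_reflect, ROWS)))
    print("unescaped reflections (hardened): ", len(run_campaign(hardened_reflect, ROWS)))
```

The point of the covering array is the ratio printed on the first line: all 102 two-way interactions in this model are exercised by a few dozen requests rather than the 324 exhaustive combinations, which is what makes an automated sweep over a large site tractable. In practice the oracle would also need to account for partial encodings and for the reflection context (attribute, script block, text node), and any hit is a candidate to confirm by hand, not a confirmed vulnerability.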
SBA Research would like to thank Ted Guild (head of W3C Systems Team) and Rigo Wenning (W3C legal counsel and privacy activity lead) for the excellent communication and cooperation.
More details can be found on the W3C site: http://www.w3.org/blog/2014/12/rxss-security-audit-results/
The World Wide Web Consortium (W3C) is an international community that develops open standards to ensure the long-term growth of the Web.