Researchers and security testers at SBA Research found an RXSS vulnerability in the W3C online tidy services via combinatorial testing

Dimitris E. Simos and Bernhard Garn of the research team, together with Severin Winkler, Peter Aufner and Andreas Bernauer-Puchegger of the security testing team at SBA Research, found a reflected cross-site scripting (RXSS) vulnerability in the W3C [1] online tidy services using combinatorial testing methodologies, and in doing so demonstrated the applicability of these methods to web application security testing. The novel research methods were developed within the MoBSeTiP (Model-based Security Testing in Practice) Bridge project funded by the FFG. Combinatorial testing, used in conjunction with prototype penetration testing tools, made it feasible to test a website of the magnitude of W3C's in a completely automated way. The penetration test was led by Dimitris Simos together with Severin Winkler.

SBA Research would like to thank Ted Guild (head of W3C Systems Team) and Rigo Wenning (W3C legal counsel and privacy activity lead) for the excellent communication and cooperation.


[1] The World Wide Web Consortium (W3C) is an international community that develops open standards to ensure the long-term growth of the Web.

Location: Vienna, Austria

Date: 12.12.2014

Contact: SBA Research

Press Phone: +43 664 88 00 11 51

E-Mail: presse@sba-research.org