Okay, this is convoluted but still kinda cool. I was looking through some pages on various tools out there and happened across GRC's probe page, which is designed to detect whether you have open ports and what threats are associated with each port. It is protected against nefarious use by only scanning the IP address you are originating from. Then I thought: wait, I can come from anywhere that I can get to request this page for me. The first page that came to mind? W3C's validator.
Click here to see W3C's validator requesting and getting the results of GRC's probe against W3C's port 80. Pretty esoteric, huh? Yeah, I know, there's not a whole lot of practicality here, except that if I wanted to launch a port scan against a site that had something like an HTTP GET function (a remote image include, for instance), I could get GRC to perform the probe on my behalf. If someone were actually logging, they'd most likely see GRC as the attacker. GRC would say, "No, you are the attacker, asking us to attack you," and W3C would have to look in their logs to find my IP (which would be unlikely to be associated with me if I had any clue as an attacker). Maybe locking things down to IP-based restrictions isn't the best security measure if the only input is via a GET string. Something as simple as a POST parameter would have stopped me. Odd, but worth mentioning.
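To make the relay trick concrete, here is a small in-memory model of it, added here as an illustration and not code from the original post or from GRC or W3C. It models a scanner that scans whoever connects to it (the source-IP rule described above), an open fetcher that GETs any URL you hand it (a validator or a remote image include), and an attacker who points the fetcher at the scanner. All hostnames, IPs and the `?uri=` / `start=1` parameters are made up for the example; nothing touches the network.

```python
"""Toy model of using an open fetcher to relay a source-IP-restricted scan.
Everything here is in-memory; IPs, hostnames and parameter names are made up."""
from dataclasses import dataclass, field
from urllib.parse import urlparse, parse_qs


@dataclass
class Request:
    method: str
    url: str
    client_ip: str                              # the IP the receiving service sees on the socket
    form: dict = field(default_factory=dict)    # POST body fields, if any


class ProbeService:
    """Scanner that takes no target parameter: it scans whoever is asking.
    require_post models the fix proposed in the post: only start a scan from a
    POST carrying a form field (assumed field name 'start')."""

    def __init__(self, require_post=False):
        self.require_post = require_post
        self.scanned = []       # what the scanner's own logs would show

    def handle(self, req):
        if self.require_post and not (req.method == "POST" and req.form.get("start") == "1"):
            return f"403 refused: scans must be started by POST (client {req.client_ip})"
        self.scanned.append(req.client_ip)
        return f"200 scanned {req.client_ip}"


class OpenFetcher:
    """Anything that GETs a caller-supplied URL (validator, remote image include,
    link preview). It can only GET, and it fetches from its own IP."""

    def __init__(self, ip, router):
        self.ip = ip
        self.router = router
        self.seen = []          # the fetcher's own logs: who asked for what

    def handle(self, req):
        target = parse_qs(urlparse(req.url).query).get("uri", [None])[0]
        if target is None:
            return "400 missing uri"
        self.seen.append((req.client_ip, target))
        # The outbound request carries the fetcher's IP, not the original caller's.
        return self.router(Request("GET", target, self.ip))


def make_network(require_post=False):
    """Wire up two made-up hosts and return (router, probe, fetcher)."""
    probe = ProbeService(require_post)
    hosts = {}

    def router(req):
        host = urlparse(req.url).hostname
        if host not in hosts:
            return f"502 no route to {host}"
        return hosts[host].handle(req)

    fetcher = OpenFetcher("198.51.100.10", router)    # made-up IP for the validator host
    hosts["probe.example"] = probe
    hosts["validator.example"] = fetcher
    return router, probe, fetcher


def relay_scan(require_post=False, attacker_ip="203.0.113.7"):
    """The attacker asks the fetcher to fetch the probe page. Returns the probe's
    response plus what the probe's and the fetcher's logs would each show."""
    router, probe, fetcher = make_network(require_post)
    url = "http://validator.example/check?uri=http://probe.example/scan"
    resp = router(Request("GET", url, attacker_ip))
    return resp, probe.scanned, fetcher.seen


if __name__ == "__main__":
    print(relay_scan())                   # probe scans the validator's IP, logs only that IP
    print(relay_scan(require_post=True))  # GET-only fetcher cannot start the scan
```

In the first run the probe's log holds only the fetcher's IP, and the attacker's IP shows up solely in the fetcher's log, which is exactly the three-way finger-pointing the post describes. Requiring a POST stops a fetcher that can only issue GETs, but a relay that can submit forms would pass the same check; a per-request token that the scanner issues to the real client and expects back is the more robust way to tie the scan to who actually asked for it.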